From ugob at CAMO-ROUTE.COM Thu Jan 1 00:04:14 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:41 2006
Subject: Resend quarantined file?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE30A@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harry Hanson [mailto:harryh@CET.COM]
> Sent: Wednesday, December 31, 2003 6:47 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Resend quarantined file?
>
>
> sendmail

Then:

sendmail -t < messagefile

if message in one file.

If "raw queue files", move the df and qf files to /var/spool/mqueue.in/ and

sendmail -qIxxxxxx (xxx replace message ID)

hth

ugo

>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> > Sent: Wednesday, December 31, 2003 2:45 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Resend quarantined file?
> >
> > > -----Original Message-----
> > > From: Harry Hanson [mailto:harryh@CET.COM]
> > > Sent: Wednesday, December 31, 2003 5:41 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Resend quarantined file?
> > >
> > >
> > > Dec 31 04:58:27 mx01 MailScanner[38749]: Saved infected
> > > "new_year3.exe" to
> > > /var/spool/MailScanner/quarantine/20031231/hBVCvaS3053144
> > >
> > >
> > > The recipient requested we send the mail, but how do I accomplish that
> > > (can't simply move to outgoing queue as it gets a "not a regular file"
> > > error)?
> >
> >
> > What is your mailer? sendmail, postfix, exim...?
> > >
> > > Thanks.
> > >
> > >

From chris at FRACTALWEB.COM Thu Jan 1 00:37:04 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: Thank you
In-Reply-To: <1072897344.16052.89.camel@venus.fractal>
References: <7D3DDF19D93C3642931C3EB8803165A959F607@mail.winnefox.org> <1072897344.16052.89.camel@venus.fractal>
Message-ID: <1072917424.16461.92.camel@venus.fractal>

And may I say, MailScanner and the community of people that has built up
to support the product and each other is a perfect example of what can
be accomplished with open source.

Long live Open Source!

From ugob at CAMO-ROUTE.COM Thu Jan 1 00:55:59 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harondel J. Sibble [mailto:help@pdscc.com]
> Sent: Wednesday, December 31, 2003 7:38 PM
> To: Ugo Bellavance
> Subject: RE: postfix, mailscanner, mail relay
>
>
> On 31 Dec 2003 at 19:02, Ugo Bellavance wrote:
>
> >
> > Did you hash the transport file ?
> >
>
> Yup...
>
> Just did it again anyways
>
> Some stuff gets relayed through and some doesn't, I just send an email to a
> nonexistent account: nobody@mailscan.domain.com, that passed through the
> relay and was rejected by the internal server as a nonexistent user, this is
> good, however sending to harondel.J.Sibble@mailscan.domain.com results in a
> bounce back from the relay without going to the internal mailserver

Please show us your main.cf.

Ugo

>
> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>
>
>

From ryan.finnesey at CORPDSG.COM Thu Jan 1 07:45:05 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:21:42 2006
Subject: New Year.
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BEEA@dc012.corpdsg.com>

I would also like to wish everyone a happy New Year!

Ryan

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Erik Jakobsen
> Sent: Wednesday, December 31, 2003 12:55 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: New Year.
>
> With this I want to pass a Happy New Year to all members of the list here.
>
> Also I want to thank you Julian for your huge job with MailScanner. It's
> a nice piece of software, and you have done it good for all of us, but
> the spammers.
>
> Cheers, Erik.
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.

From ryan.finnesey at CORPDSG.COM Thu Jan 1 07:45:49 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: Thank you
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BEEB@dc012.corpdsg.com>

Thank you for all your hard work.

Ryan

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Ken Anderson
> Sent: Wednesday, December 31, 2003 11:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT: Thank you
>
> Many thanks to Julian and others for your hard work, and may you have
> _many_ more enjoyable years working on MailScanner! ;-)
> MailScanner is the mothership of antispam tools!
>
> Ken A.
> Pacific.Net
>
>
>
> Daniel Kleinsinger wrote:
>
> > Thanks Julian! Just chiming in to show my appreciation. MailScanner is
> > great.
> > Happy New Year everyone!
> >
> > Daniel Kleinsinger
> >
> > Billy A. Pumphrey wrote:
> >
> >> I thank you Julian and everyone in the list that email back and forth
> >> and helped me out with MailScanner.
> >>
> >> Thank You
> >> Billy Pumphrey
> >>
> >> -----Original Message-----
> >> From: Jody Cleveland [mailto:Cleveland@WINNEFOX.ORG]
> >> Sent: Tuesday, December 30, 2003 3:40 PM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Re: OT: Thank you
> >>
> >> Ditto!
> >>
> >> > Thank you Julian for all the work, effort and
> >> > thought you have put into your Software. Thank you for not making it
> >> > commercial. Thank you for being who you are.
> >>
> >>
> >> --
> >> Jody Cleveland
> >> (cleveland@winnefox.org)
> >>
> >
> >

From ryan.finnesey at CORPDSG.COM Thu Jan 1 07:47:23 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:21:42 2006
Subject: Linux World interview
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BEEC@dc012.corpdsg.com>

Very nice interview! Is MailScanner going to be at Linux Expo in NYC?

Ryan

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Billy A. Pumphrey
> Sent: Wednesday, December 31, 2003 12:52 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Linux World interview
>
> That's awesome, great interview and I'm glad that the product is getting
> promoted. The MailScanner box would be awesome. Just plug it in and
> tell it the few settings that it needs and go.
>
> Thank You
> Billy Pumphrey
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Wednesday, December 31, 2003 11:30 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Linux World interview
>
> If any of you are interested, I did an interview with Linuxworld
> magazine a
> month or two back, which they have just published.
> It's also on-line
> here:
> http://www.linuxworld.com/story/38287.htm?DE=1
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 1 13:40:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: Linux World interview
In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BEEC@dc012.corpdsg.com>
References: <3041D4D2B8A6F746AD9217BE05AE68C407BEEC@dc012.corpdsg.com>
Message-ID: <6.0.1.1.2.20040101133938.0465c7c0@imap.ecs.soton.ac.uk>

Not unless someone can give me some stand space, and help with expenses :(

At 07:47 01/01/2004, you wrote:
>Very nice interview! Is MailScanner going to be at Linux Expo in NYC?
>
>
>Ryan
>
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Billy A. Pumphrey
> > Sent: Wednesday, December 31, 2003 12:52 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Linux World interview
> >
> > That's awesome, great interview and I'm glad that the product is getting
> > promoted. The MailScanner box would be awesome. Just plug it in and
> > tell it the few settings that it needs and go.
> >
> > Thank You
> > Billy Pumphrey
> >
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: Wednesday, December 31, 2003 11:30 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Linux World interview
> >
> > If any of you are interested, I did an interview with Linuxworld
> > magazine a
> > month or two back, which they have just published.
> > It's also on-line
> > here:
> > http://www.linuxworld.com/story/38287.htm?DE=1
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 1 13:31:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: Linux World interview
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040101132934.04508ab8@imap.ecs.soton.ac.uk>

At 17:51 31/12/2003, you wrote:
>That's awesome, great interview and I'm glad that the product is getting
>promoted. The MailScanner box would be awesome. Just plug it in and
>tell it the few settings that it needs and go.

Watch this space. It's not quite an appliance, and won't be free, but it
will cost a lot less than the competition while providing far superior
facilities.

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Wednesday, December 31, 2003 11:30 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Linux World interview
>
>If any of you are interested, I did an interview with Linuxworld
>magazine a
>month or two back, which they have just published.
>It's also on-line
>here:
>http://www.linuxworld.com/story/38287.htm?DE=1

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 1 13:37:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: FW: Verification required for kfliong@wofs.com, protected by 0Spam.com.
In-Reply-To: <1395.159.134.205.208.1072908515.squirrel@www.blacknightsolutions.com>
References: <08146035CA49D6119A36009027AC822A0264EC29@CITY-EXCH-NTS> <1395.159.134.205.208.1072908515.squirrel@www.blacknightsolutions.com>
Message-ID: <6.0.1.1.2.20040101133202.04695e70@imap.ecs.soton.ac.uk>

At 22:08 31/12/2003, you wrote:
>Kevin
>
>You have a hell of a lot more patience than me.

More than me too.
Automated responses to mailing list postings don't annoy me too much (I
take the "it's your loss" view). What gets me is when someone has mailed
me asking for my help. I spend considerable effort giving them the best
and most helpful response I can, and am met with an authentication
request. I refuse on principle to jump through all the hoops, and it means
I have just wasted my time and effort. If you want my help, whitelist me
*before* you send me the request for help. Do not expect me to jump
through hoops to contact you, just because you couldn't be bothered.

The spammers will eventually write enough code to work around these
authentication systems (it's quite possible, just harder than they want to
try at the moment). So they will fall by the wayside in a year or two at
most. Any single defence mechanism is doomed to fail, and fail quite quickly.

Happy New Year everyone! May it be a fruitful and happy one for all of you.

Jules.

>I've noticed a number of these subscribers with their anti-spam junk on
>other lists recently and refuse pointblank to 'verify' myself.
>I really
>don't care whether they get my mail or not and as most of them never
>contribute in any form to the lists they are subscribed to not receiving
>their mail is not too painful for me.
>
>Happy New Year to all :)
>M
>
>
>--
>Mr. Michele Neylon
>Blacknight Solutions
>http://www.blacknightsolutions.ie/
>Tel. 059-9139897
>.ie registration from €45!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at MINDWARESYSTEMS.COM Fri Jan 2 02:25:23 2004
From: mailscanner at MINDWARESYSTEMS.COM (Kourosh Ghassemieh)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>
References: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM> <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>
Message-ID: <1073010323.1233.18.camel@navi>

On Thu, 2004-01-01 at 15:39, Darren Fulton - Concept Technology wrote:
> >> -----Original Message-----
> >> From: Harondel J. Sibble [mailto:help@pdscc.com]
> >> Sent: Wednesday, December 31, 2003 7:38 PM
> >> To: Ugo Bellavance
> >> Subject: RE: postfix, mailscanner, mail relay
> Yes, this sounds like postfix is refusing to receive email from the
> internet. You may be able to address that by editing your postfix main.cf
> files. Pay close attention to:
>
> $relay_domains
> $mydestination
> mynetworks
>

If you followed the instructions to set up two postfix instances you
need to make sure that you edit _both_ postfix config files. I had the
same problem with postfix refusing to relay mail until I realized that
when I changed the network from my testing network to the production
network I made the changes in one config file but not in the other.
The first instance of postfix would accept the mail as it comes from an
allowed network and put it in the queue. Mailscanner would pick up the
mail and scan it. The trouble came from the second instance of postfix.
When it tried to deliver the scanned mail, it would see that the mail
came from a network not allowed to relay and bounce it.

Check to make sure that the configuration for _both_ instances is
correct.

Hope this helps.

--
Kourosh Ghassemieh

From dot at DOTAT.AT Thu Jan 1 17:53:04 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:21:42 2006
Subject: Linux World interview
In-Reply-To:
Message-ID:

Julian Field wrote:
>If any of you are interested, I did an interview with Linuxworld magazine a
>month or two back, which they have just published. It's also on-line here:
>http://www.linuxworld.com/story/38287.htm?DE=1

"The spammers haven't really turned into virus writers yet."

Sadly not true: http://www.spamhaus.org/news.lasso?article=13

Tony.
--
f.a.n.finch http://dotat.at/
BAILEY: NORTHWESTERLY 6 TO GALE 8, BECOMING VARIABLE 3 THEN SOUTHEASTERLY
5 TO 7. SHOWERS THEN RAIN. MODERATE OR GOOD.

From cwharris at MORGAN.NET Thu Jan 1 21:27:48 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:21:42 2006
Subject: queue.in backed up
Message-ID: <001501c3d0ae$1e908320$1c150fd0@shire>

Hello all,

I have Mailscanner running on a FreeBSD 4.6 box and last night my /var mount
point filled up and couldn't be written to. This of course caused problems.
I'm not sure why it filled up. But anyways my queue.in directory is pretty
full now. I have mail delivering fine but it doesn't seem to be reducing
queue.in at all. In fact I would say it is increasing ever so slightly. How
can I get this to start reducing? I've noticed that SA is timing out now too.

Chris

From chris at FRACTALWEB.COM Thu Jan 1 21:51:44 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:42 2006
Subject: expected effects of new Can-Spam law?
Message-ID: <1072993904.16460.96.camel@venus.fractal>

Happy New Year!!!

Is everyone aware that the USA's new "Can-Spam" laws take effect today?

http://www.spamhaus.org/news.lasso?article=150

After reading this article, I can only guess that we're going to be hit
with an avalanche of spam starting in the next few weeks and continuing
forever.

Does anyone have a different take on this?

Chris

From garry at GLENDOWN.DE Thu Jan 1 22:01:45 2004
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:21:42 2006
Subject: queue.in backed up
In-Reply-To: <001501c3d0ae$1e908320$1c150fd0@shire>
References: <001501c3d0ae$1e908320$1c150fd0@shire>
Message-ID: <3FF498C9.4090804@glendown.de>

Chris Harris wrote:
| queue.in at all. In fact I would say it is increasing ever so slightly. How
| can I get this to start reducing? I've noticed that SA is timing out now too.

You need to check the files, but I would imagine those are partially
received queue files ... as the sending MTA probably did not receive the
"OK", they most likely were resent once your system accepted mails again
... thus, you should be able to remove those files ...

-gg

From darren at concepttechnologyinc.com Thu Jan 1 23:39:55 2004
From: darren at concepttechnologyinc.com (Darren Fulton - Concept Technology)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>

>> -----Original Message-----
>> From: Harondel J. Sibble [mailto:help@pdscc.com]
>> Sent: Wednesday, December 31, 2003 7:38 PM
>> To: Ugo Bellavance
>> Subject: RE: postfix, mailscanner, mail relay
>>
>>
>>
>>
>> On 31 Dec 2003 at 19:02, Ugo Bellavance wrote:
>>
>> >
>> > Did you hash the transport file ?
>> >
>>
>> Yup...
>>
>> Just did it again anyways
>>
>> Some stuff gets relayed through and some doesn't, I just send an email to a
>> nonexistent account: nobody@mailscan.domain.com, that passed through the
>> relay and was rejected by the internal server as a nonexistent user, this is
>> good, however sending to harondel.J.Sibble@mailscan.domain.com results in a
>> bounce back from the relay without going to the internal mailserver
>
> Please show us your main.cf.
>
> Ugo
>>
>> --
>> Harondel J. Sibble
>> Sibble Computer Consulting
>> Creating solutions for the small business and home computer user.
>> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
>> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>>
>>
>>
>

Yes, this sounds like postfix is refusing to receive email from the
internet. You may be able to address that by editing your postfix main.cf
files. Pay close attention to:

$relay_domains
$mydestination
mynetworks

Best Regards,

Darren Fulton
Concept Technology, Inc.

From kfliong at WOFS.COM Fri Jan 2 01:55:05 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: FW: Verification required for kfliong@wofs.com, protected by 0Spam.com.
In-Reply-To: <6.0.1.1.2.20040101133202.04695e70@imap.ecs.soton.ac.uk>
References: <08146035CA49D6119A36009027AC822A0264EC29@CITY-EXCH-NTS> <1395.159.134.205.208.1072908515.squirrel@www.blacknightsolutions.com> <6.0.1.1.2.20040101133202.04695e70@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040102095352.02eba718@192.168.10.2>

yeah..sorry for the mess. It was a last effort for me to battle spams when
mailscanner was not working properly for me. I have since re-installed
mailscanner and managed to get it to work now. So, I have removed the
authentication thingie.

Thanks for your patience.

At 09:37 PM 1/1/2004, you wrote:
>At 22:08 31/12/2003, you wrote:
>>Kevin
>>
>>You have a hell of a lot more patience than me.
>
>More than me too.
>Automated responses to mailing list postings don't annoy me too much (I
>take the "it's your loss" view). What gets me is when someone has mailed
>me asking for my help. I spend considerable effort giving them the best
>and most helpful response I can, and am met with an authentication
>request. I refuse on principle to jump through all the hoops, and it means
>I have just wasted my time and effort. If you want my help, whitelist me
>*before* you send me the request for help. Do not expect me to jump
>through hoops to contact you, just because you couldn't be bothered.
>
>The spammers will eventually write enough code to work around these
>authentication systems (it's quite possible, just harder than they want to
>try at the moment). So they will fall by the wayside in a year or two at
>most. Any single defence mechanism is doomed to fail, and fail quite quickly.
>
>Happy New Year everyone! May it be a fruitful and happy one for all of you.
>
>Jules.
>
>>I've noticed a number of these subscribers with their anti-spam junk on
>>other lists recently and refuse pointblank to 'verify' myself. I really
>>don't care whether they get my mail or not and as most of them never
>>contribute in any form to the lists they are subscribed to not receiving
>>their mail is not too painful for me.
>>
>>Happy New Year to all :)
>>M
>>
>
>>--
>>Mr. Michele Neylon
>>Blacknight Solutions
>>http://www.blacknightsolutions.ie/
>>Tel. 059-9139897
>>.ie registration from €45!
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

thanks

From chris at trudeau.org Fri Jan 2 04:25:27 2004
From: chris at trudeau.org (Chris Trudeau)
Date: Thu Jan 12 21:21:42 2006
Subject: Reporting/Summary
In-Reply-To: <3FF1A4D5.3010202@mcgill.ca>
Message-ID: <088c01c3d0e8$730567b0$23c8a8c0@serv>

Yep...all of these are good responses and I am using MailWatch
religiously....

I'm looking for more of a summary such as the output of pflogsumm for
postfix. Just a general...here's how many messages processed, how many are
spam viruses etc...that I can batch and email to myself every day...

Thanks again!
CT

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of chris albert
Sent: Tuesday, December 30, 2003 11:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Reporting/Summary

Chris Trudeau wrote:

>I'm sure it has been mentioned here, but I can't find it in the archives...
>
>What tools are you using (home-grown or not) on Sendmail MS systems to
>provide daily summary statistics related to message volume spam percentage
>etc...Anything out there?
>
>CT

Have you looked at Mail::Graph which can generate pages like:
http://bloodgate.com/spams/stats.html ?

C

From mailscanner at ecs.soton.ac.uk Fri Jan 2 10:16:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: queue.in backed up
In-Reply-To: <001501c3d0ae$1e908320$1c150fd0@shire>
References: <001501c3d0ae$1e908320$1c150fd0@shire>
Message-ID: <6.0.1.1.2.20040102100755.03f8c318@imap.ecs.soton.ac.uk>

At 21:27 01/01/2004, you wrote:
>I have Mailscanner running on a FreeBSD 4.6 box and last night my /var mount
>point filled up and couldn't be written to. This of course caused problems.
>I'm not sure why it filled up. But anyways my queue.in directory is pretty
>full now. I have mail delivering fine but it doesn't seem to be reducing
>queue.in at all. In fact I would say it is increasing ever so slightly. How
>can I get this to start reducing? I've noticed that SA is timing out now too.

One of the problems (fixed in recent versions) was that finding the oldest
messages in the incoming queue could actually take a long time if the queue
was very large.
As a result the message flow rate could drop quite badly
when hit with a huge incoming queue and a poor filesystem. Most filesystems
appear to have to search a list of all the directory entries to find a
particular file, which is very slow if you have to do it more than once.
You need to do it at least twice for every message in the queue, to get
the df and the qf files (or the equivalent queue files for other MTAs). The
one notable exception is XFS, which handles large directories much better
than most other filesystems.

That was fixed in version 4.24. From then on there has been a "Max Normal
Queue Size" setting. When the queue gets bigger than that, it switches from
processing in strict date order to processing fastest in an attempt to
clear the queue. Its behaviour is a bit more complicated than that, but
that's basically the effect you will see.

I normally set "Max Normal Queue Size" to something like 500 or 1000.

Alternatively, move all the files out of your mqueue.in to somewhere else,
and drip-feed them back into the queue. Make sure you always put back
matching pairs of qf+df files, but if you put a few hundred in at a time it
will process them a lot faster than it can with all of them there.

First solution requires an upgrade (possibly), second solution is more manual.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 2 10:07:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: Linux World interview
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040102100623.03f8c4d0@imap.ecs.soton.ac.uk>

At 17:53 01/01/2004, you wrote:
>Julian Field wrote:
> >If any of you are interested, I did an interview with Linuxworld magazine a
> >month or two back, which they have just published.
> >It's also on-line here:
> >http://www.linuxworld.com/story/38287.htm?DE=1
>
>"The spammers haven't really turned into virus writers yet."
>
>Sadly not true: http://www.spamhaus.org/news.lasso?article=13

Yes, I know. I did the actual interview 2 or 3 months ago, and the
situation has changed since then.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 2 10:35:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: New blocklist from Spamhaus
Message-ID: <6.0.1.1.2.20040102103118.02d1c970@imap.ecs.soton.ac.uk>

Spamhaus have started up a list of known machines which are open proxies,
spam zombies, etc.

To use it, edit your /etc/MailScanner/spam.lists.conf or
/opt/MailScanner/etc/spam.lists.conf and add a line that looks like this:

spamhaus-XBL xbl.spamhaus.org.

(Don't forget the "." at the end of the line!)

Then edit your MailScanner.conf and add
spamhaus-XBL
to your "Spam List =" setting.

Then just restart or reload MailScanner and it will start using the new list.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at LBSLTD.CO.UK Fri Jan 2 10:41:37 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:42 2006
Subject: Reporting/Summary
Message-ID: <67D9E7698329D411936E00508B6590B902773D7F@neelix.lbsltd.co.uk>

Hi Chris,

If you let me know your requirements - I'll write a cronable job that will
e-mail you daily stats from MailWatch.

Would that be of use??

Kind regards,
Steve.
-----Original Message-----
From: Chris Trudeau
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 02/01/04 04:25
Subject: Re: Reporting/Summary

Yep...all of these are good responses and I am using MailWatch
religiously....

I'm looking for more of a summary such as the output of pflogsumm for
postfix. Just a general...here's how many messages processed, how many are
spam viruses etc...that I can batch and email to myself every day...

Thanks again!

CT

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of chris albert
Sent: Tuesday, December 30, 2003 11:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Reporting/Summary

Chris Trudeau wrote:

>I'm sure it has been mentioned here, but I can't find it in the archives...
>
>What tools are you using (home-grown or not) on Sendmail MS systems to
>provide daily summary statistics related to message volume spam percentage
>etc...Anything out there?
>
>CT

Have you looked at Mail::Graph which can generate pages like:
http://bloodgate.com/spams/stats.html ?

C

--

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.
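
The second option in Julian Field's "queue.in backed up" reply above (move everything out of mqueue.in, then put back matching qf+df pairs a few hundred at a time), sketched in Python as an added example; it is not code from the list or from MailScanner. The function names, the holding directory, the batch size of 300 and the low-water mark are assumptions, as is the premise that nothing is writing to the incoming queue while park() runs and that both directories sit on one filesystem.

```python
"""Park a backed-up sendmail incoming queue and feed it back in batches."""
import os
import time
from pathlib import Path


def complete_pairs(directory):
    """Return (ids, orphans): queue IDs that have both a qf and a df file,
    oldest qf first, and the names of files that have no partner."""
    directory = Path(directory)
    names = {p.name for p in directory.iterdir() if p.is_file()}
    qf_ids = {n[2:] for n in names if n.startswith("qf")}
    df_ids = {n[2:] for n in names if n.startswith("df")}
    paired = qf_ids & df_ids
    orphans = sorted(n for n in names
                     if n[:2] not in ("qf", "df") or n[2:] not in paired)
    ids = sorted(paired,
                 key=lambda i: (os.path.getmtime(directory / ("qf" + i)), i))
    return ids, orphans


def park(incoming, holding):
    """Move every file out of the incoming queue into the holding directory.
    qf files are moved first, so a df is never taken away from under a qf
    that is still sitting in the queue."""
    names = sorted((p.name for p in Path(incoming).iterdir() if p.is_file()),
                   key=lambda n: (not n.startswith("qf"), n))
    for name in names:
        # os.rename is atomic only within one filesystem (assumed here).
        os.rename(Path(incoming, name), Path(holding, name))
    return len(names)


def feed_batch(holding, incoming, batch_size=300):
    """Put back up to batch_size complete pairs, oldest first. The df goes
    in before the qf, so a qf never appears in the queue without its body.
    Unpaired files (for example partially received messages) stay parked."""
    ids, _ = complete_pairs(holding)
    batch = ids[:batch_size]
    for qid in batch:
        for prefix in ("df", "qf"):
            os.rename(Path(holding, prefix + qid), Path(incoming, prefix + qid))
    return batch


def drip_feed(holding, incoming, batch_size=300, low_water=50, poll=30,
              sleep=time.sleep):
    """Feed batches until no complete pair is left in holding, waiting each
    time until the scanner has worked the queue down to low_water messages."""
    fed = 0
    while True:
        waiting = sum(1 for p in Path(incoming).iterdir()
                      if p.name.startswith("qf"))
        if waiting > low_water:
            sleep(poll)
            continue
        batch = feed_batch(holding, incoming, batch_size)
        if not batch:
            return fed
        fed += len(batch)


if __name__ == "__main__":
    import sys
    incoming_dir, holding_dir = sys.argv[1], sys.argv[2]
    print("parked", park(incoming_dir, holding_dir), "files")
    print("fed back", drip_feed(holding_dir, incoming_dir), "messages")
    print("left in holding:", complete_pairs(holding_dir)[1])
```

Files left in the holding directory afterwards are the unpaired ones, which is where the partially received queue files mentioned earlier in the thread would end up for inspection.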

From raymond at PROLOCATION.NET Fri Jan 2 10:42:22 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:42 2006
Subject: New blocklist from Spamhaus
In-Reply-To: <6.0.1.1.2.20040102103118.02d1c970@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> To use it, edit your /etc/MailScanner/spam.lists.conf or
> /opt/MailScanner/etc/spam.lists.conf and add a line that looks like this:
>
> spamhaus-XBL xbl.spamhaus.org.
>
> (Don't forget the "." at the end of the line!)

And a note about that:

The XBL wholly incorporates the highly-trusted CBL (Composite Block List)
from cbl.abuseat.org, therefore mail servers already using cbl.abuseat.org
should NOT also use xbl.spamhaus.org or you will be making 'double' queries
to basically the same data source and only one DNSBL will appear to work,
the other will appear to not catch anything.

CBL was already in the spam.lists.conf of MS, not sure it's wise to double
them Julian :)

Bye,
Raymond.

From dbird at SGHMS.AC.UK Fri Jan 2 11:18:52 2004
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:42 2006
Subject: New blocklist from Spamhaus
References: <6.0.1.1.2.20040102103118.02d1c970@imap.ecs.soton.ac.uk>
Message-ID: <3FF5539C.3010507@sghms.ac.uk>

Julian Field wrote:

> Spamhaus have started up a list of known machines which are open proxies,
> spam zombies, etc.
>
> To use it, edit your /etc/MailScanner/spam.lists.conf or
> /opt/MailScanner/etc/spam.lists.conf and add a line that looks like this:
>
> spamhaus-XBL xbl.spamhaus.org.
>
> (Don't forget the "." at the end of the line!)
>
> Then edit your MailScanner.conf and add
> spamhaus-XBL
> to your "Spam List =" setting.
>
> Then just restart or reload MailScanner and it will start using the
> new list.

For those that prefer to use SA to bump up the score instead of
MailScanner's RBL's, something like:

header RCVD_SPAMHAUS_XBL rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.')
describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL
tflags RCVD_SPAMHAUS_XBL net
score RCVD_SPAMHAUS_XBL 1.5

in spam.assassin.prefs.conf should do the trick...

Dan

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
____________________________________
Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________

Everything is possible....except skiing through a revolving door

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From doko at CS.TU-BERLIN.DE Fri Jan 2 11:31:12 2004
From: doko at CS.TU-BERLIN.DE (Matthias Klose)
Date: Thu Jan 12 21:21:42 2006
Subject: Bug#225825: mailscanner: Proofread Spanish messages (forwarded from Fernando J. Rodríguez (Herr Groucho))
Message-ID: <16373.22144.863237.236488@gargle.gargle.HOWL>

please find attached a patch for mailscanner forwarded from the Debian
BTS.

-------------- next part --------------
An embedded message was scrubbed...
From: Fernando J. Rodríguez (Herr Groucho)
Subject: Bug#225825: mailscanner: Proofread Spanish messages
Date: Thu, 01 Jan 2004 18:20:44 -0300
Size: 6735
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040102/96c2bc88/attachment.mht

From peter at UCGBOOK.COM Fri Jan 2 14:18:40 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew>
References: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew>
Message-ID: <3FF57DC0.9000105@ucgbook.com>

DCC is really simple to install and it doesn't require anything except
GCC of course, it uses less net resources too. You need to open UDP/6277
in your firewall.

Download http://www.rhyolite.com/anti-spam/dcc/source/dcc-dccproc.tar.Z

# zcat dcc-dccproc.tar.Z | tar xvf -
# cd dcc-dccproc-X.X.X (1.2.25 is most current)
# ./configure && make && make install
# cdcc info (to verify that it works, remember the firewall)

That's it. In the SA config file for MailScanner DCC is on by default so
it should just kick in. Check your logs for it.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Matt wrote:

> Alright, a better question. I am running MS and SA on a RAQ 550. I am now
> debating between DCC and Pyzor. I am leaning towards DCC since it does not
> require that I mess with Python. Perhaps even Razor but it looks like more
> work.
>
> Any pros or cons of one or the other? Do not want the trouble of installing
> and maintaining both at this time.
>
> Matt

From peter at UCGBOOK.COM Fri Jan 2 14:25:51 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:42 2006
Subject: patching MIME-tools-5.411
In-Reply-To: <200312302300.hBUN0rPq001319@leka.soest.hawaii.edu>
References: <200312302300.hBUN0rPq001319@leka.soest.hawaii.edu>
Message-ID: <3FF57F6F.6090509@ucgbook.com>

I used the GNU Patch command (from http://www.sunfreeware.com) and it
worked.

Problems with patching MIME-tools have surfaced on the list several
times. I have asked for MIME-tools to be patched on MailScanner's web
site (they are patched for the Linux distributions of MailScanner) but
got no response from Julian. Since we're only allowed to use a single
version of MIME-tools they could just as well be patched before we
download them. Just my $0.02.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

No Name wrote:

> I followed the Solaris 9 install notes on the website but can't get the
> files patched.

From sysadmins at ENHTECH.COM Fri Jan 2 14:35:29 2004
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <3FF57DC0.9000105@ucgbook.com>
References: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew> <3FF57DC0.9000105@ucgbook.com>
Message-ID: <6.0.0.22.0.20040102093250.0313b2c8@mail.enhtech.com>

At 09:18 AM 1/2/2004, you wrote:

>That's it. In the SA config file for MailScanner DCC is on by default so
>it should just kick in. Check your logs for it.

You will need to configure the Score for DCC and the message count.

score DCC_CHECK 3.7
dcc_path /usr/local/bin/dccproc
dcc_body_max 5
dcc_fuz1_max 5
dcc_fuz2_max 5

>Matt wrote:
>>Alright, a better question. I am running MS and SA on a RAQ 550. I am now
>>debating between DCC and Pyzor. I am leaning towards DCC since it does not
>>require that I mess with Python. Perhaps even Razor but it looks like more
>>work.
>>
>>Any pros or cons of one or the other? Do not want the trouble of installing
>>and maintaining both at this time.
>>
>>Matt

Regards,

Errol Neal

Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From mailscanner at ecs.soton.ac.uk Fri Jan 2 15:05:01 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: patching MIME-tools-5.411
In-Reply-To: <3FF57F6F.6090509@ucgbook.com>
References: <200312302300.hBUN0rPq001319@leka.soest.hawaii.edu> <3FF57F6F.6090509@ucgbook.com>
Message-ID: <6.0.1.1.2.20040102150424.03ff3768@imap.ecs.soton.ac.uk>

Thanks for the reminder. Finally done it for you. I have updated
http://www.sng.ecs.soton.ac.uk/mailscanner/install/perl.shtml
to link to the patched version.

At 14:25 02/01/2004, you wrote:
>I used the GNU Patch command (from http://www.sunfreeware.com) and it
>worked.
>
>Problems with patching MIME-tools have surfaced on the list several
>times. I have asked for MIME-tools to be patched on MailScanner's web
>site (they are patched for the Linux distributions of MailScanner) but
>got no response from Julian. Since we're only allowed to use a single
>version of MIME-tools they could just as well be patched before we
>download them. Just my $0.02.
>
>/Peter Bonivart
>
>--Unix lovers do it in the Sun
>
>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
>SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>
>No Name wrote:
>>I followed the Solaris 9 install notes on the website but can't get the
>>files patched.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Fri Jan 2 15:46:33 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:42 2006
Subject: patching MIME-tools-5.411
In-Reply-To: <6.0.1.1.2.20040102150424.03ff3768@imap.ecs.soton.ac.uk>
References: <200312302300.hBUN0rPq001319@leka.soest.hawaii.edu> <3FF57F6F.6090509@ucgbook.com> <6.0.1.1.2.20040102150424.03ff3768@imap.ecs.soton.ac.uk>
Message-ID: <3FF59259.8090501@ucgbook.com>

Thank you. I hope it helps some non-Linux users.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Julian Field wrote:

> Thanks for the reminder. Finally done it for you. I have updated
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/perl.shtml
> to link to the patched version.

From chris at FRACTALWEB.COM Fri Jan 2 15:52:21 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:42 2006
Subject: pyzor--can build but not install
Message-ID: <1073058741.22608.2.camel@venus.fractal>

Hi everyone,

I have Python version 2.2 on the server (RH7.3, Ensim Pro) installed as
"python2". I can build pyzor (0.4.0) by typing "python2 setup.py build"
and that goes fine. Unfortunately, when I try to do "python2 setup.py
install" I get a ton of errors.

# python2 setup.py install
running install
Traceback (most recent call last):
  File "setup.py", line 25, in ?
    data_files=[('share/doc/pyzor', ['docs/usage.html'])],
  File "//usr/lib/python2.2/distutils/core.py", line 138, in setup
    dist.run_commands()
  File "//usr/lib/python2.2/distutils/dist.py", line 893, in run_commands
    self.run_command(cmd)
  File "//usr/lib/python2.2/distutils/dist.py", line 912, in run_command
    cmd_obj.ensure_finalized()
  File "//usr/lib/python2.2/distutils/cmd.py", line 112, in ensure_finalized
    self.finalize_options()
  File "//usr/lib/python2.2/distutils/command/install.py", line 267, in finalize_options
    (prefix, exec_prefix) = get_config_vars('prefix', 'exec_prefix')
  File "//usr/lib/python2.2/distutils/sysconfig.py", line 421, in get_config_vars
    func()
  File "//usr/lib/python2.2/distutils/sysconfig.py", line 326, in _init_posix
    raise DistutilsPlatformError(my_msg)
distutils.errors.DistutilsPlatformError: invalid Python installation:
unable to open /usr/lib/python2.2/config/Makefile (No such file or
directory)

Any help would be appreciated.

Thanks,
Chris

From peter at UCGBOOK.COM Fri Jan 2 16:14:44 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <6.0.0.22.0.20040102093250.0313b2c8@mail.enhtech.com>
References: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew> <3FF57DC0.9000105@ucgbook.com> <6.0.0.22.0.20040102093250.0313b2c8@mail.enhtech.com>
Message-ID: <3FF598F4.1020708@ucgbook.com>

Errol Neal wrote:
> You will need to configure the Score for DCC and the message count.
>
> score DCC_CHECK 3.7
> dcc_path /usr/local/bin/dccproc
> dcc_body_max 5
> dcc_fuz1_max 5
> dcc_fuz2_max 5

It will work with the default score of 2.9 (with Bayes) and the path is
also set.

Do you know what the default values for body, fuz1/2 are? According to
the man page for dccproc they are zero so MailScanner/SA must enter some
value there I guess.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From mailscanner at ecs.soton.ac.uk Fri Jan 2 16:50:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <3FF598F4.1020708@ucgbook.com>
References: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew> <3FF57DC0.9000105@ucgbook.com> <6.0.0.22.0.20040102093250.0313b2c8@mail.enhtech.com> <3FF598F4.1020708@ucgbook.com>
Message-ID: <6.0.1.1.2.20040102164922.04129ea0@imap.ecs.soton.ac.uk>

At 16:14 02/01/2004, you wrote:
>Errol Neal wrote:
> > You will need to configure the Score for DCC and the message count.
> >
> > score DCC_CHECK 3.7
> > dcc_path /usr/local/bin/dccproc
> > dcc_body_max 5
> > dcc_fuz1_max 5
> > dcc_fuz2_max 5
>
>It will work with the default score of 2.9 (with Bayes) and the path is
>also set.
>
>Do you know what the default values for body, fuz1/2 are? According to
>the man page for dccproc they are zero so MailScanner/SA must enter some
>value there I guess.

What do those values do? I've never bothered setting them myself. MS
doesn't enter any values for them so I guess SA might?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hunter at userfriendly.net Fri Jan 2 16:54:49 2004
From: hunter at userfriendly.net (Michael Weiner)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <6.0.1.1.2.20040102164922.04129ea0@imap.ecs.soton.ac.uk>
References: <02ec01c3ce6e$8cef8e20$7801a8c0@matthew> <3FF57DC0.9000105@ucgbook.com> <6.0.0.22.0.20040102093250.0313b2c8@mail.enhtech.com> <3FF598F4.1020708@ucgbook.com> <6.0.1.1.2.20040102164922.04129ea0@imap.ecs.soton.ac.uk>
Message-ID: <1073062489.2410.6.camel@nomad.userfriendly.net>

On Fri, 2004-01-02 at 11:50, Julian Field wrote:
> > > score DCC_CHECK 3.7
> > > dcc_path /usr/local/bin/dccproc
> > > dcc_body_max 5
> > > dcc_fuz1_max 5
> > > dcc_fuz2_max 5

> What do those values do? I've never bothered setting them myself. MS
> doesn't enter any values for them so I guess SA might?

Those are for matching the DCC values in the headers, as in the
following (from viewing the full headers of an incoming email I see):

X-DCC-SIHOPE-DCC-3-Metrics: niteowl 1085; Body=1 Fuz1=1 Fuz2=1

IIRC, those settings in SA tell it when to mark the email as a positive

--
Michael B. Weiner, Linux+, Linux+ SME
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
Linux Registered User #94900
Have you been counted? http://counter.li.org
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040102/dc351326/attachment.bin

From ugob at CAMO-ROUTE.COM Fri Jan 2 16:57:23 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:42 2006
Subject: pyzor--can build but not install
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE314@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
> Sent: Friday, January 02, 2004 10:52 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: pyzor--can build but not install
>
>
> Hi everyone,
>
> I have Python version 2.2 on the server (RH7.3, Ensim Pro)
> installed as
> "python2". I can build pyzor (0.4.0) by typing "python2
> setup.py build"
> and that goes fine. Unfortunately, when I try to do "python2 setup.py
> install" I get a ton of errors.

make sure you have the -devel package installed

>
> # python2 setup.py install
> running install
> Traceback (most recent call last):
> File "setup.py", line 25, in ?
> data_files=[('share/doc/pyzor', ['docs/usage.html'])],
> File "//usr/lib/python2.2/distutils/core.py", line 138, in setup
> dist.run_commands()
> File "//usr/lib/python2.2/distutils/dist.py", line 893, in
> run_commands
> self.run_command(cmd)
> File "//usr/lib/python2.2/distutils/dist.py", line 912, in
> run_command
> cmd_obj.ensure_finalized()
> File "//usr/lib/python2.2/distutils/cmd.py", line 112, in
> ensure_finalized
> self.finalize_options()
> File "//usr/lib/python2.2/distutils/command/install.py",
> line 267, in
> finalize_options
> (prefix, exec_prefix) = get_config_vars('prefix', 'exec_prefix')
> File "//usr/lib/python2.2/distutils/sysconfig.py", line 421, in
> get_config_vars
> func()
> File "//usr/lib/python2.2/distutils/sysconfig.py", line 326, in
> _init_posix
> raise DistutilsPlatformError(my_msg)
> distutils.errors.DistutilsPlatformError: invalid Python installation:
> unable to open /usr/lib/python2.2/config/Makefile (No such file or
> directory)
>
> Any help would be appreciated.
>
> Thanks,
> Chris
>

From ralloway at WINBEAM.COM Fri Jan 2 17:03:29 2004
From: ralloway at WINBEAM.COM (Richard Alloway)
Date: Thu Jan 12 21:21:42 2006
Subject: Interview, Thanks, New Year & Logging HTML Exploits
Message-ID:

Hello everyone!

Great interview, Julian! I enjoyed reading it!

Thanks for providing and supporting MailScanner!!!!

Happy New Year to all!!!

Now, on to my issue (most of us have one *grin*):

I have a customer complaining about his mailing lists from Staples Stores,
CNET, etc being converted to plain text.

Upon checking the logs, I see that HTML-specific exploits were detected in
the message and the message was converted to plain text.

Is there any way to log what the exploit was so I can create a ruleset for
these mailing lists if the detected exploit is not malicious?

Or is there a better way to go about allowing these mailing lists?

Thanks!

-Rich

From hermit921 at YAHOO.COM Fri Jan 2 17:54:53 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:42 2006
Subject: expected effects of new Can-Spam law?
In-Reply-To: <1072993904.16460.96.camel@venus.fractal>
References: <1072993904.16460.96.camel@venus.fractal>
Message-ID: <6.0.0.22.2.20040102095214.01d51d00@pop.mail.yahoo.com>

I expect the new law to have little effect beyond appearing in the spam
body as "Official Government Approval" or some such drivel. Like most spam
laws, spammers will probably ignore it.

hermit921

At 01:51 PM 1/1/2004, Chris Yuzik wrote:
>Happy New Year!!!
>
>Is everyone aware that the USA's new "Can-Spam" laws take effect today?
>
>http://www.spamhaus.org/news.lasso?article=150
>
>After reading this article, I can only guess that we're going to be hit
>with an avalanche of spam starting in the next few weeks and continuing
>forever.
>
>Does anyone have a different take on this?
>
>Chris

From mark at TIPPINGMAR.COM Fri Jan 2 18:11:26 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <6.0.1.1.2.20040102164922.04129ea0@imap.ecs.soton.ac.uk>
Message-ID: <1480D266-3D4F-11D8-B2EA-0003939C8BF6@tippingmar.com>

Note that although this thread is entitled Pyzor we are now discussing
DCC.

From man Mail::SpamAssassin::Conf

dcc_body_max NUMBER
dcc_fuz1_max NUMBER
dcc_fuz2_max NUMBER
    DCC (Distributed Checksum Clearinghouse) is a system similar to
    Razor. This option sets how often a message's body/fuz1/fuz2
    checksum must have been reported to the DCC server before
    SpamAssassin will consider the DCC check as matched.

    As nearly all DCC clients are auto-reporting these checksums you
    should set this to a relatively high value, e.g. 999999 (this is
    DCC's MANY count).

    The default is 999999 for all these options.

Personally, I set these to half of the suggested value (500000), to make
DCC trigger more often, like this in spam.assassin.prefs.conf:

dcc_body_max 500000
dcc_fuz1_max 500000
dcc_fuz2_max 500000

Also, to get back to Pyzor for a minute, also from the man page:

pyzor_max NUMBER
    Pyzor is a system similar to Razor. This option sets how often a
    message's body checksum must have been reported to the Pyzor server
    before SpamAssassin will consider the Pyzor check as matched.

    The default is 5.

I also lower this to 3 for my setup, again to make pyzor trigger more
often, like this in spam.assassin.prefs.conf:

pyzor_max 3

Mark Nienberg

On Friday, January 2, 2004, at 08:50 AM, Julian Field wrote:

> At 16:14 02/01/2004, you wrote:
>> Errol Neal wrote:
>> > You will need to configure the Score for DCC and the message
>> count.
>> >
>> > score DCC_CHECK 3.7
>> > dcc_path /usr/local/bin/dccproc
>> > dcc_body_max 5
>> > dcc_fuz1_max 5
>> > dcc_fuz2_max 5
>>
>> It will work with the default score of 2.9 (with Bayes) and the path
>> is
>> also set.
>>
>> Do you know what the default values for body, fuz1/2 are? According to
>> the man page for dccproc they are zero so MailScanner/SA must enter
>> some
>> value there I guess.
>
> What do those values do? I've never bothered setting them myself. MS
> doesn't enter any values for them so I guess SA might?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at pdscc.com Fri Jan 2 19:21:07 2004
From: mailscanner at pdscc.com (Harondel J.
Sibble)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <1073010323.1233.18.camel@navi>
References: <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>
Message-ID: <200401021936.LAA12325@sheridan.sibble.net>

On 1 Jan 2004 at 18:25, Kourosh Ghassemieh wrote:

> If you followed the instructions to set up two postfix instances you
> need to make sure that you edit _both_ postfix config files. I had the
> same problem with postfix refusing to relay mail until I realized that
> when I changed the network from my testing network to the production
> network I made the changes in one config file but not in the other.

Ahh, that sounds like it is most likely the problem. Oddly enough however,
it DOES relay some mails to the internal mailserver.

> Check to make sure that the configuration for _both_ instances is
> correct.
> Hope this helps.

Thanks I'll take a look at that and report back.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From chris at FRACTALWEB.COM Fri Jan 2 19:42:09 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:42 2006
Subject: pyzor--can build but not install
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE314@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE314@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <1073072529.22154.33.camel@venus.fractal>

On Fri, 2004-01-02 at 08:57, Ugo Bellavance wrote:

> make sure you have the -devel package installed

Ugo,

Thanks for the suggestion. I've had a look and I do not have
python-devel installed. Unfortunately, Ensim has "customized" the
version of Python 2.2.2 that came with the box. They don't have a
customised version of python-devel 2.2.2 available, so I'm probably
hooped with regards to pyzor. :-(

Thanks.

Chris

From peter at UCGBOOK.COM Fri Jan 2 19:58:08 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <1480D266-3D4F-11D8-B2EA-0003939C8BF6@tippingmar.com>
References: <1480D266-3D4F-11D8-B2EA-0003939C8BF6@tippingmar.com>
Message-ID: <3FF5CD50.4020807@ucgbook.com>

Wouldn't that make Errol's DCC very prone to false positives?

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Mark Nienberg wrote:
> The default is 999999 for all these options.

>>> Errol Neal wrote:
>>> > You will need to configure the Score for DCC and the message
>>> count.
>>> >
>>> > score DCC_CHECK 3.7
>>> > dcc_path /usr/local/bin/dccproc
>>> > dcc_body_max 5
>>> > dcc_fuz1_max 5
>>> > dcc_fuz2_max 5

From mark at TIPPINGMAR.COM Fri Jan 2 20:15:43 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:42 2006
Subject: Pyzor
In-Reply-To: <3FF5CD50.4020807@ucgbook.com>
Message-ID: <7178FD12-3D60-11D8-8963-0003939C8BF6@tippingmar.com>

I think Errol is confusing the DCC number with the Pyzor number, which
is why I posted information about both. DCC simply counts every
occurrence of a message, without any judgment of whether it is spam or
not. Pyzor counts only messages that have been reported as spam.

Mark Nienberg

On Friday, January 2, 2004, at 11:58 AM, Peter Bonivart wrote:

> Wouldn't that make Errol's DCC very prone to false positives?
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>
> Mark Nienberg wrote:
>> The default is 999999 for all these options.
>
>>>> Errol Neal wrote:
>>>> > You will need to configure the Score for DCC and the message
>>>> count.
>>>> >
>>>> > score DCC_CHECK 3.7
>>>> > dcc_path /usr/local/bin/dccproc
>>>> > dcc_body_max 5
>>>> > dcc_fuz1_max 5
>>>> > dcc_fuz2_max 5

From jase at SENSIS.COM Fri Jan 2 21:10:00 2004
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: Exim - Using ACLs to verify RCPT TO
Message-ID:

I'm still using exim 3, but I've been able to get exim to use ldap to look
verify local users on an exchange server. Here's what I do:

* in exim.conf, make sure
    receiver_verify = true
  is set
* In all of the routers definitions which deliver mail locally, set up a
  condition something like this:
    condition = ${lookup ldap {ldap://YOUR_LDAPSERVER/ou=YOUR_OU,o=YOUR_ORG?rdn?sub?(rfc822Mailbox=$local_part@$domain)}{1}{0}}

It appears that Exchange email addresses can be in either rfc822Mailbox or
otherMailbox, so I actually duplicated all of my local router definitions,
and changed the condition to this:

    condition = ${lookup ldap {ldap://YOUR_LDAPSERVER/ou=YOUR_OU,o=YOUR_ORG?rdn?sub?(otherMailbox=smtp%24$local_part@$domain)}{1}{0}}

Now that I think about it, I suppose I could have ORed the two conditions
together.

The thinking is if there is no router to be used for a recipient, then the
sender will get an smtp error.

Anyways, I am by no means an ldap expert, and I reserve the right to be
doing something really dumb here. I only got this setup to work by trial
and error, not because I know what I'm doing. :-)

Hope it helps you out.

Jason

> -----Original Message-----
> From: ISP List [mailto:isp-list@TULSACONNECT.COM]
> Sent: Tuesday, December 30, 2003 11:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Exim - Using ACLs to verify RCPT TO
>
>
> We're running MailScanner on several load-balanced inbound SMTP / MX
> handling machines running exim 4.x as the MTA.
These
> machines do a MySQL
> lookup to verify the "allowed relay" domains for each
> message, and then we
> use a SMTP "smart route" to send all scanned mail to the
> final destination
> mail server (which is also determined by a SQL lookup).
>
> The problem with this approach is that we cannot generate "550 user
> unknown" errors during the SMTP negotiation phase because the
> MailScanner
> boxes don't have any local accounts, so they don't know if the address
> exists or not. This results in the "accept and bounce" behavior for
> non-existent mailboxes, which then results in a *large*
> number of bounce
> messages being sent to hotmail, yahoo, msn and others due to spammers
> forging the From: address (which then results in them
> tarpitting our SMTP
> connections).
>
> So, what I would like exim to do is to be able to do a LDAP
> or SQL lookup
> during the SMTP negotiation phase (following the RCPT TO) to
> determine if
> the recipient address is valid or not. Based on my research,
> using exim
> 4.x's ACL facility seems to be the best approach, but I'm a
> little unclear
> on the proper syntax as the manual does not give any examples.
>
> Any pointers would be much appreciated.
>
> ---------------------------------------
> Mike Bacher / mike@sparklogic.com
> SparkLogic Development / ISP Consulting
> Use OptiGold ISP? Check out OptiSkin!
> http://www.sparklogic.com/optiskin/
> ---------------------------------------
>

From raymond at PROLOCATION.NET Sat Jan 3 11:20:26 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:42 2006
Subject: [Clamav-announce] Critical bug in virus scanning engine (development versions only) (fwd)
Message-ID:

FYI

---------- Forwarded message ----------
Date: Sat, 3 Jan 2004 11:33:47 +0100
From: Tomasz Kojm
To: clamav-announce@lists.sourceforge.net
Cc: clamav-users@lists.sourceforge.net, clamav-devel@lists.sourceforge.net
Subject: [Clamav-announce] Critical bug in virus scanning engine
    (development versions only)

Dear Users,

all ClamAV snapshots newer than clamav-20031201 contain a bug that
completely disables detection of polymorphic viruses (Hybris, Magistr) and
other malware with multipart signatures. Please update to the latest
version and make sure the changelog contains the following entry:

    * libclamav: fixed handling of multipart signatures (broken since Dec 2).

The bug was introduced by _me_ and not by the Thomas Lamy's patch.

Problem found and reported by René Bellora, Jean-Christophe Heger and
Tomasz Papszun. Many thanks !

ClamAV 0.65 is NOT affected by this problem.

Best regards,
Tomasz Kojm
--
   oo    .....       tkojm@clamav.net www.ClamAV.net
  (\/)\.........     http://www.clamav.net/gpg/tkojm.gpg
     \..........._   0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\      Sat Jan 3 11:27:24 CET 2004

From raymond at PROLOCATION.NET Sat Jan 3 16:49:06 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:42 2006
Subject: [RFCI-Discuss] New Zone: bogusmx
In-Reply-To:
Message-ID:

Hi!

FYI.

> A new zone has been added, per our recent discussions, "bogusmx".
>
> The policy document for this zone can be found at:
>
> http://www.rfc-ignorant.org/policy-bogusmx.php
>
> "If any publicly listed MX record for /domain/ contains a hostname
> which points to bogus IP address space, such as those documented in RFC
> 3330, or if /domain/ contains an MX RR that points to an IP address, in
> violation of RFC 1035."

Julian, could you add that one to the default ones also ?

RFC-IGNORANT-BOGUSMX bogusmx.rfc-ignorant.org

The return code for queries against this zone is 127.0.0.8.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sat Jan 3 17:01:48 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:42 2006
Subject: [RFCI-Discuss] New Zone: bogusmx
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040103170111.041df090@imap.ecs.soton.ac.uk>

At 16:49 03/01/2004, you wrote:
> > A new zone has been added, per our recent discussions, "bogusmx".
> >
> > The policy document for this zone can be found at:
> >
> > http://www.rfc-ignorant.org/policy-bogusmx.php
> >
> > "If any publicly listed MX record for /domain/ contains a hostname
> > which points to bogus IP address space, such as those documented in RFC
> > 3330, or if /domain/ contains an MX RR that points to an IP address, in
> > violation of RFC 1035."
>
>Julian, could you add that one to the default ones also ?
>
>RFC-IGNORANT-BOGUSMX bogusmx.rfc-ignorant.org

Done.
Don't forget the "." on the end of the domain name if you put it in by hand.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at CARLO65.DE Sat Jan 3 19:35:44 2004
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:21:42 2006
Subject: OT: MailScanner in german Computer Magazine
Message-ID: <3FF71990.7050706@carlo65.de>

Hi,

the German Computer Magazine c't (www.heise.de/ct/) had an article
about MailScanner in the latest edition.

If it is interesting for you, I could translate it into English.

Regards,
Roland

From faq at mailscanner.info Sun Jan 4 00:28:00 2004
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:21:42 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200401040028.i040S01l013762@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2003-12-28-04-13-35 2.717 error editPart 24527 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 3; in item: 4)

2003-12-29-05-19-30 2.717 note submitPart 9349 <(noID)> Perl warning: Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/submitPart.pm line 248.

2004-01-03-11-08-21 2.717 error editPart 16192 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 4; in item: 5)

From mailscanner at pdscc.com Sun Jan 4 03:31:10 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>
References: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401040347.TAA03726@sheridan.sibble.net>

On 1 Jan 2004 at 17:39, Darren Fulton - Concept Techn wrote:

> Yes, this sounds like postfix is refusing to receive email from the
> internet. You may be able to address that by editing your postfix main.cf
> files. Pay close attention to:

No actually it receives mail from the internet fine, from what I can see in
the logs it looks like the outbound queue /var/spool/postfix is bouncing the
message back after it makes it through the inbound queue

For the outbound queue, these are set as follows

> $relay_domains

relay_domains =

even with

relay_domains = $mydestination

the result is the same.

> $mydestination

mydestination = $myhostname, localhost.$mydomain, $mydomain

> mynetworks

mynetworks was not explicitly set since, I have the following set

mynetworks_style = subnet

example of a message sent through the mailscanner box, from
/var/log/mail/info

Jan 3 22:22:04 mailscan postfix/smtpd[1928]: connect from defout.telus.net[199.185.220.240]
Jan 3 22:22:04 mailscan postfix/smtpd[1928]: DC8453FA8: client=defout.telus.net[199.185.220.240]
Jan 3 22:22:05 mailscan postfix/cleanup[1929]: DC8453FA8: message-id=<200401040337.TAA03693@sheridan.sibble.net>
Jan 3 22:22:05 mailscan postfix/nqmgr[1813]: DC8453FA8: from=, size=1607, nrcpt=1 (queue active)
Jan 3 22:22:05 mailscan postfix/nqmgr[1813]: DC8453FA8: to=, relay=none, delay=1, status=deferred (deferred transport)
Jan 3 22:22:05 mailscan postfix/smtpd[1928]: disconnect from defout.telus.net[199.185.220.240]
Jan 3 19:22:07 mailscan MailScanner[1916]: Postfix queue structure is depth 1
Jan 3 19:22:07 mailscan MailScanner[1916]: New Batch: Scanning 1 messages, 1990 bytes
Jan 3 19:22:07
mailscan MailScanner[1915]: Postfix queue structure is depth 1 Jan 3 19:22:07 mailscan MailScanner[1914]: Postfix queue structure is depth 1 Jan 3 19:22:07 mailscan MailScanner[1917]: Postfix queue structure is depth 1 Jan 3 19:22:07 mailscan MailScanner[1908]: Postfix queue structure is depth 1 Jan 3 19:22:08 mailscan MailScanner[1916]: Virus and Content Scanning: Starting Jan 3 19:22:08 mailscan MailScanner[1916]: Uninfected: Delivered 1 messages Jan 3 22:22:08 mailscan postfix/nqmgr[1889]: 52CE46F58A: from=, size=1731, nrcpt=1 (queue active) Jan 3 19:22:09 mailscan postfix/local[1941]: 52CE46F58A: to=, relay=local, delay=5, status=bounced (unknown user: "harondel.j.sibble") Jan 3 22:22:09 mailscan postfix/cleanup[1944]: 0E3546F58B: message-id=<20040104032209.0E3546F58B@mailscan.somedomain.com> Jan 3 22:22:09 mailscan postfix/nqmgr[1889]: 0E3546F58B: from=<>, size=3345, nrcpt=1 (queue active) Jan 3 22:22:09 mailscan postfix/smtp[1945]: 0E3546F58B: to=, relay=smtp.netnation.com[204.174.223.62], delay=0, status=sent (250 OK id=1AcypD-0002sf-BI) -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From miguelk at konsultex.com.br Sun Jan 4 02:16:07 2004 From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Thu Jan 12 21:21:42 2006 Subject: OT: MailScanner in german Computer Magazine In-Reply-To: <3FF71990.7050706@carlo65.de> References: <3FF71990.7050706@carlo65.de> Message-ID: <20040104021408.M30740@konsultex.com.br> I would really appreciate if you could send me a scan of the article off topic. Besten Dank. Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message ----------- 
From: Roland Ehle
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Sat, 3 Jan 2004 20:35:44 +0100
Subject: OT: MailScanner in german Computer Magazine

> Hi,
>
> the German Computer Magazine c't (www.heise.de/ct/) had an article
> about MailScanner in the latest edition.
>
> If it is interesting for you, I could translate it into English.
>
> Regards,
> Roland
------- End of Original Message -------

--
This message has been checked by the antivirus system and is believed to be free of danger.

From mailscanner at pdscc.com Sun Jan 4 05:30:33 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE30B@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401040546.VAA04165@sheridan.sibble.net>

On 31 Dec 2003 at 19:55, Ugo Bellavance wrote:

> Please show us your main.cf.

I'll assume you mean the main.cf governing the outbound queue. Comments and stuff not modified by me have been removed for ease of reading. The mailscanner machine is at 10.10.10.20. The sonicwall nat router allows port 25 in to this box only. The expected behaviour is that once the mailscanner box has checked the mail, it forwards all mail to the internal mailserver. The internal mailserver is at 10.10.10.21.

queue_directory = /var/spool/postfix
mail_owner = postfix
myhostname = mailscan.somehost.com
mydomain = somehost.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
local_recipient_maps =
mynetworks_style = subnet
mynetworks = 10.10.10.0/24
relay_domains = $mydestination
#relay_domains =
### added dec 28/03 in conjunction with mailscanner setup
transport_maps = hash:/etc/postfix/transport

contents of the transport file

somedomain.com smtp:10.10.10.21

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From mailscanner at pdscc.com Sun Jan 4 05:30:33 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:42 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <200401040347.TAA03726@sheridan.sibble.net>
References: <3996.216.76.146.14.1073000395.squirrel@host1.concepttechnologyinc.com>
Message-ID: <200401040546.VAA04168@sheridan.sibble.net>

On 3 Jan 2004 at 19:31, Harondel J. Sibble wrote:

> No actually it receives mail from the internet fine, from what I can see in
> the logs it looks like the outbound queue /var/spool/postfix is bouncing the
> message back after it makes it through the inbound queue

Strangely enough, there are some addresses that make it through both queues and get bounced back by the internal server (expected as I haven't gotten around to adding the appropriate sendmail rule to send mail for unknown users to a specific existing user on the internal server)

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From chris at trudeau.org Sun Jan 4 09:02:40 2004
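The log reading described in the messages above, as an added example that is not part of the thread: shell functions that reduce Postfix delivery lines to queue ID, delivery agent, recipient, relay and status, then flag final deliveries for the relayed domain that did not go to the expected next hop. The log lines are constructed from the excerpt in the thread, with placeholder recipient addresses because the archive stripped the real ones, and the last line is wholly constructed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Summarise Postfix delivery lines and flag
# mail for a relayed domain that was not handed to the expected next hop.

# Constructed sample: the first three lines are modelled on the excerpt in the
# thread with placeholder recipients; the fourth is constructed to show a
# message that did reach the internal server.
sample_log() {
cat <<'EOF'
Jan 3 22:22:05 mailscan postfix/nqmgr[1813]: DC8453FA8: to=<harondel.j.sibble@somedomain.com>, relay=none, delay=1, status=deferred (deferred transport)
Jan 3 19:22:09 mailscan postfix/local[1941]: 52CE46F58A: to=<harondel.j.sibble@somedomain.com>, relay=local, delay=5, status=bounced (unknown user: "harondel.j.sibble")
Jan 3 22:22:09 mailscan postfix/smtp[1945]: 0E3546F58B: to=<sender@example.net>, relay=smtp.netnation.com[204.174.223.62], delay=0, status=sent (250 OK id=1AcypD-0002sf-BI)
Jan 3 22:40:11 mailscan postfix/smtp[1960]: 7A1B26F58C: to=<nobody@somedomain.com>, relay=10.10.10.21[10.10.10.21], delay=1, status=bounced (host 10.10.10.21[10.10.10.21] said: 550 User unknown)
EOF
}

# Read a log on stdin and print "queue-id agent recipient relay status" for
# every Postfix line that carries a delivery status.
delivery_summary() {
    awk '
    $5 ~ /^postfix\// && /status=/ {
        agent = $5; sub(/^postfix\//, "", agent); sub(/\[.*/, "", agent)
        qid = $6;   sub(/:$/, "", qid)
        rcpt = relay = status = "-"
        for (i = 7; i <= NF; i++) {
            if ($i ~ /^to=/) {
                rcpt = $i; sub(/^to=/, "", rcpt); gsub(/[<>,]/, "", rcpt)
                if (rcpt == "") rcpt = "-"      # address stripped from the log
            }
            if ($i ~ /^relay=/)  { relay = $i;  sub(/^relay=/, "", relay); sub(/,$/, "", relay) }
            if ($i ~ /^status=/) { status = $i; sub(/^status=/, "", status) }
        }
        print qid, agent, rcpt, relay, status
    }'
}

# unexpected_hops DOMAIN NEXT_HOP_IP
# Read a log on stdin and print the summary line of every sent or bounced
# delivery to a recipient in DOMAIN whose relay is not NEXT_HOP_IP.
# Deferred lines are skipped: in the excerpt the inbound queue defers the
# message before MailScanner picks it up, which is not a delivery attempt.
unexpected_hops() {
    delivery_summary | awk -v dom="$1" -v hop="$2" '
    ($5 == "sent" || $5 == "bounced") {
        n = split($3, parts, "@")
        if (n == 2 && tolower(parts[2]) == tolower(dom) && index($4, "[" hop "]") == 0)
            print
    }'
}
```

`sample_log | unexpected_hops somedomain.com 10.10.10.21` prints only the message that the `local` agent bounced; the message rejected by 10.10.10.21 itself is not flagged, because it did reach the intended next hop.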
From: chris at trudeau.org (Chris Trudeau) Date: Thu Jan 12 21:21:42 2006 Subject: Reporting/Summary In-Reply-To: <67D9E7698329D411936E00508B6590B902773D7F@neelix.lbsltd.co.uk> Message-ID: <000001c3d2a1$8206b0b0$23c8a8c0@serv> Steve, didn't even occur to me that MailWatch might have the data. Probably has all but error report, which is not as important: Postfix log summaries for Jan 3 Grand Totals ------------ messages 102 received 102 delivered 0 forwarded 1 deferred (1 deferrals) 0 bounced 0 rejected 688k bytes received 693k bytes delivered 19 senders 15 sending hosts/domains 8 recipients 7 recipient hosts/domains smtpd 72 connections 3 hosts/domains 2 avg. connect time (seconds) 0:01:53 total connect time Per-Hour Traffic Summary time received delivered deferred bounced rejected -------------------------------------------------------------------- 0000-0100 3 1 0 0 0 0100-0200 0 0 0 0 0 0200-0300 0 0 1 0 0 0300-0400 0 0 0 0 0 0400-0500 0 0 0 0 0 0500-0600 0 0 0 0 0 0600-0700 0 0 0 0 0 0700-0800 0 0 0 0 0 0800-0900 32 33 0 0 0 0900-1000 20 20 0 0 0 1000-1100 4 4 0 0 0 1100-1200 4 5 0 0 0 1200-1300 6 6 0 0 0 1300-1400 2 2 0 0 0 1400-1500 1 1 0 0 0 1500-1600 6 6 0 0 0 1600-1700 2 2 0 0 0 1700-1800 5 5 0 0 0 1800-1900 4 4 0 0 0 1900-2000 3 3 0 0 0 2000-2100 4 4 0 0 0 2100-2200 1 1 0 0 0 2200-2300 4 4 0 0 0 2300-2400 1 1 0 0 0 Host/Domain Summary: Message Delivery sent cnt bytes defers avg dly max dly host/domain -------- ------- ------- ------- ------- ----------- 70 382383 1 7.1 m 8.2 h trudeau.org 19 44979 0 1.5 m 28.7 m blackberry.net 7 21872 0 0.9 s 2.0 s tester.com 3 1649 0 13.3 s 39.0 s root 1 246968 0 11.0 s 11.0 s msn.com 1 10866 0 2.0 s 2.0 s test.com 1 1866 0 0.0 s 0.0 s terst.com Host/Domain Summary: Messages Received msg cnt bytes host/domain -------- ------- ----------- 34 220372 lists.sourceforge.net 28 322107 trudeau.org 16 31160 blackberry.net 6 23883 jiscmail.ac.uk 5 11332 google.com 2 11305 from=<> Per-Hour SMTPD Connection Summary hour connections 
time conn. avg./conn. max. time -------------------------------------------------------------------- 0000-0100 1 0:00:01 1s 1s 0800-0900 10 0:00:41 4s 19s 0900-1000 15 0:00:24 2s 5s 1000-1100 4 0:00:01 0s 1s 1100-1200 4 0:00:05 1s 3s 1200-1300 6 0:00:09 2s 4s 1300-1400 2 0:00:03 2s 2s 1400-1500 1 0:00:00 0s 0s 1500-1600 5 0:00:04 1s 3s 1600-1700 2 0:00:01 1s 1s 1700-1800 5 0:00:05 1s 2s 1800-1900 4 0:00:05 1s 3s 1900-2000 3 0:00:05 2s 4s 2000-2100 4 0:00:04 1s 3s 2100-2200 1 0:00:00 0s 0s 2200-2300 4 0:00:04 1s 3s 2300-2400 1 0:00:01 1s 1s Host/Domain Summary: SMTPD Connections connections time conn. avg./conn. max. time host/domain ----------- ---------- ---------- --------- ----------- 49 0:00:55 1s 19s 1.2.3.4 17 0:00:56 3s 5s trudeau.org 6 0:00:02 0s 1s 3.4.5.6 Senders by message count ------------------------ 32 spamassassin-talk-admin@lists.sourceforge.net 23 chris@trudeau.org 16 network@blackberry.net 6 owner-mailscanner@jiscmail.ac.uk 5 newsalerts-noreply@google.com 4 root@trudeau.org 2 from=<> 2 etp@etp04.etp.na.blackberry.net 1 jagent@route.deliverymail.com 1 ctructru@kx100.net Recipients by message count --------------------------- 70 chris@trudeau.org 19 network@blackberry.net 5 chris@bellsouth.net 3 root 2 support@example.org Senders by message size ----------------------- 309744 chris@trudeau.org 208196 spamassassin-talk-admin@lists.sourceforge.net 48706 list-bounces@dshield.org 31160 network@blackberry.net 23883 owner-mailscanner@jiscmail.ac.uk 11926 jeff@trudeau.org 11332 newsalerts-noreply@google.com 11305 from=<> 10599 jagent@route.deliverymail.com 7287 snort-sigs-admin@lists.sourceforge.net 7198 ctructru@bellsouth.net 5270 jones@jamison.org 4889 mailwatch-users-admin@lists.sourceforge.net 3944 etp@etp04.etp.na.blackberry.net 2942 balalerts.010304.11436414@alerts.wachovia.com 2520 machine@host.domain.org 2001 vf0xgtsj@dubaimail.com 1974 etp@etp02.etp.na.blackberry.net 437 traffic@trudeau.org Recipients by message size -------------------------- 
382383 chris@trudeau.org 246968 test@eaxmple.com 44979 test@example.net 11332 chris@example.org 10866 example@eample.com 10540 support@example.net 1866 test@exampler.net 1649 root message deferral detail ----------------------- local 1 bounce failed message bounce detail (by relay): none message reject detail: none smtp delivery failures: none Warnings -------- local 1 premature end-of-input on public/flush socket while reading inp... 1 timeout on private/bounce socket while reading input attribute ... 1 premature end-of-input on private/defer socket while reading in... 1 9681410F79F: defer service failure 1 unable to talk to fast flush service master 5 unix_trigger_event: read timeout for service public/flush 1 process /usr/libexec/postfix/smtp pid 2511 exit status 1 1 /usr/libexec/postfix/smtp: bad command startup -- throttling 1 process /usr/libexec/postfix/nqmgr pid 28885 exit status 1 nqmgr 1 private/smtp socket: malformed response 1 premature end-of-input on private/smtp socket while reading inp... 1 transport smtp failure -- see a previous warning/fatal/panic lo... smtpd 6 66.35.146.67: hostname gateway.messagedefense.com verification ... 
1 connect #7 to subsystem private/proxymap: Connection refused 1 connect #2 to subsystem private/proxymap: Connection refused 1 connect #3 to subsystem private/proxymap: Connection refused 1 connect #4 to subsystem private/proxymap: Connection refused 1 connect #1 to subsystem private/proxymap: Connection refused 1 connect #9 to subsystem private/proxymap: Connection refused 1 connect #5 to subsystem private/proxymap: Connection refused 1 connect #8 to subsystem private/proxymap: Connection refused 1 connect #6 to subsystem private/proxymap: Connection refused Fatal Errors ------------ master 1 watchdog timeout nqmgr 1 watchdog timeout smtp 1 config variable inet_interfaces: host not found: mail.trudeau.org Panics: none Master daemon messages ---------------------- 1 daemon started -- version 2.0.7 -----Original Message----- From: Steve Freegard [mailto:steve.freegard@lbsltd.co.uk] Sent: Friday, January 02, 2004 5:42 AM To: 'Chris Trudeau '; 'MAILSCANNER@JISCMAIL.AC.UK ' Subject: RE: Reporting/Summary Hi Chris, If you let me know your requirements - I'll write a cronable job that will e-mail you daily stats from MailWatch. Would that be of use?? Kind regards, Steve. -----Original Message----- From: Chris Trudeau To: MAILSCANNER@JISCMAIL.AC.UK Sent: 02/01/04 04:25 Subject: Re: Reporting/Summary Yep...all of these are good responses and I am using MailWatch religiously.... I'm looking for more of a summary such as the output of pflogsum for postfix. Just a general...here's how many messages processed, how many are spam viruses etc...that I can batch and email to myself every day... Thanks again! CT -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of chris albert Sent: Tuesday, December 30, 2003 11:16 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Reporting/Summary -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Trudeau wrote: >I'm sure it has been mentioned here, but I can't find it in the archives... > >What tools are you using (home-grown or not) on Sendmail MS systems to >provide daily summary statistics related to message volume spam percetnage >etc...Anything out there? > >CT Have you looked at Mail::Graph which can generate pages like: http://bloodgate.com/spams/stats.html ? C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/8aTVkRKXIlZkCr8RAgRkAJ9+vQsO0H1wdU4q8ahTV4gyhlHxvwCfa8Uw b9kC6pUAKscZlaepHASj3J4= =lxJV -----END PGP SIGNATURE----- -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From splee at PLEXIO.COM Sun Jan 4 09:14:59 2004 
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:21:42 2006 Subject: All messages quarantined on Trustix 2.0/MS 4.25-14 Message-ID: <1073207698.8778.151.camel@ralph.plexio.private> I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos 3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for installing MS manually from a tar file and configured Exim to use separate incoming and outgoing queues. Exim appears to receive incoming messages and MS picks them up. The problem is that MS takes all messages and marks them as infected and places them in quarantine. The following message is generated: Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages, 1068 bytes Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: Starting Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to /var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62 Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned messages Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages The warning message contains: Received: from exim by ugw.united.private with local (Exim 4.24) id 1Ad3t1-0003ix-R3 for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800 
From: "MailScanner-UGW" To: postmaster@ugw.united.private Subject: Warning: E-mail viruses detected Message-Id: Date: Sun, 04 Jan 2004 00:45:27 -0800 The following e-mail messages were found to have viruses in them: Sender: postmaster@ugw.united.private IP Address: 127.0.0.1 Recipient: postmaster@ugw.united.private Subject: Warning: E-mail viruses detected MessageID: 1Ad3lV-0003hp-62 Report: MailScanner: Could not analyze message -- MailScanner Email Virus Scanner www.mailscanner.info Each warning message spawns another warning message and in short order the quarantine directory fills-up. "ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos" is set and sweep is not active when set to "Virus Scanners = none". However, in both cases the same warning message (ie. detected virus) is generated. Here are some of the pertinent settings in /opt/MailScanner/etc/MailScanner.conf: Run As User = exim Run As Group = exim Incoming Queue Dir = /var/spool/exim_incoming/input Outgoing Queue Dir = /var/spool/exim/input Quarantine Dir = /var/spool/MailScanner/quarantine MTA = exim Sendmail = /usr/local/bin/exim Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf Virus Scanners = sophos Quarantine Infections = yes Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no Spam Checks = yes Use SpamAssassin = no Split Exim Spool = no /etc/sysconfig/MailScanner looks like this: MTA=exim EXIM=/usr/local/bin/exim EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration file The following perl modules were downloaded, compiled and installed with no issues: Convert-TNEF-0.17 File-Spec-0.82 File-Temp-0.14 HTML-Parser-3.26 HTML-Tagset-3.03 IO-stringy-2.108 MIME-Base64-2.12 MIME-tools-5.411 (patched version) MailTools-1.50 Net-CIDR-0.09 Any suggestions on what next or diagnostics you need? Thanks and Happy New Year! 
Stephen From ryan.finnesey at CORPDSG.COM Sun Jan 4 09:20:01 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:42 2006 Subject: NetIQ AppManager? Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BF32@dc012.corpdsg.com> Is anyone Monitoring Mail Scanner with NetIQ AppManager? Ryan Finnesey Diversified Solutions Group 119 West 72 Street New York NY 10023 * ryan.finnesey@corpdsg.com * 212-920-0000 * 212-920-0001 From mailscanner at ecs.soton.ac.uk Sun Jan 4 12:20:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:42 2006 Subject: All messages quarantined on Trustix 2.0/MS 4.25-14 In-Reply-To: <1073207698.8778.151.camel@ralph.plexio.private> References: <1073207698.8778.151.camel@ralph.plexio.private> Message-ID: <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> Check the permissions on your Exim queue directories. For some reason it is failing to analyse the message at all. At 09:14 04/01/2004, you wrote: >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for >installing MS manually from a tar file and configured Exim to use >separate incoming and outgoing queues. Exim appears to receive incoming >messages and MS picks them up. The problem is that MS takes all messages >and marks them as infected and places them in quarantine. The following >message is generated: > > Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages, >1068 bytes >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: >Starting >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62 >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned >messages >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages > >The warning message contains: > >Received: from exim by ugw.united.private with local (Exim 4.24) > id 1Ad3t1-0003ix-R3 > for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800 
>From: "MailScanner-UGW" >To: postmaster@ugw.united.private >Subject: Warning: E-mail viruses detected >Message-Id: >Date: Sun, 04 Jan 2004 00:45:27 -0800 > >The following e-mail messages were found to have viruses in them: > > Sender: postmaster@ugw.united.private >IP Address: 127.0.0.1 > Recipient: postmaster@ugw.united.private > Subject: Warning: E-mail viruses detected > MessageID: 1Ad3lV-0003hp-62 > Report: MailScanner: Could not analyze message > > >-- >MailScanner >Email Virus Scanner >www.mailscanner.info > > > >Each warning message spawns another warning message and in short order >the quarantine directory fills-up. > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos" >is set and sweep is not active when set to "Virus Scanners = none". >However, in both cases the same warning message (ie. detected virus) is >generated. > >Here are some of the pertinent settings in >/opt/MailScanner/etc/MailScanner.conf: > >Run As User = exim >Run As Group = exim >Incoming Queue Dir = /var/spool/exim_incoming/input >Outgoing Queue Dir = /var/spool/exim/input >Quarantine Dir = /var/spool/MailScanner/quarantine >MTA = exim >Sendmail = /usr/local/bin/exim >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf >Virus Scanners = sophos >Quarantine Infections = yes >Quarantine Whole Message = yes >Quarantine Whole Messages As Queue Files = no >Spam Checks = yes >Use SpamAssassin = no >Split Exim Spool = no > >/etc/sysconfig/MailScanner looks like this: > >MTA=exim >EXIM=/usr/local/bin/exim >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration >file > >The following perl modules were downloaded, compiled and installed with >no issues: > >Convert-TNEF-0.17 >File-Spec-0.82 >File-Temp-0.14 >HTML-Parser-3.26 >HTML-Tagset-3.03 >IO-stringy-2.108 >MIME-Base64-2.12 >MIME-tools-5.411 (patched version) >MailTools-1.50 >Net-CIDR-0.09 > > >Any suggestions on what next or 
diagnostics you need? > >Thanks and Happy New Year! >Stephen -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From carsten at WELCOMES-YOU.COM Sun Jan 4 15:50:19 2004 
From: carsten at WELCOMES-YOU.COM (Carsten Aulbert) Date: Thu Jan 12 21:21:42 2006 Subject: Problems writing to exim4's input directory after mail has been processed Message-ID: <3FF8363B.2090409@welcomes-you.com> Hi, I've just installed and configured exim4 + MailScanner (4.30 + 4.25) for the first time and tried a few things. It seems to work pretty good, i.e. email is received by the first exim process and processing starts by MailScanner. SpamAssassin and both virus scanners seem to work well, but when MailScanner tries to move a message to the second exim's incoming directory it tries to save it into a non-existent subdirectory names '9' for unknow reasons. Here's the log: Jan 4 15:12:19 wycom MailScanner[16058]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Jan 4 15:12:27 wycom MailScanner[16058]: Using locktype = posix Jan 4 15:12:27 wycom MailScanner[16058]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Jan 4 15:12:27 wycom MailScanner[16058]: New Batch: Scanning 1 messages, 2484 bytes Jan 4 15:12:27 wycom MailScanner[16058]: MCP Checks completed at 2484 bytes per second Jan 4 15:12:27 wycom MailScanner[16058]: Spam Checks: Starting Jan 4 15:12:29 wycom MailScanner[16060]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... 
Jan 4 15:12:30 wycom MailScanner[16058]: Spam Checks completed at 828 bytes per second Jan 4 15:12:30 wycom MailScanner[16058]: Virus and Content Scanning: Starting Jan 4 15:12:30 wycom MailScanner[16058]: /var/spool/MailScanner/incoming/16058/1Ad9t9-00048c-Lz/eicar.com Infection: EICA R_Test_File Jan 4 15:12:30 wycom MailScanner[16058]: Virus Scanning: F-Prot found virus EICAR_Test_File Jan 4 15:12:30 wycom MailScanner[16058]: Virus Scanning: F-Prot found 1 infections Jan 4 15:12:31 wycom MailScanner[16058]: /var/spool/MailScanner/incoming/16058/./1Ad9t9-00048c-Lz/eicar.com: Eicar-Test-Si gnature FOUND Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning: ClamAV found 1 infections Jan 4 15:12:31 wycom MailScanner[16058]: Infected message 1Ad9t9-00048c-Lz came from 134.169.9.55 Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning: Found 1 viruses Jan 4 15:12:31 wycom MailScanner[16058]: Filename Checks: Windows/DOS Executable (eicar.com) Jan 4 15:12:31 wycom MailScanner[16058]: Filename Checks: Allowing msg-16058-1.txt Jan 4 15:12:31 wycom MailScanner[16058]: Other Checks: Found 1 problems Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning completed at 2484 bytes per second Jan 4 15:12:31 wycom MailScanner[16058]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040104/1Ad9t9-0 0048c-Lz Jan 4 15:12:31 wycom MailScanner[16058]: Could not open file >/var/spool/exim4_out/input/9/1Ad9t9-00048c-Lz-D: No such file or directory Jan 4 15:12:31 wycom MailScanner[16058]: Cannot create + lock clean body /var/spool/exim4_out/input/9/1Ad9t9-00048c-Lz-D, From the conf file: Incoming Queue Dir = /var/spool/exim4_in/input Outgoing Queue Dir = /var/spool/exim4_out/input Any idea where I can fix that/what kind of error that is? Cheers Carsten From mailscanner at ecs.soton.ac.uk Sun Jan 4 16:15:03 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:42 2006 Subject: Problems writing to exim4's input directory after mail has been processed In-Reply-To: <3FF8363B.2090409@welcomes-you.com> References: <3FF8363B.2090409@welcomes-you.com> Message-ID: <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk> Are you using split exim spools? If so, all the split directories need to exist before MailScanner tries to put a message in them. For each directory under /var/spool/exim4_in/input, there needs to be a matching one under /var/spool/exim4_out/input. I guess I should make it create all these directories at startup if they don't already exist. What is the complete list of directories needed? 0-9 and a-z or A-Z or A-F or a-f or...? At 15:50 04/01/2004, you wrote: >Hi, > >I've just installed and configured exim4 + MailScanner (4.30 + 4.25) for the >first time and tried a few things. It seems to work pretty good, i.e. email >is received by the first exim process and processing starts by MailScanner. > >SpamAssassin and both virus scanners seem to work well, but when MailScanner >tries to move a message to the second exim's incoming directory it tries to >save it into a non-existent subdirectory names '9' for unknow reasons. > > >Here's the log: > >Jan 4 15:12:19 wycom MailScanner[16058]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Jan 4 15:12:27 wycom MailScanner[16058]: Using locktype = posix >Jan 4 15:12:27 wycom MailScanner[16058]: Creating hardcoded struct_flock >subroutine for linux (Linux-type) >Jan 4 15:12:27 wycom MailScanner[16058]: New Batch: Scanning 1 messages, >2484 bytes >Jan 4 15:12:27 wycom MailScanner[16058]: MCP Checks completed at 2484 bytes >per second >Jan 4 15:12:27 wycom MailScanner[16058]: Spam Checks: Starting >Jan 4 15:12:29 wycom MailScanner[16060]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... 
>Jan 4 15:12:30 wycom MailScanner[16058]: Spam Checks completed at 828 bytes >per second >Jan 4 15:12:30 wycom MailScanner[16058]: Virus and Content Scanning: Starting >Jan 4 15:12:30 wycom MailScanner[16058]: >/var/spool/MailScanner/incoming/16058/1Ad9t9-00048c-Lz/eicar.com Infection: >EICA >R_Test_File >Jan 4 15:12:30 wycom MailScanner[16058]: Virus Scanning: F-Prot found virus >EICAR_Test_File >Jan 4 15:12:30 wycom MailScanner[16058]: Virus Scanning: F-Prot found 1 >infections >Jan 4 15:12:31 wycom MailScanner[16058]: >/var/spool/MailScanner/incoming/16058/./1Ad9t9-00048c-Lz/eicar.com: >Eicar-Test-Si >gnature FOUND >Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning: ClamAV found 1 >infections >Jan 4 15:12:31 wycom MailScanner[16058]: Infected message 1Ad9t9-00048c-Lz >came from 134.169.9.55 >Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning: Found 1 viruses >Jan 4 15:12:31 wycom MailScanner[16058]: Filename Checks: Windows/DOS >Executable (eicar.com) >Jan 4 15:12:31 wycom MailScanner[16058]: Filename Checks: Allowing >msg-16058-1.txt >Jan 4 15:12:31 wycom MailScanner[16058]: Other Checks: Found 1 problems >Jan 4 15:12:31 wycom MailScanner[16058]: Virus Scanning completed at 2484 >bytes per second >Jan 4 15:12:31 wycom MailScanner[16058]: Saved infected "eicar.com" to >/var/spool/MailScanner/quarantine/20040104/1Ad9t9-0 >0048c-Lz >Jan 4 15:12:31 wycom MailScanner[16058]: Could not open file > >/var/spool/exim4_out/input/9/1Ad9t9-00048c-Lz-D: No such file or directory >Jan 4 15:12:31 wycom MailScanner[16058]: Cannot create + lock clean body >/var/spool/exim4_out/input/9/1Ad9t9-00048c-Lz-D, > > From the conf file: >Incoming Queue Dir = /var/spool/exim4_in/input >Outgoing Queue Dir = /var/spool/exim4_out/input > > >Any idea where I can fix that/what kind of error that is? 
>
>Cheers
>
>Carsten

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From splee at PLEXIO.COM Sun Jan 4 16:24:01 2004
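The matching-directory requirement from the reply above, as an added example that is not part of the thread or of MailScanner: shell functions that derive the split-spool subdirectory from a message ID and pre-create whatever is missing under an input directory. It assumes Exim's documented `split_spool_directory` layout (62 single-character subdirectories, 0-9, A-Z and a-z, chosen by the sixth character of the message ID, which is why `1Ad9t9-00048c-Lz` was written under `input/9/` in the log) and the 6-6-2 message ID format seen in the thread; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Pre-create the subdirectories Exim uses
# when split_spool_directory is set, so a queue writer never hits ENOENT.

# The 62 subdirectory names: digits, upper-case and lower-case letters.
SPLIT_NAMES="0 1 2 3 4 5 6 7 8 9
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z"

# split_subdir MESSAGE_ID
# Print the subdirectory a message is filed under: the sixth character of its
# ID. Returns 1 for anything that is not a 6-6-2 base-62 message ID
# (assumption: the ID format shown in the thread's logs).
split_subdir() {
    printf '%s\n' "$1" |
        LC_ALL=C grep -Eq '^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$' || return 1
    printf '%s\n' "$1" | cut -c6
}

# missing_split_dirs INPUT_DIR
# List, one per line, the split subdirectories that do not exist yet.
missing_split_dirs() {
    for name in $SPLIT_NAMES; do
        [ -d "$1/$name" ] || printf '%s\n' "$name"
    done
}

# create_split_dirs INPUT_DIR
# Create every missing subdirectory with mode 750, owned by the invoking user,
# and print how many were created. Existing directories are left untouched.
create_split_dirs() {
    created=0
    for name in $(missing_split_dirs "$1"); do
        mkdir -m 750 "$1/$name" || return 1
        created=$((created + 1))
    done
    printf '%s\n' "$created"
}
```

Run `create_split_dirs /var/spool/exim4_out/input` as the account that owns the spool, so the new directories carry the same ownership as the rest of the queue.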
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:21:42 2006 Subject: All messages quarantined on Trustix 2.0/MS 4.25-14 In-Reply-To: <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> Message-ID: <1073233440.8598.164.camel@ralph.plexio.private> That was my first guess but the permissions suggest that it shouldn't be the problem. drwxrwxr-- 5 exim exim 4096 Jan 4 08:12 exim/ drwxrwxr-- 4 exim exim 4096 Jan 4 08:12 exim_incoming/ All subdirectories have the same permissions. I even su'd to exim and was able to created/deleted files in those directories. Setting them to 777 made no difference. Here's a piece of the exim log: 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs, listening for SMTP on port 25 (IPv4) 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -q15m 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not listening for SMTP 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -q 2004-01-04 08:22:21 Start queue run: pid=22338 2004-01-04 08:22:21 End queue run: pid=22338 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args: /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc 1AdB0M-0005ni-Nz 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not found 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster@ugw.united.private U=exim P=local S=762 Stephen On Sun, 2004-01-04 at 04:20, Julian Field wrote: > Check the permissions on your Exim queue directories. For some reason it is > failing to analyse the message at all. > > At 09:14 04/01/2004, you wrote: > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos > >3.77/Exim 4.24/Fetchmail-6.2.5. 
I've followed the MS instructions for
> >installing MS manually from a tar file and configured Exim to use
> >separate incoming and outgoing queues. Exim appears to receive incoming
> >messages and MS picks them up. The problem is that MS takes all messages
> >and marks them as infected and places them in quarantine. The following
> >message is generated:
> >
> >Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages,
> >1068 bytes
> >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting
> >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning:
> >Starting
> >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to
> >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62
> >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned
> >messages
> >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages
> >
> >The warning message contains:
> >
> >Received: from exim by ugw.united.private with local (Exim 4.24)
> >        id 1Ad3t1-0003ix-R3
> >        for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800
> >From: "MailScanner-UGW"
> >To: postmaster@ugw.united.private
> >Subject: Warning: E-mail viruses detected
> >Message-Id:
> >Date: Sun, 04 Jan 2004 00:45:27 -0800
> >
> >The following e-mail messages were found to have viruses in them:
> >
> >    Sender: postmaster@ugw.united.private
> >IP Address: 127.0.0.1
> > Recipient: postmaster@ugw.united.private
> >   Subject: Warning: E-mail viruses detected
> > MessageID: 1Ad3lV-0003hp-62
> >    Report: MailScanner: Could not analyze message
> >
> >
> >--
> >MailScanner
> >Email Virus Scanner
> >www.mailscanner.info
> >
> >
> >Each warning message spawns another warning message and in short order
> >the quarantine directory fills-up.
> >
> >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos"
> >is set and sweep is not active when set to "Virus Scanners = none".
> >However, in both cases the same warning message (ie. detected virus) is
> >generated.
> >
> >Here are some of the pertinent settings in
> >/opt/MailScanner/etc/MailScanner.conf:
> >
> >Run As User = exim
> >Run As Group = exim
> >Incoming Queue Dir = /var/spool/exim_incoming/input
> >Outgoing Queue Dir = /var/spool/exim/input
> >Quarantine Dir = /var/spool/MailScanner/quarantine
> >MTA = exim
> >Sendmail = /usr/local/bin/exim
> >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf
> >Virus Scanners = sophos
> >Quarantine Infections = yes
> >Quarantine Whole Message = yes
> >Quarantine Whole Messages As Queue Files = no
> >Spam Checks = yes
> >Use SpamAssassin = no
> >Split Exim Spool = no
> >
> >/etc/sysconfig/MailScanner looks like this:
> >
> >MTA=exim
> >EXIM=/usr/local/bin/exim
> >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file
> >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration
> >file
> >
> >The following perl modules were downloaded, compiled and installed with
> >no issues:
> >
> >Convert-TNEF-0.17
> >File-Spec-0.82
> >File-Temp-0.14
> >HTML-Parser-3.26
> >HTML-Tagset-3.03
> >IO-stringy-2.108
> >MIME-Base64-2.12
> >MIME-tools-5.411 (patched version)
> >MailTools-1.50
> >Net-CIDR-0.09
> >
> >
> >Any suggestions on what next or diagnostics you need?
> >
> >Thanks and Happy New Year!
> >Stephen
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Sun Jan 4 16:48:01 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:43 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE31C@mtlnt501fs.CAMOROUTE.COM>

Sorry, forgot to send to the list...

> -----Original Message-----
> From: Harondel J. Sibble [mailto:help@pdscc.com]
> Sent: Sunday, January 04, 2004 10:54 AM
> To: Ugo Bellavance
> Subject: RE: postfix, mailscanner, mail relay
>
>
> On 4 Jan 2004 at 8:54, Ugo Bellavance wrote:
> > > contents of the transport file
> > > somedomain.com smtp:10.10.10.21
> >
> > here it should be :
> > somedomain.com smtp:[10.10.10.21]
> > or
> > somedomain.com esmtp:[10.10.10.21]
>
> Ugo, I made that change, but still having same problem...
> . I modified
> the transport file, rehashed it and restarted MS.
>

Have you tried deleting the account you want to be relayed to your internal server?

> the /etc/postfix.in/mail.cf is setup thusly.
>
> queue_directory = /var/spool/postfix.in
> myhostname = mailscan.somedomain.com
> mydomain = somedomain.com
> myorigin = $mydomain
> inet_interfaces = all
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> local_recipient_maps =
> mynetworks_style = subnet
> the mynetworks value is not defined
> relay_domains =
> there is no transport map defined
> alias_maps = hash:/etc/postfix/aliases # ?should this be changed postfix.in?
>
> the /etc/postfix/mail.cf is as follows, maybe I've got something crossed
> between the 2 files?
>
> > > I'll assume you mean the main.cf governing the outbound queue. Comments and
> > > stuff not modified by me have been removed for ease of reading. The
> > > mailscanner machine is at 10.10.10.20. The sonicwall nat router allows port
> > > 25 in to this box only. The expected behaviour is that once the mailscanner
> > > box has checked the mail, it forwards all mail to the internal mailserver.
> > > The internal mailserver is at 10.10.10.21.
> > >
> > > queue_directory = /var/spool/postfix
> > > mail_owner = postfix
> > > myhostname = mailscan.somehost.com
> > > mydomain = somehost.com
> > > myorigin = $mydomain
> > > inet_interfaces = all
> > > mydestination = $myhostname, localhost.$mydomain, $mydomain
> > > local_recipient_maps =
> > > mynetworks_style = subnet
> > > mynetworks = 10.10.10.0/24
> > > relay_domains = $mydestination
> > > #relay_domains =
> > > ### added dec 28/03 in conjunction with mailscanner setup
> > > transport_maps = hash:/etc/postfix/transport
>
> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>
>

From carsten at WELCOMES-YOU.COM Sun Jan 4 21:36:11 2004
From: carsten at WELCOMES-YOU.COM (Carsten Aulbert)
Date: Thu Jan 12 21:21:43 2006
Subject: Problems writing to exim4's input directory after mail has been processed
In-Reply-To: <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk>
References: <3FF8363B.2090409@welcomes-you.com> <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk>
Message-ID: <3FF8874B.7050409@welcomes-you.com>

Julian Field wrote:

> Are you using split exim spools? If so, all the split directories need to
> exist before MailScanner tries to put a message in them. For each directory
> under /var/spool/exim4_in/input, there needs to be a matching one under
> /var/spool/exim4_out/input.
>

Yes, I do. But since before I was just using exim V3 I think I need to
invest a bit of reading of exim V4 docs. I have not been aware exim is
using subdirectories like that (nor have I found them in the daemon's
input directory, but I'll recheck that).

> I guess I should make it create all these directories at startup if they
> don't already exist. What is the complete list of directories needed? 0-9
> and a-z or A-Z or A-F or a-f or...?
>

I'll do that, thanks a lot and sorry for bothering.

Cheers

Carsten

From mailscanner at pdscc.com Mon Jan 5 05:34:01 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:21:43 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE31C@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401050550.VAA03790@sheridan.sibble.net>

On 4 Jan 2004 at 11:48, Ugo Bellavance wrote:

> Have you tried deleting the account you want to be relayed to your internal
> server?

No, as the account I am sending to for testing does not exist on the mail
relay, only the internal server.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 5 08:25:46 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:43 2006
Subject: Exim - Using ACLs to verify RCPT TO
Message-ID:

> I posted it here because it is directly relevant to the way
> Exim is set up with MailScanner, and I know several Exim

Sorry to disagree but this is not true. This problem occurs whenever you
are using Exim in front of MTAs doing the local delivery. This is in no
way MailScanner specific and therefore should go to the Exim mailing
list. BTW: The topic has been covered more than enough there. You can use
all sorts of lookups in the Exim ACLs (LDAP, SQL, CDB etc.).

Personally we are exporting our Exchange 2000 (or Exchange 5.5)
directories (valid e-mail addresses only) every 30 minutes. When they
have changed we create a new database on the Exim/MailScanner proxy and
use this database with a lookup rule in the RCPTTO ACL.

Disadvantage: Changes take 30-60 minutes to take effect. No problem here.

Advantage: We need no LDAP lookups from the proxy machine to our Exchange
environment. I simply do not trust Microsoft enough for this. All I want
to allow is SMTP and that's it. :-)

> folks lurk on this list (and, because I'm not subscribed to
> any Exim lists).

You should be!

Regards,
JP

From raymond at PROLOCATION.NET Mon Jan 5 10:52:01 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:43 2006
Subject: O/T Spamhaus Releases Exploits Block List (XBL)
In-Reply-To: <00e601c3d379$129d2d20$0201000a@zajd.com>
Message-ID:

Hi!

> Spamhaus released XBL 1/1-2004. Anyone tested it yet? Any comments?
> (http://www.spamhaus.org/news.lasso?article=151 and
> http://www.spamhaus.org/xbl)

Did you miss the earlier posts about this? =)

I have been using CBL a long time now and am happy with that, XBL is the
same currently...

Bye,
Raymond.

From daniel at ZAJD.COM Mon Jan 5 10:45:44 2004
From: daniel at ZAJD.COM (Daniel Zajd)
Date: Thu Jan 12 21:21:43 2006
Subject: O/T Spamhaus Releases Exploits Block List (XBL)
References: <001501c3d0ae$1e908320$1c150fd0@shire>
Message-ID: <00e601c3d379$129d2d20$0201000a@zajd.com>

Hi!

Spamhaus released XBL 1/1-2004. Anyone tested it yet? Any comments?
(http://www.spamhaus.org/news.lasso?article=151 and
http://www.spamhaus.org/xbl)

//Daniel
Mailsystem Sweden (www.mailsystem.net)
Phone: +46706660755

From daniel at ZAJD.COM Mon Jan 5 11:05:20 2004
From: daniel at ZAJD.COM (Daniel Zajd)
Date: Thu Jan 12 21:21:43 2006
Subject: O/T Spamhaus Releases Exploits Block List (XBL)
References:
Message-ID: <011c01c3d37b$cf212580$0201000a@zajd.com>

Oh, sorry I did.

But shouldn't sbl-xbl.spamhaus.org be the correct one to use?

//Daniel

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Monday, January 05, 2004 11:52 AM
Subject: Re: O/T Spamhaus Releases Exploits Block List (XBL)

> Hi!
>
> > Spamhaus released XBL 1/1-2004. Anyone tested it yet? Any comments?
> > (http://www.spamhaus.org/news.lasso?article=151 and
> > http://www.spamhaus.org/xbl)
>
> Did you miss the earlier posts about this? =)
>
> I have been using CBL a long time now and am happy with that, XBL is the
> same currently...
>
> Bye,
> Raymond.
>
>

From carsten at WELCOMES-YOU.COM Mon Jan 5 11:05:37 2004
From: carsten at WELCOMES-YOU.COM (Carsten Aulbert)
Date: Thu Jan 12 21:21:43 2006
Subject: Problems writing to exim4's input directory after mail has been processed
In-Reply-To: <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk>
References: <3FF8363B.2090409@welcomes-you.com> <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk>
Message-ID: <3FF94501.3050706@welcomes-you.com>

Julian Field wrote:

> I guess I should make it create all these directories at startup if they
> don't already exist. What is the complete list of directories needed? 0-9
> and a-z or A-Z or A-F or a-f or...?
>

I just did a small test and exim4 seems not to like subdirectories under
input too much, at least it gets rid of them any time a queue run occurs.

Do you know why MailScanner tries to write the files into such
subdirectories instead of placing them plainly into the input directory
for the outgoing exim4?

Test today:
Could not open file >/var/spool/exim4_out/input/v/1AdSMv-0003NV-2K-D: No such file or directory

Is this subdirectory necessary for any other client?

Sorry, for not being of much help right now

CA

From raymond at PROLOCATION.NET Mon Jan 5 11:26:59 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:43 2006
Subject: Problems writing to exim4's input directory after mail has been processed
In-Reply-To: <3FF94501.3050706@welcomes-you.com>
Message-ID:

Hi!

> > I guess I should make it create all these directories at startup if they
> > don't already exist. What is the complete list of directories needed? 0-9
> > and a-z or A-Z or A-F or a-f or...?

> Do you know why MailScanner tries to write the files into such subdirectories
> instead of placing them plainly into the input directory for the outgoing exim4?
>
> Test today:
> Could not open file >/var/spool/exim4_out/input/v/1AdSMv-0003NV-2K-D: No
> such file or directory
>
> Is this subdirectory necessary for any other client?
> Sorry, for not being of much help right now

Most likely you have:

Split Exim Spool = yes

In your MailScanner.conf ?

bye,
Raymond.

From dbird at SGHMS.AC.UK Mon Jan 5 11:30:37 2004
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:43 2006
Subject: O/T Spamhaus Releases Exploits Block List (XBL)
References: <011c01c3d37b$cf212580$0201000a@zajd.com>
Message-ID: <3FF94ADD.20306@sghms.ac.uk>

Daniel Zajd wrote:

>Oh, sorry I did.
>
>But shouldn't sbl-xbl.spamhaus.org be the correct one to use?
>
>//Daniel
>

Depends ;-)
If you want to use the combined sbl and xbl, then yes. If you want to use
one and not the other then the way to go is sbl.spamhaus.org or
xbl.spamhaus.org.

Dan

>
>
>----- Original Message -----
>From: "Raymond Dijkxhoorn"
>To:
>Sent: Monday, January 05, 2004 11:52 AM
>Subject: Re: O/T Spamhaus Releases Exploits Block List (XBL)
>
>
>>Hi!
>>
>>>Spamhaus released XBL 1/1-2004. Anyone tested it yet? Any comments?
>>>(http://www.spamhaus.org/news.lasso?article=151 and
>>>http://www.spamhaus.org/xbl)
>>>
>>Did you miss the earlier posts about this? =)
>>
>>I have been using CBL a long time now and am happy with that, XBL is the
>>same currently...
>>
>>Bye,
>>Raymond.
>>
>

--
____________________________________
Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________

Everything is possible....except skiing through a revolving door

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Mon Jan 5 11:39:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:43 2006
Subject: Problems writing to exim4's input directory after mail has been processed
In-Reply-To: <3FF94501.3050706@welcomes-you.com>
References: <3FF8363B.2090409@welcomes-you.com> <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk> <3FF94501.3050706@welcomes-you.com>
Message-ID: <6.0.1.1.2.20040105112217.03945ae8@imap.ecs.soton.ac.uk>

If you are using split exim spools, you need to set this in MailScanner.conf:
        Split Exim Spool = yes
If you are not using split exim spools, you need to set this in MailScanner.conf:
        Split Exim Spool = no

At 11:05 05/01/2004, you wrote:
>Julian Field wrote:
>
>>I guess I should make it create all these directories at startup if they
>>don't already exist. What is the complete list of directories needed? 0-9
>>and a-z or A-Z or A-F or a-f or...?
>
>I just did a small test and exim4 seems not to like subdirectories under
>input too much, at least it gets rid of them any time a queue run occurs.
>
>Do you know why MailScanner tries to write the files into such subdirectories
>instead of placing them plainly into the input directory for the outgoing
>exim4?
>
>Test today:
>Could not open file >/var/spool/exim4_out/input/v/1AdSMv-0003NV-2K-D: No
>such file or directory
>
>Is this subdirectory necessary for any other client?
>
>Sorry, for not being of much help right now
>
>CA

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From carsten at WELCOMES-YOU.COM Mon Jan 5 11:51:21 2004
From: carsten at WELCOMES-YOU.COM (Carsten Aulbert)
Date: Thu Jan 12 21:21:43 2006
Subject: Problems writing to exim4's input directory after mail has been processed
In-Reply-To: <6.0.1.1.2.20040105112217.03945ae8@imap.ecs.soton.ac.uk>
References: <3FF8363B.2090409@welcomes-you.com> <6.0.1.1.2.20040104161202.0410cec0@imap.ecs.soton.ac.uk> <3FF94501.3050706@welcomes-you.com> <6.0.1.1.2.20040105112217.03945ae8@imap.ecs.soton.ac.uk>
Message-ID: <3FF94FB9.9020309@welcomes-you.com>

Julian Field wrote:

> If you are using split exim spools, you need to set this in
> MailScanner.conf:
> Split Exim Spool = yes
> If you are not using split exim spools, you need to set this in
> MailScanner.conf:
> Split Exim Spool = no
>

Darn, I suppose I've set this option to yes at some point without really
understanding what I was doing.

Sorry for bothering and thank you for this marvelous tool! With no it
seems to work like a charm.

Carsten

From isp-list at TULSACONNECT.COM Mon Jan 5 14:04:08 2004
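Added example, not part of any message in this archive: a shell check for the mismatch the split-spool thread above ends on, where `Split Exim Spool` disagrees with the layout Exim actually uses. It assumes Exim's documented `split_spool_directory` behaviour (62 single-character subdirectories, selected by the sixth character of the message ID, which matches the `input/v/1AdSMv-...` path in the thread); the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: check that MailScanner's "Split Exim Spool" setting agrees
# with the Exim spool layout on disk. Function names are hypothetical.

# Exim's split_spool_directory files a message under input/<c>/, where <c>
# is the sixth character of the message ID: 1AdSMv-0003NV-2K -> v.
split_subdir() {
    printf '%s\n' "$1" | cut -c6
}

# The 62 single-character names a split spool can use: 0-9, A-Z, a-z.
all_split_names() {
    printf '%s\n' 0 1 2 3 4 5 6 7 8 9 \
        A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \
        a b c d e f g h i j k l m n o p q r s t u v w x y z
}

# "yes" if message files (-H/-D) sit in single-character subdirectories,
# "no" if they sit directly in the input directory, "empty" if none queued.
detect_split() {
    for f in "$1"/?/*-[HD]; do
        if [ -f "$f" ]; then echo yes; return 0; fi
    done
    for f in "$1"/*-[HD]; do
        if [ -f "$f" ]; then echo no; return 0; fi
    done
    echo empty
}

# Names present under the incoming input directory ($1) but absent under
# the outgoing one ($2); MailScanner cannot write into a missing directory.
missing_out_dirs() {
    for name in $(all_split_names); do
        if [ -d "$1/$name" ] && [ ! -d "$2/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage: check_split_setting yes|no INCOMING_INPUT OUTGOING_INPUT
# Prints a verdict; returns 0 when setting and layout agree, 1 otherwise.
check_split_setting() {
    actual=$(detect_split "$2")
    if [ "$actual" != empty ] && [ "$actual" != "$1" ]; then
        echo "MISMATCH: Split Exim Spool = $1 but $2 is split=$actual"
        return 1
    fi
    if [ "$1" = yes ]; then
        missing=$(missing_out_dirs "$2" "$3" | tr '\n' ' ')
        if [ -n "$missing" ]; then
            echo "MISSING under $3: $missing"
            return 1
        fi
    fi
    echo "OK: Split Exim Spool = $1 matches $2"
}

# Run against real directories when called with three arguments, e.g.
#   sh check_split.sh no /var/spool/exim4_in/input /var/spool/exim4_out/input
if [ "$#" -eq 3 ]; then
    check_split_setting "$1" "$2" "$3"
fi
```

Run it as the MailScanner user so that unreadable queue directories show up as an empty or unsplit spool rather than being silently skipped.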
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:21:43 2006
Subject: Exim - Using ACLs to verify RCPT TO
In-Reply-To:
Message-ID: <5.2.1.1.2.20040105080245.08153ed0@securemail.tulsaconnect.com>

>Sorry to disagree but this is not true. This problem occurs whenever you
>are using Exim in front of MTAs doing the local delivery. This is in no
>way MailScanner specific and therefore should go to the Exim mailing
>list.

..which is the way most people use Exim with MailScanner I suspect.

> > folks lurk on this list (and, because I'm not subscribed to
> > any Exim lists).
>
>You should be!

FWIW, I've already gotten the ACL working. I'll post it here once I work
out the problem of people with "catch all" accounts.

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From ugob at CAMO-ROUTE.COM Mon Jan 5 14:20:23 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:43 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE31F@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harondel J. Sibble [mailto:mailscanner@pdscc.com]
> Sent: Monday, January 05, 2004 12:34 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: postfix, mailscanner, mail relay
>
>
> On 4 Jan 2004 at 11:48, Ugo Bellavance wrote:
>
> > Have you tried deleting the account you want to be relayed to your internal
> > server?
>
> No, as the account I am sending to for testing does not exist on the mail relay,
> only the internal server.

Ok, it is just hard to follow your story, I thought that the accounts
that made it to your internal server were the ones you haven't created on
mailscanner. I can't help you a lot more, since I zapped my postfix
mailscanner, I now use sendmail.

Thanks,

> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 5 14:23:20 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:43 2006
Subject: Exim - Using ACLs to verify RCPT TO
Message-ID:

> >Sorry to disagree but this is not true. This problem occurs whenever
> >you are using Exim in front of MTAs doing the local delivery. This is
> >in no way MailScanner specific and therefore should go to the Exim
> >mailing list.
>
> ..which is the way most people use Exim with MailScanner I suspect.

Sure it is. Nevertheless: The question and the solution is Exim specific
and has nothing to do with MailScanner. Sorry to be so stubborn but the
mailing list volume is high enough even without Off Topics... :-)

> FWIW, I've already gotten the ACL working. I'll post it here
> once I work out the problem of people with "catch all" accounts.

"catch all" accounts?

Regards,
JP

From isp-list at TULSACONNECT.COM Mon Jan 5 14:35:03 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:21:43 2006
Subject: Exim - Using ACLs to verify RCPT TO
In-Reply-To:
Message-ID: <5.2.1.1.2.20040105083334.07f46e88@securemail.tulsaconnect.com>

>Sure it is. Nevertheless: The question and the solution is Exim specific
>and has nothing to do with MailScanner. Sorry to be so stubborn but the
>mailing list volume is high enough even without Off Topics... :-)

I guess we'll have to agree to disagree that this is of benefit to other
MailScanner users using Exim as the MTA.

>"catch all" accounts?

Domains that are configured to send mail to all "unknown accounts" in
that domain to a single E-mail address. Some people insist on having
them, even though they are just a spam-magnet IMHO.

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From splee at PLEXIO.COM Mon Jan 5 15:29:30 2004
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:21:43 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14
In-Reply-To: <1073233440.8598.164.camel@ralph.plexio.private>
References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> <1073233440.8598.164.camel@ralph.plexio.private>
Message-ID: <1073316569.8598.183.camel@ralph.plexio.private>

When the installation instructions say:

However, you must check all the locations of files and commands in
        MailScanner/bin/mailscanner (the first line of it)
        MailScanner/bin/check_mailscanner
        MailScanner/bin/MailScanner/SystemDefs.pm
        MailScanner/etc/mailscanner.conf
        MailScanner/lib/*

Does that mean I have to look in every file under
MailScanner/lib/MailScanner as well?

Thanks,
Stephen

On Sun, 2004-01-04 at 08:24, Stephen Lee wrote:
> That was my first guess but the permissions suggest that it shouldn't be
> the problem.
>
> drwxrwxr-- 5 exim exim 4096 Jan 4 08:12 exim/
> drwxrwxr-- 4 exim exim 4096 Jan 4 08:12 exim_incoming/
>
> All subdirectories have the same permissions. I even su'd to exim and
> was able to create/delete files in those directories. Setting them to
> 777 made no difference.
Here's a piece of the exim log: > > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs, > listening for SMTP on port 25 (IPv4) > 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C > /usr/local/etc/exim_outgoing.conf -q15m > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not > listening for SMTP > 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C > /usr/local/etc/exim_outgoing.conf -q > 2004-01-04 08:22:21 Start queue run: pid=22338 > 2004-01-04 08:22:21 End queue run: pid=22338 > 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args: > /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc > 1AdB0M-0005ni-Nz > 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not > found > 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster@ugw.united.private > U=exim P=local S=762 > > Stephen > > On Sun, 2004-01-04 at 04:20, Julian Field wrote: > > Check the permissions on your Exim queue directories. For some reason it is > > failing to analyse the message at all. > > > > At 09:14 04/01/2004, you wrote: > > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos > > >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for > > >installing MS manually from a tar file and configured Exim to use > > >separate incoming and outgoing queues. Exim appears to receive incoming > > >messages and MS picks them up. The problem is that MS takes all messages > > >and marks them as infected and places them in quarantine. 
The following > > >message is generated: > > > > > > Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages, > > >1068 bytes > > >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting > > >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: > > >Starting > > >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to > > >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62 > > >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned > > >messages > > >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages > > > > > >The warning message contains: > > > > > >Received: from exim by ugw.united.private with local (Exim 4.24) > > > id 1Ad3t1-0003ix-R3 > > > for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800 
> > >From: "MailScanner-UGW" > > >To: postmaster@ugw.united.private > > >Subject: Warning: E-mail viruses detected > > >Message-Id: > > >Date: Sun, 04 Jan 2004 00:45:27 -0800 > > > > > >The following e-mail messages were found to have viruses in them: > > > > > > Sender: postmaster@ugw.united.private > > >IP Address: 127.0.0.1 > > > Recipient: postmaster@ugw.united.private > > > Subject: Warning: E-mail viruses detected > > > MessageID: 1Ad3lV-0003hp-62 > > > Report: MailScanner: Could not analyze message > > > > > > > > >-- > > >MailScanner > > >Email Virus Scanner > > >www.mailscanner.info > > > > > > > > > > > >Each warning message spawns another warning message and in short order > > >the quarantine directory fills-up. > > > > > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos" > > >is set and sweep is not active when set to "Virus Scanners = none". > > >However, in both cases the same warning message (ie. detected virus) is > > >generated. > > > > > >Here are some of the pertinent settings in > > >/opt/MailScanner/etc/MailScanner.conf: > > > > > >Run As User = exim > > >Run As Group = exim > > >Incoming Queue Dir = /var/spool/exim_incoming/input > > >Outgoing Queue Dir = /var/spool/exim/input > > >Quarantine Dir = /var/spool/MailScanner/quarantine > > >MTA = exim > > >Sendmail = /usr/local/bin/exim > > >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf > > >Virus Scanners = sophos > > >Quarantine Infections = yes > > >Quarantine Whole Message = yes > > >Quarantine Whole Messages As Queue Files = no > > >Spam Checks = yes > > >Use SpamAssassin = no > > >Split Exim Spool = no > > > > > >/etc/sysconfig/MailScanner looks like this: > > > > > >MTA=exim > > >EXIM=/usr/local/bin/exim > > >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file > > >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration > > >file > > > > > >The following perl modules were downloaded, compiled and installed with > > >no 
issues: > > > > > >Convert-TNEF-0.17 > > >File-Spec-0.82 > > >File-Temp-0.14 > > >HTML-Parser-3.26 > > >HTML-Tagset-3.03 > > >IO-stringy-2.108 > > >MIME-Base64-2.12 > > >MIME-tools-5.411 (patched version) > > >MailTools-1.50 > > >Net-CIDR-0.09 > > > > > > > > >Any suggestions on what next or diagnostics you need? > > > > > >Thanks and Happy New Year! > > >Stephen > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Mon Jan 5 15:46:45 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:43 2006
Subject: postfix, mailscanner, mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE31F@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE31F@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <50776.194.70.180.170.1073317605.squirrel@net.themarshalls.co.uk>

Sorry, I have just picked this one up halfway through so apologies if I
am duplicating something. How have you told Postfix to forward mail to
your internal server? You will need something like

        @yourdomain @internal.domain

in /etc/postfix/virtual and add alias_maps = hash:/etc/postfix/virtual to
your main.cf file in /etc/postfix. Don't forget to use 'newaliases' to
generate the database. I would also make sure that you have appropriate
DNS records for internal.domain (Or add an entry to the gateway's hosts
file)

Hope this helps

Drew
--

Ugo Bellavance said:
>> -----Original Message-----
>> From: Harondel J. Sibble [mailto:mailscanner@pdscc.com]
>> Sent: Monday, January 05, 2004 12:34 AM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: postfix, mailscanner, mail relay
>>
>>
>> On 4 Jan 2004 at 11:48, Ugo Bellavance wrote:
>>
>> > Have you tried deleting the account you want to be relayed to your internal
>> > server?
>>
>> No, as the account I am sending to for testing does not exist on the mail relay,
>> only the internal server.
>
> Ok, it is just hard to follow your story, I thought that the accounts that
> made it to your internal server were the ones you haven't created on
> mailscanner. I can't help you a lot more, since I zapped my postfix
> mailscanner, I now use sendmail.
>
> Thanks,
>
>> --
>> Harondel J. Sibble
>> Sibble Computer Consulting
>> Creating solutions for the small business and home computer user.
>> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
>> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
>>
>

From ugob at CAMO-ROUTE.COM Mon Jan 5 15:48:18 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:43 2006
Subject: postfix, mailscanner, mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE326@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
> Sent: Monday, January 05, 2004 10:47 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: postfix, mailscanner, mail relay
>
>
> Sorry, I have just picked this one up halfway through so apologies if I am
> duplicating something. How have you told Postfix to forward mail to your
> internal server?

He used the transport map.

> You will need something like @yourdomain @internal.domain
> in /etc/postfix/virtual and add alias_maps = hash:/etc/postfix/virtual to
> your main.cf file in /etc/postfix. Don't forget to use 'newaliases' to
> generate the database. I would also make sure that you have appropriate
> DNS records for internal.domain (Or add an entry to the gateway's hosts
> file)
>
> Hope this helps
>
> Drew
> --
>
>
> Ugo Bellavance said:
> >> -----Original Message-----
> >> From: Harondel J. Sibble [mailto:mailscanner@pdscc.com]
> >> Sent: Monday, January 05, 2004 12:34 AM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Re: postfix, mailscanner, mail relay
> >>
> >>
> >> On 4 Jan 2004 at 11:48, Ugo Bellavance wrote:
> >>
> >> > Have you tried deleting the account you want to be relayed to your internal
> >> > server?
> >>
> >> No, as the account I am sending to for testing does not exist on the mail relay,
> >> only the internal server.
> >
> > Ok, it is just hard to follow your story, I thought that the accounts that
> > made it to your internal server were the ones you haven't created on
> > mailscanner. I can't help you a lot more, since I zapped my postfix
> > mailscanner, I now use sendmail.
> >
> > Thanks,
> >
> >> --
> >> Harondel J. Sibble
> >> Sibble Computer Consulting
> >> Creating solutions for the small business and home computer user.
> >> help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> >> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
> >>
> >
>

From mailscanner at ecs.soton.ac.uk Mon Jan 5 15:56:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:43 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14
In-Reply-To: <1073316569.8598.183.camel@ralph.plexio.private>
References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> <1073233440.8598.164.camel@ralph.plexio.private> <1073316569.8598.183.camel@ralph.plexio.private>
Message-ID: <6.0.1.1.2.20040105155612.03d32928@imap.ecs.soton.ac.uk>

At 15:29 05/01/2004, you wrote:
>When the installation instructions say:
>
>However, you must check all the locations of files and commands in
>        MailScanner/bin/mailscanner (the first line of it)
>        MailScanner/bin/check_mailscanner
>        MailScanner/bin/MailScanner/SystemDefs.pm

That one is now irrelevant.

>        MailScanner/etc/mailscanner.conf
>        MailScanner/lib/*
>
>Does that mean I have to look in every file under
>MailScanner/lib/MailScanner as well?

No.

>Thanks,
>Stephen
>
>On Sun, 2004-01-04 at 08:24, Stephen Lee wrote:
> > That was my first guess but the permissions suggest that it shouldn't be
> > the problem.
> >
> > drwxrwxr-- 5 exim exim 4096 Jan 4 08:12 exim/
> > drwxrwxr-- 4 exim exim 4096 Jan 4 08:12 exim_incoming/
> >
> > All subdirectories have the same permissions. I even su'd to exim and
> > was able to create/delete files in those directories. Setting them to
> > 777 made no difference.
Here's a piece of the exim log: > > > > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs, > > listening for SMTP on port 25 (IPv4) > > 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C > > /usr/local/etc/exim_outgoing.conf -q15m > > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not > > listening for SMTP > > 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C > > /usr/local/etc/exim_outgoing.conf -q > > 2004-01-04 08:22:21 Start queue run: pid=22338 > > 2004-01-04 08:22:21 End queue run: pid=22338 > > 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args: > > /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc > > 1AdB0M-0005ni-Nz > > 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not > > found > > 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster@ugw.united.private > > U=exim P=local S=762 > > > > Stephen > > > > On Sun, 2004-01-04 at 04:20, Julian Field wrote: > > > Check the permissions on your Exim queue directories. For some reason > it is > > > failing to analyse the message at all. > > > > > > At 09:14 04/01/2004, you wrote: > > > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos > > > >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for > > > >installing MS manually from a tar file and configured Exim to use > > > >separate incoming and outgoing queues. Exim appears to receive incoming > > > >messages and MS picks them up. The problem is that MS takes all messages > > > >and marks them as infected and places them in quarantine. 
The following > > > >message is generated: > > > > > > > > Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 > messages, > > > >1068 bytes > > > >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting > > > >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: > > > >Starting > > > >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to > > > >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62 > > > >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned > > > >messages > > > >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages > > > > > > > >The warning message contains: > > > > > > > >Received: from exim by ugw.united.private with local (Exim 4.24) > > > > id 1Ad3t1-0003ix-R3 > > > > for postmaster@ugw.united.private; Sun, 04 Jan 2004 > 00:45:27 -0800 
> > > >From: "MailScanner-UGW" > > > >To: postmaster@ugw.united.private > > > >Subject: Warning: E-mail viruses detected > > > >Message-Id: > > > >Date: Sun, 04 Jan 2004 00:45:27 -0800 > > > > > > > >The following e-mail messages were found to have viruses in them: > > > > > > > > Sender: postmaster@ugw.united.private > > > >IP Address: 127.0.0.1 > > > > Recipient: postmaster@ugw.united.private > > > > Subject: Warning: E-mail viruses detected > > > > MessageID: 1Ad3lV-0003hp-62 > > > > Report: MailScanner: Could not analyze message > > > > > > > > > > > >-- > > > >MailScanner > > > >Email Virus Scanner > > > >www.mailscanner.info > > > > > > > > > > > > > > > >Each warning message spawns another warning message and in short order > > > >the quarantine directory fills-up. > > > > > > > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos" > > > >is set and sweep is not active when set to "Virus Scanners = none". > > > >However, in both cases the same warning message (ie. detected virus) is > > > >generated. 
> > > > > > > >Here are some of the pertinent settings in > > > >/opt/MailScanner/etc/MailScanner.conf: > > > > > > > >Run As User = exim > > > >Run As Group = exim > > > >Incoming Queue Dir = /var/spool/exim_incoming/input > > > >Outgoing Queue Dir = /var/spool/exim/input > > > >Quarantine Dir = /var/spool/MailScanner/quarantine > > > >MTA = exim > > > >Sendmail = /usr/local/bin/exim > > > >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf > > > >Virus Scanners = sophos > > > >Quarantine Infections = yes > > > >Quarantine Whole Message = yes > > > >Quarantine Whole Messages As Queue Files = no > > > >Spam Checks = yes > > > >Use SpamAssassin = no > > > >Split Exim Spool = no > > > > > > > >/etc/sysconfig/MailScanner looks like this: > > > > > > > >MTA=exim > > > >EXIM=/usr/local/bin/exim > > > >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file > > > >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration > > > >file > > > > > > > >The following perl modules were downloaded, compiled and installed with > > > >no issues: > > > > > > > >Convert-TNEF-0.17 > > > >File-Spec-0.82 > > > >File-Temp-0.14 > > > >HTML-Parser-3.26 > > > >HTML-Tagset-3.03 > > > >IO-stringy-2.108 > > > >MIME-Base64-2.12 > > > >MIME-tools-5.411 (patched version) > > > >MailTools-1.50 > > > >Net-CIDR-0.09 > > > > > > > > > > > >Any suggestions on what next or diagnostics you need? > > > > > > > >Thanks and Happy New Year! > > > >Stephen > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at pdscc.com Mon Jan 5 16:18:14 2004 
From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Thu Jan 12 21:21:43 2006 Subject: postfix, mailscanner, mail relay In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE326@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200401051634.IAA01462@sheridan.sibble.net> On 5 Jan 2004 at 10:48, Ugo Bellavance wrote: > He used the transport map. > > in /etc/postfix/virtual and add alias_maps = > > hash:/etc/postfix/virtual to > > your main.cf file in /etc/postfix. Don't forget to use 'newaliases' to What's the (dis)advantage of doing it that way rather than a transport map? -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From splee at PLEXIO.COM Mon Jan 5 16:26:10 2004 
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:21:43 2006 Subject: All messages quarantined on Trustix 2.0/MS 4.25-14 In-Reply-To: <1073233440.8598.164.camel@ralph.plexio.private> References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> <1073233440.8598.164.camel@ralph.plexio.private> Message-ID: <1073319970.8598.194.camel@ralph.plexio.private> Anything else I should check into? Thanks, Stephen On Sun, 2004-01-04 at 08:24, Stephen Lee wrote: > That was my first guess but the permissions suggest that it shouldn't be > the problem. > > drwxrwxr-- 5 exim exim 4096 Jan 4 08:12 exim/ > drwxrwxr-- 4 exim exim 4096 Jan 4 08:12 exim_incoming/ > > All subdirectories have the same permissions. I even su'd to exim and > was able to created/deleted files in those directories. Setting them to > 777 made no difference. Here's a piece of the exim log: > > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs, > listening for SMTP on port 25 (IPv4) > 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C > /usr/local/etc/exim_outgoing.conf -q15m > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not > listening for SMTP > 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C > /usr/local/etc/exim_outgoing.conf -q > 2004-01-04 08:22:21 Start queue run: pid=22338 > 2004-01-04 08:22:21 End queue run: pid=22338 > 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args: > /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc > 1AdB0M-0005ni-Nz > 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not > found > 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster@ugw.united.private > U=exim P=local S=762 > > Stephen > > On Sun, 2004-01-04 at 04:20, Julian Field wrote: > > Check the permissions on your Exim queue directories. For some reason it is > > failing to analyse the message at all. 
> > > > At 09:14 04/01/2004, you wrote: > > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos > > >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for > > >installing MS manually from a tar file and configured Exim to use > > >separate incoming and outgoing queues. Exim appears to receive incoming > > >messages and MS picks them up. The problem is that MS takes all messages > > >and marks them as infected and places them in quarantine. The following > > >message is generated: > > > > > > Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages, > > >1068 bytes > > >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting > > >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: > > >Starting > > >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to > > >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62 > > >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned > > >messages > > >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages > > > > > >The warning message contains: > > > > > >Received: from exim by ugw.united.private with local (Exim 4.24) > > > id 1Ad3t1-0003ix-R3 > > > for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800 
> > >From: "MailScanner-UGW" > > >To: postmaster@ugw.united.private > > >Subject: Warning: E-mail viruses detected > > >Message-Id: > > >Date: Sun, 04 Jan 2004 00:45:27 -0800 > > > > > >The following e-mail messages were found to have viruses in them: > > > > > > Sender: postmaster@ugw.united.private > > >IP Address: 127.0.0.1 > > > Recipient: postmaster@ugw.united.private > > > Subject: Warning: E-mail viruses detected > > > MessageID: 1Ad3lV-0003hp-62 > > > Report: MailScanner: Could not analyze message > > > > > > > > >-- > > >MailScanner > > >Email Virus Scanner > > >www.mailscanner.info > > > > > > > > > > > >Each warning message spawns another warning message and in short order > > >the quarantine directory fills-up. > > > > > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos" > > >is set and sweep is not active when set to "Virus Scanners = none". > > >However, in both cases the same warning message (ie. detected virus) is > > >generated. > > > > > >Here are some of the pertinent settings in > > >/opt/MailScanner/etc/MailScanner.conf: > > > > > >Run As User = exim > > >Run As Group = exim > > >Incoming Queue Dir = /var/spool/exim_incoming/input > > >Outgoing Queue Dir = /var/spool/exim/input > > >Quarantine Dir = /var/spool/MailScanner/quarantine > > >MTA = exim > > >Sendmail = /usr/local/bin/exim > > >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf > > >Virus Scanners = sophos > > >Quarantine Infections = yes > > >Quarantine Whole Message = yes > > >Quarantine Whole Messages As Queue Files = no > > >Spam Checks = yes > > >Use SpamAssassin = no > > >Split Exim Spool = no > > > > > >/etc/sysconfig/MailScanner looks like this: > > > > > >MTA=exim > > >EXIM=/usr/local/bin/exim > > >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file > > >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration > > >file > > > > > >The following perl modules were downloaded, compiled and installed with > > >no 
issues: > > > > > >Convert-TNEF-0.17 > > >File-Spec-0.82 > > >File-Temp-0.14 > > >HTML-Parser-3.26 > > >HTML-Tagset-3.03 > > >IO-stringy-2.108 > > >MIME-Base64-2.12 > > >MIME-tools-5.411 (patched version) > > >MailTools-1.50 > > >Net-CIDR-0.09 > > > > > > > > >Any suggestions on what next or diagnostics you need? > > > > > >Thanks and Happy New Year! > > >Stephen > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From t.d.lee at DURHAM.AC.UK Mon Jan 5 17:17:44 2004 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:21:43 2006 Subject: "Required SpamAssassin Score" and Bayes Message-ID: Executive summary: Might a high value of MS "Required SpamAssassin Score" interact adversely with SA Bayes? Detail: We started site-wide use of MailScanner some time ago (mid-2001), and of SpamAssassin back in 2002. Because of our worries about false positives, we adjusted the MailScanner.conf "Required SpamAssassin Score" from its default of 5 up to 7. Things have moved on, and we are now happily using SA 2.61 including its Bayes aspects. But we find more emails than we would expect still escape being spam-tagged: their spamscores seem strangely low. Might it be that our artificially high "Required SpamAssassin Score = 7" is causing the Bayes mechanism to auto-learn some "Score = 5" and "6" spams incorrectly as hams, and perhaps then to cause future occurrences of these spams to be marked down as hams (and thus escape being spam-tagged)? I think we could reasonably confidently reduce "Required SA Score" from 7 down to 6 or 5, which would both catch a few more spams, and the resultant Bayes autolearn might then catch more (positive feedback). Is the above reasoning basically sound? Or is it fundamentally flawed? A supplementary question: Our SA/Bayes is currently only self-learning. Are there any nicely packaged schemes to allow us to supplement this from emails from validated individuals? A few of us could then redirect (bounce) emails to, say, "sa-learn-ham@..." and "sa-learn-spam@..." (but in such a way that it would verify the redirector/bouncer (or some equivalent) against a list of trusted folk). -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From mailscanner at ecs.soton.ac.uk Mon Jan 5 17:24:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:43 2006 Subject: "Required SpamAssassin Score" and Bayes In-Reply-To: References: Message-ID: <6.0.1.1.2.20040105172038.0409ee78@imap.ecs.soton.ac.uk> At 17:17 05/01/2004, you wrote: >Executive summary: Might a high value of MS "Required SpamAssassin Score" >interact adversely with SA Bayes? > >Detail: >We started site-wide use of MailScanner some time ago (mid-2001), and of >SpamAssassin back in 2002. Because of our worries about false positives, >we adjusted the MailScanner.conf "Required SpamAssassin Score" from its >default of 5 up to 7. > >Things have moved on, and we are now happily using SA 2.61 including its >Bayes aspects. But we find more emails than we would expect still escape >being spam-tagged: their spamscores seem strangely low. Might it be that >our artificially high "Required SpamAssassin Score = 7" is causing the >Bayes mechanism to auto-learn some "Score = 5" and "6" spams incorrectly >as hams, and perhaps then to cause future occurrences of these spams to be >marked down as hams (and thus escape being spam-tagged)? No. The auto-learning is triggered by 2 thresholds which are set inside SpamAssassin. The "Required SpamAssassin Score" is totally different, and SpamAssassin is never even told what number it is. >I think we could reasonably confidently reduce "Required SA Score" from 7 >down to 6 or 5, which would both catch a few more spams, and the resultant >Bayes autolearn might then catch more (positive feedback). We run at 6 and see no false positives, just a few false negatives. 5 was too low and we started seeing false positives at that setting. >Is the above reasoning basically sound? Or is it fundamentally flawed? No, and yes :-) >A supplementary question: Our SA/Bayes is currently only self-learning. >Are there any nicely packaged schemes to allow us to supplement this from >emails from validated individuals?
A few of us could then redirect >(bounce) emails to, say, "sa-learn-ham@..." and "sa-learn-spam@..." (but >in such a way that it would verify the redirector/bouncer (or some >equivalent) against a list of trusted folk). You can control access to addresses using the check_compat stuff inside sendmail's access DB (the sendmail Bat Book 3rd Edition will tell you how). You can then just do an hourly learn using the --mbox switch to sa-learn. I have a cron job which does this which I have posted here several times before. It might be called learn.spam or something like that. Look for my postings with attachments (there aren't too many of those). -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Mon Jan 5 17:29:21 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:43 2006 Subject: "Required SpamAssassin Score" and Bayes In-Reply-To: References: Message-ID: <3FF99EF1.3060201@solid-state-logic.com> David Lee wrote: > > A supplementary question: Our SA/Bayes is currently only self-learning. > Are there any nicely packaged schemes to allow us to supplement this from > emails from validated individuals? A few of us could then redirect > (bounce) emails to, say, "sa-learn-ham@..." and "sa-learn-spam@..." (but > in such a way that it would verify the redirector/bouncer (or some > equivalent) against a list of trusted folk). > David I use a shared IMAP folder (or you could use MS-exchange folders I guess:-) for a few users to drop spam that's been missed and also for ham that's been wrongly tagged. I posted the sa-learn front end script for this back in December and it should be available in the list archives. BTW I get very very few false positives and I run the default spam score of 5. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From david at MIDRANGE.COM Mon Jan 5 18:09:34 2004 
From: david at MIDRANGE.COM (David Gibbs) Date: Thu Jan 12 21:21:43 2006 Subject: SpamAssassin auto-whitelist? Message-ID: I'm trying to enable SA's auto-whitelist feature from within MailScanner, but cannot seem to get it to work. MailScanner.conf contains the following entries ... SpamAssassin Auto Whitelist = yes SpamAssassin User State Dir = ... but it doesn't seem to be working. The $HOME/.spamassassin directory does not contain an auto-whitelist file. Any suggestions? david From mailscanner at ecs.soton.ac.uk Mon Jan 5 18:12:38 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:43 2006 Subject: SpamAssassin auto-whitelist? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040105181152.02d58e70@imap.ecs.soton.ac.uk> At 18:09 05/01/2004, you wrote: >I'm trying to enable SA's auto-whitelist feature from within MailScanner, >but cannot seem to get it to work. > >MailScanner.conf contains the following entries ... > >SpamAssassin Auto Whitelist = yes >SpamAssassin User State Dir = > >... but it doesn't seem to be working. > >The $HOME/.spamassassin directory does not contain an auto-whitelist file. > >Any suggestions? Don't use it. It has been proved to be easy to subvert. I keep forgetting to remove it from MailScanner altogether. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jacques at MONACO.NET Mon Jan 5 18:11:36 2004
From: jacques at MONACO.NET (Jacques Caruso) Date: Thu Jan 12 21:21:43 2006 Subject: postfix, mailscanner, mail relay In-Reply-To: <200312290219.SAA02723@sheridan.sibble.net> References: <200312290219.SAA02723@sheridan.sibble.net> Message-ID: <200401051911.36302.jacques@monaco.net> On Monday 29 December 2003 03:05, Harondel J. Sibble wrote: > In a single instance (standard) setup of postfix, setup to relay for > the internal server would be accomplished by setting (as per Blum's > Open Source Email Security) > > set postfix to not accept any messages even for localhost > relay_domains = > > setup a transport table > mydomain.net smtp:internal-mailserver.mydomain.net I don't know about Mr. Blum's book, but from what I've seen, Postfix won't relay for a domain that is only in transport: root@aldebaran:~# cat /etc/postfix/relay_domains root@aldebaran:~# cat /etc/postfix/transport | grep -Ev '^#' monaco.net smtp:sceuzi.monaco.net >>> MAIL FROM: <> <<< 250 Ok >>> RCPT TO: <<< 554 : Relay access denied root@aldebaran:~# echo 'monaco.net' > /etc/postfix/relay_domains root@aldebaran:~# /etc/init.d/postfix reload Reloading Postfix configuration...done. >>> MAIL FROM: <> <<< 250 Ok >>> RCPT TO: <<< 250 Ok (if you're wondering, yes, I've 'relay_domains = /etc/postfix/relay_domains' in main.cf) > Just want to make sure, in conjunction with Mailscanner, these > modifications should be done for the outgoing postfix instance, > correct? ie the /etc/postfix dir rather than /etc/postfix.in Ahem... I'm not sure I understand you. The incoming instance needs a way to know it should accept the mail going to the internal server, thus you'd definitely want this configuration to be present on the incoming instance. To scan the messages going to your internal server, you just need to list 'smtp' in $defer_transports. BTW, on my Postfix setup, files like transport, virtual, and so on in /etc/postfix.in are hard links to the ones in /etc/postfix (/i.e./, they're the same files).
It avoids having to resynchronize the configuration between the two instances when you modify a parameter. Hope this helps... Greets, -- [ Jacques Caruso PHP Developer ] [ Monaco Internet http://monaco-internet.mc/ ] [ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ] [ -*- When the finger points at the moon, the fool looks at the finger -*- ] From drew at THEMARSHALLS.CO.UK Mon Jan 5 18:55:27 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:43 2006 Subject: postfix, mailscanner, mail relay In-Reply-To: <200401051634.IAA01462@sheridan.sibble.net> References: <200401051634.IAA01462@sheridan.sibble.net> Message-ID: <3FF9B31F.4040901@themarshalls.co.uk> Harondel J. Sibble wrote: >On 5 Jan 2004 at 10:48, Ugo Bellavance wrote: > > > >>He used the transport map. >> >> >>>in /etc/postfix/virtual and add alias_maps = >>>hash:/etc/postfix/virtual to >>>your main.cf file in /etc/postfix. Don't forget to use 'newaliases' to >>> >>> > > >What's the (dis)advantage of doing it that way rather than a transport map? > > As I understand, a transport map is just that, a map to provide explicit routing but your postfix server doesn't understand that mail addressed to it shouldn't be delivered locally. You need to also tell it either local mailbox names or, in your instance, to only act as a relay. Hence you will need some form of alias map (User database) and some method of telling Postfix how to reach the next host (Transport map). >-- >Harondel J. Sibble >Sibble Computer Consulting >Creating solutions for the small business and home computer user. >help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com >(604) 739-3709 (voice/fax) (604) 686-2253 (pager) > > I use transport map to reference a sql database to allow both virtual and local mail hosting and another table on the database to provide the alias data. Hope this helps Drew From mailscanner at LISTS.COM.AR Mon Jan 5 19:11:33 2004
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:21:43 2006 Subject: Re: Bug#225825: mailscanner: Proofread Spanish messages (forwarded from Fernando J. Rodríguez (Herr Groucho)) In-Reply-To: <16373.22144.863237.236488@gargle.gargle.HOWL> Message-ID: <3FF98CB5.25198.A0734999@localhost> FWIW, and since I made a large part of the Spanish translation, I'm perfectly fine with the proposed patches... (in fact, I think I posted a patch to change "puntuación" into "puntaje" some time ago). However, I think the word "spam" shouldn't be capitalized... IIRC, this has been discussed here (and in lots of mailing lists) in order to keep it consistent with http://www.spam.com/ci/ci_in.htm I see that the English version is lowercase also. regards. On 2 Jan 2004 at 12:31, Matthias Klose wrote: > please find attached a patch for mailscanner forwarded from the Debian > BTS. -- Mariano Absatz El Baby ---------------------------------------------------------- "A system admin's life is a sorry one. The only advantage he has over Emergency Room doctors is that malpractice suits are rare. On the other hand, ER doctors never have to deal with patients installing new versions of their own innards!" -- Michael O'Brien From mkettler at EVI-INC.COM Mon Jan 5 20:16:09 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:43 2006 Subject: SpamAssassin auto-whitelist? In-Reply-To: References: Message-ID: <6.0.0.22.0.20040105151346.01df0130@xanadu.evi-inc.com> At 01:09 PM 1/5/2004, David Gibbs wrote: >MailScanner.conf contains the following entries ... > >SpamAssassin Auto Whitelist = yes >SpamAssassin User State Dir = > >... but it doesn't seem to be working. > >The $HOME/.spamassassin directory does not contain a auto-whitelist file. did you check the correct $HOME? In most non-advanced installs, $HOME is /root/ From mkettler at EVI-INC.COM Mon Jan 5 20:29:59 2004
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:43 2006 Subject: SpamAssassin auto-whitelist? In-Reply-To: <6.0.1.1.2.20040105181152.02d58e70@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040105181152.02d58e70@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20040105151628.01df2400@xanadu.evi-inc.com> At 01:12 PM 1/5/2004, Julian wrote: > >Any suggestions? > >Don't use it. It has been proved to be easy to subvert. I keep forgetting >to remove it from MailScanner altogether. Agreed.. it's useful in some cases, but it's a bit questionable in MailScanner where per-user databases aren't used. Fortunately somewhere in 2.5x or 2.6x they mitigated the most severe issue, which was the ALL_SPAM_TO score-smearing issue. Basically all white/blacklists and GTUBE are handled after the AWL, and don't wind up pumping its scores up and down. The only remaining issue with the AWL is one I discussed in private with Justin Mason (SA developer), and it was agreed that it's unlikely to be abused. I still have some reservations because if spammers start using the technique I theorized it will be a gigantic pain in everyone's butt, not just AWL users. (Which is also why I'm not going to discuss this issue in detail except with the developers as I've already done. I'm a fan of full disclosure if it's helpful to sysadmins in general, but the details here aren't really useful to anyone other than the SA developers and spammers. ) I remain a non-fan of the AWL, at least not as a "default on" option, but it's not nearly as bad as it once was, and it's not likely to be abused in hurtful ways, even with MailScanner. From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 5 22:35:31 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:43 2006 Subject: New blocklist from Spamhaus In-Reply-To: <3FF5539C.3010507@sghms.ac.uk> Message-ID: Should this be showing up in the maillog? I can't see it anywhere :( Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Daniel Bird > Sent: 02 January 2004 11:19 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: New blocklist from Spamhaus > > > Julian Field wrote: > > > Spamhaus have started up a list of known machines which are > open proxies, > > spam zombies, etc. > > > > To use it, edit you /etc/MailScanner/spam.lists.conf or > > /opt/MailScanner/etc/spam.lists.conf and add a line that looks > like this: > > > > spamhaus-XBL xbl.spamhaus.org. > > > > (Don't forget the "." at the end of the line!) > > > > Then edit your MailScanner.conf and add > > spamhaus-XBL > > to your "Spam List =" setting. > > > > Then just restart or reload MailScanner and it will start using the > > new list. > > > For those that prefer to use SA to bump up the score instead of > MailScanner's RBL's, something like: > > header RCVD_SPAMHAUS_XBL > rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.') > describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL > tflags RCVD_SPAMHAUS_XBL net > score RCVD_SPAMHAUS_XBL 1.5 > > in spam.assassin.prefs.conf should do the trick... > > Dan > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > ____________________________________ > > Daniel Bird > Network and Systems Manager > Department Of Information Services > St. George's Hospital Medical School > Tooting > London SW17 0RE > > P: +44 20 8725 2897 > F: +44 20 8725 3583 > E: dan@sghms.ac.uk > ____________________________________ > > Everything is possible....except skiing through a revolving door > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From mailscanner at CARLO65.DE Tue Jan 6 07:27:16 2004 
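The lookup that an entry such as the quoted `spamhaus-XBL xbl.spamhaus.org.` line stands for, as an added example (not MailScanner's or SpamAssassin's own code), including why the trailing dot matters and why not every answer means "listed". Assumptions: the `#` comment handling, all function names, the documentation-range IP addresses and the canned resolver answers are constructed here, and 127.255.255.0/24 is treated as the range Spamhaus reserves for error replies.

```python
import ipaddress
import socket

# Constructed sample in the "<list name> <DNS zone>" layout quoted above.
SAMPLE_SPAM_LISTS_CONF = """\
# constructed sample, not a shipped file
spamhaus-XBL    xbl.spamhaus.org.
example-nodot   bl.example.invalid
"""

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # DNSBL "listed" answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error replies, not listings

# Constructed resolver answers so the example runs offline.
FAKE_ANSWERS = {
    "99.2.0.192.xbl.spamhaus.org.": "127.0.0.4",
    "7.100.51.198.xbl.spamhaus.org.": "127.255.255.254",
}


def parse_spam_lists(text):
    """Return ({name: zone}, [names whose zone lacks the final dot])."""
    zones, not_absolute = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"expected '<name> <zone>': {raw!r}")
        name, zone = fields
        zones[name] = zone
        # Without the dot the name is relative, and a stub resolver may
        # retry it with the host's search-list suffixes appended.
        if not zone.endswith("."):
            not_absolute.append(name)
    return zones, not_absolute


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone as an absolute name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'error' for one IP against one zone."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror as exc:
        # Only "no such name" means not listed; timeouts and server
        # failures must not be read as a clean result.
        no_such_name = {socket.EAI_NONAME,
                        getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        return "clean" if exc.errno in no_such_name else "error"
    if answer in ERROR_NET or answer not in LISTED_NET:
        return "error"
    return "listed"


def fake_resolve(name):
    """Offline stand-in for a resolver, backed by FAKE_ANSWERS."""
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN") from None


def demo():
    """Check three constructed addresses against the sample XBL entry."""
    zones, _ = parse_spam_lists(SAMPLE_SPAM_LISTS_CONF)
    zone = zones["spamhaus-XBL"]
    return {ip: check_dnsbl(ip, zone, fake_resolve)
            for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.5")}


if __name__ == "__main__":
    print(demo())
```

A caller that scores or rejects mail should treat the 'error' result as "no information" rather than as a hit.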
From: mailscanner at CARLO65.DE (Roland Ehle) Date: Thu Jan 12 21:21:43 2006 Subject: OT: MailScanner Logo Message-ID: <3FFA6354.2070305@carlo65.de> Hi Julian, as I am involved in the MailWatch team, I currently design some Logo proposals. Could you tell me please, which font you used for the MailScanner Logo? Thanks. Regards, Roland From dbird at SGHMS.AC.UK Mon Jan 5 22:51:16 2004 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:43 2006 Subject: New blocklist from Spamhaus In-Reply-To: References: Message-ID: <3FF9EA64.8010904@sghms.ac.uk> Michele Neylon :: Blacknight Solutions wrote: >Should this be showing up in the maillog? I can't see it anywhere :( > > I would think so ;-) I only see it listed when it matches, and when the mail is flagged as spam by MS/SA i.e Jan 5 22:46:21 mailhub4 MailScanner[8777]: Message 1AddUJ-0000Jb-Pq from 24.7.51.155 (tracey_stephensor@carleton.ca) to sghms.ac.uk is spam, SpamAssassin (score=14.042, required 5, BAYES_99 4.00, FORGED_OUTLOOK_TAGS 1.00, HTML_50_60 0.10, HTML_IMAGE_ONLY_02 1.23, HTML_MESSAGE 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 1.00, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_SOCKS 1.20, RCVD_SPAMHAUS_XBL 1.50) Dan PS. Just in case, although I'm sure you have already, run a spamassassin --lint on your spam.assassin.prefs.conf to make sure you don't have any typos for the rule. >Mr. Michele Neylon >Blacknight Internet Solutions Ltd >http://www.blacknightsolutions.ie/ >http://www.search.ie/ >Tel. + 353 (0)59 9137101 >Lowest price domains in Ireland > > > >>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >>Behalf Of Daniel Bird >>Sent: 02 January 2004 11:19 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: New blocklist from Spamhaus >> >> >>Julian Field wrote: >> >> >> >>>Spamhaus have started up a list of known machines which are >>> >>> >>open proxies, >> >> >>>spam zombies, etc. >>> >>>To use it, edit you /etc/MailScanner/spam.lists.conf or >>>/opt/MailScanner/etc/spam.lists.conf and add a line that looks >>> >>> >>like this: >> >> >>>spamhaus-XBL xbl.spamhaus.org. >>> >>>(Don't forget the "." at the end of the line!) >>> >>>Then edit your MailScanner.conf and add >>>spamhaus-XBL >>>to your "Spam List =" setting. >>> >>>Then just restart or reload MailScanner and it will start using the >>>new list. >>> >>> >>For those that prefer to use SA to bump up the score instead of >>MailScanner's RBL's, something like: >> >>header RCVD_SPAMHAUS_XBL >>rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.') >>describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL >>tflags RCVD_SPAMHAUS_XBL net >>score RCVD_SPAMHAUS_XBL 1.5 >> >>in spam.assassin.prefs.conf should do the trick... >> >>Dan >> >> >> >>>-- >>>Julian Field >>>www.MailScanner.info >>>Professional Support Services at www.MailScanner.biz >>>MailScanner thanks transtec Computers for their support >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> >>-- >>____________________________________ >> >>Daniel Bird >>Network and Systems Manager >>Department Of Information Services >>St. George's Hospital Medical School >>Tooting >>London SW17 0RE >> >>P: +44 20 8725 2897 >>F: +44 20 8725 3583 >>E: dan@sghms.ac.uk >>____________________________________ >> >>Everything is possible....except skiing through a revolving door >> >> >> >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. 
>> >> >> > > > -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From clas at MAYER.SE Mon Jan 5 22:49:03 2004 From: clas at MAYER.SE (Clas Mayer) Date: Thu Jan 12 21:21:43 2006 Subject: New blocklist from Spamhaus In-Reply-To: References: <3FF5539C.3010507@sghms.ac.uk> Message-ID: <20040105224806.M39384@mayer.se> Yes its there RBL checks: i04Ng9wd089409 found in spamhaus-XBL ---------- Original Message ----------- From: "Michele Neylon :: Blacknight Solutions" To: MAILSCANNER@JISCMAIL.AC.UK Sent: Mon, 5 Jan 2004 22:35:31 -0000 Subject: Re: New blocklist from Spamhaus > Should this be showing up in the maillog? I can't see it anywhere :( > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Daniel Bird > > Sent: 02 January 2004 11:19 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: New blocklist from Spamhaus > > > > > > Julian Field wrote: > > > > > Spamhaus have started up a list of known machines which are > > open proxies, > > > spam zombies, etc. > > > > > > To use it, edit you /etc/MailScanner/spam.lists.conf or > > > /opt/MailScanner/etc/spam.lists.conf and add a line that looks > > like this: > > > > > > spamhaus-XBL xbl.spamhaus.org. > > > > > > (Don't forget the "." at the end of the line!) > > > > > > Then edit your MailScanner.conf and add > > > spamhaus-XBL > > > to your "Spam List =" setting. > > > > > > Then just restart or reload MailScanner and it will start using the > > > new list. > > > > > > For those that prefer to use SA to bump up the score instead of > > MailScanner's RBL's, something like: > > > > header RCVD_SPAMHAUS_XBL > > rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.') > > describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL > > tflags RCVD_SPAMHAUS_XBL net > > score RCVD_SPAMHAUS_XBL 1.5 > > > > in spam.assassin.prefs.conf should do the trick... > > > > Dan > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > -- > > ____________________________________ > > > > Daniel Bird > > Network and Systems Manager > > Department Of Information Services > > St. 
George's Hospital Medical School > > Tooting > > London SW17 0RE > > > > P: +44 20 8725 2897 > > F: +44 20 8725 3583 > > E: dan@sghms.ac.uk > > ____________________________________ > > > > Everything is possible....except skiing through a revolving door > > > > > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > ------- End of Original Message ------- From steve.freegard at LBSLTD.CO.UK Mon Jan 5 23:08:55 2004 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:43 2006
Subject: "Required SpamAssassin Score" and Bayes
Message-ID: <67D9E7698329D411936E00508B6590B902773D8C@neelix.lbsltd.co.uk>

Hi David,

>>> But we find more emails than we would expect still escape being
>>> spam-tagged: their spamscores seem strangely low.

I too have seen similar patterns of spam scoring strangely low and spent
some time over the weekend using MailWatch to work out why this was
happening.

I checked the 'Received:' headers IP addresses via OpenRBL.org and realised
that although these messages were listed in quite a few RBL's - SpamAssassin
had not picked up on this - further debugging via:

spamassassin -D rbl=-3 -p /etc/MailScanner/spam.assassin.prefs.conf < message 2>&1 | less

and I discovered that for some reason SA was 'trusting' the first host on
the received line and not checking it against the RBL's. I ended up adding:

trusted_networks 127.0.0.1 10/8 172.16/12 192.168/16 <> <>

in spam.assassin.prefs.conf and double-checked the settings by running SA in
debug across a range of messages to make sure that SA was checking the RBL's
as expected.

For good measure I also added:

# Manually add in the CBL until SA has it by default
header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org.')
describe RCVD_IN_CBL Received via a relay in cbl.abuseat.org
tflags RCVD_IN_CBL net
score RCVD_IN_CBL 5

And where these low-scoring spam were once slipping through - they aren't
now!

Hope this helps.

Kind regards,
Steve.

-----Original Message-----
From: David Lee
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: 05/01/04 17:17
Subject: "Required SpamAssassin Score" and Bayes

Executive summary: Might a high value of MS "Required SpamAssassin Score" interact adversely with SA Bayes?

Detail:

We started site-wide use of MailScanner some time ago (mid-2001), and of SpamAssassin back in 2002. Because of our worries about false positives, we adjusted the MailScanner.conf "Required SpamAssassin Score" from its default of 5 up to 7.

Things have moved on, and we are now happily using SA 2.61 including its Bayes aspects. But we find more emails than we would expect still escape being spam-tagged: their spamscores seem strangely low.

Might it be that our artificially high "Required SpamAssassin Score = 7" is causing the Bayes mechanism to auto-learn some "Score = 5" and "6" spams incorrectly as hams, and perhaps then to cause future occurrences of these spams to be marked down as hams (and thus escape being spam-tagged)?

I think we could reasonably confidently reduce "Required SA Score" from 7 down to 6 or 5, which would both catch a few more spams, and the resultant Bayes autolearn might then catch more (positive feedback).

Is the above reasoning basically sound? Or is it fundamentally flawed?

A supplementary question: Our SA/Bayes is currently only self-learning. Are there any nicely packaged schemes to allow us to supplement this from emails from validated individuals? A few of us could then redirect (bounce) emails to, say, "sa-learn-ham@..." and "sa-learn-spam@..." (but in such a way that it would verify the redirector/bouncer (or some equivalent) against a list of trusted folk).

--

:  David Lee                        I.T. Service          :
:  Systems Programmer               Computer Centre       :
:                                   University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/    South Road            :
:                                   Durham                :
:  Phone: +44 191 334 2752          U.K.                  :

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Tue Jan 6 09:42:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:43 2006
Subject: OT: MailScanner Logo
In-Reply-To: <3FFA6354.2070305@carlo65.de>
References: <3FFA6354.2070305@carlo65.de>
Message-ID: <6.0.1.1.2.20040106094111.036f7e48@imap.ecs.soton.ac.uk>

At 07:27 06/01/2004, you wrote:
>as I am involved in the MailWatch team, I currently design some Logo
>proposals. Could you tell me please, which font you used for the
>MailScanner Logo?

Sorry, I don't know what font it is. It was designed by a professional, I just got a couple of bitmaps (lo-res and hi-res) of the result.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Tue Jan 6 10:33:12 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:43 2006
Subject: "Required SpamAssassin Score" and Bayes
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C411@jessica.herefordshire.gov.uk>

Steve Freegard wrote:

> I too have seen similar patterns of spam scoring strangely low and spent
> some time over the weekend using MailWatch to work out why this was
> happening.
>
> I checked the 'Received:' headers IP addresses via OpenRBL.org and realised
> that although these messages were listed in quite a few RBL's - SpamAssassin
> had not picked up on this - further debugging via:
>
> spamassassin -D rbl=-3 -p /etc/MailScanner/spam.assassin.prefs.conf < message 2>&1 | less
>
> and I discovered that for some reason SA was 'trusting' the first host on
> the received line and not checking it against the RBL's. I ended up adding:
>
> trusted_networks 127.0.0.1 10/8 172.16/12 192.168/16 <> <>
>
> in spam.assassin.prefs.conf and double-checked the settings by running SA in
> debug across a range of messages to make sure that SA was checking the RBL's
> as expected.
>
> For good measure I also added:
>
> # Manually add in the CBL until SA has it by default
> header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org.')
> describe RCVD_IN_CBL Received via a relay in cbl.abuseat.org
> tflags RCVD_IN_CBL net
> score RCVD_IN_CBL 5
>
> And where these low-scoring spam were once slipping through - they aren't
> now!
>
> Hope this helps.
>
> Kind regards,
> Steve.

Thanks Steve,

I'd seen the same problem with omitted RBL checks but hadn't got around to investigating further.

Good catch!

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From KCollins at NESBITTENGINEERING.COM Tue Jan 6 13:36:16 2004
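The symptom discussed in the thread above (a listed relay never being looked up because it was treated as trusted) can be reproduced offline. The following is an added example, not code from the list or from SpamAssassin, and a simplified illustration rather than SpamAssassin's own logic: it skips trusted hops in the Received: chain and builds the DNSBL query name for the first untrusted relay. The sample message, the documentation-range addresses and the stub resolver are constructed; only the zone names and the private ranges come from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Private ranges from the trusted_networks line in the thread; a site adds its own relays.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Zones named in the thread. The trailing dot makes each name absolute,
# so the resolver does not append a local search domain.
ZONES = {"spamhaus-xbl": "xbl.spamhaus.org.", "cbl": "cbl.abuseat.org."}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: newest Received: header first, as in a real mail.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [10.0.0.5])\n"
    "\tby store.example.org with ESMTP; Mon, 5 Jan 2004 22:46:20 +0000\n"
    "Received: from dialup.example.net (dialup.example.net [203.0.113.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 5 Jan 2004 22:46:18 +0000\n"
    "Received: from pc (pc [198.51.100.9])\n"
    "\tby dialup.example.net with SMTP; Mon, 5 Jan 2004 22:46:15 +0000\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed blocklist contents: only 203.0.113.7 is listed, in both zones.
LISTED = {"7.113.0.203.xbl.spamhaus.org.", "7.113.0.203.cbl.abuseat.org."}


def stub_resolver(name):
    """Stand-in for a DNS A lookup: a listed name resolves, anything else is NXDOMAIN."""
    return name in LISTED


def relay_ips(raw_message):
    """Sending-relay IPv4 address of each Received: header, newest first."""
    ips = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        # Only the part before "by" describes the host that handed the mail over.
        sender_part = re.split(r"\sby\s", hdr, maxsplit=1)[0]
        m = BRACKETED_IP.search(sender_part)
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # e.g. [999.1.1.1] in a forged header
    return ips


def first_untrusted(raw_message, trusted=TRUSTED):
    """First relay, walking from the newest hop, that is outside every trusted network."""
    for ip in relay_ips(raw_message):
        if not any(ip in net for net in trusted):
            return ip
    return None


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>"""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def check(raw_message, resolver, trusted=TRUSTED):
    """Return (relay checked, tags of the zones that list it)."""
    ip = first_untrusted(raw_message, trusted)
    if ip is None:
        return None, []
    return ip, [tag for tag, zone in ZONES.items() if resolver(dnsbl_name(ip, zone))]


if __name__ == "__main__":
    # Correct trust boundary: the dial-up relay is checked and found listed.
    print(check(SAMPLE, stub_resolver))
    # Trust boundary drawn one hop too far out: the listed relay is skipped,
    # an older (forgeable) hop is checked instead, and nothing matches.
    too_wide = TRUSTED + [ipaddress.ip_network("203.0.113.0/24")]
    print(check(SAMPLE, stub_resolver, too_wide))
```

Running the same comparison against real headers, with a real resolver in place of the stub, shows whether low scores come from the trust boundary rather than from the rules themselves.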
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin)
Date: Thu Jan 12 21:21:43 2006
Subject: Unsubscribe
Message-ID: <2B1F39EA56FA7643A328F66521D41B760EED@magellan.nesbitt.local>

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

From ls at CREATIVE-WEBNET.DE Tue Jan 6 14:26:03 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
Message-ID:

Jan 6 02:34:39 p15131877 postfix/cleanup[11011]: BC2932940BE: message- id=
Jan 6 02:34:39 p15131877 postfix/qmgr[10789]: BC2932940BE: from=, size=4391, nrcpt=1 (queue active)
Jan 6 02:34:39 p15131877 postfix/qmgr[10789]: BC2932940BE: to=, orig_to=, relay=none, delay=4, status=deferred (deferred transport)

I used Postfix 2.0.14 and the newest Version of Mailscanner; I installed the version more than 10 times as described on the homepage of mailscanner; and it doesn't seem to work...

Please Help me, because I would like to use Mailscanner!!!

From jacques at MONACO.NET Tue Jan 6 14:42:31 2004
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
In-Reply-To:
References:
Message-ID: <200401061542.31715.jacques@monaco.net>

On Tuesday 06 January 2004 15:26, Alexander Endl wrote:
> I installed the version more than 10 times as described on the
> homepage of mailscanner; and it doesn't seem to work...

- Do you have the two instances (incoming and outgoing) of Postfix running?
- Do you have this in /etc/MailScanner/MailScanner.conf?

    Incoming Queue Dir = /var/spool/postfix.in/deferred
    Outgoing Queue Dir = /var/spool/postfix/incoming

- Is MailScanner running? I can't see any output from MS in the log you've pasted...

> Please Help me, because I would like to use Mailscanner!!!

You don't give enough information for that. You need to paste the relevant parts of your Postfix and MS configuration. Otherwise, people can't do much more than wild guesses as to what isn't working...

Greets,
--
[ Jacques Caruso                     PHP Developer ]
[ Monaco Internet       http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43    PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From ls at CREATIVE-WEBNET.DE Tue Jan 6 15:06:52 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl) Date: Thu Jan 12 21:21:43 2006 Subject: deferred transport - PLEASE HELP Message-ID: On Tue, 6 Jan 2004 15:42:31 +0100, Jacques Caruso wrote: >Le Mardi 06 Janvier 2004 15:26, Alexander Endl a ??crit? : >> I installed the version more then 10 times as like desripted on the >> homepage of mailscanner; and it don??t seems to be work... > >- Do you have the two instances (incoming and outgoing) of Postfix >running? ? >- Do you have this in /etc/MailScanner/MailScanner.conf? ? > > Incoming Queue Dir = /var/spool/postfix.in/deferred > Outgoing Queue Dir = /var/spool/postfix/incoming > >- Is MailScanner running? ? I can't see any output from MS in the log >you've pasted... > >> Please Help me, because I would like to use Mailscanner!!! > >You don't give enough information for that. You need to paste the >relevant parts of your Postfix and MS configuration. Otherwise, people >can't do much than wild guesses as to what isn't working... > >Greets, >-- >[ Jacques Caruso D??veloppeur PHP ] >[ Monaco Internet http://monaco-internet.mc/ ] >[ T??l : (+377) 93 10 00 43 Cl?? 
PGP : 0x41F5C63D ] >[ -*- Quand le doigt montre la lune, l'imb??cile regarde le doigt -*- ] Jan 6 15:53:27 creative postfix/qmgr[3208]: 4CC442CC0B2: to=, orig_to=, relay =none, delay=0, status=deferred (deferred transport) Jan 6 15:53:27 creative postfix/smtpd[3474]: disconnect from smtp.jiscmail.ac.uk[130.246.192.48] Jan 6 15:53:31 creative postfix/postfix-script: starting the Postfix mail system Jan 6 15:53:31 creative postfix/master[3547]: fatal: bind INADDR_ANY port 465: Address already in use Jan 6 15:53:47 creative postfix/smtpd[3266]: timeout after END-OF-MESSAGE from shackc.compushack.de[195.145.90.67] Jan 6 15:53:47 creative postfix/smtpd[3266]: disconnect from shackc.compushack.de[195.145.90.67] Jan 6 15:54:01 creative postfix/smtpd[3474]: connect from pD950D3AE.dip.t- dialin.net[217.80.211.174] Jan 6 15:54:01 creative smtpd[3474]: 387E42CC0B3: client=pD950D3AE.dip.t- dialin.net[217.80.211.174], sasl_method=LOGIN, sasl_usern ame=web4p1 Jan 6 15:54:01 creative postfix/trivial-rewrite[3268]: warning: do not list domain webdemo24.de in BOTH mydestination and virtual_ alias_domains Jan 6 15:54:01 creative postfix/cleanup[3475]: 387E42CC0B3: message- id= Jan 6 15:54:01 creative postfix/qmgr[3208]: 387E42CC0B3: from=, size=2476, nrcpt=1 (queue active) Jan 6 15:54:01 creative postfix/qmgr[3208]: 387E42CC0B3: to=, orig_to=, relay=non e, delay=0, status=deferred (deferred transport) Jan 6 15:54:01 creative smtpd[3474]: disconnect from pD950D3AE.dip.t- dialin.net[217.80.211.174] Jan 6 15:55:04 creative popper[3573]: Stats: web5p1 0 0 0 0 p50893F5F.dip.t-dialin.net 80.137.63.95 [pop_updt.c:296] Jan 6 15:55:05 creative popper[3574]: Stats: web5p1 0 0 0 0 p50893F5F.dip.t-dialin.net 80.137.63.95 [pop_updt.c:296] This is my MailScanner.conf # Set location of incoming mail queue # # This can be any one of # 1. A directory name # Example: /var/spool/mqueue.in # 2. A wildcard giving directory names # Example: /var/spool/mqueue.in/* # 3. 
The name of a file containing a list of directory names, # which can in turn contain wildcards. # Example: /etc/MailScanner/mqueue.in.list.conf # Incoming Queue Dir = /var/spool/postfix.in/deferred # Set location of outgoing mail queue. # This can also be the filename of a ruleset. Outgoing Queue Dir = /var/spool/postfix/incoming # Set where to unpack incoming messages before scanning them Incoming Work Dir = /var/spool/MailScanner/incoming # Set where to store infected and message attachments (if they are kept) # This can also be the filename of a ruleset. Quarantine Dir = /var/spool/MailScanner/quarantine # Set where to store the process id number so you can stop MailScanner PID file = /var/run/MailScanner.pid # To avoid resource leaks, re-start periodically Restart Every = 14400 # Set whether to use postfix, sendmail, exim or zmailer. # If you are using postfix, then see the "SpamAssassin User State Dir" # setting near the end of this file MTA = postfix This is my /etc/Postfix/Postfix.in/master.cf # (yes) (yes) (yes) (never) (50) # ========================================================================== smtp inet n - n - - smtpd smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #submission inet n - n - - smtpd # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 nqmgr #tlsmgr fifo - - n 300 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce flush unix n - n 1000? 0 flush smtp unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp #localhost:10025 inet n - n - - smtpd -o content_filter= # # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. 
# The Cyrus deliver program has changed incompatibly. # cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -m ${extension} ${user} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient vscan unix - n n - 10 pipe user=vscan argv=/usr/sbin/amavis ${sender} ${recipient} procmail unix - n n - - pipe flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient} relay unix - - n - - smtp proxymap unix - - n - - proxymap and at least the /etc/Postfix/master.cf # (yes) (yes) (yes) (never) (50) # ========================================================================== #smtp inet n - n - - smtpd smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #submission inet n - n - - smtpd # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 nqmgr #tlsmgr fifo - - n 300 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce flush unix n - n 1000? 0 flush smtp unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp #localhost:10025 inet n - n - - smtpd -o content_filter= # # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # The Cyrus deliver program has changed incompatibly. 
# cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -m ${extension} ${user} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient vscan unix - n n - 10 pipe user=vscan argv=/usr/sbin/amavis ${sender} ${recipient} procmail unix - n n - - pipe flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient} relay unix - - n - - smtp proxymap unix - - n - - proxymap ~ and like to do in the instruction i put these to lines into /etc/postfix/main.cf Tell the incoming Postfix not to deliver mail: Edit /etc/postfix.in/main.cf and add a line at the top that says this: defer_transports = smtp local virtual relay In the same file, look for the definition queue_directory = /var/spool/postfix look here (/etc/postfix.in/main.cf): defer_transports = smtp local virtual relay # Global Postfix configuration file. This file lists only a subset # of all 100+ parameters. See the sample-xxx.cf files for a full list. # # The general format is lines with parameter = value pairs. Lines # that begin with whitespace continue the previous line. A value can # contain references to other $names or ${name}s. # # NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF # POSTFIX STILL WORKS AFTER EVERY CHANGE. # SOFT BOUNCE # # The soft_bounce parameter provides a limited safety net for # testing. When soft_bounce is enabled, mail will remain queued that # would otherwise bounce. This parameter disables locally-generated # bounces, and prevents the SMTP server from rejecting mail permanently # (by changing 5xx replies into 4xx replies). However, soft_bounce # is no cure for address rewriting mistakes or mail routing mistakes. 
# #soft_bounce = no # LOCAL PATHNAME INFORMATION # # The queue_directory specifies the location of the Postfix queue. # This is also the root directory of Postfix daemons that run chrooted. # See the files in examples/chroot-setup for setting up Postfix chroot # environments on different UNIX systems. queue_directory = /var/spool/postfix So what goes flase; what I must do that you can help me exactly.... Thx from Germany!!! Alex... From ls at CREATIVE-WEBNET.DE Tue Jan 6 15:31:04 2004 
From: ls at CREATIVE-WEBNET.DE (Alexander Endl) Date: Thu Jan 12 21:21:43 2006 Subject: Now it seems to be a little bit better!!! Message-ID: I restarted my System twice; and now the incoming mail will be scanned, but not delivered back to me.... See the log in /var/loag/mail Jan 6 16:27:20 creative MailScanner[673]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Jan 6 16:27:20 creative MailScanner[673]: Using locktype = flock Jan 6 16:27:30 creative MailScanner[693]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Jan 6 16:27:30 creative MailScanner[693]: Using locktype = flock Jan 6 16:27:40 creative MailScanner[700]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Jan 6 16:27:40 creative MailScanner[700]: Using locktype = flock Jan 6 16:27:52 creative popper[702]: Stats: web2p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:27:52 creative popper[703]: Stats: web1p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:27:52 creative popper[704]: Stats: web4p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:27:52 creative popper[705]: Stats: web3p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:27:53 creative popper[706]: Stats: web7p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:28:05 creative postfix/smtpd[711]: connect from pD950D3AE.dip.t- dialin.net[217.80.211.174] Jan 6 16:28:05 creative smtpd[711]: 3E7032CC0B2: client=pD950D3AE.dip.t- dialin.net[217.80.211.174], sasl_method=LOGIN, sasl_username=web4p1 Jan 6 16:28:05 creative postfix/cleanup[712]: 3E7032CC0B2: message- id= Jan 6 16:28:05 creative postfix/qmgr[563]: 3E7032CC0B2: from=, size=2462, nrcpt=1 (queue active) Jan 6 16:28:05 creative smtpd[711]: disconnect from pD950D3AE.dip.t- dialin.net[217.80.211.174] Jan 6 16:28:05 creative postfix/qmgr[563]: 3E7032CC0B2: to=, orig_to=, relay=none, delay=0, status=deferred (deferre d 
transport) Jan 6 16:28:10 creative MailScanner[693]: Postfix queue structure is depth 1 Jan 6 16:28:10 creative MailScanner[693]: New Batch: Scanning 1 messages, 2841 bytes Jan 6 16:28:10 creative MailScanner[700]: Postfix queue structure is depth 1 Jan 6 16:28:10 creative MailScanner[673]: Postfix queue structure is depth 1 Jan 6 16:28:10 creative MailScanner[667]: Postfix queue structure is depth 1 Jan 6 16:28:10 creative MailScanner[693]: Virus and Content Scanning: Starting Jan 6 16:29:02 creative popper[726]: Stats: web4p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:29:02 creative popper[727]: Stats: web1p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:29:02 creative popper[728]: Stats: web2p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:29:02 creative popper[729]: Stats: web3p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] Jan 6 16:29:03 creative popper[730]: Stats: web7p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296] From jacques at MONACO.NET Tue Jan 6 15:58:41 2004 
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
In-Reply-To:
References:
Message-ID: <200401061658.41768.jacques@monaco.net>

On Tuesday 06 January 2004 16:06, Alexander Endl wrote:
> Jan 6 15:53:27 creative postfix/qmgr[3208]: 4CC442CC0B2: to=, orig_to=, relay =none, delay=0, status=deferred (deferred transport)
> Jan 6 15:53:27 creative postfix/smtpd[3474]: disconnect from smtp.jiscmail.ac.uk[130.246.192.48] Jan 6 15:53:31 creative postfix/postfix-script: starting the Postfix mail system
> Jan 6 15:53:31 creative postfix/master[3547]: fatal: bind INADDR_ANY port 465: Address already in use

Not sure if this is a showstopper, but you should fix this anyway: your incoming Postfix seems to listen on SMTPS (port 465), and the corresponding entry hasn't been disabled on the outgoing instance's master.cf. See below.

> Jan 6 15:54:01 creative postfix/trivial-rewrite[3268]: warning: do not list domain webdemo24.de in BOTH mydestination and virtual_alias_domains

Another unrelated problem, but I'd advise you to make sure all these problems are ironed out, so they don't confuse the situation. To solve this, remove the domain from either $mydestination or $virtual_alias_domains as indicated.

> Incoming Queue Dir = /var/spool/postfix.in/deferred

OK.

> Outgoing Queue Dir = /var/spool/postfix/incoming

OK.

> MTA = postfix

Fine, OK.

> and at least the /etc/Postfix/master.cf
>
> # (yes) (yes) (yes) (never) (50)
> #
> ==========================================================================
> #smtp inet n - n - - smtpd
> smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

You should comment that line to solve the problem indicated before. Only the incoming instance should be listening to the network.

> look here (/etc/postfix.in/main.cf):
>
> defer_transports = smtp local virtual relay
>
>
> # Global Postfix configuration file. This file lists only a subset
> # of all 100+ parameters. See the sample-xxx.cf files for a full list.
> [SNIP]
> # environments on different UNIX systems.
>
> queue_directory = /var/spool/postfix

Is this also in /etc/postfix.in/main.cf? If so, it should read /var/spool/postfix.in there.

> So what goes flase; what I must do that you can help me exactly....

Try these commands, you should get values like these:

[root@sceuzi][~]# postconf -c /etc/postfix defer_transports queue_directory
defer_transports =
queue_directory = /var/spool/postfix
[root@sceuzi][~]# postconf -c /etc/postfix/postfix.in defer_transports queue_directory
defer_transports = smtp local virtual relay
queue_directory = /var/spool/postfix.in

Is that OK? If it is, check that your two instances of Postfix are running:

[root@sceuzi][~]# ps aux | grep 'postfix/master'
root 30480 0.2 0.2 2804 952 ? S 14:25 0:15 /usr/lib/postfix/master
root 31091 0.1 0.2 2804 936 ? S 14:25 0:08 /usr/lib/postfix/master

If not, try to start them:

postfix -c /etc/postfix start
postfix -c /etc/postfix.in start

and look for errors like the ones indicated in your log (you can easily make a special init.d/postfix.in afterwards to have the two instances start automatically). When the two Postfixes are running, launch MailScanner (I don't know what distro you're using, on Debian, it amounts to an /etc/init.d/mailscanner start, but you can just run 'check_mailscanner'), and look if it starts:

[root@sceuzi][~]# ps aux | grep MailScan
postfix 20926 0.0 0.5 16996 2020 ? SN 13:50 0:00 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 20927 2.9 4.3 35132 16812 ? SN 13:50 5:29 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
[...]

If it does, then you're all set. Also make sure your /var/spool/postfix* are chown and chgrp postfix, ditto for /var/spool/MailScanner, and that MS is running under the right UID/GID:

Run As User = postfix
Run As Group = postfix

HTH!

Greets,
--
[ Jacques Caruso                     PHP Developer ]
[ Monaco Internet       http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43    PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From ls at CREATIVE-WEBNET.DE Tue Jan 6 16:03:51 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:43 2006
Subject: MailScanning and Outsending!
Message-ID:

So now I've installed MailScanner very well; everything works... I Can send EMAILS through my Server, and they will be Scanned, but the Shit is: THEY DON'T WANT BE DELIVERED

postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, delay=1, status=deferred (deferred transport)

So I changed the line in /etc/postfix.in/main.cf from this

defer_transports = smtp local virtual relay

to

defer_transports =

and it now works, but I'm not comfortable with it not working like the website says. I am wondering if anyone could help me figure out why it's not working like it is supposed to.

But if I do so Mail look after,

<----------------------This I Found here..

So now mail isn't being scanned by mailscanner though is it? You need to change the main.cf back.

1. Postfix (inbound) accepts mail for processing, it defers the incoming mail eg - hold the mail and do nothing else,
2. MailScanner collect the mail and process it, place it in the outbound queue,
3. Postfix.in (outbound) then discovers mail in the queue ready for delivery, it does the smtp delivery.
A complete log entry looks like Dec 4 11:15:35 mail01 postfix/smtpd[4713]: disconnect from gizmo06bw.bigpond.com[144.140.70.16] Dec 4 11:15:35 mail01 postfix/qmgr[25649]: EC38633BCD: to=, relay=none, delay=1, status=deferred (deferred transport) Dec 4 11:15:35 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes Dec 4 11:15:36 mail01 MailScanner[321]: SIGPIPE received - trying new log socket Dec 4 11:15:36 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes Dec 4 11:15:36 mail01 MailScanner[321]: Spam Checks: Starting Dec 4 11:15:39 mail01 MailScanner[321]: Virus and Content Scanning: Starting Dec 4 11:15:41 mail01 postfix/qmgr[25659]: 2C474C6E1: from=, size=3680, nrcpt=1 (queue active) Dec 4 11:15:41 mail01 MailScanner[321]: Uninfected: Delivered 1 messages Dec 4 11:15:46 mail01 postfix/smtp[4728]: 2C474C6E1: to=, relay=203.00.00.90[203.00.00.90], delay=12, status=sent (250 Message accepted for delivery) WHAT CAN I DO THAT IT WILL WORK FINE AND CORRECTLY, THE INSTALLATION TIPS ON THE WEBSITE DONT FUNCTION... AND I NEED ONLY THE DELIVERY MY LOGS NO SAID THE FOLLOWING, PLEASE HELP ME!!! Jan 6 16:56:30 creative MailScanner[677]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Jan 6 16:56:30 creative MailScanner[677]: Using locktype = flock Jan 6 16:56:40 creative MailScanner[678]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... 
Jan 6 16:56:40 creative MailScanner[678]: Using locktype = flock
Jan 6 16:57:03 creative popper[694]: Stats: web1p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:03 creative popper[696]: Stats: web4p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:03 creative popper[698]: Stats: web3p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:03 creative popper[699]: Stats: web7p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:04 creative popper[695]: Stats: web2p1 2 2122 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:23 creative postfix/smtpd[705]: connect from pD950D3AE.dip.t-dialin.net[217.80.211.174]
Jan 6 16:57:23 creative smtpd[705]: E98BD190042: client=pD950D3AE.dip.t-dialin.net[217.80.211.174], sasl_method=LOGIN, sasl_username=web4p1
Jan 6 16:57:23 creative postfix/trivial-rewrite[668]: warning: do not list domain webdemo24.de in BOTH mydestination and virtual_alias_domains
Jan 6 16:57:24 creative postfix/cleanup[667]: E98BD190042: message-id=
Jan 6 16:57:24 creative postfix/qmgr[561]: E98BD190042: from=, size=2474, nrcpt=1 (queue active)
Jan 6 16:57:24 creative postfix/local[670]: E98BD190042: to=, orig_to=, relay=local, delay=1, status=sent (mailbox)
Jan 6 16:57:24 creative smtpd[705]: disconnect from pD950D3AE.dip.t-dialin.net[217.80.211.174]
Jan 6 16:57:42 creative popper[706]: Stats: web2p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:42 creative popper[708]: Stats: web4p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:42 creative popper[709]: Stats: web3p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:43 creative popper[707]: Stats: web1p1 1 2625 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:57:43 creative popper[710]: Stats: web7p1 0 0 0 0 pD950D3AE.dip.t-dialin.net 217.80.211.174 [pop_updt.c:296]
Jan 6 16:58:29 creative smtpd[705]: connect from mc3.tipp24.de[212.12.47.89]
Jan 6 16:58:30 creative smtpd[705]: 003CF190042: client=mc3.tipp24.de[212.12.47.89]
Jan 6 16:58:30 creative postfix/cleanup[667]: 003CF190042: message-id=
Jan 6 16:58:30 creative postfix/qmgr[561]: 003CF190042: from=, size=1743, nrcpt=1 (queue active)
Jan 6 16:58:30 creative postfix/local[670]: 003CF190042: to=, orig_to=, relay=local, delay=0, status=sent (mailbox)
Jan 6 16:58:30 creative smtpd[705]: disconnect from mc3.tipp24.de[212.12.47.89]
Jan 6 16:59:31 creative smtpd[705]: connect from smtp.jiscmail.ac.uk[130.246.192.48]
Jan 6 16:59:31 creative smtpd[705]: 42876190042: client=smtp.jiscmail.ac.uk[130.246.192.48]
Jan 6 16:59:31 creative postfix/cleanup[667]: 42876190042: message-id=<200401061658.41768.jacques@monaco.net>
Jan 6 16:59:31 creative postfix/qmgr[561]: 42876190042: from=, size=6978, nrcpt=1 (queue active)
Jan 6 16:59:31 creative postfix/local[670]: 42876190042: to=, orig_to=, relay=local, delay=0, status=sent (mailbox)
Jan 6 16:59:31 creative smtpd[705]: disconnect from smtp.jiscmail.ac.uk[130.246.192.48]
Jan 6 17:00:01 creative postfix/postdrop[777]: warning: unable to look up public/pickup: No such file or directory
Jan 6 17:00:01 creative postfix/postdrop[797]: warning: unable to look up public/pickup: No such file or directory
Jan 6 17:00:01 creative postfix/postdrop[796]: warning: unable to look up public/pickup: No such file or directory
Jan 6 17:01:27 creative postfix/smtpd[666]: timeout after END-OF-MESSAGE from shackc.compushack.de[195.145.90.67]
Jan 6 17:01:27 creative postfix/smtpd[666]: disconnect from shackc.compushack.de[195.145.90.67]
Jan 6 17:01:28 creative postfix/smtpd[666]: connect from mail2.hessen.de[141.90.2.53]
Jan 6 17:01:28 creative postfix/smtpd[666]: 739F2190097: client=mail2.hessen.de[141.90.2.53]
Jan 6 17:01:28 creative postfix/cleanup[896]: 739F2190097: message-id=<426E03F733C0D71197CE0000E854F04C9E7C91@S0061C>
Jan 6 17:01:28 creative postfix/qmgr[561]: 739F2190097: from=, size=104035, nrcpt=1 (queue active)
Jan 6 17:01:28 creative postfix/local[897]: 739F2190097: to=, orig_to=, relay=local, delay=0, status=sent (mailbox)

If you have ICQ and can help me please let me Know; my ICQ is 133115107

If anybody can help me quickly i will pay just 30 EURO!!!

Thx Alexander

From ls at CREATIVE-WEBNET.DE Tue Jan 6 16:24:23 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
Message-ID:

>Another unrelated problem, but I'd advise you to make sure all these
>problems are ironed out, so they don't confuse the situation to solve
>this, remove the domain from either $mydestination or
>$virtual_alias_domains as indicated.

How and where this works???

>> and at least the /etc/Postfix/master.cf
>>
>> # (yes) (yes) (yes) (never) (50)
>> #
>> ==========================================================================
>> #smtp inet n - n - - smtpd
>> smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
>
>You should comment that line to solve the problem indicated before. Only
>the incoming instance should be listening to the network.

This is O.K. in my /etc/postfix/master.cf!!!!!!!!!!!!!!

>
>> look here (/etc/postfix.in/main.cf):
>>
>> defer_transports = smtp local virtual relay
>>
>>
>> # Global Postfix configuration file. This file lists only a subset
>> # of all 100+ parameters. See the sample-xxx.cf files for a full list.
>> [SNIP]
>> # environments on different UNIX systems.
>>
>> queue_directory = /var/spool/postfix
>
>Is this also in /etc/postfix.in/main.cf? If so, it should read
>/var/spool/postfix.in there.

This I Changed now!!!

>> So what goes false; what I must do that you can help me exactly....
>
>Try these commands, you should get values like these:
>
>[root@sceuzi][~]# postconf -c /etc/postfix defer_transports queue_directory
>defer_transports =
>queue_directory = /var/spool/postfix
>[root@sceuzi][~]# postconf -c /etc/postfix/postfix.in defer_transports queue_directory
>defer_transports = smtp local virtual relay
>queue_directory = /var/spool/postfix.in
>
>Is that OK? If it is, check that your two instances of Postfix are running:

THIS IS ALSO O.K.!!!!!!!!!!!!!!!

>
>[root@sceuzi][~]# ps aux | grep 'postfix/master'
>root 30480 0.2 0.2 2804 952 ? S 14:25 0:15 /usr/lib/postfix/master
>root 31091 0.1 0.2 2804 936 ? S 14:25 0:08 /usr/lib/postfix/master
>

IF I DO THIS - The Result is:

creative:/etc/postfix.in # ps aux | grep 'postfix/master'
root 548 0.0 0.5 4444 1444 ? S 16:55 0:00 /usr/lib/postfix/master
creative:/etc/postfix.in #

I TRY postfix -c /etc/postfix.in start

AND THE RESULT IS:

creative:/etc/postfix.in # postfix -c /etc/postfix.in start
postfix/postfix-script: fatal: the Postfix mail system is already running
creative:/etc/postfix.in #

>If not, try to start them:
>
>postfix -c /etc/postfix start
>postfix -c /etc/postfix.in start
>
>and look for errors like the ones indicated in your log (you can easily
>make a special init.d/postfix.in afterwards to have the two instances
>start automatically). When the two Postfixes are running, launch
>MailScanner (I don't know what distro you're using, on Debian, it amounts to
>an /etc/init.d/mailscanner start, but you can just run
>'check_mailscanner'), and look if it starts:
>
>[root@sceuzi][~]# ps aux | grep MailScan
>postfix 20926 0.0 0.5 16996 2020 ? SN 13:50 0:00 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>postfix 20927 2.9 4.3 35132 16812 ? SN 13:50 5:29 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>[...]
>
>If it does, then you're all set. Also make sure your /var/spool/postfix*
>are chown and chgrp postfix, ditto for /var/spool/MailScanner, and that
>MS is running under the right UID/GID:
>
>Run As User = postfix
>Run As Group = postfix
>
>HTH!
>
>Greets,
>--
>[ Jacques Caruso PHP Developer ]
>[ Monaco Internet http://monaco-internet.mc/ ]
>[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
>[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

So I think it's not a big deal for You - but I don't know what to do???

Please help and read the comments by me between Your answer!!!

Thx Alex....
From jacques at MONACO.NET Tue Jan 6 16:28:12 2004 
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:43 2006
Subject: MailScanning and Outsending!
In-Reply-To:
References:
Message-ID: <200401061728.12961.jacques@monaco.net>

On Tuesday 06 January 2004 17:03, Alexander Endl wrote:
> So now mail isnt being scanned by mailscanner though is it? You need
> to change the main.cf back.

Exactly. The very point of deferring transport is to let MS collect the
messages for scanning...

> 1.Postfix (inbound) accepts mail for processing, it defers the
> incoming mail eg - hold the mail and do nothing else,

Yes.

> 2.MailScanner collect the mail and process it, place it in the
> outbound queue,

Yes.

> 3. Postfix.in (outbound) then discovers mail in the queue ready for
> delivery, it does the smtp delivery.

Not necessarily the SMTP delivery. If you aren't relaying to another
server, it will use the local agent to deliver to a local mailbox.

> WHAT CAN I DO THAT IT WILL WORK FINE AND CORRECTLY, THE INSTALLATION
> TIPS ON THE WEBSITE DONT FUNCTION...

There is no need to shout. Have you made sure your two postfixes were
running? Specifically: is the _outgoing_ Postfix (the one with the
configuration in /etc/postfix) running? Does a
'postqueue -c /etc/postfix -p' show the messages in the
/var/spool/postfix/incoming queue? If so, can you (1) stop the incoming
Postfix, (2) make sure the outgoing one is running, and (3) do a queue
run (with 'postqueue -c /etc/postfix -f') to see if the messages are
delivered? If they're still stuck in the queue, what do your logfiles
show?

> Jan 6 17:00:01 creative postfix/postdrop[777]: warning: unable to look up public/pickup: No such file or directory
> Jan 6 17:00:01 creative postfix/postdrop[797]: warning: unable to look up public/pickup: No such file or directory
> Jan 6 17:00:01 creative postfix/postdrop[796]: warning: unable to look up public/pickup: No such file or directory

What's this? Are the queue directories correctly created? Have you this
in /var/spool?

[root@sceuzi][~]# ls -dl /var/spool/post*
drwxr-xr-x 18 root root 4096 2003-11-21 18:21 /var/spool/postfix
drwxr-xr-x 18 root root 4096 2003-09-27 04:42 /var/spool/postfix.in

And have you made sure the subdirectories of these are the same, and
have the correct permissions? Everything inside should be chown
postfix, and (maildrop|public/*) should be chgrp postdrop...

> If you have ICQ and can help me please let me Know; my ICQ is
> 133115107 If anybody can help me quickly i will pay just 30 EURO!!!

Have you had a look at ? There seems to be some commercial support
available for this product...

Greets,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From jacques at MONACO.NET Tue Jan 6 16:41:04 2004
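Added example (not part of the original message and not MailScanner or Postfix code): a small audit of the two-instance layout discussed in this thread, checking that only the incoming instance defers its transports and that the two instances do not share a queue_directory. The sample main.cf excerpts are constructed from the values quoted in the thread, and the function names and finding codes are hypothetical.

```python
# Added example: audit a two-instance Postfix + MailScanner split.
# Assumption: Postfix falls back to /var/spool/postfix when main.cf
# does not set queue_directory.
DEFAULT_QUEUE_DIR = "/var/spool/postfix"


def parse_main_cf(text):
    """Parse main.cf text into a dict.

    Handles '#' comment lines, blank lines, continuation lines (a line
    that starts with whitespace extends the previous logical line) and
    repeated parameters (the last assignment wins).
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_split(incoming_cf, outgoing_cf):
    """Return a list of (code, message) findings; empty means the split is sane."""
    inc = parse_main_cf(incoming_cf)
    out = parse_main_cf(outgoing_cf)
    findings = []
    if not inc.get("defer_transports", "").split():
        findings.append(("not-deferred",
                         "incoming instance delivers mail itself, so "
                         "MailScanner never gets to collect it"))
    if out.get("defer_transports", "").split():
        findings.append(("outgoing-deferred",
                         "outgoing instance defers transports, so scanned "
                         "mail stays stuck in its queue"))
    inc_q = inc.get("queue_directory", DEFAULT_QUEUE_DIR).rstrip("/")
    out_q = out.get("queue_directory", DEFAULT_QUEUE_DIR).rstrip("/")
    if inc_q == out_q:
        findings.append(("shared-queue",
                         "both instances use queue_directory " + inc_q))
    return findings


# Constructed excerpt: the incoming main.cf as first posted in the thread,
# with queue_directory still pointing at the outgoing spool.
INCOMING_AS_POSTED = """\
# /etc/postfix.in/main.cf (constructed excerpt)
defer_transports = smtp local
    virtual relay
queue_directory = /var/spool/postfix
"""

# Constructed excerpt: the same file after the correction suggested in the thread.
INCOMING_FIXED = """\
defer_transports = smtp local virtual relay
queue_directory = /var/spool/postfix.in
"""

# Constructed excerpt: the outgoing instance, /etc/postfix/main.cf.
OUTGOING = """\
defer_transports =
queue_directory = /var/spool/postfix
"""

if __name__ == "__main__":
    for label, cf in (("as posted", INCOMING_AS_POSTED), ("fixed", INCOMING_FIXED)):
        print(label, audit_split(cf, OUTGOING) or "OK")
```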
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
In-Reply-To:
References:
Message-ID: <200401061741.04690.jacques@monaco.net>

On Tuesday 06 January 2004 17:24, Alexander Endl wrote:
> How and where this works???

man virtual(5)... Basically, if you've put virtual aliases in
/etc/postfix/virtual, like this:

somedomain.example foobar
someone@somedomain.example someone

you shouldn't list somedomain.example in $mydestination anymore. This
parameter is only for domains where all the local users are valid. But
this is OT on this list...

> This is O.K. in my /etc/postfix/master.cf!!!!!!!!!!!!!!

Well, fine. I was just pointing that because I saw an error in your log
extract. If it has been corrected since, all is well...

> IF I DO THIS - The Result is:
>
> creative:/etc/postfix.in # ps aux | grep 'postfix/master'
> root 548 0.0 0.5 4444 1444 ? S 16:55 0:00 /usr/lib/postfix/master

OK. That means one of the two Postfixes is missing (and I suspect it's
the outgoing one, of course).

> I TRY postfix -c /etc/postfix.in start
>
> AND THE RESULT IS:
>
> creative:/etc/postfix.in # postfix -c /etc/postfix.in start
> postfix/postfix-script: fatal: the Postfix mail system is already running

OK. Then, have you tried to start the other Postfix? (with
'-c /etc/postfix')? Does it start?

Greets,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From gdoris at rogers.com Tue Jan 6 16:45:57 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:21:43 2006
Subject: Strange sendmail behaviour?
Message-ID: <42859.129.80.22.133.1073407557.squirrel@tiger.dorfam.ca>

I know this isn't a direct MailScanner question but I thought I'd ask if
anyone else is seeing this sendmail behaviour.

I'm seeing more and more of the following error messages. Notice that all
the arg IP's are the same and sendmail thinks that it is an attempt to
relay. I've started getting the same behaviour if I try and send mail
from my work account directly to my server.

I can't see anything wrong with sendmail. Is this some kind of new
Microsoft "feature"???

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 5 23:00:53 tiger sendmail[23006]: ruleset=check_relay, arg1=[211.181.197.118], arg2=211.181.197.118, relay=[211.181.197.118], discard
Jan 5 23:00:55 tiger sendmail[23006]: i0640rgL023006: discarded
Jan 5 23:02:51 tiger sendmail[23159]: ruleset=check_relay, arg1=[218.4.201.246], arg2=218.4.201.246, relay=[218.4.201.246], discard
Jan 5 23:02:54 tiger sendmail[23159]: i0642pgL023159: discarded

From jaearick at COLBY.EDU Tue Jan 6 16:52:07 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:43 2006
Subject: Strange sendmail behaviour?
In-Reply-To: <42859.129.80.22.133.1073407557.squirrel@tiger.dorfam.ca>
References: <42859.129.80.22.133.1073407557.squirrel@tiger.dorfam.ca>
Message-ID:

Do you have a typo in your access.db file where you declare your discard
mailer entries?

On Tue, 6 Jan 2004, Gerry Doris wrote:

> Date: Tue, 6 Jan 2004 11:45:57 -0500
> From: Gerry Doris
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Strange sendmail behaviour?
>
> I know this isn't a direct MailScanner question but I thought I'd ask if
> anyone else is seeing this sendmail behaviour.
>
> I'm seeing more and more of the following error messages. Notice that all
> the arg IP's are the same and sendmail thinks that it is an attempt to
> relay. I've started getting the same behaviour if I try and send mail
> from my work account directly to my server.
>
> I can't see anything wrong with sendmail. Is this some kind of new
> Microsoft "feature"???
>
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 5 23:00:53 tiger sendmail[23006]: ruleset=check_relay, arg1=[211.181.197.118], arg2=211.181.197.118, relay=[211.181.197.118], discard
> Jan 5 23:00:55 tiger sendmail[23006]: i0640rgL023006: discarded
>
> Jan 5 23:02:51 tiger sendmail[23159]: ruleset=check_relay, arg1=[218.4.201.246], arg2=218.4.201.246, relay=[218.4.201.246], discard
> Jan 5 23:02:54 tiger sendmail[23159]: i0642pgL023159: discarded
>

From ls at CREATIVE-WEBNET.DE Tue Jan 6 16:54:01 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
Message-ID:

creative:/etc/postfix # postfix -c /etc/postfix.in start
postfix/postfix-script: starting the Postfix mail system
creative:/etc/postfix # postfix -c /etc/postfix start
postfix/postfix-script: fatal: the Postfix mail system is already running
creative:/etc/postfix #

This happens if I tried to start the other postfix!!!

From drew at THEMARSHALLS.CO.UK Tue Jan 6 17:11:29 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:43 2006
Subject: deferred transport - PLEASE HELP
In-Reply-To:
References:
Message-ID: <51958.194.70.180.170.1073409089.squirrel@net.themarshalls.co.uk>

>>Another unrelated problem, but I'd advise you to make sure all these
>>problems are ironed out, so they don't confuse the situation to solve
>>this, remove the domain from either $mydestination or
>>$virtual_alias_domains as indicated.
>
> How and where this works???

Check *both* main.cf files

>>> and at least the /etc/Postfix/master.cf
>>>
>>> # (yes) (yes) (yes) (never) (50)
>>> #
>>> =========================================================================
>>> #smtp inet n - n - - smtpd
>>> smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
>>
>>You should comment that line to solve the problem indicated before. Only
>>the incoming instance should be listening to the network.
>
> This is O.K. in my /etc/postfix/master.cf!!!!!!!!!!!!!!
>
>>
>>> look here (/etc/postfix.in/main.cf):
>>>
>>> defer_transports = smtp local virtual relay
>>>
>>>
>>> # Global Postfix configuration file. This file lists only a subset
>>> # of all 100+ parameters. See the sample-xxx.cf files for a full list.
>>> [SNIP]
>>> # environments on different UNIX systems.
>>>
>>> queue_directory = /var/spool/postfix
>>
>>Is this also in /etc/postfix.in/main.cf? If so, it should read
>>/var/spool/postfix.in there.
>
> This I Changed now!!!
>
>>> So what goes false; what I must do that you can help me exactly....
>>
>>Try these commands, you should get values like these:
>>
>>[root@sceuzi][~]# postconf -c /etc/postfix defer_transports queue_directory
>>defer_transports =
>>queue_directory = /var/spool/postfix
>>[root@sceuzi][~]# postconf -c /etc/postfix/postfix.in defer_transports queue_directory
>>defer_transports = smtp local virtual relay
>>queue_directory = /var/spool/postfix.in
>>
>>Is that OK? If it is, check that your two instances of Postfix are running:
>
> THIS IS ALSO O.K.!!!!!!!!!!!!!!!
>
>>
>>[root@sceuzi][~]# ps aux | grep 'postfix/master'
>>root 30480 0.2 0.2 2804 952 ? S 14:25 0:15 /usr/lib/postfix/master
>>root 31091 0.1 0.2 2804 936 ? S 14:25 0:08 /usr/lib/postfix/master
>>
>
> IF I DO THIS - The Result is:
>
> creative:/etc/postfix.in # ps aux | grep 'postfix/master'
> root 548 0.0 0.5 4444 1444 ? S 16:55 0:00 /usr/lib/postfix/master
> creative:/etc/postfix.in #
>
>
> I TRY postfix -c /etc/postfix.in start
>
> AND THE RESULT IS:
>
> creative:/etc/postfix.in # postfix -c /etc/postfix.in start
> postfix/postfix-script: fatal: the Postfix mail system is already running
> creative:/etc/postfix.in #

Stop both instances and start again:

# postfix -c /etc/postfix.in stop
# postfix -c /etc/postfix stop

and then same with start at the end.

>>If not, try to start them:
>>
>>postfix -c /etc/postfix start
>>postfix -c /etc/postfix.in start
>>
>>and look for errors like the ones indicated in your log (you can easily
>>make a special init.d/postfix.in afterwards to have the two instances
>>start automatically). When the two Postfixes are running, launch
>>MailScanner (I don't know what distro you're using, on Debian, it amounts to
>>an /etc/init.d/mailscanner start, but you can just run
>>'check_mailscanner'), and look if it starts:
>>
>>[root@sceuzi][~]# ps aux | grep MailScan
>>postfix 20926 0.0 0.5 16996 2020 ? SN 13:50 0:00 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>>postfix 20927 2.9 4.3 35132 16812 ? SN 13:50 5:29 /usr/bin/perl -I/usr/share/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf

Try /path to/MailScanner/bin/check_mailscanner

This should start MS (Or report that it is running already. This being
the case kill the first process ID and run the above command again)

>>[...]
>>
>>If it does, then you're all set. Also make sure your /var/spool/postfix*
>>are chown and chgrp postfix, ditto for /var/spool/MailScanner, and that
>>MS is running under the right UID/GID:
>>
>>Run As User = postfix
>>Run As Group = postfix
>>
>>HTH!
>>
>>Greets,
>>--
>>[ Jacques Caruso PHP Developer ]
>>[ Monaco Internet http://monaco-internet.mc/ ]
>>[ Tel : (+377) 93 10 00 43 PGP key : 0x41F5C63D ]
>>[ -*- When the finger points at the moon, the fool looks at the finger -*- ]
>
>
> So I think it's not a big deal for You - but I don't know what to do???
>
> Please help and read the comments by me between Your answer!!!
>
> Thx Alex....
>

Good luck

Drew

From mickey-ml at GREENGLOW.ORG Tue Jan 6 17:30:42 2004
From: mickey-ml at GREENGLOW.ORG (Mickey Everts)
Date: Thu Jan 12 21:21:43 2006
Subject: spamassassin timeouts question
Message-ID: <008001c3d47a$d031f760$630a0a0a@gyruss>

I don't understand how this can happen with a message.

X-MailScanner-SpamCheck: not spam, SpamAssassin (timed out)

When the configuration is so.

Max SpamAssassin Timeouts = 10

And the only log message I see is..

Jan 6 09:10:43 defender MailScanner[11056]: SpamAssassin timed out and was killed, consecutive failure 1 of 10

I am not seeing failure 2 of 10 and so on..

Mickey
SLP

From mailscanner at ecs.soton.ac.uk Tue Jan 6 17:34:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:43 2006
Subject: spamassassin timeouts question
In-Reply-To: <008001c3d47a$d031f760$630a0a0a@gyruss>
References: <008001c3d47a$d031f760$630a0a0a@gyruss>
Message-ID: <6.0.1.1.2.20040106173229.02d82ff8@imap.ecs.soton.ac.uk>

At 17:30 06/01/2004, you wrote:

>I don't understand how this can happen with a message
>
>X-MailScanner-SpamCheck: not spam, SpamAssassin (timed out)
>
>When the configuration is so
>
>Max SpamAssassin Timeouts = 10
>
>And the only log message I see is..
>
>Jan 6 09:10:43 defender MailScanner[11056]: SpamAssassin timed out and
>was killed, consecutive failure 1 of 10
>
>I am not seeing failure 2 of 10 and so on..

It is succeeding some times and failing other times. It needs to hit 10
consecutive timeouts before SpamAssassin network checks are disabled. 20
consecutive timeouts (including the above 10) will cause SpamAssassin to be
disabled altogether. Even if it keeps failing, it's usually due to network
checks which is why the behaviour is slightly cleverer than the simple
configuration option suggests.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at trudeau.org Tue Jan 6 19:21:54 2004
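Added example (not part of the original message and not MailScanner's own code): a model of the consecutive-timeout counter described in the reply above, plus a summary of the "consecutive failure N of M" log lines, showing why intermittent timeouts never log past "1 of 10" while each timed-out message is still tagged "not spam". Assumptions: the counter resets on any successful check, the second threshold is twice "Max SpamAssassin Timeouts", and every sample log line after the first is constructed.

```python
import re

TIMED_OUT_VERDICT = "not spam, SpamAssassin (timed out)"  # header text from the thread


class TimeoutTracker:
    """Model of the behaviour described in the thread, not MailScanner source."""

    def __init__(self, max_timeouts=10):
        self.max_timeouts = max_timeouts          # "Max SpamAssassin Timeouts"
        self.disable_all_at = 2 * max_timeouts    # assumption: 20 when the max is 10
        self.consecutive = 0
        self.network_checks = True
        self.spamassassin = True

    def record(self, timed_out):
        """Register one SpamAssassin run and return the verdict for that message."""
        if not self.spamassassin:
            return "unscored (SpamAssassin disabled)"   # model's own label
        if not timed_out:
            self.consecutive = 0                         # a success ends the streak
            return "scored"
        self.consecutive += 1
        if self.consecutive >= self.disable_all_at:
            self.spamassassin = False
        elif self.consecutive >= self.max_timeouts:
            self.network_checks = False
        return TIMED_OUT_VERDICT                         # message passes as not spam


def replay(outcomes, max_timeouts=10):
    """Feed a sequence of timed_out booleans; return (tracker, longest streak)."""
    tracker = TimeoutTracker(max_timeouts)
    longest = 0
    for timed_out in outcomes:
        tracker.record(timed_out)
        longest = max(longest, tracker.consecutive)
    return tracker, longest


LOG_RE = re.compile(
    r"MailScanner\[\d+\]: SpamAssassin timed out and was killed, "
    r"consecutive failure (\d+) of (\d+)"
)


def summarize_log(lines):
    """Count timed-out (unscored) messages and the worst streak seen in a log."""
    streaks = []
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            streaks.append(int(match.group(1)))
    return {"timeouts": len(streaks), "worst_streak": max(streaks, default=0)}


SAMPLE_LOG = [
    # First line is quoted from the thread; the rest are constructed.
    "Jan 6 09:10:43 defender MailScanner[11056]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 6 09:12:10 defender MailScanner[11056]: New Batch: Scanning 1 messages, 2474 bytes",
    "Jan 6 09:14:02 defender MailScanner[11056]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 6 09:20:31 defender MailScanner[11056]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
]

if __name__ == "__main__":
    _, longest = replay([True, False, True, False, True])
    print("intermittent timeouts, longest streak:", longest)
    print(summarize_log(SAMPLE_LOG))
```

Three messages in the sample log went out unscored even though the streak never passed 1, so the count of timeouts is the number to watch, not the streak.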
From: chris at trudeau.org (Chris Trudeau)
Date: Thu Jan 12 21:21:44 2006
Subject: spamassassin timeouts question
In-Reply-To: <6.0.1.1.2.20040106173229.02d82ff8@imap.ecs.soton.ac.uk>
Message-ID: <018d01c3d48a$58488970$23c8a8c0@serv>

>>I am not seeing failure 2 of 10 and so on..

>It is succeeding some times and failing other times. It needs to hit 10
>consecutive timeouts before SpamAssassin network checks are disabled. 20
>consecutive timeouts (including the above 10) will cause SpamAssassin to be
>disabled altogether. Even if it keeps failing, it's usually due to network
>checks which is why the behaviour is slightly cleverer than the simple
>configuration option suggests.

So is it safe to say that while SpamAssassin is timing out 1 of 10 the
message is automatically accepted and allowed through? I suppose one
might expect that if it failed, it should fail closed instead of open.

I'm puzzled by this problem...because NO SPAM gets through my
MailScanner instance EXCEPT for SpamAssassin timeouts. Would it be
possible to make this queue and rescan later? Or at least to make this
configurable? I know there will be a venerable uprising about holding
mail that is not able to be processed...but I want to stop these from
getting through...

It seems we have created an environment, where if the network checks
timing out can allow false positives to be processed and allowed
through, that fooling SpamAssassin and MailScanner would be as easy as
making network checks unavailable. Then all messages would time-out and
be accepted by the instance, thus forwarded on to the end MUA.

Chris Trudeau

From steve.swaney at FSL.COM Tue Jan 6 19:26:50 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:44 2006
Subject: MailScanner Logo
In-Reply-To: <3FFA6354.2070305@carlo65.de>
Message-ID: <20040106192648.3C99E21C29E@mail.fsl.com>

Roland,

I've recreated the MailScanner logo in Corel Draw. The fonts M$ uses are:

Humanst531 BT (the www.mailscacnner.info)
AmerType MD BT (MailScanner)

The Amertype is actually condensed slightly from the stock font.

If you can email me off-list I can send you the fonts. I can also export
the actual logo to just about any format you can use and include that if
you wish - just let me know what format you'd prefer,

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Phone: 202 338-1670
Fax: 202 448-2969
steve.swaney@fsl.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Roland Ehle
> Sent: Tuesday, January 06, 2004 2:27 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: OT: MailScanner Logo
>
> Hi Julian,
>
> as I am involved in the MailWatch team, I currently design some Logo
> proposals. Could you tell me please, which font you used for the
> MailScanner Logo?
>
> Thanks.
> Regards,
> Roland

From stahl at soest.hawaii.edu Tue Jan 6 20:29:10 2004
From: stahl at soest.hawaii.edu (No Name)
Date: Thu Jan 12 21:21:44 2006
Subject: patching MIME-tools-5.411
Message-ID: <200401062029.i06KTAAc005671@leka.soest.hawaii.edu>

Thanks a lot Julian!

Aloha,
Sharon Stahl

> X-RAL-MFrom:
> X-RAL-Connect:
> X-Sender: (Unverified)
> Mime-Version: 1.0
> X-MailScanner-Information: Please contact helpdesk@ecs.soton.ac.uk for more information
> X-ECS-MailScanner: Found to be clean
> X-Scanned-By: MIMEDefang 2.38
> Date: Fri, 2 Jan 2004 15:05:01 +0000
> From: Julian Field
> Subject: Re: patching MIME-tools-5.411
> To: MAILSCANNER@jiscmail.ac.uk
> X-SOEST-MailScanner: Found to be clean
> X-SOEST-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.784, required 5, BIZ_TLD 0.78)
>
> Thanks for the reminder. Finally done it for you. I have updated
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/perl.shtml
> to link to the patched version.
>
> At 14:25 02/01/2004, you wrote:
> >I used the GNU Patch command (from http://www.sunfreeware.com) and it
> >worked.
> >
> >Problems with patching MIME-tools have surfaced on the list several
> >times. I have asked for MIME-tools to be patched on MailScanners web
> >site (they are patched for the Linux distributions of MailScanner) but
> >got no response from Julian. Since we're only allowed to use a single
> >version of MIME-tools they could just as well be patched before we
> >download them. Just my $0.02.
> >
> >/Peter Bonivart
> >
> >--Unix lovers do it in the Sun
> >
> >Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> >SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
> >
> >No Name wrote:
> >>I followed the Solaris 9 install notes on the website but can't get the
> >>files patched.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

*=============================================================*
| UH/SOEST-Research Computer Fac  vox: (808) 956-2616         |
| 1680 East West Rd- POST820      email: stahl@soest.hawaii.edu |
| Honolulu, Hi 96822              fax: (808) 956-5154         |
*=============================================================*

From gdoris at rogers.com Tue Jan 6 20:29:07 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:21:44 2006
Subject: Strange sendmail behaviour?
In-Reply-To:
References: <42859.129.80.22.133.1073407557.squirrel@tiger.dorfam.ca>
Message-ID: <38787.129.80.22.143.1073420947.squirrel@tiger.dorfam.ca>

> Do you have a typo in your access.db file where you declare your discard
> mailer entries?
>

I don't see anything obvious in the access file. However, I did have two
hard power hits one after another the other day. The server wasn't able to
reboot on its own after either outage. Perhaps the access.db file was
messed up. I'll rebuild it and see if it makes a difference.

Thanks for the hint!

Gerry

From campbell at CNPAPERS.COM Tue Jan 6 21:26:04 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:44 2006
Subject: Blacklist question, please
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk>
Message-ID: <000b01c3d49b$b0f261c0$6f01a8c0@cnpapers.net>

I get a lot of spam from a varying domain name which usually takes the form
of:

blahblah@stderr.blahblah.com

(blah represents the varying part)

Is a blacklist entry of the form below valid, and if not, how would someone
suggest I write it:

From: *@stderr.* yes

Thanks for the info forthcoming

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From esandquist at IHMS.NET Tue Jan 6 21:20:07 2004
From: esandquist at IHMS.NET (Eric Sandquist)
Date: Thu Jan 12 21:21:44 2006
Subject: Maximum Scanned Message Size
In-Reply-To: <5.2.0.9.2.20030930110740.04534638@imap.ecs.soton.ac.uk>
Message-ID:

Is there a setting, probably is but I'm having trouble finding it right now,
where I can set the maximum size for a message to be scanned. ie. if the
message is larger than 64k it would just pass through the scanner to the
recipient without being scanned? If such a setting exists, can there be 2
settings? one for virus scanning and the other for SPAM?

SPAM is generally a small email, whereas I would like to have everything
scanned for virii... I think bypassing spam scans on larger files will have
a significant improvement on my server load...

Eric

From dwinkler at ALGORITHMICS.COM Tue Jan 6 22:07:50 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:21:44 2006
Subject: Problem with Virus Update
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B10E@tormail2.algorithmics.com>

and solution.

# ./update_virus_scanners
./update_virus_scanners: /opt/MailScanner/lib/drweb-wrapper: Permission denied
# chmod +x /opt/MailScanner/lib/drweb-wrapper
# ./update_virus_scanners
#

MailScanner 4.25-14 from a tarball install.

What is the drweb-wrapper script for, I use ClamAV and SophosSAVI?

Thanks,

Derek Winkler
Security Administrator
Algorithmics Inc., Toronto
Tel: (416) 217-4107
Fax: (416) 971-6263
www.algorithmics.com

From mailscanner at ecs.soton.ac.uk Tue Jan 6 23:05:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: spamassassin timeouts question
In-Reply-To: <018d01c3d48a$58488970$23c8a8c0@serv>
References: <6.0.1.1.2.20040106173229.02d82ff8@imap.ecs.soton.ac.uk> <018d01c3d48a$58488970$23c8a8c0@serv>
Message-ID: <6.0.1.1.2.20040106230412.02d57ea8@imap.ecs.soton.ac.uk>

At 19:21 06/01/2004, you wrote:

> >>I am not seeing failure 2 of 10 and so on..
>
> >It is succeeding some times and failing other times. It needs to hit 10
> >consecutive timeouts before SpamAssassin network checks are disabled. 20
> >consecutive timeouts (including the above 10) will cause SpamAssassin to be
> >disabled altogether. Even if it keeps failing, it's usually due to network
> >checks which is why the behaviour is slightly cleverer than the simple
> >configuration option suggests.
>
>So is it safe to say that while SpamAssassin is timing out 1 of 10 the
>message is automatically accepted and allowed through? I suppose one
>might expect that if it failed, it should fail closed instead of open.
>
>I'm puzzled by this problem...because NO SPAM gets through my
>MailScanner instance EXCEPT for SpamAssassin timeouts. Would it be
>possible to make this queue and rescan later? Or at least to make this
>configurable? I know there will be a venerable uprising about holding
>mail that is not able to be processed...but I want to stop these from
>getting through...
>
>It seems we have created an environment, where if the network checks
>timing out can allow false positives to be processed and allowed
>through, that fooling SpamAssassin and MailScanner would be as easy as
>making network checks unavailable. Then all messages would time-out and
>be accepted by the instance, thus forwarded on to the end MUA.

And you want all mail blocked because one blacklist RBL is not available?
Sounds like a very straightforward DoS attack to me.

I think it should fail open and not closed. False negatives are a lot less
of a problem than false positives.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 6 23:07:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: Maximum Scanned Message Size
In-Reply-To:
References: <5.2.0.9.2.20030930110740.04534638@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040106230616.02da9e08@imap.ecs.soton.ac.uk>

At 21:20 06/01/2004, you wrote:

>Is there a setting, probably is but I'm having trouble finding it right now,
>where I can set the maximum size for a message to be scanned. ie. if the
>message is larger than 64k it would just pass through the scanner to the
>recipient without being scanned? If such a setting exists, can there be 2
>settings? one for virus scanning and the other for SPAM?
>
>SPAM is generally a small email, whereas I would like to have everything
>scanned for virii... I think bypassing spam scans on larger files will have
>a significant improvement on my server load...

The only size-dependent thing in the spam scanning is the SpamAssassin
tests, and there is already a configuration option to set the maximum size
of the data passed to SpamAssassin.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 6 23:07:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: Blacklist question, please
In-Reply-To: <000b01c3d49b$b0f261c0$6f01a8c0@cnpapers.net>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk> <000b01c3d49b$b0f261c0$6f01a8c0@cnpapers.net>
Message-ID: <6.0.1.1.2.20040106230716.03fa1558@imap.ecs.soton.ac.uk>

At 21:26 06/01/2004, you wrote:
>I get a lot of spam from a varying domain name which usually takes the form
>of:
>
>blahblah@stderr.blahblah.com
>
>(blah represents the varying part)
>
>Is a blacklist entry of the form below valid, and if not, how would someone
>suggest I write it:
>
>From: *@stderr.* yes

That should work.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 6 23:09:06 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: Problem with Virus Update
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B10E@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B10E@tormail2.algorithmics.com>
Message-ID: <6.0.1.1.2.20040106230802.03fa42b8@imap.ecs.soton.ac.uk>

At 22:07 06/01/2004, you wrote:
>and solution.
>
># ./update_virus_scanners
>./update_virus_scanners: /opt/MailScanner/lib/drweb-wrapper: Permission
>denied
># chmod +x /opt/MailScanner/lib/drweb-wrapper
># ./update_virus_scanners
>#
>
>MailScanner 4.25-14 from a tarball install.
>
>What is the drweb-wrapper script for, I use ClamAV and SophosSAVI?

Funnily enough, the drweb-wrapper script is for the DrWeb virus scanner. update_virus_scanners calls all the -wrapper scripts to find out what is installed, so it knows which to try to update.

Apologies for the permissions mistake.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040106/dabb93de/attachment.html

From mailscanner at BARENDSE.TO Wed Jan 7 05:06:08 2004
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:21:44 2006
Subject: Spam learning whitelist?
Message-ID:

Hi!

I have created 2 mailboxes for spam and nonspam training as described on the MS page.

Was just wondering, should I whitelist mail to these addresses to prevent MailScanner from stripping them from html and stuff? (I let MS strip all html of even low scoring spam).

Also I have set up some honeypots that forward all mail to the spam address (like info@ and sales@) and I don't want to get any spams to those addresses delivered to the postmaster mailbox (if they score too high I use delete forward as high scoring spam actions).

Thanks for any input!

Remco

From mkettler at EVI-INC.COM Tue Jan 6 22:42:04 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:44 2006
Subject: Maximum Scanned Message Size
In-Reply-To:
References: <5.2.0.9.2.20030930110740.04534638@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040106174037.02394f60@xanadu.evi-inc.com>

At 04:20 PM 1/6/2004, Eric Sandquist wrote:
>Is there a setting, probably is but I'm having trouble finding it right now,
>where I can set the maximum size for a message to be scanned. ie. if the
>message is larger than 64k it would just pass through the scanner to the
>recipient without being scanned? If such a setting exists, can there be 2
>settings? one for virus scanning and the other for SPAM?

I don't think there's a way to exempt messages from virus scanning based on size, that sounds like a severely bad idea anyway.

Spam scanning can be bypassed based on size with:

Max SpamAssassin Size = 100000

in mailscanner.conf

From peter at UCGBOOK.COM Tue Jan 6 22:55:32 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:44 2006
Subject: Problem with Virus Update
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B10E@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B10E@tormail2.algorithmics.com>
Message-ID: <3FFB3CE4.9020001@ucgbook.com>

I mentioned this to Julian so he has fixed it in the beta. The next stable will not have this minor problem. The fix is as simple as you wrote yourself.

The update_virus_scanners script looks for all supported scanners regardless if you have them or not. It's the parent script for all the wrappers running the actual scanners of which DrWeb is one. You don't have it so it should just exit quietly but since it can't be executed you get an error.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Derek Winkler wrote:
>
> and solution.
>
> # ./update_virus_scanners
> ./update_virus_scanners: /opt/MailScanner/lib/drweb-wrapper: Permission
> denied
> # chmod +x /opt/MailScanner/lib/drweb-wrapper
> # ./update_virus_scanners
> #
>
> MailScanner 4.25-14 from a tarball install.
>
> What is the drweb-wrapper script for, I use ClamAV and SophosSAVI?

From dpowell at LSSI.NET Tue Jan 6 23:05:51 2004
From: dpowell at LSSI.NET (Darrin)
Date: Thu Jan 12 21:21:44 2006
Subject: spam bayes giving negative score
Message-ID: <1073430351.1302.4820.camel@powell>

I have been getting a lot of the same type of spam and am unable to teach bayes. I have been using sa-learn for these messages, but it has no effect on the scoring. The scoring is always in the negative?

scoring example:

LSSI-SpamCheck: not spam, SpamAssassin (score=-0.804, required 6, BAYES_30 -0.90, HTML_MESSAGE 0.10)

header:
From: Gross Kim
To: dpowell@lssi.net
Subject: Re: XQQY, he had been
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [2005hosting.comIP]
Date: Wed, 07 Jan 2004 03:48:58 +0500
Reply-To: Kim Gross
Content-Type: multipart/alternative; boundary="--ALT--ETBG38679759672171"
Message-Id:
X-LssiCorp-EmailScanner-Information: Please contact the ISP for more information
LSSI-EmailScanner: No virus found
LSSI-SpamCheck: not spam, SpamAssassin (score=-0.804, required 6, BAYES_30 -0.90, HTML_MESSAGE 0.10)
X-Evolution-Source: imap://dpowell@www.lssi.net/
Return-Path:
Received: from cm170-115.liwest.at (cm170-115.liwest.at [81.10.170.115]) by www.lssi.net (8.11.6/8.11.6) with SMTP id i06Mo9L15594 for ; Tue, 6 Jan 2004 17:50:09 -0500
Received: from [81.10.170.115] by 2005hosting.comIP with HTTP; Tue, 06 Jan 2004 15:50:58 -0700

message:

Banned CD! Government don't want me to sell it. See Now @ [image]

panhandle age wisp koppers astound wheedle alberta diagram rutherford briefcase precess emolument catherwood flatbed aldrich beater skim bespectacled beset vertigo captor hijinks embroidery proof significant hybrid cupboard mound cliffhang pizzicato ethnography chisel exorbitant siegmund behave admiration classification lectern accountant strict typography costume alliance recluse stinky pronto til approval drapery geophysics cramp photography coincident interrupt fore tango technocratic deaconess elution capacitive ginsberg psyche orono shone baden castro matrix preparatory bandwidth fadeout bungalow coarsen glorious worrisome presentational indochinese metaphor jensen solecism compile feather assess amber ectoderm biometry attribution ivanhoe vault eeoc christensen togo workshop ringside inferior ambrose quarry curia ampere augustus afterlife confirmation galapagos deferral intoxicant desolate sirius sovkhoz denudation bare chordal tommy maladaptive dream guidebook jolly vintner cancer plane brindle curve restrict storehouse carriage catawba vinson aftereffect cohesive cried earthy decree mitral sterno heavy obedient morley operate bistate inappreciable system davies ridden whistleable tailor holmium declarative mackenzie ahoy gregory idempotent

Can someone help me understand what is happening here?

Thanks in advance

--
Darrin Powell
LSSi Corp
(919) 466-6803
www.lssi.net/~dpowell

From splee at PLEXIO.COM Wed Jan 7 00:01:56 2004
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:21:44 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14
In-Reply-To: <1073319970.8598.194.camel@ralph.plexio.private>
References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> <1073233440.8598.164.camel@ralph.plexio.private> <1073319970.8598.194.camel@ralph.plexio.private>
Message-ID: <1073433715.8607.378.camel@ralph.plexio.private>

I noticed that sweep is called as follows:

/usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -loopback
--no-follow-symlinks --no-reset-atime -TNEF .

Note that the "ss" switch is not prefaced with "-". Is this a syntax error and does it make a difference as to whether sweep will scan the message?

Stephen

On Mon, 2004-01-05 at 08:26, Stephen Lee wrote:
> Anything else I should check into?
>
> Thanks,
> Stephen
>
> On Sun, 2004-01-04 at 08:24, Stephen Lee wrote:
> > That was my first guess but the permissions suggest that it shouldn't be
> > the problem.
> >
> > drwxrwxr-- 5 exim exim 4096 Jan 4 08:12 exim/
> > drwxrwxr-- 4 exim exim 4096 Jan 4 08:12 exim_incoming/
> >
> > All subdirectories have the same permissions. I even su'd to exim and
> > was able to create/delete files in those directories. Setting them to
> > 777 made no difference. Here's a piece of the exim log:
> >
> > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs,
> > listening for SMTP on port 25 (IPv4)
> > 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C
> > /usr/local/etc/exim_outgoing.conf -q15m
> > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not
> > listening for SMTP
> > 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C
> > /usr/local/etc/exim_outgoing.conf -q
> > 2004-01-04 08:22:21 Start queue run: pid=22338
> > 2004-01-04 08:22:21 End queue run: pid=22338
> > 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args:
> > /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc
> > 1AdB0M-0005ni-Nz
> > 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not
> > found
> > 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster@ugw.united.private
> > U=exim P=local S=762
> >
> > Stephen
> >
> > On Sun, 2004-01-04 at 04:20, Julian Field wrote:
> > > Check the permissions on your Exim queue directories. For some reason it is
> > > failing to analyse the message at all.
> > >
> > > At 09:14 04/01/2004, you wrote:
> > > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos
> > > >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for
> > > >installing MS manually from a tar file and configured Exim to use
> > > >separate incoming and outgoing queues. Exim appears to receive incoming
> > > >messages and MS picks them up. The problem is that MS takes all messages
> > > >and marks them as infected and places them in quarantine. The following
> > > >message is generated:
> > > >
> > > >Jan 4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages,
> > > >1068 bytes
> > > >Jan 4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting
> > > >Jan 4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning:
> > > >Starting
> > > >Jan 4 00:45:27 ugw MailScanner[14308]: Saved entire message to
> > > >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62
> > > >Jan 4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned
> > > >messages
> > > >Jan 4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages
> > > >
> > > >The warning message contains:
> > > >
> > > >Received: from exim by ugw.united.private with local (Exim 4.24)
> > > > id 1Ad3t1-0003ix-R3
> > > > for postmaster@ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800
> > > >From: "MailScanner-UGW"
> > > >To: postmaster@ugw.united.private
> > > >Subject: Warning: E-mail viruses detected
> > > >Message-Id:
> > > >Date: Sun, 04 Jan 2004 00:45:27 -0800
> > > >
> > > >The following e-mail messages were found to have viruses in them:
> > > >
> > > > Sender: postmaster@ugw.united.private
> > > >IP Address: 127.0.0.1
> > > > Recipient: postmaster@ugw.united.private
> > > > Subject: Warning: E-mail viruses detected
> > > > MessageID: 1Ad3lV-0003hp-62
> > > > Report: MailScanner: Could not analyze message
> > > >
> > > >--
> > > >MailScanner
> > > >Email Virus Scanner
> > > >www.mailscanner.info
> > > >
> > > >Each warning message spawns another warning message and in short order
> > > >the quarantine directory fills-up.
> > > >
> > > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos"
> > > >is set and sweep is not active when set to "Virus Scanners = none".
> > > >However, in both cases the same warning message (ie. detected virus) is
> > > >generated.
> > > >
> > > >Here are some of the pertinent settings in
> > > >/opt/MailScanner/etc/MailScanner.conf:
> > > >
> > > >Run As User = exim
> > > >Run As Group = exim
> > > >Incoming Queue Dir = /var/spool/exim_incoming/input
> > > >Outgoing Queue Dir = /var/spool/exim/input
> > > >Quarantine Dir = /var/spool/MailScanner/quarantine
> > > >MTA = exim
> > > >Sendmail = /usr/local/bin/exim
> > > >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf
> > > >Virus Scanners = sophos
> > > >Quarantine Infections = yes
> > > >Quarantine Whole Message = yes
> > > >Quarantine Whole Messages As Queue Files = no
> > > >Spam Checks = yes
> > > >Use SpamAssassin = no
> > > >Split Exim Spool = no
> > > >
> > > >/etc/sysconfig/MailScanner looks like this:
> > > >
> > > >MTA=exim
> > > >EXIM=/usr/local/bin/exim
> > > >EXIMINCF=/usr/local/etc/exim.conf # Incoming configuration file
> > > >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf # Outgoing configuration
> > > >file
> > > >
> > > >The following perl modules were downloaded, compiled and installed with
> > > >no issues:
> > > >
> > > >Convert-TNEF-0.17
> > > >File-Spec-0.82
> > > >File-Temp-0.14
> > > >HTML-Parser-3.26
> > > >HTML-Tagset-3.03
> > > >IO-stringy-2.108
> > > >MIME-Base64-2.12
> > > >MIME-tools-5.411 (patched version)
> > > >MailTools-1.50
> > > >Net-CIDR-0.09
> > > >
> > > >Any suggestions on what next or diagnostics you need?
> > > >
> > > >Thanks and Happy New Year!
> > > >Stephen
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From splee at PLEXIO.COM Wed Jan 7 00:19:41 2004
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:21:44 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14
In-Reply-To: <1073433715.8607.378.camel@ralph.plexio.private>
References: <1073207698.8778.151.camel@ralph.plexio.private> <6.0.1.1.2.20040104121911.03fc8c10@imap.ecs.soton.ac.uk> <1073233440.8598.164.camel@ralph.plexio.private> <1073319970.8598.194.camel@ralph.plexio.private> <1073433715.8607.378.camel@ralph.plexio.private>
Message-ID: <1073434781.8778.384.camel@ralph.plexio.private>

I should also add that the sweep process below is from "ps -axww". The strange part is that according to SweepViruses.pm:

  sophos => {
    Name => 'Sophos',
    Lock => 'SophosBusy.lock',
    # In next line, '-ss' makes it work nice and quietly
    CommonOptions => '-sc -f -all -rec -ss -archive -loopback ' .
                     '--no-follow-symlinks --no-reset-atime -TNEF',

sweep is called with "-ss". What's changing "-ss" to "ss"?

Stephen

On Tue, 2004-01-06 at 16:01, Stephen Lee wrote:
> I noticed that sweep is called as follows:
>
> /usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -loopback
> --no-follow-symlinks --no-reset-atime -TNEF .
>
> Note that the "ss" switch is not prefaced with "-". Is this a syntax
> error and does it make a difference as to whether sweep will scan the
> message?
>
> Stephen
>
>
> On Mon, 2004-01-05 at 08:26, Stephen Lee wrote:
> > Anything else I should check into?
> >
> > Thanks,
> > Stephen
> >

From kevins at BMRB.CO.UK Wed Jan 7 00:32:18 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:44 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21919@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21919@pascal.priv.bmrb.co.uk>
Message-ID: <1073435539.17522.36.camel@bach.kevinspicer.co.uk>

On Wed, 2004-01-07 at 00:01, Stephen Lee wrote:
>Note that the "ss" switch is not prefaced with "-". Is this a syntax
>error and does it make a difference as to whether sweep will scan the
>message?

That seems a reasonable assumption (although I don't claim to know the answer). If you think the problem might be with the way sweep is being called have you tried a different scanner? Maybe install clam (it makes a good second scanner anyway) and just use clam for a while. Alternatively you could try building the SAVI module for sophos instead of calling sweep directly.

From steve.douglas at SBIINCORPORATED.COM Wed Jan 7 00:46:18 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF395C@mail.gardenbotanika.com>

I have my /etc/MailScanner/spam.assassin.prefs.conf logically linked to /etc/mail/spamassassin/local.cf. I issue the following:

"spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf"

My output is as follows:

debug: bayes: DB_File module not installed, cannot use Bayes
debug: Score set 1 chosen.
debug: Initialising learner
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200

The only item that I know is working is the "/var/spool/spamassassin/auto-whitelist" as I have it redirected to this path via the spam.assassin.prefs.conf file.

Any suggestions are appreciated. Since I upgraded via Perl to SpamAssassin 2.61 and then MS my SA is no longer doing Bayes. I am out of ideas.

My system is configured with RH9, HP PIV, Mirrored IDE 80gb, 1536mb RAM, running spamassassin 2.61 with MailScanner 4.25-14.

Thank you
sd

From mkettler at EVI-INC.COM Wed Jan 7 00:58:57 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF395C@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF395C@mail.gardenbotanika.com>
Message-ID: <6.0.0.22.0.20040106195435.024088c8@xanadu.evi-inc.com>

As per SA's output, you don't have DB_File support installed in your copy of perl. Since SA 2.6x uses standard database files for bayes, instead of its own custom code, you need this module for bayes to work.

So, install the DB_File perl module. It's available as an RPM in most redhat distros, and it's probably in CPAN too.

You may also need to install Berkeley DB support.

At 07:46 PM 1/6/2004, Steve Douglas wrote:
>debug: bayes: DB_File module not installed, cannot use Bayes

From raymond at PROLOCATION.NET Wed Jan 7 00:57:14 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF395C@mail.gardenbotanika.com>
Message-ID:

Hi!

> debug: bayes: DB_File module not installed, cannot use Bayes
> debug: Score set 1 chosen.
> debug: Initialising learner
> debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200

> Any suggestions are appreciated. Since I upgraded via Perl to SpamAssassin
> 2.61 and then MS my SA is no longer doing Bayes. I am out of ideas.

As it tells, install DB_File

perl -MCPAN -e shell
install DB_File

They moved to another DB format...

Bye,
Raymond.

From kevins at BMRB.CO.UK Wed Jan 7 00:57:44 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C2191C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C2191C@pascal.priv.bmrb.co.uk>
Message-ID: <1073437065.17522.41.camel@bach.kevinspicer.co.uk>

On Wed, 2004-01-07 at 00:46, Steve Douglas wrote:
> debug: bayes: DB_File module not installed, cannot use Bayes

You need to install the perl-DB_File rpm (SA recently changed their database support policy). See the notes here http://eu.spamassassin.org/full/2.6x/dist/INSTALL (most important is that the user mailscanner runs as will need to run sa-learn --import in order to convert the old bayes databases)

From raymond at PROLOCATION.NET Wed Jan 7 00:59:27 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
In-Reply-To: <6.0.0.22.0.20040106195435.024088c8@xanadu.evi-inc.com>
Message-ID:

Hi!

> So, install the DB_File perl module. It's available as an RPM in most
> redhat distros, and it's probably in CPAN too.
>
> You may also need to install Berkeley DB support.

In CPAN there is a newer version listed than the one in the RPM. DB_File-1.807 is in CPAN, the RH one is 1.804

Bye,
Raymond.

From james at GRAYONLINE.ID.AU Wed Jan 7 02:43:17 2004
From: james at GRAYONLINE.ID.AU (James Gray)
Date: Thu Jan 12 21:21:44 2006
Subject: Custom SpamAssassin Rules....finally :)
Message-ID:

Hi All,

Not sure if my last message made it to the list so I'm resending via the web interface to the list. Apologies in advance if this is a duplication.

I've finally got around to organising my customised SpamAssassin rules and some other useful stuff for MailScanner. The rest of the info is here: http://files.grayonline.id.au/ - there is a tar ball with 1100+ custom rules and other info etc. Knock yourselves out :)

--James

From kfliong at WOFS.COM Wed Jan 7 03:55:18 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:44 2006
Subject: spamassassin timeout
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040107115120.02e156e0@192.168.10.2>

I am sorry if I am posting this question for the second time as I have not found any answer yet. So...here goes.

I am getting this error:

Jan 7 11:45:07 ensim MailScanner[19608]: SpamAssassin timed out and was killed, consecutive failure 1 of 20

I have set the timeout of spamassassin to 60 and I am still getting this failure. Changing to 90 would only make the time out error come out less often but that would only make my queues grow bigger. So, anyone have any way of solving this besides making the timeout higher?

Thanks in advance.

From james at grayonline.id.au Wed Jan 7 05:12:52 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:44 2006
Subject: spamassassin timeout
In-Reply-To: <6.0.0.22.0.20040107115120.02e156e0@192.168.10.2>
References: <6.0.0.22.0.20040107115120.02e156e0@192.168.10.2>
Message-ID: <200401071612.52894.james@grayonline.id.au>

On Wed, 7 Jan 2004 02:55 pm, kfliong wrote:
> I am sorry if I am posting this question for the second time as I have
> not found any answer yet. So...here goes.
>
> I am getting this error:
>
> Jan 7 11:45:07 ensim MailScanner[19608]: SpamAssassin timed out and was
> killed, consecutive failure 1 of 20
>
>
> I have set the timeout of spamassassin to 60 and I am still getting this
> failure. Changing to 90 would only make the time out error come out less
> often but that would only make my queues grow bigger. So, anyone have
> any way of solving this besides making the timeout higher?
>
> Thanks in advance.

This is usually the result of 2 things:
1. Insufficient CPU power (or your box is too busy with other "stuff")
2. The network tests are taking too long (DNS blacklists etc).

It could be either or both. You determine which one it is by simply turning off all the network tests and seeing if the error goes away. If it does, then your problem is the network tests; try to reduce the number of tests you're doing or look into your network config to make sure there isn't anything amiss (like DNS/resolver config).

If the problem goes away when you turn off the network tests, then it's the CPU; either reduce the load on the system to make more resources available to MailScanner/SpamAssassin, or look at upgrading your hardware.

Cheers,

James
--
Fortune cookies says:
"Turn on, tune up, rock out."
-- Billy Gibbons

From mailscanner at ecs.soton.ac.uk Wed Jan 7 08:40:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: Custom SpamAssassin Rules....finally :)
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040107084016.035a4760@imap.ecs.soton.ac.uk>

Please can you change your colour scheme. I can't read black on very dark blue :-(
And even better, the links appear in dark blue on dark blue...

At 02:43 07/01/2004, you wrote:
>Hi All,
>
>Not sure if my last message made it to the list so I'm resending via the web
>interface to the list. Apologies in advance if this is a duplication.
>
>I've finally got around to organising my customised SpamAssassin rules and
>some other useful stuff for MailScanner. The rest of the info is here:
>http://files.grayonline.id.au/ - there is a tar ball with 1100+ custom
>rules and other info etc. Knock yourselves out :)
>
>--James

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at LBSLTD.CO.UK Wed Jan 7 09:31:39 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:44 2006
Subject: spamassassin timeout
Message-ID: <67D9E7698329D411936E00508B6590B902773D97@neelix.lbsltd.co.uk>

Hello,

Why not try running something like:

spamassassin -D rbl=-3 -p /etc/MailScanner/spam.assassin.prefs.conf -t < message

Where 'message' is a file from your spam quarantine directory (should be something like /var/spool/MailScanner/quarantine/<>/spam/<>).

You can then see if it 'hangs' in any particular place - this will show you if bayes, rbl checks, dns or something else is causing your delays.

You also don't mention how many and how often you are getting the timeouts in relation to the number of messages you process daily - for example I processed 1912 messages on one of my gateways yesterday with only one timeout in my logs (0.05%).

Hope this helps.

Kind regards,
Steve.

-----Original Message-----
From: kfliong [mailto:kfliong@WOFS.COM]
Sent: 07 January 2004 03:55
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spamassassin timeout

I am sorry if I am posting this question for the second time as I have not found any answer yet. So...here goes.

I am getting this error:

Jan 7 11:45:07 ensim MailScanner[19608]: SpamAssassin timed out and was killed, consecutive failure 1 of 20

I have set the timeout of spamassassin to 60 and I am still getting this failure. Changing to 90 would only make the time out error come out less often but that would only make my queues grow bigger. So, anyone have any way of solving this besides making the timeout higher?

Thanks in advance.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From james at grayonline.id.au Wed Jan 7 10:35:23 2004
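Added example (not part of any post in this thread, and not MailScanner code): Steve Freegard's check of timeouts relative to messages processed, combined with the 10 and 20 consecutive-timeout thresholds Julian Field describes, run over syslog lines in the two formats quoted above. The 1% alert rate, the grouping by process ID and the sample lines are assumptions made for this illustration.

```python
"""Summarise SpamAssassin timeouts in a MailScanner syslog extract."""
import re

# The two syslog message formats quoted in the thread.
BATCH_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: New Batch: Scanning (?P<msgs>\d+) messages, \d+ bytes")
TIMEOUT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed, "
    r"consecutive failure (?P<n>\d+) of \d+")

# Thresholds as described in the thread: 10 consecutive timeouts switch off the
# network checks, 20 (including those 10) switch off SpamAssassin altogether.
NET_CHECKS_OFF = 10
SPAMASSASSIN_OFF = 20


def state_for(streak, net_off=NET_CHECKS_OFF, sa_off=SPAMASSASSIN_OFF):
    """Map a logged consecutive-failure count to the scanning state it implies."""
    if streak >= sa_off:
        return "spamassassin-disabled"
    if streak >= net_off:
        return "network-checks-disabled"
    return "timeouts-seen" if streak else "ok"


def summarise(lines, rate_alert=0.01):
    """Return totals, per-process peak streaks and alert strings.

    rate_alert (1%) is an assumed alerting threshold, not a MailScanner setting.
    Processes are told apart by the PID in the syslog tag (an assumption).
    """
    messages = timeouts = 0
    peak = {}
    for line in lines:
        batch = BATCH_RE.search(line)
        if batch:
            messages += int(batch["msgs"])
            peak.setdefault(batch["pid"], 0)
            continue
        hit = TIMEOUT_RE.search(line)
        if hit:
            timeouts += 1
            pid = hit["pid"]
            # The counter in the log line is the streak; keep the highest seen.
            peak[pid] = max(peak.get(pid, 0), int(hit["n"]))
    rate = timeouts / messages if messages else 0.0
    per_pid = {pid: {"peak_streak": n, "state": state_for(n)}
               for pid, n in peak.items()}
    alerts = [f"pid {pid}: {info['state']} after {info['peak_streak']} consecutive timeouts"
              for pid, info in per_pid.items()
              if info["peak_streak"] >= NET_CHECKS_OFF]
    if rate > rate_alert:
        alerts.append(f"timeout rate {rate:.1%} is above {rate_alert:.1%}")
    return {"messages": messages, "timeouts": timeouts, "rate": rate,
            "per_pid": per_pid, "alerts": alerts}


def constructed_sample():
    """Constructed log lines (not real data) in the formats quoted in the thread."""
    tag = "Jan  7 11:45:07 ensim MailScanner"
    timed_out = "SpamAssassin timed out and was killed, consecutive failure"
    lines = [
        f"{tag}[19608]: New Batch: Scanning 30 messages, 81234 bytes",
        f"{tag}[19608]: {timed_out} 1 of 20",
        f"{tag}[19608]: New Batch: Scanning 25 messages, 60211 bytes",
        f"{tag}[19608]: {timed_out} 1 of 20",   # counter was reset by a success
        f"{tag}[19611]: New Batch: Scanning 10 messages, 20480 bytes",
    ]
    # One process hitting ten timeouts in a row, e.g. during a DNS outage.
    lines += [f"{tag}[19611]: {timed_out} {n} of 20" for n in range(1, 11)]
    return lines


if __name__ == "__main__":
    report = summarise(constructed_sample())
    print(f"{report['timeouts']} timeouts in {report['messages']} messages "
          f"({report['rate']:.1%})")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

Because timed-out messages are delivered unscanned (the fail-open behaviour discussed earlier in the thread), a sustained streak is worth alerting on rather than only raising the timeout.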
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:44 2006
Subject: Custom SpamAssassin Rules....finally :)
In-Reply-To: <6.0.1.1.2.20040107084016.035a4760@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040107084016.035a4760@imap.ecs.soton.ac.uk>
Message-ID: <200401072135.23628.james@grayonline.id.au>

On Wed, 7 Jan 2004 07:40 pm, Julian Field wrote:
> Please can you change your colour scheme. I can't read black on very dark
> blue :-(
> And even better, the links appear in dark blue on dark blue...
>
> At 02:43 07/01/2004, you wrote:
> >Hi All,
> >
> >Not sure if my last message made it to the list so I'm resending via the
> > web interface to the list. Apologies in advance if this is a
> > duplication.
> >
> >I've finally got around to organising my customised SpamAssassin rules
> > and some other useful stuff for MailScanner. The rest of the info is
> > here: http://files.grayonline.id.au/ - there is a tar ball with 1100+
> > custom rules and other info etc. Knock yourselves out :)
> >
> >--James
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Unless you are over-riding the default for the page it should be:

What browser are you using?? I've tested that page with:
Mozilla 1.5
IE 5.5 and 6
Phoenix (?? version, but recent)
Konqueror 3.1.4

...and they all display the page as expected (black text with dark blue links on a light gray background)....this is very strange :-/

James
--
Fortune cookies says:
Politics and the fate of mankind are formed by men without ideals and without greatness. Those who have greatness within them do not go in for politics.
-- Albert Camus

From james at grayonline.id.au Wed Jan 7 10:44:43 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:44 2006
Subject: Custom SpamAssassin Rules....finally :)
In-Reply-To: <6.0.1.1.2.20040107084016.035a4760@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040107084016.035a4760@imap.ecs.soton.ac.uk>
Message-ID: <200401072144.43132.james@grayonline.id.au>

On Wed, 7 Jan 2004 07:40 pm, Julian Field wrote:
> Please can you change your colour scheme. I can't read black on very dark
> blue :-(
> And even better, the links appear in dark blue on dark blue...
>
> At 02:43 07/01/2004, you wrote:
> >Hi All,
> >
> >Not sure if my last message made it to the list so I'm resending via the
> > web interface to the list. Apologies in advance if this is a
> > duplication.
> >
> >I've finally got around to organising my customised SpamAssassin rules
> > and some other useful stuff for MailScanner. The rest of the info is
> > here: http://files.grayonline.id.au/ - there is a tar ball with 1100+
> > custom rules and other info etc. Knock yourselves out :)
> >
> >--James
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

OK - I've redone the page with hex values for the colours instead of their "names". Apologies to anyone who was having trouble - I'm still interested to know which browser you had trouble with though (Browsers+version and underlying OS would be useful).

Thanks for the heads-up from Peter Nitschke to use hex values :)

James
--
Fortune cookies says:
Do not meddle in the affairs of troff, for it is subtle and quick to anger.

From mailing-oit at tttech.com Wed Jan 7 14:13:54 2004
From: mailing-oit at tttech.com (Christoph Resch) Date: Thu Jan 12 21:21:44 2006 Subject: ~ Mailscanner wont run spamassassin ? ~ In-Reply-To: <200312210300.55551.mailing-oit@tttech.com> References: <200312210300.55551.mailing-oit@tttech.com> Message-ID: <200401071513.54280.mailing-oit@tttech.com> Hi I fixed this by CPAN-update spamassassin thanks 4 support -c- From jaearick at COLBY.EDU Wed Jan 7 16:16:41 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:44 2006
Subject: blocking vs scoring (from SANS)
Message-ID:

Gang,

This was an article in the weekly SANS newsletter (www.sans.org) on the issue of using DNSBL's to block (ie sendmail) versus spam scoring (SpamAssassin). Interesting points. I've always been in the "block 'em with sendmail, 500 error" camp, but I'm rethinking. Of course MailScanner makes retooling easy...

Jeff Earickson
Colby College

--Spam Filters In An Operational Environment
Analysis by Stephen Northcutt

In SANS/GIAC status report #17, (http://www.sans.org/newsletters/statusupdates/17.php ) I editorialized that using research grade spam filters in an operational production environment could be a bad idea. I am sticking to my guns, it appears that Security Focus was blacklisted twice in the past 10 days; the lack of a whitelist for known leaders during Internet crises is reckless. Without such a safety mechanism, it would be simple for an attacker to blacklist, CERT, SANS/dshield/Internet Storm Center, SecurityFocus, Department of Homeland Security, NIPC just before releasing an attack.

A number of people have written with comments on the editorial ranging from "Right on" to "SANS loves Spam". But the most well written/well reasoned comment was from Charles Oriez and is shown below:

There are several ways to properly manage the use of a Spamcop-like dnsbl in such a fashion as to protect your resources while at the same time limiting the damage from false positives. I have been using Spamcop on client systems for years with few false positives and few problems, in part because of the effective safeguards that we put in place.

For an automated list such as Spamcop where false positives tend to disappear quickly, consider refusing the connection with a 400 series transient failure message rather than a 500 series permanent failure message.
True Spam sources seldom disappear from the Spamcop list before the sending server gives up, but false positives almost always will. Also, during that window of time, the alert systems administrator, who should be monitoring system logs for this and other problems anyway, can step in to white list an appropriate CIDR (65.173.218.0/24 in the case of SANS) fairly quickly. The 400 series error being returned at that point would then have cleared up and the mail would have been delivered.

You can also use Spamcop and any of the other 500 plus dnsbls in a fashion other than as a binary accept/reject decision point. Spam Assassin[tm], for instance, uses a scoring system based in part on the appearance of the originating IPA in Spamcop and other dnsbls, to determine the likelihood that a particular email is spam. Score high enough, and the suspect email is diverted to a separate mailbox for further review. The system can be adjusted in numerous ways to reduce the risk of false positives, and since mail is merely diverted instead of deleted, important missing emails can still be accessed by the end user.

From splee at PLEXIO.COM Wed Jan 7 16:35:23 2004
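The policy Charles Oriez describes in the SANS commentary quoted in Jeff Earickson's message above, worked through as an added example (not code from the article, the list or MailScanner): allow-list first, then a 4xx deferral, a 5xx rejection or a score for a DNSBL-listed client, replayed across a sender's retries. The function names, reply texts, the 3.0 score, the fail-open choice on lookup errors and the two sample client addresses are assumptions; the CIDR is the one quoted in the article.

```python
import ipaddress
from collections import namedtuple

Decision = namedtuple("Decision", "code text score")

# Networks that are never refused. The CIDR is the one quoted in the article.
ALLOW_LIST = [ipaddress.ip_network("65.173.218.0/24")]
# By convention a DNSBL answers with an address in 127.0.0.0/8 for a listed client.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Name to look up for an IPv4 client: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_allow_listed(client_ip, allow_list=ALLOW_LIST):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allow_list)


def smtp_decision(client_ip, zone, resolver, mode="tempfail", points=3.0):
    """Decide the reply to a connecting client.

    resolver(name) returns a list of A-record strings (empty when the name
    does not exist) and raises TimeoutError when the lookup itself fails.
    mode: "reject" (5xx), "tempfail" (4xx) or "score" (accept, add points).
    """
    if mode not in ("reject", "tempfail", "score"):
        raise ValueError("unknown mode: %r" % mode)
    if is_allow_listed(client_ip):
        return Decision(250, "allow-listed", 0.0)
    try:
        answers = resolver(dnsbl_query_name(client_ip, zone))
    except TimeoutError:
        # Assumption: a broken blocklist must not stop mail, so fail open.
        return Decision(250, "lookup failed, not refusing", 0.0)
    if not any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
        return Decision(250, "not listed", 0.0)
    if mode == "reject":
        return Decision(554, "rejected, %s found in %s" % (client_ip, zone), 0.0)
    if mode == "tempfail":
        return Decision(451, "deferred, %s found in %s" % (client_ip, zone), 0.0)
    return Decision(250, "listed in %s, scored" % zone, points)


def deliver_with_retries(client_ip, zone, listed_per_attempt, mode):
    """Replay a sending server's delivery attempts.

    listed_per_attempt holds, for each attempt, the set of IPs the DNSBL
    lists at that moment. Returns (outcome, attempt_number).
    """
    for attempt, listed in enumerate(listed_per_attempt, start=1):
        names = {dnsbl_query_name(ip, zone) for ip in listed}
        decision = smtp_decision(
            client_ip, zone,
            lambda name, names=names: ["127.0.0.2"] if name in names else [],
            mode)
        if decision.code == 250:
            return ("delivered", attempt)
        if decision.code >= 500:
            return ("bounced", attempt)  # permanent failure, sender stops
    return ("sender gave up", len(listed_per_attempt))


if __name__ == "__main__":
    zone = "bl.spamcop.net"
    false_positive = "192.0.2.10"  # constructed: legitimate host, briefly listed
    spam_source = "198.51.100.7"   # constructed: stays listed throughout
    timeline = [{false_positive, spam_source}, {spam_source}, {spam_source}]
    for ip in (false_positive, spam_source):
        for mode in ("reject", "tempfail"):
            print(ip, mode, deliver_with_retries(ip, zone, timeline, mode))
```

With the 4xx policy the briefly listed host is delivered on its second attempt while the persistent source never gets through; with the 5xx policy both are refused on the first attempt.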
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:21:44 2006
Subject: All messages quarantined on Trustix 2.0/MS 4.25-14 - Solved!
In-Reply-To: <1073435539.17522.36.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21919@pascal.priv.bmrb.co.uk> <1073435539.17522.36.camel@bach.kevinspicer.co.uk>
Message-ID: <1073493323.9362.504.camel@ralph.plexio.private>

On Tue, 2004-01-06 at 16:32, Kevin Spicer wrote:
> On Wed, 2004-01-07 at 00:01, Stephen Lee wrote:
>
> >Note that the "ss" switch is not prefaced with "-". Is this a syntax
> >error and does it make a difference as to whether sweep will scan the
> >message?
>
> That seems a reasonable assumption (although I don't claim to know the
> answer). If you think the problem might be with the way sweep is being
> called have you tried a different scanner? Maybe install clam (it makes
> a good second scanner anyway) and just use clam for a while.
> Alternatively you could try building the SAVI module for sophos instead
> of calling sweep directly.

Thanks for the suggestion. I tried the SAVI module but that didn't work initially. It turns out that all of the perl modules required for MS were installed with root-only access. Once I changed permissions to allow exim access to the modules everything worked!

I'd like to suggest a comment regarding perl module permissions be checked to be included with the instructions for installing the MS tarball.

Thanks,
Stephen

From anders.andersson at LTKALMAR.SE Wed Jan 7 16:46:39 2004
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:21:44 2006
Subject: OT: Sendmail and rbl
Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E7F9@lkl61.ltkalmar.se>

Hi folks and hope you had a good start on the new year.
I'm trying to add 2 rbls to my sendmail config by adding the following lines to sendmail.mc
I compared them to the one I used from easynet and they are the same except for the message part.

FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" found in dnsbl.sorbs.net"', `') dnl
FEATURE(`dnsbl', `dnsbl.njabl.org', `"Message from "$&{client_addr}" rejected - see http://njabl.org/"', `') dnl

After creating new sendmail.cf files I get the following error that I can't figure out why.

[root@ns2 root]# service MailScanner start
Starting MailScanner daemons:
 incoming sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 69: unknown configuration line "
 Cwlocalhost.localdomain"
[ OK ]
 outgoing sendmail: /etc/mail/sendmail.cf: line 69: unknown configuration line "
 Cwlocalhost.localdomain"
[ OK ]
 MailScanner: [ OK ]

All tips are welcome... since I need to block more crap before it enters our system

Kind regards

/Anders

From mailscanner at ecs.soton.ac.uk Wed Jan 7 16:54:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: OT: Sendmail and rbl
In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E7F9@lkl61.ltkalmar.se>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E7F9@lkl61.ltkalmar.se>
Message-ID: <6.0.1.1.2.20040107165314.041bb800@imap.ecs.soton.ac.uk>

At 16:46 07/01/2004, you wrote:
>Hi folks and hope you had a good start on the new year.
>I'm trying to add 2 rbls to my sendmail config by adding the following lines
>to sendmail.mc
>I compared them to the one I used from easynet and they are the same except for
>the message part.
>
>FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" found
>in dnsbl.sorbs.net"', `') dnl

When you close the quotes at the end of the rejection message, close the " and then the '
Not 100% sure that's what is causing the problem, but it should be corrected anyway.

>FEATURE(`dnsbl', `dnsbl.njabl.org', `"Message from "$&{client_addr}"
>rejected - see http://njabl.org/"', `') dnl
>
>After creating new sendmail.cf files I get the following error that I can't
>figure out why.
>[root@ns2 root]# service MailScanner start
>Starting MailScanner daemons:
> incoming sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 69:
>unknown configuration line "
> Cwlocalhost.localdomain"
>[ OK ]
> outgoing sendmail: /etc/mail/sendmail.cf: line 69: unknown
>configuration line "
> Cwlocalhost.localdomain"
>[ OK ]
> MailScanner: [ OK ]
>
>All tips are welcome... since I need to block more crap before it enters our
>system
>
>Kind regards
>
>/Anders

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Wed Jan 7 17:09:15 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:44 2006
Subject: does MS spam list increase SA score?
Message-ID:

Julian,

Dumb question, but if I have the "Spam List = " setting defined, eg:

Spam List = spamcop.net spamhaus.org CBL ORDB-RBL

then does a hit against each list add to the SA score somehow? It doesn't look like it. Can hits on these blocklists be used to raise the score, by way of definitions in spam.assassin.prefs.conf?

I've never really used this feature much before, so I'm a little puzzled as to what it actually does to a message. Make sure that it gets tagged with "{Spam?}"? Raise the SA score? I see that 4.25-14 has the "Spam Lists To Reach High Score" feature, but what else happens?

My setup: Sol 9, sendmail 8.12.10, MS 4.25-14, SA 2.61.

Jeff Earickson
Colby College

From mailscanner at ecs.soton.ac.uk Wed Jan 7 17:30:01 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:44 2006
Subject: does MS spam list increase SA score?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040107172723.04286508@imap.ecs.soton.ac.uk>

At 17:09 07/01/2004, you wrote:
>Julian,
>
> Dumb question, but if I have the "Spam List = " setting
>defined, eg:
>
>Spam List = spamcop.net spamhaus.org CBL ORDB-RBL
>
>then does a hit against each list add to the SA score somehow?
>It doesn't look like it.

Correct. It doesn't affect the SA score.

> Can hits on these blocklists be used
>to raise the score, by way of definitions in spam.assassin.prefs.conf?

You just need to change the scores of the SA rules that match against the RBLs you are interested in. Copy the relevant lines from 50_scores.cf (in your SA rules directory) into spam.assassin.prefs.conf and change the number. They are supplied with 4 numbers, but when changing them yourself you only really need to specify 1 number.

>I've never really used this feature much before, so I'm a little
>puzzled as to what it actually does to a message. Make sure that
>it gets tagged with "{Spam?}"?

Yes.

> Raise the SA score?

No.

> I see that 4.25-14
>has the "Spam Lists To Reach High Score" feature, but what else happens?

Nothing. The Spam Lists and SA are separate.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From anders.andersson at LTKALMAR.SE Wed Jan 7 17:33:49 2004
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:21:44 2006
Subject: SV: OT: Sendmail and rbl
Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E7FB@lkl61.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 7 January 2004 17:54
> At 16:46 07/01/2004, you wrote:
> >Hi folks and hope you had a good start on the new year.
> >I'm trying to add 2 rbls to my sendmail config by adding the following
> >lines to sendmail.mc I compared them to the one I used from easynet and
> >they are the same except for the message part.
> >
> >FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}"
> >found in dnsbl.sorbs.net"', `') dnl
>
> When you close the quotes at the end of the rejection
> message, close the " and then the ' Not 100% sure that's what
> is causing the problem, but it should be corrected anyway.

Yeah, I did some typo that I could see but copied from another source and mail are being blocked again :)
Still working on my ldap lookup for email-addresses but a hassle if you're as clever as me and have exchange to work against ;)

> >FEATURE(`dnsbl', `dnsbl.njabl.org', `"Message from "$&{client_addr}"
> >rejected - see http://njabl.org/"', `') dnl
> >
> >After creating new sendmail.cf files I get the following error that I
> >can't figure out why. [root@ns2 root]# service MailScanner start
> >Starting MailScanner daemons:
> > incoming sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 69:
> >unknown configuration line "
> > Cwlocalhost.localdomain"
> >[ OK ]
> > outgoing sendmail: /etc/mail/sendmail.cf: line 69: unknown
> >configuration line "
> > Cwlocalhost.localdomain"
> >[ OK ]
> > MailScanner: [ OK ]
> >
> >All tips are welcome... since I need to block more crap before it
> >enters our system
> >
> >Kind regards
> >
> >/Anders
>
> --
> Julian Field

From mike at CAMAROSS.NET Wed Jan 7 18:53:39 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:44 2006
Subject: Sendmail and rbl
In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E7F9@lkl61.ltkalmar.se>
Message-ID: <200401071852.i07Iqm9x026848@avwall.bladeware.com>

Here's how mine look:

FEATURE(enhdnsbl,`relays.ordb.org',`Rejected - see http://ordb.org/')dnl
FEATURE(enhdnsbl,`bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(enhdnsbl,`sbl.spamhaus.org')dnl
FEATURE(enhdnsbl,`xbl.spamhaus.org')dnl

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Anders Andersson, IT
Sent: Wednesday, January 07, 2004 10:47 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT: Sendmail and rbl

Hi folks and hope you had a good start on the new year.
I'm trying to add 2 rbls to my sendmail config by adding the following lines to sendmail.mc
I compared them to the one I used from easynet and they are the same except for the message part.

FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" found in dnsbl.sorbs.net"', `') dnl
FEATURE(`dnsbl', `dnsbl.njabl.org', `"Message from "$&{client_addr}" rejected - see http://njabl.org/"', `') dnl

After creating new sendmail.cf files I get the following error that I can't figure out why.

[root@ns2 root]# service MailScanner start
Starting MailScanner daemons:
 incoming sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 69: unknown configuration line "
 Cwlocalhost.localdomain"
[ OK ]
 outgoing sendmail: /etc/mail/sendmail.cf: line 69: unknown configuration line "
 Cwlocalhost.localdomain"
[ OK ]
 MailScanner: [ OK ]

All tips are welcome... since I need to block more crap before it enters our system

Kind regards

/Anders

From steve.douglas at SBIINCORPORATED.COM Wed Jan 7 21:57:49 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3968@mail.gardenbotanika.com>

I installed this, but now I am receiving the following:

debug: bayes: 15658 tie-ing to DB file R/O var/spool/spamassassin/bayes_toks
Cannot open bayes databases /var/spool/spamassassin/bayes_* R/O: tie failed: Inappropriate ioctl for device

Maybe it is me, but SA is a pain in the keaster!

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
Sent: Tuesday, January 06, 2004 6:59 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SA unable to locate the db_module

As per SA's output, you don't have DB_File support installed in your copy of perl. Since SA 2.6x uses standard database files for bayes, instead of its own custom code, you need this module for bayes to work.

So, install the DB_File perl module. It's available as an RPM in most redhat distros, and it's probably in CPAN too. You may also need to install Berkeley DB support.

At 07:46 PM 1/6/2004, Steve Douglas wrote:
>debug: bayes: DB_File module not installed, cannot use Bayes

From maillist at HELPINTERNET.CO.UK Wed Jan 7 22:01:57 2004
From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error Message-ID: <004601c3d569$e1966c80$0f01a8c0@richie> I have installed the December Sophos file but get the following error when it tries to update the IDE's: End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of 377_ides.zip or 377_ides.zip.zip, and cannot find 377_ides.zip.ZIP, period. Unzipping the new Sophos IDE files failed. This may well be because your Sophos installation is too old. Please install the latest release of SophosUnzip failed with error return 9 , Bad file descriptor at /usr/lib/MailScanner/sophos-autoupdate line 94. Done. What's the problem please? Richard From mike at CAMAROSS.NET Wed Jan 7 22:06:31 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error In-Reply-To: <004601c3d569$e1966c80$0f01a8c0@richie> Message-ID: <200401072205.i07M5c9x022855@avwall.bladeware.com> What version of the engine are you running? -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Richard Sidlin Sent: Wednesday, January 07, 2004 4:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos Update Error I have installed the December Sophos file but get the following error when it tries to update the IDE's: End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of 377_ides.zip or 377_ides.zip.zip, and cannot find 377_ides.zip.ZIP, period. Unzipping the new Sophos IDE files failed. This may well be because your Sophos installation is too old. Please install the latest release of SophosUnzip failed with error return 9 , Bad file descriptor at /usr/lib/MailScanner/sophos-autoupdate line 94. Done. What's the problem please? Richard From Antony at SOFT-SOLUTIONS.CO.UK Wed Jan 7 22:07:52 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error In-Reply-To: <004601c3d569$e1966c80$0f01a8c0@richie> References: <004601c3d569$e1966c80$0f01a8c0@richie> Message-ID: <200401072207.52741.Antony@Soft-Solutions.co.uk> On Wednesday 07 January 2004 10:01 pm, Richard Sidlin wrote: > I have installed the December Sophos file but get the following error > when it tries to update the IDE's: > > End-of-central-directory signature not found. Either this file is not > a zipfile, or it constitutes one disk of a multi-part archive. In the > latter case the central directory and zipfile comment will be found on > the last disk(s) of this archive. > unzip: cannot find zipfile directory in one of 377_ides.zip or > 377_ides.zip.zip, and cannot find 377_ides.zip.ZIP, period. > Unzipping the new Sophos IDE files failed. This may well be because your > Sophos installation is too old. Please install the latest release of > SophosUnzip failed with error return 9 > , Bad file descriptor at /usr/lib/MailScanner/sophos-autoupdate line 94. > Done. > > What's the problem please? When did you last update the Sophos engine itself (separately from the IDE signature files)? You have to do this at least every three months in order to keep Sophos running. I suspect the problem is identified by the phrase "This may well be because your Sophos installation is too old. Please install the latest release of Sophos". Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 7 22:07:11 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error In-Reply-To: <004601c3d569$e1966c80$0f01a8c0@richie> Message-ID: <007a01c3d56a$9995d910$0501a8c0@darkside> >I have installed the December Sophos file but get the following error >when it tries to update the IDE's: How did you install it? If you just run the install in the sav-install directory it won't work. You need to rerun "Sophos-install". When mailscanner fires up, what version of Sophos does it say it's using (this should be in your logs.) For example, mine say: mail.log.0:Jan 6 21:45:50 mail MailScanner[11835]: SophosSAVI 3.77 (engine 2.18) recognizing 86847 viruses --J(K) From peter at UCGBOOK.COM Wed Jan 7 22:11:29 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:44 2006 Subject: SA unable to locate the db_module In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3968@mail.gardenbotanika.com> References: <3963522F0E71474CB14C0FF54A6914F701AF3968@mail.gardenbotanika.com> Message-ID: <3FFC8411.3000402@ucgbook.com> Try "sa-learn --import". If that doesn't get rid of the errors try "sa-learn --rebuild" and as a last resort delete the files in the bayes directory. /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP Steve Douglas wrote: > I installed this, but now I am receiving the following: > > debug: bayes: 15658 tie-ing to DB file R/O var/spool/spamassassin/bayes_toks > Cannot open bayes databases /var/spool/spamassassin/bayes_* R/O: tie failed: > Inappropriate ioctl for device From mark at TIPPINGMAR.COM Wed Jan 7 22:13:08 2004 
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:21:44 2006 Subject: SA unable to locate the db_module In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3968@mail.gardenbotanika.com> Message-ID: <3FFC13F4.32111.B66619B@localhost> If you are upgrading from SA 2.5 then you have to convert your old Bayes database to the new format. See the INSTALL file for details. Alternatively, I suppose you can remove your old database and let SA start a new one. Mark On 7 Jan 2004 at 15:57, Steve Douglas wrote: > I installed this, but now I am receiving the following: > > debug: bayes: 15658 tie-ing to DB file R/O var/spool/spamassassin/bayes_toks > Cannot open bayes databases /var/spool/spamassassin/bayes_* R/O: tie failed: > Inappropriate ioctl for device From maillist at HELPINTERNET.CO.UK Wed Jan 7 22:17:40 2004 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error In-Reply-To: <007a01c3d56a$9995d910$0501a8c0@darkside> Message-ID: <200401072218.i07MI6W16605@ns.helpplc.co.uk> Hi I ran Sophos.install as usual and when it runs, under "Installing virus data" it says vdl-3.77a.dat. When I start MailScanner, it just states the version of MailScanner not the version of Sophos. I have rerun Sophos.install but it did not cure it. Richard -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki
Sent: 07 January 2004 22:07
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos Update Error

>I have installed the December Sophos file but get the following error
>when it tries to update the IDE's:

How did you install it? If you just run the install in the sav-install directory it won't work. You need to rerun "Sophos-install".

When mailscanner fires up, what version of Sophos does it say it's using (this should be in your logs.) For example, mine say:

mail.log.0:Jan 6 21:45:50 mail MailScanner[11835]: SophosSAVI 3.77 (engine 2.18) recognizing 86847 viruses

--J(K)

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 7 22:32:24 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:44 2006
Subject: Sophos Update Error
In-Reply-To: <200401072218.i07MI6W16605@ns.helpplc.co.uk>
Message-ID: <007c01c3d56e$1f95b690$0501a8c0@darkside>

>I ran Sophos.install as usual and when it runs, under
>"Installing virus data" it says vdl-3.77a.dat.
>
>When I start MailScanner, it just states the version of
>MailScanner not the version of Sophos. I have rerun
>Sophos.install but it
>did not cure it.

Hmmm. Have you downloaded more than once to determine that it's not a corrupt file?

--J(K)

From JFalgout at CO.JEFFERSON.CO.US Wed Jan 7 22:41:05 2004
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:21:44 2006
Subject: Would you be interested . . .
Message-ID:

Hi Julian,

Would you be interested in doing some sort of presentation/tutorial/talk at the USENIX LISA conference? Here is the link to the call for papers:

http://www.usenix.org/events/lisa04/cfp/

I think MailScanner would be a great topic.

Best Regards and Happy New Year

Jeff Falgout
Systems Administrator
IT Operations
Jefferson County, CO
Phone: 303.271.8859
Fax: 303.271.8838
Email: jfalgout@jeffco.us

From steve.douglas at SBIINCORPORATED.COM Wed Jan 7 22:42:54 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3969@mail.gardenbotanika.com>

Thank you! I wanted to follow up to let you know your advice worked! It was invaluable.

From peter at UCGBOOK.COM Wed Jan 7 22:48:16 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:44 2006
Subject: SA unable to locate the db_module
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3969@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3969@mail.gardenbotanika.com>
Message-ID: <3FFC8CB0.3020107@ucgbook.com>

Glad I could be of help and thank you for the nice words. Bayes99 (5.4 points) is my top trap so I wouldn't want to be without it.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Steve Douglas wrote:
> Thank you! I wanted to follow up to let you know your advice worked! It
> was invaluable.

From maillist at HELPINTERNET.CO.UK Wed Jan 7 22:49:37 2004
From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:21:44 2006 Subject: Sophos Update Error In-Reply-To: <007c01c3d56e$1f95b690$0501a8c0@darkside> Message-ID: <200401072250.i07Mo1W19459@ns.helpplc.co.uk> Corrupt. Thanks very much. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki > Sent: 07 January 2004 22:32 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Update Error > > >I ran Sophos.install as usual and when it runs, under > "Installing virus > >data" it says vdl-3.77a.dat. > > > >When I start MailScanner, it just states the version of > MailScanner not > >the version of Sophos. I have rerun Sophos.install but it > did not cure > >it. > > Hmmm. Have you downloaded more than once to determine that > it's not a corrupt file? > > --J(K) > > -- > This message has been scanned for viruses and dangerous > content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email > scanned email support@helpinternet.co.uk > > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From chris at trudeau.org Thu Jan 8 10:53:30 2004 
From: chris at trudeau.org (Chris Trudeau)
Date: Thu Jan 12 21:21:44 2006
Subject: MailScanner ignored?
In-Reply-To: <200401072250.i07Mo1W19459@ns.helpplc.co.uk>
Message-ID: <003201c3d5d5$a6fcedd0$23c8a8c0@serv>

I'm probably missing something, but I've never seen this before.

This message got through mailscanner and no mailscanner headers were applied. I checked the logfile on the handling mailserver for the appropriate MessageID and there is no question that MailScanner checked the message...

When SPAM gets through (very infrequently) I normally check the headers to make sure the message was scanned and to evaluate the score received. Did MailScanner stop processing this message because of the "X-AntiAbuse" headers?

Message-ID: <942558110033.P21hl1OpeH3n3U@localhost>
From: "Tierra Best"
To: sales@trudeau.org
Subject: Bring Thousands of Visitors to Your Web Site
Date: Thu, 8 Jan 2004 10:25:55 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gandalfmail.net
X-AntiAbuse: Original Domain - gandalfmail.net
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

Chris

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 8 11:45:17 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:44 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C419@jessica.herefordshire.gov.uk>

NAI have released new versions of their *n*x commandline scanners, incorporating the new 4320 scan engine.

Licenced users can get them from the usual www.mcafeeb2b.com download link (requires your NAI grant number).

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From sistemas at INTI-RAYMI.COM.PE Thu Jan 8 13:37:12 2004
From: sistemas at INTI-RAYMI.COM.PE (Pepe Chavez)
Date: Thu Jan 12 21:21:44 2006
Subject: ERROR:: The main body of virus data is out of date (542)
Message-ID:

Hi, first of all, sorry for my bad English.
This morning, this message began to appear...

Jan 8 08:25:21 MailScanner[1689]: ERROR:: The main body of virus data is out of date (542):: ./i08DP7or002447/msg-1689-9.html
Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: SophosSAVI found 1 infections
Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: Found 1 viruses
Jan 8 08:25:21 MailScanner[1689]: Uninfected: Delivered 1 messages

The MTA is still working, but I don't know what to do to fix this.

Thanks for your help

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 8 13:54:25 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:44 2006
Subject: ERROR:: The main body of virus data is out of date (542)
In-Reply-To:
References:
Message-ID: <3FFD6111.5070808@solid-state-logic.com>

Pepe Chavez wrote:
> Hi, first of all, sorry for my bad English.
> This morning, this message began to appear...
>
> Jan 8 08:25:21 MailScanner[1689]: ERROR:: The main body of virus data is
> out of date (542):: ./i08DP7or002447/msg-1689-9.html
> Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: SophosSAVI found 1
> infections
> Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: Found 1 viruses
> Jan 8 08:25:21 MailScanner[1689]: Uninfected: Delivered 1 messages
>
> The MTA is still working, but I don't know what to do to fix this.
>
> Thanks for your help

Pepe

So what version of Sophos are you running, and are you doing upgrades every so often to update the main engine (once per month) and the virus definitions (once an hour)?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From Antony at SOFT-SOLUTIONS.CO.UK Thu Jan 8 13:55:58 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: ERROR:: The main body of virus data is out of date (542)
In-Reply-To:
References:
Message-ID: <200401081355.58249.Antony@Soft-Solutions.co.uk>

On Thursday 08 January 2004 1:37 pm, Pepe Chavez wrote:
> Hi, first of all, sorry for my bad English.
> This morning, this message began to appear...
>
> Jan 8 08:25:21 MailScanner[1689]: ERROR:: The main body of virus data is
> out of date (542):: ./i08DP7or002447/msg-1689-9.html
> Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: SophosSAVI found 1
> infections
> Jan 8 08:25:21 MailScanner[1689]: Virus Scanning: Found 1 viruses
> Jan 8 08:25:21 MailScanner[1689]: Uninfected: Delivered 1 messages
>
> The MTA is still working, but I don't know what to do to fix this.

Looks like you need to update your Sophos IDE files, or possibly the Sophos engine itself?

Antony.

--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics

Please reply to the list; please don't CC me.

From mailscanner at ecs.soton.ac.uk Thu Jan 8 15:43:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: MailScanner ignored?
In-Reply-To: <003201c3d5d5$a6fcedd0$23c8a8c0@serv>
References: <200401072250.i07Mo1W19459@ns.helpplc.co.uk> <003201c3d5d5$a6fcedd0$23c8a8c0@serv>
Message-ID: <6.0.1.1.2.20040108154123.041b30f0@imap.ecs.soton.ac.uk>

At 10:53 08/01/2004, you wrote:
>I'm probably missing something, but I've never seen this before.
>
>This message got through mailscanner and no mailscanner headers were
>applied. I checked the logfile on the handling mailserver for the
>appropriate MessageID and there is no question that MailScanner checked
>the message...

I've never seen MailScanner just not scan a message. What I suspect is that
you might have sendmail started up incorrectly. Kill *all* the sendmail
processes that are running and then start up MailScanner. You should end up
with 2 or 3 sendmails (I don't know what version of sendmail running or
what your setup is).

>When SPAM gets through (very infrequently) I normally check the headers
>to make sure the message was scanned and to evaluate the score received.
>Did MailScanner stop processing this message because of the
>"X-AntiAbuse" headers?

No, definitely not.

>
>
>Message-ID: <942558110033.P21hl1OpeH3n3U@localhost>
>From: "Tierra Best"
>To: sales@trudeau.org
>Subject: Bring Thousands of Visitors to Your Web Site
>Date: Thu, 8 Jan 2004 10:25:55 +0000 (GMT)
>X-AntiAbuse: This header was added to track abuse, please include it
>with any abuse report
>X-AntiAbuse: Primary Hostname - gandalfmail.net
>X-AntiAbuse: Original Domain - gandalfmail.net
>X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
>X-AntiAbuse: Sender Address Domain -
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
>
>
>
>Chris

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 8 15:44:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C419@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C419@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040108154341.042c0e40@imap.ecs.soton.ac.uk>

Can someone test them and make sure they all work okay with MailScanner?

At 11:45 08/01/2004, you wrote:
>NAI have released new versions of their *n*x commandline scanners,
>incorporating the new 4320 scan engine.
>
>Licenced users can get them from the usual www.mcafeeb2b.com download link
>(requires your NAI grant number).
>
>Cheers,
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 8 15:53:54 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:45 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C41C@jessica.herefordshire.gov.uk>

Needless to say I'd tested before I posted.

I used the Linux Pentium 4 optimised build on Fedora Core 1. It still
works, still catches viruses, with no (as yet) apparent memory leaks or
problems.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 08 January 2004 15:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: New McAfee Commandline Scanner for Unix/Linux is out
>
>
> Can someone test them and make sure they all work okay with
> MailScanner?
>
> At 11:45 08/01/2004, you wrote:
> >NAI have released new versions of their *n*x commandline scanners,
> >incorporating the new 4320 scan engine.
> >
> >Licenced users can get them from the usual www.mcafeeb2b.com download link
> >(requires your NAI grant number).
> >
> >Cheers,
> >
> >Phil
> >
> >---------------------------------------------
> >Phil Randal
> >Network Engineer
> >Herefordshire Council
> >Hereford, UK
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From Cleveland at WINNEFOX.ORG Thu Jan 8 16:08:54 2004
From: Cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F669@mail.winnefox.org>

Hello,

I've got the latest mailscanner and spamassassin running on redhat 9.
What's happening is I'm trying to run this:
sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --spam --dir /var/spool/mail/cleveland

And, I get this error:
Cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/W: lock failed: File exists

And then just sits there. Any ideas? Is this something I should be
asking the SA list instead?

--
Jody Cleveland
(cleveland@winnefox.org)

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 8 16:13:09 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F669@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F669@mail.winnefox.org>
Message-ID: <3FFD8195.9070208@solid-state-logic.com>

Jody Cleveland wrote:
> Hello,
>
> I've got the latest mailscanner and spamassassin running on redhat 9.
> What's happening is I'm trying to run this:
> sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --spam --dir
> /var/spool/mail/cleveland
>
> And, I get this error:
> Cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/W: lock
> failed: File exists
>
> And then just sits there. Any ideas? Is this something I should be
> asking the SA list instead?
>
>
> --
> Jody Cleveland
> (cleveland@winnefox.org)

Jody

I had something similar when I upgraded from SA 2.60 to 2.61. The file
permissions got broke. Have a look at the permissions/ownerships and
make sure they are consistent

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Cleveland at WINNEFOX.ORG Thu Jan 8 16:20:39 2004
From: Cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F66C@mail.winnefox.org>

> I had something similar when I upgraded from SA 2.60 to 2.61. The file
> permissions got broke. Have a look at the permissions/ownerships and
> make sure they are consistent

What 'should' the permissions be set to?

--
Jody Cleveland
(cleveland@winnefox.org)

From tmiller at INFOTECHFL.COM Thu Jan 8 16:14:46 2004
From: tmiller at INFOTECHFL.COM (Tom Miller)
Date: Thu Jan 12 21:21:45 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C41C@jessica.herefordshire.gov.uk>; from prandal@HEREFORDSHIRE.GOV.UK on Thu, Jan 08, 2004 at 03:53:54PM -0000
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C41C@jessica.herefordshire.gov.uk>
Message-ID: <20040108111446.A32070@pigeon.infotechfl.com>

I'm running the non-P4 optimized version on two RedHat 7.3 servers and a
RedHat 9 server with no problems.

-Tom

On Thu, Jan 08, 2004 at 03:53:54PM -0000, Randal, Phil wrote:
> Needless to say I'd tested before I posted.
>
> I used the Linux Pentium 4 optimised build on Fedora Core 1. It still
> works, still catches viruses, with no (as yet) apparent memory leaks or
> problems.
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK

--
Tom Miller, System Administrator | 5700 SW 34th St. Suite 1235
Info Tech, Inc.                  | Gainesville, FL 32608
                                 | (352)381-4400 Voice
Tom.Miller@infotechfl.com        | (352)381-4444 Fax

From avalex at connect-personal.ru Thu Jan 8 16:30:17 2004
From: avalex at connect-personal.ru (=?ISO-8859-1?B?wOLl8Pz/7e7iIMDr5erx4O3k8A==?=)
Date: Thu Jan 12 21:21:45 2006
Subject: unsubscribe
In-Reply-To:
References:
Message-ID: <2731879750.20040108193017@connect-personal.ru>

????????????, Chris.

?? ?????? 18 ??????? 2003 ?., 0:33:15:

> Try a spamassassin -D --lint and see what it says about bayes.

> Chris

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Darrin
> Sent: Wednesday, December 17, 2003 1:06 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: spam_bayes score not showing up for some email?

> I have spam_bayes setup with mailscanner version 4.24-5

> spam_bayes seemed to be working fine, until today. I am receiving spam
> without a spam_bayes listed?

> LSSI-SpamCheck: not spam, SpamAssassin (score=0.1, required 6,
> HTML_MESSAGE 0.10)

> Has anyone seen this?

unsubscribe

From ls at CREATIVE-WEBNET.DE Thu Jan 8 16:50:04 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:45 2006
Subject: Loops back!! My Last Problem!
Message-ID:

Jan 8 17:40:00 creative postfix/smtp[3686]: warning: mailer loop: best MX host for p15131877.pureserver.info is local
Jan 8 17:40:01 creative postfix/smtp[3686]: E0BE71902B7: to=, relay=none, delay=0, status=bounced (mail for p15131877.pureserver.info loops back to myself)

Please can you help me....

I use Postfix 2.0.14 and the newest MailScanner Version!

THX from Germany

From ugob at CAMO-ROUTE.COM Thu Jan 8 16:52:18 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:45 2006
Subject: Loops back!! My Last Problem!
Message-ID: <54C38A0B814C8E438EF73FC76F362927410784@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Alexander Endl [mailto:ls@CREATIVE-WEBNET.DE]
> Sent: Thursday, January 08, 2004 11:50 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Loops back!! My Last Problem!
>
>
> Jan 8 17:40:00 creative postfix/smtp[3686]: warning: mailer loop: best MX
> host for p15131877.pureserver.info is local
> Jan 8 17:40:01 creative postfix/smtp[3686]: E0BE71902B7:
> to=, relay=none, delay=0, status=bounced
> (mail for p15131877.pureserver.info loops back to myself)

This usually means that when he gets a response from the hello, it is the
same name as his.

>
>
> Please can you help me....
>
> I use Postfix 2.0.14 and the newest MailScanner Version!
>
> THX from Germany
>

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 8 17:17:58 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F66C@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F66C@mail.winnefox.org>
Message-ID: <3FFD90C6.1020502@solid-state-logic.com>

Jody Cleveland wrote:
>>I had something similar when I upgraded from SA 2.60 to 2.61. The file
>>permissions got broke. Have a look at the permissions/ownerships and
>>make sure they are consistent
>
>
> What 'should' the permissions be set to?
>
> --
> Jody Cleveland
> (cleveland@winnefox.org)

Jody

on mine

-rw------- 1 mailnull mailnull 18497536 Jan 8 16:30 bayes_seen
-rw------- 1 root mailnull 5144576 Jan 8 16:30 bayes_toks

I did notice a third file there after the upgrade which I deleted and it
seemed to fix the problem - hey it's been a while (ie more than 5 mins)
so I'm a bit hazy as to what fixed it..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Mark.Warpool at BENCHMARK-USA.COM Thu Jan 8 17:09:16 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool)
Date: Thu Jan 12 21:21:45 2006
Subject: Minor Mailscanner problem
Message-ID: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com>

I have a RH9 Linux box running the latest versions of MailScanner and
SpamAssassin. For the most part, works great. I have one minor issue;
I have Low Scoring Spam set to deliver a bounce message. But since most
spam has fake or permanently full mailboxes (or some other silly error),
I get a lot of bounce messages returned to me. But I don't think it's
ALL of them.

Does any one have any suggestion as to how to stop this. I have my
Outlook set to just delete them, but I hear that new mail chime going
about every minute or so and it's kind of annoying.

TIA!
Mark Warpool
Benchmark Technologies Corp

From chris at FRACTALWEB.COM Thu Jan 8 17:23:18 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:45 2006
Subject: Minor Mailscanner problem
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com>
References: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <3FFD9206.3050102@fractalweb.com>

Mark Warpool wrote:

>I have a RH9 Linux box running the latest versions of MailScanner and
>SpamAssassin. For the most part, works great. I have one minor issue;
>I have Low Scoring Spam set to deliver a bounce message. But since most
>spam has fake or permanently full mailboxes (or some other silly error),
>I get a lot of bounce messages returned to me. But I don't think it's
>ALL of them.
>
>Does any one have any suggestion as to how to stop this. I have my
>Outlook set to just delete them, but I hear that new mail chime going
>about every minute or so and it's kind of annoying.
>
>TIA!
>Mark Warpool
>Benchmark Technologies Corp
>
>
>

Mark,

Don't bounce spam. Once upon a time, it was perhaps good practice. Since
you admit "most spam has fake ... mailboxes" you're likely filling up
the inbox of some innocent person whose email address was used by the
spammer.

Cheers,
Chris

From Antony at SOFT-SOLUTIONS.CO.UK Thu Jan 8 17:26:43 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: Minor Mailscanner problem
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com>
References: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <200401081726.43961.Antony@Soft-Solutions.co.uk>

On Thursday 08 January 2004 5:09 pm, Mark Warpool wrote:

> I have a RH9 Linux box running the latest versions of MailScanner and
> SpamAssassin. For the most part, works great. I have one minor issue;
> I have Low Scoring Spam set to deliver a bounce message. But since most
> spam has fake or permanently full mailboxes (or some other silly error),
> I get a lot of bounce messages returned to me. But I don't think it's
> ALL of them.
>
> Does any one have any suggestion as to how to stop this.

Sure. Don't bounce spam.

Unless you have an awful lot of false positives (ham which is getting marked
as spam, in which case you should adjust your score threshold), the small
number of inappropriately spam-detected emails which don't get bounced are an
acceptable price to pay for the large quantity of genuine spam which is
detected and discarded without attempting to bounce it.

Antony.

--
You can spend the whole of your life trying to be popular, but at the end of
the day the size of the crowd at your funeral will be largely dictated by the
weather.

 - Frank Skinner

Please reply to the list; please don't CC me.

From mailscanner at ecs.soton.ac.uk Thu Jan 8 17:35:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: Minor Mailscanner problem
In-Reply-To: <200401081726.43961.Antony@Soft-Solutions.co.uk>
References: <93B43B0A099CFE4AB0AED9B54919346E25672C@srv-btc-2k.corp.benchmark-usa.com> <200401081726.43961.Antony@Soft-Solutions.co.uk>
Message-ID: <6.0.1.1.2.20040108173433.0416dc60@imap.ecs.soton.ac.uk>

At 17:26 08/01/2004, you wrote:
>On Thursday 08 January 2004 5:09 pm, Mark Warpool wrote:
>
> > I have a RH9 Linux box running the latest versions of MailScanner and
> > SpamAssassin. For the most part, works great. I have one minor issue;
> > I have Low Scoring Spam set to deliver a bounce message. But since most
> > spam has fake or permanently full mailboxes (or some other silly error),
> > I get a lot of bounce messages returned to me. But I don't think it's
> > ALL of them.
> >
> > Does any one have any suggestion as to how to stop this.
>
>Sure. Don't bounce spam.
>
>Unless you have an awful lot of false positives (ham which is getting marked
>as spam, in which case you should adjust your score threshold), the small
>number of inappropriately spam-detected emails which don't get bounced are an
>acceptable price to pay for the large quantity of genuine spam which is
>detected and discarded without attempting to bounce it.

I second that. I get a lot of mail from people annoyed by receiving
MailScanner spam bounce messages.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dsimmons at AFFANT.COM Thu Jan 8 19:25:52 2004
From: dsimmons at AFFANT.COM (Dave Simmons)
Date: Thu Jan 12 21:21:45 2006
Subject: HTML email modified
Message-ID:

We have MailScanner running with SpamAssassin and we have run into a
problem. We sent an email outbound that was an HTML advertisement. The
HTML code was modified. The font color was changed, the font size was
changed and several !!! were inserted into the message.

If the message is sent internally without passing through MailScanner it
remains unchanged. When sent to our test account through MailScanner the
html message gets modified. If the same message is resent more !!! are
added to the message body.

Is this anything anyone has run across before?

I searched the archives but didn't find anything on this subject.

Thank you in advance.

Dave Simmons

From Antony at SOFT-SOLUTIONS.CO.UK Thu Jan 8 19:42:03 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: HTML email modified
In-Reply-To:
References:
Message-ID: <200401081942.03232.Antony@Soft-Solutions.co.uk>

On Thursday 08 January 2004 7:25 pm, Dave Simmons wrote:

> We have MailScanner running with SpamAssassin and we have run into a
> problem. We sent an email outbound that was an HTML advertisement. The
> HTML code was modified. The font color was changed, the font size was
> changed and several !!! were inserted into the message.

Well, I guess it saves the people on the receiving end from having to do it
themselves :)

> Is this anything anyone has run across before?
>
> I searched the archives but didn't find anything on this subject.

A couple of things would be useful here:

1. Show us the full headers of the modified email which gets received.

2. Tell us what your MailScanner ruleset is (without comments) - something
like the output of grep -v "^\($\|#\)" MailScanner.conf would be good.

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

Please reply to the list; please don't CC me.

From steve.swaney at FSL.COM Thu Jan 8 19:45:31 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:45 2006
Subject: HTML email modified
In-Reply-To:
Message-ID: <20040108194734.8C54B21C2FF@mail.fsl.com>

Dave,

You probably want to use rulesets to _NOT_ use MailScanner on outbound
email.

In MailScanner.conf set:

Convert Dangerous HTML To Text = %rules-dir%/convert.dangerous.html.rules

Where %rules-dir%/convert.dangerous.html.rules contains:

# Rules to allow Dangerous HTML from certain domains
From: *@yourdomain.com no
FromOrTo: default yes

Hope this helps.

Stephen Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Dave Simmons
Sent: Thursday, January 08, 2004 2:26 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: HTML email modified

We have MailScanner running with SpamAssassin and we have run into a
problem. We sent an email outbound that was an HTML advertisement. The
HTML code was modified. The font color was changed, the font size was
changed and several !!! were inserted into the message.

If the message is sent internally without passing through MailScanner it
remains unchanged. When sent to our test account through MailScanner the
html message gets modified. If the same message is resent more !!! are
added to the message body.

Is this anything anyone has run across before?

I searched the archives but didn't find anything on this subject.

Thank you in advance.

Dave Simmons

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 8 20:02:17 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:45 2006
Subject: MailScanner ignored?
In-Reply-To: <6.0.1.1.2.20040108154123.041b30f0@imap.ecs.soton.ac.uk>
Message-ID:

If you have multiple MX records it could happen...

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 08 January 2004 15:43
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner ignored?
>
>
> At 10:53 08/01/2004, you wrote:
> >I'm probably missing something, but I've never seen this before.
> >
> >This message got through mailscanner and no mailscanner headers were
> >applied. I checked the logfile on the handling mailserver for the
> >appropriate MessageID and there is no question that MailScanner checked
> >the message...
>
> I've never seen MailScanner just not scan a message. What I suspect is
> that you might have sendmail started up incorrectly. Kill *all* the
> sendmail processes that are running and then start up MailScanner. You
> should end up with 2 or 3 sendmails (I don't know what version of
> sendmail running or what your setup is).
>
> >When SPAM gets through (very infrequently) I normally check the headers
> >to make sure the message was scanned and to evaluate the score received.
> >Did MailScanner stop processing this message because of the
> >"X-AntiAbuse" headers?
>
> No, definitely not.
>
> >
> >
> >Message-ID: <942558110033.P21hl1OpeH3n3U@localhost>
> >From: "Tierra Best"
> >To: sales@trudeau.org
> >Subject: Bring Thousands of Visitors to Your Web Site
> >Date: Thu, 8 Jan 2004 10:25:55 +0000 (GMT)
> >X-AntiAbuse: This header was added to track abuse, please include it
> >with any abuse report
> >X-AntiAbuse: Primary Hostname - gandalfmail.net
> >X-AntiAbuse: Original Domain - gandalfmail.net
> >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> >X-AntiAbuse: Sender Address Domain -
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative;
> > boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
> >
> >
> >
> >Chris
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From Cleveland at WINNEFOX.ORG Thu Jan 8 20:09:50 2004
From: Cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org>

Hi Martin,

> > What 'should' the permissions be set to?

> on mine
>
> -rw------- 1 mailnull mailnull 18497536 Jan 8 16:30 bayes_seen
> -rw------- 1 root mailnull 5144576 Jan 8 16:30 bayes_toks
>
> I did notice a third file there after the upgrade which I
> deleted and it seemed to fix the problem - hey it's been a while (ie more
> than 5 mins) so I'm a bit hazy as to what fixed it..

I've got 486 items in there. Most of them look similar to
bayes.lock.mystique.winnefox.org.11373

I noticed I was running it as my local user. So, I restarted it as root.
I haven't gotten any errors, but it's been going for over 2 hours now.
Is this normal?

- Jody

From mailscanner at ecs.soton.ac.uk Thu Jan 8 23:32:12 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:45 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200401082332.i08NWCn3006494@seer.ecs.soton.ac.uk>

New Guestbook-Entry from butrus orman

the question to come to mind is what does it do that spamassassin does not
do and how do they compare

From peter at UCGBOOK.COM Thu Jan 8 21:19:37 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org>
Message-ID: <3FFDC969.5080009@ucgbook.com>

The files that end in a number are lock files from SA processes using
the Bayes database, the number is the process id.

Can you do "spamassassin -D -t < somespammail"? You have a sample in the
SA distribution you can use for testing, I think it's called sample-spam
or something. Do you get the same errors then? In that case try
"sa-learn --rebuild", if that doesn't work I think you have to delete
the Bayes files to let it start from scratch.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Jody Cleveland wrote:
> I've got 486 items in there. Most of them look similar to
> bayes.lock.mystique.winnefox.org.11373
>
> I noticed I was running it as my local user. So, I restarted it as root.
> I haven't gotten any errors, but it's been going for over 2 hours now.
> Is this normal?

From ls at CREATIVE-WEBNET.DE Thu Jan 8 23:25:23 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:45 2006
Subject: How can I fix it!!!
Message-ID:

warning: mailer loop: best MX host for p15131877.pureserver.info is local

this says mal warnlog!!!!

From kevins at BMRB.CO.UK Thu Jan 8 23:45:11 2004
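Peter Bonivart's point in the Sa-learn thread above, that the trailing number on each bayes.lock.* file is the PID of the SpamAssassin process holding it, makes leftover locks easy to find. This added example (not part of any post) lists lock files whose PID no longer exists and deletes nothing; the demo directory is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find Bayes lock files left behind by dead processes.
# Assumes lock names of the form bayes.lock.<hostname>.<pid>, as quoted in
# the thread (bayes.lock.mystique.winnefox.org.11373).

# True if a process with this PID exists. kill -0 also fails (EPERM) for a
# live process owned by another user, so fall back to /proc where it exists.
pid_alive() {
    kill -0 "$1" 2>/dev/null && return 0
    [ -d "/proc/$1" ]
}

# Print the PID encoded in a lock file name; fail if the last dot-separated
# component is not a number.
lock_pid() {
    name=${1##*/}
    pid=${name##*.}
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# List the lock files in directory $1 whose owning process is gone.
stale_bayes_locks() {
    for f in "$1"/bayes.lock.*; do
        [ -e "$f" ] || continue            # glob matched nothing
        pid=$(lock_pid "$f") || continue   # not a <host>.<pid> lock name
        pid_alive "$pid" || printf '%s\n' "$f"
    done
}

# Demo on a constructed directory: one lock held by this shell (live) and
# one whose PID belonged to a child that has already exited (stale).
demo() {
    dir=$(mktemp -d) || return 1
    ( : ) &
    dead=$!
    wait "$dead"
    touch "$dir/bayes_toks" "$dir/bayes_seen" \
          "$dir/bayes.lock.mx.example.org.$$" \
          "$dir/bayes.lock.mx.example.org.$dead"
    stale_bayes_locks "$dir"
    rm -rf "$dir"
}

demo
```

A reused PID can make a stale lock look live, so the list errs on the side of reporting too few files rather than too many.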
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:45 2006
Subject: How can I fix it!!!
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C2195A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C2195A@pascal.priv.bmrb.co.uk>
Message-ID: <1073605517.20338.11.camel@bach.kevinspicer.co.uk>

On Thu, 2004-01-08 at 23:25, Alexander Endl wrote:
>warning: mailer loop: best MX host for p15131877.pureserver.info is
>local
>this says mal warnlog!!!!

That rather depends on a) exactly what your problem is, b) what MTA you
are using. Taking these points in turn...

a) Is your problem
   1) affecting some mails leaving your networks, or...
   2) all mails entering your network

if 1) then odds are it's an external site with misconfigured DNS (some
spammers use MX records of 127.0.0.1 to avoid getting bounces) - in this
case it's outside your control.

if 2) Set your Mailscanner server as secondary MX instead of primary and
ensure your primary MX is firewalled not to accept connections from the
outside world. Or if you are using sendmail set up mailertable entries
for your local domains to bypass the DNS lookup. (I guess there are
similar techniques on other MTAs)

From lists at TRCINTL.COM Fri Jan 9 00:28:03 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:21:45 2006
Subject: Not Virus Scanning Some Domains
Message-ID:

I have several domains that are covered by MailScanner, some have virus
scanners and some don't. Easy enough to handle using a rule for the Virus
Scanning variable. However, I have noticed that this variable also turns
off other things (as is stated in the docs). One example is that it turns
off MailScanner's ability to mark scanned message with "{Scanned}" at the
beginning of the subject. There are others, but I'll use that as an
example.

I found what I thought was a work around for this in the FAQ located at
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/244.html. For some
reason, I can't get this to work. Here is what I have:

Virus Scanning is turned on. Then I created
/etc/MailScanner.filename.all.conf that contains:

allow . - - (tabs, not spaces)

In MailScanner.conf I have
Filename Rules = /etc/MailScanner/rules/filename.rules.
That file contains:

To: mydomain.com /etc/MailScanner.filename.all.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

This is pretty much as the FAQ says, however, when I send the eicar.com
test virus to someone at mydomain.com it flags it as a virus and removes
it instead of letting it pass? As I understand it, this is not what should
happen. In MailScanner.conf it says, and I quote " . . . is used to accept
or reject file attachments based on their name, regardless of whether they
are infected or not". What am I missing? By the way, the File Command is
blank in MailScanner.conf so I shouldn't have to worry about that.

If anyone knows of a better way of disabling Virus Scanning but keeping ALL
the other features of MailScanner, please let me know.

Thanks much in advance.

P.S. I know it would be easier to just enable Virus Scanning for all
domains, but in the corporate world sometimes what is easiest is not
always possible.

From kevins at BMRB.CO.UK Fri Jan 9 07:57:32 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:45 2006
Subject: Not Virus Scanning Some Domains
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C2195C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C2195C@pascal.priv.bmrb.co.uk>
Message-ID: <1073635056.4711.5.camel@bach.kevinspicer.co.uk>

On Fri, 2004-01-09 at 00:28, Kyle Harris wrote:
>As I understand it, this is not what should
>happen. In MailScanner.conf it says, and I quote " . . . is used to
>accept
>or reject file attachments based on their name, regardless of whether
>they
>are infected or not". What am I missing?

You are misunderstanding that statement. filename.rules.conf determines
whether a file should be blocked based on its name (regardless of other
checks) - but will not override the decision of another check (such as
virus scanning) to block the file.

>If anyone knows of a better way of disabling Virus Scanning but keeping
>ALL
>the other features of MailScanner, please let me know.

I think with recent versions you can use a ruleset for 'Virus Scanning'
just to turn virus scanning on or off (In older versions this stopped
all processing - but IIRC this has now been changed)

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 9 08:55:24 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org>
Message-ID: <3FFE6C7C.6040601@solid-state-logic.com>

Jody Cleveland wrote:
> Hi Martin,
>
>>>What 'should' the permissions be set to?
>
>>on mine
>>
>>-rw------- 1 mailnull mailnull 18497536 Jan 8 16:30 bayes_seen
>>-rw------- 1 root mailnull 5144576 Jan 8 16:30 bayes_toks
>>
>>I did notice a third file there after the upgrade which I
>>deleted and it seemed to fix the problem - hey it's been a while (ie more
>>than 5 mins) so I'm a bit hazy as to what fixed it..
>
> I've got 486 items in there. Most of them look similar to
> bayes.lock.mystique.winnefox.org.11373
>
> I noticed I was running it as my local user. So, I restarted it as root.
> I haven't gotten any errors, but it's been going for over 2 hours now.
> Is this normal?
>
> - Jody

Jody

what is 'it' here - mailscanner, sa-learn.... (confused with no coffee yet)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From howard at harper-adams.ac.uk Fri Jan 9 09:32:49 2004
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:21:45 2006
Subject: Emails made up of random words
Message-ID: <200401090931.i099V48Q014192@blackhole.harper-adams.ac.uk>

Dear List members,

We are getting increasing numbers of emails containing what look like a selection of random words. It only started here before Christmas. Is this a new phenomenon or have we just been lucky before?

Whilst they are still manageable numbers at the moment & can be quickly deleted there are one or two members of staff getting their knickers in a twist about them.

What's the best way to deal with them (the emails not the staff)?

Thanks and happy new year to you all.

Regards

Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire TF10 8NB UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 9 09:40:04 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Sa-learn error
In-Reply-To: <3FFE6C7C.6040601@solid-state-logic.com>
References: <7D3DDF19D93C3642931C3EB8803165A959F67D@mail.winnefox.org> <3FFE6C7C.6040601@solid-state-logic.com>
Message-ID: <3FFE76F4.4060301@solid-state-logic.com>

Martin Hepworth wrote:
> Jody Cleveland wrote:
>
>> Hi Martin,
>>
>>>> What 'should' the permissions be set to?
>>
>>> on mine
>>>
>>> -rw------- 1 mailnull mailnull 18497536 Jan 8 16:30 bayes_seen
>>> -rw------- 1 root mailnull 5144576 Jan 8 16:30 bayes_toks
>>>
>>> I did notice a third file there after the upgrade which I deleted and it seemed to fix the problem - hey it's been a while (ie more than 5 mins) so I'm a bit hazy as to what fixed it..
>>
>> I've got 486 items in there. Most of them look similar to
>> bayes.lock.mystique.winnefox.org.11373
>>
>> I noticed I was running it as my local user. So, I restarted it as root.
>> I haven't gotten any errors, but it's been going for over 2 hours now.
>> Is this normal?
>>
>> - Jody
>
> Jody
>
> what is 'it' here - mailscanner, sa-learn.... (confused with no coffee yet)
>
>

Jody

Ok the coffee's kicked in.....:-)

after you upgraded sa did you rebuild the DB? I had to do this when I went from 2.60 to 2.61 even though I've not seen any doccy about doing it for this release.

Also could you remind me what version you upgraded from and to? if you went from 2.5x to 2.6x you'll definitely have to do a rebuild (and make sure the Berkeley DB perl modules are installed) as they changed the database format.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From rcooper at DIMENSION-FLM.COM Fri Jan 9 11:32:42 2004
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:21:45 2006
Subject: Emails made up of random words
In-Reply-To: <200401090931.i099V48Q014192@blackhole.harper-adams.ac.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Howard Robinson
> Sent: Friday, January 09, 2004 4:33 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Emails made up of random words
>
>
> Dear List members,
> We are getting increasing numbers of emails containing what look like a selection of random words. It only started here before Christmas. Is this a new phenomenon or have we just been lucky before?
> Whilst they are still manageable numbers at the moment & can be quickly deleted there are one or two members of staff getting their knickers in a twist about them.
> What's the best way to deal with them (the emails not the staff)?
>
> Thanks and happy new year to you all.
>
>
>
> Regards
>
> Howard Robinson

Go here http://www.emtinc.net/spamhammers.htm and use these rules if you are not already. There is much discussion of this topic (bayes poison) on the spamassassin list and there are a couple of counter measures being developed so you may want to subscribe to spamassassin-talk and follow the thread relating to large collections of random words.

This rule has caught a few for me (they are hiding the words with 0pt font)

rawbody LOCAL_ZERO_FONTSIZE /\bfont-size\: 0pt|font.*size="0"|font.*size=0/i
describe LOCAL_ZERO_FONTSIZE Font has a size of Zero. What is being hidden?
score LOCAL_ZERO_FONTSIZE 4.5

as has this one

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0

Best thing, follow the sa-talk list

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Jan 9 12:24:52 2004
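Rick Cooper's two rules from the message above, run against constructed message bodies to see what they score and where `font.*size="0"` over-matches. This is an added example, not code from the post or from SpamAssassin; it assumes rawbody rules are tested one line at a time and approximates uri extraction with a simple regex, and every sample body and `.invalid` URL is made up.

```python
import re

# The two rules exactly as posted: (rule type, name, pattern, score).
RULES = [
    ("rawbody", "LOCAL_ZERO_FONTSIZE",
     re.compile(r'\bfont-size\: 0pt|font.*size="0"|font.*size=0', re.I), 4.5),
    ("uri", "BAYES_BUSTER",
     re.compile(r'rx359|2004hosting|530000X|openseed|er5hdh|quickforms', re.I), 10.0),
]

# Assumption: a simple http(s) matcher stands in for SpamAssassin's URI extraction.
URI_RE = re.compile(r'''https?://[^\s"'<>]+''', re.I)


def evaluate(body):
    """Return ({rule name: [matching lines or URIs]}, total score) for one body."""
    lines = body.splitlines()          # assumption: rawbody is matched per line
    uris = URI_RE.findall(body)
    hits = {}
    for kind, name, pattern, _score in RULES:
        targets = lines if kind == "rawbody" else uris
        matched = [t for t in targets if pattern.search(t)]
        if matched:
            hits[name] = matched
    total = sum(score for _k, name, _p, score in RULES if name in hits)
    return hits, total


# Constructed sample bodies (not taken from real mail).
HIDDEN_WORDS = ('<span style="font-size: 0pt">granite otter plural</span>\n'
                'See http://shop.example.invalid/offer\n')
BOTH_RULES = ('<font size="0">walnut ferry column</font>\n'
              'Details: http://quickforms.example.invalid/apply\n')
LEGITIMATE = ('<p style="font-size: 10pt">Minutes of the meeting attached.</p>\n'
              'Archive: http://intranet.example.invalid/minutes\n')
# No zero-size text here: "font" earlier on the line plus an unrelated
# size="0" attribute is enough for the greedy font.*size="0" alternative.
FALSE_POSITIVE = '<font face="Arial">Agenda for Monday</font> <hr size="0" noshade>\n'

SAMPLES = {
    "hidden words": HIDDEN_WORDS,
    "hidden words + listed URI": BOTH_RULES,
    "legitimate HTML mail": LEGITIMATE,
    "legitimate, but hits the font rule": FALSE_POSITIVE,
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, total = evaluate(body)
        print(f"{label}: score {total}, rules {sorted(hits) or 'none'}")
```

The last sample shows why a rule scored at 4.5 is worth checking against a corpus of known-good HTML mail before it goes live.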
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <200401091208.i09C8vF02292@mailhost.intech.co.uk>
References: <200401091208.i09C8vF02292@mailhost.intech.co.uk>
Message-ID: <6.0.1.1.2.20040109122059.08e78d08@imap.ecs.soton.ac.uk>

At 12:09 09/01/2004, you wrote:
>I have been using MailScanner for a year or so. We used to flag spam messages but accept them. As the volumes of spam increased we have now started to bounce spam messages. We bounce rather than delete so as to be polite to people who send legitimate messages which are 'falsely' marked as spam.

Please do *not* bounce spam messages. Virtually all spam these days has a fake sender address, which belongs to some poor hapless individual who knows nothing about it. If you bounce spam, they get messages in their mailbox from MailScanner all about spam they never sent.

Result: They get very annoyed, as they can't see any of their real mail among all the MailScanner spam bounce messages.
Result of that: They complain to me about it, and I can't help them.
Result of that: MailScanner gets a very bad name, and you have wasted yet more of my time that I have to spend answering these (often rude, abusive and threatening) emails.

So please do *NOT* bounce spam.

I may well remove the feature completely very soon as I can't see any valid use for it any more.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 12:33:57 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <6.0.1.1.2.20040109122059.08e78d08@imap.ecs.soton.ac.uk>
References: <200401091208.i09C8vF02292@mailhost.intech.co.uk> <6.0.1.1.2.20040109122059.08e78d08@imap.ecs.soton.ac.uk>
Message-ID: <200401091233.57444.Antony@Soft-Solutions.co.uk>

On Friday 09 January 2004 12:24 pm, Julian Field wrote:

> Please do *not* bounce spam messages. Virtually all spam these days has a fake sender address, which belongs to some poor hapless individual who knows nothing about it. If you bounce spam, they get messages in their mailbox from MailScanner all about spam they never sent.
>
> I may well remove the feature completely very soon as I can't see any valid use for it any more.

Sounds like a very good plan to me.

(PS: The sig below was quite fortuitous, chosen at random by my sigscript...)

Antony.

--
I'm pink, therefore I'm Spam.

Please reply to the list; please don't CC me.

From gdoris at ROGERS.COM Fri Jan 9 12:38:06 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <6.0.1.1.2.20040109122059.08e78d08@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 9 Jan 2004, Julian Field wrote:

> So please do *NOT* bounce spam.
>
> I may well remove the feature completely very soon as I can't see any valid use for it any more.

GREAT!!! I also see no need to bounce spam or virii. It invariably goes to the wrong person.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From Q.G.Campbell at NEWCASTLE.AC.UK Fri Jan 9 12:59:02 2004
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
Message-ID: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: 09 January 2004 12:25
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Bouncing Spam
>
>
>At 12:09 09/01/2004, you wrote:
>>I have been using MailScanner for a year or so. We used to flag spam messages but accept them. As the volumes of spam increased we have now started to bounce spam messages. We bounce rather than delete so as to be polite to people who send legitimate messages which are 'falsely' marked as spam.
>[snip]
>Result: They get very annoyed, as they can't see any of their real mail among all the MailScanner spam bounce messages.
>Result of that: They complain to me about it, and I can't help them.
>Result of that: MailScanner gets a very bad name, and you have wasted yet more of my time that I have to spend answering these (often rude, abusive and threatening) emails.
[snip]

Julian

I sympathise with your problems. However I am equally at risk from sanctions or abuse from people who think that I am deliberately ignoring their mail when in fact it was (a false positive) deleted automatically as probable spam.

For this reason I have chosen to use the MailScanner option to send an explanatory message when spam to me is deleted. In truth I am more concerned about the people who _need_ to know what has happened to their message to me than I am about the consequences of collateral spam that results.

One reason I have moved to using MailScanner to delete probable spam is that we have many mailboxes on Outlook/Exchange. That system cannot permanently delete tagged messages through the Rules Wizard when Outlook is switched off. This can be a serious problem and results in mail being lost if quotas are exceeded (over vacations for example).

I receive so much spam each day that it is not practical to have tagged messages delivered then moved to a "spam" folder (by a personal mail filter) where I am supposed to inspect them for possible false positives.

I would be interested to hear what alternative strategies have been adopted by people in my position.

Quentin

From gioia at bclink.it Fri Jan 9 13:06:24 2004
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:45 2006
Subject: Little Report problem with Postfix
Message-ID:

Hi guys,

I have the following Report from Mailscanner when a Virus is found:

*********************************
"The following e-mail messages were found to have viruses in them:

Sender: admin@mydomain.it
IP Address: xxx.xxx.xxx.xxx
Recipient: user@mydomain.it, user@mydomain.it
Subject: your account yijefwov
MessageID: 28A7433F302
Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] ./28A7433F302/message.zip <<< Contains signature of the worm Worm/MiMail.A1
F-Prot: /var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.html Infection: W32/Mimail.A@mm"
*********************************

It only affects the reporting and doesn't have any impact on message delivery at all.

I found that someone else (the link below) pointed out this little problem, but had no response.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S=&P=27533

Just want to know if someone has an idea of why this happens..

I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and F-Prot software

Thanks all!
Thanks Julian

From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 13:18:39 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
Message-ID: <200401091318.39718.Antony@Soft-Solutions.co.uk>

On Friday 09 January 2004 12:59 pm, Quentin Campbell wrote:

> I sympathise with your problems. However I am equally at risk from sanctions or abuse from people who think that I am deliberately ignoring their mail when in fact it was (a false positive) deleted automatically as probable spam.

There is a certain amount of user education involved here - people simply have to get used to the fact that email is not a guaranteed delivery system (as it may some time ago have been considered to be, what with the reliability and determination of email servers and protocols), therefore there is a greater than zero chance that a legitimate email will not arrive with the recipient.

> For this reason I have chosen to use the MailScanner option to send an explanatory message when spam to me is deleted. In truth I am more concerned about the people who _need_ to know what has happened to their message to me than I am about the consequences of collateral spam that results.

Yours is probably one of the addresses which the rest of us see irrelevant and unwanted bounce messages from then, when our email address has been forged in spam sent to you.

> One reason I have moved to using MailScanner to delete probable spam is that we have many mailboxes on Outlook/Exchange. That system cannot permanently delete tagged messages through the Rules Wizard when Outlook is switched off. This can be a serious problem and results in mail being lost if quotas are exceeded (over vacations for example).

I agree that deleting spam is a good idea. Bouncing it is not.

> I receive so much spam each day that it is not practical to have tagged messages delivered then moved to a "spam" folder (by a personal mail filter) where I am supposed to inspect them for possible false positives.

As you say yourself, you "receive so much spam each day...". Your decision to send bounce messages in response only adds to the amount received by other people. Virtually all spam has a forged address these days, therefore nearly all your bounce messages will be irrelevant to and unwanted by the people you are sending them to.

> I would be interested to hear what alternative strategies have been adopted by people in my position.

We don't bounce spam, and we make sure people know that a legitimate email might possibly not arrive. This is accepted in the normal postal system (some small percentage of letters, postcards, parcels etc never get delivered), and email is no different (although the reasons may not be quite the same).

Regards,

Antony.

--
Success is a lousy teacher. It seduces smart people into thinking they can't lose.

- William H Gates III

Please reply to the list; please don't CC me.

From gioia at bclink.it Fri Jan 9 13:18:21 2004
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:45 2006
Subject: R: Little Report problem with Postfix
In-Reply-To:
Message-ID:

Forgot this:

At every Report I get, I have the recipient duplicated (user@mydomain.it)

-----Original message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Gioia Bastioni
Sent: Friday 9 January 2004 14.06
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Little Report problem with Postfix

Hi guys,

I have the following Report from Mailscanner when a Virus is found:

*********************************
"The following e-mail messages were found to have viruses in them:

Sender: admin@mydomain.it
IP Address: xxx.xxx.xxx.xxx
Recipient: user@mydomain.it, user@mydomain.it
Subject: your account yijefwov
MessageID: 28A7433F302
Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] ./28A7433F302/message.zip <<< Contains signature of the worm Worm/MiMail.A1
F-Prot: /var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.html Infection: W32/Mimail.A@mm"
*********************************

It only affects the reporting and doesn't have any impact on message delivery at all.

I found that someone else (the link below) pointed out this little problem, but had no response.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S=&P=27533

Just want to know if someone has an idea of why this happens..

I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and F-Prot software

Thanks all!
Thanks Julian

From rcooper at DIMENSION-FLM.COM Fri Jan 9 13:39:12 2004
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Quentin Campbell
> Sent: Friday, January 09, 2004 7:59 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Bouncing Spam
>
>
> >-----Original Message-----
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> >Sent: 09 January 2004 12:25
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Bouncing Spam
> >
> >
> >At 12:09 09/01/2004, you wrote:
> >>I have been using MailScanner for a year or so. We used to flag spam messages but accept them. As the volumes of spam increased we have now started to bounce spam messages. We bounce rather than delete so as to be polite to people who send legitimate messages which are 'falsely' marked as spam.
> >[snip]
> >Result: They get very annoyed, as they can't see any of their real mail among all the MailScanner spam bounce messages.
> >Result of that: They complain to me about it, and I can't help them.
> >Result of that: MailScanner gets a very bad name, and you have wasted yet more of my time that I have to spend answering these (often rude, abusive and threatening) emails.
> [snip]
>
> Julian
>
> I sympathise with your problems. However I am equally at risk from sanctions or abuse from people who think that I am deliberately ignoring their mail when in fact it was (a false positive) deleted automatically as probable spam.
>

I don't delete any spam that has not reached the high scoring threshold (17).
I deliver the rest of the spam to a special mailbox that I can look at if I need to, I have a custom script that periodically sends me a notice of spam from the MailScanner logs.
If there is a false positive I forward to the person it was to and I look at ways to eliminate the FP in the future.
(I have modified MailScanner to include the subject and "To" address(s) in the log)

MOST importantly, I have the MTA do the RBL checks, it also requires a FQDN (e)helo, checks to see if the calling host is attempting to impersonate one of our hosts or IPs, does sender verification on any non-internal host, drops any host that has missed on 3 mail addresses in one session, drops any non internal host that tries to send to more than 5 mail addresses in one session, checks that the MX record for the sender domain is valid and not 127.0.0.x, checks the sender IDENT, if available to see it's not a web server or web proxy, and require sender authentication from any valid local user... In short, I make sure the MTA has done everything reasonable to stop spam before it makes it onto the server. MailScanner doesn't get much spam to handle as the result.

> For this reason I have chosen to use the MailScanner option to send an explanatory message when spam to me is deleted. In truth I am more concerned about the people who _need_ to know what has happened to their message to me than I am about the consequences of collateral spam that results.
>

It is the ultimate in rudeness to bounce a message to someone that did not send it. And the vast majority of normal users do not have a clue that someone was impersonating them in a spam message, and would not care if they did understand. When you bounce spam to someone who did not send it *you have become the spammer*. In fact this is becoming a more and more popular way to transmit spam.

> One reason I have moved to using MailScanner to delete probable spam is that we have many mailboxes on Outlook/Exchange. That system cannot permanently delete tagged messages through the Rules Wizard when Outlook is switched off. This can be a serious problem and results in mail being lost if quotas are exceeded (over vacations for example).
>
> I receive so much spam each day that it is not practical to have tagged messages delivered then moved to a "spam" folder (by a personal mail filter) where I am supposed to inspect them for possible false positives.
>

Be more vigilant about stopping spam before it is received and reduce the amount of spam you need to look at. Bouncing spam notices, and "virus received messages" are just as bad as originating the offending material yourself. This added work load for mail admins is just part of life today... not fair but certainly necessary.

> I would be interested to hear what alternative strategies have been adopted by people in my position.
>

done :-)

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Mark.Warpool at BENCHMARK-USA.COM Fri Jan 9 13:46:35 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256737@srv-btc-2k.corp.benchmark-usa.com>

Allow me to point out one simple use for it, which is what I have been using it for recently. As a sort of "debugging" technique. I wanted to get a bead on just how many false-positives that I have been getting, and so I turned on the bouncing, expecting that the people who get the bounce would give me a call and let me know.

I will be turning mine off soon, as I'm not getting anywhere near the amount of false positives I was afraid I was getting.

Mark Warpool
Phone: (419) 843-6691
Cell: (419) 356-2298

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday, January 09, 2004 7:25 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Bouncing Spam

At 12:09 09/01/2004, you wrote:
>I have been using MailScanner for a year or so. We used to flag spam messages but accept them. As the volumes of spam increased we have now started to bounce spam messages. We bounce rather than delete so as to be polite to people who send legitimate messages which are 'falsely' marked as spam.

Please do *not* bounce spam messages. Virtually all spam these days has a fake sender address, which belongs to some poor hapless individual who knows nothing about it. If you bounce spam, they get messages in their mailbox from MailScanner all about spam they never sent.

Result: They get very annoyed, as they can't see any of their real mail among all the MailScanner spam bounce messages.
Result of that: They complain to me about it, and I can't help them.
Result of that: MailScanner gets a very bad name, and you have wasted yet more of my time that I have to spend answering these (often rude, abusive and threatening) emails.

So please do *NOT* bounce spam.

I may well remove the feature completely very soon as I can't see any valid use for it any more.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lists at TRCINTL.COM Fri Jan 9 13:55:43 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:21:45 2006
Subject: Not Virus Scanning Some Domains
Message-ID:

On Fri, 9 Jan 2004 07:57:32 +0000, Kevin Spicer wrote:

>On Fri, 2004-01-09 at 00:28, Kyle Harris wrote:
>
>>As I understand it, this is not what should happen. In MailScanner.conf it says, and I quote " . . . is used to accept or reject file attachments based on their name, regardless of whether they are infected or not". What am I missing?
>
>You are misunderstanding that statement. filename.rules.conf determines whether a file should be blocked based on its name (regardless of other checks) - but will not override the decision of another check (such as virus scanning) to block the file.

Ya, could be I am misunderstanding that statement, but if that is the case, what is the purpose of the following FAQ?
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/244.html

>
>>If anyone knows of a better way of disabling Virus Scanning but keeping ALL the other features of MailScanner, please let me know.
>
>I think with recent versions you can use a ruleset for 'Virus Scanning' just to turn virus scanning on or off (In older versions this stopped all processing - but IIRC this has now been changed)

When Virus Scanning is turned off, MailScanner does not enter {Scanned} at the beginning of each message subject even if you have it configured to do so (turning virus scanning on immediately remedies that problem), nor does it do the other file attachment checks. That is as of version 4.24-5. I am looking for a way to turn virus scanning off for some domains (again, as previously stated that is easy enough by using a rule) however I still wish to have ALL other features of MailScanner available. Currently that doesn't seem to be possible? I was hoping that was what the above mentioned FAQ was attempting to do.

From mailscanner at ecs.soton.ac.uk Fri Jan 9 14:04:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: Not Virus Scanning Some Domains
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040109140214.099d1710@imap.ecs.soton.ac.uk>

At 13:55 09/01/2004, you wrote:
>On Fri, 9 Jan 2004 07:57:32 +0000, Kevin Spicer wrote:
>
> >On Fri, 2004-01-09 at 00:28, Kyle Harris wrote:
> >
> >>As I understand it, this is not what should happen. In MailScanner.conf it says, and I quote " . . . is used to accept or reject file attachments based on their name, regardless of whether they are infected or not". What am I missing?
> >
> >You are misunderstanding that statement. filename.rules.conf determines whether a file should be blocked based on its name (regardless of other checks) - but will not override the decision of another check (such as virus scanning) to block the file.
>
>Ya, could be I am misunderstanding that statement, but if that is the case, what is the purpose of the following FAQ?
>http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/244.html
>
> >
> >>If anyone knows of a better way of disabling Virus Scanning but keeping ALL the other features of MailScanner, please let me know.
> >
> >I think with recent versions you can use a ruleset for 'Virus Scanning' just to turn virus scanning on or off (In older versions this stopped all processing - but IIRC this has now been changed)
>
>When Virus Scanning is turned off, MailScanner does not enter {Scanned} at the beginning of each message subject even if you have it configured to do so (turning virus scanning on immediately remedies that problem), nor does it do the other file attachment checks. That is as of version 4.24-5. I am looking for a way to turn virus scanning off for some domains (again, as previously stated that is easy enough by using a rule) however I still wish to have ALL other features of MailScanner available. Currently that doesn't seem to be possible?
I was hoping that was what the above >mentioned FAQ was attempting to do. All the other attachment checks cannot be done until the message has been decoded into its attachments and body (more or less). The virus scanning is done on the entire batch of messages at once, so selectively removing some messages from what is scanned is not really possible. So you would gain no speed at all by not scanning some messages. In fact it would actually slow it down. So you get all or nothing, there isn't really a way to not scan a few messages in a batch. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 9 14:11:58 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:45 2006 Subject: Little Report problem with Postfix In-Reply-To: References: Message-ID: <6.0.1.1.2.20040109141113.08eaec70@imap.ecs.soton.ac.uk> Please try this patch for /usr/lib/MailScanner/MailScanner/Message.pm. ---------SNIP------------ --- Message.pm 2003-12-02 11:44:42.000000000 +0000 +++ Message.pm.new 2004-01-09 14:12:09.000000000 +0000 
@@ -2315,11 +2315,17 @@ my $reportword = MailScanner::Config::LanguageValue($this, "report"); my $id = $this->{id}; my $from = $this->{from}; - my $to = join(', ', @{$this->{to}}); + #my $to = join(', ', @{$this->{to}}); my $subj = $this->{subject}; my $rept = join(" $reportword: ", @everyrept); my $ip = $this->{clientip}; + my($to, %tolist); + foreach $to (@{$this->{to}}) { + $tolist{$to} = 1; + } + $to = join(', ', sort keys %tolist); + my($result, $headers); if (MailScanner::Config::Value('hideworkdirinnotice',$this)) { ---------SNIP------------ At 13:06 09/01/2004, you wrote: >Hi guys, > >I've I have the seguent Report from Mailscanner when a Virus is found: > >********************************* >"The following e-mail messages were found to have viruses in them: > > Sender: admin@mydomain.it >IP Address: xxx.xxx.xxx.xxx > Recipient: user@mydomain.it, user@mydomain.it > Subject: your account yijefwov > MessageID: 28A7433F302 > Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] ./28A7433F302/message.zip ><<< Contains signature of the worm Worm/MiMail.A1 > F-Prot: >/var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.html >Infection: W32/Mimail.A@mm" >********************************* > >It only affects the reporting and doesn't have any impact on message >delivery at all. > >I found that someone else (the link below) pointed out this little problem, >but had no response. > >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S=& >P=27533 > >Just want to know if someone has an idea of why this happen.. > >I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and F-Prot >software > >Thanks all! Thanks Julian -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Fri Jan 9 14:20:52 2004 
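Review bot: in the added `foreach $to (@{$this->{to}})` loop, `%tolist` is keyed on the raw address string, so two copies of a recipient that differ only in case would still both appear in the report; a case-folded key would cover that. `sort keys %tolist` also lists the recipients alphabetically instead of in the order held in `$this->{to}`, which is worth a comment if intended, and the old `join` is left behind as a commented-out line that could simply be deleted. The de-duplication is local to the report's `$to`; `$this->{to}` itself still carries the repeated address, so anything else that reads it sees the recipient twice.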
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
Message-ID: <3FFEB8C4.5010507@solid-state-logic.com>

Quentin Campbell wrote:

> Julian
>
> I sympathise with your problems. However I am equally at risk from sanctions or abuse from people who think that I am deliberately ignoring their mail when in fact it was (a false positive) deleted automatically as probable spam.
>
> For this reason I have chosen to use the MailScanner option to send an explanatory message when spam to me is deleted. In truth I am more concerned about the people who _need_ to know what has happened to their message to me than I am about the consequences of collateral spam that results.
>
> One reason I have moved to using MailScanner to delete probable spam is that we have many mailboxes on Outlook/Exchange. That system cannot permanently delete tagged messages through the Rules Wizard when Outlook is switched off. This can be a serious problem and results in mail being lost if quotas are exceeded (over vacations for example).
>
> I receive so much spam each day that it is not practical to have tagged messages delivered then moved to a "spam" folder (by a personal mail filter) where I am supposed to inspect them for possible false positives.
>
> I would be interested to hear what alternative strategies have been adopted by people in my position.
>
> Quentin
>

Let the battle begin - to bounce/deliver or delete....:-)

Here we forward all email but viruses to the intended recipient. It's then up to the MUA to filter and the user to police any FPs. It's much better than the previous solution, where we couldn't tag the subject line.
HOWEVER we are small enough not to have trouble with quota's (myself and others had over 4,700 spam's alone to come back to after Christmas), and only have 100 or so email users. Can't MS-Exchange put a quota on some folders and not others, so the filter for spam can't be outside the quota? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 14:01:35 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:45 2006 Subject: Bouncing Spam In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256737@srv-btc-2k.corp.benchmark-usa.com> References: <93B43B0A099CFE4AB0AED9B54919346E256737@srv-btc-2k.corp.benchmark-usa.com> Message-ID: <200401091401.35261.Antony@Soft-Solutions.co.uk> On Friday 09 January 2004 1:46 pm, Mark Warpool wrote: > Allow me to point out one simple use for it, which is what I have been > using it for recently. As a sort of "debugging" technique. I wanted to > get a bead on just how many false-positives that I have been getting, > and so I turned on the bouncing, expecting that the people who get the > bounce would give me a call and let me know. I think the "success" rate of this technique would be so low as to be immeasurable. Consider that a mailshot campaign, where you at least expect the recipients to be possibly slightly interested in the information, generates a response around 5%. Expecting people to bother contacting you for sending them spam is just crazy, IMHO. Antony. -- The difference between theory and practice is that in theory there is no difference, whereas in practice there is. Please reply to the list; please don't CC me. From Kevin.Spicer at BMRB.CO.UK Fri Jan 9 14:04:45 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:45 2006 Subject: Not Virus Scanning Some Domains Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649975@pascal.priv.bmrb.co.uk> Kyle Harris wrote: > Ya, could be I am misunderstanding that statement, but if that is the > case, what is the purpose of the following FAQ? > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/244.html To disable filename checking for specified domains (which to be fair is a question that is fairly frequently asked) > When Virus Scanning is turned off, MailScanner does not enter > {Scanned} at the beginning of each message subject even if you have > it configured to do so (turning virus scanning on immediately > remedies that problem), nor does it do the other file attachment > checks. That is as of version 4.24-5. I am looking for a way to > turn virus scanning off for some domains (again, as previously stated > that is easy enough by using a rule) however I still wish to have ALL > other features of MailScanner available. Currently that doesn't seem > to be possible? I was hoping that was what the above mentioned FAQ > was attempting to do. You want to enter prefix "(Scanned)" even to messages that haven't been??? I guess you could achieve a similar effect (unless server load is a worry) by actually scanning every message, but then using rulesets to control what happens when a virus is found (e.g. deliver it anyway). From lists at TRCINTL.COM Fri Jan 9 14:19:05 2004 
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:21:45 2006
Subject: Not Virus Scanning Some Domains
Message-ID:

On Fri, 9 Jan 2004 14:04:45 -0000, Spicer, Kevin wrote:

>Kyle Harris wrote:
>> Ya, could be I am misunderstanding that statement, but if that is the
>> case, what is the purpose of the following FAQ?
>> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/244.html
>
>To disable filename checking for specified domains (which to be fair is a question that is fairly frequently asked)
>
>> When Virus Scanning is turned off, MailScanner does not enter
>> {Scanned} at the beginning of each message subject even if you have
>> it configured to do so (turning virus scanning on immediately
>> remedies that problem), nor does it do the other file attachment
>> checks. That is as of version 4.24-5. I am looking for a way to
>> turn virus scanning off for some domains (again, as previously stated
>> that is easy enough by using a rule) however I still wish to have ALL
>> other features of MailScanner available. Currently that doesn't seem
>> to be possible? I was hoping that was what the above mentioned FAQ
>> was attempting to do.
>
>You want to enter prefix "(Scanned)" even to messages that haven't been???

Ya, but I would clarify it to say {SPAM Scanned}. This is very handy if you recently added a domain to your service by changing a DNS MX record. As you know, it takes other DNS servers some time before they update their MX records. This way, you can easily tell what messages have been scanned and which have not. After a while, this would be removed.

>
>I guess you could achieve a similar effect (unless server load is a worry) by actually scanning every message, but then using rulesets to control what happens when a virus is found (e.g. deliver it anyway).

Server load is not a worry, but how would you go about doing this? That is what I can't figure out?

From Mark.Warpool at BENCHMARK-USA.COM Fri Jan 9 14:40:05 2004
From: Mark.Warpool at BENCHMARK-USA.COM (Mark Warpool) Date: Thu Jan 12 21:21:45 2006 Subject: Bouncing Spam Message-ID: <93B43B0A099CFE4AB0AED9B54919346E256739@srv-btc-2k.corp.benchmark-usa.com> I think you misunderstood me. I wanted people who were falsely getting their email rejected as spam to contact me and let me know. For example, one of my customers had tried to send some email to herself from her MSN account at home, and it got rejected as spam. What I wanted to do was to get an idea as to how often this kind of thing was happening so I could determine if I needed to adjust my thresholds. BTW, I'm happy to report I've only had it happen 3 times. :-) Mark Warpool Phone: (419) 843-6691 Cell: (419) 356-2298 -----Original Message----- From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: Friday, January 09, 2004 9:02 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Bouncing Spam On Friday 09 January 2004 1:46 pm, Mark Warpool wrote: > Allow me to point out one simple use for it, which is what I have been > using it for recently. As a sort of "debugging" technique. I wanted to > get a bead on just how many false-positives that I have been getting, > and so I turned on the bouncing, expecting that the people who get the > bounce would give me a call and let me know. I think the "success" rate of this technique would be so low as to be immeasurable. Consider that a mailshot campaign, where you at least expect the recipients to be possibly slightly interested in the information, generates a response around 5%. Expecting people to bother contacting you for sending them spam is just crazy, IMHO. Antony. -- The difference between theory and practice is that in theory there is no difference, whereas in practice there is. Please reply to the list; please don't CC me. From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 14:47:34 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:45 2006 Subject: Bouncing Spam In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256739@srv-btc-2k.corp.benchmark-usa.com> References: <93B43B0A099CFE4AB0AED9B54919346E256739@srv-btc-2k.corp.benchmark-usa.com> Message-ID: <200401091447.34947.Antony@Soft-Solutions.co.uk> On Friday 09 January 2004 2:40 pm, Mark Warpool wrote: > I think you misunderstood me. I wanted people who were falsely getting > their email rejected as spam to contact me and let me know. I think I probably misunderstood you, yes. I thought you meant you were bouncing email which was detected as spam, no matter who it appeared to be sent from. If you were only bouncing it if it came from people you knew or whose accounts you were managing, then that's fine (for short-term debugging). Antony. -- There are only 10 types of people in the world: those who understand binary notation, and those who don't. Please reply to the list; please don't CC me. From martinh at SOLID-STATE-LOGIC.COM Fri Jan 9 14:48:01 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:45 2006
Subject: Bouncing Spam
In-Reply-To: <93B43B0A099CFE4AB0AED9B54919346E256739@srv-btc-2k.corp.benchmark-usa.com>
References: <93B43B0A099CFE4AB0AED9B54919346E256739@srv-btc-2k.corp.benchmark-usa.com>
Message-ID: <3FFEBF21.4080707@solid-state-logic.com>

Mark Warpool wrote:
> I think you misunderstood me. I wanted people who were falsely getting
> their email rejected as spam to contact me and let me know. For
> example, one of my customers had tried to send some email to herself
> from her MSN account at home, and it got rejected as spam. What I
> wanted to do was to get an idea as to how often this kind of thing was
> happening so I could determine if I needed to adjust my thresholds.
>
> BTW, I'm happy to report I've only had it happen 3 times. :-)
>
> Mark Warpool
> Phone: (419) 843-6691
> Cell: (419) 356-2298

Mark

I've only had this happen 3 times in the past three months we've been running MS, and all were email magazine/news type things anyhow. Put them in ham for bayes and next issue went through fine

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Fri Jan 9 15:02:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: <6.0.1.1.2.20040109145946.0970af80@imap.ecs.soton.ac.uk> I have just released 4.26-4. There aren't many changes, but hopefully we will have seen the last of the "message skipped; still being delivered" Postfix errors. Download as usual from www.mailscanner.info. The ChangeLog is this: 9/1/2004 New in Version 4.26-4 =============================== * New Features and Improvements * - Added support for Norman virus scanner (www.norman.de). - Added logging of ids of dropped silent viruses. - Added "Too Many Attachments" error report in a message instead of old report saying it could not analyse the message. - Added MCP patches for SpamAssassin 2.61. - Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin. - Spanish translations of languages.conf updated from Debian translators. - Added bogusmx list to supplied spam.lists.conf. - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. - No longer stops or restarts after RPM upgrade (this will take 1 version to propagate). * Fixes * - Fix to Postfix message duplication problems. Must find "end of message" record now. - Fixed creation of MCP quarantine directory bug. - Fix to duplicate recipient listing in postmaster notices. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From anders.andersson at LTKALMAR.SE Fri Jan 9 15:07:03 2004 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:21:45 2006 Subject: SV: Bouncing Spam Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E808@lkl61.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Quentin Campbell [mailto:Q.G.Campbell@NEWCASTLE.AC.UK] > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > >At 12:09 09/01/2004, you wrote: > >>I have been using MailScanner for a year or so. We used to > flag spam > >>messages but accept them. As the volumes of spam increased > we have now > >>started to bounce spam messages. We bounce rather than delete > >so as to be > >>polite to people who send legitimate messages which are > >'falsely' marked as > >>spam. > >[snip] > >Result: They get very annoyed, as they can't see any of > their real mail > >among all the MailScanner spam bounce messages. Result of that: They > >complain to me about it, and I can't help them. Result of that: > >MailScanner gets a very bad name, and you have wasted yet more of my > >time that I have to spend answering these (often rude, abusive and > >threatening) emails. > [snip] > > Julian > > I sympathise with your problems. However I am equally at risk > from sanctions or abuse from people who think that I am > deliberately ignoring their mail when in fact it was (a false > positive) deleted automatically as probable spam. > > For this reason I have chosen to use the MailScanner option > to send an explanatory message when spam to me is deleted. In > truth I am more concerned about the people who _need_ to know > what has happended to their message to me than I am about the > consequences of collateral spam that results. > > One reason I have moved to using MailScanner to delete > probable spam is that we have many mailboxes on > Outlook/Exchange. That system cannot permanently delete > tagged messages through the Rules Wizard when Outlook is > switched off. This can be a serious problem and results in mail being > lost if quotas are exceeded (over vacations for example). Since I cant tell what kind of servers you got I only tell you what we've done. First, I never stop incoming mail to a mailbox... that is just the wrong way to go. I do block ppl sending when they reached quota but never stop incomming mail. 
Using an RBL to block about 80-90% of the SPAM before I even get them, hence nothing will be deleted. If you are running exchange and the hardware can't stand some SPAM I would consider 2 things... hardware upgrade or start using RBL to block the mails from entering your system, don't let other ppl suffer. Thinking you solved the problem by bouncing them to innocent ppl must be the worst solution...

> I receive so much spam each day that it is not practical to
> have tagged messages delivered then moved to a "spam" folder
> (by a personal mail filter) where I am supposed to inspect them
> for possible false positives.
>
> I would be interested to hear what alternative strategies
> have been adopted by people in my position.
>
> Quentin
>
>

From nathan at TCPNETWORKS.NET Fri Jan 9 15:27:03 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:45 2006
Subject: Emails made up of random words
Message-ID:

Which ruleset (popcorn, weeds, etc.) appears to do the best job against these kinds of spam (based on your experience so far)?

-Nathan

-----Original Message-----
From: Rick Cooper [mailto:rcooper@DIMENSION-FLM.COM]
Sent: Fri 1/9/2004 3:32 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: Emails made up of random words

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Howard Robinson
> Sent: Friday, January 09, 2004 4:33 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Emails made up of random words
>
>
> Dear List members,
> We are getting increasing numbers of emails containing what look
> like a selection of random words. It only started here before
> Christmas. Is this a new phenomenon or have we just been lucky
> before?
> Whilst they are still manageable numbers at the moment & can
> be quickly deleted there are one or two members of staff getting
> their knickers in a twist about them.
> What's the best way to deal with them (the emails not the staff)?
>
> Thanks and happy new year to you all.
>
>
>
> Regards
>
> Howard Robinson

Go here http://www.emtinc.net/spamhammers.htm and use these rules if you are not already. There is much discussion of this topic (bayes poison) on the spamassassin list and there are a couple of counter measures being developed so you may want to subscribe to spamassassin-talk and follow the thread relating to large collections of random words.

This rule has caught a few for me (they are hiding the words with 0pt font)

rawbody LOCAL_ZERO_FONTSIZE /\bfont-size\: 0pt|font.*size="0"|font.*size=0/i
describe LOCAL_ZERO_FONTSIZE Font has a size of Zero. What is being hidden?
score LOCAL_ZERO_FONTSIZE 4.5

as has this one

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0

Best thing, follow the sa-talk list

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From eja at URBAKKEN.DK Fri Jan 9 15:36:10 2004
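Added example (not part of the quoted post, and not SpamAssassin's or MailScanner's own code): a small Python harness that runs the two posted rules over constructed message bodies, next to a hypothetical tightened form of the zero-font rule, to show what the posted regex catches, what it misses, and where it adds score to legitimate mail. Assumptions: rawbody is modelled as a per-line match, URLs are pulled out with a simple regex, and the 5.0 threshold, the sample bodies and the `.example` host are constructed.

```python
import re

# The two local rules from the post; the regexes are copied unchanged.
POSTED_RULES = [
    ("LOCAL_ZERO_FONTSIZE", "rawbody",
     re.compile(r'\bfont-size\: 0pt|font.*size="0"|font.*size=0', re.I), 4.5),
    ("BAYES_BUSTER", "uri",
     re.compile(r'rx359|2004hosting|530000X|openseed|er5hdh|quickforms', re.I), 10.0),
]

# Hypothetical tightened zero-font rule (an assumption, not from the post):
#  - CSS branch: optional whitespace around ':', any common unit, and the value
#    must end there, so "0.9em" is not treated as zero.
#  - HTML branch: size=0 must be an attribute of a <font ...> tag, so the word
#    "font" and an unrelated "size=0" elsewhere on the line no longer combine.
TIGHT_ZERO_FONTSIZE = re.compile(
    r'''\bfont-size\s*:\s*0+(?:\.0+)?(?:pt|px|em|%)?\s*(?=[;"'>]|$)'''
    r'''|<font\b[^>]*\bsize\s*=\s*["']?0["']?(?=[\s>/])''',
    re.I)
TIGHT_RULES = [
    ("LOCAL_ZERO_FONTSIZE", "rawbody", TIGHT_ZERO_FONTSIZE, 4.5),
    POSTED_RULES[1],
]

# Simplified URL extraction (assumption; real URI extraction is more thorough).
URL_RE = re.compile(r'''https?://[^\s"'<>]+''', re.I)
REQUIRED_SCORE = 5.0  # assumed spam threshold for this illustration

# Constructed sample bodies, one HTML fragment each.
SAMPLES = {
    "hidden_css": '<span style="font-size: 0pt">lantern gravel oboe</span>',
    "hidden_css_nospace": '<span style="font-size:0pt">lantern gravel oboe</span>',
    "hidden_font_tag": '<font size="0">harbor quilt</font> Click http://quickforms.example/offer',
    "legit_upload_notice": '<p style="font-family: Arial">Upload failed: file size=0 bytes</p>',
    "legit_small_text": '<p style="font-size: 0.9em">Quarterly report attached.</p>',
}


def evaluate(body, rules):
    """Return (total_score, {rule_name: (score, matched_text)}) for one body."""
    lines = body.splitlines()
    urls = URL_RE.findall(body)
    hits = {}
    for name, kind, regex, score in rules:
        # rawbody rules see the markup line by line; uri rules see only URLs.
        candidates = lines if kind == "rawbody" else urls
        for text in candidates:
            match = regex.search(text)
            if match:
                hits[name] = (score, match.group(0))
                break  # a rule scores once per message
    total = sum(score for score, _ in hits.values())
    return total, hits


def compare(samples):
    """Score every sample with the posted rules and with the tightened set."""
    return {name: (evaluate(body, POSTED_RULES)[0], evaluate(body, TIGHT_RULES)[0])
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (posted, tight) in compare(SAMPLES).items():
        flag = "SPAM" if posted >= REQUIRED_SCORE else "ham"
        print(f"{name:22s} posted={posted:5.1f} ({flag})  tightened={tight:5.1f}")
```

The greedy `font.*size=0` branch is what scores the constructed upload notice; anchoring the match to a `<font ...>` tag removes that hit while keeping the hidden-text ones.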
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: <6.0.1.1.2.20040109145946.0970af80@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040109145946.0970af80@imap.ecs.soton.ac.uk> Message-ID: <3FFECA6A.9000603@urbakken.dk> Julian Field wrote: > I have just released 4.26-4. > There aren't many changes, but hopefully we will have seen the last of the > "message skipped; still being delivered" Postfix errors. Sorry for asking. Is it a beta unstable ?. > Download as usual from www.mailscanner.info. > > The ChangeLog is this: > > 9/1/2004 New in Version 4.26-4 > =============================== > * New Features and Improvements * > - Added support for Norman virus scanner (www.norman.de). > - Added logging of ids of dropped silent viruses. > - Added "Too Many Attachments" error report in a message instead of old > report saying it could not analyse the message. > - Added MCP patches for SpamAssassin 2.61. > - Added 'SpamAssassin Site Rules Dir' setting to locate > /etc/mail/spamassassin. > - Spanish translations of languages.conf updated from Debian translators. > - Added bogusmx list to supplied spam.lists.conf. > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > - No longer stops or restarts after RPM upgrade (this will take 1 version > to propagate). > > * Fixes * > - Fix to Postfix message duplication problems. Must find "end of message" > record now. > - Fixed creation of MCP quarantine directory bug. > - Fix to duplicate recipient listing in postmaster notices. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. 
From Jan-Peter.Koopmann at SECEIDOS.DE Fri Jan 9 15:45:15 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: > Sorry for asking. Is it a beta unstable ?. Having a look at the subject I tend to answer: Yes... :-) Regards, JP From dot at DOTAT.AT Fri Jan 9 15:46:14 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: Message-ID: Julian Field wrote: > >9/1/2004 New in Version 4.26-4 >=============================== >- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin. This setting looks like it would do the same thing as the SpamAssassin Local Rules Dir option, except that I can't find any code to implement its functionality. Tony. -- f.a.n.finch http://dotat.at/ LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: WEST OR SOUTHWEST 5 OR 6 EASING 4 OR 5 TODAY, BACKING SOUTH OR SOUTHWEST 5 OR 6 OVERNIGHT. BLUSTERY SHOWERS DYING OUT, PATCHY RAIN LATER. MODERATE OR ROUGH. ROUGH OR VERY ROUGH. From Jan-Peter.Koopmann at SECEIDOS.DE Fri Jan 9 16:13:55 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: Julian, > =============================== > * New Features and Improvements * > - Added support for Norman virus scanner (www.norman.de). > - Added logging of ids of dropped silent viruses. > - Added "Too Many Attachments" error report in a message > instead of old > report saying it could not analyse the message. > - Added MCP patches for SpamAssassin 2.61. > - Added 'SpamAssassin Site Rules Dir' setting to locate > /etc/mail/spamassassin. > - Spanish translations of languages.conf updated from Debian > translators. > - Added bogusmx list to supplied spam.lists.conf. > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > - No longer stops or restarts after RPM upgrade (this will > take 1 version to propagate). I suppose there are some changes to the docs as well? If so: Could you please send them to me? :-) Regards, JP From carles at UNLIMITEDMAIL.ORG Fri Jan 9 16:12:59 2004 
From: carles at UNLIMITEDMAIL.ORG (Carles Xavier Munyoz Baldó)
Date: Thu Jan 12 21:21:45 2006
Subject: Customized spam actions.
Message-ID: <200401091712.59726.carles@unlimitedmail.org>

Hi,
Is it possible to customize the spam actions by email or by domain ?

Example 1: The owner of the mailbox user1@test.com wants that all its email messages marked as spam be bounced, but the owner of the mailbox user2@test.com wants a deliver of its spam messages.

Example 2: I want the spam action delete for all the spam detected mails delivered to the domain @dom1.com, but the action deliver for the domain @dom2.com.

Is it possible ?
I know that it is possible for the virus scan specify which domains or mailboxes will have its email messages scanned using a filename rules, but is it possible too for the spam marked messages ?

Greetings.
---
Carles Xavier Munyoz Baldó
carles@unlimitedmail.org
http://www.unlimitedmail.net/
---

From LISTSERV at JISCMAIL.AC.UK Fri Jan 9 16:31:17 2004
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:21:45 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. Note that altering the "Subject:" line or adding blank lines at the top or bottom of the message is not sufficient; you should instead add a sentence or two at the top explaining why you are resending the message, so that the other subscribers understand why they are getting two copies of the same message. -------------- next part -------------- An embedded message was scrubbed... From: "Julian Field" Subject: Re: MailScanner ignored? Date: Thu, 8 Jan 2004 15:43:27 +0000 Size: 4569 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040109/dac09432/attachment.mht From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 16:38:07 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:45 2006
Subject: Customized spam actions.
In-Reply-To: <200401091712.59726.carles@unlimitedmail.org>
References: <200401091712.59726.carles@unlimitedmail.org>
Message-ID: <200401091638.07506.Antony@Soft-Solutions.co.uk>

On Friday 09 January 2004 4:12 pm, Carles Xavier Munyoz Baldó wrote:

> Hi,
> Is it possible to customize the spam actions by email or by domain ?

Yes. Look in MailScanner/etc/rules/EXAMPLES

Antony

--
This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs.

If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message.

Please reply to the list; please don't CC me.

From mailscanner at ecs.soton.ac.uk Fri Jan 9 16:42:37 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:45 2006
Subject: Customized spam actions.
In-Reply-To: <200401091712.59726.carles@unlimitedmail.org>
References: <200401091712.59726.carles@unlimitedmail.org>
Message-ID: <6.0.1.1.2.20040109164104.097e43b0@imap.ecs.soton.ac.uk>

At 16:12 09/01/2004, you wrote:
>Hi,
>Is it possible to customize the spam actions by email or by domain ?

Yes, using a ruleset. Please read /etc/MailScanner/rules/*

>Example 1: The owner of the mailbox user1@test.com wants that all its email
>messages marked as spam be bounced, but the owner of the mailbox
>user2@test.com wants a deliver of its spam messages.

To: user1@test.com bounce
To: user2@test.com deliver

>Example 2: I want the spam action delete for all the spam detected mails
>delivered to the domain @dom1.com, but the action deliver for the domain
>@dom2.com.

To: dom1.com delete
To: dom2.com deliver

>Is it possible ?
>I know that it is possible for the virus scan specify which domains or
>mailboxes will have its email messages scanned using a filename rules, but is
>it possible too for the spam marked messages ?

Rulesets apply to virtually all configuration options, as given in the comment immediately before each configuration option.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 9 16:32:59 2004
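Added example (not from the post and not MailScanner's own code): the rules from the reply above collected into one constructed ruleset and resolved in Python under a simplified first-match-wins model, with a check for rules that an earlier, broader rule makes unreachable. Assumptions: only the To:, From: and FromOrTo: directions are modelled, a bare domain is treated as *@domain, and the default line and the second, misordered ruleset are constructed for illustration.

```python
import fnmatch

# Constructed ruleset combining the rules from the reply, specific rules first.
GOOD_RULESET = """\
To:       user1@test.com   bounce
To:       user2@test.com   deliver
To:       dom1.com         delete
To:       dom2.com         deliver
FromOrTo: default          deliver
"""

# Constructed counter-example: the domain-wide rule precedes the per-user rule.
MISORDERED_RULESET = """\
To:       test.com         delete
To:       user1@test.com   bounce
FromOrTo: default          deliver
"""

DIRECTIONS = {"to", "from", "fromorto"}  # subset modelled here (assumption)


def parse_ruleset(text):
    """Parse 'Direction: pattern action' lines into (direction, pattern, action)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern action'")
        direction = parts[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unsupported direction {parts[0]!r}")
        rules.append((direction, parts[1].lower(), parts[2].strip()))
    return rules


def _addr_matches(pattern, address):
    """Match one address against 'default', 'user@domain', '*@domain' or 'domain'."""
    if pattern == "default":
        return True
    if "@" not in pattern:
        pattern = "*@" + pattern  # bare domain treated as any user at that domain
    return fnmatch.fnmatchcase(address.lower(), pattern)


def _first_match(rules, sender, recipient):
    """Index of the first rule that applies to this sender/recipient, or None."""
    for index, (direction, pattern, _action) in enumerate(rules):
        to_hit = _addr_matches(pattern, recipient)
        from_hit = _addr_matches(pattern, sender)
        if ((direction == "to" and to_hit)
                or (direction == "from" and from_hit)
                or (direction == "fromorto" and (to_hit or from_hit))):
            return index
    return None


def resolve(rules, sender, recipient):
    """Action chosen for a message: the first matching rule wins."""
    index = _first_match(rules, sender, recipient)
    return None if index is None else rules[index][2]


def shadowed_rules(rules):
    """List (pattern, earlier_pattern) pairs where an earlier rule always wins."""
    findings = []
    outsider = "probe@unrelated.invalid"
    for index, (direction, pattern, _action) in enumerate(rules):
        if pattern == "default":
            continue
        # Build an address that this rule is meant to catch.
        probe = pattern.replace("*", "probe") if "@" in pattern else "probe@" + pattern
        sender, recipient = (probe, outsider) if direction == "from" else (outsider, probe)
        winner = _first_match(rules, sender, recipient)
        if winner is not None and winner < index:
            findings.append((pattern, rules[winner][1]))
    return findings


if __name__ == "__main__":
    good = parse_ruleset(GOOD_RULESET)
    bad = parse_ruleset(MISORDERED_RULESET)
    sender = "someone@remote.example"  # constructed sender
    for rcpt in ("user1@test.com", "user2@test.com", "a@dom1.com", "b@dom2.com"):
        print(rcpt, "->", resolve(good, sender, rcpt))
    print("shadowed in misordered ruleset:", shadowed_rules(bad))
```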
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: Message-ID: <6.0.1.1.2.20040109163058.096f6c80@imap.ecs.soton.ac.uk> At 16:13 09/01/2004, you wrote: >Julian, > > > =============================== > > * New Features and Improvements * > > - Added support for Norman virus scanner (www.norman.de). > > - Added logging of ids of dropped silent viruses. > > - Added "Too Many Attachments" error report in a message > > instead of old > > report saying it could not analyse the message. > > - Added MCP patches for SpamAssassin 2.61. > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > /etc/mail/spamassassin. > > - Spanish translations of languages.conf updated from Debian > > translators. > > - Added bogusmx list to supplied spam.lists.conf. > > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > > - No longer stops or restarts after RPM upgrade (this will > > take 1 version to propagate). > >I suppose there are some changes to the docs as well? If so: Could you >please send them to me? :-) The only change is the addition of SpamAssassin Site Rules Dir, which is just yet another Advanced SpamAssassin setting. The MailScanner.conf entry says this: # The site rules are searched for here. # Normal location on most systems is /etc/mail/spamassassin. SpamAssassin Site Rules Dir = /etc/mail/spamassassin (and for all those who noticed the difference between "SpamAssassin" and "Spam Assassin", it doesn't make any difference to the code :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 9 16:40:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: Message-ID: <6.0.1.1.2.20040109164011.0389adf0@imap.ecs.soton.ac.uk> At 15:46 09/01/2004, you wrote: >Julian Field wrote: > > > >9/1/2004 New in Version 4.26-4 > >=============================== > >- Added 'SpamAssassin Site Rules Dir' setting to locate > /etc/mail/spamassassin. > >This setting looks like it would do the same thing as the SpamAssassin >Local Rules Dir option, except that I can't find any code to implement >its functionality. Damn. Copied a file the wrong way :-( But yes, it should do the same as the Local Rules Dir option I think, so let's just forget about that one for now :o) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From robin at PRIMUS.CA Fri Jan 9 17:00:33 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: Message-ID: On Fri, 9 Jan 2004, Tony Finch wrote: just a reminder to Julian please if you see fit change the naming scheme to the standard. 4.26.4 instead of 4.26-4 From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 17:10:38 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:45 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: Message-ID: <200401091710.38129.Antony@Soft-Solutions.co.uk> On Friday 09 January 2004 5:00 pm, Robin M. wrote: > On Fri, 9 Jan 2004, Tony Finch wrote: > just a reminder to Julian > > please if you see fit change the naming scheme to the standard. Whose/which standard? > 4.26.4 instead of 4.26-4 Personally I prefer the latter because it more clearly suggests release 4 of version 4.26, whereas the former doesn't really indicate whether it's an interim release or just the next one in the series. Just my 2p, of course. Antony. -- There are two possible outcomes: If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery. - Enrico Fermi Please reply to the list; please don't CC me. From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 9 17:18:42 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: <200401091710.38129.Antony@Soft-Solutions.co.uk> Message-ID: > > please if you see fit change the naming scheme to the standard. > > Whose/which standard? > > > 4.26.4 instead of 4.26-4 > > Personally I prefer the latter because it more clearly suggests > release 4 of > version 4.26, whereas the former doesn't really indicate whether it's an > interim release or just the next one in the series. > I like the current way Julian names the versions. It makes it easy for me to keep track. From robin at PRIMUS.CA Fri Jan 9 17:38:38 2004 
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (fwd) Message-ID: On Fri, 9 Jan 2004, Antony Stone wrote: > On Friday 09 January 2004 5:00 pm, Robin M. wrote: > > > please if you see fit change the naming scheme to the standard. > > Whose/which standard? This is how most software is packaged. Also the rpm documentation suggests this standard. Look on rpmfind.net and you will see that every piece of software uses the version scheme softwareversion = "majorrelease.minorrelease.revision" i.e. proftpd-1.2.5-1.1mlx.i386.rpm softwarename-softwareversion-rpmbuildnumber.arch.rpm With the current scheme proper upgrades via rpm cannot be achieved as rpm does not recognize that the number beyond the dash is an incrementally more recent version. From cwharris at MORGAN.NET Fri Jan 9 17:47:33 2004 From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups Message-ID: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> Hello all, One of my users is complaining that her yahoo groups mail is not coming through since I installed MailScanner. Does anyone have any experience with Yahoo Groups? Chris From martinh at SOLID-STATE-LOGIC.COM Fri Jan 9 17:50:28 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups In-Reply-To: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> References: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> Message-ID: <3FFEE9E4.2010601@solid-state-logic.com> Chris wrote: > Hello all, > > One of my users is complaining that her yahoo groups mail is not coming > through since I installed MailScanner. Does anyone have any experience with > Yahoo Groups? > > Chris In what way are they getting stuck? Have you added these to the ham section of the Bayesian scanner? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 9 17:52:04 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups In-Reply-To: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> Message-ID: I'm subscribed to one and have never had any problems Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Chris > Sent: 09 January 2004 17:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Yahoo groups > > > Hello all, > > One of my users is complaining that her yahoo groups mail is not coming > through since I installed MailScanner. Does anyone have any > experience with > Yahoo Groups? > > Chris > From Kevin_Miller at CI.JUNEAU.AK.US Fri Jan 9 17:54:42 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups Message-ID: <08146035CA49D6119A36009027AC822A0264EC7E@CITY-EXCH-NTS> You should be able to find the reject notice in your logs which will have the address in it to whitelist. You may have to wildcard it a bit, as an outfit like Yahoo probably has several hosts that send out the group mail. Sorry I can't be more specific, but I either don't have any users getting Y.G. mail or they haven't noticed that they're not. Hope this helps... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- >From: Chris [mailto:cwharris@MORGAN.NET] >Sent: Friday, January 09, 2004 8:48 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Yahoo groups > > >Hello all, > >One of my users is complaining that her yahoo groups mail is not coming >through since I installed MailScanner. Does anyone have any >experience with >Yahoo Groups? > >Chris > From robin at PRIMUS.CA Fri Jan 9 17:59:08 2004 
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: Message-ID: On Fri, 9 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > > > > please if you see fit change the naming scheme to the standard. > > > > Whose/which standard? > > > > > 4.26.4 instead of 4.26-4 > > > > Personally I prefer the latter because it more clearly suggests > > release 4 of > > version 4.26, whereas the former doesn't really indicate whether it's an > > interim release or just the next one in the series. > > > > I like the current way Julian names the versions. It makes it easy for me to > keep track. > Another reason for changing it is that there are currently two delimiters for identifying the version, ( the . and the - ) when most other software simply uses each field as an identifier and only uses one delimiter ( the . ) to separate the version identifiers. i.e. openssh-3.2.3p1.tar.gz apache-1.3.28.tar.gz mysql-4.0.17.tar.gz php-4.3.4.tar.bz2 here is an example of software using a dash delimiter but this is for a patch level exim-patch-3.34-3.35.gz here is another example of how a dash is used for delimiting but this is to specify a cvs snapshot where the date is after the dash. postfix-2.0.16-20031231.tar.gz and here is the stable release postfix-2.0.16.tar.gz And here is an example of how the dash is used to delimit a release candidate. Mail-SpamAssassin-2.60-rc5.zip All of the aforementioned software conforms to the standards when building rpms but MailScanner does not. MailScanner clearly goes against the versioning scheme MailScanner-4.25-14.tar.gz From raymond at PROLOCATION.NET Fri Jan 9 18:00:27 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups In-Reply-To: <08146035CA49D6119A36009027AC822A0264EC7E@CITY-EXCH-NTS> Message-ID: Hi! > You should be able to find the reject notice in your logs which will have > the address in it to whitelist. You may have to wildcard it a bit, as an > outfit like Yahoo probably has several hosts that send out the group mail. > Sorry I can't be more specific, but I either don't have any users getting > Y.G. mail or they haven't noticed that they're not. Hope this helps... We get a lot of YG mail on our servers, if MS would break this I would have noticed right away. For example from today's logs: 814 66.218.66.70 (last seen @ 18:58:28) n15.grp.scd.yahoo.com 796 66.218.66.92 (last seen @ 18:57:23) n8.grp.scd.yahoo.com 795 66.218.66.78 (last seen @ 18:56:56) n22.grp.scd.yahoo.com 795 66.218.66.88 (last seen @ 18:58:35) n4.grp.scd.yahoo.com 783 66.218.66.91 (last seen @ 18:54:11) n7.grp.scd.yahoo.com 761 66.218.66.86 (last seen @ 18:57:55) n3.grp.scd.yahoo.com 760 66.218.66.104 (last seen @ 18:57:51) n36.grp.scd.yahoo.com 757 66.218.66.107 (last seen @ 18:57:11) n39.grp.scd.yahoo.com 748 66.218.66.73 (last seen @ 18:57:56) n18.grp.scd.yahoo.com 746 66.218.66.90 (last seen @ 18:55:15) n6.grp.scd.yahoo.com 734 66.218.66.68 (last seen @ 18:53:59) n13.grp.scd.yahoo.com 730 66.218.66.66 (last seen @ 18:58:04) n11.grp.scd.yahoo.com That's around 9K messages today to/from yahoo.com Bye, Raymond. From Kevin_Miller at CI.JUNEAU.AK.US Fri Jan 9 18:09:06 2004 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> >All of the aforementioned software conforms to the standards >when building >rpms but MailScanner does not. Does it break anything? >MailScanner clearly goes against the versioning scheme >MailScanner-4.25-14.tar.gz That's the beauty of open source - freedom. When you get right down to it, I rarely type those dots and dashes anyway. Just type the first few characters of a file and press tab. Presto, BASH fills in the rest for me and it never seems to care if it's a '.' or a '-'. I'm all for standards where not adhering to them breaks things; breaking one's esthetic sensibilities doesn't count however... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From robin at PRIMUS.CA Fri Jan 9 18:13:02 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> Message-ID: On Fri, 9 Jan 2004, Kevin Miller wrote: > Does it break anything? > Yes rpm does not recognize the versioning scheme, thus "rpm -Uvh" cannot be performed properly. From jaearick at COLBY.EDU Fri Jan 9 18:15:24 2004 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:46 2006 Subject: dash versus dot In-Reply-To: References: Message-ID: Julian, I have to agree with Robin on this one. The dash has always bugged me because my fingers find the period (er, "full stop") easier than that dash on the top row. Plus, all other UNIX software seems to use the "major.minor.teeny" syntax. I just figured the dash was a UK quirk and never said anything about it... Jeff Earickson Colby College On Fri, 9 Jan 2004, Robin M. wrote: > Date: Fri, 9 Jan 2004 12:59:08 -0500 
> From: Robin M. > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Unstable release 4.26-4 released > > On Fri, 9 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > > > > > > please if you see fit change the naming scheme to the standard. > > > > > > Whose/which standard? > > > > > > > 4.26.4 instead of 4.26-4 > > > > > > Personally I prefer the latter because it more clearly suggests > > > release 4 of > > > version 4.26, whereas the former doesn't really indicate whether it's an > > > interim release or just the next one in the series. > > > > > > > I like the current way Julian names the versions. It makes it easy for me to > > keep track. > > > Another reason for changing it is that there are currently two delimiters > for identifying the version, ( the . and the - ) when most other software > simply uses each field as an identifier and only uses one delimiter ( the > . ) to separate the version identifiers. > > i.e. > openssh-3.2.3p1.tar.gz > apache-1.3.28.tar.gz > mysql-4.0.17.tar.gz > php-4.3.4.tar.bz2 > > here is an example of software using a dash delimiter but this is for a > patch level > exim-patch-3.34-3.35.gz > > here is another example of how a dash is used for delimiting but this is > to specify a cvs snapshot where the date is after the dash. > postfix-2.0.16-20031231.tar.gz > and here is the stable release > postfix-2.0.16.tar.gz > > And here is an example of how the dash is used to delimit a release > candidate. > Mail-SpamAssassin-2.60-rc5.zip > > All of the aforementioned software conforms to the standards when building > rpms but MailScanner does not. > > MailScanner clearly goes against the versioning scheme > MailScanner-4.25-14.tar.gz > From mailscanner at ecs.soton.ac.uk Fri Jan 9 18:18:23 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> At 18:13 09/01/2004, you wrote: >On Fri, 9 Jan 2004, Kevin Miller wrote: > > Does it break anything? > > >Yes rpm does not recognize the versioning scheme, thus "rpm -Uvh" cannot >be performed properly. Que? I regularly "rpm -Uvh" my MailScanner installations and it works just fine. How else do you install it? Please define "cannot be performed properly". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Fri Jan 9 18:23:37 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: > I have just released 4.26-4. FYI The FreeBSD port MailScanner-devel has just been upgraded to 4.26-4 and is already committed to the ports tree. Regards, JP From raymond at PROLOCATION.NET Fri Jan 9 18:23:20 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: Message-ID: Hi! > > Does it break anything? > Yes rpm does not recognize the versioning scheme, thus "rpm -Uvh" cannot > be performed properly. It works just fine. RPM will see it as a minor upgrade, so it will work just fine. Bye, Raymond. From jrudd at UCSC.EDU Fri Jan 9 18:23:54 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:46 2006 Subject: Emails made up of random words In-Reply-To: References: Message-ID: On Jan 9, 2004, at 3:32 AM, Rick Cooper wrote: >> -----Original Message----- 
>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of Howard Robinson >> Sent: Friday, January 09, 2004 4:33 AM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Emails made up of random words >> >> >> Dear List members, >> We are getting increasing numbers of emails containing >> what look >> like a selection of random words. It only started here before >> Christmas. Is this a new phenomenon or have we just been lucky >> before? >> Whilst they are still manageable numbers at the moments & can >> be quickly deleted there one or two members of staff >> are getting >> their knickers in a twist about them. >> What's the best way to deal with them (the emails not >> the staff)? >> >> Thanks and happy new year to you all. >> >> >> >> Regards >> >> Howard Robinson > > Go here http://www.emtinc.net/spamhammers.htm and use these rules > if you are not already. Based upon my observation, they miss the point. > There is much discussion of this topic (bayes poison) on the > spamassassin list and there are a couple of counter measures > being developed so you may want to subscribe to spamassassin-talk > and follow the thread relating to large collections of random > words. It's not just a bayes poisoning attack, in my observation. Most of the messages I've seen like this have multipart/alternative structure where the text and html segments don't match (the text segment is gibberish and the html segment has spam). Rules that try to identify gibberish would seem to be rather misguided ... just find a way to check and see if the two segments don't match in content. I tried asking about this on the sa-talk list, even re-posting my question, and have had NO response. The sa-talk list is rather annoying in this regard. Which thread topics are the ones you're talking about? (there are too many of them to read each and every one of them to track it down) From robin at PRIMUS.CA Fri Jan 9 18:26:35 2004 
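The check John Rudd describes in the message above (seeing whether the text and HTML segments of a multipart/alternative message match in content) could look like the following. This is an added example, not part of the list thread and not MailScanner or SpamAssassin code; the word-overlap measure, the 0.3 threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text from HTML, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def words(text):
    """Lower-cased set of words of three or more characters."""
    return set(re.findall(r"[a-z0-9']{3,}", text.lower()))


def alternative_overlap(raw_message):
    """Jaccard overlap (0.0 to 1.0) between the word sets of the text/plain
    and text/html parts of the first multipart/alternative container.
    Returns None when the message has no such pair to compare."""
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "multipart/alternative":
            continue
        plain = html = None
        for sub in part.iter_parts():
            ctype = sub.get_content_type()
            if ctype == "text/plain" and plain is None:
                plain = sub.get_content()
            elif ctype == "text/html" and html is None:
                html = html_to_text(sub.get_content())
        if plain is not None and html is not None:
            a, b = words(plain), words(html)
            if not a and not b:
                return 1.0
            return len(a & b) / len(a | b)
    return None


def is_mismatched(raw_message, threshold=0.3):
    """True when both alternatives exist and share too few words.
    The threshold is an assumed starting point, to be tuned on real mail."""
    overlap = alternative_overlap(raw_message)
    return overlap is not None and overlap < threshold


# Constructed sample: both alternatives carry the same content.
MATCHING = """\
From: list@example.org
To: user@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The meeting moves to Tuesday at ten in room four.

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>The meeting moves to <b>Tuesday</b> at ten in room four.</p></body></html>

--b1--
"""

# Constructed sample: random words in the text part, an advert in the HTML part.
MISMATCHED = """\
From: sender@example.net
To: user@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

harbour violin tractor meadow lantern copper window gravel orbit saddle

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><p>Limited offer: cheap watches, click here today</p></body></html>

--b2--
"""

if __name__ == "__main__":
    for name, raw in (("matching", MATCHING), ("mismatched", MISMATCHED)):
        print(name, alternative_overlap(raw), is_mismatched(raw))
```

Legitimate mail whose text part is only a stub ("view this message in HTML") would also score low, so a result like this is better used as one contribution to a spam score than as a verdict on its own.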
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> Message-ID: On Fri, 9 Jan 2004, Julian Field wrote: > Que? > I regularly "rpm -Uvh" my MailScanner installations and it works just fine. > How else do you install it? > Please define "cannot be performed properly". I see that in your spec file (which may be outdated) on the website it defines %define version 4.12 Version: %{version} Source: %{name}-%{version}.tgz you cannot do .... %define version 4.26-4 Version: %{version} Source: %{name}-%{version}.tgz without rpm reporting errors. From robin at PRIMUS.CA Fri Jan 9 18:34:17 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> Message-ID: On Fri, 9 Jan 2004, Robin M. wrote: > On Fri, 9 Jan 2004, Julian Field wrote: > > Que? > > I regularly "rpm -Uvh" my MailScanner installations and it works just fine. > > How else do you install it? > > Please define "cannot be performed properly". > > I see that in your spec file (which may be outdated) on the website it > defines > > > %define version 4.12 > Version: %{version} > Source: %{name}-%{version}.tgz > > > you cannot do .... > > > %define version 4.26-4 > Version: %{version} > Source: %{name}-%{version}.tgz > > > without rpm reporting errors. > replying to myself [hosting /opt/RPM/SPECS]# rpmbuild -ba MailScanner.spec error: line 4: Illegal char '-' in version: Version: 4.25-14 Exit 1 From cwharris at MORGAN.NET Fri Jan 9 19:06:21 2004 
From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups References: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> <3FFEE9E4.2010601@solid-state-logic.com> Message-ID: <016601c3d6e3$ab9e62b0$1b9922d0@pub.morgan.net> I have not run them through the Bayesian filter. I will ask her to do that though, if she has any old list emails. She didn't give me much to go by. She did however bring by a notice from YahooGroups a little while ago. It seems that the email from YahooGroups was being returned undeliverable, and they disabled her account. This explains why she isn't getting the emails! I do not have MS set to bounce any messages that I know of. I will double-check though. Chris ----- Original Message ----- From: "Martin Hepworth" To: Sent: Friday, January 09, 2004 11:50 AM Subject: Re: Yahoo groups > Chris wrote: > > Hello all, > > > > One of my users is complaining that her yahoo groups mail is not coming > > through since I installed MailScanner. Does anyone have any experience with > > Yahoo Groups? > > > > Chris > > In what way are they getting stuck? Have you added these to the ham > section of the Bayesian scanner? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > From Cleveland at WINNEFOX.ORG Fri Jan 9 19:16:35 2004 
From: Cleveland at WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:21:46 2006 Subject: Sa-learn error Message-ID: <7D3DDF19D93C3642931C3EB8803165A959F696@mail.winnefox.org> Hi Martin, > Ok the coffee's kicked in.....:-) > > after you upgraded sa did you rebuild the DB? I had to do this when I > went from 2.60 to 2.61 even though I've not seen any doccy about doing > it for this release. > > Also could you remind me what version you upgraded from and to? if you > went from 2.5x to 2.6x you'll definitely have to do a rebuild > (and make sure the Berkeley DB perl modules are installed) as they changed the > database format. I ended up deleting the lock files. Problem was, I had a -dir switch, but I was pointing it to an mbox file. So, I changed -dir to -mbox and it worked fine. Thanks for taking the time to help. - Jody From ccampbell at BRUEGGERS.COM Fri Jan 9 19:39:35 2004 
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features Message-ID: On the site: http://www.spamhelp.org/software/software.php?cat=3, it notes that MailScanner has the following ability: "Pornographic spam can be stripped of all graphical content, protecting users from obscene content " I read this as: If it is pornographic spam, it will remove the graphical content, otherwise, graphical content is delivered. However, I have the feeling it means that MailScanner can strip all graphical content, of which pornographic content is included, effectively ridding users of porn (and all other graphics in the process). Which is it? I'm assuming the latter. Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From mailscanner at ecs.soton.ac.uk Fri Jan 9 19:43:02 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: References: Message-ID: <6.0.1.1.2.20040109194222.03a27c48@imap.ecs.soton.ac.uk> At 19:39 09/01/2004, you wrote: >On the site: http://www.spamhelp.org/software/software.php?cat=3, it notes >that MailScanner has the following ability: > >"Pornographic spam can be stripped of all graphical content, protecting >users from obscene content " > >I read this as: If it is pornographic spam, it will remove the graphical >content, otherwise, graphical content is delivered. However, I have the >feeling it means that MailScanner can strip all graphical content, of which >pornographic content is included, effectively ridding users of porn (and all >other graphics in the process). Which is it? I'm assuming the latter. Correct. But it is effective. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Fri Jan 9 19:45:07 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: Message-ID: Hi! > I read this as: If it is pornographic spam, it will remove the graphical > content, otherwise, graphical content is delivered. However, I have the > feeling it means that MailScanner can strip all graphical content, of which > pornographic content is included, effectively ridding users of porn (and all > other graphics in the process). Which is it? I'm assuming the latter. It can do this for example with spam, or highspam, but that's it... It won't know if it's pr0n, it's just a rule to strip 'things' In real life most of the time this IS pr0n, but also loads of other crap. Bye, Raymond. From Antony at SOFT-SOLUTIONS.CO.UK Fri Jan 9 19:46:57 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: References: Message-ID: <200401091946.57681.Antony@Soft-Solutions.co.uk> On Friday 09 January 2004 7:39 pm, Christian Campbell wrote: > On the site: http://www.spamhelp.org/software/software.php?cat=3, it notes > that MailScanner has the following ability: > > "Pornographic spam can be stripped of all graphical content, protecting > users from obscene content " It also notes that the developer is "Fortress Systems Ltd", and it's quite clear that the "automatic learning techniques and over 850 advanced heuristic tests" are features of SpamAssassin, not MailScanner. Not a particularly accurate product summary, IMHO. Antony. -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. Please reply to the list; please don't CC me. From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 9 19:51:17 2004 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: <6.0.1.1.2.20040109194222.03a27c48@imap.ecs.soton.ac.uk> Message-ID: > At 19:39 09/01/2004, you wrote: > >On the site: > http://www.spamhelp.org/software/software.php?cat=3, it notes > >that MailScanner has the following ability: > > > >"Pornographic spam can be stripped of all graphical content, protecting > >users from obscene content " > > > >I read this as: If it is pornographic spam, it will remove the graphical > >content, otherwise, graphical content is delivered. However, I have the > >feeling it means that MailScanner can strip all graphical > content, of which > >pornographic content is included, effectively ridding users of > porn (and all > >other graphics in the process). Which is it? I'm assuming the latter. > > Correct. But it is effective. > -- Stripping HTML will get rid of p0rn, although it may also block HTML newsletters. If you wanted to implement this on a per user or per domain basis you could do so via rulesets. A lot would depend IMHO on the audience you are catering for. From rabollinger at COMCAST.NET Fri Jan 9 20:09:13 2004 From: rabollinger at COMCAST.NET (Richard Bollinger) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released References: Message-ID: <027501c3d6ec$73c93d20$8b030180@elliottturbo.com> ----- Original Message ----- From: "Robin M." To: Sent: Friday, January 09, 2004 12:59 PM Subject: Re: ANNOUNCE: Unstable release 4.26-4 released >... > openssh-3.2.3p1.tar.gz >... So, why not just tell rpm the version number is 4.26p4, as long as we're considering all options... it seems happy with the similarly named openssh, and I suspect the meaning of these incremental versions is close to what the "p1" patch number implies. From rcooper at DIMENSION-FLM.COM Fri Jan 9 20:58:00 2004 
From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:21:46 2006 Subject: Emails made up of random words In-Reply-To: Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Nathan Johanson > Sent: Friday, January 09, 2004 10:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Emails made up of random words > > > Which ruleset (popcorn, weeds, etc.) appears to do the > best job against these kinds of spam (based on your > experience so far)? > -Nathan I cannot give an honest answer to that because I have just started using those rules over the last couple of weeks. there was however, a noticeable decrease in spam (notably the random words type) without an increase in FPs after installing them. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.swaney at FSL.COM Fri Jan 9 20:59:24 2004 
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: <200401091946.57681.Antony@Soft-Solutions.co.uk> Message-ID: <20040109210126.759F721C2FB@mail.fsl.com> On Friday January 09, 2004 2:47 PM, [SKS] Anthony Stone wrote: > On Friday 09 January 2004 7:39 pm, Christian Campbell wrote: > > > On the site: http://www.spamhelp.org/software/software.php?cat=3, it > notes > > that MailScanner has the following ability: > > > > "Pornographic spam can be stripped of all graphical content, protecting > > users from obscene content " > > It also notes that the developer is "Fortress Systems Ltd", and it's quite > clear that the "automatic learning techniques and over 850 advanced > heuristic > tests" are features of SpamAssassin, not MailScanner. > > Not a particularly accurate product summary, IMHO. > [SKS] Absolutely correct and we were completely unaware of this page and the mis-statement of the facts it contains. It looks like someone at spamhelp.org condensed some information on our web site and left out some very important points. I believe our web page is quite clear on several points: 1. MailScanner and SpamAssassin are open source software. 2. Julian Field is the creator and maintainer of MailScanner. 3. SpamAssassin provides the anti-spam features described above. I'll see what I can do to correct the bad information at spamhelp.org. Thanks Anthony for pointing this out. Steve Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com From mikew at crucis.net Fri Jan 9 23:02:44 2004 
From: mikew at crucis.net (Mike Watson) Date: Thu Jan 12 21:21:46 2006 Subject: Yahoo groups In-Reply-To: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> References: <013401c3d6d8$a968bf00$1b9922d0@pub.morgan.net> Message-ID: <200401091702.44956.mikew@crucis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 09 January 2004 11:47 am, you wrote: > Hello all, > > One of my users is complaining that her yahoo groups mail is not > coming through since I installed MailScanner. Does anyone have any > experience with Yahoo Groups? > > Chris I had to whitelist them. If you have RBL activated, Yahoogroups seems to get hit every time. Mike W - -- Registered Linux - 256979 (http://counter.il.org for more information) NRA Life ARS: W0TMW -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE//zMU5fq6h2uDDlQRAgJMAJ9E0E2f1PKyrCSUeBvUNW5xMsMdOACfQD0Q ulLLEEUM2XhTtQH2kwt/pho= =ppTE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dan at OXNARDSD.ORG Sat Jan 10 02:18:46 2004 From: dan at OXNARDSD.ORG (Dan Kubilos) Date: Thu Jan 12 21:21:46 2006 Subject: whitelisting Yahoogroups Message-ID: I'd like to whitelist yahoogroups. The sender of the quarantined emails shows n32.grp.scd.yahoo.com No @. ?? If you are successfully whitelisting yahoogroups email can you please send me the rule you are using? much obliged. -- Dan Kubilos __\o_ ^ K-8 Tech Coord http://www.oxnardsd.org From email at ace.net.au Sat Jan 10 03:41:57 2004 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:21:46 2006 Subject: whitelisting Yahoogroups In-Reply-To: References: Message-ID: <200401101411570673.0F0A3956@smtp1.ace.net.au> in /etc/MailScanner/rules/spam.whitelist.rules 
From: yahoo.groups.com yes Peter *********** REPLY SEPARATOR *********** On 9/01/2004 at 6:18 PM Dan Kubilos wrote: >I'd like to whitelist yahoogroups. > >The sender of the quarantined emails shows > >n32.grp.scd.yahoo.com > >No @. ?? > >If you are successfully whitelisting yahoogroups email can you please send >me the rule you are using? > >much obliged. > >-- >Dan Kubilos __\o_ ^ >K-8 Tech Coord >http://www.oxnardsd.org From rcooper at DIMENSION-FLM.COM Sat Jan 10 11:26:50 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:21:46 2006 Subject: Emails made up of random words In-Reply-To: Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of John Rudd > Sent: Friday, January 09, 2004 1:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Emails made up of random words > > > On Jan 9, 2004, at 3:32 AM, Rick Cooper wrote: > > >> -----Original Message----- 
> >> From: MailScanner mailing list > >> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >> Behalf Of Howard Robinson > >> Sent: Friday, January 09, 2004 4:33 AM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Emails made up of random words > >> > >> > >> Dear List members, > >> We are getting increasing numbers of emails containing > >> what look > >> like a selection of random words. It only started > here before > >> Christmas. Is this a new phenomenon or have we just > been lucky > >> before? > >> Whilst they are still manageable numbers at the > moments & can > >> be quickly deleted there one or two members of staff > >> are getting > >> their knickers in a twist about them. > >> What's the best way to deal with them (the emails not > >> the staff)? > >> > >> Thanks and happy new year to you all. > >> > >> > >> > >> Regards > >> > >> Howard Robinson > > > > Go here http://www.emtinc.net/spamhammers.htm and > use these rules > > if you are not already. > > Based upon my observation, they miss the point. > They do not in and of themselves look for this specific type of problem but they do a good job of looking for other problems (big Evil for instance seems to be working quite well) and the aggregate of these rules has done well in detecting spam while passing ham. > > There is much discussion of this topic (bayes poison) on the > > spamassassin list and there are a couple of counter measures > > being developed so you may want to subscribe to > spamassassin-talk > > and follow the thread relating to large collections of random > > words. > > It's not just a bayes poisoning attack, in my > observation. Most of the > messages I've seen like this have > multipart/alternative structure where > the text and html segments don't match (the text > segment is gibberish > and the html segment has spam). Rules that try to > identify gibberish > would seem to be rather misguided ... just find a way > to check and see > if the two segments don't match in content. 
>

I am not sure what you mean by "match content". I think this type of spam is going to be a real problem because it's going to be very difficult to test for gibberish "sentences" in an email. I suppose you could do grammar tests and score the email based on how many rules get broken but that would be a tremendous undertaking to implement in all the various languages (although it seems most of this spam is English). Right now they are talking about testing for strings of words that are longer than four characters with no punctuation but that will be easy for the spammers to change.

It is very much bayes poison since they have taken to using large volumes of common words in a message that may/will be tagged as spam thus degrading the ability to distinguish spam/ham probability. Of course, I think, the main goal of using these words is to defeat the HTML/image to text ratio scores that used to trip them up much more commonly when they began trying image only spam to defeat the word/phrase checks. If you think back a short time they had begun sending the spam as an image and tacking on a bunch of gibberish at the end of the message, much easier to catch because of lack of vowels or too many vowels, extremely long "words", etc. Now they use real words. When someone comes up with a way to check language syntax they will just start including parts of Moby Dick in their spams :-(

BTW: I checked rule hits on the messages of this type yesterday and the items that were common among the few I got were multiple BACKHAIR hits in the same message and FVGT hits, with BigEvil showing up in nearly every one that made it to very high spam scores

> I tried asking about this on the sa-talk list, even re-posting my
> question, and have had NO response. The sa-talk list is rather
> annoying in this regard.

This is true, but reading through the volumes of mail on that list does reward you with some pretty good information, almost daily.
>
> Which thread topics are the ones you're talking about? (there are too
> many of them to read each and every one of them to track it down)
>

The latest thread on this topic is "detecting large collections of random words"

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ls at CREATIVE-WEBNET.DE Sat Jan 10 15:15:21 2004
From: ls at CREATIVE-WEBNET.DE (Alexander Endl)
Date: Thu Jan 12 21:21:46 2006
Subject: all seems to be work, but now :(
Message-ID:

Jan 10 16:08:28 creative kernel: 217.160.188.137 sent an invalid ICMP type 3, code 3 error to a broadcast: 0.0.0.0 on eth0
Jan 10 16:08:31 creative kernel: NET: 6 messages suppressed.
Jan 10 16:08:31 creative kernel: 217.160.188.137 sent an invalid ICMP type 3, code 3 error to a broadcast: 0.0.0.0 on eth0
Jan 10 16:08:37 creative kernel: NET: 3 messages suppressed.
Jan 10 16:08:37 creative kernel: 217.160.188.137 sent an invalid ICMP type 3, code 3 error to a broadcast: 0.0.0.0 on eth0
Jan 10 16:08:40 creative kernel: NET: 3 messages suppressed.
Jan 10 16:08:40 creative kernel: 217.160.188.137 sent an invalid ICMP type 3, code 3 error to a broadcast: 0.0.0.0 on eth0
Jan 10 16:08:47 creative kernel: NET: 5 messages suppressed.
Jan 10 16:08:47 creative kernel: 217.160.188.137 sent an invalid ICMP type 3, code 3 error to a broadcast: 0.0.0.0 on eth0

If I stop Postfix I don't see the error in /var/log/warn
If I start Postfix the error is back!
I don't know what to do; can anybody help me?

THX from Germany!

From robin at PRIMUS.CA Sat Jan 10 17:05:06 2004
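John Rudd's suggestion in the "Emails made up of random words" thread above, checking whether the text and HTML segments of a multipart/alternative message match, sketched as an added Python example (not code from any poster, MailScanner or SpamAssassin). The word-overlap measure, the `MIN_WORDS` and `THRESHOLD` values and every sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

WORD_RE = re.compile(r"[a-z0-9']{4,}")  # 4+ characters drops most stop words
MIN_WORDS = 20   # assumption: skip short "you need an HTML reader" stubs
THRESHOLD = 0.5  # assumption: below this the two parts count as unrelated


class _Visible(HTMLParser):
    """Collect text a reader would see, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def vocabulary(text, is_html=False):
    """Set of lower-cased words in a part; HTML is reduced to visible text first."""
    if is_html:
        parser = _Visible()
        parser.feed(text)
        parser.close()
        text = " ".join(parser.chunks)
    return set(WORD_RE.findall(text.lower()))


def _text_of(part):
    try:
        return part.get_content()  # undoes base64 / quoted-printable and charset
    except (LookupError, UnicodeError):  # unknown or mislabelled charset
        return part.get_payload(decode=True).decode("latin-1")


def alternatives(msg):
    """Yield (plain, html) strings for each multipart/alternative container."""
    for container in msg.walk():
        if container.get_content_type() != "multipart/alternative":
            continue
        found = {}
        for leaf in container.walk():  # also reaches HTML nested in multipart/related
            ctype = leaf.get_content_type()
            if ctype in ("text/plain", "text/html") and ctype not in found:
                found[ctype] = _text_of(leaf)
        if len(found) == 2:
            yield found["text/plain"], found["text/html"]


def overlap(plain, html):
    """Share of the smaller vocabulary that also occurs in the other part."""
    a, b = vocabulary(plain), vocabulary(html, is_html=True)
    if not a or not b:
        return 0.0
    return len(a & b) / min(len(a), len(b))


def mismatched(raw_message):
    """True if a sizeable text part shares almost no words with its HTML twin."""
    msg = message_from_string(raw_message, policy=policy.default)
    return any(len(vocabulary(p)) >= MIN_WORDS and overlap(p, h) < THRESHOLD
               for p, h in alternatives(msg))


def build(plain, html):
    """Constructed sample: serialise a two-part message as it would arrive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", "sample"
    m.set_content(plain)
    m.add_alternative(html, subtype="html")
    return m.as_string()


# All sample content below is constructed for this example.
GIBBERISH = ("garden window silver marble thunder basket journey planet copper meadow "
             "forest candle bridge winter harbor pencil orange mirror ladder pocket "
             "velvet anchor button castle dragon engine falcon guitar hammer island")
REPORT = ("Hi team, the quarterly report is attached. Please review the budget section "
          "before Friday's meeting and send comments to finance. Travel expenses were "
          "lower than forecast, while hosting costs increased after the datacenter "
          "migration finished in November.")
SAMPLES = {
    "random words, unrelated html": build(
        GIBBERISH, '<p>Cheap replica watches, order today</p>'
                   '<a href="http://shop.example.net/">Click here</a>'),
    "matching parts": build(REPORT, "<html><body><p>" + REPORT + "</p></body></html>"),
    "short stub": build("This message requires an HTML capable mail reader.",
                        "<p>Invoice 4411 is ready for download.</p>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:30} mismatched={mismatched(raw)}")
```

The `MIN_WORDS` floor is what keeps legitimate mail with a one-line plain-text stub from being flagged; only a large text part that shares almost nothing with the HTML trips the check.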
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> Message-ID: On Fri, 9 Jan 2004, Robin M. wrote: > Sorry if this seems like harping. A couple of people have said they do not get any errors with using rpm and the current version scheme. This is the error I get when building an rpm with the current version scheme. [hosting /opt/RPM/SPECS]# rpmbuild -ba MailScanner.spec error: line 4: Illegal char '-' in version: Version: 4.25-14 Exit 1 From mailscanner at ecs.soton.ac.uk Sat Jan 10 17:24:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040110172209.02db0d38@imap.ecs.soton.ac.uk> Try it again with the new file. I don't see how on earth you ever got an error about a - in line 4. There isn't one. However, to keep you all happy I have changed the version numbering scheme for you. I still don't understand all the fuss, I have never seen anything fail from using the version numbering system I used. But I'm fed up with the argument :-) At 17:05 10/01/2004, you wrote: >On Fri, 9 Jan 2004, Robin M. wrote: > > >Sorry if this seems like harping. > >A couple of people have said they do not get any errors with using rpm and >the current version scheme. > >This is the error I get when building an rpm with the current version >scheme. > >[hosting /opt/RPM/SPECS]# rpmbuild -ba MailScanner.spec >error: line 4: Illegal char '-' in version: Version: 4.25-14 >Exit 1 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From faq at mailscanner.info Sun Jan 11 00:28:01 2004 
From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:21:46 2006 Subject: Faq-O-Matic Error Log Message-ID: <200401110028.i0B0S11l017534@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-01-07-16-21-20 2.717 note submitPart 1353 <(noID)> Perl warning: Use of uninitialized value in string eq at /usr/lib/perl5/site_perl/5.6.1/FAQ/OMatic/submitPart.pm line 248. 2004-01-10-04-48-16 2.717 error editPart 19663 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 5; in item: 6) 2004-01-10-04-55-40 2.717 error editPart 20471 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 12; in item: 13) 2004-01-10-05-01-39 2.717 error editPart 21340 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 3; in item: 4) From mikew at crucis.net Sat Jan 10 18:18:32 2004 From: mikew at crucis.net (Mike Watson) Date: Thu Jan 12 21:21:46 2006 Subject: whitelisting Yahoogroups In-Reply-To: References: Message-ID: <200401101218.33294.mikew@crucis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 09 January 2004 08:18 pm, you wrote: > I'd like to whitelist yahoogroups. > > The sender of the quarantined emails shows > > n32.grp.scd.yahoo.com > > No @. ?? > > If you are successfully whitelisting yahoogroups email can you please > send me the rule you are using? > > much obliged. It's easy. You can either do a blanket white list for Yahoogroups or by individual groups. Just place the rule in spam.whitelist.rules.... Generic: From: *@yahoogroups.com yes of specific FromTo: sass@yahoogroups.com yes Mike W - -- Registered Linux - 256979 (http://counter.il.org for more information) NRA Life ARS: W0TMW -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAAEH55fq6h2uDDlQRAlUgAJ4y6B7YnBzSmWcHYt1TL7PpcJTyggCfccw7 adX6POD7OPD9wKIjTHC22Bw= =PuLv -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at FUZZYCHEESE.COM Sat Jan 10 17:53:40 2004 
From: alex at FUZZYCHEESE.COM (Alex Theodore) Date: Thu Jan 12 21:21:46 2006 Subject: cannot scan: /var/lib/MailScanner/bayes_toks Message-ID: <20040110125340.1942c209.alex@fuzzycheese.com> I'm trying to verify that the bayes filter is working with my MailScanner installation.. It seems that it cannot open the database.. is there anyway that I can pre-populate this db? postfix@queenie:~$ spamassassin -D --lint -C /etc/MailScanner/spam.assassin.prefs.conf debug: Score set 0 chosen. debug: running in taint mode? no debug: ignore: using a test message to lint rules debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for site rules dir debug: using "/var/spool/postfix/.spamassassin" for user state dir debug: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file debug: bayes: no dbs present, cannot scan: /var/lib/MailScanner/bayes_toks debug: Score set 1 chosen. debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200 debug: bayes: 25137 untie-ing debug: bayes: 25137 untie-ing db_toks [snip...] TIA alex -- Alex Theodore alex@fuzzycheese.com Boca Raton, FL USA From steve.swaney at FSL.COM Sat Jan 10 19:04:30 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:46 2006 Subject: cannot scan: /var/lib/MailScanner/bayes_toks In-Reply-To: <20040110125340.1942c209.alex@fuzzycheese.com> Message-ID: <20040110190632.82D3B21C356@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Alex Theodore > Sent: Saturday, January 10, 2004 12:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: cannot scan: /var/lib/MailScanner/bayes_toks > > I'm trying to verify that the bayes filter is working with my MailScanner > installation.. It seems that it cannot open the database.. is there anyway > that I can pre-populate this db? > > postfix@queenie:~$ spamassassin -D --lint -C > /etc/MailScanner/spam.assassin.prefs.conf > debug: Score set 0 chosen. > debug: running in taint mode? no > debug: ignore: using a test message to lint rules > debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for site rules > dir > debug: using "/var/spool/postfix/.spamassassin" for user state dir > debug: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs > file > debug: bayes: no dbs present, cannot scan: /var/lib/MailScanner/bayes_toks > debug: Score set 1 chosen. > debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200 > debug: bayes: 25137 untie-ing > debug: bayes: 25137 untie-ing db_toks > [snip...] > > [SKS] You can specify the location of your bayes files in the spam.assassin.prefs.conf: bayes_path /etc/MailScanner/bayes/bayes Where /etc/MailScanner/bayes is the directory where the files: bayes_journal bayes_toks bayes_seen Reside. Hint: Check the SpamAssassin configuration documentation at: http://au.spamassassin.org/doc/Mail_SpamAssassin_Conf.html A lot of very useful information can be found there. Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com From ryan.finnesey at CORPDSG.COM Sat Jan 10 19:33:51 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BFFA@dc012.corpdsg.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Friday, January 09, 2004 2:43 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner Features > > At 19:39 09/01/2004, you wrote: > >On the site: http://www.spamhelp.org/software/software.php?cat=3, it > notes > >that MailScanner has the following ability: > > > >"Pornographic spam can be stripped of all graphical content, protecting > >users from obscene content " > > > >I read this as: If it is pornographic spam, it will remove the graphical > >content, otherwise, graphical content is delivered. However, I have the > >feeling it means that MailScanner can strip all graphical content, of > which > >pornographic content is included, effectively ridding users of porn (and > all > >other graphics in the process). Which is it? I'm assuming the later. > > Correct. But it is effective. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Is anyone aware of a effective add-on for blocking content like porn? Ryan From email at ace.net.au Sat Jan 10 19:49:06 2004 
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:21:46 2006
Subject: MailScanner Features
In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BFFA@dc012.corpdsg.com>
References: <3041D4D2B8A6F746AD9217BE05AE68C407BFFA@dc012.corpdsg.com>
Message-ID: <200401110619060574.127FACBC@smtp1.ace.net.au>

SpamAssassin with a trained Bayes and some add-on rules eg bigevil will just about catch them all. Then you just add the occasional new rule as something new comes along.

Apart from that, if you can suggest an effective method for identifying porn, then surely someone will design a filter for that method.

But be careful of breast cancer, magna cum laude(sp?) and how do you determine the pornographic content of an image?

And of course MailScanner makes it all such a breeze to manage.

Peter

*********** REPLY SEPARATOR ***********

On 10/01/2004 at 2:33 PM Ryan Finnesey wrote:

>Is anyone aware of an effective add-on for blocking content like porn?
>
>
>Ryan

From Antony at SOFT-SOLUTIONS.CO.UK Sat Jan 10 19:57:39 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: <200401110619060574.127FACBC@smtp1.ace.net.au> References: <3041D4D2B8A6F746AD9217BE05AE68C407BFFA@dc012.corpdsg.com> <200401110619060574.127FACBC@smtp1.ace.net.au> Message-ID: <200401101957.39835.Antony@Soft-Solutions.co.uk> On Saturday 10 January 2004 7:49 pm, Peter Nitschke wrote: > SpamAssassin with a trained Bayes and some add-on rules eg bigevil will > just about catch them all. Then you just add the occasional new rule as > something new comes along. > > Apart from that, if you can suggest an effective method for identifying > porn, then surely somone will design a filter for that method. > > But be careful of breast cancer, magna cum laude(sp?) and how do you > determine the pornographic content of an image? For example http://www.poesia-filter.org Antony. -- This is not a rehearsal. This is Real Life. Please reply to the list; please don't CC me. From email at ace.net.au Sat Jan 10 20:17:00 2004 
From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:21:46 2006 Subject: MailScanner Features In-Reply-To: <200401101957.39835.Antony@Soft-Solutions.co.uk> References: <3041D4D2B8A6F746AD9217BE05AE68C407BFFA@dc012.corpdsg.com> <200401110619060574.127FACBC@smtp1.ace.net.au> <200401101957.39835.Antony@Soft-Solutions.co.uk> Message-ID: <200401110647000011.12993598@smtp1.ace.net.au> I think they sum up the problems pretty well.. With the setup I previously mentioned my system accepted 3200 emails yesterday, rejected or trapped 8800 spam. I had probably 10 junks get through that shouldn't have and 3 legits got caught. It will be interesting if they can get that good a success rate. Peter *********** REPLY SEPARATOR *********** On 10/01/2004 at 7:57 PM Antony Stone wrote: >On Saturday 10 January 2004 7:49 pm, Peter Nitschke wrote: > >> SpamAssassin with a trained Bayes and some add-on rules eg bigevil will >> just about catch them all. Then you just add the occasional new rule as >> something new comes along. >> >> Apart from that, if you can suggest an effective method for identifying >> porn, then surely somone will design a filter for that method. >> >> But be careful of breast cancer, magna cum laude(sp?) and how do you >> determine the pornographic content of an image? > >For example http://www.poesia-filter.org > >Antony. > >-- >This is not a rehearsal. >This is Real Life. > > Please reply to the >list; > please don't CC me. From robin at PRIMUS.CA Sat Jan 10 20:56:53 2004 
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:46 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (harping)
In-Reply-To: <6.0.1.1.2.20040110172209.02db0d38@imap.ecs.soton.ac.uk>
References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040110172209.02db0d38@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 10 Jan 2004, Julian Field wrote:

>
> Try it again with the new file. I don't see how on earth you ever got an
> error about a - in line 4. There isn't one.

Hi Julian, thanks for listening.

I see that you have updated your spec file, but I do not see the updated corresponding source code on the site...

Just to wrap up, this is my spec file.

Sorry, I snipped lines 1 and 2 ... line 4 is
"Version: 4.25-14"

Name: MailScanner
Version: 4.25-14
Release: 1
Source: %{software_name}-%{version}.tar.gz

when I try to build the rpm..

[hosting /opt/RPM/SPECS]# rpmbuild -ba MailScanner.spec
error: line 4: Illegal char '-' in version: Version: 4.25-14
Exit 1

> However, to keep you all happy I have changed the version numbering scheme
> for you.

Thanks Julian.

> I still don't understand all the fuss, I have never seen anything
> fail from using the version numbering system I used.

Hopefully it is not something I am doing wrong with rpm to create all the fuss but I am pretty sure I am correct. Someone please correct me if I am wrong...

> But I'm fed up with the argument :-)
>

Thanks again for listening Julian.

From dh at UPTIME.AT Sat Jan 10 21:14:22 2004
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040110172209.02db0d38@imap.ecs.soton.ac.uk> Message-ID: <40006B2E.3070207@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Robin M. wrote: And just to make it interesting, what I learned around 10 years ago was Major.Minor(.Lesser-patchlevel or EPOCH ) () == optional So nya :) - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAAGsyPMoaMn4kKR4RAwT4AJ440vKFn5RvZQzfmptFsXZ4yvs/yACfbJMd RbOQuxl7cdpbuBMiYWOtGWA= =bqUb -----END PGP SIGNATURE----- From chris at FRACTALWEB.COM Sat Jan 10 21:58:16 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:46 2006 Subject: Customized spam actions. In-Reply-To: <200401091712.59726.carles@unlimitedmail.org> References: <200401091712.59726.carles@unlimitedmail.org> Message-ID: <40007578.6090400@fractalweb.com> Carles Xavier Munyoz Bald? wrote: >Hi, >Is it possible to customize the spam actions by email or by domain ? > >Example 1: The owner of the mailboxl user1@test.com wants that all its email >messages marked as spam be bounced, but the owner of the mailbox >user2@test.com wants a deliver of its spam messages. > > Please don't bounce spam. It causes untold grief to the innocent people who have had their email addresses forged by spammers. Next thing they know, they get 10,000 bounce messages in their inbox. Cheers, Chris From drew at THEMARSHALLS.CO.UK Sat Jan 10 22:31:35 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:46 2006 Subject: Customized spam actions. In-Reply-To: <40007578.6090400@fractalweb.com> References: <200401091712.59726.carles@unlimitedmail.org> <40007578.6090400@fractalweb.com> Message-ID: <40007D47.9010408@themarshalls.co.uk> Chris Yuzik wrote: > Carles Xavier Munyoz Bald? wrote: > >> Hi, >> Is it possible to customize the spam actions by email or by domain ? >> >> Example 1: The owner of the mailboxl user1@test.com wants that all >> its email messages marked as spam be bounced, but the owner of the >> mailbox user2@test.com wants a deliver of its spam messages. > Yes. Just create an appropriate rule file (Don't forget it must end .rules) e.g. user1@test.com delete (Don't bounce unless you know the sender. The only time I bounce is when I have manually black listed a sender and therefore know if they exist or are a forgery) user2@test.com deliver This can be done using any of the available options as shown in the MailScanner.conf file. Last thing to do is set the spam actions = to be /path/to/rule file.rules >> >> > Please don't bounce spam. It causes untold grief to the innocent > people who have had their email addresses forged by spammers. Next > thing they know, they get 10,000 bounce messages in their inbox. As I mentioned above! > > Cheers, > Chris > Good luck Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From david at MIDRANGE.COM Sat Jan 10 22:59:07 2004 
From: david at MIDRANGE.COM (David Gibbs)
Date: Thu Jan 12 21:21:46 2006
Subject: whitelist options in SA user_prefs not being obeyed?
Message-ID: <400083BB.3040105@midrange.com>

Anyone know why a whitelist_from entry in my SpamAssassin user_prefs file wouldn't be followed?

I've got the following entries (among others):

whitelist_from joeuser@aol.com
score USER_IN_WHITELIST -100

But when I received a message from Joe, the following headers were logged ...

> Return-Path:
> Received: from qtemp.net (yada yada)
> Date: Sat, 10 Jan 2004 16:51:51 -0600
> From: joeuser@aol.com
> Message-Id: <200401102252.i0AMpUY4030709@linux.midrange.com>
> Apparently-To: david@midrange.com
> X-Mid-MailScanner-Info: Virus scanned at midrange.com
> X-Mid-MailScanner: Clean
> X-Mid-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.185, required 5,
> BAYES_56 0.00, FROM_ENDS_IN_NUMS 0.99, MSGID_FROM_MTA_SHORT 3.03,
> NO_REAL_NAME 0.16)
> X-Mid-MailScanner-SpamScore: ssss

Notice there is no USER_IN_WHITELIST tag?

Any suggestions?

btw: I mocked up the mail from joeuser@aol.com to test it.

Thanks!

david

From peter at UCGBOOK.COM Sat Jan 10 23:32:51 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:46 2006
Subject: whitelist options in SA user_prefs not being obeyed?
In-Reply-To: <400083BB.3040105@midrange.com>
References: <400083BB.3040105@midrange.com>
Message-ID: <40008BA3.2000603@ucgbook.com>

> Anyone know why a whitelist_from entry in my SpamAssassin user_prefs
> file wouldn't be followed?
>
> I've got the following entries (among others):
> whitelist_from joeuser@aol.com
> score USER_IN_WHITELIST -100

Shouldn't you use a ruleset instead? Look in MailScanner.conf:

Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

That works, I use it myself.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From david at MIDRANGE.COM Sun Jan 11 02:41:19 2004
From: david at MIDRANGE.COM (David Gibbs) Date: Thu Jan 12 21:21:46 2006 Subject: whitelist options in SA user_prefs not being obeyed? In-Reply-To: <200401110000.i0B00JY4004262@linux.midrange.com> References: <200401110000.i0B00JY4004262@linux.midrange.com> Message-ID: <4000B7CF.4010803@midrange.com> >> Anyone know why a whitelist_from entry in my SpamAssassin user_prefs > > file wouldn't be followed? > Shouldn't you use a ruleset instead? Look in MailScanner.conf: Not really ... I want my users to be able to control their whitelist's themselves. Having all the whitelist rules in a single, MailScanner controlled, file defeats that. Regardless of that, however, I have to question what other SpamAssassin rules MailScanner isn't processing ... if it's causing SA to disregard the whitelist, what else is it causing SA to disregard? david From mailscanner at ecs.soton.ac.uk Sun Jan 11 10:08:54 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: whitelist options in SA user_prefs not being obeyed? In-Reply-To: <4000B7CF.4010803@midrange.com> References: <200401110000.i0B00JY4004262@linux.midrange.com> <4000B7CF.4010803@midrange.com> Message-ID: <6.0.1.1.2.20040111100412.03fc3ec0@imap.ecs.soton.ac.uk> At 02:41 11/01/2004, you wrote: >>>Anyone know why a whitelist_from entry in my SpamAssassin user_prefs >> > file wouldn't be followed? >>Shouldn't you use a ruleset instead? Look in MailScanner.conf: > >Not really ... I want my users to be able to control their whitelist's >themselves. Having all the whitelist rules in a single, MailScanner >controlled, file defeats that. See the per-user and per-domain white/black-listing code in CustomConfig.pm. It's dead easy to get going, just read the comments at the top of that bit of CustomConfig.pm (which you will be able to find, believe me). SA user_prefs files in individual people's home directories are not consulted by MailScanner, as it doesn't know nor care where the mail is going or how to map an email address onto a user's home dir. You can only do that for local email accounts and even then only at the delivery stage, which means MailScanner would have to be involved in mail delivery which I am not prepared to do (lots of other people have implemented local mail delivery already). Pretty much all the per-user tweaks that anyone ever wants to do with SA can be easily implemented as rulesets in MailScanner instead. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Jan 11 09:59:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: References: <08146035CA49D6119A36009027AC822A0264EC7F@CITY-EXCH-NTS> <6.0.1.1.2.20040109181723.03862648@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040110172209.02db0d38@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040111095703.04020ec0@imap.ecs.soton.ac.uk> At 20:56 10/01/2004, you wrote: >On Sat, 10 Jan 2004, Julian Field wrote: > > > > Try it again with the new file. I don't see how on earth you ever got an > > error about a - in line 4. There isn't one. > >Hi Julian thanks for listening. > >I see that you have updated your spec file, but I do not see the updated >corresponding source code on the site... I haven't done a rebuild of all of it just to change this, no. Didn't see much point. >Just to wrap up this is my spec file > >Sorry I snipped lines 1 and 2 ... line 4 is >"Version: 4.25-14" > > >Name: MailScanner >Version: 4.25-14 >Release: 1 >Source: %{software_name}-%{version}.tar.gz > That must have been a very old spec file you had. I set the version using a variable defined at the top of the spec file a very long time ago. That defined version as 4.25 and Release as 14, which I thought was an acceptable way of doing it. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Sun Jan 11 10:40:47 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:46 2006
Subject: Antivir
Message-ID: <4001363F.27017.2E4EC7@localhost>

I have installed f-prot, clamav and antivir.

I can see that f-prot and clamav do virus checks, but I cannot see that antivir is doing it.

According to the /etc/MailScanner/virus.scanners.conf file, my antivir autoupdate and wrapper file is placed correctly in /usr/lib/MailScanner. Also the antivir is placed correctly in /usr/lib/AntiVir.

From the virus.scanners.conf file:

antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir

I can see that antivir does update according to the time being set.

What can I do to get antivir to run, as it seems not to be doing it?

/Erik.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040111/3aa1a9b5/attachment.html

From Jan-Peter.Koopmann at SECEIDOS.DE Sun Jan 11 12:47:25 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:46 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (harping)
Message-ID:

Hi Julian,

> However, to keep you all happy I have changed the version
> numbering scheme for you. I still don't understand all the

I hope the filenames for the tarballs did not change. Otherwise I need to fix the FreeBSD ports.... :-(

Regards,
JP

From mailscanner at ecs.soton.ac.uk Sun Jan 11 13:15:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: References: Message-ID: <6.0.1.1.2.20040111131439.02dbc0c0@imap.ecs.soton.ac.uk> At 12:47 11/01/2004, you wrote: >Hi Julian, > > > However, to keep you all happy I have changed the version > > numbering scheme for you. I still don't understand all the > >I hope the filenames for the tarballs did not change. Otherwise I need >to fix the FreeBSD ports.... :-( In future they will all be of the form mailscanner-4.26.4.tar.gz (or .rpm.tar.gz or .suse.tar.gz). So the FreeBSD ports will have to change too. Sorry! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 13:20:09 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: <6.0.1.1.2.20040111131439.02dbc0c0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040111131439.02dbc0c0@imap.ecs.soton.ac.uk> Message-ID: <200401111320.09659.Antony@Soft-Solutions.co.uk> On Sunday 11 January 2004 1:15 pm, Julian Field wrote: > At 12:47 11/01/2004, you wrote: > >Hi Julian, > > > > > However, to keep you all happy I have changed the version > > > numbering scheme for you. I still don't understand all the > > > >I hope the filenames for the tarballs did not change. Otherwise I need > >to fix the FreeBSD ports.... :-( > > In future they will all be of the form > mailscanner-4.26.4.tar.gz (or .rpm.tar.gz or .suse.tar.gz). > So the FreeBSD ports will have to change too. Sorry! Seems like a rather undesirable outcome of something which doesn't appear to have needed changing in the first place :( Antony. -- There's no such thing as bad weather - only the wrong clothes. - Billy Connolly Please reply to the list; please don't CC me. From mailscanner at ecs.soton.ac.uk Sun Jan 11 13:24:49 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:46 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released (harping) In-Reply-To: <200401111320.09659.Antony@Soft-Solutions.co.uk> References: <6.0.1.1.2.20040111131439.02dbc0c0@imap.ecs.soton.ac.uk> <200401111320.09659.Antony@Soft-Solutions.co.uk> Message-ID: <6.0.1.1.2.20040111132336.04192828@imap.ecs.soton.ac.uk> At 13:20 11/01/2004, you wrote: >On Sunday 11 January 2004 1:15 pm, Julian Field wrote: > > In future they will all be of the form > > mailscanner-4.26.4.tar.gz (or .rpm.tar.gz or .suse.tar.gz). > > So the FreeBSD ports will have to change too. Sorry! > >Seems like a rather undesirable outcome of something which doesn't appear to >have needed changing in the first place :( Agreed. But it's done now. Closed. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sun Jan 11 13:25:03 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:46 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (harping)
In-Reply-To: <200401111320.09659.Antony@Soft-Solutions.co.uk>
Message-ID:

Hi!

> > mailscanner-4.26.4.tar.gz (or .rpm.tar.gz or .suse.tar.gz).
> > So the FreeBSD ports will have to change too. Sorry!
>
> Seems like a rather undesirable outcome of something which doesn't appear to
> have needed changing in the first place :(

I feel the same.

Things like this are pretty normal: wget-1.8.2-4.72.i386.rpm

It's also the way Redhat packages things. It's up to an author to use the
minor.

It also could have been wget-1.8-4.72.i386.rpm for the above example.

This won't break things, and certainly is not invalid.

Could it be due to the spec file listed on the website that was not what
was used anyway, that was causing confusion?

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sun Jan 11 13:31:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:46 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (harping)
In-Reply-To:
References: <200401111320.09659.Antony@Soft-Solutions.co.uk>
Message-ID: <6.0.1.1.2.20040111132740.0400bec0@imap.ecs.soton.ac.uk>

At 13:25 11/01/2004, you wrote:
>Hi!
>
> > > mailscanner-4.26.4.tar.gz (or .rpm.tar.gz or .suse.tar.gz).
> > > So the FreeBSD ports will have to change too. Sorry!
> >
> > Seems like a rather undesirable outcome of something which doesn't
> appear to
> > have needed changing in the first place :(
>
>I feel the same.
>
>Things like this are pretty normal: wget-1.8.2-4.72.i386.rpm
>
>It's also the way Redhat packages things. It's up to an author to use the
>minor.
>
>It also could have been wget-1.8-4.72.i386.rpm for the above example.
>
>This won't break things, and certainly is not invalid.
>
>Could it be due to the spec file listed on the website that was not what
>was used anyway, that was causing confusion?

Yes, it could well have been.

However, one advantage of the new a.b.c-r is that anyone else who wants to
package it (e.g. RedHat or Fortress Systems) can explicitly say exactly
what version (a.b.c) they are re-packaging, and use the r for their own
release numbers.

So it might actually be very helpful at some (unknown) point in the future.
So it probably is worth it, it just may not be evident for some time.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From juan at sarel.co.il Sun Jan 11 14:10:26 2004
From: juan at sarel.co.il (=?windows-1255?Q?=E7=E5=E0=EF?=)
Date: Thu Jan 12 21:21:46 2006
Subject: problem starting Mailscanner
Message-ID:

Hi !!

I am trying to configure sendmail on RH 8 .

when I issue the command /etc/init.d/sendmail restart I receive:

/etc/init.d/sendmail :line 51: -q1h :command not found [ok]

when I issue the command /etc/init.d/mailscanner restart

shuting down mail scanner deamons:

mailscanner [ok]

incoming sendmail [ok]

outgoing sendmail [ok]

starting mailscanner deamons:

incoming sendmail:warning Xclimiter:local socket name /var/run/climiter.sock
missing

the problem is that the server doesn't listen to incoming connections on port
25

what can I do? please help !!!

thanks very much !!

From mailscanner at ecs.soton.ac.uk Sun Jan 11 14:14:00 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:46 2006
Subject: problem starting Mailscanner
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040111141256.041a9ec0@imap.ecs.soton.ac.uk>

If using MailScanner, you shouldn't be using /etc/init.d/sendmail at all.
Just run
    service MailScanner start
and
    service MailScanner stop
to start and stop MailScanner.

Kill all your running sendmail processes, then use the commands above.

At 14:10 11/01/2004, you wrote:
>Hi !!
>
>I am trying to configure sendmail on RH 8 .
>
>when I issue the command /etc/init.d/sendmail restart I receive:
>
>/etc/init.d/sendmail :line 51: -q1h :command not found [ok]
>
>when I issue the command /etc/init.d/mailscanner restart
>
>shuting down mail scanner deamons:
>
>mailscanner [ok]
>
>incoming sendmail [ok]
>
>outgoing sendmail [ok]
>
>starting mailscanner deamons:
>
>incoming sendmail:warning Xclimiter:local socket name /var/run/climiter.sock
>missing
>
>the problem is that the server doesn't listen to incoming connections on port
>25
>
>what can I do? please help !!!
>
>
>thanks very much !!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 14:12:08 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:46 2006
Subject: problem starting Mailscanner
In-Reply-To:
References:
Message-ID: <200401111412.08292.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 2:10 pm, ???? wrote:

> Hi !!
>
> I am trying to configure sendmail on RH 8 .
>
> when I issue the command /etc/init.d/sendmail restart I receive:
>
> /etc/init.d/sendmail :line 51: -q1h :command not found [ok]

Looks like you've split the sendmail command across two lines - "-q1h" is an
option which should follow sendmail on the same line.

If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and
we'll look in more detail.

Antony.

--
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

Please reply to the list;
please don't CC me.

From juan at SAREL.CO.IL Sun Jan 11 15:03:42 2004
From: juan at SAREL.CO.IL (=?windows-1255?Q?=E7=E5=E0=EF?=)
Date: Thu Jan 12 21:21:46 2006
Subject: problem starting Mailscanner
Message-ID:

O.K !! here is /etc/init.d/sendmail lines 47 to 54

line 47 done
line 48 fi
line 49 deamon /usr/sbin/sendmail -bd OPrivacy=queueonly
-0QUEUEDirectory=/var/spool/mqueue.in
line 50 sendmail q15m
line 51 $([-n "QUEUE" ] && echo -q$QUEUE)
line 52 RETVAL=$?
line 53 echo
line 54[RETVAL -eq0] 77 touch /var/lock/subsys/sendmail

please help

thanks

-----Original Message-----
From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK]
Sent: Sunday, January 11, 2004 4:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: problem starting Mailscanner

On Sunday 11 January 2004 2:10 pm, ???? wrote:

> Hi !!
>
> I am trying to configure sendmail on RH 8 .
>
> when I issue the command /etc/init.d/sendmail restart I receive:
>
> /etc/init.d/sendmail :line 51: -q1h :command not found [ok]

Looks like you've split the sendmail command across two lines - "-q1h" is an
option which should follow sendmail on the same line.

If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and
we'll look in more detail.

Antony.

--
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

Please reply to the list;
please don't CC me.

From mailscanner at ecs.soton.ac.uk Sun Jan 11 15:10:43 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:46 2006
Subject: problem starting Mailscanner
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040111150959.02d9aea8@imap.ecs.soton.ac.uk>

Please can you cut and paste the lines into an email, and not retype them.
There are many apparent typing errors in the lines you have shown us, and
we really do need to see the exact original lines.

At 15:03 11/01/2004, you wrote:
>O.K !! here is /etc/init.d/sendmail lines 47 to 54
>
>line 47 done
>line 48 fi
>line 49 deamon /usr/sbin/sendmail -bd OPrivacy=queueonly
>-0QUEUEDirectory=/var/spool/mqueue.in
>line 50 sendmail q15m
>line 51 $([-n "QUEUE" ] && echo -q$QUEUE)
>line 52 RETVAL=$?
>line 53 echo
>line 54[RETVAL -eq0] 77 touch /var/lock/subsys/sendmail
>
>please help
>
>thanks
>
>
>
>
>-----Original Message-----
>From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK]
>Sent: Sunday, January 11, 2004 4:12 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: problem starting Mailscanner
>
>
>On Sunday 11 January 2004 2:10 pm, ???? wrote:
>
> > Hi !!
> >
> > I am trying to configure sendmail on RH 8 .
> >
> > when I issue the command /etc/init.d/sendmail restart I receive:
> >
> > /etc/init.d/sendmail :line 51: -q1h :command not found [ok]
>
>Looks like you've split the sendmail command across two lines - "-q1h" is an
>
>option which should follow sendmail on the same line.
>
>If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and
>we'll look in more detail.
>
>Antony.
>
>--
>There are two possible outcomes:
>
> If the result confirms the hypothesis, then you've made a measurement.
> If the result is contrary to the hypothesis, then you've made a discovery.
>
> - Enrico Fermi
>
> Please reply to the
>list;
> please don't CC
>me.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Sun Jan 11 15:37:10 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:46 2006
Subject: Antivir
In-Reply-To: <4001363F.27017.2E4EC7@localhost>
Message-ID: <40017BB6.18728.1CA7408@localhost>

Is nobody having any ideas what can cause the problem ?

>
> I have installed f-prot, clamav and antivir. I can see, that f-prot
> and clamav does virus checks, but I cannot see, that antivir is doing
> it.
>
> According to the /etc/MailScanner/virus.scanners.conf file, my antivir
> autoupdate and wrapper file is placed correct in /usr/lib/MailScanner.
> Also the antivir is placed correct in /usr/lib/AntiVir.
>
> From the virus.scanners.conf file:
> antivir/usr/lib/MailScanner/antivir-
> wrapper/usr/lib/AntiVir
>
> I can see, that antivir does update according to the time being set.
>
> What can I do to get antivir to run, as It seems not to doing it ?.
>
> /Erik.
>
>

---------
Med venlig hilsen - Best regards
Erik Jakobsen - eja@urbakken.dk
This mail is virusscanned by Norton Internet Security 2003

From mailscanner at ecs.soton.ac.uk Sun Jan 11 15:45:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:46 2006
Subject: Antivir
In-Reply-To: <40017BB6.18728.1CA7408@localhost>
References: <4001363F.27017.2E4EC7@localhost> <40017BB6.18728.1CA7408@localhost>
Message-ID: <6.0.1.1.2.20040111154355.041608e8@imap.ecs.soton.ac.uk>

What does this produce?

cd /tmp (or somewhere with some viruses in it)
/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z .

(Don't forget the "." at the end of the command!)
That should print something useful about files with viruses in them.
Exactly what output do you get?

At 15:37 11/01/2004, you wrote:
>Is nobody having any ideas what can cause the problem ?
>
> >
> > I have installed f-prot, clamav and antivir. I can see, that f-prot
> > and clamav does virus checks, but I cannot see, that antivir is doing
> > it.
> >
> > According to the /etc/MailScanner/virus.scanners.conf file, my antivir
> > autoupdate and wrapper file is placed correct in /usr/lib/MailScanner.
> > Also the antivir is placed correct in /usr/lib/AntiVir.
> >
> > From the virus.scanners.conf file:
> > antivir/usr/lib/MailScanner/antivir-
> > wrapper/usr/lib/AntiVir
> >
> > I can see, that antivir does update according to the time being set.
> >
> > What can I do to get antivir to run, as It seems not to doing it ?.
> >
> > /Erik.
> >
> >
>
>
>---------
>Med venlig hilsen - Best regards
>Erik Jakobsen - eja@urbakken.dk
>This mail is virusscanned by Norton Internet Security 2003

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gdoris at ROGERS.COM Sun Jan 11 16:23:28 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:46 2006
Subject: SpamAssassin Local Rules change
Message-ID: <1073838208.2429.10.camel@jaguar.dorfam.ca>

In the "for what's it's worth dept"...

I installed the new unstable version of MailScanner and also dropped the
SpamAssassin bigevil rules into /etc/mail/spamassassin. The SA rules
are recognized without any patches to SA.pm and I've started seeing
evilrule hits in the spam messages.

I'm not sure that bigevil rules is the correct way to go (writing tons
of custom rules) but I guess if someone is willing to maintain
them...why not.

--
Gerry Doris

From robin at PRIMUS.CA Sun Jan 11 16:51:41 2004
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:47 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (harping)
In-Reply-To: <6.0.1.1.2.20040111132740.0400bec0@imap.ecs.soton.ac.uk>
References: <200401111320.09659.Antony@Soft-Solutions.co.uk> <6.0.1.1.2.20040111132740.0400bec0@imap.ecs.soton.ac.uk>
Message-ID:

On Sun, 11 Jan 2004, Julian Field wrote:

> >Things like this are pretty normal: wget-1.8.2-4.72.i386.rpm

The portion of the wget version which specifies -4 is the rpmbuild release
number, which has nothing to do with the software release number.

> >It also could have been wget-1.8-4.72.i386.rpm for the above example.

You are incorrect here again; this would mean that the rpm packager has
released build 4.72 of the package, which again is not related to the actual
software being packaged.

> >Could it be due to the spec file listed on the website that was not what
> >was used anyway, that was causing confusion?

No, it was that, if I may say, Julian was using the "Release:" variable
slightly incorrectly. The Release variable, as stated above, is used for the
rpm packager and not the software maintainer.

> However, one advantage of the new a.b.c-r is that anyone else who wants
> package it (e.g. RedHat or Fortress Systems) can explicitly say exactly
> what version (a.b.c) they are re-packaging, and use the r for their own
> release numbers.

This is exactly the reason :)

> So it might actually be very helpful at some (unknown) point in the future.

Thanks again Julian for putting up with a discussion that seemed like
something so unimportant. I'll stop emailing the list now :)

From cwharris at MORGAN.NET Sun Jan 11 17:32:34 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
Message-ID: <004901c3d868$e9e42fb0$1c150fd0@shire>

I'm getting some errors and hoping someone can tell me what has caused it and
how I can fix it.

in my messages log:

sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0 not open: Bad file descriptor

> file: table is full

sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect: cannot open /dev/null: Too many open files in system

the message file: table is full is repeated over and over.

Any ideas?

Chris

From mailscanner at ecs.soton.ac.uk Sun Jan 11 17:39:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <004901c3d868$e9e42fb0$1c150fd0@shire>
References: <004901c3d868$e9e42fb0$1c150fd0@shire>
Message-ID: <6.0.1.1.2.20040111173750.04387cf8@imap.ecs.soton.ac.uk>

Sounds like you have exceeded the maximum number of open files your OS allows.
Try reducing the maximum batch size in MailScanner.conf and see if it goes
away.
To increase the number of open files allowed depends entirely on your OS
which you haven't told us.

At 17:32 11/01/2004, you wrote:
>I'm getting some errors and hoping someone can tell me what has caused it and
>how I can fix it.
>
>in my messages log:
>
>sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0 not
>open: Bad file descriptor
>
> file: table is full
>
>sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect: cannot
>open /dev/null: Too many open files in system
>
>
>the message file: table is full is repeated over and over.
>
>Any ideas?
>
>Chris

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 17:38:13 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <004901c3d868$e9e42fb0$1c150fd0@shire>
References: <004901c3d868$e9e42fb0$1c150fd0@shire>
Message-ID: <200401111738.13603.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 5:32 pm, Chris Harris wrote:

> I'm getting some errors and hoping someone can tell me what has caused it
> and how I can fix it.
>
> in my messages log:
>
> sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0
> not open: Bad file descriptor
>
> > file: table is full
>
> sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect: cannot
> open /dev/null: Too many open files in system
>
> the message file: table is full is repeated over and over.

What O/S are you running?

What type of file system is mounted?

What size partition/s are you using?

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

Please reply to the list;
please don't CC me.

From cwharris at MORGAN.NET Sun Jan 11 17:49:01 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
References: <004901c3d868$e9e42fb0$1c150fd0@shire> <200401111738.13603.Antony@Soft-Solutions.co.uk>
Message-ID: <005401c3d86b$37d65700$1c150fd0@shire>

FreeBSD 4.6

looks to be a 76 or somethin gig drive partitioned as:

150 MB for /
500 MB for /tmp
and
75 gig for /usr

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 17:55:26 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <005401c3d86b$37d65700$1c150fd0@shire>
References: <004901c3d868$e9e42fb0$1c150fd0@shire> <200401111738.13603.Antony@Soft-Solutions.co.uk> <005401c3d86b$37d65700$1c150fd0@shire>
Message-ID: <200401111755.26011.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 5:49 pm, Chris Harris wrote:

> FreeBSD 4.6
>
> looks to be a 76 or somethin gig drive partitioned as:
>
> 150 MB for /
> 500 MB for /tmp
> and
> 75 gig for /usr

The file system type would be useful to know as well, I think - ext2, ext3,
reiser, etc (sorry if these are not appropriate for BSD; I'm a Linux person,
but this is the type of information I meant).

Antony.

--
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

Please reply to the list;
please don't CC me.

From cwharris at MORGAN.NET Sun Jan 11 18:01:10 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
References: <004901c3d868$e9e42fb0$1c150fd0@shire> <200401111738.13603.Antony@Soft-Solutions.co.uk> <005401c3d86b$37d65700$1c150fd0@shire> <200401111755.26011.Antony@Soft-Solutions.co.uk>
Message-ID: <006101c3d86c$e88edc10$1c150fd0@shire>

Antony,

Sorry about that. They are UFS.

Chris

From eja at URBAKKEN.DK Sun Jan 11 18:10:40 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir.
Message-ID: <400191A0.1050602@urbakken.dk>

I have problems with antivir. It does upgrade ok, but it seems not to
scan. I have f-prot and clamav installed too, and they are scanning ok.

All is placed ok according to the file mentioned where the different
antivirus programs is to be found.

Also I have entered the antivir in the line in
/etc/MailScanner/MailScanner.conf file where scanners are written.

Any good solutions ?.
--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From mailscanner at ecs.soton.ac.uk Sun Jan 11 18:39:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir.
In-Reply-To: <400191A0.1050602@urbakken.dk>
References: <400191A0.1050602@urbakken.dk>
Message-ID: <6.0.1.1.2.20040111183840.043c7698@imap.ecs.soton.ac.uk>

What were the results of my previous comments?
Check the list archive if you didn't get them.
Dated 15:45 today.

At 18:10 11/01/2004, you wrote:
>I have problems with antivir. It does upgrade ok, but it seems not to
>scan. I have f-prot and clamav installed too, and they are scanning ok.
>
>All is placed ok according to the file mentioned where the different
>antivirus programs is to be found.
>
>Also I have entered the antivir in the line in
>/etc/MailScanner/MailScanner.conf file where scanners are written.
>
>Any good solutions ?.
>--
>Med venlig hilsen - Best regards.
>Erik Jakobsen - eja@urbakken.dk.
>Licensed radioamateur with the callsign OZ4KK.
>SuSE Linux 8.2 Proff.
>Registered as user #319488 with the Linux Counter, http://counter.li.org.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 18:38:41 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir.
In-Reply-To: <400191A0.1050602@urbakken.dk>
References: <400191A0.1050602@urbakken.dk>
Message-ID: <200401111838.41304.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 6:10 pm, Erik Jakobsen wrote:

> I have problems with antivir. It does upgrade ok, but it seems not to
> scan. I have f-prot and clamav installed too, and they are scanning ok.

Does antivir seem to work if you run a manual scan of a file or directory?

Also, the answer to Julian's question earlier would be helpful to work out
what's going on:

On Sunday 11 January 2004 3:45 pm, Julian Field wrote:

> What does this produce?
>
> cd /tmp (or somewhere with some viruses in it)
> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot
> -rs -z .
>
> (Don't forget the "." at the end of the command!)
> That should print something useful about files with viruses in them.
> Exactly what output do you get?

Regards,

Antony.

--
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

Please reply to the list;
please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 20:24:08 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
Message-ID:

On Sun, 11 Jan 2004 15:45:46 +0000, Julian Field wrote:

>What does this produce?
>
>cd /tmp (or somewhere with some viruses in it)
>.

Julian !. I don't know where I have viruses. Or if I have some.

/tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z
-bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory

>(Don't forget the "." at the end of the command!)
>That should print something useful about files with viruses in them.
>Exactly what output do you get?
>
>At 15:37 11/01/2004, you wrote:
>>Is nobody having any ideas what can cause the problem ?
>>
>> >
>> > I have installed f-prot, clamav and antivir. I can see, that f-prot
>> > and clamav does virus checks, but I cannot see, that antivir is doing
>> > it.
>> >
>> > According to the /etc/MailScanner/virus.scanners.conf file, my antivir
>> > autoupdate and wrapper file is placed correct in /usr/lib/MailScanner.
>> > Also the antivir is placed correct in /usr/lib/AntiVir.
>> >
>> > From the virus.scanners.conf file:
>> > antivir/usr/lib/MailScanner/antivir-
>> > wrapper/usr/lib/AntiVir
>> >
>> > I can see, that antivir does update according to the time being set.
>> >
>> > What can I do to get antivir to run, as It seems not to doing it ?.
>> >
>> > /Erik.
>> >
>> >
>>
>>
>>---------
>>Med venlig hilsen - Best regards
>>Erik Jakobsen - eja@urbakken.dk
>>This mail is virusscanned by Norton Internet Security 2003
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 20:27:08 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To:
References:
Message-ID: <200401112027.08925.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 8:24 pm, Erik Jakobsen wrote:

> On Sun, 11 Jan 2004 15:45:46 +0000, Julian Field
>
> wrote:
> >What does this produce?
> >
> >cd /tmp (or somewhere with some viruses in it)
> >.
>
> Julian !. I don't know where I have viruses. Or if I have some.

Get yourself a test "virus" from http://www.eicar.org/anti_virus_test_file.htm

> /tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s
> -noboot -rs -z
> -bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory

Where did you install MailScanner on your system?

Antony.

--
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
Blaster]. However, these products are no longer supported. Users of these
products are strongly encouraged to upgrade to later versions."

(which *are* affected by MS Blaster...)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Please reply to the list;
please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 20:29:23 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir.
Message-ID:

On Sun, 11 Jan 2004 18:39:56 +0000, Julian Field wrote:

>What were the results of my previous comments?
>Check the list archive if you didn't get them.
>Dated 15:45 today.

Julian !. I'm very sorry, but the 2 messages from you didn't arrive in
my mailer, due to a reason I don't know. Good to have the archives here
then under such circumstances.

>At 18:10 11/01/2004, you wrote:
>>I have problems with antivir. It does upgrade ok, but it seems not to
>>scan. I have f-prot and clamav installed too, and they are scanning ok.
>>
>>All is placed ok according to the file mentioned where the different
>>antivirus programs is to be found.
>>
>>Also I have entered the antivir in the line in
>>/etc/MailScanner/MailScanner.conf file where scanners are written.
>>
>>Any good solutions ?.
>>--
>>Med venlig hilsen - Best regards.
>>Erik Jakobsen - eja@urbakken.dk.
>>Licensed radioamateur with the callsign OZ4KK.
>>SuSE Linux 8.2 Proff.
>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.swaney at FSL.COM Sun Jan 11 20:33:50 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:47 2006
Subject: SpamAssassin Local Rules change
In-Reply-To: <1073838208.2429.10.camel@jaguar.dorfam.ca>
Message-ID: <20040111203552.9458321C277@mail.fsl.com>

On Sunday, January 11, 2004 11:23 AM, Gerry Doris wrote
>
> In the "for what's it's worth dept"...
>
> I installed the new unstable version of MailScanner and also dropped the
> SpamAssassin bigevil rules into /etc/mail/spamassassin. The SA rules
> are recognized without any patches to SA.pm and I've started seeing
> evilrule hits in the spam messages.
>
> I'm not sure that bigevil rules is the correct way to go (writing tons
> of custom rules) but I guess if someone is willing to maintain
> them...why not.
>

[SKS] Putting the additional SA .cf rules in /etc/mail/spamassassin also
works fine on Red Hat systems.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com.

From eja at URBAKKEN.DK Sun Jan 11 20:41:32 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <200401112027.08925.Antony@Soft-Solutions.co.uk>
References: <200401112027.08925.Antony@Soft-Solutions.co.uk>
Message-ID: <4001B4FC.8030206@urbakken.dk>

Antony Stone wrote:
> On Sunday 11 January 2004 8:24 pm, Erik Jakobsen wrote:
>
>
>>On Sun, 11 Jan 2004 15:45:46 +0000, Julian Field
>>
>> wrote:
>>
>>>What does this produce?
>>>
>>>cd /tmp (or somewhere with some viruses in it)
>>>.
>>
>>Julian !. I don't know where I have viruses. Or if I have some.
>
>
> Get yourself a test "virus" from http://www.eicar.org/anti_virus_test_file.htm

Hello Antony.

Thanks for the URL. Will get one from there.

>
>>/tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s
>>-noboot -rs -z
>>-bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory
>
>
> Where did you install MailScanner on your system?

I installed it here :

/var/lock/subsys/MailScanner
/var/run/MailScanner.pid
/var/spool/MailScanner
/var/spool/MailScanner/incoming
/var/spool/MailScanner/incoming/21574
/var/spool/MailScanner/incoming/17783
/var/spool/MailScanner/incoming/8193
/var/spool/MailScanner/incoming/21670
/var/spool/MailScanner/incoming/22563
/var/spool/MailScanner/quarantine
/etc/sysconfig/MailScanner
/etc/rc.d/init.d/MailScanner
/etc/rc.d/rc0.d/K30MailScanner
/etc/rc.d/rc1.d/K30MailScanner
/etc/rc.d/rc2.d/S80MailScanner
/etc/rc.d/rc3.d/S80MailScanner
/etc/rc.d/rc4.d/S80MailScanner
/etc/rc.d/rc5.d/S80MailScanner
/etc/rc.d/rc6.d/K30MailScanner
/etc/cron.hourly/check_MailScanner
/etc/MailScanner
/etc/MailScanner/mcp
/etc/MailScanner/mcp/10_example.cf
/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
/etc/MailScanner/reports
/etc/MailScanner/reports/cy+en
/etc/MailScanner/reports/cy+en/deleted.filename.message.txt
/etc/MailScanner/reports/cy+en/deleted.content.message.txt
/etc/MailScanner/reports/cy+en/deleted.virus.message.txt
/etc/MailScanner/reports/cy+en/disinfected.report.txt
/etc/MailScanner/reports/cy+en/inline.sig.html /etc/MailScanner/reports/cy+en/inline.sig.txt /etc/MailScanner/reports/cy+en/inline.spam.warning.txt /etc/MailScanner/reports/cy+en/inline.warning.html /etc/MailScanner/reports/cy+en/inline.warning.txt /etc/MailScanner/reports/cy+en/languages.conf /etc/MailScanner/reports/cy+en/sender.content.report.txt /etc/MailScanner/reports/cy+en/sender.error.report.txt /etc/MailScanner/reports/cy+en/sender.filename.report.txt /etc/MailScanner/reports/cy+en/sender.mcp.report.txt /etc/MailScanner/reports/cy+en/sender.spam.rbl.report.txt /etc/MailScanner/reports/cy+en/sender.spam.report.txt /etc/MailScanner/reports/cy+en/sender.spam.sa.report.txt /etc/MailScanner/reports/cy+en/sender.virus.report.txt /etc/MailScanner/reports/cy+en/stored.content.message.txt /etc/MailScanner/reports/cy+en/stored.filename.message.txt /etc/MailScanner/reports/cy+en/stored.virus.message.txt /etc/MailScanner/reports/cz /etc/MailScanner/reports/cz/deleted.filename.message.txt /etc/MailScanner/reports/cz/deleted.content.message.txt /etc/MailScanner/reports/cz/deleted.virus.message.txt /etc/MailScanner/reports/cz/disinfected.report.txt /etc/MailScanner/reports/cz/inline.sig.html /etc/MailScanner/reports/cz/inline.sig.txt /etc/MailScanner/reports/cz/inline.spam.warning.txt /etc/MailScanner/reports/cz/inline.warning.html /etc/MailScanner/reports/cz/inline.warning.txt /etc/MailScanner/reports/cz/languages.conf /etc/MailScanner/reports/cz/sender.content.report.txt /etc/MailScanner/reports/cz/sender.error.report.txt /etc/MailScanner/reports/cz/sender.filename.report.txt /etc/MailScanner/rules /etc/MailScanner/rules/spam.whitelist.rules /etc/MailScanner/rules/EXAMPLES /etc/MailScanner/rules/README /etc/MailScanner/spam.assassin.prefs.conf /etc/MailScanner/MailScanner.conf /etc/MailScanner/filename.rules.conf /etc/MailScanner/filetype.rules.conf /etc/MailScanner/virus.scanners.conf /etc/MailScanner/spam.lists.conf 
/usr/share/doc/mailscanner-4.24/html/man/MailScanner.8.html /usr/share/doc/mailscanner-4.24/html/man/MailScanner.8 /usr/share/doc/mailscanner-4.24/html/man/MailScanner.conf.5.html /usr/share/doc/mailscanner-4.24/html/man/MailScanner.conf.5 /usr/share/man/man5/MailScanner.conf.5.gz /usr/share/man/man8/MailScanner.8.gz /usr/lib/MailScanner /usr/lib/MailScanner/MailScanner /usr/lib/MailScanner/MailScanner/ConfigDefs.pl /usr/lib/MailScanner/MailScanner/Config.pm /usr/lib/MailScanner/MailScanner/EximDiskStore.pm /usr/lib/MailScanner/MailScanner/CustomConfig.pm /usr/lib/MailScanner/MailScanner/Exim.pm /usr/lib/MailScanner/MailScanner/MCPMessage.pm /usr/lib/MailScanner/MailScanner/Lock.pm /usr/lib/MailScanner/MailScanner/Log.pm /usr/lib/MailScanner/MailScanner/MCP.pm /usr/lib/MailScanner/MailScanner/Message.pm /usr/lib/MailScanner/MailScanner/Mail.pm /usr/lib/MailScanner/MailScanner/MessageBatch.pm /usr/lib/MailScanner/MailScanner/PFDiskStore.pm /usr/lib/MailScanner/MailScanner/Postfix.pm /usr/lib/MailScanner/MailScanner/Quarantine.pm /usr/lib/MailScanner/MailScanner/Queue.pm /usr/lib/MailScanner/MailScanner/RBLs.pm /usr/lib/MailScanner/MailScanner/SA.pm /usr/lib/MailScanner/MailScanner/SMDiskStore.pm /usr/lib/MailScanner/MailScanner/Sendmail.pm /usr/lib/MailScanner/MailScanner/SweepContent.pm /usr/lib/MailScanner/MailScanner/SweepOther.pm /usr/lib/MailScanner/MailScanner/SweepViruses.pm /usr/lib/MailScanner/MailScanner/SystemDefs.pm /usr/lib/MailScanner/MailScanner/TNEF.pm /usr/lib/MailScanner/MailScanner/WorkArea.pm /usr/lib/MailScanner/MailScanner/ZMDiskStore.pm /usr/lib/MailScanner/MailScanner/ZMailer.pm /usr/lib/MailScanner/antivir-autoupdate /usr/lib/MailScanner/MailScanner.pm /usr/lib/MailScanner/bitdefender-autoupdate /usr/lib/MailScanner/antivir-wrapper /usr/lib/MailScanner/kaspersky-autoupdate /usr/lib/MailScanner/rav-wrapper /usr/lib/MailScanner/trend-autoupdate /usr/lib/MailScanner/sophos-wrapper /usr/lib/MailScanner/trend-wrapper /usr/sbin/MailScanner 
/usr/sbin/check_MailScanner /usr/sbin/upgrade_MailScanner_conf /opt/MailScanner-4.24-5 /opt/MailScanner-4.24-5/perl-Convert-TNEF-0.17-1.src.rpm /opt/MailScanner-4.24-5/perl-File-Spec-0.82-1.src.rpm /opt/MailScanner-4.24-5/perl-File-Temp-0.12-1.src.rpm /opt/MailScanner-4.24-5/perl-HTML-Parser-3.26-2.src.rpm /opt/MailScanner-4.24-5/perl-HTML-Tagset-3.03-1.src.rpm /opt/MailScanner-4.24-5/perl-IO-stringy-2.108-1.src.rpm /opt/MailScanner-4.24-5/perl-MailTools-1.50-1.src.rpm /opt/MailScanner-4.24-5/perl-MIME-Base64-2.12-1.src.rpm /opt/MailScanner-4.24-5/perl-MIME-tools-5.411-pl4.2.src.rpm /opt/MailScanner-4.24-5/perl-TimeDate-1.1301-2.src.rpm /opt/MailScanner-4.24-5/CheckModuleVersion /opt/MailScanner-4.24-5/install.sh /opt/MailScanner-4.24-5/README /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05.tar.gz /opt/MailScanner-4.24-5/Update-MakeMaker.sh /opt/MailScanner-4.24-5/tnef-1.1.4-sizelimit1.i386.rpm /opt/MailScanner-4.24-5/QuickInstall.txt /opt/MailScanner-4.24-5/mailscanner-4.24-5.noarch.rpm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05 /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/problems.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/Test /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/Test/Builder.pm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/Test/More.pm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/Test/Simple.pm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/TieOut.pm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/MakeMaker /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/MakeMaker/Test /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/lib/MakeMaker/Test/Utils.pm /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/VERSION_FROM.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/MM_OS2.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/testlib.t 
/opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/Manifest.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/MM_Unix.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/MM_Cygwin.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/Command.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/writemakefile_args.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/backwards.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/MM_BeOS.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/prefixify.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/MM_VMS.t /opt/MailScanner-4.24-5/ExtUtils-MakeMaker-6.05/t/INST.t > Antony. > > -- > "Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS > Blaster]. However, these products are no longer supported. Users of these > products are strongly encouraged to upgrade to later versions." > > (which *are* affected by MS Blaster...) > > http://www.microsoft.com/security/security_bulletins/ms03-026.asp > > Please reply to the list; > please don't CC me. > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 20:47:00 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001B4FC.8030206@urbakken.dk>
References: <200401112027.08925.Antony@Soft-Solutions.co.uk> <4001B4FC.8030206@urbakken.dk>
Message-ID: <200401112047.00682.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 8:41 pm, Erik Jakobsen wrote:

> Antony Stone wrote:
> >
> > Where did you install MailScanner on your system?
>
> I installed it here :

<>

Check that you have execute permission on the following file and then try
Julian's command again:

> /usr/lib/MailScanner/antivir-wrapper

Reminder, Julian's command was:

/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs -z .

(All on one line, complete with the . at the end, run from a directory with
the Eicar test virus in it)

Antony

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

Please reply to the list;
please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 20:52:18 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001B4FC.8030206@urbakken.dk>
References: <200401112027.08925.Antony@Soft-Solutions.co.uk> <4001B4FC.8030206@urbakken.dk>
Message-ID: <4001B782.6040009@urbakken.dk>

Hi. I downloaded the 4 files from Eicar, and they are placed in /tmp,
but there's still no change in the result:


/tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles
-s -noboot -rs -z
-bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory

Erik Jakobsen wrote:
> Antony Stone wrote:
>
>> On Sunday 11 January 2004 8:24 pm, Erik Jakobsen wrote:
>>
>>
>>> On Sun, 11 Jan 2004 15:45:46 +0000, Julian Field
>>>
>>> wrote:
>>>
>>>> What does this produce?
>>>>
>>>> cd /tmp (or somewhere with some viruses in it)
>>>> .
>>>
>>>
>>> Julian !. I don't know where I have viruses. Or if I have some.
>>
>>
>>
>> Get yourself a test "virus" from
>> http://www.eicar.org/anti_virus_test_file.htm
>
>
> Hello Antony. Thanks for the URL. Will get one from there.
>
>>
>>> /tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir
>>> -allfiles -s
>>> -noboot -rs -z
>>> -bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory
>>
>>
>>
>> Where did you install MailScanner on your system?
>
>
> I installed it here :
>
>
>> Antony.
>>
>> --
>> "Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
>> Blaster]. However, these products are no longer supported. Users
>> of these
>> products are strongly encouraged to upgrade to later versions."
>>
>> (which *are* affected by MS Blaster...)
>>
>> http://www.microsoft.com/security/security_bulletins/ms03-026.asp
>>
>> Please reply to
>> the list;
>> please
>> don't CC me.
>>
>
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 20:58:32 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001B782.6040009@urbakken.dk>
References: <4001B4FC.8030206@urbakken.dk> <4001B782.6040009@urbakken.dk>
Message-ID: <200401112058.32216.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 8:52 pm, Erik Jakobsen wrote:

> Hi. I downloaded the 4 files from Eicar, and they are placed in /tmp,
> but there's still no change in the result:
>
>
> /tmp # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles
> -s -noboot -rs -z
> -bash: /usr/lib/MailScanner/antivir-wrapper: No such file or directory

Okay then - where did you install antivir (just the short answer, please - the
location of the antivir executable will do - I don't need an output from find
or locate).

Did you try the test I suggested earlier, by the way - can you successfully
run antivir manually to do a virus check?

Antony.

--
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

Please reply to the list;
please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 21:07:29 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <200401112058.32216.Antony@Soft-Solutions.co.uk>
References: <4001B4FC.8030206@urbakken.dk> <4001B782.6040009@urbakken.dk> <200401112058.32216.Antony@Soft-Solutions.co.uk>
Message-ID: <4001BB11.3070809@urbakken.dk>

> Okay then - where did you install antivir (just the short answer, please - the
> location of the antivir executable will do - I don't need an output from find
> or locate).

Sorry for having done that Antony. Hope this is better ?. :-((

# which antivir
/usr/bin/antivir

> Did you try the test I suggested earlier, by the way - can you successfully
> run antivir manually to do a virus check?

I downloaded the 4 files from Eicar, but it seems they were not treated
as viruses according to the output shown below. Yes I ran the antivir
manually ok.


# /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ -allfiles -s
-noboot -rs -z .
AntiVir / Linux Version 2.0.9-9
Copyright (c) 1994-2003 by H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/AntiVir/antivir.vdf ...

VDF version: 6.23.0.28 created 09 Jan 2004

For private, non-commercial use only.
AntiVir license: 1111111111 for xxxx yyyyy, zzzzz

checking drive/path (list): .

----- scan results -----
directories: 5
files: 10
alerts: 0
scan time: 00:00:01
------------------------

Thank you for using AntiVir.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From eja at URBAKKEN.DK Sun Jan 11 21:09:34 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001BB11.3070809@urbakken.dk>
References: <4001B4FC.8030206@urbakken.dk> <4001B782.6040009@urbakken.dk> <200401112058.32216.Antony@Soft-Solutions.co.uk> <4001BB11.3070809@urbakken.dk>
Message-ID: <4001BB8E.3070604@urbakken.dk>

The result of my f-prot and clamav shows ok:

At Sun Jan 11 21:59:24 2004 the virus scanner said:
F-Prot: fbjxff.exe Infection: W32/Swen.A@mm
ClamAV: fbjxff.exe contains Worm.Gibe.F
MailScanner: Executable DOS/Windows programs are dangerous in email
(fbjxff.exe)

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 21:19:14 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001BB11.3070809@urbakken.dk>
References: <200401112058.32216.Antony@Soft-Solutions.co.uk> <4001BB11.3070809@urbakken.dk>
Message-ID: <200401112119.14225.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 9:07 pm, Erik Jakobsen wrote:

> > Okay then - where did you install antivir (just the short answer, please
> > - the location of the antivir executable will do - I don't need an output
> > from find or locate).
>
> Sorry for having done that Antony. Hope this is better ?. :-((
>
> # which antivir
> /usr/bin/antivir

Much better :)

> > Did you try the test I suggested earlier, by the way - can you
> > successfully run antivir manually to do a virus check?
>
> I downloaded the 4 files from Eicar, but it seems they were not treated
> as viruses according to the output shown below. Yes I ran the antivir
> manually ok.
>
>
> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ -allfiles -s
> -noboot -rs -z .
> AntiVir / Linux Version 2.0.9-9
> Copyright (c) 1994-2003 by H+BEDV Datentechnik GmbH.
> All rights reserved.

This does not make sense if you installed antivir in /usr/bin (as you say
above). You should specify the directory in which the binary is located on
the command line for antivir-wrapper:

/usr/lib/MailScanner/antivir-wrapper /usr/bin/ -allfiles -s -noboot -rs -z .

Antony.

--
The idea that Bill Gates appeared like a knight in shining armour to lead all
customers out of a mire of technological chaos neatly ignores the fact that it
was he who, by peddling second-rate technology, led them into it in the first
place.

- Douglas Adams in The Guardian, 25th August 1995

Please reply to the list;
please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 21:24:01 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
Message-ID:

On Sun, 11 Jan 2004 20:47:00 +0000, Antony Stone wrote:

>On Sunday 11 January 2004 8:41 pm, Erik Jakobsen wrote:
>
>> Antony Stone wrote:
>> >
>> > Where did you install MailScanner on your system?
>>
>> I installed it here :
>
><>
>
>Check that you have execute permission on the following file and then try
>Julian's command again:

Permission for the antivir-wrapper or ?.

>> /usr/lib/MailScanner/antivir-wrapper
>
>Reminder, Julian's command was:

Yes ok.

>/usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir -allfiles -s -noboot -rs
>-z .
>
>(All on one line, complete with the . at the end, run from a directory with
>the Eicar test virus in it)

Thanks, I'm aware of it.

>
>Antony
>
>--
>Never write it in Perl if you can do it in Awk.
>Never do it in Awk if sed can handle it.
>Never use sed when tr can do the job.
>Never invoke tr when cat is sufficient.
>Avoid using cat whenever possible.
>
> Please reply to the list;
> please don't CC me.

From eja at URBAKKEN.DK Sun Jan 11 21:31:01 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <200401112119.14225.Antony@Soft-Solutions.co.uk>
References: <200401112058.32216.Antony@Soft-Solutions.co.uk> <4001BB11.3070809@urbakken.dk> <200401112119.14225.Antony@Soft-Solutions.co.uk>
Message-ID: <4001C095.6090901@urbakken.dk>

>># which antivir
>>/usr/bin/antivir
>
>
> Much better :)
>

Thanks !.

> This does not make sense if you installed antivir in /usr/bin (as you say
> above). You should specify the directory in which the binary is located on
> the command line for antivir-wrapper:

Of course it doesn't.

> /usr/lib/MailScanner/antivir-wrapper /usr/bin/ -allfiles -s -noboot -rs -z .

ls -l /usr/bin/antivir

lrwxrwxrwx 1 root root 24 Dec 18 09:45 /usr/bin/antivir -> /usr/lib/AntiVir/antivir

Oh it's a symbolic link to /usr/lib/AntiVir/antivir.

What to do then Antony ?. I'll read your reply tomorrow, as I have to
enter the bed now :-)

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Antony at SOFT-SOLUTIONS.CO.UK Sun Jan 11 21:38:10 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: Antivir
In-Reply-To: <4001C095.6090901@urbakken.dk>
References: <200401112119.14225.Antony@Soft-Solutions.co.uk> <4001C095.6090901@urbakken.dk>
Message-ID: <200401112138.10382.Antony@Soft-Solutions.co.uk>

On Sunday 11 January 2004 9:31 pm, Erik Jakobsen wrote:

> ls -l /usr/bin/antivir
>
> lrwxrwxrwx 1 root root 24 Dec 18 09:45 /usr/bin/antivir
> -> /usr/lib/AntiVir/antivir
>
> Oh it's a symbolic link to /usr/lib/AntiVir/antivir.

Okay, so we're back to square one regarding the location of the binary then -
anyone else got any ideas about what caused the original error message?

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.

Please reply to the list;
please don't CC me.

From alex at FUZZYCHEESE.COM Sun Jan 11 22:15:28 2004
From: alex at FUZZYCHEESE.COM (Alex Theodore)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <004901c3d868$e9e42fb0$1c150fd0@shire>
References: <004901c3d868$e9e42fb0$1c150fd0@shire>
Message-ID: <20040111171528.4fcf0495.alex@fuzzycheese.com>

You will need to recompile your FreeBSD Kernel with a higher value for the
MAXUSER parameter. Try doubling or tripling it. You can also dynamically
reconfigure this kernel parameter via sysctl(8) command.

Regards,

Alex

On Sun, 11 Jan 2004 11:32:34 -0600
Chris Harris wrote:

> I'm getting some errors and hoping someone can tell me what has caused it and
> how I can fix it.
>
> in my messages log:
>
> sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0 not
> open: Bad file descriptor
>
> file: table is full
>
> sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect: cannot
> open /dev/null: Too many open files in system
>
>
> the message file: table is full is repeated over and over.
>
> Any ideas?
>
> Chris
>

--
Alex Theodore
alex@fuzzycheese.com
Boca Raton, FL USA

From so-mlist-alias at all-about-shift.com Sun Jan 11 23:30:25 2004
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <20040111171528.4fcf0495.alex@fuzzycheese.com>
References: <004901c3d868$e9e42fb0$1c150fd0@shire> <20040111171528.4fcf0495.alex@fuzzycheese.com>
Message-ID: <1746.10.1.1.99.1073863825.squirrel@miyako.all-about-shift.com>

Eventually this is much easier resolved: Try "ulimit -n 4096" in the
context of your sendmail (?) process which causes the error regarding your
first mail. I.e: If you start sendmail via a script just insert the above
statement before this. This could also be added somewhere in the
/etc/init-script if this is the way you are running it.

The statement increases the number of open file descriptors for a single
process to 4096; I don't know about FreeBSD but usually this is the limit
for most small unixes like linux and bsd.

Hth,
Soeren

> You will need to recompile your FreeBSD Kernel with a higher value for the
> MAXUSER parameter. Try doubling or tripling it. You can also dynamically
> reconfigure this kernel parameter via sysctl(8) command.
>
> Regards,
>
> Alex
>
> On Sun, 11 Jan 2004 11:32:34 -0600
> Chris Harris wrote:
>
>> I'm getting some errors and hoping someone can tell me what has caused it
>> and
>> how I can fix it.
>>
>> in my messages log:
>>
>> sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0
>> not
>> open: Bad file descriptor
>>
> file: table is full
>>
>> sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect:
>> cannot
>> open /dev/null: Too many open files in system
>>
>>
>> the message file: table is full is repeated over and over.
>>
>> Any ideas?
>>
>> Chris
>>
>
>
> --
> Alex Theodore
> alex@fuzzycheese.com
> Boca Raton, FL USA
>
> --
> Scanned for virus & SPAM at all-about-shift.com
>
>

----------------------------------------------------------
Had a laugh yet today? http://all-about-shift.com/dailystrips/

From chris at FRACTALWEB.COM Sun Jan 11 23:39:15 2004
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:47 2006 Subject: IE URL vulnerability exploits have begun Message-ID: <4001DEA3.3070508@fractalweb.com> Hi Everyone, I was looking through the MailWatch reports and noticed a couple very high scoring spam...well over 100. Upon closer inspection, the emails had triggered the custom rule many of us added that severely punishes any message that attempts to obscure the "real" url by exploiting (yet another) gaping hole in Internet Explorer. This email comes in "allegedly" from the Bank of America asking the user to verify their account information. Yeah...ok. Here's the href part of the anchor tag: www.bankofamerica.com (line breaks added by me) %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01@%32%31%31%2E%32%33%2E%36%35%2E%38%34:%38%30/%77%77 %77/%62%6F%61/%73%74%61%74%65%5F%63%67%69%2E%70%68%70 Decoded, the above URL seems to be (assuming my hex to dec to ascii conversion is correct): "211.23.65.84:80/www/boa/srare_cgi.pnp" I've looked up the IP at samspade.org and it's owned by: OrgName: Asia Pacific Network Information Centre OrgID: APNIC Address: PO Box 2131 City: Milton StateProv: QLD PostalCode: 4064 Country: AU I tried to visit the site but perhaps it's already been shut down...or perhaps it's too busy to handle my request. If you haven't already done so, I strongly suggest everyone get medieval on this exploit and kill it before it arrives in your user's inboxes. This time it was Bank of America. Next it will be Visa, Mastercard, Amex, or who knows. 
I have the following rule in spam.assassin.prefs.conf:

uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

I can't help but ask myself why Microsoft refuses to fix this
vulnerability. Mozilla doesn't suffer from it and Konqueror doesn't
either (long live open source). It's not like it was just discovered
yesterday. Does anyone have a good conspiracy theory?

Cheers,
Chris

From kevins at BMRB.CO.UK Mon Jan 12 00:07:46 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:47 2006
Subject: IE URL vulnerability exploits have begun
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C219DE@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C219DE@pascal.priv.bmrb.co.uk>
Message-ID: <1073866066.17299.10.camel@bach.kevinspicer.co.uk>

On Sun, 2004-01-11 at 23:39, Chris Yuzik wrote:
>I've looked up the IP at samspade.org and it's owned by:
>OrgName: Asia Pacific Network Information Centre

Actually APNIC is the registrar for that netblock, by searching APNIC's
whois database you find that this address is part of a netblock further
delegated to TWNIC (Taiwan Network Information Centre). Searching
further through APNIC's and TWNIC's whois databases you find the IP is
owned by....

Lu Pen Technology Co., Ltd.
No. 101-10, Shenduen Li, Juenli City, Taoyung
Taoyung
TW
Netname: LU-PEN-TECHN-TY-NET
Netblock: 211.23.65.80/29

From david at MIDRANGE.COM Mon Jan 12 00:09:47 2004
From: david at MIDRANGE.COM (David Gibbs) Date: Thu Jan 12 21:21:47 2006 Subject: whitelist options in SA user_prefs not being obeyed? In-Reply-To: <200401120000.i0C00RoB002879@linux.midrange.com> References: <200401120000.i0C00RoB002879@linux.midrange.com> Message-ID: <4001E5CB.6090609@midrange.com> > SA user_prefs files in individual people's home directories are not > consulted by MailScanner, as it doesn't know nor care where the mail is > going or how to map an email address onto a user's home dir. You can only > do that for local email accounts and even then only at the delivery stage, > which means MailScanner would have to be involved in mail delivery which I > am not prepared to do (lots of other people have implemented local mail > delivery already). Um, then what is the "SpamAssassin User State Dir" setting for? From the comments in the config file, I gathered that ~/.spamassassin is consulted as well as the directories identified in this setting. david From Antony at SOFT-SOLUTIONS.CO.UK Mon Jan 12 00:25:51 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:47 2006
Subject: whitelist options in SA user_prefs not being obeyed?
In-Reply-To: <4001E5CB.6090609@midrange.com>
References: <200401120000.i0C00RoB002879@linux.midrange.com> <4001E5CB.6090609@midrange.com>
Message-ID: <200401120025.51036.Antony@Soft-Solutions.co.uk>

On Monday 12 January 2004 12:09 am, David Gibbs wrote:

> > SA user_prefs files in individual people's home directories are not
> > consulted by MailScanner, as it doesn't know nor care where the mail is
> > going or how to map an email address onto a user's home dir. You can only
> > do that for local email accounts and even then only at the delivery
> > stage, which means MailScanner would have to be involved in mail delivery
> > which I am not prepared to do (lots of other people have implemented
> > local mail delivery already).
>
> Um, then what is the "SpamAssassin User State Dir" setting for?

This is the directory where SpamAssassin should store its state information
for things like the Bayes database. It avoids having them pile up somewhere
unhelpful such as /root or /home/smmsp.

Note that only one directory can be specified, therefore it does not apply
for each user on the system; there is only one setting.

> From the comments in the config file, I gathered that ~/.spamassassin
> is consulted as well as the directories identified in this setting.

This is correct, for certain restricted values of ~ :-)

Specifically, ~ here refers to the home directory of the mail user (which is
why this section of the config file's comments keeps referring to the postfix
user, as this is another of the odd quirks of postfix which make it different
from other MTAs).

~ does not refer to each user on the machine.

Hope this helps,

Antony.

--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

                                                     Please reply to the list;
                                                           please don't CC me.
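
Added example (not from the list posts, and not SpamAssassin or MailScanner code): the href from Chris Yuzik's "IE URL vulnerability exploits have begun" post parsed structurally in Python, next to a transcription of the IE_VULN regex, to show which host such a link really targets and where the regex alone also fires on a URL that carries no userinfo trick. The `http://` scheme, the padding length and the two extra sample URLs are constructed; `analyse_href` and `Verdict` are names made up here.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# The "uri IE_VULN" pattern quoted in the post, transcribed as a Python regex.
IE_VULN = re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.I)

# ASCII control bytes: the same range the rule looks for in %xx form.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class Verdict(NamedTuple):
    rule_hit: bool      # does the quoted regex fire on the raw href?
    spoof: bool         # control byte inside the userinfo part (before "@")
    decoy: str          # text in front of the first control byte
    host: str           # host the link really points at
    port: str           # port as written, "" if absent
    path: str           # path and query, percent-decoded
    control_bytes: int  # number of control bytes found in the userinfo


def analyse_href(href: str) -> Optional[Verdict]:
    """Split an http(s) href into authority and rest, then decode each part."""
    m = re.match(r"(?is)^https?://([^/?#]*)(.*)$", href.strip())
    if m is None:
        return None
    authority, rest = m.groups()
    # Everything before the last "@" of the authority is userinfo, not a host.
    userinfo, at, hostport = authority.rpartition("@")
    # latin-1 maps every %xx byte to exactly one character, so nothing is lost.
    userinfo = unquote(userinfo, encoding="latin-1")
    host, _, port = unquote(hostport, encoding="latin-1").partition(":")
    ctrl = CONTROL.findall(userinfo)
    return Verdict(
        rule_hit=bool(IE_VULN.search(href)),
        spoof=bool(at) and bool(ctrl),
        decoy=CONTROL.split(userinfo, maxsplit=1)[0],
        host=host,
        port=port,
        path=unquote(rest, encoding="latin-1"),
        control_bytes=len(ctrl),
    )


# Constructed sample: the fragments shown in the post, joined back together.
# The scheme and the number of %01 padding bytes are assumptions.
SPOOFED = (
    "http://www.bankofamerica.com" + "%01" * 88 +
    "@%32%31%31%2E%32%33%2E%36%35%2E%38%34:%38%30/%77%77"
    "%77/%62%6F%61/%73%74%61%74%65%5F%63%67%69%2E%70%68%70"
)
# Constructed: ordinary userinfo, no control bytes.
PLAIN_USERINFO = "http://user@example.com/"
# Constructed: an encoded newline in the path and an "@" in the query string.
# There is no userinfo at all, yet the regex sees "%0A ... @" and fires.
QUERY_AT = "http://example.com/a%0Ab?to=x@example.org"


if __name__ == "__main__":
    for label, href in (("spoofed", SPOOFED),
                        ("plain userinfo", PLAIN_USERINFO),
                        ("@ in query", QUERY_AT)):
        v = analyse_href(href)
        print(f"{label:15} rule_hit={v.rule_hit!s:5} spoof={v.spoof!s:5} "
              f"decoy={v.decoy!r} real={v.host}:{v.port}")
```

With a score of 100 on the rule, the third sample is the case to watch for in quarantine reports: the regex matches anywhere in the URL, while the structural check only looks in front of the authority's "@".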
From james at grayonline.id.au Mon Jan 12 01:54:40 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:47 2006 Subject: IE URL vulnerability exploits have begun In-Reply-To: <4001DEA3.3070508@fractalweb.com> References: <4001DEA3.3070508@fractalweb.com> Message-ID: <200401121254.40695.james@grayonline.id.au> On Mon, 12 Jan 2004 10:39 am, Chris Yuzik wrote: > If you haven't already done so, I strongly suggest everyone get medieval > on this exploit and kill it before it arrives in your user's inboxes. > This time it was Bank of America. Next it will be Visa, Mastercard, > Amex, or who knows. > > I have the following rule in spam.assassin.prefs.conf: > uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i > score IE_VULN 100.0 > describe IE_VULN Internet Explorer vulnerability > > I can't help but ask myself why Microsoft refuses to fix this > vulnerability. Mozilla doesn't suffer from it and Konqueror doesn't > either (long live open source). It's not like it was just discovered > yesterday. Does anyone have a good conspiracy theory? > > Cheers, > Chris McAfee Virus Scan picks up these IE exploits as "Exploit-URLSpoof trojan" which is kinda neat. If you are using NAI/McAfee command line scanner, you need as a minimum: DAT: 4311 (24-Dec-2004) Engine: 4.2.40 Read about it here: http://vil.nai.com/vil/content/v_100927.htm James -- Fortune cookies says: "If value corrupts then absolute value corrupts absolutely." From james at grayonline.id.au Mon Jan 12 02:02:15 2004 
From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:47 2006 Subject: IE URL vulnerability exploits have begun In-Reply-To: <200401121254.40695.james@grayonline.id.au> References: <4001DEA3.3070508@fractalweb.com> <200401121254.40695.james@grayonline.id.au> Message-ID: <200401121302.15640.james@grayonline.id.au> On Mon, 12 Jan 2004 12:54 pm, James Gray wrote: > DAT: 4311 (24-Dec-2004) ^^^^ Obviously this should be 24-Dec-2003. Serves me right for not proof reading it before hitting the send button! James -- Fortune cookies says: We are what we pretend to be. -- Kurt Vonnegut, Jr. From james at grayonline.id.au Mon Jan 12 04:45:38 2004 
From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:47 2006 Subject: New McAfee Commandline Scanner for Unix/Linux is out In-Reply-To: <20040108111446.A32070@pigeon.infotechfl.com> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C41C@jessica.herefordshire.gov.uk> <20040108111446.A32070@pigeon.infotechfl.com> Message-ID: <200401121545.38600.james@grayonline.id.au> On Fri, 9 Jan 2004 03:14 am, Tom Miller wrote: > I'm running the non-P4 optimized version on two RedHat 7.3 servers and a > RedHat 9 server with no problems. > > -Tom > > On Thu, Jan 08, 2004 at 03:53:54PM -0000, Randal, Phil wrote: > > Needless to say I'd tested beore I posted. > > > > I used the Linux Pentium 4 optimised build on Fedora Core 1. It still > > works, still catches viruses, with no (as yet) apparent memory leaks or > > problems. > > > > Cheers, > > > > Phil OK - trap for young players: DO NOT USE THE PENTIUM-OPTIMISED VERSION ON PENTIUM CLASSIC!! I've just wasted an hour or so trying to figure out why it wasn't working. According to McAfee/NAI release notes for the optimised version: The product has been optimised for Pentium 4 but is fully compatible with all Intel Pentium processors. This is not quite right. If I install the non-optimised version on my (poor antiquated) P-133 mail gateway everything is fine. It's running Debian (Woody) and MailScanner 4.23-11 plus SpamAssassin 2.61. No special updates or jiggery-pokery required. Actually, the non-optimised version is a no-brainer! Now install the the P4 optimised version on the same system and it will complain that it can't load libstdc++.so.5. 
You can manually symlink this:
ln -s /usr/lib/libstdc++.so.3.0.4 /usr/lib/libstdc++.so.5

Now uvscan will run but you'll get stuff like this:
./uvscan: /usr/lib/libstdc++.so.5: no version information available
(required by ./uvscan)
./uvscan: /usr/lib/libstdc++.so.5: no version information available
(required by ./uvscan)
./uvscan: /usr/lib/libstdc++.so.5: no version information available
(required by /usr/local/lib/liblnxfv.so.4)
./uvscan: /usr/lib/libstdc++.so.5: no version information available
(required by /usr/local/lib/liblnxfv.so.4)

Ugly. So in short, be careful about trying to use the P4 optimised
McAfee/NAI scanner on earlier Pentiums. The Pentium-classic (pre MMX) is a
definite no-no. Not sure how you'd go with the P166MMX-P233MMX (essentially
the classic with MMX extensions) or the PII series. P3/P4 should be OK
though.

James
--
Fortune cookies says:
"Mind if I smoke?"
"Yes, I'd like to see that, does it come out of your ears or what?"

From eja at URBAKKEN.DK Mon Jan 12 05:52:41 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: Antivir Message-ID: On Sun, 11 Jan 2004 21:38:10 +0000, Antony Stone wrote: >On Sunday 11 January 2004 9:31 pm, Erik Jakobsen wrote: > >> ls -l /usr/bin/antivir >> >> lrwxrwxrwx 1 root root 24 Dec 18 09:45 /usr/bin/antivir >> -> /usr/lib/AntiVir/antivir >> >> Oh its a symbloic link to /usr/lib/AntiVir/antivir. > >Okay, so we're back to square one regarding the location of the binary then - >anyone else got any ideas about what caused the original error message? Indeed we are. >Antony. > >-- >In Heaven, the police are British, the chefs are Italian, the beer is Belgian, >the mechanics are German, the lovers are French, the entertainment is >American, and everything is organised by the Swiss. > >In Hell, the police are German, the chefs are British, the beer is American, >the mechanics are French, the lovers are Swiss, the entertainment is Belgian, >and everything is organised by the Italians. > > Please reply to the list; > please don't CC me. Erik. From eja at URBAKKEN.DK Mon Jan 12 06:07:40 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: ANNOUNCE: Unstable release 4.26-4 released Message-ID: On Fri, 9 Jan 2004 16:45:15 +0100, Jan-Peter Koopmann wrote: >> Sorry for asking. Is it a beta unstable ?. > >Having a look at the subject I tend to answer: Yes... :-) Ok, thanks. >Regards, > JP Erik. From eja at URBAKKEN.DK Mon Jan 12 07:43:57 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: Antivir In-Reply-To: References: Message-ID: <4002503D.3010204@urbakken.dk> Antony !. You asked if my manual use of antivir worked. Here's the final of a test I just made: # antivir / -s /var/spool/MailScanner/quarantine/20040112/8FDCE46F8C/gbzyuqk.exe Date: 12.01.2004 Time: 07:06:09 Size: 106496 ALERT: [Worm/Gibe.C.1 virus] /var/spool/MailScanner/quarantine/20040112/8FDCE46F8C/gbzyuqk.exe <<< Contains signature of the worm Worm/Gibe.C.1 /var/spool/MailScanner/quarantine/20040112/6842846F8D/INSTALLER926.exe Date: 12.01.2004 Time: 07:44:28 Size: 106496 ALERT: [Worm/Gibe.C.1 virus] /var/spool/MailScanner/quarantine/20040112/6842846F8D/INSTALLER926.exe <<< Contains signature of the worm Worm/Gibe.C.1 ----- scan results ----- directories: 13160 files: 26997 alerts: 752 repaired: 0 deleted: 0 renamed: 0 scan time: 00:08:10 ------------------------ Thank you for using AntiVir. And this is the antivir using the: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ -allfiles -s -noboot -rs -z . 
Its just a sample :-) ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040111/29D9E46F8C/fbjxff.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/C7D0C46F8D/installation462.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/5E97E46F90/evud.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/8FDCE46F8C/gbzyuqk.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/6842846F8D/INSTALLER926.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/3A7FB46F8D/Patch2474.exe <<< Contains signature of the worm Worm/Gibe.C.1 ALERT: [Worm/Gibe.C.1 virus] ./var/spool/MailScanner/quarantine/20040112/2C88446F8F/dxrjxis.exe <<< Contains signature of the worm Worm/Gibe.C.1 archive: ./opt/clamav-0.65/test/rarfail.rar --> test1 extract error (Unknown or unsupported compression method.) ----- scan results ----- directories: 13162 files: 111125 alerts: 754 repaired: 0 deleted: 0 renamed: 0 scan time: 00:22:54 ------------------------ Thank you for using AntiVir. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From Antony at SOFT-SOLUTIONS.CO.UK Mon Jan 12 08:55:03 2004 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:47 2006 Subject: Antivir In-Reply-To: <4002503D.3010204@urbakken.dk> References: <4002503D.3010204@urbakken.dk> Message-ID: <200401120855.03504.Antony@Soft-Solutions.co.uk> On Monday 12 January 2004 7:43 am, Erik Jakobsen wrote: > Antony !. > > You asked if my manual use of antivir worked. Here's the final of a test > I just made: > > # antivir / -s > > ALERT: [Worm/Gibe.C.1 virus] > /var/spool/MailScanner/quarantine/20040112/8FDCE46F8C/gbzyuqk.exe <<< > Contains signature of the worm Worm/Gibe.C.1 > > ----- scan results ----- > > directories: 13160 > files: 26997 > alerts: 752 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:08:10 > > ------------------------ > > And this is the antivir using the: > > # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ -allfiles -s > -noboot -rs -z . > > ----- scan results ----- > > directories: 13162 > files: 111125 > alerts: 754 > repaired: 0 > deleted: 0 > renamed: 0 > scan time: 00:22:54 > > ------------------------ Good, so a manual run works, and now the wrapper program is working too - what happens if you feed youself an eicar virus through MailScanner - does antivir pick it up as well as f-prot and clamav? Antony. -- Ramdisk is not an installation procedure. Please reply to the list; please don't CC me. From martinh at SOLID-STATE-LOGIC.COM Mon Jan 12 09:01:43 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:47 2006
Subject: File Table Full
In-Reply-To: <20040111171528.4fcf0495.alex@fuzzycheese.com>
References: <004901c3d868$e9e42fb0$1c150fd0@shire> <20040111171528.4fcf0495.alex@fuzzycheese.com>
Message-ID: <40026277.7030604@solid-state-logic.com>

Alex Theodore wrote:
> You will need to recompile your FreeBSD Kernel with a higher value for the MAXUSER parameter. Try doubling or tripling it. You can also dynamically reconfigure this kernel parameter via sysctl(8) command.
>
> Regards,
>
> Alex
>

You don't need to recompile, add

kern.maxfiles=2048

to /etc/sysctl.conf to change the default on boot and use

sysctl kern.maxfiles

to find out what the value is now and

sysctl kern.maxfiles 2048

to change the value to 2048 on the fly.

Obviously you can alter the 2048 to whatever value you want, but 2048
works well for my email server running imap, so lots of users opening
lots of files!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From eja at URBAKKEN.DK Mon Jan 12 10:02:18 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: Antivir Message-ID: On Mon, 12 Jan 2004 08:55:03 +0000, Antony Stone wrote: >On Monday 12 January 2004 7:43 am, Erik Jakobsen wrote: > >> Antony !. >> >> You asked if my manual use of antivir worked. Here's the final of a test >> I just made: >> >> # antivir / -s >> >> ALERT: [Worm/Gibe.C.1 virus] >> /var/spool/MailScanner/quarantine/20040112/8FDCE46F8C/gbzyuqk.exe <<< >> Contains signature of the worm Worm/Gibe.C.1 >> >> ----- scan results ----- >> >> directories: 13160 >> files: 26997 >> alerts: 752 >> repaired: 0 >> deleted: 0 >> renamed: 0 >> scan time: 00:08:10 >> >> ------------------------ >> >> And this is the antivir using the: >> >> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ -allfiles -s >> -noboot -rs -z . >> >> ----- scan results ----- >> >> directories: 13162 >> files: 111125 >> alerts: 754 >> repaired: 0 >> deleted: 0 >> renamed: 0 >> scan time: 00:22:54 >> >> ------------------------ > >Good, so a manual run works, and now the wrapper program is working too - what >happens if you feed youself an eicar virus through MailScanner - does antivir >pick it up as well as f-prot and clamav? First. Its good to have this archive list, as some mails are not comming to my mailer. Yes the manual run works, and so do the wrapper program. How is the command line for testing the eicar files ?. They are placed in /tmp. /Erik. >Antony. > >-- >Ramdisk is not an installation procedure. > > Please reply to the list; > please don't CC me. From mailscanner at ecs.soton.ac.uk Mon Jan 12 10:19:28 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: 1 week's spam
Message-ID: <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk>

Morning all,

Thought I would do a little check that my spam settings are doing okay.
So I have been checking my spam for the past week.

In the past 7 days, I have received 2,977 bits of spam personally addressed
to me.
That's about 425 every day, which is about half my mail. (Boy, am I glad of
that MailScanner thingy!)

In that time, there have been 0 false positives, and 23 false negatives.
This gives success rates of 100% and 99.2% respectively.

Which I reckon is pretty good :-)

Setup details:
Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL
Max SpamAssassin Size = 40000
Required SpamAssassin Score = 6
SA 2.61 with BigEvil list added
DCC
Razor2

The most amusing subject line of them all has to be this one:
         A lean, fit and younger mailer-daemon

Yes, I did think my current mailer-daemon was looking a bit ragged round
the edges :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Mon Jan 12 11:15:52 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: 1 week's spam Message-ID: On Mon, 12 Jan 2004 10:19:28 +0000, Julian Field wrote: >Morning all, > >Thought I would do a little check that my spam settings are doing okay. >So I have been checking my spam for the past week. > >In the past 7 days, I have received 2,977 bits of spam personally addressed >to me. >That's about 425 every day, which is about half my mail. (Boy, am I glad of >that MailScanner thingy!) > >In that time, there have been 0 false positives, and 23 false negatives. >This gives success rates of 100% and 99.2% respectively. > >Which I reckon is pretty good :-) > >Setup details: >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL >Max SpamAssassin Size = 40000 >Required SpamAssassin Score = 6 >SA 2.61 with BigEvil list added >DCC >Razor2 Hi Julian. How did you add SA 2.61 with BigEvil ?. Is it SA 2.61, that is running on the MailScanner ?. How did you set up DCC and Razor2. If to be found somewhere, forget the question. /Erik. >The most amusing subject line of them all has to be this one: > A lean, fit and younger mailer-daemon > >Yes, I did think my current mailer-daemon was looking a bit ragged round >the edges :-) >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Jan 12 11:59:19 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:47 2006 Subject: 1 week's spam In-Reply-To: Message-ID: Hello Erik, > >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL > >Max SpamAssassin Size = 40000 > >Required SpamAssassin Score = 6 > >SA 2.61 with BigEvil list added > >DCC > >Razor2 > Hi Julian. How did you add SA 2.61 with BigEvil ?. Is it SA 2.61, that is > running on the MailScanner ?. Thats pretty simple, just add in in your /etc/mail/spamassassin dir and restart mailscanner. You can fetch the file on: http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf I have seen some hits that would have passed otherwise: Jan 12 12:50:38 vmx02 MailScanner[5139]: Message 1Ag0a2-0001VV-Af from 213.73.255.38 (600148832@bounces.spamcop.net) to multikabel.nl is spam, SpamAssassin (score=5.917, required 5, BAYES_44 -0.00, BigEvilList_193 3.00, DATE_IN_PAST_03_06 0.42, FROM_ALL_NUMS 0.69, FROM_ENDS_IN_NUMS 0.99, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, ORDER_NOW 0.35) from 600148832@bounces.spamcop.net, with a ORDER_NOW, rite :) > How did you set up DCC and Razor2. Those 2 are also pretty straight forward. Just read the docs, its a matter of just reading whats inside and SA picks then up automaticly. I also use Pyzor here, also nice to have. Bye, Raymond. From eja at URBAKKEN.DK Mon Jan 12 12:21:29 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: 1 week's spam In-Reply-To: References: Message-ID: <40029149.9020909@urbakken.dk> Raymond Dijkxhoorn wrote: > Hello Erik, Hello Raymond. > >>>Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL >>>Max SpamAssassin Size = 40000 >>>Required SpamAssassin Score = 6 >>>SA 2.61 with BigEvil list added >>>DCC >>>Razor2 > > >>Hi Julian. How did you add SA 2.61 with BigEvil ?. Is it SA 2.61, that is >>running on the MailScanner ?. > > > Thats pretty simple, just add in in your /etc/mail/spamassassin dir and > restart mailscanner. Ok. > You can fetch the file on: > > http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf Thanks, that I'll try. > I have seen some hits that would have passed otherwise: > > Jan 12 12:50:38 vmx02 MailScanner[5139]: Message 1Ag0a2-0001VV-Af from > 213.73.255.38 (600148832@bounces.spamcop.net) to multikabel.nl is spam, > SpamAssassin (score=5.917, required 5, BAYES_44 -0.00, BigEvilList_193 > 3.00, DATE_IN_PAST_03_06 0.42, FROM_ALL_NUMS 0.69, FROM_ENDS_IN_NUMS 0.99, > HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, > ORDER_NOW 0.35) > > from 600148832@bounces.spamcop.net, with a ORDER_NOW, rite :) > Ok :-) >>How did you set up DCC and Razor2. > > > Those 2 are also pretty straight forward. Just read the docs, its a matter > of just reading whats inside and SA picks then up automaticly. I also use > Pyzor here, also nice to have. I'll try it, but I feel its not as good as understandbale, as I want it :-) > Bye, > Raymond. > Bye, Erik. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Mon Jan 12 12:31:04 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:47 2006 Subject: 1 week's spam In-Reply-To: References: Message-ID: <40029388.4020406@urbakken.dk> > Those 2 are also pretty straight forward. Just read the docs, its a matter > of just reading whats inside and SA picks then up automaticly. I also use > Pyzor here, also nice to have. What does DCC ?. Is razor the Vipul's Razor ?. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From jaearick at COLBY.EDU Mon Jan 12 12:46:35 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:47 2006 Subject: 1 week's spam In-Reply-To: <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk> Message-ID: Julian, Curious... What is your high spam value, and what action do you take with high spam? Jeff From P.G.M.Peters at utwente.nl Mon Jan 12 13:13:20 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:47 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released
In-Reply-To: <6.0.1.1.2.20040109145946.0970af80@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040109145946.0970af80@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 9 Jan 2004 15:02:19 +0000, you wrote:

>- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.

Because of this I had a look at some spamassassin related files. I
noticed spam.assassin.prefs.conf still has (in my version at least):

|# For spam and notspam bins
|bayes_ignore_header X-MailScanner
|bayes_ignore_header X-MailScanner-SpamCheck
|bayes_ignore_header X-MailScanner-SpamScore
|bayes_ignore_header X-MailScanner-Information

With %org-name% this could change. I would suggest adding the following
text to the comment for %org-name%:

# Note: When changing %org% you should also change the corresponding
#       bayes_ignore_header lines in spam.assassin.prefs.

And changing the default lines in spam.assassin.prefs to

|# For spam and notspam bins
|bayes_ignore_header X-yoursite-MailScanner
|bayes_ignore_header X-yoursite-MailScanner-SpamCheck
|bayes_ignore_header X-yoursite-MailScanner-SpamScore
|bayes_ignore_header X-yoursite-MailScanner-Information

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Mon Jan 12 13:27:38 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:47 2006
Subject: 1 week's spam
In-Reply-To:
Message-ID:

Hi!

> http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
>
> I have seen some hits that would have passed otherwise:

I altered the auto update script that was posted for the bigevil list.
Might be of interest for other people also:

#!/bin/sh
## This file updates the big evil policy file for spam assassin

DATE=`date +"%Y%m%d-%H%M"`

[ -f /tmp/bigevil.cf ] && rm -f /tmp/bigevil.cf

# -O always writes to the named file, so -N (timestamping) had no effect and is dropped
wget http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf -O /tmp/bigevil.cf 2>&1 | grep -q 'saved'
if [ $? = 0 ] ; then
    # Only act when the downloaded list differs from the installed one
    cmp -s /tmp/bigevil.cf /etc/mail/spamassassin/bigevil.cf || {
        # do the mv's and emails here
        [ -f /etc/mail/spamassassin/bigevil.cf ] && mv -f /etc/mail/spamassassin/bigevil.cf /etc/mail/spamassassin/bigevil.cf.$DATE
        [ -f /tmp/bigevil.cf ] && mv -f /tmp/bigevil.cf /etc/mail/spamassassin/bigevil.cf
        # Mail the notice followed by the new file; a pipe and a "<" redirect
        # cannot both feed stdin, and -s has to come before the address
        { echo "BIG EVIL has changed on `hostname`. The new evil is \
`head -n 1 /etc/mail/spamassassin/bigevil.cf`"
          cat /etc/mail/spamassassin/bigevil.cf
        } | mail -s "The big evil policy has been updated" your@addy.here
        /etc/rc.d/init.d/MailScanner reload > /dev/null 2>&1
    }
fi
## EOF

Will fetch the list and check if its updated, just put in your cron.daily
or something.

bye,
Raymond.

From juan at SAREL.CO.IL Mon Jan 12 14:11:23 2004
From: juan at SAREL.CO.IL (JUAN)
Date: Thu Jan 12 21:21:47 2006
Subject: problem starting Mailscanner
Message-ID:

here I cut and paste ( it changes when I cut and paste):

    47 done
    48 fi
    49 daemon /usr/sbin/sendmail -bd OPrivacyMode=queueonly -OQueueDir
ectory=/var/spool/mqueue.in
    50 sendmail -q15m
    51 $([ -n "$QUEUE" ] && echo -q$QUEUE)
    52 RETVAL=$?
    53 echo
    54 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail

I also attached the file /etc/init.d/sendmail

thanks!!!

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Sunday, January 11, 2004 5:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: problem starting Mailscanner Please can you cut and paste the lines into an email, and not retype them. There are many apparent typing errors in the lines you have shown us, and we really do need to see the exact original lines. At 15:03 11/01/2004, you wrote: >O.K !! here is /etc/init.d/sendmail lines 47 to 54 > >line 47 done >line 48 fi >line 49 deamon /usr/sbin/sendmail -bd OPrivacy=queueonly >-0QUEUEDirectory=/var/spool/mqueue.in >line 50 sendmail q15m >line 51 $([-n "QUEUE" ] && echo -q$QUEUE) >line 52 RETVAL=$? >line 53 echo >line 54[RETVAL -eq0] 77 touch /var/lock/subsys/sendmail > >please help > >thanks > > > > >-----Original Message----- 
>From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] >Sent: Sunday, January 11, 2004 4:12 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: problem starting Mailscanner > > >On Sunday 11 January 2004 2:10 pm, ???? wrote: > > > Hi !! > > > > I am trying to configure sendmail on RH 8 . > > > > whan I issue the command /etc/init.d/sendmail restart I receive: > > > > /etc/init.d/sendmail :line 51: -q1h :command not found [ok] > >Looks like you've split the sendmail command across two lines - "-q1h" is an > >option which should follow sendmail on the same line. > >If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and >we'll look in more detail. > >Antony. > >-- >There are two possible outcomes: > > If the result confirms the hypothesis, then you've made a measurement. > If the result is contrary to the hypothesis, then you've made a discovery. > > - Enrico Fermi > > Please reply to the >list; > please don't CC >me. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail Type: application/octet-stream Size: 2986 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040112/31cb7f97/sendmail.obj From mailscanner at ecs.soton.ac.uk Mon Jan 12 14:00:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: 1 week's spam
In-Reply-To:
References: <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040112140020.09ecdab0@imap.ecs.soton.ac.uk>

At 12:46 12/01/2004, you wrote:
>Julian,
>    Curious... What is your high spam value, and what action
>do you take with high spam?

I don't use the high spam value, I deliver everything (with tagged subject
lines).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 12 14:18:03 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: problem starting Mailscanner
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040112141524.0a0ac5f8@imap.ecs.soton.ac.uk>

At 14:11 12/01/2004, you wrote:
>here I cut and paste ( its changes whan I cut and paste):
>
>     47 done
>     48 fi
>     49 daemon /usr/sbin/sendmail -bd
>OPrivacyMode=queueonly -OQueueDir
>ectory=/var/spool/mqueue.in

That's wrong. You have confused the settings. Please go and check the
documentation again and correct the settings for this command.
It should say this (all on 1 line)

daemon /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in

You have missed a "-", confused PrivacyMode with DeliveryMode and missed
the PrivacyOptions settings entirely.

>     50 sendmail -q15m
>     51 $([ -n
>"$QUEUE" ] && echo -q$QUEUE)
>     52 RETVAL=$?
>     53 echo
>     54 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
>
>I also attched the file /etc/init.d/sendmail
>
>thaks!!!
>
>
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Sunday, January 11, 2004 5:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: problem starting Mailscanner > > >Please can you cut and paste the lines into an email, and not retype them. >There are many apparent typing errors in the lines you have shown us, and >we really do need to see the exact original lines. > >At 15:03 11/01/2004, you wrote: > >O.K !! here is /etc/init.d/sendmail lines 47 to 54 > > > >line 47 done > >line 48 fi > >line 49 deamon /usr/sbin/sendmail -bd OPrivacy=queueonly > >-0QUEUEDirectory=/var/spool/mqueue.in > >line 50 sendmail q15m > >line 51 $([-n "QUEUE" ] && echo -q$QUEUE) > >line 52 RETVAL=$? > >line 53 echo > >line 54[RETVAL -eq0] 77 touch /var/lock/subsys/sendmail > > > >please help > > > >thanks > > > > > > > > > >-----Original Message----- 
> >From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > >Sent: Sunday, January 11, 2004 4:12 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: problem starting Mailscanner > > > > > >On Sunday 11 January 2004 2:10 pm, ???? wrote: > > > > > Hi !! > > > > > > I am trying to configure sendmail on RH 8 . > > > > > > whan I issue the command /etc/init.d/sendmail restart I receive: > > > > > > /etc/init.d/sendmail :line 51: -q1h :command not found [ok] > > > >Looks like you've split the sendmail command across two lines - "-q1h" is >an > > > >option which should follow sendmail on the same line. > > > >If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and > >we'll look in more detail. > > > >Antony. > > > >-- > >There are two possible outcomes: > > > > If the result confirms the hypothesis, then you've made a measurement. > > If the result is contrary to the hypothesis, then you've made a >discovery. > > > > - Enrico Fermi > > > > Please reply to the > >list; > > please don't CC > >me. > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rc at ITSS.NERC.AC.UK Mon Jan 12 14:41:58 2004 
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:21:47 2006
Subject: habeas.com
Message-ID: <4002B236.6060303@itss.nerc.ac.uk>

we have recently started receiving spam (viagra etc) with the habeas headers

X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .

SA gives this a score of -8 so it is well-nigh certain to get through with no flag.

HABEAS_SWE -8.00

Has anyone else noticed this? I think I am going to disable this test in SA

(This is SA 2.60)

Thanks ... Ron

From mailscanner at ecs.soton.ac.uk Mon Jan 12 14:42:39 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:47 2006 Subject: habeas.com In-Reply-To: <4002B236.6060303@itss.nerc.ac.uk> References: <4002B236.6060303@itss.nerc.ac.uk> Message-ID: <6.0.1.1.2.20040112144202.09eb2e40@imap.ecs.soton.ac.uk> Yes, I have received a load today and submitted them to habeas.com. I have reduced the rule score to about 3 which seems to working okay. At 14:41 12/01/2004, you wrote: > we have recently started recieving spam (viagra etc) with the habeas >headers > > >X-Habeas-SWE-1: winter into spring >X-Habeas-SWE-2: brightly anticipated >X-Habeas-SWE-3: like Habeas SWE (tm) >X-Habeas-SWE-4: Copyright 2002 Habeas (tm) >X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this >X-Habeas-SWE-6: email in exchange for a license for this Habeas >X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant >X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this >X-Habeas-SWE-9: mark in spam to . > > >SA gives this a score of -8 so it is well-nigh certain to get through >with no flag. > > HABEAS_SWE -8.00 > > >Has anyone else noticed this ? I think I am going to disable this >test in SA > >(This is SA 2.60) > > > Thanks ... Ron -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 12 14:53:09 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:47 2006 Subject: habeas.com Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C42C@jessica.herefordshire.gov.uk> On the spamassassin-talk list someone suggested this rule - depends who's abusing the habeas stuff, though. uri WWW_PHARMACOURT_BIZ /pharmacourt.biz/ describe WWW_PHARMACOURT_BIZ Links to frequently spamvertised site score WWW_PHARMACOURT_BIZ 12.0 12.0 12.0 12.0 Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Ron Campbell > Sent: 12 January 2004 14:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: habeas.com > > > we have recently started recieving spam (viagra etc) with the habeas > headers > > > X-Habeas-SWE-1: winter into spring > X-Habeas-SWE-2: brightly anticipated > X-Habeas-SWE-3: like Habeas SWE (tm) > X-Habeas-SWE-4: Copyright 2002 Habeas (tm) > X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this > X-Habeas-SWE-6: email in exchange for a license for this Habeas > X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant > X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this > X-Habeas-SWE-9: mark in spam to . > > > SA gives this a score of -8 so it is well-nigh certain to get through > with no flag. > > HABEAS_SWE -8.00 > > > Has anyone else noticed this ? I think I am going to disable this > test in SA > > (This is SA 2.60) > > > Thanks ... Ron > From cwharris at MORGAN.NET Mon Jan 12 15:01:09 2004 
From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:47 2006 Subject: File Table Full References: <004901c3d868$e9e42fb0$1c150fd0@shire> <20040111171528.4fcf0495.alex@fuzzycheese.com> <40026277.7030604@solid-state-logic.com> Message-ID: <009001c3d91c$e975a9a0$2105a8c0@pub.morgan.net> When I do this it shows my maxfiles currently set to 4136. I would assume this to enough. I'm still not sure why this happened. I have had 2 instances of my mqueue.in backing up. I think it backed up and MailScanner went into "emergency mode" and this cause my File Table to become full. But im still a newb and thats just a guess. ----- Original Message ----- 
From: "Martin Hepworth" To: Sent: Monday, January 12, 2004 3:01 AM Subject: Re: File Table Full > Alex Theodore wrote: > > You will need to recompile your FreeBSD Kernel with a higher value for the MAXUSER parameter. Try doubling or tripling it. You can also dynamically reconfigure this kernel parameter via sysctl(8) command. > > > > Regards, > > > > Alex > > > > > You don't need to recompile, add kern.maxfiles=2048 to /etc/sysctl.conf > to change the default on boot and use ' > > sysctl kern.maxfiles > > to find out what the value is now and > > sysctl kern.maxfiles 2048 > > to change the value to 2048 on the fly. Obviously you can alter the 2048 > to whatever value you want, but 2048 works well for my email server > running imap, so lots of users opening lots of files! > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > From steve.swaney at FSL.COM Mon Jan 12 15:02:48 2004 
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:47 2006
Subject: HABEAS_SWE -8.00 score
Message-ID: <20040112150450.9935421C391@mail.fsl.com>

The piece of spam below was not caught by SpamAssassin - apparently because it contained X-Habeas-SWE* lines in the header, it received a HABEAS_SWE -8.00 score from SpamAssassin. I'm seeing more and more of this type of Spam and will probably disable any HABEAS minus scoring as a result.

The Spam (stripped of HTML):

Improving the quality of people's lives is what prescription medications are designed to do and PharmaCourt believes that you deserve access to these medications. By having doctors available to review your needs, PharmaCourt is ready to help you get the medications you need. You can now order V??gr?, V?l??m, X?n?x securely and discreetly. Make it easy for you to order meds. We ship WORLDWIDE!... No forms to fill out... We respect your Privacy EVERYONE is approved

The headers:

Return-Path:
Received: from web01.fsl.com ([unix socket])
        by web01.fsl.com (Cyrus v2.1.15-Invoca-RPM-2.1.15-1) with LMTP; Sun, 11 Jan 2004 20:54:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from scan01.fsl.com (scan01.fsl.com [63.210.25.100])
        by mail.fsl.com (Postfix) with ESMTP id CF50821C39E
        for ; Sun, 11 Jan 2004 20:53:40 -0500 (EST)
Received: from adsl-68-92-246-96.dsl.ksc2mo.swbell.net (adsl-68-92-246-96.dsl.ksc2mo.swbell.net [68.92.246.96])
        by scan01.fsl.com (8.12.8/8.12.8) with SMTP id i0C1qlN4011281;
        Sun, 11 Jan 2004 20:53:02 -0500
Received: from 68.253.56.224 by 68.92.246.96; Sun, 11 Jan 2004 18:52:53 -0700
Message-ID:
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
From: "Damien H. Yates"
Reply-To: "Damien H. Yates"
To: richardd@fsl.com
Cc: dino@fsl.com, webmaster@fsl.com, weisen@fsl.com, pchkm@fsl.com, postmaster@fsl.com
Date: Mon, 12 Jan 2004 07:51:53 +0600
X-Mailer: Direct Mail for Mac OS X
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--9364418333149260"
X-Priority: 5
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.914, required 5,
        BIZ_TLD 0.78, HABEAS_SWE -8.00, HTML_40_50 0.47, HTML_MESSAGE 0.00,
        MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, NO_FORMS 1.34,
        RAZOR2_CF_RANGE_51_100 1.55, RAZOR2_CHECK 0.90, RCVD_IN_DYNABLOCK 2.55,
        RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10,
        SAVINGS 0.40)
X-MailScanner-SpamScore: s
Subject: Fwd: Save Big on V|@gra,ValX(u)m,X(a)n@x SvD2FF

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

From lou.baccari at HP.COM Mon Jan 12 15:10:14 2004
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:47 2006
Subject: 4.9 marked as spam.
Message-ID:

Hello,

It appears that today I can not send any mail to myself without it being marked as spam. I even added myself to the white list and the problem continues. Any ideas?

Lou.

==== Mail H ============

Subject: **SPAM** Restarted Named on
X-HPLC-MailScanner: Found to be clean
X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9,
        required 5, BAYES_00 -4.90)
X-HPLC-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5,
        BAYES_40 -0.00)
Return-Path: root@crl-ns1b.crl.dec.com
X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) FILETIME=[9FE379B0:01C3D91D]

==== spam.whitelist.rules ============

FromTo: *@192.58.206.19 yes
FromTo: *@*192.58.206.19 yes
FromTo: *@16.11.1.22 yes
FromTo: *@*16.11.1.22 yes

From mailscanner at ecs.soton.ac.uk Mon Jan 12 15:17:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:47 2006
Subject: 4.9 marked as spam.
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040112151600.03907418@imap.ecs.soton.ac.uk>

At 15:10 12/01/2004, you wrote:
>Hello,
>
>It appears that today I can not send any mail to myself without it being
>marked as spam. I even added myself to the white list and the problem
>continues. Any ideas?
>
>Lou.
>
>==== Mail H ============
>
>Subject: **SPAM** Restarted Named on
>X-HPLC-MailScanner: Found to be clean
>X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9,
> required 5, BAYES_00 -4.90)
>X-HPLC-MailScanner-Information: Please contact the ISP for more information
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5,
> BAYES_40 -0.00)
>Return-Path: root@crl-ns1b.crl.dec.com
>X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC)
>FILETIME=[9FE379B0:01C3D91D]
>
>==== spam.whitelist.rules ============
>
>FromTo: *@192.58.206.19 yes
>FromTo: *@*192.58.206.19 yes
>FromTo: *@16.11.1.22 yes
>FromTo: *@*16.11.1.22 yes

Your whitelist rules are wrong. You can whitelist IP addresses, but IP addresses and email addresses are totally different things. You should be using these lines instead:

FromTo: 192.58.206.19 yes
FromTo: 16.11.1.22 yes

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Antony at SOFT-SOLUTIONS.CO.UK Mon Jan 12 15:13:50 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:47 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <200401121513.50439.Antony@Soft-Solutions.co.uk> On Monday 12 January 2004 3:10 pm, Baccari, Lou wrote: > Hello, > > It appears that today I can not send any mail to myself without it being > marked as spam. I even added myself to the white list and the problem > continues. Any ideas? When were you last able to send yourself email and what have you changed since then? Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From hassan at cotas.net Mon Jan 12 15:05:19 2004 From: hassan at cotas.net (Hassan Khashashneh) Date: Thu Jan 12 21:21:47 2006 Subject: Error In-Reply-To: Message-ID: I'm Using MailScanner 4-25.14 with send mail and everytime i try to send email i got the following error: Our virus detector failed to completely analyse a message you sent:- To: hassan@dns Subject: Date: Mon Jan 12 10:42:01 2004 Any parts of the message that could not be analysed will not have been delivered. If you are using Microsoft Outlook, we strongly recommend you change your outgoing message format from "Rich Text" to "HTML" or "Plain Text". 1) Click on the "Tools" menu and choose "Options..." 2) Got to the "Mail Format" tab 3) For message format, select "HTML" or "Plain text" 4) Click OK The virus detector said this about the message: Report: MailScanner: Could not analyze message Hassan Khashashneh Dpto Sistemas Tropical Tours RADIUS. Tel: +591 (3) 3331888 Fax: +591 (3) 3361430 hassan@tropicaltours.com.bo http://www.tropicaltours.com.bo Santa Cruz - Bolivia. From lou.baccari at HP.COM Mon Jan 12 15:18:05 2004 
From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:47 2006 Subject: 4.9 marked as spam. Message-ID: Sorry, I should have provide more detail. I haven't changed anything for a few weeks and the last time I was able to receive mail correctly was sometime yesterday, 01/11/04, morning after 9am. Thanks Lou. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Antony Stone Sent: Monday, January 12, 2004 10:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. On Monday 12 January 2004 3:10 pm, Baccari, Lou wrote: > Hello, > > It appears that today I can not send any mail to myself without it being > marked as spam. I even added myself to the white list and the problem > continues. Any ideas? When were you last able to send yourself email and what have you changed since then? Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From Denis.Beauchemin at USHERBROOKE.CA Mon Jan 12 15:23:56 2004 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:47 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <1073921036.2565.57.camel@dbeauchemin.sti.usherbrooke.ca> Le lun 12/01/2004 ? 10:10, Baccari, Lou a ?crit : > Hello, > > It appears that today I can not send any mail to myself without it being marked as spam. I even added myself to the white list and the problem continues. Any ideas? > > Lou. > > ==== Mail H ============ > > Subject: **SPAM** Restarted Named on > X-HPLC-MailScanner: Found to be clean > X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > required 5, BAYES_00 -4.90) It appears your system is listed in SORBS-DNSBL! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From martinh at SOLID-STATE-LOGIC.COM Mon Jan 12 15:28:27 2004 
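Added example (not from any poster in this thread): a small Python parser for the X-MailScanner-SpamCheck value format shown in the two reports above. It flags a single negative-scoring rule whose removal would put the message over the threshold (the HABEAS_SWE case) and a "spam" verdict that comes from a spam list name rather than from the SpamAssassin score (the SORBS-DNSBL case). The function names are illustrative, and the reading of the header layout is an assumption based only on the samples quoted here.

```python
import re

# Header values copied from the two reports quoted in this thread.
HABEAS_CASE = (
    "not spam, SpamAssassin (score=1.914, required 5, BIZ_TLD 0.78, "
    "HABEAS_SWE -8.00, HTML_40_50 0.47, HTML_MESSAGE 0.00, "
    "MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, NO_FORMS 1.34, "
    "RAZOR2_CF_RANGE_51_100 1.55, RAZOR2_CHECK 0.90, "
    "RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10, "
    "RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10, SAVINGS 0.40)"
)
SORBS_CASE = ("spam, SORBS-DNSBL, SpamAssassin (score=-4.9,\n"
              "        required 5, BAYES_00 -4.90)")

NUM = r"-?\d+(?:\.\d+)?"
SA_RE = re.compile(
    r"SpamAssassin \(score=(%s), required (%s)([^)]*)\)" % (NUM, NUM))
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*) (%s)" % NUM)


def parse_spamcheck(value):
    """Split a *-MailScanner-SpamCheck header value into its parts.

    Assumed layout (from the samples above): a verdict, optional spam list
    names, then the SpamAssassin report in parentheses.
    """
    value = " ".join(value.split())          # unfold continuation lines
    m = SA_RE.search(value)
    prefix = value[:m.start()] if m else value
    parts = [p.strip() for p in prefix.split(",") if p.strip()]
    result = {
        "verdict": parts[0] if parts else "",
        "lists": parts[1:],                  # e.g. ["SORBS-DNSBL"]
        "score": None,
        "required": None,
        "rules": {},
    }
    if m:
        result["score"] = float(m.group(1))
        result["required"] = float(m.group(2))
        result["rules"] = {name: float(points)
                           for name, points in RULE_RE.findall(m.group(3))}
    return result


def explain(value):
    """Say why the verdict differs from what the other rule scores suggest."""
    r = parse_spamcheck(value)
    out = {"blocklist_override": [], "verdict_flipping_rules": []}
    if r["score"] is None:
        return out
    sa_says_spam = r["score"] >= r["required"]

    # Marked spam although the SpamAssassin score is below the threshold:
    # the spam list names in the header are what produced the verdict.
    if r["verdict"] == "spam" and not sa_says_spam:
        out["blocklist_override"] = list(r["lists"])

    # One negative rule that, on its own, keeps the message under the
    # threshold: without it the reported score would reach "required".
    if not sa_says_spam:
        for name, points in sorted(r["rules"].items()):
            without = round(r["score"] - points, 3)
            if points < 0 and without >= r["required"]:
                out["verdict_flipping_rules"].append((name, points, without))
    return out


if __name__ == "__main__":
    for label, header in (("habeas", HABEAS_CASE), ("sorbs", SORBS_CASE)):
        print(label, explain(header))
```

Run over stored headers, the second result list is a quick way to find rules whose negative score is large enough to be worth reviewing.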
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:48 2006 Subject: File Table Full In-Reply-To: <009001c3d91c$e975a9a0$2105a8c0@pub.morgan.net> References: <004901c3d868$e9e42fb0$1c150fd0@shire> <20040111171528.4fcf0495.alex@fuzzycheese.com> <40026277.7030604@solid-state-logic.com> <009001c3d91c$e975a9a0$2105a8c0@pub.morgan.net> Message-ID: <4002BD1B.8000804@solid-state-logic.com> Chris wrote: > When I do this it shows my maxfiles currently set to 4136. I would assume > this to enough. I'm still not sure why this happened. I have had 2 instances > of my mqueue.in backing up. I think it backed up and MailScanner went into > "emergency mode" and this cause my File Table to become full. But im still a > newb and thats just a guess. > > > > Chris might be worth having a look at all the logs (maillog / messages etc) around the time things started going odd and see if there's anything there.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From ugob at CAMO-ROUTE.COM Mon Jan 12 15:37:57 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:48 2006 Subject: Antivir Message-ID: <54C38A0B814C8E438EF73FC76F362927410790@mtlnt501fs.CAMOROUTE.COM> > > First. Its good to have this archive list, as some mails are > not comming to > my mailer. Yes the manual run works, and so do the wrapper program. > How is the command line for testing the eicar files ?. They > are placed in /tmp. > > /Erik. > What I usually do is send it to myself from my Yahoo! Account. Ugo > > >Antony. > > > >-- > >Ramdisk is not an installation procedure. > > > > Please > reply to the list; > > > please don't CC me. > From michael at emdy.com Mon Jan 12 15:16:22 2004 
From: michael at emdy.com (Michael Emdy) Date: Thu Jan 12 21:21:48 2006 Subject: Drowing in an ocean of email In-Reply-To: <6.0.1.1.2.20040112141524.0a0ac5f8@imap.ecs.soton.ac.uk> Message-ID: Help! We run an MS Exchange server internally and we have been plagued with high load and crashes until we implemented a linux gateway and chose to run MailScanner with Spam Assassin, RBL's (spamhaus and spamcop), and use the sa-learn script to train our bayesian DB. Now we gained stability internally, but the # of msgs per day are steadily climbing and at this rate should overwhelm even our linux gateway. We are taking upwards of 70-100k msgs a day for a company with just under 1000 employees. Our biggest problem currently is email destined for user email addresses that do not exist within our company. What finally happens is the "Bad Mail" queues up on our MS Exchange server and cannot be delivered and just gets shoved into a folder for the admin to deal with. Which basically we just have to go in on an hourly basis and delete the mail. Before figured out what was happening we had about 25GB of mail to delete from the folder, now we do it hourly until we can find a solution. I've configured Sendmail to not accept unresolvable domains, and I implemented the domain lookup as well. We still seem to be getting slammed by something. We are running out of options. Does anyone have any suggestions on what else we could do to start cutting down our daily msg intake? Any help would be greatly appreciated ! Thanks in advance, MTE From mailscanner at ecs.soton.ac.uk Mon Jan 12 15:56:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:48 2006 Subject: Drowing in an ocean of email In-Reply-To: References: <6.0.1.1.2.20040112141524.0a0ac5f8@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040112155511.041c8e98@imap.ecs.soton.ac.uk> What you need is for sendmail to check for valid users at SMTP level (ie. at RCPT time). This has, I believe, been discussed here before, and is certainly documented in the O'Reilly sendmail books. So search the list archive for RCPT and go and buy the O'Reilly sendmail book (latest edition). It's the "access" database which you need to set up. At 15:16 12/01/2004, you wrote: >Help! We run an MS Exchange server internally and we have been plagued >with high load and crashes until we implemented a linux gateway and >chose to run MailScanner with Spam Assassin, RBL's (spamhaus and >spamcop), and use the sa-learn script to train our bayesian DB. Now we >gained stability internally, but the # of msgs per day are steadily >climbing and at this rate should overwhelm even our linux gateway. We >are taking upwards of 70-100k msgs a day for a company with just under >1000 employees. Our biggest problem currently is email destined for >user email addresses that do not exist within our company. What finally >happens is the "Bad Mail" queues up on our MS Exchange server and cannot >be delivered and just gets shoved into a folder for the admin to deal >with. Which basically we just have to go in on an hourly basis and >delete the mail. Before figured out what was happening we had about >25GB of mail to delete from the folder, now we do it hourly until we can >find a solution. > >I've configured Sendmail to not accept unresolvable domains, and I >implemented the domain lookup as well. We still seem to be getting >slammed by something. We are running out of options. > >Does anyone have any suggestions on what else we could do to start >cutting down our daily msg intake? > >Any help would be greatly appreciated ! 
> >Thanks in advance, > >MTE -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From gioia at bclink.it Mon Jan 12 15:55:58 2004 From: gioia at bclink.it (Gioia Bastioni) Date: Thu Jan 12 21:21:48 2006 Subject: R: Little Report problem with Postfix In-Reply-To: <6.0.1.1.2.20040109141113.08eaec70@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, I've just had the time to try it sol@mydomain:/opt/MailScanner/lib/MailScanner/patch# rwxr-xr-x 2 root root 4096 Jan 12 16:49 ./ drwxr-xr-x 3 root root 4096 Jan 12 16:49 ../ -rwxr-xr-x 1 root root 106825 Jan 12 16:49 Message.pm -rw-r--r-- 1 root root 0 Jan 12 16:46 patch.txt patch -p0 < patch.txt and replace the new Message.pm in /opt/MailScanner/lib/MailScanner stop and restart postfix and MailScanner and I've still the same problem .. Recipient: user@mydomain.it, user@mydomain.it here's the new Message.pm -----Messaggio originale----- Da: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Per conto di Julian Field Inviato: venerd? 9 gennaio 2004 15.12 A: MAILSCANNER@JISCMAIL.AC.UK Oggetto: Re: Little Report problem with Postfix Please try this patch for /usr/lib/MailScanner/MailScanner/Message.pm. ---------SNIP------------ --- Message.pm 2003-12-02 11:44:42.000000000 +0000 +++ Message.pm.new 2004-01-09 14:12:09.000000000 +0000 
@@ -2315,11 +2315,17 @@ my $reportword = MailScanner::Config::LanguageValue($this, "report"); my $id = $this->{id}; my $from = $this->{from}; - my $to = join(', ', @{$this->{to}}); + #my $to = join(', ', @{$this->{to}}); my $subj = $this->{subject}; my $rept = join(" $reportword: ", @everyrept); my $ip = $this->{clientip}; + my($to, %tolist); + foreach $to (@{$this->{to}}) { + $tolist{$to} = 1; + } + $to = join(', ', sort keys %tolist); + my($result, $headers); if (MailScanner::Config::Value('hideworkdirinnotice',$this)) { ---------SNIP------------ At 13:06 09/01/2004, you wrote: >Hi guys, > >I've I have the seguent Report from Mailscanner when a Virus is found: > >********************************* >"The following e-mail messages were found to have viruses in them: > > Sender: admin@mydomain.it >IP Address: xxx.xxx.xxx.xxx > Recipient: user@mydomain.it, user@mydomain.it > Subject: your account yijefwov > MessageID: 28A7433F302 > Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] ./28A7433F302/message.zip ><<< Contains signature of the worm Worm/MiMail.A1 > F-Prot: >/var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.html >Infection: W32/Mimail.A@mm" >********************************* > >It only affects the reporting and doesn't have any impact on message >delivery at all. > >I found that someone else (the link below) pointed out this little problem, >but had no response. > >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S= & >P=27533 > >Just want to know if someone has an idea of why this happen.. > >I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and F-Prot >software > >Thanks all! Thanks Julian -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... 
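Review bot: the de-duplication in the added foreach loop keys %tolist on the exact recipient string, so the same mailbox written with different letter case would still appear twice in the notice; consider normalising the key (for example with lc) before "$tolist{$to} = 1". The variable $to is also used both as the loop variable and, after the loop, as the joined result, which is easy to misread; a separate loop variable would make the intent clearer. The commented-out "#my $to = join(...)" line can simply be deleted, and it is worth noting in a comment that "sort keys %tolist" changes the recipient order in the report from the original list order to alphabetical.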
Name: Message.pm Type: application/octet-stream Size: 107377 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040112/1d58eca5/Message.obj From nerijus at USERS.SOURCEFORGE.NET Mon Jan 12 15:59:18 2004 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:21:48 2006 Subject: New McAfee Commandline Scanner for Unix/Linux is out In-Reply-To: <200401121545.38600.james@grayonline.id.au> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C41C@jessica.herefordshire.gov.uk><20040108111446.A32070@pigeon.infotechfl.com> <200401121545.38600.james@grayonline.id.au> Message-ID: <20040112155806.EA76D5D92@mx.ktv.lt> On Mon, 12 Jan 2004 15:45:38 +1100 James Gray wrote: > OK - trap for young players: > DO NOT USE THE PENTIUM-OPTIMISED VERSION ON PENTIUM CLASSIC!! > Now install the the P4 optimised version on the same system and it will > complain that it can't load libstdc++.so.5. You can manually symlink this: > ln -s /usr/lib/libstdc++.so.3.0.4 /usr/lib/libstdc++.so.5 No no no! C++ ABI is not compatible between major versions, so it probably does not work because you cannot symlink like that! Please get libstdc++.so.5 for your distribution. > Now uvscan will run but you'll get stuff like this: > ./uvscan: /usr/lib/libstdc++.so.5: no version information available > (required by ./uvscan) Regards, Nerijus From lou.baccari at HP.COM Mon Jan 12 16:05:01 2004 
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:48 2006
Subject: 4.9 marked as spam.
Message-ID:

Thanks, I tried your suggestion and I now see the following error:

an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages
Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 messages, 874 bytes
Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match against destination IP address when resolving configuration option "spamwhitelist"
Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match against destination IP address when resolving configuration option "spamwhitelist"

=== spam.whitelist.rules =======
#
FromTo: 192.58.206.19 yes
FromTo: 16.11.1.22 yes

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, January 12, 2004 10:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. At 15:10 12/01/2004, you wrote: >Hello, > >It appears that today I can not send any mail to myself without it being >marked as spam. I even added myself to the white list and the problem >continues. Any ideas? > >Lou. > >==== Mail H ============ > >Subject: **SPAM** Restarted Named on >X-HPLC-MailScanner: Found to be clean >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > required 5, BAYES_00 -4.90) >X-HPLC-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > BAYES_40 -0.00) >Return-Path: root@crl-ns1b.crl.dec.com >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) >FILETIME=[9FE379B0:01C3D91D] > >==== spam.whitelist.rules ============ > >FromTo: *@192.58.206.19 yes >FromTo: *@*192.58.206.19 yes >FromTo: *@16.11.1.22 yes >FromTo: *@*16.11.1.22 yes You whitelist rules are wrong. You can whitelist IP addresses, but IP addresses and email addresses are totally different things. You should be using these lines instead: FromTo: 192.58.206.19 yes FromTo: 16.11.1.22 yes -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lou.baccari at HP.COM Mon Jan 12 16:08:34 2004 From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:48 2006 Subject: 4.9 marked as spam. Message-ID: I also notice SORBS-DNSBL and I went to http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers there and they came up clean, i.e. 'No entry found'. Lou,. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Denis Beauchemin Sent: Monday, January 12, 2004 10:24 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. Le lun 12/01/2004 ? 10:10, Baccari, Lou a ?crit : > Hello, > > It appears that today I can not send any mail to myself without it being marked as spam. I even added myself to the white list and the problem continues. Any ideas? > > Lou. > > ==== Mail H ============ > > Subject: **SPAM** Restarted Named on > X-HPLC-MailScanner: Found to be clean > X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > required 5, BAYES_00 -4.90) It appears your system is listed in SORBS-DNSBL! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Mon Jan 12 16:13:22 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:48 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <6.0.1.1.2.20040112161253.041e07d8@imap.ecs.soton.ac.uk> At 16:05 12/01/2004, you wrote: >Thanks, I Tried your suggestion and I now see the following error: > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 >messages, 874 bytes >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. >=== spam.whitelist.rules ======= ># >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, January 12, 2004 10:17 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >At 15:10 12/01/2004, you wrote: > >Hello, > > > >It appears that today I can not send any mail to myself without it being > >marked as spam. I even added myself to the white list and the problem > >continues. Any ideas? > > > >Lou. > > > >==== Mail H ============ > > > >Subject: **SPAM** Restarted Named on > >X-HPLC-MailScanner: Found to be clean > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > > required 5, BAYES_00 -4.90) > >X-HPLC-MailScanner-Information: Please contact the ISP for more information > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > > BAYES_40 -0.00) > >Return-Path: root@crl-ns1b.crl.dec.com > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > >FILETIME=[9FE379B0:01C3D91D] > > > >==== spam.whitelist.rules ============ > > > >FromTo: *@192.58.206.19 yes > >FromTo: *@*192.58.206.19 yes > >FromTo: *@16.11.1.22 yes > >FromTo: *@*16.11.1.22 yes > >You whitelist rules are wrong. You can whitelist IP addresses, but IP >addresses and email addresses are totally different things. You should be >using these lines instead: > >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Mon Jan 12 16:25:30 2004 
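An added example, not part of any list message and not MailScanner code: a small Python check for the two ruleset mistakes worked through in this thread (an IP address written as an `*@` address pattern, and an IP pattern under `FromTo:`). The rule syntax it accepts, the handling of `To:` and the names `lint_rule` and `lint_ruleset` are assumptions based only on the lines quoted above.

```python
"""Lint a MailScanner spam whitelist ruleset for the two mistakes in this thread."""
import ipaddress
import re

# Directions that involve the destination. The thread shows "FromTo:" with an IP
# failing with "Cannot match against destination IP address"; treating "To:" the
# same way is an assumption of this example.
DESTINATION_DIRECTIONS = {"fromto", "to"}

# "<Direction>: <pattern> <value>", as in the rules quoted in the thread.
RULE = re.compile(r"^(\w+):\s+(\S+)\s+(\S.*)$")

# Constructed sample: the poster's first rules, the intermediate suggestion that
# produced the Config Error, and the final working form.
SAMPLE_RULES = """\
# spam.whitelist.rules
FromTo: *@192.58.206.19 yes
FromTo: *@*16.11.1.22 yes
FromTo: 192.58.206.19 yes
From: 192.58.206.19 yes
From: 16.11.1.22 yes
"""


def parse_ip(text):
    """Return an ip_address for a complete IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def lint_rule(line):
    """Return (code, suggested_rule) for a flagged rule, or None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    match = RULE.match(stripped)
    if match is None:
        return ("unparsable", None)
    direction, pattern, value = match.groups()
    if "@" in pattern:
        # An e-mail address pattern whose domain part is really an IP address.
        # Per the thread, IP addresses and e-mail addresses are different things,
        # so this never whitelists the sending host.
        ip = parse_ip(pattern.rsplit("@", 1)[1].lstrip("*"))
        if ip is not None:
            return ("ip-in-address-pattern", f"From: {ip} {value}")
        return None
    ip = parse_ip(pattern)
    if ip is not None and direction.lower() in DESTINATION_DIRECTIONS:
        # A bare IP can only describe the connecting (sending) host.
        return ("ip-with-destination", f"From: {ip} {value}")
    return None


def lint_ruleset(text):
    """Return [(line_number, code, suggested_rule), ...] for a whole ruleset."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = lint_rule(line)
        if result is not None:
            findings.append((lineno, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for lineno, code, fix in lint_ruleset(SAMPLE_RULES):
        print(f"line {lineno}: {code}; suggested: {fix}")
```

Only complete IP literals are recognised; prefixes or ranges are passed through unflagged.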
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:48 2006 Subject: R: Little Report problem with Postfix In-Reply-To: References: <6.0.1.1.2.20040109141113.08eaec70@imap.ecs.soton.ac.uk> Message-ID: <57715.194.70.180.170.1073924730.squirrel@net.themarshalls.co.uk> I patched mine and it works fine but I think I guessed the command as #patch Message.pm < patch.txt Which reported as patched and it works :-) so thought no more of it... Drew -- Gioia Bastioni said: > Hi Julian, > I've just had the time to try it > > sol@mydomain:/opt/MailScanner/lib/MailScanner/patch# > rwxr-xr-x 2 root root 4096 Jan 12 16:49 ./ > drwxr-xr-x 3 root root 4096 Jan 12 16:49 ../ > -rwxr-xr-x 1 root root 106825 Jan 12 16:49 Message.pm > -rw-r--r-- 1 root root 0 Jan 12 16:46 patch.txt > > patch -p0 < patch.txt > > and replace the new Message.pm in /opt/MailScanner/lib/MailScanner > > stop and restart postfix and MailScanner and I've still the same problem > .. > Recipient: user@mydomain.it, user@mydomain.it > > here's the new Message.pm > > > -----Messaggio originale----- > Da: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Per > conto di Julian Field > Inviato: venerd? 9 gennaio 2004 15.12 > A: MAILSCANNER@JISCMAIL.AC.UK > Oggetto: Re: Little Report problem with Postfix > > > Please try this patch for /usr/lib/MailScanner/MailScanner/Message.pm. > > ---------SNIP------------ > --- Message.pm 2003-12-02 11:44:42.000000000 +0000 > +++ Message.pm.new 2004-01-09 14:12:09.000000000 +0000 
> @@ -2315,11 +2315,17 @@ > my $reportword = MailScanner::Config::LanguageValue($this, "report"); > my $id = $this->{id}; > my $from = $this->{from}; > - my $to = join(', ', @{$this->{to}}); > + #my $to = join(', ', @{$this->{to}}); > my $subj = $this->{subject}; > my $rept = join(" $reportword: ", @everyrept); > my $ip = $this->{clientip}; > > + my($to, %tolist); > + foreach $to (@{$this->{to}}) { > + $tolist{$to} = 1; > + } > + $to = join(', ', sort keys %tolist); > + > my($result, $headers); > > if (MailScanner::Config::Value('hideworkdirinnotice',$this)) { > ---------SNIP------------ > > At 13:06 09/01/2004, you wrote: >>Hi guys, >> >>I've I have the seguent Report from Mailscanner when a Virus is found: >> >>********************************* >>"The following e-mail messages were found to have viruses in them: >> >> Sender: admin@mydomain.it >>IP Address: xxx.xxx.xxx.xxx >> Recipient: user@mydomain.it, user@mydomain.it >> Subject: your account yijefwov >> MessageID: 28A7433F302 >> Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] > ./28A7433F302/message.zip >><<< Contains signature of the worm Worm/MiMail.A1 >> F-Prot: >>/var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.html >>Infection: W32/Mimail.A@mm" >>********************************* >> >>It only affects the reporting and doesn't have any impact on message >>delivery at all. >> >>I found that someone else (the link below) pointed out this little >> problem, >>but had no response. >> >>http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S& >>P=27533 >> >>Just want to know if someone has an idea of why this happen.. >> >>I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and >> F-Prot >>software >> >>Thanks all! 
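Review bot: the added `foreach` keys `%tolist` on the raw recipient string, so two entries in `@{$this->{to}}` that differ only in letter case would still both be listed in the notice; keying on a normalised form while keeping the original for display (for example `$tolist{lc $to} ||= $to;` and then joining the values) would cover that. `sort keys %tolist` also changes the recipient order in the report from envelope order to alphabetical, which deserves a comment if it is intended. The superseded statement is left behind as `#my $to = join(', ', @{$this->{to}});` and `$to` is then reused as both the loop variable and the final string; dropping the commented-out line and giving the loop its own variable would make the change easier to read. The de-duplication applies only to the string built here, since `$this->{to}` itself is not modified.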
Thanks Julian > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From lou.baccari at HP.COM Mon Jan 12 16:26:24 2004 From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:48 2006 Subject: 4.9 marked as spam. Message-ID: Julian, Thanks, that corrected the "Config Error:" problem, but mail from root still gets flagged as spam. I also tried removing SORBS-DNSBL from MailScanner.conf and mail from root passes. I've provide the header below. As stated earlier I checked http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers there and they came up clean, i.e. 'No entry found'. What could have happen since yesterday? Is there an other means of testing SORBS-DNSBL list? Lou. ==== Mail H ======= X-HPLC-MailScanner: Found to be clean X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, required 5, BAYES_00 -4.90) X-HPLC-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, BAYES_30 -0.90) X-PMX-Version: 4.1.1.86173 -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, January 12, 2004 11:13 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. At 16:05 12/01/2004, you wrote: >Thanks, I Tried your suggestion and I now see the following error: > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 >messages, 874 bytes >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. >=== spam.whitelist.rules ======= ># >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, January 12, 2004 10:17 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >At 15:10 12/01/2004, you wrote: > >Hello, > > > >It appears that today I can not send any mail to myself without it being > >marked as spam. I even added myself to the white list and the problem > >continues. Any ideas? > > > >Lou. > > > >==== Mail H ============ > > > >Subject: **SPAM** Restarted Named on > >X-HPLC-MailScanner: Found to be clean > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > > required 5, BAYES_00 -4.90) > >X-HPLC-MailScanner-Information: Please contact the ISP for more information > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > > BAYES_40 -0.00) > >Return-Path: root@crl-ns1b.crl.dec.com > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > >FILETIME=[9FE379B0:01C3D91D] > > > >==== spam.whitelist.rules ============ > > > >FromTo: *@192.58.206.19 yes > >FromTo: *@*192.58.206.19 yes > >FromTo: *@16.11.1.22 yes > >FromTo: *@*16.11.1.22 yes > >You whitelist rules are wrong. You can whitelist IP addresses, but IP >addresses and email addresses are totally different things. You should be >using these lines instead: > >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From gdoris at ROGERS.COM Mon Jan 12 16:26:51 2004 
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:48 2006
Subject: HABEAS_SWE -8.00 score
In-Reply-To: <20040112150450.9935421C391@mail.fsl.com>
Message-ID:

On Mon, 12 Jan 2004, Stephen Swaney wrote:

> The piece of spam below was not caught by SpamAssassin - apparently because
> it contained X-Habeas-SWE* lines in the header, it received a HABEAS_SWE
> -8.00 score from SpamAssassin.
>
> I'm seeing more and more of this type of Spam and will probably disable any
> HABEAS minus scoring as a result.
>
> The Spam (stripped of HTML:

It seems like the entire internet got hit with the latest viagra Habeas forged spam. Personally, I believe the SpamAssassin folks messed up badly by scoring these Habeas jokers with a -8. I've now set the scoring for Habeas at 0.

They apparently claim they will sue anyone forging their name...I'm afraid if I hold my breath I'll turn blue and die waiting.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From drew at THEMARSHALLS.CO.UK Mon Jan 12 16:32:10 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:48 2006 Subject: Drowing in an ocean of email Message-ID: <57751.194.70.180.170.1073925130.squirrel@net.themarshalls.co.uk> -- A set up like this must do user look up at the gateway. Not using Sendmail I am not familiar with how to implement this but it is possible with Postfix. It can be set up to do either LDAP (Active Directory look ups) or make user db from the Exchange v5 user accounts. This will then allow your mail gateway to bounce the invalid receipts not the Exchange machine hence stopping the self inflicted damage. Drew Ref: http://www.postfix.org/docs.html about half way down! -- Michael Emdy said: > Help! We run an MS Exchange server internally and we have been plagued with high load and crashes until we implemented a linux gateway and chose to run MailScanner with Spam Assassin, RBL's (spamhaus and spamcop), and use the sa-learn script to train our bayesian DB. Now we gained stability internally, but the # of msgs per day are steadily climbing and at this rate should overwhelm even our linux gateway. We are taking upwards of 70-100k msgs a day for a company with just under 1000 employees. Our biggest problem currently is email destined for user email addresses that do not exist within our company. What finally happens is the "Bad Mail" queues up on our MS Exchange server and cannot be delivered and just gets shoved into a folder for the admin to deal with. Which basically we just have to go in on an hourly basis and delete the mail. Before figured out what was happening we had about 25GB of mail to delete from the folder, now we do it hourly until we can find a solution. > > I've configured Sendmail to not accept unresolvable domains, and I implemented the domain lookup as well. We still seem to be getting slammed by something. We are running out of options. > > Does anyone have any suggestions on what else we could do to start cutting down our daily msg intake? 
> > Any help would be greatly appreciated ! > > Thanks in advance, > > MTE > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From michael at emdy.com Mon Jan 12 16:27:58 2004 From: michael at emdy.com (Michael Emdy) Date: Thu Jan 12 21:21:48 2006 Subject: Drowing in an ocean of email In-Reply-To: <6.0.1.1.2.20040112155511.041c8e98@imap.ecs.soton.ac.uk> Message-ID: Is this the feature your referring to in Sendmail >From my sendmail config: FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl -----Original Message----- 
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Monday, January 12, 2004 10:57 AM To: michael@emdy.com Cc: mailscanner@jiscmail.ac.uk Subject: Re: Drowing in an ocean of email What you need is for sendmail to check for valid users at SMTP level (ie. at RCPT time). This has, I believe, been discussed here before, and is certainly documented in the O'Reilly sendmail books. So search the list archive for RCPT and go and buy the O'Reilly sendmail book (latest edition). It's the "access" database which you need to set up. At 15:16 12/01/2004, you wrote: >Help! We run an MS Exchange server internally and we have been plagued >with high load and crashes until we implemented a linux gateway and >chose to run MailScanner with Spam Assassin, RBL's (spamhaus and >spamcop), and use the sa-learn script to train our bayesian DB. Now we >gained stability internally, but the # of msgs per day are steadily >climbing and at this rate should overwhelm even our linux gateway. We >are taking upwards of 70-100k msgs a day for a company with just under >1000 employees. Our biggest problem currently is email destined for >user email addresses that do not exist within our company. What finally >happens is the "Bad Mail" queues up on our MS Exchange server and cannot >be delivered and just gets shoved into a folder for the admin to deal >with. Which basically we just have to go in on an hourly basis and >delete the mail. Before figured out what was happening we had about >25GB of mail to delete from the folder, now we do it hourly until we can >find a solution. > >I've configured Sendmail to not accept unresolvable domains, and I >implemented the domain lookup as well. We still seem to be getting >slammed by something. We are running out of options. > >Does anyone have any suggestions on what else we could do to start >cutting down our daily msg intake? > >Any help would be greatly appreciated ! 
> >Thanks in advance, > >MTE -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Mon Jan 12 17:07:40 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:48 2006 Subject: exim equivalent of sendmail's access_db Message-ID: <4002D45C.4080805@solid-state-logic.com> Hi all I'm trying to setup my 'listening' exim config so it rejects email to non-existant addresses, but still relays for outbonnd email With sendmail I could use the access_db feature and put all the valid email addresses in a file (not that many). I've not yet set up an ldap config with all the aliases etc in, so what's the easiest way of getting exim to reject email's that are for non-existent users? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From A.Barker at UCL.AC.UK Mon Jan 12 17:04:15 2004
From: A.Barker at UCL.AC.UK (Adrian Barker) Date: Thu Jan 12 21:21:48 2006 Subject: 1 week's spam In-Reply-To: Your message of "Mon, 12 Jan 2004 10:19:28 GMT." <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk> Message-ID: <200401121704.i0CH4F808963@sun-226.is-eisd.ucl.ac.uk> >Morning all, > >Thought I would do a little check that my spam settings are doing okay. >So I have been checking my spam for the past week. > >In the past 7 days, I have received 2,977 bits of spam personally addressed >to me. >That's about 425 every day, which is about half my mail. (Boy, am I glad of >that MailScanner thingy!) > >In that time, there have been 0 false positives, and 23 false negatives. >This gives success rates of 100% and 99.2% respectively. > >Which I reckon is pretty good :-) > >Setup details: >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL >Max SpamAssassin Size = 40000 >Required SpamAssassin Score = 6 >SA 2.61 with BigEvil list added >DCC >Razor2 > Are the RBL lists being used by the mta, MailScanner or Spamassassin ? Adrian Barker, Information Systems University College London, Gower Street, London WC1E 6BT External phone: (+44) 020 7679 2795, Fax (+44) 20 7388 5406 Internal phone: x 32795 Email: A.Barker@ucl.ac.uk >The most amusing subject line of them all has to be this one: > A lean, fit and younger mailer-daemon > >Yes, I did think my current mailer-daemon was looking a bit ragged round >the edges :-) >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Jan 12 17:16:26 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:48 2006 Subject: 1 week's spam In-Reply-To: <200401121704.i0CH4F808963@sun-226.is-eisd.ucl.ac.uk> References: <200401121704.i0CH4F808963@sun-226.is-eisd.ucl.ac.uk> Message-ID: <6.0.1.1.2.20040112171550.04019008@imap.ecs.soton.ac.uk> At 17:04 12/01/2004, you wrote: > >Morning all, > > > >Thought I would do a little check that my spam settings are doing okay. > >So I have been checking my spam for the past week. > > > >In the past 7 days, I have received 2,977 bits of spam personally addressed > >to me. > >That's about 425 every day, which is about half my mail. (Boy, am I glad of > >that MailScanner thingy!) > > > >In that time, there have been 0 false positives, and 23 false negatives. > >This gives success rates of 100% and 99.2% respectively. > > > >Which I reckon is pretty good :-) > > > >Setup details: > >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL > >Max SpamAssassin Size = 40000 > >Required SpamAssassin Score = 6 > >SA 2.61 with BigEvil list added > >DCC > >Razor2 > > > >Are the RBL lists being used by the mta, MailScanner or Spamassassin ? MailScanner. Appearance in any of them results in a spam tag. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Jan 12 17:17:28 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:48 2006 Subject: exim equivalent of sendmail's access_db In-Reply-To: <4002D45C.4080805@solid-state-logic.com> Message-ID: Hi! > I'm trying to setup my 'listening' exim config so it rejects email to > non-existant addresses, but still relays for outbonnd email > > With sendmail I could use the access_db feature and put all the valid > email addresses in a file (not that many). If you have a static file you can use a lookup for this... On rcpt or sender. Could provide you some samples, little offtopic here. Bye, Raymond. From sevans at FOUNDATION.SDSU.EDU Mon Jan 12 17:18:30 2004 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:48 2006 Subject: 1 week's spam Message-ID: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sdsu.edu> I thought putting bigevil in /etc/mail/spamassassin didn't work with MailScanner until the latest version (which is still in beta) Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Monday, January 12, 2004 3:59 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 1 week's spam Hello Erik, > >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL Max > >SpamAssassin Size = 40000 Required SpamAssassin Score = 6 SA 2.61 > >with BigEvil list added DCC > >Razor2 > Hi Julian. How did you add SA 2.61 with BigEvil ?. Is it SA 2.61, that > is running on the MailScanner ?. Thats pretty simple, just add in in your /etc/mail/spamassassin dir and restart mailscanner. You can fetch the file on: http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf I have seen some hits that would have passed otherwise: Jan 12 12:50:38 vmx02 MailScanner[5139]: Message 1Ag0a2-0001VV-Af from 213.73.255.38 (600148832@bounces.spamcop.net) to multikabel.nl is spam, SpamAssassin (score=5.917, required 5, BAYES_44 -0.00, BigEvilList_193 3.00, DATE_IN_PAST_03_06 0.42, FROM_ALL_NUMS 0.69, FROM_ENDS_IN_NUMS 0.99, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, ORDER_NOW 0.35) from 600148832@bounces.spamcop.net, with a ORDER_NOW, rite :) > How did you set up DCC and Razor2. Those 2 are also pretty straight forward. Just read the docs, its a matter of just reading whats inside and SA picks then up automaticly. I also use Pyzor here, also nice to have. Bye, Raymond. From eja at URBAKKEN.DK Mon Jan 12 17:18:45 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:48 2006 Subject: Antivir In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410790@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410790@mtlnt501fs.CAMOROUTE.COM> Message-ID: <4002D6F5.5080802@urbakken.dk> Ugo Bellavance wrote: >>First. Its good to have this archive list, as some mails are >>not comming to >>my mailer. Yes the manual run works, and so do the wrapper program. >>How is the command line for testing the eicar files ?. They >>are placed in /tmp. >> >>/Erik. >> > > > What I usually do is send it to myself from my Yahoo! Account. Thanks Ugo. I'll do the same here :-) > Ugo > > >>>Antony. >>> >>>-- >>>Ramdisk is not an installation procedure. >>> >>> Please >> >>reply to the list; >> >>> >> >>please don't CC me. > > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From raymond at PROLOCATION.NET Mon Jan 12 17:20:22 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:48 2006 Subject: 1 week's spam In-Reply-To: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sdsu.edu> Message-ID: Hi! > I thought putting bigevil in /etc/mail/spamassassin didn't work with > MailScanner until the latest version (which is still in beta) It works just fine here. Bye, Raymond. From ka at PACIFIC.NET Mon Jan 12 17:21:36 2004 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:48 2006
Subject: Drowing in an ocean of email
In-Reply-To:
References:
Message-ID: <4002D7A0.60500@pacific.net>

The sendmail access db can contain a line for each user allowing mail, and a default line denying mail like so:

TO:user1@yourdomain.com RELAY
TO:user2@yourdomain.com RELAY
TO:user3@yourdomain.com RELAY
TO:domain.com ERROR:5.1.1:550 User unknown

See http://www.sendmail.org/m4/anti_spam.html#access_db_fine for more info.

Ken A
Pacific.Net

Michael Emdy wrote:
> Is this the feature your referring to in Sendmail
>
>>From my sendmail config:
>
> FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
>
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] > Sent: Monday, January 12, 2004 10:57 AM > To: michael@emdy.com > Cc: mailscanner@jiscmail.ac.uk > Subject: Re: Drowing in an ocean of email > > What you need is for sendmail to check for valid users at SMTP level > (ie. > at RCPT time). This has, I believe, been discussed here before, and is > certainly documented in the O'Reilly sendmail books. So search the list > archive for RCPT and go and buy the O'Reilly sendmail book (latest > edition). It's the "access" database which you need to set up. > > At 15:16 12/01/2004, you wrote: > >>Help! We run an MS Exchange server internally and we have been plagued >>with high load and crashes until we implemented a linux gateway and >>chose to run MailScanner with Spam Assassin, RBL's (spamhaus and >>spamcop), and use the sa-learn script to train our bayesian DB. Now we >>gained stability internally, but the # of msgs per day are steadily >>climbing and at this rate should overwhelm even our linux gateway. We >>are taking upwards of 70-100k msgs a day for a company with just under >>1000 employees. Our biggest problem currently is email destined for >>user email addresses that do not exist within our company. What > > finally > >>happens is the "Bad Mail" queues up on our MS Exchange server and > > cannot > >>be delivered and just gets shoved into a folder for the admin to deal >>with. Which basically we just have to go in on an hourly basis and >>delete the mail. Before figured out what was happening we had about >>25GB of mail to delete from the folder, now we do it hourly until we > > can > >>find a solution. >> >>I've configured Sendmail to not accept unresolvable domains, and I >>implemented the domain lookup as well. We still seem to be getting >>slammed by something. We are running out of options. >> >>Does anyone have any suggestions on what else we could do to start >>cutting down our daily msg intake? >> >>Any help would be greatly appreciated ! 
>> >>Thanks in advance, >> >>MTE > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From mailscanner at ecs.soton.ac.uk Mon Jan 12 17:26:06 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:48 2006 Subject: 1 week's spam In-Reply-To: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sd su.edu> References: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sdsu.edu> Message-ID: <6.0.1.1.2.20040112172500.042fdee8@imap.ecs.soton.ac.uk> Exactly what dirs it searches on its own is somewhat OS-dependent. So it's not a simple answer I'm afraid. Try putting some rules in there and "ls -lu" to find the last-access datestamp to see if they are being read or not. At 17:18 12/01/2004, you wrote: >I thought putting bigevil in /etc/mail/spamassassin didn't work with >MailScanner until the latest version (which is still in beta) > > >Steve Evans >SDSU Foundation > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Raymond Dijkxhoorn >Sent: Monday, January 12, 2004 3:59 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 1 week's spam > >Hello Erik, > > > >Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL Max > > >SpamAssassin Size = 40000 Required SpamAssassin Score = 6 SA 2.61 > > >with BigEvil list added DCC > > >Razor2 > > > Hi Julian. How did you add SA 2.61 with BigEvil ?. Is it SA 2.61, that > > > is running on the MailScanner ?. > >Thats pretty simple, just add in in your /etc/mail/spamassassin dir and >restart mailscanner. > >You can fetch the file on: > >http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf > >I have seen some hits that would have passed otherwise: > >Jan 12 12:50:38 vmx02 MailScanner[5139]: Message 1Ag0a2-0001VV-Af from >213.73.255.38 (600148832@bounces.spamcop.net) to multikabel.nl is spam, >SpamAssassin (score=5.917, required 5, BAYES_44 -0.00, BigEvilList_193 >3.00, DATE_IN_PAST_03_06 0.42, FROM_ALL_NUMS 0.69, FROM_ENDS_IN_NUMS >0.99, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE >0.10, ORDER_NOW 0.35) > >from 600148832@bounces.spamcop.net, with a ORDER_NOW, rite :) > > > How did you set up DCC and Razor2. > >Those 2 are also pretty straight forward. Just read the docs, its a >matter of just reading whats inside and SA picks then up automaticly. I >also use Pyzor here, also nice to have. > >Bye, >Raymond. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Mon Jan 12 17:26:28 2004 
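An added example, not part of any list message: a Python generator for the access-map layout Ken Anderson describes (one `TO:` line per valid recipient plus a per-domain "User unknown" default), fed from a static list of valid addresses like the one Martin Hepworth mentions. The function name, the sample addresses and the input format (one address per line) are assumptions of this example.

```python
"""Build sendmail access-map source: per-recipient RELAY plus a per-domain reject."""
import re

# Constructed sample input, one address per line, e.g. exported from the
# internal mail server. Line 4 carries a tab and a smuggled action; line 5 is
# for a domain the gateway does not handle.
SAMPLE_RECIPIENTS = (
    "user1@yourdomain.com\n"
    "User2@YourDomain.com\n"
    "user1@yourdomain.com\n"
    "user3@yourdomain.com\tOK\n"
    "stranger@elsewhere.example\n"
)

LOCAL_PART = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}")
DOMAIN = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}")
# Whitespace separates key from action in the map source, so an entry that
# contains any would let the input file choose its own action.
UNSAFE = re.compile(r"[\s\x00-\x1f\x7f]")

# Default action for everything else in the domain, as given in the thread.
REJECT_ACTION = "ERROR:5.1.1:550 User unknown"


def build_access_entries(recipient_text, protected_domains):
    """Return (map_lines, rejected) where rejected is [(line_number, reason)]."""
    protected = {d.lower() for d in protected_domains}
    accepted = {d: set() for d in protected}
    rejected = []
    for lineno, raw in enumerate(recipient_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if UNSAFE.search(entry):
            rejected.append((lineno, "whitespace or control character"))
            continue
        local, sep, domain = entry.rpartition("@")
        domain = domain.lower()
        if not sep or not LOCAL_PART.fullmatch(local) or not DOMAIN.fullmatch(domain):
            rejected.append((lineno, "not a plain user@domain address"))
            continue
        if domain not in protected:
            rejected.append((lineno, "domain is not one this gateway protects"))
            continue
        # makemap folds keys to lower case unless -f is given, so de-duplicate
        # on the lower-cased address.
        accepted[domain].add(local.lower())

    lines = []
    for domain in sorted(protected):
        if not accepted[domain]:
            # Emitting only the default reject would refuse all mail for the
            # domain; stop instead of publishing a map from an empty export.
            raise ValueError(f"no valid recipients for {domain}")
        for local in sorted(accepted[domain]):
            lines.append(f"TO:{local}@{domain}\tRELAY")
        lines.append(f"TO:{domain}\t{REJECT_ACTION}")
    return lines, rejected


if __name__ == "__main__":
    map_lines, skipped = build_access_entries(SAMPLE_RECIPIENTS, ["yourdomain.com"])
    print("\n".join(map_lines))
    for lineno, reason in skipped:
        print(f"# skipped input line {lineno}: {reason}")
```

The returned lines are map source; they take effect only after being compiled into the database named in the `access_db` feature line, for example with `makemap hash /etc/mail/access`.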
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:48 2006
Subject: exim equivalent of sendmail's access_db
In-Reply-To:
References:
Message-ID: <4002D8C4.8050905@solid-state-logic.com>

Raymond Dijkxhoorn wrote:
> Hi!
>
>
>>I'm trying to setup my 'listening' exim config so it rejects email to
>>non-existant addresses, but still relays for outbonnd email
>>
>>With sendmail I could use the access_db feature and put all the valid
>>email addresses in a file (not that many).
>
>
> If you have a static file you can use a lookup for this... On rcpt or
> sender.
>
> Could provide you some samples, little offtopic here.
>
> Bye,
> Raymond.

Yeah I know - but it saves having to subscribe to the exim list (and explaining how MailScanner works etc, and there are some Exim gurus lurking here..)

Anyway I have a list of valid email addresses...

martinh@solid-state-logic.com
martin.hepworth@solid-state-logic.com
postmaster@solid-state-logic.com
......

If the email is from the 'outside' then it should check the list. If on the list then queue_only (as it does now). If not on the list reject the email.

If the email is from the internal network (ie our relay host), then queue_only.

This will stop exim (and MailScanner) processing all the spam I get for non-existent users.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mike at ZANKER.ORG Mon Jan 12 17:32:47 2004
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:21:48 2006
Subject: 1 week's spam
In-Reply-To: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sdsu.edu>
References: <3A411846CD3C0D4CB3D8704F937353702E227F@be-00.foundation.sdsu.edu>
Message-ID: <198744890.1073928767@jemima.zanker.org>

On 12 January 2004 09:18 -0800 Steve Evans wrote:

> I thought putting bigevil in /etc/mail/spamassassin didn't work with
> MailScanner until the latest version (which is still in beta)

I set

SpamAssassin Local Rules Dir = /etc/MailScanner/spamassassin

in MailScanner.conf and dropped bigevil.cf in there. It works fine.

Mike.

From mike at CAMAROSS.NET Mon Jan 12 17:38:45 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:48 2006
Subject: 1 week's spam
In-Reply-To:
Message-ID: <200401121733.i0CHXmsA023530@avwall.bladeware.com>

Here too

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> Sent: Monday, January 12, 2004 11:20 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: 1 week's spam
>
> Hi!
>
> > I thought putting bigevil in /etc/mail/spamassassin didn't work with
> > MailScanner until the latest version (which is still in beta)
>
> It works just fine here.
>
> Bye,
> Raymond.
>

From cwharris at MORGAN.NET Mon Jan 12 17:42:32 2004
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:48 2006
Subject: Still having some problems with queue
Message-ID: <002401c3d933$74cce390$2105a8c0@pub.morgan.net>

Ok just so I don't forget...

I'm running FreeBSD 4.6 with Sendmail 8.12.3, MailScanner 4.20, and SA
2.61.

For some reason my queue keeps getting backed up. Yesterday I took 60,000+
messages out of mqueue.in and got it below 2000 messages and it caught up
fine. This morning I took 1000 messages and put them in the queue, and now
it has gone from 1000 messages up to 3500 messages. Should I mess with any
of the MailScanner.conf settings to see if I can make it process the queue
faster? I'm sorry if there is a simple answer to this that I'm overlooking but
I'm still new to MailScanner and can't seem to fix this.

Chris

From wppiphoto at WPPI.COM Mon Jan 12 17:47:03 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
Message-ID: <003101c3d934$19a275b0$0e01a8c0@Toshiba>

I just found out that Mailscanner/Spamassassin rejects e-mails coming from
our web form which customers fill out. How do I get Mailscanner/Spamassassin
to see them as not spam? The problem I'm having is that the way the web form
is set up is that each e-mail that gets received has the person's e-mail
address as the "From" field so it's impossible to add a 'whitelist' based on
e-mail addresses because that will be different each time someone fills out
the web form.

Thanks,

SW

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From steve.swaney at FSL.COM Mon Jan 12 17:48:23 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <003101c3d934$19a275b0$0e01a8c0@Toshiba>
Message-ID: <20040112175025.A7B0D21C367@mail.fsl.com>

More information would be useful.

Why are the emails being rejected? What rules are triggering the rejection?

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of SW
> Sent: Monday, January 12, 2004 12:47 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Whitelist web form e-mails {Scanned}
>
> I just found out that Mailscanner/Spamassassin rejects e-mails coming
> from our web form which customers fill out. How do I get
> Mailscanner/Spamassassin to see them as not spam? The problem I'm having
> is that the way the web form is set up is that each e-mail that gets
> received has the person's e-mail address as the "From" field so it's
> impossible to add a 'whitelist' based on e-mail addresses because that
> will be different each time someone fills out the web form.
>
> Thanks,
>
> SW
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

From martinh at SOLID-STATE-LOGIC.COM Mon Jan 12 17:52:38 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:48 2006
Subject: Still having some problems with queue
In-Reply-To: <002401c3d933$74cce390$2105a8c0@pub.morgan.net>
References: <002401c3d933$74cce390$2105a8c0@pub.morgan.net>
Message-ID: <4002DEE6.3070808@solid-state-logic.com>

Chris wrote:
> Ok just so I don't forget...
>
> I'm running FreeBSD 4.6 with Sendmail 8.12.3, MailScanner 4.20, and SA
> 2.61.
>
> For some reason my queue keeps getting backed up. Yesterday I took 60,000+
> messages out of mqueue.in and got it below 2000 messages and it caught up
> fine. This morning I took 1000 messages and put them in the queue, and now
> it has gone from 1000 messages up to 3500 messages. Should I mess with any
> of the MailScanner.conf settings to see if I can make it process the queue
> faster? I'm sorry if there is a simple answer to this that I'm overlooking but
> I'm still new to MailScanner and can't seem to fix this.
>
> Chris

Chris

About to head off home, so just a few things to consider...

Have you got the mail queue dirs on a separate disk?

Have you checked the RBLs, and made sure none of them are timing out?
What RBLs are you running?

Have you got softupdates configured on the file system with the message
queue and MailScanner working directory?

How much memory have you got, and how much swap are you running? (top
will show how much is being used).

What CPU is running on the system, and is the load showing above high
when you get these backlogs?

It really sounds like something is slowing the system down, is there
anything in the maillog to indicate this?

Have you checked the SA files with --lint?

What happens if you run MailScanner in debug mode, any indications of
slow down/timeouts there..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 12 17:52:58 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <003101c3d934$19a275b0$0e01a8c0@Toshiba>
Message-ID:

That's a little mad.
What is pushing it up so high that you get it tagged as spam?

We use web based forms, as do most of our clients and nobody has ever had
any issues

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From mailscanner at ecs.soton.ac.uk Mon Jan 12 17:54:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <003101c3d934$19a275b0$0e01a8c0@Toshiba>
References: <003101c3d934$19a275b0$0e01a8c0@Toshiba>
Message-ID: <6.0.1.1.2.20040112175349.04075c98@imap.ecs.soton.ac.uk>

At 17:47 12/01/2004, you wrote:
>I just found out that Mailscanner/Spamassassin rejects e-mails coming from
>our web form which customers fill out. How do I get Mailscanner/Spamassassin
>to see them as not spam? The problem I'm having is that the way the web form
>is set up is that each e-mail that gets received has the person's e-mail
>address as the "From" field so it's impossible to add a 'whitelist' based on
>e-mail addresses because that will be different each time someone fills out
>the web form.

Try whitelisting 127.0.0.1 and the machine's own IP address.
See /etc/MailScanner/rules/* for help and examples on setting up a ruleset
to do this.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 12 17:53:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:48 2006
Subject: Still having some problems with queue
In-Reply-To: <002401c3d933$74cce390$2105a8c0@pub.morgan.net>
References: <002401c3d933$74cce390$2105a8c0@pub.morgan.net>
Message-ID: <6.0.1.1.2.20040112174739.0430dda0@imap.ecs.soton.ac.uk>

At 17:42 12/01/2004, you wrote:
>Ok just so I don't forget...
>
>I'm running FreeBSD 4.6 with Sendmail 8.12.3, MailScanner 4.20, and SA
>2.61.
>
>For some reason my queue keeps getting backed up. Yesterday I took 60,000+
>messages out of mqueue.in and got it below 2000 messages and it caught up
>fine. This morning I took 1000 messages and put them in the queue, and now
>it has gone from 1000 messages up to 3500 messages. Should I mess with any
>of the MailScanner.conf settings to see if I can make it process the queue
>faster? I'm sorry if there is a simple answer to this that I'm overlooking but
>I'm still new to MailScanner and can't seem to fix this.

Try disabling various things:
1) SpamAssassin
2) "Spam List" setting
3) All the HTML tag tests. Set them all to "yes" except for the HTML tag
   logging options which you should set to "no"
4) Reduce "Max SpamAssassin Size" to 20000 or so
5) Try setting "SuperSafe" to false in your sendmail.cf
6) Try switching to an operating system that has tmpfs (I appreciate this
   is non-trivial)
7) Try a newer version of MailScanner (4.24-5 or newer) as this has an
   automatic accelerated "queue clearing mode" which will make it behave a
   lot better with large queues

Do 7 first, and see if it helps. After that try 4,1,2,3. Then 5 and finally
6 if you still can't make it run fast enough.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 12 17:55:00 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:48 2006
Subject: 1 week's spam
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C42D@jessica.herefordshire.gov.uk>

The easy way is to do the following:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

Then you'll see lines like these:

debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 12 January 2004 17:26
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: 1 week's spam
>
> Exactly what dirs it searches on its own is somewhat OS-dependent. So it's
> not a simple answer I'm afraid. Try putting some rules in there and
> "ls -lu" to find the last-access datestamp to see if they are being read
> or not.
>
> At 17:18 12/01/2004, you wrote:
> >I thought putting bigevil in /etc/mail/spamassassin didn't work with
> >MailScanner until the latest version (which is still in beta)
> >
> >Steve Evans
> >SDSU Foundation

From wppiphoto at WPPI.COM Mon Jan 12 18:07:29 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
References: <20040112175025.A7B0D21C367@mail.fsl.com>
Message-ID: <004601c3d936$f45776e0$0e01a8c0@Toshiba>

> "Stephen Swaney" wrote:

> Why are the emails being rejected? What rules are triggering the rejection?

The e-mails are being tagged by spamassassin as spam due to their content.
I'm not sure why the content is seen as spam but that's what I'm getting.

Thanks,

SW

----- Original Message -----
From: "Stephen Swaney"
To:
Sent: Monday, January 12, 2004 12:48 PM
Subject: Re: Whitelist web form e-mails {Scanned}

> More information would be useful.
>
> Steve
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com

From steve.swaney at FSL.COM Mon Jan 12 18:18:35 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <004601c3d936$f45776e0$0e01a8c0@Toshiba>
Message-ID: <20040112182037.D7ED521C438@mail.fsl.com>

First - Are the emails getting rejected (deleted) or marked as spam?

Second - Look at the full header of one of the emails, you should see
something like:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.383, required 5,
        HTML_60_70 0.10, HTML_FONT_INVISIBLE 0.45, HTML_IMAGE_ONLY_04 1.53,
        HTML_MESSAGE 0.00, HTML_WEB_BUGS 0.59, MIME_HTML_ONLY 0.10,
        MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
        RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10,
        RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10)

If you don't see this information in the header, please modify
MailScanner.conf to set:

Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes

And when you get another rejection, send us the details of why it was
rejected.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

From wppiphoto at WPPI.COM Mon Jan 12 18:37:35 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
References: <003101c3d934$19a275b0$0e01a8c0@Toshiba> <6.0.1.1.2.20040112175349.04075c98@imap.ecs.soton.ac.uk>
Message-ID: <004e01c3d93b$28ff1750$0e01a8c0@Toshiba>

Julian wrote:

> Try whitelisting 127.0.0.1 and the machine's own IP address.

I added the mailserver which the form is being sent from and it now works.
Interesting thing is that the spamassassin score seems to be pretty high for
stuff that is not spam (score=7.288) which is why it got rejected to begin
with. This makes me wonder what else is being tagged as spam which is not?

SW

From ugob at CAMO-ROUTE.COM Mon Jan 12 18:39:17 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
Message-ID: <54C38A0B814C8E438EF73FC76F362927410791@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: SW [mailto:wppiphoto@WPPI.COM]
> Sent: Monday, January 12, 2004 1:38 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelist web form e-mails {Scanned}
>
> Julian wrote:
>
> > Try whitelisting 127.0.0.1 and the machine's own IP address.
>
> I added the mailserver which the form is being sent from and it now works.
> Interesting thing is that the spamassassin score seems to be pretty high
> for stuff that is not spam (score=7.288) which is why it got rejected to
> begin with. This makes me wonder what else is being tagged as spam
> which is not?

As Stephen said, check the headers or your logs, you'll get the answer.

Ugo

>
> SW
>

From wppiphoto at WPPI.COM Mon Jan 12 18:42:13 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
References: <20040112182037.D7ED521C438@mail.fsl.com>
Message-ID: <005a01c3d93b$ce30ac20$0e01a8c0@Toshiba>

Stephen:

> First - Are the emails getting rejected (deleted) or marked as spam?

e-mails are being rejected as I have it set up in mailscanner to do so

> And when you get another rejection, send us the details of why it was
> rejected

I'm not able to get the rejection for some reason. It's trying to bounce
back to the sending server and something happens to it. But, I got it to
work by adding the ip address of the sending e-mail server to the whitelist.
Here is what comes now after adding that mailserver to the whitelist:

X-WPPi-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=7.288, required 4, BAYES_44 -0.00,
        FORGED_RCVD_NET_HELO 4.10, MSGID_FROM_MTA_SHORT 3.03,
        NO_REAL_NAME 0.16)

Thanks,

SW

----- Original Message -----
From: "Stephen Swaney"
To:
Sent: Monday, January 12, 2004 1:18 PM
Subject: Re: Whitelist web form e-mails {Scanned}

>
> Second - Look at the full header of one of the emails, you should see
> something like:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.383, required 5,
>         HTML_60_70 0.10, HTML_FONT_INVISIBLE 0.45, HTML_IMAGE_ONLY_04 1.53,
>         HTML_MESSAGE 0.00, HTML_WEB_BUGS 0.59, MIME_HTML_ONLY 0.10,
>         MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
>         RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10,
>         RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10)
>
> If you don't see this information in the header, please modify
> MailScanner.conf to set:
>
> Detailed Spam Report = yes
> Include Scores In SpamAssassin Report = yes
>
> And when you get another rejection, send us the details of why it was
> rejected.
>
> Steve
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com

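An added example, not part of the thread: an IP whitelist entry overrides the verdict but MailScanner still records the SpamAssassin score, so the same report string seen in the headers and maillog lines above can be parsed to list what the whitelist is letting through and which rules drove the score. The function and class names are hypothetical; the sample inputs are the two headers and the log line quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# "<verdict>, SpamAssassin (score=S, required R, RULE pts, ...)" as it appears in
# the X-...-MailScanner-SpamCheck header and in MailScanner's maillog lines.
REPORT_RE = re.compile(
    r"^(?P<prefix>.*?), SpamAssassin \(score=(?P<score>-?\d+(?:\.\d+)?), "
    r"required (?P<required>-?\d+(?:\.\d+)?)(?P<rules>(?:, \w+ -?\d+(?:\.\d+)?)*)\)"
)
VERDICT_RE = re.compile(r"(?P<verdict>not spam|spam)(?P<wl> \(whitelisted\))?$")
RULE_RE = re.compile(r"(\w+) (-?\d+(?:\.\d+)?)")


@dataclass
class SpamReport:
    verdict: str                # "spam" or "not spam", as MailScanner decided
    whitelisted: bool           # verdict was forced by a whitelist entry
    score: float
    required: float
    rules: list = field(default_factory=list)   # [(rule name, points), ...]

    @property
    def over_threshold(self):
        return self.score >= self.required


def parse_report(text):
    """Parse one header (folded or not) or one log line; None if no report."""
    flat = " ".join(text.split())               # unfold continuation lines
    m = REPORT_RE.search(flat)
    if m is None:
        return None
    v = VERDICT_RE.search(m.group("prefix"))
    if v is None:
        return None
    rules = [(name, float(pts)) for name, pts in RULE_RE.findall(m.group("rules"))]
    return SpamReport(v.group("verdict"), v.group("wl") is not None,
                      float(m.group("score")), float(m.group("required")), rules)


def passed_only_by_whitelist(reports):
    """Messages delivered as 'not spam' although their score met the threshold."""
    return [r for r in reports if r.whitelisted and r.over_threshold]


def top_rules(report, n=3):
    """The n rules that contributed the most points to this message's score."""
    return sorted(report.rules, key=lambda rule: rule[1], reverse=True)[:n]


# Sample inputs copied from the thread: SW's header, Stephen Swaney's example
# header, and the maillog line Raymond Dijkxhoorn posted.
SAMPLES = [
    """X-WPPi-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=7.288, required 4, BAYES_44 -0.00,
        FORGED_RCVD_NET_HELO 4.10, MSGID_FROM_MTA_SHORT 3.03,
        NO_REAL_NAME 0.16)""",
    """X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.383, required 5,
        HTML_60_70 0.10, HTML_FONT_INVISIBLE 0.45, HTML_IMAGE_ONLY_04 1.53,
        HTML_MESSAGE 0.00, HTML_WEB_BUGS 0.59, MIME_HTML_ONLY 0.10,
        MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
        RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10,
        RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10)""",
    """Jan 12 12:50:38 vmx02 MailScanner[5139]: Message 1Ag0a2-0001VV-Af from
213.73.255.38 (600148832@bounces.spamcop.net) to multikabel.nl is spam,
SpamAssassin (score=5.917, required 5, BAYES_44 -0.00, BigEvilList_193
3.00, DATE_IN_PAST_03_06 0.42, FROM_ALL_NUMS 0.69, FROM_ENDS_IN_NUMS
0.99, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE
0.10, ORDER_NOW 0.35)""",
]

if __name__ == "__main__":
    reports = [parse_report(sample) for sample in SAMPLES]
    for r in passed_only_by_whitelist(reports):
        print(f"whitelist override: score {r.score} >= required {r.required}")
        for name, pts in top_rules(r):
            print(f"  {pts:5.2f}  {name}")
```

Run over a day's headers or maillog, the whitelist-override list shows how much mail an IP entry is exempting and whether one rule accounts for most of it.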
-------------------------------------------------

From peter at UCGBOOK.COM Mon Jan 12 18:49:20 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <005a01c3d93b$ce30ac20$0e01a8c0@Toshiba>
References: <20040112182037.D7ED521C438@mail.fsl.com> <005a01c3d93b$ce30ac20$0e01a8c0@Toshiba>
Message-ID: <4002EC30.5010804@ucgbook.com>

You said you used a web based form to send the e-mails. I assume you use something like ASP, Perl or PHP then to send the mail from the web server. I'm just guessing but those mail modules might not be fully RFC compliant.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

SW wrote:
> X-WPPi-MailScanner-SpamCheck: not spam (whitelisted),
> SpamAssassin (score=7.288, required 4, BAYES_44 -0.00,
> FORGED_RCVD_NET_HELO 4.10, MSGID_FROM_MTA_SHORT 3.03,
> NO_REAL_NAME 0.16)

From mkettler at EVI-INC.COM Mon Jan 12 18:57:43 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:48 2006
Subject: HABEAS_SWE -8.00 score
In-Reply-To:
References: <20040112150450.9935421C391@mail.fsl.com>
Message-ID: <6.0.0.22.0.20040112135024.02dffef0@xanadu.evi-inc.com>

At 11:26 AM 1/12/2004, Gerry Doris wrote:
>It seems like the entire internet got hit with the latest viagra Habeas
>forged spam.
>
>Personally, I believe the SpamAssassin folks messed up badly by scoring
>these Habeas jokers with a -8. I've now set the scoring for Habeas at 0.
>They apparently claim they will sue anyone forging their name...I'm afraid
>if I hold my breath I'll turn blue and die waiting.

Reducing the score to 0 seems reasonable to me, but to call Habeas "Jokers" is uncalled for and a grossly uneducated knee-jerk reaction at the absolute best.

In 2003, Habeas successfully sued Dale Heller. They also settled with Avalend.

They are no joke whatsoever.. They have, and likely will continue to, successfully sue infringers as they pop up.

However, I've always been skeptical of -8 as a score for habeas.. It's a bit strong for my liking...

But then again, that makes it tempting for spammers to try to abuse and makes them a fat target for a lawsuit with good success.

Probably the best way to eliminate spammers is to tempt them to do something sufficiently illegal that they get sued into the ground or jailed.

From eja at URBAKKEN.DK Mon Jan 12 19:03:04 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:48 2006
Subject: Antivir
Message-ID:

Hello folks.

>> What I usually do is send it to myself from my Yahoo! Account.
>
>Thanks Ugo. I'll do the same here :-)
>
>> Ugo

I did send one of the Eicar testfiles to myself. It was detected by f-prot and clamav, but unfortunately not by antivir :-)

What the heck is wrong here? Any suggestions?

**************************************************************************

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "eicar.com"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Mon Jan 12 19:57:43 2004 the virus scanner said:
F-Prot: eicar.com Infection: EICAR_Test_File
ClamAV: eicar.com contains Eicar-Test-Signature
MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20040112 (message AE0F146F9D).
--
Postmaster
MailScanner thanks transtec Computers for their support

/Erik.

From steve.swaney at FSL.COM Mon Jan 12 19:02:21 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:48 2006
Subject: Whitelist web form e-mails {Scanned}
In-Reply-To: <005a01c3d93b$ce30ac20$0e01a8c0@Toshiba>
Message-ID: <20040112190422.E0A3521C28E@mail.fsl.com>

I take it that you're now receiving the emails from the web form, correct?

Your web form email was triggering several SpamAssassin tests. The worst two were:

FORGED_RCVD_NET_HELO 4.10:

header FORGED_RCVD_HELO eval:check_for_forged_received_hel
describe FORGED_RCVD_HELO Received: contains a forged HELO

MSGID_FROM_MTA_SHORT 3.03:

header MSGID_FROM_MTA_SHORT eval:mta_added_message_id('short'
describe MSGID_FROM_MTA_SHORT Message-Id was added by a relay

You'd have to work through the SpamAssassin code to see exactly what header setting in your web form created header layout triggered the problem, but I suspect that the web form's use of the sender's email address in the From: field in a message (apparently) from your web server is the root of the problem.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of SW
> Sent: Monday, January 12, 2004 1:42 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelist web form e-mails {Scanned}
>
> Stephen:
>
> > First - Are the emails getting rejected (deleted) or marked as spam?
> e-mails are being rejected as I have it setup in mailscanner to do so
>
> > And when you get another rejection, send us the details of why it was
> > rejected
> I'm not able to get the rejection for some reason. It's trying to bounce back
> to the sending server and something happens to it. But, I got it to work by
> adding the ip address of the sending e-mail server to the whitelist. Here is
> what comes now after adding that mailserver to the whitelist:
>
> X-WPPi-MailScanner-SpamCheck: not spam (whitelisted),
> SpamAssassin (score=7.288, required 4, BAYES_44 -0.00,
> FORGED_RCVD_NET_HELO 4.10, MSGID_FROM_MTA_SHORT 3.03,
> NO_REAL_NAME 0.16)
>
> Thanks,
>
> SW
>
> ----- Original Message -----
> From: "Stephen Swaney"
> To:
> Sent: Monday, January 12, 2004 1:18 PM
> Subject: Re: Whitelist web form e-mails {Scanned}
>
> > Second - Look at the full header of one of the emails, you should see
> > something like:
> >
> > X-MailScanner-SpamCheck: spam, SpamAssassin (score=9.383, required 5,
> > HTML_60_70 0.10, HTML_FONT_INVISIBLE 0.45, HTML_IMAGE_ONLY_04 1.53,
> > HTML_MESSAGE 0.00, HTML_WEB_BUGS 0.59, MIME_HTML_ONLY 0.10,
> > MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
> > RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10,
> > RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10)
> >
> > If you don't see this information in the header, please modify
> > MailScanner.conf to set:
> >
> > Detailed Spam Report = yes
> > Include Scores In SpamAssassin Report = yes
> >
> > And when you get another rejection, send us the details of why it was
> > rejected.
> >
> > Steve
> >
> > Stephen Swaney
> > President
> > Fortress Systems Ltd.
> > Steve.Swaney@FSL.com
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > > Behalf Of SW
> > > Sent: Monday, January 12, 2004 1:07 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Whitelist web form e-mails {Scanned}
> > >
> > > > "Stephen Swaney" wrote:
> > >
> > > > Why are the emails being rejected? What rules are triggering the
> > > > rejection?
> > >
> > > The e-mails are being tagged by spamassassin as spam due to their content.
> > > I'm not sure why the content is seen as spam but that's what I'm getting.
> > >
> > > Thanks,
> > >
> > > SW
> > >
> > > ----- Original Message -----
> > > From: "Stephen Swaney"
> > > To:
> > > Sent: Monday, January 12, 2004 12:48 PM
> > > Subject: Re: Whitelist web form e-mails {Scanned}
> > >
> > > > More information would be useful.
> > > >
> > > > Steve
> > > >
> > > > Stephen Swaney
> > > > President
> > > > Fortress Systems Ltd.
> > > > Steve.Swaney@FSL.com
> > > >
> > > > > -----Original Message-----
> > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > > > > Behalf Of SW
> > > > > Sent: Monday, January 12, 2004 12:47 PM
> > > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > > Subject: Whitelist web form e-mails {Scanned}
> > > > >
> > > > > I just found out that Mailscanner/Spamassassin rejects e-mails coming
> > > > > from our web form which customers fill out. How do I get
> > > > > Mailscanner/Spamassassin to see them as not spam? The problem I'm having
> > > > > is that the way the web form is setup is that each e-mail that gets
> > > > > received has the person's e-mail address as the "From" field so it's
> > > > > impossible to add a 'whitelist' based on e-mail addresses because that
> > > > > will be different each time someone fills out the web form.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > SW

From chris at FRACTALWEB.COM Mon Jan 12 19:20:41 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:48 2006
Subject: IE URL vulnerability exploits have begun
In-Reply-To: <1073866066.17299.10.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C219DE@pascal.priv.bmrb.co.uk> <1073866066.17299.10.camel@bach.kevinspicer.co.uk>
Message-ID: <4002F389.4070405@fractalweb.com>

Kevin Spicer wrote:

>Actually APNIC is the registrar for that netblock, by searching APNIC's
>whois database you find that this address is part of a netblock further
>delegated to TWNIC (Taiwan Network Information Centre). Searching
>further through APNIC's and TWNIC's whois databases you find the IP is
>owned by....
>
>Lu Pen Technology Co., Ltd.
> No. 101-10, Shenduen Li, Juenli City, Taoyung
> Taoyung
> TW
>
> Netname: LU-PEN-TECHN-TY-NET
> Netblock: 211.23.65.80/29
>

Kevin,

Now that's some great sleuthing. :-) The site seems to be shut down, fortunately.

Cheers,
Chris

From steve.douglas at SBIINCORPORATED.COM Mon Jan 12 19:25:46 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:48 2006
Subject: Mail log in debug mode
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3995@mail.gardenbotanika.com>

I am temporarily running in debug mode. My log shows the following:

++++Jan 12 13:17:07 hprh sendmail[6158]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
++++Jan 12 13:17:07 hprh sendmail[6158]: daemon MTA: problem creating SMTP socket

Does this imply a serious error or that a good process already is using it?

Thanks.

I am running 4.25-14, RH9, Sendmail, 1.5 GB RAM, 80 GB drive, SA 2.61, tmpfs, latest release of f-prot

SD :-)

From mark at TIPPINGMAR.COM Mon Jan 12 19:39:50 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:49 2006
Subject: 1 week's spam
In-Reply-To: <6.0.1.1.2.20040112092311.03a74880@imap.ecs.soton.ac.uk>
Message-ID: <40028786.1951.13A35693@localhost>

It sounds like Julian's experience would indicate that the RBLs in his Spam List never return a false positive (at least they didn't in the 1 week test). If that is the case, then those of us using the same RBLs in SpamAssassin might consider increasing the scores for these. After all, using the RBLs in MailScanner's Spam List is roughly equivalent to using them in SpamAssassin with high scores, so that hitting one RBL test is sufficient to consider the message as spam.

Of course, those of us using the "high scoring" method to delete spam should be a little more careful about the score assigned. Julian's system of delivering everything is more tolerant of a false positive.

--- Mark

On 12 Jan 2004 at 10:19, Julian Field wrote:

> In the past 7 days, I have received 2,977 bits of spam personally addressed
> to me.
> That's about 425 every day, which is about half my mail. (Boy, am I glad of
> that MailScanner thingy!)
>
> In that time, there have been 0 false positives, and 23 false negatives.
> This gives success rates of 100% and 99.2% respectively.
>
> Which I reckon is pretty good :-)
>
> Setup details:
> Spam List = ORDB-RBL MAPS-RBL+ spamhaus.org spamhaus-XBL
> Max SpamAssassin Size = 40000
> Required SpamAssassin Score = 6
> SA 2.61 with BigEvil list added
> DCC
> Razor2
> --
> Julian Field

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From Antony at SOFT-SOLUTIONS.CO.UK Mon Jan 12 19:57:10 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:49 2006
Subject: Mail log in debug mode
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3995@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3995@mail.gardenbotanika.com>
Message-ID: <200401121957.10670.Antony@Soft-Solutions.co.uk>

On Monday 12 January 2004 7:25 pm, Steve Douglas wrote:

> I am temporarily running in debug mode. My log shows the following:
>
> ++++Jan 12 13:17:07 hprh sendmail[6158]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> ++++Jan 12 13:17:07 hprh sendmail[6158]: daemon MTA: problem creating SMTP
> socket
>
> Does this imply a serious error or that a good process already is using it?

Try (as root) "netstat -lp" (that's a lower case L and a lower case P).

It will tell you what program is listening on the smtp port, then you can decide whether it's serious or not :)

Antony.

--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics

Please reply to the list; please don't CC me.

From ugob at CAMO-ROUTE.COM Mon Jan 12 20:07:34 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:49 2006
Subject: Antivir
Message-ID: <54C38A0B814C8E438EF73FC76F362927410792@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Erik Jakobsen [mailto:eja@URBAKKEN.DK]
> Sent: Monday, January 12, 2004 2:03 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Antivir
>
> Hello folks.
>
> >> What I usually do is send it to myself from my Yahoo! Account.
> >
> >Thanks Ugo. I'll do the same here :-)
> >
> >> Ugo
>
> I did send one of the Eicar testfiles to myself. It was
> detected by f-prot
> and clamav, but unfortunately not by antivir :-)
>
> What the heck is wrong here? Any suggestions?
>
> **************************************************************************

Anything weird in your logs? Could you copy/paste the section of MailScanner.conf about virus scanners settings?

>
> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "eicar.com"
> was believed to be infected by a virus and has been replaced
> by this warning
> message.
>
> If you wish to receive a copy of the *infected* attachment, please
> e-mail helpdesk and include the whole of this message
> in your request. Alternatively, you can call them, with
> the contents of this message to hand when you call.
>
> At Mon Jan 12 19:57:43 2004 the virus scanner said:
> F-Prot: eicar.com Infection: EICAR_Test_File
> ClamAV: eicar.com contains Eicar-Test-Signature
> MailScanner: Executable DOS/Windows programs are dangerous in email
> (eicar.com)
>
> Note to Help Desk: Look on the MailScanner in
> /var/spool/MailScanner/quarantine/20040112 (message AE0F146F9D).
> --
> Postmaster
> MailScanner thanks transtec Computers for their support
>
> /Erik.
>

From ugob at CAMO-ROUTE.COM Mon Jan 12 20:09:13 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:49 2006
Subject: Mail log in debug mode
Message-ID: <54C38A0B814C8E438EF73FC76F362927410793@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM]
> Sent: Monday, January 12, 2004 2:26 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mail log in debug mode
>
> I am temporarily running in debug mode. My log shows the following:
>
> ++++Jan 12 13:17:07 hprh sendmail[6158]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> ++++Jan 12 13:17:07 hprh sendmail[6158]: daemon MTA: problem
> creating SMTP
> socket
>
> Does this imply a serious error or that a good process
> already is using it?

A netstat -tlnp will tell you what process is binding to port 25. Probably just your plain sendmail. You must deactivate the original sendmail, keep only mailscanner.

Ugo

> Thanks.
>
> I am running 4.25-14, RH9, Sendmail, 1.5 GB RAM, 80 GB drive, SA 2.61,
> tmpfs, latest release of f-prot
>
> SD :-)
>

From gdoris at ROGERS.COM Mon Jan 12 20:18:38 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:49 2006
Subject: HABEAS_SWE -8.00 score
In-Reply-To: <6.0.0.22.0.20040112135024.02dffef0@xanadu.evi-inc.com>
References: <20040112150450.9935421C391@mail.fsl.com> <6.0.0.22.0.20040112135024.02dffef0@xanadu.evi-inc.com>
Message-ID: <1073938718.1672.7.camel@jaguar.dorfam.ca>

On Mon, 2004-01-12 at 13:57, Matt Kettler wrote:
> At 11:26 AM 1/12/2004, Gerry Doris wrote:
> >It seems like the entire internet got hit with the latest viagra Habeas
> >forged spam.
> >
> >Personally, I believe the SpamAssassin folks messed up badly by scoring
> >these Habeas jokers with a -8. I've now set the scoring for Habeas at 0.
> >They apparently claim they will sue anyone forging their name...I'm afraid
> >if I hold my breath I'll turn blue and die waiting.
>
> Reducing the score to 0 seems reasonable to me, but to call Habeas "Jokers"
> is uncalled for and a grossly uneducated knee-jerk reaction at the absolute
> best.
>
> In 2003, Habeas successfully sued Dale Heller. They also settled with Avalend.
>
> They are no joke whatsoever.. They have, and likely will continue to,
> successfully sue infringers as they pop up.
>
> However, I've always been skeptical of -8 as a score for habeas.. It's a
> bit strong for my liking...
>
> But then again, that makes it tempting for spammers to try to abuse and
> makes them a fat target for a lawsuit with good success.
>
> Probably the best way to eliminate spammers is to tempt them to do
> something sufficiently illegal that they get sued into the ground or jailed.

Yes, you're correct. It was uncalled for and a knee-jerk reaction. A score of -8 totally caught me by surprise. I had absolutely no idea it was there...and I suspect quite a few spammers weren't aware of it either.

I fully expect to see an onslaught of these now and I'm skeptical that Habeas will be able to stem the tide. However, based on your confidence in them I'll start holding my breath and see what happens !
--
Gerry Doris

From peter at UCGBOOK.COM Mon Jan 12 20:26:29 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:49 2006
Subject: Mail log in debug mode
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3995@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3995@mail.gardenbotanika.com>
Message-ID: <400302F5.5060800@ucgbook.com>

That looks like the message you get when trying to start Sendmail with it already running.

Use "chkconfig --list" to see at which runlevels Sendmail and MailScanner are set to be started, Sendmail should be off at all levels.

Use "service sendmail stop" and then "service mailscanner restart" to get rid of rogue Sendmail processes and start fresh with MailScanner.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Steve Douglas wrote:
> ++++Jan 12 13:17:07 hprh sendmail[6158]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> ++++Jan 12 13:17:07 hprh sendmail[6158]: daemon MTA: problem creating SMTP
> socket

From mkettler at EVI-INC.COM Mon Jan 12 20:39:31 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:49 2006
Subject: HABEAS_SWE -8.00 score
In-Reply-To: <1073938718.1672.7.camel@jaguar.dorfam.ca>
References: <20040112150450.9935421C391@mail.fsl.com> <6.0.0.22.0.20040112135024.02dffef0@xanadu.evi-inc.com> <1073938718.1672.7.camel@jaguar.dorfam.ca>
Message-ID: <6.0.0.22.0.20040112152831.02e1b3b0@xanadu.evi-inc.com>

At 03:18 PM 1/12/2004, Gerry Doris wrote:
>I fully expect to see an onslaught of these now and I'm skeptical that
>Habeas will be able to stem the tide. However, based on your confidence
>in them I'll start holding my breath and see what happens !

For reference, I've been running with the following in my spam.assassin.prefs.conf ever since SWE was added to SA:

score HABEAS_SWE -3.0

I also tend to rein in the score of RCVD_IN_BSP_TRUSTED a bit as well.

Even so, I've been having to use some custom rules to catch this wave. One of them still came in at +3.174, even with the SWE only giving -3.0. Without SWE at all it would have just barely been over the line at +6.174.

I've been using this case-sensitive rule, among others, to catch this particular wave and force them to hit some heavy scores:

body LOCAL_SPAMMER_PRIVACY /\.\.\. We respect your Privacy\b/
score LOCAL_SPAMMER_PRIVACY 5.0
describe LOCAL_SPAMMER_PRIVACY this spammer respects our privacy, but not our mailboxes

If you look at several of the emails there's a few pieces of text that don't vary across any of them.. You can write a bunch of simple rules to match those parts.

From jendries at PRAGMETA.COM Mon Jan 12 20:57:04 2004
From: jendries at PRAGMETA.COM (Josh Endries)
Date: Thu Jan 12 21:21:49 2006
Subject: Bouncing Spam
In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE13964CC6D@pinewood.ncl.ac.uk>
Message-ID: <40030A20.4090301@pragmeta.com>

Quentin Campbell wrote:
> I receive so much spam each day that it is not practical to have tagged
> messages delivered then moved to a "spam" folder (by a personal mail
> filter) where I am supposed to inspect them for possible false
> positives.
>
> I would be interested to hear what alternative strategies have been
> adopted by people in my position.

We're currently testing an implementation to see if it works well, which it seems to so far. A couple problems are keeping me from rolling it out 100% (bayes training/permission issues).

We deliver all email to the intended recipient after tagging it. Our philosophy is to let the user do whatever they want with their email. We've never had quota problems, but it's possible to make different areas of a user's mailbox (like a "spam" folder) have different quotas in Cyrus, which is nifty.

Anyway this works well with SpamAssassin and some additional rule sets. I've gotten (and still have, for when we get Bayes working ;)) thousands of spam messages and can't currently remember a single false positive (I would say 3 FPs max in the past 6 months, if any). I check for false positives sometimes though I don't need to, but I still have the option in case I'm expecting something. I get maybe 5 uncaught spams each week (this is all without Bayes). Other users have had similar success so it seems to work fine.

The only problem with this is when a user sets their email to forward to another address. Some people will block a message at the MTA, which bounces back to us, and in turn bounces back to the original sender (usually forged), which then bounces back to me (postmaster@).
I have yet to get MailScanner to do RBL checking/blocking correctly for these users, but haven't spent much time on it (only two users do this). Last try, it was looking for spamassassin even though I had that part turned off (we use spamc/spamd outside of MailScanner). Theoretically MailScanner will fix this problem but as yet I haven't gotten it to do so.

Bouncing spam/virii is a horrible way to go, IMO.

From krice at SERVERSANDSOLUTIONS.COM Mon Jan 12 21:20:20 2004
From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice)
Date: Thu Jan 12 21:21:49 2006
Subject: 1 week's spam
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C42D@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C42D@jessica.herefordshire.gov.uk>
Message-ID: <20040112162020.064f7589@inside.serversandsolutions.com>

On Mon, 12 Jan 2004 17:55:00 -0000 "Randal, Phil" wrote:

> The easy way is to do the following:
>
> spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>
> Then you'll see lines like these:
>
> debug: using "/usr/share/spamassassin" for default rules dir
> debug: using "/etc/mail/spamassassin" for site rules dir
> debug: using "/root/.spamassassin" for user state dir
> debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file

I hadn't noticed this before, and I've just upgraded to MailScanner-4.26-4 this weekend:

"debug: Language possibly: en,sco"

sco?

GREAT Software and a Great List. Amazing what one can add to one's brain just by lurking here.

Ken Rice
The Library Corporation
Inwood, WV US

From cwharris at MORGAN.NET Mon Jan 12 21:41:16 2004
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:49 2006
Subject: Still having some problems with queue
References: <002401c3d933$74cce390$2105a8c0@pub.morgan.net> <4002DEE6.3070808@solid-state-logic.com>
Message-ID: <001a01c3d954$cf471bd0$2105a8c0@pub.morgan.net>

The queue is on the same disk. I am not checking any RBL's. I do however have Razor, DCC and Pyzor installed. Not sure what Softupdates is.

If I do top it looks like this:

CPU states: 53.9% user, 0.0% nice, 21.3% system, 0.8% interrupt, 24.0% idle
Mem: 215M Active, 141M Inact, 109M Wired, 23M Cache, 61M Buf, 14M Free
Swap: 1008M Total, 12M Used, 996M Free, 1% Inuse

Comp is a Pentium 4 2.53GHz

----- Original Message -----
From: "Martin Hepworth"
To:
Sent: Monday, January 12, 2004 11:52 AM
Subject: Re: Still having some problems with queue

> about to head off home, so just a few things to consider...
>
> have you got the mail queue dir's on a separate disk?
>
> have you checked the RBL's, and made sure none of them are timing out?
> What RBL's are you running?
>
> have you got softupdates configured on the file system with the message
> queue and MailScanner working directory.
>
> How much memory have you got, and how much swap are you running? (top
> will show how much is being used). What CPU is running on the system,
> and is the load showing above high when you get these backlogs?
>
> It really sounds like something is slowing the system down, is there
> anything in the maillog to indicate this? have you checked the SA files
> with --lint?
>
> What happens if you run MailScanner in debug mode, any indications of
> slow down/timeouts there..
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>

From strgout at UNIXJUNKIE.COM Mon Jan 12 22:14:43 2004
From: strgout at UNIXJUNKIE.COM (John)
Date: Thu Jan 12 21:21:49 2006
Subject: File Table Full
In-Reply-To: <004901c3d868$e9e42fb0$1c150fd0@shire>
References: <004901c3d868$e9e42fb0$1c150fd0@shire>
Message-ID: <20040112221442.GA15957@mail.unixjunkie.com>

I know this is kind of an old thread, but I just wanted to throw my bits in.

man tuning (FreeBSDism) is a good thing.

"...
The kern.maxfiles sysctl determines how many open files the system supports. The default is typically a few thousand but you may need to bump this up to ten or twenty thousand if you are running databases or large descriptor-heavy daemons. The read-only kern.openfiles sysctl may be interrogated to determine the current number of open files on the system.
.."

sysctl kern.maxfiles
kern.maxfiles: 8136

sysctl kern.openfiles
kern.openfiles: 149

On Sun, Jan 11, 2004 at 11:32:34AM -0600, Chris Harris wrote:
> I'm getting some errors and hoping someone can tell me what has cause it and
> how I can fix it.
>
> in my messages log:
>
> sendmail[54147]: i0B9PGr5054147: SYSERR(root): fill_fd: disconnect: fd 0 not
> open: Bad file descriptor
>
> file: table is full
>
> sendmail[54227]: i0B9Per5054227: SYSERR(root): fill_fd: disconnect: cannot
> open /dev/null: Too many open files in system
>
>
> the message file: table is full is repeated over and over.
>
> Any ideas?
>
> Chris

From mailscanner at ecs.soton.ac.uk Tue Jan 13 04:18:56 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:49 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200401130418.i0D4IumV007632@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Jeffrey Eaton

Our Company, Isolated Networks gives friends and family alike free e-mail accounts to use for everyday usage. Thus being family some are not very computer friendly. MailScanner has helped reduce unwanted mail and viruses by over 94.3%

My inbox now gets only 3 spam through per day, whereas before I would get at least 50.



MailScanner Developers should push their product harder as I think it could become a standard on some linux releases.

From cwharris at MORGAN.NET Mon Jan 12 23:01:35 2004
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:49 2006
Subject: Progress on Queue
Message-ID: <000f01c3d960$070c4bc0$2105a8c0@pub.morgan.net>

Ok I did as Julian suggested and disabled spamassassin, and its kickin through my backed up queue without a problem. But I kinda need spamassassin.
Is there a way to speed up SA?

Chris

From mike at CAMAROSS.NET Mon Jan 12 23:11:15 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:49 2006
Subject: Progress on Queue
In-Reply-To: <000f01c3d960$070c4bc0$2105a8c0@pub.morgan.net>
Message-ID: <200401122306.i0CN6DsA032555@avwall.bladeware.com>

You might entertain throwing some more RAM in that box. Also, are you running a caching-only nameserver on your mail box?

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris
> Sent: Monday, January 12, 2004 5:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Progress on Queue
>
> Ok I did as Julian suggested and disabled spamassassin, and
> its kickin through my backed up queue without a problem. But
> I kinda need spamassassin.
> Is there a way to speed up SA?
>
> Chris
>

From ivan at NUCCI.COM.BR Mon Jan 12 23:06:59 2004
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:21:49 2006
Subject: Startup Script in RPM
In-Reply-To: <3FE84FAE.2060403@networking4all.com>
References: <8FFC76593085ED4A80D3601BC41EFCDF02A606FE@inex1.herffjones.hj-int> <3FE84FAE.2060403@networking4all.com>
Message-ID: <40032893.6080400@nucci.com.br>

Hi Guys,

I have noticed that the scripts that came with the RPM package for Red Hat 9 don't quite show the status correctly. Whenever I run it more than twice to shut down MS, I still get the response as being [OK].

Does anyone know how to fix it?

TIA
Ivan

From darren at CONCEPTTECHNOLOGYINC.COM Tue Jan 13 00:48:28 2004
From: darren at CONCEPTTECHNOLOGYINC.COM (Darren Fulton - Concept Technology)
Date: Thu Jan 12 21:21:49 2006
Subject: clamscan - oversized zip, workaround?
Message-ID: <4003405C.3000001@concepttechnologyinc.com>

Recently I've run into a problem with ClamAV that causes it to quarantine attached zip files if the compression ratio is too high. Specifically, a ~30 MB tif file compressed using zip to ~1 1/2 MB. The message attached reads,

"...
At Mon Jan 12 18:05:43 2004 the virus scanner said:
ClamAV: ad_tif.zip contains Oversized Zip
"

This is a known issue with ClamAV and I was wondering if anyone had a good workaround. If not a good workaround, how can I disable scanning the contents of zip files? I modified /usr/lib/MailScanner/clamav-wrapper as below and restarted MailScanner but that didn't seem to do the trick.

ScanOptions=""
# ScanOptions modified by darren to prevent Oversized Zip problem
#ScanOptions="$ScanOptions --unzip" # unzip archives too

# Extra options we try to pass to clam but we handle it failing
#ExtraScanOptions="--unzip --unarj --unrar --tar --tgz --lha"
ExtraScanOptions="--unarj --unrar --tar --tgz --lha"

More info about the Oversized Zip issue is here:
http://www.mail-archive.com/clamav-users@lists.sourceforge.net/msg03258.html

Thanks for the help.

Darren

From ugob at CAMO-ROUTE.COM Tue Jan 13 01:00:34 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:49 2006
Subject: Still having some problems with queue
Message-ID: <54C38A0B814C8E438EF73FC76F362927410794@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris [mailto:cwharris@MORGAN.NET]
> Sent: Monday, January 12, 2004 4:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Still having some problems with queue
>
>
> The queue is on the same disk.
>
> I am not checking any RBL's.
>
> I do however have Razor, DCC and Pyzor installed.
>
> Not sure what Softupdates is.

One of the most basic concepts in FreeBSD. Have you read the FreeBSD handbook? Very good book. I think it is enabled by default, but I'm not sure. It is a way to treat writes on a disk.

>
> if I do top it looks like this:
>
> CPU states: 53.9% user, 0.0% nice, 21.3% system, 0.8% interrupt, 24.0% idle
> Mem: 215M Active, 141M Inact, 109M Wired, 23M Cache, 61M Buf, 14M Free
> Swap: 1008M Total, 12M Used, 996M Free, 1% Inuse
>
> Comp is a Pentium 4 2.53GHz
>
>
> ----- Original Message -----
> From: "Martin Hepworth"
> To:
> Sent: Monday, January 12, 2004 11:52 AM
> Subject: Re: Still having some problems with queue
>
> > about to head off home, so just a few things to consider...
> >
> > have you got the mail queue dir's on a separate disk?
> >
> > have you checked the RBL's, and made sure none of them are timing out?
> > What RBL's are you running?
> >
> > have you got softupdates configured on the file system with the message
> > queue and MailScanner working directory.
> >
> > How much memory have you got, and how much swap are you running? (top
> > will show how much is being used). What CPU is running on the system,
> > and is the load showing above high when you get these backlogs?
> >
> > It really sounds like something is slowing the system down, is there
> > anything in the maillog to indicate this? have you checked the SA files
> > with --lint?
> >
> > What happens if you run MailScanner in debug mode, any indications of
> > slow down/timeouts there..
> >
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > **********************************************************************
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> > **********************************************************************
> >
> >
>

From ugob at CAMO-ROUTE.COM Tue Jan 13 01:03:02 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:49 2006
Subject: Progress on Queue
Message-ID: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris [mailto:cwharris@MORGAN.NET]
> Sent: Monday, January 12, 2004 6:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Progress on Queue
>
>
> Ok I did as Julian suggested and disabled spamassassin, and its kickin
> through my backed up queue without a problem. But I kinda
> need spamassassin.
> Is there a way to speed up SA?

Not really speed up, but optimize. Please let us know your config... any errors or timeouts in the logfile?

>
> Chris
>

From james at GRAYONLINE.ID.AU Tue Jan 13 01:31:41 2004
From: james at GRAYONLINE.ID.AU (James Gray)
Date: Thu Jan 12 21:21:49 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
In-Reply-To: <20040112155806.EA76D5D92@mx.ktv.lt>
References: <200401121545.38600.james@grayonline.id.au> <20040112155806.EA76D5D92@mx.ktv.lt>
Message-ID: <20040113013141.GA30349@highlander.grayonline.id.au>

On Mon, Jan 12, 2004 at 05:59:18PM +0200, Nerijus Baliunas wrote:
> On Mon, 12 Jan 2004 15:45:38 +1100 James Gray wrote:
>
> > OK - trap for young players:
> > DO NOT USE THE PENTIUM-OPTIMISED VERSION ON PENTIUM CLASSIC!!
>
> > Now install the P4 optimised version on the same system and it will
> > complain that it can't load libstdc++.so.5. You can manually symlink this:
> > ln -s /usr/lib/libstdc++.so.3.0.4 /usr/lib/libstdc++.so.5
>
> No no no! C++ ABI is not compatible between major versions, so it
> probably does not work because you cannot symlink like that!
> Please get libstdc++.so.5 for your distribution.

I realise this but there isn't (as far as I'm aware) a libstdc++.so.5 for Debian Woody. Can anyone set the record straight here??

--James

From eja at URBAKKEN.DK Tue Jan 13 06:02:43 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:49 2006
Subject: Antivir.
Message-ID:

Hi.

I can see in the /var/log/messages file, that antivir has scanned fine yesterday when I executed the antivir manual.

But due to a reason, I don't know it will not do it automatically from the MailScanner.

F-prot is not set up as a user during its install, but clamav is.

Should antivir also have been set as a user ?.

/Erik.

From robin at PRIMUS.CA Tue Jan 13 07:20:32 2004
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:49 2006
Subject: ANNOUNCE: Unstable release 4.26-4 released (fwd)
In-Reply-To: <20040113060827.GC2996@hoiho.nz.lemon-computing.com>
References: <20040113060827.GC2996@hoiho.nz.lemon-computing.com>
Message-ID:

On Tue, 13 Jan 2004, Nick Phillips wrote:

> On Fri, Jan 09, 2004 at 12:38:38PM -0500, Robin M. wrote:
>
> > i.e.
> > proftpd-1.2.5-1.1mlx.i386.rpm
> > softwarename-softwareversion-rpmbuildnumber.arch.rpm
> >
> > With the current scheme proper upgrades via rpm cannot be achieved as rpm
> > does not recognize that the number beyond the dash is an incrementally
> > more recent version.
>
> So what are you supposed to do when the actual software hasn't changed, but
> the RPM packaging has?
>

this has been explained further in the thread. If you need a further explanation I will email you off list.

From nerijus at USERS.SOURCEFORGE.NET Tue Jan 13 03:19:32 2004
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:21:49 2006
Subject: New McAfee Commandline Scanner for Unix/Linux is out
In-Reply-To: <20040113013141.GA30349@highlander.grayonline.id.au>
References: <200401121545.38600.james@grayonline.id.au><20040112155806.EA76D5D92@mx.ktv.lt> <20040113013141.GA30349@highlander.grayonline.id.au>
Message-ID: <20040113031804.6A00064BA@mx.ktv.lt>

On Tue, 13 Jan 2004 12:31:41 +1100 James Gray wrote:

> > > Now install the P4 optimised version on the same system and it will
> > > complain that it can't load libstdc++.so.5. You can manually symlink this:
> > > ln -s /usr/lib/libstdc++.so.3.0.4 /usr/lib/libstdc++.so.5
> >
> > No no no! C++ ABI is not compatible between major versions, so it
> > probably does not work because you cannot symlink like that!
> > Please get libstdc++.so.5 for your distribution.
>
> I realise this but there isn't (as far as I'm aware) a libstdc++.so.5 for Debian
> Woody. Can anyone set the record straight here??

You should compile gcc 3.2 yourself (IIRC libstdc++.so.5 is from g++ 3.2) or try to find a package at http://www.backports.org/, http://www.apt-get.org/ or some other place.

Regards,
Nerijus

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 13 08:47:00 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:49 2006
Subject: clamscan - oversized zip, workaround?
Message-ID:

Hi Darren,

> At Mon Jan 12 18:05:43 2004 the virus scanner said:
> ClamAV: ad_tif.zip contains Oversized Zip "
>
> This is a known issue with ClamAV and I was wondering if
> anyone had a good workaround. If not a good work around, how
> can I disable scanning the contents of zip files. I modified
> /usr/lib/MailScanner/clamav-wrapper as below and restarted
> MailScanner but that didn't seem to do the trick.

Edit libclamav/scanners.c and change

#define ZIPOSDET 20 /* FIXME: Make it user definable */

to

#define ZIPOSDET 50 /* FIXME: Make it user definable */

Works like a charm on my installations.

Regards,
JP

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 13 08:55:30 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:49 2006
Subject: clamscan - oversized zip, workaround?
In-Reply-To:
References:
Message-ID: <4003B282.3070604@solid-state-logic.com>

Jan-Peter Koopmann wrote:
> Hi Darren,
>
>
>>At Mon Jan 12 18:05:43 2004 the virus scanner said:
>> ClamAV: ad_tif.zip contains Oversized Zip "
>>
>>This is a known issue with ClamAV and I was wondering if
>>anyone had a good workaround. If not a good work around, how
>>can I disable scanning the contents of zip files. I modified
>>/usr/lib/MailScanner/clamav-wrapper as below and restarted
>>MailScanner but that didn't seem to do the trick.
>
>
> Edit libclamav/scanners.c and change
>
> #define ZIPOSDET 20 /* FIXME: Make it user definable */
>
> to
>
> #define ZIPOSDET 50 /* FIXME: Make it user definable */
>
>
> Works like a charm on my installations.
>
> Regards,
> JP

Earlier discussion on this suggests a value of 70 or more *may* be needed..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From gioia at bclink.it Tue Jan 13 09:00:10 2004
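For the ZIPOSDET exchange above (the shipped 20, the suggested 50, and a possible 70), the following is an added example, not code from any post in this thread or from ClamAV: it measures the per-member compression ratio of real archives so the value can be chosen from data. It assumes the constant is compared against uncompressed size divided by compressed size and that a member is flagged at or above the limit; the function names and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# ZIPOSDET values mentioned in the thread: the shipped 20, the suggested 50,
# and the "70 or more" recalled from an earlier discussion.
THREAD_THRESHOLDS = (20, 50, 70)


def member_ratios(zip_bytes):
    """Map each archive member to uncompressed_size / compressed_size."""
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Directories and empty members have no meaningful ratio.
            if info.is_dir() or info.compress_size == 0:
                continue
            ratios[info.filename] = info.file_size / info.compress_size
    return ratios


def lowest_passing_threshold(ratio, thresholds=THREAD_THRESHOLDS):
    """Smallest candidate limit the member stays below, or None if it trips all.

    Assumption: a member is flagged when its ratio is at or above the limit.
    """
    for limit in sorted(thresholds):
        if ratio < limit:
            return limit
    return None


def report(zip_bytes, thresholds=THREAD_THRESHOLDS):
    """Return {member: (ratio, lowest passing limit)} for one archive."""
    return {
        name: (round(ratio, 1), lowest_passing_threshold(ratio, thresholds))
        for name, ratio in member_ratios(zip_bytes).items()
    }


def build_constructed_sample():
    """Constructed input: a flat 'scan' that deflates extremely well, plus noise."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blank_scan.tif", b"\x00" * 3_000_000)
        zf.writestr("noise.bin", os.urandom(200_000))
    return buf.getvalue()


if __name__ == "__main__":
    for name, (ratio, limit) in report(build_constructed_sample()).items():
        verdict = f"passes at {limit}" if limit else "flagged at every listed value"
        print(f"{name}: ratio {ratio}:1, {verdict}")
    # The attachment described in the thread: ~30 MB down to ~1.5 MB, about 20:1.
    print("thread example passes at:", lowest_passing_threshold(30 / 1.5))
```

Raising the limit lets more legitimate archives through and also more of the extremely compressed ones the check exists to stop, so running this over a sample of real attachments shows how high the value actually needs to go.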
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:49 2006
Subject: R: R: Little Report problem with Postfix
In-Reply-To: <57715.194.70.180.170.1073924730.squirrel@net.themarshalls.co.uk>
Message-ID:

Hi Drew,

well I repeated the Message.pm patching but still have the same recipients duplication..

when I run the patch Message.pm < patch.txt
it does not report to me if patched or not, just noticed that it seems to be modified after doing that, possibly I'm doing something wrong? Or it may depend on what system we are using?

I'm using postfix 2.0.16 - MailScanner-4.24-5 - F-prot - Antivir on Slackware

thanks,

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Drew Marshall
Sent: Monday, 12 January 2004 17.26
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: R: Little Report problem with Postfix

I patched mine and it works fine but I think I guessed the command as

#patch Message.pm < patch.txt

Which reported as patched and it works :-) so thought no more of it...

Drew
--

Gioia Bastioni said:
> Hi Julian,
> I've just had the time to try it
>
> sol@mydomain:/opt/MailScanner/lib/MailScanner/patch#
> rwxr-xr-x 2 root root 4096 Jan 12 16:49 ./
> drwxr-xr-x 3 root root 4096 Jan 12 16:49 ../
> -rwxr-xr-x 1 root root 106825 Jan 12 16:49 Message.pm
> -rw-r--r-- 1 root root 0 Jan 12 16:46 patch.txt
>
> patch -p0 < patch.txt
>
> and replace the new Message.pm in /opt/MailScanner/lib/MailScanner
>
> stop and restart postfix and MailScanner and I've still the same problem
> ..
> Recipient: user@mydomain.it, user@mydomain.it
>
> here's the new Message.pm
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> behalf of Julian Field
> Sent: Friday, 9 January 2004 15.12
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Little Report problem with Postfix
>
>
> Please try this patch for /usr/lib/MailScanner/MailScanner/Message.pm.
> > ---------SNIP------------ > --- Message.pm 2003-12-02 11:44:42.000000000 +0000 > +++ Message.pm.new 2004-01-09 14:12:09.000000000 +0000 
> @@ -2315,11 +2315,17 @@ > my $reportword = MailScanner::Config::LanguageValue($this, "report"); > my $id = $this->{id}; > my $from = $this->{from}; > - my $to = join(', ', @{$this->{to}}); > + #my $to = join(', ', @{$this->{to}}); > my $subj = $this->{subject}; > my $rept = join(" $reportword: ", @everyrept); > my $ip = $this->{clientip}; > > + my($to, %tolist); > + foreach $to (@{$this->{to}}) { > + $tolist{$to} = 1; > + } > + $to = join(', ', sort keys %tolist); > + > my($result, $headers); > > if (MailScanner::Config::Value('hideworkdirinnotice',$this)) { > ---------SNIP------------ > > At 13:06 09/01/2004, you wrote: >>Hi guys, >> >>I've I have the seguent Report from Mailscanner when a Virus is found: >> >>********************************* >>"The following e-mail messages were found to have viruses in them: >> >> Sender: admin@mydomain.it >>IP Address: xxx.xxx.xxx.xxx >> Recipient: user@mydomain.it, user@mydomain.it >> Subject: your account yijefwov >> MessageID: 28A7433F302 >> Report: AntiVir: ALERT: [Worm/MiMail.A1 virus] > ./28A7433F302/message.zip >><<< Contains signature of the worm Worm/MiMail.A1 >> F-Prot: >>/var/spool/MailScanner/incoming/12726/28A7433F302/message.zip->message.htm l >>Infection: W32/Mimail.A@mm" >>********************************* >> >>It only affects the reporting and doesn't have any impact on message >>delivery at all. >> >>I found that someone else (the link below) pointed out this little >> problem, >>but had no response. >> >>http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0311&L=mailscanner&T=0&F=&S & >>P=27533 >> >>Just want to know if someone has an idea of why this happen.. >> >>I'm using Postfix MTA with Mailscanner 4-24.5 with both Antivir and >> F-Prot >>software >> >>Thanks all! 
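Review bot: the de-duplication in the added foreach block keys %tolist on the raw address string, so two entries in $this->{to} that differ only in case (typically in the domain part) still show up twice on the Recipient line; lower-casing the key, or at least the part after the @, before `$tolist{$to} = 1` would cover that. `sort keys %tolist` also reorders the recipients alphabetically, which makes the notice harder to line up with the envelope order in the MTA log; a seen-hash with a `push` inside the loop would keep first-seen order. The commented-out `#my $to = join(...)` line can be deleted rather than left behind, and since this only cleans up the report text, the duplicate entries in $this->{to} itself are still there for any other code that reads the list.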
Thanks Julian
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From Kevin.Spicer at BMRB.CO.UK Tue Jan 13 09:04:17 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:21:49 2006
Subject: Antivir.
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB00164997B@pascal.priv.bmrb.co.uk>

Erik Jakobsen wrote:
> Hi.
>
> I can see in the /var/log/messages file, that antivir has scanned fine
> yesterday when I executed the antivir manual.
>

Did you try running it manually as the same user MailScanner runs as? It may be that user doesn't have permission to read some files and/or use temp space.

From cwharris at MORGAN.NET Tue Jan 13 14:55:33 2004
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:49 2006
Subject: Progress on Queue
References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net>

Last night I enabled SpamAssassin again, but turned off bayes and razor and it seems to be working better.

But to answer your question, I do get timeouts now and then on SpamAssassin.

My /etc/mail/spamassassin/local.cf looks like this:

rewrite_subject 1
report_safe 1
use_bayes 0
auto_learn 1
skip_rbl_checks 1
use_razor1 0
use_razor2 0
use_pyzor 1
use_dcc 1

dns_available yes
bayes_path /var/spool/MailScanner/spamassassin/bayes

I haven't touched spam.assassin.prefs.conf

And these are the settings I have in the SA section of MailScanner.conf

Use SpamAssassin = yes
Max SpamAssassin Size = 20000
Required SpamAssassin Score = 5
High SpamAssassin Score = 20
SpamAssassin Auto Whitelist = no
SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
SpamAssassin Timeout = 40
Max SpamAssassin Timeouts = 20
Check SpamAssassin If On Spam List = yes
Always Include SpamAssassin Report = no
Spam Score = yes
Spam Actions = deliver
High Scoring Spam Actions = deliver
Non Spam Actions = deliver
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt

If I need to include anything else let me know.

Chris

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Monday, January 12, 2004 7:03 PM
Subject: Re: Progress on Queue

> > -----Original Message-----
> > From: Chris [mailto:cwharris@MORGAN.NET]
> > Sent: Monday, January 12, 2004 6:02 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Progress on Queue
> >
> >
> > Ok I did as Julian suggested and disabled spamassassin, and its kickin
> > through my backed up queue without a problem. But I kinda
> > need spamassassin.
> > Is there a way to speed up SA?
>
> Not really speed up, but optimize. Please let us know your config... any errors or timeouts in the logfile?
> >
> > Chris
> >
>
>

From lou.baccari at HP.COM Tue Jan 13 14:58:48 2004
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:49 2006
Subject: 4.9 marked as spam.
Message-ID:

I'm still having problems with my servers being blocked by SORBS-DNSBL and I've sent mail to them for help. So for the short time I've removed SORBS-DNSBL from MailScanner.conf.

I was looking over the conf file looking for alternatives and I felt the Spam Whitelist file should have corrected the problems by *never* marking the messages as spam once I added my servers address to it, am I correct to assume this?

Lou

-----Original Message-----
From: Baccari, Lou Sent: Monday, January 12, 2004 11:26 AM To: 'MailScanner mailing list' Subject: RE: 4.9 marked as spam. Julian, Thanks, that corrected the "Config Error:" problem, but mail from root still gets flagged as spam. I also tried removing SORBS-DNSBL from MailScanner.conf and mail from root passes. I've provide the header below. As stated earlier I checked http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers there and they came up clean, i.e. 'No entry found'. What could have happen since yesterday? Is there an other means of testing SORBS-DNSBL list? Lou. ==== Mail H ======= X-HPLC-MailScanner: Found to be clean X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, required 5, BAYES_00 -4.90) X-HPLC-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, BAYES_30 -0.90) X-PMX-Version: 4.1.1.86173 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Monday, January 12, 2004 11:13 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. At 16:05 12/01/2004, you wrote: >Thanks, I Tried your suggestion and I now see the following error: > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 >messages, 874 bytes >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match >against destination IP address when resolving configuration > option "spamwhitelist" Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. >=== spam.whitelist.rules ======= ># >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, January 12, 2004 10:17 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >At 15:10 12/01/2004, you wrote: > >Hello, > > > >It appears that today I can not send any mail to myself without it being > >marked as spam. I even added myself to the white list and the problem > >continues. Any ideas? > > > >Lou. > > > >==== Mail H ============ > > > >Subject: **SPAM** Restarted Named on > >X-HPLC-MailScanner: Found to be clean > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > > required 5, BAYES_00 -4.90) > >X-HPLC-MailScanner-Information: Please contact the ISP for more information > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > > BAYES_40 -0.00) > >Return-Path: root@crl-ns1b.crl.dec.com > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > >FILETIME=[9FE379B0:01C3D91D] > > > >==== spam.whitelist.rules ============ > > > >FromTo: *@192.58.206.19 yes > >FromTo: *@*192.58.206.19 yes > >FromTo: *@16.11.1.22 yes > >FromTo: *@*16.11.1.22 yes > >You whitelist rules are wrong. You can whitelist IP addresses, but IP >addresses and email addresses are totally different things. You should be >using these lines instead: > >FromTo: 192.58.206.19 yes >FromTo: 16.11.1.22 yes > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 13 15:01:09 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:49 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <6.0.1.1.2.20040113150047.074eafa0@imap.ecs.soton.ac.uk> You are correct. What are the entries for your server? At 14:58 13/01/2004, you wrote: >I was looking over the conf file looking for alternatives and I felt the >Spam Whitelist file should have corrected the problems by *never* marking >the messages as spam once I added my servers address to it, am I correct >to assume this? > >Lou > > >-----Original Message----- >From: Baccari, Lou >Sent: Monday, January 12, 2004 11:26 AM >To: 'MailScanner mailing list' >Subject: RE: 4.9 marked as spam. > > > >Julian, > > Thanks, that corrected the "Config Error:" problem, but mail from root > still gets flagged as spam. > > I also tried removing SORBS-DNSBL from MailScanner.conf and mail from > root passes. I've provide the header below. > > As stated earlier I checked > http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers > there and they came up clean, i.e. 'No entry found'. What could have > happen since yesterday? Is there an other means of testing SORBS-DNSBL list? > >Lou. > > > >==== Mail H ======= > >X-HPLC-MailScanner: Found to be clean >X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, required 5, > BAYES_00 -4.90) >X-HPLC-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, > BAYES_30 -0.90) >X-PMX-Version: 4.1.1.86173 > > > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, January 12, 2004 11:13 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >At 16:05 12/01/2004, you wrote: > >Thanks, I Tried your suggestion and I now see the following error: > > > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 > >messages, 874 bytes > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > >against destination IP address when resolving configuration > > option "spamwhitelist" > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > >against destination IP address when resolving configuration > > option "spamwhitelist" > >Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. > > > >=== spam.whitelist.rules ======= > ># > >FromTo: 192.58.206.19 yes > >FromTo: 16.11.1.22 yes > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Monday, January 12, 2004 10:17 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: 4.9 marked as spam. > > > > > >At 15:10 12/01/2004, you wrote: > > >Hello, > > > > > >It appears that today I can not send any mail to myself without it being > > >marked as spam. I even added myself to the white list and the problem > > >continues. Any ideas? > > > > > >Lou. > > > > > >==== Mail H ============ > > > > > >Subject: **SPAM** Restarted Named on > > >X-HPLC-MailScanner: Found to be clean > > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > > > required 5, BAYES_00 -4.90) > > >X-HPLC-MailScanner-Information: Please contact the ISP for more > information > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > > > BAYES_40 -0.00) > > >Return-Path: root@crl-ns1b.crl.dec.com > > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > > >FILETIME=[9FE379B0:01C3D91D] > > > > > >==== spam.whitelist.rules ============ > > > > > >FromTo: *@192.58.206.19 yes > > >FromTo: *@*192.58.206.19 yes > > >FromTo: *@16.11.1.22 yes > > >FromTo: *@*16.11.1.22 yes > > > >You whitelist rules are wrong. You can whitelist IP addresses, but IP > >addresses and email addresses are totally different things. 
You should be
> >using these lines instead:
> >
> >FromTo: 192.58.206.19 yes
> >FromTo: 16.11.1.22 yes
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 13 15:06:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:49 2006
Subject: Outstanding mail archiving bug
Message-ID: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk>

There were reports of the wrong message being archived or the warning message or something like that.

Please can someone confirm exactly what the problem was, and when it occurs. Otherwise I can't fix it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 13 15:10:26 2004
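For the spam.whitelist.rules exchange in the "4.9 marked as spam" thread above, the following is an added example, not part of any post and not MailScanner's own parser: a small pre-deployment check for the two mistakes the replies identify, an IP address wrapped in an e-mail style pattern and an IP pattern on a direction that includes the destination. The function names are hypothetical and the `example.com` rule is a constructed placeholder.

```python
import ipaddress

# Constructed sample: the rule lines quoted at different points in the thread,
# plus one ordinary sender-address rule (example.com is a placeholder).
SAMPLE_RULES = """\
# spam.whitelist.rules
FromTo: *@192.58.206.19 yes
FromTo: *@*16.11.1.22 yes
FromTo: 192.58.206.19 yes
From: 16.11.1.22 yes
From: *@example.com yes
"""


def _is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_rule(line):
    """Return the problems found in one ruleset line (empty list if none)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    fields = stripped.split()
    if len(fields) < 3:
        return ["expected '<direction>: <pattern> <value>'"]
    direction, pattern = fields[0].rstrip(":").lower(), fields[1]
    problems = []
    if "@" in pattern:
        # "*@192.58.206.19" and "*@*16.11.1.22": an address pattern whose
        # host part is really an IP, so it never matches the sending host.
        host = pattern.rsplit("@", 1)[1].lstrip("*")
        if _is_ip(host):
            problems.append("address pattern wraps an IP; use the bare IP")
    elif _is_ip(pattern) and direction != "from":
        # The logged "Cannot match against destination IP address" case.
        problems.append("IP pattern needs 'From:'; the destination IP cannot be matched")
    return problems


def lint_ruleset(text):
    """Return (line number, rule text, problem) for every finding."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for problem in lint_rule(line):
            findings.append((number, line.strip(), problem))
    return findings


if __name__ == "__main__":
    for number, rule, problem in lint_ruleset(SAMPLE_RULES):
        print(f"line {number}: {rule!r}: {problem}")
```

A whitelist rule that silently never matches leaves mail subject to the spam lists, which is the symptom reported in the thread, so a check like this is worth running before MailScanner is reloaded.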
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:49 2006
Subject: Progress on Queue
In-Reply-To: <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net>
References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net>
Message-ID: <40040A62.100@solid-state-logic.com>

Chris wrote:
> Last night I enabled SpamAssassin again, but turned off bayes and razor and
> it seems to be working better.
>
> But to answer your question, I do get timeouts now and then on SpamAssassin.
>
> My /etc/mail/spamassassin/local.cf looks like this:
>
> rewrite_subject 1
> report_safe 1
> use_bayes 0
> auto_learn 1
> skip_rbl_checks 1
> use_razor1 0
> use_razor2 0
> use_pyzor 1
> use_dcc 1
>
> dns_available yes
> bayes_path /var/spool/MailScanner/spamassassin/bayes
>
>
> I haven't touched spam.assassin.prefs.conf
>
> And these are the settings I have in the SA section of MailScanner.conf
>
> Use SpamAssassin = yes
> Max SpamAssassin Size = 20000
> Required SpamAssassin Score = 5
> High SpamAssassin Score = 20
> SpamAssassin Auto Whitelist = no
> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
> SpamAssassin Timeout = 40
> Max SpamAssassin Timeouts = 20
> Check SpamAssassin If On Spam List = yes
> Always Include SpamAssassin Report = no
> Spam Score = yes
> Spam Actions = deliver
> High Scoring Spam Actions = deliver
> Non Spam Actions = deliver
> Sender Spam Report = %report-dir%/sender.spam.report.txt
> Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
> Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
> Inline Spam Warning = %report-dir%/inline.spam.warning.txt
>
> If I need to include anything else let me know.
> Chris
>
>

What's the spam.assassin.prefs.conf look like, esp the RBL section?

When you installed/upgraded SA 2.61 did you dump and reload the bayes DB?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From thisismyphlist at YAHOO.COM Tue Jan 13 15:05:22 2004
From: thisismyphlist at YAHOO.COM (Henry Harvey)
Date: Thu Jan 12 21:21:49 2006
Subject: mailscanner with sophos and postfix
Message-ID: <20040113150522.70244.qmail@web60808.mail.yahoo.com>

Hello.
I am new to MailScanner. I have read in the website that it doesn't have support for Postfix. But on the new version, there was an addendum there that says it has direct support for Postfix now. Anyone using MailScanner with Postfix? Any problems with doing so? and with Sophos too?

Thank you

From jah at CALEOTECH.COM Tue Jan 13 15:17:58 2004
From: jah at CALEOTECH.COM (Jens Ahlin)
Date: Thu Jan 12 21:21:49 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk>
Message-ID:

This may be obsolete...

In MS 4.24-5 blocked HTML messages with IForms is not archived correctly. The archive file contains the warning message.

Jens

> There were reports of the wrong message being archived or the warning
> message or something like that.
>
> Please can someone confirm exactly what the problem was, and when it
> occurs. Otherwise I can't fix it.

From mailscanner at ecs.soton.ac.uk Tue Jan 13 15:20:03 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:49 2006 Subject: mailscanner with sophos and postfix In-Reply-To: <20040113150522.70244.qmail@web60808.mail.yahoo.com> References: <20040113150522.70244.qmail@web60808.mail.yahoo.com> Message-ID: <6.0.1.1.2.20040113151755.077a6f20@imap.ecs.soton.ac.uk> At 15:05 13/01/2004, you wrote: >Hello. >I am new to MailScanner. I have read >in the website that it doesn't have >support for Postfix. But on the new >version, there was an addendum there >that says it has direct support for >Postfix now. Anyone using MailScanner >with Postfix? Any problems with doing >so? Should work just fine. There are some docs on setting it up with Postfix at http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml Get the latest beta release, as I have hopefully now sorted the last of the Postfix problems. > and with Sophos too? Sophos was the very first virus scanner it supported, and works fine. Get it working with the "sophos" setting before you start getting "sophossavi" going (which is faster). Use the "Sophos.install" script to install your copy of Sophos, don't follow Sophos's instructions. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From cwharris at MORGAN.NET Tue Jan 13 15:34:01 2004 
From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:49 2006 Subject: Progress on Queue References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net> <40040A62.100@solid-state-logic.com> Message-ID: <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net>

spam.assassin.prefs.conf looks like this:

header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS 100.0
header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i
describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com
score FRIEND_GREETINGS2 100.0
required_hits 5
auto_whitelist_path /var/spool/MailScanner/spamassassin/auto-whitelist
auto_whitelist_file_mode 0600
bayes_path /var/spool/MailScanner/spamassassin/bayes
bayes_file_mode 0600
whitelist_from monty@roscom.com
ok_locales en
skip_rbl_checks 1
dcc_path /usr/local/bin/dccproc
rbl_timeout 20
razor_timeout 10
pyzor_timeout 10
# Osirusoft is dead
score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_SPAM_SRC 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_DUL_FH 0.0
# For spam and notspam bins
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information

And yeah 2.61 is a new install and the bayes db is new.

Chris

----- Original Message -----
From: "Martin Hepworth" To: Sent: Tuesday, January 13, 2004 9:10 AM Subject: Re: Progress on Queue > Chris wrote: > > Last night I enabled SpamAssassin again, but turned off bayes and razor and > > it seems to be working better. > > > > But to answer your question, I do get timeouts now and then on SpamAssassin. > > > > My /etc/mail/spamassassin/local.cf looks like this: > > > > rewrite_subject 1 > > report_safe 1 > > use_bayes 0 > > auto_learn 1 > > skip_rbl_checks 1 > > use_razor1 0 > > use_razor2 0 > > use_pyzor 1 > > use_dcc 1 > > > > dns_available yes > > bayes_path /var/spool/MailScanner/spamassassin/bayes > > > > > > I havent touched spam.assassin.prefs.conf > > > > And these are the settings I have in the SA section of MailScanner.conf > > > > Use SpamAssassin = yes > > Max SpamAssassin Size = 20000 > > Required SpamAssassin Score = 5 > > High SpamAssassin Score = 20 > > SpamAssassin Auto Whitelist = no > > SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf > > SpamAssassin Timeout = 40 > > Max SpamAssassin Timeouts = 20 > > Check SpamAssassin If On Spam List = yes > > Always Include SpamAssassin Report = no > > Spam Score = yes > > Spam Actions = deliver > > High Scoring Spam Actions = deliver > > Non Spam Actions = deliver > > Sender Spam Report = %report-dir%/sender.spam.report.txt > > Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt > > Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt > > Inline Spam Warning = %report-dir%/inline.spam.warning.txt > > > > If I need to include anything else let me know. > > Chris > > > > > > What's the spam.assassin.prefs.conf look like, esp the RBL section? > > When you installed/upgraded SA 2.61 did you dump and reload the bayes DB? 
> > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > From mailing-oit at tttech.com Tue Jan 13 15:41:57 2004 From: mailing-oit at tttech.com (Christoph Resch) Date: Thu Jan 12 21:21:49 2006 Subject: SA userprefs Message-ID: <200401131641.57722.mailing-oit@tttech.com> Hi, I am trying to get my user-specified SpamAssassin rules to work (SA is run via MailScanner) on a Debian woody. I defined a whitelist_from in the ~/.spamassassin/user_prefs file of a user (=sysop) reading: whitelist_from root@mydomain.com I want to run the GTUBE spam test, with the fictional result that the GTUBE mail sent by root to sysop will be whitelisted and not refused by SA. But after running this test I get the root mail as spam... but shouldn't it even have been whitelisted with a score of 1000??? It should be, I think! ~/.spamassassin and the file within (user_prefs) are chmod 700. What do I have to take care of to make use of the user-based configs in addition to the global preferences? Are user-side configs disabled by default? Thanks for advice. regs -c- From dwinkler at ALGORITHMICS.COM Tue Jan 13 15:44:34 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:49 2006 Subject: Error disabling Filetype Rules Message-ID: <200401131544.i0DFiNr06861@lime.algorithmics.com> I got the following errors when trying to disable Filetype Rules as described in the config file: Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration file: Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword "filetyperules" at line 577 Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in /opt/MailScanner/etc/MailScanner.conf. I set the config parameter Filetype Rules to blank. This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. Thanks, Derek From martinh at SOLID-STATE-LOGIC.COM Tue Jan 13 15:48:26 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:49 2006 Subject: Progress on Queue In-Reply-To: <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net> References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net> <40040A62.100@solid-state-logic.com> <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net> Message-ID: <4004134A.3020807@solid-state-logic.com> Chris wrote: > spam.assassin.prefs.conf looks like this: > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS 100.0 > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS2 100.0 > required_hits 5 > auto_whitelist_path > /var/spool/MailScanner/spamassassin/auto-whitelist > auto_whitelist_file_mode 0600 > bayes_path /var/spool/MailScanner/spamassassin/bayes > bayes_file_mode 0600 > whitelist_from monty@roscom.com > ok_locales en > skip_rbl_checks 1 > dcc_path /usr/local/bin/dccproc > rbl_timeout 20 > razor_timeout 10 > pyzor_timeout 10 > # Osirusoft is dead > score RCVD_IN_OSIRUSOFT_COM 0.0 > score X_OSIRU_OPEN_RELAY 0.0 > score X_OSIRU_DUL 0.0 > score X_OSIRU_SPAM_SRC 0.0 > score X_OSIRU_SPAMWARE_SITE 0.0 > score X_OSIRU_DUL_FH 0.0 > # For spam and notspam bins > bayes_ignore_header X-MailScanner > bayes_ignore_header X-MailScanner-SpamCheck > bayes_ignore_header X-MailScanner-SpamScore > bayes_ignore_header X-MailScanner-Information > > > And yeah 2.61 is a new install and the bayes db is new. > > Chris > This all looks very very similar to my starting point on my freebsd 4.8 box. (good!) have you checked the razor path etc. also try turning just razor on, then just the bayes to see which one is causing the issue.
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From gioia at bclink.it Tue Jan 13 15:46:32 2004 From: gioia at bclink.it (Gioia Bastioni) Date: Thu Jan 12 21:21:49 2006 Subject: R: mailscanner with sophos and postfix In-Reply-To: <20040113150522.70244.qmail@web60808.mail.yahoo.com> Message-ID: Hi Harvey, I'm currently using Postfix+MailScanner on a Slackware box with no problem at all, Sophos is a great Antivirus software, my personal experience is that all the few problems I had were only due to some lack of experience or attention doing it.. and btw, for every problem I get, I found my solution here.. there's a great number of people here that surely will be able to help you if you might need to! :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Henry Harvey Sent: Tuesday, 13 January 2004 16.05 To: MAILSCANNER@JISCMAIL.AC.UK Subject: mailscanner with sophos and postfix Hello. I am new to MailScanner. I have read in the website that it doesn't have support for Postfix. But on the new version, there was an addendum there that says it has direct support for Postfix now. Anyone using MailScanner with Postfix? Any problems with doing so? and with Sophos too? Thank you From thisismyphlist at YAHOO.COM Tue Jan 13 15:24:58 2004
From: thisismyphlist at YAHOO.COM (Henry Harvey) Date: Thu Jan 12 21:21:49 2006 Subject: mailscanner with sophos and postfix In-Reply-To: <6.0.1.1.2.20040113151755.077a6f20@imap.ecs.soton.ac.uk> Message-ID: <20040113152458.19846.qmail@web60802.mail.yahoo.com> Oh, btw, my machine is a Mandrake 9.0 box. Any feedback on that? Sorry for being so paranoid but I just wanted to gather as much feedback as I could before doing the actual install. Thank you. > Should work just fine. There are some docs on > setting it up with Postfix at > http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml > > Get the latest beta release, as I have hopefully now > sorted the last of the > Postfix problems. > > > and with Sophos too? > > Sophos was the very first virus scanner it > supported, and works fine. Get > it working with the "sophos" setting before you > start getting "sophossavi" > going (which is faster). Use the "Sophos.install" > script to install your > copy of Sophos, don't follow Sophos's instructions. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their > support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 > 5947 1415 B654 From lou.baccari at HP.COM Tue Jan 13 15:25:16 2004 From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:49 2006 Subject: 4.9 marked as spam. Message-ID: As you had asked me to: From: 192.58.206.19 yes From: 16.11.1.22 yes I've also tried: From: root@192.58.206.19 yes From: root@16.11.1.22 yes mail H ============================ Subject: **SPAM** #111 Named on X-HPLC-MailScanner-Information: Please contact the ISP for more information X-HPLC-MailScanner: Found to be clean X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, required 5, BAYES_00 -4.90) -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Tuesday, January 13, 2004 10:01 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. You are correct. What are the entries for your server? At 14:58 13/01/2004, you wrote: >I was looking over the conf file looking for alternatives and I felt the >Spam Whitelist file should have corrected the problems by *never* marking >the messages as spam once I added my servers address to it, am I correct >to assume this? > >Lou > > >-----Original Message----- >From: Baccari, Lou >Sent: Monday, January 12, 2004 11:26 AM >To: 'MailScanner mailing list' >Subject: RE: 4.9 marked as spam. > > > >Julian, > > Thanks, that corrected the "Config Error:" problem, but mail from root > still gets flagged as spam. > > I also tried removing SORBS-DNSBL from MailScanner.conf and mail from > root passes. I've provide the header below. > > As stated earlier I checked > http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers > there and they came up clean, i.e. 'No entry found'. What could have > happen since yesterday? Is there an other means of testing SORBS-DNSBL list? > >Lou. > > > >==== Mail H ======= > >X-HPLC-MailScanner: Found to be clean >X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, required 5, > BAYES_00 -4.90) >X-HPLC-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, > BAYES_30 -0.90) >X-PMX-Version: 4.1.1.86173 > > > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Monday, January 12, 2004 11:13 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >At 16:05 12/01/2004, you wrote: > >Thanks, I Tried your suggestion and I now see the following error: > > > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 messages > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 > >messages, 874 bytes > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > >against destination IP address when resolving configuration > > option "spamwhitelist" > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > >against destination IP address when resolving configuration > > option "spamwhitelist" > >Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. > > > >=== spam.whitelist.rules ======= > ># > >FromTo: 192.58.206.19 yes > >FromTo: 16.11.1.22 yes > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Monday, January 12, 2004 10:17 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: 4.9 marked as spam. > > > > > >At 15:10 12/01/2004, you wrote: > > >Hello, > > > > > >It appears that today I can not send any mail to myself without it being > > >marked as spam. I even added myself to the white list and the problem > > >continues. Any ideas? > > > > > >Lou. > > > > > >==== Mail H ============ > > > > > >Subject: **SPAM** Restarted Named on > > >X-HPLC-MailScanner: Found to be clean > > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > > > required 5, BAYES_00 -4.90) > > >X-HPLC-MailScanner-Information: Please contact the ISP for more > information > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, required 5, > > > BAYES_40 -0.00) > > >Return-Path: root@crl-ns1b.crl.dec.com > > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > > >FILETIME=[9FE379B0:01C3D91D] > > > > > >==== spam.whitelist.rules ============ > > > > > >FromTo: *@192.58.206.19 yes > > >FromTo: *@*192.58.206.19 yes > > >FromTo: *@16.11.1.22 yes > > >FromTo: *@*16.11.1.22 yes > > > >You whitelist rules are wrong. You can whitelist IP addresses, but IP > >addresses and email addresses are totally different things. 
You should be > >using these lines instead: > > > >FromTo: 192.58.206.19 yes > >FromTo: 16.11.1.22 yes > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Tue Jan 13 15:29:22 2004 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:49 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <200401131529.22841.Antony@Soft-Solutions.co.uk> On Tuesday 13 January 2004 3:25 pm, Baccari, Lou wrote: > As you had ask me to: > From: 192.58.206.19 yes > From: 16.11.1.22 yes > > I've also tried: > From: root@192.58.206.19 yes > From: root@16.11.1.22 yes No - these are not email addresses. They are the IP addresses of mail servers. You cannot include a username and @ in them - it makes no sense. Antony. -- The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time. Please reply to the list; please don't CC me. From raymond at PROLOCATION.NET Tue Jan 13 16:05:07 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:49 2006 Subject: Outstanding mail archiving bug In-Reply-To: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk> Message-ID: Hi! > There were reports of the wrong message being archived or the warning > message or something like that. > > Please can someone confirm exactly what the problem was, and when it > occurs. Otherwise I can't fix it. It was, if I recall correctly, filename rules. I had to look up some files for people who reported files were stripped, and all I found was the error template, instead of the actual files of that user. I mailed a detailed report around the time you were in .nl, but I guess that's lost ? :)) Bye, Raymond. From raymond at PROLOCATION.NET Tue Jan 13 16:10:02 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:49 2006 Subject: Outstanding mail archiving bug In-Reply-To: Message-ID: Hi! > This may be obsolete... > In MS 4.24-5 blocked HTML messages with IForms is not archived correctly. > The archive file contains the warning message. > > Jens > > > There were reports of the wrong message being archived or the warning > > message or something like that. > > > > Please can someone confirm exactly what the problem was, and when it > > occurs. Otherwise I can't fix it. Yeah, that was the one, correct. Bye, Raymond. From lou.baccari at HP.COM Tue Jan 13 16:10:38 2004 From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:21:49 2006 Subject: 4.9 marked as spam. Message-ID: I've now changed my whitelist to the following: From: root@crl-mail2.crl.dec.com yes From: root@crl-ns1b.crl.dec.com yes The problem with SORBS-DNSBL is now corrected, but why wouldn't using the IP address of the server have also corrected the problem? Thanks, Lou -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Antony Stone Sent: Tuesday, January 13, 2004 10:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.9 marked as spam. On Tuesday 13 January 2004 3:25 pm, Baccari, Lou wrote: > As you had ask me to: > From: 192.58.206.19 yes > From: 16.11.1.22 yes > > I've also tried: > From: root@192.58.206.19 yes > From: root@16.11.1.22 yes No - these are not email addresses. They are the IP addresses of mail servers. You cannot include a username and @ in them - it makes no sense. Antony. -- The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time. Please reply to the list; please don't CC me. From martinh at SOLID-STATE-LOGIC.COM Tue Jan 13 16:12:44 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:49 2006 Subject: [OT] at last the reason for all those oddly spelled spams Message-ID: <400418FC.7070601@solid-state-logic.com> very unpolitically correct, but humorous nonetheless http://www.theregister.co.uk/content/28/34840.html -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From martinh at solid-state-logic.com Tue Jan 13 16:12:44 2004
From: martinh at solid-state-logic.com (Martin Hepworth) Date: Thu Jan 12 21:21:49 2006 Subject: [SAtalk] [OT] at last the reason for all those oddly spelled spams Message-ID: <400418FC.7070601@solid-state-logic.com> very unpolitically correct, but humorous nonetheless http://www.theregister.co.uk/content/28/34840.html -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From eja at URBAKKEN.DK Tue Jan 13 16:24:45 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:49 2006 Subject: Antivir. Message-ID: On Tue, 13 Jan 2004 09:04:17 -0000, Spicer, Kevin wrote: >Erik Jakobsen wrote: >> Hi. >> >> I can see in the /var/log/messages file, that antivir has scanned fine >> yesterday when I executed the antivir manual. >> >Did you try running it manually as the same user MailScanner runs as? It may be that user doesn't have permission to read some files and/or use temp space. Hi Kevin, and thanks for your kind reply. Yes I did. Please look above this: "when I executed the antivir manual" :-) The problem is, that antivir is not shown in the messages from MailScanner. F-prot and Clamav is ok. I can see the antivir message telling me about its updating. From mailscanner at ecs.soton.ac.uk Tue Jan 13 16:21:03 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:49 2006 Subject: Error disabling Filetype Rules In-Reply-To: <200401131544.i0DFiNr06861@lime.algorithmics.com> References: <200401131544.i0DFiNr06861@lime.algorithmics.com> Message-ID: <6.0.1.1.2.20040113162029.0752ec90@imap.ecs.soton.ac.uk> At 15:44 13/01/2004, you wrote: >I got the following errors when trying to disable Filetype Rules as >described in the config file: > >Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration >file: >Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword >"filetyperules" at line 577 >Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in >/opt/MailScanner/etc/MailScanner.conf. > >I set the config parameter Filetype Rules to blank. > >This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. What do you get when you put a filename in instead of making it blank? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 13 16:18:54 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:49 2006 Subject: 4.9 marked as spam. In-Reply-To: References: Message-ID: <6.0.1.1.2.20040113161756.039ffeb0@imap.ecs.soton.ac.uk> At 15:25 13/01/2004, you wrote: >As you had ask me to: >From: 192.58.206.19 yes >From: 16.11.1.22 yes Check your maillog to see where it thinks the SMTP connection came from. You might need to add From: 127.0.0.1 yes to the list as well. >I've also tried: >From: root@192.58.206.19 yes >From: root@16.11.1.22 yes As Antony said, these can't possibly work. >mail H ============================ > >Subject: **SPAM** #111 Named on >X-HPLC-MailScanner-Information: Please contact the ISP for more information >X-HPLC-MailScanner: Found to be clean >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9, > required 5, BAYES_00 -4.90) > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, January 13, 2004 10:01 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.9 marked as spam. > > >You are correct. What are the entries for your server? > >At 14:58 13/01/2004, you wrote: > >I was looking over the conf file looking for alternatives and I felt the > >Spam Whitelist file should have corrected the problems by *never* marking > >the messages as spam once I added my servers address to it, am I correct > >to assume this? > > > >Lou > > > > > >-----Original Message----- 
> >From: Baccari, Lou > >Sent: Monday, January 12, 2004 11:26 AM > >To: 'MailScanner mailing list' > >Subject: RE: 4.9 marked as spam. > > > > > > > >Julian, > > > > Thanks, that corrected the "Config Error:" problem, but mail from root > > still gets flagged as spam. > > > > I also tried removing SORBS-DNSBL from MailScanner.conf and mail from > > root passes. I've provide the header below. > > > > As stated earlier I checked > > http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers > > there and they came up clean, i.e. 'No entry found'. What could have > > happen since yesterday? Is there an other means of testing SORBS-DNSBL > list? > > > >Lou. > > > > > > > >==== Mail H ======= > > > >X-HPLC-MailScanner: Found to be clean > >X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, > required 5, > > BAYES_00 -4.90) > >X-HPLC-MailScanner-Information: Please contact the ISP for more information > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, > > BAYES_30 -0.90) > >X-PMX-Version: 4.1.1.86173 > > > > > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Monday, January 12, 2004 11:13 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: 4.9 marked as spam. > > > > > >At 16:05 12/01/2004, you wrote: > > >Thanks, I Tried your suggestion and I now see the following error: > > > > > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 > messages > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 > > >messages, 874 bytes > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > > >against destination IP address when resolving configuration > > > option "spamwhitelist" > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > > >against destination IP address when resolving configuration > > > option "spamwhitelist" > > > >Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. > > > > > > >=== spam.whitelist.rules ======= > > ># > > >FromTo: 192.58.206.19 yes > > >FromTo: 16.11.1.22 yes > > > > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Monday, January 12, 2004 10:17 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: 4.9 marked as spam. > > > > > > > > >At 15:10 12/01/2004, you wrote: > > > >Hello, > > > > > > > >It appears that today I can not send any mail to myself without it being > > > >marked as spam. I even added myself to the white list and the problem > > > >continues. Any ideas? > > > > > > > >Lou. > > > > > > > >==== Mail H ============ > > > > > > > >Subject: **SPAM** Restarted Named on > > > >X-HPLC-MailScanner: Found to be clean > > > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin > (score=-4.9, > > > > required 5, BAYES_00 -4.90) > > > >X-HPLC-MailScanner-Information: Please contact the ISP for more > > information > > > >X-MailScanner: Found to be clean > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, > required 5, > > > > BAYES_40 -0.00) > > > >Return-Path: root@crl-ns1b.crl.dec.com > > > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > > > >FILETIME=[9FE379B0:01C3D91D] > > > > > > > >==== spam.whitelist.rules ============ > > > > > > > >FromTo: *@192.58.206.19 yes > > > >FromTo: *@*192.58.206.19 yes > > > >FromTo: *@16.11.1.22 yes > > > >FromTo: *@*16.11.1.22 yes > > > > > >You whitelist rules are wrong. You can whitelist IP addresses, but IP > > >addresses and email addresses are totally different things. 
You should be > > >using these lines instead: > > > > > >FromTo: 192.58.206.19 yes > > >FromTo: 16.11.1.22 yes > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >MailScanner thanks transtec Computers for their support > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 13 16:29:44 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:49 2006 Subject: Outstanding mail archiving bug In-Reply-To: References: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk> At 16:05 13/01/2004, you wrote: >Hi! > > > There were reports of the wrong message being archived or the warning > > message or something like that. > > > > Please can someone confirm exactly what the problem was, and when it > > occurs. Otherwise I can't fix it. > >It was if i recall correctly, filename rules, i had to lookup some files >for people who reported files were stripped, and all i found was the error >template, instrad of the actual files of that user. > >I mailed a detailed report around the time you were in .nl, but i guess >thats lost ? :)) I can't find it, have hunted all over the place for it. Have you still got a copy of it or can you describe it again please? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dwinkler at ALGORITHMICS.COM Tue Jan 13 16:45:06 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:49 2006 Subject: Error disabling Filetype Rules Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B11E@tormail2.algorithmics.com> Oddly enough, when I leave it as its default, "%etc-dir%/filetype.rules.conf", no error. -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, January 13, 2004 11:21 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Error disabling Filetype Rules

At 15:44 13/01/2004, you wrote:
>I got the following errors when trying to disable Filetype Rules as
>described in the config file:
>
>Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration
>file:
>Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword
>"filetyperules" at line 577
>Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in
>/opt/MailScanner/etc/MailScanner.conf.
>
>I set the config parameter Filetype Rules to blank.
>
>This was on Solaris 9, MailScanner 4.25-14 installed from the tarball.

What do you get when you put a filename in instead of making it blank?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 13 16:48:41 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:49 2006
Subject: Error disabling Filetype Rules
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B11E@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B11E@tormail2.algorithmics.com>
Message-ID: <6.0.1.1.2.20040113164805.03a10318@imap.ecs.soton.ac.uk>

In which case for now, please set
File Command =
Filetype Rules = %etc-dir%/filetype.rules.conf
as that will also disable it.

At 16:45 13/01/2004, you wrote:
>Oddly enough, when I leave it as its default,
>"%etc-dir%/filetype.rules.conf", no error.
>
>-----Original Message-----
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, January 13, 2004 11:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Error disabling Filetype Rules > >At 15:44 13/01/2004, you wrote: > >I got the following errors when trying to disable Filetype Rules as > >described in the config file: > > > >Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration > >file: > >Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword > >"filetyperules" at line 577 > >Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in > >/opt/MailScanner/etc/MailScanner.conf. > > > >I set the config parameter Filetype Rules to blank. > > > >This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. > >What do you get when you put a filename in instead of making it blank? >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 13 16:58:48 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:49 2006
Subject: Error disabling Filetype Rules
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B11E@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B11E@tormail2.algorithmics.com>
Message-ID: <6.0.1.1.2.20040113165329.075e16c0@imap.ecs.soton.ac.uk>

Can you try this please.
Edit ConfigDefs.pl (probably in /usr/lib/MailScanner/MailScanner).
Right near the bottom of the file you will find 2 lines saying
FilenameRules
FiletypeRules
Please move them from the "[All,File]" section to the "[All,Other]" section
which is just below it. That should allow the filenames to be left blank in
MailScanner.conf.

At 16:45 13/01/2004, you wrote:
>Oddly enough, when I leave it as its default,
>"%etc-dir%/filetype.rules.conf", no error.
>
>-----Original Message-----
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, January 13, 2004 11:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Error disabling Filetype Rules > >At 15:44 13/01/2004, you wrote: > >I got the following errors when trying to disable Filetype Rules as > >described in the config file: > > > >Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration > >file: > >Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword > >"filetyperules" at line 577 > >Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in > >/opt/MailScanner/etc/MailScanner.conf. > > > >I set the config parameter Filetype Rules to blank. > > > >This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. > >What do you get when you put a filename in instead of making it blank? >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Tue Jan 13 17:02:30 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:49 2006
Subject: R: mailscanner with sophos and postfix
In-Reply-To:
References: <20040113150522.70244.qmail@web60808.mail.yahoo.com>
Message-ID: <59279.194.70.180.170.1074013350.squirrel@net.themarshalls.co.uk>

And I use Postfix & MailScanner on Gentoo (I used to use it on Slackware,
also without problems). As it is only a 'home' machine I don't use Sophos
preferring Antivir and F-prot both of which are free licences for home use.
Both work fine, fast and secure on legacy kit :-).

I would thoroughly recommend this setup as they are both easy to configure.
For extra spam protection I block at SMTP (through Postfix) using the
Spamhaus RBLs as they are a fairly conservative list and then use
SpamAssassin to be more aggressive, tagging messages so as not to possibly
block false positives.

Good luck!

Drew
--

Gioia Bastioni said:
> Hi Harvey,
> I'm currently using Postfix+MailScanner on a Slackware box with no problem
> at all, Sophos is a great Antivirus software,
> my personal experience is that all few problems I had, were only due for
> some lack of experience or attention doing it..
> and btw, for every problem I get, I found my solution here..
> there's a great number of people here that surely will be able to help you if
> you might need to!
> :)
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Henry Harvey
> Sent: Tuesday, 13 January 2004 16.05
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: mailscanner with sophos and postfix
>
>
> Hello.
> I am new to MailScanner. I have read
> in the website that it doesn't have
> support for Postfix. But on the new
> version, there was an addendum there
> that says it has direct support for
> Postfix now. Anyone using MailScanner
> with Postfix? Any problems with doing
> so? and with Sophos too?
> Thank you
>

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From rc at ITSS.NERC.AC.UK Tue Jan 13 17:10:44 2004
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:21:49 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk>
Message-ID: <40042694.3020800@itss.nerc.ac.uk>

Julian Field wrote:
> At 16:05 13/01/2004, you wrote:
>
>> Hi!
>>
>> > There were reports of the wrong message being archived or the warning
>> > message or something like that.
>> >
>> > Please can someone confirm exactly what the problem was, and when it
>> > occurs. Otherwise I can't fix it.
>>
>> It was, if I recall correctly, filename rules, I had to look up some files
>> for people who reported files were stripped, and all I found was the
>> error
>> template, instead of the actual files of that user.
>>
>> I mailed a detailed report around the time you were in .nl, but I guess
>> that's lost ? :))
>
>
> I can't find it, have hunted all over the place for it. Have you still got
> a copy of it or can you describe it again please?

Following is in $report

    MailScanner: Found a form in HTML message

The original message is replaced with a warning correctly.
But the quarantine contains the warning message instead of the original
message.

I think I have seen this for IFrame tags as well but am not 100% certain.

This is version 4.24-5

From mailscanner at ecs.soton.ac.uk Tue Jan 13 17:46:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:49 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <40042694.3020800@itss.nerc.ac.uk>
References: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk> <40042694.3020800@itss.nerc.ac.uk>
Message-ID: <6.0.1.1.2.20040113174430.02c43ec0@imap.ecs.soton.ac.uk>

At 17:10 13/01/2004, you wrote:
>Julian Field wrote:
>>At 16:05 13/01/2004, you wrote:
>>> > There were reports of the wrong message being archived or the warning
>>> > message or something like that.
>>> >
>>> > Please can someone confirm exactly what the problem was, and when it
>>> > occurs. Otherwise I can't fix it.
>>>
>>>It was, if I recall correctly, filename rules, I had to look up some files
>>>for people who reported files were stripped, and all I found was the
>>>error
>>>template, instead of the actual files of that user.
>>>
>>>I mailed a detailed report around the time you were in .nl, but I guess
>>>that's lost ? :))
>>
>>I can't find it, have hunted all over the place for it. Have you still got
>>a copy of it or can you describe it again please?
>
>
>Following is in $report
>
> MailScanner: Found a form in HTML message
>
>The original message is replaced with a warning correctly.
>But the quarantine contains the warning message instead of the original
>message.

Can you give me your Quarantine settings please?
I've just tried with Raw Queue Files set to yes and no, and Quarantine
Whole Message as yes and no, and it saves a little html file containing the
original contents of the message.

Does it only happen when something else is wrong with the message too perhaps?

I can't reproduce the bug :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Tue Jan 13 18:48:56 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:49 2006
Subject: SA userprefs
In-Reply-To: <200401131641.57722.mailing-oit@tttech.com>
References: <200401131641.57722.mailing-oit@tttech.com>
Message-ID: <6.0.0.22.0.20040113134304.02a18ee8@xanadu.evi-inc.com>

At 10:41 AM 1/13/2004, Christoph Resch wrote:
>Hi ,
>
>I try to bring my user-specified spamassassin-rules to work (SA is run via
>MailScanner. ) on a Debian woody.
>
>I defined a whitelist_from in the ~/.spamassassin/user_prefs file of a user
>(=sysop) reading:

The user-prefs file in ~/.spamassassin is not used when running SA under
mailscanner.. it's replaced by spam.assassin.prefs.conf.

>whitelist_from root@mydomain.com
>
>I want to run the GTUBE-Spam test, with the fictional result that the
>GTUBE-Mail sent by root to sysop will be whitelisted and not refused by SA .
>
>but after running this test I get the root-mail as spam .. but shouldn't it
>even been whitelisted with a score of 1000 ??? .. should be I think !

No.. that's not how SA's whitelist works, and it's not how GTUBE works.

First, GTUBE is designed to be a 100% sure-fire way to ensure a message
gets declared to be spam by SA. No matter what the whitelists, etc say, if
it's got a GTUBE, SA will always declare it to be spam. No exceptions,
unless something in SA is bugged.

The SA whitelist_from system only deducts 100 points from the score...
whitelist+gtube = 900 point email = tag.

However, MailScanner has its own whitelist system, and that whitelist will
allow the message to go untagged, no matter what SA declares it to be
(although it will report what SA had to say about the message)

From lou.baccari at HP.COM Tue Jan 13 19:09:44 2004
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:49 2006
Subject: 4.9 marked as spam.
Message-ID:

Julie,

Yes 127.0.0.1 corrected the problem as well.

Thanks,
Lou

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, January 13, 2004 11:19 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.9 marked as spam.

At 15:25 13/01/2004, you wrote:
>As you had asked me to:
>From: 192.58.206.19 yes
>From: 16.11.1.22 yes

Check your maillog to see where it thinks the SMTP connection came from.
You might need to add
From: 127.0.0.1 yes
to the list as well.

>I've also tried:
>From: root@192.58.206.19 yes
>From: root@16.11.1.22 yes

As Antony said, these can't possibly work.

>mail H ============================
>
>Subject: **SPAM** #111 Named on
>X-HPLC-MailScanner-Information: Please contact the ISP for more information
>X-HPLC-MailScanner: Found to be clean
>X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (score=-4.9,
> required 5, BAYES_00 -4.90)
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Tuesday, January 13, 2004 10:01 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: 4.9 marked as spam.
>
>
>You are correct. What are the entries for your server?
>
>At 14:58 13/01/2004, you wrote:
> >I was looking over the conf file looking for alternatives and I felt the
> >Spam Whitelist file should have corrected the problems by *never* marking
> >the messages as spam once I added my server's address to it, am I correct
> >to assume this?
> >
> >Lou
> >
> >
> >-----Original Message-----
> >From: Baccari, Lou > >Sent: Monday, January 12, 2004 11:26 AM > >To: 'MailScanner mailing list' > >Subject: RE: 4.9 marked as spam. > > > > > > > >Julian, > > > > Thanks, that corrected the "Config Error:" problem, but mail from root > > still gets flagged as spam. > > > > I also tried removing SORBS-DNSBL from MailScanner.conf and mail from > > root passes. I've provide the header below. > > > > As stated earlier I checked > > http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?js&IP= and tested my servers > > there and they came up clean, i.e. 'No entry found'. What could have > > happen since yesterday? Is there an other means of testing SORBS-DNSBL > list? > > > >Lou. > > > > > > > >==== Mail H ======= > > > >X-HPLC-MailScanner: Found to be clean > >X-HPLC-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, > required 5, > > BAYES_00 -4.90) > >X-HPLC-MailScanner-Information: Please contact the ISP for more information > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.904, required 5, > > BAYES_30 -0.90) > >X-PMX-Version: 4.1.1.86173 > > > > > > > > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Monday, January 12, 2004 11:13 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: 4.9 marked as spam. > > > > > >At 16:05 12/01/2004, you wrote: > > >Thanks, I Tried your suggestion and I now see the following error: > > > > > >an 12 11:03:50 crl-ns1b MailScanner[20125]: Uninfected: Delivered 1 > messages > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: New Batch: Scanning 1 > > >messages, 874 bytes > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > > >against destination IP address when resolving configuration > > > option "spamwhitelist" > > >Jan 12 11:03:50 crl-ns1b MailScanner[20125]: Config Error: Cannot match > > >against destination IP address when resolving configuration > > > option "spamwhitelist" > > > >Sorry, my mistake. Put "From:" instead of "FromTo:" in both of those rules. > > > > > > >=== spam.whitelist.rules ======= > > ># > > >FromTo: 192.58.206.19 yes > > >FromTo: 16.11.1.22 yes > > > > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Monday, January 12, 2004 10:17 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: 4.9 marked as spam. > > > > > > > > >At 15:10 12/01/2004, you wrote: > > > >Hello, > > > > > > > >It appears that today I can not send any mail to myself without it being > > > >marked as spam. I even added myself to the white list and the problem > > > >continues. Any ideas? > > > > > > > >Lou. > > > > > > > >==== Mail H ============ > > > > > > > >Subject: **SPAM** Restarted Named on > > > >X-HPLC-MailScanner: Found to be clean > > > >X-HPLC-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin > (score=-4.9, > > > > required 5, BAYES_00 -4.90) > > > >X-HPLC-MailScanner-Information: Please contact the ISP for more > > information > > > >X-MailScanner: Found to be clean > > > >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.001, > required 5, > > > > BAYES_40 -0.00) > > > >Return-Path: root@crl-ns1b.crl.dec.com > > > >X-OriginalArrivalTime: 12 Jan 2004 15:06:15.0627 (UTC) > > > >FILETIME=[9FE379B0:01C3D91D] > > > > > > > >==== spam.whitelist.rules ============ > > > > > > > >FromTo: *@192.58.206.19 yes > > > >FromTo: *@*192.58.206.19 yes > > > >FromTo: *@16.11.1.22 yes > > > >FromTo: *@*16.11.1.22 yes > > > > > >You whitelist rules are wrong. You can whitelist IP addresses, but IP > > >addresses and email addresses are totally different things. 
You should be > > >using these lines instead: > > > > > >FromTo: 192.58.206.19 yes > > >FromTo: 16.11.1.22 yes > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >MailScanner thanks transtec Computers for their support > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From doko at CS.TU-BERLIN.DE Tue Jan 13 21:22:52 2004 From: doko at CS.TU-BERLIN.DE (Matthias Klose) Date: Thu Jan 12 21:21:50 2006 Subject: [patch] mailscanner does not erase input spool per-message log files when using exim Message-ID: <16388.25004.580372.490030@gargle.gargle.HOWL> Package: mailscanner Version: 4.25-14 The /var/spool/exim4_input/msglog keeps growing ... diff -ur lib/MailScanner.old/Exim.pm lib/MailScanner/Exim.pm --- lib/MailScanner.old/Exim.pm 2003-11-26 17:35:29.000000000 +0100 +++ lib/MailScanner/Exim.pm 2003-12-23 21:47:10.000000000 +0100 @@ -238,6 +238,11 @@ # return "$global::sed -e '1d' \"$dfile\" | $global::cat \"$hfile\" -"; # } +sub LFileName { + my($this, $id) = @_; + return "../msglog/$id"; +} + sub ReadQf { my($this, $message) = @_; diff -ur lib/MailScanner.old/EximDiskStore.pm lib/MailScanner/EximDiskStore.pm --- lib/MailScanner.old/EximDiskStore.pm 2003-11-07 13:41:40.000000000 +0100 +++ lib/MailScanner/EximDiskStore.pm 2003-12-24 13:08:33.000000000 +0100 
@@ -88,9 +88,11 @@ $this->{dname} = $mta->DFileName($id); $this->{hname} = $mta->HFileName($id); $this->{tname} = $mta->TFileName($id); + $this->{lname} = $mta->LFileName($id); $this->{dpath} = $dir . '/' . $this->{dname}; $this->{hpath} = $dir . '/' . $this->{hname}; + $this->{lpath} = $dir . '/' . $this->{lname}; $this->{inhhandle} = new FileHandle; $this->{indhandle} = new FileHandle; @@ -154,7 +156,7 @@ unlink($this->{hpath}); unlink($this->{dpath}); - + unlink($this->{lpath}); # Clear list of pending deletes @DeletesPending = (); } @@ -193,6 +195,9 @@ # while we unlink and unlock both, then locks the FD it # has for the open (but unlinked) -D file?? # What happens if we do the same? + + # print STDERR "Log da menssagem " . $this->{lpath} . "\n"; + unlink($this->{lpath}); # Clear list of pending deletes @DeletesPending = (); From cwharris at MORGAN.NET Tue Jan 13 21:41:11 2004 From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:50 2006 Subject: Progress on Queue References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net> <40040A62.100@solid-state-logic.com> <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net> <4004134A.3020807@solid-state-logic.com> Message-ID: <000401c3da1d$f60a4200$2105a8c0@pub.morgan.net> I have narrowed my problem down to Razor. I turned razor back on and before I knew it my queue was backed up again. Any way to fix this? Chris ----- Original Message ----- 
From: "Martin Hepworth" To: Sent: Tuesday, January 13, 2004 9:48 AM Subject: Re: Progress on Queue > Chris wrote: > > spam.assassin.prefs.conf looks like this: > > > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > score FRIEND_GREETINGS 100.0 > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card from/i > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > score FRIEND_GREETINGS2 100.0 > > required_hits 5 > > auto_whitelist_path > > /var/spool/MailScanner/spamassassin/auto-whitelist > > auto_whitelist_file_mode 0600 > > bayes_path /var/spool/MailScanner/spamassassin/bayes > > bayes_file_mode 0600 > > whitelist_from monty@roscom.com > > ok_locales en > > skip_rbl_checks 1 > > dcc_path /usr/local/bin/dccproc > > rbl_timeout 20 > > razor_timeout 10 > > pyzor_timeout 10 > > # Osirusoft is dead > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > score X_OSIRU_OPEN_RELAY 0.0 > > score X_OSIRU_DUL 0.0 > > score X_OSIRU_SPAM_SRC 0.0 > > score X_OSIRU_SPAMWARE_SITE 0.0 > > score X_OSIRU_DUL_FH 0.0 > > # For spam and notspam bins > > bayes_ignore_header X-MailScanner > > bayes_ignore_header X-MailScanner-SpamCheck > > bayes_ignore_header X-MailScanner-SpamScore > > bayes_ignore_header X-MailScanner-Information > > > > > > And yeah 2.61 is a new install and the bayes db is new. > > > > Chris > > > > This all looks very very similar to my starting piont on my freebsd 4.8 > box. (good!) > > have you checked the razor path etc. also try turning just razor on, > then just the bayes to see which one is causing the issue. > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. 
If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > From mailscanner at ecs.soton.ac.uk Tue Jan 13 21:43:35 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:50 2006 Subject: [patch] mailscanner does not erase input spool per-message log files when using exim In-Reply-To: <16388.25004.580372.490030@gargle.gargle.HOWL> References: <16388.25004.580372.490030@gargle.gargle.HOWL> Message-ID: <6.0.1.1.2.20040113214146.03e02878@imap.ecs.soton.ac.uk> All looks good except for in EximDiskStore.pm you forgot a couple of lines that need changing: @DeletesPending = ($this->{hpath}, $this->{dpath}); needs changing to @DeletesPending = ($this->{hpath}, $this->{dpath}, $this->{lpath}); or else the lpath file won't be deleted if the MailScanner child process receives a SIGHUP or a SIGTERM while it is in the middle of deleting a message. Thanks for the patch! At 21:22 13/01/2004, you wrote: >Package: mailscanner >Version: 4.25-14 > >The /var/spool/exim4_input/msglog keeps growing ... > >diff -ur lib/MailScanner.old/Exim.pm lib/MailScanner/Exim.pm >--- lib/MailScanner.old/Exim.pm 2003-11-26 17:35:29.000000000 +0100 >+++ lib/MailScanner/Exim.pm 2003-12-23 21:47:10.000000000 +0100 >@@ -238,6 +238,11 @@ > # return "$global::sed -e '1d' \"$dfile\" | $global::cat \"$hfile\" -"; > # } > >+sub LFileName { >+ my($this, $id) = @_; >+ return "../msglog/$id"; >+} >+ > sub ReadQf { > my($this, $message) = @_; > >diff -ur lib/MailScanner.old/EximDiskStore.pm lib/MailScanner/EximDiskStore.pm >--- lib/MailScanner.old/EximDiskStore.pm 2003-11-07 >13:41:40.000000000 +0100 >+++ lib/MailScanner/EximDiskStore.pm 2003-12-24 13:08:33.000000000 +0100 
>@@ -88,9 +88,11 @@ > $this->{dname} = $mta->DFileName($id); > $this->{hname} = $mta->HFileName($id); > $this->{tname} = $mta->TFileName($id); >+ $this->{lname} = $mta->LFileName($id); > > $this->{dpath} = $dir . '/' . $this->{dname}; > $this->{hpath} = $dir . '/' . $this->{hname}; >+ $this->{lpath} = $dir . '/' . $this->{lname}; > > $this->{inhhandle} = new FileHandle; > $this->{indhandle} = new FileHandle; >@@ -154,7 +156,7 @@ > > unlink($this->{hpath}); > unlink($this->{dpath}); >- >+ unlink($this->{lpath}); > # Clear list of pending deletes > @DeletesPending = (); > } >@@ -193,6 +195,9 @@ > # while we unlink and unlock both, then locks the FD it > # has for the open (but unlinked) -D file?? > # What happens if we do the same? >+ >+ # print STDERR "Log da menssagem " . $this->{lpath} . "\n"; >+ unlink($this->{lpath}); > > # Clear list of pending deletes > @DeletesPending = (); -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 13 21:44:34 2004 
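Review bot: In the Exim.pm hunk, LFileName returns the hard-coded relative path "../msglog/$id", which is only right when msglog is a sibling of the directory that EximDiskStore.pm later prepends in $dir . '/' . $this->{lname}. That layout assumption is not documented anywhere in the patch, and $id is interpolated into a path that ends up in unlink() with nothing in these lines constraining it to a queue ID. Suggest a comment on the sub stating the expected spool layout, and building the path from the spool root instead of via "..", so the delete cannot land outside the msglog directory.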
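Review bot: In the EximDiskStore.pm hunk at -154, unlink($this->{lpath}) is added beside the hpath and dpath unlinks, but the hunk only shows @DeletesPending being cleared afterwards; wherever that list is filled with hpath and dpath before the unlinks, lpath has to be added as well, or an interrupted delete leaves the msglog file behind, which is the gap the maintainer's reply points out. The added line also replaces the blank line that separated the unlinks from the "# Clear list of pending deletes" comment; keep that blank line.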
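Review bot: The EximDiskStore.pm hunk at -193 leaves a commented-out debug line, # print STDERR "Log da menssagem " . $this->{lpath} . "\n";, directly above the new unlink($this->{lpath}); drop it before merging. The new unlink also sits right under the existing comment that asks what happens with the locking of the open (but unlinked) -D file, with no word on whether removing the msglog file at this point is safe against that same sequence; a one-line comment saying why it is would help the next reader.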
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Progress on Queue
In-Reply-To: <000401c3da1d$f60a4200$2105a8c0@pub.morgan.net>
References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net> <40040A62.100@solid-state-logic.com> <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net> <4004134A.3020807@solid-state-logic.com> <000401c3da1d$f60a4200$2105a8c0@pub.morgan.net>
Message-ID: <6.0.1.1.2.20040113214345.03e06c20@imap.ecs.soton.ac.uk>

Do a
razor-admin -discover
as you may be using old razor servers. You'll have to use "locate" or
"find" to find your razor-admin, its location is very OS-dependent.

At 21:41 13/01/2004, you wrote:
>I have narrowed my problem down to Razor. I turned razor back on and before
>I knew it my queue was backed up again. Any way to fix this?
>
>Chris
>
>----- Original Message -----
>From: "Martin Hepworth" >To: >Sent: Tuesday, January 13, 2004 9:48 AM >Subject: Re: Progress on Queue > > > > Chris wrote: > > > spam.assassin.prefs.conf looks like this: > > > > > > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > > score FRIEND_GREETINGS 100.0 > > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card >from/i > > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > > score FRIEND_GREETINGS2 100.0 > > > required_hits 5 > > > auto_whitelist_path > > > /var/spool/MailScanner/spamassassin/auto-whitelist > > > auto_whitelist_file_mode 0600 > > > bayes_path /var/spool/MailScanner/spamassassin/bayes > > > bayes_file_mode 0600 > > > whitelist_from monty@roscom.com > > > ok_locales en > > > skip_rbl_checks 1 > > > dcc_path /usr/local/bin/dccproc > > > rbl_timeout 20 > > > razor_timeout 10 > > > pyzor_timeout 10 > > > # Osirusoft is dead > > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > > score X_OSIRU_OPEN_RELAY 0.0 > > > score X_OSIRU_DUL 0.0 > > > score X_OSIRU_SPAM_SRC 0.0 > > > score X_OSIRU_SPAMWARE_SITE 0.0 > > > score X_OSIRU_DUL_FH 0.0 > > > # For spam and notspam bins > > > bayes_ignore_header X-MailScanner > > > bayes_ignore_header X-MailScanner-SpamCheck > > > bayes_ignore_header X-MailScanner-SpamScore > > > bayes_ignore_header X-MailScanner-Information > > > > > > > > > And yeah 2.61 is a new install and the bayes db is new. > > > > > > Chris > > > > > > > This all looks very very similar to my starting piont on my freebsd 4.8 > > box. (good!) > > > > have you checked the razor path etc. also try turning just razor on, > > then just the bayes to see which one is causing the issue. 
> >
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > **********************************************************************
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> > **********************************************************************
> >
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Tue Jan 13 21:56:06 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:50 2006
Subject: [patch] mailscanner does not erase input spool per-message log files when using exim
In-Reply-To: <16388.25004.580372.490030@gargle.gargle.HOWL>
Message-ID:

Hi!

> The /var/spool/exim4_input/msglog keeps growing ...
>
> diff -ur lib/MailScanner.old/Exim.pm lib/MailScanner/Exim.pm
> --- lib/MailScanner.old/Exim.pm 2003-11-26 17:35:29.000000000 +0100
> +++ lib/MailScanner/Exim.pm 2003-12-23 21:47:10.000000000 +0100

This patch isn't needed at all, you can 1st symlink the two dirs, so it
won't have the need to do this. 2nd, you can disable the logs, it's only a
waste of io anyway :)

This was also pointed out in the FAQ I posted ...

Bye,
Raymond.

From cwharris at MORGAN.NET Tue Jan 13 22:11:06 2004
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:50 2006
Subject: Progress on Queue
References: <54C38A0B814C8E438EF73FC76F362927410795@mtlnt501fs.CAMOROUTE.COM> <000801c3d9e5$4eb181e0$2105a8c0@pub.morgan.net> <40040A62.100@solid-state-logic.com> <001501c3d9ea$ab3d45c0$2105a8c0@pub.morgan.net> <4004134A.3020807@solid-state-logic.com> <000401c3da1d$f60a4200$2105a8c0@pub.morgan.net> <6.0.1.1.2.20040113214345.03e06c20@imap.ecs.soton.ac.uk>
Message-ID: <000401c3da22$24580f80$2105a8c0@pub.morgan.net>

I have a cronjob set up to update my razor servers nightly. Anything else I
could do?

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, January 13, 2004 3:44 PM
Subject: Re: Progress on Queue

> Do a
> razor-admin -discover
> as you may be using old razor servers. You'll have to use "locate" or
> "find" to find your razor-admin, its location is very OS-dependent.
>
> At 21:41 13/01/2004, you wrote:
> >I have narrowed my problem down to Razor. I turned razor back on and before
> >I knew it my queue was backed up again. Any way to fix this?
> >
> >Chris
> >
> >----- Original Message -----
> >From: "Martin Hepworth" > >To: > >Sent: Tuesday, January 13, 2004 9:48 AM > >Subject: Re: Progress on Queue > > > > > > > Chris wrote: > > > > spam.assassin.prefs.conf looks like this: > > > > > > > > > > > > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > > > > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > > > > score FRIEND_GREETINGS 100.0 > > > > header FRIEND_GREETINGS2 Subject =~ /you have a greeting card > >from/i > > > > describe FRIEND_GREETINGS2 Nasty E-card from FriendGreetings.com > > > > score FRIEND_GREETINGS2 100.0 > > > > required_hits 5 > > > > auto_whitelist_path > > > > /var/spool/MailScanner/spamassassin/auto-whitelist > > > > auto_whitelist_file_mode 0600 > > > > bayes_path /var/spool/MailScanner/spamassassin/bayes > > > > bayes_file_mode 0600 > > > > whitelist_from monty@roscom.com > > > > ok_locales en > > > > skip_rbl_checks 1 > > > > dcc_path /usr/local/bin/dccproc > > > > rbl_timeout 20 > > > > razor_timeout 10 > > > > pyzor_timeout 10 > > > > # Osirusoft is dead > > > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > > > score X_OSIRU_OPEN_RELAY 0.0 > > > > score X_OSIRU_DUL 0.0 > > > > score X_OSIRU_SPAM_SRC 0.0 > > > > score X_OSIRU_SPAMWARE_SITE 0.0 > > > > score X_OSIRU_DUL_FH 0.0 > > > > # For spam and notspam bins > > > > bayes_ignore_header X-MailScanner > > > > bayes_ignore_header X-MailScanner-SpamCheck > > > > bayes_ignore_header X-MailScanner-SpamScore > > > > bayes_ignore_header X-MailScanner-Information > > > > > > > > > > > > And yeah 2.61 is a new install and the bayes db is new. > > > > > > > > Chris > > > > > > > > > > This all looks very very similar to my starting piont on my freebsd 4.8 > > > box. (good!) > > > > > > have you checked the razor path etc. also try turning just razor on, > > > then just the bayes to see which one is causing the issue. 
> > > > > > > > > -- > > > Martin Hepworth > > > Snr Systems Administrator > > > Solid State Logic > > > Tel: +44 (0)1865 842300 > > > > > > > > > ********************************************************************** > > > > > > This email and any files transmitted with it are confidential and > > > intended solely for the use of the individual or entity to whom they > > > are addressed. If you have received this email in error please notify > > > the system manager. > > > > > > This footnote confirms that this email message has been swept > > > for the presence of computer viruses and is believed to be clean. > > > > > > ********************************************************************** > > > > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From pete at eatathome.com.au Tue Jan 13 22:58:36 2004 
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:50 2006
Subject: Bayes again
Message-ID: <4004781C.5030103@eatathome.com.au>

I have Bayes set up and working, but we only use autolearning - no manual learning. I was reading through the archives and some have said not to use Bayes at all if I am not using manual learning?

I have found over the past month that more and more spam is getting through, all with negative scores.

I saw Julian's recent post on his setup and have decided to try similar. I will install DCC and razor2 and add the RBLs (to SA); I have just added bigevil and will then upgrade SA to 2.61. I am hoping this means our system is more fire and forget - we use high spam scores to stop spam, we use no tagging features.

Any tips on Bayes? Should I stop using it in this configuration and use the other tools to try and get this system to chug along with less administrative effort?

Currently have postfix 2.016, Red Hat 9, MS 4.25-4 and SA 2.6

From raymond at PROLOCATION.NET Tue Jan 13 23:42:42 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:50 2006 Subject: Outstanding mail archiving bug In-Reply-To: <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk> Message-ID: Hi! > >I mailed a detailed report around the time you were in .nl, but i guess > >thats lost ? :)) > > I can't find it, have hunted all over the place for it. Have you still got > a copy of it or can you describe it again please? Found one in my quarantine dir ... =) This should contain the bad message, but its holding the error template... : [root@vmx01 1Ag3gn-0004KM-5u]# ls -al total 12 drwx------ 2 exim exim 4096 Jan 12 16:09 . drwx------ 67 exim exim 4096 Jan 12 23:58 .. -rw------- 1 exim exim 1065 Jan 12 16:09 msg-15123-14.html [root@vmx01 1Ag3gn-0004KM-5u]# more msg-15123-14.html Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail message contained potentially dangerous content, which has been removed for your safety. The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers. If you wish to receive a copy of the original email, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Mon Jan 12 16:09:16 2004 the content filters said: MailScanner: Found dangerous Object Codebase tag in HTML message Note to Help Desk: Look on MailScanner in /var/spool/MailScanner/quarantine/20040112 (message 1Ag3gn-0004KM-5u). 
-- Postmaster I also looked up in my logs what happened with this one: [root@fallback vmx01]# grep 1Ag3gn-0004KM-5u maillog-20040112 Jan 12 16:09:13 vmx01 exim[16638]: 2004-01-12 16:09:13 1Ag3gn-0004KM-5u <= ciccio@allgratis.zzn.com H=ns3.prolocation.net (toverdoos.prolocation.net) [194.171.240.23] P=esmtp S=3511 id=200401121509.i0CF95026049@toverdoos.prolocation.net Jan 12 16:09:15 vmx01 MailScanner[15123]: Message 1Ag3gn-0004KM-5u from 194.171.240.23 (ciccio@allgratis.zzn.com) to n-vision.nl is spam, SpamAssassin (score=9.625, required 5, BAYES_50 0.00, DATE_IN_PAST_12_24 0.75, FORGED_MUA_OUTLOOK 2.57, HTML_70_80 0.10, HTML_FONT_INVISIBLE 0.60, HTML_MESSAGE 0.10, HTML_TITLE_UNTITLED 0.43, MAILTO_SUBJ_REMOVE 0.89, MIME_HTML_ONLY 0.32, RAZOR2_CF_RANGE_11_50 0.88, RAZOR2_CHECK 1.05, REMOVE_REMOVAL_2WORD 1.95) Jan 12 16:09:15 vmx01 MailScanner[15123]: Spam Actions: message 1Ag3gn-0004KM-5u actions are deliver Jan 12 16:09:16 vmx01 MailScanner[15123]: Content Checks: Detected HTML-specific exploits in 1Ag3gn-0004KM-5u Jan 12 16:09:16 vmx01 MailScanner[15123]: Saved infected "msg-15123-14.html" to /var/spool/MailScanner/quarantine/20040112/1Ag3gn-0004KM-5u Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u => a3@n-vision.nl R=mailertable_router T=remote_smtp H=cleanfeed.prolocation.net [81.23.230.7] Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u Completed Hope this helps, can lookup some more if needed, but i guess they all look about the same. Bye, Raymond. From ugob at CAMO-ROUTE.COM Wed Jan 14 02:34:19 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:50 2006
Subject: Progress on Queue
Message-ID: <54C38A0B814C8E438EF73FC76F362927410798@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Chris [mailto:cwharris@MORGAN.NET]
> Sent: Tuesday, January 13, 2004 4:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Progress on Queue
>
>
> I have narrowed my problem down to Razor. I turned razor back
> on and before
> I knew it my queue was backed up again. Any way to fix this?
>

Is your firewall blocking the ports for razor? See the FAQs for the ports. Searching for firewall and/or ports should do it.

hth
Ugo

> Chris
>
> ----- Original Message -----
> From: "Martin Hepworth" > To: > Sent: Tuesday, January 13, 2004 9:48 AM > Subject: Re: Progress on Queue > > > > Chris wrote: > > > spam.assassin.prefs.conf looks like this: > > > > > > > > > header FRIEND_GREETINGS Subject =~ /you have an > E-Card from/i > > > describe FRIEND_GREETINGS Nasty E-card from > FriendGreetings.com > > > score FRIEND_GREETINGS 100.0 > > > header FRIEND_GREETINGS2 Subject =~ /you have a > greeting card > from/i > > > describe FRIEND_GREETINGS2 Nasty E-card from > FriendGreetings.com > > > score FRIEND_GREETINGS2 100.0 > > > required_hits 5 > > > auto_whitelist_path > > > /var/spool/MailScanner/spamassassin/auto-whitelist > > > auto_whitelist_file_mode 0600 > > > bayes_path > /var/spool/MailScanner/spamassassin/bayes > > > bayes_file_mode 0600 > > > whitelist_from monty@roscom.com > > > ok_locales en > > > skip_rbl_checks 1 > > > dcc_path /usr/local/bin/dccproc > > > rbl_timeout 20 > > > razor_timeout 10 > > > pyzor_timeout 10 > > > # Osirusoft is dead > > > score RCVD_IN_OSIRUSOFT_COM 0.0 > > > score X_OSIRU_OPEN_RELAY 0.0 > > > score X_OSIRU_DUL 0.0 > > > score X_OSIRU_SPAM_SRC 0.0 > > > score X_OSIRU_SPAMWARE_SITE 0.0 > > > score X_OSIRU_DUL_FH 0.0 > > > # For spam and notspam bins > > > bayes_ignore_header X-MailScanner > > > bayes_ignore_header X-MailScanner-SpamCheck > > > bayes_ignore_header X-MailScanner-SpamScore > > > bayes_ignore_header X-MailScanner-Information > > > > > > > > > And yeah 2.61 is a new install and the bayes db is new. > > > > > > Chris > > > > > > > This all looks very very similar to my starting piont on my > freebsd 4.8 > > box. (good!) > > > > have you checked the razor path etc. also try turning just razor on, > > then just the bayes to see which one is causing the issue. 
> >
> >
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> >
> **********************************************************************
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error
> please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> >
> **********************************************************************
> >
> >
>

From Antony at SOFT-SOLUTIONS.CO.UK Wed Jan 14 02:43:11 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:50 2006
Subject: Progress on Queue
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410798@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410798@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401140243.11681.Antony@Soft-Solutions.co.uk>

On Wednesday 14 January 2004 2:34 am, Ugo Bellavance wrote:

> > -----Original Message-----
> > From: Chris [mailto:cwharris@MORGAN.NET]
> > Sent: Tuesday, January 13, 2004 4:41 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Progress on Queue
> >
> >
> > I have narrowed my problem down to Razor. I turned razor back
> > on and before
> > I knew it my queue was backed up again. Any way to fix this?
>
> is your firewall blocking the ports for razor? See the faqs for the ports.
> Searching for firewall and/or ports should do it.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0312&L=mailscanner&P=55185

Antony.

--
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics

Please reply to the list; please don't CC me.

From eja at URBAKKEN.DK Wed Jan 14 08:28:49 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:50 2006
Subject: Antivir.
In-Reply-To:
References:
Message-ID: <4004FDC1.2050102@urbakken.dk>

Hi.

My antivir is still not running with MailScanner. As I have told before, it is running ok, if I run a manual antivir.

I have here the antivir-wrapper file. Is it ok?

#!/bin/sh

# antivir-wrapper -- invoke Antivir for use with mailscanner
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2001  Julian Field
#
#   $Id: antivir-wrapper,v 1.5.2.1 2003/08/09 11:04:02 jkf Exp $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules@JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#
#

# ScanOptions was -q but that stops it producing output with new version
ScanOptions=""

PackageDir=$1
shift
prog=antivir

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$prog ] && exit 0
  exit 1
fi

exec ${PackageDir}/$prog $ScanOptions "$@"

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
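
The wrapper in the message above answers "-IsItInstalled" with only exit status 0 or 1, so a failed probe gives no reason. The following is an added example, not part of the original post and not MailScanner code: it repeats the wrapper's `-x` test and names the cause of a failure. The function names, the temporary directory and the stub `antivir` file are constructed for illustration; the directory argument corresponds to the script's own `PackageDir=$1`.

```shell
#!/bin/sh
# Added example (not MailScanner code): explain why the wrapper's
# "-IsItInstalled" probe would fail for a given PackageDir.

# Same decision the wrapper makes: is <PackageDir>/antivir executable
# for the user running this script?
is_installed() {
    [ -x "$1/antivir" ]
}

# The wrapper only exits 0 or 1; this names the reason behind the result.
diagnose() {
    pkgdir=$1
    if [ ! -d "$pkgdir" ]; then
        echo "no-such-dir"
    elif [ ! -e "$pkgdir/antivir" ]; then
        echo "binary-missing"
    elif [ -d "$pkgdir/antivir" ]; then
        # -x is true for a searchable directory, so the wrapper would
        # report "installed" and then fail at its exec line.
        echo "is-a-directory"
    elif [ ! -x "$pkgdir/antivir" ]; then
        echo "not-executable"
    else
        echo "ok"
    fi
}

# Constructed demonstration: a throwaway directory with a stub binary.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'empty dir: %s\n' "$(diagnose "$tmp")"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/antivir"
    chmod 644 "$tmp/antivir"
    printf 'mode 644:  %s\n' "$(diagnose "$tmp")"
    chmod 755 "$tmp/antivir"
    printf 'mode 755:  %s\n' "$(diagnose "$tmp")"
    rm -rf "$tmp"
}

# With an argument, check that directory; without one, run the demo.
if [ $# -gt 0 ]; then
    diagnose "$1"
else
    demo
fi
```

Run it with the directory that is passed to the wrapper as its first argument, and as the same user MailScanner runs as, since `-x` is evaluated for the invoking user and a scan started by hand from a root shell proves nothing about that account.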
From Q.G.Campbell at NEWCASTLE.AC.UK Wed Jan 14 09:28:36 2004
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:21:50 2006
Subject: Sendmail 8.12.* and multiple queues
Message-ID: <74BC2BBF06470148911E64E2B48FE13964CDBB@pinewood.ncl.ac.uk>

Is anyone running MailScanner + sendmail-8.12 with multiple queue directories (qf/df/xf files split into separate subdirectories)?

What about with queue groups?

How does MailScanner decide how it must move the qf/df file for an arbitrary sendmail setup given that in some cases the df file path is hard coded into the qf file?

Quentin
---
PHONE: +44 191 222 8209 Information Systems and Services (ISS),
University of Newcastle, Newcastle upon Tyne,
FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From mailscanner at ecs.soton.ac.uk Wed Jan 14 09:46:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Thankyou for the DVDs!
Message-ID: <6.0.1.1.2.20040114094431.0372a410@imap.ecs.soton.ac.uk>

To whoever bought me the Family Guy DVDs from my Amazon.co.uk wishlist, a very big thankyou!

It is much appreciated. :o)

Thanks again,
Jules.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 09:38:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:50 2006 Subject: Antivir. In-Reply-To: <4004FDC1.2050102@urbakken.dk> References: <4004FDC1.2050102@urbakken.dk> Message-ID: <6.0.1.1.2.20040114093757.03724438@imap.ecs.soton.ac.uk> Any chance of external ssh access to your system, it's probably something really simple that we are all missing. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 14 09:44:01 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Sendmail 8.12.* and multiple queues
In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964CDBB@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE13964CDBB@pinewood.ncl.ac.uk>
Message-ID: <6.0.1.1.2.20040114093901.0372b3f8@imap.ecs.soton.ac.uk>

At 09:28 14/01/2004, you wrote:
>Is anyone running MailScanner + sendmail-8.12 with multiple queue
>directories (qf/df/xf files split into separate subdirectories)?

I don't support that. You can use a ruleset to produce the "Outgoing Queue Dir" to separate messages into different queues, but that's all. If you have a setup where corresponding qf/df/xf sets are all in the same directory, but there are several of these directories, then you can use wildcards in the setting of "Incoming Queue Dir" or specify multiple paths. But the qf/df/xf triplet all have to be in the same directory.

>What about with queue groups?

As long as the messages end up in the same directory, you can do it. So you can, for example, split messages so they have only 1 recipient per message. This is a configuration used by quite a few people.

>How does MailScanner decide how it must move the qf/df file for an
>arbitrary sendmail setup given that in some cases the df file path is
>hard coded into the qf file?

As above, the qf+df are assumed to be in the same directory.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 09:53:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:50 2006 Subject: Outstanding mail archiving bug In-Reply-To: References: <6.0.1.1.2.20040113162839.07a14548@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040114095051.03f28cb0@imap.ecs.soton.ac.uk> Well I've tried Allow Form Tags = no Quarantine Infections = yes with a message with a form tag in it, and the correct original message segment (with the form tag still in it) is put into the quarantine. So maybe I've already fixed this and forgot? Quite possible! That was done using the latest beta 4.26-4. So unless someone finds it still does the wrong thing for them with 4.26-4, I'll consider this one closed. Any more outstanding bugs that anyone knows about, and I haven't fixed? At 23:42 13/01/2004, you wrote: >Hi! > > > >I mailed a detailed report around the time you were in .nl, but i guess > > >thats lost ? :)) > > > > I can't find it, have hunted all over the place for it. Have you still got > > a copy of it or can you describe it again please? > >Found one in my quarantine dir ... =) > >This should contain the bad message, but its holding the error template... : > >[root@vmx01 1Ag3gn-0004KM-5u]# ls -al >total 12 >drwx------ 2 exim exim 4096 Jan 12 16:09 . >drwx------ 67 exim exim 4096 Jan 12 23:58 .. >-rw------- 1 exim exim 1065 Jan 12 16:09 msg-15123-14.html >[root@vmx01 1Ag3gn-0004KM-5u]# more msg-15123-14.html > >Warning: This message has had one or more attachments removed >Warning: (the entire message). >Warning: Please read the "VirusWarning.txt" attachment(s) for more >information. > >This is a message from the MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------- >The original e-mail message contained potentially dangerous content, >which has been removed for your safety. 
> >The content is dangerous as it is often used to spread viruses or to gain >personal or confidential information from you, such as passwords or credit >card numbers. > >If you wish to receive a copy of the original email, please >e-mail helpdesk and include the whole of this message >in your request. Alternatively, you can call them, with >the contents of this message to hand when you call. > >At Mon Jan 12 16:09:16 2004 the content filters said: > MailScanner: Found dangerous Object Codebase tag in HTML message > >Note to Help Desk: Look on MailScanner in >/var/spool/MailScanner/quarantine/20040112 (message 1Ag3gn-0004KM-5u). >-- >Postmaster > >I also looked up in my logs what happened with this one: > >[root@fallback vmx01]# grep 1Ag3gn-0004KM-5u maillog-20040112 >Jan 12 16:09:13 vmx01 exim[16638]: 2004-01-12 16:09:13 1Ag3gn-0004KM-5u <= >ciccio@allgratis.zzn.com H=ns3.prolocation.net (toverdoos.prolocation.net) >[194.171.240.23] P=esmtp S=3511 >id=200401121509.i0CF95026049@toverdoos.prolocation.net >Jan 12 16:09:15 vmx01 MailScanner[15123]: Message 1Ag3gn-0004KM-5u from >194.171.240.23 (ciccio@allgratis.zzn.com) to n-vision.nl is spam, >SpamAssassin (score=9.625, required 5, BAYES_50 0.00, DATE_IN_PAST_12_24 >0.75, FORGED_MUA_OUTLOOK 2.57, HTML_70_80 0.10, HTML_FONT_INVISIBLE 0.60, >HTML_MESSAGE 0.10, HTML_TITLE_UNTITLED 0.43, MAILTO_SUBJ_REMOVE 0.89, >MIME_HTML_ONLY 0.32, RAZOR2_CF_RANGE_11_50 0.88, RAZOR2_CHECK 1.05, >REMOVE_REMOVAL_2WORD 1.95) >Jan 12 16:09:15 vmx01 MailScanner[15123]: Spam Actions: message >1Ag3gn-0004KM-5u actions are deliver >Jan 12 16:09:16 vmx01 MailScanner[15123]: Content Checks: Detected >HTML-specific exploits in 1Ag3gn-0004KM-5u >Jan 12 16:09:16 vmx01 MailScanner[15123]: Saved infected >"msg-15123-14.html" to >/var/spool/MailScanner/quarantine/20040112/1Ag3gn-0004KM-5u >Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u => >a3@n-vision.nl R=mailertable_router T=remote_smtp >H=cleanfeed.prolocation.net 
[81.23.230.7]
>Jan 12 16:09:17 vmx01 exim[16671]: 2004-01-12 16:09:17 1Ag3gn-0004KM-5u
>Completed
>
>Hope this helps, can lookup some more if needed, but i guess they all look
>about the same.
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 10:20:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: FoundForm = Found a form in HTML message
In-Reply-To: <5.0.2.1.2.20040114110935.01db1260@127.0.0.1>
References: <5.0.2.1.2.20040114110935.01db1260@127.0.0.1>
Message-ID: <6.0.1.1.2.20040114101937.03c07268@imap.ecs.soton.ac.uk>

You can simply set
Allow Form Tags = yes
or you can use a ruleset to allow form tags from some addresses (or to some users) and not others. If you want to do that, read about rulesets in /etc/MailScanner/rules/*

At 10:11 14/01/2004, you wrote:
> Hello,
>how to disable stopping messages with "FoundForm = Found a form in HTML
>message" ?
>Because some newsletters are blocked by mailscanner and users don't like it.
>
>Thanks a lot
>
>
>____________________________________________________________
>
>Nicolas Viers | Service Commun Informatique
>Email: viers@unilim.fr | 123, avenue Albert Thomas
> | 87060 Limoges cedex
>Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
> http://www.unilim.fr/sci
>____________________________________________________________
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From juan at sarel.co.il Wed Jan 14 14:54:59 2004
From: juan at sarel.co.il (JUAN)
Date: Thu Jan 12 21:21:50 2006
Subject: problem starting Mailscanner
Message-ID:

ok! I changed what you told me in /etc/init.d/sendmail, now when I do /etc/init.d/Mailscanner restart I receive:

starting Mailscanner deamons: incoming sendmail: warning:Xclimiter": local socket name /var/run/climiter.sock' missing [ok]

What is going wrong?

Thanks in advance!!

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, January 12, 2004 4:18 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: problem starting Mailscanner

At 14:11 12/01/2004, you wrote:
>here I cut and paste ( its changes when I cut and paste):
>
> 47 done
> 48 fi
> 49 daemon /usr/sbin/sendmail -bd
>OPrivacyMode=queueonly -OQueueDir
>ectory=/var/spool/mqueue.in

That's wrong. You have confused the settings. Please go and check the documentation again and correct the settings for this command. It should say this (all on 1 line)

daemon /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in

You have missed a "-", confused PrivacyMode with DeliveryMode and missed the PrivacyOptions settings entirely.

> 50 sendmail -q15m
> 51 $([ -n
>"$QUEUE" ] && echo -q$QUEUE)
> 52 RETVAL=$?
> 53 echo
> 54 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
>
>I also attached the file /etc/init.d/sendmail
>
>thanks!!!
>
>
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Sunday, January 11, 2004 5:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: problem starting Mailscanner > > >Please can you cut and paste the lines into an email, and not retype them. >There are many apparent typing errors in the lines you have shown us, and >we really do need to see the exact original lines. > >At 15:03 11/01/2004, you wrote: > >O.K !! here is /etc/init.d/sendmail lines 47 to 54 > > > >line 47 done > >line 48 fi > >line 49 deamon /usr/sbin/sendmail -bd OPrivacy=queueonly > >-0QUEUEDirectory=/var/spool/mqueue.in > >line 50 sendmail q15m > >line 51 $([-n "QUEUE" ] && echo -q$QUEUE) > >line 52 RETVAL=$? > >line 53 echo > >line 54[RETVAL -eq0] 77 touch /var/lock/subsys/sendmail > > > >please help > > > >thanks > > > > > > > > > >-----Original Message----- 
> >From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > >Sent: Sunday, January 11, 2004 4:12 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: problem starting Mailscanner > > > > > >On Sunday 11 January 2004 2:10 pm, ???? wrote: > > > > > Hi !! > > > > > > I am trying to configure sendmail on RH 8 . > > > > > > whan I issue the command /etc/init.d/sendmail restart I receive: > > > > > > /etc/init.d/sendmail :line 51: -q1h :command not found [ok] > > > >Looks like you've split the sendmail command across two lines - "-q1h" is >an > > > >option which should follow sendmail on the same line. > > > >If that doesn't answer it, post lines 47 to 54 of /etc/init.d/sendmail and > >we'll look in more detail. > > > >Antony. > > > >-- > >There are two possible outcomes: > > > > If the result confirms the hypothesis, then you've made a measurement. > > If the result is contrary to the hypothesis, then you've made a >discovery. > > > > - Enrico Fermi > > > > Please reply to the > >list; > > please don't CC > >me. > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From campbell at CNPAPERS.COM Wed Jan 14 14:53:09 2004 
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:50 2006
Subject: Outstanding mail archiving bug
References: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk>
Message-ID: <00c401c3daae$204a22c0$da01a8c0@cnpapers.net>

Mr. Field,

I had responded to the original message indicating that I too had seen this situation. But due to the fact that I normally do not have to release quarantined files that much (perhaps only three times), I have not seen this since I responded. I'm sorry, but I cannot provide any more details, and was only responding to indicate that there was more than one site seeing this. I will try to find a few to help out.

I can only say that I am running SA 2.61, MailWatch 0.04, and MS 4.24-5 on a Sendmail 8.11 RH 7.3 box. It does not happen all of the time, though, as only once has it happened, and I did not pay any attention to it then.

Thanks, though, for the concern

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, January 13, 2004 10:06 AM
Subject: Outstanding mail archiving bug

> There were reports of the wrong message being archived or the warning
> message or something like that.
>
> Please can someone confirm exactly what the problem was, and when it
> occurs. Otherwise I can't fix it.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wppiphoto at WPPI.COM Wed Jan 14 14:57:58 2004
From: wppiphoto at WPPI.COM (SW) Date: Thu Jan 12 21:21:50 2006 Subject: Spamassassin negative score? {Scanned} Message-ID: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> Hi folks, I'm just trying to figure out how lately lots of spam gets a 'negative' score resulting in not being seen as spam? Do I need to make some changes in Mailscanner.conf to fix this problem or is this a known loophole spammers use? Here is an example of an e-mail w/ a Spamassassin score of -4.7: Return-Path: Received: from dhcp15-67.cable.conwaycorp.net (JeW_91122_@dhcp15-67.cable.conwaycorp.net [24.144.15.67] (may be forged)) by wppi.com (8.10.2/8.10.2) with SMTP id i0EDvdf00591 for ; Wed, 14 Jan 2004 08:57:39 -0500 Received: from [24.144.15.67] by 3001hosting.comIP with HTTP; Wed, 14 Jan 2004 14:49:27 +0100 From: "Chasity" To: ae@wppi.com Subject: Re: YQBNAMQ, voice resounded over {Scanned} Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: [3001hosting.comIP] Date: Wed, 14 Jan 2004 14:58:27 +0100 Reply-To: "Sorensen" Content-Type: multipart/alternative; boundary="--ALT--VKRT28948427261974" Message-Id: X-WPPi-MailScanner-Information: Please contact WPPi for more information X-WPPi-MailScanner: Found to be clean X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7, required 4, BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10) X-UIDL: joV"!$mT"!"!E!!%!3!! ------------------------------------------------- WPPi.com | WPPi.Net ------------------------------------------------- http://www.wppi.com | http://www.wppi.net ------------------------------------------------- WPPi.com & WPPi.Net MailScanner Signature This message has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean. ------------------------------------------------- From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 14 15:01:27 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:50 2006 Subject: Thankyou for the DVDs! In-Reply-To: <6.0.1.1.2.20040114094431.0372a410@imap.ecs.soton.ac.uk> Message-ID: <008601c3daaf$491a53e0$0501a8c0@darkside> >To whoever bought me the Family Guy DVD's from my Amazon.co.uk >wishlist, a >very big thankyou! You mean all you gotta do to get free stuff is to write a software app that benefits millions of people every day and give it away for free? Man, have I missed the boat. >It is much appreciated. The safe word is banana. --J(K) From mailscanner at ecs.soton.ac.uk Wed Jan 14 15:06:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
Message-ID: <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk>

They have managed to poison your Bayes database enough that it is convinced
this message is not spam (BAYES_00 -4.90 in the headers you included).

You may want to change the score of the low-numbered BAYES_xx rules so they
are a lot smaller. But then you will need to keep an eye open for false
positives. The other option is to disable bayes altogether with
        use_bayes 0
in spam.assassin.prefs.conf

At 14:57 14/01/2004, you wrote:
>Hi folks,
>
>I'm just trying to figure out how lately lots of spam gets a 'negative'
>score resulting in not being seen as spam? Do I need to make some changes in
>Mailscanner.conf to fix this problem or is this a known loophole spammers
>use?
>
>Here is an example of an e-mail w/ a Spamassassin score of -4.7:
>
>Return-Path:
>Received: from dhcp15-67.cable.conwaycorp.net
>(JeW_91122_@dhcp15-67.cable.conwaycorp.net [24.144.15.67] (may be forged))
>        by wppi.com (8.10.2/8.10.2) with SMTP id i0EDvdf00591
>        for ; Wed, 14 Jan 2004 08:57:39 -0500
>Received: from [24.144.15.67] by 3001hosting.comIP with HTTP;
>        Wed, 14 Jan 2004 14:49:27 +0100
>From: "Chasity"
>To: ae@wppi.com
>Subject: Re: YQBNAMQ, voice resounded over {Scanned}
>Mime-Version: 1.0
>X-Mailer: mPOP Web-Mail 2.19
>X-Originating-IP: [3001hosting.comIP]
>Date: Wed, 14 Jan 2004 14:58:27 +0100
>Reply-To: "Sorensen"
>Content-Type: multipart/alternative;
>        boundary="--ALT--VKRT28948427261974"
>Message-Id:
>X-WPPi-MailScanner-Information: Please contact WPPi for more information
>X-WPPi-MailScanner: Found to be clean
>X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7, required
>4,
>        BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)
>X-UIDL: joV"!$mT"!"!E!!%!3!!
>
>
>
>-------------------------------------------------
>        WPPi.com       |       WPPi.Net
>-------------------------------------------------
>  http://www.wppi.com  |  http://www.wppi.net
>-------------------------------------------------
>WPPi.com & WPPi.Net MailScanner Signature
>This message has been scanned for viruses
>and dangerous content by WPPi MailScanner,
>and has been found to be clean.
>-------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wppiphoto at WPPI.COM Wed Jan 14 15:22:08 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk>
Message-ID: <040901c3dab2$2ffa9110$0e01a8c0@Toshiba>

Julian,

If I disable bayes, will they still be tagged as spam? Also, I just ran
across the BigEvilList Version 2.06g in some old posts and wondering if
this will work better?

Thanks as always for all the help and the awesome work you do!!!

SW

From brent at MIRABITO.COM Wed Jan 14 15:25:02 2004
From: brent at MIRABITO.COM (Brent Strignano)
Date: Thu Jan 12 21:21:50 2006
Subject: HTML Actions Header
Message-ID: <62E46E0C3CB8024C807447814E1B20A501CCED@granitemail.mirabito.com>

Hello Julian,

Is it possible that a future release could include the option of
creating a header for the other MailScanner actions that are performed
on a message.  Something along the lines of:

X-%org-name%-MailScanner-Actions: I-Frame Tag Removed, Form Tag Removed,
striphtml.

Could be useful here.

Thanks for your consideration,

Brent Strignano
System Administrator
Granite Capital Holdings
Sidney, NY

From mailscanner at ecs.soton.ac.uk Wed Jan 14 15:31:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: HTML Actions Header
In-Reply-To: <62E46E0C3CB8024C807447814E1B20A501CCED@granitemail.mirabito.com>
References: <62E46E0C3CB8024C807447814E1B20A501CCED@granitemail.mirabito.com>
Message-ID: <6.0.1.1.2.20040114153054.0387f018@imap.ecs.soton.ac.uk>

I'll take a look and see how big a job it would be. No promises.

At 15:25 14/01/2004, you wrote:
>Hello Julian,
>
>Is it possible that a future release could include the option of
>creating a header for the other MailScanner actions that are performed
>on a message.  Something along the lines of:
>
>X-%org-name%-MailScanner-Actions: I-Frame Tag Removed, Form Tag Removed,
>striphtml.
>
>Could be useful here.
>
>Thanks for your consideration,
>
>Brent Strignano
>System Administrator
>Granite Capital Holdings
>Sidney, NY
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 15:30:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <040901c3dab2$2ffa9110$0e01a8c0@Toshiba>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk> <040901c3dab2$2ffa9110$0e01a8c0@Toshiba>
Message-ID: <6.0.1.1.2.20040114152915.03ab1008@imap.ecs.soton.ac.uk>

No, it still wouldn't have been marked as spam. The score from the other
rules is too low.

Definitely worth adding the BigEvil.cf list, it helps quite a bit.
And make sure you are using the spamhaus xbl or xbl-sbl lists.

At 15:22 14/01/2004, you wrote:
>Julian,
>
>If I disable bayes, will they still be tagged as spam? Also, I just ran
>across the BigEvilList Version 2.06g in some old posts and wondering if
>this will work better?
>
>Thanks as always for all the help and the awesome work you do!!!
>
>SW

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wppiphoto at WPPI.COM Wed Jan 14 15:41:48 2004
From: wppiphoto at WPPI.COM (SW)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk> <040901c3dab2$2ffa9110$0e01a8c0@Toshiba> <6.0.1.1.2.20040114152915.03ab1008@imap.ecs.soton.ac.uk>
Message-ID: <041701c3dab4$ef18bc50$0e01a8c0@Toshiba>

Julian wrote:
> And make sure you are using the spamhaus xbl or xbl-sbl lists.

Yeah, I'm using the following and still about 200 spam e-mails daily come
through:

Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL

Am I missing some others (other than the paid services that is)?

Thanks,
SW

From mkettler at EVI-INC.COM Wed Jan 14 16:13:59 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
Message-ID: <6.0.0.22.0.20040114110939.024d2978@xanadu.evi-inc.com>

At 09:57 AM 1/14/2004, SW wrote:
>Hi folks,
>
>I'm just trying to figure out how lately lots of spam gets a 'negative'
>score resulting in not being seen as spam? Do I need to make some changes in
>Mailscanner.conf to fix this problem or is this a known loophole spammers
>use?

>X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7, required
>4,
>        BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)
>X-UIDL: joV"!$mT"!"!E!!%!3!!

It looks like your bayes database is poison. It's giving the message a 0%
chance of spam based on your training database.

If you're not doing manual training, disable bayes.. autolearning is NOT
sufficient to have a working bayes database.

Unfortunately the SA default is to have bayes and autolearning enabled, so
many people don't realize they need to manually train in the default
config, resulting in badly trained bayes databases.

From martinh at SOLID-STATE-LOGIC.COM Wed Jan 14 16:22:22 2004
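Added example (not part of any poster's message): a Python sketch that parses the SpamCheck header quoted in this thread and re-adds the rule points under the two options discussed so far, disabling Bayes or shrinking the BAYES_00 score. The function names are this example's own, and the -0.5 override is an assumed value chosen only for illustration.

```python
import re

# Value of the X-WPPi-MailScanner-SpamCheck header quoted in the thread,
# with the folded lines joined (constructed from the quoted sample).
SPAMCHECK = ("not spam, SpamAssassin (score=-4.7, required 4, "
             "BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)")

_HEADER_RE = re.compile(
    r"^\s*(?P<verdict>[^,(]+),\s*SpamAssassin\s*\((?P<fields>.*)\)\s*$")


def parse_spamcheck(value):
    """Split a SpamCheck header value into verdict, score, threshold and hits."""
    m = _HEADER_RE.match(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        raise ValueError("not a MailScanner SpamAssassin report")
    score = required = None
    hits = {}
    for field in (f.strip() for f in m.group("fields").split(",")):
        if field.startswith("score="):
            score = float(field[len("score="):])
        elif field.startswith("required "):
            required = float(field.split()[1])
        elif field:
            name, points = field.rsplit(None, 1)
            hits[name] = float(points)
    if score is None or required is None:
        raise ValueError("score or threshold missing")
    return {"verdict": m.group("verdict").strip(), "score": score,
            "required": required, "hits": hits}


def retotal(report, overrides=None, disabled_prefixes=()):
    """Re-add the rule hits with some scores changed or rule families off.

    Returns (total, is_spam). This only re-adds the points listed in the
    header; it does not re-run SpamAssassin.
    """
    overrides = overrides or {}
    total = 0.0
    for name, points in report["hits"].items():
        if any(name.startswith(p) for p in disabled_prefixes):
            continue
        total += overrides.get(name, points)
    total = round(total, 2)
    return total, total >= report["required"]


def bayes_share(report):
    """Points contributed by BAYES_* rules versus every other rule."""
    hits = report["hits"]
    bayes = sum(p for n, p in hits.items() if n.startswith("BAYES_"))
    other = sum(p for n, p in hits.items() if not n.startswith("BAYES_"))
    return round(bayes, 2), round(other, 2)


if __name__ == "__main__":
    report = parse_spamcheck(SPAMCHECK)
    print("as scored        :", retotal(report))
    print("use_bayes 0      :", retotal(report, disabled_prefixes=("BAYES_",)))
    # -0.5 is an assumed "a lot smaller" score, not a value from the thread.
    print("BAYES_00 at -0.5 :", retotal(report, overrides={"BAYES_00": -0.5}))
    print("bayes vs other   :", bayes_share(report))
```

With Bayes off the remaining hits total 0.2 against a threshold of 4, so removing the poisoned score stops the negative push but the other rules alone do not tag the message.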
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <6.0.0.22.0.20040114110939.024d2978@xanadu.evi-inc.com>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.0.22.0.20040114110939.024d2978@xanadu.evi-inc.com>
Message-ID: <40056CBE.8010003@solid-state-logic.com>

Matt Kettler wrote:
> At 09:57 AM 1/14/2004, SW wrote:
>
>> Hi folks,
>>
>> I'm just trying to figure out how lately lots of spam gets a 'negative'
>> score resulting in not being seen as spam? Do I need to make some
>> changes in
>> Mailscanner.conf to fix this problem or is this a known loophole spammers
>> use?
>
>
>
>> X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7,
>> required
>> 4,
>>         BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)
>> X-UIDL: joV"!$mT"!"!E!!%!3!!
>
>
> It looks like your bayes database is poison. It's giving the message a 0%
> chance of spam based on your training database.
>
> If you're not doing manual training, disable bayes.. autolearning is NOT
> sufficient to have a working bayes database.
>
> Unfortunately the SA default is to have bayes and autolearning enabled, so
> many people don't realize they need to manually train in the default
> config, resulting in badly trained bayes databases.

I'm using the following rules to trap 10+ random words and odd font
definitions...and about to try a fake Habeas rule as well (last rule)

rawbody LOCAL_ZERO_FONTSIZE /\bfont-size\: 0pt|font.*size="0"|font.*size=0/i
describe LOCAL_ZERO_FONTSIZE Font has a size of Zero. What is being hidden?
score LOCAL_ZERO_FONTSIZE 4.5

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0

## Chris Petersen Rules
## 01-09-04
## v1.1
## I've noticed that a lot of spams recently have been following the random-words technique,
## with very little "spam" content - often just an image or some obfuscated text. Has anyone
## given any thought to writing up a rule that detects a LACK of punctuation, or a lack of
## short words like a/and/the? It'd be easy for spammers to get around, but at least it would
## keep them out of inboxes for awhile.
rawbody CP_RANDOMWORD_10 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
describe CP_RANDOMWORD_10 string of 10+ random words
score CP_RANDOMWORD_10 0.5

rawbody CP_RANDOMWORD_15 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe CP_RANDOMWORD_15 string of 15+ random words
score CP_RANDOMWORD_15 2.5

# Jan 2004 : Fake Habeas
header __HABEAS_SWE eval:message_is_habeas_swe( )
header __HAB_FORGE_BOUND Content-Type =~ /boundary="--[0-9]{15,20}"/
header __HAB_FORGE_MID Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/
meta HABEAS_FORGERY (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE)
meta HABEAS_SWE (__HABEAS_SWE && ! HABEAS_FORGERY)
# -8.0 for default Habeas score.
describe HABEAS_FORGERY Common Habeas Forgery
lang fr describe HABEAS_FORGERY Spammeur utilisant Habeas sans autorisation
score HABEAS_FORGERY 3.5

as ever watch those line breaks...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From email at ace.net.au Wed Jan 14 16:24:50 2004
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba>
Message-ID: <200401150254500689.01DFBF95@smtp1.ace.net.au>

Was just reading on the SA list that apparently this is a giveaway.

> X-Mailer: mPOP Web-Mail 2.19

So suggested rule to add to SA is:

header RM_hxm_mPOPwebMail X-Mailer =~ /mPOP Web-Mail/
score RM_hxm_mPOPwebMail 5.0

Peter

From mailscanner at ecs.soton.ac.uk Wed Jan 14 16:36:05 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <041701c3dab4$ef18bc50$0e01a8c0@Toshiba>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk> <040901c3dab2$2ffa9110$0e01a8c0@Toshiba> <6.0.1.1.2.20040114152915.03ab1008@imap.ecs.soton.ac.uk> <041701c3dab4$ef18bc50$0e01a8c0@Toshiba>
Message-ID: <6.0.1.1.2.20040114162755.038f3d70@imap.ecs.soton.ac.uk>

At 15:41 14/01/2004, you wrote:
>Julian wrote:
> > And make sure you are using the spamhaus xbl or xbl-sbl lists.
>
>Yeah, I'm using the following and still about 200 spam e-mails daily come
>through:
>
>Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL
>
>Am I missing some others (other than the paid services that is)?

Yes. Add a line into spam.lists.conf that says this:
SBL+XBL                 sbl-xbl.spamhaus.org.
then in your "Spam List =" setting above, remove "spamhaus.org" and replace
it with "SBL+XBL". This will catch significantly more spam.
Obviously you need to "reload" or "restart" MailScanner after changing
these two things.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Wed Jan 14 16:49:41 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:50 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <200401150254500689.01DFBF95@smtp1.ace.net.au>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <200401150254500689.01DFBF95@smtp1.ace.net.au>
Message-ID: <6.0.0.22.0.20040114114415.02637c80@xanadu.evi-inc.com>

At 11:24 AM 1/14/2004, Peter Nitschke wrote:
> > X-Mailer: mPOP Web-Mail 2.19
>
>So suggested rule to add to SA is:
>
>header RM_hxm_mPOPwebMail X-Mailer =~ /mPOP Web-Mail/
>score RM_hxm_mPOPwebMail 5.0

I'd not go that far as to give it 5 points.. I've received at least one legit message with this X-Mailer on the snort-users mailinglist... it seems to be uncommon, outside of spam, but it isn't pure ratware. It seems to be mostly used by Russian posters.

Here's a web archive of a legit post using this mailer.
http://list-archive.xemacs.org/xemacs-users-ru/xemacs-users-ru.200112

From raymond at PROLOCATION.NET Wed Jan 14 18:12:33 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:51 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <6.0.1.1.2.20040114095051.03f28cb0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Allow Form Tags = no
> Quarantine Infections = yes
>
> with a message with a form tag in it, and the correct original message
> segment (with the form tag still in it) is put into the quarantine.
>
> So maybe I've already fixed this and forgot? Quite possible!
>
> That was done using the latest beta 4.26-4.

I had it still with 4.25-14, I can try 4.26-4 and see if I can still catch some, did you change the code for that part since 4.25-14 ??

Bye,
Raymond.

From sw at INTERNETX.DE Wed Jan 14 18:14:18 2004
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:21:51 2006
Subject: MailScanner is leaving sendmail qf-Files behind
Message-ID: <20040114181418.GA24010@lain.intern.internetx.de>

Hi, I asked this some time ago, but now the problem appears again. MailScanner doesn't delete some qf-files from the incoming queue after delivering a message:

Jan 14 18:32:33 postoffice sm-mta[24906]: i0EHWWTi024906: from=, size=4833, class=-30, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=gate2.mailgate.de [62.116.129.39]
Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Found 7 messages waiting
Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Forwarding 3 unscanned messages, 30633 bytes
Jan 14 18:32:33 postoffice MailScanner[19732]: Spam Checks: Starting
Jan 14 18:32:33 postoffice MailScanner[19732]: Unscanned: Delivered 3 messages
Jan 14 18:32:33 postoffice MailScanner[19732]: Virus and Content Scanning: Starting
Jan 14 18:32:34 postoffice sendmail[24913]: i0EHWWTi024906: to=, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=176347, dsn=2.0.0, stat=Sent

After this, the file qfi0EHWWTi024906 remains in mqueue.in.

The first time I posted this, it was assumed to be a sendmail problem, but as sendmail has completed delivery of the mail it must be MailScanner who leaves behind this queuefile....

It leaves approx. 6-12 files per day.

Greetings
Sebastian

From andy at WILDBRAIN.COM Wed Jan 14 18:23:22 2004
From: andy at WILDBRAIN.COM (Andy Moran)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
Message-ID: <4005891A.5000006@wildbrain.com>

MailScanner seems to correctly scan the vast majority of our messages at our company, but we've been getting some which do not have any score as if MailScanner decided to skip the SpamAssassin test. I thought at first SpamAssassin was timing out (and perhaps it is?), but I have the timeout set to 100 and I don't notice any spamassassin processes stuck around.

Below is the headers of one such message that slipped through. You will notice there is no X-WB-MailScanner-SpamCheck like the vast majority of our messages have. One of our users suggested that perhaps MailScanner honored those Habeus headers.. I was almost insulted at the suggestion.

Is there any way I can figure out why MailScanner isn't giving these a spam score?

Return-Path:
Received: from cpe-66-91-172-137.hawaii.rr.com (cpe-66-91-172-137.hawaii.rr.com [66.91.172.137])
        by hermes.wildbrain.com (8.12.8/8.12.8) with SMTP id i0E65UMh005081
        for ; Tue, 13 Jan 2004 22:05:31 -0800
Received: from 178.200.121.78 by 66.91.172.137; Tue, 13 Jan 2004 13:55:15 -0400
Message-ID:
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
From: "Jocelyn M. Vasquez"
Reply-To: "Jocelyn M. Vasquez"
To: manager@wildbrain.com
Date: Tue, 13 Jan 2004 20:51:15 +0300
X-Mailer: Direct Mail for Mac OS X
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--095455287252454"
X-Priority: 5
X-WB-MailScanner: Found to be clean
Subject: LOw Cost X(a)n@x, Val?(u)m, Viagr@, Som@ Di3t Pills Many M3ds
        VOMydclN0U8HR5x

From peter at UCGBOOK.COM Wed Jan 14 18:41:45 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <4005891A.5000006@wildbrain.com>
References: <4005891A.5000006@wildbrain.com>
Message-ID: <40058D69.6090504@ucgbook.com>

I know it's not because of the HABEAS headers because I get those as well as the SA report. Could it be that you had a timeout from SA? Look for "timed out" in your mail log.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Andy Moran wrote:

> One of our users suggested that perhaps MailScanner
> honored those Habeus headers.. I was almost insulted at the suggestion.
>
> Is there any way I can figure out why MailScanner isn't giving these a
> spam score?

From steve.swaney at FSL.COM Wed Jan 14 18:45:07 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <4005891A.5000006@wildbrain.com>
Message-ID: <20040114184507.5BE3721C304@mail.fsl.com>

By default SpamAssassin actually assigns a -8.0 score to messages containing the Habeas watermark. As a result of last weekend's spam storm with forged Habeas headers, many of us have disabled or substantially reduced the SpamAssassin Habeas scoring.

You can reset the Habeas score by adding something like:

score HABEAS_SWE -2.0

to your spam.assassin.prefs.conf where -2.0 is replaced by the value you want to use.

Hope this helps,

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Andy Moran > Sent: Wednesday, January 14, 2004 1:23 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Some messages not being spam scanned? > > MailScanner seems to correctly scan the vast majority of our messages at > our company, but we've been getting some which do not have any score as > if MailScanner decided to skip the SpamAssassin test. I thought at > first SpamAssassin was timing out (and perhaps it is?), but I have the > timeout set to 100 and I don't notice any spamassassin processes stuck > around. > > Below is the headers of one such message that slipped through. YOu will > notice there is no X-WB-MailScanner-SpamCheck like the vast majority of > our messages have. One of our users suggested that perhaps MailScanner > honored those Habeus headers.. I was almost insulted at the suggestion. > > Is there any way I can figure out why MailScanner isn't giving these a > spam score? > > > Return-Path: > Received: from cpe-66-91-172-137.hawaii.rr.com > (cpe-66-91-172-137.hawaii.rr.com [66.91.172.137]) > by hermes.wildbrain.com (8.12.8/8.12.8) with SMTP id > i0E65UMh005081 > for ; Tue, 13 Jan 2004 22:05:31 -0800 > Received: from 178.200.121.78 by 66.91.172.137; Tue, 13 Jan 2004 > 13:55:15 -0400 > Message-ID: > X-Habeas-SWE-1: winter into spring > X-Habeas-SWE-2: brightly anticipated > X-Habeas-SWE-3: like Habeas SWE (tm) > X-Habeas-SWE-4: Copyright 2002 Habeas (tm) > X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this > X-Habeas-SWE-6: email in exchange for a license for this Habeas > X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant > X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this > X-Habeas-SWE-9: mark in spam to . 
> From: "Jocelyn M. Vasquez" > Reply-To: "Jocelyn M. Vasquez" > To: manager@wildbrain.com > Date: Tue, 13 Jan 2004 20:51:15 +0300 > X-Mailer: Direct Mail for Mac OS X > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="--095455287252454" > X-Priority: 5 > X-WB-MailScanner: Found to be clean > Subject: LOw Cost X(a)n@x, Val?(u)m, Viagr@, Som@ Di3t Pills Many M3ds > VOMydclN0U8HR5x > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > From tristanr at CI.GRANDJCT.CO.US Wed Jan 14 18:57:53 2004 From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:51 2006 Subject: Listing MailScanner on Sourceforge.net Message-ID: Greetings, I saw that MailScanner is listed on Freshmeat.net, but not SourceForge.net. I'm sure MailScanner would get a lot more attention if it was posted on SourceForge. It wouldn't have to be hosted there, it can simply link to the current MailScanner site. A link to the SourceForge.net logo would be required to generate visitor statistics. In my opinion, MailScanner would be a great candidate for Project of the Month at Sourceforge. If you haven't already, please rate MailScanner on the Freshmeat.net site. Thanks, Tristan Rhodes From andy at WILDBRAIN.COM Wed Jan 14 18:59:57 2004 
From: andy at WILDBRAIN.COM (Andy Moran)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <40058D69.6090504@ucgbook.com>
References: <4005891A.5000006@wildbrain.com> <40058D69.6090504@ucgbook.com>
Message-ID: <400591AD.8040009@wildbrain.com>

I do have lots of "timed out" messages from MailScanner in my maillog, but they are all RBL Check timeouts like so:

Jan 14 03:01:18 hermes MailScanner[1812]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7
Jan 14 03:02:10 hermes MailScanner[7565]: RBL Check Infinite-Monkeys timed out and was killed, consecutive failure 1 of 7

But it's never consecutive enough to disable those RBL checks for good.. I don't see any "timed out" messages for SpamAssassin...

Could these RBL timeouts cause MailScanner to skip the spamassassin test?

--Andy

Peter Bonivart wrote:
> I know it's not because of the HABEAS headers because I get those as
> well as the SA report. Could it be that you had a timeout from SA? Look
> for "timed out" in your mail log.
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>
> Andy Moran wrote:
>
>> One of our users suggested that perhaps MailScanner
>> honored those Habeus headers.. I was almost insulted at the suggestion.
>>
>> Is there any way I can figure out why MailScanner isn't giving these a
>> spam score?

From juan at SAREL.CO.IL Wed Jan 14 19:05:07 2004
From: juan at SAREL.CO.IL (=?windows-1255?Q?=E7=E5=E0=EF?=)
Date: Thu Jan 12 21:21:51 2006
Subject: problem starting mailscanner
Message-ID:

Hi !

I use RH with sendmail as mail relay with mailscanner when I do
/etc/init.d/Mailscanner restart I receive :

starting Mailscanner deamons:
incoming sendmail:
warning:Xclimiter": local socket name /var/run/climiter.sock' missing [ok]

>what is going wrong ?
>
>thanks in advance!!
>

From mailscanner at ecs.soton.ac.uk Wed Jan 14 19:07:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <400591AD.8040009@wildbrain.com>
References: <4005891A.5000006@wildbrain.com> <40058D69.6090504@ucgbook.com> <400591AD.8040009@wildbrain.com>
Message-ID: <6.0.1.1.2.20040114190728.042379b0@imap.ecs.soton.ac.uk>

Stop using Infinite-Monkeys. I don't think it exists any more.

At 18:59 14/01/2004, you wrote:
>I do have lots of "timed out" messages from MailScanner in my maillog,
>but they are all RBL Check timeouts like so:
>
>Jan 14 03:01:18 hermes MailScanner[1812]: RBL Check ORDB-RBL timed out
>and was killed, consecutive failure 1 of 7
>Jan 14 03:02:10 hermes MailScanner[7565]: RBL Check Infinite-Monkeys
>timed out and was killed, consecutive failure 1 of 7
>
>But it's never consecutive enough to disable those RBL checks for good..
> I don't see any "timed out" messages for SpamAssassin...
>
>Could these RBL timeouts cause MailScanner to skip the spamassassin test?
>
>--Andy
>
>Peter Bonivart wrote:
>>I know it's not because of the HABEAS headers because I get those as
>>well as the SA report. Could it be that you had a timeout from SA? Look
>>for "timed out" in your mail log.
>>
>>/Peter Bonivart
>>
>>--Unix lovers do it in the Sun
>>
>>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
>>SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>>
>>Andy Moran wrote:
>>
>>>One of our users suggested that perhaps MailScanner
>>>honored those Habeus headers.. I was almost insulted at the suggestion.
>>>
>>>Is there any way I can figure out why MailScanner isn't giving these a
>>>spam score?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 19:05:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:51 2006
Subject: MailScanner is leaving sendmail qf-Files behind
In-Reply-To: <20040114181418.GA24010@lain.intern.internetx.de>
References: <20040114181418.GA24010@lain.intern.internetx.de>
Message-ID: <6.0.1.1.2.20040114190531.04230f08@imap.ecs.soton.ac.uk>

Are mqueue.in and mqueue on the same filesystem?

At 18:14 14/01/2004, you wrote:
>Hi, I asked this some time ago, but now the problem appears again.
>MailScanner doesn't delete some qf-files from the incoming queue after
>delivering
>a message:
>
>Jan 14 18:32:33 postoffice sm-mta[24906]: i0EHWWTi024906:
>from=, size=4833,
>class=-30, nrcpts=1, msgid=, proto=ESMTP,
>daemon=MTA, relay=gate2.mailgate.de [62.116.129.39]
>Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Found 7 messages
>waiting
>Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Forwarding 3
>unscanned messages, 30633 bytes
>Jan 14 18:32:33 postoffice MailScanner[19732]: Spam Checks: Starting
>Jan 14 18:32:33 postoffice MailScanner[19732]: Unscanned: Delivered 3 messages
>Jan 14 18:32:33 postoffice MailScanner[19732]: Virus and Content Scanning:
>Starting
>Jan 14 18:32:34 postoffice sendmail[24913]: i0EHWWTi024906:
>to=, delay=00:00:01, xdelay=00:00:00, mailer=local,
>pri=176347, dsn=2.0.0, stat=Sent
>
>After this, the file qfi0EHWWTi024906 remains in mqueue.in.
>
>The first time I posted this, it was assumed to be a sendmail problem,
>but as sendmail has completed delivery of the mail it must be
>MailScanner who leaves behind this queuefile....
>
>It leaves approx. 6-12 files per day.
>
>Greetings
>Sebastian

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 14 19:05:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:51 2006
Subject: Outstanding mail archiving bug
In-Reply-To:
References: <6.0.1.1.2.20040114095051.03f28cb0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040114190439.040b4828@imap.ecs.soton.ac.uk>

At 18:12 14/01/2004, you wrote:
>Hi!
>
> > Allow Form Tags = no
> > Quarantine Infections = yes
> >
> > with a message with a form tag in it, and the correct original message
> > segment (with the form tag still in it) is put into the quarantine.
> >
> > So maybe I've already fixed this and forgot? Quite possible!
> >
> > That was done using the latest beta 4.26-4.
>
>I had it still with 4.25-14, I can try 4.26-4 and see if I can still catch
>some, did you change the code for that part since 4.25-14 ??

I don't think so, but I can't reproduce the problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chrisk at OS-IT.NET Wed Jan 14 20:52:22 2004
From: chrisk at OS-IT.NET (Chris Kissinger)
Date: Thu Jan 12 21:21:51 2006
Subject: Custom spamassassin rules files
Message-ID:

Okay... I give up. I can not trace why these rules aren't kicking in.

I've tried to add the popcorn, chickenpox, and weeds rules that are out there. I've thrown the cf files in both /etc/mail/spamassassin/ and /usr/share/spamassassin/ trying to make this work. There have been plenty of spams that should have triggered these but it just isn't working.

Setup has MailScanner running on a gateway sendmail server so nothing is a true "local" address. Mail is definitely being scanned, just not picking up the custom rules.

I'm just at a loss why this isn't working, trying to stay away from needing to add these to spam.assassin.prefs.conf but I have no other solutions.

Any ideas would be helpful.

Thanks,
Chris

From mailscanner at ecs.soton.ac.uk Wed Jan 14 21:03:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:51 2006
Subject: Custom spamassassin rules files
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040114210143.0432fbf0@imap.ecs.soton.ac.uk>

At 20:52 14/01/2004, you wrote:
>Okay... I give up. I can not trace why these rules aren't kicking in.
>
>I've tried to add the popcorn, chickenpox, and weeds rules that are out
>there. I've thrown the cf files in both /etc/mail/spamassassin/ and
>/usr/share/spamassassin/ trying to make this work. There have been plenty of
>spams that should have triggered these but it just isn't working.
>
>Setup has MailScanner running on a gateway sendmail server so nothing is a
>true "local" address. Mail is definitely being scanned, just not picking up
>the custom rules.
>
>I'm just at a loss why this isn't working, trying to stay away from needing
>to add these to spam.assassin.prefs.conf but I have no other solutions.
>
>Any ideas would be helpful.

Find where your 50_scores.cf file is located and put them in the same directory.
However, check they are Unix text files and not DOS text files.

        od -c bigevil.cf | head

should show the end of line sequence is just "\n" and not "\n\r". If it is "\n\r" then they need to be converted to Unix text files. See the "dos2unix" program for details on how to easily convert them.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.swaney at FSL.COM Wed Jan 14 21:05:08 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:51 2006
Subject: Custom spamassassin rules files
In-Reply-To:
Message-ID: <20040114210509.6DB1521C304@mail.fsl.com>

Chris,

Try:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

where -P <[dir]/spam.assassin.prefs.conf> is correct path to spam.assassin.prefs.conf on your system.

You should see some lines like:

debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir

If the .cf files are in one rules dir listed by your system, check the permissions on the files.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Chris Kissinger
> Sent: Wednesday, January 14, 2004 3:52 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Custom spamassassin rules files
>
> Okay... I give up. I can not trace why these rules aren't kicking in.
>
> I've tried to add the popcorn, chickenpox, and weeds rules that are out
> there. I've thrown the cf files in both /etc/mail/spamassassin/ and
> /usr/share/spamassassin/ trying to make this work. There have been plenty
> of
> spams that should have triggered these but it just isn't working.
>
> Setup has MailScanner running on a gateway sendmail server so nothing is a
> true "local" address. Mail is definitely being scanned, just not picking
> up
> the custom rules.
>
> I'm just at a loss why this isn't working, trying to stay away from
> needing
> to add these to spam.assassin.prefs.conf but I have no other solutions.
>
> Any ideas would be helpful.
>
> Thanks,
> Chris
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

From pete at eatathome.com.au Wed Jan 14 21:36:34 2004
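The two checks suggested in the replies above (Unix line endings and file permissions on the .cf rule files), as an added example that is not part of the thread or of MailScanner. The function names, the constructed sample files and the choice to test the "other" read bit are assumptions made for illustration.

```python
import os
import stat
import tempfile


def crlf_lines(data):
    """Return the 1-based numbers of lines that end in CR LF."""
    return [n for n, line in enumerate(data.split(b"\n"), start=1)
            if line.endswith(b"\r")]


def check_rule_file(path):
    """Return a list of problem strings for one rules file (empty = fine)."""
    problems = []
    mode = os.stat(path).st_mode
    # Assumption: the scanner runs as a user that is neither owner nor group
    # of the file, so the "other" read bit decides whether it can load it.
    if not mode & stat.S_IROTH:
        problems.append("not world-readable (mode %04o)" % stat.S_IMODE(mode))
    with open(path, "rb") as fh:
        bad = crlf_lines(fh.read())
    if bad:
        problems.append("DOS line endings on %d line(s), first at line %d"
                        % (len(bad), bad[0]))
    return problems


def check_rules_dir(directory):
    """Map each *.cf file in `directory` to its list of problems."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".cf") and os.path.isfile(path):
            report[name] = check_rule_file(path)
    return report


def build_sample_dir():
    """Create a constructed rules directory: one good file, two bad ones."""
    directory = tempfile.mkdtemp(prefix="sa-rules-")
    samples = {
        "local_scores.cf": (b"score HABEAS_SWE -2.0\n", 0o644),
        "dos_rules.cf": (
            b"header RM_hxm_mPOPwebMail X-Mailer =~ /mPOP Web-Mail/\r\n"
            b"score RM_hxm_mPOPwebMail 5.0\r\n", 0o644),
        "private.cf": (b"use_bayes 0\n", 0o600),
        "README.txt": (b"not a rules file\r\n", 0o644),  # ignored: not *.cf
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    # Point check_rules_dir() at each rules dir that the --lint debug
    # output lists; here it runs over the constructed sample directory.
    for name, problems in check_rules_dir(build_sample_dir()).items():
        print(name, "->", "; ".join(problems) or "ok")
```
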
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:51 2006
Subject: RBLs in MailScanner or SpamAssassin?
In-Reply-To: <40057C95.1050901@fractalweb.com>
References: <40057C95.1050901@fractalweb.com>
Message-ID: <4005B662.40302@eatathome.com.au>

Chris Yuzik wrote:

> Hi everyone,
>
> Something I've been wondering for quite some time: Am I better to use
> the RBLs in MailScanner directly, or to have SpamAssassin use them...or
> is a combination of the two best? As I understand it, when used in
> MailScanner, the message is immediately tagged as spam if it is in the
> RBL whereas in Spamassassin, it's simply added to the score.
>
> Currently, I have the following line in my MailScanner.conf file:
> Spam List = ORDB-RBL Infinite-Monkeys Easynet-DNSBL
>
> In spam.assassin.prefs.conf, I have added:
> header RCVD_SPAMHAUS_XBL
> rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org')
> describe RCVD_SPAMHAUS_XBL net
> score RCVD_SPAMHAUS_XBL 1.5
>
> Cheers,
> Chris
>
>
>

www.mailscanner.info and go to the faq, there are some entries in there which cover your question in detail - a few minutes ago I saw a post from Julian saying Infinite Monkeys is now gone, so don't attempt to use that.

Pete

From jfraley at glenraven.com Wed Jan 14 21:39:58 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:21:51 2006
Subject: clamscan - oversized zip, workaround?
In-Reply-To:
References:
Message-ID: <1074116398.22834.96.camel@jfraleyx.glenraven.com>

On Tue, 2004-01-13 at 03:47, Jan-Peter Koopmann wrote:
> Hi Darren,
>
> > At Mon Jan 12 18:05:43 2004 the virus scanner said:
> > ClamAV: ad_tif.zip contains Oversized Zip "
> >
> > This is a known issue with ClamAV and I was wondering if
> > anyone had a good workaround. If not a good work around, how
> > can I disable scanning the contents of zip files. I modified
> > /usr/lib/MailScanner/clamav-wrapper as below and restarted
> > MailScanner but that didn't seem to do the trick.
>
> Edit libclamav/scanners.c and change
>
> #define ZIPOSDET 20 /* FIXME: Make it user definable */
>
> to
>
> #define ZIPOSDET 50 /* FIXME: Make it user definable */
>
>
> Works like a charm on my installations.
>
> Regards,
> JP

After making this change, do I just need to re-install clamav?

Jon

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Jan 14 21:44:57 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:51 2006
Subject: clamscan - oversized zip, workaround?
Message-ID:

> After making this change, do I just need to re-install clamav?

Yes. Keep in mind that others proposed a value of 70. I do not really know what this value does. 50 fixed it for me so far but I cannot give a guarantee.. :-)

Regards,
JP

From Antony at SOFT-SOLUTIONS.CO.UK Wed Jan 14 21:45:28 2004
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:51 2006
Subject: clamscan - oversized zip, workaround?
In-Reply-To: <1074116398.22834.96.camel@jfraleyx.glenraven.com>
References: <1074116398.22834.96.camel@jfraleyx.glenraven.com>
Message-ID: <200401142145.28144.Antony@Soft-Solutions.co.uk>

On Wednesday 14 January 2004 9:39 pm, Jon Fraley wrote:

> On Tue, 2004-01-13 at 03:47, Jan-Peter Koopmann wrote:
>
> > Edit libclamav/scanners.c and change
> >
> > #define ZIPOSDET 20 /* FIXME: Make it user definable */
> > to
> > #define ZIPOSDET 50 /* FIXME: Make it user definable */
> >
> > Works like a charm on my installations.
>
> After making this change, do I just need to re-install clamav?

Recompile and reinstall, yes.

Antony.

--
The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time.

Please reply to the list; please don't CC me.

From pete at eatathome.com.au Wed Jan 14 21:46:37 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:51 2006
Subject: problem starting mailscanner
In-Reply-To:
References:
Message-ID: <4005B8BD.2030603@eatathome.com.au>

???? wrote:

>Hi !
>
>I use RH with sendmail as mail relay with mailscanner when I
>
>do
>/etc/init.d/Mailscanner restart I receive :
>
>starting Mailscanner deamons:
>
>incoming sendmail:
>
>warning:Xclimiter": local socket name /var/run/climiter.sock' missing [ok]
>
>
>>what is going wrong ?
>>
>>thanks in advance!!
>>

In RH you should

#service MailScanner start

Whether this will fix your problem or not I don't know, but this is the command for starting MS in Red Hat

From dwinkler at ALGORITHMICS.COM Wed Jan 14 21:44:02 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:21:51 2006
Subject: clamscan - oversized zip, workaround?
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B12D@tormail2.algorithmics.com>

I used 70 and still get oversized zip messages.

The next version of clam is supposed to make this run-time configurable.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jan-Peter Koopmann
Sent: Wednesday, January 14, 2004 4:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: clamscan - oversized zip, workaround?

> After making this change, do I just need to re-install clamav?

Yes. Keep in mind that others proposed a value of 70. I do not really know what this value does. 50 fixed it for me so far but I cannot give a guarantee.. :-)

Regards,
JP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040114/76683830/attachment.html

From pete at eatathome.com.au Wed Jan 14 21:54:43 2004
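An added example, not code from this thread or from ClamAV: going by the description in Peter Bonivart's reply elsewhere in this archive that the ZIPOSDET value is the allowed compression ratio, this sketch computes that ratio per archive member from the sizes the zip headers declare, and also caps the bytes actually inflated, since declared sizes come from the sender. The function names and the constructed sample archive are assumptions; in the sample, a harmless but highly compressible file crosses the 20, 50 and 70 limits alike.

```python
import io
import os
import zipfile


def members_over_ratio(zip_source, max_ratio=20):
    """List (name, declared_size, compressed_size, ratio) for every member
    whose declared uncompressed/compressed ratio reaches max_ratio."""
    flagged = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            # Data declared with zero compressed bytes: treat as unbounded.
            ratio = (info.file_size / info.compress_size
                     if info.compress_size else float("inf"))
            if ratio >= max_ratio:
                flagged.append((info.filename, info.file_size,
                                info.compress_size, ratio))
    return flagged


def read_capped(zf, name, max_bytes, chunk=64 * 1024):
    """Inflate one member, refusing to produce more than max_bytes.

    The header sizes used above are whatever the archive claims, so the
    cap is enforced on the bytes that really come out of the decompressor.
    """
    out = bytearray()
    with zf.open(name) as member:
        while True:
            block = member.read(chunk)
            if not block:
                return bytes(out)
            out += block
            if len(out) > max_bytes:
                raise ValueError("%s inflates past %d bytes" % (name, max_bytes))


def build_sample_zip():
    """Constructed sample: one very compressible member, one incompressible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("blank_scan.tif", b"\x00" * 1_000_000)  # roughly 1000:1
        zf.writestr("photo.bin", os.urandom(4096))          # roughly 1:1
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_zip()
    for limit in (20, 50, 70):  # the values mentioned in the thread
        hits = members_over_ratio(io.BytesIO(blob), limit)
        print("limit %d:" % limit,
              [(name, "%.0f:1" % ratio) for name, _, _, ratio in hits])
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        print(len(read_capped(zf, "photo.bin", 8192)), "bytes read under cap")
```
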
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:51 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <6.0.1.1.2.20040114162755.038f3d70@imap.ecs.soton.ac.uk>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk> <040901c3dab2$2ffa9110$0e01a8c0@Toshiba> <6.0.1.1.2.20040114152915.03ab1008@imap.ecs.soton.ac.uk> <041701c3dab4$ef18bc50$0e01a8c0@Toshiba> <6.0.1.1.2.20040114162755.038f3d70@imap.ecs.soton.ac.uk>
Message-ID: <4005BAA3.5060508@eatathome.com.au>

Just to be clear, I used RBL in Sa - do I just add

SBL+XBL sbl-xbl.spamhaus.org.

to /etc/MailScanner/spam.list.conf ?

Should I remove anything else? I commented out the paid and monkeys ones already - using 4.24.5

thanks
Pete

Julian Field wrote:

> At 15:41 14/01/2004, you wrote:
>
>> Julian wrote:
>> > And make sure you are using the spamhaus xbl or xbl-sbl lists.
>>
>> Yeah, I'm using the following and still about 200 spam e-mails daily
>> come
>> through:
>>
>> Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL
>>
>> Am I missing some others (other than the paid services that is)?
>
>
> Yes. Add a line into spam.lists.conf that says this:
>
> SBL+XBL sbl-xbl.spamhaus.org.
>
> then in your "Spam List =" setting above, remove "spamhaus.org" and
> replace
> it with "SBL+XBL". This will catch significantly more spam.
>
> Obviously you need to "reload" or "restart" MailScanner after changing
> these two things.
>
>> ----- Original Message -----
>> From: "Julian Field" >> To: >> Sent: Wednesday, January 14, 2004 10:30 AM >> Subject: Re: Spamassassin negative score? {Scanned} >> >> >> > No, it still wouldn't have been marked as spam. The score from the >> other >> > rules is too low. >> > >> > Definitely worth adding the BigEvil.cf list, it helps quite a bit. >> > And make sure you are using the spamhaus xbl or xbl-sbl lists. >> > >> > At 15:22 14/01/2004, you wrote: >> > >Julian, >> > > >> > >If I disable bayes, will they still be tagged as spam? Also, I >> just ran >> > >accross the BigEvilList Version 2.06g in some old posts and >> wondering if >> > >this will work better? >> > > >> > >Thanks as always for all the help and the awsome work you do!!! >> > > >> > >SW >> > >----- Original Message ----- 
>> > >From: "Julian Field" >> > >To: >> > >Sent: Wednesday, January 14, 2004 10:06 AM >> > >Subject: Re: Spamassassin negative score? {Scanned} >> > > >> > > >> > > > They have managed to poison your Bayes database enough that it is >> > >convinced >> > > > this message is not spam (BAYES_00 -4.90 in the headers you >> included). >> > > > >> > > > You may want to change the score of the low-numbered BAYES_xx >> rules so >> > >they >> > > > are a lot smaller. But then you will need to keep an eye open for >> false >> > > > positives. The other option is to disable bayes altogether with >> > > > use_bayes 0 >> > > > in spam.assassin.prefs.conf >> > > > >> > > > At 14:57 14/01/2004, you wrote: >> > > > >Hi folks, >> > > > > >> > > > >I'm just trying to figure out how lately lots of spam gets a >> 'negative' >> > > > >score resulting in not being seen as spam? Do I need to make some >> changes >> > >in >> > > > >Mailscanner.conf to fix this problem or is this a known loophole >> spammers >> > > > >use? >> > > > > >> > > > >Here is an example of an e-mail w/ a Spamassassin score of -4.7: >> > > > > >> > > > >Return-Path: >> > > > >Received: from dhcp15-67.cable.conwaycorp.net >> > > > >(JeW_91122_@dhcp15-67.cable.conwaycorp.net [24.144.15.67] (may be >> > >forged)) >> > > > > by wppi.com (8.10.2/8.10.2) with SMTP id i0EDvdf00591 >> > > > > for ; Wed, 14 Jan 2004 08:57:39 -0500 >> > > > >Received: from [24.144.15.67] by 3001hosting.comIP with HTTP; >> > > > > Wed, 14 Jan 2004 14:49:27 +0100 
>> > > > >From: "Chasity" >> > > > >To: ae@wppi.com >> > > > >Subject: Re: YQBNAMQ, voice resounded over {Scanned} >> > > > >Mime-Version: 1.0 >> > > > >X-Mailer: mPOP Web-Mail 2.19 >> > > > >X-Originating-IP: [3001hosting.comIP] >> > > > >Date: Wed, 14 Jan 2004 14:58:27 +0100 >> > > > >Reply-To: "Sorensen" >> > > > >Content-Type: multipart/alternative; >> > > > > boundary="--ALT--VKRT28948427261974" >> > > > >Message-Id: >> > > > >X-WPPi-MailScanner-Information: Please contact WPPi for more >> information >> > > > >X-WPPi-MailScanner: Found to be clean >> > > > >X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7, >> > >required >> > > > >4, >> > > > > BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10) >> > > > >X-UIDL: joV"!$mT"!"!E!!%!3!! >> > > > > >> > > > > >> > > > > >> > > > >------------------------------------------------- >> > > > > WPPi.com | WPPi.Net >> > > > >------------------------------------------------- >> > > > > http://www.wppi.com | http://www.wppi.net >> > > > >------------------------------------------------- >> > > > >WPPi.com & WPPi.Net MailScanner Signature >> > > > >This message has been scanned for viruses >> > > > >and dangerous content by WPPi MailScanner, >> > > > >and has been found to be clean. 
>> > > > >------------------------------------------------- >> > > > >> > > > -- >> > > > Julian Field >> > > > www.MailScanner.info >> > > > MailScanner thanks transtec Computers for their support >> > > > >> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > > > >> > > > ------------------------------------------------- >> > > > WPPi.com | WPPi.Net >> > > > ------------------------------------------------- >> > > > http://www.wppi.com | http://www.wppi.net >> > > > ------------------------------------------------- >> > > > WPPi.com & WPPi.Net MailScanner Signature >> > > > This message has been scanned for viruses >> > > > and dangerous content by WPPi MailScanner, >> > > > and has been found to be clean. >> > > > ------------------------------------------------- >> > > > >> > > >> > > >> > > >> > >------------------------------------------------- >> > > WPPi.com | WPPi.Net >> > >------------------------------------------------- >> > > http://www.wppi.com | http://www.wppi.net >> > >------------------------------------------------- >> > >WPPi.com & WPPi.Net MailScanner Signature >> > >This message has been scanned for viruses >> > >and dangerous content by WPPi MailScanner, >> > >and has been found to be clean. >> > >------------------------------------------------- >> > >> > -- >> > Julian Field >> > www.MailScanner.info >> > MailScanner thanks transtec Computers for their support >> > >> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > >> > ------------------------------------------------- >> > WPPi.com | WPPi.Net >> > ------------------------------------------------- >> > http://www.wppi.com | http://www.wppi.net >> > ------------------------------------------------- >> > WPPi.com & WPPi.Net MailScanner Signature >> > This message has been scanned for viruses >> > and dangerous content by WPPi MailScanner, >> > and has been found to be clean. 
>> > -------------------------------------------------
>> >
>> >
>>
>>
>>
>> -------------------------------------------------
>> WPPi.com | WPPi.Net
>> -------------------------------------------------
>> http://www.wppi.com | http://www.wppi.net
>> -------------------------------------------------
>> WPPi.com & WPPi.Net MailScanner Signature
>> This message has been scanned for viruses
>> and dangerous content by WPPi MailScanner,
>> and has been found to be clean.
>> -------------------------------------------------
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>

From peter at UCGBOOK.COM Wed Jan 14 23:07:00 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:51 2006
Subject: clamscan - oversized zip, workaround?
In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B12D@tormail2.algorithmics.com>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B12D@tormail2.algorithmics.com>
Message-ID: <4005CB94.6070005@ucgbook.com>

> Yes. Keep in mind that others proposed a value of 70. I do not really
> know what this value does. 50 fixed it for me so far but I cannot give
> a guarantee.. :-)

The value is simply the compression ratio allowed before it's considered to be a Zip of Death which is a sort of denial of service attack. The default value of 20 allows zip files compressed to 1/20th the size of the original.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From steve.douglas at SBIINCORPORATED.COM Wed Jan 14 23:53:36 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:51 2006
Subject: Mail log in debug mode
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF39EB@mail.gardenbotanika.com>

Thanks for the information. Everything appears to be working.

-----Original Message-----
From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
Sent: Monday, January 12, 2004 2:26 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mail log in debug mode

That looks like the message you get when trying to start Sendmail with it already running.

Use "chkconfig --list" to see at which runlevels Sendmail and MailScanner are set to be started, Sendmail should be off at all levels.

Use "service sendmail stop" and then "service mailscanner restart" to get rid of rogue Sendmail processes and start fresh with MailScanner.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

Steve Douglas wrote:
> ++++Jan 12 13:17:07 hprh sendmail[6158]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Address already in use
> ++++Jan 12 13:17:07 hprh sendmail[6158]: daemon MTA: problem creating SMTP
> socket

From steve.douglas at SBIINCORPORATED.COM Thu Jan 15 00:13:34 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:51 2006
Subject: New Year.
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF39EC@mail.gardenbotanika.com>

Donate then. :-)

-----Original Message-----
From: Ryan Finnesey [mailto:ryan.finnesey@CORPDSG.COM]
Sent: Thursday, January 01, 2004 1:45 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: New Year.

I would also like to wish everyone a happy New Year!

Ryan

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Erik Jakobsen
> Sent: Wednesday, December 31, 2003 12:55 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: New Year.
>
> With this I want to pass a Happy New Year to all members of the list here.
>
> Also I want to thank you Julian for your huge job with MailScanner. It's
> a nice piece of software, and you have done it good for all of us, but
> the spammers.
>
> Cheers, Erik.
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja@urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.

From nicholas_esborn at AFFYMETRIX.COM Thu Jan 15 00:22:17 2004
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:21:51 2006
Subject: Habeas blacklist
Message-ID: <20040115002216.GG59681@affymetrix.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Habeas has a blacklist of IPs which have abused their SWE mark:

http://www.habeas.com/supportBlackList.html

- -nick

- --
Nicholas Esborn | UNIX Systems Administrator | CIS
Affymetrix, Inc. | 6550 Vallejo St. | Emeryville, CA 94608
Tel: 510/428.8505 | Fax: 408-731-5380
Every message cryptographically signed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFABd04niCIkLLhb34RAj2OAJ9HUW2EAaW2T9FdsOfxwPWXQyY2ZACeIqNt
wO7RnB7VTroiVxDGyehyhBY=
=yfqp
-----END PGP SIGNATURE-----

From andy at WILDBRAIN.COM Thu Jan 15 01:06:18 2004
From: andy at WILDBRAIN.COM (Andy Moran)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <6.0.1.1.2.20040114190728.042379b0@imap.ecs.soton.ac.uk>
References: <4005891A.5000006@wildbrain.com> <40058D69.6090504@ucgbook.com> <400591AD.8040009@wildbrain.com> <6.0.1.1.2.20040114190728.042379b0@imap.ecs.soton.ac.uk>
Message-ID: <4005E78A.2020404@wildbrain.com>

I removed the Infinite-Monkeys RBL.

But I still get occasional messages with no Spam header as if MailScanners skipped it.. and I don't see any SpamAssassin timeout messages in the logs.

Any other thoughts?

--Andy

Julian Field wrote:
> Stop using Infinite-Monkeys. I don't think it exists any more.
>
> At 18:59 14/01/2004, you wrote:
>
>> I do have lots of "timed out" messages from MailScanner in my maillog,
>> but they are all RBL Check timeouts like so:
>>
>> Jan 14 03:01:18 hermes MailScanner[1812]: RBL Check ORDB-RBL timed out
>> and was killed, consecutive failure 1 of 7
>> Jan 14 03:02:10 hermes MailScanner[7565]: RBL Check Infinite-Monkeys
>> timed out and was killed, consecutive failure 1 of 7
>>
>> But it's never consecutive enough to disable those RBL checks for good..
>> I don't see any "timed out" messages for SpamAssassin...
>>
>> Could these RBL timeouts cause MailScanner to skip the spamassassin test?
>>
>> --Andy
>>
>> Peter Bonivart wrote:
>>
>>> I know it's not because of the HABEAS headers because I get those as
>>> well as the SA report. Could it be that you had a timeout from SA? Look
>>> for "timed out" in your mail log.
>>>
>>> /Peter Bonivart
>>>
>>> --Unix lovers do it in the Sun
>>>
>>> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
>>> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>>>
>>> Andy Moran wrote:
>>>
>>>> One of our users suggested that perhaps MailScanner
>>>> honored those Habeas headers.. I was almost insulted at the
>>>> suggestion.
>>>>
>>>> Is there any way I can figure out why MailScanner isn't giving these a
>>>> spam score?
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mark at TIPPINGMAR.COM Thu Jan 15 04:47:53 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:21:51 2006
Subject: Some messages not being spam scanned?
In-Reply-To: <4005E78A.2020404@wildbrain.com>
Message-ID:

Did you set this in mailscanner.conf?

# Do you want to always include the Spam Report in the SpamCheck
# header, even if the message wasn't spam?
# This can also be the filename of a ruleset.
Always Include SpamAssassin Report = yes

If you don't, then you won't see a report if it doesn't score more than your spam threshold.

Mark

On Wednesday, January 14, 2004, at 05:06 PM, Andy Moran wrote:

> I removed the Infinite-Monkeys RBL.
>
> But I still get occasional messages with no Spam header as if
> MailScanners skipped it.. and I don't see any SpamAssassin timeout
> messages in the logs.
>
> Any other thoughts?
>
> --Andy
>
> Julian Field wrote:
>> Stop using Infinite-Monkeys. I don't think it exists any more.
>>
>> At 18:59 14/01/2004, you wrote:
>>
>>> I do have lots of "timed out" messages from MailScanner in my
>>> maillog,
>>> but they are all RBL Check timeouts like so:
>>>
>>> Jan 14 03:01:18 hermes MailScanner[1812]: RBL Check ORDB-RBL timed
>>> out
>>> and was killed, consecutive failure 1 of 7
>>> Jan 14 03:02:10 hermes MailScanner[7565]: RBL Check Infinite-Monkeys
>>> timed out and was killed, consecutive failure 1 of 7
>>>
>>> But it's never consecutive enough to disable those RBL checks for
>>> good..
>>> I don't see any "timed out" messages for SpamAssassin...
>>>
>>> Could these RBL timeouts cause MailScanner to skip the spamassassin
>>> test?
>>>
>>> --Andy
>>>
>>> Peter Bonivart wrote:
>>>
>>>> I know it's not because of the HABEAS headers because I get those as
>>>> well as the SA report. Could it be that you had a timeout from SA?
>>>> Look
>>>> for "timed out" in your mail log.
>>>>
>>>> /Peter Bonivart
>>>>
>>>> --Unix lovers do it in the Sun
>>>>
>>>> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
>>>> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>>>>
>>>> Andy Moran wrote:
>>>>
>>>>> One of our users suggested that perhaps MailScanner
>>>>> honored those Habeas headers.. I was almost insulted at the
>>>>> suggestion.
>>>>>
>>>>> Is there any way I can figure out why MailScanner isn't giving
>>>>> these a
>>>>> spam score?
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 15 08:38:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:51 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <4005BAA3.5060508@eatathome.com.au>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk> <040901c3dab2$2ffa9110$0e01a8c0@Toshiba> <6.0.1.1.2.20040114152915.03ab1008@imap.ecs.soton.ac.uk> <041701c3dab4$ef18bc50$0e01a8c0@Toshiba> <6.0.1.1.2.20040114162755.038f3d70@imap.ecs.soton.ac.uk> <4005BAA3.5060508@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040115083733.035f9980@imap.ecs.soton.ac.uk>

At 21:54 14/01/2004, you wrote:
>Just to be clear, i used RBL in Sa - do i just add
>SBL+XBL sbl-xbl.spamhaus.org.
>to /etc/MailScanner/spam.list.conf ?

That file is for MailScanner's blacklisting, not SA's. You will have to add more rules to spam.assassin.prefs.conf with scores to use this. Someone else can provide the syntax if you are unsure, I can't remember it right now.

>Should i remove anything else? i commented out the paid and monkeys ones
>already - using 4.24.5
>
>thanks
>Pete
>
>
>Julian Field wrote:
>
>>At 15:41 14/01/2004, you wrote:
>>
>>>Julian wrote:
>>> > And make sure you are using the spamhaus xbl or xbl-sbl lists.
>>>
>>>Yeah, I'm using the following and still about 200 spam e-mails daily
>>>come
>>>through:
>>>
>>>Spam List = ORDB-RBL spamhaus.org spamcop.net NJABL
>>>
>>>Am I missing some others (other than the paid services that is)?
>>
>>
>>Yes. Add a line into spam.lists.conf that says this:
>>
>>SBL+XBL sbl-xbl.spamhaus.org.
>>
>>then in your "Spam List =" setting above, remove "spamhaus.org" and
>>replace
>>it with "SBL+XBL". This will catch significantly more spam.
>>
>>Obviously you need to "reload" or "restart" MailScanner after changing
>>these two things.
>>
>>>----- Original Message -----
>>>From: "Julian Field" >>>To: >>>Sent: Wednesday, January 14, 2004 10:30 AM >>>Subject: Re: Spamassassin negative score? {Scanned} >>> >>> >>> > No, it still wouldn't have been marked as spam. The score from the >>>other >>> > rules is too low. >>> > >>> > Definitely worth adding the BigEvil.cf list, it helps quite a bit. >>> > And make sure you are using the spamhaus xbl or xbl-sbl lists. >>> > >>> > At 15:22 14/01/2004, you wrote: >>> > >Julian, >>> > > >>> > >If I disable bayes, will they still be tagged as spam? Also, I >>>just ran >>> > >accross the BigEvilList Version 2.06g in some old posts and >>>wondering if >>> > >this will work better? >>> > > >>> > >Thanks as always for all the help and the awsome work you do!!! >>> > > >>> > >SW >>> > >----- Original Message ----- 
>>> > >From: "Julian Field" >>> > >To: >>> > >Sent: Wednesday, January 14, 2004 10:06 AM >>> > >Subject: Re: Spamassassin negative score? {Scanned} >>> > > >>> > > >>> > > > They have managed to poison your Bayes database enough that it is >>> > >convinced >>> > > > this message is not spam (BAYES_00 -4.90 in the headers you >>>included). >>> > > > >>> > > > You may want to change the score of the low-numbered BAYES_xx >>>rules so >>> > >they >>> > > > are a lot smaller. But then you will need to keep an eye open for >>>false >>> > > > positives. The other option is to disable bayes altogether with >>> > > > use_bayes 0 >>> > > > in spam.assassin.prefs.conf >>> > > > >>> > > > At 14:57 14/01/2004, you wrote: >>> > > > >Hi folks, >>> > > > > >>> > > > >I'm just trying to figure out how lately lots of spam gets a >>>'negative' >>> > > > >score resulting in not being seen as spam? Do I need to make some >>>changes >>> > >in >>> > > > >Mailscanner.conf to fix this problem or is this a known loophole >>>spammers >>> > > > >use? >>> > > > > >>> > > > >Here is an example of an e-mail w/ a Spamassassin score of -4.7: >>> > > > > >>> > > > >Return-Path: >>> > > > >Received: from dhcp15-67.cable.conwaycorp.net >>> > > > >(JeW_91122_@dhcp15-67.cable.conwaycorp.net [24.144.15.67] (may be >>> > >forged)) >>> > > > > by wppi.com (8.10.2/8.10.2) with SMTP id i0EDvdf00591 >>> > > > > for ; Wed, 14 Jan 2004 08:57:39 -0500 >>> > > > >Received: from [24.144.15.67] by 3001hosting.comIP with HTTP; >>> > > > > Wed, 14 Jan 2004 14:49:27 +0100 
>>> > > > >From: "Chasity" >>> > > > >To: ae@wppi.com >>> > > > >Subject: Re: YQBNAMQ, voice resounded over {Scanned} >>> > > > >Mime-Version: 1.0 >>> > > > >X-Mailer: mPOP Web-Mail 2.19 >>> > > > >X-Originating-IP: [3001hosting.comIP] >>> > > > >Date: Wed, 14 Jan 2004 14:58:27 +0100 >>> > > > >Reply-To: "Sorensen" >>> > > > >Content-Type: multipart/alternative; >>> > > > > boundary="--ALT--VKRT28948427261974" >>> > > > >Message-Id: >>> > > > >X-WPPi-MailScanner-Information: Please contact WPPi for more >>>information >>> > > > >X-WPPi-MailScanner: Found to be clean >>> > > > >X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.7, >>> > >required >>> > > > >4, >>> > > > > BAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10) >>> > > > >X-UIDL: joV"!$mT"!"!E!!%!3!! >>> > > > > >>> > > > > >>> > > > > >>> > > > >------------------------------------------------- >>> > > > > WPPi.com | WPPi.Net >>> > > > >------------------------------------------------- >>> > > > > http://www.wppi.com | http://www.wppi.net >>> > > > >------------------------------------------------- >>> > > > >WPPi.com & WPPi.Net MailScanner Signature >>> > > > >This message has been scanned for viruses >>> > > > >and dangerous content by WPPi MailScanner, >>> > > > >and has been found to be clean. 
>>> > > > >------------------------------------------------- >>> > > > >>> > > > -- >>> > > > Julian Field >>> > > > www.MailScanner.info >>> > > > MailScanner thanks transtec Computers for their support >>> > > > >>> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> > > > >>> > > > ------------------------------------------------- >>> > > > WPPi.com | WPPi.Net >>> > > > ------------------------------------------------- >>> > > > http://www.wppi.com | http://www.wppi.net >>> > > > ------------------------------------------------- >>> > > > WPPi.com & WPPi.Net MailScanner Signature >>> > > > This message has been scanned for viruses >>> > > > and dangerous content by WPPi MailScanner, >>> > > > and has been found to be clean. >>> > > > ------------------------------------------------- >>> > > > >>> > > >>> > > >>> > > >>> > >------------------------------------------------- >>> > > WPPi.com | WPPi.Net >>> > >------------------------------------------------- >>> > > http://www.wppi.com | http://www.wppi.net >>> > >------------------------------------------------- >>> > >WPPi.com & WPPi.Net MailScanner Signature >>> > >This message has been scanned for viruses >>> > >and dangerous content by WPPi MailScanner, >>> > >and has been found to be clean. >>> > >------------------------------------------------- >>> > >>> > -- >>> > Julian Field >>> > www.MailScanner.info >>> > MailScanner thanks transtec Computers for their support >>> > >>> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> > >>> > ------------------------------------------------- >>> > WPPi.com | WPPi.Net >>> > ------------------------------------------------- >>> > http://www.wppi.com | http://www.wppi.net >>> > ------------------------------------------------- >>> > WPPi.com & WPPi.Net MailScanner Signature >>> > This message has been scanned for viruses >>> > and dangerous content by WPPi MailScanner, >>> > and has been found to be clean. 
>>> > -------------------------------------------------
>>> >
>>> >
>>>
>>>
>>>
>>>-------------------------------------------------
>>> WPPi.com | WPPi.Net
>>>-------------------------------------------------
>>> http://www.wppi.com | http://www.wppi.net
>>>-------------------------------------------------
>>>WPPi.com & WPPi.Net MailScanner Signature
>>>This message has been scanned for viruses
>>>and dangerous content by WPPi MailScanner,
>>>and has been found to be clean.
>>>-------------------------------------------------
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 15 08:48:31 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
Message-ID:

Hi

We've been asked to investigate putting together a hotmail-type solution for a very large client, which would have up to 13000 users.
What would people recommend?

Thanks,

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 15 09:01:18 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
In-Reply-To:
References:
Message-ID: <400656DE.5050304@solid-state-logic.com>

Michele Neylon :: Blacknight Solutions wrote:
> Hi
>
> We've been asked to investigate putting together a hotmail-type solution for
> a very large client, which would have up to 13000 users.
> What would people recommend?
>
> Thanks,
>
> Michele
>
>
> Mr. Michele Neylon
> Blacknight Internet Solutions Ltd
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> Tel. + 353 (0)59 9137101
> Lowest price domains in Ireland

Michele

Cyrus imapd with Horde Imp for the GUI.

would need cluster I guess and some very fast disks(SCSI or SATA) with RAID

Also checkout http://www.ispman.org/ for some glue...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From chris at FRACTALWEB.COM Thu Jan 15 09:36:05 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:51 2006
Subject: can't seem to teach with MailWatch
Message-ID: <40065F05.2040007@fractalweb.com>

Hi,

I'm really liking MailWatch. I've got a couple of quirks though.

When I try to teach a message "as ham", I get "SA Learn: error code 127 returned from sa-learn". I'm not sure how to fix this. When I log in as root and use sa-learn, it works fine.

Cheers,
Chris

From Peter.Bates at LSHTM.AC.UK Thu Jan 15 09:50:09 2004
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:21:51 2006
Subject: Bayesian shenanigans (i.e. problems)
Message-ID:

Hello all...

Just before Christmas (a great time for things to happen!), I had general problems with SpamAssassin timing out constantly with MailScanner. This was naturally leading to a lot of unwanted material sneaking through.

I upgraded to MS 4.25 (RPM version), and SA 2.61, but eventually shifted to disabling Bayes with 'use_bayes 0'. I'm also using DCC and Razor, so thought my 'hit-rate' would still be reasonable...

I'm running with Postfix, hence all the files being owned by postfix:postfix.

I have in spam.assassin.prefs.conf :

bayes_path /var/spool/MailScanner/spamassassin/bayes
bayes_file_mode 0600

Here's an 'ls -lh':

-rw------- 1 postfix postfix 661 Dec 27 23:06 bayes_journal
-rw-r--r-- 1 postfix postfix 40M Dec 27 23:06 bayes_seen
-rw------- 1 postfix postfix 265M Dec 27 23:06 bayes_toks
-rw------- 1 postfix postfix 2.7G Dec 27 23:01 bayes_toks.new
-rw-r--r-- 1 postfix postfix 4.8M Oct 15 09:22 old_bayes_seen
-rw-r--r-- 1 postfix postfix 22M Oct 15 09:22 old_bayes_toks

This system has only been auto-learning, and I've also tried sa-learn --rebuild.

Are these unreasonable sizes? Should I be setting some other configuration parameter to ensure smaller sizes? Which of these files (presumably not the 2.7G one!) is actually being used anyway?

I still have Bayes off for now, but would like to reinstate it, but at the moment I'm almost tempted to desire each message to run once through the Bayes stuff, and then be run again through SA even if that times out... with the Bayes, the timeouts were very clear to see.

... any advice would be most appreciated!

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From drew at THEMARSHALLS.CO.UK Thu Jan 15 09:46:36 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
In-Reply-To:
References:
Message-ID: <61037.194.70.180.170.1074159996.squirrel@net.themarshalls.co.uk>

Hi

I use Postfix, MailScanner, Courier-IMAP (For POP & IMAP) and Squirrel Mail (On Apache - obviously!) which is great. It's set up similarly to this http://www.gentoo.org/doc/en/virt-mail-howto.xml (A document I found after I set most of it up).

The bigger benefits of this set up is the MySQL user admin. Quick, easy and a load less hassle for 13000 users! It also gives lots of different ways for people to collect mail (Webmail, IMAP, POP3)

My 2p, for what it's worth.

Drew

--
Michele Neylon :: Blacknight Solutions said:
> Hi
>
> We've been asked to investigate putting together a hotmail-type solution
> for
> a very large client, which would have up to 13000 users.
> What would people recommend?
>
> Thanks,
>
> Michele
>
>
> Mr. Michele Neylon
> Blacknight Internet Solutions Ltd
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> Tel. + 353 (0)59 9137101
> Lowest price domains in Ireland
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From john at TRADOC.FR Thu Jan 15 10:07:47 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:21:51 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References:
Message-ID:

On Thu, 15 Jan 2004 09:50:09 +0000, Peter Bates wrote:
> I still have Bayes off for now, but would like to reinstate it, but at
> the moment I'm almost tempted to desire each message to run once through
> the Bayes stuff, and then be run again through SA even if that times
> out... with the Bayes, the timeouts were very clear to see.

I had similar timeouts after upgrading to SA 2.60. I eventually realised that they were due to a bayes autolearn triggering the expiry process, which took up to three minutes when run separately (running on a Pentium Pro 200, though my files are rather smaller than yours). SA 2.61 claimed "dramatically reduced memory usage of Bayes expiry" but it doesn't seem to have improved the speed much.

My workaround has been to add a short script to my cron.daily to ensure that it never has to do the expiry as part of an auto-learn.

| #!/bin/sh
| sa-learn --force-expire --rebuild
| chown postfix.postfix /var/spool/MailScanner/spamassassin/bayes*

John.

--
-- Over 2000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From steve.freegard at LBSLTD.CO.UK Thu Jan 15 10:29:28 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:51 2006
Subject: can't seem to teach with MailWatch
Message-ID: <67D9E7698329D411936E00508B6590B902773DC3@neelix.lbsltd.co.uk>

Hi Chris,

This is probably a permissions problem - try running this:

chown root:apache /etc/MailScanner/bayes
chmod g+s /etc/MailScanner/bayes
chown root:apache -R /etc/MailScanner/bayes
chmod -R ug+rw /etc/MailScanner/bayes

You'll need to modify the above to suit your configuration e.g. path to the bayes files and the users.

Also, if you haven't already done so - please subscribe to mailwatch-users@lists.sourceforge.net and post MailWatch questions there as this is a bit off-topic for the MailScanner list.

Kind regards,
Steve.

-----Original Message-----
From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
Sent: 15 January 2004 09:36
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: can't seem to teach with MailWatch

Hi,

I'm really liking MailWatch. I've got a couple of quirks though.

When I try to teach a message "as ham", I get "SA Learn: error code 127 returned from sa-learn". I'm not sure how to fix this. When I log in as root and use sa-learn, it works fine.

Cheers,
Chris

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From P.G.M.Peters at utwente.nl Thu Jan 15 10:35:46 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:51 2006
Subject: Spamassassin negative score? {Scanned}
In-Reply-To: <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk>
References: <03db01c3daaf$1cb87b10$0e01a8c0@Toshiba> <6.0.1.1.2.20040114150439.09060120@imap.ecs.soton.ac.uk>
Message-ID: <86rc00touh4b2pv9gg5cugbmojupuhdlm7@4ax.com>

On Wed, 14 Jan 2004 15:06:21 +0000, you wrote:

>They have managed to poison your Bayes database enough that it is convinced
>this message is not spam (BAYES_00 -4.90 in the headers you included).
>
>You may want to change the score of the low-numbered BAYES_xx rules so they
>are a lot smaller. But then you will need to keep an eye open for false
>positives. The other option is to disable bayes altogether with
>use_bayes 0
>in spam.assassin.prefs.conf

I filter on low-numbered BAYES_xx rules to a different mailbox. I check that box for false positives and feed the rest to sa-learn as spam.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From t.d.lee at DURHAM.AC.UK Thu Jan 15 10:38:23 2004
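The triage described in the message above (set aside mail that hit a low-numbered BAYES_xx rule and check it by hand) can be run directly over the SpamCheck header MailScanner writes. This is an added example, not part of any post in this thread: the function names, the BAYES_30 cutoff for "low-numbered", and every sample message except the header values quoted earlier in the thread are assumptions.

```python
import re
from email import message_from_string

# MailScanner names the header X-<org-name>-MailScanner-SpamCheck, so match on the suffix.
HEADER_RE = re.compile(r"^X-.*MailScanner-SpamCheck$", re.IGNORECASE)
REPORT_RE = re.compile(
    r"SpamAssassin \(score=(-?\d+(?:\.\d+)?), required (-?\d+(?:\.\d+)?)(.*)\)"
)
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)")
BAYES_RE = re.compile(r"^BAYES_(\d+)$")


def parse_spamcheck(raw_message):
    """Return score, threshold and per-rule points, or None if no report is present."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        if not HEADER_RE.match(name):
            continue
        flat = " ".join(str(value).split())  # undo header folding
        found = REPORT_RE.search(flat)
        if found:
            rules = {rule: float(pts) for rule, pts in RULE_RE.findall(found.group(3))}
            return {"score": float(found.group(1)),
                    "required": float(found.group(2)),
                    "rules": rules}
    return None


def triage(raw_message, low_bayes_max=30):
    """Decide whether a message belongs in the hand-checked Bayes review mailbox.

    low_bayes_max is an assumed cutoff: BAYES_00 up to BAYES_30 count as low-numbered.
    """
    report = parse_spamcheck(raw_message)
    if report is None:
        # No rule list to inspect, e.g. the report was not included for non-spam mail.
        return {"action": "no-report"}
    is_spam = report["score"] >= report["required"]
    bayes = [(r, p) for r, p in report["rules"].items() if BAYES_RE.match(r)]
    if not bayes:
        return {"action": "spam" if is_spam else "deliver", "bayes_rule": None,
                "score_without_bayes": report["score"], "bayes_flipped": False}
    rule, points = bayes[0]  # only one BAYES_xx bucket fires per message
    bucket = int(BAYES_RE.match(rule).group(1))
    without = round(report["score"] - points, 2)
    # Flipped: the other rules alone reach the threshold, Bayes pulled it back under.
    flipped = (not is_spam) and without >= report["required"]
    low_hit = bucket <= low_bayes_max and points < 0
    action = "spam" if is_spam else ("review" if low_hit else "deliver")
    return {"action": action, "bayes_rule": rule,
            "score_without_bayes": without, "bayes_flipped": flipped}


def _wrap(spamcheck_value):
    """Build a constructed message around one SpamCheck header value."""
    headers = "From: sender@example.invalid\nSubject: constructed sample\n"
    if spamcheck_value is not None:
        headers += "X-WPPi-MailScanner-SpamCheck: " + spamcheck_value + "\n"
    return headers + "\nbody\n"


# Header values from the message quoted in this thread, refolded onto two lines.
PAGE_SAMPLE = _wrap("not spam, SpamAssassin (score=-4.7, required 4,\n"
                    "\tBAYES_00 -4.90, HTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)")
# Constructed: placeholder rule names, chosen so that Bayes alone changes the verdict.
FLIPPED_SAMPLE = _wrap("not spam, SpamAssassin (score=1.6, required 4,\n"
                       "\tBAYES_00 -4.90, CONSTRUCTED_RULE_A 3.50, CONSTRUCTED_RULE_B 3.00)")
# Constructed: no Bayes rule hit at all.
NO_BAYES_SAMPLE = _wrap("not spam, SpamAssassin (score=0.2, required 4,\n"
                        "\tHTML_MESSAGE 0.10, NORMAL_HTTP_TO_IP 0.10)")
# Constructed: message that carries no SpamCheck header.
NO_REPORT_SAMPLE = _wrap(None)

if __name__ == "__main__":
    for label, sample in [("page", PAGE_SAMPLE), ("flipped", FLIPPED_SAMPLE),
                          ("no-bayes", NO_BAYES_SAMPLE), ("no-report", NO_REPORT_SAMPLE)]:
        print(label, triage(sample))
```

Messages with `bayes_flipped` set are the ones where a poisoned database changed the outcome, so they are the first to check in the review mailbox before anything is fed to sa-learn.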
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:21:51 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References:
Message-ID:

On Thu, 15 Jan 2004, Peter Bates wrote:

> [...]
> I upgraded to MS 4.25 (RPM version), and SA 2.61 [...]
>
> Here's an 'ls -lh':
>
> -rw------- 1 postfix postfix 661 Dec 27 23:06 bayes_journal
> -rw-r--r-- 1 postfix postfix 40M Dec 27 23:06 bayes_seen
> -rw------- 1 postfix postfix 265M Dec 27 23:06 bayes_toks
> -rw------- 1 postfix postfix 2.7G Dec 27 23:01 bayes_toks.new
> -rw-r--r-- 1 postfix postfix 4.8M Oct 15 09:22 old_bayes_seen
> -rw-r--r-- 1 postfix postfix 22M Oct 15 09:22 old_bayes_toks
>
> This system has only been auto-learning, and I've also tried sa-learn
> --rebuild.
>
> Are these unreasonable sizes? Should I be setting some other
> configuration parameter to ensure smaller sizes? Which of these files
> (presumably not the 2.7G one!) is actually being used anyway?

"Me, too!" (bayes_toks ~ 50MB, bayes_toks.new ~ 1.4GB). Glad I'm not alone. This doesn't feel right.

Both the bayes_toks and bayes_toks.new seem to maintain recent update times for a day or so. Eventually the ".new" seems to become quiet (and thus old(!)) but still hangs around.

An "sa-learn --rebuild" seems to fix it (for paranoia I shut down MS when doing this). But all this feels somewhat sub-optimal.

> ... any advice would be most appreciated!

Ditto.

--
: David Lee                              I.T. Service     :
: Systems Programmer                     Computer Centre  :
:                                        University of Durham :
: http://www.dur.ac.uk/t.d.lee/          South Road       :
:                                        Durham           :
: Phone: +44 191 334 2752                U.K.             :

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Thu Jan 15 12:59:03 2004
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:21:51 2006
Subject: slightly OT: sophossavi
Message-ID:

I use MS 4.24-5, with SA 2.60 and Sophos Sweep 3.76 on RH 8. We get about 30k messages per day and all is going fine except that I find with MailStats that the average message delay goes up in the 100's of seconds nearly everyday from about mid-day.

Are these delays normal?

Anyway, I thought that I would give a go at using Sophossavi and installed SAVI-Perl version 0.15 as instructed in Julian's "MailScanner Installation Guide - Perl SAVI Module". If I restart MS with "Virus Scanners = sophossavi" in the conf file, Sophossavi starts well, but the messages are delayed even more. The number of messages in mqueue.in rise within 20-30 minutes well above 500 at which point, I get nervous, I kill MS and restart with just sophos. The maillog file doesn't show any error messages. With the regular sophos, the number of messages in mqueue.in rarely goes above 50. Is what I get with sophossavi normal?

I would be very grateful for any advice.

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit - Medical Sciences Division
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 15 13:48:31 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:51 2006
Subject: slightly OT: sophossavi
In-Reply-To:
References:
Message-ID: <40069A2F.6030703@solid-state-logic.com>

Sylvain Phaneuf wrote:
> I use MS 4.24-5, with SA 2.60 and Sophos Sweep 3.76 on RH 8. We get
> about 30k messages per day and all is going fine except that I find with
> MailStats that the average message delay goes up in the 100's of seconds
> nearly everyday from about mid-day.
>
> Are these delays normal?
>
> Anyway, I thought that I would give a go at using Sophossavi and
> installed SAVI-Perl version 0.15 as instructed in Julian's "MailScanner
> Installation Guide - Perl SAVI Module". If I restart MS with "Virus
> Scanners = sophossavi" in the conf file, Sophossavi starts well, but the
> messages are delayed even more. The number of messages in mqueue.in rise
> within a 20-30 minutes well above 500 at which point, I get nervous, I
> kill MS and restart with just sophos. The maillog file doesn't show any
> error messages. With the regular sophos, the number of messages in
> mqueue.in rarely goes above 50. Is what I get with sophossavi normal?
>
> I would be very grateful for any advice.
>
>
>
> Sylvain

Sylvain

running Sophossavi myself on FreeBSD4.8 with SA 2.61 and MS 4.24-5 with about 9k messages ago. Delay in processing about 4 seconds throughout the day.

Have you got any RBLs that might be timing out, or razor etc. These are most likely to cause the delays.

I'd run MS in debug mode and see where the delays are, also have a look at the network to see if there's any corresponding traffic increase when processing delay goes up.

PS - I'm about 4 miles up the road from you in Begbroke! I definitely think all the Oxford people should meet up somewhen, we'd be able to fill a small pub!
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From robin at PRIMUS.CA Thu Jan 15 13:54:16 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:51 2006 Subject: OT: Advice please In-Reply-To: References: Message-ID: On Thu, 15 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > Hi > > We've been asked to investigate putting together a hotmail-type solution for > a very large client, which would have up to 13000 users. > What would people recommend? > Hi I have re-done squirrelmail to look like hotmail. The backend is postfix cyrus and ldap. From sylvain.phaneuf at IMSU.OXFORD.AC.UK Thu Jan 15 14:17:11 2004 
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:21:51 2006 Subject: slightly OT: sophossavi Message-ID: Thanks Martin, No, we don't let MS or SA do any RBL checks - I should have included that in my original message. Our ISP runs the RBL checks for us. We should organise an Oxford MS convention... Sylvain >>> martinh@SOLID-STATE-LOGIC.COM 15/01/2004 13:48:31 >>> Sylvain Phaneuf wrote: > I use MS 4.24-5, with SA 2.60 and Sophos Sweep 3.76 on RH 8. We get > about 30k messages per day and all is going fine except that I find with > MailStats that the average message delay goes up in the 100's of seconds > nearly everyday from about mid-day. > > Are these delays normal? > > Anyway, I thought that I would give a go at using Sophossavi and > installed SAVI-Perl version 0.15 as instructed in Julian's "MailScanner > Installation Guide - Perl SAVI Module". If I restart MS with "Virus > Scanners = sophossavi" in the conf file, Sophossavi starts well, but the > messages are delayed even more. The number of messages in mqueue.in rise > within a 20-30 minutes well above 500 at which point, I get nervous, I > kill MS and restart with just sophos. The maillog file doesn't show any > error messages. With the regular sophos, the number of messages in > mqueue.in rarely goes above 50. Is what I get with sophossavi normal? > > I would be very grateful for any advice. > > > > Sylvain Sylvain running Sophossavi myself on FreeBSD4.8 with SA 2.61 and MS 4.24-5 with about 9k messages ago. Delay in processing about 4 seconds throughout the day. Have you got any RBL's the might be timing out, or razor etc. These are most likely to cause the delays. I'd run MS in debug mode and see where the delays are, also have a look at the network to see if there's any corresponding traffic increase when processing delay goes up.. PS - I'm about 4 miles up the road from you in Begbroke! 
I definitely think all the Oxford people should meet up somewhen, we'd be able to fill a small pub! -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From rob at thehostmasters.com Thu Jan 15 14:25:53 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:21:51 2006 Subject: Habeas blacklist References: <20040115002216.GG59681@affymetrix.com> Message-ID: <000f01c3db73$7bf01740$0d01a8c0@basement> I have been getting 100's of spam emails with Habeas headers in it. Its driving me crazy! Its all form the same guy a Viagr@ spam.... I am kind of new to MailScanner, is there a simple file/list where I can put words that if in an email would reject the email? Thanks... Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- 
From: "Nicholas Esborn" To: Sent: Wednesday, January 14, 2004 7:22 PM Subject: Habeas blacklist > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Habeas has a blacklist of IPs which have abused their SWE mark: > > http://www.habeas.com/supportBlackList.html > > - -nick > > - -- > Nicholas Esborn | UNIX Systems Administrator | CIS > Affymetrix, Inc. | 6550 Vallejo St. | Emeryville, CA 94608 > Tel: 510/428.8505 | Fax: 408-731-5380 > > Every message cryptographically signed > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.4 (FreeBSD) > > iD8DBQFABd04niCIkLLhb34RAj2OAJ9HUW2EAaW2T9FdsOfxwPWXQyY2ZACeIqNt > wO7RnB7VTroiVxDGyehyhBY= > =yfqp > -----END PGP SIGNATURE----- > From martinh at SOLID-STATE-LOGIC.COM Thu Jan 15 14:32:50 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:51 2006
Subject: slightly OT: sophossavi
In-Reply-To:
References:
Message-ID: <4006A492.3040607@solid-state-logic.com>

Sylvain Phaneuf wrote:
> Thanks Martin,
>
> No, we don't let MS or SA do any RBL checks - I should have included
> that in my original message. Our ISP runs the RBL checks for us.
>
> We should organise an Oxford MS convention...
>
> Sylvain
>
>
>

Ok, I'd run MS in debug mode and make sure there's no errors. Also worth while 'linting' the SA setup...

    spamassassin -C /path/to/spam.assassin.prefs.conf --lint

Sounds like you've not got Sophos setup right to me. Latest Sophos is 3.77. I stuffed the major update up a couple of weeks ago and the thing just ground to a halt....took 2 hours to clear the backlog of about 8,000 messages!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 15 14:37:59 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:51 2006
Subject: Habeas blacklist
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C441@jessica.herefordshire.gov.uk>

In your /etc/MailScanner/spam.assassin.prefs.conf add the line

    score HABEAS_SWE 0

They are forged headers, but it means that the HABEAS headers can no longer be considered trustworthy.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Rob Charles
> Sent: 15 January 2004 14:26
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Habeas blacklist
>
>
> I have been getting 100's of spam emails with Habeas headers
> in it. It's
> driving me crazy!
>
> It's all from the same guy a Viagr@ spam....
>
> I am kind of new to MailScanner, is there a simple file/list
> where I can put
> words that if in an email would reject the email?
>
> Thanks...
>
>
> Rob Charles
> TheHostMasters
> Montreal, Canada
> 514-846-0006
> Rob@TheHostMasters.com
> http://www.TheHostMasters.com
>
>
>
> ----- Original Message -----
> From: "Nicholas Esborn"
> To:
> Sent: Wednesday, January 14, 2004 7:22 PM
> Subject: Habeas blacklist
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Habeas has a blacklist of IPs which have abused their SWE mark:
> >
> > http://www.habeas.com/supportBlackList.html
> >
> > - -nick
> >
> > - --
> > Nicholas Esborn | UNIX Systems Administrator | CIS
> > Affymetrix, Inc. | 6550 Vallejo St. | Emeryville, CA 94608
> > Tel: 510/428.8505 | Fax: 408-731-5380
> >
> > Every message cryptographically signed
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (FreeBSD)
> >
> > iD8DBQFABd04niCIkLLhb34RAj2OAJ9HUW2EAaW2T9FdsOfxwPWXQyY2ZACeIqNt
> > wO7RnB7VTroiVxDGyehyhBY=
> > =yfqp
> > -----END PGP SIGNATURE-----
> >
>

From jfraley at glenraven.com Thu Jan 15 14:52:03 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:21:51 2006
Subject: Content Blocked report
Message-ID: <1074178322.22834.114.camel@jfraleyx.glenraven.com>

Some of my users are getting Content Blocked messages as such:

Subject: {Blocked Content} PAF Shipment Upload 01/14/04

Warning: This message has had one or more attachments removed
Warning: (not named).
Warning: Please read the "Glen_Raven-Attachment-Warning.txt" attachment(s) for more information.

However the only attachment is an: application/ms-tnef attachment (winmail.dat) and not the Warning.txt file. I have verified that the attachment is winmail.dat format.

This is the notice sent to postmaster of the block:

> The following e-mail messages were found to have viruses in them:
>
> Sender: XXXXXXXXXXXXXXXXXXXXXXXXXXXX.comm
> IP Address: 198.85.139.28
> Recipient: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.com
> Subject: PAF Shipment Upload 01/14/04
> MessageID: i0EGtSgU010766
> Report: Could not parse Outlook Rich Text attachment
>

This has happened with four messages in two months, I was able to send the message to the user from the quarantine directory. I can not figure out exactly why the attachment is not correct. We are using MailScanner-4.25-14.

Thanks,
Jon

From eja at URBAKKEN.DK Thu Jan 15 14:56:15 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:51 2006
Subject: Antivir.
Message-ID:

Julian !

Maybe you could reply to me here, if you get in here or not ?.

Erik.

From gareth at GRIFFIN.NET.UK Thu Jan 15 15:18:20 2004
From: gareth at GRIFFIN.NET.UK (Gareth Campling)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
Message-ID: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk>

Is this available for download. ? :o)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M.
Sent: 15 January 2004 13:54
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: OT: Advice please

On Thu, 15 Jan 2004, Michele Neylon :: Blacknight Solutions wrote:
> Hi
>
> We've been asked to investigate putting together a hotmail-type
> solution for a very large client, which would have up to 13000 users.
> What would people recommend?
>

Hi

I have re-done squirrelmail to look like hotmail. The backend is postfix cyrus and ldap.

From robin at PRIMUS.CA Thu Jan 15 15:26:50 2004
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
In-Reply-To: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk>
References: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk>
Message-ID:

On Thu, 15 Jan 2004, Gareth Campling wrote:
> Is this available for download. ? :o)
>

I can make it available for you. Do you need the whole package. I have compiled everything into rpm format including MailScanner, apache, postfix cyrus, ldap etc etc to install into a chrooted environment. It is kinda rough around the edges right now but it is very stable multi-domain support.

Email me off list.

From mkettler at EVI-INC.COM Thu Jan 15 15:56:50 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:51 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040115105440.02569f50@xanadu.evi-inc.com>

At 05:38 AM 1/15/2004, David Lee wrote:
>"Me, too!" (bayes_toks ~ 50MB, bayes_toks.new ~ 1.4GB). Glad I'm not
>alone.
>
>This doesn't feel right. Both the bayes_toks and bayes_toks.new seem to
>maintain recent update times for a day or so. Eventually the ".new" seems
>to become quiet (and thus old(!)) but still hangs around.

Yes those sizes are unreasonable...

It sounds like expiry is never running on your system. SA will _try_ to do expiry on an opportunistic basis, but only if no other processes are using the bayes DB at the same time. A busy mailscanner server will likely never succeed at opportunistic expiry.

Try running expiry manually using sa-learn --force-expire and see if it clears things up.

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 15 16:01:32 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
In-Reply-To: <61037.194.70.180.170.1074159996.squirrel@net.themarshalls.co.uk>
Message-ID:

Sounds good, but what about administration? My main concern beyond the system's capability to handle the users is the administration side of things.

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Drew Marshall > Sent: 15 January 2004 09:47 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT: Advice please > > > Hi > > I use Postfix, MailScanner, Courier-IMAP (For POP & IMAP) and Squirrel > Mail (On Apache - obviously!) which is great. It's set up similarly to > this http://www.gentoo.org/doc/en/virt-mail-howto.xml (A document I found > after I set most of it up). The bigger benefits of this set up is the > MySQL user admin. Quick, easy and a load less hassle for 13000 users! It > also gives lots of different ways for people to collect mail (Webmail, > IMAP, POP3) > > My 2p, for what it's worth. > > Drew > -- > > > Michele Neylon :: Blacknight Solutions said: > > Hi > > > > We've been asked to investigate putting together a hotmail-type solution > > for > > a very large client, which would have up to 13000 users. > > What would people recommend? > > > > Thanks, > > > > Michele > > > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > From jfraley at glenraven.com Thu Jan 15 16:10:42 2004 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:21:51 2006 Subject: OT-Web based mail archive reader Message-ID: <1074183041.22834.121.camel@jfraleyx.glenraven.com> I was wondering if anyone could recommend a web based mail archive reader. Basically, all I need is the ability to access the archive via a browser. Thanks -- Jon From drew at THEMARSHALLS.CO.UK Thu Jan 15 16:19:23 2004 
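An added example (not part of any list message) for the "Bayesian shenanigans" thread above, where Matt Kettler's reply says opportunistic expiry may never run on a busy server: a POSIX shell check that flags an oversized bayes_toks or a stale bayes_toks.new and only then runs sa-learn --force-expire. The thresholds, the function names and the SA_LEARN / SA_PREFS variables are assumptions of this example, not MailScanner or SpamAssassin settings.

```shell
#!/bin/sh
# Added example: audit a SpamAssassin Bayes directory for the symptoms in the
# thread (huge bayes_toks, bayes_toks.new left behind) before forcing expiry.

# bayes_audit DIR [MAX_TOKS_KB] [STALE_MIN]
# Prints one finding per line.
# Returns 0 if healthy, 1 if expiry looks stuck, 2 if DIR is not a directory.
bayes_audit() {
    dir=$1
    max_kb=${2:-102400}   # assumed limit: 100 MB for bayes_toks
    stale_min=${3:-360}   # assumed limit: .new untouched for 6 hours
    status=0

    if [ ! -d "$dir" ]; then
        echo "ERROR $dir is not a directory"
        return 2
    fi

    if [ -f "$dir/bayes_toks" ]; then
        bytes=$(wc -c < "$dir/bayes_toks")
        size_kb=$(( ($bytes + 1023) / 1024 ))
        if [ "$size_kb" -gt "$max_kb" ]; then
            echo "OVERSIZE bayes_toks ${size_kb}KB > ${max_kb}KB"
            status=1
        fi
    fi

    new="$dir/bayes_toks.new"
    if [ -f "$new" ]; then
        # find prints the path only when the last write is older than stale_min
        if [ -n "$(find "$new" -mmin +"$stale_min" -print)" ]; then
            echo "STALE bayes_toks.new (no writes for over ${stale_min} min)"
            status=1
        else
            echo "ACTIVE bayes_toks.new (an expiry or rebuild may be running)"
        fi
    fi

    [ "$status" -eq 0 ] && echo "OK"
    return "$status"
}

# bayes_expire_if_needed DIR [MAX_TOKS_KB] [STALE_MIN]
# Runs a manual expiry only when the audit flags a problem. SA_LEARN overrides
# the sa-learn binary; SA_PREFS, if set, is passed as the prefs file (-p).
bayes_expire_if_needed() {
    rc=0
    bayes_audit "$@" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    if [ -n "${SA_PREFS:-}" ]; then
        "${SA_LEARN:-sa-learn}" -p "$SA_PREFS" --force-expire
    else
        "${SA_LEARN:-sa-learn}" --force-expire
    fi
}

# Typical use from cron, run as the user that owns the Bayes files
# (the directory is a placeholder):
#   bayes_expire_if_needed /path/to/bayes/dir
```

A fresh bayes_toks.new is reported as ACTIVE rather than as a fault, so the wrapper does not start a second expiry on top of one that is still writing.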
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:51 2006 Subject: OT: Advice please In-Reply-To: References: <61037.194.70.180.170.1074159996.squirrel@net.themarshalls.co.uk> Message-ID: <61825.194.70.180.170.1074183563.squirrel@net.themarshalls.co.uk> Personally, I use phpmyadmin for the user, virtual user, domain etc administration. It gives the benefit of searches against any criteria you require (user, email address etc) and being web based just about any one could do it. Just fill in the boxes :-) Drew -- Michele Neylon :: Blacknight Solutions said: > Sounds good, but what about administration? My main concern beyond the > system's capabaility ot handle the users is the adminstration side of > things. > > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > >> -----Original Message----- 
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of Drew Marshall >> Sent: 15 January 2004 09:47 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: OT: Advice please >> >> >> Hi >> >> I use Postfix, MailScanner, Courier-IMAP (For POP & IMAP) and Squirrel >> Mail (On Apache - obviously!) which is great. It's set up similarly to >> this http://www.gentoo.org/doc/en/virt-mail-howto.xml (A document I >> found >> after I set most of it up). The bigger benefits of this set up is the >> MySQL user admin. Quick, easy and a load less hassle for 13000 users! It >> also gives lots of different ways for people to collect mail (Webmail, >> IMAP, POP3) >> >> My 2p, for what it's worth. >> >> Drew >> -- >> >> >> Michele Neylon :: Blacknight Solutions said: >> > Hi >> > >> > We've been asked to investigate putting together a hotmail-type >> solution >> > for >> > a very large client, which would have up to 13000 users. >> > What would people recommend? >> > >> > Thanks, >> > >> > Michele >> > >> > >> > Mr. Michele Neylon >> > Blacknight Internet Solutions Ltd >> > http://www.blacknightsolutions.ie/ >> > http://www.search.ie/ >> > Tel. + 353 (0)59 9137101 >> > Lowest price domains in Ireland >> > >> >> >> -- >> In line with our policy, this message has >> been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> www.themarshalls.co.uk/policy >> > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 15 16:25:17 2004 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:51 2006 Subject: OT: Advice please In-Reply-To: <61825.194.70.180.170.1074183563.squirrel@net.themarshalls.co.uk> Message-ID: So a php/mysql frontend could be used to manage it? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Drew Marshall > Sent: 15 January 2004 16:19 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT: Advice please > > > Personally, I use phpmyadmin for the user, virtual user, domain etc > administration. It gives the benefit of searches against any criteria you > require (user, email address etc) and being web based just about any one > could do it. Just fill in the boxes :-) > > Drew > > -- > > > Michele Neylon :: Blacknight Solutions said: > > Sounds good, but what about administration? My main concern beyond the > > system's capabaility ot handle the users is the adminstration side of > > things. > > > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > >> -----Original Message----- 
> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >> Behalf Of Drew Marshall > >> Sent: 15 January 2004 09:47 > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: OT: Advice please > >> > >> > >> Hi > >> > >> I use Postfix, MailScanner, Courier-IMAP (For POP & IMAP) and Squirrel > >> Mail (On Apache - obviously!) which is great. It's set up similarly to > >> this http://www.gentoo.org/doc/en/virt-mail-howto.xml (A document I > >> found > >> after I set most of it up). The bigger benefits of this set up is the > >> MySQL user admin. Quick, easy and a load less hassle for 13000 > users! It > >> also gives lots of different ways for people to collect mail (Webmail, > >> IMAP, POP3) > >> > >> My 2p, for what it's worth. > >> > >> Drew > >> -- > >> > >> > >> Michele Neylon :: Blacknight Solutions said: > >> > Hi > >> > > >> > We've been asked to investigate putting together a hotmail-type > >> solution > >> > for > >> > a very large client, which would have up to 13000 users. > >> > What would people recommend? > >> > > >> > Thanks, > >> > > >> > Michele > >> > > >> > > >> > Mr. Michele Neylon > >> > Blacknight Internet Solutions Ltd > >> > http://www.blacknightsolutions.ie/ > >> > http://www.search.ie/ > >> > Tel. + 353 (0)59 9137101 > >> > Lowest price domains in Ireland > >> > > >> > >> > >> -- > >> In line with our policy, this message has > >> been scanned for viruses and dangerous > >> content by MailScanner, and is believed to be clean. > >> www.themarshalls.co.uk/policy > >> > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > From sylvain.phaneuf at IMSU.OXFORD.AC.UK Thu Jan 15 16:30:01 2004 
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:21:51 2006
Subject: slightly OT: sophossavi
Message-ID:

Just tried MS and SA in debug mode = no errors.
'linting' SA = no error

I will install 3.77 tomorrow I think.

Thanks for your help

>>> martinh@SOLID-STATE-LOGIC.COM 15/01/2004 14:32:50 >>>
Sylvain Phaneuf wrote:
> Thanks Martin,
>
> No, we don't let MS or SA do any RBL checks - I should have included
> that in my original message. Our ISP runs the RBL checks for us.
>
> We should organise an Oxford MS convention...
>
> Sylvain
>
>
>

Ok, I'd run MS in debug mode and make sure there's no errors. Also worth while 'linting' the SA setup...

    spamassassin -C /path/to/spam.assassin.prefs.conf --lint

Sounds like you've not got Sophos setup right to me. Latest Sophos is 3.77. I stuffed the major update up a couple of weeks ago and the thing just ground to a halt....took 2 hours to clear the backlog of about 8,000 messages!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From drew at THEMARSHALLS.CO.UK Thu Jan 15 16:42:41 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:51 2006 Subject: OT: Advice please In-Reply-To: References: <61825.194.70.180.170.1074183563.squirrel@net.themarshalls.co.uk> Message-ID: <61864.194.70.180.170.1074184961.squirrel@net.themarshalls.co.uk> I don't run a userbase as large as you are talking but my ISP does and I believe they use mysql to handle their mail platform (It's also linked to their Radius servers to handle login, mailboxes and generate webspace etc). All their web based services are run from php - see http://portal.plus.net see what you think. Drew -- Michele Neylon :: Blacknight Solutions said: > So a php/mysql frontend could be used to manage it? > > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > >> -----Original Message----- >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of Drew Marshall >> Sent: 15 January 2004 16:19 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: OT: Advice please >> >> >> Personally, I use phpmyadmin for the user, virtual user, domain etc >> administration. It gives the benefit of searches against any criteria >> you >> require (user, email address etc) and being web based just about any one >> could do it. Just fill in the boxes :-) >> >> Drew >> >> -- >> >> >> Michele Neylon :: Blacknight Solutions said: >> > Sounds good, but what about administration? My main concern beyond the >> > system's capabaility ot handle the users is the adminstration side of >> > things. >> > >> > >> > Mr. Michele Neylon >> > Blacknight Internet Solutions Ltd >> > http://www.blacknightsolutions.ie/ >> > http://www.search.ie/ >> > Tel. + 353 (0)59 9137101 >> > Lowest price domains in Ireland >> > >> >> -----Original Message----- 
>> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> >> Behalf Of Drew Marshall >> >> Sent: 15 January 2004 09:47 >> >> To: MAILSCANNER@JISCMAIL.AC.UK >> >> Subject: Re: OT: Advice please >> >> >> >> >> >> Hi >> >> >> >> I use Postfix, MailScanner, Courier-IMAP (For POP & IMAP) and >> Squirrel >> >> Mail (On Apache - obviously!) which is great. It's set up similarly >> to >> >> this http://www.gentoo.org/doc/en/virt-mail-howto.xml (A document I >> >> found >> >> after I set most of it up). The bigger benefits of this set up is the >> >> MySQL user admin. Quick, easy and a load less hassle for 13000 >> users! It >> >> also gives lots of different ways for people to collect mail >> (Webmail, >> >> IMAP, POP3) >> >> >> >> My 2p, for what it's worth. >> >> >> >> Drew >> >> -- >> >> >> >> >> >> Michele Neylon :: Blacknight Solutions said: >> >> > Hi >> >> > >> >> > We've been asked to investigate putting together a hotmail-type >> >> solution >> >> > for >> >> > a very large client, which would have up to 13000 users. >> >> > What would people recommend? >> >> > >> >> > Thanks, >> >> > >> >> > Michele >> >> > >> >> > >> >> > Mr. Michele Neylon >> >> > Blacknight Internet Solutions Ltd >> >> > http://www.blacknightsolutions.ie/ >> >> > http://www.search.ie/ >> >> > Tel. + 353 (0)59 9137101 >> >> > Lowest price domains in Ireland >> >> > >> >> >> >> >> >> -- >> >> In line with our policy, this message has >> >> been scanned for viruses and dangerous >> >> content by MailScanner, and is believed to be clean. >> >> www.themarshalls.co.uk/policy >> >> >> > >> >> >> -- >> In line with our policy, this message has >> been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> www.themarshalls.co.uk/policy >> > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy

From shrek-m at GMX.DE Thu Jan 15 17:31:06 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:51 2006
Subject: slightly OT: sophossavi
In-Reply-To:
References:
Message-ID: <4006CE5A.3090007@gmx.de>

Sylvain Phaneuf wrote:

>I will install 3.77 tomorrow I think.
>
>

FYI

---- snip - mail from 2004-01-12 xxx@sophos.de ----
The (current) web version is 3.77a (engine 2.18-5). This has a bug in it that can cause it to go in to an infinite loop when scanning some types of mime. I've had a word and a new "fixed" version 3.77b (engine 2.18-6) will be made available shortly. In fact, while writing this email, 3.77b has appeared on the web!

http://www.sophos.com/misc/

e.g.
http://www.sophos.com/misc/linux.intel.libc6.tar.Z
http://www.sophos.com/misc/solaris.sparc.tar.Z
etc...

NOTE: You should completely remove previous installations prior to installing 3.77b.
----snap----

From pete at eatathome.com.au Thu Jan 15 22:56:23 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:51 2006
Subject: OT: Advice please
In-Reply-To:
References: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk>
Message-ID: <40071A97.9020803@eatathome.com.au>

Robin M. wrote:

>On Thu, 15 Jan 2004, Gareth Campling wrote:
>
>
>>Is this available for download. ? :o)
>>
>>
>>
>I can make it available for you. Do you need the whole package. I have
>compiled everything into rpm format including MailScanner, apache, postfix
>cyrus, ldap etc etc to install into a chrooted environment. It is kinda
>rough around the edges right now but it is very stable multi-domain
>support.
>
>Email me off list.
>
>
>

I would also LOVE to see a package like this. I have been charged with converting a 300 user Domino inotes system into 'a Linux based solution'. But I am really struggling trying to tie all these different apps together - more importantly I want it to use Win2k AD for authentication, I use a perl script to query the AD and retrieve the email addresses and use this to build an access list in Postfix - what I want postfix/courier/cyrus to do for new users is to see if it has ever received mail for user X before, if not then create the mail folders.

Maybe I could adapt your package to do this? Do you use AD at all, or only openldap?

From sanjay.patel at REXWIRE.COM Fri Jan 16 03:40:42 2004
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:21:52 2006
Subject: How-to restrict certain domains
Message-ID: <200401160352.i0G3q5nn013089@mx.sargam.com>

We host mail for 5 domains. But we want to restrict one domain from receiving or sending mail aol.com. How can we do this with MailScanner.

SKP

From ugob at CAMO-ROUTE.COM Fri Jan 16 03:42:40 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:52 2006
Subject: How-to restrict certain domains
Message-ID: <54C38A0B814C8E438EF73FC76F3629274107B6@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
Sent: Thursday, January 15, 2004 10:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How-to restrict certain domains

We host mail for 5 domains. But we want to restrict one domain from receiving or sending mail aol.com. How can we do this with MailScanner.

SKP

[Ugo Bellavance]
See the ruleset tutorial : http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

From robin at PRIMUS.CA Fri Jan 16 04:20:22 2004
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:52 2006
Subject: what rule triggers this
Message-ID:

What rule is it that triggers this message.

If you are using Microsoft Outlook, we strongly recommend you change your outgoing message format from "Rich Text" to "HTML" or "Plain Text".

From mike at CAMAROSS.NET Fri Jan 16 04:27:16 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:52 2006
Subject: How-to restrict certain domains
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274107B6@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200401160426.i0G4Q7iG003792@avwall.bladeware.com>

I don't think that tutorial quite covers what he wants to do. Seems he'd need a ruleset like this:

Non Spam Actions = /etc/MailScanner/rules/noaol.rules

FromTo: *@mydomain.com FromTo:*@aol.com bounce
FromTo: default deliver

To my knowledge, such a ruleset is not possible (yet)

Am I thinking wrong?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Thursday, January 15, 2004 9:43 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How-to restrict certain domains

-----Original Message-----
From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
Sent: Thursday, January 15, 2004 10:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How-to restrict certain domains

We host mail for 5 domains. But we want to restrict one domain from receiving or sending mail aol.com. How can we do this with MailScanner.

SKP

[Ugo Bellavance] See the ruleset tutorial : http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

From mike at CAMAROSS.NET Fri Jan 16 04:31:56 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:52 2006
Subject: what rule triggers this
In-Reply-To:
Message-ID: <200401160430.i0G4UliG004142@avwall.bladeware.com>

Sender Error Report

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M.
Sent: Thursday, January 15, 2004 10:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: what rule triggers this

What rule is it that triggers this message.

If you are using Microsoft Outlook, we strongly recommend you change your outgoing message format from "Rich Text" to "HTML" or "Plain Text".

From robin at PRIMUS.CA Fri Jan 16 04:43:18 2004
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:52 2006 Subject: what rule triggers this In-Reply-To: <200401160430.i0G4UliG004142@avwall.bladeware.com> References: <200401160430.i0G4UliG004142@avwall.bladeware.com> Message-ID: On Thu, 15 Jan 2004, Mike Kercher wrote: > > > What rule is it that triggers this message. > > > > If you are using Microsoft Outlook, we strongly recommend you change > > your outgoing message format from "Rich Text" to "HTML" or "Plain > > Text". > > > Sender Error Report but how can I prevent this check from happening. The thing is that alot of exchange users will need to send Rich Text email. From mike at CAMAROSS.NET Fri Jan 16 04:56:12 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:52 2006 Subject: what rule triggers this In-Reply-To: Message-ID: <200401160455.i0G4t6iG005183@avwall.bladeware.com> I *think* it has something to do with the tnef checks. I can't say for sure though. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M. Sent: Thursday, January 15, 2004 10:43 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: what rule triggers this On Thu, 15 Jan 2004, Mike Kercher wrote: > > > What rule is it that triggers this message. > > > > If you are using Microsoft Outlook, we strongly recommend you change > > your outgoing message format from "Rich Text" to "HTML" or "Plain > > Text". > > > Sender Error Report but how can I prevent this check from happening. The thing is that alot of exchange users will need to send Rich Text email. From nupur at THEARGONCOMPANY.COM Fri Jan 16 04:57:59 2004 
From: nupur at THEARGONCOMPANY.COM (Nupur Dave) Date: Thu Jan 12 21:21:52 2006 Subject: Quarantine file path Message-ID: <200401161027.59083.nupur@theargoncompany.com> What options need to be set in MailScanner.conf such that when a virus is being detected by MailScanner the Warning mail going to the system administrator contains the path of the quarantined file? -- Regards Nupur From eja at URBAKKEN.DK Fri Jan 16 05:11:51 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:52 2006 Subject: Antivir. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00164997B@pascal.priv.bmrb.co.uk> Message-ID: <400780A7.18397.1EBB86@localhost> > Did you try running it manually as the same user MailScanner runs as? > It may be that user doesn't have permission to read some files and/or > use temp space. You can try it again now Julian. Due to a reason I don't know, that mailscanner is blocking some mails. For instance this one you have sent to me. Its now visible, as I have stopped MailScanner. Not to say, that MailScanner is doing anything, that I have ordered it to do, but I cannot recall what I have done. --------- Med venlig hilsen - Best regards Erik Jakobsen - eja@urbakken.dk This mail is virusscanned by Norton Internet Security 2003 From anders.andersson at LTKALMAR.SE Fri Jan 16 08:49:21 2004 
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:21:52 2006
Subject: SV: what rule triggers this
Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E81E@lkl61.ltkalmar.se>

> -----Original Message-----
> From: Robin M. [mailto:robin@PRIMUS.CA]
> Sent: 16 January 2004 05:43
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: what rule triggers this
>
> On Thu, 15 Jan 2004, Mike Kercher wrote:
>
> > > What rule is it that triggers this message.
> > >
> > > If you are using Microsoft Outlook, we strongly recommend you change
> > > your outgoing message format from "Rich Text" to "HTML" or "Plain
> > > Text".
> >
> > Sender Error Report
>
> but how can I prevent this check from happening. The thing is
> that alot of exchange users will need to send Rich Text email.

Why not change so exchange doesn't use RTF as outgoing format for external mail.... That will probably solve other issues with ppl not being able to read messages

/Anders

From mk at quadstone.com Fri Jan 16 09:35:34 2004
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:21:52 2006
Subject: Spam full of random words not being stopped
Message-ID: <20040116093534.GA14274@quadstone.com>

Been getting lots of Spam recently which just contains lots of random words. These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61). I've attached a couple of examples. Is there anyway to stop this stuff?

Michael
--
Michael Keightley Tel: +44 131 240 3137
Systems Manager, Quadstone Limited, Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com

-------------- next part --------------
An embedded message was scrubbed...
From: "West Anita"
Subject: Re: OEMHWQ, the storm cloud
Date: Thu, 15 Jan 2004 11:33:04 -0500
Size: 3868
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/05a7cc89/attachment.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Paul Mclaughlin" Subject: chromosphere cistern ecstasy aviate caustic Date: Thu, 15 Jan 2004 13:27:08 -0700 Size: 5571 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/05a7cc89/attachment-0001.mht From Kevin.Spicer at BMRB.CO.UK Fri Jan 16 09:50:14 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:52 2006 Subject: {Spam???} Spam full of random words not being stopped Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649997@pascal.priv.bmrb.co.uk> Michael Keightley wrote: > Our MailScanner believes that the attachment to this message sent to > you > > From: owner-mailscanner@jiscmail.ac.uk > Subject: Spam full of random words not being stopped Please don't send example spams to the list, you'll find they tend to get blocked... From john at TRADOC.FR Fri Jan 16 09:57:00 2004 
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:21:52 2006
Subject: Spam full of random words not being stopped
In-Reply-To: <20040116093534.GA14274@quadstone.com>
References: <20040116093534.GA14274@quadstone.com>
Message-ID: <3scf00t2vg4jqfovab5087u4mkfc02hmio@tradoc.fr>

On Fri, 16 Jan 2004 09:35:34 +0000, Michael Keightley wrote:

> Been getting lots of Spam recently which just contains lots of random words.
> These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61).
> I've attached a couple of examples. Is there anyway to stop this stuff?
...
> nighttime current finland pestilential
> cruickshank edmondson collateral spitz cavalry
> dark russet lemuel buzzword expert

Various rules to stop this type of spam have been discussed recently on the SA-talk list. Some successful ones that I'm using are given below:

| rawbody local_WORDWORD_10 /(?:\b(?!=(?:from|even|have|here|more|this|were|with)\b)[a-z]{4,12}\s+){10}/
| describe local_WORDWORD_10 String of 10 or more random words (none with less than 4 letters)
| score local_WORDWORD_10 0.5
|
| rawbody local_WORDWORD_15 /(?:\b(?!=(?:from|even|have|here|more|this|were|with)\b)[a-z]{4,12}\s+){15}/
| describe local_WORDWORD_15 String of 15 or more random words (none with less than 4 letters)
| score local_WORDWORD_15 2.5

One common form of this spam also has random words in the X-Mailer header, hence this rule:

| header local_XMAILER_BOGUS X-Mailer =~ /^[a-z][^A-Z0-9]*$/
| describe local_XMAILER_BOGUS X-Mailer header has no uppercase letters or digits at all
| score local_XMAILER_BOGUS 2.0
|

John.

--
-- Over 2000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From P.G.M.Peters at utwente.nl Fri Jan 16 09:58:03 2004
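The rules John Wilcock posted above, exercised in Python as an added example (not code from the thread or from SpamAssassin). The ham text, the X-Mailer values and the `(?!` variant are constructed here; the variant is an assumption about what the lookahead was meant to do, since as posted it is written `(?!=` and therefore tests for a literal `=`.

```python
import re

# Word list the posted rules place inside the lookahead.
COMMON = "from|even|have|here|more|this|were|with"

POSTED = "(?!="  # lookahead exactly as written in the posted rules
STRICT = "(?!"   # assumed intent (not stated in the thread): skip the listed words

# X-Mailer test from the post: lowercase first character, then no
# uppercase letters or digits anywhere in the header value.
XMAILER_BOGUS = re.compile(r"^[a-z][^A-Z0-9]*$")


def wordword(n, lookahead=POSTED):
    """Compile the local_WORDWORD_<n> pattern: n consecutive lowercase
    words of 4-12 letters, each followed by whitespace."""
    pattern = (r"(?:\b" + lookahead + "(?:" + COMMON + r")\b)"
               r"[a-z]{4,12}\s+){" + str(n) + "}")
    return re.compile(pattern)


def evaluate(body, x_mailer=None, lookahead=POSTED):
    """Return {rule name: score} for the rules that hit.

    Simplification: the pattern is run over the whole body string; how
    SpamAssassin splits rawbody text into chunks is not modelled here.
    """
    hits = {}
    for n, score in ((10, 0.5), (15, 2.5)):
        if wordword(n, lookahead).search(body):
            hits["local_WORDWORD_%d" % n] = score
    if x_mailer is not None and XMAILER_BOGUS.search(x_mailer):
        hits["local_XMAILER_BOGUS"] = 2.0
    return hits


# Word salad quoted in the thread (14 words, all 4-12 lowercase letters).
SPAM_BODY = (
    "nighttime current finland pestilential\n"
    "cruickshank edmondson collateral spitz cavalry\n"
    "dark russet lemuel buzzword expert\n"
)
# Five more words, taken from the subject line of the second scrubbed spam.
SPAM_BODY_LONG = SPAM_BODY + "chromosphere cistern ecstasy aviate caustic\n"

# Constructed legitimate sentence: 13 ordinary lowercase words, 8 of them
# from the COMMON list, none shorter than 4 letters.
HAM_BODY = ("they have sent more forms from here this week "
            "with even more detail\n")

# Constructed header values for the X-Mailer rule.
SPAM_MAILER = "chromosphere cistern"
HAM_MAILER = "Microsoft Outlook Express 6.00.2800.1106"


if __name__ == "__main__":
    cases = [
        ("spam, as posted", SPAM_BODY, SPAM_MAILER, POSTED),
        ("long spam, as posted", SPAM_BODY_LONG, SPAM_MAILER, POSTED),
        ("ham, as posted", HAM_BODY, HAM_MAILER, POSTED),
        ("ham, (?! variant)", HAM_BODY, HAM_MAILER, STRICT),
        ("spam, (?! variant)", SPAM_BODY, SPAM_MAILER, STRICT),
    ]
    for label, body, mailer, la in cases:
        hits = evaluate(body, mailer, la)
        print("%-22s total=%.1f %s" % (label, sum(hits.values()), sorted(hits)))
```

With the pattern as posted, the constructed ham sentence scores 0.5 on local_WORDWORD_10 because the listed common words still count toward the run; with the `(?!` variant it scores nothing, while the word salad from the thread hits either way.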
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:52 2006
Subject: Habeas blacklist
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C441@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C441@jessica.herefordshire.gov.uk>
Message-ID:

On Thu, 15 Jan 2004 14:37:59 -0000, you wrote:

>In your /etc/MailScanner/spam.assassin.prefs.conf add the line
>
>score HABEAS_SWE 0
>
>They are forged headers, but it means that the HABEAS headers can no longer
>be considered trustworthy.

I have the following in my local cf in /etc/mail/spamassassin:

|# Jan 2004 : Fake Habeas
|header __HABEAS_SWE eval:message_is_habeas_swe( )
|header __HAB_FORGE_BOUND Content-Type =~ /boundary="--[0-9]{15,20}"/
|header __HAB_FORGE_MID Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/
|
|meta HABEAS_FORGERY (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE)
|meta HABEAS_SWE (__HABEAS_SWE && ! HABEAS_FORGERY)
|# -8.0 for default Habeas score.
|describe HABEAS_FORGERY Common Habeas Forgery
|score HABEAS_FORGERY 3.5

I don't remember where I got it. It could be nanae. It should work with SA2.60 and higher because of the evaluations.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Jan 16 10:01:52 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:52 2006
Subject: Quarantine file path
In-Reply-To: <200401161027.59083.nupur@theargoncompany.com>
References: <200401161027.59083.nupur@theargoncompany.com>
Message-ID: <6.0.1.1.2.20040116100149.03d2a170@imap.ecs.soton.ac.uk>

At 04:57 16/01/2004, you wrote:
>What options need to be set in MailScanner.conf such that when a virus is
>being detected by MailScanner the Warning mail going to the system
>administrator contains the path of the quarantined file?
>--
>Regards
>Nupur

# Hide the directory path from all the system administrator notices.
# The extra directory paths give away information about your setup, and
# tend to just confuse users but are still useful for local sys admins.
# This can also be the filename of a ruleset.
Hide Incoming Work Dir in Notices = no

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 16 10:04:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:52 2006
Subject: Spam full of random words not being stopped
In-Reply-To: <20040116093534.GA14274@quadstone.com>
References: <20040116093534.GA14274@quadstone.com>
Message-ID: <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk>

At 09:35 16/01/2004, you wrote:
>Been getting lots of Spam recently which just contains lots of random words.
>These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61).
>I've attached a couple of examples. Is there anyway to stop this stuff?

Try adding the BigEvil.cf rules file to your SA setup, as it may well help with this.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 16 10:01:07 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: what rule triggers this In-Reply-To: <200401160455.i0G4t6iG005183@avwall.bladeware.com> References: <200401160455.i0G4t6iG005183@avwall.bladeware.com> Message-ID: <6.0.1.1.2.20040116100025.03d486e0@imap.ecs.soton.ac.uk> If you are having trouble with the TNEF decoder, try setting TNEF Expander = internal and see if it works better for you. At 04:56 16/01/2004, you wrote: >I *think* it has something to do with the tnef checks. I can't say for sure >though. > >Mike > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Robin M. >Sent: Thursday, January 15, 2004 10:43 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: what rule triggers this > >On Thu, 15 Jan 2004, Mike Kercher wrote: > > > > > What rule is it that triggers this message. > > > > > > If you are using Microsoft Outlook, we strongly recommend you change > > > your outgoing message format from "Rich Text" to "HTML" or "Plain > > > Text". > > > > > > Sender Error Report > >but how can I prevent this check from happening. The thing is that alot of >exchange users will need to send Rich Text email. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 16 09:59:46 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: OT: Advice please In-Reply-To: <40071A97.9020803@eatathome.com.au> References: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk> <40071A97.9020803@eatathome.com.au> Message-ID: <6.0.1.1.2.20040116093944.03d68180@imap.ecs.soton.ac.uk> At 22:56 15/01/2004, Pete wrote: >Robin M. wrote: >>On Thu, 15 Jan 2004, Gareth Campling wrote: >>>Is this availble for download. ? :o) >>I can make it available for you. Do you need the whole package. I have >>compiled everything into rpm format including MailScanner, apache, postfix >>cyrus, ldap etc etc to install into a chrooted environment. It is kinda >>rought around the edges right now but it is very stable multi-domain >>support. >> >>Email me off list. >I would also LOVE to see a package like this. I have been charged with >converting a 300 user Domino inotes system into 'a Linux based >solution'. But i am really stuglling trying tie all these different apps >together - more importantly i want it to use Win2k AD for >authentication, If you want AD authentication for users to be able to set up their own spam settings, etc. then contact Steve.Swaney@fsl.com about MailScanner Enterprise Edition, it may well be the solution you are looking for. It's good old MailScanner in the middle with ease-of-administration/reporting packages built around it. Much cheaper, faster and better than any of the competition. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From sylvain.phaneuf at IMSU.OXFORD.AC.UK Fri Jan 16 10:41:22 2004 
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped Message-ID: I see today they have 194 rules in the BigEvil list. Is it known whether the number of custom rules like those have an impact on the performance of MS or SA? Sylvain =========================================================== Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 Information Management Services Unit - Medical Sciences Division Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 Oxford OX3 9DU England =========================================================== >>> mailscanner@ECS.SOTON.AC.UK 16/01/2004 10:04:16 >>> At 09:35 16/01/2004, you wrote: >Been getting lots of Spam recently which just contains lots of random words. >These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61). >I've attached a couple of examples. Is there anyway to stop this stuff? Try adding the BigEvil.cf rules file to your SA setup, as it may well help with this. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 16 10:46:03 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: Message-ID: I read somewhere that increases the memory usage slightly, but not significantly Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Sylvain Phaneuf > Sent: 16 January 2004 10:41 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spam full of random words not being stopped > > > I see today they have 194 rules in the BigEvil list. Is it known whether > the number of custom rules like those have an impact on the performance > of MS or SA? > > > > Sylvain > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit - Medical Sciences Division > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > > >>> mailscanner@ECS.SOTON.AC.UK 16/01/2004 10:04:16 >>> > At 09:35 16/01/2004, you wrote: > >Been getting lots of Spam recently which just contains lots of random > words. > >These aren't being marked as Spam (using MailScanner-4.25-14 + > SA-2.61). > >I've attached a couple of examples. Is there anyway to stop this > stuff? > > Try adding the BigEvil.cf rules file to your SA setup, as it may well > help > with this. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From martinh at SOLID-STATE-LOGIC.COM Fri Jan 16 10:49:36 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: References: Message-ID: <4007C1C0.9020104@solid-state-logic.com> Sylvain Phaneuf wrote: > I see today they have 194 rules in the BigEvil list. Is it known whether > the number of custom rules like those have an impact on the performance > of MS or SA? > > > > Sylvain > Very little - I'm running quite a lot of custom rules and still running fine. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mk at quadstone.com Fri Jan 16 11:40:59 2004 
From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> References: <20040116093534.GA14274@quadstone.com> <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> Message-ID: <20040116114059.GA900@quadstone.com> Do you just add contents of this file to spam.assassin.prefs.conf, or can you do an include? Michael On Fri, Jan 16, 2004 at 10:04:16AM +0000, Julian Field wrote: > At 09:35 16/01/2004, you wrote: > >Been getting lots of Spam recently which just contains lots of random > >words. > >These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61). > >I've attached a couple of examples. Is there anyway to stop this stuff? > > Try adding the BigEvil.cf rules file to your SA setup, as it may well help > with this. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Michael Keightley Tel: +44 131 240 3137 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From robin at PRIMUS.CA Fri Jan 16 13:01:03 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:52 2006 Subject: what rule triggers this In-Reply-To: <6.0.1.1.2.20040116100025.03d486e0@imap.ecs.soton.ac.uk> References: <200401160455.i0G4t6iG005183@avwall.bladeware.com> <6.0.1.1.2.20040116100025.03d486e0@imap.ecs.soton.ac.uk> Message-ID: On Fri, 16 Jan 2004, Julian Field wrote: > If you are having trouble with the TNEF decoder, try setting > TNEF Expander = internal > and see if it works better for you. > That setting was already on. I'll try to figure it out and report back if I find anything. From robin at PRIMUS.CA Fri Jan 16 13:04:10 2004 
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:52 2006 Subject: SV: what rule triggers this In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E81E@lkl61.ltkalmar.se> References: <0B646CB9C2952C46B0E819F6C42DA5DB19E81E@lkl61.ltkalmar.se> Message-ID: On Fri, 16 Jan 2004, Anders Andersson, IT wrote: > > Why not change so exchange doesnt use RTF as outgoing format for external > mail.... That will probably solve other issues with ppl not being able to > read messages > Exchange users need to send RTF to eachother. From P.G.M.Peters at utwente.nl Fri Jan 16 13:37:09 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:52 2006 Subject: Habeas blacklist In-Reply-To: References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C441@jessica.herefordshire.gov.uk> Message-ID: On Fri, 16 Jan 2004 10:58:03 +0100, you wrote: >I have the following in my local cf in /etc/mail/spamassassin: > >|# Jan 2004 : Fake Habeas >|header __HABEAS_SWE eval:message_is_habeas_swe( ) >|header __HAB_FORGE_BOUND Content-Type =~ /boundary="--[0-9]{15,20}"/ >|header __HAB_FORGE_MID Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/ >| >|meta HABEAS_FORGERY (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE) >|meta HABEAS_SWE (__HABEAS_SWE && ! HABEAS_FORGERY) >|# -8.0 for default Habeas score. >|describe HABEAS_FORGERY Common Habeas Forgery >|score HABEAS_FORGERY 3.5 I got some spam with habeas headers and it has HABEAS_FORGERY tags. But also without that tag it would have hit my limit (54 and 56 SA score). -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From m.sapsed at BANGOR.AC.UK Fri Jan 16 14:02:32 2004 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:52 2006 Subject: what rule triggers this References: <200401160430.i0G4UliG004142@avwall.bladeware.com> Message-ID: <4007EEF8.6020303@bangor.ac.uk> Robin M. wrote: > On Thu, 15 Jan 2004, Mike Kercher wrote: >>>What rule is it that triggers this message. >>> >>>If you are using Microsoft Outlook, we strongly recommend you change >>>your outgoing message format from "Rich Text" to "HTML" or "Plain >>>Text". >> >>Sender Error Report > > but how can I prevent this check from happening. The thing is that alot of > exchange users will need to send Rich Text email. If (as several people have suggested) this is a TNEF issue, can't you configure things such that your users' Rich Text e-mail is mime-encoded rather than using horrible TNEF stuff? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From rob at thehostmasters.com Fri Jan 16 14:05:54 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped References: <20040116093534.GA14274@quadstone.com> <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> <20040116114059.GA900@quadstone.com> Message-ID: <003401c3dc39$dbb0a7a0$0d01a8c0@basement> Someone here on this list simply told me to add the bigevil.cf file in either /etc/mail/spamassassin or wherever your 50_scores.cf file is. And restart But how or can you tell if a rule set is being used? I am still getting Habeas stuff to after adding score HABEAS_SWE -3.0 to my /etc/Mailscanner/spam.assassin.prefs.conf Its a little confusing to me being a newbie to mailscanner, knowing where to add rules and such... can they just not go all in one file somewhere? Thanks Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- 
From: "Michael Keightley" To: Sent: Friday, January 16, 2004 6:40 AM Subject: Re: Spam full of random words not being stopped > Do you just add contents of this file to spam.assassin.prefs.conf, or can you > do an include? > > Michael > On Fri, Jan 16, 2004 at 10:04:16AM +0000, Julian Field wrote: > > At 09:35 16/01/2004, you wrote: > > >Been getting lots of Spam recently which just contains lots of random > > >words. > > >These aren't being marked as Spam (using MailScanner-4.25-14 + SA-2.61). > > >I've attached a couple of examples. Is there anyway to stop this stuff? > > > > Try adding the BigEvil.cf rules file to your SA setup, as it may well help > > with this. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Michael Keightley Tel: +44 131 240 3137 > Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 > 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com > From mailscanner at ecs.soton.ac.uk Fri Jan 16 14:19:02 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: <003401c3dc39$dbb0a7a0$0d01a8c0@basement> References: <20040116093534.GA14274@quadstone.com> <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> <20040116114059.GA900@quadstone.com> <003401c3dc39$dbb0a7a0$0d01a8c0@basement> Message-ID: <6.0.1.1.2.20040116141754.086b9298@imap.ecs.soton.ac.uk> At 14:05 16/01/2004, you wrote: >Someone here on this list simply told me to add the bigevil.cf file in >either /etc/mail/spamassassin or wherever your 50_scores.cf file is. > >And restart > >But how or can you tell if a rule set is being used? Leave it a few hours and look for BIGEVIL in the lists of rules that hit some of your spam. > I am still getting Habeas stuff to after adding score HABEAS_SWE -3.0 to my >/etc/Mailscanner/spam.assassin.prefs.conf > >Its a little confusing to me being a newbie to mailscanner, knowing where to >add rules and such... can they just not go all in one file somewhere? They can all just go in spam.assassin.prefs.conf, but the BigEvil list changes very frequently so it's easier to replace if you keep it in a separate file. >Thanks > > >Rob Charles >TheHostMasters >Montreal, Canada >514-846-0006 >Rob@TheHostMasters.com >http://www.TheHostMasters.com > > > >----- Original Message ----- 
>From: "Michael Keightley" >To: >Sent: Friday, January 16, 2004 6:40 AM >Subject: Re: Spam full of random words not being stopped > > > > Do you just add contents of this file to spam.assassin.prefs.conf, or can >you > > do an include? > > > > Michael > > On Fri, Jan 16, 2004 at 10:04:16AM +0000, Julian Field wrote: > > > At 09:35 16/01/2004, you wrote: > > > >Been getting lots of Spam recently which just contains lots of random > > > >words. > > > >These aren't being marked as Spam (using MailScanner-4.25-14 + >SA-2.61). > > > >I've attached a couple of examples. Is there anyway to stop this >stuff? > > > > > > Try adding the BigEvil.cf rules file to your SA setup, as it may well >help > > > with this. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > Michael Keightley Tel: +44 131 240 >3137 > > Systems Manager, Quadstone Limited, Fax: +44 131 220 >4492 > > 16 Chester Street, Edinburgh EH3 7RA, Scotland >http://www.quadstone.com > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Fri Jan 16 14:20:57 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:52 2006
Subject: {POLLURIEL?} Re: Spam full of random words not being stopped
In-Reply-To: <3scf00t2vg4jqfovab5087u4mkfc02hmio@tradoc.fr>
References: <20040116093534.GA14274@quadstone.com> <3scf00t2vg4jqfovab5087u4mkfc02hmio@tradoc.fr>
Message-ID: <1074262857.2540.24.camel@dbeauchemin.sti.usherbrooke.ca>

Our spam detector believes that the attachment to this e-mail, received:

From: denis.beauchemin@usherbrooke.ca
Subject: Re: Spam full of random words not being stopped

is unsolicited commercial e-mail (spam). We advise you to delete this e-mail without opening the attachment, unless you have a good reason to believe that our software made a wrong decision. If you open a spam message, you risk indicating to the sender that your e-mail address is active, which will encourage them to send you more.

If you believe this e-mail was declared spam when it was not, please forward the complete notice to demandes-polluriel@USherbrooke.ca, ONLY IF IT COMES FROM A MAILING LIST. Take care to include all of its headers (see the following site for more information: http://www.si.USherb.ca/nouvelles/polluriel.htm )

If the e-mail comes from an individual, we suggest instead that you create a filing rule with your correspondent's address (see https://www.USherbrooke.ca/courriel/gestion/ filters section), then place the spam filter AFTER your own rules.

-------------- next part --------------
An embedded message was scrubbed...
From: Denis Beauchemin
Subject: Re: Spam full of random words not being stopped
Date: Fri, 16 Jan 2004 09:20:57 -0500
Size: 3033
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/edae1e97/attachment.mht

From rob at thehostmasters.com Fri Jan 16 14:27:39 2004
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped References: <20040116093534.GA14274@quadstone.com> <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> <20040116114059.GA900@quadstone.com> <003401c3dc39$dbb0a7a0$0d01a8c0@basement> <6.0.1.1.2.20040116141754.086b9298@imap.ecs.soton.ac.uk> Message-ID: <008c01c3dc3c$e54293c0$0d01a8c0@basement> Thanks for clearing that up.... :) Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- From: "Julian Field" To: "Rob Charles" Cc: Sent: Friday, January 16, 2004 9:19 AM Subject: Re: Spam full of random words not being stopped > At 14:05 16/01/2004, you wrote: > >Someone here on this list simply told me to add the bigevil.cf file in > >either /etc/mail/spamassassin or wherever your 50_scores.cf file is. > > > >And restart > > > >But how or can you tell if a rule set is being used? > > Leave it a few hours and look for BIGEVIL in the lists of rules that hit > some of your spam. > > > I am still getting Habeas stuff to after adding score HABEAS_SWE -3.0 to my > >/etc/Mailscanner/spam.assassin.prefs.conf > > > >Its a little confusing to me being a newbie to mailscanner, knowing where to > >add rules and such... can they just not go all in one file somewhere? > > They can all just go in spam.assassin.prefs.conf, but the BigEvil list > changes very frequently so it's easier to replace if you keep it in a > separate file. > > > >Thanks > > > > > >Rob Charles > >TheHostMasters > >Montreal, Canada > >514-846-0006 > >Rob@TheHostMasters.com > >http://www.TheHostMasters.com > > > > > > > >----- Original Message ----- 
> >From: "Michael Keightley" > >To: > >Sent: Friday, January 16, 2004 6:40 AM > >Subject: Re: Spam full of random words not being stopped > > > > > > > Do you just add contents of this file to spam.assassin.prefs.conf, or can > >you > > > do an include? > > > > > > Michael > > > On Fri, Jan 16, 2004 at 10:04:16AM +0000, Julian Field wrote: > > > > At 09:35 16/01/2004, you wrote: > > > > >Been getting lots of Spam recently which just contains lots of random > > > > >words. > > > > >These aren't being marked as Spam (using MailScanner-4.25-14 + > >SA-2.61). > > > > >I've attached a couple of examples. Is there anyway to stop this > >stuff? > > > > > > > > Try adding the BigEvil.cf rules file to your SA setup, as it may well > >help > > > > with this. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -- > > > Michael Keightley Tel: +44 131 240 > >3137 > > > Systems Manager, Quadstone Limited, Fax: +44 131 220 > >4492 > > > 16 Chester Street, Edinburgh EH3 7RA, Scotland > >http://www.quadstone.com > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From Peter.Bates at LSHTM.AC.UK Fri Jan 16 14:53:35 2004 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:21:52 2006 Subject: Bayesian shenanigans (i.e. problems) Message-ID: Hello all... > mkettler@EVI-INC.COM 15/01/04 15:56:50 >>> At 05:38 AM 1/15/2004, David Lee wrote: >"Me, too!" (bayes_toks ~ 50MB, bayes_toks.new ~ 1.4GB). Glad I'm not >alone. >Yes those sizes are unreasonable... It sounds like expiry is never running >on your system. >Try running expiry manualy using sa-learn --force-expire and see if it >clears things up. Well, I've done a --force-expire, and got: -rw-r--r-- 1 postfix postfix 40M Jan 16 14:51 bayes_seen -rw------- 1 postfix postfix 123k Jan 16 14:51 bayes_journal -rw------- 1 postfix postfix 265M Jan 16 14:51 bayes_toks -rw------- 1 postfix postfix 2.7G Jan 16 13:08 bayes_toks.new -rw-r--r-- 1 postfix postfix 4.8M Oct 15 09:22 old_bayes_seen -rw-r--r-- 1 postfix postfix 22M Oct 15 09:22 old_bayes_toks now... and my SA/MS is timing out once again, now I've re-enabled Bayes with use_bayes... I'm almost tempted to have a normal SA run without Bayes, and then use MCP to reprocess the message again with Bayes (or vice versa)... the fact that the Bayes is making it time out, and then effectively timing out the rest of the stuff despite it probably being 'positive' in a lot of cases is proving far from jolly... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From P.G.M.Peters at utwente.nl Fri Jan 16 15:10:08 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: <003401c3dc39$dbb0a7a0$0d01a8c0@basement> References: <20040116093534.GA14274@quadstone.com> <6.0.1.1.2.20040116100351.038953d8@imap.ecs.soton.ac.uk> <20040116114059.GA900@quadstone.com> <003401c3dc39$dbb0a7a0$0d01a8c0@basement> Message-ID: On Fri, 16 Jan 2004 09:05:54 -0500, you wrote: > I am still getting Habeas stuff to after adding score HABEAS_SWE -3.0 to my >/etc/Mailscanner/spam.assassin.prefs.conf I noticed SA doesn't allways seem to find the habeas headers. Sometimes I get the -8 score for habeas but I also get the scores for forged-habeas headers so it gives a good +. But sometimes I get spam that is tagged as spam and it has habeas headers inside but no -8 score for habeas. And yes, the SA versions are the same (or at least they are installed that way). -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From raymond at PROLOCATION.NET Fri Jan 16 15:14:47 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:52 2006 Subject: Spam full of random words not being stopped In-Reply-To: <003401c3dc39$dbb0a7a0$0d01a8c0@basement> Message-ID: Hi! > But how or can you tell if a rule set is being used? > > I am still getting Habeas stuff to after adding score HABEAS_SWE -3.0 to my > /etc/Mailscanner/spam.assassin.prefs.conf > > Its a little confusing to me being a newbie to mailscanner, knowing where to > add rules and such... can they just not go all in one file somewhere? Grep on BigEvil in your maillog ... will show some hits for sure if its used :) Bye, Raymond. From cwharris at MORGAN.NET Fri Jan 16 15:19:03 2004 
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:52 2006
Subject: Bayes problem
Message-ID: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net>

Hey all,

I asked this on SATalk but never got a response.

Got a question about Bayes. I have run into this a few times now and not sure what is causing it.

When I run a sa-learn command, if I am training something or maintenance, I get this error:

Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/O: tie failed: Inappropriate file type or format
Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format
Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format

What is this saying and how do I fix it?

Chris

From P.G.M.Peters at utwente.nl Fri Jan 16 15:23:24 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:52 2006
Subject: Bayes problem
In-Reply-To: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net>
References: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net>
Message-ID: <0c0g009a9pfsaha4qdh5fjh48sqadn9dd1@4ax.com>

On Fri, 16 Jan 2004 09:19:03 -0600, you wrote:

>I asked this on SATalk but never got a response.
>
>Got a question about Bayes. I have run into this a few times now and not
>sure what is causing it.
>
>When I run a sa-learn command, if I am training something or maintenance, I
>get this error:
>
>Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/O: tie failed: Inappropriate file type or format
>Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format
>Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format
>
>What is this saying and how do I fix it?

It means some other program is updating the bayes files and has them locked. You can wait until that program releases the lock. Probably it is SA called by MS. So I do a "MailScanner stop", "MailScanner startin" before the sa-learn. After that I do a "MailScanner start".

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mkettler at EVI-INC.COM Fri Jan 16 15:33:44 2004
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:52 2006 Subject: Bayes problem In-Reply-To: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net> References: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net> Message-ID: <6.0.0.22.0.20040116103105.029d2bb8@xanadu.evi-inc.com> At 10:19 AM 1/16/2004, Chris wrote: >Got a question about Bayes. I have run into this a few times now and not >sure what is causing it. > >When I run a sa-learn command, if I am training something or maintenance, I >get this error: > >Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/O: >tie failed: Inappropriate file type or format Looks like your bayes databases are corrupted and are no longer a Berkeley DB file. From eja at URBAKKEN.DK Fri Jan 16 15:33:39 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:52 2006 Subject: MailScanner errors. Message-ID: <40080453.9020002@urbakken.dk> Hi. I have just reinstalled MailScanner on a new server here. I use postfix, but I'm receiving the following when MailScanner shall start: [root@gateway /]# service MailScanner status Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: head: /var/run/sendmail.in.pid: No such file or directory [FAILED] outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory [FAILED] -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mkettler at EVI-INC.COM Fri Jan 16 15:36:53 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:52 2006 Subject: Bayes problem In-Reply-To: <0c0g009a9pfsaha4qdh5fjh48sqadn9dd1@4ax.com> References: <003e01c3dc44$139785d0$2105a8c0@pub.morgan.net> <0c0g009a9pfsaha4qdh5fjh48sqadn9dd1@4ax.com> Message-ID: <6.0.0.22.0.20040116103355.029d2630@xanadu.evi-inc.com> At 10:23 AM 1/16/2004, Peter Peters wrote: >It means some other program is updating the bayes files and have them >locked. You can wait untill that program releases the lock. Probably it >is SA called by MS. So I do a "MailScanner stop", "MailScanner startin" >before the sa-learn. After that I do a "MailScanner start". Not so.. that would be if the tie failed with a lock file exists message.. This is tie failing because of an inappropriate file format. Corrupted database. From howard at harper-adams.ac.uk Fri Jan 16 15:33:57 2004 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:21:52 2006 Subject: Bigevil.cf Message-ID: <200401161531.i0GFVb8O028869@blackhole.harper-adams.ac.uk> Sorry I missed the location of the bigevil.cf file on google it appears to be http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf Is this the 'proper' version? Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From rob at thehostmasters.com Fri Jan 16 15:38:42 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:21:52 2006 Subject: Bigevil.cf References: <200401161531.i0GFVb8O028869@blackhole.harper-adams.ac.uk> Message-ID: <011f01c3dc46$d29afd20$0d01a8c0@basement> That's what I use.... Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- 
From: "Howard Robinson" To: Sent: Friday, January 16, 2004 10:33 AM Subject: Bigevil.cf > Sorry I missed the location of the bigevil.cf file > on google it appears to be > http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf > Is this the 'proper' version? > > > > > Regards > > Howard Robinson > (Senior Technical Development Officer) > Harper Adams University College > Edgmond > Newport > Shropshire > TF10 8NB UK > > E-mail: hrobinson@harper-adams.ac.uk > Tel. : +44(0)1952 820280 Via switchboard > : +44(0)1952 815253 Direct line > Fax. : +44(0)1952 814783 > College Web site http://www.harper-adams.ac.uk > From anders.andersson at LTKALMAR.SE Fri Jan 16 15:40:54 2004 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:21:52 2006 Subject: SV: SV: what rule triggers this Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E821@lkl61.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Robin M. [mailto:robin@PRIMUS.CA] > Skickat: den 16 januari 2004 14:04 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: Re: SV: what rule triggers this > > On Fri, 16 Jan 2004, Anders Andersson, IT wrote: > > > > Why not change so exchange doesnt use RTF as outgoing format for > > external mail.... That will probably solve other issues > with ppl not > > being able to read messages > > > Exchange users need to send RTF to eachother. Okay, I thought you only needed RTF for internal mail. We had to many complaints that external users could not read mail sent from us and 99% of the time it was related of RTF, so I turned it off :) From eja at URBAKKEN.DK Fri Jan 16 16:11:37 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:52 2006 Subject: [Fwd: MailScanner errors.] Message-ID: <40080D39.4010902@urbakken.dk> -------- Original Message -------- Subject: MailScanner errors. Date: Fri, 16 Jan 2004 16:33:39 +0100 
From: Erik Jakobsen To: MAILSCANNER@JISCMAIL.AC.UK Hi. I have just reinstalled MailScanner on a new server here. I use postfix, but I'm receiving the following when MailScanner shall start: [root@gateway /]# service MailScanner status Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: head: /var/run/sendmail.in.pid: No such file or directory [FAILED] outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory [FAILED] -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Fri Jan 16 16:10:49 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: MailScanner errors. In-Reply-To: <40080453.9020002@urbakken.dk> References: <40080453.9020002@urbakken.dk> Message-ID: <6.0.1.1.2.20040116161034.086ff298@imap.ecs.soton.ac.uk> mkdir /var/run then try it again. At 15:33 16/01/2004, you wrote: >Hi. > >I have just reinstalled MailScanner on a new server here. I use postfix, >but I'm receiving the following when MailScanner shall start: > >[root@gateway /]# service MailScanner status >Checking MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: head: /var/run/sendmail.in.pid: No such >file or directory > [FAILED] > outgoing sendmail: head: /var/run/sendmail.out.pid: No such >file or directory > [FAILED] > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Fri Jan 16 16:26:32 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:52 2006 Subject: MailScanner errors. In-Reply-To: <6.0.1.1.2.20040116161034.086ff298@imap.ecs.soton.ac.uk> References: <40080453.9020002@urbakken.dk> <6.0.1.1.2.20040116161034.086ff298@imap.ecs.soton.ac.uk> Message-ID: <400810B8.4000507@urbakken.dk> It has been made the /var/run directory: # ls -al /var/run total 132 drwxr-xr-x 8 root root 4096 Jan 16 16:33 . drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. drwxr-xr-x 2 root root 4096 Feb 10 2003 console -rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid -rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid -rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid -rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid -rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid -rw------- 1 root root 5 Jan 16 16:31 klogd.pid -rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport -rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid -rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppoe -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.start -rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid -rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd -rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd -rw-r--r-- 1 root root 0 Jan 16 16:32 sm-client.pid -rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid -rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid drwx------ 2 root root 4096 Jan 25 2003 sudo -rw------- 1 root root 5 Jan 16 16:31 syslogd.pid -rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid -rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp -rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid -rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid 
-rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid Julian Field wrote: > mkdir /var/run > then try it again. > > At 15:33 16/01/2004, you wrote: > >> Hi. >> >> I have just reinstalled MailScanner on a new server here. I use postfix, >> but I'm receiving the following when MailScanner shall start: >> >> [root@gateway /]# service MailScanner status >> Checking MailScanner daemons: >> MailScanner: [ OK ] >> incoming sendmail: head: /var/run/sendmail.in.pid: No such >> file or directory >> [FAILED] >> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >> file or directory >> [FAILED] >> >> -- >> Med venlig hilsen - Best regards. >> Erik Jakobsen - eja@urbakken.dk. >> Licensed radioamateur with the callsign OZ4KK. >> SuSE Linux 8.2 Proff. >> Registered as user #319488 with the Linux Counter, http://counter.li.org. > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From sanjay.patel at REXWIRE.COM Fri Jan 16 16:34:25 2004 From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel) Date: Thu Jan 12 21:21:52 2006 Subject: How-to restrict certain domains In-Reply-To: <200401160426.i0G4Q7iG003792@avwall.bladeware.com> Message-ID: <200401161645.i0GGjunn005271@mx.sargam.com> So I take it this is not possible? -SKP -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
Sent: Thursday, January 15, 2004 11:27 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How-to restrict certain domains

I don't think that tutorial quite covers what he wants to do.

Seems he'd need a ruleset like this:

Non Spam Actions = /etc/MailScanner/rules/noaol.rules

FromTo: *@mydomain.com FromTo:*@aol.com bounce
FromTo: default deliver

To my knowledge, such a ruleset is not possible (yet)

Am I thinking wrong?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Thursday, January 15, 2004 9:43 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How-to restrict certain domains

-----Original Message-----
From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
Sent: Thursday, January 15, 2004 10:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How-to restrict certain domains

We host mail for 5 domains. But we want to restrict one domain from receiving or sending mail aol.com.

How can we do this with MailScanner.

SKP
[Ugo Bellavance]

See the ruleset tutorial : http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

From dan.farmer at PHONEDIR.COM Fri Jan 16 16:49:36 2004
From: dan.farmer at PHONEDIR.COM (Dan Farmer)
Date: Thu Jan 12 21:21:52 2006
Subject: How-to restrict certain domains
In-Reply-To: <200401161645.i0GGjunn005271@mx.sargam.com>
References: <200401161645.i0GGjunn005271@mx.sargam.com>
Message-ID:

Someone correct me if I'm wrong, but it's not possible in the current rulesets, but it is possible to do per-domain blacklists in CustomConfig.pm, right? I've never messed about in it, but I've seen it mentioned often enough and a quick glance through it looks right...

dan

On Jan 16, 2004, at 9:34 AM, Sanjay K. Patel wrote:

> So I take it this is not possible?
>
> -SKP
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
> Sent: Thursday, January 15, 2004 11:27 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: How-to restrict certain domains
>
> I don't think that tutorial quite covers what he wants to do.
>
> Seems he'd need a ruleset like this:
>
> Non Spam Actions = /etc/MailScanner/rules/noaol.rules
>
> FromTo: *@mydomain.com FromTo:*@aol.com bounce
> FromTo: default deliver
>
> To my knowledge, such a ruleset is not possible (yet)
>
> Am I thinking wrong?
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> Sent: Thursday, January 15, 2004 9:43 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: How-to restrict certain domains
>
>
>
> -----Original Message-----
> From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
> Sent: Thursday, January 15, 2004 10:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: How-to restrict certain domains
>
>
>
> We host mail for 5 domains. But we want to restrict one domain from
> receiving or sending mail aol.com.
>
> How can we do this with MailScanner.
>
> SKP
> [Ugo Bellavance]
>
> See the ruleset tutorial :
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html
>

From mailscanner at ecs.soton.ac.uk Fri Jan 16 16:52:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:52 2006
Subject: Happy Birthday to me!
Message-ID: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk>

SSIA :o)

Time for a glass of Chablis or two...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 16 16:52:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:52 2006
Subject: How-to restrict certain domains
In-Reply-To: <200401161645.i0GGjunn005271@mx.sargam.com>
References: <200401160426.i0G4Q7iG003792@avwall.bladeware.com> <200401161645.i0GGjunn005271@mx.sargam.com>
Message-ID: <6.0.1.1.2.20040116163722.075182d8@imap.ecs.soton.ac.uk>

At 16:34 16/01/2004, you wrote:
>So I take it this is not possible?

There are limits to what the rulesets can do. However you could do it very easily with a Custom Function. You just need to look at $message->{fromdomain} and @{$message->{todomain}} and see if either contains aol.com. Tie that Custom Function into "Non Spam Actions" and you're away.

The Perl to do this is dead simple, take a look at the start of CustomConfig.pm for examples. You might find the result looks almost exactly like this (bung this in CustomConfig.pm somewhere near the top)

-----------SNIP------------
my $NoAOLDomain = 'cant-talk-to-AOL.com';

sub InitAOLCheck {
  # No initialisation needs doing here at all.
  MailScanner::Log::InfoLog("Initialising AOLCheck for $NoAOLDomain");
}

sub EndAOLCheck {
  # No shutdown code needed here at all.
  # This function could log total stats, close databases, etc.
  MailScanner::Log::InfoLog("Ending AOLCheck");
}

# This will return "bounce" for messages that involve both $NoAOLDomain
# and aol.com, and "deliver" for everything else.
sub AOLCheck {
  my($message) = @_;

  return "deliver" unless $message; # Default if no message passed in

  # Is it to or from AOL?
  my($InvolvesNoAOLDomain, $InvolvesAOL, $domain);
  $InvolvesNoAOLDomain = 0;
  $InvolvesAOL = 0;
  foreach $domain ($message->{fromdomain}, @{$message->{todomain}}) {
    # Match the domain itself or a subdomain of it: the (?:^|\.) anchor and
    # \Q..\E stop look-alikes (and $NoAOLDomain itself) counting as aol.com.
    $InvolvesAOL = 1 if $domain =~ /(?:^|\.)aol\.com$/i; # Is it aol.com?
    $InvolvesNoAOLDomain = 1 if $domain =~ /(?:^|\.)\Q$NoAOLDomain\E$/io;
  }

  # Bounce the message if it involved our non-AOL-domain and AOL
  return "bounce" if $InvolvesAOL && $InvolvesNoAOLDomain;
  # Otherwise deliver it
  return "deliver";
}
-----------SNIP------------

Then set in MailScanner.conf:
Non Spam Actions = &AOLCheck
and restart MailScanner. First time set "Debug = yes" so you can see any Perl syntax errors I have made.

Have a good weekend!

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Mike Kercher
>Sent: Thursday, January 15, 2004 11:27 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: How-to restrict certain domains
>
>I don't think that tutorial quite covers what he wants to do.
>
>Seems he'd need a ruleset like this:
>
>Non Spam Actions = /etc/MailScanner/rules/noaol.rules
>
>FromTo: *@mydomain.com FromTo:*@aol.com bounce
>FromTo: default deliver
>
>To my knowledge, such a ruleset is not possible (yet)
>
>Am I thinking wrong?
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Ugo Bellavance
>Sent: Thursday, January 15, 2004 9:43 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: How-to restrict certain domains
>
>
>
> -----Original Message-----
> From: Sanjay K. Patel [mailto:sanjay.patel@REXWIRE.COM]
> Sent: Thursday, January 15, 2004 10:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: How-to restrict certain domains
>
>
>
> We host mail for 5 domains. But we want to restrict one domain from
>receiving or sending mail aol.com.
>
> How can we do this with MailScanner.
>
> SKP
> [Ugo Bellavance]
>
> See the ruleset tutorial :
>http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Fri Jan 16 16:57:48 2004
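The to-or-from-AOL decision from the message above as a stand-alone Perl harness, added here as an illustration; it is not part of Julian Field's post or of MailScanner. The helper names and sample messages are constructed, and only the `fromdomain` and `todomain` keys named in the post are modelled. It runs the same cases through a label-anchored match and a bare suffix match, because the bare suffix also hits look-alike domains and the placeholder `cant-talk-to-AOL.com` itself.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness, not MailScanner code.
use strict;
use warnings;

# Placeholder from the post: the hosted domain that must not exchange mail with AOL.
my $NoAOLDomain = 'cant-talk-to-AOL.com';

# Hypothetical helper: true when $domain is $suffix or a subdomain of it.
# \Q..\E quotes the dots; (?:^|\.) anchors the match at a label boundary.
sub domain_is_or_under {
    my ($domain, $suffix) = @_;
    return 0 unless defined $domain && length $domain;
    $domain =~ s/\.$//;    # tolerate a trailing root dot
    return $domain =~ /(?:^|\.)\Q$suffix\E$/i ? 1 : 0;
}

# Bare suffix match, included only for comparison.
sub loose_suffix {
    my ($domain, $suffix) = @_;
    return 0 unless defined $domain;
    return $domain =~ /\Q$suffix\E$/i ? 1 : 0;
}

# Decision in the shape a "Non Spam Actions" Custom Function returns.
# $match is the matcher to use, so both variants run over the same cases.
sub aol_decision {
    my ($message, $match) = @_;
    return 'deliver' unless $message;
    my ($involves_aol, $involves_restricted) = (0, 0);
    foreach my $domain ($message->{fromdomain}, @{ $message->{todomain} || [] }) {
        $involves_aol        = 1 if $match->($domain, 'aol.com');
        $involves_restricted = 1 if $match->($domain, $NoAOLDomain);
    }
    return ($involves_aol && $involves_restricted) ? 'bounce' : 'deliver';
}

# Constructed sample messages: [ label, message hash, expected action ].
my @cases = (
    [ 'restricted -> aol.com',
      { fromdomain => 'cant-talk-to-aol.com', todomain => ['aol.com'] }, 'bounce' ],
    [ 'AOL subdomain -> restricted',
      { fromdomain => 'mail.AOL.com', todomain => ['cant-talk-to-aol.com'] }, 'bounce' ],
    [ 'restricted -> unrelated domain',
      { fromdomain => 'cant-talk-to-aol.com', todomain => ['example.org'] }, 'deliver' ],
    [ 'restricted -> AOL look-alike',
      { fromdomain => 'cant-talk-to-aol.com', todomain => ['paol.com'] }, 'deliver' ],
    [ 'other hosted domain -> aol.com',
      { fromdomain => 'example.net', todomain => ['aol.com'] }, 'deliver' ],
    [ 'look-alike of restricted -> aol.com',
      { fromdomain => 'not-cant-talk-to-aol.com', todomain => ['aol.com'] }, 'deliver' ],
    # One AOL recipient among several bounces the whole message.
    [ 'restricted -> mixed recipients',
      { fromdomain => 'cant-talk-to-aol.com', todomain => ['example.org', 'aol.com'] }, 'bounce' ],
);

my $failures = 0;
printf "%-36s %-9s %-9s %s\n", 'case', 'anchored', 'loose', 'expected';
foreach my $case (@cases) {
    my ($name, $message, $expected) = @$case;
    my $anchored = aol_decision($message, \&domain_is_or_under);
    my $loose    = aol_decision($message, \&loose_suffix);
    printf "%-36s %-9s %-9s %s\n", $name, $anchored, $loose, $expected;
    $failures++ if $anchored ne $expected;
}
exit($failures ? 1 : 0);
```

The "loose" column diverges from "expected" on the unrelated-domain and look-alike rows, which is the over-matching the anchored form avoids.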
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:52 2006 Subject: MailScanner errors. In-Reply-To: <400810B8.4000507@urbakken.dk> References: <40080453.9020002@urbakken.dk> <6.0.1.1.2.20040116161034.086ff298@imap.ecs.soton.ac.uk> <400810B8.4000507@urbakken.dk> Message-ID: <4008180C.8040302@urbakken.dk> Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks, but I'm not using sendmail ?. Erik Jakobsen wrote: > It has been made the /var/run directory: > > # ls -al /var/run > total 132 > drwxr-xr-x 8 root root 4096 Jan 16 16:33 . > drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. > drwxr-xr-x 2 root root 4096 Feb 10 2003 console > -rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid > -rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid > -rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid > -rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid > -rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid > -rw------- 1 root root 5 Jan 16 16:31 klogd.pid > -rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid > drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport > -rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid > -rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb > -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid > -rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd > -rw-r--r-- 1 root root 5 Jan 16 16:31 > pppoe-adsl.pid.pppoe > -rw-r--r-- 1 root root 5 Jan 16 16:31 > pppoe-adsl.pid.start > -rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid > -rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid > drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd > -rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid > drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba > drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd > -rw-r--r-- 1 root root 0 Jan 16 16:32 sm-client.pid > -rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid > -rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid > drwx------ 2 root root 4096 Jan 25 2003 sudo > -rw------- 1 root root 5 Jan 16 16:31 syslogd.pid > 
-rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid > -rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp > -rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid > -rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid > -rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid > > > Julian Field wrote: > >> mkdir /var/run >> then try it again. >> >> At 15:33 16/01/2004, you wrote: >> >>> Hi. >>> >>> I have just reinstalled MailScanner on a new server here. I use postfix, >>> but I'm receiving the following when MailScanner shall start: >>> >>> [root@gateway /]# service MailScanner status >>> Checking MailScanner daemons: >>> MailScanner: [ OK ] >>> incoming sendmail: head: /var/run/sendmail.in.pid: No such >>> file or directory >>> [FAILED] >>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >>> file or directory >>> [FAILED] >>> >>> -- >>> Med venlig hilsen - Best regards. >>> Erik Jakobsen - eja@urbakken.dk. >>> Licensed radioamateur with the callsign OZ4KK. >>> SuSE Linux 8.2 Proff. >>> Registered as user #319488 with the Linux Counter, >>> http://counter.li.org. >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Fri Jan 16 16:57:10 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: MailScanner errors. In-Reply-To: <4008180C.8040302@urbakken.dk> References: <40080453.9020002@urbakken.dk> <6.0.1.1.2.20040116161034.086ff298@imap.ecs.soton.ac.uk> <400810B8.4000507@urbakken.dk> <4008180C.8040302@urbakken.dk> Message-ID: <6.0.1.1.2.20040116165640.075e10a0@imap.ecs.soton.ac.uk> At 16:57 16/01/2004, you wrote: >Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks, >but I'm not using sendmail ?. Have you set the correct MTA in /etc/sysconfig/MailScanner? That controls which MTA the MailScanner init.d script will start up. >Erik Jakobsen wrote: >>It has been made the /var/run directory: >> >># ls -al /var/run >>total 132 >>drwxr-xr-x 8 root root 4096 Jan 16 16:33 . >>drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. >>drwxr-xr-x 2 root root 4096 Feb 10 2003 console >>-rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid >>-rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid >>-rw------- 1 root root 5 Jan 16 16:31 klogd.pid >>-rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid >>drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport >>-rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid >>-rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb >>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd >>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>pppoe-adsl.pid.pppoe >>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>pppoe-adsl.pid.start >>-rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid >>drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd >>-rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid >>drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba >>drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd >>-rw-r--r-- 1 root root 0 
Jan 16 16:32 sm-client.pid >>-rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid >>drwx------ 2 root root 4096 Jan 25 2003 sudo >>-rw------- 1 root root 5 Jan 16 16:31 syslogd.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid >>-rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp >>-rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid >>-rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid >> >> >>Julian Field wrote: >> >>>mkdir /var/run >>>then try it again. >>> >>>At 15:33 16/01/2004, you wrote: >>> >>>>Hi. >>>> >>>>I have just reinstalled MailScanner on a new server here. I use postfix, >>>>but I'm receiving the following when MailScanner shall start: >>>> >>>>[root@gateway /]# service MailScanner status >>>>Checking MailScanner daemons: >>>> MailScanner: [ OK ] >>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such >>>>file or directory >>>> [FAILED] >>>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >>>>file or directory >>>> [FAILED] >>>> >>>>-- >>>>Med venlig hilsen - Best regards. >>>>Erik Jakobsen - eja@urbakken.dk. >>>>Licensed radioamateur with the callsign OZ4KK. >>>>SuSE Linux 8.2 Proff. >>>>Registered as user #319488 with the Linux Counter, >>>>http://counter.li.org. >>> >>> >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >>> >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >>-- >>Med venlig hilsen - Best regards. >>Erik Jakobsen - eja@urbakken.dk. >>Licensed radioamateur with the callsign OZ4KK. >>SuSE Linux 8.2 Proff. >>Registered as user #319488 with the Linux Counter, http://counter.li.org. > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 16 17:00:39 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:52 2006 Subject: Happy Birthday to me! In-Reply-To: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040116165935.03926918@imap.ecs.soton.ac.uk> Oh, if anyone feels a desperate urge to buy me a Birthday present, my wish list at www.amazon.co.uk has plenty on it... ;-> I hear a bar calling me! Have a good weekend one and all. At 16:52 16/01/2004, you wrote: >SSIA >:o) > >Time for a glass of Chablis or two... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkipness at GENIANT.COM Fri Jan 16 18:01:43 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:21:52 2006 Subject: SpamAssassin score missing? Message-ID: <399D85F2BB50BC4295F78EAE203D5C220604C8@dalsxc01.geniant.net> Hi, I've been getting a lot of messages (spam) this morning that have no spam score. Some messages when looking the headers this morning do have: X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 8, HTML_80_90 0.50) But some just have: X-MailScanner-SpamCheck: With nothing after the colon. Does this mean SpamAssassin is timing out? I see no indication of any problem in the mail logs. How can I fix? Thanks, Max From Peter.Bates at LSHTM.AC.UK Fri Jan 16 18:04:40 2004 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:21:52 2006 Subject: Seemingly unscanned mail weirdness... Message-ID: Hello all (obviously not the birthday boy, of course :) ...) Had a rash of spammy stuff today from 'x@tom.com', where x is the usual sort of randomly generated stuff. I've now resorted to address verification for this domain, but was still intrigued by one email passed to me from a member of staff... We're running MS 4.25, SA 2.61, with Postfix (2-something or other)... According to our MUA (Novell GroupWise is where the mail eventually ends up), the entire content of the message is: Return-path: Received: from postbox.lshtm.ac.uk (mailgw.lshtm.ac.uk [193.63.251.36]) by s-nst5.lshtm.ac.uk; Fri, 16 Jan 2004 17:24:18 +0000 Received: from customer-148-233-202-142.uninet.net.mx (customer-148-233-202-142.uninet.net.mx [148.233.202.142]) by postbox.lshtm.ac.uk (Postfix) with SMTP id 2D901156066 for ; Fri, 16 Jan 2004 17:23:57 +0000 (GMT) Received: from [148.233.202.142] by 3001hosting.comIP with HTTP; Fri, 16 Jan 2004 12:14:27 +0600 From: postmaster@lshtm.ac.uk Message-Id: <20040116172357.2D901156066@postbox.lshtm.ac.uk> Date: Fri, 16 Jan 2004 17:23:57 +0000 (GMT) To: undisclosed-recipients:; crhfcdirahaei@tom.com ... what I'm curious about is the total lack of any MailScanner mention here, and this should have definitely passed through (in fact, there isn't really a mechanism whereby it doesn't pass through MS). Is our MUA not reporting the entire content here, or is the 'To: undisclosed-recipients:;' being used in a tricksy fashion? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From lists at STHOMAS.NET Fri Jan 16 18:20:21 2004 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:52 2006 Subject: Happy Birthday to me! In-Reply-To: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Fri, Jan 16, 2004 at 04:52:56PM +0000 References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> Message-ID: <20040116102021.A27216@sthomas.net> Mine's on Sunday - Yay for Capricorns! :) Happy Birthday, Julian. Take the day off! On Fri, Jan 16, 2004 at 04:52:56PM +0000, Julian Field is rumored to have said: > > SSIA > :o) > > Time for a glass of Chablis or two... > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- "It is much more comfortable to be mad and know it, than to be sane and have one's doubts." - G. B. Burgin From raymond at PROLOCATION.NET Fri Jan 16 18:40:55 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:52 2006 Subject: Happy Birthday to me! In-Reply-To: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> Message-ID: Hi! > SSIA > :o) > > Time for a glass of Chablis or two... Congrats! Bye, Raymond. From peter at UCGBOOK.COM Fri Jan 16 18:46:54 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:52 2006 Subject: Happy Birthday to me! In-Reply-To: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> Message-ID: <4008319E.50701@ucgbook.com> Happy Birthday! /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP Julian Field wrote: > SSIA > :o) > > Time for a glass of Chablis or two... > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dwinkler at ALGORITHMICS.COM Fri Jan 16 18:58:46 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:52 2006 Subject: Happy Birthday to me! Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B139@tormail2.algorithmics.com> Happy Birthday! Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Friday, January 16, 2004 11:53 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Happy Birthday to me! SSIA :o) Time for a glass of Chablis or two... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From acschmitt at BPA.GOV Fri Jan 16 18:56:29 2004 
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:21:52 2006
Subject: Trend's trouble with some zipfiles
Message-ID: <242663BECAD80B4DAAF2E62788F96917473B08@exhq01.bud.bpa.gov>

I'm running MailScanner with SpamAssassin and Trend Antivirus. I noticed that on a couple viruses in zipfiles, Trend was unable to open the zip due to a slightly corrupted zip header. unzip was able to open it just fine, and so were users' zip programs. The error from vscan was "Scan error -82".

I just got on the list, and did this a while ago, but I wondered if anyone else running Trend had a problem with it. Anyway, this is my workaround in SweepViruses.pm, at the end of sub ProcessTrendOutput, just before the "return 0;" statement.

    # ACS 11-03-03 -- This bit of code blocks files when decompression fails.
    if ( $line =~ /Scan error -82/i )
    {
      my($virus ) = "Unopenable ZIP file";

      # Split the path held in $trend_prevline into its components:
      # leading directory, message id, part name.
      my ($dot, $id, $part, @rest) = split (/\//, $trend_prevline);
      $infections->{$id}{$part} .= $Name . ': ' if $Name;
      $infections->{$id}{$part} .= "Found virus $virus in file $trend_prevline\n";
      # Record the part with type "v" so it is handled like a virus hit.
      $types->{$id}{$part} .= "v";
      return 1;
    }

From gdoris at rogers.com Fri Jan 16 19:18:56 2004
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:53 2006 Subject: Trend's trouble with some zipfiles In-Reply-To: <242663BECAD80B4DAAF2E62788F96917473B08@exhq01.bud.bpa.gov> References: <242663BECAD80B4DAAF2E62788F96917473B08@exhq01.bud.bpa.gov> Message-ID: <43501.129.80.22.143.1074280736.squirrel@tiger.dorfam.ca> > I'm running MailScanner with Spamassassin and Trend Antivirus. I noticed > that on a couple viruses in zipfiles, Trend was unable to open the zip due > to a slightly corrupted zip header. unzip was able to open it just fine, > and so were users' zip programs. The error from vscan was "Scan error > -82". > > I just got on the list, and did this a while ago, but I wondered if anyone > else running Trend had a problem with it. Anyway, this is my workaround > in SweepViruses.pm, at the end of sub ProcessTrendOutput, just before the > "return 0;" statement. > > # ACS 11-03-03 -- This bit of code blocks files when decompression > fails. > if ( $line =~ /Scan error -82/i ) > { > my($virus ) = "Unopenable ZIP file"; > > my ($dot, $id, $part, @rest) = split (/\//, $trend_prevline); > $infections->{$id}{$part} .= $Name . ': ' if $Name; > $infections->{$id}{$part} .= "Found virus $virus in file > $trend_prevline\n"; > $types->{$id}{$part} .= "v"; > return 1; > } > I've been running Trend for months now and never noticed this error. Then again I may not have had a corrupted zip header??? Is this occurring with the latest Trend code? Gerry From jason at ROBARTS.CA Fri Jan 16 19:31:15 2004 From: jason at ROBARTS.CA (Jason) Date: Thu Jan 12 21:21:53 2006 Subject: Trend's trouble with some zipfiles In-Reply-To: <43501.129.80.22.143.1074280736.squirrel@tiger.dorfam.ca> Message-ID: <200401161927.i0GJRAaA001323@doom.robarts.ca> Try to update your trend virus scan engine to see if this resolves the problem I haven't noticed anything either. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gerry Doris Sent: Friday, January 16, 2004 2:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Trend's trouble with some zipfiles > I'm running MailScanner with Spamassassin and Trend Antivirus. I > noticed that on a couple viruses in zipfiles, Trend was unable to open > the zip due to a slightly corrupted zip header. unzip was able to > open it just fine, and so were users' zip programs. The error from > vscan was "Scan error -82". > > I just got on the list, and did this a while ago, but I wondered if > anyone else running Trend had a problem with it. Anyway, this is my > workaround in SweepViruses.pm, at the end of sub ProcessTrendOutput, > just before the "return 0;" statement. > > # ACS 11-03-03 -- This bit of code blocks files when decompression > fails. > if ( $line =~ /Scan error -82/i ) > { > my($virus ) = "Unopenable ZIP file"; > > my ($dot, $id, $part, @rest) = split (/\//, $trend_prevline); > $infections->{$id}{$part} .= $Name . ': ' if $Name; > $infections->{$id}{$part} .= "Found virus $virus in file > $trend_prevline\n"; > $types->{$id}{$part} .= "v"; > return 1; > } > I've been running Trend for months now and never noticed this error. Then again I may not have had a corrupted zip header??? Is this occurring with the latest Trend code? Gerry From gdoris at rogers.com Fri Jan 16 19:30:52 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:53 2006 Subject: Happy Birthday Julian! Message-ID: <58244.129.80.22.143.1074281452.squirrel@tiger.dorfam.ca> While you're sipping your wine in front of the fireplace and becoming mellow I thought you might enjoy looking at what is happening here in North America in the little cold spell we're enjoying... Gerry -------------- next part -------------- A non-text attachment was scrubbed... Name: Frozenpipesinthegarage.jpg Type: image/pjpeg Size: 93576 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/f9b393da/Frozenpipesinthegarage.bin From acschmitt at BPA.GOV Fri Jan 16 19:36:49 2004 From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2) Date: Thu Jan 12 21:21:53 2006 Subject: Trend's trouble with some zipfiles Message-ID: <242663BECAD80B4DAAF2E62788F96917044F33CB@exhq01.bud.bpa.gov> I haven't seen any information on whether the latest has the problem, and Google-searches don't show any useful information about a "scan error -82". Our version is probably a couple years old, so it quite easily could have been fixed. However, in those two years, this is the first time I saw such a problem. I wonder if it's such a special case that it just hasn't gotten any recognition. It happened specifically on some zipfiles warned to contain header corruption by unzip. Andy Schmitt -----Original Message----- 
From: Gerry Doris [mailto:gdoris@rogers.com] Sent: Friday, January 16, 2004 11:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Trend's trouble with some zipfiles > I'm running MailScanner with Spamassassin and Trend Antivirus. I noticed > that on a couple viruses in zipfiles, Trend was unable to open the zip due > to a slightly corrupted zip header. unzip was able to open it just fine, > and so were users' zip programs. The error from vscan was "Scan error > -82". > > I just got on the list, and did this a while ago, but I wondered if anyone > else running Trend had a problem with it. Anyway, this is my workaround > in SweepViruses.pm, at the end of sub ProcessTrendOutput, just before the > "return 0;" statement. > > # ACS 11-03-03 -- This bit of code blocks files when decompression > fails. > if ( $line =~ /Scan error -82/i ) > { > my($virus ) = "Unopenable ZIP file"; > > my ($dot, $id, $part, @rest) = split (/\//, $trend_prevline); > $infections->{$id}{$part} .= $Name . ': ' if $Name; > $infections->{$id}{$part} .= "Found virus $virus in file > $trend_prevline\n"; > $types->{$id}{$part} .= "v"; > return 1; > } > I've been running Trend for months now and never noticed this error. Then again I may not have had a corrupted zip header??? Is this occurring with the latest Trend code? Gerry From rzewnickie at RFA.ORG Fri Jan 16 19:44:36 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:21:53 2006 Subject: Outstanding mail archiving bug In-Reply-To: <00c401c3daae$204a22c0$da01a8c0@cnpapers.net> References: <6.0.1.1.2.20040113150305.07711790@imap.ecs.soton.ac.uk> <00c401c3daae$204a22c0$da01a8c0@cnpapers.net> Message-ID: <20040116194436.GE11234@rfa.org> I've seen this, too. Using SA 2.61 MS 4.24-5 w/postfix on debian stable. I've gotten around it by saving the quarantine files as postfix queue files. Quarantine Whole Messages As Queue Files = yes This works well since I can do a 'postdrop < queuefile' to deliver to the user any HTML newsletters (or whatever) that get blocked for having iframe, object codebase or form tags in them. And 'postcat queuefile | head' to get the sender for adding to the rules. It doesn't happen all the time. I haven't been able to tie it down to any pattern. But, I do know it's not just form tags. -Eric Rz. On Wed, Jan 14, 2004 at 09:53:09AM -0500, Stephe Campbell wrote: > Mr. Field, > > I had responded to the original message indicating that I too had seen this > situation. But due to the fact that I normally do not have to release > quarantineed files that much (perhaps only three times), I have not seen > this since I responded. > > I'm sorry, but I can not provide any more details, and was only responding > to indicate that there were more than one site seeing this. I will try to > find a few to help out. I can only say that I am running SA 2.61, MailWatch > 0.04, and MS 4.24-5 on a Sendmail 8.11 RH 7.3 box. > > It does not happen all of the time, though, as only once has it happened, > and I did not pay any attention to it then. > > Thanks, though, for the concern > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers > > > ----- Original Message ----- 
> From: "Julian Field" > To: > Sent: Tuesday, January 13, 2004 10:06 AM > Subject: Outstanding mail archiving bug > > > > There were reports of the wrong message being archived or the warning > > message or something like that. > > > > Please can someone confirm exactly what the problem was, and when it > > occurs. Otherwise I can't fix it. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From gdoris at rogers.com Fri Jan 16 19:52:56 2004 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:53 2006 Subject: Trend's trouble with some zipfiles In-Reply-To: <242663BECAD80B4DAAF2E62788F96917044F33CB@exhq01.bud.bpa.gov> References: <242663BECAD80B4DAAF2E62788F96917044F33CB@exhq01.bud.bpa.gov> Message-ID: <42752.129.80.22.133.1074282776.squirrel@tiger.dorfam.ca> > I haven't seen any information on whether the latest has the problem, and > Google-searches don't show any useful information about a "scan error > -82". Our version is probably a couple years old, so it quite easily could > have been fixed. > > However, in those two years, this is the first time I saw such a problem. > I wonder if it's such a special case that it just hasn't gotten any > recognition. It happened specifically on some zipfiles warned to contain > header corruption by unzip. > > Andy Schmitt I have the latest Trend installed. If you are able to send me one of the problem files I'll let you know if my version of Trend has a problem. Gerry From Denis.Beauchemin at USHERBROOKE.CA Fri Jan 16 19:54:41 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:53 2006
Subject: Happy Birthday to me!
In-Reply-To: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk>
Message-ID: <1074282880.2540.26.camel@dbeauchemin.sti.usherbrooke.ca>

Happy birthday Julian! Have a nice and quiet week-end.

Denis

On Fri 16/01/2004 at 11:52, Julian Field wrote:
> SSIA
> :o)
>
> Time for a glass of Chablis or two...
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From robert at FENLANARENA.CO.UK Fri Jan 16 19:42:18 2004
From: robert at FENLANARENA.CO.UK (Robert Harpham)
Date: Thu Jan 12 21:21:53 2006
Subject: getting a quarantined e-mail back?
References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> <4008319E.50701@ucgbook.com>
Message-ID: <001101c3dc6d$0c5ec7f0$2101a8c0@robert>

Hi

I have an e-mail in quarantine. I know what it is and all, but how can I get it back and feed it back to the user without MailScanner re-picking it up?

The attached file from MailScanner says it's here: /var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638).

Thanks for help
robert

From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 16 20:17:51 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:53 2006
Subject: getting a quarantined e-mail back?
In-Reply-To: <001101c3dc6d$0c5ec7f0$2101a8c0@robert>
Message-ID:

Simple solution is to tar it and send it from root

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Robert Harpham > Sent: 16 January 2004 19:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: getting a quarantined e-mail back? > > > Hi > > i have a e-mail in quaratine i know what it is and all but how > can i get it > back and feed it back to user with out mail scanner repicking it up? > > the attached file from mailscanner says its here > /var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638). > > thansk for help > robert > From mkettler at EVI-INC.COM Fri Jan 16 20:29:53 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:53 2006 Subject: getting a quarantined e-mail back? In-Reply-To: <001101c3dc6d$0c5ec7f0$2101a8c0@robert> References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> <4008319E.50701@ucgbook.com> <001101c3dc6d$0c5ec7f0$2101a8c0@robert> Message-ID: <6.0.0.22.0.20040116152502.023d5ba0@xanadu.evi-inc.com> At 02:42 PM 1/16/2004, you wrote: >i have a e-mail in quaratine i know what it is and all but how can i get it >back and feed it back to user with out mail scanner repicking it up? > >the attached file from mailscanner says its here >/var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638). I find that messages sent using mutt on the local system get queued directly without going through mailscanner. So when I want to yank a file from the quarantine, I just cd over to the quarantine and do a quick little mutt command line that will attach a specified file: echo "body text" | mutt user@mydomain.com -a filename -s "subject line" From garry at GLENDOWN.DE Fri Jan 16 20:30:59 2004 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:21:53 2006 Subject: getting a quarantined e-mail back? In-Reply-To: <001101c3dc6d$0c5ec7f0$2101a8c0@robert> References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> <4008319E.50701@ucgbook.com> <001101c3dc6d$0c5ec7f0$2101a8c0@robert> Message-ID: <40084A03.8020906@glendown.de> Robert Harpham wrote: > Hi > > i have a e-mail in quaratine i know what it is and all but how can i get it > back and feed it back to user with out mail scanner repicking it up? > > the attached file from mailscanner says its here > /var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638). If you have a webserver running on the machine, why don't you set up a PHP script or so to download the file(s)? -gg From drew at THEMARSHALLS.CO.UK Fri Jan 16 20:45:39 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:53 2006 Subject: Little Report problem with Postfix - continued Message-ID: <40084D73.7090005@themarshalls.co.uk> I run postfix and have patched the Message.pm file (Which works great thanks Julian - oh and by the way, Happy Birthday!) but now I get: mailto --> postmaster = OK no duplicated recipients (Fixed!) mailto --> recipient = Works normally mailto --> sender of Virus = recipients duplicated!! Where (And I guess what) do I need to patch to fix the warning message to only show the one recipient? TIA Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/27a41325/attachment.html From mailscanner at ecs.soton.ac.uk Fri Jan 16 20:59:11 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:53 2006 Subject: Little Report problem with Postfix - continued In-Reply-To: <40084D73.7090005@themarshalls.co.uk> References: <40084D73.7090005@themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040116205850.03a8d378@imap.ecs.soton.ac.uk> At 20:45 16/01/2004, you wrote: >I run postfix and have patched the Message.pm file (Which works great >thanks Julian - oh and by the way, Happy Birthday!) but now I get: > >mailto --> postmaster = OK no duplicated recipients (Fixed!) >mailto --> recipient = Works normally >mailto --> sender of Virus = recipients duplicated!! > >Where (And I guess what) do I need to patch to fix the warning message to >only show the one recipient? Have you tried the latest beta release of MailScanner? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/88893002/attachment.html From peter at UCGBOOK.COM Fri Jan 16 21:11:20 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:53 2006 Subject: getting a quarantined e-mail back? In-Reply-To: <001101c3dc6d$0c5ec7f0$2101a8c0@robert> References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> <4008319E.50701@ucgbook.com> <001101c3dc6d$0c5ec7f0$2101a8c0@robert> Message-ID: <40085378.5090208@ucgbook.com> If you have Sendmail and "Quarantine Whole Messages As Queue Files" set to yes you can just drop the matching qf- and df-files in the outgoing queue (default /var/spool/mqueue). /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP Robert Harpham wrote: > Hi > > i have a e-mail in quaratine i know what it is and all but how can i get it > back and feed it back to user with out mail scanner repicking it up? > > the attached file from mailscanner says its here > /var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638). > > thansk for help > robert > From wppiphoto at wppi.com Fri Jan 16 21:14:43 2004 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:53 2006 Subject: How do i prevent this? {Scanned} Message-ID: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> Hi folks, Thanks to all for the help everyone has offered in the past!!! But, I'm trying to figure out why the following spam e-mail is still coming through. I have disabled 'Bayes' per the request of Julian (Thank you for all of your help, Julian) which was getting poisned. I have added all the available rbls (non-paying ones) to my Mailscanner.conf file and I'm just wondering what is causing the e-mail to get a negative score? Here is the header info.: X-Symantec-TimeoutProtection: 0 Return-Path: Received: from 68.166.149.37 ([210.77.99.104]) by wppi.com (8.10.2/8.10.2) with SMTP id i0G9Y0A07950 for ; Fri, 16 Jan 2004 04:34:02 -0500 Received: from 50.162.34.206 by 210.77.99.104; Thu, 15 Jan 2004 22:28:59 +0100 Message-ID: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . 
From: "Davis Roberson" Reply-To: "Davis Roberson" To: postmaster@wppi.com Date: Thu, 15 Jan 2004 18:29:59 -0300 X-Mailer: PocoMail 2.61 (1049) - Licensed Version MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--836054348850655" X-Priority: 5 X-WPPi-MailScanner-Information: Please contact WPPi for more information X-WPPi-MailScanner: Found to be clean X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.039, required 4, BIZ_TLD 0.78, GAPPY_SUBJECT 1.32, HABEAS_SWE -8.00, HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, WHY_WAIT 0.48) Subject: Want X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A Diet Pills any Meds? gldiEwFoulnM {Scanned} X-UIDL: m$[!!,1S"!!AU"!%L5"! Thanks, SW ------------------------------------------------- WPPi.com | WPPi.Net ------------------------------------------------- http://www.wppi.com | http://www.wppi.net ------------------------------------------------- WPPi.com & WPPi.Net MailScanner Signature This message has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean. ------------------------------------------------- From mkettler at EVI-INC.COM Fri Jan 16 21:29:02 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
In-Reply-To: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba>
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba>
Message-ID: <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com>

At 04:14 PM 1/16/2004, SW wrote:
>Thanks to all for the help everyone has offered in the past!!! But, I'm
>trying to figure out why the following spam e-mail is still coming through.
>I have disabled 'Bayes' per the request of Julian (Thank you for all of your
>help, Julian) which was getting poisoned. I have added all the available rbls
>(non-paying ones) to my Mailscanner.conf file and I'm just wondering what is
>causing the e-mail to get a negative score?

HABEAS_SWE scores -8.0 in the default config and a spammer is abusing it.

I'd suggest the following short-term fix for the SWE problem:

score HABEAS_SWE -0.5

(or just set it to 0.. I personally keep mine on so I can monitor it)

You might also want to look at my new antidrug add-on ruleset, which heavily targets pill spammers:

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

From pages at ntin.net Fri Jan 16 21:39:40 2004
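To see what the `score HABEAS_SWE` override discussed above does to the message SW posted, here is an added example (not part of the thread, and not MailScanner or SpamAssassin code). It parses a MailScanner SpamCheck header value and recomputes the total with per-rule overrides; the function names are hypothetical, and the header value is copied from the post quoted in this thread.

```python
import re

# SpamCheck header value copied from the message quoted in this thread.
THREAD_HEADER = (
    "not spam, SpamAssassin (score=-4.039, required 4, BIZ_TLD 0.78, "
    "GAPPY_SUBJECT 1.32, HABEAS_SWE -8.00, HTML_50_60 0.18, "
    "HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, "
    "MIME_HTML_ONLY_MULTI 1.10, WHY_WAIT 0.48)"
)

_NUM = r"-?\d+(?:\.\d+)?"
_HEADER_RE = re.compile(
    r"SpamAssassin \(score=(" + _NUM + r"), required (" + _NUM + r")"
    r"((?:, \w+ " + _NUM + r")*)\)"
)
_RULE_RE = re.compile(r"(\w+) (" + _NUM + r")")


def parse_spamcheck(value):
    """Return (reported_score, required, {rule: points}).

    Returns None when the value carries no SpamAssassin report, for
    example a header that is empty after the colon.
    """
    # Folded headers arrive with line breaks and runs of spaces; collapse them.
    flat = " ".join((value or "").split())
    match = _HEADER_RE.search(flat)
    if match is None:
        return None
    rules = {name: float(pts) for name, pts in _RULE_RE.findall(match.group(3))}
    return float(match.group(1)), float(match.group(2)), rules


def rescore(rules, overrides=None):
    """Sum the rule points, replacing the points of any overridden rule.

    Only rules that actually fired on the message are counted, which is
    how a local 'score RULE n' line would affect this one message.
    """
    overrides = overrides or {}
    return round(sum(overrides.get(name, pts) for name, pts in rules.items()), 3)


def assess(value, overrides=None):
    """Summarise a SpamCheck header under optional score overrides."""
    parsed = parse_spamcheck(value)
    if parsed is None:
        return None
    reported, required, rules = parsed
    score = rescore(rules, overrides)
    return {
        "reported": reported,
        "recomputed": rescore(rules),  # sanity check against the header
        "score": score,
        "required": required,
        "is_spam": score >= required,
        "shortfall": round(max(required - score, 0.0), 3),
        # Rules that pull the total down are the ones worth reviewing.
        "negative_rules": {n: p for n, p in rules.items() if p < 0},
    }


if __name__ == "__main__":
    for label, overrides in (
        ("as received", None),
        ("HABEAS_SWE -0.5", {"HABEAS_SWE": -0.5}),
        ("HABEAS_SWE 0", {"HABEAS_SWE": 0.0}),
    ):
        result = assess(THREAD_HEADER, overrides)
        print(f"{label:16} score={result['score']:6.2f} "
              f"required={result['required']:.0f} spam={result['is_spam']} "
              f"short by {result['shortfall']:.2f}")
    print("empty header ->", assess(""))
```

On the header from this thread the total moves from -4.04 to 3.46 with `score HABEAS_SWE -0.5` (3.96 with the rule set to 0), which is still under the required 4.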
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
In-Reply-To: <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com>
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com>
Message-ID: <165543265.20040116153940@ntin.net>

Hello Matt,

Apparently SpamAssassin considers http://www.habeas.com a legit
antispam source, personally I have never heard of them.

Shouldn't he also report the spam to habeas.com?

Friday, January 16, 2004, you wrote:

MK> At 04:14 PM 1/16/2004, SW wrote:
>>Thanks to all for the help everyone has offered in the past!!! But, I'm
>>trying to figure out why the following spam e-mail is still coming through.
>>I have disabled 'Bayes' per the request of Julian (Thank you for all of your
>>help, Julian) which was getting poisoned. I have added all the available rbls
>>(non-paying ones) to my Mailscanner.conf file and I'm just wondering what is
>>causing the e-mail to get a negative score?

MK> HABEAS_SWE scores -8.0 in the default config and a spammer is abusing it.

MK> I'd suggest the following short-term fix for the SWE problem:

MK> score HABEAS_SWE -0.5

MK> (or just set it to 0.. I personally keep mine on so I can monitor it)

MK> You might also want to look at my new antidrug add-on ruleset, which
MK> heavily targets pill spammers:
MK> http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

Best regards,
Robert B, NTIN
mailto:pages@ntin.net

From drew at THEMARSHALLS.CO.UK Fri Jan 16 21:45:05 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:53 2006
Subject: Little Report problem with Postfix - continued
In-Reply-To: <6.0.1.1.2.20040116205850.03a8d378@imap.ecs.soton.ac.uk>
References: <40084D73.7090005@themarshalls.co.uk> <6.0.1.1.2.20040116205850.03a8d378@imap.ecs.soton.ac.uk>
Message-ID: <40085B61.90408@themarshalls.co.uk>

Julian Field wrote:

> At 20:45 16/01/2004, you wrote:
>
>> I run postfix and have patched the Message.pm file (Which works great
>> thanks Julian - oh and by the way, Happy Birthday!) but now I get:
>>
>> mailto --> postmaster = OK no duplicated recipients (Fixed!)
>> mailto --> recipient = Works normally
>> mailto --> sender of Virus = recipients duplicated!!
>>
>> Where (And I guess what) do I need to patch to fix the warning
>> message to only show the one recipient?
>
>
> Have you tried the latest beta release of MailScanner?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
>
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Julian

Yes, I have just upgraded and get:

Our virus detector has just been triggered by a message you sent:-
To: drew@themarshalls.co.uk, drew@themarshalls.co.uk
Subject: A test
Date: Fri Jan 16 21:39:22 2004
Any infected parts of the message (eicarcom2.zip) have not been delivered.

The postmaster message is fine.

Drew

PS I thought you were supposed to be sipping wine with your feet up as
you are the birthday boy :-)

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/aacd25c8/attachment.html

From mkettler at EVI-INC.COM Fri Jan 16 21:52:57 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
In-Reply-To: <165543265.20040116153940@ntin.net>
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com> <165543265.20040116153940@ntin.net>
Message-ID: <6.0.0.22.0.20040116164652.01db3b18@xanadu.evi-inc.com>

At 04:39 PM 1/16/2004, NTIN Page Guy wrote:
>Apparently SpamAssassin considers http://www.habeas.com a legit
>antispam source, personally I have never heard of them.

Surprised you've never heard of them.. Particularly considering the
HUNDREDS of posts on the topic this week between here and
spamassassin-talk. (I counted over 120 a few days ago for sa-talk alone).

I also consider them legit, but they are, and always have been, vulnerable
to forgery... However, forgery is a copyright violation, making the spammer
a much easier legal target.. It's almost like a bait and trap type system.

Not really worth re-hashing all this over again in this thread though. Read
the existing threads, they pretty much debate every strength, weakness, and
feature of SWE dozens of times over.

>Shouldn't he also report the spam to habeas.com?

Yes. Habeas has issued a statement about this spammer, asking for people to
submit abusive spams so they can work on listing all the spam trojan boxes
he's using in the HIL, and to assist them in tracking the guy down.

From rzewnickie at RFA.ORG Fri Jan 16 22:01:08 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:21:53 2006
Subject: getting a quarantined e-mail back?
In-Reply-To: <40085378.5090208@ucgbook.com>
References: <6.0.1.1.2.20040116165228.040fad48@imap.ecs.soton.ac.uk> <4008319E.50701@ucgbook.com> <001101c3dc6d$0c5ec7f0$2101a8c0@robert> <40085378.5090208@ucgbook.com>
Message-ID: <20040116220108.GG11234@rfa.org>

or if you have postfix you can do:

postdrop < queuefile

-Eric Rz.

On Fri, Jan 16, 2004 at 10:11:20PM +0100, Peter Bonivart wrote:
> If you have Sendmail and "Quarantine Whole Messages As Queue Files" set
> to yes you can just drop the matching qf- and df-files in the outgoing
> queue (default /var/spool/mqueue).
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>
> Robert Harpham wrote:
> >Hi
> >
> >i have an e-mail in quarantine i know what it is and all but how can i get it
> >back and feed it back to user without mail scanner repicking it up?
> >
> >the attached file from mailscanner says its here
> >/var/spool/MailScanner/quarantine/20040116 (message i0GJS6VF002638).
> >
> >thanks for help
> >robert
> >

From mailscanner at ecs.soton.ac.uk Fri Jan 16 22:40:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:53 2006
Subject: Little Report problem with Postfix - continued
In-Reply-To: <40085B61.90408@themarshalls.co.uk>
References: <40084D73.7090005@themarshalls.co.uk> <6.0.1.1.2.20040116205850.03a8d378@imap.ecs.soton.ac.uk> <40085B61.90408@themarshalls.co.uk>
Message-ID: <6.0.1.1.2.20040116223840.03ea4ec0@imap.ecs.soton.ac.uk>

At 21:45 16/01/2004, you wrote:
>Julian Field wrote:
>>At 20:45 16/01/2004, you wrote:
>>>I run postfix and have patched the Message.pm file (Which works great
>>>thanks Julian - oh and by the way, Happy Birthday!) but now I get:
>>>
>>>mailto --> postmaster = OK no duplicated recipients (Fixed!)
>>>mailto --> recipient = Works normally
>>>mailto --> sender of Virus = recipients duplicated!!
>>>
>>>Where (And I guess what) do I need to patch to fix the warning message
>>>to only show the one recipient?
>>
>>Have you tried the latest beta release of MailScanner?
>
>Julian
>
>Yes, I have just upgraded and get:
>
>Our virus detector has just been triggered by a message you sent:-
>To: drew@themarshalls.co.uk,
>drew@themarshalls.co.uk
>Subject: A test
>Date: Fri Jan 16 21:39:22 2004
>Any infected parts of the message (eicarcom2.zip)
>have not been delivered.
>
>
>The postmaster message is fine.

Try the attached Message.pm, this should fix the remaining recipient
duplication problems.

>PS I thought you were supposed to be sipping wine with your feet up as you
>are the birthday boy :-)

I have been, about to go and get some sleep :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm
Type: application/octet-stream
Size: 115755 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040116/8cca47d5/Message.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From drew at THEMARSHALLS.CO.UK Fri Jan 16 23:01:35 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:53 2006
Subject: Little Report problem with Postfix - continued
In-Reply-To: <6.0.1.1.2.20040116223840.03ea4ec0@imap.ecs.soton.ac.uk>
References: <40084D73.7090005@themarshalls.co.uk> <6.0.1.1.2.20040116205850.03a8d378@imap.ecs.soton.ac.uk> <40085B61.90408@themarshalls.co.uk> <6.0.1.1.2.20040116223840.03ea4ec0@imap.ecs.soton.ac.uk>
Message-ID: <40086D4F.5060304@themarshalls.co.uk>

Julian Field wrote:

> At 21:45 16/01/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> At 20:45 16/01/2004, you wrote:
>>>
>>>> I run postfix and have patched the Message.pm file (Which works great
>>>> thanks Julian - oh and by the way, Happy Birthday!) but now I get:
>>>>
>>>> mailto --> postmaster = OK no duplicated recipients (Fixed!)
>>>> mailto --> recipient = Works normally
>>>> mailto --> sender of Virus = recipients duplicated!!
>>>>
>>>> Where (And I guess what) do I need to patch to fix the warning message
>>>> to only show the one recipient?
>>>
>>>
>>> Have you tried the latest beta release of MailScanner?
>>
>>
>> Julian
>>
>> Yes, I have just upgraded and get:
>>
>> Our virus detector has just been triggered by a message you sent:-
>> To:
>> drew@themarshalls.co.uk,
>> drew@themarshalls.co.uk
>> Subject: A test
>> Date: Fri Jan 16 21:39:22 2004
>> Any infected parts of the message (eicarcom2.zip)
>> have not been delivered.
>>
>>
>> The postmaster message is fine.
>
>
> Try the attached Message.pm, this should fix the remaining recipient
> duplication problems.

Our virus detector has just been triggered by a message you sent:-
To: drew@themarshalls.co.uk
Subject: Another test
Date: Fri Jan 16 22:57:11 2004
Any infected parts of the message (eicarcom2.zip) have not been delivered.

Beautiful. Julian thanks very much (Again!) your efforts above and beyond
the call of duty.
>
>> PS I thought you were supposed to be sipping wine with your feet up
>> as you
>> are the birthday boy :-)
>
>
> I have been, about to go and get some sleep :-)

Night, night :-)

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From raymond at PROLOCATION.NET Fri Jan 16 23:45:47 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:53 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <6.0.1.1.2.20040114190439.040b4828@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> > > That was done using the latest beta 4.26-4.
> >
> >I had it still with 4.25-14, i can try 4.26-4 and see if i can still catch
> >some, did you change the code for that part since 4.25-14 ??
>
> I don't think so, but I can't reproduce the problem.

Upgraded to MailScanner-4.26-4, don't think it will be gone, but worth a
try :)

If it's not gone what can we do to tackle this ?

Bye,
Raymond.

From wppiphoto at wppi.com Sat Jan 17 02:05:44 2004
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com>
Message-ID: <005c01c3dc9e$6dc3d540$0e01a8c0@Toshiba>

Matt wrote:

> I'd suggest the following short-term fix for the SWE problem:
>
> score HABEAS_SWE -0.5

I've looked at MailScanner.conf and spam.assassin.prefs.conf and can't seem
to find a reference to HABEAS? Can you tell me where I make this change?

Thanks,
SW

----- Original Message -----
From: "Matt Kettler"
To:
Sent: Friday, January 16, 2004 4:29 PM
Subject: Re: How do i prevent this? {Scanned}

> At 04:14 PM 1/16/2004, SW wrote:
> >Thanks to all for the help everyone has offered in the past!!! But, I'm
> >trying to figure out why the following spam e-mail is still coming through.
> >I have disabled 'Bayes' per the request of Julian (Thank you for all of your
> >help, Julian) which was getting poisoned. I have added all the available rbls
> >(non-paying ones) to my Mailscanner.conf file and I'm just wondering what is
> >causing the e-mail to get a negative score?
>
> HABEAS_SWE scores -8.0 in the default config and a spammer is abusing it.
>
> I'd suggest the following short-term fix for the SWE problem:
>
> score HABEAS_SWE -0.5
>
> (or just set it to 0.. I personally keep mine on so I can monitor it)
>
> You might also want to look at my new antidrug add-on ruleset, which
> heavily targets pill spammers:
> http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
>
> -------------------------------------------------
> WPPi.com | WPPi.Net
> -------------------------------------------------
> http://www.wppi.com | http://www.wppi.net
> -------------------------------------------------
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -------------------------------------------------
>
>

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From peter at UCGBOOK.COM Sat Jan 17 02:11:28 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
In-Reply-To: <005c01c3dc9e$6dc3d540$0e01a8c0@Toshiba>
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com> <005c01c3dc9e$6dc3d540$0e01a8c0@Toshiba>
Message-ID: <400899D0.1010303@ucgbook.com>

> I've looked at MailScanner.conf and spam.assassin.prefs.conf and can't seem
> to find a reference to HABEAS? Can you tell me where I make this change?

The original scores are found in
/usr/local/share/spamassassin/50_scores but you change them by inserting
a value in your spam.assassin.prefs.conf. That will override the default.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From wppiphoto at wppi.com Sat Jan 17 02:21:20 2004
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com> <005c01c3dc9e$6dc3d540$0e01a8c0@Toshiba> <400899D0.1010303@ucgbook.com>
Message-ID: <007401c3dca0$9b7574b0$0e01a8c0@Toshiba>

Peter Bonivart wrote:

> but you change them by inserting a value in your
> spam.assassin.prefs.conf. That will override the default.

Thanks, Peter! Hopefully by setting it to zero, it will stop the abuser of
Habeas from getting in.

Thanks,
SW

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses
and dangerous content by WPPi MailScanner,
and has been found to be clean.
-------------------------------------------------

From peter at UCGBOOK.COM Sat Jan 17 02:47:19 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:53 2006
Subject: How do i prevent this? {Scanned}
In-Reply-To: <007401c3dca0$9b7574b0$0e01a8c0@Toshiba>
References: <003501c3dc75$d3c47da0$0e01a8c0@Toshiba> <6.0.0.22.0.20040116162655.01f4edf8@xanadu.evi-inc.com> <005c01c3dc9e$6dc3d540$0e01a8c0@Toshiba> <400899D0.1010303@ucgbook.com> <007401c3dca0$9b7574b0$0e01a8c0@Toshiba>
Message-ID: <4008A237.5000602@ucgbook.com>

> Thanks, Peter! Hopefully by setting it to zero, it will stop the abuser of
> Habeas from getting in.

Yes, but by setting it to 0 you will cancel the test, it might be a good
idea to, as mentioned in an earlier post, give it -0.5 so you can keep
track of it in the logs.

I think they are catching up though, I get a lot of hits with
HABEAS_VIOLATOR which scores +16.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From vanhorn at WHIDBEY.COM Fri Jan 16 07:06:39 2004
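The effect of the score override discussed in this thread, worked through on the SpamCheck header of the spam SW posted. This is an added example, not code from MailScanner, SpamAssassin or any poster; the function names are hypothetical, and dropping a rule that is overridden to 0 from the report follows Peter Bonivart's description above.

```python
import re
from decimal import Decimal

# Header copied from the spam quoted earlier in this thread.
SAMPLE_HEADER = (
    "X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.039, "
    "required 4, BIZ_TLD 0.78, GAPPY_SUBJECT 1.32, HABEAS_SWE -8.00, "
    "HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, "
    "MIME_HTML_ONLY_MULTI 1.10, WHY_WAIT 0.48)"
)

NUM = r"-?\d+(?:\.\d+)?"
HEADER_RE = re.compile(
    rf"SpamAssassin \(score=(?P<score>{NUM}), "
    rf"required (?P<required>{NUM})(?:, (?P<rules>.*))?\)"
)
RULE_RE = re.compile(rf"^(?P<name>[A-Z0-9_]+) (?P<value>{NUM})$")


def parse_spamcheck(header):
    """Split a MailScanner SpamCheck header into threshold and per-rule scores."""
    m = HEADER_RE.search(header)
    if m is None:
        raise ValueError("no SpamAssassin score report in header")
    rules = {}
    for item in (m.group("rules") or "").split(", "):
        if not item:
            continue
        rm = RULE_RE.match(item.strip())
        if rm is None:
            raise ValueError(f"unparseable rule entry: {item!r}")
        rules[rm.group("name")] = Decimal(rm.group("value"))
    return {
        "reported": Decimal(m.group("score")),
        "required": Decimal(m.group("required")),
        "rules": rules,
    }


def parse_overrides(prefs_text):
    """Read 'score RULE value' lines as they would appear in the prefs file.

    Simplification: only the first value after the rule name is used.
    """
    overrides = {}
    for line in prefs_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            overrides[parts[1]] = Decimal(parts[2])
    return overrides


def rescore(parsed, overrides):
    """Recompute the total with local score overrides applied."""
    rules = {}
    for name, score in parsed["rules"].items():
        new = overrides.get(name, score)
        if name in overrides and new == 0:
            continue  # a 0 score cancels the test, so it leaves the report
        rules[name] = new
    total = sum(rules.values(), Decimal("0"))
    required = parsed["required"]
    return {
        "rules": rules,
        "total": total,
        "is_spam": total >= required,
        "shortfall": max(required - total, Decimal("0")),
    }


if __name__ == "__main__":
    parsed = parse_spamcheck(SAMPLE_HEADER)
    for prefs in ("", "score HABEAS_SWE -0.5", "score HABEAS_SWE 0"):
        result = rescore(parsed, parse_overrides(prefs))
        print(f"{prefs or '(default scores)':24} total={result['total']:>6} "
              f"spam={result['is_spam']} shortfall={result['shortfall']} "
              f"HABEAS_SWE logged={'HABEAS_SWE' in result['rules']}")
```

On this particular message neither override reaches the required 4: the other rules add up to about 3.96, so the override removes the forged -8.00 credit but further rules (or a lower threshold) are still needed to tag it. With -0.5 the HABEAS_SWE hit stays in the report; with 0 it does not.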
From: vanhorn at WHIDBEY.COM (G. Armour Van Horn)
Date: Thu Jan 12 21:21:53 2006
Subject: Quarantine loses mail
In-Reply-To: <200401161027.59083.nupur@theargoncompany.com>
References: <200401161027.59083.nupur@theargoncompany.com>
Message-ID: <40078D7F.5000201@whidbey.com>

Greetings, all,

I got a message from a client, quoting a cleaned message message:

> This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> If you wish to receive a copy of the original email, please
> e-mail admin@bogachiel.net and include the whole of this message
> in your request.
>
> At Mon Jan 12 19:32:54 2004 the content filters said:
> MailScanner: Found a form in HTML message
>
> Note to Help Desk: Look on Bogachiel Guard Station in
> /var/spool/MailScanner/quarantine/20040112 (message i0D3WeWx002953).

I went to the suggested folder and looked at the message, to check if it
was valid content that I should forward to them. To my surprise, it was
the warning message quoted above, *not* the original message.

I believe I've seen this before a couple of times. Is there a bug? Or did
I screw something up?

This was under 4.24-5, which I've been running up until about an hour ago
when I revved to SA 2.61 and MS 4.25-14.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme
delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040115/8c673326/attachment.html

From gebhard at EPOST.DE Sat Jan 17 05:20:48 2004
From: gebhard at EPOST.DE (Holger)
Date: Thu Jan 12 21:21:53 2006
Subject: feature request
Message-ID:

Hi Julian,

is it possible to add a Ruleset function to "Virus Scanners" in
MailScanner.conf?

Reason: If some Domains, or Users don't want Virus Scanning but
Content-Tests... Or Domain1 want to use Sophos and Domain2 want to use
Clamav...

Here is an example to explain what i mean:

To: admin@domain1.com none
To: @Domain1.com sophos
To: @Domain2.com clamav
To: @Domain3.com sophos clamav
FromOrTo: default none

I think this would be a good feature?

Thanks
Holger

From eja at URBAKKEN.DK Sat Jan 17 06:23:05 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. Message-ID: On Fri, 16 Jan 2004 16:57:10 +0000, Julian Field wrote: >At 16:57 16/01/2004, you wrote: >>Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks, >>but I'm not using sendmail ?. > >Have you set the correct MTA in /etc/sysconfig/MailScanner? That controls >which MTA the MailScanner init.d script will start up. > Oh no. I have overseen that in the postfix instruction. But there seems to be a problem now with sending mails according to this sample of /var/log/maillog, which I have tried to send once before: Jan 16 19:13:01 gateway spamd[5340]: clean message (0.0/5.0) for filter:100 in 0.9 seconds, 938 bytes. Jan 16 19:13:01 gateway postfix/postdrop[5349]: error: untrusted configuration directory name: /etc/postfix.in Jan 16 19:13:01 gateway postfix/postdrop[5349]: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf Jan 16 19:13:02 gateway postfix/sendmail[5348]: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name Jan 16 19:13:02 gateway postfix/sendmail[5348]: fatal: eja@urbakken.dk(100): unable to execute /usr/sbin/postdrop -r: Success Jan 16 19:13:03 gateway postfix/pipe[5337]: 1D93EC045: to=, relay=ccfilter, delay=3, status=bounced (service unavailable. Command output: postdrop: error: untrusted configuration directory name: /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf sendmail: warning: premature end-of-input from /usr/sbin/postdrop -r while reading input attribute name sendmail: fatal: eja@urbakken.dk(100): unable to execute /usr/sbin/postdrop -r: Success ) >>Erik Jakobsen wrote: >>>It has been made the /var/run directory: >>> >>># ls -al /var/run >>>total 132 >>>drwxr-xr-x 8 root root 4096 Jan 16 16:33 . >>>drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. 
>>>drwxr-xr-x 2 root root 4096 Feb 10 2003 console >>>-rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid >>>-rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid >>>-rw------- 1 root root 5 Jan 16 16:31 klogd.pid >>>-rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid >>>drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid >>>-rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>pppoe-adsl.pid.pppoe >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>pppoe-adsl.pid.start >>>-rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid >>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd >>>-rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid >>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba >>>drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd >>>-rw-r--r-- 1 root root 0 Jan 16 16:32 sm-client.pid >>>-rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid >>>drwx------ 2 root root 4096 Jan 25 2003 sudo >>>-rw------- 1 root root 5 Jan 16 16:31 syslogd.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid >>>-rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp >>>-rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid >>>-rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid >>> >>> >>>Julian Field wrote: >>> >>>>mkdir /var/run >>>>then try it again. >>>> >>>>At 15:33 16/01/2004, you wrote: >>>> >>>>>Hi. >>>>> >>>>>I have just reinstalled MailScanner on a new server here. 
I use postfix, >>>>>but I'm receiving the following when MailScanner shall start: >>>>> >>>>>[root@gateway /]# service MailScanner status >>>>>Checking MailScanner daemons: >>>>> MailScanner: [ OK ] >>>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such >>>>>file or directory >>>>> [FAILED] >>>>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >>>>>file or directory >>>>> [FAILED] >>>>> >>>>>-- >>>>>Med venlig hilsen - Best regards. >>>>>Erik Jakobsen - eja@urbakken.dk. >>>>>Licensed radioamateur with the callsign OZ4KK. >>>>>SuSE Linux 8.2 Proff. >>>>>Registered as user #319488 with the Linux Counter, >>>>>http://counter.li.org. >>>> >>>> >>>> >>>>-- >>>>Julian Field >>>>www.MailScanner.info >>>>MailScanner thanks transtec Computers for their support >>>> >>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>>-- >>>Med venlig hilsen - Best regards. >>>Erik Jakobsen - eja@urbakken.dk. >>>Licensed radioamateur with the callsign OZ4KK. >>>SuSE Linux 8.2 Proff. >>>Registered as user #319488 with the Linux Counter, http://counter.li.org. >> >>-- >>Med venlig hilsen - Best regards. >>Erik Jakobsen - eja@urbakken.dk. >>Licensed radioamateur with the callsign OZ4KK. >>SuSE Linux 8.2 Proff. >>Registered as user #319488 with the Linux Counter, http://counter.li.org. > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Sat Jan 17 06:43:06 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. In-Reply-To: References: Message-ID: <4008D97A.3090209@urbakken.dk> I added the line to my /etc/postfix/main.cf, and it seems to work now. "alternate_config_directories = /etc/postfix.in" Erik Jakobsen wrote: > On Fri, 16 Jan 2004 16:57:10 +0000, Julian Field > wrote: > > >>At 16:57 16/01/2004, you wrote: >> >>>Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks, >>>but I'm not using sendmail ?. >> >>Have you set the correct MTA in /etc/sysconfig/MailScanner? That controls >>which MTA the MailScanner init.d script will start up. >> > > > Oh no. I have overseen that in the postfix instruction. > > But there seems to be a problem now with sending mails according to this > sample of /var/log/maillog, which I have tried to send once before: > > Jan 16 19:13:01 gateway spamd[5340]: clean message (0.0/5.0) for filter:100 > in 0.9 seconds, 938 bytes. > Jan 16 19:13:01 gateway postfix/postdrop[5349]: error: untrusted > configuration directory name: /etc/postfix.in > Jan 16 19:13:01 gateway postfix/postdrop[5349]: fatal: specify > "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf > Jan 16 19:13:02 gateway postfix/sendmail[5348]: warning: premature > end-of-input from /usr/sbin/postdrop -r while reading input attribute name > Jan 16 19:13:02 gateway postfix/sendmail[5348]: fatal: eja@urbakken.dk(100): > unable to execute /usr/sbin/postdrop -r: Success > Jan 16 19:13:03 gateway postfix/pipe[5337]: 1D93EC045: to=, > relay=ccfilter, delay=3, status=bounced (service unavailable. 
Command > output: postdrop: error: untrusted configuration directory name: > /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = > /etc/postfix.in" in /etc/postfix/main.cf sendmail: warning: premature > end-of-input from /usr/sbin/postdrop -r while reading input attribute name > sendmail: fatal: eja@urbakken.dk(100): unable to execute /usr/sbin/postdrop > -r: Success ) > > > > >>>Erik Jakobsen wrote: >>> >>>>It has been made the /var/run directory: >>>> >>>># ls -al /var/run >>>>total 132 >>>>drwxr-xr-x 8 root root 4096 Jan 16 16:33 . >>>>drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. >>>>drwxr-xr-x 2 root root 4096 Feb 10 2003 console >>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid >>>>-rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid >>>>-rw------- 1 root root 5 Jan 16 16:31 klogd.pid >>>>-rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid >>>>drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid >>>>-rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>>pppoe-adsl.pid.pppoe >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>>pppoe-adsl.pid.start >>>>-rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid >>>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd >>>>-rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid >>>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba >>>>drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd >>>>-rw-r--r-- 1 root root 0 Jan 16 16:32 sm-client.pid >>>>-rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid >>>>drwx------ 2 root root 4096 Jan 25 2003 sudo 
>>>>-rw------- 1 root root 5 Jan 16 16:31 syslogd.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid >>>>-rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp >>>>-rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid >>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid >>>> >>>> >>>>Julian Field wrote: >>>> >>>> >>>>>mkdir /var/run >>>>>then try it again. >>>>> >>>>>At 15:33 16/01/2004, you wrote: >>>>> >>>>> >>>>>>Hi. >>>>>> >>>>>>I have just reinstalled MailScanner on a new server here. I use postfix, >>>>>>but I'm receiving the following when MailScanner shall start: >>>>>> >>>>>>[root@gateway /]# service MailScanner status >>>>>>Checking MailScanner daemons: >>>>>> MailScanner: [ OK ] >>>>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such >>>>>>file or directory >>>>>> [FAILED] >>>>>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >>>>>>file or directory >>>>>> [FAILED] >>>>>> >>>>>>-- >>>>>>Med venlig hilsen - Best regards. >>>>>>Erik Jakobsen - eja@urbakken.dk. >>>>>>Licensed radioamateur with the callsign OZ4KK. >>>>>>SuSE Linux 8.2 Proff. >>>>>>Registered as user #319488 with the Linux Counter, >>>>>>http://counter.li.org. >>>>> >>>>> >>>>> >>>>>-- >>>>>Julian Field >>>>>www.MailScanner.info >>>>>MailScanner thanks transtec Computers for their support >>>>> >>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>>-- >>>>Med venlig hilsen - Best regards. >>>>Erik Jakobsen - eja@urbakken.dk. >>>>Licensed radioamateur with the callsign OZ4KK. >>>>SuSE Linux 8.2 Proff. >>>>Registered as user #319488 with the Linux Counter, http://counter.li.org. >>> >>>-- >>>Med venlig hilsen - Best regards. >>>Erik Jakobsen - eja@urbakken.dk. >>>Licensed radioamateur with the callsign OZ4KK. >>>SuSE Linux 8.2 Proff. >>>Registered as user #319488 with the Linux Counter, http://counter.li.org. 
>> >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Sat Jan 17 08:12:23 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. Message-ID: On Sat, 17 Jan 2004 07:43:06 +0100, Erik Jakobsen wrote: I see this mail in the archive now. It should also have been sent to me. I think it has, but due to a reason I don't know it has not been visbile in my mailing program. I wonder really what is going on here, or not going on. >I added the line to my /etc/postfix/main.cf, and it seems to work now. > >"alternate_config_directories = /etc/postfix.in" > >Erik Jakobsen wrote: >> On Fri, 16 Jan 2004 16:57:10 +0000, Julian Field >> wrote: >> >> >>>At 16:57 16/01/2004, you wrote: >>> >>>>Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks, >>>>but I'm not using sendmail ?. >>> >>>Have you set the correct MTA in /etc/sysconfig/MailScanner? That controls >>>which MTA the MailScanner init.d script will start up. >>> >> >> >> Oh no. I have overseen that in the postfix instruction. >> >> But there seems to be a problem now with sending mails according to this >> sample of /var/log/maillog, which I have tried to send once before: >> >> Jan 16 19:13:01 gateway spamd[5340]: clean message (0.0/5.0) for filter:100 >> in 0.9 seconds, 938 bytes. >> Jan 16 19:13:01 gateway postfix/postdrop[5349]: error: untrusted >> configuration directory name: /etc/postfix.in >> Jan 16 19:13:01 gateway postfix/postdrop[5349]: fatal: specify >> "alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf >> Jan 16 19:13:02 gateway postfix/sendmail[5348]: warning: premature >> end-of-input from /usr/sbin/postdrop -r while reading input attribute name >> Jan 16 19:13:02 gateway postfix/sendmail[5348]: fatal: eja@urbakken.dk(100): >> unable to execute /usr/sbin/postdrop -r: Success >> Jan 16 19:13:03 gateway postfix/pipe[5337]: 1D93EC045: to=, >> relay=ccfilter, delay=3, status=bounced (service unavailable. 
Command >> output: postdrop: error: untrusted configuration directory name: >> /etc/postfix.in postdrop: fatal: specify "alternate_config_directories = >> /etc/postfix.in" in /etc/postfix/main.cf sendmail: warning: premature >> end-of-input from /usr/sbin/postdrop -r while reading input attribute name >> sendmail: fatal: eja@urbakken.dk(100): unable to execute /usr/sbin/postdrop >> -r: Success ) >> >> >> >> >>>>Erik Jakobsen wrote: >>>> >>>>>It has been made the /var/run directory: >>>>> >>>>># ls -al /var/run >>>>>total 132 >>>>>drwxr-xr-x 8 root root 4096 Jan 16 16:33 . >>>>>drwxr-xr-x 20 root root 4096 Jan 16 13:46 .. >>>>>drwxr-xr-x 2 root root 4096 Feb 10 2003 console >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 crond.pid >>>>>-rw-r--r-- 1 root root 0 Jan 16 16:32 dansguardian.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 dhcpd.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 dnsmasq.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 httpd.pid >>>>>-rw------- 1 root root 5 Jan 16 16:31 klogd.pid >>>>>-rw------- 1 postfix postfix 5 Jan 16 16:32 MailScanner.pid >>>>>drwxrwxr-x 2 root root 4096 Mar 13 2003 netreport >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 ppp0.pid >>>>>-rw-r--r-- 1 root root 8192 Jan 16 16:31 pppd.tdb >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 pppoe-adsl.pid.pppd >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>>>pppoe-adsl.pid.pppoe >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 >>>>>pppoe-adsl.pid.start >>>>>-rw-r--r-- 1 root root 10 Jan 16 16:31 ppp-ppp0.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:32 privoxy.pid >>>>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 proftpd >>>>>-rw-r--r-- 1 root nobody 5 Jan 16 16:32 proftpd.pid >>>>>drwxr-xr-x 2 root root 4096 Jan 16 16:32 samba >>>>>drwxr-xr-x 2 root root 4096 Jan 26 2003 saslauthd >>>>>-rw-r--r-- 1 root root 0 Jan 16 16:32 sm-client.pid >>>>>-rw------- 1 root root 5 Jan 16 16:32 snort_eth0.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 sshd.pid 
>>>>>drwx------ 2 root root 4096 Jan 25 2003 sudo >>>>>-rw------- 1 root root 5 Jan 16 16:31 syslogd.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:33 syswatch.pid >>>>>-rw-rw-r-- 1 root utmp 4224 Jan 16 17:23 utmp >>>>>-rw------- 1 root root 5 Jan 16 16:33 vpnwatchd.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:33 webconfig.pid >>>>>-rw-r--r-- 1 root root 5 Jan 16 16:31 xinetd.pid >>>>> >>>>> >>>>>Julian Field wrote: >>>>> >>>>> >>>>>>mkdir /var/run >>>>>>then try it again. >>>>>> >>>>>>At 15:33 16/01/2004, you wrote: >>>>>> >>>>>> >>>>>>>Hi. >>>>>>> >>>>>>>I have just reinstalled MailScanner on a new server here. I use postfix, >>>>>>>but I'm receiving the following when MailScanner shall start: >>>>>>> >>>>>>>[root@gateway /]# service MailScanner status >>>>>>>Checking MailScanner daemons: >>>>>>> MailScanner: [ OK ] >>>>>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such >>>>>>>file or directory >>>>>>> [FAILED] >>>>>>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such >>>>>>>file or directory >>>>>>> [FAILED] >>>>>>> >>>>>>>-- >>>>>>>Med venlig hilsen - Best regards. >>>>>>>Erik Jakobsen - eja@urbakken.dk. >>>>>>>Licensed radioamateur with the callsign OZ4KK. >>>>>>>SuSE Linux 8.2 Proff. >>>>>>>Registered as user #319488 with the Linux Counter, >>>>>>>http://counter.li.org. >>>>>> >>>>>> >>>>>> >>>>>>-- >>>>>>Julian Field >>>>>>www.MailScanner.info >>>>>>MailScanner thanks transtec Computers for their support >>>>>> >>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> >>>>>-- >>>>>Med venlig hilsen - Best regards. >>>>>Erik Jakobsen - eja@urbakken.dk. >>>>>Licensed radioamateur with the callsign OZ4KK. >>>>>SuSE Linux 8.2 Proff. >>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org. >>>> >>>>-- >>>>Med venlig hilsen - Best regards. >>>>Erik Jakobsen - eja@urbakken.dk. >>>>Licensed radioamateur with the callsign OZ4KK. >>>>SuSE Linux 8.2 Proff. 
>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org. >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >>> >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. From eja at URBAKKEN.DK Sat Jan 17 08:19:51 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. In-Reply-To: References: Message-ID: <4008F027.4080801@urbakken.dk>

The reply made in the archives list arrived here now -it's this one, that I reply to-. Now I will see if this one also arrives from the list to me again -as it should-.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From eja at URBAKKEN.DK Sat Jan 17 08:25:36 2004
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. In-Reply-To: References: Message-ID: <4008F180.6020904@urbakken.dk>

I have not seen the mail I wrote and sent to MailScanner list, but think it's this one:

Jan 17 09:20:06 gateway ipop3d[8457]: Auth user=eja host=[192.168.1.253] nmsgs=0/0
Jan 17 09:20:06 gateway ipop3d[8457]: Logout user=eja host=[192.168.1.253] nmsgs=0 ndele=0
Jan 17 08:20:23 gateway postfix/smtpd[8278]: connect from unknown[195.41.53.68]
Jan 17 08:20:23 gateway postfix/smtpd[8278]: 5F212C042: client=unknown[195.41.53.68]
Jan 17 08:20:23 gateway postfix/smtpd[8278]: warning: restriction `check_client_access' after `check_relay_domains' is ignored
Jan 17 08:20:23 gateway postfix/cleanup[8279]: 5F212C042: message-id= <4008F027.4080801@urbakken.dk>
Jan 17 08:20:23 gateway postfix/smtpd[8278]: disconnect from unknown[195.41.53.68]
Jan 17 08:20:23 gateway postfix/nqmgr[1986]: 5F212C042: from=, size=10360, nrcpt=1 (queue active)
Jan 17 09:20:24 gateway spamd[2105]: connection from localhost.localdomain [127.0.0.1] at port 32859
Jan 17 09:20:24 gateway spamd[8460]: info: setuid to filter succeeded
Jan 17 09:20:24 gateway spamd[8460]: processing message <4008F027.4080801@urbakken.dk> for filter:100.
Jan 17 09:20:27 gateway spamd[8460]: clean message (0.0/5.0) for filter:100 in 3.1 seconds, 10172 bytes.
Jan 17 09:20:27 gateway postfix/pipe[8281]: 5F212C042: to=, relay=ccfilter, delay=4, status=sent (urbakken.dk)
Jan 17 08:20:27 gateway postfix/pickup[6644]: 44D48C049: uid=100 from=
Jan 17 08:20:27 gateway postfix/cleanup[8279]: 44D48C049: message-id=<4008F027.4080801@urbakken.dk>
Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049: from=, size=10435, nrcpt=1 (queue active)
Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049: to=, relay=none, delay=0, status=deferred (deferred transport)
Jan 17 09:20:28 gateway MailScanner[2403]: New Batch: Scanning 1 messages, 10604 bytes
Jan 17 09:20:28 gateway MailScanner[2403]: Virus and Content Scanning: Starting
Jan 17 03:20:29 gateway postfix/nqmgr[2033]: AAD4E23B05: from=, size=10454, nrcpt=1 (queue active)
Jan 17 09:20:29 gateway MailScanner[2403]: Uninfected: Delivered 1 messages
Jan 17 09:20:29 gateway postfix/local[8477]: AAD4E23B05: to=, relay=local, delay=2, status=sent (mailbox)

But so far the mail has not yet arrived in my mail program.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From eja at URBAKKEN.DK Sat Jan 17 08:52:34 2004
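The maillog excerpt in the message above shows one mail passing through three Postfix queue IDs, with hours of 08, 09 and 03 logged within the same few seconds, so sorting by timestamp would misorder the hops. The following is an added example, not part of the thread and not MailScanner or Postfix code: it follows a message by queue ID and message-id in file order. The sample lines, addresses and message-ids are constructed, and linking the re-queued copy (which has no message-id line, as with AAD4E23B05 above) by recipient after a deferred hop is an assumption.

```python
import re

# Constructed sample modelled on the maillog in the thread; addresses,
# message-ids and the client IP are placeholders, not values from the list.
SAMPLE_LOG = """\
Jan 16 19:13:00 gateway postfix/cleanup[5330]: 1D93EC045: message-id=<msg0@example.org>
Jan 16 19:13:03 gateway postfix/pipe[5337]: 1D93EC045: to=<user@example.org>, relay=ccfilter, delay=3, status=bounced (service unavailable. Command output: postdrop: error: untrusted configuration directory name: /etc/postfix.in )
Jan 17 08:20:23 gateway postfix/smtpd[8278]: 5F212C042: client=unknown[192.0.2.68]
Jan 17 08:20:23 gateway postfix/cleanup[8279]: 5F212C042: message-id=<msg1@example.org>
Jan 17 08:20:23 gateway postfix/nqmgr[1986]: 5F212C042: from=<list@example.org>, size=10360, nrcpt=1 (queue active)
Jan 17 09:20:27 gateway postfix/pipe[8281]: 5F212C042: to=<user@example.org>, relay=ccfilter, delay=4, status=sent (example.org)
Jan 17 08:20:27 gateway postfix/pickup[6644]: 44D48C049: uid=100 from=<list@example.org>
Jan 17 08:20:27 gateway postfix/cleanup[8279]: 44D48C049: message-id=<msg1@example.org>
Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049: to=<user@example.org>, relay=none, delay=0, status=deferred (deferred transport)
Jan 17 09:20:29 gateway MailScanner[2403]: Uninfected: Delivered 1 messages
Jan 17 03:20:29 gateway postfix/nqmgr[2033]: AAD4E23B05: from=<list@example.org>, size=10454, nrcpt=1 (queue active)
Jan 17 09:20:29 gateway postfix/local[8477]: AAD4E23B05: to=<user@example.org>, relay=local, delay=2, status=sent (mailbox)
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[\w/.-]+)\[\d+\]:\s(?P<msg>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}):\s(?P<rest>.*)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")
REASON_RE = re.compile(r"status=\w+\s\((?P<reason>.*)\)\s*$")


def parse_hops(log_text):
    """Group Postfix log lines by queue ID, in order of first appearance."""
    hops = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("prog").startswith("postfix/"):
            continue  # spamd, MailScanner, ipop3d lines carry no queue ID
        q = QUEUE_RE.match(m.group("msg"))
        if not q:
            continue  # connect/disconnect lines and warnings
        hop = hops.setdefault(q.group("qid"), {
            "qid": q.group("qid"), "message_id": None, "rcpt": None,
            "relay": None, "status": None, "reason": None})
        # Parse key=value pairs only before the parenthesised reason text,
        # so "=" signs inside a bounce reason are not mistaken for fields.
        fields = dict(KV_RE.findall(q.group("rest").split(" (", 1)[0]))
        if "message-id" in fields:
            hop["message_id"] = fields["message-id"].strip("<>")
        if "to" in fields:
            hop["rcpt"] = fields["to"].strip("<>")
        if "status" in fields:
            hop["relay"] = fields.get("relay")
            hop["status"] = fields["status"]
            reason = REASON_RE.search(q.group("rest"))
            hop["reason"] = reason.group("reason").strip() if reason else None
    return hops


def trace(log_text, message_id):
    """Return the hops of one message in file order, ignoring timestamps."""
    chain = []
    for hop in parse_hops(log_text).values():
        if hop["message_id"] == message_id:
            chain.append(hop)
        elif (hop["message_id"] is None and chain
              and chain[-1]["status"] == "deferred"
              and hop["rcpt"] == chain[-1]["rcpt"]):
            # Assumption: a queue ID without a message-id line that follows
            # a deferred hop for the same recipient is the re-queued copy.
            chain.append(hop)
    return chain


def outcome(chain):
    """Final (status, reason) of a traced message."""
    if not chain:
        return ("unknown", None)
    return (chain[-1]["status"], chain[-1]["reason"])


if __name__ == "__main__":
    for mid in ("msg0@example.org", "msg1@example.org"):
        hops = trace(SAMPLE_LOG, mid)
        print(mid, [(h["qid"], h["relay"], h["status"]) for h in hops],
              outcome(hops))
```
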
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:53 2006 Subject: MailScanner errors. Message-ID:

On Sat, 17 Jan 2004 09:25:36 +0100, Erik Jakobsen wrote:

I did not receive this mail to myself. I have sent 5 mails to myself via another e-mail address that I have, and they all arrived here.

It's a mystery -I think-.

From eja at URBAKKEN.DK Sat Jan 17 09:05:12 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: MailScanner errors.
Message-ID:

On Sat, 17 Jan 2004 08:52:34 +0000, Erik Jakobsen wrote:

This mail didn't arrive to :-((

>On Sat, 17 Jan 2004 09:25:36 +0100, Erik Jakobsen wrote:
>
>I did not receive this mail to myself. I have sent 5 mails to myself via
>another e-mail address that I have, and they all arrived here.
>
>It's a mystery -I think-.
>
>>I have not seen the mail I wrote and sent to MailScanner list, but think
>>it's this one:
>>
>>Jan 17 09:20:06 gateway ipop3d[8457]: Auth user=eja host=[192.168.1.253]
>>nmsgs=0/0
>>Jan 17 09:20:06 gateway ipop3d[8457]: Logout user=eja
>>host=[192.168.1.253] nmsgs=0 ndele=0
>>Jan 17 08:20:23 gateway postfix/smtpd[8278]: connect from
>>unknown[195.41.53.68]
>>Jan 17 08:20:23 gateway postfix/smtpd[8278]: 5F212C042:
>>client=unknown[195.41.53.68]
>>Jan 17 08:20:23 gateway postfix/smtpd[8278]: warning: restriction
>>`check_client_access' after `check_relay_domains' is ignored
>>Jan 17 08:20:23 gateway postfix/cleanup[8279]: 5F212C042: message-id=
>><4008F027.4080801@urbakken.dk>
>>Jan 17 08:20:23 gateway postfix/smtpd[8278]: disconnect from
>>unknown[195.41.53.68]
>>Jan 17 08:20:23 gateway postfix/nqmgr[1986]: 5F212C042:
>>from=, size=10360, nrcpt=1 (queue active)
>>Jan 17 09:20:24 gateway spamd[2105]: connection from
>>localhost.localdomain [127.0.0.1] at port 32859
>>Jan 17 09:20:24 gateway spamd[8460]: info: setuid to filter succeeded
>>Jan 17 09:20:24 gateway spamd[8460]: processing message
>><4008F027.4080801@urbakken.dk> for filter:100.
>>Jan 17 09:20:27 gateway spamd[8460]: clean message (0.0/5.0) for
>>filter:100 in 3.1 seconds, 10172 bytes.
>>Jan 17 09:20:27 gateway postfix/pipe[8281]: 5F212C042:
>>to=, relay=ccfilter, delay=4, status=sent (urbakken.dk)
>>Jan 17 08:20:27 gateway postfix/pickup[6644]: 44D48C049: uid=100
>>from=
>>Jan 17 08:20:27 gateway postfix/cleanup[8279]: 44D48C049:
>>message-id=<4008F027.4080801@urbakken.dk>
>>Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049:
>>from=, size=10435, nrcpt=1 (queue active)
>>Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049:
>>to=, relay=none, delay=0, status=deferred (deferred
>>transport)
>>Jan 17 09:20:28 gateway MailScanner[2403]: New Batch: Scanning 1
>>messages, 10604 bytes
>>Jan 17 09:20:28 gateway MailScanner[2403]: Virus and Content Scanning:
>>Starting
>>Jan 17 03:20:29 gateway postfix/nqmgr[2033]: AAD4E23B05:
>>from=, size=10454, nrcpt=1 (queue active)
>>Jan 17 09:20:29 gateway MailScanner[2403]: Uninfected: Delivered 1 messages
>>Jan 17 09:20:29 gateway postfix/local[8477]: AAD4E23B05:
>>to=, relay=local, delay=2, status=sent (mailbox)
>>
>>But so far the mail has not yet arrived in my mailprogram.
>>
>>Erik Jakobsen wrote:
>>> On Sat, 17 Jan 2004 07:43:06 +0100, Erik Jakobsen wrote:
>>>
>>> I see this mail in the archive now. It should also have been sent to me. I
>>> think it has, but due to a reason I don't know it has not been visible in my
>>> mailing program.
>>>
>>> I wonder really what is going on here, or not going on.
>>>
>>>>I added the line to my /etc/postfix/main.cf, and it seems to work now.
>>>>
>>>>"alternate_config_directories = /etc/postfix.in"
>>>>
>>>>Erik Jakobsen wrote:
>>>>
>>>>>On Fri, 16 Jan 2004 16:57:10 +0000, Julian Field
>>>>> wrote:
>>>>>
>>>>>>At 16:57 16/01/2004, you wrote:
>>>>>>
>>>>>>>Then it must be the sendmail.in.pid and the sendmail.out.pid that lacks,
>>>>>>>but I'm not using sendmail ?.
>>>>>>
>>>>>>Have you set the correct MTA in /etc/sysconfig/MailScanner? That controls
>>>>>>which MTA the MailScanner init.d script will start up.
>>>>>>
>>>>>
>>>>>Oh no. I have overseen that in the postfix instruction.
>>>>>
>>>>>But there seems to be a problem now with sending mails according to this
>>>>>sample of /var/log/maillog, which I have tried to send once before:
>>>>>
>>>>>Jan 16 19:13:01 gateway spamd[5340]: clean message (0.0/5.0) for filter:100
>>>>>in 0.9 seconds, 938 bytes.
>>>>>Jan 16 19:13:01 gateway postfix/postdrop[5349]: error: untrusted
>>>>>configuration directory name: /etc/postfix.in
>>>>>Jan 16 19:13:01 gateway postfix/postdrop[5349]: fatal: specify
>>>>>"alternate_config_directories = /etc/postfix.in" in /etc/postfix/main.cf
>>>>>Jan 16 19:13:02 gateway postfix/sendmail[5348]: warning: premature
>>>>>end-of-input from /usr/sbin/postdrop -r while reading input attribute name
>>>>>Jan 16 19:13:02 gateway postfix/sendmail[5348]: fatal: eja@urbakken.dk(100):
>>>>>unable to execute /usr/sbin/postdrop -r: Success
>>>>>Jan 16 19:13:03 gateway postfix/pipe[5337]: 1D93EC045: to=,
>>>>>relay=ccfilter, delay=3, status=bounced (service unavailable. Command
>>>>>output: postdrop: error: untrusted configuration directory name:
>>>>>/etc/postfix.in postdrop: fatal: specify "alternate_config_directories =
>>>>>/etc/postfix.in" in /etc/postfix/main.cf sendmail: warning: premature
>>>>>end-of-input from /usr/sbin/postdrop -r while reading input attribute name
>>>>>sendmail: fatal: eja@urbakken.dk(100): unable to execute /usr/sbin/postdrop
>>>>>-r: Success )
>>>>>
>>>>>>>Erik Jakobsen wrote:
>>>>>>>
>>>>>>>>It has been made the /var/run directory:
>>>>>>>>
>>>>>>>># ls -al /var/run
>>>>>>>>total 132
>>>>>>>>drwxr-xr-x  8 root    root    4096 Jan 16 16:33 .
>>>>>>>>drwxr-xr-x 20 root    root    4096 Jan 16 13:46 ..
>>>>>>>>drwxr-xr-x  2 root    root    4096 Feb 10  2003 console
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:32 crond.pid
>>>>>>>>-rw-r--r--  1 root    root       0 Jan 16 16:32 dansguardian.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 dhcpd.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:32 dnsmasq.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:32 httpd.pid
>>>>>>>>-rw-------  1 root    root       5 Jan 16 16:31 klogd.pid
>>>>>>>>-rw-------  1 postfix postfix    5 Jan 16 16:32 MailScanner.pid
>>>>>>>>drwxrwxr-x  2 root    root    4096 Mar 13  2003 netreport
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 ppp0.pid
>>>>>>>>-rw-r--r--  1 root    root    8192 Jan 16 16:31 pppd.tdb
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 pppoe-adsl.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 pppoe-adsl.pid.pppd
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 pppoe-adsl.pid.pppoe
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 pppoe-adsl.pid.start
>>>>>>>>-rw-r--r--  1 root    root      10 Jan 16 16:31 ppp-ppp0.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:32 privoxy.pid
>>>>>>>>drwxr-xr-x  2 root    root    4096 Jan 16 16:32 proftpd
>>>>>>>>-rw-r--r--  1 root    nobody     5 Jan 16 16:32 proftpd.pid
>>>>>>>>drwxr-xr-x  2 root    root    4096 Jan 16 16:32 samba
>>>>>>>>drwxr-xr-x  2 root    root    4096 Jan 26  2003 saslauthd
>>>>>>>>-rw-r--r--  1 root    root       0 Jan 16 16:32 sm-client.pid
>>>>>>>>-rw-------  1 root    root       5 Jan 16 16:32 snort_eth0.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 sshd.pid
>>>>>>>>drwx------  2 root    root    4096 Jan 25  2003 sudo
>>>>>>>>-rw-------  1 root    root       5 Jan 16 16:31 syslogd.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:33 syswatch.pid
>>>>>>>>-rw-rw-r--  1 root    utmp    4224 Jan 16 17:23 utmp
>>>>>>>>-rw-------  1 root    root       5 Jan 16 16:33 vpnwatchd.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:33 webconfig.pid
>>>>>>>>-rw-r--r--  1 root    root       5 Jan 16 16:31 xinetd.pid
>>>>>>>>
>>>>>>>>Julian Field wrote:
>>>>>>>>
>>>>>>>>>mkdir /var/run
>>>>>>>>>then try it again.
>>>>>>>>>
>>>>>>>>>At 15:33 16/01/2004, you wrote:
>>>>>>>>>
>>>>>>>>>>Hi.
>>>>>>>>>>
>>>>>>>>>>I have just reinstalled MailScanner on a new server here. I use postfix,
>>>>>>>>>>but I'm receiving the following when MailScanner shall start:
>>>>>>>>>>
>>>>>>>>>>[root@gateway /]# service MailScanner status
>>>>>>>>>>Checking MailScanner daemons:
>>>>>>>>>> MailScanner: [ OK ]
>>>>>>>>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such
>>>>>>>>>>file or directory
>>>>>>>>>> [FAILED]
>>>>>>>>>> outgoing sendmail: head: /var/run/sendmail.out.pid: No such
>>>>>>>>>>file or directory
>>>>>>>>>> [FAILED]
>>>>>>>>>>
>>>>>>>>>>--
>>>>>>>>>>Med venlig hilsen - Best regards.
>>>>>>>>>>Erik Jakobsen - eja@urbakken.dk.
>>>>>>>>>>Licensed radioamateur with the callsign OZ4KK.
>>>>>>>>>>SuSE Linux 8.2 Proff.
>>>>>>>>>>Registered as user #319488 with the Linux Counter,
>>>>>>>>>>http://counter.li.org.
>>>>>>>>>
>>>>>>>>>--
>>>>>>>>>Julian Field
>>>>>>>>>www.MailScanner.info
>>>>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>>>>
>>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>>>
>>>>>>>>--
>>>>>>>>Med venlig hilsen - Best regards.
>>>>>>>>Erik Jakobsen - eja@urbakken.dk.
>>>>>>>>Licensed radioamateur with the callsign OZ4KK.
>>>>>>>>SuSE Linux 8.2 Proff.
>>>>>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>>>>>>>
>>>>>>>--
>>>>>>>Med venlig hilsen - Best regards.
>>>>>>>Erik Jakobsen - eja@urbakken.dk.
>>>>>>>Licensed radioamateur with the callsign OZ4KK.
>>>>>>>SuSE Linux 8.2 Proff.
>>>>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>>>>>>
>>>>>>--
>>>>>>Julian Field
>>>>>>www.MailScanner.info
>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>
>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>
>>>>--
>>>>Med venlig hilsen - Best regards.
>>>>Erik Jakobsen - eja@urbakken.dk.
>>>>Licensed radioamateur with the callsign OZ4KK.
>>>>SuSE Linux 8.2 Proff.
>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>>>
>>
>>--
>>Med venlig hilsen - Best regards.
>>Erik Jakobsen - eja@urbakken.dk.
>>Licensed radioamateur with the callsign OZ4KK.
>>SuSE Linux 8.2 Proff.
>>Registered as user #319488 with the Linux Counter, http://counter.li.org.

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Jan 17 09:22:40 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:54 2006
Subject: Happy Birthday to me!
Message-ID:

Happy Birthday!!!

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Jan 17 09:22:38 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:54 2006
Subject: getting a quarantined e-mail back?
Message-ID:

> I find that messages sent using mutt on the local system get
> queued directly without going through mailscanner.

Hmm. That should not really be the case from my point of view. Unless of course you are absolutely sure that no one or no task on this machine could ever send viruses out. :-)

Regards,
JP

From eja at URBAKKEN.DK Sat Jan 17 09:45:56 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
Message-ID:

I'll see if this mail arrives in my mailer.

Erik.

From eja at URBAKKEN.DK Sat Jan 17 10:21:53 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
Message-ID:

On Sat, 17 Jan 2004 09:45:56 +0000, Erik Jakobsen wrote:

No, my mail to the list did not arrive here :-(

>I'll see if this mail arrives in my mailer.
>
>Erik.

Erik.

From kevins at BMRB.CO.UK Sat Jan 17 10:23:39 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:54 2006
Subject: Quarantine loses mail
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21B1A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B1A@pascal.priv.bmrb.co.uk>
Message-ID: <1074335027.4478.5.camel@bach.kevinspicer.co.uk>

On Fri, 2004-01-16 at 07:06, G. Armour Van Horn wrote:
Greetings, all,
>I got a message from a client, quoting a cleaned message message:

Maybe you have clean.quarantine running to clear out your quarantine directory periodically? Look in /etc/cron.daily/clean.quarantine and see what the line that says that begins... $disabled=

From eja at URBAKKEN.DK Sat Jan 17 10:25:00 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
In-Reply-To:
References:
Message-ID: <40090D7C.6060709@urbakken.dk>

This mail did arrive here.

Erik Jakobsen wrote:
> On Sat, 17 Jan 2004 09:45:56 +0000, Erik Jakobsen wrote:
>
> No, my mail to the list did not arrive here :-(
>
>>I'll see if this mail arrives in my mailer.
>>
>>Erik.
>
> Erik.
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From kevins at BMRB.CO.UK Sat Jan 17 10:25:27 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21B26@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B26@pascal.priv.bmrb.co.uk>
Message-ID: <1074335127.4477.8.camel@bach.kevinspicer.co.uk>

On Sat, 2004-01-17 at 10:21, Erik Jakobsen wrote:
>On Sat, 17 Jan 2004 09:45:56 +0000, Erik Jakobsen
>wrote:

>No, my mail to the list did not arrive here :-(

Have you checked for it in your maillog? Any clues there? Is it only mail from the list that is going missing?

From eja at URBAKKEN.DK Sat Jan 17 11:29:01 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
In-Reply-To: <1074335127.4477.8.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B26@pascal.priv.bmrb.co.uk> <1074335127.4477.8.camel@bach.kevinspicer.co.uk>
Message-ID: <40091C7D.3090201@urbakken.dk>

Kevin Spicer wrote:
> On Sat, 2004-01-17 at 10:21, Erik Jakobsen wrote:
>
>>On Sat, 17 Jan 2004 09:45:56 +0000, Erik Jakobsen
>>wrote:
>
>>No, my mail to the list did not arrive here :-(
>
> Have you checked for it in your maillog? any clues there? Is it only
> mail from the list that is going missing?

Hi Kevin.

I have the maillog running now, but need to examine it more carefully. I reinstalled my server yesterday, and so did I with MailScanner too. When I ran the old server and MailScanner, many mails didn't arrive to me. I cannot tell if I'm missing other mails now.

I tested 5 times today with sending mails to my alternative e-mail address, that is being sent to me here. They all arrived.

I can try the Squirrelmail for a while, to eliminate the mailer on this linux computer here.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From mailscanner at ecs.soton.ac.uk Sat Jan 17 11:46:16 2004
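Kevin Spicer's suggestion to check the maillog can be done mechanically when one message crosses several Postfix queue IDs, as it does in the log Erik posted earlier in this thread. The Python below is an added example, not code from the list or from MailScanner; the sample log is constructed (addresses, Message-IDs and the third queue ID are made up) and the function names are this example's own.

```python
import re

# Constructed sample modelled on the maillog lines quoted in the thread.
# Addresses, Message-IDs and the queue ID 7C1D0C051 are made up.
SAMPLE_LOG = """\
Jan 17 08:20:23 gateway postfix/cleanup[8279]: 5F212C042: message-id=<msg1@example.org>
Jan 17 08:20:23 gateway postfix/nqmgr[1986]: 5F212C042: from=<list@example.org>, size=10360, nrcpt=1 (queue active)
Jan 17 09:20:24 gateway spamd[8460]: processing message <msg1@example.org> for filter:100.
Jan 17 09:20:27 gateway postfix/pipe[8281]: 5F212C042: to=<user@example.net>, relay=ccfilter, delay=4, status=sent (example.net)
Jan 17 08:20:27 gateway postfix/pickup[6644]: 44D48C049: uid=100 from=<list@example.org>
Jan 17 08:20:27 gateway postfix/cleanup[8279]: 44D48C049: message-id=<msg1@example.org>
Jan 17 08:20:27 gateway postfix/nqmgr[1986]: 44D48C049: to=<user@example.net>, relay=none, delay=0, status=deferred (deferred transport)
Jan 17 08:21:02 gateway postfix/cleanup[8279]: 7C1D0C051: message-id=<msg2@example.org>
Jan 17 08:21:03 gateway postfix/smtp[8300]: 7C1D0C051: to=<other@example.com>, relay=mx.example.com[192.0.2.25], delay=1, status=bounced (user unknown)
"""

LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
MSGID_RE = re.compile(r"message-id=(<[^>]*>)")
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]+), "
    r".*?status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def parse_maillog(text):
    """Group Postfix lines by queue ID, keeping the order they appear in.

    File order is used instead of timestamps because, as in the thread's
    log, daemons on one host may log in different time zones.
    """
    queues = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # spamd, MailScanner, ipop3d lines carry no queue ID
        entry = queues.setdefault(
            m["qid"], {"message_id": None, "deliveries": []}
        )
        msgid = MSGID_RE.search(m["rest"])
        if msgid:
            entry["message_id"] = msgid.group(1)
        d = DELIVERY_RE.search(m["rest"])
        if d:
            entry["deliveries"].append(
                {"qid": m["qid"], "daemon": m["daemon"], "to": d["to"],
                 "relay": d["relay"], "status": d["status"],
                 "reason": d["reason"]}
            )
    return queues


def trace(queues, message_id):
    """Return every delivery attempt logged for one Message-ID, in log order.

    A content filter that re-injects mail gives it a new queue ID, so the
    Message-ID is what ties the hops together.
    """
    hops = []
    for entry in queues.values():
        if entry["message_id"] == message_id:
            hops.extend(entry["deliveries"])
    return hops


def last_status(queues):
    """Map each Message-ID to the status of its last logged hop."""
    result = {}
    for entry in queues.values():
        if entry["message_id"] and entry["deliveries"]:
            result[entry["message_id"]] = entry["deliveries"][-1]["status"]
    return result


if __name__ == "__main__":
    parsed = parse_maillog(SAMPLE_LOG)
    for hop in trace(parsed, "<msg1@example.org>"):
        print(hop["qid"], hop["daemon"], hop["relay"], hop["status"], hop["reason"])
    # In the thread's log, "deferred (deferred transport)" is followed by
    # MailScanner scanning the message, so that status alone is not a loss.
    print(last_status(parsed))
```

Queue IDs that carry no `message-id=` line, such as the final `AAD4E23B05` hop in Erik's log, cannot be linked this way and have to be matched by hand.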
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:54 2006
Subject: getting a quarantined e-mail back?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040117114534.0408abd0@imap.ecs.soton.ac.uk>

At 09:22 17/01/2004, you wrote:
> > I find that messages sent using mutt on the local system get
> > queued directly without going through mailscanner.

You need to configure your copy of mutt to send mail using SMTP to "localhost" instead of invoking sendmail directly. Either that, or upgrade to a recent version of sendmail as this problem has been solved.

>Hmm. That should not really be the case from my point of view. Unless of
>course you are absolutely sure that no one or no task on this machine
>could ever send viruses out. :-)
>
>Regards,
> JP

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Jan 17 11:41:43 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:54 2006
Subject: Quarantine loses mail
In-Reply-To: <40078D7F.5000201@whidbey.com>
References: <200401161027.59083.nupur@theargoncompany.com> <40078D7F.5000201@whidbey.com>
Message-ID: <6.0.1.1.2.20040117114104.0405dc80@imap.ecs.soton.ac.uk>

Please try the latest beta and see if it still occurs. If it does then please send me exact details of your configuration so I can try to reproduce the problem.

At 07:06 16/01/2004, you wrote:
>Greetings, all,
>
>I got a message from a client, quoting a cleaned message message:
>
> > This is a message from the MailScanner E-Mail Virus Protection Service
> > ----------------------------------------------------------------------
> > The original e-mail message contained potentially dangerous content,
> > which has been removed for your safety.
> >
> > The content is dangerous as it is often used to spread viruses or to gain
> > personal or confidential information from you, such as passwords or credit
> > card numbers.
> >
> > If you wish to receive a copy of the original email, please
> > e-mail admin@bogachiel.net and include the
> whole of this message
> > in your request.
> >
> > At Mon Jan 12 19:32:54 2004 the content filters said:
> > MailScanner: Found a form in HTML message
> >
> > Note to Help Desk: Look on Bogachiel Guard Station in
> >
> /var/spool/MailScanner/quarantine/20040112 (message i0D3WeWx002953).
> >
>I went to the suggested folder and looked at the message, to check if it
>was valid content that I should forward to them. To my surprise, it was
>the warning message quoted above, *not* the original message. I believe
>I've seen this before a couple of times.
>
>Is there a bug? Or did I screw something up?
>
>This was under 4.24-5, which I've been running up until about an hour ago
>when I revved to SA 2.61 and MS 4.25-14.
>
>Van
>
>--
>----------------------------------------------------------
>Sign up now for Quotes of the Day, a handful of quotations
>on a theme delivered every morning.
>Enlightenment! Daily, for free!
>mailto:twisted@whidbey.com?subject=Subscribe_QOTD
>
>For web hosting and maintenance,
>visit Van's home page:
>http://www.domainvanhorn.com/van/
>----------------------------------------------------------

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Jan 17 11:44:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:54 2006
Subject: feature request
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040117114153.0409ee18@imap.ecs.soton.ac.uk>

At 05:20 17/01/2004, you wrote:
>is it possible to add a Ruleset function to "Virus Scanners" in
>MailScanner.conf?

No, because messages are scanned in large batches for efficiency. Whole bunches of messages are scanned at once so they can't selectively use one scanner or another (not practically, anyway), they just all get all of them.

>Reason:
>
>If some Domains, or Users don't want Virus Scanning but Content-Tests...
>Or Domain1 want to use Sophos and Domain2 want to use Clamav...
>
>Here is a example to explain what i mean:
>
>To: admin@domain1.com none
>To: @Domain1.com sophos
>To: @Domain2.com clamav
>To: @Domain3.com sophos clamav
>FromOrTo: default none
>
>I think this would be a good feature?
>
>Thanks
>
>Holger

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Jan 17 11:38:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:54 2006
Subject: Outstanding mail archiving bug
In-Reply-To:
References: <6.0.1.1.2.20040114190439.040b4828@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040117113828.0405aec8@imap.ecs.soton.ac.uk>

At 23:45 16/01/2004, you wrote:
>Hi!
>
> > > > That was done using the latest beta 4.26-4.
> > >
> > >I had it still with 4.25-14, i can try 4.26-4 and see if i can still catch
> > >some, did you change the code for that part since 4.25-14 ??
> >
> > I don't think so, but I can't reproduce the problem.
>
>Upgraded to MailScanner-4.26-4, don't think it will be gone, but worth a
>try :) If it's not gone what can we do to tackle this ?

You can give me details on exactly how to reconstruct it :)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Sat Jan 17 12:39:36 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:54 2006
Subject: Happy Birthday to me!
In-Reply-To:
Message-ID:

Have a good one!!

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From eja at URBAKKEN.DK Sat Jan 17 12:45:46 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:54 2006
Subject: Mailtest
In-Reply-To:
References:
Message-ID: <20040117134546.0dcd8087.eja@urbakken.dk>

On Sat, 17 Jan 2004 09:45:56 +0000 Erik Jakobsen wrote:

> I'll see if this mail arrives in my mailer.

In another mailer I have, I found this mail. Obviously I have a wrong configuration in the other mail program.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From mailscanner at ecs.soton.ac.uk Sat Jan 17 13:47:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:54 2006
Subject: MailScanner support for Qmail
Message-ID: <6.0.1.1.2.20040117134329.04225150@wheresmymailserver.com>

Mostly to get this information into the MailScanner mailing list archive, here is a copy of an email I received a month ago from some folks who are implementing some form of Qmail support within MailScanner. I suspect they are doing it in a similar way to Communigate Pro, but I'm not at all sure of that.

If someone would like to try this and document their experiences, I would be very grateful.

Thanks folks,
Jules.

P.S. A very big thankyou to all of you for my Birthday messages, I really appreciate it. And an extra special thankyou to those of you who bought me a birthday present from Amazon.co.uk. Thankyou!

>From: "S.Karthikeyan"
>To: mailscanner@ecs.soton.ac.uk, jkf@ecs.soton.ac.uk
>Subject: Regarding qmail support
>Date: Fri, 12 Dec 2003 05:49:00 -0500
>
>Hi Julian/MailScanner team,
>
> We've written a qmail module for mailscanner. It works in this way.
>
>-It changes the qmail-queue program so that it dumps the mail
>in /var/qmail/queue.in instead of /var/qmail/queue
>-Then, qmail.pm use Internet::Mail perl module to read the queue file
>in /var/qmail/queue.in/mess. we construct the to and from address from
>the /var/qmail/queue.in/todo file
>-After scanning it, we remove the mess,intd,todo file
>-We create mess,intd and todo in the /var/qmail/queue.in directory
>using qmdiskstore.pm.
>-We then kick message using triggerpull'ing a \0 byte to the trigger
>file, which triggers qmail-send to deliver the message.
>
>There is an extra variable in configdefs.pl and MailScanner.conf to
>indicate the number of split spool directories in qmail. Right now, if
>the queue.in directory is in different directory
>than /var/qmail/queue.in, the user has to change the #define value in
>our custom qmail-1.03 source directory. That's the only stuff that has
>to be changed, if the user has custom configured the /var/qmail
>directory to something else, during his qmail compilation and
>installation.
>
>Now, this proof of concept stuff is working for us. Is this design ok,
>or you have previously considered it and dropped it off for some reason?
>Also, how should I submit this code to you?
>
>We have hosted the code in a complete package with
>spamassassin,mailscanner with qmail, clamav,all the needed perl modules
>at http://opencomputing.sourceforge.net. Also it contains a perl auto-
>installer, that does all spool directory copying and config file
>changing stuff on the fly and also uninstalls, disables and enables
>mailscanner.
>
>Regards,
>S.Karthikeyan.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at BARENDSE.TO Sun Jan 18 08:05:05 2004
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:21:54 2006
Subject: Spam learning whitelist?
In-Reply-To:
Message-ID:

The honeypot is working great, lots of spams coming in :)

The messages that are filtered out however and redirected to postmaster are getting annoying because there are too many.

Will SpamAss still learn from those spam messages even if I whitelist the addresses they are sent to in MailScanner?

Thanks!

On Wed, 7 Jan 2004, Remco Barendse wrote:

> Hi!
>
> I have created 2 mailboxes for spam and nonspam training as described on
> the MS page.
>
> Was just wondering, should I whitelist mail to these addresses to prevent
> MailScanner from stripping them from html and stuff? (I let MS strip all
> html of even low scoring spam).
>
> Also I have set up some honeypots that forward all mail to the spam
> address (like info@ and sales@) and I don't want to get any spams to those
> addresses delivered to the postmaster mailbox (if they score too high i
> use delete forward as high scoring spam actions).
>
> Thanks for any input!
>
> Remco
>

From chris at FRACTALWEB.COM Sat Jan 17 18:12:07 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:54 2006
Subject: timeouts and sigpipe
Message-ID: <40097AF7.9030705@fractalweb.com>

Hi everyone.

Last night my system let some spam through, again with spamassassin timeouts. I've checked through the maillog and see a few things that seem a bit unusual.

Firstly, I see a SIGPIPE message in the log quite regularly. Not sure what has caused this to start.

Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Found 4 messages waiting
Jan 17 02:47:41 ns1 MailScanner[6138]: SIGPIPE received - trying new log socket
Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Found 4 messages waiting
Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Scanning 1 messages, 3305 bytes

I also see that MailScanner had some trouble with ORDB last night:

Jan 17 02:48:14 ns1 MailScanner[30540]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7

And, of course, spamassassin was having trouble also:

Jan 17 02:49:16 ns1 MailScanner[30540]: SpamAssassin timed out and was killed, consecutive failure 1 of 20

Any help or suggestions would be greatly appreciated.

Thanks,
Chris

From gdoris at ROGERS.COM Sat Jan 17 22:08:42 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:54 2006
Subject: timeouts and sigpipe
In-Reply-To: <40097AF7.9030705@fractalweb.com>
References: <40097AF7.9030705@fractalweb.com>
Message-ID:

On Sat, 17 Jan 2004, Chris Yuzik wrote:

> Hi everyone.
>
> Last night my system let some spam through, again with spamassassin
> timeouts. I've checked through the maillog and see a few things that
> seem a bit unusual.
>
> Firstly, I see a SIGPIPE message in the log quite regularly. Not sure
> what has caused this to start.
> Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Found 4 messages waiting
> Jan 17 02:47:41 ns1 MailScanner[6138]: SIGPIPE received - trying new log
> socket
> Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Found 4 messages waiting
> Jan 17 02:47:41 ns1 MailScanner[6138]: New Batch: Scanning 1 messages,
> 3305 bytes
>
> I also see that MailScanner had some trouble with ORDB last night:
> Jan 17 02:48:14 ns1 MailScanner[30540]: RBL Check ORDB-RBL timed out and
> was killed, consecutive failure 1 of 7
>
> And, of course, spamassassin was having trouble also:
> Jan 17 02:49:16 ns1 MailScanner[30540]: SpamAssassin timed out and was
> killed, consecutive failure 1 of 20
>
> Any help or suggestions would be greatly appreciated.
>
> Thanks,
> Chris
>

I believe the SIGPIPE error was removed several releases back. What level of MailScanner are you running?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From raymond at PROLOCATION.NET Sat Jan 17 22:27:12 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: Outstanding mail archiving bug
In-Reply-To: <6.0.1.1.2.20040117113828.0405aec8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> > > I don't think so, but I can't reproduce the problem.
> >
> >Upgraded to MailScanner-4.26-4, don't think it will be gone, but worth a
> >try :) If it's not gone what can we do to tackle this ?
>
> You can give me details on exactly how to reconstruct it :)

Hmmm ... heh ... I could mirror traffic a couple of days =)

Bye,
Raymond.

From spam at CRYING.COM Sun Jan 18 00:18:27 2004
From: spam at CRYING.COM (Howard)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
Message-ID:

I'm running Mailscanner 4.25-14, Spamassassin 2.61

I'm sort of a newbie. :(

I was wondering if someone could tell me step by step how I would add bigevil.cf?

I've added it to my server but I'm not sure exactly what files I am to modify. Do I just modify mailscanner.conf?

If so what lines??

I have this in my mailscanner.conf:
Spam List = ORDB-RBL

Do I add to that line? And then restart mailscanner and that's all?

Any detailed instructions would be awesome.

Thanks

From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 18 00:37:26 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
In-Reply-To:
Message-ID:

You should look at the spamassassinprefs.conf file (I know it's not called that, but it's late here.. ) or the main spam assassin directory

The options within MailScanner refer to RBLS and whether or not you want to use SA, they do not allow for custom SA rules

> bigevil.cf?
>
> I've added it to my server but I'm not sure exactly what files I am to
> modify. Do I just modify mailscanner.conf?

No - see above

>
> If so what lines??
>
> I have this in my mailscanner.conf:
> Spam List = ORDB-RBL
>
> Do I add to that line? And then restart mailscanner and that's all?

NO. That's an RBL (realtime blacklist)

>
> Any detailed instructions would be awesome.

From drew at THEMARSHALLS.CO.UK Sun Jan 18 00:40:40 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
In-Reply-To:
References:
Message-ID: <4009D608.8090700@themarshalls.co.uk>

Howard wrote:

>I'm running Mailscanner 4.25-14, Spamassassin 2.61
>
>I'm sort of a newbie. :(
>
>I was wondering if someone could tell me step by step how I would add
>bigevil.cf?
>
>

Drop the bigevil file into /etc/mail/spamassassin & restart MailScanner

>I've added it to my server but I'm not sure exactly what files I am to
>modify. Do I just modify mailscanner.conf?
>
>If so what lines??
>
>I have this in my mailscanner.conf:
>Spam List = ORDB-RBL
>
>Do I add to that line? And then restart mailscanner and that's all?
>
>Any detailed instructions would be awesome.
>
>Thanks
>
>

Enjoy

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From cleveland at WINNEFOX.ORG Sat Jan 17 19:11:31 2004
From: cleveland at WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:54 2006
Subject: OT: Advice please
In-Reply-To: <40071A97.9020803@eatathome.com.au>
References: <4116B9E82087024DB2755B25BB4B494C73B2D1@msx.network.griffin.net.uk> <40071A97.9020803@eatathome.com.au>
Message-ID: <2227.172.30.59.9.1074366691.squirrel@172.30.59.9>

Ditto!

> Robin M. wrote:
>
>>On Thu, 15 Jan 2004, Gareth Campling wrote:
>>
>>>Is this available for download. ? :o)
>>>
>>I can make it available for you. Do you need the whole package. I
>> have
>>compiled everything into rpm format including MailScanner, apache,
>> postfix
>>cyrus, ldap etc etc to install into a chrooted environment. It is
>> kinda
>>rough around the edges right now but it is very stable multi-domain
>>support.
>>
>>Email me off list.
>>
> I would also LOVE to see a package like this. I have been charged with
> converting a 300 user Domino inotes system into 'a Linux based
> solution'. But i am really struggling trying tie all these different
> apps
> together - more importantly i want it to use Win2k AD for
> authentication, i use a perl script to query the AD and retrieve the
> email addresses and use this to build an access list in Postfix - what
> i
> want postfix/courier/cyrus to do for new users is to see if it has
> ever
> received mail for user X before, if not then create the mail folders.
> maybe i could adapt your package to do this? do you use AD at all, or
> only openldap?
>

--
Jody Cleveland (cleveland@winnefox.org)

From peter at UCGBOOK.COM Sun Jan 18 02:32:00 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:54 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.62 is released!]
Message-ID: <4009F020.5040008@ucgbook.com>

FYI

-------- Original Message --------
Subject: [SA-Announce] SpamAssassin 2.62 is released!
Date: Sat, 17 Jan 2004 19:13:23 -0500
From: Theo Van Dinter
To: Spamassassin List
CC: Spamassassin Devel List , spamassassin-announce@lists.sourceforge.net

SpamAssassin is a mail filter which uses advanced statistical and heuristic tests to identify spam (also known as unsolicited commercial/bulk email).

Downloading
-----------

Pick it up from:

http://SpamAssassin.org/released/Mail-SpamAssassin-2.62.tar.gz
http://SpamAssassin.org/released/Mail-SpamAssassin-2.62.tar.bz2
http://SpamAssassin.org/released/Mail-SpamAssassin-2.62.zip

md5sum:
e0cf85b038d85bb83083ee474763ed3c Mail-SpamAssassin-2.62.tar.gz
d16248b99675bef3da5e14890099590e Mail-SpamAssassin-2.62.tar.bz2
76a990a24d10b6835d8073240a40cf48 Mail-SpamAssassin-2.62.zip

sha1sum:
06cebe409f11cf132736a03849ad7ccb7e0bd6a0 Mail-SpamAssassin-2.62.tar.gz
28e09727f394c72efcb8019e83b8a3359b82c70a Mail-SpamAssassin-2.62.tar.bz2
c83bd44a830c2195610edf0b4be31f62c5e0b0c4 Mail-SpamAssassin-2.62.zip

Or on CPAN shortly, once the mirrors update.

The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net keyserver, as well as http://www.spamassassin.org/released/GPG-SIGNING-KEY

The key information is:

pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key
Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

Summary of major changes since 2.61
-----------------------------------

- Fixed two bugs related to Received line generation and parsing.
- Modified two rules to reduce false positives.
- Fixed bug where spamd temporary init directory wasn't removed in some situations.
- Modified HABEAS_SWE to function even if the Habeas headers were out of their normal order.
- Fixed bug where reporting wouldn't remove message markup before being learned by Bayes.
- Fixed bug where report_safe_copy_headers would reverse the order of the Received headers.
- Fixed several bugs in the Bayes system caused by DB_File oddities.

--
Randomly Generated Tagline:
"Victory is mine... Victory is mine... I drink from the keg of glory Donna, bring me the finest muffins and bagels from all the land!" - Josh Lyman, The West Wing

From spam at CRYING.COM Sun Jan 18 03:44:41 2004
From: spam at CRYING.COM (spam@CRYING.COM)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
Message-ID:

On Sun, 18 Jan 2004 00:40:40 +0000, Drew Marshall wrote:

>Howard wrote:
>
>>I'm running Mailscanner 4.25-14, Spamassassin 2.61
>>
>>I'm sort of a newbie. :(
>>
>>I was wondering if someone could tell me step by step how I would add
>>bigevil.cf?
>>
>Drop the bigevil file into /etc/mail/spamassassin & restart MailScanner
>
>>I've added it to my server but I'm not sure exactly what files I am to
>>modify. Do I just modify mailscanner.conf?
>>
>>If so what lines??
>>
>>I have this in my mailscanner.conf:
>>Spam List = ORDB-RBL
>>
>>Do I add to that line? And then restart mailscanner and that's all?
>>
>>Any detailed instructions would be awesome.
>>
>>Thanks
>>
>Enjoy
>
>Drew
>
>--
>In line with our policy, this message has
>been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.
>www.themarshalls.co.uk/policy

If it were that simple.... :(

>>I was wondering if someone could tell me step by step how I would add
>>bigevil.cf?
>>
>Drop the bigevil file into /etc/mail/spamassassin & restart MailScanner

Okay I tried that and when I did a spamassassin --lint

I got a bunch of errors here is a clip :

Failed to parse line in SpamAssassin configuration, skipping: /\by
(?:ourmortgagequote\.com|ouronlineoffers\d?
\.com|ourplaceforeverything\.com|ourrxstore\.biz|oyobro\.biz|oyobro\.net|qd
dvmdvmm\.wizawow\.com|u67fx23\.com|ubrsxc4\.com)\b/i
Failed to parse line in SpamAssassin configuration, skipping: uri
BigEvilList_178

I don't have to do anything to my spam.assassin.prefs.conf ? If I do, what exactly?

Thanks... my eyeballs have been trying to figure all this out and I've printed out about 100 pages of different topics and still can't figure it out.

From chris at FRACTALWEB.COM Sun Jan 18 05:00:17 2004
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:54 2006 Subject: timeouts and sigpipe In-Reply-To: References: <40097AF7.9030705@fractalweb.com> Message-ID: <400A12E1.3000302@fractalweb.com> Gerry Doris wrote: >I believe the SIGPIPE error was removed several releases back. What level >of MailScanner are you running? > > Now that's a good question. How do I check? Chris From gdoris at ROGERS.COM Sun Jan 18 05:21:10 2004 From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:54 2006 Subject: timeouts and sigpipe In-Reply-To: <400A12E1.3000302@fractalweb.com> References: <40097AF7.9030705@fractalweb.com> <400A12E1.3000302@fractalweb.com> Message-ID: On Sat, 17 Jan 2004, Chris Yuzik wrote: > Gerry Doris wrote: > > >I believe the SIGPIPE error was removed several releases back. What level > >of MailScanner are you running? > > > > > Now that's a good question. How do I check? > > Chris Well, I'd look in /var/log/maillog for a line that states MailScanner E-Mail Virus Scanner version 4.XX-Y starting... -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gdoris at ROGERS.COM Sun Jan 18 05:27:49 2004 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:54 2006 Subject: SpamAssasin help In-Reply-To: References: Message-ID: On Sun, 18 Jan 2004 spam@CRYING.COM wrote: snip... > I got a bunch of errors here is a clip : > > Failed to parse line in SpamAssassin configuration, skipping: /\by > (?:ourmortgagequote\.com|ouronlineoffers\d? > \.com|ourplaceforeverything\.com|ourrxstore\.biz|oyobro\.biz|oyobro\.net|qd > dvmdvmm\.wizawow\.com|u67fx23\.com|ubrsxc4\.com)\b/i > Failed to parse line in SpamAssassin configuration, skipping: uri > BigEvilList_178 > > > I don't have to do anything to my spam.assassin.prefs.conf ? If I do, what > exactly? > > Thanks... my eyeballs have been trying to figure all this out and I've > printed out about 100 pages of different topics and still can't figure it > out. > It looks like you have messed up the download of bigevil.cf. This often occurs if you've captured the file with line feeds + carriage returns (ie. as a DOS file). I'll send you a working file off list. Put it into /etc/mail/spamassassin. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From chris at FRACTALWEB.COM Sun Jan 18 05:31:40 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:54 2006 Subject: timeouts and sigpipe In-Reply-To: References: <40097AF7.9030705@fractalweb.com> <400A12E1.3000302@fractalweb.com> Message-ID: <400A1A3C.9040804@fractalweb.com> Gerry Doris wrote: >Well, I'd look in /var/log/maillog for a line that states > >MailScanner E-Mail Virus Scanner version 4.XX-Y starting... > > And here I was typing MailScanner -v, -V, --v, etc. I've looked through the maillog so many times I've lost track, but I never paid attention to that. :-) So, I'm running 4.24-5. I guess I better upgrade. What's the most current, but stable version? Also, I see that there's a new version of spamassassin out. I guess I should do that one too. Cheers, Chris From raymond at PROLOCATION.NET Sun Jan 18 10:07:47 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.62 is released!]
In-Reply-To: <4009F020.5040008@ucgbook.com>
Message-ID:

Hi!

> FYI
> SpamAssassin is a mail filter which uses advanced statistical
> and heuristic tests to identify spam (also known as unsolicited
> commercial/bulk email).

Don't forget to alter the 50_scores.cf again after upgrading, it seems the score HABEAS_SWE -9.0 isn't changed yet. I have put it at -1 myself.

Bye,
Raymond.

From mike at ZANKER.ORG Sun Jan 18 11:53:02 2004
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:21:54 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.62 is released!]
In-Reply-To:
References:
Message-ID: <83404921.1074426782@jemima.zanker.org>

On 18 January 2004 11:07 +0100 Raymond Dijkxhoorn wrote:

> Don't forget to alter the 50_scores.cf again after upgrading, it seems
> the score HABEAS_SWE -9.0 isn't changed yet.

Aren't you better off doing that in spam.assassin.prefs.conf?

Mike.

From raymond at PROLOCATION.NET Sun Jan 18 11:56:19 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.62 is released!]
In-Reply-To: <83404921.1074426782@jemima.zanker.org>
Message-ID:

Hi!

> > Don't forget to alter the 50_scores.cf again after upgrading, it seems
> > the score HABEAS_SWE -9.0 isn't changed yet.
>
> Aren't you better off doing that in spam.assassin.prefs.conf?

Yeah, perhaps a better way of doing that... Saves editing when the next update is again -9 :)

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Sun Jan 18 11:59:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:54 2006 Subject: Spam learning whitelist? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040118115843.03ef6020@imap.ecs.soton.ac.uk> At 08:05 18/01/2004, you wrote: >The honeypot is working great, lots of spams coming in :) > >The messages that are filtered out however and redirected to postmaster >are getting annoying because there are too many. > >Will SpamAss still learn from those spam messages even if I >whitelist the addresses they are sent to in MailScanner? Yes. The SA and MS whitelists don't talk to each other, they are quite separate. >Thanks! > >On Wed, 7 Jan 2004, Remco Barendse wrote: > > > Hi! > > > > I have created 2 mailboxes for spam and nonspam training as described on > > the MS page. > > > > Was just wondering, should I whitelist mail to these addresses to prevent > > MailScanner from stripping them from html and stuff? (I let MS strip all > > html of even low scoring spam). > > > > Also I have set up some honeypots that forward all mail to the spam > > address (like info@ and sales@) and I don't want to get any spams to those > > addresses delivered to the postmaster mailbox (if they score too high i > > use delete forward as high scoring spam actions). > > > > Thanks for any input! > > > > Remco > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Sun Jan 18 21:54:31 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
In-Reply-To:
References:
Message-ID: <400B0097.3070800@eatathome.com.au>

Remove the current bigevil.cf from the /etc/mail/spamassassin dir
1. cd /etc/mail/spamassassin
rm bigevil.cf
Now download the file directly into the dir using your Linux console
2. wget http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
Now restart MailScanner (assume you use Red Hat)
3. service MailScanner restart

Test - wait for some spam to go through, jump into MailWatch (or however you like looking at the reports) and you will see on the next few mails marked as spam that there are some new scores, big_evil_list etc etc

>On Sun, 18 Jan 2004 spam@CRYING.COM wrote:
>
>snip...
>
>
>
>>I got a bunch of errors here is a clip :
>>
>>Failed to parse line in SpamAssassin configuration, skipping: /\by
>>(?:ourmortgagequote\.com|ouronlineoffers\d?
>>\.com|ourplaceforeverything\.com|ourrxstore\.biz|oyobro\.biz|oyobro\.net|qd
>>dvmdvmm\.wizawow\.com|u67fx23\.com|ubrsxc4\.com)\b/i
>>Failed to parse line in SpamAssassin configuration, skipping: uri
>>BigEvilList_178
>>
>>
>>I don't have to do anything to my spam.assassin.prefs.conf ? If I do, what
>>exactly?
>>
>>Thanks... my eyeballs have been trying to figure all this out and I've
>>printed out about 100 pages of different topics and still can't figure it
>>out.
>>
>>
>>
>
>It looks like you have messed up the download of bigevil.cf. This often
>occurs if you've captured the file with line feeds + carriage returns (ie.
>as a DOS file).
>
>I'll send you a working file off list. Put it into
>/etc/mail/spamassassin.
>
>--
>Gerry
>
>"The lyfe so short, the craft so long to learne" Chaucer
>
>
>
>
>
From raymond at PROLOCATION.NET Sun Jan 18 22:04:26 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:54 2006 Subject: SpamAssasin help In-Reply-To: <400B0097.3070800@eatathome.com.au> Message-ID: Hi! > 1. cd /etc/mail/spamassassin > rm bigevil.cf > Now download the file directly into the dir using your Linux console > 2. wget http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf > Now restart MailScanner (assume you use Red Hat) You can do this with the script i made, follow the leads on http://mailscanner.prolocation.net This you can use to update the BigEvil rules... Bye, Raymond. From spam at CRYING.COM Sun Jan 18 22:16:29 2004 
From: spam at CRYING.COM (Howard)
Date: Thu Jan 12 21:21:54 2006
Subject: SpamAssasin help
Message-ID:

That did it! That was easy!

I ran the following test and got back all these lines.. do you see any problems at all or is this normal?

Lastly, any other rules besides bigevil.cf that I should run? I've heard about chickenpox? etc...

Thanks

[root@dedicated spamassassin]# spamassassin -D --lint
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/home/admin/bin', which doesn't exist, dropping.
debug: Final PATH set to: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
debug: ignore: using a test message to lint rules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 5355 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 5355 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 183 ham(s) in Bayes DB < 200
debug: bayes: 5355 untie-ing
debug: bayes: 5355 untie-ing db_toks
debug: bayes: 5355 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 5355 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 5355 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 183 ham(s) in Bayes DB < 200
debug: bayes: 5355 untie-ing
debug: bayes: 5355 untie-ing db_toks
debug: bayes: 5355 untie-ing db_seen
debug: is Net::DNS::Resolver available? yes
debug: trying (3) leo.org...
debug: looking up MX for 'leo.org'
debug: MX for 'leo.org' exists? 1
debug: MX lookup of leo.org succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: Razor2 is not available
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
debug: DCC is not available: no executable dccproc found.
debug: Pyzor is not available: pyzor not found
debug: all '*To' addrs:
debug: RBL: success for 1 of 1 queries
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME

From spam at CRYING.COM Sun Jan 18 22:42:23 2004
From: spam at CRYING.COM (Howard) Date: Thu Jan 12 21:21:54 2006 Subject: How to stop this spam? Message-ID: Can someone tell what's the best way to stop this type of spam: It only got 3.642. I also have my mailscanner.conf set to 5 for flagging and 9 for high spam deletion. Message-ID: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . 
From: "Carroll Bruno" Reply-To: "Carroll Bruno" Date: Sun, 18 Jan 2004 06:12:41 -0400 X-Mailer: THOR 2.6a (Amiga;TCP/IP) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--69495004589733859" X-Priority: 5 X-century-MailScanner-Information: Please contact the ISP for more information X-century-MailScanner: Found to be clean X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642, required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00, HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10, WHY_WAIT 0.48) X-century-MailScanner-SpamScore: sss SUBJECT: LOw Cost Val?(u)m, Viagr@, X(a)n@x, Som@ Di3t Pills Many M3ds 70du2kKS81b2am Body: Get Your Meds Here Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A (Cialis) We believe ordering medication should be as simple as ordering anything else on the Internet. Private, secure, and easy. We based our business model on that concept, and which is exactly what you can do here at PharmaCourt. Choose from ff: Weight Loss, Men's Health, Pain Relief, Muscle Relaxers, Stop Smoking and Anti-Depressants. No prescription required, no long lengthy forms to fill out. So why wait choose your product and start living a healthier live today. We ship WORLDWIDE. It flutters and murmurs still: Between the dark and the daylight, The pleasant streets of that dear old town, My spirit drank repose; Get Your Meds Here Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A From raymond at PROLOCATION.NET Sun Jan 18 22:46:28 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To:
Message-ID:

Hi!

> Can someone tell what's the best way to stop this type of spam: It only
> got 3.642.
>
> I also have my mailscanner.conf set to 5 for flagging and 9 for high spam
> deletion.
> X-century-MailScanner-Information: Please contact the ISP for more
> information
> X-century-MailScanner: Found to be clean
> X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642,
> required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00,
> HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
> RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10,
> WHY_WAIT 0.48)
> X-century-MailScanner-SpamScore: sss

As discussed multiple times on the list, lower the HABEAS_SWE to -1 or something. -8 is way over the top it seems. Also these ones are stopped a lot of the time with the BigEvil list, check http://mailscanner.prolocation.net for a simple script to update that list.

Bye,
Raymond.

From steve.swaney at FSL.COM Sun Jan 18 22:49:00 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To:
Message-ID: <20040118224900.C3E5021C2BE@mail.fsl.com>

Add this line to /etc/MailScanner/spam.assassin.prefs.conf:

score HABEAS_SWE -1.0

Where 2.0 is some number much less than -8.0! Your spam received a "credit" of -8.0 in the spamassassin score.

Lots more on this topic in the list archives and the spamassassin mail list.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Howard > Sent: Sunday, January 18, 2004 5:42 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: How to stop this spam? > > Can someone tell what's the best way to stop this type of spam: It only > got 3.642. > > I also have my mailscanner.conf set to 5 for flagging and 9 for high spam > deletion. > > Message-ID: > X-Habeas-SWE-1: winter into spring > X-Habeas-SWE-2: brightly anticipated > X-Habeas-SWE-3: like Habeas SWE (tm) > X-Habeas-SWE-4: Copyright 2002 Habeas (tm) > X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this > X-Habeas-SWE-6: email in exchange for a license for this Habeas > X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant > X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this > X-Habeas-SWE-9: mark in spam to . 
> From: "Carroll Bruno" > Reply-To: "Carroll Bruno" > Date: Sun, 18 Jan 2004 06:12:41 -0400 > X-Mailer: THOR 2.6a (Amiga;TCP/IP) > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="--69495004589733859" > X-Priority: 5 > X-century-MailScanner-Information: Please contact the ISP for more > information > X-century-MailScanner: Found to be clean > X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642, > required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00, > HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, > MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25, > RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10, > WHY_WAIT 0.48) > X-century-MailScanner-SpamScore: sss > > > > SUBJECT: LOw Cost Val?(u)m, Viagr@, X(a)n@x, Som@ Di3t Pills Many M3ds > 70du2kKS81b2am > > Body: > > > > Get Your Meds Here > > > > > > > > > > Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A (Cialis) > > > > We believe ordering medication should be as simple as ordering anything > else on the > Internet. Private, secure, and easy. > > > > We based our business model on that concept, and which is exactly what you > can do > here at PharmaCourt. > > > > Choose from ff: Weight Loss, Men's Health, Pain Relief, Muscle Relaxers, > Stop > Smoking and Anti-Depressants. > > > > No prescription required, no long lengthy forms to fill out. So why wait > choose your > product and start living a healthier live today. > > > > > > > We ship WORLDWIDE. > > > > > > > > > It flutters and murmurs still: > > Between the dark and the daylight, > > The pleasant streets of that dear old town, > > My spirit drank repose; > > > > > > > > Get Your Meds Here > > > > > > > > > > Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > From spam at CRYING.COM Sun Jan 18 23:03:38 2004 
From: spam at CRYING.COM (spam@CRYING.COM)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
Message-ID:

Thanks.. Where exactly would I find: HABEAS_SWE to lower it?

I've looked in my spam.assassin.prefs.conf and I don't see it in it.

Thanks

From peter at UCGBOOK.COM Sun Jan 18 23:05:28 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To:
References:
Message-ID: <400B1138.4050107@ucgbook.com>

Put "score HABEAS_SWE -1" in spam.assassin.prefs.conf.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

spam@CRYING.COM wrote:
> Thanks.. Where exactly would I find: HABEAS_SWE to lower it?
>
> I've looked in my spam.assassin.prefs.conf and I don't see it in it.
>
> Thanks
>

From spam at CRYING.COM Sun Jan 18 23:06:30 2004
From: spam at CRYING.COM (spam@CRYING.COM)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
Message-ID:

Okay I did that...

Do I also need to add a line about Bigevil in the /etc/MailScanner/spam.assassin.prefs.conf?

Thanks

From raymond at PROLOCATION.NET Sun Jan 18 23:08:36 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To:
Message-ID:

Hi!

> Okay I did that...
>
> Do I also need to add a line about Bigevil in
> the /etc/MailScanner/spam.assassin.prefs.conf?

No, and please also quote the original message, people have no idea what you are talking about when reading a thread.

Thanks.
Raymond.

From mike at CAMAROSS.NET Sun Jan 18 23:48:09 2004
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:54 2006 Subject: How to stop this spam? In-Reply-To: Message-ID: <200401182346.i0INkwiG013880@avwall.bladeware.com> This was covered last week. Try adjusting your score for HABEAS_SWE from -8.00 to something more sensible. You might also consider checking your SpamAssassin version. A new version was just released, although I don't know if Habeas was addressed or not. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Howard > Sent: Sunday, January 18, 2004 4:42 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: How to stop this spam? > > Can someone tell what's the best way to stop this type of > spam: It only got 3.642. > > I also have my mailscanner.conf set to 5 for flagging and 9 > for high spam deletion. > > Message-ID: > X-Habeas-SWE-1: winter into spring > X-Habeas-SWE-2: brightly anticipated > X-Habeas-SWE-3: like Habeas SWE (tm) > X-Habeas-SWE-4: Copyright 2002 Habeas (tm) > X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this > X-Habeas-SWE-6: email in exchange for a license for this Habeas > X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant > X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this > X-Habeas-SWE-9: mark in spam to . 
> From: "Carroll Bruno" > Reply-To: "Carroll Bruno" > Date: Sun, 18 Jan 2004 06:12:41 -0400 > X-Mailer: THOR 2.6a (Amiga;TCP/IP) > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="--69495004589733859" > X-Priority: 5 > X-century-MailScanner-Information: Please contact the ISP for > more information > X-century-MailScanner: Found to be clean > X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642, > required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00, > HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, > MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25, > RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10, > WHY_WAIT 0.48) > X-century-MailScanner-SpamScore: sss > > > > SUBJECT: LOw Cost Val?(u)m, Viagr@, X(a)n@x, Som@ Di3t Pills > Many M3ds 70du2kKS81b2am > > Body: > > > > Get Your Meds Here > > > > > > > > > > Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A (Cialis) > > > > We believe ordering medication should be as simple as > ordering anything else on the Internet. Private, secure, and easy. > > > > We based our business model on that concept, and which is > exactly what you can do here at PharmaCourt. > > > > Choose from ff: Weight Loss, Men's Health, Pain Relief, > Muscle Relaxers, Stop Smoking and Anti-Depressants. > > > > No prescription required, no long lengthy forms to fill out. > So why wait choose your product and start living a healthier > live today. > > > > > > > We ship WORLDWIDE. > > > > > > > > > It flutters and murmurs still: > > Between the dark and the daylight, > > The pleasant streets of that dear old town, > > My spirit drank repose; > > > > > > > > Get Your Meds Here > > > > > > > > > > Premiere Source for X:A:N:A:X, V:A:L:I:U:M, V:I:A:G:R:A > From raymond at PROLOCATION.NET Sun Jan 18 23:52:36 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To: <200401182346.i0INkwiG013880@avwall.bladeware.com>
Message-ID:

Hi!

> Try adjusting your score for HABEAS_SWE from -8.00 to something more
> sensible. You might also consider checking your SpamAssassin version. A
> new version was just released, although I don't know if Habeas was addressed
> or not.

They changed some of the header detection, but score still is listed as -8.

Bye,
Raymond.

From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 18 23:52:45 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:54 2006
Subject: How to stop this spam?
In-Reply-To: <200401182346.i0INkwiG013880@avwall.bladeware.com>
Message-ID: e
> sensible. You might also consider checking your SpamAssassin version. A
> new version was just released, although I don't know if Habeas
> was addressed
> or not.
>

Nope. It's still there.

As mentioned earlier today, the easiest solution is to set the habeas score via MS instead of SA

From gdoris at ROGERS.COM Mon Jan 19 01:14:37 2004
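The scoring arithmetic behind the HABEAS_SWE replies above, as an added example that is not part of the original messages: it parses the SpamCheck header quoted in the thread, recomputes the total with "score HABEAS_SWE -1" applied, and names the negative rule that alone keeps the message under the threshold. The function names are hypothetical, the thresholds 5 and 9 are the ones Howard states, and treating a score equal to a threshold as reaching it is an assumption.

```python
import re

# Header exactly as it is quoted in the thread, reply markers and folding included.
QUOTED_HEADER = """\
> X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642,
> required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00,
> HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
> MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
> RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10,
> WHY_WAIT 0.48)
"""

REQUIRED = 5.0  # flagging threshold Howard states
HIGH = 9.0      # high-scoring threshold Howard states

_SPAMCHECK_RE = re.compile(
    r"SpamAssassin \(score=(-?\d+(?:\.\d+)?),\s*required (-?\d+(?:\.\d+)?)(.*?)\)"
)


def parse_spamcheck(text):
    """Return (score, required, {rule: points}) from a SpamCheck header.

    Accepts the header as pasted from a reply: leading '>' quote markers
    are stripped and folded continuation lines are joined first.
    """
    lines = [re.sub(r"^[>\s]+", "", line) for line in text.splitlines()]
    unfolded = " ".join(part for part in lines if part)
    match = _SPAMCHECK_RE.search(unfolded)
    if match is None:
        raise ValueError("no SpamAssassin score report found")
    rules = {}
    for item in match.group(3).split(","):
        item = item.strip()
        if not item:
            continue
        name, points = item.rsplit(None, 1)
        rules[name] = float(points)
    return float(match.group(1)), float(match.group(2)), rules


def rescore(rules, overrides):
    """Total after applying 'score NAME value' overrides to the rules that hit."""
    adjusted = {name: overrides.get(name, pts) for name, pts in rules.items()}
    return round(sum(adjusted.values()), 3)


def classify(score, required=REQUIRED, high=HIGH):
    """Verdict for a total score (assumes >= comparison at both thresholds)."""
    if score >= high:
        return "high scoring spam"
    if score >= required:
        return "spam"
    return "not spam"


def masking_rules(rules, required=REQUIRED):
    """Negative rules whose credit alone keeps the total below the threshold."""
    total = sum(rules.values())
    return sorted(
        name for name, pts in rules.items()
        if pts < 0 and total < required <= total - pts
    )


if __name__ == "__main__":
    score, required, rules = parse_spamcheck(QUOTED_HEADER)
    print("reported score:", score, "->", classify(score, required))
    print("sum of listed rules:", rescore(rules, {}))
    what_if = rescore(rules, {"HABEAS_SWE": -1.0})
    print("with HABEAS_SWE -1:", what_if, "->", classify(what_if, required))
    print("rules masking a spam verdict:", masking_rules(rules, required))
```

Running the same functions over other headers from a quarantine or mail log shows which locally overridden scores are worth setting before editing spam.assassin.prefs.conf.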
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:54 2006 Subject: SpamAssasin help In-Reply-To: References: Message-ID: On Sun, 18 Jan 2004, Raymond Dijkxhoorn wrote: > Hi! > > > 1. cd /etc/mail/spamassassin > > rm bigevil.cf > > Now download the file directly into the dir using your Linux console > > 2. wget http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf > > Now restart MailScanner (assume you use Red Hat) > > You can do this with the script i made, follow the leads on > http://mailscanner.prolocation.net > > This you can use to update the BigEvil rules... > > Bye, > Raymond. BTW, I meant to thank you for that script. I was just sitting down to write one myself and decided to check my email first...and there it was! -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From spam at CRYING.COM Mon Jan 19 03:20:27 2004 From: spam at CRYING.COM (Howard) Date: Thu Jan 12 21:21:54 2006 Subject: CF RULES Message-ID: I've got the following running fine and was wondering if anyone had any comments if I should be running more or less: -rw-r--r-- 1 root root 6051 Jan 15 13:34 backhair.cf -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf -rw-r--r-- 1 root root 22814 Jan 17 09:18 chickenpox.cf -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf Also, does anyone have any comments on running: http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf Lastly, I get a bunch of these text body mails: ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon loxkx qzderwd camnjcwr vxexbqasb, rdtgq zldvrcrh fctzx rarsf. zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd fxsowmz kevki ffnznyor cczmfwv swktch qfttob herbri chzddvvpq- ipaceshqg What filter would take care of this? Thanks From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 19 09:09:13 2004 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:54 2006 Subject: CF RULES In-Reply-To: Message-ID: > Lastly, I get a bunch of these text body mails: > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon loxkx qzderwd > camnjcwr > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd > fxsowmz kevki ffnznyor cczmfwv > swktch qfttob herbri chzddvvpq- ipaceshqg The bigevil and some of the other SA extensions attempt to score this kind of stuff higher, but from what I can see it's a very imperfect science. You may need to rely on other methods to balance it off ie. using RBLs etc From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 19 10:55:45 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:54 2006 Subject: CF RULES Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44C@jessica.herefordshire.gov.uk> I'd recommend the tripwire rule from Chris Santerre's page to hit these: http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Howard > Sent: 19 January 2004 03:20 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: CF RULES > > > I've got the following running fine and was wondering if > anyone had any > comments if I should be running more or less: > > -rw-r--r-- 1 root root 6051 Jan 15 13:34 backhair.cf > -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf > -rw-r--r-- 1 root root 22814 Jan 17 09:18 chickenpox.cf > -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf > -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf > -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf > > Also, does anyone have any comments on running: > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > Lastly, I get a bunch of these text body mails: > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon > loxkx qzderwd > camnjcwr > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd > fxsowmz kevki ffnznyor cczmfwv > swktch qfttob herbri chzddvvpq- ipaceshqg > > What filter would take care of this? > > Thanks > From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 19 11:11:38 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:54 2006 Subject: CF RULES In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44C@jessica.herefordshire.gov.uk> Message-ID: How effective is this? My main concern with implementing extra rules is the risk of generating false positives.. Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 19 January 2004 10:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CF RULES > > > I'd recommend the tripwire rule from Chris Santerre's page to hit these: > > http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Howard > > Sent: 19 January 2004 03:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: CF RULES > > > > > > I've got the following running fine and was wondering if > > anyone had any > > comments if I should be running more or less: > > > > -rw-r--r-- 1 root root 6051 Jan 15 13:34 backhair.cf > > -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf > > -rw-r--r-- 1 root root 22814 Jan 17 09:18 chickenpox.cf > > -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf > > -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf > > -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf > > > > Also, does anyone have any comments on running: > > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > > > Lastly, I get a bunch of these text body mails: > > > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon > > loxkx qzderwd > > camnjcwr > > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd > > fxsowmz kevki ffnznyor cczmfwv > > swktch qfttob herbri chzddvvpq- ipaceshqg > > > > What filter would take care of this? > > > > Thanks > > > From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 19 11:33:19 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:54 2006 Subject: CF RULES Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44E@jessica.herefordshire.gov.uk> It looks very effective so far. The chickenpox rules give me more problems with false positives, so I may have to lower the scores on those. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 19 January 2004 11:12 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CF RULES > > > How effective is this? > > My main concern with implementing extra rules is the risk of > generating > false positives.. > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Randal, Phil > > Sent: 19 January 2004 10:56 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: CF RULES > > > > > > I'd recommend the tripwire rule from Chris Santerre's page > to hit these: > > > > http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf > > > > Cheers, > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- 
> > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Howard > > > Sent: 19 January 2004 03:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: CF RULES > > > > > > > > > I've got the following running fine and was wondering if > > > anyone had any > > > comments if I should be running more or less: > > > > > > -rw-r--r-- 1 root root 6051 Jan 15 13:34 > backhair.cf > > > -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf > > > -rw-r--r-- 1 root root 22814 Jan 17 09:18 > chickenpox.cf > > > -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf > > > -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf > > > -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf > > > > > > Also, does anyone have any comments on running: > > > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > > > > > Lastly, I get a bunch of these text body mails: > > > > > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > > > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon > > > loxkx qzderwd > > > camnjcwr > > > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > > > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm > inlpzlgf dkazd > > > fxsowmz kevki ffnznyor cczmfwv > > > swktch qfttob herbri chzddvvpq- ipaceshqg > > > > > > What filter would take care of this? > > > > > > Thanks > > > > > > From howard at harper-adams.ac.uk Mon Jan 19 12:51:12 2004 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:21:54 2006 Subject: Bigevil.cf/99_FVGT_Tripwier.cf scoring but not being marked as spam Message-ID: <200401191249.i0JCn6PB005921@blackhole.harper-adams.ac.uk> A non-text attachment was scrubbed... Name: not available Type: text/enriched Size: 1278 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040119/aa5dfcb1/attachment.bin From martinh at SOLID-STATE-LOGIC.COM Mon Jan 19 13:00:28 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:54 2006
Subject: Bigevil.cf/99_FVGT_Tripwier.cf scoring but not being marked as spam
In-Reply-To: <200401191249.i0JCn6PB005921@blackhole.harper-adams.ac.uk>
References: <200401191249.i0JCn6PB005921@blackhole.harper-adams.ac.uk>
Message-ID: <400BD4EC.90503@solid-state-logic.com>

Howard Robinson wrote:
> Hello
> I have added bigevil.cf and 99_FVGT_Tripwier.cf to the
> /etc/mail/spamassassin directory and restarted mailscanner.
> I have sent myself a snipped version of Phil Randal's email about cf
> rules containing just the words made of random selections of letters.
>
> Spamassassin is scoring them but BAYES is adding a minus score that then
> negates them. All the other scores seem to be from 99_FVGT_Tripwier.cf
>
> See below
> X-HAUC-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5,
> BAYES_01 -5.40, MSG_ID_ADDED_BY_MTA_2 0.79, QUOTED_EMAIL_TEXT -0.38,
> TW_BD 0.08, TW_CC 0.08, TW_DQ 0.08, TW_DV 0.08, TW_FN 0.08,
> ---snipped some out of the middle as more of the same--
> TW_ZM 0.08, TW_ZN 0.08, TW_ZR 0.08, TW_ZW 0.08, TW_ZZ 0.08)
> X-PMFLAGS: 34087040 0 1 Y0B111.CNM
>
> I'm unsure what to change to correct this.
>
>

Sorry I meant learn as spam - d'oh, goes and gets coat :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mkipness at GENIANT.COM Mon Jan 19 13:47:48 2004
From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:21:54 2006 Subject: SpamAssassin score missing? Message-ID: <399D85F2BB50BC4295F78EAE203D5C220604D1@dalsxc01.geniant.net> Anybody have any suggestion on this problem? Still getting tons of emails pass through with no score. I will probably upgrade SpamAssassin to the latest, but would like to know what causes this. --------------- Hi, I've been getting a lot of messages (spam) this morning that have no spam score. Some messages when looking the headers this morning do have: X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 8, HTML_80_90 0.50) But some just have: X-MailScanner-SpamCheck: With nothing after the colon. Does this mean SpamAssassin is timing out? I see no indication of any problem in the mail logs. How can I fix? Thanks, Max From Uwe.Krause at FEP.FHG.DE Mon Jan 19 13:50:49 2004 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:54 2006 Subject: SpamAssassin score missing? Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CBE5@midgard.fep.fhg.de> What about the debug mode ? Send the output .... Uwe From dustin.baer at IHS.COM Mon Jan 19 14:00:42 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:54 2006 Subject: Another silent virus addition - W32/Bagle-A Message-ID: <400BE30A.DC41E00B@ihs.com> It appears that W32/Bagle-A spoofs the sender's address. You all might want to add it to your list of Silent Viruses Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mkbowman at neo.rr.com Mon Jan 19 14:04:30 2004 
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:21:54 2006
Subject: Another silent virus addition - W32/Bagle-A
References: <400BE30A.DC41E00B@ihs.com>
Message-ID: <000501c3de95$28805be0$a767a8c0@MKBOWMAN2>

Hello,

Is there a way of breaking down the Virus notifications to specific Viruses? For example a client of ours doesn't want to receive any notifications about the W32/Bagle-A but still need to receive notifications about other viruses.

I'm using MailScanner v 4.25-4, sendmail, RH9.

Thank you
Matthew

----- Original Message -----
From: "Dustin Baer"
To:
Sent: Monday, January 19, 2004 9:00 AM
Subject: Another silent virus addition - W32/Bagle-A

> It appears that W32/Bagle-A spoofs the sender's address. You all might
> want to add it to your list of Silent Viruses
>
> Dustin
> --
> Dustin Baer
> Unix Administrator/Postmaster
> Information Handling Services
> 15 Inverness Way East
> Englewood, CO 80112
> 303-397-2836
>

From raymond at PROLOCATION.NET Mon Jan 19 14:08:00 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:54 2006
Subject: Another silent virus addition - W32/Bagle-A
In-Reply-To: <400BE30A.DC41E00B@ihs.com>
Message-ID:

Hi!

> It appears that W32/Bagle-A spoofs the sender's address. You all might
> want to add it to your list of Silent Viruses

Correct. See also:

http://www.f-secure.com/v-descs/bagle.shtml
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html

Most virus packages already support this new one.

1728 W32/Sober.C@mm
1364 W32/Swen.A@mm
 351 W32/Bagle.A@mm

Not as bad as the other Sober and Swen yet, but it's coming up hard.

Bye,
Raymond.

From steve.freegard at LBSLTD.CO.UK Mon Jan 19 14:27:01 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:54 2006
Subject: CF RULES
Message-ID: <67D9E7698329D411936E00508B6590B902773DE4@neelix.lbsltd.co.uk>

I personally use BigEvil, Tripwire, Popcorn/Backhair/Weeds and Chickenpox and haven't had any problems with FP's.

However - as I have a reasonably well trained bayes database, I modify the low-end and high-end bayes scores just to be on the safe side:

score BAYES_00 -15.0
score BAYES_01 -5.0
score BAYES_90 5.0
score BAYES_99 15.0

As I did this quite some time ago - the recently misused HABEAS_SWE headers didn't affect me at all:

SpamAssassin Score: 44.16
Spam Report:

 Score  Matching Rule            Description
 15.00  BAYES_99                 Bayesian spam probability is 99 to 100%
  0.10  BIZ_TLD                  Contains a URL in the BIZ top-level domain
  3.00  BigEvilList_131          Generated BigEvilList_131
  0.75  DATE_IN_PAST_12_24       Date: is 12 to 24 hours before Received: date
 -8.00  HABEAS_SWE               Has Habeas warrant mark (http://www.habeas.com/)
  0.10  HTML_50_60               Message is 50% to 60% HTML
  0.10  HTML_MESSAGE             HTML HTML included in message
 17.00  J_BACKHAIR_XX            (Matched 17x BACKHAIR rules - snipped)
  1.20  J_CHICKENPOX_XX          (Matched 2x CHICKENPOX rules - snipped)
  0.32  MIME_HTML_ONLY           Message only has text/html MIME parts
  1.10  MIME_HTML_ONLY_MULTI     Multipart message only has text/html MIME parts
  3.51  PYZOR_CHECK              Listed in Pyzor (http://pyzor.sf.net/)
  1.10  RAZOR2_CF_RANGE_51_100   Razor2 gives confidence between 51 and 100
  1.05  RAZOR2_CHECK             Listed in Razor2 (http://razor.sf.net/)
  1.50  RCVD_IN_BL_SPAMCOP_NET   Received via a relay in bl.spamcop.net
  5.00  RCVD_IN_CBL              Received via a relay in cbl.abuseat.org
  0.10  RCVD_IN_RFCI             Sent via a relay in ipwhois.rfc-ignorant.org
  1.23  WHY_WAIT                 What are you waiting for

Seems to work well for me as long as I make sure that the bayes database is well fed...

Cheers,
Steve.

-----Original Message-----
From: Michele Neylon :: Blacknight Solutions [mailto:michele@BLACKNIGHTSOLUTIONS.COM] Sent: 19 January 2004 11:12 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: CF RULES How effective is this? My main concern with implementing extra rules is the risk of generating false positives.. Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 19 January 2004 10:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CF RULES > > > I'd recommend the tripwire rule from Chris Santerre's page to hit > these: > > http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Howard > > Sent: 19 January 2004 03:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: CF RULES > > > > > > I've got the following running fine and was wondering if anyone had > > any comments if I should be running more or less: > > > > -rw-r--r-- 1 root root 6051 Jan 15 13:34 backhair.cf > > -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf > > -rw-r--r-- 1 root root 22814 Jan 17 09:18 chickenpox.cf > > -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf > > -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf > > -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf > > > > Also, does anyone have any comments on running: > > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > > > Lastly, I get a bunch of these text body mails: > > > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon loxkx > > qzderwd camnjcwr > > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd > > fxsowmz kevki ffnznyor cczmfwv > > swktch qfttob herbri chzddvvpq- ipaceshqg > > > > What filter would take care of this? > > > > Thanks > > > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From gioia at bclink.it Mon Jan 19 14:26:08 2004 
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:54 2006
Subject: R: Little Report problem with Postfix - continued
In-Reply-To: <6.0.1.1.2.20040116223840.03ea4ec0@imap.ecs.soton.ac.uk>
Message-ID:

Thanks Julian!

I think I'm a bit late for this but.. HAPPY BIRTHDAY !! :)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Julian Field
Sent: Friday 16 January 2004 23.40
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Little Report problem with Postfix - continued

At 21:45 16/01/2004, you wrote:
>Julian Field wrote:
>>At 20:45 16/01/2004, you wrote:
>>>I run postfix and have patched the Message.pm file (Which works great
>>>thanks Julian - oh and by the way, Happy Birthday!) but now I get:
>>>
>>>mailto --> postmaster = OK no duplicated recipients (Fixed!)
>>>mailto --> recipient = Works normally
>>>mailto --> sender of Virus = recipients duplicated!!
>>>
>>>Where (And I guess what) do I need to patch to fix the warning message
>>>to only show the one recipient?
>>
>>Have you tried the latest beta release of MailScanner?
>
>Julian
>
>Yes, I have just upgraded and get:
>
>Our virus detector has just been triggered by a message you sent:-
>To: drew@themarshalls.co.uk,
>drew@themarshalls.co.uk
>Subject: A test
>Date: Fri Jan 16 21:39:22 2004
>Any infected parts of the message (eicarcom2.zip)
>have not been delivered.
>
>
>The postmaster message is fine.

Try the attached Message.pm, this should fix the remaining recipient duplication problems.

>PS I thought you were supposed to be sipping wine with your feet up as you
>are the birthday boy :-)

I have been, about to go and get some sleep :-)

From steve.douglas at SBIINCORPORATED.COM Mon Jan 19 14:53:58 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>

I have been watching my mail log with MailScanner and noticed the below syntax and don't understand what it is saying. Would anyone have a suggestion? I tried to send me an email and it has not been delivered. My gateway forwards the mail to an internal email exchange server. The SPAM gateway is running the latest SA and MS.

Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot

SD :-)

From dustin.baer at IHS.COM Mon Jan 19 14:58:25 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
References: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
Message-ID: <400BF091.1F88735E@ihs.com>

Steve Douglas wrote:
>
> I have been watching my mail log with MailScanner and noticed the below
> syntax and don't understand what it is saying. Would anyone have a
> suggestion? I tried to send me an email and it has not been delivered. My
> gateway forwards the mail to an internal email exchange server. The SPAM
> gateway is running the latest SA and MS.
>
> Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not
> issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot
>
> SD :-)

It just means that someone has connected to your mail server and never issued any real email commands, i.e. MAIL, EXPN, VRFY, ETRN, that would normally be given after a HELO, or EHLO command.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From dwinkler at ALGORITHMICS.COM Mon Jan 19 14:57:35 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B13B@tormail2.algorithmics.com>

It means exactly what it says something connected to sendmail and did not issue any commands that it would expect.

Someone may have been testing to see if sendmail was up and running or doing a port/vulnerability scan to find your sendmail version.

This probably has nothing to do with mail not being delivered.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Douglas
Sent: Monday, January 19, 2004 9:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ETRN message

I have been watching my mail log with MailScanner and noticed the below syntax and don't understand what it is saying. Would anyone have a suggestion? I tried to send me an email and it has not been delivered. My gateway forwards the mail to an internal email exchange server. The SPAM gateway is running the latest SA and MS.

Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot

SD :-)

From mailscanner at ecs.soton.ac.uk Mon Jan 19 14:58:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
Message-ID: <6.0.1.1.2.20040119145738.03a24b70@imap.ecs.soton.ac.uk>

MS does not get involved with SMTP service at all, so this is not a MailScanner problem.

The error means that whatever tried to connect to your mail server didn't actually try to send a message, it just said HELO and then broke the connection.

Is your server load very high?

At 14:53 19/01/2004, you wrote:
>I have been watching my mail log with MailScanner and noticed the below
>syntax and don't understand what it is saying. Would anyone have a
>suggestion? I tried to send me an email and it has not been delivered. My
>gateway forwards the mail to an internal email exchange server. The SPAM
>gateway is running the latest SA and MS.
>
>Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
>Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot
>
>SD :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gdoris at rogers.com Mon Jan 19 15:09:23 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
Message-ID: <53831.129.80.22.133.1074524963.squirrel@tiger.dorfam.ca>

> I have been watching my mail log with MailScanner and noticed the below
> syntax and don't understand what it is saying. Would anyone have a
> suggestion? I tried to send me an email and it has not been delivered. My
> gateway forwards the mail to an internal email exchange server. The SPAM
> gateway is running the latest SA and MS.
>
> Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not
> issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot
>
> SD :-)
>

Do a "telnet server_name 25" and issue a "ehlo" command. Exit telnet and look at your mail log.

Gerry

From steve.swaney at FSL.COM Mon Jan 19 15:25:07 2004
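Added example, not part of any list message: the replies in the ETRN thread above explain that this sendmail log entry records a client that connected and left without starting a mail transaction. The sketch below pulls those entries out of a mail log and separates one-off connections from sources that repeat within a short window. Every log line except the one quoted in the thread is constructed, and the 10-minute window, the threshold of 3 and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sendmail logs the client either as "[ip]" or as "rdns-name [ip]".
NO_CMD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): (?:(?P<rdns>\S+) )?\[(?P<ip>[^\]]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to (?P<daemon>\S+)$"
)

# First line is the one quoted in the thread; the rest are constructed samples
# using documentation address ranges.
SAMPLE_LOG = """\
Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 19 09:01:02 mail sendmail[30411]: i0JF12jd030411: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 19 09:01:40 mail sendmail[30412]: i0JF1ejd030412: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 19 09:03:15 mail sendmail[30415]: i0JF3Fjd030415: probe.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 19 09:04:00 mail sendmail[30420]: i0JF40jd030420: from=<user@example.org>, size=1843, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Jan 19 09:30:00 mail sendmail[30500]: i0JFU0jd030500: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 19 13:30:00 mail sendmail[31900]: i0JJU0jd031900: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
""".splitlines()


def parse_no_command_events(lines, year=2004):
    """Return one dict per 'did not issue ...' entry; other lines are ignored.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in lines:
        m = NO_CMD_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "ip": m["ip"], "rdns": m["rdns"],
                       "qid": m["qid"], "daemon": m["daemon"]})
    return events


def busiest_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarise(events, window=timedelta(minutes=10), threshold=3):
    """Per-source totals, plus a flag for sources that repeat inside the window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["time"])
    report = {}
    for ip, times in by_ip.items():
        peak = busiest_window(times, window)
        report[ip] = {"total": len(times), "peak": peak,
                      "first": min(times), "last": max(times),
                      "repeated": peak >= threshold}
    return report


if __name__ == "__main__":
    for ip, row in summarise(parse_no_command_events(SAMPLE_LOG)).items():
        tag = "REPEATED" if row["repeated"] else "one-off/sparse"
        print(f"{ip:15} total={row['total']} peak={row['peak']} {tag}")
```
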
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:55 2006
Subject: Automatic download of extra SA rule sets
Message-ID: <20040119152510.9114621C295@mail.fsl.com>

Chris Thielen has written a VERY complete and well thought out script to download the most commonly used SA rules files and posted a link to his script on the SA mail list:

http://sandgnat.com/cmos/rules_du_jour

I have tested this script and it required only minor configuration changes to work with MailScanner. It would also be very easy to extend the script to get additional Rule Sets.

A couple of caveats:

1. Test first with the Debug flag set.

2. my /etc/mail/spamassassin/local.cf was very old (and not needed). This kept spamassassin --lint from running without errors. I removed the file and all was well.

3. Saving the file from a web browser created some problems, run:

   wget http://sandgnat.com/cmos/rules_du_jour

   to get the file.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

From steve.douglas at SBIINCORPORATED.COM Mon Jan 19 15:28:23 2004
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:21:55 2006
Subject: ETRN message
Message-ID: <3963522F0E71474CB14C0FF54A6914F701AF3A29@mail.gardenbotanika.com>

Thank you. Just a bit mystified. The email I sent to myself as a test is not getting to me yet I am not receiving any error from an external account I used to test with.

-----Original Message-----
From: Derek Winkler [mailto:dwinkler@ALGORITHMICS.COM]
Sent: Monday, January 19, 2004 8:58 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ETRN message

It means exactly what it says something connected to sendmail and did not issue any commands that it would expect.

Someone may have been testing to see if sendmail was up and running or doing a port/vulnerability scan to find your sendmail version.

This probably has nothing to do with mail not being delivered.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Douglas
Sent: Monday, January 19, 2004 9:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ETRN message

I have been watching my mail log with MailScanner and noticed the below syntax and don't understand what it is saying. Would anyone have a suggestion? I tried to send me an email and it has not been delivered. My gateway forwards the mail to an internal email exchange server. The SPAM gateway is running the latest SA and MS.

Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot

SD :-)

From spam at CRYING.COM Mon Jan 19 15:30:18 2004
From: spam at CRYING.COM (Howard)
Date: Thu Jan 12 21:21:55 2006
Subject: Adding these .cf's
Message-ID:

Also, does anyone have any comments on running:
http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf

or the http://www.stearns.org/sa-blacklist/sa-blacklist.2004011601.cf

Any problems in adding these lists?

From gdoris at rogers.com Mon Jan 19 15:31:22 2004
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:55 2006 Subject: CF RULES In-Reply-To: <67D9E7698329D411936E00508B6590B902773DE4@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773DE4@neelix.lbsltd.co.uk> Message-ID: <33815.129.80.22.143.1074526282.squirrel@tiger.dorfam.ca> > I personally use BigEvil, Tripwire, Popcorn/Backhair/Weeds and Chickenpox > and haven't had any problems with FP's. > > However - as I have a reasonably well trained bayes database, I modify the > low-end and high-end bayes scores just to be on the safe side: > > score BAYES_00 -15.0 > score BAYES_01 -5.0 > score BAYES_90 5.0 > score BAYES_99 15.0 > > As I did this quite some time ago - the recently misused HABEAS_SWE headers > didn't affect me at all: > > SpamAssassin Score: 44.16 > Spam Report: ...snip I've added some of these rules to /etc/mail/spamassassin and they do work. However, I'm a little nervous about the amount of matches that are added to the header. Isn't there a limit on the size of the headers? It would be much better if hits were summarized ie 8 instead of 100 Fred's Rules all at .08 but I don't know how to do that. Gerry From steve.swaney at FSL.COM Mon Jan 19 15:39:08 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:55 2006 Subject: Automatic download of extra SA rule sets Message-ID: <20040119153911.65D6121C291@mail.fsl.com> This bounced back from the list as a duplicate post. I did not receive it and don't think I posted it twice so I'm posting again. Sorry if it's really a duplicate. Steve -----Original Message----- 
From: Stephen Swaney [mailto:steve.swaney@fsl.com] Sent: Monday, January 19, 2004 10:25 AM To: 'MailScanner mailing list' Subject: Automatic download of extra SA rule sets Chris Thielen has written a VERY complete and well thought out script to download the most commonly used SA rules files and posted a link to his script on the SA mail list: http://sandgnat.com/cmos/rules_du_jour I have tested this script and it required only minor configuration changes to work with MailScanner. It would also be very easy to extend the script to get additional Rule Sets. A couple of caveats: 1. Test first with the Debug flag set. 2. my /etc/mail/spamassassin/local.cf was very old (and not needed). This kept spamassassin --lint from running with out errors. I removed the file and all was well. 3. Saving the file from a web browser created some problems, run: wget http://sandgnat.com/cmos/rules_du_jour to get the file. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com From nathan at TCPNETWORKS.NET Mon Jan 19 15:45:51 2004 
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:55 2006 Subject: Tips on Manual Bayes Training? Message-ID: Quick question for those of you with well-trained bayes databases. I'm planning to set up some spam traps. Question: Is there any advantage to learning messages already marked as spam by SpamAssassin? Logistically, it makes sense only to feed false negatives and false positives. For the time being, I'm planning on using MailScanner's "Non Spam Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false negatives and then learn them into the bayes database. This is an attempt to offset some of the poisoning that's been affecting us lately. This doesn't take ham into account, but then I haven't had a lot of problems with false positives. Any suggestions or alternative methods? I like the idea of end users redirecting spam to the appropriate spam/ham mailboxes, but the majority of them are using Outlook or Outlook Express and don't have any way to do this. Nathan From neilrobst at ALM.ORG.UK Mon Jan 19 15:49:02 2004 
From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:55 2006 Subject: Tips on Manual Bayes Training? In-Reply-To: References: Message-ID: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Hi Nathan, My users use the Courier IMAP mailserver with Outlook and Outlook 2000. Both clients are able to make use of shared-folders you can setup in Courier IMAP. Thus, with this mechanism you can create a shared SPAM folder for users to manually copy un-marked SPAM into... Regards, Neil On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > Quick question for those of you with well-trained bayes databases. > > I'm planning to set up some spam traps. Question: Is there any advantage > to learning messages already marked as spam by SpamAssassin? > Logistically, it makes sense only to feed false negatives and false > positives. > > For the time being, I'm planning on using MailScanner's "Non Spam > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > negatives and then learn them into the bayes database. This is an > attempt to offset some of the poisoning that's been affecting us lately. > This doesn't take ham into account, but then I haven't had a lot of > problems with false positives. > > Any suggestions or alternative methods? > > I like the idea of end users redirecting spam to the appropriate > spam/ham mailboxes, but the majority of them are using Outlook or > Outlook Express and don't have any way to do this. > > Nathan From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 19 16:03:20 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:55 2006 Subject: Adding these .cf's Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44F@jessica.herefordshire.gov.uk> I would say yes, at first look they'll block legit email too. You're better sticking with Chris Santerre's bigevil.cf, IMHO. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Howard > Sent: 19 January 2004 15:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Adding these .cf's > > > Also, does anyone have any comments on running: > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > or the http://www.stearns.org/sa-blacklist/sa-blacklist.2004011601.cf > > Any problems in adding these lists? > From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 19 16:04:31 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:55 2006 Subject: Tips on Manual Bayes Training? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C450@jessica.herefordshire.gov.uk> Don't forget that what Spamassassin marks as spam isn't necessarily "learnt" as such, so I'd feed your spam corpus to sa-learn too. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Nathan Johanson > Sent: 19 January 2004 15:46 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Tips on Manual Bayes Training? > > > Quick question for those of you with well-trained bayes databases. > > I'm planning to set up some spam traps. Question: Is there > any advantage > to learning messages already marked as spam by SpamAssassin? > Logistically, it makes sense only to feed false negatives and false > positives. > > For the time being, I'm planning on using MailScanner's "Non Spam > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > negatives and then learn them into the bayes database. This is an > attempt to offset some of the poisoning that's been affecting > us lately. > This doesn't take ham into account, but then I haven't had a lot of > problems with false positives. > > Any suggestions or alternative methods? > > I like the idea of end users redirecting spam to the appropriate > spam/ham mailboxes, but the majority of them are using Outlook or > Outlook Express and don't have any way to do this. > > Nathan > From cwharris at MORGAN.NET Mon Jan 19 16:17:49 2004 From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:55 2006 Subject: Tips on Manual Bayes Training? References: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net> I am going to install an IMAP server soon, is Courier preferred? I noticed that some people used Cyrus? is one better than the other? ----- Original Message ----- 
From: "Neil Robst" To: Sent: Monday, January 19, 2004 9:49 AM Subject: Re: Tips on Manual Bayes Training? > Hi Nathan, > > My users use the Courier IMAP mailserver with Outlook and Outlook 2000. > Both clients are able to make use of shared-folders you can setup in > Courier IMAP. Thus, with this mechanism you can create a shared SPAM > folder for users to manually copy un-marked SPAM into... > > Regards, > Neil > > On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > > Quick question for those of you with well-trained bayes databases. > > > > I'm planning to set up some spam traps. Question: Is there any advantage > > to learning messages already marked as spam by SpamAssassin? > > Logistically, it makes sense only to feed false negatives and false > > positives. > > > > For the time being, I'm planning on using MailScanner's "Non Spam > > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > > negatives and then learn them into the bayes database. This is an > > attempt to offset some of the poisoning that's been affecting us lately. > > This doesn't take ham into account, but then I haven't had a lot of > > problems with false positives. > > > > Any suggestions or alternative methods? > > > > I like the idea of end users redirecting spam to the appropriate > > spam/ham mailboxes, but the majority of them are using Outlook or > > Outlook Express and don't have any way to do this. > > > > Nathan > > From dustin.baer at IHS.COM Mon Jan 19 16:16:29 2004 
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:21:55 2006
Subject: SpamAssassin score missing?
References: <399D85F2BB50BC4295F78EAE203D5C220604C8@dalsxc01.geniant.net>
Message-ID: <400C02DD.15B8B408@ihs.com>

Max Kipness wrote:
>
> Hi,
>
> I've been getting a lot of messages (spam) this morning that have no
> spam score. Some messages when looking the headers this morning do have:
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 8,
> HTML_80_90 0.50)
>
> But some just have:
>
> X-MailScanner-SpamCheck:
>
> With nothing after the colon. Does this mean SpamAssassin is timing out?
> I see no indication of any problem in the mail logs.
>
> How can I fix?
>
> Thanks,
> Max

Do you have a ruleset for your "Spam Checks" in MailScanner.conf? When I
have "no" in my ruleset, there is nothing after the colon.

Timeout should say "not spam, SpamAssassin (timed out)"

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From steve.freegard at LBSLTD.CO.UK Mon Jan 19 16:20:00 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:55 2006 Subject: CF RULES Message-ID: <67D9E7698329D411936E00508B6590B902773DEB@neelix.lbsltd.co.uk> > > ...snip > > I've added some of these rules to /etc/mail/spamassassin and > they do work. However, I'm a little nervous about the amount > of matches that are added to the header. Isn't there a limit > on the size of the headers? > > It would be much better if hits were summarized ie 8 instead > of 100 Fred's Rules all at .08 but I don't know how to do that. > > > Gerry > I'm sure someone asked this on the SA-list the other day he was having that exact problem with Exim barfing on the header being too long. I'm not sure what the limit is on Sendmail - I had a quick Google but couldn't find it, and I'm not bothered about downloading the source to check :-)) Because of this the Tripwire rules were renamed from FVGT_TRIPWIRE_?? To TW_?? - but I don't believe that there is a way to combine multiple matching rules into one combined for the report - I just did it by hand to save bandwidth on my post :-)) If you're paranoid about this you could always turn off the 'Detailed Spam Report' option in MailScanner.conf. Kind regards, Steve. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From neilrobst at ALM.ORG.UK Mon Jan 19 16:19:51 2004 
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:55 2006
Subject: [OT] IMAP servers (was Re: Tips on Manual Bayes Training?)
In-Reply-To: <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net>
References: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net>
Message-ID: <1074529191.9605.132.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

Hi Chris,

I've used Cyrus, Courier and UW-IMAP. At the moment I think my
preference is for Courier as, IMHO, it has a good balance of features
against ease of setup / use. I specifically wanted one that would
integrate best with my LDAP directory. Plus my mail server is a closed
box to users so I didn't want their accounts in /etc/passwd, etc...

Regards,
Neil

On Mon, 2004-01-19 at 16:17, Chris wrote:
> I am going to install an IMAP server soon, is Courier preferred? I noticed
> that some people used Cyrus? is one better than the other?
>
> ----- Original Message -----
> From: "Neil Robst" > To: > Sent: Monday, January 19, 2004 9:49 AM > Subject: Re: Tips on Manual Bayes Training? > > > > Hi Nathan, > > > > My users use the Courier IMAP mailserver with Outlook and Outlook 2000. > > Both clients are able to make use of shared-folders you can setup in > > Courier IMAP. Thus, with this mechanism you can create a shared SPAM > > folder for users to manually copy un-marked SPAM into... > > > > Regards, > > Neil > > > > On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > > > Quick question for those of you with well-trained bayes databases. > > > > > > I'm planning to set up some spam traps. Question: Is there any advantage > > > to learning messages already marked as spam by SpamAssassin? > > > Logistically, it makes sense only to feed false negatives and false > > > positives. > > > > > > For the time being, I'm planning on using MailScanner's "Non Spam > > > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > > > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > > > negatives and then learn them into the bayes database. This is an > > > attempt to offset some of the poisoning that's been affecting us lately. > > > This doesn't take ham into account, but then I haven't had a lot of > > > problems with false positives. > > > > > > Any suggestions or alternative methods? > > > > > > I like the idea of end users redirecting spam to the appropriate > > > spam/ham mailboxes, but the majority of them are using Outlook or > > > Outlook Express and don't have any way to do this. > > > > > > Nathan > > > > From cwharris at MORGAN.NET Mon Jan 19 16:24:19 2004 
From: cwharris at MORGAN.NET (Chris) Date: Thu Jan 12 21:21:55 2006 Subject: [OT] IMAP servers (was Re: Tips on Manual Bayes Training?) References: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net> <1074529191.9605.132.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <001801c3dea8$b0722b10$2105a8c0@pub.morgan.net> Cool ill check out courier then. Thanks Neil! ----- Original Message ----- From: "Neil Robst" To: Sent: Monday, January 19, 2004 10:19 AM Subject: [OT] IMAP servers (was Re: Tips on Manual Bayes Training?) > Hi Chris, > > I've used Cyrus, Courier and UW-IMAP. At the moment I think my > preference is for Courier as, IMHO, it has a good balance of features > against ease of setup / use. I specifically wanted one that would > integrate best with my LDAP directory. Plus my mail server is a closed > box to users so I didn't wants their accounts in /etc/passwd, etc... > > Regards, > Neil > > On Mon, 2004-01-19 at 16:17, Chris wrote: > > I am going to install an IMAP server soon, is Courier preferred? I noticed > > that some people used Cyrus? is one better than the other? > > > > ----- Original Message ----- 
> > From: "Neil Robst" > > To: > > Sent: Monday, January 19, 2004 9:49 AM > > Subject: Re: Tips on Manual Bayes Training? > > > > > > > Hi Nathan, > > > > > > My users use the Courier IMAP mailserver with Outlook and Outlook 2000. > > > Both clients are able to make use of shared-folders you can setup in > > > Courier IMAP. Thus, with this mechanism you can create a shared SPAM > > > folder for users to manually copy un-marked SPAM into... > > > > > > Regards, > > > Neil > > > > > > On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > > > > Quick question for those of you with well-trained bayes databases. > > > > > > > > I'm planning to set up some spam traps. Question: Is there any advantage > > > > to learning messages already marked as spam by SpamAssassin? > > > > Logistically, it makes sense only to feed false negatives and false > > > > positives. > > > > > > > > For the time being, I'm planning on using MailScanner's "Non Spam > > > > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > > > > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > > > > negatives and then learn them into the bayes database. This is an > > > > attempt to offset some of the poisoning that's been affecting us lately. > > > > This doesn't take ham into account, but then I haven't had a lot of > > > > problems with false positives. > > > > > > > > Any suggestions or alternative methods? > > > > > > > > I like the idea of end users redirecting spam to the appropriate > > > > spam/ham mailboxes, but the majority of them are using Outlook or > > > > Outlook Express and don't have any way to do this. > > > > > > > > Nathan > > > > > > > > From steve.freegard at lbsltd.co.uk Mon Jan 19 16:32:14 2004 
From: steve.freegard at lbsltd.co.uk (Steve Freegard) Date: Thu Jan 12 21:21:55 2006 Subject: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: <67D9E7698329D411936E00508B6590B902773DED@neelix.lbsltd.co.uk> Hi Julian, Just a quick heads-up - it seems that someone has mis-configured their systems again: Received: from reverance.robsdesk.com (cpc2-tref1-4-0-cust125.cdif.cable.ntl.com [81.101.157.125]) Cheers, Steve. -----Original Message----- From: L-Soft list server at JISCMAIL (1.8e) [mailto:LISTSERV@JISCMAIL.AC.UK] Sent: 19 January 2004 16:24 To: steve.freegard@LBSLTD.CO.UK Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. Note that altering the "Subject:" line or adding blank lines at the top or bottom of the message is not sufficient; you should instead add a sentence or two at the top explaining why you are resending the message, so that the other subscribers understand why they are getting two copies of the same message. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An embedded message was scrubbed... 
From: Steve Freegard
Subject: Re: CF RULES
Date: Mon, 19 Jan 2004 16:20:00 -0000
Size: 1867
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040119/bce88930/attachment.mht

From campbell at CNPAPERS.COM Mon Jan 19 16:55:47 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:55 2006
Subject: Confusing log entries
Message-ID: <000b01c3dead$17c99060$4501a8c0@cnpapers.net>

I see in my maillog the following lines:

Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages waiting
Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 messages, 1727 bytes

I have in my MailScanner.conf the following lines:

Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 100
Max Unsafe Messages Per Scan = 100
Delivery Method = batch

Am I really only scanning one message at a time (as it seems) sometimes?
Are all of the above entries proper?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From tristanr at CI.GRANDJCT.CO.US Mon Jan 19 17:21:09 2004
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect software project Message-ID: Greetings, I apologize for posting these topics a second time, but I didn't receive any responses the first time. I can understand that the topics may not be worthy of a reply, but I thought people on this list would be interested in discussing a software package that incorporates MailScanner, Kaspersky Anti-Virus and Clam Anti-Virus, and SpamAssassin. I have not installed OpenProtect (already have MailScanner working), but here are some quotes from the documentation. "MTA's supported are: Sendmail, Postfix, Exim and Qmail" (Did they get Qmail to work with MailScanner? It is not officially supported) "Run the script openprotect-install in the package directory and answer the questions. The script should take care of the installation by itself." "The install script does the following: 1)Installs Kaspersky Version 5 2)Installs ClamAV Version 0.65 3)Installs perl modules needed by MailScanner 4)Installs SpamAssassin and perl modules needed by SpamAssassin 5)Installs MailScanner 6)Installs the OpenSupport package 7)Configures MTA Dependent MailScanner configurations 8)Configures MTA Independent MailScanner configurations 9)Stops your MTA and starts the MTA along with filter modules " http://opencomputing.sourceforge.net/ Secondly, is there a reason that MailScanner is not posted on SourceForge? I believe it would greatly increase the audience of MailScanner, and be highly beneficial to the project overall (more users). I have created a project on SourceForge and it is painless. Any thoughts on this? Tristan Rhodes From raymond at PROLOCATION.NET Mon Jan 19 17:22:35 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:55 2006
Subject: Confusing log entries
In-Reply-To: <000b01c3dead$17c99060$4501a8c0@cnpapers.net>
Message-ID:

Hi!

> Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages
> waiting
> Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 messages,
> 1727 bytes

> Am I really only scanning one messages at a time (as it seems) sometimes?
> Are all of the above entries proper?

Yes, do you want to wait till you get 100 ? =)

Bye,
Raymond.

From campbell at CNPAPERS.COM Mon Jan 19 17:30:58 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:55 2006
Subject: Confusing log entries
References:
Message-ID: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net>

No, I don't want to wait for 100, but if I have 11 waiting, why just do one?
Why not 11? As the subject line suggests, I'm confused.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Monday, January 19, 2004 12:22 PM
Subject: Re: Confusing log entries

> Hi!
>
> > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages
> > waiting
> > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 messages,
> > 1727 bytes
>
> > Am I really only scanning one messages at a time (as it seems) sometimes?
> > Are all of the above entries proper?
>
> Yes, do you want to wait till you get 100 ? =)
>
> Bye,
> Raymond.

From mailscanner at ecs.soton.ac.uk Mon Jan 19 17:58:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect software project In-Reply-To: References: Message-ID: <6.0.1.1.2.20040119175659.02c86ec0@imap.ecs.soton.ac.uk> At 17:21 19/01/2004, you wrote: >Greetings, > >I apologize for posting these topics a second time, but I didn't receive >any responses the first time. I can understand that the topics may not be >worthy of a reply, but I thought people on this list would be interested >in discussing a software package that incorporates MailScanner, Kaspersky >Anti-Virus and Clam Anti-Virus, and SpamAssassin. I have not installed >OpenProtect (already have MailScanner working), but here are some quotes >from the documentation. > >"MTA's supported are: Sendmail, Postfix, Exim and Qmail" (Did they get >Qmail to work with MailScanner? It is not officially supported) Yes, they have written their own qmail support. I don't know any more about it than you do. Does someone feel inclined to test it out and report back with their experiences please? >"Run the script openprotect-install in the package directory and answer >the questions. The script should take care of the installation by itself." >"The install script does the following: > >1)Installs Kaspersky Version 5 >2)Installs ClamAV Version 0.65 >3)Installs perl modules needed by MailScanner >4)Installs SpamAssassin and perl modules needed by SpamAssassin >5)Installs MailScanner >6)Installs the OpenSupport package >7)Configures MTA Dependent MailScanner configurations >8)Configures MTA Independent MailScanner configurations >9)Stops your MTA and starts the MTA along with filter modules " > >http://opencomputing.sourceforge.net/ > >Secondly, is there a reason that MailScanner is not posted on >SourceForge? I believe it would greatly increase the audience of >MailScanner, and be highly beneficial to the project overall (more >users). 
I have created a project on SourceForge and it is painless. Any >thoughts on this? Yes, I must get around to it. I'll try to remember to do it tomorrow. I don't want to host any content on SourceForge, I just want the bare project details posted there. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Jan 19 17:55:50 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:55 2006 Subject: Confusing log entries In-Reply-To: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> References: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040119175205.02d706b8@imap.ecs.soton.ac.uk> The number listed as "waiting" includes all messages that are only partly delivered. If there are any messages waiting to be scanned (and have been fully delivered), then MailScanner will scan those available, even if it is smaller than the batch size limit. As Raymond said, you don't want to wait until there are 100 fully delivered before doing anything. As only 1 was scanned this time around, that implies that the other 11-1=10 messages are still being delivered and so are not yet ready for scanning. The message in the log isn't 100% clear, I agree, but I couldn't think of any better concise wording for it. And now I don't want to change it since people might be looking for it as part of some log analysis system they have written. At 17:30 19/01/2004, you wrote: >No, I don't want to wait for 100, but if I have 11 waiting, why just do one? >Why not 11? As the subject line suggests, I'm confused. > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > >----- Original Message ----- 
>From: "Raymond Dijkxhoorn" >To: >Sent: Monday, January 19, 2004 12:22 PM >Subject: Re: Confusing log entries > > > > Hi! > > > > > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages > > > waiting > > > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 >messages, > > > 1727 bytes > > > > > Am I really only scanning one messages at a time (as it seems) >sometimes? > > > Are all of the above entries proper? > > > > Yes, do you want to wait till you get 100 ? =) > > > > Bye, > > Raymond. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Mon Jan 19 17:48:39 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:55 2006 Subject: Confusing log entries In-Reply-To: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> References: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> Message-ID: <400C1877.2080508@camo-route.com> Stephe Campbell wrote: >No, I don't want to wait for 100, but if I have 11 waiting, why just do one? >Why not 11? As the subject line suggests, I'm confused. > > MailScanner takes whatever it finds in the queue, up to a certain amount If a MailScanner process is free and sees that there some messages, it takes them, even if there is only one there. >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > >----- Original Message ----- 
>From: "Raymond Dijkxhoorn" >To: >Sent: Monday, January 19, 2004 12:22 PM >Subject: Re: Confusing log entries > > > > >>Hi! >> >> >> >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages >>>waiting >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 >>> >>> >messages, > > >>>1727 bytes >>> >>> >>>Am I really only scanning one messages at a time (as it seems) >>> >>> >sometimes? > > >>>Are all of the above entries proper? >>> >>> >>Yes, do you want to wait till you get 100 ? =) >> >>Bye, >>Raymond. >> >> From campbell at CNPAPERS.COM Mon Jan 19 17:52:35 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:55 2006 Subject: Rejected posting Message-ID: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> Is anyone else receiving these messages? Every thing I send is apparently being delivered twice to the list and I receive a reply as follows: Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. Note that altering the "Subject:" line or adding blank lines at the top or bottom of the message is not sufficient; you should instead add a sentence or two at the top explaining why you are resending the message, so that the other subscribers understand why they are getting two copies of the same message Steve Campbell campbell@cnpapers.com Charleston Newspapers From ugob at CAMO-ROUTE.COM Mon Jan 19 17:55:21 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:55 2006 Subject: Rejected posting In-Reply-To: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> References: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> Message-ID: <400C1A09.1000609@camo-route.com> Stephe Campbell wrote: >Is anyone else receiving these messages? Every thing I send is apparently >being delivered twice to the list and I receive a reply as follows: > > yes, I just received one because of my last post >Your message is being returned to you unprocessed because it appears to >have >already been distributed to the MAILSCANNER list. That is, a message >with >identical text (but possibly with different mail headers) has been posted >to >the list recently, either by you or by someone else. If you have a good >reason >to resend this message to the list (for instance because you have been >notified >of a hardware failure with loss of data), please alter the text of the >message >in some way and resend it to the list. Note that altering the "Subject:" >line >or adding blank lines at the top or bottom of the message is not >sufficient; >you should instead add a sentence or two at the top explaining why you >are >resending the message, so that the other subscribers understand why they >are >getting two copies of the same message > > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > From steve.swaney at FSL.COM Mon Jan 19 17:56:54 2004 
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:55 2006 Subject: Rejected posting In-Reply-To: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> Message-ID: <20040119175654.209C621C291@mail.fsl.com> Yes. Starting this morning I had the same problem. I re-posted the rejected message with a changed body. Then I got the rejection again but then I also received the (supposedly) rejected post from the mailer list. A bit confusing. I'm still not 100% sure that my post re: Automatic download of extra SA rule sets made the list. Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Stephe Campbell > Sent: Monday, January 19, 2004 12:53 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Rejected posting > > Is anyone else receiving these messages? Every thing I send is apparently > being delivered twice to the list and I receive a reply as follows: > > Your message is being returned to you unprocessed because it appears to > have > already been distributed to the MAILSCANNER list. That is, a message > with > identical text (but possibly with different mail headers) has been > posted > to > the list recently, either by you or by someone else. If you have a good > reason > to resend this message to the list (for instance because you have been > notified > of a hardware failure with loss of data), please alter the text of the > message > in some way and resend it to the list. Note that altering the "Subject:" > line > or adding blank lines at the top or bottom of the message is not > sufficient; > you should instead add a sentence or two at the top explaining why > you > are > resending the message, so that the other subscribers understand why > they > are > getting two copies of the same message > > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers From mkettler at EVI-INC.COM Mon Jan 19 18:00:29 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:55 2006
Subject: Rejected posting
In-Reply-To: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net>
References: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net>
Message-ID: <6.0.0.22.0.20040119125913.02441638@xanadu.evi-inc.com>

At 12:52 PM 1/19/2004, Stephe Campbell wrote:
>Is anyone else receiving these messages? Every thing I send is apparently
>being delivered twice to the list and I receive a reply as follows:

It's happened here a few times before.. generally it means someone who
subscribes to the list has a mis-configured mailserver that winds up looping
list posts back to the list, making every post have a second copy that gets
rejected.

From campbell at CNPAPERS.COM Mon Jan 19 18:01:05 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:21:55 2006
Subject: Confusing log entries
References: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> <400C1877.2080508@camo-route.com>
Message-ID: <009201c3deb6$354c1aa0$4501a8c0@cnpapers.net>

Ok, then, please remember it's Monday.

My log says there are 11 messages waiting, and it only processes 1 message
with a length of 1727 bytes. What are all of those big numbers for in my
MailScanner.conf?

Why does it only process 1727 bytes?

Thanks for the help to all, by the way!

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Monday, January 19, 2004 12:48 PM
Subject: Re: Confusing log entries

> Stephe Campbell wrote:
>
> >No, I don't want to wait for 100, but if I have 11 waiting, why just do one?
> >Why not 11? As the subject line suggests, I'm confused.
> >
> >
>
> MailScanner takes whatever it finds in the queue, up to a certain amount
>
> If a MailScanner process is free and sees that there some messages, it
> takes them, even if there is only one there.
>
> >Steve Campbell
> >campbell@cnpapers.com
> >Charleston Newspapers
> >
> >
> >----- Original Message -----
> >From: "Raymond Dijkxhoorn" > >To: > >Sent: Monday, January 19, 2004 12:22 PM > >Subject: Re: Confusing log entries > > > > > > > > > >>Hi! > >> > >> > >> > >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages > >>>waiting > >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 > >>> > >>> > >messages, > > > > > >>>1727 bytes > >>> > >>> > >>>Am I really only scanning one messages at a time (as it seems) > >>> > >>> > >sometimes? > > > > > >>>Are all of the above entries proper? > >>> > >>> > >>Yes, do you want to wait till you get 100 ? =) > >> > >>Bye, > >>Raymond. > >> > >> From mkettler at EVI-INC.COM Mon Jan 19 18:05:34 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:55 2006
Subject: Rejected posting
In-Reply-To: <6.0.0.22.0.20040119125913.02441638@xanadu.evi-inc.com>
References: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> <6.0.0.22.0.20040119125913.02441638@xanadu.evi-inc.com>
Message-ID: <6.0.0.22.0.20040119130306.024271b0@xanadu.evi-inc.com>

At 01:00 PM 1/19/2004, you wrote:
>At 12:52 PM 1/19/2004, Stephe Campbell wrote:
> >Is anyone else receiving these messages? Every thing I send is apparently
> >being delivered twice to the list and I receive a reply as follows:
> >
>
>It's happened here a few times before.. generally it means someone who
>subscribes to the list has a mis-configured mailserver that winds up
>looping list posts back to the list, making every post have a second copy
>that gets rejected.

robsdesk.com would appear to be the offender that is misconfigured and
looping posts.

Take a look at the Received: headers in the bounced message.. note that
jiscmail dropped it off at robsdesk, and then later robsdesk delivers it back.

Received: from reverance.robsdesk.com (cpc2-tref1-4-0-cust125.cdif.cable.ntl.com [81.101.157.125])
        by kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i0JHxOHZ008005
        for ; Mon, 19 Jan 2004 17:59:25 GMT

Rob: please fix your server. It appears to be attempting to re-deliver
messages based on the To: header, instead of properly tracking the envelope.
It is NEVER valid to attempt mail delivery based on the To: field inside the
message.

From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 19 18:02:49 2004
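The loop Matt Kettler describes in the post above, as an added example that is not part of the thread: a list post carries the list address in its To: header while the SMTP envelope names the subscriber, so an MTA that re-routes on the header sends the post back to the list. All hostnames, addresses and the sample message are constructed placeholders, and the Received-count check is one simple way to spot the loop, not the list server's own duplicate detection.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed placeholders (not taken from the thread).
LIST_HOST = "lists.example.org"
LIST_ADDR = "list@lists.example.org"
SUB_HOST = "mx.subscriber.example.net"
SUBSCRIBER = "rob@subscriber.example.net"

# Constructed list post as held by the list server. The To: header names the
# list; the individual subscriber appears only in the SMTP envelope (RCPT TO).
POST = (
    "Received: from poster.example.com (poster.example.com [192.0.2.10])\n"
    "\tby lists.example.org with ESMTP id AAA001\n"
    "\tfor <list@lists.example.org>; Mon, 19 Jan 2004 17:58:00 GMT\n"
    "From: poster@example.com\n"
    "To: list@lists.example.org\n"
    "Subject: test post\n"
    "\n"
    "body text\n"
)

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def stamp(raw, from_host, by_host):
    """Prepend the trace header a receiving MTA adds (newest Received on top)."""
    return (f"Received: from {from_host} by {by_host} with ESMTP; "
            "Mon, 19 Jan 2004 17:59:00 GMT\n" + raw)


def route_by_envelope(envelope_rcpts, raw):
    """Correct behaviour: deliver only to the envelope recipients."""
    return list(envelope_rcpts)


def route_by_header(envelope_rcpts, raw):
    """The misconfiguration: ignore the envelope and re-read To:/Cc:."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields)]


def by_hosts(raw):
    """Hosts that accepted the message, newest hop first."""
    hosts = []
    for value in message_from_string(raw).get_all("Received", []):
        match = BY_RE.search(value)  # \s+ also spans folded header lines
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def loops_through(raw, host):
    """True if the same host accepted this message more than once."""
    return by_hosts(raw).count(host.lower()) > 1


def deliver_list_post(route):
    """Hand one list post to the subscriber's MTA and follow its routing choice."""
    raw = stamp(POST, LIST_HOST, SUB_HOST)   # list server -> subscriber's MTA
    targets = route([SUBSCRIBER], raw)       # envelope recipient: the subscriber
    if LIST_ADDR in targets:                 # the post is mailed back to the list
        raw = stamp(raw, SUB_HOST, LIST_HOST)
    return targets, raw


if __name__ == "__main__":
    for route in (route_by_envelope, route_by_header):
        targets, raw = deliver_list_post(route)
        print(route.__name__, targets, by_hosts(raw),
              "LOOP" if loops_through(raw, LIST_HOST) else "ok")
```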
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:55 2006
Subject: Rejected posting
In-Reply-To: <6.0.0.22.0.20040119125913.02441638@xanadu.evi-inc.com>
Message-ID:

> It's happened here a few times before.. generally it means someone who
> subscribes to the list has a mis-configured mailserver that winds up
> looping list posts back to the list, making every post have a second copy
> that gets rejected.

Which is quite ironic / amusing considering the list's content....

From raymond at PROLOCATION.NET Mon Jan 19 18:10:18 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:55 2006
Subject: Confusing log entries
In-Reply-To: <009201c3deb6$354c1aa0$4501a8c0@cnpapers.net>
Message-ID:

Hi!

> My log says there are 11 messages waiting, and it only processes 1 message
> with a length of 1727 bytes. What are all of those big numbers for in my
> MailScanner.conf?

There are more MS processes doing messages, and it seems only 1 was waiting,
no big deal.

> Why does it only process 1727 bytes?

The 'big numbers' in your configuration are the max. number of messages.
Nothing more, nothing less.

Bye,
Raymond.

From ugob at CAMO-ROUTE.COM Mon Jan 19 18:11:11 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect software project In-Reply-To: <6.0.1.1.2.20040119175659.02c86ec0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040119175659.02c86ec0@imap.ecs.soton.ac.uk> Message-ID: <400C1DBF.5000309@camo-route.com> Julian Field wrote: > At 17:21 19/01/2004, you wrote: > >> Greetings, >> >> I apologize for posting these topics a second time, but I didn't receive >> any responses the first time. I can understand that the topics may >> not be >> worthy of a reply, but I thought people on this list would be interested >> in discussing a software package that incorporates MailScanner, >> Kaspersky >> Anti-Virus and Clam Anti-Virus, and SpamAssassin. I have not installed >> OpenProtect (already have MailScanner working), but here are some quotes >> from the documentation. >> >> "MTA's supported are: Sendmail, Postfix, Exim and Qmail" (Did they get >> Qmail to work with MailScanner? It is not officially supported) > > > Yes, they have written their own qmail support. I don't know any more > about > it than you do. Does someone feel inclined to test it out and report back > with their experiences please? I use OpenProtect at home with sendmail on fedora. Very easy setup. Works as well as MailScanner I have at work. Ugo From mailscanner at ecs.soton.ac.uk Mon Jan 19 18:14:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:55 2006
Subject: Rejected posting
In-Reply-To: <6.0.0.22.0.20040119130306.024271b0@xanadu.evi-inc.com>
References: <008101c3deb5$05bfab40$4501a8c0@cnpapers.net> <6.0.0.22.0.20040119125913.02441638@xanadu.evi-inc.com> <6.0.0.22.0.20040119130306.024271b0@xanadu.evi-inc.com>
Message-ID: <6.0.1.1.2.20040119181248.02c66350@imap.ecs.soton.ac.uk>

At 18:05 19/01/2004, you wrote:
>robsdesk.com would appear to be the offender that is misconfigured and
>looping posts.
>
>Take a look at the Received: headers in the bounced message.. note that
>jiscmail dropped it off at robsdesk, and then later robsdesk delivers it back.
>
>Received: from reverance.robsdesk.com
>(cpc2-tref1-4-0-cust125.cdif.cable.ntl.com [81.101.157.125])
> by kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i0JHxOHZ008005
> for ; Mon, 19 Jan 2004 17:59:25 GMT

I have suspended Rob's list membership until he fixes this problem. He will have just received a mail from the mailing list server telling him this, so he knows what is going on.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 19 18:11:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:55 2006 Subject: Confusing log entries In-Reply-To: <009201c3deb6$354c1aa0$4501a8c0@cnpapers.net> References: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> <400C1877.2080508@camo-route.com> <009201c3deb6$354c1aa0$4501a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040119180920.02d84ec0@imap.ecs.soton.ac.uk> At 18:01 19/01/2004, you wrote: >Ok, then, please remember it's Monday. > >My log says there are 11 messages waiting, and it only processes 1 message >with a length of 1727 bytes. What are all of those big numbers for in my >MailScanner.conf? They are the maximum batch size. If your server was really busy, you wouldn't want to scan the entire queue in 1 batch as you would probably run out of memory or swap space. >Why does it only process 1727 bytes? Because that is all that is available for scanning. The other 10 messages are either 1) still being delivered so haven't completely arrived yet or 2) are being scanned by other MailScanner processes. Most common situation is a combination of (1) and (2). >Thanks for the help to all, by the way! > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > >----- Original Message ----- >From: "Ugo Bellavance" >To: >Sent: Monday, January 19, 2004 12:48 PM >Subject: Re: Confusing log entries > > > > Stephe Campbell wrote: > > > > >No, I don't want to wait for 100, but if I have 11 waiting, why just do >one? > > >Why not 11? As the subject line suggests, I'm confused. > > > > > > > > > > MailScanner takes whatever it finds in the queue, up to a certain amount > > > > If a MailScanner process is free and sees that there some messages, it > > takes them, even if there is only one there. > > > > >Steve Campbell > > >campbell@cnpapers.com > > >Charleston Newspapers > > > > > > > > >----- Original Message ----- 
> > >From: "Raymond Dijkxhoorn" > > >To: > > >Sent: Monday, January 19, 2004 12:22 PM > > >Subject: Re: Confusing log entries > > > > > > > > > > > > > > >>Hi! > > >> > > >> > > >> > > >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 >messages > > >>>waiting > > >>>Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 > > >>> > > >>> > > >messages, > > > > > > > > >>>1727 bytes > > >>> > > >>> > > >>>Am I really only scanning one messages at a time (as it seems) > > >>> > > >>> > > >sometimes? > > > > > > > > >>>Are all of the above entries proper? > > >>> > > >>> > > >>Yes, do you want to wait till you get 100 ? =) > > >> > > >>Bye, > > >>Raymond. > > >> > > >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From campbell at CNPAPERS.COM Mon Jan 19 18:17:20 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:55 2006 Subject: Confusing log entries References: <004c01c3deb2$0057b9c0$4501a8c0@cnpapers.net> <6.0.1.1.2.20040119175205.02d706b8@imap.ecs.soton.ac.uk> Message-ID: <00dc01c3deb8$7a450c00$4501a8c0@cnpapers.net> As I said, it's Monday, and I never considered partial messages. Last week I got hammered by one of those poor African letters, and after my incoming queue hit 25000, it seemed like it was only processing 1 at a time. I didn't look throughout the log, just happened to see this one. I knew better from the past, I just wasn't thinking. I didn't understand what Mr. Dijkxhoom was saying. Mr. Field, the log message is perfectly fine. Thanks all for the help and concern. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- 
From: "Julian Field" To: Sent: Monday, January 19, 2004 12:55 PM Subject: Re: Confusing log entries > The number listed as "waiting" includes all messages that are only partly > delivered. If there are any messages waiting to be scanned (and have been > fully delivered), then MailScanner will scan those available, even if it is > smaller than the batch size limit. As Raymond said, you don't want to wait > until there are 100 fully delivered before doing anything. > > As only 1 was scanned this time around, that implies that the other 11-1=10 > messages are still being delivered and so are not yet ready for scanning. > > The message in the log isn't 100% clear, I agree, but I couldn't think of > any better concise wording for it. And now I don't want to change it since > people might be looking for it as part of some log analysis system they > have written. > > At 17:30 19/01/2004, you wrote: > >No, I don't want to wait for 100, but if I have 11 waiting, why just do one? > >Why not 11? As the subject line suggests, I'm confused. > > > >Steve Campbell > >campbell@cnpapers.com > >Charleston Newspapers > > > > > >----- Original Message ----- 
> >From: "Raymond Dijkxhoorn" > >To: > >Sent: Monday, January 19, 2004 12:22 PM > >Subject: Re: Confusing log entries > > > > > > > Hi! > > > > > > > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Found 11 messages > > > > waiting > > > > Jan 19 11:45:14 kanawha MailScanner[14317]: New Batch: Scanning 1 > >messages, > > > > 1727 bytes > > > > > > > Am I really only scanning one messages at a time (as it seems) > >sometimes? > > > > Are all of the above entries proper? > > > > > > Yes, do you want to wait till you get 100 ? =) > > > > > > Bye, > > > Raymond. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From LISTSERV at JISCMAIL.AC.UK Mon Jan 19 18:17:38 2004 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:21:55 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. Note that altering the "Subject:" line or adding blank lines at the top or bottom of the message is not sufficient; you should instead add a sentence or two at the top explaining why you are resending the message, so that the other subscribers understand why they are getting two copies of the same message. -------------- next part -------------- An embedded message was scrubbed... 
From: "Julian Field" Subject: Re: Confusing log entries Date: Mon, 19 Jan 2004 17:55:50 +0000 Size: 4915 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040119/76a6fd95/attachment.mht From LISTSERV at JISCMAIL.AC.UK Mon Jan 19 18:18:37 2004 From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e)) Date: Thu Jan 12 21:21:55 2006 Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: Your message is being returned to you unprocessed because it appears to have already been distributed to the MAILSCANNER list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently, either by you or by someone else. If you have a good reason to resend this message to the list (for instance because you have been notified of a hardware failure with loss of data), please alter the text of the message in some way and resend it to the list. Note that altering the "Subject:" line or adding blank lines at the top or bottom of the message is not sufficient; you should instead add a sentence or two at the top explaining why you are resending the message, so that the other subscribers understand why they are getting two copies of the same message. -------------- next part -------------- An embedded message was scrubbed... From: "Julian Field" Subject: Re: Listing MailScanner on Sourceforge and the OpenProtect software project Date: Mon, 19 Jan 2004 17:58:44 +0000 Size: 5215 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040119/a4f6ab3d/attachment.mht From mkipness at GENIANT.COM Mon Jan 19 19:13:32 2004 
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:21:55 2006
Subject: SpamAssassin score missing?
Message-ID: <399D85F2BB50BC4295F78EAE203D5C220604D9@dalsxc01.geniant.net>

> >
> > I've been getting a lot of messages (spam) this morning that have no
> > spam score. Some messages when looking the headers this morning do have:
> >
> > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 8, HTML_80_90 0.50)
> >
> > But some just have:
> >
> > X-MailScanner-SpamCheck:
> >
> > With nothing after the colon. Does this mean SpamAssassin is timing out?
> > I see no indication of any problem in the mail logs.
> >
> > How can I fix?
> >
> > Thanks,
> > Max
> >
> Do you have a ruleset for your "Spam Checks" in
> MailScanner.conf? When I have "no" in my ruleset, there is
> nothing after the colon. Timeout should say "not spam,
> SpamAssassin (timed out)"

Thanks, based on your answer I was able to track down the problem. I do have a ruleset for Spam Checks. And I had "no" configured for domain1. However my email address is under domain2. Somehow all the spam was being emailed to an address mail@domain1.com and also being sent to me (not sure why yet). Evidently because domain1 was set not to check for spam, it over-rode the fact that domain2 should check for spam.

Max

From tristanr at CI.GRANDJCT.CO.US Mon Jan 19 19:19:17 2004
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:21:55 2006
Subject: Listing MailScanner on Sourceforge and the OpenProtect software project
Message-ID:

Julian,

>Yes, they have written their own qmail support. I don't know any more about
>it than you do. Does someone feel inclined to test it out and report back
>with their experiences please?

I will try to drudge up an unused PC to give OpenProtect a try. I see that Ugo has installed it on Fedora with no problems. I am on their mailing list and they just released a new version last week. Changes include:

*Support for *BSD style init scripts added
*Fixed init problem in Linux Systems like Slackware, Gentoo
*Fixed init problem in *BSD Systems like FreeBSD, OpenBSD, NetBSD, etc
*Fixed RH 6.2 init bug
*Fixed Perl 5.005 missing header files needed for HTML-Parser
*Fixed problem, if qmail is not installed at /var/qmail, by recompiling the qmail-queue binary
*Added all the languages supported in MailScanner 4.24-15
*Fixed Clamav's /var/lib/clamav permission
*Fixed GCC, PERL, GLIBC and KERNEL version checking bug
*Added a DEFAULTS file for stating the default settings
*Added a THANKS file for crediting those who helped in bug fixing and suggesting new features

>Yes, I must get around to it. I'll try to remember to do it tomorrow. I
>don't want to host any content on SourceForge, I just want the bare project
>details posted there.

That is great! You do not have to host with Sourceforge, you can configure it to point to your current MailScanner site. I would recommend adding a link to the Sourceforge logo on your footer. It acts as a counter, and will allow MailScanner to climb to the top of popular projects, where it will garner even more attention.

If you have any questions about SourceForge I will do my best to answer them.

Tristan Rhodes

From Matthew.Day at BUCKINGHAM.AC.UK Mon Jan 19 19:21:06 2004
From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect softwa re project Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D5789E@gila.buckingham.ac.uk> > -----Original Message----- 
> From: Tristan Rhodes [mailto:tristanr@CI.GRANDJCT.CO.US] > Sent: 19 January 2004 17:21 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Listing MailScanner on Sourceforge and the > OpenProtect software > project > > > Greetings, > > I apologize for posting these topics a second time, but I > didn't receive any responses the first time. I can > understand that the topics may not be worthy of a reply, but > I thought people on this list would be interested in > discussing a software package that incorporates MailScanner, > Kaspersky Anti-Virus and Clam Anti-Virus, and SpamAssassin. > I have not installed OpenProtect (already have MailScanner > working), but here are some quotes from the documentation. > > "MTA's supported are: Sendmail, Postfix, Exim and Qmail" (Did > they get Qmail to work with MailScanner? It is not > officially supported) > "Run the script openprotect-install in the package directory > and answer the questions. The script should take care of the > installation by itself." > "The install script does the following: > > 1)Installs Kaspersky Version 5 > 2)Installs ClamAV Version 0.65 > 3)Installs perl modules needed by MailScanner > 4)Installs SpamAssassin and perl modules needed by SpamAssassin > 5)Installs MailScanner > 6)Installs the OpenSupport package > 7)Configures MTA Dependent MailScanner configurations > 8)Configures MTA Independent MailScanner configurations > 9)Stops your MTA and starts the MTA along with filter modules " > > http://opencomputing.sourceforge.net/ > > Secondly, is there a reason that MailScanner is not posted on > SourceForge? I believe it would greatly increase the > audience of MailScanner, and be highly beneficial to the > project overall (more users). I have created a project on > SourceForge and it is painless. Any thoughts on this? 
> > Tristan Rhodes > Tristan __I know mine isn't the usual scenario__ but coming to MailScanner from a Windows background, I found the current MS install gives pretty much the perfect balance between ease of use and shooting-self-in-foot avoidance. The installation was simple and automated enough for a Linux newbie to do in a relaxed evening's work (starting at taking the server out of the box and ending with configuring AV scanning, adding custom SA rules and customising the default spam handling behaviour and user alert messages) but it did require me to find out a bit about what I was doing. For example, to learn enough about Sendmail to configure the server to relay to my test lab mailhub. One particular strong point of the MailScanner installation was that it told me when required packages were missing, a quick Google told me how to add them. From ugob at CAMO-ROUTE.COM Mon Jan 19 19:41:32 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect softwa re project In-Reply-To: <0EAE842EEAA4D711A05C00B0D0FED1D5789E@gila.buckingham.ac.uk> References: <0EAE842EEAA4D711A05C00B0D0FED1D5789E@gila.buckingham.ac.uk> Message-ID: <400C32EC.5060907@camo-route.com> Matthew Day wrote: >>-----Original Message----- 
>>From: Tristan Rhodes [mailto:tristanr@CI.GRANDJCT.CO.US] >>Sent: 19 January 2004 17:21 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Listing MailScanner on Sourceforge and the >>OpenProtect software >>project >> >> >>Greetings, >> >>I apologize for posting these topics a second time, but I >>didn't receive any responses the first time. I can >>understand that the topics may not be worthy of a reply, but >>I thought people on this list would be interested in >>discussing a software package that incorporates MailScanner, >>Kaspersky Anti-Virus and Clam Anti-Virus, and SpamAssassin. >>I have not installed OpenProtect (already have MailScanner >>working), but here are some quotes from the documentation. >> >>"MTA's supported are: Sendmail, Postfix, Exim and Qmail" (Did >>they get Qmail to work with MailScanner? It is not >>officially supported) >>"Run the script openprotect-install in the package directory >>and answer the questions. The script should take care of the >>installation by itself." >>"The install script does the following: >> >>1)Installs Kaspersky Version 5 >>2)Installs ClamAV Version 0.65 >>3)Installs perl modules needed by MailScanner >>4)Installs SpamAssassin and perl modules needed by SpamAssassin >>5)Installs MailScanner >>6)Installs the OpenSupport package >>7)Configures MTA Dependent MailScanner configurations >>8)Configures MTA Independent MailScanner configurations >>9)Stops your MTA and starts the MTA along with filter modules " >> >>http://opencomputing.sourceforge.net/ >> >>Secondly, is there a reason that MailScanner is not posted on >>SourceForge? I believe it would greatly increase the >>audience of MailScanner, and be highly beneficial to the >>project overall (more users). I have created a project on >>SourceForge and it is painless. Any thoughts on this? 
>> >>Tristan Rhodes >> >> >> > >Tristan > >__I know mine isn't the usual scenario__ but coming to MailScanner from a >Windows background, I found the current MS install gives pretty much the >perfect balance between ease of use and shooting-self-in-foot avoidance. > >The installation was simple and automated enough for a Linux newbie to do in >a relaxed evening's work (starting at taking the server out of the box and >ending with configuring AV scanning, adding custom SA rules and customising >the default spam handling behaviour and user alert messages) but it did >require me to find out a bit about what I was doing. For example, to learn >enough about Sendmail to configure the server to relay to my test lab >mailhub. >One particular strong point of the MailScanner installation was that it told >me when required packages were missing, a quick Google told me how to add >them. >From my Windows background of 1000-page instruction manuals I'd have liked >to see more detailed documentation (yes, I've checked the mailing list >archives, read the FAQs etc - I just like having stuff laid out in one place >(read "am lazy")). >(Julian - if you'd be interested in having a complete MS newbie draft a >for-idiots-by-an-idiot guide I'd be happy to get involved). > > FSL is working on that already. You could be another proofreader maybe. >I still wouldn't be confident enough to setup MailScanner in a production >environment myself (I've got FSL.com for that) but isn't that the point - I >didn't just learn new stuff, I also got a better feel for what I don't know. > > > Yep, I like that too. >I've spent enough time in the Windows world of "plug it in and turn it on >straight out of the box without understanding how it works" to have >developed a healthy fear of this approach. 
I won't bore anyone with the >horror stories, I've a feeling I'd be preaching to the converted ;) > > I think that MailScanner is different from any Windows App, first because you have total control over the setting using plain-text files, instead of a point-and-click approach. To learn more about how it works, just stay tuned on this list, you'll have a very good understanding in a few weeks. >Best > >Matthew Day >University of Buckingham > > From doko at CS.TU-BERLIN.DE Mon Jan 19 20:17:03 2004 From: doko at CS.TU-BERLIN.DE (Matthias Klose) Date: Thu Jan 12 21:21:55 2006 Subject: Listing MailScanner on Sourceforge and the OpenProtect software project In-Reply-To: <6.0.1.1.2.20040119175659.02c86ec0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040119175659.02c86ec0@imap.ecs.soton.ac.uk> Message-ID: <16396.15167.315544.113387@gargle.gargle.HOWL> Julian Field writes: > >Secondly, is there a reason that MailScanner is not posted on > >SourceForge? I believe it would greatly increase the audience of > >MailScanner, and be highly beneficial to the project overall (more > >users). I have created a project on SourceForge and it is painless. Any > >thoughts on this? > > Yes, I must get around to it. I'll try to remember to do it tomorrow. I > don't want to host any content on SourceForge, I just want the bare project > details posted there. don't forget to enable the bug tracking system ;-) that would be better than searching the mailing list. Matthias From spamtrap71892316634 at ANIME.NET Mon Jan 19 20:52:02 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:21:55 2006 Subject: blocking %00 / %01 exploits with mailscanner? Message-ID: Is there a way to get mailscanner to block %00 / %01 uri exploits in the body of mails the same way mailscanner can block iframe exploits in the body? I want to drop these mails into /dev/null hard, i'd like mailscanner to do it, not procmail. -Dan From rob at ROBSDESK.COM Mon Jan 19 20:51:26 2004 
From: rob at ROBSDESK.COM (Rob Broughall)
Date: Thu Jan 12 21:21:55 2006
Subject: Bouncing mail
Message-ID:

Hello,

Apologies to those who had received double mailings today, my fault completely meddling with a pop3 connector for my mail server, it would seem it doesn't understand things properly. All sorted now (hopefully)!

Rob

From p.bos at LAKE.XS4ALL.NL Mon Jan 19 20:56:50 2004
From: p.bos at LAKE.XS4ALL.NL (piet.bos)
Date: Thu Jan 12 21:21:55 2006
Subject: bigevil.cf
Message-ID: <002b01c3dece$c2d90e60$2201a8c0@pietpentiumiii>

Hello All,

A lot is said about the bigevil.cf here in this list. But I wasn't able to find the sure way to activate it. I've downloaded the latest version of the file and placed it in /etc/mail/spamassassin directory. Restarted the MailScanner and not SA as stated in the file header. Because at my server there is no spamd running concurrently. Due to the fact that I'm fairly novice in this terrain, I was wondering if this is OK?

Bye
Piet

--
p.bos@lake.xs4all.nl
http://www.motoren.boten.nl
http://www.motoren.ath.cx
http://www.equipment.boten.nl
http://www.equipment.ath.cx
United in the varen4u partnership.
http://www.varen4u.nl with: http://www.vaartips.nl and http://www.bluebayou.nl

From kevins at BMRB.CO.UK Mon Jan 19 21:10:06 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:55 2006
Subject: Listing MailScanner on Sourceforge and the OpenProtect software project
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21B8A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B8A@pascal.priv.bmrb.co.uk>
Message-ID: <1074546607.11047.18.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-19 at 20:17, Matthias Klose wrote:
>don't forget to enable the bug tracking system ;-) that would be
>better than searching the mailing list.

Please don't, the list archives are quite good enough. Spreading the places solutions can be found will only increase the amount of work required to find the answer (as people tend to put in a finite amount of effort this would probably increase the number of redundant questions rather than reduce them).

From mailscanner at ecs.soton.ac.uk Mon Jan 19 21:11:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:55 2006
Subject: bigevil.cf
In-Reply-To: <002b01c3dece$c2d90e60$2201a8c0@pietpentiumiii>
References: <002b01c3dece$c2d90e60$2201a8c0@pietpentiumiii>
Message-ID: <6.0.1.1.2.20040119211046.03879a78@imap.ecs.soton.ac.uk>

At 20:56 19/01/2004, you wrote:
>Hello All,
>A lot is said about the bigevil.cf here in this list.
>But I wasn't able to find the sure way to activate it.
>I've downloaded the latest version of the file and placed it in
>/etc/mail/spamassassin directory.
>Restarted the MailScanner and not SA as stated in the file header.

That should be all you need to do.

>Because at my server there is no spamd running concurrently.

MailScanner doesn't use spamd (it's an extra layer slowing everything down, so I don't use it).

>Due to the fact that I'm fairly novice in this terrain, I was wondering
>if this is OK?

Should be it, yes.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 19 21:09:57 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:55 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk>

At 20:52 19/01/2004, you wrote:
>Is there a way to get mailscanner to block %00 / %01 uri exploits in the
>body of mails the same way mailscanner can block iframe exploits in the body?
>
>I want to drop these mails into /dev/null hard, i'd like mailscanner to do
>it, not procmail.

The current best solution is to create a SpamAssassin rule which catches these and assigns a score of 100. Then set the SA high score threshold to 100 and delete high-scoring spam. Works a treat.

You can create the rule by adding this to your spam.assassin.prefs.conf file:

uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From neilrobst at ALM.ORG.UK Mon Jan 19 21:16:05 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:55 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <6.0.1.1.2.20040119134553.077ea528@imap.ecs.soton.ac.uk>
Message-ID:

Hi all,

Just applied the 4.26-4 beta of MailScanner to my mail server, though I've been unable to replicate the problem with the duplicate mails either before or after (as expected) the upgrade. Do you know any details about that -whether it only manifested itself when there were lots of recipients on the message or a high load on the server or what?

Regards,
Neil

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mkbowman at neo.rr.com Mon Jan 19 21:15:12 2004
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:21:55 2006
Subject: Fw: Another silent virus addition - W32/Bagle-A
Message-ID: <000701c3ded1$56b59de0$a767a8c0@MKBOWMAN2>

Anyone got this to work?

Thanks

Matthew

----- Original Message -----
From: "Matthew K Bowman"
To: "Julian Field"
Sent: Monday, January 19, 2004 11:29 AM
Subject: Re: Another silent virus addition - W32/Bagle-A

> Hmm that didn't work
>
> Silent Virues = /etc/MailScanner/rules/silent.virus.rules
>
> Ruleset:
>
> Virus: default yes
> Virus: Bagle no
> FromorTo: default yes
>
> "Incorrect Syntax"
>
> I'm using 4.25-4
>
>
> ----- Original Message -----
> From: "Julian Field"
> To: "Matthew K Bowman"
> Sent: Monday, January 19, 2004 9:10 AM
> Subject: Re: Another silent virus addition - W32/Bagle-A
>
>
> > You can use the "Virus:" keyword in some rulesets where you would otherwise
> > be using "To:".
> >
> > For example:
> >
> > Virus: default yes
> > Virus: Bagle no
> > FromOrTo: default yes
> >
> > At 14:04 19/01/2004, you wrote:
> > >Hello,
> > >
> > >Is there a way of breaking down the Virus notifications to specific Viruses?
> > >For example a client of ours doesn't want to receive any notifications about
> > >the W32/Bagle-A but still need to receive notifications about other viruses.
> > >
> > >I'm using MailScanner v 4.25-4, sendmail, RH9.
> > >
> > >Thank you
> > >
> > >Matthew
> > >----- Original Message -----
> > >From: "Dustin Baer" > > >To: > > >Sent: Monday, January 19, 2004 9:00 AM > > >Subject: Another silent virus addition - W32/Bagle-A > > > > > > > > > > It appears that W32/Bagle-A spoofs the sender's address. You all > might > > > > want to add it to your list of Silent Viruses > > > > > > > > Dustin > > > > -- > > > > Dustin Baer > > > > Unix Administrator/Postmaster > > > > Information Handling Services > > > > 15 Inverness Way East > > > > Englewood, CO 80112 > > > > 303-397-2836 > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > From p.bos at LAKE.XS4ALL.NL Mon Jan 19 21:20:56 2004 From: p.bos at LAKE.XS4ALL.NL (piet.bos) Date: Thu Jan 12 21:21:55 2006 Subject: bigevil.cf In-Reply-To: <6.0.1.1.2.20040119211046.03879a78@imap.ecs.soton.ac.uk> Message-ID: <002c01c3ded2$23bad0d0$2201a8c0@pietpentiumiii> | | MailScanner doesn't use spamd (it's an extra layer slowing | everything down, so I don't use it). | What is triggering SA then? When I comment the line below Use SpamAssassin = yes I'm a bist confused now. From mailscanner at ecs.soton.ac.uk Mon Jan 19 21:25:50 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:55 2006
Subject: bigevil.cf
In-Reply-To: <002c01c3ded2$23bad0d0$2201a8c0@pietpentiumiii>
References: <6.0.1.1.2.20040119211046.03879a78@imap.ecs.soton.ac.uk> <002c01c3ded2$23bad0d0$2201a8c0@pietpentiumiii>
Message-ID: <6.0.1.1.2.20040119212312.03cf6240@imap.ecs.soton.ac.uk>

At 21:20 19/01/2004, you wrote:
>|
>| MailScanner doesn't use spamd (it's an extra layer slowing
>| everything down, so I don't use it).
>|
>What is triggering SA then?
>
>When I comment the line below
>
>Use SpamAssassin = yes
>
>I'm a bit confused now.

SpamAssassin is basically just a big function library. If you want to call it slowly, you use the "spamd/spamc" front end to it. If you want to call it really slowly, you use the "spamassassin" shell script. If you want to call it quickly, you just call the function library directly. There's nothing to "trigger", it's just a function call into the library.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 19 21:18:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To:
References: <6.0.1.1.2.20040119134553.077ea528@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040119211804.03b3eb70@imap.ecs.soton.ac.uk>

At 21:16 19/01/2004, you wrote:
>Hi all,
>
>Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
>been unable to replicate the problem with the duplicate mails either before
>or after (as expected) the upgrade. Do you know any details about
>that -whether it only manifested itself when there were lots of recipients
>on the message or a high load on the server or what?

It only tended to happen on heavily loaded servers.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From spamtrap71892316634 at ANIME.NET Mon Jan 19 21:23:20 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 19 Jan 2004, Julian Field wrote:
> At 20:52 19/01/2004, you wrote:
> >Is there a way to get mailscanner to block %00 / %01 uri exploits in the
> >body of mails the same way mailscanner can block iframe exploits in the body?
> The current best solution is to create a SpamAssassin rule which catches
> these and assigns a score of 100.

So basically, "no, mailscanner can't do that"? It can block iframe exploits but not URI exploits?

-Dan

From kevins at BMRB.CO.UK Mon Jan 19 21:24:08 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:56 2006
Subject: bigevil.cf
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21B93@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B93@pascal.priv.bmrb.co.uk>
Message-ID: <1074547449.11047.26.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-19 at 21:20, piet.bos wrote:
>|
>| MailScanner doesn't use spamd (it's an extra layer slowing
>| everything down, so I don't use it).
>|
>What is triggering SA then?
>When I comment the line below
>Use SpamAssassin = yes
>I'm a bit confused now.

MailScanner accesses the Spamassassin perl modules directly.

From p.bos at LAKE.XS4ALL.NL Mon Jan 19 21:32:08 2004
From: p.bos at LAKE.XS4ALL.NL (piet.bos)
Date: Thu Jan 12 21:21:56 2006
Subject: bigevil.cf
In-Reply-To: <6.0.1.1.2.20040119212312.03cf6240@imap.ecs.soton.ac.uk>
Message-ID: <002d01c3ded3$b0d63580$2201a8c0@pietpentiumiii>

| At 21:20 19/01/2004, you wrote:
| >|
| >| MailScanner doesn't use spamd (it's an extra layer slowing everything
| >| down, so I don't use it).
| >|
| >What is triggering SA then?
| >
| >When I comment the line below
| >
| >Use SpamAssassin = yes
| >
| >I'm a bit confused now.
|
| SpamAssassin is basically just a big function library. If you
| want to call it slowly, you use the "spamd/spamc" front end
| to it. If you want to call it really slowly, you use the
| "spamassassin" shell script. If you want to call it quickly,
| you just call the function library directly. There's nothing
| to "trigger", it's just a function call into the library.
|

So the big word is "Hash it out" and it'll still be checked by some sort of SA?
What I'm doing now is twice the same........is that correct?

You never fail to amaze me Julian.

From mailscanner at ecs.soton.ac.uk Mon Jan 19 22:01:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
References: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040119215249.02d1b8f8@imap.ecs.soton.ac.uk>

At 21:23 19/01/2004, you wrote:
>On Mon, 19 Jan 2004, Julian Field wrote:
> > At 20:52 19/01/2004, you wrote:
> > >Is there a way to get mailscanner to block %00 / %01 uri exploits in the
> > >body of mails the same way mailscanner can block iframe exploits in the body?
> > The current best solution is to create a SpamAssassin rule which catches
> > these and assigns a score of 100.
>
>So basically, "no, mailscanner can't do that"? It can block iframe
>exploits but not URI exploits?

I don't want to get into the game of adding code for every exploit that ever appears. IFrame tags have been used in a whole bunch of exploits in the past, and are still considered by many sites to be "dangerous".

Microsoft will eventually fix the bug that created this security hole, at which point the check won't be needed anyway. Anyone following a link in an email that has been flagged as spam does so at their own risk, they have been warned.

I am not going to write and test code, and do an entire release for every bug that ever appears in every network app in every operating system.

(And that's about the 15th re-write of this email, hopefully it is polite this time)

Jules.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 19 22:07:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To: <6.0.1.1.2.20040119215249.02d1b8f8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040119215249.02d1b8f8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040119220609.0387f488@imap.ecs.soton.ac.uk>

At 22:01 19/01/2004, you wrote:
>At 21:23 19/01/2004, you wrote:
>>On Mon, 19 Jan 2004, Julian Field wrote:
>> > At 20:52 19/01/2004, you wrote:
>> > >Is there a way to get mailscanner to block %00 / %01 uri exploits in the
>> > >body of mails the same way mailscanner can block iframe exploits in the body?
>> > The current best solution is to create a SpamAssassin rule which catches
>> > these and assigns a score of 100.
>>
>>So basically, "no, mailscanner can't do that"? It can block iframe
>>exploits but not URI exploits?

And anyway, I have given you a method of stopping it completely. So the answer is "yes, it can do that". The method I described is exactly how I handle it on my own site, and none of my users ever receive a message containing this exploit.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 19 22:05:02 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: bigevil.cf
In-Reply-To: <002d01c3ded3$b0d63580$2201a8c0@pietpentiumiii>
References: <6.0.1.1.2.20040119212312.03cf6240@imap.ecs.soton.ac.uk> <002d01c3ded3$b0d63580$2201a8c0@pietpentiumiii>
Message-ID: <6.0.1.1.2.20040119220305.038ba850@imap.ecs.soton.ac.uk>

At 21:32 19/01/2004, you wrote:
>| At 21:20 19/01/2004, you wrote:
>| >|
>| >| MailScanner doesn't use spamd (it's an extra layer slowing everything
>| >| down, so I don't use it).
>| >|
>| >What is triggering SA then?
>| >
>| >When I comment the line below
>| >
>| >Use SpamAssassin = yes
>| >
>| >I'm a bit confused now.
>|
>| SpamAssassin is basically just a big function library. If you
>| want to call it slowly, you use the "spamd/spamc" front end
>| to it. If you want to call it really slowly, you use the
>| "spamassassin" shell script. If you want to call it quickly,
>| you just call the function library directly. There's nothing
>| to "trigger", it's just a function call into the library.
>|
>
>So the big word is "Hash it out" and it'll still be checked by some sort
>of SA?
>What I'm doing now is twice the same........is that correct?

If you have set "Use SpamAssassin = yes" and you also have spamd/spamc being called by procmail or some other setup, then you are doing it twice. Just running spamd doesn't automatically pick up mail, it's just a daemon providing service to the "spamc" client which part of your message delivery system may be calling. MailScanner makes no use of spamd and it does not need to be running for MailScanner to work.

>You never fail to amaze me Julian.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at FRACTALWEB.COM Mon Jan 19 22:13:03 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To: <6.0.1.1.2.20040119215249.02d1b8f8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040119215249.02d1b8f8@imap.ecs.soton.ac.uk>
Message-ID: <400C566F.7020405@fractalweb.com>

At 21:23 19/01/2004, you wrote:
>> On Mon, 19 Jan 2004, Julian Field wrote:
>> > At 20:52 19/01/2004, you wrote:
>> > >Is there a way to get mailscanner to block %00 / %01 uri exploits in the
>> > >body of mails the same way mailscanner can block iframe exploits in the body?
>> > The current best solution is to create a SpamAssassin rule which catches
>> > these and assigns a score of 100.
>>
>> So basically, "no, mailscanner can't do that"? It can block iframe
>> exploits but not URI exploits?
>

I'm with Julian on this one. All that matters is that you block these extremely dangerous emails from your users. If Spamassassin can do it, then why "reinvent the wheel" by making MailScanner do it also?

I have MailScanner set to delete (and quarantine) high scoring spam, which on my server is anything above 15. I have yet to see a false-positive score that high. If these get deleted without your users even seeing them, then all the better. There's no way anyone would accidentally use this exploit in a legitimate email.

Although I haven't seen many of these exploits come through, I have seen a few in the past week, all purporting to be from Bank of America, Ebay, and Paypal (so far).

Cheers,
Chris

From raymond at PROLOCATION.NET Mon Jan 19 22:13:54 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <400C551C.6090001@themarshalls.co.uk>
Message-ID:

Hi!

> duplicate mail. My old set up on Slackware didn't suffer, the new on
> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> queue runner and MailScanner got in each others way with the result that
> MS picked up incomplete messages.

I see the same using Exim, so I doubt this is mailer related.

Bye,
Raymond.

From spamtrap71892316634 at ANIME.NET Mon Jan 19 22:37:46 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To: <400C566F.7020405@fractalweb.com>
Message-ID:

On Mon, 19 Jan 2004, Chris Yuzik wrote:
> At 21:23 19/01/2004, you wrote:
> >> So basically, "no, mailscanner can't do that"? It can block iframe
> >> exploits but not URI exploits?
> I'm with Julian on this one. All that matters is that you block these
> extremely dangerous emails from your users. If Spamassassin can do it,
> then why "reinvent the wheel" by making MailScanner do it also?
> I have MailScanner set to delete (and quarantine) high scoring spam,
> which on my server is anything above 15. I have yet to see a
> false-positive score that high. If these get deleted without your users
> even seeing them, then all the better. There's no way anyone would
> accidentally use this exploit in a legitimate email.

Ok, here is the problem.

Not all of our users want spamassassin. Some do, and they run it from .procmailrc in their homedirs.

On the other hand, we have virus scanning globally via mailscanner and f-prot.

The %00/%01 exploit would fall under the same category as iframe blocking in mailscanner.

So I guess I'm looking for a way to filter %00/%01 globally, yet avoid forcing spamassassin globally on all users.

Alternatively, could the iframe blocking be generic-ized in mailscanner in such a way that admins could plugin their own rules into mailscanner so that 'exploit of the week' doesn't have to be hardcoded into mailscanner?

Maybe a special direction clause for /etc/MailScanner/rules ruleset files, eg Url: ?

-Dan

From peter at UCGBOOK.COM Mon Jan 19 22:42:50 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk>
Message-ID: <400C5D6A.2030009@ucgbook.com>

Julian Field wrote:
> You can create the rule by adding this to your spam.assassin.prefs.conf
> file:
> uri IE_VULN /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
> score IE_VULN 100.0
> describe IE_VULN Internet Explorer vulnerability

How does that compare to this rule included in SA? Could it be used with a higher score to serve the same purpose? I have already done that, that's why I'm asking. Should I add the above rule also and go back to the standard score for the one below?

uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
score HTTP_ESCAPED_HOST 1.101 2.403 1.001 1.509

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 19 22:46:19 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> (And that's about the 15th re-write of this email, hopefully
> it is polite this time)

I loved that part! Great!

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 19 22:49:21 2004
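Added example (an editorial illustration, not part of any post in this thread and not MailScanner or SpamAssassin code): the IE_VULN and HTTP_ESCAPED_HOST uri rules quoted in the message above, run side by side over constructed URLs to show where their coverage differs. Python's re module stands in for the Perl regex engine SpamAssassin uses; the AUTHORITY_CTL pattern, the sample URLs and the function names are assumptions introduced here.

```python
import re

# The two rules quoted in the thread, with the Perl /.../ delimiters removed.
# uri rules are unanchored matches against each URI found in a message, so
# search() is used rather than match().
IE_VULN = re.compile(r"https?:\/\/.*%([01][0-9a-f]|7f).*@", re.IGNORECASE)
HTTP_ESCAPED_HOST = re.compile(r"^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]")

# Hypothetical tightened variant (NOT from the thread): the control-character
# escape and the "@" must both sit in the authority part of the URL, that is,
# before the first "/", "?" or "#".
AUTHORITY_CTL = re.compile(
    r"^https?://[^/?#\s]*%(?:[01][0-9a-f]|7f)[^/?#\s]*@", re.IGNORECASE
)

RULES = {
    "IE_VULN": IE_VULN,
    "HTTP_ESCAPED_HOST": HTTP_ESCAPED_HOST,
    "AUTHORITY_CTL": AUTHORITY_CTL,
}

# Constructed sample URIs (documentation domains and a TEST-NET address only).
SAMPLES = {
    # Escaped control character in front of the "@": what the thread is about.
    "spoof_01": "http://www.bank.example%01@192.0.2.10/login.html",
    "spoof_00": "http://www.bank.example%00@192.0.2.10/login.html",
    "spoof_7f": "http://www.bank.example%7F@192.0.2.10/",
    # Escaped printable character in the host, no "@" at all.
    "escaped_host_only": "http://www.shop%2eexample/index.html",
    # Ordinary escaped space in the path.
    "escaped_path": "http://www.example.org/a%20file.html",
    # Userinfo without any escape.
    "plain_userinfo": "http://user@www.example.org/",
    # Escaped newline in the path and an unrelated "@" in the query string.
    "ctl_in_path": "http://www.example.org/a%0Ab?mail=x@example.org",
}


def evaluate(url):
    """Return the set of rule names whose pattern matches the given URI."""
    return {name for name, rx in RULES.items() if rx.search(url)}


def report(samples=SAMPLES):
    """Return (label, url, sorted rule hits) rows for every sample."""
    return [(label, url, sorted(evaluate(url))) for label, url in samples.items()]


if __name__ == "__main__":
    for label, url, hits in report():
        print(f"{label:18} {', '.join(hits) or '-':45} {url}")
```

On these samples, HTTP_ESCAPED_HOST also fires on an escaped host with no control character, while IE_VULN also fires when the escape is in the path and the "@" is in the query string, so the two rules overlap on the spoofed URLs but are not interchangeable.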
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> Ok, here is the problem.
>
> Not all of our users want spamassassin. Some do, and they run
> it from .procmailrc in their homedirs.
>
> On the other hand, we have virus scanning globally via
> mailscanner and f-prot.

Have a look at the MCP functionality. It might do the trick. :-)

Regards,
JP

From spamtrap71892316634 at ANIME.NET Mon Jan 19 23:05:07 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
Message-ID:

On Mon, 19 Jan 2004, Jan-Peter Koopmann wrote:
> > Ok, here is the problem.
> > Not all of our users want spamassassin. Some do, and they run
> > it from .procmailrc in their homedirs.
> > On the other hand, we have virus scanning globally via
> > mailscanner and f-prot.
> Have a look at the MCP functionality. It might do the trick. :-)

err isn't that spamassassin?

I can't see a way to globally block %00/%01 without forcing global usage of spamassassin... or am I mistaken?

-Dan

From david at PLATFORMHOSTING.COM Mon Jan 19 23:12:45 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
Message-ID: <200401192312.i0JNCTD07141@mx1.mailsecurity.net.au>

Sorry for the top post..

Is there anything to stop you from running only a minimal SpamAssassin ruleset on the MailScanner box to catch this stuff?

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Dan Hollis
Sent: Tuesday, 20 January 2004 9:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: blocking %00 / %01 exploits with mailscanner?

On Mon, 19 Jan 2004, Chris Yuzik wrote:
> At 21:23 19/01/2004, you wrote:
> >> So basically, "no, mailscanner can't do that"? It can block iframe
> >> exploits but not URI exploits?
> I'm with Julian on this one. All that matters is that you block these
> extremely dangerous emails from your users. If Spamassassin can do it,
> then why "reinvent the wheel" by making MailScanner do it also?
> I have MailScanner set to delete (and quarantine) high scoring spam,
> which on my server is anything above 15. I have yet to see a
> false-positive score that high. If these get deleted without your users
> even seeing them, then all the better. There's no way anyone would
> accidentally use this exploit in a legitimate email.

Ok, here is the problem.

Not all of our users want spamassassin. Some do, and they run it from .procmailrc in their homedirs.

On the other hand, we have virus scanning globally via mailscanner and f-prot.

The %00/%01 exploit would fall under the same category as iframe blocking in mailscanner.

So I guess I'm looking for a way to filter %00/%01 globally, yet avoid forcing spamassassin globally on all users.

Alternatively, could the iframe blocking be generic-ized in mailscanner in such a way that admins could plugin their own rules into mailscanner so that 'exploit of the week' doesn't have to be hardcoded into mailscanner?

Maybe a special direction clause for /etc/MailScanner/rules ruleset files, eg Url: ?

-Dan

========================================================================
This message has been scanned for spam & viruses by Mail Security.
To report SPAM forward the message to: spam@mailsecurity.net.au
Mail Security www.mailsecurity.net.au
========================================================================

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 19 23:20:57 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> > Have a look at the MCP functionality. It might do the trick. :-)
>
> err isn't that spamassassin?

That depends on your interpretation of "spamassassin".

> I can't see a way to globally block %00/%01 without forcing
> global usage of spamassassin... or am I mistaken?

From my point of view: You are. MCP is using the SpamAssassin engine. It is not using the SpamAssassin rules and its purpose is not to block spam but to filter mails due to their content. It is using only the rules you supply and nothing more.

What do you mean by "the customer does not want spamassassin"? Does he not want spam being filtered by spamassassin, does he not want to use the engine (even though the footprint should be minimal with MCP at least compared to "usual" spamassassin)?

Regards,
JP

From spamtrap71892316634 at ANIME.NET Mon Jan 19 23:35:21 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
Message-ID:

On Tue, 20 Jan 2004, Jan-Peter Koopmann wrote:
> What do you mean by "the customer does not want spamassassin"? Does he
> not want spam being filtered by spamassassin

exactly.

-Dan

From spamtrap71892316634 at ANIME.NET Mon Jan 19 23:44:25 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
Message-ID:

On Tue, 20 Jan 2004, Jan-Peter Koopmann wrote:
> From my point of view: You are. MCP is using the SpamAssassin engine. It
> is not using the SpamAssassin rules and its purpose is not to block spam
> but to filter mails due to their content. It is using only the rules you
> supply and nothing more.

According to the mcp documentation
http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/

It implies mcp is only applied to outbound email, not incoming.

"The point of Message Content Protection (MCP) is to allow you to write
rules for scanning the text content of email messages so you can trap
messages that contain certain numbers of keywords and/or phrases that you
don't want leaving your company."
           ^^^^^^^^^^^^^^^^^^^^

If this is not the case, then the documentation for MCP is worded badly :-/

-Dan

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 19 23:55:51 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> spamassassin"? Does he
> > not want spam being filtered by spamassassin
>
> exactly.

Then you could/should use MCP to block the IE vulnerability. It will do what you want without using the spamassassin rules.

BTW: Talk to your customer again. Depending on your setup all spamassassin (with MailScanner) does is mark spam (in the Subject or in the header). I usually set it up so that spam is tagged in the headers only. Users wanting SpamAssassin then can create a suitable rule. Users who do not want SpamAssassin simply do not and never really notice it. The only reason against SpamAssassin could be horsepower... :-)

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 20 00:03:06 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> According to the mcp documentation
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/
>
> It implies mcp is only applied to outbound email, not incoming.

You either tell MailScanner to treat all mails (e.g. Virus Scanning = yes) or you use rulesets (e.g. Virus Scanning = /usr/local/etc/MailScanner/rules/virus.scanning.rules). Unless you create a ruleset like

From:      yourdomain@com  yes
FromOrTo:  default         no

which would do what you understood, MCP can/will of course work on inbound mail as well.

> "The point of Message Content Protection (MCP) is to allow
> you to write rules for scanning the text content of email
> messages so you can trap messages that contain certain
> numbers of keywords and/or phrases that you don't want
> leaving your company."
> ^^^^^^^^^^^^^^^^^^^^
>
> If this is not the case, then the documentation for MCP is
> worded badly :-/

Out of context: Agreed. Within the MailScanner context and with knowledge of how MailScanner works: No. From my point of view that passage is crystal clear. :-)

Do yourself a favour: Simply try it!

Regards,
JP

From spamtrap71892316634 at ANIME.NET Tue Jan 20 00:15:06 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
Message-ID:

On Tue, 20 Jan 2004, Jan-Peter Koopmann wrote:
> BTW: Talk to your customer again.

All 40,000 of them?

-Dan

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 20 00:34:39 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
Message-ID:

> > BTW: Talk to your customer again.
>
> All 40,000 of them?

You at least make the impression that you are more interested in vituperating than getting advice. Could this possibly be the case? If not: I am sorry.

1. I still think this is a bad decision.
2. How should I/we know your setup? You were saying "Not all of our users" and not "not all of our 40.000 users".
3. Still: My personal advice would be to run SpamAssassin and tag the messages in the header. This is a good service. All 40.000 individual users/customers are then able to decide for themselves what is the best for them.

Regards,
JP

From tristanr at CI.GRANDJCT.CO.US Tue Jan 20 00:35:00 2004
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:21:56 2006
Subject: Listing MailScanner on Sourceforge and the OpenProtect software project
Message-ID:

In my opinion, the Bug-Tracker would be very useful, in addition to the mailing list and FAQ.

I love the mailing list, but it produces a TON of text and searching the archives has its own issues. Occasionally you may find incorrect information (perhaps from me). Sometimes you may find a relevant post, but it is not up-to-date. In some cases the user may give up before finding a solution.

The bug-tracker would help eliminate posts like, "Was that Postfix issue ever resolved?" Granted, you might still have to reply, "Check the bug-tracker [link] #23904". Then when a person searches the archives they will see the link to the bug-tracker, and they will find the current status of the issue.

The bug-tracker would be used for software development issues (feature requests, security concerns, reproducible problems, compatibility issues, etc). The bug-tracker uniquely identifies the issues, and tracks their current status. The mailing list and FAQ will continue to be great tools for all types of support questions.

Utilizing all of these tools simplifies responding to an ever increasing amount of support questions and will help with the management of ongoing issues.

I have one pet peeve with the mailing list archives; I get frustrated when I hit "Back" and then have to click "Refresh" and "Retry" to view the page.

Tristan Rhodes

>>> kevins@BMRB.CO.UK 01/19/04 02:10PM >>>
On Mon, 2004-01-19 at 20:17, Matthias Klose wrote:
>don't forget to enable the bug tracking system ;-) that would be
>better than searching the mailing list.

Please don't, the list archives are quite good enough. Spreading the places solutions can be found will only increase the amount of work required to find the answer (as people tend to put in a finite amount of effort this would probably increase the number of redundant questions rather than reduce them).

From gdoris at ROGERS.COM Tue Jan 20 01:45:36 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:56 2006
Subject: Automatic download of extra SA rule sets
In-Reply-To: <20040119152510.9114621C295@mail.fsl.com>
References: <20040119152510.9114621C295@mail.fsl.com>
Message-ID:

On Mon, 19 Jan 2004, Stephen Swaney wrote:

> Chris Thielen has written a VERY complete and well thought out script to
> download the most commonly used SA rules files and posted a link to his
> script on the SA mail list:
>
> http://sandgnat.com/cmos/rules_du_jour
>
> I have tested this script and it required only minor configuration changes
> to work with MailScanner. It would also be very easy to extend the script to
> get additional Rule Sets.
>
> A couple of caveats:
>
> 1. Test first with the Debug flag set.
> 2. my /etc/mail/spamassassin/local.cf was very old (and not needed). This
> kept spamassassin --lint from running without errors. I removed the file
> and all was well.
>
> 3. Saving the file from a web browser created some problems, run:
>
> wget http://sandgnat.com/cmos/rules_du_jour
>
> to get the file.
>
> Steve

For what it's worth I've made a couple of changes to the script...

- there was a small typo in one of the weeds.cf download sections. You got weeds.cf instead of weeds_2.cf if you activated weeds_2.
- I changed the spamassassin restart to MailScanner reload
- and since we're going spamassassin rule crazy I added their latest evilnumbers.cf rule set.

The updated script is attached.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

-------------- next part --------------
#!/bin/bash

# Version 1.04
## This file updates SpamAssassin RuleSet files from the internet.
##
## It is important that you *only* automatically update
## RuleSet files from people that you trust and that you
## *TEST* this.
##
## Note: When running this script interactively, debug mode is enabled to allow you to view the results.

# Usage instructions:
# 1) Choose rulesets to update (TRUSTED_RULESETS below)
# 2) Configure Local SpamAssassin settings (SA_DIR, MAIL_ADDRESS, SA_RESTART below)
# 3) Run this script periodically (manually or crontab)
# 3a) To run manually, first make it executable (chmod +x rules_du_jour) then execute (./rules_du_jour)
# 3b) To run via cron, edit your cron (crontab -e) and add a line such as this:
#       28 2 * * * /root/bin/rules_du_jour
#     The crontab line above runs /root/bin/rules_du_jour at 2:28AM every day. (choose a different time, please)
#     Make sure the user whose crontab you are editing has permission to write files to the SA config dir.

# Choose Rulesets from this list:
# BIGEVIL TRIPWIRE POPCORN BACKHAIR WEEDS1 WEEDS2 CHICKENPOX
# IMPORTANT: Edit this line to choose which RuleSets to update
TRUSTED_RULESETS="BIGEVIL TRIPWIRE POPCORN BACKHAIR WEEDS2 CHICKENPOX EVILNUMBERS";

#### Local SpamAssassin/system Settings ####
#### Modify these to match your system. ####
SA_DIR="/etc/mail/spamassassin";        # Change this to your SA local config
                                        # directory, probably /etc/mail/spamassassin.
                                        # For amavisd chrooted, this may be:
                                        # /var/amavisd/etc/mail/spamassassin

MAIL_ADDRESS="root";                    # Where do Email notifications go

SA_RESTART="/etc/rc.d/init.d/MailScanner reload";  # Command used to restart spamd
                                        # May be /etc/rc.d/init.d/spamassassin restart
                                        # For amavisd, may be /etc/init.d/amavisd restart

# DEBUG="true";                         # Uncomment this to turn debug mode on (or use -D)

#### End Local SpamAssassin Settings ####

TMPDIR="${SA_DIR}/RulesDuJour";         # Where we store old rulesets. If you delete
                                        # this directory, RuleSets may be detected as
                                        # out of date the next time you run rules_du_jour.

#### CF Files information ####
# These are bash Array Variables ("man bash" for more information)
declare -a CF_URLS;               # Array that contains URLs of the files.
declare -a CF_FILES;              # Local name of the CF file; eg: bigevil.cf
declare -a CF_NAMES;              # Happy Name of CF file; eg: "Big Evil"
declare -a PARSE_NEW_VER_SCRIPTS; # Command to run on the file to retrieve new version info
declare -a CF_MUNGE_SCRIPTS;      # This (optionally) modifies the file; eg: lower scores

#########################################
#### Begin Rules File Registry ####
#########################################

# If you add more RuleSets to your own registry, please contribute the settings to the www.exit0.us wiki
# http://www.exit0.us/index.php/RulesDuJourRuleSets

#### Here are settings for Tripwire. ####
TRIPWIRE=0; # Index of Tripwire data into the arrays is 0
CF_URLS[0]="http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf";
CF_FILES[0]="tripwire.cf";
CF_NAMES[0]="TripWire";
PARSE_NEW_VER_SCRIPTS[0]="grep -i '^[ ]*#.*version' | sort | tail -n1";
CF_MUNGE_SCRIPTS[0]="sed -e s/FVGT_TRIPWIRE_/TW_/g"; # shorten long names to workaround large mail header length

#### Here are settings for Big Evil. ####
BIGEVIL=1; # Index of Big Evil is 1
CF_URLS[1]="http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf";
CF_FILES[1]="bigevil.cf";
CF_NAMES[1]="Big Evil";
PARSE_NEW_VER_SCRIPTS[1]="head -n1";

#### Here are settings for Popcorn. ####
POPCORN=2; # Index of Popcorn is 2
CF_URLS[2]="http://www.emtinc.net/includes/popcorn.cf";
CF_FILES[2]="popcorn.cf";
CF_NAMES[2]="Jennifer's Popcorn";
PARSE_NEW_VER_SCRIPTS[2]="grep -i '^[ ]*#.*version[ ]*[0-9]' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[2]="nothing, yet"; # TODO: Manipulate the scores.

#### Here are settings for Backhair. ####
BACKHAIR=3; # Index of Backhair is 3
CF_URLS[3]="http://www.emtinc.net/includes/backhair.cf";
CF_FILES[3]="backhair.cf";
CF_NAMES[3]="Jennifer's Backhair"; # ;-)
PARSE_NEW_VER_SCRIPTS[3]="grep -i '^[ ]*#.*version[ ]*[0-9]' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[3]="nothing, yet"; # TODO: Manipulate the scores.

#### Here are settings for Weeds 1. ####
WEEDS1=4; # Index of Weeds Set 1 is 4
CF_URLS[4]="http://www.emtinc.net/includes/weeds.cf";
CF_FILES[4]="weeds.cf";
CF_NAMES[4]="Jennifer's Weeds Set (1)";
PARSE_NEW_VER_SCRIPTS[4]="grep -i '^[ ]*#.*version[ ]*[0-9]' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[4]="nothing, yet"; # TODO: Manipulate the scores.

#### Here are settings for Weeds 2. ####
WEEDS2=5; # Index of Weeds Set 2 is 5
CF_URLS[5]="http://www.emtinc.net/includes/weeds_2.cf";
CF_FILES[5]="weeds_2.cf";
CF_NAMES[5]="Jennifer's Weeds Set (2)";
PARSE_NEW_VER_SCRIPTS[5]="grep -i '^[ ]*#.*version[ ]*[0-9]' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[5]="nothing, yet"; # TODO: Manipulate the scores.

#### Here are settings for ChickenPox. ####
CHICKENPOX=6; # Index of ChickenPox is 6
CF_URLS[6]="http://www.emtinc.net/includes/chickenpox.cf";
CF_FILES[6]="chickenpox.cf";
CF_NAMES[6]="Jennifer's ChickenPox";
PARSE_NEW_VER_SCRIPTS[6]="grep -i '^[ ]*#.*version[ ]*[0-9]' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[6]="nothing, yet"; # TODO: Manipulate the scores.

#### Here are settings for EvilNumbers. ####
EVILNUMBERS=7; # Index of EvilNumbers is 7
CF_URLS[7]="http://www.merchantsoverseas.com/wwwroot/gorilla/evilnumbers.cf";
CF_FILES[7]="evilnumbers.cf";
CF_NAMES[7]="Yackley's EvilNumbers";
PARSE_NEW_VER_SCRIPTS[7]="grep -i '^[ ]*#.*version' | sort | tail -n1";
# CF_MUNGE_SCRIPTS[7]="nothing, yet"; # TODO: Manipulate the scores.

#########################################
#### End Rules File Registry ####
#########################################

# Do not update beyond this line unless you know what you are doing.

#########################################
#### Begin rules update code ####
#########################################

# if invoked with -D, enable DEBUG here.
[ "$1" = "-D" ] && DEBUG="true";

# if running interactively, enable DEBUG here.
[ -t 0 ] && DEBUG="true";

# If we're not running interactively, add a random delay here. This should
# help reduce spikes on the servers hosting the rulesets (Thanks, Bob)
MAXDELAY=3600;
DELAY=0;
[ ! -t 0 ] && [ ${MAXDELAY} -gt 0 ] && let DELAY="${RANDOM} % ${MAXDELAY}";
[ "${DEBUG}" ] && [ ${DELAY} -gt 0 ] && echo "Probably running from cron... sleeping for a random interval (${DELAY} seconds)";
[ ${DELAY} -gt 0 ] && sleep ${DELAY};

# Save old working dir
OLDDIR=`pwd`;

# This variable is used to indicate if we should restart spamd. Currently empty (false).
RESTART_REQUIRED="";

[ "${DEBUG}" ] && [ -e ${TMPDIR} ] && echo "Temporary directory already existed: ${TMPDIR}";
[ "${DEBUG}" ] && [ ! -e ${TMPDIR} ] && echo "Temporary directory doesn't exist; creating: ${TMPDIR}";
[ ! -e ${TMPDIR} ] && mkdir ${TMPDIR};
[ "${DEBUG}" ] && echo "Changing to temporary directory: ${TMPDIR}";
cd ${TMPDIR};

for RULESET_NAME in ${TRUSTED_RULESETS} ; do
    INDEX=${!RULESET_NAME};
    CF_URL=${CF_URLS[${INDEX}]};
    CF_FILE=${CF_FILES[${INDEX}]};
    CF_NAME=${CF_NAMES[${INDEX}]};
    PARSE_NEW_VER_SCRIPT=${PARSE_NEW_VER_SCRIPTS[${INDEX}]};
    CF_MUNGE_SCRIPT=${CF_MUNGE_SCRIPTS[${INDEX}]};
    CF_BASENAME=`basename ${CF_URL}`;
    DATE=`date +"%Y%m%d-%H%M"`

    if [ "${DEBUG}" ] ; then
        echo "";
        echo "------ ${RULESET_NAME} ------";
        echo "RULESET_NAME=${RULESET_NAME}";
        echo "INDEX=${INDEX}";
        echo "CF_URL=${CF_URL}";
        echo "CF_FILE=${CF_FILE}";
        echo "CF_NAME=${CF_NAME}";
        echo "PARSE_NEW_VER_SCRIPT=${PARSE_NEW_VER_SCRIPT}";
        echo "CF_MUNGE_SCRIPT=${CF_MUNGE_SCRIPT}";
    fi

    [ "${DEBUG}" ] && [ -f ${TMPDIR}/${CF_BASENAME} ] && echo "Old ${CF_BASENAME} already existed in ${TMPDIR}...";
    [ "${DEBUG}" ] && [ ! -f ${TMPDIR}/${CF_BASENAME} ] && [ ! -f ${SA_DIR}/${CF_FILE} ] && \
        echo "This is the first time downloading ${CF_BASENAME}...";
    [ "${DEBUG}" ] && [ ! -f ${TMPDIR}/${CF_BASENAME} ] && [ -f ${SA_DIR}/${CF_FILE} ] && \
        echo "Copying from ${SA_DIR}/${CF_FILE} to ${TMPDIR}/${CF_BASENAME}...";
    [ ! -f ${TMPDIR}/${CF_BASENAME} ] && [ -f ${SA_DIR}/${CF_FILE} ] && cp ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_BASENAME} && touch -r ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_BASENAME};

    [ "${DEBUG}" ] && echo "Retrieving file from ${CF_URL}...";
    wget -N ${CF_URL} > ${TMPDIR}/wget.log 2>&1;
    grep -q 'saved' ${TMPDIR}/wget.log;
    DOWNLOADED=$?;

    # Check for 4xx
    grep -q 'ERROR 4[0-9][0-9]' ${TMPDIR}/wget.log;
    WAS404=$?;

    # Check for random failure (dns doesn't exist, etc)
    grep -i -q 'failed: ' ${TMPDIR}/wget.log;
    FAILED=$?;

    # Unset WAS404 if the file didn't return 404.
    [ ! ${WAS404} = 0 ] && WAS404=;

    # Unset FAILED if wget succeeded
    [ ! ${FAILED} = 0 ] && FAILED=;

    [ "${FAILED}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} had an unknown error: `cat ${TMPDIR}/wget.log`";
    [ "${WAS404}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} not found at ${CF_URL}";
    [ "${DEBUG}" ] && [ ${WAS404} ] && echo "Got 404 from ${CF_NAME} (${CF_URL})...";
    [ "${DEBUG}" ] && [ ! ${WAS404} ] && ([ ${DOWNLOADED} = 0 ] && echo "New version downloaded..." || echo "${CF_BASENAME} was up to date (skipped downloading of ${CF_URL})...");

    if [ ${DOWNLOADED} = 0 ] ; then
        if [ "${CF_MUNGE_SCRIPT}" ] ; then
            [ "${DEBUG}" ] && echo "Munging output using command: ${CF_MUNGE_SCRIPT}";
            sh -c "${CF_MUNGE_SCRIPT}" < ${TMPDIR}/${CF_BASENAME} > ${TMPDIR}/${CF_BASENAME}.2;
        else
            cp ${TMPDIR}/${CF_BASENAME} ${TMPDIR}/${CF_BASENAME}.2;
        fi

        # Set munged file to same timestamp as downloaded file...
        touch -r ${TMPDIR}/${CF_BASENAME} ${TMPDIR}/${CF_BASENAME}.2;

        [ -f ${SA_DIR}/${CF_FILE} ] && cmp -s ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE} || {
            [ "${DEBUG}" ] && echo "Old version ${SA_DIR}/${CF_FILE} differs from new version ${TMPDIR}/${CF_BASENAME}.2" ;
            [ "${DEBUG}" ] && [ -f ${SA_DIR}/${CF_FILE} ] && echo "Backing up old version...";
            [ -f ${SA_DIR}/${CF_FILE} ] && mv -f ${SA_DIR}/${CF_FILE} ${TMPDIR}/${CF_FILE}.${DATE};

            # Save the command that can be used to undo this change, if rules won't --lint
            [ -f ${TMPDIR}/${CF_FILE}.${DATE} ] && UNDO_COMMAND="${UNDO_COMMAND} mv -f ${TMPDIR}/${CF_FILE}.${DATE} ${SA_DIR}/${CF_FILE};";
            [ ! -f ${TMPDIR}/${CF_FILE}.${DATE} ] && UNDO_COMMAND="${UNDO_COMMAND} rm -f ${SA_DIR}/${CF_FILE};";

            [ "${DEBUG}" ] && [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && echo "Installing new version...";
            [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && mv -f ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE};
            NEWVER=`sh -c "cat ${SA_DIR}/${CF_FILE} | ${PARSE_NEW_VER_SCRIPT}"`;
            [ "${DEBUG}" ] && echo "${CF_NAME} has changed on `hostname`. The new ${CF_NAME} is ${NEWVER}";
            echo -e "${CF_NAME} has changed on `hostname`. The new ${CF_NAME} is ${NEWVER}" \
                | mail -s "RulesDuJour/`hostname`: ${CF_NAME} RuleSet has been updated" ${MAIL_ADDRESS}
            RESTART_REQUIRED="true";
        }
        [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && rm -f ${TMPDIR}/${CF_BASENAME}.2;
    fi
done

[ "${DEBUG}" ] && echo "" && echo "";

[ "${RULES_THAT_404ED}" ] && echo -e "The following rules had 404 errors:${RULES_THAT_404ED}" | mail -s "RulesDuJour/`hostname`: 404 errors" ${MAIL_ADDRESS};
[ "${DEBUG}" ] && [ "${RULES_THAT_404ED}" ] && echo -e "The following rules had 404 errors:${RULES_THAT_404ED}" && echo "";

[ "${RESTART_REQUIRED}" ] && {
    sleep 1
    [ "${DEBUG}" ] && echo "Attempting to --lint the rules.";
    spamassassin --lint > /dev/null 2>&1 ;
    LINTFAILED=$?;

    # Unset LINTFAILED if lint didn't fail.
[ "${LINTFAILED}" = "0" ] && LINTFAILED=; [ "${DEBUG}" ] && [ "${LINTFAILED}" ] && echo "WARNING: spamassassin --lint failed." && echo "Rolling configuration files back, not restarting SpamAssassin." && echo "Rollback command is: ${UNDO_COMMAND}"; [ "${LINTFAILED}" ] && RESTART_REQUIRED= && sh -c "${UNDO_COMMAND}"; [ "${LINTFAILED}" ] && echo "spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command was: ${UNDO_COMMAND}" | mail -s "RulesDuJour/`hostname`: lint failed. Updates rolled back." ${MAIL_ADDRESS}; [ "${DEBUG}" ] && [ "${RESTART_REQUIRED}" ] && echo "Restarting SpamAssassin using: ${SA_RESTART}"; [ "${RESTART_REQUIRED}" ] && ${SA_RESTART} > /dev/null 2>&1 } [ "${DEBUG}" ] && [ ! "${RESTART_REQUIRED}" ] && echo "No files updated; No restart required."; [ "${DEBUG}" ] && echo "Changing back to old working directory: ${OLDDIR}"; cd ${OLDDIR}; From ryan.finnesey at CORPDSG.COM Tue Jan 20 04:43:17 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:56 2006 Subject: Automatic download of extra SA rule sets Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407C0C6@dc012.corpdsg.com> What is a good SA list? Ryan > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Gerry Doris
> Sent: Monday, January 19, 2004 8:46 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Automatic download of extra SA rule sets
>
> On Mon, 19 Jan 2004, Stephen Swaney wrote:
>
> > Chris Thielen has written a VERY complete and well thought out script to
> > download the most commonly used SA rules files and posted a link to his
> > script on the SA mail list:
> >
> > http://sandgnat.com/cmos/rules_du_jour
> >
> > I have tested this script and it required only minor configuration changes
> > to work with MailScanner. It would also be very easy to extend the script to
> > get additional Rule Sets.
> >
> > A couple of caveats:
> >
> > 1. Test first with the Debug flag set.
> > 2. my /etc/mail/spamassassin/local.cf was very old (and not needed). This
> > kept spamassassin --lint from running without errors. I removed the file
> > and all was well.
> >
> > 3. Saving the file from a web browser created some problems, run:
> >
> > wget http://sandgnat.com/cmos/rules_du_jour
> >
> > to get the file.
> >
> > Steve
>
> For what it's worth I've made a couple of changes to the script...
> - there was a small typo in one of weeds.cf download sections. You got
> weeds.cf instead of weeds_2.cf if you activated weeds_2.
> - I changed the spamassassin restart to MailScanner reload
> - and since we're going spamassassin rule crazy I added their latest
> evilnumbers.cf rule set.
>
> The updated script is attached.
>
> --
> Gerry
>
> "The lyfe so short, the craft so long to learne" Chaucer

From nathan at TCPNETWORKS.NET Tue Jan 20 05:17:11 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:56 2006
Subject: sa-learn - Ignore Subject Spam Tag
Message-ID:

Is there a simple way to ignore the spam tag in the subject header when
manually learning spam?

I know that SpamAssassin ignores its own markup and I'm familiar with
using the bayes_ignore_header directives for the MailScanner headers, but
am curious what to do about the spam subject modification.

I suppose I could reconfigure MailScanner to leave the subject alone,
but I prefer not to do this if possible.

Any ideas or workarounds?

Nathan

From doko at CS.TU-BERLIN.DE Tue Jan 20 06:03:39 2004
From: doko at CS.TU-BERLIN.DE (Matthias Klose)
Date: Thu Jan 12 21:21:56 2006
Subject: Listing MailScanner on Sourceforge and the OpenProtect software project
In-Reply-To: <1074546607.11047.18.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21B8A@pascal.priv.bmrb.co.uk> <1074546607.11047.18.camel@bach.kevinspicer.co.uk>
Message-ID: <16396.50363.429863.501233@gargle.gargle.HOWL>

Kevin Spicer writes:
> On Mon, 2004-01-19 at 20:17, Matthias Klose wrote:
>
> >don't forget to enable the bug tracking system ;-) that would be
> >better than searching the mailing list.
>
> Please don't, the list archives are quite good enough. Spreading the
> places solutions can be found will only increase the amount of work
> required to find the answer (as people tend to put in a finite amount of
> effort this would probably increase the number of redundant questions
> rather than reduce them).

the list archives are so good, that patches are resent several times,
answers to forwarded problem reports have to be searched on the list
and cannot be referenced ...

it's no spreading at all, it's about collecting all the information in
one place where it belongs. Obviously it has to be used as well.

Matthias

From pz at CHRIST-NET.SK Tue Jan 20 08:14:11 2004
From: pz at CHRIST-NET.SK (pz)
Date: Thu Jan 12 21:21:56 2006
Subject: MailWatch and MailScanner and Postfix (settings)
In-Reply-To: <67D9E7698329D411936E00508B6590B902773DEB@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773DEB@neelix.lbsltd.co.uk>
Message-ID:

Hello,
I'm trying MailWatch software with mailscanner. I have some problems
with ownership and permissions of files.

in MailScanner.conf

owner postifx
group postfix

but MailWatch can't read quarantine dir, because all new dirs are
created with postfix.postfix ownership.

Same problem is with /var/spool/MailScanner/spamassasin directory
(postfix.postfix)...

php is running in safe mode, can't read files in which owner is not
nobody (apache) owner.

__

Best regards

Peter Zimen

From neilrobst at ALM.ORG.UK Tue Jan 20 08:42:32 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <6.0.1.1.2.20040119211804.03b3eb70@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040119134553.077ea528@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040119211804.03b3eb70@imap.ecs.soton.ac.uk>
Message-ID: <1074588152.9635.6.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

Hmm... my server is barely loaded at all. I've got about 26 users
sending mail via Postfix 2.0.16, Mailscanner (w/ SpamAssassin and
ClamAV). Everything runs on a 2.4GHz, 512Mb Dell PowerEdge 600SC and all
the stats from the box report that it's barely ticking over... certainly
nowhere near what I would call loaded.

We've only really noticed this duplicate mail issue when a mail has been
sent to all ~26 users at once....

Regards,
Neil

On Mon, 2004-01-19 at 21:18, Julian Field wrote:
> At 21:16 19/01/2004, you wrote:
> >Hi all,
> >
> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> >been unable to replicate the problem with the duplicate mails either before
> >or after (as expected) the upgrade. Do you know any details about
> >that -whether it only manifested itself when there were lots of recipients
> >on the message or a high load on the server or what?
>
> It only tended to happen on heavily loaded servers.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 20 08:44:01 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: blocking %00 / %01 exploits with mailscanner?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040120084256.03c94498@imap.ecs.soton.ac.uk>

At 23:44 19/01/2004, you wrote:
>On Tue, 20 Jan 2004, Jan-Peter Koopmann wrote:
>
> >From my point of view: You are. MCP is using the SpamAssassin engine. It
> > is not using the SpamAssassin rules and its purpose is not to block spam
> > but to filter mails due to their content. It is using only the rules you
> > supply and nothing more.
>
>According to the mcp documentation
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/
>
>It implies mcp is only applied to outbound email, not incoming.

It scans everything.

>"The point of Message Content Protection (MCP) is to allow you to write
>rules for scanning the text content of email messages so you can trap
>messages that contain certain numbers of keywords and/or phrases that you
>don't want leaving your company."
>           ^^^^^^^^^^^^^^^^^^^^
>
>If this is not the case, then the documentation for MCP is worded badly
>:-/

Thank you for putting it so gently. I was trying to phrase it in such a way
that it also gave an example use, lest people are left scratching their
heads wondering "what do I want to do that for?".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From neilrobst at ALM.ORG.UK Tue Jan 20 08:55:33 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <400C551C.6090001@themarshalls.co.uk>
References: <400C551C.6090001@themarshalls.co.uk>
Message-ID: <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

Yes... fingers crossed!

Any other issues known with the 4.26-4 beta currently? What's the
general feeling in the community of its stability, etc?

On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> Just for my 2p, my server doesn't have a high load but I suffered
> duplicate mail. My old set up on Slackware didn't suffer, the new on
> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> queue runner and MailScanner got in each other's way with the result that
> MS picked up incomplete messages.
>
> Any way that's all in the past now
>
> Drew
>
> Neil Robst wrote:
>
> >Hi all,
> >
> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> >been unable to replicate the problem with the duplicate mails either before
> >or after (as expected) the upgrade. Do you know any details about
> >that -whether it only manifested itself when there were lots of recipients
> >on the message or a high load on the server or what?
> >
> >Regards,
> >Neil
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
> >
> >
>
> --
> In line with our policy, this message has
> been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 20 08:58:47 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:56 2006
Subject: MailWatch and MailScanner and Postfix (settings)
In-Reply-To:
References: <67D9E7698329D411936E00508B6590B902773DEB@neelix.lbsltd.co.uk>
Message-ID: <400CEDC7.1000506@solid-state-logic.com>

pz wrote:
> Hello,
> I'm trying MailWatch software with mailscanner. I have some problems
> with ownership and permissions of files.
>
> in MailScanner.conf
>
> owner postifx
> group postfix
>
> but MailWatch can't read quarantine dir, because all new dirs are
> created with postfix.postfix ownership.
>
> Same problem is with /var/spool/MailScanner/spamassasin directory
> (postfix.postfix)...
>
> php is running in safe mode, can't read files in which owner is not
> nobody (apache) owner.
>
> __
>
> Best regards
>
> Peter Zimen

Peter

There's a script you need to run that resets all the ownerships on the
quarantine dir. Surprisingly it's called 'fix_quaranteen_permissions'.

You may want to subscribe to the Mailwatch users list...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From drew at THEMARSHALLS.CO.UK Tue Jan 20 09:06:48 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID: <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>

I've been running it now since the weekend without problem. I would
suggest that although marked as a beta and potentially unstable, it's about
as unstable as the production releases :-) The new patches seem to be
working well.

I have to admit, I changed my Postfix set up to bypass the duplicate
problems and haven't changed it back. I now use a rule in Postfix to hold
all incoming mail, let MS collect from the hold queue (The queue runner
doesn't ever run in there) and drop back into the incoming queue for
delivery. It just means that I only have to ever run just one Postfix
instance. I only ever use SMTP connection so don't have to worry about
direct queue injection bypassing MailScanner.

Drew

Neil Robst said:
> Yes... fingers crossed!
>
> Any other issues known with the 4.26-4 beta currently? What's the
> general feeling in the community of its stability, etc?
>
> On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
>> Just for my 2p, my server doesn't have a high load but I suffered
>> duplicate mail. My old set up on Slackware didn't suffer, the new on
>> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
>> queue runner and MailScanner got in each other's way with the result that
>> MS picked up incomplete messages.
>>
>> Any way that's all in the past now
>>
>> Drew
>>
>> Neil Robst wrote:
>>
>> >Hi all,
>> >
>> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
>> >been unable to replicate the problem with the duplicate mails either before
>> >or after (as expected) the upgrade. Do you know any details about
>> >that -whether it only manifested itself when there were lots of recipients
>> >on the message or a high load on the server or what?
>> >
>> >Regards,
>> >Neil
>> >
>> >
>> >--
>> >This message has been scanned for viruses and
>> >dangerous content by MailScanner, and is
>> >believed to be clean.
>> >
>> >
>>
>> --
>> In line with our policy, this message has
>> been scanned for viruses and dangerous
>> content by MailScanner, and is believed to be clean.
>> www.themarshalls.co.uk/policy
>

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From neilrobst at ALM.ORG.UK Tue Jan 20 09:16:31 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
Message-ID: <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

Drew,

Can you explain a bit more about how you've configured postfix, please?
I'm using the suggested setup of two postfix instances - the first runs
everything in a chroot jail and smtp, local and virtual and deferred.
Mailscanner then picks everything out the deferred queue, does its
stuff and drops it back into the incoming queue of the second postfix
instance. Seems to be working well, but you said you'd changed postfix
to bypass the duplicate problems...

Regards,
Neil

On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
> I've been running it now since the weekend without problem. I would
> suggest that although marked as a beta and potentially unstable, it's about
> as unstable as the production releases :-) The new patches seem to be
> working well.
>
> I have to admit, I changed my Postfix set up to bypass the duplicate
> problems and haven't changed it back. I now use a rule in Postfix to hold
> all incoming mail, let MS collect from the hold queue (The queue runner
> doesn't ever run in there) and drop back into the incoming queue for
> delivery. It just means that I only have to ever run just one Postfix
> instance. I only ever use SMTP connection so don't have to worry about
> direct queue injection bypassing MailScanner.
>
> Drew
>
> Neil Robst said:
> > Yes... fingers crossed!
> >
> > Any other issues known with the 4.26-4 beta currently? What's the
> > general feeling in the community of its stability, etc?
> >
> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> >> Just for my 2p, my server doesn't have a high load but I suffered
> >> duplicate mail. My old set up on Slackware didn't suffer, the new on
> >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> >> queue runner and MailScanner got in each other's way with the result that
> >> MS picked up incomplete messages.
> >>
> >> Any way that's all in the past now
> >>
> >> Drew
> >>
> >> Neil Robst wrote:
> >>
> >> >Hi all,
> >> >
> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> >> >been unable to replicate the problem with the duplicate mails either before
> >> >or after (as expected) the upgrade. Do you know any details about
> >> >that -whether it only manifested itself when there were lots of recipients
> >> >on the message or a high load on the server or what?
> >> >
> >> >Regards,
> >> >Neil
> >> >
> >> >
> >> >--
> >> >This message has been scanned for viruses and
> >> >dangerous content by MailScanner, and is
> >> >believed to be clean.
> >> >
> >> >
> >>
> >> --
> >> In line with our policy, this message has
> >> been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >> www.themarshalls.co.uk/policy
> >
>
>
> --
> In line with our policy, this message has
> been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

From kfliong at WOFS.COM Tue Jan 20 09:16:34 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:21:56 2006
Subject: mailscanner docs
In-Reply-To: <400CEDC7.1000506@solid-state-logic.com>
References: <67D9E7698329D411936E00508B6590B902773DEB@neelix.lbsltd.co.uk> <400CEDC7.1000506@solid-state-logic.com>
Message-ID: <6.0.0.22.0.20040120171454.03a81080@192.168.10.2>

err...reading all the settings on bigevil and bayes and stuff makes my head
spin.

Where can I find more info or docs on mailscanner?

Best of all where can I find docs on optimizing mailscanner? This is
important and my server is running like max load when running mailscanner.

Thanks in advance.

From t.d.lee at DURHAM.AC.UK Tue Jan 20 10:00:18 2004
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:21:56 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References:
Message-ID:

On Fri, 16 Jan 2004, Peter Bates wrote:

> > mkettler@EVI-INC.COM 15/01/04 15:56:50 >>>
> At 05:38 AM 1/15/2004, David Lee wrote:
> >"Me, too!" (bayes_toks ~ 50MB, bayes_toks.new ~ 1.4GB). Glad I'm not
> >alone.
> >Yes those sizes are unreasonable... It sounds like expiry is never running
> >on your system.
>
> >Try running expiry manually using sa-learn --force-expire and see if it
> >clears things up.
>
> Well, I've done a --force-expire, and got:
>
> -rw-r--r--   1 postfix  postfix    40M Jan 16 14:51 bayes_seen
> -rw-------   1 postfix  postfix   123k Jan 16 14:51 bayes_journal
> -rw-------   1 postfix  postfix   265M Jan 16 14:51 bayes_toks
> -rw-------   1 postfix  postfix   2.7G Jan 16 13:08 bayes_toks.new
> -rw-r--r--   1 postfix  postfix   4.8M Oct 15 09:22 old_bayes_seen
> -rw-r--r--   1 postfix  postfix    22M Oct 15 09:22 old_bayes_toks
>
> now... and my SA/MS is timing out once again, now I've re-enabled Bayes
> with use_bayes...
>
> I'm almost tempted to have a normal SA run without Bayes, and then use
> MCP to reprocess the message again with Bayes (or vice versa)... the
> fact that the Bayes is making it time out, and then effectively timing
> out the rest of the stuff despite it probably being 'positive' in a lot
> of cases is proving far from jolly...

Hmmm... "sa-learn --force-expire --rebuild", for SA 2.61, seems to help
sometimes. But that is soon to be history, replaced by another problem!

Executive warning: If you were suffering from this problem, and are
thinking of moving to 2.62, then check the following beforehand.

At 2.62, the SA folk seem to have recognised the 2.61 "bayes_toks"
problem, and instead of "bayes_toks.new" are now using filename patterns
"bayes_toks.expire$$" (where $$ is the process id). (Do a diff of the
2.61 and 2.62 versions of "lib/Mail/SpamAssassin/BayesStore.pm".)

BUT... the result is that instead of one huge "bayes_toks.new" file, there
now seem to be an increasing number of orphaned "bayes_toks.expire$$"
files. (Given that $$ could typically span all integers up to 30,000, the
accumulating disk usage results could become 'interesting'...)

I realise such SA details take us somewhat off-topic from strict
MailScanner. But has anyone here got any experience of this with SA 2.62,
or monitoring it on SA lists? (Perhaps I need to rejoin an SA list or at
least ferret through their recent archives...)

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 20 10:05:29 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:56 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References:
Message-ID: <400CFD69.9010001@solid-state-logic.com>

David Lee wrote:
> On Fri, 16 Jan 2004, Peter Bates wrote:
>
>
>>>mkettler@EVI-INC.COM 15/01/04 15:56:50 >>>
>>
>>At 05:38 AM 1/15/2004, David Lee wrote:
>>
>>>"Me, too!" (bayes_toks ~ 50MB, bayes_toks.new ~ 1.4GB). Glad I'm not
>>>alone.
>>>Yes those sizes are unreasonable... It sounds like expiry is never running
>>>on your system.
>>
>>>Try running expiry manually using sa-learn --force-expire and see if it
>>>clears things up.
>>
>>Well, I've done a --force-expire, and got:
>>
>>-rw-r--r--   1 postfix  postfix    40M Jan 16 14:51 bayes_seen
>>-rw-------   1 postfix  postfix   123k Jan 16 14:51 bayes_journal
>>-rw-------   1 postfix  postfix   265M Jan 16 14:51 bayes_toks
>>-rw-------   1 postfix  postfix   2.7G Jan 16 13:08 bayes_toks.new
>>-rw-r--r--   1 postfix  postfix   4.8M Oct 15 09:22 old_bayes_seen
>>-rw-r--r--   1 postfix  postfix    22M Oct 15 09:22 old_bayes_toks
>>
>>now... and my SA/MS is timing out once again, now I've re-enabled Bayes
>>with use_bayes...
>>
>>I'm almost tempted to have a normal SA run without Bayes, and then use
>>MCP to reprocess the message again with Bayes (or vice versa)... the
>>fact that the Bayes is making it time out, and then effectively timing
>>out the rest of the stuff despite it probably being 'positive' in a lot
>>of cases is proving far from jolly...
>
>
> Hmmm... "sa-learn --force-expire --rebuild", for SA 2.61, seems to help
> sometimes. But that is soon to be history, replaced by another problem!
> Executive warning: If you were suffering from this problem, and are
> thinking of moving to 2.62, then check the following beforehand.
>
> At 2.62, the SA folk seem to have recognised the 2.61 "bayes_toks"
> problem, and instead of "bayes_toks.new" are now using filename patterns
> "bayes_toks.expire$$" (where $$ is the process id). (Do a diff of the
> 2.61 and 2.62 versions of "lib/Mail/SpamAssassin/BayesStore.pm".)
>
> BUT... the result is that instead of one huge "bayes_toks.new" file, there
> now seem to be an increasing number of orphaned "bayes_toks.expire$$"
> files. (Given that $$ could typically span all integers up to 30,000, the
> accumulating disk usage results could become 'interesting'...)
>
> I realise such SA details take us somewhat off-topic from strict
> MailScanner. But has anyone here got any experience of this with SA 2.62,
> or monitoring it on SA lists? (Perhaps I need to rejoin an SA list or at
> least ferret through their recent archives...)
>

Can't say that (1) I've seen this on my server or (2) on the sa-talk list.

Perhaps you need to get back on the sa-talk list and ask them??

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From kevins at BMRB.CO.UK Tue Jan 20 10:05:44 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:56 2006
Subject: mailscanner docs
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21BB8@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21BB8@pascal.priv.bmrb.co.uk>
Message-ID: <1074593144.18434.14.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-20 at 09:16, kfliong wrote:

>err...reading all the settings on bigevil and bayes and stuff makes my head
>spin.
>Where can I find more info or docs on mailscanner?

Well that's all SpamAssassin, take a look on the SpamAssassin site.

>Best of all where can I find docs on optimizing mailscanner? This is
>important and my server is running like max load when running
>mailscanner.

Take a look in the FAQ, I _think_ there was some stuff in there.

From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 20 10:10:29 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:56 2006
Subject: mailscanner docs
In-Reply-To: <6.0.0.22.0.20040120171454.03a81080@192.168.10.2>
Message-ID:

> Best of all where can I find docs on optimizing mailscanner? This is
> important and my server is running like max load when running mailscanner.

What are you running exactly?
If you have both SA and MS running at the same time you can have issues.
(ie SA running independent to MS)

From drew at THEMARSHALLS.CO.UK Tue Jan 20 10:20:20 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID: <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>

Neil

What I have done is below, as suggested by Peter Bates and forwarded to me
from this list.

> I'm using MS with Postfix in a slightly 'non-standard' way, but which is
> working fine for 13-15K messages we deal with (actually it might be
> more, I never bothered counting our outgoing email!)...
>
> I'm using a 'header_check' like so:
>
> In main.cf -
> header_checks = pcre:/etc/postfix/header_checks
>
> In header_checks -
> /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
>
> This puts the incoming mail in the 'hold' queue, and then
> I have in MailScanner.conf -
>
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming

With this, you will need to stop postfix.in and uncomment the smtp line in
master.cf (Basically revert your set up to a non-MailScanner set up (It
may be easier if Postfix.in runs chrooted and postfix doesn't to just
alter postfix.in to become just postfix, what ever your mileage!)). Stop
all instances and restart just postfix and you now have one postfix
instance with MailScanner. Works great!

Drew

--

Neil Robst said:
> Drew,
>
> Can you explain a bit more about how you've configured postfix, please?
> I'm using the suggested setup of two postfix instances - the first runs
> everything in a chroot jail and smtp, local and virtual and deferred.
> Mailscanner then picks everything out the deferred queue, does its
> stuff and drops it back into the incoming queue of the second postfix
> instance. Seems to be working well, but you said you'd changed postfix
> to bypass the duplicate problems...
>
> Regards,
> Neil
>
> On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
>> I've been running it now since the weekend without problem. I would
>> suggest that although marked as a beta and potentially unstable, it's about
>> as unstable as the production releases :-) The new patches seem to be
>> working well.
>> I have to admit, I changed my Postfix set up to bypass the duplicate
>> problems and haven't changed it back. I now use a rule in Postfix to hold
>> all incoming mail, let MS collect from the hold queue (The queue runner
>> doesn't ever run in there) and drop back into the incoming queue for
>> delivery. It just means that I only have to ever run just one Postfix
>> instance. I only ever use SMTP connection so don't have to worry about
>> direct queue injection bypassing MailScanner.
>> Drew
>> Neil Robst said:
>> > Yes... fingers crossed!
>> >
>> > Any other issues known with the 4.26-4 beta currently? What's the
>> > general feeling in the community of its stability, etc?
>> >
>> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
>> >> Just for my 2p, my server doesn't have a high load but I suffered
>> >> duplicate mail. My old set up on Slackware didn't suffer, the new on
>> >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
>> >> queue runner and MailScanner got in each other's way with the result that
>> >> MS picked up incomplete messages.
>> >>
>> >> Any way that's all in the past now
> crossed>
>> >>
>> >> Drew
>> >>
>> >> Neil Robst wrote:
>> >>
>> >> >Hi all,
>> >> >
>> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
>> >> >been unable to replicate the problem with the duplicate mails either before
>> >> >or after (as expected) the upgrade. Do you know any details about
>> >> >that -whether it only manifested itself when there were lots of recipients
>> >> >on the message or a high load on the server or what?
>> >> >
>> >> >Regards,
>> >> >Neil
>> >> >
>> >> >
>> >> >--
>> >> >This message has been scanned for viruses and
>> >> >dangerous content by MailScanner, and is
>> >> >believed to be clean.
>> >> >
>> >> >
>> >>
>> >> --
>> >> In line with our policy, this message has
>> >> been scanned for viruses and dangerous
>> >> content by MailScanner, and is believed to be clean.
>> >> www.themarshalls.co.uk/policy
>> >
>> --
>> In line with our policy, this message has
>> been scanned for viruses and dangerous
>> content by MailScanner, and is believed to be clean.
>> www.themarshalls.co.uk/policy
>

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From neilrobst at ALM.ORG.UK Tue Jan 20 10:52:40 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
Message-ID: <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

And you think this resolves the duplicate mail problem?

I'm unsure how it differs (apart from only having one postfix daemon running) from using /var/spool/postfix.in/deferred and /var/spool/postfix/incoming...?

However, as I've just had a report from my users saying that upgrading to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)

On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
> Neil
>
> What I have done is below, as suggested by Peter Bates and forwarded to me from this list.
>
> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is working fine for 13-15K messages we deal with (actually it might be more, I never bothered counting our outgoing email!)...
> > I'm using a 'header_check' like so:
> > In main.cf -
> > header_checks = pcre:/etc/postfix/header_checks
> > In header_checks -
> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
> > This puts the incoming mail in the 'hold' queue, and then
> > I have in MailScanner.conf -
> > Incoming Queue Dir = /var/spool/postfix/hold
> > Outgoing Queue Dir = /var/spool/postfix/incoming
>
> With this, you will need to stop postfix.in and uncomment the smtp line in master.cf (Basically revert your set up to a non-MailScanner set up (It may be easier if Postfix.in runs chrooted and postfix doesn't to just alter postfix.in to become just postfix, whatever your mileage!)).
> Stop all instances and restart just postfix and you now have one postfix instance with MailScanner.
>
> Works great!
>
> Drew

From drew at THEMARSHALLS.CO.UK Tue Jan 20 11:51:44 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
 <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID: <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>

As I understand Postfix doesn't use much in the way of file locking. It doesn't need to. In standard form a message is dropped into the onward directory and the next process is called using a 1b message and so mail makes its way through the MTA. MailScanner upsets it by trying to grab the file from the deferred directory for processing. Now the deferred directory is used by Postfix as the place where mail is put when delivery fails, pending re-try (Keeps the active queues down) and every so often (As set in master.cf) the queue runner process goes to the deferred queue and inspects the messages for any that are due for retry. If the time stamp has expired it picks up the message and tries to deliver it. Through all of this there is not a need for much in the way of locking as what is going to touch that file? Postfix (As far as Postfix is concerned!) and Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix queue runner should happen to try to take the same message, you get the 'still being delivered' message in the logs and up pops a duplicated mail!

Easy way round it, use the hold queue. This is designed to only have messages dropped in it for later inspection by the postmaster and so the queue runner doesn't ever re-inspect this directory. Ideal for MailScanner, message gets dropped (MS knows how to tell when it's complete), picks up the new message, does its bit and puts it back in the incoming queue for Postfix to deal with in its usual efficient manner.

I haven't had a single duplicate since putting this in place.

Drew

Neil Robst said:
> And you think this resolves the duplicate mail problem?
>
> I'm unsure how it differs (apart from only having one postfix daemon running) from using /var/spool/postfix.in/deferred and /var/spool/postfix/incoming...?
>
> However, as I've just had a report from my users saying that upgrading to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
>
> On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
>> Neil
>>
>> What I have done is below, as suggested by Peter Bates and forwarded to me from this list.
>>
>> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is working fine for 13-15K messages we deal with (actually it might be more, I never bothered counting our outgoing email!)...
>> > I'm using a 'header_check' like so:
>> > In main.cf -
>> > header_checks = pcre:/etc/postfix/header_checks
>> > In header_checks -
>> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
>> > This puts the incoming mail in the 'hold' queue, and then
>> > I have in MailScanner.conf -
>> > Incoming Queue Dir = /var/spool/postfix/hold
>> > Outgoing Queue Dir = /var/spool/postfix/incoming
>>
>> With this, you will need to stop postfix.in and uncomment the smtp line in master.cf (Basically revert your set up to a non-MailScanner set up (It may be easier if Postfix.in runs chrooted and postfix doesn't to just alter postfix.in to become just postfix, whatever your mileage!)). Stop all instances and restart just postfix and you now have one postfix instance with MailScanner.
>>
>> Works great!
>>
>> Drew

From mailscanner at ecs.soton.ac.uk Tue Jan 20 12:00:10 2004
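The HOLD rule quoted in this thread can be checked offline against sample headers before relying on it to route every message through MailScanner. This is an added example, not code from the thread or from the Postfix or MailScanner projects; the sample messages are constructed, and the regex flags and the shape of the locally submitted Received header are assumptions about typical Postfix behaviour.

```python
import re

# HOLD rule exactly as posted in the thread (placeholder domain kept as written).
HOLD_RULE = r"^Received:.*by .*\.your.domain.tld \(Postfix\)"

# Assumption: Postfix pcre tables match case-insensitively and let "." match a
# newline by default, so a folded header is matched as one string.
HOLD_RE = re.compile(HOLD_RULE, re.IGNORECASE | re.DOTALL)

# Constructed sample messages; hosts, queue ids and addresses are made up.
SMTP_MAIL = (
    "Received: from client.example.org (client.example.org [192.0.2.10])\n"
    "\tby mx1.your.domain.tld (Postfix) with ESMTP id 3F2A1B4C5D\n"
    "\tfor <user@your.domain.tld>; Tue, 20 Jan 2004 11:51:44 +0000 (GMT)\n"
    "From: sender@example.org\n"
    "Subject: arrived over SMTP\n"
    "\n"
    "body\n"
)

# Assumed header shape for mail handed to Postfix locally rather than over SMTP.
LOCAL_MAIL = (
    "Received: by mx1.your.domain.tld (Postfix, from userid 1000)\n"
    "\tid 7A9C0D1E2F; Tue, 20 Jan 2004 11:52:10 +0000 (GMT)\n"
    "From: cron@your.domain.tld\n"
    "Subject: submitted locally\n"
    "\n"
    "body\n"
)

# Server whose host name does not end in the domain written into the rule.
OTHER_HOST_MAIL = (
    "Received: from client.example.org (client.example.org [192.0.2.10])\n"
    "\tby mx1.example.net (Postfix) with ESMTP id 5B6C7D8E9F;\n"
    "\tTue, 20 Jan 2004 11:53:02 +0000 (GMT)\n"
    "From: sender@example.org\n"
    "Subject: host name outside the rule\n"
    "\n"
    "body\n"
)

SAMPLES = {"smtp": SMTP_MAIL, "local": LOCAL_MAIL, "other_host": OTHER_HOST_MAIL}


def logical_headers(raw_message):
    """Return the headers of a message, with folded lines kept together."""
    text = raw_message.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # the body is never examined
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line       # continuation of previous header
        elif line:
            headers.append(line)
    return headers


def action_for(raw_message):
    """Return 'HOLD' if any logical header matches the rule, else 'NO_MATCH'."""
    for header in logical_headers(raw_message):
        if HOLD_RE.search(header):
            return "HOLD"
    return "NO_MATCH"


def not_held(messages):
    """Names of the messages that the rule would not place in the hold queue."""
    return sorted(name for name, raw in messages.items()
                  if action_for(raw) != "HOLD")


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} {action_for(raw)}")
    print("not held:", ", ".join(not_held(SAMPLES)))
```

A sample that comes back as NO_MATCH would go on to delivery without being picked up from the hold queue, which is the situation Drew's SMTP-only remark covers.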
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
 <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
Message-ID: <6.0.1.1.2.20040120115825.07cc76e0@imap.ecs.soton.ac.uk>

Any chance you could please take a copy of the current Postfix docs off the MailScanner site, update them to use the "hold queue" approach, and mail the resulting docs back to me so I can put them up on the web site (at least as an alternative, quite possibly as a replacement).

This all sounds very good to me. I partially did it the way I did so that the setup was the same split-MTA as sendmail, but if this route is more reliable then I think people should be using it.

At 11:51 20/01/2004, you wrote:
>As I understand Postfix doesn't use much in the way of file locking. It doesn't need to. In standard form a message is dropped into the onward directory and the next process is called using a 1b message and so mail makes its way through the MTA. MailScanner upsets it by trying to grab the file from the deferred directory for processing. Now the deferred directory is used by Postfix as the place where mail is put when delivery fails, pending re-try (Keeps the active queues down) and every so often (As set in master.cf) the queue runner process goes to the deferred queue and inspects the messages for any that are due for retry. If the time stamp has expired it picks up the message and tries to deliver it.
>Through all of this there is not a need for much in the way of locking as what is going to touch that file? Postfix (As far as Postfix is concerned!) and Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix queue runner should happen to try to take the same message, you get the 'still being delivered' message in the logs and up pops a duplicated mail!
>
>Easy way round it, use the hold queue. This is designed to only have messages dropped in it for later inspection by the postmaster and so the queue runner doesn't ever re-inspect this directory. Ideal for MailScanner, message gets dropped (MS knows how to tell when it's complete), picks up the new message, does its bit and puts it back in the incoming queue for Postfix to deal with in its usual efficient manner.
>
>I haven't had a single duplicate since putting this in place.
>
>Drew

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From neilrobst at ALM.ORG.UK Tue Jan 20 12:12:17 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
 <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
Message-ID: <001401c3df4e$a612a9f0$1300a8c0@testpc>

Thanks Drew - I really appreciate your assistance on this and taking the time to explain it to me! I'll try 'your' method and see if that gives me the same success it has you!

Best Regards,
Neil

----- Original Message -----
From: "Drew Marshall"
To:
Sent: Tuesday, January 20, 2004 11:51 AM
Subject: Re: 4.26- beta upgrade (was RE: Another MailScanner User!)

> As I understand Postfix doesn't use much in the way of file locking. It doesn't need to. In standard form a message is dropped into the onward directory and the next process is called using a 1b message and so mail makes its way through the MTA. MailScanner upsets it by trying to grab the file from the deferred directory for processing. Now the deferred directory is used by Postfix as the place where mail is put when delivery fails, pending re-try (Keeps the active queues down) and every so often (As set in master.cf) the queue runner process goes to the deferred queue and inspects the messages for any that are due for retry. If the time stamp has expired it picks up the message and tries to deliver it. Through all of this there is not a need for much in the way of locking as what is going to touch that file? Postfix (As far as Postfix is concerned!) and Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix queue runner should happen to try to take the same message, you get the 'still being delivered' message in the logs and up pops a duplicated mail!
>
> Easy way round it, use the hold queue. This is designed to only have messages dropped in it for later inspection by the postmaster and so the queue runner doesn't ever re-inspect this directory. Ideal for MailScanner, message gets dropped (MS knows how to tell when it's complete), picks up the new message, does its bit and puts it back in the incoming queue for Postfix to deal with in its usual efficient manner.
>
> I haven't had a single duplicate since putting this in place.
>
> Drew

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From drew at THEMARSHALLS.CO.UK Tue Jan 20 12:13:31 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <6.0.1.1.2.20040120115825.07cc76e0@imap.ecs.soton.ac.uk>
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
 <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
 <6.0.1.1.2.20040120115825.07cc76e0@imap.ecs.soton.ac.uk>
Message-ID: <65265.194.70.180.170.1074600811.squirrel@net.themarshalls.co.uk>

Julian

I'm not a programmer, as you may remember ;-), but English I can manage :-) I'll have a look tonight and send it over.

Drew
--

Julian Field said:
> Any chance you could please take a copy of the current Postfix docs off the MailScanner site, update them to use the "hold queue" approach, and mail the resulting docs back to me so I can put them up on the web site (at least as an alternative, quite possibly as a replacement).
>
> This all sounds very good to me. I partially did it the way I did so that the setup was the same split-MTA as sendmail, but if this route is more reliable then I think people should be using it.
>
> At 11:51 20/01/2004, you wrote:
>>As I understand Postfix doesn't use much in the way of file locking. It doesn't need to. In standard form a message is dropped into the onward directory and the next process is called using a 1b message and so mail makes its way through the MTA. MailScanner upsets it by trying to grab the file from the deferred directory for processing.
Now the deferred >>directory is used by Postfix as the place where mail is put when delivery >>fails, pending re-try (Keeps the active queues down) and every so often >>(As set in master.cf) the queue runner process goes to the deffered queue >>and inspects the messages for any that are due for retry. If the time >>stamp has expired it picks up the message and trys to deliver it. Through >>all of this there is not a need for much in the way of locking as what is >>going to touch that file? Postfix (As far as Postfix is concerned!) and >>Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix >>queue runner should happen to try to take the same message, you get the >>'still being delivered' message in the logs and up pops a duplicated >> mail! >> >>Easy way round it, use the hold queue. This is designed to only have >>messages dropped in it for leter inspection by the postmaster and so the >>queue runner doesn't ever re-inspect this directory. Ideal for >>MailScanner, message gets dropped (MS knows how to tell when it's >>complete), picks up the new message, does it's bit and puts it back in >> the >>incoming queue for Postfix to deal with in it's usual efficient manner. >> >>I haven't had a single duplicate since putting this in place. >> >>Drew >> >>Neil Robst said: >> > And you think this resolves the duplicate mail problem? >> > >> > I'm unsure how it differs (apart from only having one postfix daemon >> > running) from using /var/spool/postfix.in/deferred and >> > /var/spool/postfix/incoming...? >> > >> > However, as I've just had a report from my users saying that upgrading >> > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-) >> > >> > >> > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote: >> >> Neil >> >> >> >> What I have done is below, as suggested by Peter Bates and forwarded >> to >> >> me >> >> from this list. 
>> >> >> >> > I'm using MS with Postfix in a slightly 'non-standard' way, but >> which >> >> is >> >> working fine for 13-15K messages we deal with (actually it might be >> >> more, I never bothered counting our outgoing email!)... >> >> > I'm using a 'header_check' like so: >> >> > In main.cf - >> >> > header_checks = pcre:/etc/postfix/header_checks >> >> > In header_checks - >> >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD >> >> > This puts the incoming mail in the 'hold' queue, and then >> >> > I have in MailScanner.conf - >> >> > Incoming Queue Dir = /var/spool/postfix/hold >> >> > Outgoing Queue Dir = /var/spool/postfix/incoming >> >> >> >> With this, you will need to stop postfix.in and uncomment the smtp >> line >> >> in >> >> master.cf (Basically revert your set up to a non-MailScanner set up >> (It >> >> may be easier if Postfix.in runs chrooted and postfix doesn't to just >> >> alter postfix.in to become just postfix, what ever your mileage!)). >> Stop >> >> all instances and restart just postfix and you now have one postfix >> >> instance with MailScanner. >> >> >> >> Works great! >> >> >> >> Drew >> >> -- >> >> >> >> >> >> Neil Robst said: >> >> > Drew, >> >> > >> >> > Can you explain a bit more about how you've configured postfix, >> >> please? >> >> I'm using the suggested setup of two postfix instances - the first >> runs >> >> everything in a chroot jail and smtp, local and virtual and deferred. >> >> Mailscanner then picks everything out the deferred queue, does it's >> >> stuff and drops it back into the incoming queue of the second postfix >> >> instance. Seems to be working well, but you said you'd changed >> postfix >> >> to bypass the duplicate problems... >> >> > >> >> > Regards, >> >> > Neil >> >> > >> >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote: >> >> >> I've been running it now since the weekend without problem. 
I >> would >> >> suggest that although marked as a beta and potentialy unstable, it's >> >> about >> >> >> as unstable as the production releases :-) The new patches seem to >> be >> >> working well. >> >> >> I have to admit, I changed my Postfix set up to by pass the >> duplicate >> >> problems and haven't changed it back. I now use a rule in Postfix to >> >> hold >> >> >> all incoming mail, let MS collect from the hold queue (The queue >> >> runner >> >> doesn't ever run in there) and drop back into the incoming queue for >> >> delivery. It just means that I only have to ever run just one Postfix >> >> instance. I only ever use SMTP connection so don't have to worry >> about >> >> direct queue injection by passing MailScanner. >> >> >> Drew >> >> >> Neil Robst said: >> >> >> > Yes... fingers crossed! >> >> >> > >> >> >> > Any other issues known with the 4.26-4 beta currently? What's >> the >> >> general feeling in the community of it's stability, etc? >> >> >> > >> >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote: >> >> >> >> Just for my 2p, my server doesn't have a high load but I >> suffered >> >> duplicate mail. My old set up on Slackware didn't suffer, the new on >> >> Gentoo did :-( . I'm not quite sure why but it seemed that the >> >> >> Postfix >> >> >> >> queue runner and MailScanner got in each others way with the >> >> result >> >> >> that >> >> >> >> MS picked up incomplete messages. >> >> >> >> >> >> >> >> Any way that's all in the past now > >> >> crossed> >> >> >> >> >> >> >> >> Drew >> >> >> >> >> >> >> >> Neil Robst wrote: >> >> >> >> >> >> >> >> >Hi all, >> >> >> >> > >> >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, >> >> >> though >> >> >> >> I've >> >> >> >> >been unable to replicate the problem with the duplicate mails >> >> either >> >> >> >> before >> >> >> >> >or after (as expected) the upgrade. 
Do you know any details >> about >> >> that -whether it only manifested itself when there were lots of >> >> >> >> recepients >> >> >> >> >on the message or a high load on the server or what? >> >> >> >> > >> >> >> >> >Regards, >> >> >> >> >Neil >> >> >> >> > >> >> >> >> > >> >> >> >> >-- >> >> >> >> >This message has been scanned for viruses and >> >> >> >> >dangerous content by MailScanner, and is >> >> >> >> >believed to be clean. >> >> >> >> > >> >> >> >> > >> >> >> >> >> >> >> >> -- >> >> >> >> In line with our policy, this message has >> >> >> >> been scanned for viruses and dangerous >> >> >> >> content by MailScanner, and is believed to be clean. >> >> >> >> www.themarshalls.co.uk/policy >> >> >> > >> >> >> -- >> >> >> In line with our policy, this message has >> >> >> been scanned for viruses and dangerous >> >> >> content by MailScanner, and is believed to be clean. >> >> >> www.themarshalls.co.uk/policy >> >> > >> >> >> >> >> >> >> >> >> >> -- >> >> In line with our policy, this message has >> >> been scanned for viruses and dangerous >> >> content by MailScanner, and is believed to be clean. >> >> www.themarshalls.co.uk/policy >> > >> >> >>-- >>In line with our policy, this message has >>been scanned for viruses and dangerous >>content by MailScanner, and is believed to be clean. >>www.themarshalls.co.uk/policy > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From neilrobst at ALM.ORG.UK Tue Jan 20 12:36:56 2004 
From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:56 2006 Subject: 4.26- beta upgrade (was RE: Another MailScanner User!) References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> Message-ID: <001b01c3df52$17e769a0$1300a8c0@testpc> Just had a thought about this - Won't it only ----- Original Message -----
From: "Drew Marshall" To: Sent: Tuesday, January 20, 2004 10:20 AM Subject: Re: 4.26- beta upgrade (was RE: Another MailScanner User!) > Neil > > What I have done is below, as suggested by Peter Bates and forwarded to me > from this list. > > > I'm using MS with Postfix in a slightly 'non-standard' way, but which is > working fine for 13-15K messages we deal with (actually it might be > more, I never bothered counting our outgoing email!)... > > I'm using a 'header_check' like so: > > In main.cf - > > header_checks = pcre:/etc/postfix/header_checks > > In header_checks - > > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD > > This puts the incoming mail in the 'hold' queue, and then > > I have in MailScanner.conf - > > Incoming Queue Dir = /var/spool/postfix/hold > > Outgoing Queue Dir = /var/spool/postfix/incoming > > With this, you will need to stop postfix.in and uncomment the smtp line in > master.cf (Basically revert your set up to a non-MailScanner set up (It > may be easier if Postfix.in runs chrooted and postfix doesn't to just > alter postfix.in to become just postfix, what ever your mileage!)). Stop > all instances and restart just postfix and you now have one postfix > instance with MailScanner. > > Works great! > > Drew > -- > > > Neil Robst said: > > Drew, > > > > Can you explain a bit more about how you've configured postfix, please? > I'm using the suggested setup of two postfix instances - the first runs > everything in a chroot jail and smtp, local and virtual and deferred. > Mailscanner then picks everything out the deferred queue, does it's > stuff and drops it back into the incoming queue of the second postfix > instance. Seems to be working well, but you said you'd changed postfix > to bypass the duplicate problems... > > > > Regards, > > Neil > > > > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote: > >> I've been running it now since the weekend without problem. 
I would > suggest that although marked as a beta and potentialy unstable, it's > about > >> as unstable as the production releases :-) The new patches seem to be > working well. > >> I have to admit, I changed my Postfix set up to by pass the duplicate > problems and haven't changed it back. I now use a rule in Postfix to > hold > >> all incoming mail, let MS collect from the hold queue (The queue runner > doesn't ever run in there) and drop back into the incoming queue for > delivery. It just means that I only have to ever run just one Postfix > instance. I only ever use SMTP connection so don't have to worry about > direct queue injection by passing MailScanner. > >> Drew > >> Neil Robst said: > >> > Yes... fingers crossed! > >> > > >> > Any other issues known with the 4.26-4 beta currently? What's the > general feeling in the community of it's stability, etc? > >> > > >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote: > >> >> Just for my 2p, my server doesn't have a high load but I suffered > duplicate mail. My old set up on Slackware didn't suffer, the new on > Gentoo did :-( . I'm not quite sure why but it seemed that the > >> Postfix > >> >> queue runner and MailScanner got in each others way with the result > >> that > >> >> MS picked up incomplete messages. > >> >> > >> >> Any way that's all in the past now >> crossed> > >> >> > >> >> Drew > >> >> > >> >> Neil Robst wrote: > >> >> > >> >> >Hi all, > >> >> > > >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, > >> though > >> >> I've > >> >> >been unable to replicate the problem with the duplicate mails > either > >> >> before > >> >> >or after (as expected) the upgrade. Do you know any details about > that -whether it only manifested itself when there were lots of > >> >> recepients > >> >> >on the message or a high load on the server or what? 
> >> >> > > >> >> >Regards, > >> >> >Neil > >> >> > > >> >> > > >> >> >-- > >> >> >This message has been scanned for viruses and > >> >> >dangerous content by MailScanner, and is > >> >> >believed to be clean. > >> >> > > >> >> > > >> >> > >> >> -- > >> >> In line with our policy, this message has > >> >> been scanned for viruses and dangerous > >> >> content by MailScanner, and is believed to be clean. > >> >> www.themarshalls.co.uk/policy > >> > > >> -- > >> In line with our policy, this message has > >> been scanned for viruses and dangerous > >> content by MailScanner, and is believed to be clean. > >> www.themarshalls.co.uk/policy > > > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From neilrobst at ALM.ORG.UK Tue Jan 20 12:56:11 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:56 2006 Subject: 4.26- beta upgrade (was RE: Another MailScanner User!) Message-ID: <002401c3df54$cb4f88e0$1300a8c0@testpc> oops... sorry everyone. Really must finish writing my posts before hitting the send button :-) ----- Original Message ----- From: "Neil Robst" To: "MailScanner mailing list" Sent: Tuesday, January 20, 2004 12:36 PM Subject: Re: 4.26- beta upgrade (was RE: Another MailScanner User!) > Just had a thought about this - Wont it only > ----- Original Message ----- 
> From: "Drew Marshall" > To: > Sent: Tuesday, January 20, 2004 10:20 AM > Subject: Re: 4.26- beta upgrade (was RE: Another MailScanner User!) > > > > Neil > > > > What I have done is below, as suggested by Peter Bates and forwarded to me > > from this list. > > > > > I'm using MS with Postfix in a slightly 'non-standard' way, but which is > > working fine for 13-15K messages we deal with (actually it might be > > more, I never bothered counting our outgoing email!)... > > > I'm using a 'header_check' like so: > > > In main.cf - > > > header_checks = pcre:/etc/postfix/header_checks > > > In header_checks - > > > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD > > > This puts the incoming mail in the 'hold' queue, and then > > > I have in MailScanner.conf - > > > Incoming Queue Dir = /var/spool/postfix/hold > > > Outgoing Queue Dir = /var/spool/postfix/incoming > > > > With this, you will need to stop postfix.in and uncomment the smtp line in > > master.cf (Basically revert your set up to a non-MailScanner set up (It > > may be easier if Postfix.in runs chrooted and postfix doesn't to just > > alter postfix.in to become just postfix, what ever your mileage!)). Stop > > all instances and restart just postfix and you now have one postfix > > instance with MailScanner. > > > > Works great! > > > > Drew > > -- > > > > > > Neil Robst said: > > > Drew, > > > > > > Can you explain a bit more about how you've configured postfix, please? > > I'm using the suggested setup of two postfix instances - the first runs > > everything in a chroot jail and smtp, local and virtual and deferred. > > Mailscanner then picks everything out the deferred queue, does it's > > stuff and drops it back into the incoming queue of the second postfix > > instance. Seems to be working well, but you said you'd changed postfix > > to bypass the duplicate problems... 
> > > > > > Regards, > > > Neil > > > > > > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote: > > >> I've been running it now since the weekend without problem. I would > > suggest that although marked as a beta and potentialy unstable, it's > > about > > >> as unstable as the production releases :-) The new patches seem to be > > working well. > > >> I have to admit, I changed my Postfix set up to by pass the duplicate > > problems and haven't changed it back. I now use a rule in Postfix to > > hold > > >> all incoming mail, let MS collect from the hold queue (The queue runner > > doesn't ever run in there) and drop back into the incoming queue for > > delivery. It just means that I only have to ever run just one Postfix > > instance. I only ever use SMTP connection so don't have to worry about > > direct queue injection by passing MailScanner. > > >> Drew > > >> Neil Robst said: > > >> > Yes... fingers crossed! > > >> > > > >> > Any other issues known with the 4.26-4 beta currently? What's the > > general feeling in the community of it's stability, etc? > > >> > > > >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote: > > >> >> Just for my 2p, my server doesn't have a high load but I suffered > > duplicate mail. My old set up on Slackware didn't suffer, the new on > > Gentoo did :-( . I'm not quite sure why but it seemed that the > > >> Postfix > > >> >> queue runner and MailScanner got in each others way with the result > > >> that > > >> >> MS picked up incomplete messages. > > >> >> > > >> >> Any way that's all in the past now > >> crossed> > > >> >> > > >> >> Drew > > >> >> > > >> >> Neil Robst wrote: > > >> >> > > >> >> >Hi all, > > >> >> > > > >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, > > >> though > > >> >> I've > > >> >> >been unable to replicate the problem with the duplicate mails > > either > > >> >> before > > >> >> >or after (as expected) the upgrade. 
Do you know any details about > > that -whether it only manifested itself when there were lots of > > >> >> recepients > > >> >> >on the message or a high load on the server or what? > > >> >> > > > >> >> >Regards, > > >> >> >Neil > > >> >> > > > >> >> > > > >> >> >-- > > >> >> >This message has been scanned for viruses and > > >> >> >dangerous content by MailScanner, and is > > >> >> >believed to be clean. > > >> >> > > > >> >> > > > >> >> > > >> >> -- > > >> >> In line with our policy, this message has > > >> >> been scanned for viruses and dangerous > > >> >> content by MailScanner, and is believed to be clean. > > >> >> www.themarshalls.co.uk/policy > > >> > > > >> -- > > >> In line with our policy, this message has > > >> been scanned for viruses and dangerous > > >> content by MailScanner, and is believed to be clean. > > >> www.themarshalls.co.uk/policy > > > > > > > > > > > > > -- > > In line with our policy, this message has > > been scanned for viruses and dangerous > > content by MailScanner, and is believed to be clean. > > www.themarshalls.co.uk/policy > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > From neilrobst at ALM.ORG.UK Tue Jan 20 13:49:23 2004 
From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:56 2006 Subject: 4.26- beta upgrade (was RE: Another MailScanner User!) In-Reply-To: <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> Message-ID: <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com> I've just set this up using the hold queue instead of the deferred queue - just waiting for a test to see whether it's successful or not. One query though - I'm using the rpm install of MailScanner on RedHat Linux 9. It created a config file in /etc/sysconfig/MailScanner which configured the mail server used, as you are probably aware and the directories for the incoming and outgoing mail server config files. This is fine for 'normal' setup when you have two daemons running, however with this mechanism there is only one. Normally I just have MailScanner start on boot automatically which in turn starts the postfix instances. However, in order to make MailScanner work with only one postfix instance, I've had to hack the /etc/rc.d/init.d/MailScanner startup script and comment out the StartOutSendmail routine call. Is there a neater way to do this? Regards, Neil On Tue, 2004-01-20 at 11:51, Drew Marshall wrote: > As I understand Postfix doesn't use much in the way of file locking. It > doesn't need to. In standard form a message is dropped into the onward > directory and the next process is called using a 1b message and so mail > makes it's way through the MTA. MailScanner upsets it by trying to grab > the file from the deferred directory for processing. 
Now the deferred > directory is used by Postfix as the place where mail is put when delivery > fails, pending re-try (Keeps the active queues down) and every so often > (As set in master.cf) the queue runner process goes to the deffered queue > and inspects the messages for any that are due for retry. If the time > stamp has expired it picks up the message and trys to deliver it. Through > all of this there is not a need for much in the way of locking as what is > going to touch that file? Postfix (As far as Postfix is concerned!) and > Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix > queue runner should happen to try to take the same message, you get the > 'still being delivered' message in the logs and up pops a duplicated mail! > > Easy way round it, use the hold queue. This is designed to only have > messages dropped in it for leter inspection by the postmaster and so the > queue runner doesn't ever re-inspect this directory. Ideal for > MailScanner, message gets dropped (MS knows how to tell when it's > complete), picks up the new message, does it's bit and puts it back in the > incoming queue for Postfix to deal with in it's usual efficient manner. > > I haven't had a single duplicate since putting this in place. > > Drew > > Neil Robst said: > > And you think this resolves the duplicate mail problem? > > > > I'm unsure how it differs (apart from only having one postfix daemon > > running) from using /var/spool/postfix.in/deferred and > > /var/spool/postfix/incoming...? > > > > However, as I've just had a report from my users saying that upgrading > > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-) > > > > > > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote: > >> Neil > >> > >> What I have done is below, as suggested by Peter Bates and forwarded to > >> me > >> from this list. 
> >> > >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which > >> is > >> working fine for 13-15K messages we deal with (actually it might be > >> more, I never bothered counting our outgoing email!)... > >> > I'm using a 'header_check' like so: > >> > In main.cf - > >> > header_checks = pcre:/etc/postfix/header_checks > >> > In header_checks - > >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD > >> > This puts the incoming mail in the 'hold' queue, and then > >> > I have in MailScanner.conf - > >> > Incoming Queue Dir = /var/spool/postfix/hold > >> > Outgoing Queue Dir = /var/spool/postfix/incoming > >> > >> With this, you will need to stop postfix.in and uncomment the smtp line > >> in > >> master.cf (Basically revert your set up to a non-MailScanner set up (It > >> may be easier if Postfix.in runs chrooted and postfix doesn't to just > >> alter postfix.in to become just postfix, what ever your mileage!)). Stop > >> all instances and restart just postfix and you now have one postfix > >> instance with MailScanner. > >> > >> Works great! > >> > >> Drew > >> -- > >> > >> > >> Neil Robst said: > >> > Drew, > >> > > >> > Can you explain a bit more about how you've configured postfix, > >> please? > >> I'm using the suggested setup of two postfix instances - the first runs > >> everything in a chroot jail and smtp, local and virtual and deferred. > >> Mailscanner then picks everything out the deferred queue, does it's > >> stuff and drops it back into the incoming queue of the second postfix > >> instance. Seems to be working well, but you said you'd changed postfix > >> to bypass the duplicate problems... > >> > > >> > Regards, > >> > Neil > >> > > >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote: > >> >> I've been running it now since the weekend without problem. 
I would > >> suggest that although marked as a beta and potentialy unstable, it's > >> about > >> >> as unstable as the production releases :-) The new patches seem to be > >> working well. > >> >> I have to admit, I changed my Postfix set up to by pass the duplicate > >> problems and haven't changed it back. I now use a rule in Postfix to > >> hold > >> >> all incoming mail, let MS collect from the hold queue (The queue > >> runner > >> doesn't ever run in there) and drop back into the incoming queue for > >> delivery. It just means that I only have to ever run just one Postfix > >> instance. I only ever use SMTP connection so don't have to worry about > >> direct queue injection by passing MailScanner. > >> >> Drew > >> >> Neil Robst said: > >> >> > Yes... fingers crossed! > >> >> > > >> >> > Any other issues known with the 4.26-4 beta currently? What's the > >> general feeling in the community of it's stability, etc? > >> >> > > >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote: > >> >> >> Just for my 2p, my server doesn't have a high load but I suffered > >> duplicate mail. My old set up on Slackware didn't suffer, the new on > >> Gentoo did :-( . I'm not quite sure why but it seemed that the > >> >> Postfix > >> >> >> queue runner and MailScanner got in each others way with the > >> result > >> >> that > >> >> >> MS picked up incomplete messages. > >> >> >> > >> >> >> Any way that's all in the past now >> >> crossed> > >> >> >> > >> >> >> Drew > >> >> >> > >> >> >> Neil Robst wrote: > >> >> >> > >> >> >> >Hi all, > >> >> >> > > >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, > >> >> though > >> >> >> I've > >> >> >> >been unable to replicate the problem with the duplicate mails > >> either > >> >> >> before > >> >> >> >or after (as expected) the upgrade. 
Do you know any details about > >> that -whether it only manifested itself when there were lots of > >> >> >> recepients > >> >> >> >on the message or a high load on the server or what? > >> >> >> > > >> >> >> >Regards, > >> >> >> >Neil > >> >> >> > > >> >> >> > > >> >> >> >-- > >> >> >> >This message has been scanned for viruses and > >> >> >> >dangerous content by MailScanner, and is > >> >> >> >believed to be clean. > >> >> >> > > >> >> >> > > >> >> >> > >> >> >> -- > >> >> >> In line with our policy, this message has > >> >> >> been scanned for viruses and dangerous > >> >> >> content by MailScanner, and is believed to be clean. > >> >> >> www.themarshalls.co.uk/policy > >> >> > > >> >> -- > >> >> In line with our policy, this message has > >> >> been scanned for viruses and dangerous > >> >> content by MailScanner, and is believed to be clean. > >> >> www.themarshalls.co.uk/policy > >> > > >> > >> > >> > >> > >> -- > >> In line with our policy, this message has > >> been scanned for viruses and dangerous > >> content by MailScanner, and is believed to be clean. > >> www.themarshalls.co.uk/policy > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > www.themarshalls.co.uk/policy From drew at THEMARSHALLS.CO.UK Tue Jan 20 13:56:15 2004 
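A way to check which messages the `header_checks` rule quoted in the message above actually diverts to the hold queue, and which ones would reach delivery without MailScanner seeing them. This is an added example, not code from the thread, MailScanner or Postfix: it approximates Postfix's table matching with Python's `re` (assuming case-insensitive matching against each whole logical header), and the sample messages and function names are constructed for illustration.

```python
import re

# header_checks rule exactly as quoted in the thread.
RULE_LINE = r"/^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD"

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    # Arrives over SMTP on a host named mx1.your.domain.tld.
    "smtp_in": (
        "Received: from client.example.net (client.example.net [192.0.2.10])\n"
        "\tby mx1.your.domain.tld (Postfix) with ESMTP id 4A1B2C3D5E\n"
        "\tfor <user@your.domain.tld>; Tue, 20 Jan 2004 12:00:00 +0000 (GMT)\n"
        "Subject: arrives over SMTP\n"
        "\n"
        "body\n"
    ),
    # Submitted locally through the sendmail command / pickup service.
    "local_pickup": (
        "Received: by mx1.your.domain.tld (Postfix, from userid 1000)\n"
        "\tid 5B2C3D4E6F; Tue, 20 Jan 2004 12:01:00 +0000 (GMT)\n"
        "Subject: submitted locally\n"
        "\n"
        "body\n"
    ),
    # Arrives over SMTP, but the server's name is the bare domain.
    "bare_hostname": (
        "Received: from client.example.net (client.example.net [192.0.2.10])\n"
        "\tby your.domain.tld (Postfix) with ESMTP id 6C3D4E5F70;\n"
        "\tTue, 20 Jan 2004 12:02:00 +0000 (GMT)\n"
        "Subject: bare host name\n"
        "\n"
        "body\n"
    ),
}


def parse_rule(line):
    """Split a '/pattern/flags ACTION' table line into (compiled regex, action)."""
    m = re.match(r"^/(.*)/([A-Za-z]*)\s+(\S+)", line.strip())
    if m is None:
        raise ValueError("not a /pattern/ ACTION line: %r" % line)
    pattern, flag_text, action = m.groups()
    # DOTALL lets '.*' run across the line breaks of a folded header.
    flags = re.DOTALL
    # Postfix pattern tables are case-insensitive by default; 'i' toggles it.
    if "i" not in flag_text:
        flags |= re.IGNORECASE
    return re.compile(pattern, flags), action


def logical_headers(raw_message):
    """Return the header block as logical headers, continuation lines joined."""
    headers = []
    for line in raw_message.splitlines():
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += "\n" + line  # folded continuation of the previous header
        else:
            headers.append(line)
    return headers


def action_for(raw_message, rule):
    """Return the rule's action if any logical header matches, else None."""
    regex, action = rule
    for header in logical_headers(raw_message):
        if regex.search(header):
            return action
    return None


def hold_report(samples=SAMPLES, rule_line=RULE_LINE):
    """Map each sample name to 'HOLD' or None (None = not queued for scanning)."""
    rule = parse_rule(rule_line)
    return {name: action_for(msg, rule) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, action in hold_report().items():
        print("%-14s %s" % (name, action or "not held"))
```

Only `smtp_in` is held: the locally submitted message carries `(Postfix, from userid ...)` rather than `(Postfix)`, and the bare host name has no dot in front of `your`, so neither matches the rule. On a live server, `postmap -q "<header text>" pcre:/etc/postfix/header_checks` runs the same lookup against the real table.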
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:56 2006 Subject: 4.26- beta upgrade (was RE: Another MailScanner User!) In-Reply-To: <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com> References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <32911.194.70.180.170.1074606975.squirrel@net.themarshalls.co.uk> I don't use RH so this is quite funny as I normally have to hack my mail startup scripts to start two instances and MailScanner :-). I would say that there is not a better way to start up the process. Drew Neil Robst said: > I've just set this up using the hold queue instead of the deferred queue > - just waiting for a test to see whether it's successful or not. > > One query though - I'm using the rpm install of MailScanner on RedHat > Linux 9. It created a config file in /etc/sysconfig/MailScanner which > configured the mail server used, as you are probably aware and the > directories for the incoming and outgoing mail server config files. This > is fine for 'normal' setup when you have two daemons running, however > with this mechanism there is only one. Normally I just have MailScanner > start on boot automatically which in turn starts the postfix instances. > > However, in order to make MailScanner work with only one postfix > instance, I've had to hack the /etc/rc.d/init.d/MailScanner startup > script and comment out the StartOutSendmail routine call. Is there a > neater way to do this? 
>
> Regards,
> Neil
>
> On Tue, 2004-01-20 at 11:51, Drew Marshall wrote:
>> As I understand Postfix doesn't use much in the way of file locking. It
>> doesn't need to. In standard form a message is dropped into the onward
>> directory and the next process is called using a 1b message and so mail
>> makes its way through the MTA. MailScanner upsets it by trying to grab
>> the file from the deferred directory for processing. Now the deferred
>> directory is used by Postfix as the place where mail is put when delivery
>> fails, pending re-try (Keeps the active queues down) and every so often
>> (As set in master.cf) the queue runner process goes to the deferred queue
>> and inspects the messages for any that are due for retry. If the time
>> stamp has expired it picks up the message and tries to deliver it. Through
>> all of this there is not a need for much in the way of locking as what is
>> going to touch that file? Postfix (As far as Postfix is concerned!) and
>> Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix
>> queue runner should happen to try to take the same message, you get the
>> 'still being delivered' message in the logs and up pops a duplicated mail!
>>
>> Easy way round it, use the hold queue. This is designed to only have
>> messages dropped in it for later inspection by the postmaster and so the
>> queue runner doesn't ever re-inspect this directory. Ideal for
>> MailScanner, message gets dropped (MS knows how to tell when it's
>> complete), picks up the new message, does its bit and puts it back in the
>> incoming queue for Postfix to deal with in its usual efficient manner.
>>
>> I haven't had a single duplicate since putting this in place.
>>
>> Drew
>>
>> Neil Robst said:
>> > And you think this resolves the duplicate mail problem?
>> >
>> > I'm unsure how it differs (apart from only having one postfix daemon
>> > running) from using /var/spool/postfix.in/deferred and
>> > /var/spool/postfix/incoming...?
>> >
>> > However, as I've just had a report from my users saying that upgrading
>> > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
>> >
>> >
>> > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
>> >> Neil
>> >>
>> >> What I have done is below, as suggested by Peter Bates and forwarded to me
>> >> from this list.
>> >>
>> >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is
>> >> working fine for 13-15K messages we deal with (actually it might be
>> >> more, I never bothered counting our outgoing email!)...
>> >> > I'm using a 'header_check' like so:
>> >> > In main.cf -
>> >> > header_checks = pcre:/etc/postfix/header_checks
>> >> > In header_checks -
>> >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
>> >> > This puts the incoming mail in the 'hold' queue, and then
>> >> > I have in MailScanner.conf -
>> >> > Incoming Queue Dir = /var/spool/postfix/hold
>> >> > Outgoing Queue Dir = /var/spool/postfix/incoming
>> >>
>> >> With this, you will need to stop postfix.in and uncomment the smtp line in
>> >> master.cf (Basically revert your set up to a non-MailScanner set up (It
>> >> may be easier if Postfix.in runs chrooted and postfix doesn't to just
>> >> alter postfix.in to become just postfix, what ever your mileage!)). Stop
>> >> all instances and restart just postfix and you now have one postfix
>> >> instance with MailScanner.
>> >>
>> >> Works great!
>> >>
>> >> Drew
>> >> --
>> >>
>> >>
>> >> Neil Robst said:
>> >> > Drew,
>> >> >
>> >> > Can you explain a bit more about how you've configured postfix, please?
>> >> I'm using the suggested setup of two postfix instances - the first runs
>> >> everything in a chroot jail and smtp, local and virtual and deferred.
>> >> Mailscanner then picks everything out the deferred queue, does its
>> >> stuff and drops it back into the incoming queue of the second postfix
>> >> instance. Seems to be working well, but you said you'd changed postfix
>> >> to bypass the duplicate problems...
>> >> >
>> >> > Regards,
>> >> > Neil
>> >> >
>> >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
>> >> >> I've been running it now since the weekend without problem. I would
>> >> suggest that although marked as a beta and potentially unstable, it's about
>> >> >> as unstable as the production releases :-) The new patches seem to be
>> >> working well.
>> >> >> I have to admit, I changed my Postfix set up to bypass the duplicate
>> >> problems and haven't changed it back. I now use a rule in Postfix to hold
>> >> >> all incoming mail, let MS collect from the hold queue (The queue runner
>> >> doesn't ever run in there) and drop back into the incoming queue for
>> >> delivery. It just means that I only have to ever run just one Postfix
>> >> instance. I only ever use SMTP connection so don't have to worry about
>> >> direct queue injection bypassing MailScanner.
>> >> >> Drew
>> >> >> Neil Robst said:
>> >> >> > Yes... fingers crossed!
>> >> >> >
>> >> >> > Any other issues known with the 4.26-4 beta currently? What's the
>> >> general feeling in the community of its stability, etc?
>> >> >> >
>> >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
>> >> >> >> Just for my 2p, my server doesn't have a high load but I suffered
>> >> duplicate mail. My old set up on Slackware didn't suffer, the new on
>> >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
>> >> >> >> queue runner and MailScanner got in each other's way with the result that
>> >> >> >> MS picked up incomplete messages.
>> >> >> >>
>> >> >> >> Any way that's all in the past now <fingers crossed>
>> >> >> >>
>> >> >> >> Drew
>> >> >> >>
>> >> >> >> Neil Robst wrote:
>> >> >> >>
>> >> >> >> >Hi all,
>> >> >> >> >
>> >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
>> >> >> >> >been unable to replicate the problem with the duplicate mails either before
>> >> >> >> >or after (as expected) the upgrade. Do you know any details about
>> >> that -whether it only manifested itself when there were lots of recipients
>> >> >> >> >on the message or a high load on the server or what?
>> >> >> >> >
>> >> >> >> >Regards,
>> >> >> >> >Neil
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >--
>> >> >> >> >This message has been scanned for viruses and
>> >> >> >> >dangerous content by MailScanner, and is
>> >> >> >> >believed to be clean.
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >> --
>> >> >> >> In line with our policy, this message has
>> >> >> >> been scanned for viruses and dangerous
>> >> >> >> content by MailScanner, and is believed to be clean.
>> >> >> >> www.themarshalls.co.uk/policy
>> >> >> >
>> >> >> --
>> >> >> In line with our policy, this message has
>> >> >> been scanned for viruses and dangerous
>> >> >> content by MailScanner, and is believed to be clean.
>> >> >> www.themarshalls.co.uk/policy
>> >> >
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> In line with our policy, this message has
>> >> been scanned for viruses and dangerous
>> >> content by MailScanner, and is believed to be clean.
>> >> www.themarshalls.co.uk/policy
>> >
>>
>>
>> --
>> In line with our policy, this message has
>> been scanned for viruses and dangerous
>> content by MailScanner, and is believed to be clean.
>> www.themarshalls.co.uk/policy
>
--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From marc at CALIBREDIGITAL.COM Tue Jan 20 14:06:04 2004
From: marc at CALIBREDIGITAL.COM (Marc Anthony P. Barrette)
Date: Thu Jan 12 21:21:56 2006
Subject: Automated Reply from Marc Anthony P. Barrette
Message-ID: <200401201407.i0KE74026647@co.calibre-dd.com>

From: contact@calibredigital.com
Subject: No longer employed by Calibre Digital Pictures
Precedence: bulk

Marc Anthony Barrette is no longer employed by Calibre Digital Pictures.
Please direct any Calibre related email normally sent to Marc Anthony to
contact@calibredigital.com

Thank You

From neilrobst at ALM.ORG.UK Tue Jan 20 14:05:02 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <32911.194.70.180.170.1074606975.squirrel@net.themarshalls.co.uk>
Message-ID: <003d01c3df5e$66270920$1300a8c0@testpc>

Julian, unless someone else suggests something different could I suggest a
change to the MailScanner init.d script so that if the POSTFIXOUTCF variable
isn't defined it doesn't attempt to start an output queue daemon?

Regards,
Neil

----- Original Message -----
From: "Drew Marshall"
To:
Sent: Tuesday, January 20, 2004 1:56 PM
Subject: Re: 4.26- beta upgrade (was RE: Another MailScanner User!)

> I don't use RH so this is quite funny as I normally have to hack my mail
> startup scripts to start two instances and MailScanner :-).
>
> I would say that there is not a better way to start up the process.
>
> Drew
>
> Neil Robst said:
> > I've just set this up using the hold queue instead of the deferred queue
> > - just waiting for a test to see whether it's successful or not.
> >
> > One query though - I'm using the rpm install of MailScanner on RedHat
> > Linux 9. It created a config file in /etc/sysconfig/MailScanner which
> > configured the mail server used, as you are probably aware and the
> > directories for the incoming and outgoing mail server config files. This
> > is fine for 'normal' setup when you have two daemons running, however
> > with this mechanism there is only one. Normally I just have MailScanner
> > start on boot automatically which in turn starts the postfix instances.
> >
> > However, in order to make MailScanner work with only one postfix
> > instance, I've had to hack the /etc/rc.d/init.d/MailScanner startup
> > script and comment out the StartOutSendmail routine call. Is there a
> > neater way to do this?
> >
> > Regards,
> > Neil
> >
> > On Tue, 2004-01-20 at 11:51, Drew Marshall wrote:
> >> As I understand Postfix doesn't use much in the way of file locking. It
> >> doesn't need to. In standard form a message is dropped into the onward
> >> directory and the next process is called using a 1b message and so mail
> >> makes its way through the MTA. MailScanner upsets it by trying to grab
> >> the file from the deferred directory for processing. Now the deferred
> >> directory is used by Postfix as the place where mail is put when delivery
> >> fails, pending re-try (Keeps the active queues down) and every so often
> >> (As set in master.cf) the queue runner process goes to the deferred queue
> >> and inspects the messages for any that are due for retry. If the time
> >> stamp has expired it picks up the message and tries to deliver it. Through
> >> all of this there is not a need for much in the way of locking as what is
> >> going to touch that file? Postfix (As far as Postfix is concerned!) and
> >> Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix
> >> queue runner should happen to try to take the same message, you get the
> >> 'still being delivered' message in the logs and up pops a duplicated mail!
> >>
> >> Easy way round it, use the hold queue. This is designed to only have
> >> messages dropped in it for later inspection by the postmaster and so the
> >> queue runner doesn't ever re-inspect this directory. Ideal for
> >> MailScanner, message gets dropped (MS knows how to tell when it's
> >> complete), picks up the new message, does its bit and puts it back in the
> >> incoming queue for Postfix to deal with in its usual efficient manner.
> >>
> >> I haven't had a single duplicate since putting this in place.
> >>
> >> Drew
> >>
> >> Neil Robst said:
> >> > And you think this resolves the duplicate mail problem?
> >> >
> >> > I'm unsure how it differs (apart from only having one postfix daemon
> >> > running) from using /var/spool/postfix.in/deferred and
> >> > /var/spool/postfix/incoming...?
> >> >
> >> > However, as I've just had a report from my users saying that upgrading
> >> > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
> >> >
> >> >
> >> > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
> >> >> Neil
> >> >>
> >> >> What I have done is below, as suggested by Peter Bates and forwarded to me
> >> >> from this list.
> >> >>
> >> >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is
> >> >> working fine for 13-15K messages we deal with (actually it might be
> >> >> more, I never bothered counting our outgoing email!)...
> >> >> > I'm using a 'header_check' like so:
> >> >> > In main.cf -
> >> >> > header_checks = pcre:/etc/postfix/header_checks
> >> >> > In header_checks -
> >> >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
> >> >> > This puts the incoming mail in the 'hold' queue, and then
> >> >> > I have in MailScanner.conf -
> >> >> > Incoming Queue Dir = /var/spool/postfix/hold
> >> >> > Outgoing Queue Dir = /var/spool/postfix/incoming
> >> >>
> >> >> With this, you will need to stop postfix.in and uncomment the smtp line in
> >> >> master.cf (Basically revert your set up to a non-MailScanner set up (It
> >> >> may be easier if Postfix.in runs chrooted and postfix doesn't to just
> >> >> alter postfix.in to become just postfix, what ever your mileage!)). Stop
> >> >> all instances and restart just postfix and you now have one postfix
> >> >> instance with MailScanner.
> >> >>
> >> >> Works great!
> >> >>
> >> >> Drew
> >> >> --
> >> >>
> >> >>
> >> >> Neil Robst said:
> >> >> > Drew,
> >> >> >
> >> >> > Can you explain a bit more about how you've configured postfix, please?
> >> >> I'm using the suggested setup of two postfix instances - the first runs
> >> >> everything in a chroot jail and smtp, local and virtual and deferred.
> >> >> Mailscanner then picks everything out the deferred queue, does its
> >> >> stuff and drops it back into the incoming queue of the second postfix
> >> >> instance. Seems to be working well, but you said you'd changed postfix
> >> >> to bypass the duplicate problems...
> >> >> >
> >> >> > Regards,
> >> >> > Neil
> >> >> >
> >> >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
> >> >> >> I've been running it now since the weekend without problem. I would
> >> >> suggest that although marked as a beta and potentially unstable, it's about
> >> >> >> as unstable as the production releases :-) The new patches seem to be
> >> >> working well.
> >> >> >> I have to admit, I changed my Postfix set up to bypass the duplicate
> >> >> problems and haven't changed it back. I now use a rule in Postfix to hold
> >> >> >> all incoming mail, let MS collect from the hold queue (The queue runner
> >> >> doesn't ever run in there) and drop back into the incoming queue for
> >> >> delivery. It just means that I only have to ever run just one Postfix
> >> >> instance. I only ever use SMTP connection so don't have to worry about
> >> >> direct queue injection bypassing MailScanner.
> >> >> >> Drew
> >> >> >> Neil Robst said:
> >> >> >> > Yes... fingers crossed!
> >> >> >> >
> >> >> >> > Any other issues known with the 4.26-4 beta currently? What's the
> >> >> general feeling in the community of its stability, etc?
> >> >> >> >
> >> >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> >> >> >> >> Just for my 2p, my server doesn't have a high load but I suffered
> >> >> duplicate mail. My old set up on Slackware didn't suffer, the new on
> >> >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> >> >> >> >> queue runner and MailScanner got in each other's way with the result that
> >> >> >> >> MS picked up incomplete messages.
> >> >> >> >>
> >> >> >> >> Any way that's all in the past now <fingers crossed>
> >> >> >> >>
> >> >> >> >> Drew
> >> >> >> >>
> >> >> >> >> Neil Robst wrote:
> >> >> >> >>
> >> >> >> >> >Hi all,
> >> >> >> >> >
> >> >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> >> >> >> >> >been unable to replicate the problem with the duplicate mails either before
> >> >> >> >> >or after (as expected) the upgrade. Do you know any details about
> >> >> that -whether it only manifested itself when there were lots of recipients
> >> >> >> >> >on the message or a high load on the server or what?
> >> >> >> >> >
> >> >> >> >> >Regards,
> >> >> >> >> >Neil
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >--
> >> >> >> >> >This message has been scanned for viruses and
> >> >> >> >> >dangerous content by MailScanner, and is
> >> >> >> >> >believed to be clean.
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> In line with our policy, this message has
> >> >> >> >> been scanned for viruses and dangerous
> >> >> >> >> content by MailScanner, and is believed to be clean.
> >> >> >> >> www.themarshalls.co.uk/policy
> >> >> >> >
> >> >> >> --
> >> >> >> In line with our policy, this message has
> >> >> >> been scanned for viruses and dangerous
> >> >> >> content by MailScanner, and is believed to be clean.
> >> >> >> www.themarshalls.co.uk/policy
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> In line with our policy, this message has
> >> >> been scanned for viruses and dangerous
> >> >> content by MailScanner, and is believed to be clean.
> >> >> www.themarshalls.co.uk/policy
> >> >
> >>
> >>
> >> --
> >> In line with our policy, this message has
> >> been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >> www.themarshalls.co.uk/policy
> >
>
>
> --
> In line with our policy, this message has
> been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jfraley at glenraven.com Tue Jan 20 14:17:05 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:21:56 2006
Subject: .exe
Message-ID: <1074608224.4585.11.camel@jfraleyx.glenraven.com>

It looks like I am going may be forced to allow .exe files in email. I
just want to make sure that if I change deny to allow for .exe in the
filename.rules.conf that the file will still be scanned for viruses and
quarantined if there is a virus.

Thanks,

Jon

From mailscanner at ecs.soton.ac.uk Tue Jan 20 14:59:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: .exe
In-Reply-To: <1074608224.4585.11.camel@jfraleyx.glenraven.com>
References: <1074608224.4585.11.camel@jfraleyx.glenraven.com>
Message-ID: <6.0.1.1.2.20040120145902.03f6e970@imap.ecs.soton.ac.uk>

Correct.

At 14:17 20/01/2004, you wrote:
>It looks like I am going may be forced to allow .exe files in email. I
>just want to make sure that if I change deny to allow for .exe in the
>filename.rules.conf that the file will still be scanned for viruses and
>quarantined if there is a virus.
>
>Thanks,
>
>Jon

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 20 13:53:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:56 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID: <6.0.1.1.2.20040120135130.03a15df0@imap.ecs.soton.ac.uk>

At 13:49 20/01/2004, you wrote:
>I've just set this up using the hold queue instead of the deferred queue
>- just waiting for a test to see whether it's successful or not.
>
>One query though - I'm using the rpm install of MailScanner on RedHat
>Linux 9. It created a config file in /etc/sysconfig/MailScanner which
>configured the mail server used, as you are probably aware and the
>directories for the incoming and outgoing mail server config files. This
>is fine for 'normal' setup when you have two daemons running, however
>with this mechanism there is only one. Normally I just have MailScanner
>start on boot automatically which in turn starts the postfix instances.
>
>However, in order to make MailScanner work with only one postfix
>instance, I've had to hack the /etc/rc.d/init.d/MailScanner startup
>script and comment out the StartOutSendmail routine call. Is there a
>neater way to do this?

Not yet, no. I probably need to add another option to
/etc/sysconfig/MailScanner so you can set which type of Postfix setup you
are using. Then it could start the Postfix instances as necessary for the
layout you are using. Default will be 2 Postfixes as that is what is used
now, but the "1 Postfix" setup documentation would need to tell you to
tweak /etc/sysconfig/MailScanner. Unless of course I can auto-detect what
type of setup you are using from the Postfix configuration files. I'll make
it automatic if possible.


>Regards,
>Neil
>
>On Tue, 2004-01-20 at 11:51, Drew Marshall wrote:
> > As I understand Postfix doesn't use much in the way of file locking. It
> > doesn't need to. In standard form a message is dropped into the onward
> > directory and the next process is called using a 1b message and so mail
> > makes its way through the MTA. MailScanner upsets it by trying to grab
> > the file from the deferred directory for processing. Now the deferred
> > directory is used by Postfix as the place where mail is put when delivery
> > fails, pending re-try (Keeps the active queues down) and every so often
> > (As set in master.cf) the queue runner process goes to the deferred queue
> > and inspects the messages for any that are due for retry. If the time
> > stamp has expired it picks up the message and tries to deliver it. Through
> > all of this there is not a need for much in the way of locking as what is
> > going to touch that file? Postfix (As far as Postfix is concerned!) and
> > Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix
> > queue runner should happen to try to take the same message, you get the
> > 'still being delivered' message in the logs and up pops a duplicated mail!
> >
> > Easy way round it, use the hold queue. This is designed to only have
> > messages dropped in it for later inspection by the postmaster and so the
> > queue runner doesn't ever re-inspect this directory. Ideal for
> > MailScanner, message gets dropped (MS knows how to tell when it's
> > complete), picks up the new message, does its bit and puts it back in the
> > incoming queue for Postfix to deal with in its usual efficient manner.
> >
> > I haven't had a single duplicate since putting this in place.
> >
> > Drew
> >
> > Neil Robst said:
> > > And you think this resolves the duplicate mail problem?
> > >
> > > I'm unsure how it differs (apart from only having one postfix daemon
> > > running) from using /var/spool/postfix.in/deferred and
> > > /var/spool/postfix/incoming...?
> > >
> > > However, as I've just had a report from my users saying that upgrading
> > > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
> > >
> > >
> > > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
> > >> Neil
> > >>
> > >> What I have done is below, as suggested by Peter Bates and forwarded to me
> > >> from this list.
> > >>
> > >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is
> > >> working fine for 13-15K messages we deal with (actually it might be
> > >> more, I never bothered counting our outgoing email!)...
> > >> > I'm using a 'header_check' like so:
> > >> > In main.cf -
> > >> > header_checks = pcre:/etc/postfix/header_checks
> > >> > In header_checks -
> > >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
> > >> > This puts the incoming mail in the 'hold' queue, and then
> > >> > I have in MailScanner.conf -
> > >> > Incoming Queue Dir = /var/spool/postfix/hold
> > >> > Outgoing Queue Dir = /var/spool/postfix/incoming
> > >>
> > >> With this, you will need to stop postfix.in and uncomment the smtp line in
> > >> master.cf (Basically revert your set up to a non-MailScanner set up (It
> > >> may be easier if Postfix.in runs chrooted and postfix doesn't to just
> > >> alter postfix.in to become just postfix, what ever your mileage!)). Stop
> > >> all instances and restart just postfix and you now have one postfix
> > >> instance with MailScanner.
> > >>
> > >> Works great!
> > >>
> > >> Drew
> > >> --
> > >>
> > >>
> > >> Neil Robst said:
> > >> > Drew,
> > >> >
> > >> > Can you explain a bit more about how you've configured postfix, please?
> > >> I'm using the suggested setup of two postfix instances - the first runs
> > >> everything in a chroot jail and smtp, local and virtual and deferred.
> > >> Mailscanner then picks everything out the deferred queue, does its
> > >> stuff and drops it back into the incoming queue of the second postfix
> > >> instance. Seems to be working well, but you said you'd changed postfix
> > >> to bypass the duplicate problems...
> > >> >
> > >> > Regards,
> > >> > Neil
> > >> >
> > >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
> > >> >> I've been running it now since the weekend without problem. I would
> > >> suggest that although marked as a beta and potentially unstable, it's about
> > >> >> as unstable as the production releases :-) The new patches seem to be
> > >> working well.
> > >> >> I have to admit, I changed my Postfix set up to bypass the duplicate
> > >> problems and haven't changed it back. I now use a rule in Postfix to hold
> > >> >> all incoming mail, let MS collect from the hold queue (The queue runner
> > >> doesn't ever run in there) and drop back into the incoming queue for
> > >> delivery. It just means that I only have to ever run just one Postfix
> > >> instance. I only ever use SMTP connection so don't have to worry about
> > >> direct queue injection bypassing MailScanner.
> > >> >> Drew
> > >> >> Neil Robst said:
> > >> >> > Yes... fingers crossed!
> > >> >> >
> > >> >> > Any other issues known with the 4.26-4 beta currently? What's the
> > >> general feeling in the community of its stability, etc?
> > >> >> >
> > >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> > >> >> >> Just for my 2p, my server doesn't have a high load but I suffered
> > >> duplicate mail. My old set up on Slackware didn't suffer, the new on
> > >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> > >> >> >> queue runner and MailScanner got in each other's way with the result that
> > >> >> >> MS picked up incomplete messages.
> > >> >> >>
> > >> >> >> Any way that's all in the past now <fingers crossed>
> > >> >> >>
> > >> >> >> Drew
> > >> >> >>
> > >> >> >> Neil Robst wrote:
> > >> >> >>
> > >> >> >> >Hi all,
> > >> >> >> >
> > >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> > >> >> >> >been unable to replicate the problem with the duplicate mails either before
> > >> >> >> >or after (as expected) the upgrade. Do you know any details about
> > >> that -whether it only manifested itself when there were lots of recipients
> > >> >> >> >on the message or a high load on the server or what?
> > >> >> >> >
> > >> >> >> >Regards,
> > >> >> >> >Neil
> > >> >> >> >
> > >> >> >> >
> > >> >> >> >--
> > >> >> >> >This message has been scanned for viruses and
> > >> >> >> >dangerous content by MailScanner, and is
> > >> >> >> >believed to be clean.
> > >> >> >> >
> > >> >> >> >
> > >> >> >>
> > >> >> >> --
> > >> >> >> In line with our policy, this message has
> > >> >> >> been scanned for viruses and dangerous
> > >> >> >> content by MailScanner, and is believed to be clean.
> > >> >> >> www.themarshalls.co.uk/policy
> > >> >> >
> > >> >> --
> > >> >> In line with our policy, this message has
> > >> >> been scanned for viruses and dangerous
> > >> >> content by MailScanner, and is believed to be clean.
> > >> >> www.themarshalls.co.uk/policy
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> In line with our policy, this message has
> > >> been scanned for viruses and dangerous
> > >> content by MailScanner, and is believed to be clean.
> > >> www.themarshalls.co.uk/policy
> > >
> >
> >
> > --
> > In line with our policy, this message has
> > been scanned for viruses and dangerous
> > content by MailScanner, and is believed to be clean.
> > www.themarshalls.co.uk/policy

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jburzenski at AMERICANHM.COM Tue Jan 20 15:18:36 2004
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8098E0008@ahm_exchange2.americanhm.com>

All:

The Open Source Initiative is accepting nominations for the open source
awards. To make a nomination, use the link below.

http://opensource.org/OSA/nominations.php

I've submitted a nomination for Julian and his work on MailScanner. I truly
feel that MailScanner is an exceptional tool that stands out in the open
source community as both a well developed piece of software and as a model
for other open source projects.

Kudos to Julian and the community that has helped MailScanner grow.

Jason Burzenski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/95164ba5/attachment.html

From neilrobst at ALM.ORG.UK Tue Jan 20 15:22:27 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:57 2006
Subject: 4.26- beta upgrade (was RE: Another MailScanner User!)
In-Reply-To: <6.0.1.1.2.20040120135130.03a15df0@imap.ecs.soton.ac.uk>
References: <400C551C.6090001@themarshalls.co.uk> <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk> <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk> <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk> <1074606562.10396.49.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <6.0.1.1.2.20040120135130.03a15df0@imap.ecs.soton.ac.uk>
Message-ID: <1074612146.10396.57.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

If you want to make it automatic, couldn't you just detect whether there
is a /etc/postfix.in and /etc/postfix directories and if there are then
it's a two-daemon setup, else if there is only one of them then it's the
single-daemon config...?

Regards,
Neil

On Tue, 2004-01-20 at 13:53, Julian Field wrote:
> At 13:49 20/01/2004, you wrote:
> >I've just set this up using the hold queue instead of the deferred queue
> >- just waiting for a test to see whether it's successful or not.
> >
> >One query though - I'm using the rpm install of MailScanner on RedHat
> >Linux 9. It created a config file in /etc/sysconfig/MailScanner which
> >configured the mail server used, as you are probably aware and the
> >directories for the incoming and outgoing mail server config files. This
> >is fine for 'normal' setup when you have two daemons running, however
> >with this mechanism there is only one. Normally I just have MailScanner
> >start on boot automatically which in turn starts the postfix instances.
> >
> >However, in order to make MailScanner work with only one postfix
> >instance, I've had to hack the /etc/rc.d/init.d/MailScanner startup
> >script and comment out the StartOutSendmail routine call. Is there a
> >neater way to do this?
>
> Not yet, no. I probably need to add another option to
> /etc/sysconfig/MailScanner so you can set which type of Postfix setup you
> are using. Then it could start the Postfix instances as necessary for the
> layout you are using. Default will be 2 Postfixes as that is what is used
> now, but the "1 Postfix" setup documentation would need to tell you to
> tweak /etc/sysconfig/MailScanner. Unless of course I can auto-detect what
> type of setup you are using from the Postfix configuration files. I'll make
> it automatic if possible.
>
>
> >Regards,
> >Neil
> >
> >On Tue, 2004-01-20 at 11:51, Drew Marshall wrote:
> > > As I understand Postfix doesn't use much in the way of file locking. It
> > > doesn't need to. In standard form a message is dropped into the onward
> > > directory and the next process is called using a 1b message and so mail
> > > makes its way through the MTA. MailScanner upsets it by trying to grab
> > > the file from the deferred directory for processing. Now the deferred
> > > directory is used by Postfix as the place where mail is put when delivery
> > > fails, pending re-try (Keeps the active queues down) and every so often
> > > (As set in master.cf) the queue runner process goes to the deferred queue
> > > and inspects the messages for any that are due for retry. If the time
> > > stamp has expired it picks up the message and tries to deliver it. Through
> > > all of this there is not a need for much in the way of locking as what is
> > > going to touch that file? Postfix (As far as Postfix is concerned!) and
> > > Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix
> > > queue runner should happen to try to take the same message, you get the
> > > 'still being delivered' message in the logs and up pops a duplicated mail!
> > >
> > > Easy way round it, use the hold queue. This is designed to only have
> > > messages dropped in it for later inspection by the postmaster and so the
> > > queue runner doesn't ever re-inspect this directory. Ideal for
> > > MailScanner, message gets dropped (MS knows how to tell when it's
> > > complete), picks up the new message, does its bit and puts it back in the
> > > incoming queue for Postfix to deal with in its usual efficient manner.
> > >
> > > I haven't had a single duplicate since putting this in place.
> > >
> > > Drew
> > >
> > > Neil Robst said:
> > > > And you think this resolves the duplicate mail problem?
> > > >
> > > > I'm unsure how it differs (apart from only having one postfix daemon
> > > > running) from using /var/spool/postfix.in/deferred and
> > > > /var/spool/postfix/incoming...?
> > > >
> > > > However, as I've just had a report from my users saying that upgrading
> > > > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
> > > >
> > > >
> > > > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
> > > >> Neil
> > > >>
> > > >> What I have done is below, as suggested by Peter Bates and forwarded to me
> > > >> from this list.
> > > >>
> > > >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which is
> > > >> working fine for 13-15K messages we deal with (actually it might be
> > > >> more, I never bothered counting our outgoing email!)...
> > > >> > I'm using a 'header_check' like so:
> > > >> > In main.cf -
> > > >> > header_checks = pcre:/etc/postfix/header_checks
> > > >> > In header_checks -
> > > >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
> > > >> > This puts the incoming mail in the 'hold' queue, and then
> > > >> > I have in MailScanner.conf -
> > > >> > Incoming Queue Dir = /var/spool/postfix/hold
> > > >> > Outgoing Queue Dir = /var/spool/postfix/incoming
> > > >>
> > > >> With this, you will need to stop postfix.in and uncomment the smtp line in
> > > >> master.cf (Basically revert your set up to a non-MailScanner set up (It
> > > >> may be easier if Postfix.in runs chrooted and postfix doesn't to just
> > > >> alter postfix.in to become just postfix, what ever your mileage!)). Stop
> > > >> all instances and restart just postfix and you now have one postfix
> > > >> instance with MailScanner.
> > > >>
> > > >> Works great!
> > > >>
> > > >> Drew
> > > >> --
> > > >>
> > > >>
> > > >> Neil Robst said:
> > > >> > Drew,
> > > >> >
> > > >> > Can you explain a bit more about how you've configured postfix, please?
> > > >> I'm using the suggested setup of two postfix instances - the first runs
> > > >> everything in a chroot jail and smtp, local and virtual and deferred.
> > > >> Mailscanner then picks everything out the deferred queue, does its
> > > >> stuff and drops it back into the incoming queue of the second postfix
> > > >> instance. Seems to be working well, but you said you'd changed postfix
> > > >> to bypass the duplicate problems...
> > > >> >
> > > >> > Regards,
> > > >> > Neil
> > > >> >
> > > >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
> > > >> >> I've been running it now since the weekend without problem. I would
> > > >> suggest that although marked as a beta and potentially unstable, it's about
> > > >> >> as unstable as the production releases :-) The new patches seem to be
> > > >> working well.
> > > >> >> I have to admit, I changed my Postfix set up to bypass the duplicate
> > > >> problems and haven't changed it back. I now use a rule in Postfix to hold
> > > >> >> all incoming mail, let MS collect from the hold queue (The queue runner
> > > >> doesn't ever run in there) and drop back into the incoming queue for
> > > >> delivery. It just means that I only have to ever run just one Postfix
> > > >> instance. I only ever use SMTP connection so don't have to worry about
> > > >> direct queue injection bypassing MailScanner.
> > > >> >> Drew
> > > >> >> Neil Robst said:
> > > >> >> > Yes... fingers crossed!
> > > >> >> >
> > > >> >> > Any other issues known with the 4.26-4 beta currently? What's the
> > > >> general feeling in the community of its stability, etc?
> > > >> >> >
> > > >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> > > >> >> >> Just for my 2p, my server doesn't have a high load but I suffered
> > > >> duplicate mail. My old set up on Slackware didn't suffer, the new on
> > > >> Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix
> > > >> >> >> queue runner and MailScanner got in each other's way with the result that
> > > >> >> >> MS picked up incomplete messages.
> > > >> >> >>
> > > >> >> >> Any way that's all in the past now <fingers crossed>
> > > >> >> >>
> > > >> >> >> Drew
> > > >> >> >>
> > > >> >> >> Neil Robst wrote:
> > > >> >> >>
> > > >> >> >> >Hi all,
> > > >> >> >> >
> > > >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've
> > > >> >> >> >been unable to replicate the problem with the duplicate mails either before
> > > >> >> >> >or after (as expected) the upgrade. Do you know any details about
> > > >> that -whether it only manifested itself when there were lots of recipients
> > > >> >> >> >on the message or a high load on the server or what?
> > > >> >> >> > > > > >> >> >> >Regards, > > > >> >> >> >Neil > > > >> >> >> > > > > >> >> >> > > > > >> >> >> >-- > > > >> >> >> >This message has been scanned for viruses and > > > >> >> >> >dangerous content by MailScanner, and is > > > >> >> >> >believed to be clean. > > > >> >> >> > > > > >> >> >> > > > > >> >> >> > > > >> >> >> -- > > > >> >> >> In line with our policy, this message has > > > >> >> >> been scanned for viruses and dangerous > > > >> >> >> content by MailScanner, and is believed to be clean. > > > >> >> >> www.themarshalls.co.uk/policy > > > >> >> > > > > >> >> -- > > > >> >> In line with our policy, this message has > > > >> >> been scanned for viruses and dangerous > > > >> >> content by MailScanner, and is believed to be clean. > > > >> >> www.themarshalls.co.uk/policy > > > >> > > > > >> > > > >> > > > >> > > > >> > > > >> -- > > > >> In line with our policy, this message has > > > >> been scanned for viruses and dangerous > > > >> content by MailScanner, and is believed to be clean. > > > >> www.themarshalls.co.uk/policy > > > > > > > > > > > > > -- > > > In line with our policy, this message has > > > been scanned for viruses and dangerous > > > content by MailScanner, and is believed to be clean. > > > www.themarshalls.co.uk/policy > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 20 15:53:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B8098E0008@ahm_exchange2.ame ricanhm.com> References: <9BDD6D4AD0795C46974D7D46C17883B8098E0008@ahm_exchange2.americanhm.com> Message-ID: <6.0.1.1.2.20040120155133.03f15a40@imap.ecs.soton.ac.uk> May I suggest something: get a few of yourselves together (either on or off the list) and carefully think about the wording you want to use. They don't want to be mailbombed with nominations, but a well-worded one would be much better than a few on-the-spot submissions. At 15:18 20/01/2004, you wrote: >The Open Source Initiative is accepting nominations for the open source >awards. To make a nomination, use the link below. > >http://opensource.org/OSA/nominations.php > > >I've submitted a nomination for Julian and his work on MailScanner. I >truly feel that MailScanner is an exceptional tool that stands out in the >open source community as both a well developed piece of software and as a >model for other open source projects. Kudos to Julian and the community >that has helped MailScanner grow. And thankyou! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chrisk at OS-IT.NET Tue Jan 20 16:03:50 2004 
From: chrisk at OS-IT.NET (Chris Kissinger)
Date: Thu Jan 12 21:21:57 2006
Subject: Spam bypassing gateway server
Message-ID:

Trying to figure out how some spam is totally bypassing the gateway mail
server and not being scanned by MailScanner. The gateway server is the only
MX record, mail sent from the regular mail server to a local domain still
goes out and is scanned by the gateway server then delivered.

On the ones getting through there's no MailScanner headers added, there's
also no headers from it hitting the gateway server at all. If it was a
timeout issue shouldn't it at least have the regular mail headers added?

Any ideas would be great.

Chris

From mailscanner at ecs.soton.ac.uk Tue Jan 20 16:16:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: Spam bypassing gateway server
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040120161413.07d0db58@imap.ecs.soton.ac.uk>

At 16:03 20/01/2004, you wrote:
>Trying to figure out how some spam is totally bypassing the gateway mail
>server and not being scanned by MailScanner. The gateway server is the only
>MX record, mail sent from the regular mail server to a local domain still
>goes out and is scanned by the gateway server then delivered.
>
>On the ones getting through there's no MailScanner headers added, there's
>also no headers from it hitting the gateway server at all. If it was a
>timeout issue shouldn't it at least have the regular mail headers added?

Is the rest of your network firewalled properly? Is there any way to get to
port 25 on any other servers except the gateway mail server? The MX tells
people where they *should* deliver mail. There's nothing stopping the
spammers trying some other host.

Also, on your MailScanner system, check you have stopped the original
sendmail process from running (the one with "-bd" *and* "-q15m" or some
such number in its command-line).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Tue Jan 20 16:12:15 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:57 2006
Subject: Julian Field of the MailScanner Project (fwd)
Message-ID:

Julian,

Too late! I already sent in my words of praise to OSA, included below.

Jeff Earickson
Colby College

---------- Forwarded message ----------
Date: Tue, 20 Jan 2004 10:54:10 -0500 (EST)
From: Jeff A. Earickson To: osa-nominations@opensource.org Subject: Julian Field of the MailScanner Project http://www.mailscanner.info Mr. Field has helped open-source and UNIX email administrators everywhere with a comprehensive and bulletproof anti-virus and anti-spam control for mail servers running a variety of popular email server packages (sendmail, postfix, exim, qmail). MailScanner can use a wide variety of anti-virus software for multiple protection against emailed malware. His Perl code provides fine-grain control over both virus filtering and the use of anti-spam agents such as Spamassassin, various block lists, Razor, DCC, et. al. The sysadmin has complete control over what MailScanner does to email at his site. The most beautiful thing about his code: No major reconfiguration of one's mailer software is needed. In its basic configuration, it is simple and quick to install and use. You do not need to recompile your mail code, eg sendmail, nor do you need to monkey with the config files. You also do not have to run MailScanner in front of the mailer software (ie, have it listen to port 25 instead of the mailer software). It stands as a robust wall between the mailer software's initial handling of email and its final delivery, killing virii and spam efficiently. It is one of the few pieces of software that I know of that gets *more* efficient under heavy load, due to its batch processing of incoming email. Personally speaking, MailScanner has saved my butt and my mail server numerous times during virus outbreaks. My system barely flinched during the Sobig-F onslaught; MailScanner killed more than 120,000 copies of Sobig in a month. ----------------------------------- Jeff A. 
Earickson, Ph.D
Senior UNIX Sysadmin, Email Guru, Colby Communications Sports Photographer
Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 20 16:13:30 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:57 2006
Subject: Spam bypassing gateway server
In-Reply-To:
Message-ID:

Could you post the headers?

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Chris Kissinger
> Sent: 20 January 2004 16:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Spam bypassing gateway server
>
>
> Trying to figure out how some spam is totally bypassing the gateway mail
> server and not being scanned by MailScanner. The gateway server
> is the only
> MX record, mail sent from the regular mail server to a local domain still
> goes out and is scanned by the gateway server then delivered.
>
> On the ones getting through there's no MailScanner headers added, there's
> also no headers from it hitting the gateway server at all. If it was a
> timeout issue shouldn't it at least have the regular mail headers added?
>
> Any ideas would be great.
>
> Chris
>

From cwharris at MORGAN.NET Tue Jan 20 16:21:46 2004
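The headers asked for in this thread show which local host first accepted a message and whether it passed the gateway at all. The check below is an added example, not code from any list member or from MailScanner; the host names `gw.example.org` and `mail.example.org`, the scanner header name and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

GATEWAY = "gw.example.org"      # assumed name of the MailScanner gateway
LOCAL_DOMAIN = "example.org"    # assumed local mail domain

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: accepted by the gateway, scanned, relayed inward.
VIA_GATEWAY = """\
Received: from gw.example.org (gw.example.org [192.0.2.10])
 by mail.example.org with ESMTP id AAA111; Tue, 20 Jan 2004 16:00:02 +0000
Received: from sender.example.net (sender.example.net [198.51.100.7])
 by gw.example.org with ESMTP id BBB222; Tue, 20 Jan 2004 16:00:00 +0000
X-MailScanner: Found to be clean
From: someone@example.net
To: user@example.org
Subject: constructed sample 1

body
"""

# Constructed sample: delivered straight to port 25 of the internal server.
# The two older Received lines are sender-supplied; one names the gateway.
DIRECT = """\
Received: from unknown (unknown [203.0.113.50])
 by mail.example.org with SMTP id CCC333; Tue, 20 Jan 2004 16:05:00 +0000
Received: from localhost by relay.invalid; Tue, 20 Jan 2004 16:04:00 +0000
Received: from nowhere by gw.example.org; Tue, 20 Jan 2004 16:03:00 +0000
From: bulk@example.net
To: user@example.org
Subject: constructed sample 2

body
"""


def is_local(host, local_domain):
    return host == local_domain or host.endswith("." + local_domain)


def trusted_hops(msg, local_domain):
    """Local hosts named in 'by' clauses, newest first.

    Only the unbroken run of local hops at the top of the message is kept:
    each was written by one of our own servers. Everything below the first
    non-local hop arrived with the message and could be forged. A forged
    line placed directly under our entry hop would still be counted, so the
    result is evidence to compare with the MTA logs, not proof.
    """
    hops = []
    for value in msg.get_all("Received", []):
        match = BY_HOST.search(value)
        host = match.group(1).lower().rstrip(".") if match else ""
        if not is_local(host, local_domain):
            break
        hops.append(host)
    return hops


def audit(raw, gateway=GATEWAY, local_domain=LOCAL_DOMAIN):
    """Classify one delivered message by the path its headers record."""
    msg = message_from_string(raw)
    hops = trusted_hops(msg, local_domain)
    via_gateway = gateway in hops
    # Header name is an assumption: any header whose name contains
    # "MailScanner". It is sender-forgeable, so it never overrides the path.
    scanner_header = any("mailscanner" in name.lower() for name in msg.keys())
    if not via_gateway:
        verdict = "bypassed-gateway"
    elif not scanner_header:
        verdict = "gateway-but-unscanned"
    else:
        verdict = "scanned"
    return {
        # Oldest trusted hop: the local host that took the mail from outside.
        "entry_host": hops[-1] if hops else None,
        "via_gateway": via_gateway,
        "scanner_header": scanner_header,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("via gateway", VIA_GATEWAY), ("direct", DIRECT)):
        print(label, audit(raw))
```

An `entry_host` other than the gateway names the server whose port 25 is reachable from outside, which is the host to firewall or to route through the gateway.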
From: cwharris at MORGAN.NET (Chris)
Date: Thu Jan 12 21:21:57 2006
Subject: Customized spam actions.
References: <200401091712.59726.carles@unlimitedmail.org> <6.0.1.1.2.20040109164104.097e43b0@imap.ecs.soton.ac.uk>
Message-ID: <005301c3df71$7fa9f890$2105a8c0@pub.morgan.net>

Just a quick question on this old topic...

if I setup a rules file that looks like this:

To: user1@test.com delete
To: default deliver

Will this make it so that everyone other than user1@test.com will still get
their spam?

Essentially, only user1 will notice anything has changed, right?

Chris


----- Original Message -----
From: "Julian Field"
To:
Sent: Friday, January 09, 2004 10:42 AM
Subject: Re: Customized spam actions.


> At 16:12 09/01/2004, you wrote:
> >Hi,
> >Is it possible to customize the spam actions by email or by domain ?
>
> Yes, using a ruleset. Please read /etc/MailScanner/rules/*
>
> >Example 1: The owner of the mailbox user1@test.com wants that all its email
> >messages marked as spam be bounced, but the owner of the mailbox
> >user2@test.com wants a deliver of its spam messages.
>
> To: user1@test.com bounce
> To: user2@test.com deliver
>
> >Example 2: I want the spam action delete for all the spam detected mails
> >delivered to the domain @dom1.com, but the action deliver for the domain
> >@dom2.com.
>
> To: dom1.com delete
> To: dom2.com deliver
>
> >Is it possible ?
> >I know that it is possible for the virus scan specify which domains or
> >mailboxes will have its email messages scanned using a filename rules, but is
> >it possible too for the spam marked messages ?
>
> Rulesets apply to virtually all configuration options, as given in the
> comment immediately before each configuration option.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

From mailscanner at ecs.soton.ac.uk Tue Jan 20 16:24:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: Customized spam actions.
In-Reply-To: <005301c3df71$7fa9f890$2105a8c0@pub.morgan.net>
References: <200401091712.59726.carles@unlimitedmail.org> <6.0.1.1.2.20040109164104.097e43b0@imap.ecs.soton.ac.uk> <005301c3df71$7fa9f890$2105a8c0@pub.morgan.net>
Message-ID: <6.0.1.1.2.20040120162322.03f15b88@imap.ecs.soton.ac.uk>

Correct.
But I would advise you change "To: default deliver" to
"FromOrTo: default deliver" as otherwise there is no result specified for
any From address. The default line should always say "FromOrTo:" and never
just one or the other.

At 16:21 20/01/2004, you wrote:
>Just a quick question on this old topic...
>
>if I setup a rules file that looks like this:
>
>To: user1@test.com delete
>To: default deliver
>
>Will this make it so that everyone other than user1@test.com will still get
>their spam?
>
>Essentially, only user1 will notice anything has changed, right?
>
>Chris
>
>
>----- Original Message -----
>From: "Julian Field" >To: >Sent: Friday, January 09, 2004 10:42 AM >Subject: Re: Customized spam actions. > > > > At 16:12 09/01/2004, you wrote: > > >Hi, > > >Is it possible to customize the spam actions by email or by domain ? > > > > Yes, using a ruleset. Please read /etc/MailScanner/rules/* > > > > >Example 1: The owner of the mailboxl user1@test.com wants that all its >email > > >messages marked as spam be bounced, but the owner of the mailbox > > >user2@test.com wants a deliver of its spam messages. > > > > To: user1@test.com bounce > > To: user2@test.com deliver > > > > >Example 2: I want the spam action delete for all the spam detected mails > > >delivered to the domain @dom1.com, but the action deliver for the domain > > >@dom2.com. > > > > To: dom1.com delete > > To: dom2.com deliver > > > > >Is it possible ? > > >I know that it is possible for the virus scan especify which domains or > > >mailboxes will have its email messages scaned using a filename rules, but >is > > >it possible too for the spam maked messages ? > > > > Rulesets apply to virtually all configuration options, as given in the > > comment immediately before each configuration option. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From robin at PRIMUS.CA Tue Jan 20 16:23:23 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:57 2006 Subject: default file rule Message-ID: in the file filename.rules.conf it specifies to allow or deny files. What happens to files which are not listed in this file? i.e. .doc extension is not in this list. Is there a default action ? From mkbowman at neo.rr.com Tue Jan 20 16:23:04 2004 
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:21:57 2006
Subject: Spam bypassing gateway server
References:
Message-ID: <000801c3df71$b1207a20$a767a8c0@MKBOWMAN2>

Chris,

I had a similar issue here. We had port 25 opened on the mail servers.
After disabling port 25 from the outside it cured the problem. Now we have
3 mailscanner gateways behind a F5 doing load balancing :)

Matthew

----- Original Message -----
From: "Chris Kissinger"
To:
Sent: Tuesday, January 20, 2004 11:03 AM
Subject: Spam bypassing gateway server


> Trying to figure out how some spam is totally bypassing the gateway mail
> server and not being scanned by MailScanner. The gateway server is the only
> MX record, mail sent from the regular mail server to a local domain still
> goes out and is scanned by the gateway server then delivered.
>
> On the ones getting through there's no MailScanner headers added, there's
> also no headers from it hitting the gateway server at all. If it was a
> timeout issue shouldn't it at least have the regular mail headers added?
>
> Any ideas would be great.
>
> Chris
>

From mailscanner at ecs.soton.ac.uk Tue Jan 20 16:33:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: default file rule
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040120163300.07ea4288@imap.ecs.soton.ac.uk>

At 16:23 20/01/2004, you wrote:
>in the file filename.rules.conf it specifies to allow or deny files. What
>happens to files which are not listed in this file? i.e. .doc extension is
>not in this list. Is there a default action ?

The default is to allow it.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From p.bos at LAKE.XS4ALL.NL Tue Jan 20 16:44:06 2004
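The default-allow behaviour in the reply above, modelled as an added example; it is not MailScanner's own code. It assumes the filename.rules.conf layout of four tab-separated fields (action, regex, log text, user report), assumes the first matching rule wins, and approximates the Perl patterns with Python's `re`, matched case-insensitively; every rule shown is constructed.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action regex log_text user_report lineno")

# Constructed sample rules, one rule per line, fields separated by TABs.
SAMPLE_RULES = (
    "# action\tregex\tlog text\tuser report\n"
    "allow\t\\.jpg$\t-\t-\n"
    "deny\t\\.exe$\tWindows executable\tExecutables are not allowed\n"
)

# Constructed catch-all that turns the default into deny when placed last.
CATCH_ALL = "deny\t.\tAttachments are not allowed\tAttachments are not allowed\n"

# The same catch-all typed with spaces instead of TABs (a common slip).
SPACED = "deny .  Attachments are not allowed  Attachments are not allowed\n"


def parse_rules(text):
    """Return (rules, errors); errors lists (line number, raw line)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = re.split(r"\t+", stripped)
        if len(fields) != 4 or fields[0].lower() not in ("allow", "deny"):
            # Space-separated lines end up here: they do not split into
            # four fields, so the intended rule is never applied.
            errors.append((lineno, line))
            continue
        action, pattern, log_text, user_report = fields
        try:
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error:
            errors.append((lineno, line))
            continue
        rules.append(Rule(action.lower(), regex, log_text, user_report, lineno))
    return rules, errors


def evaluate(filename, rules):
    """First matching rule decides; a name no rule matches is allowed."""
    for rule in rules:
        if rule.regex.search(filename):
            return rule.action, rule.log_text
    return "allow", None


if __name__ == "__main__":
    default_allow, _ = parse_rules(SAMPLE_RULES)
    default_deny, bad = parse_rules(SAMPLE_RULES + CATCH_ALL + SPACED)
    for name in ("report.doc", "photo.jpg", "SETUP.EXE"):
        print(name, evaluate(name, default_allow), evaluate(name, default_deny))
    for lineno, line in bad:
        print("line %d is not four TAB-separated fields: %r" % (lineno, line))
```

With the catch-all in last place, the earlier `allow` rules are what keep `photo.jpg` deliverable, which is why a rules file carries explicit allow lines even though allow is the default.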
From: p.bos at LAKE.XS4ALL.NL (piet.bos) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B8098E0008@ahm_exchange2.americanhm.com> Message-ID: <000701c3df74$9ebaaba0$2201a8c0@pietpentiumiii> anyone who doesn't concur with this statement should immediately stop using MailScanner. Please submit your nomination too! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Burzenski Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/68a718e2/attachment.html From robin at PRIMUS.CA Tue Jan 20 16:47:22 2004 
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:57 2006
Subject: default file rule
In-Reply-To: <6.0.1.1.2.20040120163300.07ea4288@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040120163300.07ea4288@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 20 Jan 2004, Julian Field wrote:
> At 16:23 20/01/2004, you wrote:
> >in the file filename.rules.conf it specifies to allow or deny files. What
> >happens to files which are not listed in this file? i.e. .doc extension is
> >not in this list. Is there a default action ?
>
> The default is to allow it.

Why are there rules which specify to allow certain files? or rather is it
possible to change the default rule?

From chrisk at OS-IT.NET Tue Jan 20 16:49:21 2004
From: chrisk at OS-IT.NET (Chris Kissinger)
Date: Thu Jan 12 21:21:57 2006
Subject: Spam bypassing gateway server
In-Reply-To: <6.0.1.1.2.20040120161413.07d0db58@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 20 Jan 2004, Julian Field wrote:
> Is the rest of your network firewalled properly? Is there any way to get to
> port 25 on any other servers except the gateway mail server? The MX tells
> people where they *should* deliver mail. There's nothing stopping the
> spammers trying some other host.

I don't know why, but I always forget how dedicated spammers are to
disrupting our world. Regular mail server has 25 open as not all domains
hosted on it are scanned by mailscanner. I suppose I could send them all
through and just not do any checks. Guess I'll come up with something...

Thanks Julian, you're always on the ball. (Especially when the stupid
simple answers evade us.)

Chris

From mkbowman at neo.rr.com Tue Jan 20 16:47:40 2004
From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards References: <000701c3df74$9ebaaba0$2201a8c0@pietpentiumiii> Message-ID: <000901c3df75$210a59c0$a767a8c0@MKBOWMAN2> MessageI think Julian needs to be mentioned in the New Year Honours List. Julian Field OBE :) ----- Original Message ----- From: piet.bos To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, January 20, 2004 11:44 AM Subject: Re: Nominations for the Open Source Awards anyone who doesn't concur with this statement should immediately stop using MailScanner. Please submit your nomination too! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Burzenski Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/9ff3f3bf/attachment.html From denis at CROOMBS.ORG Tue Jan 20 16:53:34 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards References: <000701c3df74$9ebaaba0$2201a8c0@pietpentiumiii> Message-ID: <01aa01c3df75$f1d212f0$85b8fea9@Laptop> MessageI have done mine, Julian deserves an award for all his hard work. Denis www.just-servers.co.uk www.just-hosting.net anyone who doesn't concur with this statement should immediately stop using MailScanner. Please submit your nomination too! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Burzenski Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -- This message has been scanned for viruses and dangerous content by Marvin and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From mailscanner at ecs.soton.ac.uk Tue Jan 20 16:51:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: default file rule
In-Reply-To:
References: <6.0.1.1.2.20040120163300.07ea4288@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040120165020.03f27198@imap.ecs.soton.ac.uk>

At 16:47 20/01/2004, you wrote:
>On Tue, 20 Jan 2004, Julian Field wrote:
> > At 16:23 20/01/2004, you wrote:
> > >in the file filename.rules.conf it specifies to allow or deny files. What
> > >happens to files which are not listed in this file? i.e. .doc extension is
> > >not in this list. Is there a default action ?
> >
> > The default is to allow it.
>
>Why are there rules which specify to allow certain files?

Because there are rules later on in the file which may deny them.

> or rather is it
>possible to change the default rule?

If you want to change the default to deny, add a rule at the end of the
file that says

deny	.	Attachments are not allowed	Attachments are not allowed

(Remember to separate each of the 4 fields with tab characters and not just
spaces).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 20 17:05:32 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
In-Reply-To: <000901c3df75$210a59c0$a767a8c0@MKBOWMAN2>
Message-ID:

Nah. We can look into getting him honorary Irish citizenship :)
( much better value!)

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matthew K Bowman Sent: 20 January 2004 16:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Nominations for the Open Source Awards I think Julian needs to be mentioned in the New Year Honours List. Julian Field OBE :) ----- Original Message ----- From: piet.bos To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, January 20, 2004 11:44 AM Subject: Re: Nominations for the Open Source Awards anyone who doesn't concur with this statement should immediately stop using MailScanner. Please submit your nomination too! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Burzenski Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/b9d2b22a/attachment.html From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 20 17:06:20 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards Message-ID: nomination on its way... :-) ________________________________ 
From: Jason Burzenski [mailto:jburzenski@AMERICANHM.COM] Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/d2cebaaf/attachment.html From mkbowman at neo.rr.com Tue Jan 20 17:05:26 2004 From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:21:57 2006 Subject: Nominations for the Open Source Awards References: Message-ID: <000801c3df77$99b00da0$a767a8c0@MKBOWMAN2> MessageGiven the recent winners I think your idea is better. As long as it comes with a lifetime supply of Guiness :) ----- Original Message ----- From: Michele Neylon :: Blacknight Solutions To: Matthew K Bowman ; MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, January 20, 2004 12:05 PM Subject: RE: Nominations for the Open Source Awards Nah. We can look into getting him honorary Irish citizenship :) ( much better value!) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Matthew K Bowman Sent: 20 January 2004 16:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Nominations for the Open Source Awards I think Julian needs to be mentioned in the New Year Honours List. Julian Field OBE :) ----- Original Message ----- From: piet.bos To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, January 20, 2004 11:44 AM Subject: Re: Nominations for the Open Source Awards anyone who doesn't concur with this statement should immediately stop using MailScanner. Please submit your nomination too! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Burzenski Sent: Tuesday, January 20, 2004 4:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Nominations for the Open Source Awards All: The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below. http://opensource.org/OSA/nominations.php I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow. Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/28c747ee/attachment.html From marco at MUW.EDU Tue Jan 20 17:28:14 2004 
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
In-Reply-To: <000801c3df77$99b00da0$a767a8c0@MKBOWMAN2>
References: <000801c3df77$99b00da0$a767a8c0@MKBOWMAN2>
Message-ID: <1074619694.400d652e93dc1@webmail.MUW.Edu>

I would go as far as nominating him for the Nobel Prize, for promoting "Piece of Mind" to all admins and users equally. Also, I take my hat off to all the active members on this list for your invaluable expertise.

Quoting Matthew K Bowman :

> Given the recent winners I think your idea is better. As long as it
> comes with a lifetime supply of Guinness :)
>

From acschmitt at BPA.GOV Tue Jan 20 17:25:11 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
Message-ID: <242663BECAD80B4DAAF2E62788F96917473B0A@exhq01.bud.bpa.gov>

Nomination in.

Andy Schmitt

_____

From: Jason Burzenski [mailto:jburzenski@AMERICANHM.COM]
Sent: Tuesday, January 20, 2004 4:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Nominations for the Open Source Awards

All:

The Open Source Initiative is accepting nominations for the open source awards. To make a nomination, use the link below.

http://opensource.org/OSA/nominations.php

I've submitted a nomination for Julian and his work on MailScanner. I truly feel that MailScanner is an exceptional tool that stands out in the open source community as both a well developed piece of software and as a model for other open source projects. Kudos to Julian and the community that has helped MailScanner grow.

Jason Burzenski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040120/8c39e257/attachment.html

From bagt at TVS2NET.CH Tue Jan 20 17:26:54 2004
From: bagt at TVS2NET.CH (Bagt)
Date: Thu Jan 12 21:21:57 2006
Subject: Mailscanner / Sophos unexpected error
Message-ID: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>

hi,

I have this error

Report: Sophos: Could not check file.zip/manual program.pdf (unexpected
error [0x80040202])

It's the first time, my server has > 50'000 messages analyze.

in my Mailscanner.conf
----------------------
....
Allowed Sophos Error Messages = "corrupt"
...


Sophos Version
--------------

Product version : 3.76
Engine version : 2.17
User interface version : 2.07.031
Platform : Linux/Intel
Released : 01 December 2003
Total viruses (with IDEs) : 86261


How can I fix it ? ( Allowed Sophos Error Messages = "corrupt", "unexpected
error" )

It's only a problem for PDF files ?

Thanks.

From pages at ntin.net Tue Jan 20 17:33:11 2004
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
In-Reply-To: <1074619694.400d652e93dc1@webmail.MUW.Edu>
References: <000801c3df77$99b00da0$a767a8c0@MKBOWMAN2> <1074619694.400d652e93dc1@webmail.MUW.Edu>
Message-ID: <462847413.20040120113311@ntin.net>

Hello Marco,

Tuesday, January 20, 2004, you wrote:

MO> I would go as far as nominating him for the Nobel Prize, for promoting "Piece
MO> of Mind" to all admins and users equally. Also, I take my hat off to all the
MO> active members on this list for your invaluable expertise.

MO> Quoting Matthew K Bowman :

>> Given the recent winners I think your idea is better. As long as it
>> comes with a lifetime supply of Guinness :)
>>

Do you mean "Peace of Mind"?

Piece, a part of a whole: as a : FRAGMENT b :
any of the individual members comprising a unit.

Peace, a state of tranquillity or quiet.

Best regards,
Robert B, NTIN mailto:pages@ntin.net

From mailscanner at ecs.soton.ac.uk Tue Jan 20 17:37:23 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: Mailscanner / Sophos unexpected error
In-Reply-To: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>
References: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>
Message-ID: <6.0.1.1.2.20040120173629.03d71ec0@imap.ecs.soton.ac.uk>

This is a known Sophos problem. There is an option in the MailScanner.conf to allow you to let through files which cause this error. It's called "Allowed Sophos Errors" if I remember correctly.

At 17:26 20/01/2004, you wrote:
>hi,
>
>I have this error
>
>Report: Sophos: Could not check file.zip/manual program.pdf (unexpected
>error [0x80040202])
>
>It's the first time, my server has > 50'000 messages analyze.
>
>in my Mailscanner.conf
>----------------------
>....
>Allowed Sophos Error Messages = "corrupt"
>...
>
>
>Sophos Version
>--------------
>
>Product version : 3.76
>Engine version : 2.17
>User interface version : 2.07.031
>Platform : Linux/Intel
>Released : 01 December 2003
>Total viruses (with IDEs) : 86261
>
>
>How can I fix it ? ( Allowed Sophos Error Messages = "corrupt", "unexpected
>error" )
>
>It's only a problem for PDF files ?
>
>Thanks.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Tue Jan 20 17:38:47 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:21:57 2006
Subject: Mailscanner / Sophos unexpected error
References: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>
Message-ID: <400D67A7.F1DEBA04@ihs.com>

Bagt wrote:
>
> hi,
>
> I have this error
>
> Report: Sophos: Could not check file.zip/manual program.pdf (unexpected
> error [0x80040202])
>
> How can I fix it ? ( Allowed Sophos Error Messages = "corrupt", "unexpected
> error" )

Add to "Allowed Sophos Error Messages" in MailScanner.conf. Your line should look like this:

Allowed Sophos Error Messages = "corrupt", "unexpected error", "0x80040202"

Restart MailScanner.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 20 17:43:38 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:57 2006
Subject: Mailscanner / Sophos unexpected error
In-Reply-To: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>
References: <6.0.0.22.2.20040120181153.02a0c8b8@pop.netplus.ch>
Message-ID: <400D68CA.6000607@solid-state-logic.com>

Hi

my line says....

Allowed Sophos Error Messages = "corrupt", "format not supported"

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Bagt wrote:
> hi,
>
> I have this error
>
> Report: Sophos: Could not check file.zip/manual program.pdf (unexpected
> error [0x80040202])
>
> It's the first time, my server has > 50'000 messages analyze.
>
> in my Mailscanner.conf
> ----------------------
> ....
> Allowed Sophos Error Messages = "corrupt"
> ...
>
>
> Sophos Version
> --------------
>
> Product version : 3.76
> Engine version : 2.17
> User interface version : 2.07.031
> Platform : Linux/Intel
> Released : 01 December 2003
> Total viruses (with IDEs) : 86261
>
>
> How can I fix it ? ( Allowed Sophos Error Messages = "corrupt", "unexpected
> error" )
>
> It's only a problem for PDF files ?
>
> Thanks.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From TGFurnish at HERFF-JONES.COM Tue Jan 20 17:46:00 2004
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:57 2006
Subject: Just the notification for spam?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733618@inex1.herffjones.hj-int>

Is it still Monday? I'm drawing a blank on how to do something.

(How) can I configure MS to deliver a notification to the recipient that a message was quarantined, without actually delivering the message, not even as an attachment?

I've been asked to send recipients a message that basically says "We blocked a message we think is spam, from Bob, with subject Foo - click here if you think the message wasn't spam." But the options I have in the config don't seem to allow for that particular set-up. Can MS do that?

I don't want to deliver the original message at all, but I still want to notify the sender that a message was blocked. Recipients can filter these into a folder and ignore them 99% of the time, but on those occasions when they're expecting a message that doesn't come in, they'd be able to open the spam folder and search for the sender of the missing message, then click a link to release the message.

--
Trever

From marco at MUW.EDU Tue Jan 20 18:12:44 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:21:57 2006
Subject: Nominations for the Open Source Awards
In-Reply-To: <1074619694.400d652e93dc1@webmail.MUW.Edu>
References: <000801c3df77$99b00da0$a767a8c0@MKBOWMAN2> <1074619694.400d652e93dc1@webmail.MUW.Edu>
Message-ID: <1074622364.400d6f9cd0e46@webmail.MUW.Edu>

I stand corrected :)

"Peace of Mind" is what I meant ...

Thank you for the correction

Marco

Quoting NTIN Page Guy :

> Hello Marco,
>
> Tuesday, January 20, 2004, you wrote:
>
>
> MO> I would go as far as nominating him for the Nobel Prize, for promoting "Piece
> MO> of Mind" to all admins and users equally. Also, I take my hat off to all the
> MO> active members on this list for your invaluable expertise.
>
> MO> Quoting Matthew K Bowman :
>
> >> Given the recent winners I think your idea is better. As long as it
> >> comes with a lifetime supply of Guinness :)
> >>
>
> Do you mean "Peace of Mind"?
>
> Piece, a part of a whole: as a : FRAGMENT b :
> any of the individual members comprising a unit.
>
> Peace, a state of tranquillity or quiet.
>
> Best regards,
> Robert B, NTIN mailto:pages@ntin.net

From nathan at TCPNETWORKS.NET Tue Jan 20 18:19:25 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
Message-ID:

Is there a simple way to ignore the spam tag in the subject header when manually learning spam? Or does it matter?

I know that SpamAssassin ignores its own markup and I'm familiar with using the bayes_ignore_header directives for the MailScanner headers, but am curious what to do about the spam subject modification. I suppose I could reconfigure MailScanner to leave the subject alone, but I prefer not to do this if possible. Any ideas or workarounds?

From mailscanner at ecs.soton.ac.uk Tue Jan 20 18:26:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040120182535.03f5c068@imap.ecs.soton.ac.uk>

If you use a script to auto-learn a mailbox at one go (I have published mine here several times), then you could easily use sed to remove the subject tag before feeding the file to sa-learn.

At 18:19 20/01/2004, you wrote:
>Is there a simple way to ignore the spam tag in the subject header when
>manually learning spam? Or does it matter?
>
>I know that SpamAssassin ignores its own markup and I'm familiar with
>using the bayes_ignore_header directives for the MailScanner headers,
>but am curious what to do about the spam subject modification. I suppose
>I could reconfigure MailScanner to leave the subject alone, but I
>prefer not to do this if possible. Any ideas or workarounds?
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From nathan at TCPNETWORKS.NET Tue Jan 20 19:56:35 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
Message-ID:

Thanks for the quick response. A quick "man sed" got me going. Sometimes I just need someone to point out the obvious (as it's not always obvious to me).

Nathan

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, January 20, 2004 10:26 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sa-learn and MailScanner Subject Modification

If you use a script to auto-learn a mailbox at one go (I have published mine here several times), then you could easily use sed to remove the subject tag before feeding the file to sa-learn.

At 18:19 20/01/2004, you wrote:
>Is there a simple way to ignore the spam tag in the subject header when
>manually learning spam? Or does it matter?
>
>I know that SpamAssassin ignores its own markup and I'm familiar with
>using the bayes_ignore_header directives for the MailScanner headers,
>but am curious what to do about the spam subject modification. I suppose
>I could reconfigure MailScanner to leave the subject alone, but I
>prefer not to do this if possible. Any ideas or workarounds?
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sysadmins at ENHTECH.COM Tue Jan 20 20:10:54 2004
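The sed step Julian Field describes in the thread above, stripping the subject tag before the mailbox goes to sa-learn, could look like this. It is an added example, not the script he mentions having published; the tag text {Spam?}, the function names and the sample mailbox are assumptions.

```shell
#!/bin/sh
# Added example: remove a MailScanner subject tag from an mbox before
# training SpamAssassin's Bayes database with sa-learn.
# Assumption: the tag is the literal text "{Spam?}". Use whatever your
# "Spam Subject Text" setting actually inserts.
DEFAULT_TAG='{Spam?}'

# Escape a literal string so sed treats it as plain text inside a basic
# regular expression that uses "/" as its delimiter.
bre_escape() {
    printf '%s\n' "$1" | sed 's|[][\\.*^$/]|\\&|g'
}

# Read an mbox on stdin, write it to stdout with the tag removed from
# Subject: header lines only. The address range runs from each "From "
# separator to the blank line that ends that message's headers, so a body
# line that happens to start with "Subject:" is left alone.
strip_subject_tag() {
    tag_re=$(bre_escape "${1:-$DEFAULT_TAG}")
    sed "/^From /,/^\$/ s/^\\(Subject:[[:space:]]*\\)${tag_re}[[:space:]]*/\\1/"
}

# Strip the tag into a temporary copy and train on that copy, so the
# original mailbox is never modified.
learn_spam_mbox() {
    mbox=$1
    tmp=$(mktemp) || return 1
    strip_subject_tag "${2:-$DEFAULT_TAG}" < "$mbox" > "$tmp" &&
        sa-learn --spam --mbox "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample mailbox (not real mail) for trying the filter offline.
sample_mbox() {
    cat <<'EOF'
From spammer@example.invalid Tue Jan 20 18:00:00 2004
From: spammer@example.invalid
Subject: {Spam?} Cheap pills
X-Test: 1

Body text.
Subject: {Spam?} this body line must stay as it is

From other@example.invalid Tue Jan 20 18:05:00 2004
Subject: {Spam?} Second message
To: user@example.invalid

Another body.
EOF
}

# Usage: script.sh /path/to/spam.mbox ['{Spam?}']
if [ "$#" -gt 0 ]; then
    learn_spam_mbox "$@"
fi
```

Running `sample_mbox | strip_subject_tag` shows the effect without touching sa-learn or any real mailbox.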
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
In-Reply-To: <6.0.1.1.2.20040120182535.03f5c068@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040120182535.03f5c068@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040120151027.02495ea0@mail.enhtech.com>

At 01:26 PM 1/20/2004, Julian Field wrote:
>If you use a script to auto-learn a mailbox at one go (I have published
>mine here several times), then you could easily use sed to remove the
>subject tag before feeding the file to sa-learn.

Julian,

Do you mind re-posting your script?

Thanks.

Errol Neal


Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From Kevin_Miller at CI.JUNEAU.AK.US Tue Jan 20 20:11:10 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:57 2006
Subject: SpamAssasin help
Message-ID: <08146035CA49D6119A36009027AC822A0264ECE5@CITY-EXCH-NTS>

>That did it! That was easy!
>
>I ran the following test and got back all these lines.. do you see any
>problems at all or is this normal? Lastly, any other rules besides
>bigevil.cf that I should run? I've heard about chickenpox? etc...

I've seen a number of posts that say to run "spamassassin -D --lint" and have a quick question: Do you stop MailScanner first, or can you just run that while all the normal stuff is going on? My inclination is to stop it, but I've never noticed anybody saying to.

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mkettler at EVI-INC.COM Tue Jan 20 20:23:34 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:57 2006
Subject: SpamAssasin help
In-Reply-To: <08146035CA49D6119A36009027AC822A0264ECE5@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264ECE5@CITY-EXCH-NTS>
Message-ID: <6.0.0.22.0.20040120151614.02605118@xanadu.evi-inc.com>

At 03:11 PM 1/20/2004, you wrote:
>I've seen a number of posts that say to run "spamassassin -D --lint" and
>have a quick question: Do you stop MailScanner first, or can you just run
>that while all the normal stuff is going on? My inclination is to stop it,
>but I've never noticed anybody saying to. Thanks...

No need to stop MailScanner while running the SA command line... I do it all the time and look at me

Ok, don't look at me.. but seriously, it really is fine to lint your config, etc through the SA command line when MS is still going..

That said, editing your files while MS is running can be a bit tricky, as MS periodically restarts and may read the config you are editing. To prevent that, I use a "test user" account and test my options in "test user"'s user_prefs.. this way I'm not editing local.cf, or other files that Mailscanner might read..

Basically I keep /home/testuser/.spamassassin/user_prefs and /etc/MailScanner/spam.assassin.prefs.conf the same. When I want to make changes, I su to test user, edit the user_prefs, lint the config, and then su back to root and copy the user_prefs file up to spam.assassin.prefs.conf.

From TGFurnish at HERFF-JONES.COM Tue Jan 20 20:25:16 2004
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int>

Check the FAQ:
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html

--
Trever

> -----Original Message-----
> From: Errol Neal [mailto:sysadmins@ENHTECH.COM]
> Sent: Tuesday, January 20, 2004 3:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sa-learn and MailScanner Subject Modification
>
>
> At 01:26 PM 1/20/2004, Julian Field wrote:
> >If you use a script to auto-learn a mailbox at one go (I have published
> >mine here several times), then you could easily use sed to remove the
> >subject tag before feeding the file to sa-learn.
>
> Julian,
>
> Do you mind re-posting your script?
>
> Thanks.
>
> Errol Neal
>
>
> Errol U. Neal Jr., Systems Administrator
> Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
> http://www.enhtech.com
> 703-924-0301 or 800-368-3249
> 703-997-0839 Fax
>

From sysadmins at ENHTECH.COM Tue Jan 20 20:39:39 2004
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:57 2006
Subject: Sa-learn and MailScanner Subject Modification
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int>
Message-ID: <6.0.0.22.0.20040120153923.02f9be68@mail.enhtech.com>

At 03:25 PM 1/20/2004, Furnish, Trever G wrote:
>Check the FAQ:
>http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html

Thanks Trever.


Errol U. Neal Jr., Systems Administrator
Enhanced Technologies, Inc. - The Business Grade Hosting Specialists
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-997-0839 Fax

From alc at TLYNX.COM Tue Jan 20 22:07:02 2004
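Matt Kettler's edit, lint, then copy routine from the "SpamAssasin help" thread above can be scripted so that a file which fails lint never reaches MailScanner and the live file is replaced in a single rename. This is an added example, not code from the list: the function name is hypothetical, it points spamassassin at the candidate with -p instead of using a separate test account, and it assumes "spamassassin --lint" exits non-zero when it finds problems.

```shell
#!/bin/sh
# Added example: lint a candidate SpamAssassin prefs file and only then
# swap it in as the file MailScanner reads.
LIVE_PREFS=/etc/MailScanner/spam.assassin.prefs.conf   # path named in the post
LINT=spamassassin   # lint command; a variable so it can be replaced in tests

# promote_prefs CANDIDATE [LIVE]
# Returns 0 after installing, 1 if lint failed (live file untouched),
# 2 on a usage or I/O error.
promote_prefs() {
    candidate=$1
    live=${2:-$LIVE_PREFS}
    [ -r "$candidate" ] || { echo "cannot read: $candidate" >&2; return 2; }

    # --lint checks the configuration, -p names the prefs file to load.
    # Assumption: the exit status is non-zero when lint reports issues.
    if ! "$LINT" --lint -p "$candidate" >/dev/null 2>&1; then
        echo "lint failed, $live left unchanged" >&2
        return 1
    fi

    # Copy next to the live file, then rename over it. A rename inside one
    # filesystem is atomic, so a MailScanner child that restarts during the
    # update reads either the old file or the new one, never a partial copy.
    tmp=$(mktemp "$live.XXXXXX") || return 2
    if cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$live"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Usage: script.sh /home/testuser/.spamassassin/user_prefs
if [ "$#" -gt 0 ]; then
    promote_prefs "$@"
fi
```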
From: alc at TLYNX.COM (Al Cooper)
Date: Thu Jan 12 21:21:57 2006
Subject: Razor Install Problem (not finding SHA1)
Message-ID:

I am attempting to install Razor 2.36 on a Redhat 9 box running MS 4.25-14. I install the Razor SDK package with no problem. When I tried to start installing Razor by running 'perl Makefile.PL' from the razor-agents-2.36 directory, I get the following error 'Warning: prerequisite Digest::SHA1 0 not found'. However I run from / 'find . -name SHA1' I find that SHA1 is located at '/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1'. I also tried to re-install Digest::SHA1 via MCPAN and I get the message "Digest::SHA1 is up to date."

Any suggestions?

Thanks for your help.

Al Cooper

From peter at UCGBOOK.COM Tue Jan 20 22:17:34 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:21:57 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.63 is released!]
Message-ID: <400DA8FE.5010307@ucgbook.com>

FYI

-------- Original Message --------
Subject: [SA-Announce] SpamAssassin 2.63 is released!
Date: Tue, 20 Jan 2004 16:37:30 -0500
From: Theo Van Dinter
To: Spamassassin List , Spamassassin Devel List
CC: spamassassin-announce@lists.sourceforge.net

SpamAssassin is a mail filter which uses advanced statistical and heuristic tests to identify spam (also known as unsolicited commercial/bulk email).

Downloading
-----------

Pick it up from:

  http://SpamAssassin.org/released/Mail-SpamAssassin-2.63.tar.gz
  http://SpamAssassin.org/released/Mail-SpamAssassin-2.63.tar.bz2
  http://SpamAssassin.org/released/Mail-SpamAssassin-2.63.zip

md5sum of archive files:

  fc5a8e69ef2355c30c7b71877ac58d57 Mail-SpamAssassin-2.63.tar.gz
  215303794096bc66712381115adabb25 Mail-SpamAssassin-2.63.tar.bz2
  4255080324987f336fa17773d3eeaa01 Mail-SpamAssassin-2.63.zip

sha1sum of archive files:

  6bab68dfd6a5238fc84360ce08249657bed4bab3 Mail-SpamAssassin-2.63.tar.gz
  558ab8e2cb95e8b4c4a3652b37e656eb3dc4d52c Mail-SpamAssassin-2.63.tar.bz2
  0288cd3669cafc3072d745c9c2efa916eb7ec3ca Mail-SpamAssassin-2.63.zip

Or on CPAN shortly, once the mirrors update.

The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net keyserver, as well as http://www.spamassassin.org/released/GPG-SIGNING-KEY

The key information is:

pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key
Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

Summary of major changes since 2.62
-----------------------------------

- Fixed bug related to perl 5.0 which stopped SpamAssassin from being runnable
- Fixed bug where "spamassassin -l" parameter wouldn't be untainted before being used
- Added caching of body rendering results so that the message wouldn't be rendered the same way multiple times unnecessarily.

--
Randomly Generated Tagline:
Why does the Lifestyles of the Rich and Famous theme song sound like the theme song from Charlie's Angels?
--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From kevins at BMRB.CO.UK Tue Jan 20 22:31:42 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:57 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.63 is released!]
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001C21BF3@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001C21BF3@pascal.priv.bmrb.co.uk>
Message-ID: <1074637902.23143.82.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-20 at 22:17, Peter Bonivart wrote:
> FYI
>-------- Original Message --------
>Subject: [SA-Announce] SpamAssassin 2.63 is released!

Doh! I finally got round to upgrading 2.60 to 2.61 the day before 2.62 was released, upgraded to 2.62 yesterday. If I upgrade now do you reckon they'll be able to get 2.64 out the door by Thursday?

From TGFurnish at HERFF-JONES.COM Tue Jan 20 22:57:35 2004
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:57 2006
Subject: Razor Install Problem (not finding SHA1)
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60804@inex1.herffjones.hj-int>

What happens if you run the following:

perl -e 'use Digest::SHA1;'

If you get an error about it not being found, then your problem is that it's not installed correctly for the version of perl that you're using. If that's the case, then you may find it helpful to double-check which version of perl is in your path:

type perl
perl -v

It might also help to print out your @INC:
perl -e 'print join("\n", @INC, "\n");'

Then again, I don't think that zero should be there either in the warning message you're getting, so you may have a very different problem.

HTH,
Trever

> -----Original Message-----
> From: Al Cooper [mailto:alc@TLYNX.COM]
> Sent: Tuesday, January 20, 2004 5:07 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Razor Install Problem (not finding SHA1)
>
>
> I am attempting to install Razor 2.36 on a Redhat 9 box running MS 4.25-14.
> I install the Razor SDK package with no problem. When I tried to start
> installing Razor by running 'perl Makefile.PL' from the razor-agents-2.36
> directory, I get the following error 'Warning: prerequisite Digest::SHA1 0
> not found'. However I run from / 'find . -name SHA1' I find that SHA1 is
> located at
> '/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1'.
> I also tried to re-install Digest::SHA1 via MCPAN and I get the message
> "Digest::SHA1 is up to date."
>
> Any suggestions?
>
> Thanks for your help.
>
> Al Cooper
>

From alc at TLYNX.COM Tue Jan 20 23:06:15 2004
From: alc at TLYNX.COM (Al Cooper)
Date: Thu Jan 12 21:21:57 2006
Subject: Razor Install Problem (not finding SHA1)
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A60804@inex1.herffjones.hj-int>
Message-ID:

Thanks for responding. Comments in line.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Furnish, Trever G
>Sent: Tuesday, January 20, 2004 3:58 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Razor Install Problem (not finding SHA1)
>
>
>perl -e 'use Digest::SHA1;'

[root@gate2 root]# perl -e 'use Digest::SHA1;'
Digest::SHA1 object version 2.01 does not match bootstrap parameter 2.07 at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/DynaLoader.pm line 249.
Compilation failed in require at -e line 1.
BEGIN failed--compilation aborted at -e line 1.
[root@gate2 root]#

>
>If you get an error about it not being found, then your problem is that it's
>not installed correctly for the version of perl that you're using. If
>that's the case, then you may find it helpful to double-check which version
>of perl is in your path:
>
>type perl
>perl -v

[root@gate2 root]# perl -v

This is perl, v5.8.0 built for i386-linux-thread-multi
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2002, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

>
>It might also help to print out your @INC:
>perl -e 'print join("\n", @INC, "\n");'
>
>Then again, I don't think that zero should be there either in the warning
>message you're getting, so you may have a very different problem.
>
>HTH,
>Trever
>
> -----Original Message-----
> From: Al Cooper [mailto:alc@TLYNX.COM]
> Sent: Tuesday, January 20, 2004 5:07 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Razor Install Problem (not finding SHA1)
>
>
> I am attempting to install Razor 2.36 on a Redhat 9 box running MS 4.25-14.
> I install the Razor SDK package with no problem. When I tried to start
> installing Razor by running 'perl Makefile.PL' from the razor-agents-2.36
> directory, I get the following error 'Warning: prerequisite Digest::SHA1 0
> not found'. However I run from / 'find . -name SHA1' I find that SHA1 is
> located at
> '/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1'.
> I also tried to re-install Digest::SHA1 via MCPAN and I get the message
> "Digest::SHA1 is up to date."
>
> Any suggestions?
>
> Thanks for your help.
>
> Al Cooper
>

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 20 23:17:14 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:21:57 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.63 is released!]
Message-ID:

> Doh! I finally got round to upgrading 2.60 to 2.61 the day
> before 2.62 was released, upgraded to 2.62 yesterday. If I
> upgrade now do you reckon they'll be able to get 2.64 out the
> door by Thursday?

Probably. Give it a try. The worst thing that could happen is that we all get 2.64 on Thursday! :-)

Regards,
JP

From greyhair at GREYHAIR.NET Tue Jan 20 23:32:19 2004
From: greyhair at GREYHAIR.NET (greyhair)
Date: Thu Jan 12 21:21:57 2006
Subject: OT: Sendmail store/forward Server
In-Reply-To:
References:
Message-ID: <400DBA83.2030402@greyhair.net>

Hi.

Sorry for this off topic question but I don't know exactly how to do it and am unable to experiment at the current time.

in sendmail how do i setup a store/forward server in addition to on going email server. Is it domain routing?

I want a way to be someone else's secondary mail server and my own primary mail server (and vice versa). I know the DNS part ... just not the sendmail part.

any help or pointers will be greatly appreciated

thanks
greyhair

From michele at BLACKNIGHTSOLUTIONS.COM Wed Jan 21 00:19:40 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:57 2006
Subject: [Fwd: [SA-Announce] SpamAssassin 2.63 is released!]
In-Reply-To:
Message-ID:

> Probably. Give it a try. The worst thing that could happen is
> that we all get 2.64 on Thursday! :-)

Oh God! I hope not! My experiments with new versions of software can have bad side-effects ....

From james at grayonline.id.au Wed Jan 21 01:35:31 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:57 2006
Subject: Kudos to Julian! We eat Bagles for breakfast!
Message-ID: <200401211235.31307.james@grayonline.id.au>

Just wanted to pass on the sheer, stunned, amazement of my manager and the other IT Operations staff at $WORK ($WORK == "Windows shop"[1]).

The latest worm (Bagel) is the first serious outbreak since I upgraded our mail gateway to run FreeBSD+Sendmail+MailScanner+SpamAssassin+McAfee. The previous setup was "home grown" by a previous admin, but spawning >50 processes to handle each and every message took its toll on reliability and performance.

Anyway, not one Bagle made it past the ".exe" and filetype filtering before I had a chance to update the virus signatures. Now the sigs are up to date, Bagle is being correctly flagged as a virus. The last major outbreak (Swen et al) got past the previous "home grown" system and chaos ensued. They were expecting similar problems this time.....the total lack of problems has left them stunned. In fact $BOSS asked me this morning "How much did we pay for that mail gateway software again?!".

Well done Julian and others who have contributed to this project. It's comforting being an admin behind a MailScanner gateway that's protecting a Windows network :)

Cheers,

James

[1] Despite being a Windows shop I am a Unix engineer (SCSA/SCSE etc) and have been asked to slip a few *nix boxen in "under the radar"....the mail gateway was one of the first.
--
Fortune cookies says:
Real computer scientists like having a computer on their desk, else how could they read their mail?

From robv at DISASTER.COM Wed Jan 21 02:02:04 2004
From: robv at DISASTER.COM (Vicchiullo, Rob)
Date: Thu Jan 12 21:21:57 2006
Subject: Your MailScanner stats
Message-ID: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>

Just wondering if people wouldn't mind sharing some stats of their box and how MailScanner runs.

Like CPU, Memory, OS, Major MailScanner config options and how many emails you can handle in an hour.

From ugob at CAMO-ROUTE.COM Wed Jan 21 02:20:17 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:57 2006
Subject: Your MailScanner stats
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132DC@mtlnt501fs.CAMOROUTE.COM>

My machine: Athlon XP 1800, 512 RAM, RAID 0 IDE promise with WD 8 megs. (currently shared with other apps, but I will end up finally putting my mailscanner on a PII 233/256RAM).

My humble stats: see http://www.routier.org/mrtg/ and http://www.routier.org/mailscanner-mrtg/

>From nov 2, 2003
15,011 messages total
Average messages/day 185
Rejected by MTA 365 (2.43%)
Spam received: 273 (1.86%)
Virus: 62 (0.42%)

> -----Original Message-----
> From: Vicchiullo, Rob [mailto:robv@DISASTER.COM]
> Sent: Tuesday, January 20, 2004 9:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Your MailScanner stats
>
>
> Just wondering if people wouldn't mind sharing some stats of their box
> and how MailScanner runs.
>
> Like CPU, Memory, OS, Major MailScanner config options and how many
> emails you can handle in an hour.
>

From mikew at CRUCIS.NET Wed Jan 21 02:30:35 2004
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:21:57 2006
Subject: MailScanner failing after upgrade to RH9
Message-ID: <200401202030.35268.mikew@crucis.net>

I had MailScanner 4.23.11 running on my RH 8.0 box. Since RH8.0 isn't supported any longer, I finally upgraded to RH9. After the upgrade, I added all the errata and security fixes. When I restarted RH9, MailScanner failed. Here is what I'm seeing.

Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: Can't locate MIME/Parser.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40.
Compilation failed in require at /usr/sbin/MailScanner line 51.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 51.

I downloaded 4.25-14 and a number of items failed including Mailtools and MIME parser, TNEF.

Any hints where I can start to fix this? I am NOT a full-time admin.

Mike W
--
Registered Linux - 256979 (http://counter.il.org for more information)
NRA Life
ARS: W0TMW

From michele at BLACKNIGHTSOLUTIONS.COM Wed Jan 21 02:44:37 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:57 2006
Subject: Your MailScanner stats
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>
Message-ID:

You can see our stats at:
http://www.blacknight.ie/antivirus.php

We run it on each of our shared hosting servers, so the hardware
configuration varies quite a lot

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Vicchiullo, Rob
> Sent: 21 January 2004 02:02
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Your MailScanner stats
>
>
> Just wondering if people wouldn't mind sharing some stats of their box
> and how MailScanner runs.
>
> Like CPU, Memory, OS, Major MailScanner config options and how many
> emails you can handle in an hour.
>

From james at grayonline.id.au Wed Jan 21 03:30:05 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:57 2006
Subject: Your MailScanner stats
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>
Message-ID: <200401211430.05999.james@grayonline.id.au>

On Wed, 21 Jan 2004 01:02 pm, Vicchiullo, Rob wrote:
> Just wondering if people wouldn't mind sharing some stats of their box
> and how MailScanner runs.
>
> Like CPU, Memory, OS, Major MailScanner config options and how many
> emails you can handle in an hour.

Here's the vitals for our corporate gateway:

HP Proliant DL360-G2
P3-1.4GHz
1Gb ECC 133MHz RAM
2x36Gb U160 10k RPM SCSI drive (Hardware RAID 0+1)
2 x 10/100/1000 NIC's, both running full duplex 100Mbps
FreeBSD 4.8_RELEASE
Sendmail 8.10.12
MailScanner 4.25-14 (5 child processes)
SpamAssassin 2.61 (+1200 custom rules)
Perl 5.8 (CPAN and all modules are the CPAN versions)
NAI/McAfee VirusScan 4.3.20

Daily mail average is close to 16,000 messages and 120MB data. That is
about 670msg/hr (11msg/min) and about 7.5kB/msg. Average server load is
0.11 (11%) with spikes to 0.62 (62%). Average swap usage is 0%. In other
words, the whole process runs entirely in RAM. In fact, I can't ever
remember seeing ANY swap in use....even when we did a "make world"
recently - swap is definitely turned on though.

We've estimated the network connection will be limiting with our setup
before the server ever runs out of resources, and we've got 200Mbps to the
internet! However if we turned off all the RBL/network tests in both
SpamAssassin and MailScanner, we estimate our theoretical hourly capacity
at about 7000 messages (168,000msg/day) or 10 times what we currently do
(a group of us just crunched the numbers). This number is purely
theoretical based on the memory bandwidth, as everything happens in RAM,
and doesn't take into account any paging etc. More realistically we could
safely cope with 5500-6000msg/hr.

James
--
Fortune cookies says:
The difference between the right word and the almost right word is the
difference between lightning and the lightning bug.
-- Mark Twain

From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Jan 21 03:23:36 2004
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:21:57 2006
Subject: Your MailScanner stats
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F44@eqmail1.efni.vpn>

> Just wondering if people wouldn't mind sharing some stats
> of their box and how MailScanner runs.
> Like CPU, Memory, OS, Major MailScanner config options and
> how many emails you can handle in an hour.

Hey All,

I don't have any pretty pictures available on the web, but here's some
quick stats:

Data since July 24th, 2003 at 13:06:43 EST (180.4 days)

Total messages: 4,130,702
Spam received: 3,259,610 (!!)
Valid messages: 1,366,250
Messages /day: 22,897
Removed files: 8,176
Removed virii: 17,343
Total data: 39.19 Gb
Average size: 30.08 Kb

I have a few domains on the server that have had a bad habit of listing
their entire company email directory on a webpage for the past seven years.
The email address format has changed recently, so I filter everything out
that doesn't match the proper format for their new addresses (ie: no period
in the email address? no dice. Thank god for firstname.lastname@domain!)
Depending on the day, the one rule rejects between 20k to 30k definite spam
messages and lets on through around 1k of possible spam. I delete with a
score of 8+ and tag/deliver everything else.

The server is a dual 933 P3 with 512M RAM running RHL9 (soon to be Tao
Linux, a free RHEL 3 clone). Average CPU load is between 20 to 40% during
peak hours.

I've been meaning to fill out some of Julian's wish list, but haven't had
the chance just yet. Soon though, Julian, soon!

http://www.amazon.co.uk/exec/obidos/registry/1W99HT2WWW5PB/ref=wl_s_3/202-3689704-7123804

Cheers.

--
Joshua Hirsh
Partner Solutions Inc.
St-Hyacinthe, QC
PGP/GnuPG ID: 0xD12A3B59

From mike at CAMAROSS.NET Wed Jan 21 04:45:57 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:57 2006
Subject: MailScanner failing after upgrade to RH9
In-Reply-To: <200401202030.35268.mikew@crucis.net>
Message-ID: <200401210444.i0L4ijiG023273@avwall.bladeware.com>

I would run the full install again. Before doing so, add the following to
/root/.bash_profile:

LANG=en_US
export USERNAME BASH_ENV PATH LANG (LANG appended to the end)

Logout and back in so you get the new profile. Looks like all of your perl
modules didn't make the migration.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Watson
> Sent: Tuesday, January 20, 2004 8:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner failing after upgrade to RH9
>
> I had MailScanner 4.23.11 running on my RH 8.0 box. Since
> RH8.0 isn't supported any longer, I finally upgraded to RH9.
> After the upgrade, I added all the errata and security fixes.
> When I restarted RH9, MailScanner failed.
>
> Here is what I'm seeing.
>
> Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Can't locate MIME/Parser.pm in @INC (@INC
> contains: /usr/lib/MailScanner
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/5.8.0
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
> /usr/lib/MailScanner) at
> /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40.
> BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40.
> Compilation failed in require at /usr/sbin/MailScanner line 51.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 51.
>
> I downloaded 4.25-14 and a number of items failed including
> Mailtools and MIME parser, TNEF.
>
> Any hints where I can start to fix this?
> I am NOT a full-time admin.
>
> Mike W
> --
> Registered Linux - 256979 (http://counter.il.org for more
> information)
> NRA Life
> ARS: W0TMW
>

From mike at CAMAROSS.NET Wed Jan 21 04:52:37 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:21:57 2006
Subject: Sendmail store/forward Server
In-Reply-To: <400DBA83.2030402@greyhair.net>
Message-ID: <200401210451.i0L4pPiG023563@avwall.bladeware.com>

To be a secondary MX, simply add the domain.com to /etc/mail/relay-domains
and restart MailScanner

To be a forwarder, your MTA becomes the PRIMARY MX. Add the same entry to
/etc/mail/relay-domains. Also add an entry to /etc/mail/mailertable like
so:

domain.com esmtp:final.destination.hostname

hash the mailertable to db and restart MailScanner

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of greyhair
> Sent: Tuesday, January 20, 2004 5:32 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: OT: Sendmail store/forward Server
>
> Hi. Sorry for this off topic question but I don't know
> exactly how to do it and am unable to experiment at the current time.
> in sendmail how do i setup a store/forward server in addition
> to on going email server. Is it domain routing? I want a
> way to be someone else's secondary mail server and my own
> primary mail server (and vice versa).
>
> I know the DNS part ... just not the sendmail part. any help
> or pointers will be greatly appreciated
>
> thanks
> greyhair
>

From greyhair at GREYHAIR.NET Wed Jan 21 05:03:31 2004
From: greyhair at GREYHAIR.NET (greyhair)
Date: Thu Jan 12 21:21:57 2006
Subject: Sendmail store/forward Server
In-Reply-To: <200401210451.i0L4pPiG023563@avwall.bladeware.com>
References: <200401210451.i0L4pPiG023563@avwall.bladeware.com>
Message-ID: <400E0823.40906@greyhair.net>

Thank you Mike!! Again, this list comes thru in a pinch!

greyhair

Mike Kercher wrote:
> To be a secondary MX, simply add the domain.com to /etc/mail/relay-domains
> and restart MailScanner
>
> To be a forwarder, your MTA becomes the PRIMARY MX. Add the same entry to
> /etc/mail/relay-domains. Also add an entry to /etc/mail/mailertable like
> so:
>
> domain.com esmtp:final.destination.hostname
>
> hash the mailertable to db and restart MailScanner
>
> Mike
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of greyhair
>>Sent: Tuesday, January 20, 2004 5:32 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: OT: Sendmail store/forward Server
>>
>>Hi. Sorry for this off topic question but I don't know
>>exactly how to do it and am unable to experiment at the current time.
>>in sendmail how do i setup a store/forward server in addition
>>to on going email server. Is it domain routing? I want a
>>way to be someone else's secondary mail server and my own
>>primary mail server (and vice versa).
>>
>>I know the DNS part ... just not the sendmail part. any help
>>or pointers will be greatly appreciated
>>
>>thanks
>>greyhair
>>
>
>
>

From sanjay.patel at REXWIRE.COM Wed Jan 21 05:59:35 2004
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:21:57 2006
Subject: Alias table for domains hosted on different server
Message-ID: <200401210611.i0L6BNnn027341@mx.sargam.com>

We clean mail for multiple domains then forward them on to servers hosting
the mail for the domains.

We would like to have all incoming mail for certain domains be checked
against an alias list to see if the receiving address is a valid address or
not.

This will stop spammers from sending mail to addresses like sdsdsd@domain.com

SKP

From opencomputing at YAHOO.COM Wed Jan 21 06:59:17 2004
From: opencomputing at YAHOO.COM (Opencomputing Team)
Date: Thu Jan 12 21:21:57 2006
Subject: MailScanner with qmail support - OpenProtect
Message-ID:

Hi,
We've integrated qmail support to the virus/spam
filter MailScanner. We've hosted the project at
opencomputing.sf.net. You can download the software
at http://opencompt.com or
http://opencomputing.sf.net. We bundle spamassassin,
clamav also with the package and it can be installed
easily by running the openprotect-install script. All
in All, it serves as an easy to install
AntiVirus+AntiSpam Filter.
Just try out the package and send in your
feedback/comments back to our mailing list
(http://lists.sourceforge.net/lists/listinfo/opencomputing-openprotect)
or to email@opencompt.com.

cheers,
Opencomputing Team.

From mailscanner at ecs.soton.ac.uk Wed Jan 21 08:48:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: MailScanner with qmail support - OpenProtect
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040121084702.03741138@imap.ecs.soton.ac.uk>

Please could we get your qmail support integrated into the main codebase,
so there are no "forks" in the development tree.

If you can send me the source and the installation docs, I should be able
to do the rest for you.

At 06:59 21/01/2004, you wrote:
>Hi,
> We've integrated qmail support to the virus/spam
>filter MailScanner. We've hosted the project at
>opencomputing.sf.net. You can download the software
>at http://opencompt.com or
>http://opencomputing.sf.net. We bundle spamassassin,
>clamav also with the package and it can be installed
>easily by running the openprotect-install script. All
>in All, it serves as an easy to install
>AntiVirus+AntiSpam Filter.
> Just try out the package and send in your
>feedback/comments back to our mailing list
>(http://lists.sourceforge.net/lists/listinfo/opencomputing-openprotect)
>or to email@opencompt.com.
>
>cheers,
>Opencomputing Team.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 21 08:46:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:57 2006
Subject: Alias table for domains hosted on different server
In-Reply-To: <200401210611.i0L6BNnn027341@mx.sargam.com>
References: <200401210611.i0L6BNnn027341@mx.sargam.com>
Message-ID: <6.0.1.1.2.20040121084612.03741ab8@imap.ecs.soton.ac.uk>

At 05:59 21/01/2004, you wrote:
>We clean mail for multiple domains then forward them on to servers hosting
>the mail for the domains.
>
>We would like to have all incoming mail for certain domains be checked
>against an alias list to see if the receiving address is a valid address or
>not.
>
>This will stop spammers from sending mail to addresses like sdsdsd@domain.com
>
>SKP

Please read the anti-spam control docs and the stuff about the access
database at
http://www.sendmail.org/m4/anti_spam.html

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From james at grayonline.id.au Wed Jan 21 08:44:16 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:21:58 2006
Subject: Strange SpamAssassin upgrade failure
Message-ID: <200401211944.16521.james@grayonline.id.au>

Hi All,

I had a strange one today. I upgraded from SA 2.61 to 2.63 using the
source tar ball from au.spamassassin.org. I did the usual "configure,
make, make test, make install" then restarted MailScanner.

Here lies the problem. MailScanner restarted happily, SpamAssassin was
scanning happily but SA was ONLY using my custom rules in
/etc/mail/spamassassin! All the standard rules in /usr/local/spamassassin
were being ignored. I checked the permissions of the files in
/usr/share/spamassassin and they were all "644 root:root", the
/usr/share/spamassassin directory was 755.

Running "spamassassin --debug --lint -C /usr/local/etc/MailScanner/spam.assassin.prefs.conf"
mentioned NOTHING about the "default rules dir". However running without
the "-C" option showed both the default and site rules dirs.

The weirdest thing was when I reverted back to SA 2.61 (without changing
ANY config files) SpamAssassin started using all its rules again. Now
when I lint the rules with MailScanner's spam.assassin.prefs.conf file,
both the default and site rules dirs are listed.

The system is running FreeBSD and the ports version of MailScanner. But
I'm using the tar-ball (non-ports) version of SpamAssassin. Perl is 5.8
from CPAN.

Any ideas folks?

James
--
Fortune cookies says:
The less time planning, the more time programming.

From neilrobst at ALM.ORG.UK Wed Jan 21 09:26:37 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:58 2006
Subject: Still getting duplicate mails!
In-Reply-To: <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
References: <400C551C.6090001@themarshalls.co.uk>
 <1074588933.9635.16.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65001.194.70.180.170.1074589608.squirrel@net.themarshalls.co.uk>
 <1074590191.9635.20.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65087.194.70.180.170.1074594020.squirrel@net.themarshalls.co.uk>
 <1074595959.10396.2.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <65201.194.70.180.170.1074599504.squirrel@net.themarshalls.co.uk>
Message-ID: <1074677196.9609.6.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

I've tried the approach below and my users are still reporting getting
multiple mail messages though apparently only where there are multiple
recipients on the mail message (including them!).

The method described below does appear to be working according to my
maillogs... I can see the postfix/cleanup daemon hold the messages and
then MailScanner does its bit and drops the messages in postfix's
incoming queue.

I've never seen any entries in the log file that suggest that mail is
being duplicated here... it's very strange. Can anyone suggest
anything else I can do?

Thanks for all your help so far,
Neil

On Tue, 2004-01-20 at 11:51, Drew Marshall wrote:
> As I understand Postfix doesn't use much in the way of file locking. It
> doesn't need to. In standard form a message is dropped into the onward
> directory and the next process is called using a 1b message and so mail
> makes its way through the MTA. MailScanner upsets it by trying to grab
> the file from the deferred directory for processing.
> Now the deferred
> directory is used by Postfix as the place where mail is put when delivery
> fails, pending re-try (Keeps the active queues down) and every so often
> (As set in master.cf) the queue runner process goes to the deferred queue
> and inspects the messages for any that are due for retry. If the time
> stamp has expired it picks up the message and tries to deliver it. Through
> all of this there is not a need for much in the way of locking as what is
> going to touch that file? Postfix (As far as Postfix is concerned!) and
> Postfix knows what it's doing (We hope :-) ) If MailScanner and Postfix
> queue runner should happen to try to take the same message, you get the
> 'still being delivered' message in the logs and up pops a duplicated mail!
>
> Easy way round it, use the hold queue. This is designed to only have
> messages dropped in it for later inspection by the postmaster and so the
> queue runner doesn't ever re-inspect this directory. Ideal for
> MailScanner, message gets dropped (MS knows how to tell when it's
> complete), picks up the new message, does its bit and puts it back in the
> incoming queue for Postfix to deal with in its usual efficient manner.
>
> I haven't had a single duplicate since putting this in place.
>
> Drew
>
> Neil Robst said:
> > And you think this resolves the duplicate mail problem?
> >
> > I'm unsure how it differs (apart from only having one postfix daemon
> > running) from using /var/spool/postfix.in/deferred and
> > /var/spool/postfix/incoming...?
> >
> > However, as I've just had a report from my users saying that upgrading
> > to the 4.26-4 beta hasn't worked, I'm willing to try anything :-)
> >
> >
> > On Tue, 2004-01-20 at 10:20, Drew Marshall wrote:
> >> Neil
> >>
> >> What I have done is below, as suggested by Peter Bates and forwarded to
> >> me
> >> from this list.
> >>
> >> > I'm using MS with Postfix in a slightly 'non-standard' way, but which
> >> is
> >> working fine for 13-15K messages we deal with (actually it might be
> >> more, I never bothered counting our outgoing email!)...
> >> > I'm using a 'header_check' like so:
> >> > In main.cf -
> >> > header_checks = pcre:/etc/postfix/header_checks
> >> > In header_checks -
> >> > /^Received:.*by .*\.your.domain.tld \(Postfix\)/ HOLD
> >> > This puts the incoming mail in the 'hold' queue, and then
> >> > I have in MailScanner.conf -
> >> > Incoming Queue Dir = /var/spool/postfix/hold
> >> > Outgoing Queue Dir = /var/spool/postfix/incoming
> >>
> >> With this, you will need to stop postfix.in and uncomment the smtp line
> >> in
> >> master.cf (Basically revert your set up to a non-MailScanner set up (It
> >> may be easier if Postfix.in runs chrooted and postfix doesn't to just
> >> alter postfix.in to become just postfix, what ever your mileage!)). Stop
> >> all instances and restart just postfix and you now have one postfix
> >> instance with MailScanner.
> >>
> >> Works great!
> >>
> >> Drew
> >> --
> >>
> >>
> >> Neil Robst said:
> >> > Drew,
> >> >
> >> > Can you explain a bit more about how you've configured postfix,
> >> please?
> >> I'm using the suggested setup of two postfix instances - the first runs
> >> everything in a chroot jail and smtp, local and virtual and deferred.
> >> Mailscanner then picks everything out the deferred queue, does its
> >> stuff and drops it back into the incoming queue of the second postfix
> >> instance. Seems to be working well, but you said you'd changed postfix
> >> to bypass the duplicate problems...
> >> >
> >> > Regards,
> >> > Neil
> >> >
> >> > On Tue, 2004-01-20 at 09:06, Drew Marshall wrote:
> >> >> I've been running it now since the weekend without problem.
> >> >> I would
> >> suggest that although marked as a beta and potentially unstable, it's
> >> about
> >> >> as unstable as the production releases :-) The new patches seem to be
> >> working well.
> >> >> I have to admit, I changed my Postfix set up to by pass the duplicate
> >> problems and haven't changed it back. I now use a rule in Postfix to
> >> hold
> >> >> all incoming mail, let MS collect from the hold queue (The queue
> >> runner
> >> doesn't ever run in there) and drop back into the incoming queue for
> >> delivery. It just means that I only have to ever run just one Postfix
> >> instance. I only ever use SMTP connection so don't have to worry about
> >> direct queue injection by passing MailScanner.
> >> >> Drew
> >> >> Neil Robst said:
> >> >> > Yes... fingers crossed!
> >> >> >
> >> >> > Any other issues known with the 4.26-4 beta currently? What's the
> >> general feeling in the community of its stability, etc?
> >> >> >
> >> >> > On Mon, 2004-01-19 at 22:07, Drew Marshall wrote:
> >> >> >> Just for my 2p, my server doesn't have a high load but I suffered
> >> duplicate mail. My old set up on Slackware didn't suffer, the new on
> >> Gentoo did :-( . I'm not quite sure why but it seemed that the
> >> >> Postfix
> >> >> >> queue runner and MailScanner got in each others way with the
> >> result
> >> >> that
> >> >> >> MS picked up incomplete messages.
> >> >> >>
> >> >> >> Any way that's all in the past now >> >> crossed>
> >> >> >>
> >> >> >> Drew
> >> >> >>
> >> >> >> Neil Robst wrote:
> >> >> >>
> >> >> >> >Hi all,
> >> >> >> >
> >> >> >> >Just applied the 4.26-4 beta of MailScanner to my mail server,
> >> >> though
> >> >> >> I've
> >> >> >> >been unable to replicate the problem with the duplicate mails
> >> either
> >> >> >> before
> >> >> >> >or after (as expected) the upgrade.
> >> >> >> >Do you know any details about
> >> that -whether it only manifested itself when there were lots of
> >> >> >> recipients
> >> >> >> >on the message or a high load on the server or what?
> >> >> >> >
> >> >> >> >Regards,
> >> >> >> >Neil
> >> >> >> >
> >> >> >> >
> >> >> >> >--
> >> >> >> >This message has been scanned for viruses and
> >> >> >> >dangerous content by MailScanner, and is
> >> >> >> >believed to be clean.
> >> >> >> >
> >> >> >> >
> >> >> >>
> >> >> >> --
> >> >> >> In line with our policy, this message has
> >> >> >> been scanned for viruses and dangerous
> >> >> >> content by MailScanner, and is believed to be clean.
> >> >> >> www.themarshalls.co.uk/policy
> >> >> >
> >> >> --
> >> >> In line with our policy, this message has
> >> >> been scanned for viruses and dangerous
> >> >> content by MailScanner, and is believed to be clean.
> >> >> www.themarshalls.co.uk/policy
> >> >
> >>
> >>
> >>
> >>
> >> --
> >> In line with our policy, this message has
> >> been scanned for viruses and dangerous
> >> content by MailScanner, and is believed to be clean.
> >> www.themarshalls.co.uk/policy
> >
> >
> --
> In line with our policy, this message has
> been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

From Kevin.Spicer at BMRB.CO.UK Wed Jan 21 09:32:33 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:21:58 2006
Subject: Still getting duplicate mails!
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk>

Neil Robst wrote:
> I've never seen any entries in the log file that suggest that mail is
> being duplicated here... it's very strange. Can anyone suggest
> anything else I can do?

Have you checked the headers of the mails to see whether there are any
clues there (such as do they have the same messageid)? Do the received
headers give any hint as to which point the mail is being split?

From neilrobst at ALM.ORG.UK Wed Jan 21 09:35:56 2004
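
The header comparison Kevin Spicer suggests above, as an added example (not code from the thread or from MailScanner): it groups saved messages by Message-ID and walks their Received chains oldest-first to find the last hop the copies share. The host names, queue IDs and sample messages are constructed for illustration.

```python
"""Find where duplicate copies of one message were created, using their headers."""
from collections import defaultdict
from email import message_from_string


def received_chain(msg):
    """Return the Received headers oldest-first with folding whitespace collapsed."""
    # Every MTA prepends its own header, so the stored order is newest-first.
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def group_duplicates(raw_messages):
    """Map Message-ID -> parsed messages, keeping only IDs that occur more than once."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        message_id = (msg.get("Message-ID") or "").strip()
        if message_id:
            groups[message_id].append(msg)
    return {mid: msgs for mid, msgs in groups.items() if len(msgs) > 1}


def split_point(copies):
    """Return (shared_hops, verdict) for messages that share one Message-ID."""
    chains = [received_chain(m) for m in copies]
    longest = max(len(chain) for chain in chains)
    shared = 0
    for hops in zip(*chains):
        if len(set(hops)) != 1:
            break
        shared += 1
    if longest == 0:
        return 0, "no Received headers to compare"
    if shared == longest:
        # Every MTA saw one message: the copy was made in the mail store or client.
        return shared, "identical chains: copied after the last MTA hop (mail store or client)"
    if shared == 0:
        return 0, "no shared hop: the message was submitted more than once at the origin"
    # The host that wrote the last shared header received one copy and passed on several.
    return shared, "last shared hop %d: %s" % (shared, chains[0][shared - 1])


def analyse(raw_messages):
    """Return {Message-ID: (shared_hops, verdict)} for every duplicated Message-ID."""
    return {mid: split_point(msgs) for mid, msgs in group_duplicates(raw_messages).items()}


# --- Constructed sample data: hosts, queue IDs and addresses are invented ---
ORIGIN = ("from client.example.net by smtp.example.net (Postfix) "
          "with ESMTP id A1B2C3; Wed, 21 Jan 2004 09:00:01 +0000")
GATEWAY = ("from smtp.example.net by gw.example.org (Postfix) "
           "with ESMTP id 1F00D1; Wed, 21 Jan 2004 09:00:05 +0000")
STORE_A = ("from gw.example.org by store.example.org (Postfix) "
           "with ESMTP id 7AA001; Wed, 21 Jan 2004 09:00:09 +0000")
STORE_B = ("from gw.example.org by store.example.org (Postfix) "
           "with ESMTP id 7AA002; Wed, 21 Jan 2004 09:00:41 +0000")


def make_msg(message_id, hops_newest_first, fold=False):
    """Build a raw message; fold=True wraps each Received header as some MTAs do."""
    lines = []
    for hop in hops_newest_first:
        lines.append("Received: " + (hop.replace(" by ", "\n\tby ") if fold else hop))
    lines += ["Message-ID: " + message_id, "To: user@example.org",
              "Subject: test", "", "body"]
    return "\n".join(lines)


SAMPLES = [
    # Same chain twice (one copy folded differently): duplicated after delivery.
    make_msg("<dup-client@example.net>", [STORE_A, GATEWAY, ORIGIN]),
    make_msg("<dup-client@example.net>", [STORE_A, GATEWAY, ORIGIN], fold=True),
    # Chains differ at the hop after the gateway: the gateway sent it on twice.
    make_msg("<dup-gateway@example.net>", [STORE_A, GATEWAY, ORIGIN]),
    make_msg("<dup-gateway@example.net>", [STORE_B, GATEWAY, ORIGIN]),
    # Not duplicated, so it is left out of the report.
    make_msg("<unique@example.net>", [STORE_A, GATEWAY, ORIGIN]),
]

if __name__ == "__main__":
    for mid, (shared, verdict) in sorted(analyse(SAMPLES).items()):
        print(mid, "->", verdict)
```

Identical chains point away from the gateway and towards the mail store or client; a divergence names the host whose Received header is the last one the copies have in common.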
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:58 2006
Subject: Still getting duplicate mails!
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk>
Message-ID: <1074677756.9609.8.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

No... it's made a little difficult in that I'm based at a different site
to my users. I'll try to get them to forward me some of their duplicated
messages though in order to check this out.

Regards,
Neil

On Wed, 2004-01-21 at 09:32, Spicer, Kevin wrote:
> Neil Robst wrote:
> > I've never seen any entries in the log file that suggest that mail is
> > being duplicated here... it's very strange. Can anyone suggest
> > anything else I can do?
>
> Have you checked the headers of the mails to see whether there are any
> clues there (such as do they have the same messageid)? Do the received
> headers give any hint as to which point the mail is being split?

From drew at THEMARSHALLS.CO.UK Wed Jan 21 09:55:18 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:21:58 2006
Subject: Still getting duplicate mails!
In-Reply-To: <1074677756.9609.8.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk>
 <1074677756.9609.8.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID: <33890.194.70.180.170.1074678918.squirrel@net.themarshalls.co.uk>

Can you also post the section of the log that relates to this?

Drew

Neil Robst said:
> No... it's made a little difficult in that I'm based at a different site
> to my users. I'll try to get them to forward me some of their duplicated
> messages though in order to check this out.
>
> Regards,
> Neil
>
> On Wed, 2004-01-21 at 09:32, Spicer, Kevin wrote:
>> Neil Robst wrote:
>> > I've never seen any entries in the log file that suggest that mail is
>> > being duplicated here... it's very strange. Can anyone suggest
>> > anything else I can do?
>>
>> Have you checked the headers of the mails to see whether there are any
>> clues there (such as do they have the same messageid)? Do the received
>> headers give any hint as to which point the mail is being split?
>

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From howard at harper-adams.ac.uk Wed Jan 21 10:12:33 2004
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:21:58 2006
Subject: Updating bigevil.cf
In-Reply-To:
References: <400B0097.3070800@eatathome.com.au>
Message-ID: <200401211010.i0LAA0gs023253@blackhole.harper-adams.ac.uk>

On 18 Jan 04, at 23:04, Raymond Dijkxhoorn wrote:

Thanks Raymond
I followed the instructions and installed it on Monday. An email
from root told me that early this morning it uploaded the new
bigevil.cf. I checked (oh ye of little faith) and it had.
Thanks once again.

> You can do this with the script i made, follow the leads on
> http://mailscanner.prolocation.net
>
> This you can use to update the BigEvil rules...
>
> Bye,
> Raymond.

Regards
Howard Robinson
(Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From neilrobst at ALM.ORG.UK Wed Jan 21 10:16:50 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:21:58 2006
Subject: Still getting duplicate mails!
In-Reply-To: <33890.194.70.180.170.1074678918.squirrel@net.themarshalls.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk>
 <1074677756.9609.8.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
 <33890.194.70.180.170.1074678918.squirrel@net.themarshalls.co.uk>
Message-ID: <1074680209.9609.32.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

Hi Drew,

Thanks for your reply again!

I was going through the log trying to cut out any info that I didn't
think was relevant when I got a couple of mails forwarded onto me by one
of my users. The full headers were in these emails at last and I was
able to see something very interesting.

I'd just sent a mail to all my users saying apologies for this duplicate
mail issue and can you forward on some of the duplicate mails including
the headers so I can check them. However, because I use several email
accounts - personal, work and so on - this mail didn't go through
MailScanner.

I'm partway through migrating my users from an old Windows-based mail
solution that has caused them lots of headaches with viruses and has no
spam protection. Some of my users therefore are behind the mailscanner
gateway whilst others are not.

Thus, even though my mail to some of my users didn't go through
mailscanner, but instead went through the Window system, they still
received duplicate mails! Therefore, in my opinion this is a mail client
issue as opposed to mailscanner/postfix! (Did all that make sense!)

So, my slightly-dented faith in MailScanner is now restored!!! and I'm
going to try some things on the client to resolve this... Will let you
know.

Regards,
Neil

On Wed, 2004-01-21 at 09:55, Drew Marshall wrote:
> Can you also post the section of the log that relates to this?
>
> Drew
>
> Neil Robst said:
> > No... it's made a little difficult in that I'm based at a different site
> > to my users.
> > I'll try to get them to forward me some of their duplicated
> > messages though in order to check this out.
> >
> > Regards,
> > Neil
> >
> > On Wed, 2004-01-21 at 09:32, Spicer, Kevin wrote:
> >> Neil Robst wrote:
> >> > I've never seen any entries in the log file that suggest that mail is
> >> > being duplicated here... it's very strange. Can anyone suggest
> >> > anything else I can do?
> >>
> >> Have you checked the headers of the mails to see whether there are any
> >> clues there (such as do they have the same messageid)? Do the received
> >> headers give any hint as to which point the mail is being split?
> >
> >
> --
> In line with our policy, this message has
> been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

From raymond at PROLOCATION.NET Wed Jan 21 10:28:25 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:58 2006
Subject: Updating bigevil.cf
In-Reply-To: <200401211010.i0LAA0gs023253@blackhole.harper-adams.ac.uk>
Message-ID:

Hi!

> I followed the instructions and installed it on Monday. An email
> from root told me that early this morning it uploaded the new
> bigevil.cf. I checked (oh ye of little faith) and it had.
> Thanks once again.

> > You can do this with the script i made, follow the leads on
> > http://mailscanner.prolocation.net
> >
> > This you can use to update the BigEvil rules...

My pleasure.

Bye,
Raymond

From prandal at HEREFORDSHIRE.GOV.UK Wed Jan 21 10:32:13 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:21:58 2006
Subject: .exe
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C45C@jessica.herefordshire.gov.uk>

Do you not have to make sure your filetype.rules.conf is changed to
reflect your changed policies as well?

Or does the filename check override the file type check?

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jon Fraley
> Sent: 20 January 2004 14:17
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: .exe
>
>
> It looks like I am going may be forced to allow .exe files in
> email. I
> just want to make sure that if I change deny to allow for .exe in the
> filename.rules.conf that the file will still be scanned for
> viruses and
> quarantined if there is a virus.
>
> Thanks,
>
> Jon
>

From w.kossen at IMN.NL Wed Jan 21 10:40:01 2004
From: w.kossen at IMN.NL (Willem Kossen)
Date: Thu Jan 12 21:21:58 2006
Subject: MailScanner failing after upgrade to RH9
References: <200401202030.35268.mikew@crucis.net>
Message-ID: <004301c3e00a$f226cdf0$7801a8c0@imnla499>

----- Original Message -----
From: "Mike Watson" To: Sent: Wednesday, January 21, 2004 3:30 AM Subject: MailScanner failing after upgrade to RH9 > I had MailScanner 4.23.11 running on my RH 8.0 box. Since RH8.0 isn't > supported any longer, I finally upgraded to RH9. After the upgrade, I added > all the eratta and security fixes. When I restarted RH9, MailScanner failed. > > Here is what I'm seeing. > > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate MIME/Parser.pm in @INC (@INC I think your perl got upgraded from 5.6.1 to 5.8.0 and this means that your installed perlmodules are in an old 5.6.1 tree. Since @INC is now showing a 5.8.0 tree, they can't be found. I suggest you reinstall all needed perlmodules for MailScanner Good Luck Willem Kossen > contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line > 40. > BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40. > Compilation failed in require at /usr/sbin/MailScanner line 51. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 51. > > I downloaded 4.25-14 and a number of items failed including Mailtools and MIME > parser, TNEF. > > Any hints where I can start to fix this? > I am NOT a full-time admin. > > Mike W > -- > Registered Linux - 256979 (http://counter.il.org for more information) > NRA Life > ARS: W0TMW From w.kossen at IMN.NL Wed Jan 21 10:50:30 2004 
From: w.kossen at IMN.NL (Willem Kossen) Date: Thu Jan 12 21:21:58 2006 Subject: Your MailScanner stats References: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com> Message-ID: <007701c3e00c$662fe4b0$7801a8c0@imnla499> -- ----- Original Message ------ -- Subject: Your MailScanner stats -- -- Just wondering if people wouldn't mind sharing some stats of there box -- and how MailScanner runs. -- -- Like CPU, Memory, OS, Major MailScanner config options and how many -- emails you can handle in an hour. My personal mailserver is hosted on a - pentium 133 Mhz - 80 Mb ram - Linux 2.4.23 redhattish - config of Mailscanner mostly standard - ClamAV and Spamassassin - this machine is also a firewall, webserver, faxserver, printserver, fileserver, IDS, Databaseserver etc - i don't handle large amounts of mail, allthough lots of logging is sent through email and also that is scanned - I've had three viruses (in three weeks time) of which I've personally sent 2 for testing - I've had no spam yet since the email addresses hosted so far have been free of that (this will change :( ) - it's not a fast machine and it will not handle lots of mail (because the kernel starts killing processes if it does :( ) - if $$$ then upgrade else :( any questions? Willem Kossen From mailscanner at ecs.soton.ac.uk Wed Jan 21 11:19:36 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: .exe In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C45C@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C45C@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040121111919.03d2ba58@imap.ecs.soton.ac.uk> They are 2 separate checks. An attachment has to pass both tests to be allowed through. At 10:32 21/01/2004, you wrote: >Do you not have to make sure your filetype.rules.conf is changed to reflect >your changed policies as well? Or does the filename check override the file >type check? > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Jon Fraley > > Sent: 20 January 2004 14:17 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: .exe > > > > > > It looks like I am going may be forced to allow .exe files in > > email. I > > just want to make sure that if I change deny to allow for .exe in the > > filename.rules.conf that the file will still be scanned for > > viruses and > > quarantined if there is a virus. > > > > Thanks, > > > > Jon > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 21 11:20:51 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: MailScanner failing after upgrade to RH9 In-Reply-To: <004301c3e00a$f226cdf0$7801a8c0@imnla499> References: <200401202030.35268.mikew@crucis.net> <004301c3e00a$f226cdf0$7801a8c0@imnla499> Message-ID: <6.0.1.1.2.20040121111945.03d6d230@imap.ecs.soton.ac.uk> At 10:40 21/01/2004, you wrote: >----- Original Message ----- 
>From: "Mike Watson" >To: >Sent: Wednesday, January 21, 2004 3:30 AM >Subject: MailScanner failing after upgrade to RH9 > > > > I had MailScanner 4.23.11 running on my RH 8.0 box. Since RH8.0 isn't > > supported any longer, I finally upgraded to RH9. After the upgrade, I >added > > all the eratta and security fixes. When I restarted RH9, MailScanner >failed. > > > > Here is what I'm seeing. > > > > Starting MailScanner daemons: > > incoming sendmail: [ OK ] > > outgoing sendmail: [ OK ] > > MailScanner: Can't locate MIME/Parser.pm in @INC (@INC > > >I think your perl got upgraded from 5.6.1 to 5.8.0 and this means that your >installed perlmodules are in an old 5.6.1 tree. Since @INC is now showing a >5.8.0 tree, they can't be found. I suggest you reinstall all needed >perlmodules for MailScanner This is a known problem in RedHat 9. They happily allow you to upgrade, but the module search path in their build of Perl for RedHat 9 doesn't include any of the directories used in previous versions. So the upgrade to RH9 completely breaks all your Perl programs :-( >Good Luck > >Willem Kossen > > > > > contains: /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi > > /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > > /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > > /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > > /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/MCPMessage.pm >line > > 40. > > BEGIN failed--compilation aborted at > > /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 40. > > Compilation failed in require at /usr/sbin/MailScanner line 51. > > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 51. > > > > I downloaded 4.25-14 and a number of items failed including Mailtools and >MIME > > parser, TNEF. 
> > > > Any hints where I can start to fix this? > > I am NOT a full-time admin. > > > > Mike W > > -- > > Registered Linux - 256979 (http://counter.il.org for more information) > > NRA Life > > ARS: W0TMW -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From neilrobst at ALM.ORG.UK Wed Jan 21 11:25:10 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:58 2006 Subject: Still getting duplicate mails! In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk> Message-ID: <1074684309.9609.59.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Kevin - you have given me the pointers I needed. I got some of my users to forward the duplicated mails to me and it seems like they all have the same X-UIDL header. Also, the other interesting thing is that, as per my other post to this list on this topic in reply to Drew, some mails are not going through MailScanner and yet still appear to be being duplicated. Thus this indicates probably a client software (OE!) issue, rather than MailScanner. When we migrate a client to the new mail system we are also moving them to IMAP (from POP3) and Outlook 2000. So, it looks as though I was unfairly blaming MailScanner/Postfix for this for which I humbly apologise to you, Julian :-) Regards, Neil On Wed, 2004-01-21 at 09:32, Spicer, Kevin wrote: > Neil Robst wrote: > > I've never seen any entries in the log file that suggest that mail is > > being duplicated here... it's very strange. Can anyone suggest > > anything else I can do? > > Have you checked the headers of the mails to see whether there are any clues there (such as do they have the same messageid). Do the received headers give any hint as to which point the mail is being split? From drew at THEMARSHALLS.CO.UK Wed Jan 21 11:36:17 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:58 2006 Subject: Still getting duplicate mails! In-Reply-To: <1074684309.9609.59.camel@dyn-9-173-7-53.leeds.uk.ibm.com> References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk> <1074684309.9609.59.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <34031.194.70.180.170.1074684977.squirrel@net.themarshalls.co.uk> Neil Robst said: > Kevin - you have given me the pointers I needed. I got some of my > users to forward the duplicated mails to me and it seems like they all > have the same X-UIDL header. > > Also, the other interesting thing is that, as per my other post to this > list on this topic in reply to Drew, some mails are not going through > MailScanner and yet still appear to be being duplicated. Thus this > indicates probably a client software (OE!) issue, rather than > MailScanner. When we migrate a client to the new mail system we are also > moving them to IMAP (from POP3) and Outlook 2000. Outlook doesn't support IMAP very well (IMHO) you would be better off looking at something like Thunderbird www.mozilla.org which supports IMAP much better. > > So, it looks as though I was unfairly blaming MailScanner/Postfix for > this for which I humbly apologise to you, Julian :-) > > Regards, > Neil > > On Wed, 2004-01-21 at 09:32, Spicer, Kevin wrote: >> Neil Robst wrote: >> > I've never seen any entries in the log file that suggest that mail is >> > being duplicated here... it's very strange. Can anyone suggest >> > anything else I can do? >> >> Have you checked the headers of the mails to see whether there are any >> clues there (such as do they have the same messageid). Do the received >> headers give any hint as to which point the mail is being split? > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy From neilrobst at ALM.ORG.UK Wed Jan 21 11:41:04 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:58 2006 Subject: Still getting duplicate mails! In-Reply-To: <34031.194.70.180.170.1074684977.squirrel@net.themarshalls.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk> <1074684309.9609.59.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <34031.194.70.180.170.1074684977.squirrel@net.themarshalls.co.uk> Message-ID: <1074685264.9609.63.camel@dyn-9-173-7-53.leeds.uk.ibm.com> On Wed, 2004-01-21 at 11:36, Drew Marshall wrote: > Neil Robst said: > > Kevin - you have given me the pointers I needed. I got some of my > > users to forward the duplicated mails to me and it seems like they all > > have the same X-UIDL header. > > > > Also, the other interesting thing is that, as per my other post to this > > list on this topic in reply to Drew, some mails are not going through > > MailScanner and yet still appear to be being duplicated. Thus this > > indicates probably a client software (OE!) issue, rather than > > MailScanner. When we migrate a client to the new mail system we are also > > moving them to IMAP (from POP3) and Outlook 2000. > Outlook doesn't support IMAP very well (IMHO) you would be better off > looking at something like Thunderbird www.mozilla.org which supports IMAP > much better. > > My users are very non-technical and they are all very used to Outlook Express. Therefore I want to take one step at a time and move them to Outlook as it is fairly similar to OE and thus the learning curve will be fairly flat. However, I have users on Apple Macs who may use other software and at the end of the day I want to create a system that does care what the end users uses to send/receive mail. As long as it's virus and spam scanned, that's all I'm really bothered about. Regards, Neil From opencomputing at yahoo.com Wed Jan 21 13:11:31 2004
From: opencomputing at yahoo.com (opencomputing) Date: Thu Jan 12 21:21:58 2006 Subject: MailScanner with qmail support - OpenProtect In-Reply-To: <6.0.1.1.2.20040121084702.03741138@imap.ecs.soton.ac.uk> Message-ID: <20040121131131.78800.qmail@web61008.mail.yahoo.com> Dear Julian, --- Julian Field wrote: > Please could we get your qmail support integrated > into the main codebase, > so there are no "forks" in the development tree. > > If you can send me the source and the installation > docs, I should be able > to do the rest for you. We'll be glad to get that module into the main code base. You can get the complete code from http://opencomputing.sf.net. We have added Qmail.pm, QMDiskStore.pm to the existing files in the /usr/lib/MailScanner/MailScanner directory. Also, we have added Qmail Hash Directory Number = 23 in MailScanner.conf. Also, we have included our modified qmail-queue.c file and the modified qmail directory as op-qmail-1.03 inside the tar.gz file. The Makefile is also changed so that a "make openprotect" will make the qmail-queue binary inside the op-qmail-1.03 directory. If the user has installed qmail in a different location than /var/qmail, the string has to be changed in the conf-qmail file under op-qmail-1.03 directory. so, setting the following values in MailScanner.conf will get qmail working: Run As User = qmailq Run As Group = qmail Incoming Queue Dir = /var/qmail/queue.in/mess #(create this directory or copy queue to queue.in) Outgoing Queue Dir = /var/qmail/queue/mess Qmail Hash Directory Number = 23 #(or whatever no.of dirs used) MTA = qmail Of course, our installer does all these by itself. So, reading the installer code can also reveal what'd done to make qmail support work. Also, openprotect was not started to fork MailScanner, but to give a complete security package which is open source and also easy to install. Only an install script(openprotect-install) to run. 
Infact, an average computer will not take more than 5 minutes to get openprotect up and running, regardless of the distro. cheers, Opencomputing Team. From bpumphrey at WOODMACLAW.COM Wed Jan 21 14:05:02 2004
From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:21:58 2006 Subject: Your MailScanner stats Message-ID: PIII 500mhz 19x RAM 6gig hard drive I used to have the mail forwarding to a spam account to make sure that it's doing a good job (and it is, wonderful). Now I have it on delete. My high spam assassin score is 7.2 and my other score I think is 5 (low action). The email actually goes through a few other servers. Here is what it does: Mail comes in and goes through MailScanner Goes through Norton Symantec Gateway (I actually have this catching all of the email with the subject line {Spam} (which is what my MailScanner tags the 5's with) and forwarding it to my spam account. Actually all of the 5's are spam too, so I think that it is doing a superb job (so do my users). Then it goes through Norton Enterprise Security which has spam actions and such but I have them turned off because they are not needed. Then to the mailboxes, which is the Exchange server. They also get scanned for viruses at every stop too. Along with all the clients having their local Norton. For MailScanner it should be: https://mail.woodmaclaw.com/Ameritech/MailAnalysis.htm Note: It is just a save of the web page (done just now). So the links don't work from the graphs. This is a cut and paste of the Norton side. Note: These numbers include all of the messages including the high spam from MailScanner because it goes right to this Norton server after MailScanner. However it wasn't but Monday that I told MailScanner to delete high scoring spam, so these numbers should start dropping. Status Version number: 3.1.0.29 Date server started: Fri, 02 Jan 2004 19:00:43 -0500 Server up time: 18 days 14 hours 1 minutes 0 seconds Symantec AntiVirus scanning: Enabled Quarantine forwarding: Disabled Total megabytes: 437.07 Message mode: Delivery Incoming messages: Accept Virus definition date (rev.
no.): 2004-01-18 (19) Last LiveUpdate attempt: Wed, 21 Jan 2004 08:00:56 -0500 Last LiveUpdate status: Succeeded (No update necessary) SSL certificate: Not installed Total viruses: 0 Messages Accepted: 28167 Rejected: 9 Delivered: 28376 Dropped: 449 Held: 0 Forwarded: 12719 Queue status Messages in fast queue: 0 Messages in slow queue: 0 Messages in hold queue: 0 Infections Repaired: 0 Deleted: 0 Logged: 0 Quarantined: 0 Attachments Deleted: 0 > -----Original Message----- > From: Vicchiullo, Rob [mailto:robv@DISASTER.COM] Sent: Tuesday, > January 20, 2004 9:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Your > MailScanner stats > > > Just wondering if people wouldn't mind sharing some stats of their box > and how MailScanner runs. > > Like CPU, Memory, OS, Major MailScanner config options and how many > emails you can handle in an hour. > From michele at BLACKNIGHTSOLUTIONS.COM Wed Jan 21 14:13:25 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:58 2006 Subject: Updating bigevil.cf In-Reply-To: Message-ID: I installed the cron script on one of our servers last night. Works a treat :) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Raymond Dijkxhoorn > Sent: 21 January 2004 10:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Updating bigevil.cf > > > Hi! > > > I followed the instructions and installed it on Monday. An email > > from root told me that early this morning it uploaded the new > > bigevil.cf. I checked (oh ye of little faith) and it had. > > Thanks once again. > > > > You can do this with the script i made, follow the leads on > > > http://mailscanner.prolocation.net > > > > > > This you can use to update the BigEvil rules... > > My pleasure. > > Bye, > Raymond > From mailscanner at ecs.soton.ac.uk Wed Jan 21 14:13:40 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: Updating bigevil.cf In-Reply-To: References: Message-ID: <6.0.1.1.2.20040121141300.07b9afc0@imap.ecs.soton.ac.uk> Please can you replace the "-q" on each of the "grep" commands with a ">/dev/null". The Solaris grep doesn't have "-q" :-( At 14:13 21/01/2004, you wrote: >I installed the cron script on one of our servers last night. Works a treat >:) > >Mr. Michele Neylon >Blacknight Internet Solutions Ltd >http://www.blacknightsolutions.ie/ >http://www.search.ie/ >Tel. + 353 (0)59 9137101 >Lowest price domains in Ireland > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Raymond Dijkxhoorn > > Sent: 21 January 2004 10:28 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Updating bigevil.cf > > > > > > Hi! > > > > > I followed the instructions and installed it on Monday. An email > > > from root told me that early this morning it uploaded the new > > > bigevil.cf. I checked (oh ye of little faith) and it had. > > > Thanks once again. > > > > > > You can do this with the script i made, follow the leads on > > > > http://mailscanner.prolocation.net > > > > > > > > This you can use to update the BigEvil rules... > > > > My pleasure. > > > > Bye, > > Raymond > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Wed Jan 21 14:19:02 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:58 2006 Subject: Updating bigevil.cf In-Reply-To: <6.0.1.1.2.20040121141300.07b9afc0@imap.ecs.soton.ac.uk> Message-ID: Hi! > Please can you replace the "-q" on each of the "grep" commands with a > ">/dev/null". The Solaris grep doesn't have "-q" :-( Sure! Thanks. Will update the script. Bye, Raymond. From jrawcliffe at LONDON.EDU Wed Jan 21 16:06:16 2004 
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe) Date: Thu Jan 12 21:21:58 2006 Subject: Managing MailScanner on multiple hosts Message-ID: <1074701175.17768.236.camel@isd92.lbs.ac.uk> I've recently introduced MailScanner, Sophos and SpamAssassin on a number of Sendmail servers feeding outgoing email and two iPlanet (or whatever it is now called) Messaging Server instances. Most of the documentation I've read refers to one machine running MS and delivering to local users; SA seems especially geared toward this kind of setup. Three things concern me: reporting, user preferences and where to go after the basic service is up and running. Reporting: Currently my six machines log locally, but I'm looking at a centralised loghost. I don't especially want MySQL, PHP and Apache running on all my gateways. Is anyone aware of a reporting tool that allows logs to be dumped to another server and then processed; I'm not too bothered about capturing server load and memory stats, just mail volume, spam and viruses. User preferences. Whilst SA is doing a great job and has been beneficial to most of the user community, there are some that are extremely irritated by the filtering. None of the users have a home directory on any of the mail gateways, so ~/.spamassassin/user_prefs is a non-starter. I had thought about using MySQL for storing prefs wih a PHP script to manage the contents (as described elsewhere). This may be possible but there are other obstacles. Anyone do anything different? Lastly, moving on from a basic install. I know I could hit the mailing lists and scour them for how to get Bigevil and bayes working without completely disabling all spam detection, but is there anywhere that describes how to do this without the lists (not that I am in any way knocking the sound advice and help found on the lists). 
None of the above is a moan about how these tools work - they all do a fantastic job - it's just an attempt to find out what other people do when running the scanner across more than one host that only relays email. -- Julian Rawcliffe London Business School, Sussex Place, Regents Park, London. NW1 4SA t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ From neilrobst at ALM.ORG.UK Wed Jan 21 16:15:52 2004 
From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:58 2006 Subject: Managing MailScanner on multiple hosts In-Reply-To: <1074701175.17768.236.camel@isd92.lbs.ac.uk> References: <1074701175.17768.236.camel@isd92.lbs.ac.uk> Message-ID: <1074701751.9609.84.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Hi Julian, I can't help you with all this, but I can mention that I'm just MailScanner with Postfix patched with LDAP for easy maintenance. With LDAP you can replicate your [(virtual) user] databases easily between multiple hosts. Also, most syslog daemons have the ability to log to a central host which is indeed what I'm doing currently. Take a look at the man page for it. Regards, Neil On Wed, 2004-01-21 at 16:06, Julian Rawcliffe wrote: > I've recently introduced MailScanner, Sophos and SpamAssassin > on a number of Sendmail servers feeding outgoing email and > two iPlanet (or whatever it is now called) Messaging Server > instances. > > Most of the documentation I've read refers to one machine > running MS and delivering to local users; SA seems especially > geared toward this kind of setup. > > Three things concern me: reporting, user preferences and where to go > after the basic service is up and running. > Reporting: Currently my six machines log locally, but I'm looking > at a centralised loghost. I don't especially want MySQL, PHP and > Apache running on all my gateways. Is anyone aware of a reporting > tool that allows logs to be dumped to another server and then > processed; I'm not too bothered about capturing server load and > memory stats, just mail volume, spam and viruses. > User preferences. Whilst SA is doing a great job and has been beneficial > to most of the user community, there are some that are extremely > irritated by the filtering. None of the users have a home directory on > any of the mail gateways, so ~/.spamassassin/user_prefs is a > non-starter. 
I had thought about using MySQL for storing prefs wih a > PHP script to manage the contents (as described elsewhere). This may > be possible but there are other obstacles. Anyone do anything > different? > Lastly, moving on from a basic install. I know I could hit the mailing > lists and scour them for how to get Bigevil and bayes working without > completely disabling all spam detection, but is there anywhere that > describes how to do this without the lists (not that I am in any way > knocking the sound advice and help found on the lists). > > None of the above is a moan about how these tools work - they all > do a fantastic job - it's just an attempt to find out what other > people do when running the scanner across more than one host that > only relays email. > > -- > > Julian Rawcliffe > > London Business School, Sussex Place, Regents Park, London. NW1 4SA > t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 > m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 > mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ From mailscanner at ecs.soton.ac.uk Wed Jan 21 16:15:54 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: Managing MailScanner on multiple hosts In-Reply-To: <1074701175.17768.236.camel@isd92.lbs.ac.uk> References: <1074701175.17768.236.camel@isd92.lbs.ac.uk> Message-ID: <6.0.1.1.2.20040121161051.07b61678@imap.ecs.soton.ac.uk> Your centralised logging could be done with nothing more sophisticated than syslog, as that can log to a remote host which would then collect all the logs from your "cluster" setup. However, that would not give you any reporting tools, MailWatch, anything like that so your entire system would have to be home-grown. What I would advise you to do is contact Steve.Swaney@fsl.com about the "cluster" edition of their MailScanner-based products they will be producing soon. This will do everything you describe below, and more. It will cost you some $ but will save you enormous amounts of time (and hence money) compared to implementing an entire system yourself to achieve what you have described. At 16:06 21/01/2004, you wrote: >I've recently introduced MailScanner, Sophos and SpamAssassin >on a number of Sendmail servers feeding outgoing email and >two iPlanet (or whatever it is now called) Messaging Server >instances. > >Most of the documentation I've read refers to one machine >running MS and delivering to local users; SA seems especially >geared toward this kind of setup. > >Three things concern me: reporting, user preferences and where to go >after the basic service is up and running. >Reporting: Currently my six machines log locally, but I'm looking >at a centralised loghost. I don't especially want MySQL, PHP and >Apache running on all my gateways. Is anyone aware of a reporting >tool that allows logs to be dumped to another server and then >processed; I'm not too bothered about capturing server load and >memory stats, just mail volume, spam and viruses. >User preferences. 
Whilst SA is doing a great job and has been beneficial >to most of the user community, there are some that are extremely >irritated by the filtering. None of the users have a home directory on >any of the mail gateways, so ~/.spamassassin/user_prefs is a >non-starter. I had thought about using MySQL for storing prefs wih a >PHP script to manage the contents (as described elsewhere). This may >be possible but there are other obstacles. Anyone do anything >different? >Lastly, moving on from a basic install. I know I could hit the mailing >lists and scour them for how to get Bigevil and bayes working without >completely disabling all spam detection, but is there anywhere that >describes how to do this without the lists (not that I am in any way >knocking the sound advice and help found on the lists). > >None of the above is a moan about how these tools work - they all >do a fantastic job - it's just an attempt to find out what other >people do when running the scanner across more than one host that >only relays email. > >-- > >Julian Rawcliffe > >London Business School, Sussex Place, Regents Park, London. NW1 4SA >t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 >m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 >mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Wed Jan 21 16:24:29 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:58 2006 Subject: SpamChecks.rules: sender*@ Message-ID: <400EA7BD.A8B219E7@ihs.com> This appears to work, but since I didn't see it in etc/rules/EXAMPLES, I want to be sure it is doing what I think it is doing. Many newsletters have a different envelope address each time they arrive, e.g. . The number will change each time. The following would allow all email from atomic.sparklist.com to not be spam checked: From: *@atomic.sparklist.com no I would rather not whitelist the entirety of atomic.sparklist.com, so tried the following: From: bounce-opa-intelligence*@ no This seems to have worked. Is my logic correct? If so, Julian, this might be a good addition to etc/rules/EXAMPLES. (My previous way of doing this was by adding a SpamAssassin rule to check the From: header and give a large negative score.) Thanks, Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mailscanner at ecs.soton.ac.uk Wed Jan 21 16:37:27 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: SpamChecks.rules: sender*@ In-Reply-To: <400EA7BD.A8B219E7@ihs.com> References: <400EA7BD.A8B219E7@ihs.com> Message-ID: <6.0.1.1.2.20040121163644.07bb1e18@imap.ecs.soton.ac.uk> Yes, that is fine. I have added it to the EXAMPLES file. At 16:24 21/01/2004, you wrote: >Many newsletters have a different envelope address each time they >arrive, e.g. . >The number will change each time. > >The following would allow all email from atomic.sparklist.com to not be >spam checked: > > From: *@atomic.sparklist.com no > >I would rather not whitelist the entirety of atomic.sparklist.com, so >tried the following: 
>
>        From: bounce-opa-intelligence*@ no
>
>This seems to have worked.
>
>Is my logic correct? If so, Julian, this might be a good addition to
>etc/rules/EXAMPLES.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From marco at MUW.EDU Wed Jan 21 17:06:37 2004
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:21:58 2006
Subject: SpamChecks.rules: sender*@
In-Reply-To: <6.0.1.1.2.20040121163644.07bb1e18@imap.ecs.soton.ac.uk>
References: <400EA7BD.A8B219E7@ihs.com> <6.0.1.1.2.20040121163644.07bb1e18@imap.ecs.soton.ac.uk>
Message-ID: <1074704797.400eb19d211be@webmail.MUW.Edu>

Hi Julian,

But "From: bounce-opa-intelligence*@ no" will whitelist
bounce-opa-intelligence* from any host and not just from atomic.sparklist.com,
which may not be exactly what he wants.

Can he not use:

From: bounce-opa-intelligence*@atomic.sparklist.com no ?

I am asking because I ran into this before ...

Thank you
Marco

Quoting Julian Field :

> Yes, that is fine.
> I have added it to the EXAMPLES file.
>
> At 16:24 21/01/2004, you wrote:
> >Many newsletters have a different envelope address each time they
> >arrive, e.g. .
> >The number will change each time.
> >
> >The following would allow all email from atomic.sparklist.com to not be
> >spam checked:
> >
> >        From: *@atomic.sparklist.com no
> >
> >I would rather not whitelist the entirety of atomic.sparklist.com, so
> >tried the following:
> >
> >        From: bounce-opa-intelligence*@ no
> >
> >This seems to have worked.
> >
> >Is my logic correct? If so, Julian, this might be a good addition to
> >etc/rules/EXAMPLES.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From TGFurnish at HERFF-JONES.COM Wed Jan 21 16:57:57 2004
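
Marco Obaid's scoping point in this thread, as an added example that is not part of any poster's message and is not MailScanner's own code: a small Python audit that models ruleset address matching and flags spam-check exemptions whose domain is left open. The matching model (wildcard semantics, first match wins), the sender addresses and the domain mail.example.net are assumptions constructed for illustration.

```python
"""Audit MailScanner-style sender rules for patterns that leave the domain open.

Simplified model for illustration, NOT MailScanner's own matcher. Assumptions:
'*' matches any run of characters except '@', matching is case-insensitive,
a pattern ending in '@' constrains only the local part (as stated in the
thread), and the first matching rule wins.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    lineno: int
    direction: str
    pattern: str
    value: str


def parse_rules(text: str) -> List[Rule]:
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        rules.append(Rule(lineno, fields[0], fields[1], fields[2].strip()))
    return rules


def _glob(part: str) -> str:
    """Turn one side of an address pattern into a regex fragment."""
    return "[^@]*".join(re.escape(piece) for piece in part.split("*"))


def pattern_regex(pattern: str) -> "Optional[re.Pattern]":
    """Compile an address pattern; None for forms this model does not cover."""
    if pattern.lower() == "default":
        return re.compile(r".*", re.DOTALL)
    if pattern.count("@") != 1:
        return None  # IP prefixes, /regex/ rules etc. are out of scope here
    local, domain = pattern.split("@")
    domain_re = _glob(domain) if domain else "[^@]*"  # empty domain: any host
    return re.compile(f"{_glob(local)}@{domain_re}", re.IGNORECASE)


def evaluate(rules: List[Rule], sender: str) -> Optional[str]:
    """Return the value of the first From:/FromOrTo: rule matching the sender."""
    for rule in rules:
        if rule.direction.lower() not in ("from:", "fromorto:"):
            continue
        rx = pattern_regex(rule.pattern)
        if rx is not None and rx.fullmatch(sender):
            return rule.value
    return None


def audit(rules: List[Rule], skip_value: str = "no") -> List[Tuple[int, str]]:
    """Flag exemptions (value == skip_value) that are broader than one sender set.

    'any-domain'   : nothing literal after '@', so any host can match.
    'whole-domain' : local part is only '*', so every sender at the host matches.
    """
    findings = []
    for rule in rules:
        if rule.value.lower() != skip_value or rule.pattern.count("@") != 1:
            continue
        local, domain = rule.pattern.split("@")
        if not domain.replace("*", "").strip("."):
            findings.append((rule.lineno, "any-domain"))
        elif not local.replace("*", ""):
            findings.append((rule.lineno, "whole-domain"))
    return findings


# The three rule variants discussed in the thread, each with a default line.
DEFAULT = "FromOrTo: default yes\n"
WHOLE = "From: *@atomic.sparklist.com no\n" + DEFAULT
BROAD = "From: bounce-opa-intelligence*@ no\n" + DEFAULT
SCOPED = "From: bounce-opa-intelligence*@atomic.sparklist.com no\n" + DEFAULT

# Constructed envelope senders (not taken from the thread).
NEWSLETTER = "bounce-opa-intelligence-1234567@atomic.sparklist.com"
OTHER_HOST = "bounce-opa-intelligence-1@mail.example.net"
SAME_HOST_OTHER_USER = "news@atomic.sparklist.com"

if __name__ == "__main__":
    for name, text in (("whole", WHOLE), ("broad", BROAD), ("scoped", SCOPED)):
        rules = parse_rules(text)
        print(f"[{name}] findings: {audit(rules)}")
        for sender in (NEWSLETTER, OTHER_HOST, SAME_HOST_OTHER_USER):
            print(f"    spam checks for {sender}: {evaluate(rules, sender)}")
```
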
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:58 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733620@inex1.herffjones.hj-int> No one responded with any suggestions for how to accomplish this in mailscanner, so I'm assuming it's not yet possible. So I'm hoping this will be considered as a feature request. :-) New feature requested: A new "action", recipientnotify, that causes a notification message to be sent to the recipient instead of the original message. The message file would need to support the common variable interpolations - $report, $from, $subject, $localposter, etc. And the way I'd envision using this new feature: In MailScanner.conf: Spam Actions = store recipientnotify Then, the message sent to the recipient would look something like: ------ Begin recipient message ------ Our mail filtering system has blocked a message sent to you from:

$from

...with a subject of:

$subject

If you believe this to be a valid message, please click here. The original message will be stored for 7 days. ------ End recipient message ------ The linked web page would allow the user to take whatever actions are appropriate for the site - ie sa-learn, release from quarantine, whitelist, whatever. This approach circumvents the need for any user-based authentication and allows for a *very* simple user interface to quarantined mail. -----Original Message----- From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] Sent: Tuesday, January 20, 2004 12:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Just the notification for spam? Is it still Monday? I'm drawing a blank on how to do something. (How) can I configure MS to deliver a notification to the recipient that a message was quarantined, without actually delivering the message, not even as an attachment? I've been asked to send recipients a message that basically says "We blocked a message we think is spam, from Bob, with subject Foo - click here if you think the message wasn't spam." But the options I have in the config don't seem to allow for that particular set-up. Can MS do that? I don't want to deliver the original message at all, but I still want to notify the sender that a message was blocked. Recipients can filter these into a folder and ignore them 99% of the time, but on those occasions when they're expecting a message that doesn't come in, they'd be able to open the spam folder and search for the sender of the missing message, then click a link to release the message. 
-- Trever From mailscanner at ecs.soton.ac.uk Wed Jan 21 16:59:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: SpamChecks.rules: sender*@ In-Reply-To: <1074704797.400eb19d211be@webmail.MUW.Edu> References: <400EA7BD.A8B219E7@ihs.com> <6.0.1.1.2.20040121163644.07bb1e18@imap.ecs.soton.ac.uk> <1074704797.400eb19d211be@webmail.MUW.Edu> Message-ID: <6.0.1.1.2.20040121165817.07d9f778@imap.ecs.soton.ac.uk> At 17:06 21/01/2004, you wrote: >Hi Julian, > >But "From: bounce-opa-intelligence*@ no" will whitelist >bounce-opa-intelligence* from any host and not just from atomic.sparklist.com, >which many not be exactly what he wants. Quite correct. Blame addled brain on surfeit of pain-killers, life is slightly out of focus at the mo... :-) >Can he not use: > >From: bounce-opa-intelligence*@atomic.sparklist.com no ? Yes. >I am asking because I ran into this before ... > >Thank you >Marco > > > >Quoting Julian Field : > > > Yes, that is fine. > > I have added it to the EXAMPLES file. > > > > At 16:24 21/01/2004, you wrote: > > >Many newsletters have a different envelope address each time they > > >arrive, e.g. . > > >The number will change each time. > > > > > >The following would allow all email from atomic.sparklist.com to not be > > >spam checked: > > > > > > From: *@atomic.sparklist.com no > > > > > >I would rather not whitelist the entirety of atomic.sparklist.com, so > > >tried the following: > > > > > > From: bounce-opa-intelligence*@ no > > > > > >This seems to have worked. > > > > > >Is my logic correct? If so, Julian, this might be a good addition to > > >etc/rules/EXAMPLES. 
> > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Wed Jan 21 17:01:44 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:58 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <54C38A0B814C8E438EF73FC76F3629274107DC@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > Envoy? : Wednesday, January 21, 2004 11:58 AM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : feature request - FW: Just the notification for spam? > > > No one responded with any suggestions for how to accomplish this in > mailscanner, so I'm assuming it's not yet possible. I've suggested that already, but it has been taken by MailWatch instead. However, i don't know about the development, but Steve from MailWatch said that he would try to release a new version next week. Maybe ask on the mailwatch list... Hth Ugo > > So I'm hoping this will be considered as a feature request. :-) > > New feature requested: > A new "action", recipientnotify, that causes a notification > message to be > sent to the recipient instead of the original message. The > message file > would need to support the common variable interpolations - > $report, $from, > $subject, $localposter, etc. > > And the way I'd envision using this new feature: > In MailScanner.conf: > Spam Actions = store recipientnotify > > Then, the message sent to the recipient would look something like: > > > ------ Begin recipient message ------ > Our mail filtering system has blocked a message sent to you > from: >

$from

> > ...with a subject of: >

$subject

> > If you believe this to be a valid message, please click > here. > > The original message will be stored for 7 days. > ------ End recipient message ------ > > > The linked web page would allow the user to take whatever > actions are appropriate for the site - ie sa-learn, release > from quarantine, whitelist, whatever. > > This approach circumvents the need for any user-based authentication > and allows for a *very* simple user interface to quarantined mail. > > -----Original Message----- > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > Sent: Tuesday, January 20, 2004 12:46 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Just the notification for spam? > > > Is it still Monday? I'm drawing a blank on how to do > something. (How) can > I configure MS to deliver a notification to the recipient > that a message was > quarantined, without actually delivering the message, not even as an > attachment? > > I've been asked to send recipients a message that basically > says "We blocked > a message we think is spam, from Bob, with subject Foo - > click here if you > think the message wasn't spam." But the options I have in > the config don't > seem to allow for that particular set-up. Can MS do that? > > I don't want to deliver the original message at all, but I > still want to > notify the sender that a message was blocked. Recipients can > filter these > into a folder and ignore them 99% of the time, but on those > occasions when > they're expecting a message that doesn't come in, they'd be > able to open the > spam folder and search for the sender of the missing message, > then click a > link to release the message. > > -- > Trever > From mailscanner at ecs.soton.ac.uk Wed Jan 21 17:09:53 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: feature request - FW: Just the notification for spam? 
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629274107DC@mtlnt501fs.CAMOROUT E.COM> References: <54C38A0B814C8E438EF73FC76F3629274107DC@mtlnt501fs.CAMOROUTE.COM> Message-ID: <6.0.1.1.2.20040121170930.03bcbd18@imap.ecs.soton.ac.uk> At 17:01 21/01/2004, you wrote: > > -----Message d'origine----- > > De : Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > > Envoy? : Wednesday, January 21, 2004 11:58 AM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : feature request - FW: Just the notification for spam? > > > > > > No one responded with any suggestions for how to accomplish this in > > mailscanner, so I'm assuming it's not yet possible. > >I've suggested that already, but it has been taken by MailWatch >instead. However, i don't know about the development, but Steve from >MailWatch said that he would try to release a new version next >week. Maybe ask on the mailwatch list... Had forgotten about this. Is implementation in MailWatch okay? (saves me duplicating effort). >Hth > >Ugo > > > > > So I'm hoping this will be considered as a feature request. :-) > > > > New feature requested: > > A new "action", recipientnotify, that causes a notification > > message to be > > sent to the recipient instead of the original message. The > > message file > > would need to support the common variable interpolations - > > $report, $from, > > $subject, $localposter, etc. > > > > And the way I'd envision using this new feature: > > In MailScanner.conf: > > Spam Actions = store recipientnotify > > > > Then, the message sent to the recipient would look something like: > > > > > > ------ Begin recipient message ------ > > Our mail filtering system has blocked a message sent to you > > from: > >

$from

> > > > ...with a subject of: > >

$subject

> > > > If you believe this to be a valid message, please click > > here. > > > > The original message will be stored for 7 days. > > ------ End recipient message ------ > > > > > > The linked web page would allow the user to take whatever > > actions are appropriate for the site - ie sa-learn, release > > from quarantine, whitelist, whatever. > > > > This approach circumvents the need for any user-based authentication > > and allows for a *very* simple user interface to quarantined mail. > > > > -----Original Message----- > > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > > Sent: Tuesday, January 20, 2004 12:46 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Just the notification for spam? > > > > > > Is it still Monday? I'm drawing a blank on how to do > > something. (How) can > > I configure MS to deliver a notification to the recipient > > that a message was > > quarantined, without actually delivering the message, not even as an > > attachment? > > > > I've been asked to send recipients a message that basically > > says "We blocked > > a message we think is spam, from Bob, with subject Foo - > > click here if you > > think the message wasn't spam." But the options I have in > > the config don't > > seem to allow for that particular set-up. Can MS do that? > > > > I don't want to deliver the original message at all, but I > > still want to > > notify the sender that a message was blocked. Recipients can > > filter these > > into a folder and ignore them 99% of the time, but on those > > occasions when > > they're expecting a message that doesn't come in, they'd be > > able to open the > > spam folder and search for the sender of the missing message, > > then click a > > link to release the message. 
> > > > -- > > Trever > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From TGFurnish at HERFF-JONES.COM Wed Jan 21 17:15:06 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:58 2006 Subject: Razor Install Problem (not finding SHA1) Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733621@inex1.herffjones.hj-int> Did you do an upgrade of this system? Or maybe change the compiler or perl version? I'm not familiar with that particular error and not really familiar with Dynaloader, but my guess would be that the version of Digest::SHA1 you have installed was compiled either for a different version of perl or on a different architecture or ... I'll stop before I start imagining too much. :-) The version of that module that you find in the filesystem is in a vendor_perl directory. That's different compared to my rh9 box. I have one in the vendor_perl directory, but I also have one in a site_perl directory, and the site_perl directory is listed first in @INC, so that's the one that gets used. My setup notes say I installed Digest::SHA1 via cpan, but I didn't need to use "force". I'm not sure why it's telling you yours is up to date unless maybe there was a package from redhat that I missed that included a more up-to-date version of that module. You might want to try getting more detailed in your cpan actions. Instead of just "install", do "test" and see what it says. If it tells you it's already up to date, then do "force test Digest::SHA1". You also didn't send the output of one of the commands I suggested - you might want to take a look there. 
The command was:

perl -e 'print join("\n", @INC, "\n");'

And on my system, it prints out:

/usr/lib/perl5/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/5.8.0
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/5.8.0
.

And also fyi, on my system I have the following instances of SHA1-related
files:

[root@relay en]# locate SHA1
/usr/lib/gcc-lib/i386-redhat-linux/3.2.2/include/gnu/java/security/provider/SHA1PRNG.h
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/SHA1.so
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/SHA1.bs
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Digest/SHA1.pm
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SHA1.pm
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/SHA1.bs
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/SHA1.so
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Digest/SHA1.pm
/usr/lib/perl5/vendor_perl/5.8.0/Digest/HMAC_SHA1.pm
/usr/share/man/man3/SHA1_Final.3ssl.gz
/usr/share/man/man3/SHA1.3ssl.gz
/usr/share/man/man3/SHA1_Init.3ssl.gz
/usr/share/man/man3/SHA1_Update.3ssl.gz
/usr/share/man/man3/Digest::SHA1.3pm.gz
/usr/share/man/man3/Digest::HMAC_SHA1.3pm.gz
/usr/local/src/Mail-SpamAssassin-2.55/lib/Mail/SpamAssassin/SHA1.pm
/usr/local/src/Mail-SpamAssassin-2.55/blib/lib/Mail/SpamAssassin/SHA1.pm
/usr/local/src/Mail-SpamAssassin-2.60/lib/Mail/SpamAssassin/SHA1.pm
/usr/local/src/Mail-SpamAssassin-2.60/blib/lib/Mail/SpamAssassin/SHA1.pm
/usr/man/man3/Digest::SHA1.3pm /u01/9/RPMS/perl-Digest-SHA1-2.01-10.i386.rpm (That last one is just the original rpm from redhat9.) Hope it helps, Trever > -----Original Message----- > From: Al Cooper [mailto:alc@TLYNX.COM] > Sent: Tuesday, January 20, 2004 6:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Razor Install Problem (not finding SHA1) > > > Thanks for responding. Comments in line. > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Furnish, Trever G > >Sent: Tuesday, January 20, 2004 3:58 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Razor Install Problem (not finding SHA1) > > > > > >perl -e 'use Digest::SHA1;' > > [root@gate2 root]# perl -e 'use Digest::SHA1;' > Digest::SHA1 object version 2.01 does not match bootstrap > parameter 2.07 at > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/DynaLoader.pm line 249. > Compilation failed in require at -e line 1. > BEGIN failed--compilation aborted at -e line 1. > [root@gate2 root]# > > > > > >If you get an error about it not being found, then your > problem is that > it's > >not installed correctly for the version of perl that you're > using. If > >that's the case, then you may find it helpful to > double-check which version > >of perl is in your path: > > > >type perl > >perl -v > > [root@gate2 root]# perl -v > > This is perl, v5.8.0 built for i386-linux-thread-multi > (with 1 registered patch, see perl -V for more detail) > > Copyright 1987-2002, Larry Wall > > Perl may be copied only under the terms of either the > Artistic License or > the > GNU General Public License, which may be found in the Perl 5 > source kit. > > Complete documentation for Perl, including FAQ lists, should > be found on > this system using `man perl' or `perldoc perl'. If you have > access to the > Internet, point your browser at http://www.perl.com/, the > Perl Home Page. 
> > > >It might also help to print out your @INC: > >perl -e 'print join("\n", @INC, "\n");' > > > >Then again, I don't think that zero should be there either > in the warning > >message you're getting, so you may have a very different problem. > > > >HTH, > >Trever > > > > -----Original Message----- > > From: Al Cooper [mailto:alc@TLYNX.COM] > > Sent: Tuesday, January 20, 2004 5:07 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Razor Install Problem (not finding SHA1) > > > > > > I am attempting to install Razor 2.36 on a Redhat 9 box > > running MS 4.25-14. > > I install the Razor SDK package with no problem. When I > > tried to start > > installing Razor by running 'perl Makefile.PL' from the > > razor-agents-2.36 > > directory, I get the following error 'Warning: prerequisite > > Digest::SHA1 0 > > not found'. However I run from / 'find . -name SHA1' I find > > that SHA1 is > > located at > > '/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto > > /Digest/SHA1'. > > I also tried to re-install Digest::SHA1 via MCPAN and I get > > the message > > "Digest::SHA1 is up to date." > > > > Any suggestions? > > > > Thanks for your help. > > > > Al Cooper > > > From dustin.baer at IHS.COM Wed Jan 21 17:17:39 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:58 2006 Subject: SpamChecks.rules: sender*@ References: <400EA7BD.A8B219E7@ihs.com> <6.0.1.1.2.20040121163644.07bb1e18@imap.ecs.soton.ac.uk> <1074704797.400eb19d211be@webmail.MUW.Edu> <6.0.1.1.2.20040121165817.07d9f778@imap.ecs.soton.ac.uk> Message-ID: <400EB433.BF9D763D@ihs.com> Julian Field wrote: > > At 17:06 21/01/2004, you wrote: > >Hi Julian, > > > >But "From: bounce-opa-intelligence*@ no" will whitelist > >bounce-opa-intelligence* from any host and not just from atomic.sparklist.com, > >which many not be exactly what he wants. > > Quite correct. Blame addled brain on surfeit of pain-killers, life is > slightly out of focus at the mo... 
> :-) > > >Can he not use: > > > >From: bounce-opa-intelligence*@atomic.sparklist.com no ? > > Yes. Thanks. I have added the host.domain part to it. I didn't think about it, either. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From chris at FRACTALWEB.COM Wed Jan 21 17:23:45 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:58 2006 Subject: Still getting duplicate mails! In-Reply-To: <1074685264.9609.63.camel@dyn-9-173-7-53.leeds.uk.ibm.com> References: <5C0296D26910694BB9A9BBFC577E7AB0016499A3@pascal.priv.bmrb.co.uk> <1074684309.9609.59.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <34031.194.70.180.170.1074684977.squirrel@net.themarshalls.co.uk> <1074685264.9609.63.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <400EB5A1.2000904@fractalweb.com> Neil Robst wrote: >On Wed, 2004-01-21 at 11:36, Drew Marshall wrote: > > >>Neil Robst said: >> >> >>>Kevin - you have have given me the pointers I needed. I got some of my >>>users to forward the duplicated mails to me and it seems like they all >>>have the same X-UIDL header. >>> >>>Also, the other interesting this is that, as per my other post to this >>>list on this topic in reply to Drew, some mails are not going through >>>MailScanner and yet still appear to be being duplicated. Thus this >>>indicates probably a client software (OE!) issue, rather than >>>MailScanner. When we migrate a client to the new mail system we are also >>>moving them to IMAP (from POP3) and Outlook 2000. >>> >>> >>Outlook doesn't support IMAP very well (IMHO) you would be better off >>looking at some thing like Thunderbird www.mozilla.org which supports IMAP >>much better. >> >> >My users are very non-technical and they are all very used to Outlook >Express. Therefore I want to take one step at a time and move them to >Outlook as it is fairly similiar to OE and thus the learning curve will >be fairly flat. 
>
>However, I have users on Apple Mac's who may use other software and at
>the end of the day I want to create a system that does care what the end
>users uses to send/receive mail. As long as it's virus and spam scanned,
>that's all I'm really bothered about
>
>

Neil,

I second the motion to switch your users away from OE and move them over
to Mozilla Thunderbird. If you haven't tried the latest iteration of this
excellent mail client, then you need to asap. It seems to cover most, if
not all, of the vulnerabilities that OE and Outlook exhibit. The interface
is far more intuitive than OE ever was. I think virtually all of your
users will be up and running on Thunderbird (or Mozilla Mail) in minutes.

Cheers,
Chris

From rherban at HYPERVINE.NET Mon Jan 19 18:44:07 2004
From: rherban at HYPERVINE.NET (No Name)
Date: Thu Jan 12 21:21:58 2006
Subject: ETRN message
Message-ID:

I have been watching my mail log with MailScanner and noticed the below
syntax and don't understand what it is saying. Would anyone have a
suggestion? I tried to send myself an email and it has not been delivered.
My gateway forwards the mail to an internal email exchange server. The SPAM
gateway is running the latest SA and MS.

Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot

SD :-)

From rherban at HYPERVINE.NET Mon Jan 19 19:08:10 2004
From: rherban at HYPERVINE.NET (No Name)
Date: Thu Jan 12 21:21:58 2006
Subject: ETRN message
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701AF3A23@mail.gardenbotanika.com>
Message-ID:

MS does not get involved with SMTP service at all, so this is not a
MailScanner problem.

The error means that whatever tried to connect to your mail server didn't
actually try to send a message, it just said HELO and then broke the
connection.

Is your server load very high?
At 14:53 19/01/2004, you wrote: >I have been watching my mail log with MailScanner and noticed the below >syntax and don't understand what it is saying. Would anyone have a >suggestion? I tried to send me an email and it has not been delivers. My >gateway forwards the mail to an internal email exchange server. The SPAM >gateway is running the latest SA and MS. > >Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not >issue MAIL/EXPN/VRFY/ETRN during connection to MTA > >Pentium IV, RH9, 1.5 GB RAM, 80 GB HDD, and f-prot > >SD :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Wed Jan 21 18:11:10 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:58 2006 Subject: ETRN message In-Reply-To: References: Message-ID: <400EC0BE.4010800@ucgbook.com> No Name wrote: > Jan 19 08:42:38 mail sendmail[30274]: i0JEgcjd030274: [x.x.x.x] did not > issue MAIL/EXPN/VRFY/ETRN during connection to MTA Is the IP address inside the brackets local? If so it could just be monitoring of your Sendmail, they usually connect and drop out immediately. Test with "telnet localhost 25" and type "quit" at the prompt. That will leave such a log line. There's more in the list archives since this was recently discussed. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From peter at UCGBOOK.COM Wed Jan 21 18:14:52 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:58 2006 Subject: feature request - FW: Just the notification for spam? 
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF03733620@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF03733620@inex1.herffjones.hj-int> Message-ID: <400EC19C.4090707@ucgbook.com> Furnish, Trever G wrote: > No one responded with any suggestions for how to accomplish this in > mailscanner, so I'm assuming it's not yet possible. > > So I'm hoping this will be considered as a feature request. :-) > > New feature requested: > A new "action", recipientnotify, that causes a notification message to be > sent to the recipient instead of the original message. The message file > would need to support the common variable interpolations - $report, $from, > $subject, $localposter, etc. Wouldn't the attachment action pretty much do what you want? It sends a customizable message to the recipient who can choose to open the attachment...is that too simple? ;-) I might be completely wrong of course. :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From peter at UCGBOOK.COM Wed Jan 21 18:17:35 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:58 2006 Subject: Updating bigevil.cf In-Reply-To: <6.0.1.1.2.20040121141300.07b9afc0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040121141300.07b9afc0@imap.ecs.soton.ac.uk> Message-ID: <400EC23F.1060502@ucgbook.com> Julian Field wrote: > Please can you replace the "-q" on each of the "grep" commands with a > ">/dev/null". The Solaris grep doesn't have "-q" :-( If you use /usr/xpg4/bin/grep it does. 
;-)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From raymond at PROLOCATION.NET Wed Jan 21 18:18:32 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:58 2006
Subject: Managing MailScanner on multiple hosts
In-Reply-To: <6.0.1.1.2.20040121161051.07b61678@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> What I would advise you to do is contact Steve.Swaney@fsl.com about the
> "cluster" edition of their MailScanner-based products they will be
> producing soon. This will do everything you describe below, and more.
>
> It will cost you some $ but will save you enormous amounts of time (and
> hence money) compared to implementing an entire system yourself to achieve
> what you have described.

We also have a centralized solution for log parsing, supporting both Exim
and sendmail as MTA currently. Also for example with centralized blocking
of virus senders, and the option to send mail to for example your abuse
desk to let them know you blocked someone :)

It's most likely different than the things Julian also posted but for us
it's pretty cool to work with.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Jan 21 18:20:34 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:58 2006
Subject: Updating bigevil.cf
In-Reply-To: <400EC23F.1060502@ucgbook.com>
Message-ID:

Hi!

> > Please can you replace the "-q" on each of the "grep" commands with a
> > ">/dev/null". The Solaris grep doesn't have "-q" :-(
>
> If you use /usr/xpg4/bin/grep it does. ;-)

To avoid people having trouble I have put a new version online.

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Jan 21 18:22:34 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:58 2006
Subject: Managing MailScanner on multiple hosts
In-Reply-To: <1074701751.9609.84.camel@dyn-9-173-7-53.leeds.uk.ibm.com>
Message-ID:

Hi!

> Also, most syslog daemons have the ability to log to a central host > which is indeed what I'm doing currently. Take a look at the man page > for it. And we have written some scripts to parse those logs and make graphs and txt output from those. If people are interested I could post some sample pages so you can have a look what it currently outputs... Bye, Raymond. From rherban at HYPERVINE.NET Mon Jan 19 20:22:16 2004 From: rherban at HYPERVINE.NET (No Name) Date: Thu Jan 12 21:21:58 2006 Subject: Adding these .cf's Message-ID: Also, does anyone have any comments on running: http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf or the http://www.stearns.org/sa-blacklist/sa-blacklist.2004011601.cf Any problems in adding these lists? From peter at UCGBOOK.COM Wed Jan 21 18:34:41 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:58 2006 Subject: Your MailScanner stats In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132DC@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273132DC@mtlnt501fs.CAMOROUTE.COM> Message-ID: <400EC641.50206@ucgbook.com> Ugo Bellavance wrote: > see http://www.routier.org/mrtg/ and http://www.routier.org/mailscanner-mrtg/ Your MailStats are slightly broken when it comes to the SA traps. I experienced the same problem and after looking through the code I saw that it only looked for English keywords so my Swedish word for "blacklisted" for example didn't work. I had to change some words in the language.conf file back to English to get it to work. Maybe you should look into that too. 
-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From mailscanner at ecs.soton.ac.uk Wed Jan 21 18:53:05 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:58 2006 Subject: Razor caching proxy Message-ID: <6.0.1.1.2.20040121185014.02db82f8@imap.ecs.soton.ac.uk> I've just come across this here: http://www.stearns.org/razor-caching-proxy Has anyone else ever heard of it, or tried it out? I would be interested to hear people's opinions of it. I have contacted Vipul directly to ask if there is a way of mirroring their servers, and unfortunately the answer is no. Apparently the reporting and querying services are very tightly bound to each other, so mirrors aren't possible. Shame. And what about DCC? Is anyone running the DCC daemon to provide their own DCC server. Does this help performance noticeably? I am worried that too many large sites will overload the central DCC servers, when we could run our own. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Wed Jan 21 19:00:09 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:59 2006 Subject: Razor caching proxy In-Reply-To: <6.0.1.1.2.20040121185014.02db82f8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040121185014.02db82f8@imap.ecs.soton.ac.uk> Message-ID: <400ECC39.9050609@ucgbook.com> Julian Field wrote: > And what about DCC? > Is anyone running the DCC daemon to provide their own DCC server. Does this > help performance noticeably? I am worried that too many large sites will > overload the central DCC servers, when we could run our own. They recommend a local server if you handle more than 100,000 mails per day. 
They state that sites with less traffic spend more bandwidth syncing their servers than using the public ones. I'm well below 100,000 on my sites. Maybe Raymond is running one? ;-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From raymond at PROLOCATION.NET Wed Jan 21 19:06:57 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:59 2006 Subject: Razor caching proxy In-Reply-To: <400ECC39.9050609@ucgbook.com> Message-ID: Hi! > They recommend a local server if you handle more than 100,000 mails per > day. They state that sites with less traffic spend more bandwidth > syncing their servers than using the public ones. > > I'm well below 100,000 on my sites. Maybe Raymond is running one? ;-) No, but it would be interesting to find out if it helps. Bye, Raymond. From walkera-mailscanner at OFB.NET Wed Jan 21 19:14:19 2004 From: walkera-mailscanner at OFB.NET (Walker Aumann) Date: Thu Jan 12 21:21:59 2006 Subject: Logging scores of non-spam (patch) Message-ID: <13893.1074712459@ofb.net> For my site, I thought it could be interesting to know the scores of mail getting through MailScanner/SpamAssassin without having to archive all the messages, to get an idea of how close messages were getting to the threshold. The following two patches (against MailScanner 4.25-14) add a "Log Non Spam" option that works just like the "Log Spam" option. Hopefully someone else will also find this data useful. 
Walker -------------- next part -------------- *** ConfigDefs.pl 2003-12-02 03:44:42.000000000 -0800 --- ConfigDefs.pl.new 2004-01-12 10:34:56.000000000 -0800 *************** *** 169,174 **** --- 169,175 ---- debugspamassassin 0 no 0 yes 1 deliverinbackground 1 no 0 yes 1 logspam 1 no 0 yes 1 + lognonspam 0 no 0 yes 1 logspeed 0 no 0 yes 1 logmcp 0 no 0 yes 1 expandtnef 1 no 0 yes 1 -------------- next part -------------- *** Message.pm 2004-01-12 10:25:20.000000000 -0800 --- Message.pm.new 2004-01-12 10:37:48.000000000 -0800 *************** *** 273,278 **** --- 273,279 ---- my $RBLsaysspam = 0; my $rblcounter = 0; my $LogSpam = MailScanner::Config::Value('logspam'); + my $LogNonSpam = MailScanner::Config::Value('lognonspam'); my $LocalSpamText = MailScanner::Config::LanguageValue($this, 'spam'); # Construct a pretty list of all the unique domain names for logging *************** *** 442,448 **** } # Do the spam logging here so we can log high-scoring spam too ! if ($LogSpam && $this->{isspam}) { my $ReportText = $spamheader; $ReportText =~ s/\s+/ /sg; MailScanner::Log::InfoLog("Message %s from %s (%s) to %s is %s", --- 443,449 ---- } # Do the spam logging here so we can log high-scoring spam too ! if (($LogSpam && $this->{isspam}) or $LogNonSpam) { my $ReportText = $spamheader; $ReportText =~ s/\s+/ /sg; MailScanner::Log::InfoLog("Message %s from %s (%s) to %s is %s", From dot at DOTAT.AT Wed Jan 21 19:09:50 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:59 2006 Subject: Razor caching proxy In-Reply-To: Message-ID: Julian Field wrote: > >And what about DCC? >Is anyone running the DCC daemon to provide their own DCC server. Does this >help performance noticeably? I am worried that too many large sites will >overload the central DCC servers, when we could run our own. When I have upgraded the memory on our mail hub machines, I intend to run dccd. Our incoming traffic is about 300,000 messages per day. Tony. 
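Review bot: Documentation is missing for the new lognonspam keyword in the ConfigDefs.pl hunk: the patch has no MailScanner.conf entry or comment for it, so nothing records the setting name or that it defaults to off. A short conf stanza beside the existing Log Spam documentation, noting that every clean message then produces a log line carrying its sender and recipient, would make the cost of enabling it visible.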
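Review bot: In the Message.pm hunk at line 443, the condition "(($LogSpam && $this->{isspam}) or $LogNonSpam)" is true for every message once Log Non Spam is on, so spam is logged even when Log Spam is set to no and the two options are not independent. Making the second arm "($LogNonSpam && !$this->{isspam})" would restrict it to non-spam, and "||" would match the "&&" already used in the expression. The format string "Message %s from %s (%s) to %s is %s" is shared by both cases, so confirm the final field lets a log parser tell a non-spam entry from a spam one.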
-- f.a.n.finch http://dotat.at/ NORTH FITZROY SOLE: SOUTH OR SOUTHWEST VEERING WEST 5 TO 7, PERHAPS GALE 8 LATER. OCCASIONAL RAIN. GOOD BECOMING MODERATE OCCASIONALLY POOR. From marco at MUW.EDU Wed Jan 21 20:21:01 2004 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help Message-ID: <1074716461.400edf2d93daf@webmail.MUW.Edu> A few months ago, I moved my main mailserver mail.mydomain behind a mail gateway, gw.mydomain. All mail sent from mail.mydomain goes through my gw.mydomain and of course gw.mydomain is my MX for my domain, which forwards clean feed to my users located on mail.mydomain. Everything is running great except one annoying thing, spammers are still able to contact mail.mydomain. How can I configure my mailserver main.mydomain (running sendmail) to refuse smtp connections except when to my mail gateway (gw.mydomain)? I do not want my mail server to talk to any server but my gateway. It is probably a very simple thing, I just cannot find it in my books. Thank you for any hints Marco From peter at UCGBOOK.COM Wed Jan 21 20:07:00 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help In-Reply-To: <1074716461.400edf2d93daf@webmail.MUW.Edu> References: <1074716461.400edf2d93daf@webmail.MUW.Edu> Message-ID: <400EDBE4.1060806@ucgbook.com> Marco Obaid wrote: > How can I configure my mailserver main.mydomain (running sendmail) to refuse > smtp connections except when to my mail gateway (gw.mydomain)? > I do not want my mail server to talk to any server but my gateway. Shouldn't you use your firewall for that? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From dustin.baer at IHS.COM Wed Jan 21 20:07:55 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? 
References: <8FFC76593085ED4A80D3601BC41EFCDF03733620@inex1.herffjones.hj-int> Message-ID: <400EDC1B.29FA0BEB@ihs.com> "Furnish, Trever G" wrote: > > No one responded with any suggestions for how to accomplish this in > mailscanner, so I'm assuming it's not yet possible. > > So I'm hoping this will be considered as a feature request. :-) > > New feature requested: > A new "action", recipientnotify, that causes a notification message to be > sent to the recipient instead of the original message. The message file > would need to support the common variable interpolations - $report, $from, Doesn't this defeat the purpose of trying to stop people from having to be annoyed by spam? With your request, a person will get a message (that they can filter) that tells them of quarantined spam, which seems just as annoying as getting the spam in the first place. Basically, you want to substitute spam for might-be-spam-but-you-have-to-open-this-email-to-find-out. > Recipients can filter these into a folder and ignore them 99% of the time If you modify the subject to add {Spam?}, they can filter it anyway. Letting them filter on something in the subject, would save them from having to open the email, read who it is from (which should also be displayed in their "spam" email folder), and then click a link. Must be a VP requesting your "feature." Dustin From marco at MUW.EDU Wed Jan 21 20:29:57 2004 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help In-Reply-To: <400EDBE4.1060806@ucgbook.com> References: <1074716461.400edf2d93daf@webmail.MUW.Edu> <400EDBE4.1060806@ucgbook.com> Message-ID: <1074716997.400ee145b87a4@webmail.MUW.Edu> Quoting Peter Bonivart : > Shouldn't you use your firewall for that? I could, but I know there is a way in Sendmail to do this. Also I have internal servers on site that I do not want to establish smtp connections with my main mail server. 
Marco From mike at CAMAROSS.NET Wed Jan 21 20:23:08 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help In-Reply-To: <1074716997.400ee145b87a4@webmail.MUW.Edu> Message-ID: <200401212021.i0LKLtiG000411@avwall.bladeware.com> You could very easily use iptables or tcpwrappers for this. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid > Sent: Wednesday, January 21, 2004 2:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT:Sendmail Help > > Quoting Peter Bonivart : > > > Shouldn't you use your firewall for that? > > I could, but I know there is a way in Sendmail to do this. > Also I have internal servers on site that I do not want to > establish smtp connections with my main mail server. > > > Marco > From neilrobst at ALM.ORG.UK Mon Jan 19 15:49:02 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:59 2006 Subject: Tips on Manual Bayes Training? In-Reply-To: References: Message-ID: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Hi Nathan, My users use the Courier IMAP mailserver with Outlook and Outlook 2000. Both clients are able to make use of shared-folders you can setup in Courier IMAP. Thus, with this mechanism you can create a shared SPAM folder for users to manually copy un-marked SPAM into... Regards, Neil On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > Quick question for those of you with well-trained bayes databases. > > I'm planning to set up some spam traps. Question: Is there any advantage > to learning messages already marked as spam by SpamAssassin? > Logistically, it makes sense only to feed false negatives and false > positives. > > For the time being, I'm planning on using MailScanner's "Non Spam > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > sales@, etc.) to a spamtrap mailbox. 
I'll verify all messages as false > negatives and then learn them into the bayes database. This is an > attempt to offset some of the poisoning that's been affecting us lately. > This doesn't take ham into account, but then I haven't had a lot of > problems with false positives. > > Any suggestions or alternative methods? > > I like the idea of end users redirecting spam to the appropriate > spam/ham mailboxes, but the majority of them are using Outlook or > Outlook Express and don't have any way to do this. > > Nathan From prandal at HEREFORDSHIRE.GOV.UK Mon Jan 19 16:03:20 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:59 2006 Subject: Adding these .cf's Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44F@jessica.herefordshire.gov.uk> I would say yes, at first look they'll block legit email too. You're better sticking with Chris Santerre's bigevil.cf, IMHO. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Howard > Sent: 19 January 2004 15:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Adding these .cf's > > > Also, does anyone have any comments on running: > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > or the http://www.stearns.org/sa-blacklist/sa-blacklist.2004011601.cf > > Any problems in adding these lists? > From neilrobst at ALM.ORG.UK Mon Jan 19 16:19:51 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:21:59 2006 Subject: [OT] IMAP servers (was Re: Tips on Manual Bayes Training?) In-Reply-To: <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net> References: <1074527341.9605.115.camel@dyn-9-173-7-53.leeds.uk.ibm.com> <000f01c3dea7$c8682900$2105a8c0@pub.morgan.net> Message-ID: <1074529191.9605.132.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Hi Chris, I've used Cyrus, Courier and UW-IMAP. 
At the moment I think my preference is for Courier as, IMHO, it has a good balance of features against ease of setup / use. I specifically wanted one that would integrate best with my LDAP directory. Plus my mail server is a closed box to users so I didn't want their accounts in /etc/passwd, etc... Regards, Neil On Mon, 2004-01-19 at 16:17, Chris wrote: > I am going to install an IMAP server soon, is Courier preferred? I noticed > that some people used Cyrus? is one better than the other? > > ----- Original Message ----- > From: "Neil Robst" > To: > Sent: Monday, January 19, 2004 9:49 AM > Subject: Re: Tips on Manual Bayes Training? > > > > Hi Nathan, > > > > My users use the Courier IMAP mailserver with Outlook and Outlook 2000. > > Both clients are able to make use of shared-folders you can setup in > > Courier IMAP. Thus, with this mechanism you can create a shared SPAM > > folder for users to manually copy un-marked SPAM into... > > > > Regards, > > Neil > > > > On Mon, 2004-01-19 at 15:45, Nathan Johanson wrote: > > > Quick question for those of you with well-trained bayes databases. > > > > > > I'm planning to set up some spam traps. Question: Is there any advantage > > > to learning messages already marked as spam by SpamAssassin? > > > Logistically, it makes sense only to feed false negatives and false > > > positives. > > > > > > For the time being, I'm planning on using MailScanner's "Non Spam > > > Actions" ruleset to forward unmarked spam sent to (postmaster@, info@, > > > sales@, etc.) to a spamtrap mailbox. I'll verify all messages as false > > > negatives and then learn them into the bayes database. This is an > > > attempt to offset some of the poisoning that's been affecting us lately. > > > This doesn't take ham into account, but then I haven't had a lot of > > > problems with false positives. > > > > > > Any suggestions or alternative methods? 
> > > > > > I like the idea of end users redirecting spam to the appropriate > > > spam/ham mailboxes, but the majority of them are using Outlook or > > > Outlook Express and don't have any way to do this. > > > > > > Nathan > > > > From hermit921 at YAHOO.COM Wed Jan 21 20:52:30 2004 From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:21:59 2006 Subject: MailScanner fails to insert headers In-Reply-To: <13893.1074712459@ofb.net> References: <13893.1074712459@ofb.net> Message-ID: <6.0.0.22.2.20040121124809.01d5db68@pop.mail.yahoo.com> I have a few cases lately where messages go through our MailScanner 4.23 setup (with postfix). I can see their entries in maillog. They don't get either the virus header or spam header that messages normally get. The messages I have in hand are very short, with only an email address in the body -- assuming the users managed to forward the entire email. Any ideas why this would happen? hermit921 From mailscanner at ecs.soton.ac.uk Wed Jan 21 21:24:56 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:59 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200401212124.i0LLOuqr012440@seer.ecs.soton.ac.uk> New Guestbook-Entry from Christian Campbell We are currently running MailScanner in conjunction with Spamassassin, Clam-AV and F-Prot. I'm not currently using Bayes.



Our organization wasn't prepared to spend the $10,000+ dollars on a spam filtration system. However, a peer at a different company has a fancy $15K system, and it doesn't catch the spam that I do with MS/SA.

We are currently using it as our Mail Gateway which then forwards to an Exchange 5.5 server and a Domino R5 server.

We process approximately 160K messages per month for ~600 mailboxes on a 1U Dell 1550 single processor (900mhz) with 500MB RAM.

This is a great product. We couldn't be happier.

Christian Campbell
Systems Engineer
Bruegger's Enterprises
Burlington, Vermont USA From campbell at CNPAPERS.COM Wed Jan 21 21:23:06 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help References: <1074716461.400edf2d93daf@webmail.MUW.Edu> <400EDBE4.1060806@ucgbook.com> <1074716997.400ee145b87a4@webmail.MUW.Edu> Message-ID: <002f01c3e064$c2cef3c0$4501a8c0@cnpapers.net> It sounds to me that you are risking a little security here by letting spam bypass a server to be blocked by another. My sendmail server has enough to do, so I try and block everything at the firewall. If I'm not mistaken, and you are running RedHat on these inside servers, I believe sendmail is installed by default unless you say not, and these can be their own MTA without using the gateway. You only need to allow outbound SMTP through your firewall for this and block inbound SMTP (as long as the return address is located on your mail server). I think this would work and perhaps save you a lot of grief. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Marco Obaid" To: Sent: Wednesday, January 21, 2004 3:29 PM Subject: Re: OT:Sendmail Help > Quoting Peter Bonivart : > > > Shouldn't you use your firewall for that? > > I could, but I know there is a way in Sendmail to do this. > Also I have internal servers on site that I do not want to establish > smtp connections with my main mail server. > > > Marco From rherban at HYPERVINE.NET Mon Jan 19 17:22:15 2004 From: rherban at HYPERVINE.NET (No Name) Date: Thu Jan 12 21:21:59 2006 Subject: CF RULES Message-ID: I personally use BigEvil, Tripwire, Popcorn/Backhair/Weeds and Chickenpox and haven't had any problems with FP's. 
However - as I have a reasonably well trained bayes database, I modify the low-end and high-end bayes scores just to be on the safe side:

score BAYES_00 -15.0
score BAYES_01 -5.0
score BAYES_90 5.0
score BAYES_99 15.0

As I did this quite some time ago - the recently misused HABEAS_SWE headers didn't affect me at all:

SpamAssassin Score: 44.16
Spam Report:
Score   Matching Rule            Description
15.00   BAYES_99                 Bayesian spam probability is 99 to 100%
 0.10   BIZ_TLD                  Contains a URL in the BIZ top-level domain
 3.00   BigEvilList_131          Generated BigEvilList_131
 0.75   DATE_IN_PAST_12_24       Date: is 12 to 24 hours before Received: date
-8.00   HABEAS_SWE               Has Habeas warrant mark (http://www.habeas.com/)
 0.10   HTML_50_60               Message is 50% to 60% HTML
 0.10   HTML_MESSAGE             HTML HTML included in message
17.00   J_BACKHAIR_XX            (Matched 17x BACKHAIR rules - snipped)
 1.20   J_CHICKENPOX_XX          (Matched 2x CHICKENPOX rules - snipped)
 0.32   MIME_HTML_ONLY           Message only has text/html MIME parts
 1.10   MIME_HTML_ONLY_MULTI     Multipart message only has text/html MIME parts
 3.51   PYZOR_CHECK              Listed in Pyzor (http://pyzor.sf.net/)
 1.10   RAZOR2_CF_RANGE_51_100   Razor2 gives confidence between 51 and 100
 1.05   RAZOR2_CHECK             Listed in Razor2 (http://razor.sf.net/)
 1.50   RCVD_IN_BL_SPAMCOP_NET   Received via a relay in bl.spamcop.net
 5.00   RCVD_IN_CBL              Received via a relay in cbl.abuseat.org
 0.10   RCVD_IN_RFCI             Sent via a relay in ipwhois.rfc-ignorant.org
 1.23   WHY_WAIT                 What are you waiting for

Seems to work well for me as long as I make sure that the bayes database is well fed... Cheers, Steve. -----Original Message----- From: Michele Neylon :: Blacknight Solutions [mailto:michele@BLACKNIGHTSOLUTIONS.COM] Sent: 19 January 2004 11:12 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: CF RULES How effective is this? My main concern with implementing extra rules is the risk of generating false positives.. Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. 
+ 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 19 January 2004 10:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CF RULES > > > I'd recommend the tripwire rule from Chris Santerre's page to hit > these: > > http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Howard > > Sent: 19 January 2004 03:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: CF RULES > > > > > > I've got the following running fine and was wondering if anyone had > > any comments if I should be running more or less: > > > > -rw-r--r-- 1 root root 6051 Jan 15 13:34 backhair.cf > > -rw-r--r-- 1 root root 68703 Jan 17 22:56 bigevil.cf > > -rw-r--r-- 1 root root 22814 Jan 17 09:18 chickenpox.cf > > -rw-r--r-- 1 root root 302 Jan 16 17:37 local.cf > > -rw-r--r-- 1 root root 5589 Jan 15 13:36 popcorn.cf > > -rw-r--r-- 1 root root 13914 Jan 18 22:03 uri.cf > > > > Also, does anyone have any comments on running: > > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf > > > > Lastly, I get a bunch of these text body mails: > > > > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu > > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon loxkx > > qzderwd camnjcwr > > vxexbqasb, rdtgq zldvrcrh fctzx rarsf. > > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd > > fxsowmz kevki ffnznyor cczmfwv > > swktch qfttob herbri chzddvvpq- ipaceshqg > > > > What filter would take care of this? 
> > > > Thanks > > > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ugob at CAMO-ROUTE.COM Wed Jan 21 21:35:25 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <54C38A0B814C8E438EF73FC76F3629274107E2@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Wednesday, January 21, 2004 12:10 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > > At 17:01 21/01/2004, you wrote: > > > -----Original Message----- > > > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > > > Sent: Wednesday, January 21, 2004 11:58 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: feature request - FW: Just the notification for spam? > > > > > > > > > No one responded with any suggestions for how to > accomplish this in > > > mailscanner, so I'm assuming it's not yet possible. > > > >I've suggested that already, but it has been taken by MailWatch > >instead. However, I don't know about the development, but > Steve from > >MailWatch said that he would try to release a new version next > >week. Maybe ask on the mailwatch list... > > Had forgotten about this. Is implementation in MailWatch > okay? (saves me > duplicating effort). I can't tell, I didn't have time to check yet. Ugo > > > >Hth > > > >Ugo > > > > > > > > So I'm hoping this will be considered as a feature request. 
:-) > > > > > > New feature requested: > > > A new "action", recipientnotify, that causes a notification > > > message to be > > > sent to the recipient instead of the original message. The > > > message file > > > would need to support the common variable interpolations - > > > $report, $from, > > > $subject, $localposter, etc. > > > > > > And the way I'd envision using this new feature: > > > In MailScanner.conf: > > > Spam Actions = store recipientnotify > > > > > > Then, the message sent to the recipient would look something like: > > > > > > > > > ------ Begin recipient message ------ > > > Our mail filtering system has blocked a message sent to you > > > from: > > >

$from

> > > > > > ...with a subject of: > > >

$subject

> > > > > > If you believe this to be a valid message, please click > > > here. > > > > > > The original message will be stored for 7 days. > > > ------ End recipient message ------ > > > > > > > > > The linked web page would allow the user to take whatever > > > actions are appropriate for the site - ie sa-learn, release > > > from quarantine, whitelist, whatever. > > > > > > This approach circumvents the need for any user-based > authentication > > > and allows for a *very* simple user interface to quarantined mail. > > > > > > -----Original Message----- > > > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > > > Sent: Tuesday, January 20, 2004 12:46 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Just the notification for spam? > > > > > > > > > Is it still Monday? I'm drawing a blank on how to do > > > something. (How) can > > > I configure MS to deliver a notification to the recipient > > > that a message was > > > quarantined, without actually delivering the message, not > even as an > > > attachment? > > > > > > I've been asked to send recipients a message that basically > > > says "We blocked > > > a message we think is spam, from Bob, with subject Foo - > > > click here if you > > > think the message wasn't spam." But the options I have in > > > the config don't > > > seem to allow for that particular set-up. Can MS do that? > > > > > > I don't want to deliver the original message at all, but I > > > still want to > > > notify the sender that a message was blocked. Recipients can > > > filter these > > > into a folder and ignore them 99% of the time, but on those > > > occasions when > > > they're expecting a message that doesn't come in, they'd be > > > able to open the > > > spam folder and search for the sender of the missing message, > > > then click a > > > link to release the message. 
> > > > > > -- > > > Trever > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From james at grayonline.id.au Wed Jan 21 21:35:51 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:59 2006 Subject: Strange SpamAssassin upgrade failure In-Reply-To: <200401211944.16521.james@grayonline.id.au> References: <200401211944.16521.james@grayonline.id.au> Message-ID: <200401220835.51820.james@grayonline.id.au> On Wed, 21 Jan 2004 07:44 pm, James Gray wrote: > Hi All, > > I had a strange one today. I upgraded from SA 2.61 to 2.63 using the > source tar ball from au.spamassassin.org. I did the usual "configure, > make, make test, make install" then restarted MailScanner. > > Here lies the problem. MailScanner restarted happily, SpamAssassin was > scanning happily but SA was ONLY using my custom rules in > /etc/mail/spamassassin! All the standard rules in > /usr/local/spamassassin were being ignored. I checked the permissions of > the files in > /usr/share/spamassassin and they were all "644 root:root", the > /usr/share/spamassassin directory was 755. OK - poor form replying to your own question but I thought I'd post the solution in case anyone has a similar problem in future. Beware of the build prefix during the configure stage! SA 2.61 had /usr as the installation prefix but I compiled 2.63 with /usr/local to comply with our internal standards. The result was that MailScanner was using the 2.63 SA engine but was being told to use the (older) /usr/share/spamassassin default rules from 2.61. BZZZZT! Wrong!! SpamAssassin's rules are version-specific. You can't use SA version X.Y default rules with anything other than SA X.Y. So a little tweak of the MailScanner.conf file to tell it that SpamAssassin is scattered through the /usr/local branch (ie, default rules in /usr/local/share/spamassassin), and it was all fixed. 
I also created a symbolic link: /usr/bin/spamassassin -> /usr/local/bin/spamassassin (rinse and repeat for spamd and spamc) This way the new version in the /usr/local tree will be used when linting the rules etc (I could have edited the $PATH but that would break other things, so symlink it is). James -- Fortune cookies says: On a clear disk you can seek forever. -- P. Denning From rzewnickie at RFA.ORG Wed Jan 21 21:37:41 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:21:59 2006 Subject: Sa-learn and MailScanner Subject Modification In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int> Message-ID: <20040121213741.GA14742@rfa.org> Julian, Do you have any comments on the discussion in that FAQ regarding the added/modified headers resulting from forwarded false-positives and false-negatives? As I read your FAQ entry and the script included you don't alter the messages sent to your spam/notspam accounts. Does this mean that you are not concerned about the added headers? or are all your clients using imap, and therefore copying the original message to spam/notspam imap folders rather than forwarding? Thanks, Eric Rz. On Tue, Jan 20, 2004 at 03:25:16PM -0500, Furnish, Trever G wrote: > Check the FAQ: > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html > > -- > Trever > > > -----Original Message----- > > From: Errol Neal [mailto:sysadmins@ENHTECH.COM] > > Sent: Tuesday, January 20, 2004 3:11 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sa-learn and MailScanner Subject Modification > > > > > > At 01:26 PM 1/20/2004, Julian Field wrote: > > >If you use a script to auto-learn a mailbox at one go (I > > have published > > >mine here several times), then you could easily use sed to remove the > > >subject tag before feeding the file to sa-learn. > > > > Julian, > > > > Do you mind re-posting your script? > > > > Thanks. 
> > > > Errol Neal > > > > > > Errol U. Neal Jr., Systems Administrator > > Enhanced Technologies, Inc. - The Business Grade Hosting Specialists > > http://www.enhtech.com > > 703-924-0301 or 800-368-3249 > > 703-997-0839 Fax > > From ugob at CAMO-ROUTE.COM Wed Jan 21 21:37:35 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <54C38A0B814C8E438EF73FC76F3629274107E3@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Peter Bonivart [mailto:peter@UCGBOOK.COM] > Sent: Wednesday, January 21, 2004 1:15 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > > Furnish, Trever G wrote: > > No one responded with any suggestions for how to accomplish this in > > mailscanner, so I'm assuming it's not yet possible. > > > > So I'm hoping this will be considered as a feature request. :-) > > > > New feature requested: > > A new "action", recipientnotify, that causes a notification > message to be > > sent to the recipient instead of the original message. The > message file > > would need to support the common variable interpolations - > $report, $from, > > $subject, $localposter, etc. > > Wouldn't the attachment action pretty much do what you want? > It sends a > customizable message to the recipient who can choose to open the > attachment...is that too simple? ;-) hmm, a little bit. What we are looking for is to send only a text message, saying that someone received a spam from x@x.com. Since I'm using an Exchange server which receives the mail after MS scans it, it would save bandwidth and disk space on the exchange server. And I find it more convenient. We went even further with an idea of a daily diary. > > I might be completely wrong of course.
:-) > > -- > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > From mailscanner at ecs.soton.ac.uk Wed Jan 21 21:50:24 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: Sa-learn and MailScanner Subject Modification In-Reply-To: <20040121213741.GA14742@rfa.org> References: <8FFC76593085ED4A80D3601BC41EFCDF02A60802@inex1.herffjones.hj-int> <20040121213741.GA14742@rfa.org> Message-ID: <6.0.1.1.2.20040121214937.04491008@imap.ecs.soton.ac.uk> It only stands a chance of working with bounced/redirected mail. "Forwarding" won't work as it destroys all the headers completely. At 21:37 21/01/2004, you wrote: >Julian, > >Do you have any comments on the discussion in that FAQ regarding the >added/modified headers resulting from forwarded false-positives and >false-negatives? > >As I read your FAQ entry and the script included you don't alter the >messages sent to your spam/notspam accounts. Does this mean that you are >not concerned about the added headers? or are all your clients using >imap, and therefore copying the original message to spam/notspam imap >folders rather than forwarding? > >Thanks, >Eric Rz. > >On Tue, Jan 20, 2004 at 03:25:16PM -0500, Furnish, Trever G wrote: > > Check the FAQ: > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html > > > > -- > > Trever > > > > > -----Original Message----- > > > From: Errol Neal [mailto:sysadmins@ENHTECH.COM] > > > Sent: Tuesday, January 20, 2004 3:11 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Sa-learn and MailScanner Subject Modification > > > > > > > > > At 01:26 PM 1/20/2004, Julian Field wrote: > > > >If you use a script to auto-learn a mailbox at one go (I > > > have published > > > >mine here several times), then you could easily use sed to remove the > > > >subject tag before feeding the file to sa-learn.
> > > > > > Julian, > > > > > > Do you mind re-posting your script? > > > > > > Thanks. > > > > > > Errol Neal > > > > > > > > > Errol U. Neal Jr., Systems Administrator > > > Enhanced Technologies, Inc. - The Business Grade Hosting Specialists > > > http://www.enhtech.com > > > 703-924-0301 or 800-368-3249 > > > 703-997-0839 Fax > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 21 21:59:00 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: automatic Sophos ide files In-Reply-To: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> Message-ID: <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> The Sophos.install script removes the old ide directory (which is actually only a soft link to the datestamped ide directory). You end up with this:
> cd /usr/local/Sophos/
> ls -l
total 12
drwxr-xr-x 2 root other 1536 Jan 21 21:35 377.200401212135
drwxr-xr-x 2 root root 512 Jan 5 08:50 bin
lrwxrwxrwx 1 root other 34 Jan 21 21:35 ide -> /usr/local/Sophos/377.200401212135
drwxr-xr-x 2 root root 1024 Jan 5 08:50 lib
drwxr-xr-x 10 root root 512 Jan 5 08:50 man
>
If you don't use Sophos.install, then I obviously take no responsibility for what you might end up with :-) At 21:52 21/01/2004, you wrote: >We use the default MailScanner hourly update of Sophos ide files. However, >they seem to accumulate in /usr/local/Sophos/ide indefinitely. I have >been told that when the new Sophos version comes out each month, the >previous ide files are no longer necessary since they are merged into the >Sophos engine. > >Can anyone confirm this? Is it safe to delete ide files more than a month >old at the time I update the Sophos engine?
At least one place on the >Sophos documentation it implies removing the old ide files is necessary. > >hermit921 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.swaney at FSL.COM Wed Jan 21 21:56:14 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:59 2006 Subject: OT:Sendmail Help Message-ID: <20040121215614.609AC21C2D3@mail.fsl.com> Couldn't you use a sendmail access map to only accept mail from the gateway: RELAY Remove the other unwanted RELAY entries from the access map See: http://www.sendmail.org/m4/anti_spam.html#access_db ----- Original Message ----- From: "Marco Obaid" To: Sent: Wednesday, January 21, 2004 3:29 PM Subject: Re: OT:Sendmail Help > Quoting Peter Bonivart : > > > Shouldn't you use your firewall for that? > > I could, but I know there is a way in Sendmail to do this. > Also I have internal servers on site that I do not want to establish > smtp connections with my main mail server. > > > Marco Stephen Swaney President Fortress Systems Ltd. Phone: 202 338-1670 Fax: 202 448-2969 Steve.Swaney@FSL.com From TGFurnish at HERFF-JONES.COM Wed Jan 21 22:03:01 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733624@inex1.herffjones.hj-int> > -----Original Message----- > From: Peter Bonivart [mailto:peter@UCGBOOK.COM] > Sent: Wednesday, January 21, 2004 1:15 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > Wouldn't the attachment action pretty much do what you want? > It sends a > customizable message to the recipient who can choose to open the > attachment...is that too simple? ;-) > > I might be completely wrong of course. 
:-) Nope, it doesn't, because: 1. There's the additional bandwidth being wasted to deliver all those attachments. 2. I have no record of whether the user decided to open the message. 3. It doesn't facilitate marking the message as ham or several other nice features that are enabled by being able to deal with the message in its unaltered state. A bit more info: I already have MailWatch set up and like it very much - in fact I've customized the authentication and submitted a few itty bitty tiny teeny bits to Steve that have been since included. And I'm closely following his current work, but management's asked that users not be 1) required to authenticate or 2) have to go check a web page to find out whether a message was blocked or 3) be presented with any interface they're likely to ask questions about. Being able to send a custom notification to the user without actually sending the original message would neatly circumvent any need for user authentication - if you get the notification, you're authenticated. It would mean a user wouldn't need to go to a web page to see if a message was blocked - just look at the folder you filter your spam messages into and see if it's there. And the interface would be much simpler than MailWatch's just because it would only be presenting information related to one message at a time - and probably would have only a few buttons and a few lines of text, in my case. From hermit921 at YAHOO.COM Wed Jan 21 22:06:46 2004 From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:21:59 2006 Subject: automatic Sophos ide files In-Reply-To: <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.2.20040121140439.01c543a8@pop.mail.yahoo.com> I have ide files from early December after I used Sophos.install yesterday to install this week's Sophos engine. 
I guess Sophos must still be supplying old ide files for fresh downloads. As long as I understand what is going on.... hermit921 At 01:59 PM 1/21/2004, Julian Field wrote: >The Sophos.install script removes the old ide directory (which is actually >only a soft link to the datestamped ide directory). > >You end up with this: > > > cd /usr/local/Sophos/ > > ls -l >total 12 >drwxr-xr-x 2 root other 1536 Jan 21 21:35 377.200401212135 >drwxr-xr-x 2 root root 512 Jan 5 08:50 bin >lrwxrwxrwx 1 root other 34 Jan 21 21:35 ide -> >/usr/local/Sophos/377.200401212135 >drwxr-xr-x 2 root root 1024 Jan 5 08:50 lib >drwxr-xr-x 10 root root 512 Jan 5 08:50 man > > > >If you don't use Sophos.install, then I obviously take no responsibility >for what you might end up with :-) > >At 21:52 21/01/2004, you wrote: >>We use the default MailScanner hourly update of Sophos ide files. However, >>they seem to accumulate in /usr/local/Sophos/ide indefinitely. I have >>been told that when the new Sophos version comes out each month, the >>previous ide files are no longer necessary since they are merged into the >>Sophos engine. >> >>Can anyone confirm this? Is it safe to delete ide files more than a month >>old at the time I update the Sophos engine? At least one place on the >>Sophos documentation it implies removing the old ide files is necessary. >> >>hermit921 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hermit921 at YAHOO.COM Wed Jan 21 21:52:51 2004 From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:21:59 2006 Subject: automatic Sophos ide files In-Reply-To: References: Message-ID: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> We use the default MailScanner hourly update of Sophos ide files. However, they seem to accumulate in /usr/local/Sophos/ide indefinitely.
I have been told that when the new Sophos version comes out each month, the previous ide files are no longer necessary since they are merged into the Sophos engine. Can anyone confirm this? Is it safe to delete ide files more than a month old at the time I update the Sophos engine? At least one place on the Sophos documentation it implies removing the old ide files is necessary. hermit921 From rzewnickie at RFA.ORG Wed Jan 21 22:11:01 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:21:59 2006 Subject: Managing MailScanner on multiple hosts In-Reply-To: References: <1074701751.9609.84.camel@dyn-9-173-7-53.leeds.uk.ibm.com> Message-ID: <20040121221101.GB14742@rfa.org> We use a single syslog server as well and I've been looking for a way to parse the logs to get mail statistics. I don't need to produce charts and graphs. Text only output would be preferable so as not to require apache or mysql on the log server. If you could post your scripts for parsing that would be helpful, although I see from your next post that you are not using postfix. Has anyone else created some log parsing scripts with text only output that work with postfix? Thanks, Eric Rz. On Wed, Jan 21, 2004 at 07:22:34PM +0100, Raymond Dijkxhoorn wrote: > Hi! > > > Also, most syslog daemons have the ability to log to a central host > > which is indeed what I'm doing currently. Take a look at the man page > > for it. > > And we have written some scripts to parse those logs and make graphs and > txt output from those. If people are interested I could post some sample > pages so you can have a look what it currently outputs... > > Bye, > Raymond. From TGFurnish at HERFF-JONES.COM Wed Jan 21 22:15:10 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733625@inex1.herffjones.hj-int> > -----Original Message----- > From: Dustin Baer [mailto:dustin.baer@IHS.COM] > Sent: Wednesday, January 21, 2004 3:08 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > Doesn't this defeat the purpose of trying to stop people from > having to > be annoyed by spam? With your request, a person will get a message > (that they can filter) that tells them of quarantined spam, > which seems > just as annoying as getting the spam in the first place. > Basically, you > want to substitute spam for > might-be-spam-but-you-have-to-open-this-email-to-find-out. Uh, no - spam already gets filtered by users into folders. But I still deliver the entire message, at considerable bandwidth cost - I don't want to keep delivering the message, but I presently don't have a suitable method of allowing users to release their own messages, nor of having them train the system. Mailwatch plus spam-training mailboxes is a useful set-up (and that's done), but as good for my situation as what I'm requesting. And spam-training mailboxes still require the message to be sent over the wire again, further wasting bandwidth. > > > Recipients can filter these into a folder and ignore them > 99% of the time > > If you modify the subject to add {Spam?}, they can filter it anyway. Already done, but again that does not address the waste of bandwidth, nor the need to train SA. > Letting them filter on something in the subject, would save them from > having to open the email, read who it is from (which should also be > displayed in their "spam" email folder), and then click a link.
Having to check your spam folder for a message you've been waiting on is a tremendous improvement over having to contact a helpdesk to ask them whether the message was blocked and is a smaller, but still significant improvement over having to log into a web page, search for a blocked message, open the blocked message detail report, then check some boxes to release the message. From the helpdesk standpoint, bayesian training will be much more effective if it does NOT involve a user forwarding a message and will be much more practical if they don't have to do the release/train/whitelist on behalf of the user. And yes, from a VP standpoint, anything that involves asking a large userbase spread over an entire continent to remember one more username/password combo *does* justify at least some pushback towards the techie asking you to ok it. > Must be a VP requesting your "feature." In this case, IMO, that's not important because it's still a useful feature. :-) From mkipness at GENIANT.COM Mon Jan 19 19:13:32 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:21:59 2006 Subject: SpamAssassin score missing? Message-ID: <399D85F2BB50BC4295F78EAE203D5C220604D9@dalsxc01.geniant.net> > > > > I've been getting a lot of messages (spam) this morning > that have no > > spam score. Some messages when looking the headers this > morning do have: > > > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, > required > > 8, HTML_80_90 0.50) > > > > But some just have: > > > > X-MailScanner-SpamCheck: > > > > With nothing after the colon. Does this mean SpamAssassin > is timing out? > > I see no indication of any problem in the mail logs. > > > > How can I fix? > > > > Thanks, > > Max > > > Do you have a ruleset for your "Spam Checks" in > MailScanner.conf? When I have "no" in my ruleset, there is > nothing after the colon. Timeout should say "not spam, > SpamAssassin (timed out)" Thanks, based on your answer I was able to track down the problem.
I do have a ruleset for Spam Checks. And I had "no" configured for domain1. However my email address is under domain2. Somehow all the spam was being emailed to an address mail@domain1.com and also being sent to me (not sure why yet). Evidently because domain1 was set not to check for spam, it over-rode the fact that domain2 should check for spam. Max From TGFurnish at HERFF-JONES.COM Wed Jan 21 22:28:53 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733626@inex1.herffjones.hj-int> > -----Original Message----- > From: Ugo Bellavance [mailto:ugob@CAMO-ROUTE.COM] > Sent: Wednesday, January 21, 2004 4:38 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > hmm, a little bit. What we are looking for is to send only a > text message, saying that someone received a spam from > x@x.com. Since I'm using an Exchange server which receives > the mail after MS scans it, it would save bandwidth and disk > space on the exchange server. And I find it more convenient. > > We went even further with an idea of a daily diary. You mean a report each day that tells the user what messages were blocked and provides them with links to log into MailWatch? I'd thought about doing that too, but I don't think my users will be willing or even able to wait for the daily report. Although I'm still fond of telling people silly enough to come stomping up to me about a missing email that "it's not uncommon for email messages to be delayed several days", very few of them buy it. :-) One could watch the mailwatch mailscanner table and send alerts immediately based on that, but I'm not sure whether mysql supports database triggers. Steve's posted recently about moving to postgres instead, which I *think* supports triggers...
But it seems a *lot* cleaner to just add this functionality to mailscanner as an action. I would think this would be pretty straightforward to code into MS - just duplicate the code for the "deliver attach" actions, but leave off the attachment if the action is "notifyrecipient". Then my action lines would read "store notifyrecipient". ...but I've only barely looked at the mailscanner code, so I could be very wrong... -- Trever From raymond at PROLOCATION.NET Wed Jan 21 22:28:38 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:59 2006 Subject: Managing MailScanner on multiple hosts In-Reply-To: <20040121221101.GB14742@rfa.org> Message-ID: Hi! > I don't need to produce charts and graphs. Text only output would be > preferable so as not to require apache or mysql on the log server. If > you could post your scripts for parsing that would be helpful, although > I see from your next post that you are not using postfix. Yes, Exim and Sendmail only currently. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Wed Jan 21 22:19:19 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF03733624@inex1.herffjones. hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF03733624@inex1.herffjones.hj-int> Message-ID: <6.0.1.1.2.20040121221850.044b8b18@imap.ecs.soton.ac.uk> So the summary of all this is "Yes, I would like it in MailScanner". Correct? At 22:03 21/01/2004, you wrote: > > -----Original Message----- > > From: Peter Bonivart [mailto:peter@UCGBOOK.COM] > > Sent: Wednesday, January 21, 2004 1:15 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: feature request - FW: Just the notification for spam? > > > > Wouldn't the attachment action pretty much do what you want? > > It sends a > > customizable message to the recipient who can choose to open the > > attachment...is that too simple? 
;-) > > > > I might be completely wrong of course. :-) > >Nope, it doesn't, because: > >1. There's the additional bandwidth being wasted to deliver all those >attachments. > >2. I have no record of whether the user decided to open the message. > >3. It doesn't facilitate marking the message as ham or several other nice >features that are enabled by being able to deal with the message in its >unaltered state. > > >A bit more info: I already have MailWatch set up and like it very much - in >fact I've customized the authentication and submitted a few itty bitty tiny >teeny bits to Steve that have been since included. And I'm closely >following his current work, but management's asked that users not be 1) >required to authenticate or 2) have to go check a web page to find out >whether a message was blocked or 3) be presented with any interface they're >likely to ask questions about. > >Being able to send a custom notification to the user without actually >sending the original message would neatly circumvent any need for user >authentication - if you get the notification, you're authenticated. > >It would mean a user wouldn't need to go to a web page to see if a message >was blocked - just look at the folder you filter your spam messages into and >see if it's there. > >And the interface would be much simpler than MailWatch's just because it >would only be presenting information related to one message at a time - and >probably would have only a few buttons and a few lines of text, in my case. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 21 22:21:28 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: automatic Sophos ide files In-Reply-To: <6.0.0.22.2.20040121140439.01c543a8@pop.mail.yahoo.com> References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> <6.0.0.22.2.20040121140439.01c543a8@pop.mail.yahoo.com> Message-ID: <6.0.1.1.2.20040121222050.040e0008@imap.ecs.soton.ac.uk> I have Sophos 3.77 installed and the oldest IDE is zana-a.ide from Dec 9th. At 22:06 21/01/2004, you wrote: >I have ide files from early December after I used Sophos.install yesterday >to install this week's Sophos engine. I guess Sophos must still be >supplying old ide files for fresh downloads. > >As long as I understand what is going on.... > >hermit921 > >At 01:59 PM 1/21/2004, Julian Field wrote: >>The Sophos.install script removes the old ide directory (which is actually >>only a soft link to the datestamped ide directory). >> >>You end up with this: >> >> > cd /usr/local/Sophos/ >> > ls -l >>total 12 >>drwxr-xr-x 2 root other 1536 Jan 21 21:35 377.200401212135 >>drwxr-xr-x 2 root root 512 Jan 5 08:50 bin >>lrwxrwxrwx 1 root other 34 Jan 21 21:35 ide -> >>/usr/local/Sophos/377.200401212135 >>drwxr-xr-x 2 root root 1024 Jan 5 08:50 lib >>drwxr-xr-x 10 root root 512 Jan 5 08:50 man >> > >> >>If you don't use Sophos.install, then I obviously take no responsibility >>for what you might end up with :-) >> >>At 21:52 21/01/2004, you wrote: >>>We use the default MailScanner hourly update of Sophos ide files. However, >>>they seem to accumulate in /usr/local/Sophos/ide indefinitely. 
I have >>>been told that when the new Sophos version comes out each month, the >>>previous ide files are no longer necessary since they are merged into the >>>Sophos engine. >>> >>>Can anyone confirm this? Is it safe to delete ide files more than a month >>>old at the time I update the Sophos engine? At least one place on the >>>Sophos documentation it implies removing the old ide files is necessary. >>> >>>hermit921 >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 21 22:34:18 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF03733626@inex1.herffjones. hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF03733626@inex1.herffjones.hj-int> Message-ID: <6.0.1.1.2.20040121223333.04491908@imap.ecs.soton.ac.uk> At 22:28 21/01/2004, you wrote: >I would think this would be pretty straightforward to code into MS - just >duplicate the code for the "deliver attach" actions, but leave off the >attachment if the action is "notifyrecipient". Then my action lines would >read "store notifyrecipient". > >...but I've only barely looked at the mailscanner code, so I could be very >wrong... Let _me_ worry about that bit...
:-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Jan 21 22:27:00 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F55@eqmail1.efni.vpn> > So the summary of all this is > "Yes, I would like it in MailScanner". > Correct? I'd like to see this feature implemented in Mailscanner. Not everyone runs MailWatch ;-) Thanks Julian. Trever: www.amazon.co.uk, click on Wish List and type in Julian Field. It's the one with Mailscanner listed ;) From raymond at PROLOCATION.NET Wed Jan 21 22:35:54 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones.hj-int> Message-ID: Hi! > > So the summary of all this is > > "Yes, I would like it in MailScanner". > > Correct? > > LOL. :-) > > Yes, please? Where's your wishlist on Amazon again??? Cool, instead of taking away the load we are now letting MS spam the users :) Bye, Raymond. From raymond at PROLOCATION.NET Wed Jan 21 22:33:09 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:59 2006 Subject: File attachment issue In-Reply-To: <400EFD75.6020601@eatathome.com.au> Message-ID: Hi! > Now .doc files are stored and the inline warning to sent to my users. > > How do i specifically allow doc file through to any of my users - we > have plenty (4 layers) of AV and our firewall blocks by type, so i > really want MS to leave the file attachments alone, unless its a virus > or something nasty DEFINITELY, not just the wrong file type. > > How can i urgently rectify this ? 
Change your filename.rules.conf, you can change anything you like there. Bye, Raymond. From pete at eatathome.com.au Wed Jan 21 22:30:13 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:59 2006 Subject: File attachment issue Message-ID: <400EFD75.6020601@eatathome.com.au> Hi, i have never actually changed any of the settings regarding file types, the only change i have made recently was to add bigevil and turn off bayes. Now .doc files are stored and the inline warning to sent to my users. How do i specifically allow doc file through to any of my users - we have plenty (4 layers) of AV and our firewall blocks by type, so i really want MS to leave the file attachments alone, unless its a virus or something nasty DEFINITELY, not just the wrong file type. How can i urgently rectify this ? Thanks Pete From TGFurnish at HERFF-JONES.COM Wed Jan 21 22:31:54 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60818@inex1.herffjones.hj-int> D'OH!!! I wrote: > system. Mailwatch plus spam-training mailboxes is a useful > set-up (and > that's done), but as good for my situation as what I'm > requesting. Hopefully it was obvious that what I meant to say was "but NOT as good for my situation..." :-) From TGFurnish at HERFF-JONES.COM Wed Jan 21 22:33:10 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones.hj-int> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Wednesday, January 21, 2004 5:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > > So the summary of all this is > "Yes, I would like it in MailScanner". > Correct? LOL. 
:-) Yes, please? Where's your wishlist on Amazon again??? -- Trever From mailscanner at ecs.soton.ac.uk Wed Jan 21 22:47:08 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones. hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones.hj-int> Message-ID: <6.0.1.1.2.20040121223728.040ea850@imap.ecs.soton.ac.uk> At 22:33 21/01/2004, you wrote: > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Wednesday, January 21, 2004 5:19 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: feature request - FW: Just the notification for spam? > > > > > > So the summary of all this is > > "Yes, I would like it in MailScanner". > > Correct? > >LOL. :-) > >Yes, please? Where's your wishlist on Amazon again??? www.amazon.co.uk. In the wish lists, search for Julian Field in Southampton. Thank you in advance! It will take me a while to write and test, and things are pretty busy at work at the moment (I'm getting involved in the technical admin of a project with *57* participating institutions, and they need an entire finance system in a hurry!) I'll get to it as soon as I can. I intend the "notify" action to send a plain-text email to all the recipients of the message, telling them that the message was detected as spam and so has not been delivered. My version of the message won't be able to tell them much of any use, apart from including an example of each of the variables you can use in it. I'll leave the customisation to you.
I probably won't allow it as a non-spam action, as that would be pretty daft and the message will confuse your users :-) Any other requests or things I have forgotten, let me know (preferably before I implement it ;) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From sysadmins at ENHTECH.COM Wed Jan 21 22:54:52 2004 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:59 2006 Subject: Your MailScanner stats In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com> References: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com> Message-ID: <6.0.0.22.0.20040121175418.02fc0f90@mail.enhtech.com> At 09:02 PM 1/20/2004, Vicchiullo, Rob wrote: >Just wondering if people wouldn't mind sharing some stats of their box >and how MailScanner runs. > >Like CPU, Memory, OS, Major MailScanner config options and how many >emails you can handle in an hour. Try this one.. the link to the mailstats program is on the bottom http://mailscanner.enhtech.com http://mailscanner2.enhtech.com Regards, Errol Neal Errol U. Neal Jr., Systems Administrator Enhanced Technologies, Inc. - The Business Grade Hosting Specialists http://www.enhtech.com 703-924-0301 or 800-368-3249 703-997-0839 Fax From shrek-m at GMX.DE Wed Jan 21 23:01:57 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:21:59 2006 Subject: automatic Sophos ide files In-Reply-To: <6.0.0.22.2.20040121140439.01c543a8@pop.mail.yahoo.com> References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> <6.0.0.22.2.20040121140439.01c543a8@pop.mail.yahoo.com> Message-ID: <400F04E5.8040302@gmx.de> hermit921 wrote: > I have ide files from early December after I used Sophos.install > yesterday > to install this week's Sophos engine.
I guess Sophos must still be > supplying old ide files for fresh downloads. > > As long as I understand what is going on.... it is all like expected, what have you done before 24.12. ... / 31.12. / 01.01. ---- Date: Mon, 08 Dec 2003 16:53:14 +0000 (GMT) Message-ID: <1070902394.d038913282020c221effd06f6cb93dbc@dover.sophos.com> MIME-Version: 1.0 Subject: Sophos Anti-Virus IDE alert: W32/Agobot-BD Content-Type: text/plain; charset=us-ascii Name: W32/Agobot-BD Aliases: WORM_AGOBOT.BD Type: Win32 worm Date: 8 December 2003 A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the January 2004 (3.77) release of Sophos Anti-Virus. ---- ---- Date: Tue, 09 Dec 2003 15:11:48 +0000 (GMT) Message-ID: <1070982708.c58bdfc04006ba4d1feb7f575e353d66@dover.sophos.com> MIME-Version: 1.0 Subject: Sophos Anti-Virus IDE alert: Troj/Zana-A Content-Type: text/plain; charset=us-ascii Name: Troj/Zana-A Type: Trojan Date: 9 December 2003 A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus. ---- -- shrek-m From TGFurnish at HERFF-JONES.COM Wed Jan 21 23:02:25 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733627@inex1.herffjones.hj-int> > I intend the "notify" action to send a plain-text email to all the > recipients of the message, telling them that the message was > detected as > spam and so has not been delivered. My version of the message > won't be able > to tell them much of any use, apart from including an example > of each of > the variables you can use in it. I'll leave the customisation > to you. 
I > probably won't allow it as a non-spam action, as that would > be pretty daft > and the message will confuse your users :-) > > Any other requests or things I have forgotten, let me know (preferably > before I implement it ;) > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 As much as I hate to say it - I just feel dirty asking for html in email - it would actually be considerably more useful to me if I could have the message content type set to text/html rather than text/plain. Otherwise most mail clients won't properly mark hyperlinks as links and will wrap the link text to the size of the window, leading to copy'n'paste confusion. But I'm sure that'd be a simple change for me to keep applying to updated installs of MS as I go if you just really don't want to contribute to more email in HTML. :-) And thanks for even considering it, btw. -- Trever From mailscanner at ecs.soton.ac.uk Wed Jan 21 23:06:34 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: References: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones.hj-int> Message-ID: <6.0.1.1.2.20040121225555.044ad148@imap.ecs.soton.ac.uk> At 22:35 21/01/2004, you wrote: >Hi! > > > > So the summary of all this is > > > "Yes, I would like it in MailScanner". > > > Correct? > > > > LOL. :-) > > > > Yes, please? Where's your wishlist on Amazon again??? > >Cool, instead of taking away the load we are now letting MS spam the >users :) You don't have to use the feature, I personally doubt many sites will use it. But Trever appears to present a strong case for needing it, and it won't have any impact on the speed or reliability of MailScanner. And I'm prepared to implement it. 
One setup where it might be useful is in schools, where you have a duty of care to protect your users from seeing various of the nastier types of spam. The "attachment" facility is useless here, as the recipients can still see the original message. But you don't want to use "store" as then a teacher has to scan every message for false positives. Instead, I can imagine a system where clicking on a link in the "notify" message would forward a request to a teacher that a child had requested a spam message. It is then up to the teacher to allow/deny the child access to that message. Effectively spam viewing with authorisation from a teacher. I am sure there are other scenarios that might use this. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From TGFurnish at HERFF-JONES.COM Wed Jan 21 23:24:36 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:59 2006 Subject: Managing MailScanner on multiple hosts Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A6081C@inex1.herffjones.hj-int> Not to steal any thunder from FSL, especially since they seem to be working with Steve (Freegard) to include MailWatch as part of their solution, but you can also have multiple mailscanner hosts log to a single mysql database, which is then used by MailWatch. Then you'd only need mysql/apache/php installed on the mysql database system, not the distributed MailScanners. That's only addressing your logging issue though - I suspect FSL (see Julian F's post) will bundle additional features that meet most of your other needs... -t. 
> -----Original Message----- > From: Julian Rawcliffe [mailto:jrawcliffe@LONDON.EDU] > Sent: Wednesday, January 21, 2004 11:06 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Managing MailScanner on multiple hosts > > > I've recently introduced MailScanner, Sophos and SpamAssassin > on a number of Sendmail servers feeding outgoing email and > two iPlanet (or whatever it is now called) Messaging Server > instances. > > Most of the documentation I've read refers to one machine > running MS and delivering to local users; SA seems especially > geared toward this kind of setup. > > Three things concern me: reporting, user preferences and where to go > after the basic service is up and running. > Reporting: Currently my six machines log locally, but I'm looking > at a centralised loghost. I don't especially want MySQL, PHP and > Apache running on all my gateways. Is anyone aware of a reporting > tool that allows logs to be dumped to another server and then > processed; I'm not too bothered about capturing server load and > memory stats, just mail volume, spam and viruses. > User preferences. Whilst SA is doing a great job and has been > beneficial > to most of the user community, there are some that are extremely > irritated by the filtering. None of the users have a home directory on > any of the mail gateways, so ~/.spamassassin/user_prefs is a > non-starter. I had thought about using MySQL for storing prefs with a > PHP script to manage the contents (as described elsewhere). This may > be possible but there are other obstacles. Anyone do anything > different? > Lastly, moving on from a basic install. I know I could hit the mailing > lists and scour them for how to get Bigevil and bayes working without > completely disabling all spam detection, but is there anywhere that > describes how to do this without the lists (not that I am in any way > knocking the sound advice and help found on the lists). 
> > None of the above is a moan about how these tools work - they all > do a fantastic job - it's just an attempt to find out what other > people do when running the scanner across more than one host that > only relays email. > > -- > > Julian Rawcliffe > > London Business School, Sussex Place, Regents Park, London. NW1 4SA > t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 > m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 > mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ > From raymond at PROLOCATION.NET Wed Jan 21 23:26:21 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:59 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <6.0.1.1.2.20040121225555.044ad148@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Cool, instead of taking away the load we are now letting MS spam the > >users :) > You don't have to use the feature, I personally doubt many sites will use > it. But Trever appears to present a strong case for needing it, and it > won't have any impact on the speed or reliability of MailScanner. And I'm > prepared to implement it. Fair enough :) > I am sure there are other scenarios that might use this. Bye, Raymond. From brose at MED.WAYNE.EDU Wed Jan 21 23:47:17 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:21:59 2006 Subject: Mailscanner and whitelist rule Message-ID: Would this be a rule that would work? From: good_user*@bad.domain.com yes I have to let a dumb newsletter thru but I only want that particular From mailscanner at ecs.soton.ac.uk Thu Jan 22 00:01:09 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: Mailscanner and whitelist rule In-Reply-To: References: Message-ID: <6.0.1.1.2.20040122000102.040a2b88@imap.ecs.soton.ac.uk> At 23:47 21/01/2004, you wrote: >Would this be a rule that would work? Yes. 
> From: good_user*@bad.domain.com yes > >I have to let a dumb newsletter thru but I only want that particular > From to bypass SA because the vendor is in cohorts with an ASP that is >also listed as a spammer. The problem is that the from address is >different every month by the appendage of a character code. So one >month it may be good_user_jan@bad.domain.com and then >good_user_feb@bad.domain.com the next month. > >-=B -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From spamtrap71892316634 at ANIME.NET Mon Jan 19 21:23:20 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:21:59 2006 Subject: blocking %00 / %01 exploits with mailscanner? In-Reply-To: <6.0.1.1.2.20040119210754.03d04d20@imap.ecs.soton.ac.uk> Message-ID: On Mon, 19 Jan 2004, Julian Field wrote: > At 20:52 19/01/2004, you wrote: > >Is there a way to get mailscanner to block %00 / %01 uri exploits in the > >body of mails the same way mailscanner can block iframe exploits in the body? > The current best solution is to create a SpamAssassin rule which catches > these and assigns a score of 100. So basically, "no, mailscanner can't do that"? It can block iframe exploits but not URI exploits? -Dan From dbird at SGHMS.AC.UK Thu Jan 22 00:57:17 2004 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:59 2006 Subject: blocking %00 / %01 exploits with mailscanner? In-Reply-To: References: Message-ID: <400F1FED.3060905@sghms.ac.uk> Dan Hollis wrote: >On Mon, 19 Jan 2004, Julian Field wrote: > > >>At 20:52 19/01/2004, you wrote: >> >> >>>Is there a way to get mailscanner to block %00 / %01 uri exploits in the >>>body of mails the same way mailscanner can block iframe exploits in the body? >>> >>> >>The current best solution is to create a SpamAssassin rule which catches >>these and assigns a score of 100. 
>> >> > >So basically, "no, mailscanner can't do that"? It can block iframe >exploits but not URI exploits? > >-Dan > > Dan, your question was answered previously. It is a most definite yes. It is achieved by using the MCP function. This leverages the SpamAssassin 'engine' without the default rule set. You then define rule(s) which you want to match against, and assign score(s) that will cause a block. So in your case, you would enable the MCP function, copy the SA rule "HTTP_ESCAPED_HOST" (as this matches the %00 exploits perfectly), and assign a score that would cause a block. We have been using this method since Julian released the updated fixes for MCP and it works flawlessly... HTH Dan -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikew at CRUCIS.NET Thu Jan 22 03:21:01 2004 From: mikew at CRUCIS.NET (Mike Watson) Date: Thu Jan 12 21:21:59 2006 Subject: MailScanner failing after upgrade to RH9 In-Reply-To: <004301c3e00a$f226cdf0$7801a8c0@imnla499> References: <200401202030.35268.mikew@crucis.net> <004301c3e00a$f226cdf0$7801a8c0@imnla499> Message-ID: <200401212121.01974.mikew@crucis.net> On Wednesday 21 January 2004 4:40 am, Willem Kossen wrote: > ----- Original Message ----- > From: "Mike Watson" > To: > Sent: Wednesday, January 21, 2004 3:30 AM > Subject: MailScanner failing after upgrade to RH9 > > > I had MailScanner 4.23.11 running on my RH 8.0 box. Since RH8.0 isn't > > supported any longer, I finally upgraded to RH9. After the upgrade, I > > added > > > all the errata and security fixes. When I restarted RH9, MailScanner > > failed. > > > Here is what I'm seeing. 
> > > > Starting MailScanner daemons: > > incoming sendmail: [ OK ] > > outgoing sendmail: [ OK ] > > MailScanner: Can't locate MIME/Parser.pm in @INC (@INC > > I think your perl got upgraded from 5.6.1 to 5.8.0 and this means that your > installed perlmodules are in an old 5.6.1 tree. Since @INC is now showing a > 5.8.0 tree, they can't be found. I suggest you reinstall all needed > perlmodules for MailScanner > > Good Luck > > Willem Kossen > You're right. That is exactly what happened. I had to rebuild all the perlmodules. One unusual occurrence. After I had rebuilt all the modules and got a successful install of MailScanner, it took several attempts to get MailScanner started. Four times in a row, MailScanner would start, run a few seconds and stop. No messages in syslog nor maillog other than MS Start followed by MS failure. On the fifth attempt it came up and ran and has continued ever since. Weird!! Mike W -- Registered Linux - 256979 (http://counter.il.org for more information) NRA Life ARS: W0TMW -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From james at grayonline.id.au Thu Jan 22 03:37:02 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:21:59 2006 Subject: MCP - different "inappropriate" mail flag? Message-ID: <200401221437.03049.james@grayonline.id.au> Let me explain. Our company (like most) has an "acceptable use policy" or AUP. This, among many other things, says our e-mail system is for business related purposes only. Over the last 18 months we've been using SpamAssassin, we've accumulated a good stock of "private" mail addresses the users didn't want being flagged as spam. This situation was fine until the emergence of the dreaded AUP in the last 3 months or so. 
Now HR and senior IT Ops people want to know if it's possible to alert users (and naturally form an audit trail) that their mail doesn't comply with the AUP. Basically move all those "private" mail addresses "somewhere" that will add a "X-Foo-Corp-AUP: VIOLATION" header and a subject rewrite to the same effect. I can only think of two ways this "might" be possible: 1. run a separate spamassassin instance (spamd + milter) that ONLY uses the "private" addresses rules and adds the header and modifies the subject etc. 2. Use the MCP filter. The 1st option is ugly and would involve using milter etc, but I figured MailScanner's MCP is an isolated SpamAssassin instance and would be far more elegant. *BUT* can I specify a custom header/subject modifier for messages caught with MCP?? Any other ideas?? James -- Fortune cookies says: In most countries selling harmful things like drugs is punishable. Then howcome people can sell Microsoft software and go unpunished? (By hasku@rost.abo.fi, Hasse Skrifvars) From mailscanner at ecs.soton.ac.uk Thu Jan 22 08:44:24 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:59 2006 Subject: MCP - different "inappropriate" mail flag? In-Reply-To: <200401221437.03049.james@grayonline.id.au> References: <200401221437.03049.james@grayonline.id.au> Message-ID: <6.0.1.1.2.20040122084126.0391d9a0@imap.ecs.soton.ac.uk> At 03:37 22/01/2004, you wrote: >Let me explain. Our company (like most) has an "acceptable use policy" or >AUP. This, among many other things, says our e-mail system is for business >related purposes only. Over the last 18 months we've been using >SpamAssassin, we've accumulated a good stock of "private" mail addresses >the users didn't want being flagged as spam. This situation was fine until >the emergence of the dreaded AUP in the last 3 months or so. 
> >Now HR and senior IT Ops people want to know if it's possible to alert users >(and naturally form an audit trail) that their mail doesn't comply with the >AUP. Basically move all those "private" mail addresses "somewhere" that >will add a "X-Foo-Corp-AUP: VIOLATION" header and a subject rewrite to the >same effect. > >I can only think of two ways this "might" be possible: > >1. run a separate spamassassin instance (spamd + milter) that ONLY uses the >"private" addresses rules and adds the header and modifies the subject etc. > >2. Use the MCP filter. > >The 1st option is ugly and would involve using milter etc, but I figured >MailScanner's MCP is an isolated SpamAssassin instance and would be far >more elegant. *BUT* can I specify a custom header/subject modifier for >messages caught with MCP?? In MailScanner.conf you have MCP Header = X-MailScanner-MCPCheck: (among other things) and in languages.conf you have MCPnotspam = MCP-Clean MCPspam = MCP-Trapped Between them you should be able to do what you want. Set MCP Header = X-Foo-Corp-AUP: and MCPspam = VIOLATION -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From t.d.lee at DURHAM.AC.UK Thu Jan 22 09:58:52 2004 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:22:00 2006 Subject: Bayesian shenanigans (i.e. problems) In-Reply-To: <400CFD69.9010001@solid-state-logic.com> References: <400CFD69.9010001@solid-state-logic.com> Message-ID: On Tue, 20 Jan 2004, Martin Hepworth wrote: > David Lee wrote: > > [...] > > At 2.62, the SA folk seem to have recognised the 2.61 "bayes_toks" > > problem, and instead of "bayes_toks.new" are now using filename patterns > > "bayes_toks.expire$$" (where $$ is the process id). (Do a diff of the > > 2.61 and 2.62 versions of "lib/Mail/SpamAssassin/BayesStore.pm".) > > > > BUT... 
the result is that instead of one huge "bayes_toks.new" file, there > > now seem to be an increasing number of orphaned "bayes_toks.expire$$" > > files. (Given that $$ could typically span all integers up to 30,000, the > > accumulating disk usage results could become 'interesting'...) > > > > I realise such SA details take us somewhat off-topic from strict > > MailScanner. But has anyone here got any experience of this with SA 2.62, > > or monitoring it on SA lists? (Perhaps I need to rejoin an SA list or at > > least ferret through their recent archives...) > > > > Can't say that (1) I've seen this on my server or (2) on the sa-talk list. > > Perhaps you need to get back on the sa-talk list and ask them?? Thanks, Martin. I posted a note on sa-talk a couple of days ago, but had not one reply. But I think we need to come back to MS despite my earlier thought that this SA/bayes thing might be taking us somewhat off-topic. Meanwhile, looking deeper locally, I had seen some things which suggest that the problem may actually be MS's, or at least its use of SA. We (durham.ac.uk) have 3 MX records: two of equal low-value (preferred), and one of higher value (i.e. quasi-backup, our production-test). As far as we know, all are identically configured. But we only see the problem on the two main, busy servers, not on the lightly-loaded background one. In addition (and here's the clincher which pulls us back to MS, or at least MS-triggering): 1. The busy servers, which suffer from this problem, have many "maillog" entries of the form "MailScanner[...]: Delete bayes lockfile for $$" (where "$$" looks like a process number), and have these orphaned files called "bayes_toks.expire$$" (same value "$$"). 2. The backup, quiet server has no such maillog messages, and no such orphaned files. 
So there is clearly something in MS's use of SA on busy machines (in a timeout/locking-like area) that is causing these orphaned files (SA2.62) and presumably the equivalent huge "bayes_toks.new" (SA 2.61)). Thoughts, anyone? How to begin to try to trace this?? -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From martinh at SOLID-STATE-LOGIC.COM Thu Jan 22 10:06:41 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:00 2006 Subject: Bayesian shenanigans (i.e. problems) In-Reply-To: References: <400CFD69.9010001@solid-state-logic.com> Message-ID: <400FA0B1.4030901@solid-state-logic.com> David Lee wrote: > On Tue, 20 Jan 2004, Martin Hepworth wrote: > > >>David Lee wrote: >> >>>[...] >>>At 2.62, the SA folk seem to have recognised the 2.61 "bayes_toks" >>>problem, and instead of "bayes_toks.new" are now using filename patterns >>>"bayes_toks.expire$$" (where $$ is the process id). (Do a diff of the >>>2.61 and 2.62 versions of "lib/Mail/SpamAssassin/BayesStore.pm".) >>> >>>BUT... the result is that instead of one huge "bayes_toks.new" file, there >>>now seem to be an increasing number of orphaned "bayes_toks.expire$$" >>>files. (Given that $$ could typically span all integers up to 30,000, the >>>accumulating disk usage results could become 'interesting'...) >>> >>>I realise such SA details take us somewhat off-topic from strict >>>MailScanner. But has anyone here got any experience of this with SA 2.62, >>>or monitoring it on SA lists? (Perhaps I need to rejoin an SA list or at >>>least ferret through their recent archives...) >>> >> >>Can't say that (1) I've seen this on my server or (2) on the sa-talk list. >> >>Perhaps you need to get back on the sa-talk list and ask them?? > > > Thanks, Martin. I posted a note on sa-talk a couple of days ago, but had > not one reply. 
> > But I think we need to come back to MS despite my earlier thought that > this SA/bayes thing might be taking us somewhat off-topic. > > Meanwhile, looking deeper locally, I had seen some things which suggest > that the problem may actually be MS's, or at least its use of SA. We > (durham.ac.uk) have 3 MX records: two of equal low-value (preferred), and > one of higher value (i.e. quasi-backup, our production-test). As far as > we know, all are identically configured. > > But we only see the problem on the two main, busy servers, not on the > lightly-loaded background one. In addition (and here's the clincher which > pulls us back to MS, or at least MS-triggering): > > 1. The busy servers, which suffer from this problem, have many "maillog" > entries of the form "MailScanner[...]: Delete bayes lockfile for $$" > (where "$$" looks like a process number), and have these orphaned files > called "bayes_toks.expire$$" (same value "$$"). > > 2. The backup, quiet server has no such maillog messages, and no such > orphaned files. > > So there is clearly something in MS's use of SA on busy machines (in a > timeout/locking-like area) that is causing these orphaned files (SA2.62) > and presumably the equivalent huge "bayes_toks.new" (SA 2.61)). > > Thoughts, anyone? How to begin to try to trace this?? David in the MailScanner.conf set the Debug flags for SA and MS (they are within a couple of lines together), and see what you get. Also make sure you've got the DB_FILE perl module installed and also the permissions on the directory holding the bayes DB is fine. What versions of perl are you running and what MTA? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Thu Jan 22 10:23:32 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators Message-ID: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk> For the new "notify" action, I need the translated version of the spam and mcp reports that it can generate. If you could translate these into all your favourite languages, I would be really grateful. If you translate it into a language which you have not been speaking since the age of 1, please point that out so I can sort out multiple translations. Thanks folks! ====================== Here is the MCP report: ====================== From: "MailScanner" <$localpostmaster> To: $to Subject: Banned content stored for review X-MailScanner: generated Our message content detectors have been triggered by a message you received:- From: $from Subject: $subject Date: $date This message has been quarantined for review before delivery. If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators. Your system administrators will need the following information: Server name: $hostname Message id: $id Date code: $datenumber -- MailScanner Email Virus Scanner www.mailscanner.info MailScanner thanks transtec Computers for their support ====================== And here is the spam report: ====================== From: "MailScanner" <$localpostmaster> To: $to Subject: Unsolicited commercial email not delivered X-MailScanner: generated Our UCE (spam) detectors have been triggered by a message you received:- From: $from Subject: $subject Date: $date This message has not been delivered. 
The detectors that were triggered are $spamreport. The message to you has been detected as spam based on either its contents or the mail server which sent the message to us, or both. We do not accept unsolicited commercial (spam) e-mail and actively work to stop it. If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators. Your system administrators will need the following information: Server name: $hostname Message id: $id Date code: $datenumber -- MailScanner Email Virus Scanner www.mailscanner.info MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at LBSLTD.CO.UK Thu Jan 22 11:24:54 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:00 2006 Subject: Bayesian shenanigans (i.e. problems) Message-ID: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> Hi David, I haven't been following this thread closely, so apologies if this has already been covered. Maybe the error is being caused by opportunistic bayes expiry which could take long enough on your system to cause MailScanner to time-out and kill off SA mid-expiry causing your orphaned files?? You could try setting 'bayes_auto_expire 0' in spam.assassin.prefs.conf and then creating nightly cron job to run a script and does an 'sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'. Doing it this was should generate an e-mail from cron if anything goes wrong: e.g. process exceeds ulimits etc. and will give you a starter on the debug. Hope this helps. Kind regards, Steve. -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. 
> -----Original Message----- > From: David Lee [mailto:t.d.lee@DURHAM.AC.UK] > Sent: 22 January 2004 09:59 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Bayesian shenanigans (i.e. problems) > > > On Tue, 20 Jan 2004, Martin Hepworth wrote: > > > David Lee wrote: > > > [...] > > > At 2.62, the SA folk seem to have recognised the 2.61 > "bayes_toks" > > > problem, and instead of "bayes_toks.new" are now using filename > > > patterns "bayes_toks.expire$$" (where $$ is the process > id). (Do a > > > diff of the 2.61 and 2.62 versions of > > > "lib/Mail/SpamAssassin/BayesStore.pm".) > > > > > > BUT... the result is that instead of one huge > "bayes_toks.new" file, > > > there now seem to be an increasing number of orphaned > > > "bayes_toks.expire$$" files. (Given that $$ could typically span > > > all integers up to 30,000, the accumulating disk usage > results could > > > become 'interesting'...) > > > > > > I realise such SA details take us somewhat off-topic from strict > > > MailScanner. But has anyone here got any experience of > this with SA > > > 2.62, or monitoring it on SA lists? (Perhaps I need to > rejoing an > > > SA list or at least ferret through their recent archives...) > > > > > > > Can't say that (1) I've seen this on my server or (2) on > the sa-talk > > list. > > > > Perhaps you need to get back on the sa-talk list and ask them?? > > Thanks, Martin. I posted a note on sa-talk a couple of days > ago, but had not one reply. > > But I think we need to come back to MS despite my earlier > thought that this SA/bayes thing might be taking us somewhat > off-topic. > > Meanwhile, looking deeper locally, I had seen some things > which suggest that the problem may actually be MS's, or at > least its use of SA. We > (durham.ac.uk) have 3 MX records: two of equal low-value > (preferred), and one of higher value (i.e. quasi-backup, our > production-test). As far as we know, all are identically configured. 
> > But we only see the problem on the two main, busy servers, > not on the lightly-loaded background one. In addition (and > here's the clincher which pulls us back to MS, or at least > MS-triggering): > > 1. The busy servers, which suffer from this problem, have > many "maillog" > entries of the form "MailScanner[...]: Delete bayes > lockfile for $$" > (where "$$" looks like a process number), and have these > orphaned files > called "bayes_toks.expire$$" (same value "$$"). > > 2. The backup, quiet server has no such maillog messages, and no such > orphaned files. > > So there is clearly something in MS's use of SA on busy > machines (in a timeout/locking-like area) that is causing > these orphaned files (SA2.62) and presumably the equivalent > huge "bayes_toks.new" (SA 2.61)). > > Thoughts, anyone? How to begin to try to trace this?? > > > -- > > : David Lee I.T. Service : > : Systems Programmer Computer Centre : > : University of Durham : > : http://www.dur.ac.uk/t.d.lee/ South Road : > : Durham : > : Phone: +44 191 334 2752 U.K. : > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ugob at CAMO-ROUTE.COM Thu Jan 22 11:57:43 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators: French Message-ID: <54C38A0B814C8E438EF73FC76F3629273132E1@mtlnt501fs.CAMOROUTE.COM> Here is the french translation. I tried to stick as much as possible to the words used by Julian. However, I could work it out to a version with better french. French is my mother tonge and I live in Quebec, Canada. 

I suggest you put an area at the bottom with the address of the helpdesk, since they might not think of hitting reply, and sometimes the $localpostmaster and helpdesk are different addresses.

Thanks,

Ugo

> -----Message d'origine-----
> De : Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Envoyé : Thursday, January 22, 2004 5:24 AM
> À : MAILSCANNER@JISCMAIL.AC.UK
> Objet : Calling all translators
>
>
> For the new "notify" action, I need the translated version of the spam and
> mcp reports that it can generate. If you could translate these into all
> your favourite languages, I would be really grateful.
>
> If you translate it into a language which you have not been speaking since
> the age of 1, please point that out so I can sort out multiple translations.
>
> Thanks folks!
>
> ======================
> Here is the MCP report:
> ======================
>
> From: "MailScanner" <$localpostmaster>
> To: $to
> Subject: Banned content stored for review
> X-MailScanner: generated
>
> Our message content detectors have been triggered by a
> message you received:-
> From: $from
> Subject: $subject
> Date: $date
> This message has been quarantined for review before delivery.
>
> If you have any questions about this, or you believe you have received
> this message in error, please contact the site system administrators.
>
> Your system administrators will need the following information:
> Server name: $hostname
> Message id: $id
> Date code: $datenumber
>
> --
> MailScanner
> Email Virus Scanner
> www.mailscanner.info
> MailScanner thanks transtec Computers for their support
>

De: "MailScanner" <$localpostmaster>
À: $to
X-MailScanner: generated
Objet: Contenu interdit conservé pour révision

Notre vérificateur de contenu de messages a été déclanché par un message que vous avez reçu:-

De: $from
Objet: $subject
Date: $date

Ce message a été mis en quarantaine pour révision avant sa livraison.

Si vous avez des questions à
ce sujet, ou si vous croyez avoir reçu ce message
en erreur, veuillez contacter les administrateurs de système de votre site.

Vos administrateurs de système auront besoin de l'information suivante:

Nom du serveur: $hostname
Numéro d'identification du message: $id
Code de date: $datenumber

> ======================
> And here is the spam report:
> ======================
>
> From: "MailScanner" <$localpostmaster>
> To: $to
> Subject: Unsolicited commercial email not delivered
> X-MailScanner: generated
>
> Our UCE (spam) detectors have been triggered by a message you
> received:-
> From: $from
> Subject: $subject
> Date: $date
> This message has not been delivered. The detectors that were triggered are
> $spamreport.
>
> The message to you has been detected as spam based on either its contents or
> the mail server which sent the message to us, or both.
>
> We do not accept unsolicited commercial (spam) e-mail and actively
> work to stop it.
>
> If you have any questions about this, or you believe you have received
> this message in error, please contact the site system administrators.
>
> Your system administrators will need the following information:
> Server name: $hostname
> Message id: $id
> Date code: $datenumber
>

De: "MailScanner" <$localpostmaster>
À: $to
Objet: Unsolicited commercial email not delivered
X-MailScanner: generated

Notre détecteur de polluriel (spam) a été déclanché par un message que vous avez reçu:-
De: $from
Objet: $subject
Date: $date
Ce message ne vous a pas été livré. Le rapport du détecteur est:
$spamreport.

Ce message vous étant destiné a été détecté comme un polluriel, basé sur le serveur de courrier d'origine, son contenu, ou les deux.

Nous n'acceptons pas de polluriels (spam) et nous travaillons pour arrêter ce fléau.

Si vous avez des questions à ce sujet, ou si vous croyez avoir reçu ce message
en erreur, veuillez contacter les administrateurs de système de votre site.

Vos administrateurs de système auront besoin de l'information suivante:

Nom du serveur: $hostname
Numéro d'identification du message: $id
Code de date: $datenumber

> --
> MailScanner
> Email Virus Scanner
> www.mailscanner.info
> MailScanner thanks transtec Computers for their support
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

Ugo

From goleotti at MISAG.IT Thu Jan 22 11:54:32 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators
Message-ID: <1488394A34F6A0408FDA3841418D1442183D11@scorpio.auron.mi>

Here is my proposal for Italian (my native language.)

Bye,
Gabriele

======================
the MCP report:
======================

Da: "MailScanner" <$localpostmaster>
A: $to
Oggetto: Contenuto bloccato ma memorizzato per revisione
X-MailScanner: generato

I nostri servizi di analisi dei contenuti sono stati attivati da un tuo
messaggio:-
Da: $from
Oggetto: $subject
Data: $date
Il messaggio e' stato messo in quarantena per un'eventuale
revisione prima del recapito.

Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per
errore, contatta gli amministratori del sistema.

Le seguenti informazioni identificano il tuo messaggio e vanno
comunicate agli amministratori di sistema:
Nome server: $hostname
ID messaggio: $id
Codice data: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner ringrazia transtec Computers per il loro supporto

======================
the spam report:
======================

Da: "MailScanner" <$localpostmaster>
A: $to
Oggetto: Unsolicited commercial email not delivered
X-MailScanner: generato

I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un
tuo messaggio:-
Da: $from
Oggetto: $subject
Data: $date
Il messaggio non e' stato inviato. I rilevatori che sono stati
attivati sono:
$spamreport.

Il tuo messaggio e' stato catalogato come spam dal mail server che ce l'ha
recapitato, oppure in base ai suoi contenuti, oppure per entrambi
i motivi.

Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora
attivamente per bloccarli.

Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per
errore, contatta gli amministratori del sistema.

Le seguenti informazioni identificano il tuo messaggio e vanno
comunicate agli amministratori di sistema:
Nome server: $hostname
ID messaggio: $id
Codice data: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner ringrazia transtec Computers per il suo supporto

From edu at ICARUS.COM.BR Thu Jan 22 12:49:18 2004
From: edu at ICARUS.COM.BR (Eduardo Andre)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators : Portuguese Brazil (pt_br)
In-Reply-To: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk>
Message-ID: <40068.200.244.152.3.1074775758.squirrel@10.0.1.3>

Here is the MCP report:
======================

From: "MailScanner" <$localpostmaster>
To: $to
Subject: Conteúdo bloqueado armazenado para revisão
X-MailScanner: generated

Nosso detector de conteúdo de menssagens foi ativado por uma mensagem que voce recebeu:-
From: $from
Subject: $subject
Date: $date
Esta menssagem foi posta em quarentena para revisão antes de ser entregue.

Se voce tiver alguma dúvida a respeito, ou acredita que voce recebeu esta mensagem por erro, por favor contate o administrador do sistema.

O seu administrador de sistema necessitará
das seguintes informações:
Server name: $hostname
Message id: $id
Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support

======================
And here is the spam report:
======================

From: "MailScanner" <$localpostmaster>
To: $to
Subject: Email comercial não solicitado não entregue
X-MailScanner: generated

Nossos detetores de emails comerciais não solicitados(spam) foram ativados por uma menssagem que voce recebeu:-
From: $from
Subject: $subject
Date: $date
Esta menssagem não foi entregue. Os detetores que foram ativados são
$spamreport.

A menssagem para voce foi classificada como SPAM com base nestas regras ou no servidor que enviou a menssagem para voce, ou em ambos.

Nos não iremos aceitar emails comerciais não solicitados (spam) e trabalharemos ativamente para bloquea-los.

Se voce tiver alguma dúvida a respeito, ou acredita que voce recebeu esta mensagem por erro, por favor contate o administrador do sistema.

O seu administrador de sistema necessitará das seguintes informações:
Server Name: $hostname
Message id: $id
Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 22 13:00:25 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators
In-Reply-To: <1488394A34F6A0408FDA3841418D1442183D11@scorpio.auron.mi>
Message-ID:

Gabriele,

Just one question, why did you use the informal 'tu/tuo' instead of the more
formal mode?
I'm not nit-picking, but I am curious

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel.
+ 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Gabriele Oleotti > Sent: 22 January 2004 11:55 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Calling all translators > > > Here is my proposal for Italian (my native language.) > > Bye, > Gabriele > > ====================== > the MCP report: > ====================== > > Da: "MailScanner" <$localpostmaster> > A: $to > Oggetto: Contenuto bloccato ma memorizzato per revisione > X-MailScanner: generato > > I nostri servizi di analisi dei contenuti sono stati attivati da un tuo > messaggio:- > Da: $from > Oggetto: $subject > Data: $date > Il messaggio e' stato messo in quarantena per un'eventuale > revisione prima del recapito. > > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > errore, contatta gli amministratori del sistema. > > Le seguenti informazioni identificano il tuo messaggio e vanno > comunicate agli amministratori di sistema: > Nome server: $hostname > ID messaggio: $id > Codice data: $datenumber > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > MailScanner ringrazia transtec Computers per il loro supporto > > ====================== > the spam report: > ====================== > > Da: "MailScanner" <$localpostmaster> > A: $to > Oggetto: Unsolicited commercial email not delivered > X-MailScanner: generato > > I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un > tuo messaggio:- > Da: $from > Oggetto: $subject > Data: $date > Il messaggio non e' stato inviato. I rilevatori che sono stati > attivati sono: > $spamreport. > > Il tuo messaggio e' stato catalogato come spam dal mail server che ce l'ha > recapitato, oppure in base ai suoi contenuti, oppure per entrambi > i motivi. > > Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora > attivamente per bloccarli. 
> > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > errore, contatta gli amministratori del sistema. > > Le seguenti informazioni identificano il tuo messaggio e vanno > comunicate agli amministratori di sistema: > Nome server: $hostname > ID messaggio: $id > Codice data: $datenumber > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > MailScanner ringrazia transtec Computers per il suo supporto > From drew at THEMARSHALLS.CO.UK Thu Jan 22 13:11:43 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators In-Reply-To: References: <1488394A34F6A0408FDA3841418D1442183D11@scorpio.auron.mi> Message-ID: <36104.194.70.180.170.1074777103.squirrel@net.themarshalls.co.uk> Michele Will you be doing the Irish translation? :-) I'm looking at a suitable version for the South Eastern Construction Industry but it won't go through MCP currently :-D Drew Michele Neylon :: Blacknight Solutions said: > Gabriele, > > Just one question, why did you use the informal 'tu/tuo' instead of the > more > formal mode? > I'm not nit-picking, but I am curious > > Michele > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > >> -----Original Message----- >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of Gabriele Oleotti >> Sent: 22 January 2004 11:55 >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: Calling all translators >> >> >> Here is my proposal for Italian (my native language.) 
>> >> Bye, >> Gabriele >> >> ====================== >> the MCP report: >> ====================== >> >> Da: "MailScanner" <$localpostmaster> >> A: $to >> Oggetto: Contenuto bloccato ma memorizzato per revisione >> X-MailScanner: generato >> >> I nostri servizi di analisi dei contenuti sono stati attivati da un tuo >> messaggio:- >> Da: $from >> Oggetto: $subject >> Data: $date >> Il messaggio e' stato messo in quarantena per un'eventuale >> revisione prima del recapito. >> >> Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per >> errore, contatta gli amministratori del sistema. >> >> Le seguenti informazioni identificano il tuo messaggio e vanno >> comunicate agli amministratori di sistema: >> Nome server: $hostname >> ID messaggio: $id >> Codice data: $datenumber >> >> -- >> MailScanner >> Email Virus Scanner >> www.mailscanner.info >> MailScanner ringrazia transtec Computers per il loro supporto >> >> ====================== >> the spam report: >> ====================== >> >> Da: "MailScanner" <$localpostmaster> >> A: $to >> Oggetto: Unsolicited commercial email not delivered >> X-MailScanner: generato >> >> I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un >> tuo messaggio:- >> Da: $from >> Oggetto: $subject >> Data: $date >> Il messaggio non e' stato inviato. I rilevatori che sono stati >> attivati sono: >> $spamreport. >> >> Il tuo messaggio e' stato catalogato come spam dal mail server che ce >> l'ha >> recapitato, oppure in base ai suoi contenuti, oppure per entrambi >> i motivi. >> >> Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora >> attivamente per bloccarli. >> >> Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per >> errore, contatta gli amministratori del sistema. 
>>
>> Le seguenti informazioni identificano il tuo messaggio e vanno
>> comunicate agli amministratori di sistema:
>> Nome server: $hostname
>> ID messaggio: $id
>> Codice data: $datenumber
>>
>> --
>> MailScanner
>> Email Virus Scanner
>> www.mailscanner.info
>> MailScanner ringrazia transtec Computers per il suo supporto
>>
>

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From P.G.M.Peters at utwente.nl Thu Jan 22 13:22:26 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:00 2006
Subject: How to stop this spam?
In-Reply-To:
References:
Message-ID:

On Sun, 18 Jan 2004 23:46:28 +0100, you wrote:

>> X-century-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.642,
>> required 5, BIZ_TLD 0.78, BigEvilList_131 3.00, HABEAS_SWE -8.00,
>> HTML_50_60 0.18, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10,
>> MIME_HTML_ONLY_MULTI 1.10, RCVD_IN_BL_SPAMCOP_NET 2.25,
>> RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10,
>> WHY_WAIT 0.48)
>> X-century-MailScanner-SpamScore: sss
>
>As discussed multiple times on the list, lower the HABEAS_SWE to -1 or
>something. -8 is way over the top it seems.

I use:

|# Jan 2004 : Fake Habeas
|header __HABEAS_SWE eval:message_is_habeas_swe( )
|header __HAB_FORGE_BOUND Content-Type =~ /boundary="--[0-9]{15,20}"/
|header __HAB_FORGE_MID Message-ID =~ /<[A-Z]{20,25}@[a-z]{3}/
|
|meta HABEAS_FORGERY (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE)
|meta HABEAS_SWE (__HABEAS_SWE && ! HABEAS_FORGERY)
|# -8.0 for default Habeas score.
|describe HABEAS_FORGERY Common Habeas Forgery
|score HABEAS_FORGERY 3.5

It helps me get away with the few spam that have Habeas headers and don't get enough points from other SpamAssassin scores. I haven't seen a habeas get through this.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Thu Jan 22 13:24:17 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:00 2006
Subject: CF RULES
In-Reply-To:
References:
Message-ID:

On Mon, 19 Jan 2004 03:20:27 +0000, you wrote:

>What filter would take care of this?

I have put the following in my local cf-file:

|## Chris Petersen Rules
|## 01-09-04
|## v1.1
|
|## I've noticed that a lot of spams recently have been following the random-words technique,
|## with very little "spam" content - often just an image or some obfuscated text. Has anyone
|## given any thought to writing up a rule that detects a LACK of punctuation, or a lack of
|## short words like a/and/the? It'd be easy for spammers to get around, but at least it would
|## keep them out of inboxes for awhile.
|
|
|rawbody CP_RANDOMWORD_10 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
|describe CP_RANDOMWORD_10 string of 10+ random words
|score CP_RANDOMWORD_10 0.5
|
|rawbody CP_RANDOMWORD_15 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
|describe CP_RANDOMWORD_15 string of 15+ random words
|score CP_RANDOMWORD_15 2.5

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Thu Jan 22 13:48:02 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:00 2006
Subject: Another silent virus addition - W32/Bagle-A
In-Reply-To:
References: <400BE30A.DC41E00B@ihs.com>
Message-ID:

On Mon, 19 Jan 2004 15:08:00 +0100, you wrote:

>Most virus packages already support this new one.
>
>1728 W32/Sober.C@mm
>1364 W32/Swen.A@mm
>351 W32/Bagle.A@mm
>
>Not as bad as the other Sober and Swen yet, but it's coming up hard.

I have Bagle on 9 in my top 10 (for this month):

| 9238 W32/Sober.C@mm
| 4094 W32/Dumaru.A@mm
....
| 424 W32/Bagle.A@mm

For today I see it on 5:

| 282 W32/Sober.C@mm
| 77 W32/Swen.A@mm
| 68 W32/Mimail.C@mm
| 60 W32/Dumaru.A@mm
| 60 W32/Bagle.A@mm

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From goleotti at MISAG.IT Thu Jan 22 13:57:18 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators
Message-ID: <1488394A34F6A0408FDA3841418D14420F23DA@scorpio.auron.mi>

It's a lot unusual to use the formal mode for automatically generated messages.

Moreover, while I was translating I was thinking about what my users should have complained about when reading the message and I'm sure they would have not understood if I wrote "vostro/vostra" or "suo/sua."

That's all.

Bye,
Gabriele

-----Original Message-----
From: Michele Neylon :: Blacknight Solutions [mailto:michele@BLACKNIGHTSOLUTIONS.COM]
Sent: giovedì 22 gennaio 2004 14.00
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Calling all translators

Gabriele,

Just one question, why did you use the informal 'tu/tuo' instead of the more
formal mode?
I'm not nit-picking, but I am curious

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Gabriele Oleotti
> Sent: 22 January 2004 11:55
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators
>
>
> Here is my proposal for Italian (my native language.)
> > Bye, > Gabriele > > ====================== > the MCP report: > ====================== > > Da: "MailScanner" <$localpostmaster> > A: $to > Oggetto: Contenuto bloccato ma memorizzato per revisione > X-MailScanner: generato > > I nostri servizi di analisi dei contenuti sono stati attivati da un tuo > messaggio:- > Da: $from > Oggetto: $subject > Data: $date > Il messaggio e' stato messo in quarantena per un'eventuale > revisione prima del recapito. > > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > errore, contatta gli amministratori del sistema. > > Le seguenti informazioni identificano il tuo messaggio e vanno > comunicate agli amministratori di sistema: > Nome server: $hostname > ID messaggio: $id > Codice data: $datenumber > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > MailScanner ringrazia transtec Computers per il loro supporto > > ====================== > the spam report: > ====================== > > Da: "MailScanner" <$localpostmaster> > A: $to > Oggetto: Unsolicited commercial email not delivered > X-MailScanner: generato > > I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un > tuo messaggio:- > Da: $from > Oggetto: $subject > Data: $date > Il messaggio non e' stato inviato. I rilevatori che sono stati > attivati sono: > $spamreport. > > Il tuo messaggio e' stato catalogato come spam dal mail server che ce l'ha > recapitato, oppure in base ai suoi contenuti, oppure per entrambi > i motivi. > > Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora > attivamente per bloccarli. > > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > errore, contatta gli amministratori del sistema. 
>
> Le seguenti informazioni identificano il tuo messaggio e vanno
> comunicate agli amministratori di sistema:
> Nome server: $hostname
> ID messaggio: $id
> Codice data: $datenumber
>
> --
> MailScanner
> Email Virus Scanner
> www.mailscanner.info
> MailScanner ringrazia transtec Computers per il suo supporto
>

From Denis.Beauchemin at USHERBROOKE.CA Thu Jan 22 14:04:40 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators: French
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132E1@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273132E1@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <1074780280.6956.14.camel@dbeauchemin.sti.usherbrooke.ca>

Ugo and Julian,

I made some minor corrections to Ugo's very good French translation (look inline).

Denis

Le jeu 22/01/2004 à 06:57, Ugo Bellavance a écrit :
> Here is the French translation. I tried to stick as much as possible to the words used by Julian. However, I could work it out to a version with better French. French is my mother tongue and I live in Quebec, Canada.
>
> I suggest you put an area at the bottom with the address of the helpdesk, since they might not think of hitting reply, and sometimes the $localpostmaster and helpdesk are different addresses.
>
> Thanks,
>
> Ugo
>
> > -----Message d'origine-----
> > De : Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Envoyé : Thursday, January 22, 2004 5:24 AM
> > À : MAILSCANNER@JISCMAIL.AC.UK
> > Objet : Calling all translators
> >
> >
> > For the new "notify" action, I need the translated version of the spam and
> > mcp reports that it can generate. If you could translate these into all
> > your favourite languages, I would be really grateful.
> >
> > If you translate it into a language which you have not been speaking since
> > the age of 1, please point that out so I can sort out multiple translations.
> >
> > Thanks folks!
> >
> > ======================
> > Here is the MCP report:
> > ======================
> >
> > From: "MailScanner" <$localpostmaster>
> > To: $to
> > Subject: Banned content stored for review
> > X-MailScanner: generated
> >
> > Our message content detectors have been triggered by a
> > message you received:-
> > From: $from
> > Subject: $subject
> > Date: $date
> > This message has been quarantined for review before delivery.
> >
> > If you have any questions about this, or you believe you have received
> > this message in error, please contact the site system administrators.
> >
> > Your system administrators will need the following information:
> > Server name: $hostname
> > Message id: $id
> > Date code: $datenumber
> >
> > --
> > MailScanner
> > Email Virus Scanner
> > www.mailscanner.info
> > MailScanner thanks transtec Computers for their support
> >
> De: "MailScanner" <$localpostmaster>
> À: $to
> X-MailScanner: generated
> Objet: Contenu interdit conservé pour révision
>
> Notre vérificateur de contenu de messages a été déclanché par un message que vous avez reçu:-

Notre vérificateur de contenu de messages a été activé par un message que vous avez reçu:

>
> De: $from
> Objet: $subject
> Date: $date
>
> Ce message a été mis en quarantaine pour révision avant sa livraison.
>
> Si vous avez des questions à ce sujet, ou si vous croyez avoir reçu ce message
> en erreur, veuillez contacter les administrateurs de système de votre site.

par erreur, veuillez contacter les administrateurs de système de votre site.

>
> Vos administrateurs de système auront besoin de l'information suivante:
>
> Nom du serveur: $hostname
> Numéro d'identification du message: $id
> Code de date: $datenumber
>
> > ======================
> > And here is the spam report:
> > ======================
> >
> > From: "MailScanner" <$localpostmaster>
> > To: $to
> > Subject: Unsolicited commercial email not delivered
> > X-MailScanner: generated
> >
> > Our UCE (spam) detectors have been triggered by a message you
> > received:-
> > From: $from
> > Subject: $subject
> > Date: $date
> > This message has not been delivered. The detectors that were triggered are
> > $spamreport.
> >
> > The message to you has been detected as spam based on either its contents or
> > the mail server which sent the message to us, or both.
> >
> > We do not accept unsolicited commercial (spam) e-mail and actively
> > work to stop it.
> >
> > If you have any questions about this, or you believe you have received
> > this message in error, please contact the site system administrators.
> >
> > Your system administrators will need the following information:
> > Server name: $hostname
> > Message id: $id
> > Date code: $datenumber
> >
> De: "MailScanner" <$localpostmaster>
> À: $to
> Objet: Unsolicited commercial email not delivered

Objet: Polluriel non livré

> X-MailScanner: generated
>
> Notre détecteur de polluriel (spam) a été déclanché par un message que vous avez reçu:-

Notre détecteur de polluriel (spam) a été activé par un message que vous avez reçu:

> De: $from
> Objet: $subject
> Date: $date
> Ce message ne vous a pas été livré. Le rapport du détecteur est:
> $spamreport.
>
> Ce message vous étant destiné a été détecté comme un polluriel, basé sur le serveur de courrier d'origine, son contenu, ou les deux.
>
> Nous n'acceptons pas de polluriels (spam) et nous travaillons pour arrêter ce fléau.
>
> Si vous avez des questions à ce sujet, ou si vous croyez avoir reçu ce message
> en erreur, veuillez contacter les administrateurs de système de votre site.

par erreur, veuillez contacter les administrateurs de système de votre site.

>
> Vos administrateurs de système auront besoin de l'information suivante:
>
> Nom du serveur: $hostname
> Numéro d'identification du message: $id
> Code de date: $datenumber
>
> > --
> > MailScanner
> > Email Virus Scanner
> > www.mailscanner.info
> > MailScanner thanks transtec Computers for their support
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
>
> Ugo

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 22 14:43:14 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators
In-Reply-To: <36104.194.70.180.170.1074777103.squirrel@net.themarshalls.co.uk>
Message-ID:

Drew

LOL

"listen lad yer message weren't delivered coz ye made a right balls of the attachment. Give the lads on de helpdesk a buzz and we'll sort ye out" - close enough?

M

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Drew Marshall
> Sent: 22 January 2004 13:12
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators
>
>
> Michele
>
> Will you be doing the Irish translation?
:-) I'm looking at a suitable > version for the South Eastern Construction Industry but it won't go > through MCP currently :-D > > Drew > > Michele Neylon :: Blacknight Solutions said: > > Gabriele, > > > > Just one question, why did you use the informal 'tu/tuo' instead of the > > more > > formal mode? > > I'm not nit-picking, but I am curious > > > > Michele > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > >> -----Original Message----- > >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >> Behalf Of Gabriele Oleotti > >> Sent: 22 January 2004 11:55 > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: Calling all translators > >> > >> > >> Here is my proposal for Italian (my native language.) > >> > >> Bye, > >> Gabriele > >> > >> ====================== > >> the MCP report: > >> ====================== > >> > >> Da: "MailScanner" <$localpostmaster> > >> A: $to > >> Oggetto: Contenuto bloccato ma memorizzato per revisione > >> X-MailScanner: generato > >> > >> I nostri servizi di analisi dei contenuti sono stati attivati da un tuo > >> messaggio:- > >> Da: $from > >> Oggetto: $subject > >> Data: $date > >> Il messaggio e' stato messo in quarantena per un'eventuale > >> revisione prima del recapito. > >> > >> Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > >> errore, contatta gli amministratori del sistema. 
> >> > >> Le seguenti informazioni identificano il tuo messaggio e vanno > >> comunicate agli amministratori di sistema: > >> Nome server: $hostname > >> ID messaggio: $id > >> Codice data: $datenumber > >> > >> -- > >> MailScanner > >> Email Virus Scanner > >> www.mailscanner.info > >> MailScanner ringrazia transtec Computers per il loro supporto > >> > >> ====================== > >> the spam report: > >> ====================== > >> > >> Da: "MailScanner" <$localpostmaster> > >> A: $to > >> Oggetto: Unsolicited commercial email not delivered > >> X-MailScanner: generato > >> > >> I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un > >> tuo messaggio:- > >> Da: $from > >> Oggetto: $subject > >> Data: $date > >> Il messaggio non e' stato inviato. I rilevatori che sono stati > >> attivati sono: > >> $spamreport. > >> > >> Il tuo messaggio e' stato catalogato come spam dal mail server che ce > >> l'ha > >> recapitato, oppure in base ai suoi contenuti, oppure per entrambi > >> i motivi. > >> > >> Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora > >> attivamente per bloccarli. > >> > >> Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > >> errore, contatta gli amministratori del sistema. > >> > >> Le seguenti informazioni identificano il tuo messaggio e vanno > >> comunicate agli amministratori di sistema: > >> Nome server: $hostname > >> ID messaggio: $id > >> Codice data: $datenumber > >> > >> -- > >> MailScanner > >> Email Virus Scanner > >> www.mailscanner.info > >> MailScanner ringrazia transtec Computers per il suo supporto > >> > > > > > -- > In line with our policy, this message has > been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. 
> www.themarshalls.co.uk/policy > From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 22 14:45:27 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators In-Reply-To: <1488394A34F6A0408FDA3841418D14420F23DA@scorpio.auron.mi> Message-ID: Ok. I just wondered about that one, as some of my Italian clients are rather pedantic about their forms of address. Dottore would be offended if addressed as anything else... Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Gabriele Oleotti > Sent: 22 January 2004 13:57 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Calling all translators > > > It's a lot unusual to use the formal mode for automatically > generated messages. > > Moreover, while I was translating I was thinking about what my > users should have complained about when reading the message and > I'm sure they would have not understood if I wrote > "vostro/vostra" or "suo/sua." > > That's all. > > Bye, > Gabriele > > -----Original Message----- > From: Michele Neylon :: Blacknight Solutions > [mailto:michele@BLACKNIGHTSOLUTIONS.COM] > Sent: gioved? 22 gennaio 2004 14.00 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Calling all translators > > > Gabriele, > > Just one question, why did you use the informal 'tu/tuo' instead > of the more > formal mode? > I'm not nit-picking, but I am curious > > Michele > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. 
+ 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Gabriele Oleotti > > Sent: 22 January 2004 11:55 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Calling all translators > > > > > > Here is my proposal for Italian (my native language.) > > > > Bye, > > Gabriele > > > > ====================== > > the MCP report: > > ====================== > > > > Da: "MailScanner" <$localpostmaster> > > A: $to > > Oggetto: Contenuto bloccato ma memorizzato per revisione > > X-MailScanner: generato > > > > I nostri servizi di analisi dei contenuti sono stati attivati da un tuo > > messaggio:- > > Da: $from > > Oggetto: $subject > > Data: $date > > Il messaggio e' stato messo in quarantena per un'eventuale > > revisione prima del recapito. > > > > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > > errore, contatta gli amministratori del sistema. > > > > Le seguenti informazioni identificano il tuo messaggio e vanno > > comunicate agli amministratori di sistema: > > Nome server: $hostname > > ID messaggio: $id > > Codice data: $datenumber > > > > -- > > MailScanner > > Email Virus Scanner > > www.mailscanner.info > > MailScanner ringrazia transtec Computers per il loro supporto > > > > ====================== > > the spam report: > > ====================== > > > > Da: "MailScanner" <$localpostmaster> > > A: $to > > Oggetto: Unsolicited commercial email not delivered > > X-MailScanner: generato > > > > I nostri sistemi di rilevazione di UCE (spam) sono stati attivati da un > > tuo messaggio:- > > Da: $from > > Oggetto: $subject > > Data: $date > > Il messaggio non e' stato inviato. I rilevatori che sono stati > > attivati sono: > > $spamreport. > > > > Il tuo messaggio e' stato catalogato come spam dal mail server > che ce l'ha > > recapitato, oppure in base ai suoi contenuti, oppure per entrambi > > i motivi. 
> > > > Questo sito non accetta e-mail commerciali indesiderati (spam) e lavora > > attivamente per bloccarli. > > > > Per qualsiasi domanda, o se pensi di aver ricevuto questo messaggio per > > errore, contatta gli amministratori del sistema. > > > > Le seguenti informazioni identificano il tuo messaggio e vanno > > comunicate agli amministratori di sistema: > > Nome server: $hostname > > ID messaggio: $id > > Codice data: $datenumber > > > > -- > > MailScanner > > Email Virus Scanner > > www.mailscanner.info > > MailScanner ringrazia transtec Computers per il suo supporto > > > From martinh at SOLID-STATE-LOGIC.COM Thu Jan 22 14:49:47 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators In-Reply-To: References: Message-ID: <400FE30B.7060008@solid-state-logic.com> Michele Neylon :: Blacknight Solutions wrote: > Drew > > LOL > > "listen lad yer message weren't delivered coz ye made a right balls of the > attachment. Give the lads on de helpdesk a buzz and we'll sort ye out" - > close enough? > > M > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > If from the Dublin area surely it needs to end in 'Thank a million" doesn't it :-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 22 14:58:35 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:00 2006 Subject: Calling all translators In-Reply-To: <400FE30B.7060008@solid-state-logic.com> Message-ID: Am I the only Irish person on this list??? I feel outnumbered :/ Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: 22 January 2004 14:50 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Calling all translators > > > Michele Neylon :: Blacknight Solutions wrote: > > Drew > > > > LOL > > > > "listen lad yer message weren't delivered coz ye made a right > balls of the > > attachment. Give the lads on de helpdesk a buzz and we'll sort > ye out" - > > close enough? > > > > M > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > If from the Dublin area surely it needs to end in 'Thank a million" > doesn't it :-) > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. 
>
> **********************************************************************
>

From lindsay at pa.net Thu Jan 22 15:12:18 2004
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:22:00 2006
Subject: Razor caching proxy
In-Reply-To: <6.0.1.1.2.20040121185014.02db82f8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040121185014.02db82f8@imap.ecs.soton.ac.uk>
Message-ID: <1074784338.3643.27.camel@localhost.localdomain>

On Wed, 2004-01-21 at 13:53, Julian Field wrote:
> I've just come across this here:
> http://www.stearns.org/razor-caching-proxy
>
> Has anyone else ever heard of it, or tried it out? I would be interested to
> hear people's opinions of it. I have contacted Vipul directly to ask if
> there is a way of mirroring their servers, and unfortunately the answer is
> no. Apparently the reporting and querying services are very tightly bound
> to each other, so mirrors aren't possible. Shame.
>
> And what about DCC?
> Is anyone running the DCC daemon to provide their own DCC server.

We run a public dcc server here. We also offered pyzor a public mirror.
It's amazing how little bandwidth and resources these services use.

> Does this
> help performance noticeably?

After setting up the dccd server, I came to the realization that dcc and
dccd are really cool. If timeouts are your concern, it doesn't look like
you'd ever get more than a couple timeouts from one server before the
client chooses the next best on the list of about 16.

If processing time per message is a concern though, it may be a different
story. If you run cdcc info and look at the lowest RTT time, you can get a
rough estimate of the time it takes for a dcc check. At a glance now, our
lowest offsite RTT is 552.18. The local server is reporting a RTT of 6.74.
Thus, I'd suggest we are saving over 500ms per message.

One thing to note, the dccd server will artificially inflate the RTT time
to a client who is hitting a server hard.
The resulting effect will be to push busy clients around from server to
server as they continue to pick the lowest RTT time. You may see large
RTT times if you are one of those clients.

> I am worried that too many large sites will
> overload the central DCC servers, when we could run our own.

From watching the load and network graphs of our public box, I'd suggest
that the dcc server network has plenty of resources available. Our box is
using little bandwidth and is running 99% idle.

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From edu at ICARUS.COM.BR Thu Jan 22 16:18:20 2004
From: edu at ICARUS.COM.BR (Eduardo Andre)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators - Portuguese Brasil - Revised
In-Reply-To:
References: <400FE30B.7060008@solid-state-logic.com>
Message-ID: <20284.200.244.152.3.1074788300.squirrel@10.0.1.3>

Julian please replace my last translation to Portuguese - Brasil for this
revised.

Tnx.
Eduardo.

Here is the MCP report:
======================

From: "MailScanner" <$localpostmaster>
To: $to
Subject: Conteúdo bloqueado armazenado para revisão
X-MailScanner: generated

Nosso detector de conteúdo de mensagens foi ativado por uma mensagem
que voce recebeu:-
    From: $from
    Subject: $subject
    Date: $date
Esta mensagem foi posta em quarentena para revisão antes de ser entregue.

Se voce tiver alguma dúvida a respeito, ou acredita que voce recebeu esta
mensagem por erro, por favor contate o administrador do sistema.

O seu administrador de sistema necessitará
das seguintes informações:
    Server name: $hostname
    Message id: $id
    Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support

======================
And here is the spam report:
======================

From: "MailScanner" <$localpostmaster>
To: $to
Subject: O email comercial não solicitado não foi entregue
X-MailScanner: generated

Nossos detetores de emails comerciais não solicitados(spam) foram ativados
por uma mensagem que voce recebeu:-
    From: $from
    Subject: $subject
    Date: $date
Esta mensagem não foi entregue. Os detetores que foram ativados são
    $spamreport.

A mensagem destinada para voce foi classificada como SPAM com base nestas
regras ou no servidor que enviou a mensagem para voce, ou em ambos.

Nos não iremos aceitar emails comerciais não solicitados (spam) e
trabalharemos ativamente para bloquea-los.

Se voce tiver alguma dúvida a respeito, ou acredita que voce recebeu esta
mensagem por erro, por favor contate o administrador do sistema.

O seu administrador de sistema necessitará das seguintes informações:
    Server Name: $hostname
    Message id: $id
    Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support

From dickenson at CFMC.COM Thu Jan 22 16:43:58 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
Message-ID:

In my spam.whitelist.rules file I have this line:
From: mileageplus@unitedoffers.com yes

When a person gets an email with these headers:

From: United Mileage Plus
Reply-To: MileagePlus@UnitedOffers.com


It gets this:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
        FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)

There is no mention that this address is white listed and thus, as it
meets my low spam score, is treated as spam.
I have other addresses listed that are treated correctly so I am at a loss
as to why this address is causing me trouble.

Any ideas on what to check would be appreciated.

TIA,
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

From steve.freegard at LBSLTD.CO.UK Thu Jan 22 16:46:52 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
Message-ID: <67D9E7698329D411936E00508B6590B902773E07@neelix.lbsltd.co.uk>

Hi Jim,

Do you have 'Is Definitely Not Spam =
/etc/MailScanner/rules/spam.whitelist.rules' set in MailScanner.conf??

Regards,
Steve.

> -----Original Message-----
> From: Jim Dickenson [mailto:dickenson@CFMC.COM]
> Sent: 22 January 2004 16:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: White List question
>
>
> In my spam.whitelist.rules file I have this line:
> From: mileageplus@unitedoffers.com yes
>
> When a person gets an email with these headers:
>
> From: United Mileage Plus
> Reply-To: MileagePlus@UnitedOffers.com
>
>
> It gets this:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
>         FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)
>
> There is no mention that this address is white listed and
> thus, as it meets my low spam score, is treated as spam.
>
> I have other addresses listed that are treated correctly so I
> am at a loss as to why this address is causing me trouble.
>
> Any ideas on what to check would be appreciated.
>
> TIA,
> --
> Jim Dickenson
> mailto:dickenson@cfmc.com
>
> Computers for Marketing Corporation
> http://www.cfmc.com/
>

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.
This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From dickenson at CFMC.COM Thu Jan 22 16:51:30 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E07@neelix.lbsltd.co.uk>
Message-ID:

Have these lines:

# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

And the files are here:

[ /etc/MailScanner/rules]# ls
EXAMPLES  README  spam.blacklist.rules  spam.whitelist.rules

--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: Steve Freegard
> Reply-To: MailScanner mailing list
> Date: Thu, 22 Jan 2004 16:46:52 -0000
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: White List question
>
> Hi Jim,
>
> Do you have 'Is Definitely Not Spam =
> /etc/MailScanner/rules/spam.whitelist.rules' set in MailScanner.conf??
>
> Regards,
> Steve.
>
>> -----Original Message-----
>> From: Jim Dickenson [mailto:dickenson@CFMC.COM]
>> Sent: 22 January 2004 16:44
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: White List question
>>
>>
>> In my spam.whitelist.rules file I have this line:
>> From: mileageplus@unitedoffers.com yes
>>
>> When a person gets an email with these headers:
>>
>> From: United Mileage Plus
>> Reply-To: MileagePlus@UnitedOffers.com
>>
>>
>> It gets this:
>>
>> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
>>         FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)
>>
>> There is no mention that this address is white listed and
>> thus, as it meets my low spam score, is treated as spam.
>>
>> I have other addresses listed that are treated correctly so I
>> am at a loss as to why this address is causing me trouble.
>>
>> Any ideas on what to check would be appreciated.
>>
>> TIA,
>> --
>> Jim Dickenson
>> mailto:dickenson@cfmc.com
>>
>> Computers for Marketing Corporation
>> http://www.cfmc.com/
>>
>
> --
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the sender and delete the message from your mailbox.
>
> This footnote also confirms that this email message has been swept by
> MailScanner (www.mailscanner.info) for the presence of computer viruses.

From t.d.lee at DURHAM.AC.UK Thu Jan 22 16:52:55 2004
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk>
Message-ID:

On Thu, 22 Jan 2004, Steve Freegard wrote:

> I haven't been following this thread closely, so apologies if this has
> already been covered.

It hasn't, so your reply is appreciated!

> Maybe the error is being caused by opportunistic bayes expiry which could
> take long enough on your system to cause MailScanner to time-out and kill
> off SA mid-expiry causing your orphaned files??

That sounds very plausible. I have gone even deeper into the "maillog"
files, and these "Delete bayes ..." for a particular MS process occur
40 seconds after it starts the spam analysis. And the MS conf has SA
timeout of 40 seconds. It all fits.

So very promising indeed.

> You could try setting 'bayes_auto_expire 0' in spam.assassin.prefs.conf and
> then creating nightly cron job to run a script and does an 'sa-learn -p
> /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'.

Yes, that might be worth a try, at least as proof of concept.

But I wonder whether we need a cleaner solution (remember, a few other
folk have seen one or other variant of this) that, as default behaviour,
tries to prevent this.
Two possibilities:

1. MS installation-time (and defaults): MS defaults 'bayes_auto_expire 0'
   and accompanies that with setting the cron job? But setting the cron
   job is highly OS-specific (i.e. variable!), and overall this doesn't
   feel quite right.

2. MS run-time: MS defaults 'bayes_auto_expire 0', but at start up (which
   it generally does every four hours) it does "--rebuild --force-expire",
   preferably (if possible) by the appropriate subroutine call to SA.

This second feels better and cleaner (although there's a residual issue of
the near simultaneous start-up of around five MS processes).

Julian: Do you have any thoughts? I'd be happy to try to cobble together
a proof of concept patch for that second version (although I'd prefer it
if it arrived fully-fledged on the doorstep!).

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

From dustin.baer at IHS.COM Thu Jan 22 16:55:35 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
References:
Message-ID: <40100087.F1A711B@ihs.com>

Jim Dickenson wrote:
>
> In my spam.whitelist.rules file I have this line:
> From: mileageplus@unitedoffers.com yes
>
> When a person gets an email with these headers:
>
> From: United Mileage Plus
> Reply-To: MileagePlus@UnitedOffers.com
>
> It gets this:
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
>         FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)

Are you sure that MileagePlus@UnitedOffers.com is the envelope sender and
not just the From header? I somewhat recall having to add
*.mail.united.com at some point to allow email from United Airlines.
Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at ecs.soton.ac.uk Thu Jan 22 17:15:26 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
In-Reply-To: <67D9E7698329D411936E00508B6590B902773E07@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773E07@neelix.lbsltd.co.uk>
Message-ID: <6.0.1.1.2.20040122171338.03ae4c10@imap.ecs.soton.ac.uk>

And also, are you sure that the real "sender" address is
"MileagePlus@UnitedOffers.com"? MailScanner doesn't use the values in the
headers at all, as they are often different from the real sender address
so they look nice.

If your mail has a "Return-Path" header at the top (you will have to view
the full email headers to show this), then that is the address you want to
whitelist, not the "From:" address. If you don't have a Return-Path:
header then look for the message in your maillog as that will show the
true sender address.

At 16:46 22/01/2004, you wrote:
>Hi Jim,
>
>Do you have 'Is Definitely Not Spam =
>/etc/MailScanner/rules/spam.whitelist.rules' set in MailScanner.conf??
>
>Regards,
>Steve.
>
> > -----Original Message-----
> > From: Jim Dickenson [mailto:dickenson@CFMC.COM]
> > Sent: 22 January 2004 16:44
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: White List question
> >
> >
> > In my spam.whitelist.rules file I have this line:
> > From: mileageplus@unitedoffers.com yes
> >
> > When a person gets an email with these headers:
> >
> > From: United Mileage Plus
> > Reply-To: MileagePlus@UnitedOffers.com
> >
> >
> > It gets this:
> >
> > X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
> >         FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)
> >
> > There is no mention that this address is white listed and
> > thus, as it meets my low spam score, is treated as spam.
> >
> > I have other addresses listed that are treated correctly so I
> > am at a loss as to why this address is causing me trouble.
> >
> > Any ideas on what to check would be appreciated.
> >
> > TIA,
> > --
> > Jim Dickenson
> > mailto:dickenson@cfmc.com
> >
> > Computers for Marketing Corporation
> > http://www.cfmc.com/
> >
>
>--
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender and delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 22 17:21:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To:
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk>
Message-ID: <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk>

At 16:52 22/01/2004, you wrote:
>On Thu, 22 Jan 2004, Steve Freegard wrote:
>
> > I haven't been following this thread closely, so apologies if this has
> > already been covered.
>
>It hasn't, so your reply is appreciated!
>
> > Maybe the error is being caused by opportunistic bayes expiry which could
> > take long enough on your system to cause MailScanner to time-out and kill
> > off SA mid-expiry causing your orphaned files??
>
>That sounds very plausible. I have gone even deeper into the "maillog"
>files, and these "Delete bayes ..." for a particular MS process occur
>40 seconds after it starts the spam analysis. And the MS conf has SA
>timeout of 40 seconds. It all fits.
>
>So very promising indeed.
>
> > You could try setting 'bayes_auto_expire 0' in spam.assassin.prefs.conf and
> > then creating nightly cron job to run a script and does an 'sa-learn -p
> > /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'.
>
>Yes, that might be worth a try, at least as proof of concept.
>
>But I wonder whether we need a cleaner solution (remember, a few other
>folk have seen one or other variant of this) that, as default behaviour,
>tries to prevent this. Two possibilities:
>
>1. MS installation-time (and defaults): MS defaults 'bayes_auto_expire 0'
>   and accompanies that with setting the cron job? But setting the cron
>   job is highly OS-specific (i.e. variable!), and overall this doesn't
>   feel quite right.
>
>2. MS run-time: MS defaults 'bayes_auto_expire 0', but at start up (which
>   it generally does every four hours) it does "--rebuild --force-expire",
>   preferably (if possible) by the appropriate subroutine call to SA.
>
>This second feels better and cleaner (although there's a residual issue of
>the near simultaneous start-up of around five MS processes).
>
>Julian: Do you have any thoughts? I'd be happy to try to cobble together
>a proof of concept patch for that second version (although I'd prefer it
>if it arrived fully-fledged on the doorstep!).

The trouble with option 2 is that the child processes start up completely
independently of each other, and doing it once at the startup of every
child process would cause a huge holdup while all n children (n could
easily be 12 on a dual-CPU box) ran their own bayes-expire. However, there
are ways around this, as there always are, so I may be able to come up
with a better solution that would do a bayes expire approximately once
every 24 hours or so, which should be plenty. The whole system would have
to sit and hang while this took place, unless I temporarily disabled
SpamAssassin (or *possibly* even just bayes) while it was doing it.
This is going to be a bit of a pig to write :-(

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From anders.andersson at LTKALMAR.SE Thu Jan 22 17:09:03 2004
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:22:00 2006
Subject: SV: Calling all translators - swedish
Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E833@lkl61.ltkalmar.se>

Hi

Swedish translation and I have to admit it prolly took me 2 years to start
using swedish, hope it's ok :)

Swedish speaking ppl, pls make a check and if you find my translation bad
give me a hint and I notify Julian

MCP REPORT:##################################################

Från: "MailScanner" <$localpostmaster>
Till: $to
Ämne: Ej godkännt innehåll

Vår innehållsfiltrering regerade på följande e-post meddelande:-
    Från: $from
    Ämne: $subject
    Datum: $date
Meddelandet har lags i karantän för vidare kontroll innan det levereras.

Om ni har frågor eller tycker att ett fel har begåtts kontakta domänens
systemadministratör.

Följande information behövs för att snabbare kunna hantera frågan:
    Server Namn: $hostname
    Meddelande id: $id
    Datum nummer: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info

SPAM REPORT:##################################################

Från: "MailScanner" <$localpostmaster>
Till: $to
Ämne: Skräppost blockerat
X-MailScanner: generated

Vårt SPAM-skydd har blockerat ett meddelande adresserat till er:-
    Från: $from
    Ämne: $subject
    Datum: $date
Meddelandet har tagits bort. Följande meddelande har genererats.
    $spamreport.

Meddelandet har blivit klassat som skräppost (SPAM) baserat på innehållet
eller av sändande server.

Domänen accepterar inte skräppost (SPAM) och arbetar aktivt för att
stoppa det.

Om ni har frågor eller tycker att ett fel har begåtts kontakta domänens
systemadministratör.
--
MailScanner
Email Virus Scanner
www.mailscanner.info

##################################################

-----Ursprungligt meddelande-----
Från: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Skickat: den 22 januari 2004 11:24
Till: MAILSCANNER@JISCMAIL.AC.UK
Ämne: Calling all translators

For the new "notify" action, I need the translated version of the spam and
mcp reports that it can generate. If you could translate these into all
your favourite languages, I would be really grateful.

If you translate it into a language which you have not been speaking since
the age of 1, please point that out so I can sort out multiple translations.

Thanks folks!

From dwinkler at ALGORITHMICS.COM Thu Jan 22 16:59:20 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:00 2006
Subject: White List question
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B14B@tormail2.algorithmics.com>

You should check if the envelope address is the same as the headers.

MailScanner uses the envelope address.

The envelope address can be found in the logs.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Jim Dickenson
Sent: Thursday, January 22, 2004 11:44 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: White List question

In my spam.whitelist.rules file I have this line:
From: mileageplus@unitedoffers.com yes

When a person gets an email with these headers:

From: United Mileage Plus
Reply-To: MileagePlus@UnitedOffers.com

It gets this:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5,
        FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62)

There is no mention that this address is white listed and thus, as it
meets my low spam score, is treated as spam.

I have other addresses listed that are treated correctly so I am at a loss
as to why this address is causing me trouble.

Any ideas on what to check would be appreciated.
TIA,
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

From mailscanner at LISTS.COM.AR Thu Jan 22 18:43:45 2004
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators - SPANISH
In-Reply-To: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk>
Message-ID: <400FEFB1.2798.C18E92D@localhost>

El 22 Jan 2004 a las 10:23, Julian Field escribió:

> For the new "notify" action, I need the translated version of the spam and
> mcp reports that it can generate. If you could translate these into all
> your favourite languages, I would be really grateful.
>
> If you translate it into a language which you have not been speaking since
> the age of 1, please point that out so I can sort out multiple translations.

Spanish is my mother tongue and the one I use daily... but I'm translating
this in a real hurry... I'm actually passing by my office in the middle of
holidays, regards...

>
> Thanks folks!
>
> ======================
> Here is the MCP report:
> ======================
>

From: "MailScanner" <$localpostmaster>
To: $to
Subject: Contenido prohibido archivado para ser revisado
X-MailScanner: generated

Nuestros detectores de contenido fueron activados por un mensaje que
Usted recibió:
    De: $from
    Asunto: $subject
    Fecha: $date
Este mensaje ha sido puesto en cuarentena para su revisión antes de ser
enviado.

Si tiene dudas acerca de ésto, o cree que ha recibido este mensaje
erróneamente, por favor, contácte con los administradores de correo del
sitio.
Los administradores del sitio necesitarán la siguiente información:
    Nombre del servidor: $hostname
    Identificador del mensaje: $id
    Código de fecha: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner agradece a transtec Computers por su apoyo

> ======================
> And here is the spam report:
> ======================
>

From: "MailScanner" <$localpostmaster>
To: $to
Subject: e-mail comercial no solicitado no fue entregado
X-MailScanner: generated

Nuestros detectores de correo electrónico no solicitado (UCE/spam) fueron
activados debido a un mensaje que Usted recibió:
    De: $from
    Asunto: $subject
    Fecha: $date
Este mensaje no ha sido entregado. Los detectores que fueron activados son:
    $spamreport.

El mensaje envíado a usted fue identificado como spam basándose en su
contenido, el servidor de correo que nos lo entregó o ambos.

No aceptamos correo electrónico comercial no solicitado (spam) y
trabajamos activamente para detenerlo.

Si tiene dudas acerca de ésto, o cree que ha recibido este mensaje
erróneamente, por favor, contácte con los administradores de correo del
sitio.

Los administradores del sitio necesitarán la siguiente información:
    Nombre del servidor: $hostname
    Identificador del mensaje: $id
    Código de fecha: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner agradece a transtec Computers por su apoyo

> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Mariano Absatz
El Baby
----------------------------------------------------------
I've never met a human being who would want to read 17,000 pages
of documentation, and if there was, I'd kill him to get him out
of the gene pool.
-- Joseph Costello, President of Cadence

From ugob at CAMO-ROUTE.COM Thu Jan 22 18:12:32 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators: French
Message-ID: <54C38A0B814C8E438EF73FC76F362927410806@mtlnt501fs.CAMOROUTE.COM>

Agreed. Thanks

> -----Original Message-----
> From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> Sent: Thursday, January 22, 2004 9:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators: French
>
>
> Ugo and Julian,
>
> I made some minor corrections to Ugo's very good French translation
> (look inline).
>
> Denis
> On Thu 22/01/2004 at 06:57, Ugo Bellavance wrote:
> > Here is the French translation. I tried to stick as much
> as possible to the words used by Julian. However, I could
> work it out to a version with better French. French is my
> mother tongue and I live in Quebec, Canada.
> >
> > I suggest you put an area at the bottom with the address of
> the helpdesk, since they might not think of hitting reply,
> and sometimes the $localpostmaster and helpdesk are different
> addresses.
> >
> > Thanks,
> >
> > Ugo
> >
> > > -----Original Message-----
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: Thursday, January 22, 2004 5:24 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Calling all translators
> > >
> > >
> > > For the new "notify" action, I need the translated version of
> > > the spam and
> > > mcp reports that it can generate. If you could translate
> > > these into all
> > > your favourite languages, I would be really grateful.
> > >
> > > If you translate it into a language which you have not been
> > > speaking since
> > > the age of 1, please point that out so I can sort out
> > > multiple translations.
> > >
> > > Thanks folks!
> > >
> > > ======================
> > > Here is the MCP report:
> > > ======================
> > >
> > > From: "MailScanner" <$localpostmaster>
> > > To: $to
> > > Subject: Banned content stored for review
> > > X-MailScanner: generated
> > >
> > > Our message content detectors have been triggered by a
> > > message you received:-
> > > From: $from
> > > Subject: $subject
> > > Date: $date
> > > This message has been quarantined for review before delivery.
> > >
> > > If you have any questions about this, or you believe you
> have received
> > > this message in error, please contact the site system
> administrators.
> > >
> > > Your system administrators will need the following information:
> > > Server name: $hostname
> > > Message id: $id
> > > Date code: $datenumber
> > >
> > > --
> > > MailScanner
> > > Email Virus Scanner
> > > www.mailscanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > De: "MailScanner" <$localpostmaster>
> > À: $to
> > X-MailScanner: generated
> > Objet: Contenu interdit conservé pour révision
> >
> > Notre vérificateur de contenu de messages a été déclanché
> par un message que vous avez reçu:-
>
> Notre vérificateur de contenu de messages a été activé par un message
> que vous avez reçu:
>
> >
> > De: $from
> > Objet: $subject
> > Date: $date
> >
> > Ce message a été mis en quarantaine pour révision avant sa
> livraison.
> >
> > Si vous avez des questions à ce sujet, ou si vous croyez
> avoir reçu ce message
> > en erreur, veuillez contacter les administrateurs de
> système de votre site.
>
> par erreur, veuillez contacter les administrateurs de système de votre
> site.
>
> >
> > Vos administrateurs de système auront besoin de
> l'information suivante:
> >
> > Nom du serveur: $hostname
> > Numéro d'identification du message: $id
> > Code de date: $datenumber
> >
> > > ======================
> > > And here is the spam report:
> > > ======================
> > >
> > > From: "MailScanner" <$localpostmaster>
> > > To: $to
> > > Subject: Unsolicited commercial email not delivered
> > > X-MailScanner: generated
> > >
> > > Our UCE (spam) detectors have been triggered by a message you
> > > received:-
> > > From: $from
> > > Subject: $subject
> > > Date: $date
> > > This message has not been delivered. The detectors that were
> > > triggered are
> > > $spamreport.
> > >
> > > The message to you has been detected as spam based on either
> > > its contents or
> > > the mail server which sent the message to us, or both.
> > >
> > > We do not accept unsolicited commercial (spam) e-mail and actively
> > > work to stop it.
> > >
> > > If you have any questions about this, or you believe you
> have received
> > > this message in error, please contact the site system
> administrators.
> > >
> > > Your system administrators will need the following information:
> > > Server name: $hostname
> > > Message id: $id
> > > Date code: $datenumber
> > >
> > De: "MailScanner" <$localpostmaster>
> > À: $to
> > Objet: Unsolicited commercial email not delivered
>
> Objet: Polluriel non livré
>
> > X-MailScanner: generated
> >
> > Notre détecteur de polluriel (spam) a été déclanché par un
> message que vous avez reçu:-
>
> Notre détecteur de polluriel (spam) a été activé par un message que
> vous avez reçu:
>
> > De: $from
> > Objet: $subject
> > Date: $date
> > Ce message ne vous a pas été livré. Le rapport du détecteur est:
> > $spamreport.
> >
> > Ce message vous étant destiné a été détecté comme un
> polluriel, basé sur le serveur de courrier d'origine, son
> contenu, ou les deux.
> >
> > Nous n'acceptons pas de polluriels (spam) et nous
> travaillons pour arrêter ce fléau.
> >
> > Si vous avez des questions à ce sujet, ou si vous croyez
> avoir reçu ce message
> > en erreur, veuillez contacter les administrateurs de
> système de votre site.
>
> par erreur, veuillez contacter les administrateurs de système de votre
> site.
>
> >
> > Vos administrateurs de système auront besoin de
> l'information suivante:
> >
> > Nom du serveur: $hostname
> > Numéro d'identification du message: $id
> > Code de date: $datenumber
> >
> > > --
> > > MailScanner
> > > Email Virus Scanner
> > > www.mailscanner.info
> > > MailScanner thanks transtec Computers for their support
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> >
> > Ugo
> --
> Denis Beauchemin, analyste
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>

From m.sapsed at BANGOR.AC.UK Thu Jan 22 18:35:13 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:00 2006
Subject: CF RULES
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44E@jessica.herefordshire.gov.uk>
Message-ID: <401017E1.6040803@bangor.ac.uk>

Randal, Phil wrote:
> It looks very effective so far. The chickenpox rules give me more problems
> with false positives, so I may have to lower the scores on those.

I took a lot of = signs out of the chickenpox rules because I was
getting quite a few false positives on e-mails to the Samba list - ones
with smb.conf files pasted in!

Cheers,

Martin

--
Martin Sapsed
Information Services                    "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From jfraley at glenraven.com Thu Jan 22 18:39:37 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:00 2006
Subject: is spam
Message-ID: <1074796776.21963.3.camel@jfraleyx.glenraven.com>

How difficult would it be to make the maillog line that lists the
message as spam to also contain the destination address. Currently it
just lists the domain.

> Message i0MGftkf015909 from 198.85.139.28 (j.russell@thriftydog.com) to glenraven.com is spam, SpamAssassin (score=8.317, required 6, BAYES_50 0.00, EXCUSE_14 0.08, HTML_70_80 0.10, HTML_IMAGE_ONLY_06 1.44, HTML_IMAGE_RATIO_04 1.05, HTML_MESSAGE 0.10, LOCAL_DRUGS_MALDYSFUNCTION_OBFU 0.50, LOCAL_DRUGS_MALEDYSFUNCTION 1.00, MIME_HEADER_CTYPE_ONLY 2.23, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_HEADER 0.70, OFFERS_ETC 0.23)

Thanks,
Jon

From dh at UPTIME.AT Thu Jan 22 19:07:29 2004
From: dh at UPTIME.AT (D. Höhn)
Date: Thu Jan 12 21:22:00 2006
Subject: is spam
In-Reply-To: <1074796776.21963.3.camel@jfraleyx.glenraven.com>
References: <1074796776.21963.3.camel@jfraleyx.glenraven.com>
Message-ID: <469521986.1074802049@[192.168.0.25]>

--On Thursday, 22 January 2004 13:39 -0500 Jon Fraley wrote:

> How difficult would it be to make the maillog line that lists the
> message as spam to also contain the destination address. Currently it
> just lists the domain.
>
>> Message i0MGftkf015909 from 198.85.139.28 (j.russell@thriftydog.com) to

i0MGftkf015909
Tells you all you need to know. Simply get the destination addy for that ID

-d

> Jon

From nathan at TCPNETWORKS.NET Thu Jan 22 19:10:10 2004
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
Message-ID:

Can someone please clarify...

Doesn't the sa-learn --rebuild command expire the tokens (if necessary)
by default? Isn't the extra --force-expire option unnecessary if you
regularly rebuild the database?

As an aside, I have been following this thread here and on the sa-talk
list (where surprisingly there were no responses). I too have been having
problems with accumulating lock files and the subsequent creation of
bayes_toks.new. Deleting the lock files and rebuilding the database seems
to fix the problem (albeit temporarily).

Since the common conception seems to be that Bayes is resource and
memory-intensive, I recently upgraded the RAM on this machine from 256MB
to 512MB and haven't seen the problem since. I'm also planning on
increasing the SpamAssassin time out to 50 or 60 seconds, as this system
also seems to have more than its share of overall timeouts on a daily
basis.

Interestingly, while my attempts at sa-learn --rebuild seem to work w/out
issue, adding the --force-expire switch reports the following status.
Subsequent research of this logging suggests that it's more informational
than a true problem. I'm assuming that this is a side-effect of currently
only using auto-learning and not feeding my bayes database enough. Has
anyone else seen this sort of output?

> debug: bayes: Can't use estimation method for expiry, something fishy, calculating optimal atime delta (first pass)
> debug: bayes: atime     token reduction
> debug: bayes: ========  ===============
> debug: bayes: 43200     69735
> debug: bayes: 86400     39541
> debug: bayes: 172800    891
> debug: bayes: 345600    0
> debug: bayes: 691200    0
> debug: bayes: 1382400   0
> debug: bayes: 2764800   0
> debug: bayes: 5529600   0
> debug: bayes: 11059200  0
> debug: bayes: 22118400  0
> debug: bayes: couldn't find a good delta atime, need more token difference, skipping expire.

Nathan

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, January 22, 2004 9:21 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Bayesian shenanigans (i.e. problems)

At 16:52 22/01/2004, you wrote:
>On Thu, 22 Jan 2004, Steve Freegard wrote:
>
> > I haven't been following this thread closely, so apologies if this has
> > already been covered.
>
>It hasn't, so your reply is appreciated!
>
> > Maybe the error is being caused by opportunistic bayes expiry which could
> > take long enough on your system to cause MailScanner to time-out and kill
> > off SA mid-expiry causing your orphaned files??
>
>That sounds very plausible. I have gone even deeper into the "maillog"
>files, and these "Delete bayes ..." for a particular MS process occur
>40 seconds after it starts the spam analysis. And the MS conf has SA
>timeout of 40 seconds. It all fits.
>
>So very promising indeed.
>
> > You could try setting 'bayes_auto_expire 0' in spam.assassin.prefs.conf and
> > then creating nightly cron job to run a script and does an 'sa-learn -p
> > /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'.
>
>Yes, that might be worth a try, at least as proof of concept.
>
>But I wonder whether we need a cleaner solution (remember, a few other
>folk have seen one or other variant of this) that, as default behaviour,
>tries to prevent this. Two possibilities:
>
>1. MS installation-time (and defaults): MS defaults 'bayes_auto_expire 0'
>   and accompanies that with setting the cron job? But setting the cron
>   job is highly OS-specific (i.e. variable!), and overall this doesn't
>   feel quite right.
>
>2. MS run-time: MS defaults 'bayes_auto_expire 0', but at start up (which
>   it generally does every four hours) it does "--rebuild --force-expire",
>   preferably (if possible) by the appropriate subroutine call to SA.
>
>This second feels better and cleaner (although there's a residual issue of
>the near simultaneous start-up of around five MS processes).
>
>Julian: Do you have any thoughts? I'd be happy to try to cobble together
>a proof of concept patch for that second version (although I'd prefer it
>if it arrived fully-fledged on the doorstep!).

The trouble with option 2 is that the child processes start up completely
independently of each other, and doing it once at the startup of every
child process would cause a huge holdup while all n children (n could
easily be 12 on a dual-CPU box) ran their own bayes-expire. However, there
are ways around this, as there always are, so I may be able to come up with
a better solution that would do a bayes expire approximately once every 24
hours or so, which should be plenty. The whole system would have to sit and
hang while this took place, unless I temporarily disabled SpamAssassin (or
*possibly* even just bayes) while it was doing it.

This is going to be a bit of a pig to write :-(
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Thu Jan 22 19:16:36 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:00 2006
Subject: is spam
In-Reply-To: <1074796776.21963.3.camel@jfraleyx.glenraven.com>
References: <1074796776.21963.3.camel@jfraleyx.glenraven.com>
Message-ID: <40102194.6010908@ucgbook.com>

Jon Fraley wrote:
> How difficult would it be to make the maillog line that lists the
> message as spam to also contain the destination address. Currently it
> just lists the domain.

It could be a thousand addresses...

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From mailscanner at ecs.soton.ac.uk Thu Jan 22 20:14:37 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To: <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk>
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk>

What's the exact command people type to do the database expiry?

Just --force-expire or --rebuild as well?

I need to know what to make the code do.

The code is nearly there (but untested).

At 17:21 22/01/2004, you wrote:
>At 16:52 22/01/2004, you wrote:
>>On Thu, 22 Jan 2004, Steve Freegard wrote:
>>
>> > I haven't been following this thread closely, so apologies if this has
>> > already been covered.
>>
>>It hasn't, so your reply is appreciated!
>>
>> > Maybe the error is being caused by opportunistic bayes expiry which could
>> > take long enough on your system to cause MailScanner to time-out and kill
>> > off SA mid-expiry causing your orphaned files??
>>
>>That sounds very plausible. I have gone even deeper into the "maillog"
>>files, and these "Delete bayes ..." for a particular MS process occur
>>40 seconds after it starts the spam analysis. And the MS conf has SA
>>timeout of 40 seconds. It all fits.
>>
>>So very promising indeed.
>>
>> > You could try setting 'bayes_auto_expire 0' in
>> spam.assassin.prefs.conf and
>> > then creating nightly cron job to run a script and does an 'sa-learn -p
>> > /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'.
>>
>>Yes, that might be worth a try, at least as proof of concept.
>>
>>But I wonder whether we need a cleaner solution (remember, a few other
>>folk have seen one or other variant of this) that, as default behaviour,
>>tries to prevent this. Two possibilities:
>>
>>1. MS installation-time (and defaults): MS defaults 'bayes_auto_expire 0'
>>   and accompanies that with setting the cron job? But setting the cron
>>   job is highly OS-specific (i.e. variable!), and overall this doesn't
>>   feel quite right.
>>
>>2. MS run-time: MS defaults 'bayes_auto_expire 0', but at start up (which
>>   it generally does every four hours) it does "--rebuild --force-expire",
>>   preferably (if possible) by the appropriate subroutine call to SA.
>>
>>This second feels better and cleaner (although there's a residual issue of
>>the near simultaneous start-up of around five MS processes).
>>
>>Julian: Do you have any thoughts? I'd be happy to try to cobble together
>>a proof of concept patch for that second version (although I'd prefer it
>>if it arrived fully-fledged on the doorstep!).
>
>The trouble with option 2 is that the child processes start up completely
>independently of each other, and doing it once at the startup of every
>child process would cause a huge holdup while all n children (n could
>easily be 12 on a dual-CPU box) ran their own bayes-expire. However, there
>are ways around this, as there always are, so I may be able to come up with
>a better solution that would do a bayes expire approximately once every 24
>hours or so, which should be plenty. The whole system would have to sit and
>hang while this took place, unless I temporarily disabled SpamAssassin (or
>*possibly* even just bayes) while it was doing it.
>
>This is going to be a bit of a pig to write :-(
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dafydd.tomos at IMAGINET.CO.UK Thu Jan 22 20:33:40 2004
From: dafydd.tomos at IMAGINET.CO.UK (Dafydd Tomos)
Date: Thu Jan 12 21:22:00 2006
Subject: Calling all translators
In-Reply-To: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040122102007.0388eff8@imap.ecs.soton.ac.uk>
Message-ID: <20040122203340.GA6966@imaginet.co.uk>

On Jan 22, 2004, Julian Field wrote:

For the Welsh/English version

MCP:

-->8--
From: "MailScanner" <$localpostmaster>
To: $from
Subject: Cadwyd cynnwys gwaharddedig i'w adolygu/
         Banned content stored for review
X-MailScanner: generated

Mae neges a ddanfonwyd i chi wedi rhoi| Our message content detectors have
ein canfyddwr cynnwys neges ar waith: | been triggered by a message you
                                      | received:
From: $from
Subject: $subject
Date: $date

Mae'r neges hwn wedi ei gadw er mwyn  | This message has been quarantined
ei adolygu cyn ei ddosbarthu.         | for review before delivery.

Os oes gennych unrhyw gwestiynau      | If you have any questions about this,
ynglyn â hyn, neu os ydych yn credu   | or you believe you have received
eich bod wedi derbyn y neges hon ar   | this message in error, please contact
gam, cysylltwch â gweinyddwyr system  | the site system administrators.
y safle.

Mi fydd eich gweinyddwyr system angen | Your system administrators will need
gweld y wybodaeth ganlynol:           | the following information:

Server name: $hostname
Message id: $id
Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mae MailScanner yn diolch i gwmni Transtec Computers am eu cymorth.
MailScanner thanks transtec Computers for their support.
--8<--

Spam report:

-->8--
From: "MailScanner"<$localpostmaster>
To: $to
Subject: Ni ddosbarthwyd e-bost masnachol na ofynnwyd amdano/
         Unsolicited commercial email not delivered
X-MailScanner: generated

Mae neges yr ydych wedi? dderbyn wedi | Our UCE (spam) detectors have been
rhoi ein canfyddwyr UCE (sbam) ar     | triggered by a message you received:-
waith:-                               |
From: $from
Subject: $subject
Date: $date

Ni ddosbarthwyd y neges hon. Dyma'r   | This message has not been delivered.
canfyddwyr a roddwyd ar waith:        | The detectors that were triggered are:
$spamreport.

Mae'r neges a ddanfonwyd i chi wedi   | The message to you has been detected
ei ganfod fel sbam wedi ei seilio ar  | as spam based on either its contents
naill ai gynnwys y neges neu'r        | or the mail server which sent the
gwasanaethydd e-bost a ddanfonodd y   | message to us, or both.
neges i ni, neu'r ddau.               |

Nid ydym yn derbyn e-bost masnachol na| We do not accept unsolicited
ofynnir amdano (sbam), ac rydym yn    | commercial (spam) e-mail and actively
cymryd camau gweithredol i'w atal.    | work to stop it.

Os oes gennych unrhyw gwestiynau      | If you have any questions about this,
ynglyn â hyn, neu os ydych yn credu   | or you believe you have received
eich bod wedi derbyn y neges hon ar   | this message in error, please contact
gam, cysylltwch â gweinyddwyr system  | the site system administrators.
y safle.

Mi fydd eich gweinyddwyr system angen | Your system administrators will need
gweld y wybodaeth ganlynol:           | the following information:

Server name: $hostname
Message id: $id
Date code: $datenumber

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mae MailScanner yn diolch i gwmni Transtec Computers am eu cymorth.
MailScanner thanks transtec Computers for their support.
--8<--

--
Dafydd Tomos
Systems Administrator
Gweinyddwr Systemau
Imaginet Ltd
http://www.imaginet.co.uk/

From rzewnickie at RFA.ORG Thu Jan 22 21:10:50 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:00 2006
Subject: Archive Mail to date stamped mboxes?
Message-ID: <20040122211050.GB15477@rfa.org>

Is there a way to use:
Archive Mail = /var/spool/MailScanner/archive
to have the archive stored in date stamped mboxes for ease of keeping
only a specific number of days archived?

I know setting this to a directory will create subdirectories for each
day, but then the archives are kept as queuefiles.

Thanks,
Eric Rz.

MS 4.25-14 w/postfix on debian stable

From peter at UCGBOOK.COM Thu Jan 22 21:15:10 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To: <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk>
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk>
Message-ID: <40103D5E.3060804@ucgbook.com>

Julian Field wrote:
> What's the exact command people type to do the database expiry?
>
> Just --force-expire or --rebuild as well?
>
> I need to know what to make the code do.
>
> The code is nearly there (but untested).

I use both (sa-learn --rebuild --force-expire) from crontab.

Will this be an optional thing?

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From jaearick at colby.edu Thu Jan 22 21:19:45 2004
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To: <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk>
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

My nightly cron script does:

  LOGFILE=/var/tmp/learn.spam.log
  PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
  SALEARN=/opt/perl5/bin/sa-learn
  $SALEARN --prefs-file=$PREFS --rebuild --force-expire

before doing the ham/spam learning. I too have noticed beaucoup of
bayes_toks.expire$$ files in /var/spool/spamassassin, with "bayes locked"
blurbs in syslog.

My setup: Sol 9, MS 4.25-14, SA 2.63, perl 5.8.2, sophos and clamav-0.65,
razor2.

Jeff Earickson
Colby College

On Thu, 22 Jan 2004, Julian Field wrote:

> Date: Thu, 22 Jan 2004 20:14:37 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Bayesian shenanigans (i.e. problems)
>
> What's the exact command people type to do the database expiry?
>
> Just --force-expire or --rebuild as well?
>
> I need to know what to make the code do.
>
> The code is nearly there (but untested).
>
> At 17:21 22/01/2004, you wrote:
> >At 16:52 22/01/2004, you wrote:
> >>On Thu, 22 Jan 2004, Steve Freegard wrote:
> >>
> >> > I haven't been following this thread closely, so apologies if this has
> >> > already been covered.
> >>
> >>It hasn't, so your reply is appreciated!
> >>
> >> > Maybe the error is being caused by opportunistic bayes expiry which could
> >> > take long enough on your system to cause MailScanner to time-out and kill
> >> > off SA mid-expiry causing your orphaned files??
> >>
> >>That sounds very plausible. I have gone even deeper into the "maillog"
> >>files, and these "Delete bayes ..." for a particular MS process occur
> >>40 seconds after it starts the spam analysis. And the MS conf has SA
> >>timeout of 40 seconds. It all fits.
> >>
> >>So very promising indeed.
> >>
> >> > You could try setting 'bayes_auto_expire 0' in
> >> spam.assassin.prefs.conf and
> >> > then creating nightly cron job to run a script and does an 'sa-learn -p
> >> > /etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire'.
> >>
> >>Yes, that might be worth a try, at least as proof of concept.
> >>
> >>But I wonder whether we need a cleaner solution (remember, a few other
> >>folk have seen one or other variant of this) that, as default behaviour,
> >>tries to prevent this. Two possibilities:
> >>
> >>1. MS installation-time (and defaults): MS defaults 'bayes_auto_expire 0'
> >>   and accompanies that with setting the cron job? But setting the cron
> >>   job is highly OS-specific (i.e. variable!), and overall this doesn't
> >>   feel quite right.
> >>
> >>2. MS run-time: MS defaults 'bayes_auto_expire 0', but at start up (which
> >>   it generally does every four hours) it does "--rebuild --force-expire",
> >>   preferably (if possible) by the appropriate subroutine call to SA.
> >>
> >>This second feels better and cleaner (although there's a residual issue of
> >>the near simultaneous start-up of around five MS processes).
> >>
> >>Julian: Do you have any thoughts? I'd be happy to try to cobble together
> >>a proof of concept patch for that second version (although I'd prefer it
> >>if it arrived fully-fledged on the doorstep!).
> >
> >The trouble with option 2 is that the child processes start up completely
> >independently of each other, and doing it once at the startup of every
> >child process would cause a huge holdup while all n children (n could
> >easily be 12 on a dual-CPU box) ran their own bayes-expire. However, there
> >are ways around this, as there always are, so I may be able to come up with
> >a better solution that would do a bayes expire approximately once every 24
> >hours or so, which should be plenty.
> >The whole system would have to sit and
> >hang while this took place, unless I temporarily disabled SpamAssassin (or
> >*possibly* even just bayes) while it was doing it.
> >
> >This is going to be a bit of a pig to write :-(
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From mailscanner at ecs.soton.ac.uk Thu Jan 22 21:28:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:00 2006
Subject: Archive Mail to date stamped mboxes?
In-Reply-To: <20040122211050.GB15477@rfa.org>
References: <20040122211050.GB15477@rfa.org>
Message-ID: <6.0.1.1.2.20040122212708.0421b458@imap.ecs.soton.ac.uk>

At 21:10 22/01/2004, you wrote:
>Is there a way to use:
>Archive Mail = /var/spool/MailScanner/archive
>to have the archive stored in date stamped mboxes for ease of keeping
>only a specific number of days archived?

You can create the empty file with the date on the end, and make the
/var/spool/MailScanner/archive a soft-link to the read dated filename. Once
a day you create the new dated filename and move the soft link.

>I know setting this to a directory will create subdirectories for each
>day, but then the archives are kept as queuefiles.
>
>Thanks,
>Eric Rz.
>
>MS 4.25-14 w/postfix on debian stable

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 22 21:30:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:00 2006
Subject: Bayesian shenanigans (i.e. problems)
In-Reply-To: <40103D5E.3060804@ucgbook.com>
References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk> <40103D5E.3060804@ucgbook.com>
Message-ID: <6.0.1.1.2.20040122213034.04217dd8@imap.ecs.soton.ac.uk>

At 21:15 22/01/2004, you wrote:
>Julian Field wrote:
>>What's the exact command people type to do the database expiry?
>>
>>Just --force-expire or ---rebuild as well?
>>
>>I need to know what to make the code do.
>>
>>The code is nearly there (but untested).
>
>I use both (sa-learn --rebuild --force-expire) from crontab.

Thanks. That's what I thought.

>Will this be an optional thing?

Of course.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Thu Jan 22 21:51:14 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
Message-ID:

Julian,

Here's a puzzle...
Our modem pool (137.146.110.0/24) is listed on dnsbl.sorbs.net, CBL,
t1.bl.reynolds.net.au. Ok, good. But if I use "Spam List = SORBS-DNSBL"
in MS, then all of my modem users get their outbound email tagged with
{Spam?} in the subject line, which really annoys my users and makes me
look like an idiot -- even if they are doing the right thing and sending
their email thru our mail-hub. How to prevent this, yet still use SORBS,
CBL, etc?

Jeff Earickson
Colby College

From ugob at CAMO-ROUTE.COM Thu Jan 22 21:56:18 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
Message-ID: <54C38A0B814C8E438EF73FC76F362927410810@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Jeff A. Earickson [mailto:jaearick@COLBY.EDU]
> Sent: Thursday, January 22, 2004 4:51 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MS punishes my own modem pool
>
>
> Julian,
>
> Here's a puzzle... Our modem pool (137.146.110.0/24) is
> listed on dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok,
> good. But if I use "Spam List = SORBS-DNSBL" in MS, then
> all of my modem users get their outbound email tagged with
> {Spam?} in the subject line, which really annoys my users
> and makes me look like an idiot -- even if they are doing
> the right thing and sending their email thru our mail-hub.
> How to prevent this, yet still use SORBS, CBL, etc?

Create a ruleset that excludes your IP network, with the setting "Spam List = "

See the ruleset tutorial in the FAQ for a good startup.

hth

Ugo

>
> Jeff Earickson
> Colby College
>

From mailscanner-user at NELAND.DK Fri Jan 23 00:13:36 2004
From: mailscanner-user at NELAND.DK (Leif Neland)
Date: Thu Jan 12 21:22:00 2006
Subject: ETRN help
Message-ID:

On Mon, 10 Nov 2003 18:24:07 +0000, Kevin Spicer wrote:
>Yes, there is a very good reason why the noetrn option is in the init
>script, it should not be removed. ETRN commands are received by the
>_listening_ sendmail process and cause it to run its queue looking for
>messages for the appropriate domain. Because mailscanner splits the
>sendmail process this means issuing a ETRN actually causes the listening
>sendmail process to run the incoming queue (which is its queue) - this
>means it will only deliver mail that has not yet been scanned, mail that
>has been scanned sits happily in the outgoing queue. Because the
>outgoing queue belongs to a different sendmail process it is unaffected
>by the ETRN commands issued to the incoming sendmail.
>In actual fact allowing ETRN also causes additional serious problems, it
>introduces a race condition that can lead to the receipt of partial
>messages.

Any ideas for having ETRN functionality? I need it, because I have a
couple of servers which dial in and send ETRN to get their queued mail.
Both receiving and sending server runs Linux, so I can script what's
needed.

Leif

From zabriskw at ITECH.NET Thu Jan 22 22:01:34 2004
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
References:
Message-ID: <001e01c3e133$4c9ff940$0c02a8c0@itech.dom>

In your spam rules.. Whitelist your From your domain

----- Original Message -----
From: "Jeff A. Earickson"
To:
Sent: Thursday, January 22, 2004 4:51 PM
Subject: MS punishes my own modem pool

> Julian,
>
> Here's a puzzle... Our modem pool (137.146.110.0/24) is
> listed on dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok,
> good. But if I use "Spam List = SORBS-DNSBL" in MS, then
> all of my modem users get their outbound email tagged with
> {Spam?} in the subject line, which really annoys my users
> and makes me look like an idiot -- even if they are doing
> the right thing and sending their email thru our mail-hub.
> How to prevent this, yet still use SORBS, CBL, etc?
>
> Jeff Earickson
> Colby College
>

From rzewnickie at RFA.ORG Thu Jan 22 22:04:16 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:00 2006
Subject: postfix-specific method to feed spam/ham to sa-learn
Message-ID: <20040122220341.GC15477@rfa.org>

I worked out one (naive?) way to get user feedback on false positives
and false negatives using postfix and MS when users are only using pop
and outlook. I'm not going to be using this method, but wanted to share
it in case someone else needed to do it this way. (and also to get
feedback on whether it's even a valid approach). Probably someone better
than me at shell scripting and regular expressions could do this better
and more succinctly.

I set this in MailScanner.conf:
Archive Mail = /var/spool/MailScanner/archive/

Which creates a directory for each day containing a copy of the original
queuefile for each message. I took this approach because it seemed it
would be very easy to set up a simple cronjob that deleted directories
older than x days.

Basically the only feedback required from the user is to send the
headers to either a spam@dom.tld or notspam@dom.tld. To get to the full
headers in Outlook:
1) open the message in its own window
2) select View -> Options
3) the dialog box contains a scroll window at the bottom labeled
   "Internet Headers". Cut and paste the text from there into a new
   message.

Getting the headers this way has been deemed too much work for the
users, so I'm working out another feedback method. But, anyway, with the
headers in the bodies of messages in an mbox I was able to get the date
and queuefile-id with these two command lines (broken with \):

# message id
cat /var/mail/spam | \
formail -I "" -s | \
grep -A2 "^Received:" | \
grep "by host.dom.tld (Postfix) with .*SMTP" | \
cut -d" " -f8

# date directory
cat /var/mail/spam | \
formail -I "" -s | \
grep -A3 "^Received:" | \
grep "for <.*@dom.tld>; ..., .. ... ...." | \
cut -d";" -f 2 | \
xargs -i date -d {} +%Y%m%d

Thus far, I've just been feeding that output in pairs into the simple
script below. If I were going further with this approach I'd have added
the commands above to the script.

#!/bin/bash
# arguments: date directory, queue file id, and "spam" or "ham"
archive_dir=/var/spool/MailScanner/archive
sa_prefs=/opt/MailScanner/etc/spam.assassin.prefs.conf
date_dir=$1
queue_file=$2
spam_or_ham=$3
queue_file_path="$archive_dir/$date_dir/$queue_file"
# number of lines postcat prints for this queue file
line_count=$(postcat "$queue_file_path" | wc -l)
# drop the first 6 and the last 4 lines of the postcat output
# and feed the rest to sa-learn
postcat "$queue_file_path" | \
tail -n "$((line_count-6))" | \
head -n "$((line_count-10))" | \
sa-learn "--$spam_or_ham" -p "$sa_prefs"

Well, that's it. Hopefully it's useful to someone. Apologies if this is
silly or useless.

-Eric Rz.
(now to figure this out with forwarded fp/fn and archive as an mbox ...
should be doable.)

From ugob at CAMO-ROUTE.COM Thu Jan 22 22:03:58 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
Message-ID: <54C38A0B814C8E438EF73FC76F362927410811@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Kris Zabriskie [mailto:zabriskw@ITECH.NET]
> Sent: Thursday, January 22, 2004 5:02 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MS punishes my own modem pool
>
>
> In your spam rules.. Whitelist your From your domain

True. Better than my idea. Also check for the filename/filetype
settings, your users may get pissed off if you filter the .exe.

>
> ----- Original Message -----
> From: "Jeff A. Earickson"
> To:
> Sent: Thursday, January 22, 2004 4:51 PM
> Subject: MS punishes my own modem pool
>
>
> > Julian,
> >
> > Here's a puzzle... Our modem pool (137.146.110.0/24) is
> > listed on dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok,
> > good. But if I use "Spam List = SORBS-DNSBL" in MS, then
> > all of my modem users get their outbound email tagged with
> > {Spam?} in the subject line, which really annoys my users
> > and makes me look like an idiot -- even if they are doing
> > the right thing and sending their email thru our mail-hub.
> > How to prevent this, yet still use SORBS, CBL, etc?
> >
> > Jeff Earickson
> > Colby College
> >
>

From support at EAGLE-ACCESS.NET Thu Jan 22 22:12:06 2004
From: support at EAGLE-ACCESS.NET (Eagle Net Support)
Date: Thu Jan 12 21:22:00 2006
Subject: MS not deleting spam
Message-ID: <40104AB5.7FB04714@eagle-access.net>

I never could get MailScanner-4.25-14 working. I spent days wading
through conflicting docs, disorganized FAQ's and searches in archives
that just don't seem to find or work right. Most of the problems 'I
think' were install issues. I'm not too good at the technical issues
but I sure could straighten out some of the docs with crummy info, so
that may be where I could plug in.

In any event, I decided to try the openprotect package and it went right
in in minutes and started as advertised. I made more progress in five
minutes than the last five days.

So now I'm at the debug stage and hardly know where to begin. It looks
like about half of the spams (real rough est.) are getting blocked
successfully. About half are getting through with the tag in the
subject line with:

Subject: {Spam?} Be your own boss tapir

How do I get the rest of these mails to not go to the clients? They are
apparently successfully being recognized as spam.

Are there any other good known things to be implemented to get a good
starting base for spam filtering?

Are all the default RBL entries built in, needed, and are there any
others that should be added?

Finally, is there an 'after install' docs or mail archive that addresses
the potential after install buffing issues?

Thanks any help would be greatly appreciated. I hope I didn't ask too
many questions at once.....

joe

--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.

From danielk at AVALONPUB.COM Thu Jan 22 22:24:59 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
Message-ID:

> >In your spam rules.. Whitelist your From your domain

>True. Better than my idea. Also check for the filename/filetype settings, your users may get pissed
>off if you filter the .exe.

Actually, I think that whitelisting the IPs would be better than
whitelisting the domain because it's a common spammer tactic to send
from user@mydomain.com.

Within MailScanner complete whitelisting is the only option. However,
the SpamAssassin blacklist checks are much more configurable. If you're
interested in spam checking mail from your dialup users you could use
SA's blacklist checks and make use of the trusted_networks config option
in SpamAssassin. That would still run the pattern matching type rules on
local dialup email, but disable network checks.

http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html

Daniel

> > Julian,
> >
> > Here's a puzzle... Our modem pool (137.146.110.0/24) is listed on
> > dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok, good. But if I
> > use "Spam List = SORBS-DNSBL" in MS, then all of my modem users get
> > their outbound email tagged with {Spam?} in the subject line, which
> > really annoys my users and makes me look like an idiot -- even if
> > they are doing the right thing and sending their email thru our
> > mail-hub. How to prevent this, yet still use SORBS, CBL, etc?
> >
> > Jeff Earickson
> > Colby College
> >

From danielk at AVALONPUB.COM Thu Jan 22 22:30:02 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:22:00 2006
Subject: MS punishes my own modem pool
Message-ID:

> > >In your spam rules.. Whitelist your From your domain
>
> >True. Better than my idea. Also check for the filename/filetype
> >settings, your users may get pissed
> >off if you filter the .exe.
>

Rereading Ugo's mail I notice he used the Spam List config option, not
whitelisting. That would still run your normal SA checks. So disregard
that part. The part about using IPs instead of domain names still stands
(unless I misread something else too)....

Always triple check mail sent to lists.

Daniel

>
> > > Julian,
> > >
> > > Here's a puzzle... Our modem pool (137.146.110.0/24) is listed on
> > > dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok, good. But if I
> > > use "Spam List = SORBS-DNSBL" in MS, then all of my modem users get
> > > their outbound email tagged with {Spam?} in the subject line, which
> > > really annoys my users and makes me look like an idiot -- even if
> > > they are doing the right thing and sending their email thru our
> > > mail-hub. How to prevent this, yet still use SORBS, CBL, etc?
> > >
> > > Jeff Earickson
> > > Colby College
> > >
>

From ugob at CAMO-ROUTE.COM Thu Jan 22 22:35:38 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:00 2006
Subject: MS not deleting spam
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132E7@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
> Sent: Thursday, January 22, 2004 5:12 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MS not deleting spam
>
>
> I never could get MailScanner-4.25-14 working. I spent days wading
> through conflicting docs, disorganized FAQ's and searches in archives
> that just don't seem to find or work right.

You should have written us sooner then... that's our job :)

> Most of the problems 'I
> think' were install issues. I'm not too good at the technical issues
> but I sure could straighten out some of the docs with crummy info, so
> that may be where I could plug in.
>
> In any event, I decided to try the openprotect package and it went right
> in in minutes and started as advertised. I made more progress in five
> minutes than the last five days.
>
> So now I'm at the debug stage and hardly know where to begin. It looks
> like about half of the spams (real rough est.) are getting blocked
> successfully. About half are getting through with the tag in the
> subject line with:
>
> Subject: {Spam?} Be your own boss tapir
>
> How do I get the rest of these mails to not go to the clients? They are
> apparently successfully being recognized as spam.

What is apparently your problem is that you didn't realize that there
were 2 settings for spam:

High Scoring Spam Actions

and

Spam Actions

-What probably happens here is that your Spam Actions is set to deliver
and High Scoring is set to delete

Set both to store delete or just delete if you don't want to store them.

>
> Are there any other good known things to be implemented to get a good
> starting base for spam filtering?

Probably install Razor, DCC, Pyzor, which is pretty straightforward,
then maybe check for special spamassassin rules...

>
> Are all the default RBL entries built in, needed, and are there any
> others that should be added?

This is a personal thing. Your setup is basically very good, so just
stay tuned on this list to learn what is changing. And maybe give a look
at the threads about bigevil.cf a few days ago.

>
> Finally, is there an 'after install' docs or mail archive that addresses
> the potential after install buffing issues?

Hmm, this is the job list. What happens is that mail hosting is such a
complex thing and the setups vary so much from one person to the other,
what usually happens is that one installs it, comes on the list for
"after install buffing issues", then writes his own doc for his site. At
least that is what I've done.

Some people will write their own, very complex rules, and some others
will stay close to the default setup.
It all depends on your need.

>
> Thanks any help would be greatly appreciated. I hope I didn't ask too
> many questions at once.....

That is ok. But more importantly, stay subscribed to this list.

>
> joe
>
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.
>

From rzewnickie at RFA.ORG Thu Jan 22 22:39:55 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:00 2006
Subject: Archive Mail to date stamped mboxes?
In-Reply-To: <6.0.1.1.2.20040122212708.0421b458@imap.ecs.soton.ac.uk>
References: <20040122211050.GB15477@rfa.org> <6.0.1.1.2.20040122212708.0421b458@imap.ecs.soton.ac.uk>
Message-ID: <20040122223955.GE15477@rfa.org>

Ah, thanks. So simple. Should've thought of that myself.

Is there any danger that MS would be writing to the soft linked file at
the time the link is moved?

Thanks again,
Eric Rz.

On Thu, Jan 22, 2004 at 09:28:09PM +0000, Julian Field wrote:
> At 21:10 22/01/2004, you wrote:
> >Is there a way to use:
> >Archive Mail = /var/spool/MailScanner/archive
> >to have the archive stored in date stamped mboxes for ease of keeping
> >only a specific number of days archived?
>
> You can create the empty file with the date on the end, and make the
> /var/spool/MailScanner/archive a soft-link to the read dated filename. Once
> a day you create the new dated filename and move the soft link.
>
>
> >I know setting this to a directory will create subdirectories for each
> >day, but then the archives are kept as queuefiles.
> >
> >Thanks,
> >Eric Rz.
> >
> >MS 4.25-14 w/postfix on debian stable
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From support at EAGLE-ACCESS.NET Thu Jan 22 23:55:27 2004
From: support at EAGLE-ACCESS.NET (Eagle Net Support)
Date: Thu Jan 12 21:22:01 2006
Subject: MS not deleting spam
References: <54C38A0B814C8E438EF73FC76F3629273132E7@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <401062EF.4ACF101C@eagle-access.net>

Ugo Bellavance wrote:

> > -----Original Message-----
> > From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
> > Sent: Thursday, January 22, 2004 5:12 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: MS not deleting spam
> >
> >
>
> > How do I get the rest of these mails to not go to the clients? They are
> > apparently successfully being recognized as spam.
>
> What is apparently your problem is that you didn't realize that there were 2 settings for spam:
>
> High Scoring Spam Actions
>
> and
>
> Spam Actions
>
> -What probably happens here is that your Spam Actions is set to deliver and High Scoring is set to delete
>
> Set both to store delete or just delete if you don't want to store them.

Which file am I looking to edit for 'High Scoring Spam Actions' and
'Spam Actions'?

joe

>
>
> >
> > Are there any other good known things to be implemented to get a good
> > starting base for spam filtering?
>
> Probably install Razor, DCC, Pyzor, which is pretty straightforward, then maybe check for special spamassassin rules...
>
> >
> > Are all the default RBL entries built in, needed, and are there any
> > others that should be added?
>
> This is a personal thing. Your setup is basically very good, so just stay tuned on this list to learn what is changing. And maybe give a look at the threads about bigevil.cf a few days ago.
> >
> > Finally, is there an 'after install' docs or mail archive that addresses
> > the potential after install buffing issues?
>
> Hmm, this is the job list. What happens is that mail hosting is such a complex thing and the setups vary so much from one person to the other, what usually happens is that one installs it, comes on the list for "after install buffing issues", then writes his own doc for his site. At least that is what I've done.
>
> Some people will write their own, very complex rules, and some others will stay close to the default setup. It all depends on your need.
>
> >
> > Thanks any help would be greatly appreciated. I hope I didn't ask too
> > many questions at once.....
>
> That is ok. But more importantly, stay subscribed to this list.
> >
> > joe
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content, and is believed to be clean.
> >
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.

--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.

From ugob at CAMO-ROUTE.COM Thu Jan 22 23:55:50 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:01 2006
Subject: MS not deleting spam
Message-ID: <54C38A0B814C8E438EF73FC76F362927410819@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
> Sent: Thursday, January 22, 2004 6:55 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MS not deleting spam
>
>
> Ugo Bellavance wrote:
>
> > > -----Original Message-----
> > > From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
> > > Sent: Thursday, January 22, 2004 5:12 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: MS not deleting spam
> > >
> > >
> >
> > > How do I get the rest of these mails to not go to the clients? They are
> > > apparently successfully being recognized as spam.
> >
> > What is apparently your problem is that you didn't realize that there were 2 settings for spam:
> >
> > High Scoring Spam Actions
> >
> > and
> >
> > Spam Actions
> >
> > -What probably happens here is that your Spam Actions is set to deliver and High Scoring is set to delete
> >
> > Set both to store delete or just delete if you don't want to store them.
>
> Which file am I looking to edit for 'High Scoring Spam
> Actions' and 'Spam Actions'?
>
> joe

/etc/MailScanner/MailScanner.conf

This is the key to almost all settings.

hth

Ugo

>
> >
> >
> > >
> > > Are there any other good known things to be implemented to get a good
> > > starting base for spam filtering?
> >
> > Probably install Razor, DCC, Pyzor, which is pretty straightforward, then maybe check for special spamassassin rules...
> >
> > >
> > > Are all the default RBL entries built in, needed, and are there any
> > > others that should be added?
> >
> > This is a personal thing. Your setup is basically very good, so just stay tuned on this list to learn what is changing. And maybe give a look at the threads about bigevil.cf a few days ago.
> > >
> > > Finally, is there an 'after install' docs or mail archive that addresses
> > > the potential after install buffing issues?
> >
> > Hmm, this is the job list. What happens is that mail hosting is such a complex thing and the setups vary so much from one person to the other, what usually happens is that one installs it, comes on the list for "after install buffing issues", then writes his own doc for his site. At least that is what I've done.
> >
> > Some people will write their own, very complex rules, and some others will stay close to the default setup. It all depends on your need.
> >
> > >
> > > Thanks any help would be greatly appreciated. I hope I didn't ask too
> > > many questions at once.....
> >
> > That is ok. But more importantly, stay subscribed to this list.
> > >
> > > joe
> > >
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content, and is believed to be clean.
> > >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content, and is believed to be clean.
>
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.
>

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 22 23:54:22 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:01 2006
Subject: MS not deleting spam
In-Reply-To: <401062EF.4ACF101C@eagle-access.net>
References: <54C38A0B814C8E438EF73FC76F3629273132E7@mtlnt501fs.CAMOROUTE.COM> <401062EF.4ACF101C@eagle-access.net>
Message-ID: <1888.217.114.173.101.1074815662.squirrel@www.blacknightsolutions.com>

You need to set it in the main MailScanner.conf

> Ugo Bellavance wrote:
>
>> > -----Original Message-----
>> > From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
>> > Sent: Thursday, January 22, 2004 5:12 PM
>> > To: MAILSCANNER@JISCMAIL.AC.UK
>> > Subject: MS not deleting spam
>> >
>> >
>>
>> > How do I get the rest of these mails to not go to the clients? They are
>> > apparently successfully being recognized as spam.
>>
>> What is apparently your problem is that you didn't realize that there
>> were 2 settings for spam:
>>
>> High Scoring Spam Actions
>>
>> and
>>
>> Spam Actions
>>
>> -What probably happens here is that your Spam Actions is set to
>> deliver and High Scoring is set to delete
>>
>> Set both to store delete or just delete if you don't want to store
>> them.
>
> Which file am I looking to edit for 'High Scoring Spam Actions' and
> 'Spam Actions'?
>
> joe
>
>>
>>
>> >
>> > Are there any other good known things to be implemented to get a
>> > good starting base for spam filtering?
>>
>> Probably install Razor, DCC, Pyzor, which is pretty straightforward,
>> then maybe check for special spamassassin rules...
>>
>> >
>> > Are all the default RBL entries built in, needed, and are there any
>> > others that should be added?
>>
>> This is a personal thing. Your setup is basically very good, so just
>> stay tuned on this list to learn what is changing. And maybe give a
>> look at the threads about bigevil.cf a few days ago.
>> >
>> > Finally, is there an 'after install' docs or mail archive that addresses
>> > the potential after install buffing issues?
>>
>> Hmm, this is the job list. What happens is that mail hosting is such
>> a complex thing and the setups vary so much from one person to the
>> other, what usually happens is that one installs it, comes on the list
>> for "after install buffing issues", then writes his own doc for his
>> site. At least that is what I've done.
>>
>> Some people will write their own, very complex rules, and some others
>> will stay close to the default setup. It all depends on your need.
>>
>> >
>> > Thanks any help would be greatly appreciated. I hope I didn't ask
>> > too many questions at once.....
>>
>> That is ok. But more importantly, stay subscribed to this list.
>> >
>> > joe
>> >
>> >
>> > --
>> > This message has been scanned for viruses and
>> > dangerous content, and is believed to be clean.
>> >
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content, and is believed to be clean.
>
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.

--
Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
Tel. 059-9139897
.ie registration from ?45!

From kevins at BMRB.CO.UK Fri Jan 23 07:23:48 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:01 2006
Subject: ETRN help
In-Reply-To:
References:
Message-ID: <1074842636.3673.2.camel@bach.kevinspicer.co.uk>

On Fri, 2004-01-23 at 00:13, Leif Neland wrote:
> On Mon, 10 Nov 2003 18:24:07 +0000, Kevin Spicer wrote:
>
> Any ideas for having ETRN functionality? I need it, because I have a
> couple of servers which dial in and send ETRN to get their queued mail.
> Both receiving and sending server runs Linux, so I can script what's
> needed.

As you control both servers how about using POP3 with fetchmail?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From support at EAGLE-ACCESS.NET Fri Jan 23 07:53:33 2004
From: support at EAGLE-ACCESS.NET (Eagle Net Support)
Date: Thu Jan 12 21:22:01 2006
Subject: MS not deleting spam
References: <54C38A0B814C8E438EF73FC76F362927410819@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4010D2FD.FD41C68F@eagle-access.net>

>
> > > > How do I get the rest of these mails to not go to the clients? They are
> > > > apparently successfully being recognized as spam.
> > >
> > > What is apparently your problem is that you didn't realize that there were 2 settings for spam:
> > >
> > > High Scoring Spam Actions
> > >
> > > and
> > >
> > > Spam Actions
> > >
> > > -What probably happens here is that your Spam Actions is set to deliver and High Scoring is set to delete
> > >
> > > Set both to store delete or just delete if you don't want to store them.
> >
> > Which file am I looking to edit for 'High Scoring Spam
> > Actions' and 'Spam Actions'?
> >
> > joe
>
> /etc/MailScanner/MailScanner.conf

That's the first place I looked.
Silly mistake though, my search string I used was "/high scoring" instead of the correct string /High Scoring : '} But that did the trick. I'm stopping about 75% of the spam now. I've been reading the bigevil.cf list recommends you mentioned and will put it on in the morn. I'm shooting for filtering 90%+ BTW the "store delete" entry stopped this list. ??? Had to whitelist in.... Is this an aberration to this list or can I expect clients will loose access to their lists until I whitelist them? : '} Thanks joe Ugo Bellavance wrote: > > -----Message d'origine----- > > De : Eagle Net Support [mailto:support@EAGLE-ACCESS.NET] > > Envoy? : Thursday, January 22, 2004 6:55 PM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : Re: MS not deleting spam > > > > > > Ugo Bellavance wrote: > > > > > > -----Message d'origine----- > > > > De : Eagle Net Support [mailto:support@EAGLE-ACCESS.NET] > > > > Envoy? : Thursday, January 22, 2004 5:12 PM > > > > ? : MAILSCANNER@JISCMAIL.AC.UK > > > > Objet : MS not deleting spam > > > > > > > > > > > > > > This is the key to almost all settings. > > hth > > Ugo > > > > > > > > > > > > > > > > Are there any other good known things to be implemented > > to get a good > > > > starting base for spam filtering? > > > > > > Probably install Razor, DCC, Pyzor, which is pretty > > straightforward, then maybe check for special spamassassin rules... > > > > > > > > > > > Are all the default RBL entries built in, needed, and are > > there any > > > > others that should be added? > > > > > > This is a personal thing. Your setup is basically very > > good, so just stay tuned on this list to learn what is > > changing. And maybe give a look at the threads about > > bigevil.cf a few days ago. > > > > > > > > Finally, is there an 'after install' docs or mail archive > > > > that addresses > > > > the potential after install buffing issues? > > > > > > Hmm, this is the job list. 
What happens is that mail
> > hosting is such a complex thing and the setups vary so much
> > from one person to the other, what usually happens is that
> > one installs it, comes on the list for "after install buffing
> > issues", then writes his own doc for his site. At least that
> > is what I've done.
> > >
> > > Some people will write their own, very-complex rules, and
> > some others will stay close to the default setup. It all
> > depends on your need.
> > >
> > > > Thanks any help would be greatly appreciated. I hope I
> > didn't ask too
> > > > many questions at once.....
> > >
> > > That is ok. But more importantly, stay subscribed to this list.
> > >
> > > > joe
> > > >
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content, and is believed to be clean.
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content, and is believed to be clean.
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content, and is believed to be clean.
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.

--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Jan 23 08:42:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Archive Mail to date stamped mboxes?
In-Reply-To: <20040122223955.GE15477@rfa.org>
References: <20040122211050.GB15477@rfa.org> <6.0.1.1.2.20040122212708.0421b458@imap.ecs.soton.ac.uk> <20040122223955.GE15477@rfa.org>
Message-ID: <6.0.1.1.2.20040123084124.03f3cff0@imap.ecs.soton.ac.uk>

At 22:39 22/01/2004, you wrote:
>Ah, thanks. So simple. Should've thought of that myself.
>
>Is there any danger that MS would be writing to the soft linked file at
>the time the link is moved?

That could happen, but the file it has open is the real file, not any
link to it, so you are quite safe. The message will be written to the
old file completely.

>Thanks again,
>Eric Rz.
>
>On Thu, Jan 22, 2004 at 09:28:09PM +0000, Julian Field wrote:
> > At 21:10 22/01/2004, you wrote:
> > >Is there a way to use:
> > >Archive Mail = /var/spool/MailScanner/archive
> > >to have the archive stored in date stamped mboxes for ease of keeping
> > >only a specific number of days archived?
> >
> > You can create the empty file with the date on the end, and make the
> > /var/spool/MailScanner/archive a soft-link to the real dated filename. Once
> > a day you create the new dated filename and move the soft link.
> >
> > >I know setting this to a directory will create subdirectories for each
> > >day, but then the archives are kept as queuefiles.
> > >
> > >Thanks,
> > >Eric Rz.
> > >
> > >MS 4.25-14 w/postfix on debian stable
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 08:49:19 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Logging scores of non-spam (patch)
In-Reply-To: <13893.1074712459@ofb.net>
References: <13893.1074712459@ofb.net>
Message-ID: <20040123094919.56f7bbec.hakon.eriksen@usit.uio.no>

> For my site, I thought it could be interesting to know the scores of
> mail getting through MailScanner/SpamAssassin without having to
> archive all the messages, to get an idea of how close messages were
> getting to the threshold.
The following two patches (against
> MailScanner 4.25-14) add a "Log Non Spam" option that works just like
> the "Log Spam" option. Hopefully someone else will also find this data
> useful.

Yes, I find it useful. Thank you.

Julian, is there any chance of this making it in to the main
MailScanner-release?

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 08:49:06 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>
References: <8BD06A60242B4341B8919A4AC958C1D01815F5@busted.dandd.com>
Message-ID: <20040123094906.3fbe7bbe.hakon.eriksen@usit.uio.no>

> Just wondering if people wouldn't mind sharing some stats of their box
> and how MailScanner runs.
>
> Like CPU, Memory, OS, Major MailScanner config options and how many
> emails you can handle in an hour.
>

We have five Dell 2650s. Each with 2x2GHz P4 Xeon and 2GB RAM. They all
run RedHat Linux, Exim, MailScanner (duh..), SpamAssassin and Sophos
(with perl-SAVI).

On an average day, they receive about 80 000 messages each, and deliver
apx. 125 000[1]. That adds up to about 2GB incoming and 2.5GB outgoing
data. I haven't done any real benchmarking, but it seems each of them
can handle about 12 000 messages in an hour at most. We could probably
tune them to handle more, though.

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From raymond at PROLOCATION.NET Fri Jan 23 09:05:00 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <20040123094906.3fbe7bbe.hakon.eriksen@usit.uio.no>
Message-ID:

Hi!

> We have five Dell 2650s. Each with 2x2GHz P4 Xeon and 2GB RAM. They all
> run RedHat Linux, Exim, MailScanner (duh..), SpamAssassin and Sophos
> (with perl-SAVI).
>
> On an average day, they receive about 80 000 messages each, and deliver
> apx. 125 000[1]. That adds up to about 2GB incoming and 2.5GB outgoing
> data. I haven't done any real benchmarking, but it seems each of them
> can handle about 12 000 messages in an hour at most. We could probably
> tune them to handle more, though.

You should be able to process at least 2 or three times this total load
in one single box as you describe above...

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Fri Jan 23 09:48:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Logging scores of non-spam (patch)
In-Reply-To: <20040123094919.56f7bbec.hakon.eriksen@usit.uio.no>
References: <13893.1074712459@ofb.net> <20040123094919.56f7bbec.hakon.eriksen@usit.uio.no>
Message-ID: <6.0.1.1.2.20040123094721.035a2e58@imap.ecs.soton.ac.uk>

At 08:49 23/01/2004, you wrote:
> > For my site, I thought it could be interesting to know the scores of
> > mail getting through MailScanner/SpamAssassin without having to
> > archive all the messages, to get an idea of how close messages were
> > getting to the threshold. The following two patches (against
> > MailScanner 4.25-14) add a "Log Non Spam" option that works just like
> > the "Log Spam" option. Hopefully someone else will also find this data
> > useful.
>
>Yes, I find it useful. Thank you.
>
>Julian, is there any chance of this making it in to the main
>MailScanner-release?

Consider it done.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Fri Jan 23 11:15:36 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <20040123102219.20f7836d.hakon.eriksen@usit.uio.no>
Message-ID:

Hi!

> > You should be able to process at least 2 or three times this total
> > load in one single box as you describe above...
> Any tips for optimizing?
>
> I have /var on separate disks (actually they are separate RAID1-sets),
> and /var/MailScanner/incoming on tmpfs. The only RBL I use is ORDB, and
> that is through Exim, not MS. It seems that MailScanner is the most
> CPU-hungry process, and I can't really imagine Exim eating that much
> resources.

Did you disable the per message logs within Exim? I have put online some
stuff in the FAQ about that.

You could mount the disk with noatime to save disk io.

Do you use remote syslogging ?

Bye,
Raymond.

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 11:40:23 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To:
References: <20040123102219.20f7836d.hakon.eriksen@usit.uio.no>
Message-ID: <20040123124023.55bd26af.hakon.eriksen@usit.uio.no>

> Hi!
>
> > > You should be able to process at least 2 or three times this total
> > > load in one single box as you describe above...
>
> > Any tips for optimizing?
> >
> > I have /var on separate disks (actually they are separate
> > RAID1-sets), and /var/MailScanner/incoming on tmpfs. The only RBL I
> > use is ORDB, and that is through Exim, not MS. It seems that
> > MailScanner is the most CPU-hungry process, and I can't really
> > imagine Exim eating that much resources.
>
> Did you disable the per message logs within Exim? I have put online
> some stuff in the FAQ about that.

Yes.

> You could mount the disk with noatime to save disk io.

I tried that on a different setup, but it didn't seem to make much of a
difference. Perhaps I'll try it again and see how it works out.

> Do you use remote syslogging ?

Exim-logs go both on disk and to a remote server, MS logs go just to
disk.

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From smilga at MIKROTIK.COM Fri Jan 23 11:42:58 2004
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:22:01 2006
Subject: Mailscanner attachment
References:
Message-ID: <050101c3e1a6$0c8b1c90$6508050a@martinsss>

Hello,

How can I configure Mailscanner to attach that file which was removed from
original message (virus file or html ) but still warning about it. It could
be like this --> e-mail from mailscanner and in attachment original message.

Best regards,
Martins Smilga

From raymond at PROLOCATION.NET Fri Jan 23 11:44:15 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <20040123124023.55bd26af.hakon.eriksen@usit.uio.no>
Message-ID:

Hi!

> > Did you disable the per message logs within Exim? I have put online
> > some stuff in the FAQ about that.
>
> Yes.
>
> > You could mount the disk with noatime to save disk io.
>
> I tried that on a different setup, but it didn't seem to make much of a
> difference. Perhaps I'll try it again and see how it works out.
>
> > Do you use remote syslogging ?
>
> Exim-logs go both on disk and to a remote server, MS logs go just to
> disk.

You could disable the to disk logging, and also limit the exim remote
stuff, max session per host and so on. but i guess you already do that.

DNS server also separate, for those 4 servers ?

Bye,
Raymond.

From david at PLATFORMHOSTING.COM Fri Jan 23 11:43:42 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <20040123124023.55bd26af.hakon.eriksen@usit.uio.no>
Message-ID: <200401231143.i0NBhfw21917@mx1.mailsecurity.net.au>

>> You could mount the disk with noatime to save disk io.

>I tried that on a different setup, but it didn't seem to make much of a
>difference. Perhaps I'll try it again and see how it works out.

I have moved the MailScanner work directory into ramdisk which has also
helped significantly. As with any high capacity mail application disk IO is
very important, moving the scratch into RAM has helped us significantly.

Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com
========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 12:00:53 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <200401231143.i0NBhfw21917@mx1.mailsecurity.net.au>
References: <20040123124023.55bd26af.hakon.eriksen@usit.uio.no> <200401231143.i0NBhfw21917@mx1.mailsecurity.net.au>
Message-ID: <20040123130053.014e6c46.hakon.eriksen@usit.uio.no>

> >> You could mount the disk with noatime to save disk io.
>
> >I tried that on a different setup, but it didn't seem to make much of
> >a difference. Perhaps I'll try it again and see how it works out.
>
> I have moved the MailScanner work directory into ramdisk which has
> also helped significantly. As with any high capacity mail application
> disk IO is very important, moving the scratch into RAM has helped us
> significantly.

As you'll see further up the thread, I already do that.

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From neilrobst at ALM.ORG.UK Fri Jan 23 09:32:52 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:22:01 2006
Subject: postfix-specific method to feed spam/ham to sa-learn
In-Reply-To: <20040122220341.GC15477@rfa.org>
References: <20040122220341.GC15477@rfa.org>
Message-ID: <1074850371.9816.1.camel@dyn-9-173-7-53.leeds.uk.ibm.com>

On Thu, 2004-01-22 at 22:04, Eric Dantan Rzewnicki wrote:
> I worked out one (naive?) way to get user feedback on false positives
> and false negatives using postfix and MS when users are only using pop
> and outlook. I'm not going to be using this method, but wanted to share
> it in case someone else needed to do it this way. (and also to get
> feedback on whether it's even a valid approach). Probably someone better
> than me at shell scripting and regular expressions could do this better
> and more succinctly.
>
> I set this in MailScanner.conf:
> Archive Mail = /var/spool/MailScanner/archive/
>
> Which creates a directory for each day containing a copy of the original
> queuefile for each message. I took this approach because it seemed it
> would be very easy to set up a simple cronjob that deleted directories
> older than x days.
>
> Basically the only feedback required from the user is to send the
> headers to either a spam@dom.tld or notspam@dom.tld.
>
> To get to the full headers in Outlook:
> 1) open the message in its own window
> 2) select View -> Options
> 3) the dialog box contains a scroll window at the bottom labeled
> "Internet Headers". Cut and paste the text from there into a new
> message.
>
> Getting the headers this way has been deemed too much work for the
> users, so I'm working out another feedback method.
But, anyway, with the
> headers in the bodies of messages in an mbox I was able to get the date
> and queuefile-id with these two command lines (broken with \):

Eric, you can also get the headers if you get the users to forward the
original mail as an attachment. In Outlook Express you can do this by
going to the Tools menu (I think) and selecting Forward as attachment...

> # message id
> cat /var/mail/spam | \
> formail -I "" -s | \
> grep -A2 "^Received:" | \
> grep "by host.dom.tld (Postfix) with .*SMTP" | \
> cut -d" " -f8
>
> # date directory
> cat /var/mail/spam | \
> formail -I "" -s | \
> grep -A3 "^Received:" | \
> grep "for <.*@dom.tld>; ..., .. ... ...." | \
> cut -d";" -f 2 | \
> xargs -i date -d {} +%Y%m%d
>
> Thus far, I've just been feeding that output in pairs into the simple
> script below. If I were going further with this approach I'd have added
> the commands above to the script.
>
> #!/bin/bash
>
> archive_dir=/var/spool/MailScanner/archive
> sa_prefs=/opt/MailScanner/etc/spam.assassin.prefs.conf
> date_dir=$1
> queue_file=$2
> spam_or_ham=$3
> queue_file_path=$archive_dir/$date_dir/$queue_file
> line_count=`postcat $queue_file_path | wc -l`
> postcat $queue_file_path | \
> tail -$(($line_count-6)) | \
> head -$(($line_count-10)) | \
> sa-learn --$spam_or_ham -p $sa_prefs
>
>
> Well, that's it. Hopefully it's useful to someone. Apologies if this is
> silly or useless.
>
> -Eric Rz.
> (now to figure this out with forwarded fp/fn and archive as an mbox ...
> should be doable.)

Regards,

Neil

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 09:22:19 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To:
References: <20040123094906.3fbe7bbe.hakon.eriksen@usit.uio.no>
Message-ID: <20040123102219.20f7836d.hakon.eriksen@usit.uio.no>

> Hi!
>
> > We have five Dell 2650s. Each with 2x2GHz P4 Xeon and 2GB RAM.
They
> > all run RedHat Linux, Exim, MailScanner (duh..), SpamAssassin and
> > Sophos(with perl-SAVI).
> >
> > On an average day, they receive about 80 000 messages each, and
> > deliver apx. 125 000[1]. That adds up to about 2GB incoming and
> > 2.5GB outgoing data. I haven't done any real benchmarking, but it
> > seems each of them can handle about 12 000 messages in an hour at
> > most. We could probably tune them to handle more, though.
>
> You should be able to process at least 2 or three times this total
> load in one single box as you describe above...
>

Any tips for optimizing?

I have /var on separate disks (actually they are separate RAID1-sets),
and /var/MailScanner/incoming on tmpfs. The only RBL I use is ORDB, and
that is through Exim, not MS. It seems that MailScanner is the most
CPU-hungry process, and I can't really imagine Exim eating that much
resources.

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From m.sapsed at BANGOR.AC.UK Fri Jan 23 09:23:38 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:22:01 2006
Subject: CF RULES
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C44E@jessica.herefordshire.gov.uk> <401017E1.6040803@bangor.ac.uk>
Message-ID: <4010E81A.90909@bangor.ac.uk>

Me again!

Martin Sapsed wrote:
> Randal, Phil wrote:
>
>> It looks very effective so far. The chickenpox rules give me more
>> problems
>> with false positives, so I may have to lower the scores on those.
>
> I took a lot of = signs out of the chickenpox rules because I was
> getting quite a few false positives on e-mails to the Samba list - ones
> with smb.conf files pasted in!

and now I've taken it out altogether after some more FPs.

At the moment the local_WORDWORD_10 & 15 rules someone posted here
(forgot who - sorry!) are the most effective extra SA rules I'm using. A
lot of the stuff that BigEvil picks up either hits WORDWORD or DCC or
both anyway. The clever HABEAS_FORGERY rules do quite well too.
BACKHAIR does ok but often on messages that WORDWORD has picked up anyway.

Cheers,

Martin

--
Martin Sapsed
Information Services          "Who do you say I am?"
University of Wales, Bangor            Jesus of Nazareth

From hakon.eriksen at USIT.UIO.NO Fri Jan 23 12:12:33 2004
From: hakon.eriksen at USIT.UIO.NO (=?ISO-8859-1?Q?H=E5kon?= Eriksen)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To:
References: <20040123124023.55bd26af.hakon.eriksen@usit.uio.no>
Message-ID: <20040123131233.48ea6db1.hakon.eriksen@usit.uio.no>

> > > Do you use remote syslogging ?
> >
> > Exim-logs go both on disk and to a remote server, MS logs go just to
> > disk.
>
> You could disable the to disk logging, and also limit the exim remote
> stuff, max session per host and so on. but i guess you already do
> that.

As I said, I doubt if Exim is eating much resources for me. None of the
boxes do any local deliveries, they forward the mail to dedicated
servers to do that. I also have a different server to send mail

But I'll look into limiting the amount of disk logging.

> DNS server also separate, for those 4 servers ?

If you mean do I run a caching server on all the machines, the answer is
no. It's a dedicated DNS server not very far away.

By the way... In your first reply you said I should be able to process
two to three times the total load on a single box. Now, each of my five
boxes receive 80 000 messages, and I can process 12 000 messages an
hour, that means I can actually go through almost 290 000 messages in 24
hours. Is this what you meant about being able to process more messages
than I do now, or did I misunderstand again?

--
Håkon Eriksen
Gruppe for drift av grunntjenester (GT), SAPP, USIT

From raymond at PROLOCATION.NET Fri Jan 23 12:23:25 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <20040123131233.48ea6db1.hakon.eriksen@usit.uio.no>
Message-ID:

Hi!

> > You could disable the to disk logging, and also limit the exim remote
> > stuff, max session per host and so on. but i guess you already do
> > that.

> As I said, I doubt if Exim is eating much resources for me. None of the
> boxes do any local deliveries, they forward the mail to dedicated
> servers to do that. I also have a different server to send mail

> But I'll look into limiting the amount of disk logging.

Your system is eating resources, the syslogging...

> > DNS server also separate, for those 4 servers ?
>
> If you mean do I run a caching server on all the machines, the answer is
> no. It's a dedicated DNS server not very far away.

You might consider running a local dns on the boxes itself also.

> By the way... In your first reply you said I should be able to process
> two to three times the total load on a single box. Now, each of my five
> boxes receive 80 000 messages, and I can process 12 000 messages an
> hour, that means I can actually go through almost 290 000 messages in 24
> hours. Is this what you meant about being able to process more messages
> than I do now, or did I misunderstand again?

We process around 700.000 messages in peaks on a similar box, daily. With
sendmail running there, Exim should be able to do even more... so 4 x
700.000 in your setup should be doable i think. That's also depending on
message size but as i see, you only RBL check with one RBL, do you have
that one on your local server ? You might cut down lookup time with
running it locally... If possible.

Where you see your current limits? Do you run something like Orca to
collect system stats ? If not have a look at that, very handy.

Bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 23 12:29:19 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To:
References:
Message-ID: <4011139F.6050205@solid-state-logic.com>

Raymond Dijkxhoorn wrote:
>
> Where you see your current limits?
Do you run something like Orca to
> collect system stats ? If not have a look at that, very handy.
>
> Bye,
> Raymond.

I thought orca ran only on Solaris as it requires the SEtoolkit???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Fri Jan 23 12:29:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
Message-ID: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk>

I have just released the latest beta version. It should be okay, but be very
careful with the new automatic bayes rebuilding feature.

The main new changes are these:
- Added "notify" Spam Action and High Scoring Spam Action. This will cause
  a short text notification message to be sent to the recipients of the
  spam message. The filename of the report is set with the "Recipient Spam
  Report" configuration setting. There is also an MCP equivalent of this
  functionality. See the MCP documentation for details of the settings.
- Added regular rebuild of Bayes database.
- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
  configure the operation of the regular Bayes database rebuilds.
- Added "Log Non Spam" option to allow logging of all non-spam, which can
  be coerced into logging SpamAssassin scores of non-spam mail.
- Removed the "bounce" spam action.

There are other changes as well, of course. Those above are the interesting
recent ones.
See the http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog for
more details.

Download as usual from www.mailscanner.info.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 23 12:12:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Mailscanner attachment
In-Reply-To: <050101c3e1a6$0c8b1c90$6508050a@martinsss>
References: <050101c3e1a6$0c8b1c90$6508050a@martinsss>
Message-ID: <6.0.1.1.2.20040123121240.03e57a18@imap.ecs.soton.ac.uk>

MailScanner will not send viruses. Sorry.

At 11:42 23/01/2004, you wrote:
>Hello,
>
>How can I configure Mailscanner to attach that file which was removed from
>original message (virus file or html ) but still warning about it. It could
>be like this --> e-mail from mailscanner and in attachment original message.
>
>Best regards,
>Martins Smilga

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Fri Jan 23 12:33:06 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:01 2006
Subject: Your MailScanner stats
In-Reply-To: <4011139F.6050205@solid-state-logic.com>
Message-ID:

Hi!

> > Where you see your current limits? Do you run something like Orca to
> > collect system stats ? If not have a look at that, very handy.

> I thought orca ran only on Solaris as it requires the SEtoolkit???

We run it on most of our linux boxes. Even have it running on Solaris for
Intel, so should work :)

You need to look for procallator ...

Bye,
Raymond.
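
[Added example, not part of the list traffic and not MailScanner's own code: one way to script the dated-mbox rotation Julian Field describes in the "Archive Mail to date stamped mboxes?" thread above. The soft link is replaced by a rename, so "Archive Mail" always resolves to a real file, and a writer that already has the old mbox open keeps writing to it. The function name, the retention count and the idea of running it daily as the MailScanner user are assumptions; /var/spool/MailScanner/archive is the path from that thread.]

```shell
#!/bin/sh
# Added example: rotate a MailScanner "Archive Mail" mbox through a symlink.
# Assumes "Archive Mail" points at LINK and that LINK's targets are plain
# mbox files named LINK.YYYYMMDD in the same directory.

# rotate_archive LINK KEEP [STAMP]
#   LINK  - path configured as "Archive Mail" (a symlink to the current mbox)
#   KEEP  - how many dated mboxes to retain, newest first (>= 1)
#   STAMP - YYYYMMDD; defaults to today (a parameter so it can be tested)
rotate_archive() {
    link=$1
    keep=$2
    stamp=${3:-$(date +%Y%m%d)}

    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad stamp: $stamp" >&2; return 2 ;;
    esac
    case $keep in
        ''|*[!0-9]*) echo "bad keep count: $keep" >&2; return 2 ;;
    esac
    [ "$keep" -ge 1 ] || { echo "keep must be >= 1" >&2; return 2; }

    # A regular file at LINK would be a live archive: never overwrite it.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink" >&2
        return 1
    fi

    dir=$(dirname "$link")
    base=$(basename "$link")
    target="$base.$stamp"

    # The archive holds a copy of every message, so create it owner-only.
    # ">>" leaves an existing file (a second run on the same day) untouched.
    ( umask 077; : >> "$dir/$target" ) || return 1

    # Build the new link under a temporary name and rename it over the old
    # one. rename(2) replaces the link in one step, so there is no moment
    # at which LINK is missing. LINK points at a file, not a directory, so
    # mv renames over it instead of moving into it.
    tmp="$dir/.$base.new.$$"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }

    # Prune: YYYYMMDD names sort chronologically, so the glob expands
    # oldest first; drop from the front until KEEP files remain.
    set -- "$dir/$base".[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
    while [ $# -gt "$keep" ]; do
        rm -f -- "$1"
        shift
    done
    return 0
}

# Typical daily call (run as the user MailScanner writes the archive as),
# keeping 14 days:
#   rotate_archive /var/spool/MailScanner/archive 14
```
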

From ugob at CAMO-ROUTE.COM Fri Jan 23 13:48:19 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:01 2006
Subject: MS not deleting spam
In-Reply-To: <4010D2FD.FD41C68F@eagle-access.net>
References: <54C38A0B814C8E438EF73FC76F362927410819@mtlnt501fs.CAMOROUTE.COM> <4010D2FD.FD41C68F@eagle-access.net>
Message-ID: <40112623.70700@camo-route.com>

Eagle Net Support wrote:

>>>>>How do I get the rest of these mails to not go to the
>>>>>clients? They are
>>>>>apparently successfully being recognized as spam.
>>>>>
>>>>What is apparently your problem is that you didn't realize
>>>>
>>>that there were 2 settings for spam:
>>>
>>>>High Scoring Spam Actions
>>>>
>>>>and
>>>>
>>>>Spam Actions
>>>>
>>>>-What probably happens here is that your Spam Actions is
>>>>
>>>set to deliver and High Scoring is set to delete
>>>
>>>>Set both to store delete or just delete if you don't want
>>>>
>>>to store them.
>>>
>>>Which file am I looking to edit for 'High Scoring Spam
>>>Actions' and 'Spam Actions'?
>>>
>>>joe
>>>
>>/etc/MailScanner/MailScanner.conf
>>
>
>That's the first place I looked. Silly mistake though, my search string
>I used was "/high scoring" instead of the correct string /High Scoring :
>'}
>
>But that did the trick. I'm stopping about 75% of the spam now. I've
>been reading the
>bigevil.cf list recommends you mentioned and will put it on in the morn.
>I'm shooting for filtering 90%+
>
>BTW the "store delete" entry stopped this list. ??? Had to whitelist
>in.... Is this an aberration to this list or can I expect clients will
>lose access to their lists until I whitelist them? : '}
>

Yes, you can expect a lot of things and a lot of calls. Prevent your
users and ask them to send you an e-mail if they suspect anything.
You'll have to be on your toes for maybe one month, the time it takes to
understand how mailscanner works and what are your users needs, then you
won't have much maintenance to do, apart from upgrading the components.

hth

Ugo

>Thanks
>joe
>
>Ugo Bellavance wrote:
>
>>>-----Original Message-----
>>>From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
>>>Sent: Thursday, January 22, 2004 6:55 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: MS not deleting spam
>>>
>>>Ugo Bellavance wrote:
>>>
>>>>>-----Original Message-----
>>>>>From: Eagle Net Support [mailto:support@EAGLE-ACCESS.NET]
>>>>>Sent: Thursday, January 22, 2004 5:12 PM
>>>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>>>Subject: MS not deleting spam
>>>>>
>
>>This is the key to almost all settings.
>>
>>hth
>>
>>Ugo
>>
>>>>
>>>>>Are there any other good known things to be implemented
>>>>>
>>>to get a good
>>>
>>>>>starting base for spam filtering?
>>>>>
>>>>Probably install Razor, DCC, Pyzor, which is pretty
>>>>
>>>straightforward, then maybe check for special spamassassin rules...
>>>
>>>>>Are all the default RBL entries built in, needed, and are
>>>>>
>>>there any
>>>
>>>>>others that should be added?
>>>>>
>>>>This is a personal thing. Your setup is basically very
>>>>
>>>good, so just stay tuned on this list to learn what is
>>>changing. And maybe give a look at the threads about
>>>bigevil.cf a few days ago.
>>>
>>>>>Finally, is there an 'after install' docs or mail archive
>>>>>that addresses
>>>>>the potential after install buffing issues?
>>>>>
>>>>Hmm, this is the job list. What happens is that mail
>>>>
>>>hosting is such a complex thing and the setups vary so much
>>>from one person to the other, what usually happens is that
>>>one installs it, comes on the list for "after install buffing
>>>issues", then writes his own doc for his site. At least that
>>>is what I've done.
>>>
>>>>Some people will write their own, very-complex rules, and
>>>>
>>>some others will stay close to the default setup. It all
>>>depends on your need.
>>>
>>>>>Thanks any help would be greatly appreciated. I hope I
>>>>>
>>>didn't ask too
>>>
>>>>>many questions at once.....
>>>>>
>>>>That is ok. But more importantly, stay subscribed to this list.
>>>>
>>>>>joe
>>>>>
>>>>>--
>>>>>This message has been scanned for viruses and
>>>>>dangerous content, and is believed to be clean.
>>>>>
>>>>--
>>>>This message has been scanned for viruses and
>>>>dangerous content, and is believed to be clean.
>>>>
>>>--
>>>This message has been scanned for viruses and
>>>dangerous content, and is believed to be clean.
>>>
>>--
>>This message has been scanned for viruses and
>>dangerous content, and is believed to be clean.
>>
>

From mailscanner at ecs.soton.ac.uk Fri Jan 23 14:33:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Logging scores of non-spam (patch)
In-Reply-To: <6.0.1.1.2.20040123094721.035a2e58@imap.ecs.soton.ac.uk>
References: <13893.1074712459@ofb.net> <20040123094919.56f7bbec.hakon.eriksen@usit.uio.no> <6.0.1.1.2.20040123094721.035a2e58@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040123143252.036dd678@imap.ecs.soton.ac.uk>

At 09:48 23/01/2004, you wrote:
>At 08:49 23/01/2004, you wrote:
>> > For my site, I thought it could be interesting to know the scores of
>> > mail getting through MailScanner/SpamAssassin without having to
>> > archive all the messages, to get an idea of how close messages were
>> > getting to the threshold. The following two patches (against
>> > MailScanner 4.25-14) add a "Log Non Spam" option that works just like
>> > the "Log Spam" option. Hopefully someone else will also find this data
>> > useful.
>>
>>Yes, I find it useful. Thank you.
>> >>Julian, is there any chance of this making it in to the main >>MailScanner-release? > >Consider it done. This is in release 4.26.5-1. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 23 14:34:29 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: feature request - FW: Just the notification for spam? In-Reply-To: <6.0.1.1.2.20040121225555.044ad148@imap.ecs.soton.ac.uk> References: <8FFC76593085ED4A80D3601BC41EFCDF02A60819@inex1.herffjones.hj-int> <6.0.1.1.2.20040121225555.044ad148@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040123143418.036dc2c8@imap.ecs.soton.ac.uk> At 23:06 21/01/2004, you wrote: >At 22:35 21/01/2004, you wrote: >>Hi! >> >> > > So the summary of all this is >> > > "Yes, I would like it in MailScanner". >> > > Correct? >> > >> > LOL. :-) >> > >> > Yes, please? Where's your wishlist on Amazon again??? >> >>Cool, instead of taking away the load we are now letting MS spam the >>users :) > >You don't have to use the feature, I personally doubt many sites will use >it. But Trever appears to present a strong case for needing it, and it >won't have any impact on the speed or reliability of MailScanner. And I'm >prepared to implement it. > >One setup where it might be useful is in schools, where you have a duty of >care to protect your users from seeing various of the nastier types of >spam. The "attachment" facility is useless here, as the recipients can >still see the original message. But you don't want to use "store" as then a >teacher has to scan every message for false positives. Instead, I can >imagine a system where clicking on a link in the "notify" message would >forward a request to a teacher that a child had requested a spam message. >It is then up to the teacher to allow/deny the child access to that >message. 
Effectively spam viewing with authorisation from a teacher. > >I am sure there are other scenarios that might use this. This is in release 4.26.5-1. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 23 14:33:29 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: Bayesian shenanigans (i.e. problems) In-Reply-To: <6.0.1.1.2.20040122213034.04217dd8@imap.ecs.soton.ac.uk> References: <67D9E7698329D411936E00508B6590B902773E03@neelix.lbsltd.co.uk> <6.0.1.1.2.20040122171712.07189150@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040122201340.04246e98@imap.ecs.soton.ac.uk> <40103D5E.3060804@ucgbook.com> <6.0.1.1.2.20040122213034.04217dd8@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040123143315.036dc558@imap.ecs.soton.ac.uk> At 21:30 22/01/2004, you wrote: >At 21:15 22/01/2004, you wrote: >>Julian Field wrote: >>>What's the exact command people type to do the database expiry? >>> >>>Just --force-expire or ---rebuild as well? >>> >>>I need to know what to make the code do. >>> >>>The code is nearly there (but untested). >> >>I use both (sa-learn --rebuild --force-expire) from crontab. > >Thanks. That's what I thought. > >>Will this be an optional thing? > >Of course. This is in release 4.26.5-1. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From J.Ireland at HGU.MRC.AC.UK Fri Jan 23 14:54:57 2004 From: J.Ireland at HGU.MRC.AC.UK (John Ireland) Date: Thu Jan 12 21:22:01 2006 Subject: Logging scores of non-spam (patch) In-Reply-To: <13893.1074712459@ofb.net> References: <13893.1074712459@ofb.net> Message-ID: <401135C1.5030006@hgu.mrc.ac.uk> I am interested in the "Log Non Spam" option. 
FWIW I patch SA.pm to include the SpamAssassin 'autolearn=' field in the SpamCheck header so I can check the Bayesian auto learning - the header changes from, X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, required 4, BAYES_99 5.40, BIZ_TLD 0.10, DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... to, X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, required 4, autolearn=spam, BAYES_99 5.40, BIZ_TLD 0.10, DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... Would this be of general interest? I do this now, without a config option, with the following changes to MailScanner-4.25-14, *** SA.pm.orig Fri Nov 7 12:41:41 2003 --- SA.pm.new Mon Dec 15 14:56:54 2003 *************** *** 262,264 **** my($pipe); ! my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore); my($HighScoreVal, $pid2delete, $IncludeScores); --- 262,264 ---- my($pipe); ! my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore, $AutoLearn); my($HighScoreVal, $pid2delete, $IncludeScores); *************** *** 299,300 **** --- 299,309 ---- } + # Get the autolearn status + if (!defined $spamness->{auto_learn_status}) { + $AutoLearn = "no"; + } elsif ($spamness->{auto_learn_status}) { + $AutoLearn = "spam"; + } else { + $AutoLearn = "ham"; + } + print $pipe $AutoLearn . "\n"; $spamness->finish(); *************** *** 312,313 **** --- 321,323 ---- #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n"; + $AutoLearn = <$pipe>; $SAHitList = <$pipe>; *************** *** 321,322 **** --- 331,333 ---- chomp $SAHits; + chomp $AutoLearn; chomp $SAHitList; *************** *** 339,341 **** MailScanner::Config::LanguageValue($Message, 'required') .' ' . ! $SAReqHits . ($SAHitList?", $SAHitList":''); --- 350,352 ---- MailScanner::Config::LanguageValue($Message, 'required') .' ' . ! $SAReqHits . ', ' . 'autolearn' . '=' . $AutoLearn . 
($SAHitList?", $SAHitList":' Walker Aumann wrote: > For my site, I thought it could be interesting to know the scores of mail > getting through MailScanner/SpamAssassin without having to archive all > the messages, to get an idea of how close messages were getting to the > threshhold. The following two patches (against MailScanner 4.25-14) add > a "Log Non Spam" option that works just like the "Log Spam" option. > Hopefully someone else will also find this data useful. > > Walker -- John Ireland - Systems Manager Email: mailto:J.Ireland@hgu.mrc.ac.uk MRC Human Genetics Unit Tel. : +44-31-332-2471 Western General Hospital Fax. : +44-31-343-2620 Edinburgh, EH4 2XU, UK WWW : http://www.hgu.mrc.ac.uk From john at TRADOC.FR Fri Jan 23 15:04:05 2004 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:01 2006 Subject: Logging scores of non-spam (patch) In-Reply-To: <401135C1.5030006@hgu.mrc.ac.uk> References: <13893.1074712459@ofb.net> <401135C1.5030006@hgu.mrc.ac.uk> Message-ID: On Fri, 23 Jan 2004 14:54:57 +0000, John Ireland wrote: > FWIW I patch SA.pm to include the > SpamAssassin 'autolearn=' field in the SpamCheck header so I can check the > Bayesian auto learning - the header changes from, > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, > required 4, BAYES_99 5.40, BIZ_TLD 0.10, > DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... > to, > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, > required 4, autolearn=spam, BAYES_99 5.40, BIZ_TLD 0.10, > DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... > > Would this be of general interest? Certainly sounds useful - I've often wondered if this was possible. Julian? John. 
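Review bot: In the hunk at line 299 the new `print $pipe $AutoLearn . "\n";` is placed immediately before `$spamness->finish()`, but the parent reads `$AutoLearn = <$pipe>;` between `$SAHits` and `$SAHitList` (hunk at line 312). The child's prints of the score and the hit list are not visible in these hunks, so please confirm the write order matches that read order; if the hit list is printed before this new line, the parent will put the hit list into `$AutoLearn` and the other way round. The status is also taken from the hash key `$spamness->{auto_learn_status}` rather than through a method, which ties SA.pm to the internals of the installed SpamAssassin version; a short comment saying which versions this was tested against would help whoever upgrades next.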
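Review bot: The last hunk (line 339) appends `', ' . 'autolearn' . '=' . $AutoLearn` to every SpamCheck header, including the "no" case, and `$AutoLearn` is undefined at that point if the read from `$pipe` returned nothing (for instance when the child exits before writing), which yields `autolearn=` with no value and a Perl warning from `chomp` and the concatenation. Build the fragment only when `$AutoLearn` is defined and is not "no". Since this changes the format of a header that other tools may parse, it should also sit behind a configuration option; the message above says there is none yet.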
-- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From mailscanner at ecs.soton.ac.uk Fri Jan 23 15:18:49 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: Logging scores of non-spam (patch) In-Reply-To: References: <13893.1074712459@ofb.net> <401135C1.5030006@hgu.mrc.ac.uk> Message-ID: <6.0.1.1.2.20040123151100.03b851c8@imap.ecs.soton.ac.uk> At 15:04 23/01/2004, you wrote: >On Fri, 23 Jan 2004 14:54:57 +0000, John Ireland wrote: > > FWIW I patch SA.pm to include the > > SpamAssassin 'autolearn=' field in the SpamCheck header so I can check the > > Bayesian auto learning - the header changes from, > > > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, > > required 4, BAYES_99 5.40, BIZ_TLD 0.10, > > DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... > > to, > > > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, > > required 4, autolearn=spam, BAYES_99 5.40, BIZ_TLD 0.10, > > DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... > > > > Would this be of general interest? > >Certainly sounds useful - I've often wondered if this was possible. >Julian? I think it would be better to leave it out altogether if it is "no" and just list it for messages learned as "spam" and "not spam". I don't want the users to have to wonder what "ham" is. This will be in the next release. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From TGFurnish at HERFF-JONES.COM Fri Jan 23 15:32:28 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:22:01 2006 Subject: feature request - FW: Just the notification for spam? 
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A6082D@inex1.herffjones.hj-int> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Friday, January 23, 2004 9:34 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: feature request - FW: Just the notification for spam? > > > >I am sure there are other scenarios that might use this. > > This is in release 4.26.5-1. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support Thank you! First chance I'll have to test will be this weekend. From P.G.M.Peters at utwente.nl Fri Jan 23 15:45:39 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:01 2006 Subject: Logging scores of non-spam (patch) In-Reply-To: References: <13893.1074712459@ofb.net> <401135C1.5030006@hgu.mrc.ac.uk> Message-ID: <6cg2101dhk8ga7v6kar7d7dbucqj2aoako@4ax.com> On Fri, 23 Jan 2004 16:04:05 +0100, you wrote: >> X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097, >> required 4, autolearn=spam, BAYES_99 5.40, BIZ_TLD 0.10, >> DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ... >> >> Would this be of general interest? > >Certainly sounds useful - I've often wondered if this was possible. Wouldn't autolearn be spam for every score over the required score? 
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Jan 23 16:28:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Logging scores of non-spam (patch)
In-Reply-To: <6cg2101dhk8ga7v6kar7d7dbucqj2aoako@4ax.com>
References: <13893.1074712459@ofb.net> <401135C1.5030006@hgu.mrc.ac.uk> <6cg2101dhk8ga7v6kar7d7dbucqj2aoako@4ax.com>
Message-ID: <6.0.1.1.2.20040123162748.03b85e80@imap.ecs.soton.ac.uk>

At 15:45 23/01/2004, you wrote:
>On Fri, 23 Jan 2004 16:04:05 +0100, you wrote:
>
> >> X-MailScanner-SpamCheck: spam, SpamAssassin (score=37.097,
> >> required 4, autolearn=spam, BAYES_99 5.40, BIZ_TLD 0.10,
> >> DATE_IN_FUTURE_12_24 3.33, DCC_CHECK 2.70, FORGED_OUTLOOK_TAGS ...
> >>
> >> Would this be of general interest?
> >
> >Certainly sounds useful - I've often wondered if this was possible.
>
>Wouldn't autolearn be spam for every score over the required score?

No. SpamAssassin has its own internal scoring thresholds for learning spam and non-spam. It will only auto-learn messages it is absolutely sure it has got right.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From brose at MED.WAYNE.EDU Fri Jan 23 16:38:15 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:01 2006
Subject: Mailscanner and memory resources
Message-ID:

I've started using some of the SA ruleset like tripwire, bigevil and such. In doing so, I'm finding that the size of the MailScanner processes increase dramatically because each MailScanner process is essentially its own SA process and loads all the configs and rules it needs.
Wouldn't it be better to just have MailScanner make calls to spamd thus reducing the amount of resources? On my system with 2gigs of Ram and running 10 MailScanner processes, each process is 119megs with these rulesets "BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG EVILNUMBERS BLACKLIST BLACKLIST_URI" -=Bobby From marc at CALIBREDIGITAL.COM Fri Jan 23 16:39:18 2004 From: marc at CALIBREDIGITAL.COM (=?ISO-8859-1?Q?Marc Anthony P. Barrette=20?=) Date: Thu Jan 12 21:22:01 2006 Subject: =?ISO-8859-1?Q?Automated Reply from Marc Anthony P. Barrette ?= Message-ID: <200401231640.i0NGeKj05678@co.calibre-dd.com> Marc Anthony Barrette no longer works at Calibre Digital Pictures. For information please send email to info@calibredigital.com. To contact Marc Anthony Barrette please send email to: marcanthonybarrette@yahoo.com From support at EAGLE-ACCESS.NET Fri Jan 23 16:54:59 2004 From: support at EAGLE-ACCESS.NET (Eagle Net Support) Date: Thu Jan 12 21:22:01 2006 Subject: force filter of mqueue possible??? Message-ID: <401151E3.9D2B0A4C@eagle-access.net> Just brought up MS yesterday. Is there a way to force the mail left in /var/spool/mqueue to mqueue.in to scan the doodoo out of old pre MS mail?? Thanks joe -- This message has been scanned for viruses and dangerous content, and is believed to be clean. From joshua.hirsh at PARTNERSOLUTIONS.CA Fri Jan 23 16:50:19 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:22:01 2006 Subject: force filter of mqueue possible??? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F66@eqmail1.efni.vpn> > Is there a way to force the mail left in /var/spool/mqueue to > mqueue.in to scan the doodoo out of old pre MS mail?? 
mv is your friend ;) -Joshua From mailscanner at ecs.soton.ac.uk Fri Jan 23 16:52:34 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: Mailscanner and memory resources In-Reply-To: References: Message-ID: <6.0.1.1.2.20040123163918.08c58400@imap.ecs.soton.ac.uk> At 16:38 23/01/2004, you wrote: > I've started using some of the SA ruleset like tripwire, bigevil and >such. In doing so, I'm finding that the size of the MailScanner >processes increase dramatically because each MailScanner process is >essentially it's own SA process and loads all the configs and rules it >needs. Wouldn't it be better to just have MailScanner make calls to >spamd thus reducing the amount of resources? In my view, no. You are running far more extra rulesets than most people do. Is the 119Mb per process the resident size (RSS in "top"), or just the (larger) "size" figure quoted in "top"? It's only the RSS figure that counts. Calling spamd would be slower and, more importantly, would rely on you having a daemon running, which introduces a whole host of reliability and recovery problems. I would have to write a whole system to handle memory leaks (and other resource leaks) in spamd, and be able to detect when it stops working properly and restart it. That's a very messy process, and is the same reason I don't support the daemonised versions of the virus scanning engines. > On my system with 2gigs of >Ram and running 10 MailScanner processes, each process is 119megs with >these rulesets "BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG >EVILNUMBERS BLACKLIST BLACKLIST_URI" > >-=Bobby -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 23 17:01:33 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: force filter of mqueue possible??? 
In-Reply-To: <401151E3.9D2B0A4C@eagle-access.net>
References: <401151E3.9D2B0A4C@eagle-access.net>
Message-ID: <6.0.1.1.2.20040123170038.03e952f8@imap.ecs.soton.ac.uk>

All you have to do is move the mail queue files into the incoming queue.

As root, do this

    cd /var/spool/mqueue
    mv * /var/spool/mqueue.in

at which point MailScanner will pick it all up and scan it.

At 16:54 23/01/2004, you wrote:
>Just brought up MS yesterday.
>
>Is there a way to force the mail left in /var/spool/mqueue to mqueue.in
>to scan the doodoo out of old pre MS mail??
>
>Thanks
>joe

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 23 17:06:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:01 2006
Subject: Blocking attachments, maybe subject line statement?
In-Reply-To: <000801c3e1d2$9ff76c00$2105a8c0@delta>
References: <000801c3e1d2$9ff76c00$2105a8c0@delta>
Message-ID: <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk>

At 17:02 23/01/2004, you wrote:
>Apparently there is some new worm out that generates emails that appear to
>come from our billing department. I can't find anything on it anywhere, but
>the file that it has with it is a page.hta file. I want to block this
>email altogether, so what is the best way to go about doing that? I was
>going to black list them, but since it is apparently some kind of worm,
>it's from all different sorts of people. What sort of action should I take
>with this?
>
>Chris

If they have merely used your billing department's email address as the "From" address in email they are sending, there is nothing you can do to stop this propagating across the internet, as it never goes anywhere near your servers.
Using MailScanner's filename.rules.conf file you can block .hta files coming into your site or leaving your site. It blocks them by default.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From cwharris at MORGAN.NET Fri Jan 23 17:02:03 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:01 2006
Subject: Blocking attachments, maybe subject line statement?
Message-ID: <000801c3e1d2$9ff76c00$2105a8c0@delta>

Apparently there is some new worm out that generates emails that appear to come from our billing department. I can't find anything on it anywhere, but the file that it has with it is a page.hta file. I want to block this email altogether, so what is the best way to go about doing that? I was going to black list them, but since it is apparently some kind of worm, it's from all different sorts of people. What sort of action should I take with this?

Chris

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 23 17:14:05 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:01 2006
Subject: Mailscanner and memory resources
In-Reply-To: <6.0.1.1.2.20040123163918.08c58400@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040123163918.08c58400@imap.ecs.soton.ac.uk>
Message-ID: <4011565D.6010900@solid-state-logic.com>

Julian Field wrote:
> At 16:38 23/01/2004, you wrote:
>
>> I've started using some of the SA ruleset like tripwire, bigevil and
>> such. In doing so, I'm finding that the size of the MailScanner
>> processes increase dramatically because each MailScanner process is
>> essentially its own SA process and loads all the configs and rules it
>> needs.
Wouldn't it be better to just have MailScanner make calls to
>> spamd thus reducing the amount of resources?
>
> In my view, no. You are running far more extra rulesets than most people
> do. Is the 119Mb per process the resident size (RSS in "top"), or just the
> (larger) "size" figure quoted in "top"? It's only the RSS figure that
> counts.
>
> Calling spamd would be slower and, more importantly, would rely on you
> having a daemon running, which introduces a whole host of reliability and
> recovery problems. I would have to write a whole system to handle memory
> leaks (and other resource leaks) in spamd, and be able to detect when it
> stops working properly and restart it. That's a very messy process, and is
> the same reason I don't support the daemonised versions of the virus
> scanning engines.
>
>> On my system with 2gigs of
>> Ram and running 10 MailScanner processes, each process is 119megs with
>> these rulesets "BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG
>> EVILNUMBERS BLACKLIST BLACKLIST_URI"
>>
>> -=Bobby

Running all of the above on a 512MB system and top shows a RSS of 51888K! Time to buy more memory I guess.

BUT I see around 4 secs per message in actual processing time so right now I'm just using 42MB of swap to cover me..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
********************************************************************** From lists at STHOMAS.NET Fri Jan 23 17:22:49 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:01 2006 Subject: Bayes not being used Message-ID: <20040123092249.A27351@sthomas.net> MailScanner 4.25-14 RedHat Linux 7.3 kernel 2.4.20-18.7 SA 2.70-cvs (1.222-2003-12-17-exp) We've been running MS/SA for quite a while now, but without using bayes. Our system stores all its user info in LDAP and I don't want to use SQL prefs, so we've just been using the stock SA config with some extra rules added. It works decent, but not having bayes running is taking its toll. On my home server, bayes catches pretty much all the mail that normal SA tests miss, but here at work I'm still getting a thousand or so spams a day getting through to my users. I created two shared folders for the users to put their spam/ham into and every hour, a cron job trains bayes with them and then deletes them. I make sure to use the prefs-file= option with sa-learn, pointing it to spam.assassin.prefs.conf. If I do a sa-learn --dump magic, I can see that over 2700 spams have been learned from and over 500 hams - more than enough for SA to start using bayes during processing. If I run a message through spamassassin from the command line (in debug mode, again using the prefs-file option), I can see that it's using bayes, so SA is doing what it should be. MS doesn't seem to use it, however. No BAYES_* tests are showing up in the headers of any messages. I've linted the SA config and it's fine, and I've restarted MS manually a couple of times. Any ideas? TIA, Steve -- "If a man does his best, what else is there?" - General George S. 
Patton (1885-1945)

From dickenson at CFMC.COM Fri Jan 23 17:26:08 2004
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:22:01 2006
Subject: White List question
In-Reply-To: <6.0.1.1.2.20040122171338.03ae4c10@imap.ecs.soton.ac.uk>
Message-ID:

Thanks for pointers at where to look. It looks like the "real" sender is bounce@u.0vm.com so I have changed my whitelist file and let the person know to let me know if there are further problems.

--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: Julian Field
> Reply-To: MailScanner mailing list
> Date: Thu, 22 Jan 2004 17:15:26 +0000
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: White List question
>
> And also, are you sure that the real "sender" address is
> "MileagePlus@UnitedOffers.com"? MailScanner doesn't use the values in the
> headers at all, as they are often different from the real sender address so
> they look nice. If your mail has a "Return-Path" header at the top (you
> will have to view the full email headers to show this), then that is the
> address you want to whitelist, not the "From:" address. If you don't have a
> Return-Path: header then look for the message in your maillog as that will
> show the true sender address.
>
> At 16:46 22/01/2004, you wrote:
>> Hi Jim,
>>
>> Do you have 'Is Definitely Not Spam =
>> /etc/MailScanner/rules/spam.whitelist.rules' set in MailScanner.conf??
>>
>> Regards,
>> Steve.
>> >>> -----Original Message----- >>> From: Jim Dickenson [mailto:dickenson@CFMC.COM] >>> Sent: 22 January 2004 16:44 >>> To: MAILSCANNER@JISCMAIL.AC.UK >>> Subject: White List question >>> >>> >>> In my spam.whitelist.rules file I have this line: >>> From: mileageplus@unitedoffers.com yes >>> >>> When a person gets an email with these headers: >>> >>> From: United Mileage Plus >>> Reply-To: MileagePlus@UnitedOffers.com >>> >>> >>> It gets this: >>> >>> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.818, required 5, >>> FROM_OFFERS 4.10, HTML_MESSAGE 0.10, RATWARE_HASH_2_V2 1.62) >>> >>> There is no mention that this address is white listed and >>> thus, as it meets my low spam score, is treated as spam. >>> >>> I have other addresses listed that are treated correctly so I >>> am at a loss as to why this address is causing me trouble. >>> >>> Any ideas on what to check would be appreciated. >>> >>> TIA, >>> -- >>> Jim Dickenson >>> mailto:dickenson@cfmc.com >>> >>> Computers for Marketing Corporation >>> http://www.cfmc.com/ >>> >> >> -- >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the sender and delete the message from your mailbox. >> >> This footnote also confirms that this email message has been swept by >> MailScanner (www.mailscanner.info) for the presence of computer viruses. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brose at MED.WAYNE.EDU Fri Jan 23 17:28:33 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:01 2006 Subject: Mailscanner and memory resources Message-ID: It's the larger size. Res runs about 50 to 107megs. I had to reboot this morning because MailScanner ran out of fork space and I developed a queue backup. 
But people are starting to develop their own rules and this is going to be more prevalent so SA can get larger. I even stopped using bayes because it was being too slow and I still use RBLs on the sendmail side so SA and MS don't mess with those. So the only SA stuff running is the local stuff.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, January 23, 2004 11:53 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner and memory resources

At 16:38 23/01/2004, you wrote:
> I've started using some of the SA ruleset like tripwire, bigevil and
>such. In doing so, I'm finding that the size of the MailScanner
>processes increase dramatically because each MailScanner process is
>essentially its own SA process and loads all the configs and rules it
>needs. Wouldn't it be better to just have MailScanner make calls to
>spamd thus reducing the amount of resources?

In my view, no. You are running far more extra rulesets than most people do. Is the 119Mb per process the resident size (RSS in "top"), or just the (larger) "size" figure quoted in "top"? It's only the RSS figure that counts.

Calling spamd would be slower and, more importantly, would rely on you having a daemon running, which introduces a whole host of reliability and recovery problems. I would have to write a whole system to handle memory leaks (and other resource leaks) in spamd, and be able to detect when it stops working properly and restart it. That's a very messy process, and is the same reason I don't support the daemonised versions of the virus scanning engines.
> On my system with 2gigs of >Ram and running 10 MailScanner processes, each process is 119megs with >these rulesets "BIGEVIL TRIPWIRE BACKHAIR WEEDS2 CHICKENPOX ANTIDRUG >EVILNUMBERS BLACKLIST BLACKLIST_URI" > >-=Bobby -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Fri Jan 23 17:29:10 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:01 2006 Subject: Bayes not being used In-Reply-To: <20040123092249.A27351@sthomas.net> References: <20040123092249.A27351@sthomas.net> Message-ID: <401159E6.1050406@solid-state-logic.com> Steve Thomas wrote: > MailScanner 4.25-14 > RedHat Linux 7.3 > kernel 2.4.20-18.7 > SA 2.70-cvs (1.222-2003-12-17-exp) > > We've been running MS/SA for quite a while now, but without using bayes. Our system stores all its user info in LDAP and I don't want to use SQL prefs, so we've just been using the stock SA config with some extra rules added. It works decent, but not having bayes running is taking its toll. On my home server, bayes catches pretty much all the mail that normal SA tests miss, but here at work I'm still getting a thousand or so spams a day getting through to my users. > > I created two shared folders for the users to put their spam/ham into and every hour, a cron job trains bayes with them and then deletes them. I make sure to use the prefs-file= option with sa-learn, pointing it to spam.assassin.prefs.conf. If I do a sa-learn --dump magic, I can see that over 2700 spams have been learned from and over 500 hams - more than enough for SA to start using bayes during processing. > > If I run a message through spamassassin from the command line (in debug mode, again using the prefs-file option), I can see that it's using bayes, so SA is doing what it should be. > > MS doesn't seem to use it, however. 
No BAYES_* tests are showing up in the headers of any messages. I've linted the SA config and it's fine, and I've restarted MS manually a couple of times.
>
> Any ideas?
>
> TIA,
> Steve
>
> --
> "If a man does his best, what else is there?"
> - General George S. Patton (1885-1945)

Steve

SA 2.70 is the development version and will turn into 3.0 at some stage - could be unstable!

Anyway, have you checked the ownership/permissions of the bayes files to make sure that the MailScanner user can write to them?

Also worth checking with MS and SA in debug mode by setting the flags in MailScanner.conf to see what's happening (or not) with the bayes stuff.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From esandquist at IHMS.NET Fri Jan 23 17:27:06 2004
From: esandquist at IHMS.NET (Eric Sandquist)
Date: Thu Jan 12 21:22:01 2006
Subject: Single instance Postfix install
In-Reply-To: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk>
Message-ID:

An update as to where we are now... Much improved, comments throughout the company, I guess I get to keep my job... Whew... :)

HW: Compaq Proliant 1600, Dual P2 500, 1024meg Ram, 5x9.1g Raid 5... I should have created a 2x9.1 striped, and a 3x9.1 raid 5... but hindsight...

Mandrake 8.2, Enterprise Kernel 2.4.18.6mdk
Postfix 2.0.10 from tar.gz
SpamAssassin 2.63 from tar.gz
MailScanner 2.54-5 from RPM
ClamAv-0.65 from tar.gz

Using DNS Caching... to minimize lookup times..
:) Currently have set at 5 processes per CPU... Finally got the header rules correct in post fix to dump all mail to the HOLD for processing by MailScanner, modified /etc/init.d/MailScanner for single instance of postfix... Using tmfs for /var/spool/MailScanner/incoming no RBL/DCC/or Razor... Reduced /home partition and allocated 1g to /tmp ( previously this was not on it's own partition and the "/" partiotion only had 24meg allocated to it... an obvous problem... (Acronis.com has a wonderful partition tool that allowed us to boot from a CD and adjust partition sizes and create new ones for ext3 and ReiserFS partision type, works on Microsoft[stool] servers as well, fast too...) Max message size is set for 10meg... Realestate brokers love to email excessively large documents, I may need to raise this (by management directive), but I hope not... Still looking for anything that will make it more efficient... and minimize memory usage... Processed about 40,000msg in last 24hrs... We were running a dual postfix installation, response time of the server was over 15minute to pass an email... Now under 2minutes.. :), memory was maxed and we had a constant swapfile of 90megs or larger with 512meg RAM at the time... When we upgraded the RAM to 1024meg, the system consumed all of it over a 40minute period... Seems as though there is a memory leak in one of apps for email, it didn't do this if email is off... Also, stopping and/or restarting email didn't return all the memory that appeared to be in use... I haven't rebooted the machine to clear all the memory since converting to a single instance of Postfix... Server load is at 3.4, used to be over 6 on a regular basis and climbing... Memory is at 96% with 14meg in Swap. Seems to be stable there... We'll see if it goes down when I get a chance to reboot. I have not gotten the bayes filters set to autolearn yet under postfix... 
and with some of the dictionary spam that is coming through I've a little nervous about having anything automated... I was intending on adding a hidden email link to our main webpage that would be something spam-spiders would grab and autofeed everything that came into it to sa-learn... Good idea? Bad idea? Does anyone know of any open issues with gzip or other "normal" tools that are commonly used in scanning email that may have memory leaks? I've been scanning my archives, I keep justabout everything that comes into me except spam, and seem to remember something about a malformed zip issue, but can't seem to find the reference... Anyway... so far so good... much better than yesterday when I dinged LILO when installing the enterprise kernel and the machine wouldn't come back up ..... Blood drains from face, suddenly dizzy and nautious, is this a good time to go home?... From support at EAGLE-ACCESS.NET Fri Jan 23 17:39:26 2004 From: support at EAGLE-ACCESS.NET (Eagle Net Support) Date: Thu Jan 12 21:22:01 2006 Subject: force filter of mqueue possible??? References: <401151E3.9D2B0A4C@eagle-access.net> <6.0.1.1.2.20040123170038.03e952f8@imap.ecs.soton.ac.uk> Message-ID: <40115C4E.C1DFC6A6@eagle-access.net> Sorry I mis-stated this question. The old pre MS mail is in /var/spool/mail with each file named to the user (ex. /var/spool/mail/support). The files in mqueue have two parts, dfi* and xfi*, likely one is an index headers and the other body of the text. Is there a way to port over /var/spool/mail/username to mqueue.in were it will build the dfi and xfi files??? thanks joe Julian Field wrote: > All you have to do is move the mail queue files into the incoming queue. > > As root, do this > > cd /var/spool/mqueue > mv * /var/spool/mqueue.in > > at which point MailScanner will pick it all up and scan it. > > At 16:54 23/01/2004, you wrote: > >Just brought up MS yesterday. 
> > > >Is there a way to force the mail left in /var/spool/mqueue to mqueue.in > >to scan the doodoo out of old pre MS mail?? > > > >Thanks > >joe > > > > > >-- > >This message has been scanned for viruses and > >dangerous content, and is believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content, and is believed to be clean. -- This message has been scanned for viruses and dangerous content, and is believed to be clean. From mkettler at EVI-INC.COM Fri Jan 23 17:49:09 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:01 2006 Subject: Bayes not being used In-Reply-To: <20040123092249.A27351@sthomas.net> References: <20040123092249.A27351@sthomas.net> Message-ID: <6.0.0.22.0.20040123124844.02631538@xanadu.evi-inc.com> At 12:22 PM 1/23/2004, Steve Thomas wrote: >I created two shared folders for the users to put their spam/ham into and >every hour, a cron job trains bayes with them and then deletes them. I >make sure to use the prefs-file= option with sa-learn, pointing it to >spam.assassin.prefs.conf. If I do a sa-learn --dump magic, I can see that >over 2700 spams have been learned from and over 500 hams - more than >enough for SA to start using bayes during processing. > >If I run a message through spamassassin from the command line (in debug >mode, again using the prefs-file option), I can see that it's using bayes, >so SA is doing what it should be. > >MS doesn't seem to use it, however. No BAYES_* tests are showing up in the >headers of any messages. I've linted the SA config and it's fine, and I've >restarted MS manually a couple of times. > >Any ideas? What's your bayes_path set to? It sounds like you're using different bayes DB files. 
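
The two checks suggested in this thread (which `bayes_path` the prefs file names, and whether the scanning user can write the Bayes files), as an added example that is not part of any poster's message. The function names, the placeholder prefs path and the `mailuser` account are assumptions; the database files are taken to be `<bayes_path>_toks` and `<bayes_path>_seen`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up for
# illustration. Mode-bit check only: ACLs and search permission on parent
# directories are not evaluated.

# Print the effective bayes_path (the last setting in the file wins).
bayes_path_from() {
    awk '$1 == "bayes_path" { p = $2 } END { if (p != "") print p }' "$1"
}

# perms_allow_write PERMS FILE_UID FILE_GID UID "GID ..."
# PERMS is the ls -l mode string (e.g. -rw-rw----). POSIX picks exactly one
# permission class: owner if the uid matches, else group, else other.
perms_allow_write() {
    [ "$4" -eq 0 ] && return 0            # root bypasses mode bits
    if [ "$4" -eq "$2" ]; then
        case $1 in ??w*) return 0 ;; *) return 1 ;; esac
    fi
    for paw_g in $5; do
        if [ "$paw_g" -eq "$3" ]; then
            case $1 in ?????w*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case $1 in ????????w*) return 0 ;; *) return 1 ;; esac
}

# check_bayes PREFS_FILE UID "GID ..."
# Returns 0 if the Bayes directory and database files are writable by that
# identity, 1 if something is missing or not writable, 2 if the prefs file
# sets no bayes_path.
check_bayes() {
    cb_base=$(bayes_path_from "$1")
    if [ -z "$cb_base" ]; then
        echo "no bayes_path in $1: each user falls back to a per-user database"
        return 2
    fi
    cb_uid=$2 cb_gids=$3 cb_rc=0
    # The directory must be writable too (lock and journal files live there).
    for cb_f in "$(dirname "$cb_base")" "${cb_base}_toks" "${cb_base}_seen"; do
        if [ ! -e "$cb_f" ]; then
            echo "MISSING       $cb_f"; cb_rc=1; continue
        fi
        set -- $(ls -ldn -- "$cb_f")      # $1=mode string, $3=uid, $4=gid
        if perms_allow_write "$1" "$3" "$4" "$cb_uid" "$cb_gids"; then
            echo "ok            $1 $3:$4 $cb_f"
        else
            echo "NOT WRITABLE  $1 $3:$4 $cb_f"; cb_rc=1
        fi
    done
    return "$cb_rc"
}

# Usage (placeholder path and account name):
#   check_bayes /path/to/spam.assassin.prefs.conf "$(id -u mailuser)" "$(id -G mailuser)"
```

A MISSING line for `_toks` points at Matt Kettler's explanation (sa-learn trained a different database); a NOT WRITABLE line points at Martin Hepworth's.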
From lists at STHOMAS.NET Fri Jan 23 17:55:43 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:01 2006
Subject: Bayes not being used
In-Reply-To: <401159E6.1050406@solid-state-logic.com>; from martinh@SOLID-STATE-LOGIC.COM on Fri, Jan 23, 2004 at 05:29:10PM +0000
References: <20040123092249.A27351@sthomas.net> <401159E6.1050406@solid-state-logic.com>
Message-ID: <20040123095543.B27351@sthomas.net>

On Fri, Jan 23, 2004 at 05:29:10PM +0000, Martin Hepworth is rumored to have said:
>
> SA 2.70 is the development version and will turn into 3.0 at some stage
> - could be unstable!

Could be, but historically I've had very good luck with the CVS versions of SA - and I like to live dangerously. ;)

> Anyway, have you checked the ownership/permissions of the bayes files to
> make sure that the MailScanner user can write to them?

I thought they were set sufficiently for the MS user to write to them, but I was wrong. Thanks for the tip - I'm feeling like a dork now since the problem was permissions... shoulda confirmed that they were proper before sending to the list...

> Also worth checking with MS and SA in debug mode by setting the flags
> in MailScanner.conf to see what's happening (or not) with the bayes stuff.

I had turned on the SA debug flag, but wasn't getting anything extra in syslog. The comments in the .conf file don't specify that both debugs need to be on in order to view the SA debug info - once I turned on the MS debugging, I saw right away that the problem was permissions on the bayes_* files.

Thanks again,
Steve

--
"Not everything that can be counted counts, and not everything that counts can be counted."
- Albert Einstein (1879-1955)

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 23 18:02:46 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:01 2006
Subject: Bayes not being used
In-Reply-To: <20040123095543.B27351@sthomas.net>
References: <20040123092249.A27351@sthomas.net> <401159E6.1050406@solid-state-logic.com> <20040123095543.B27351@sthomas.net>
Message-ID: <401161C6.3070700@solid-state-logic.com>

> I thought they were set sufficiently for the MS user to write to them, but I was wrong. Thanks for the tip - I'm feeling like a dork now since the problem was permissions... shoulda confirmed that they were proper before sending to the list...
>
>

had this one earlier in the week myself - thought it was worth a check.

>
>>Also worth checking with MS and SA in debug mode by setting the flags
>>in MailScanner.conf to see what's happening (or not) with the bayes stuff.
>
>
> I had turned on the SA debug flag, but wasn't getting anything extra in syslog. The comments in the .conf file don't specify that both debugs need to be on in order to view the SA debug info - once I turned on the MS debugging, I saw right away that the problem was permissions on the bayes_* files.
>
> Thanks again,
> Steve
>

you need to turn on the Debug AND the Spamassassin Debug flag then all sorts of things get dumped to the screen.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From kevins at BMRB.CO.UK Fri Jan 23 18:15:56 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:01 2006
Subject: force filter of mqueue possible???
In-Reply-To: <40115C4E.C1DFC6A6@eagle-access.net>
References: <401151E3.9D2B0A4C@eagle-access.net> <6.0.1.1.2.20040123170038.03e952f8@imap.ecs.soton.ac.uk> <40115C4E.C1DFC6A6@eagle-access.net>
Message-ID: <1074881759.8233.1.camel@bach.kevinspicer.co.uk>

On Fri, 2004-01-23 at 17:39, Eagle Net Support wrote:
> Sorry I mis-stated this question. The old pre MS mail is in /var/spool/mail
> with each file named to the user (ex. /var/spool/mail/support). The files
> in mqueue have two parts, dfi* and xfi*, likely one is an index headers and
> the other body of the text.
>
> Is there a way to port over /var/spool/mail/username to mqueue.in where it
> will build the dfi and xfi files???
>

Presumably your concern is to scan for viruses? In which case just scan all the mail files with your virus scanner (assuming your virus scanner has a suitable mode - for clam it's clamscan --mbox)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From support at EAGLE-ACCESS.NET Fri Jan 23 18:30:17 2004
From: support at EAGLE-ACCESS.NET (Eagle Net Support)
Date: Thu Jan 12 21:22:01 2006
Subject: force filter of mqueue possible???
References: <401151E3.9D2B0A4C@eagle-access.net> <6.0.1.1.2.20040123170038.03e952f8@imap.ecs.soton.ac.uk> <40115C4E.C1DFC6A6@eagle-access.net> <1074881759.8233.1.camel@bach.kevinspicer.co.uk> Message-ID: <40116839.C7447CBB@eagle-access.net> Kevin Spicer wrote: > On Fri, 2004-01-23 at 17:39, Eagle Net Support wrote: > > Sorry I mis-stated this question. The old pre MS mail is in /var/spool/mail > > with each file named to the user (ex. /var/spool/mail/support). The files > > in mqueue have two parts, dfi* and xfi*, likely one is an index headers and > > the other body of the text. > > > > Is there a way to port over /var/spool/mail/username to mqueue.in were it > > will build the dfi and xfi files??? > > > Presumably your concern is to scan for viruses? In which case just scan > all the mail files with your virus scanner (assuming you virus scanner > has a suitable mode - for clam its clamscan --mbox) No I'm going after spam in client boxes. There are a number of them with over 10Megs of mostly spam but with a few good mails. One has 60 Megs. I thought it would be nice to clean it for clients whom would otherwise probably loose some good mail because some are just too big to deal with conventional pop. thanks joe > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > > -- > This message has been scanned for viruses and > dangerous content, and is believed to be clean. 
-- This message has been scanned for viruses and dangerous content, and is believed to be clean. From cwharris at MORGAN.NET Fri Jan 23 19:23:23 2004 From: cwharris at MORGAN.NET (Chris Harris) Date: Thu Jan 12 21:22:01 2006 Subject: Blocking attachments, maybe subject line statement? References: <000801c3e1d2$9ff76c00$2105a8c0@delta> <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk> Message-ID: <000e01c3e1e6$6121d240$2105a8c0@delta> They are coming to my customers. The from address is different everytime. I have 3 diffent domain names and two of them are getting them. the only difference in wording is the domain. The email says this: Internet Billing Notice Please press "open" and read the attached Billing Notice. Note if you do not read this withing 24 hours we at morgan.net regret we will have to terminate internet service ----- Original Message ----- From: "Julian Field" To: Sent: Friday, January 23, 2004 11:06 AM Subject: Re: Blocking attachments, maybe subject line statement? > At 17:02 23/01/2004, you wrote: > >Apprently there is some new worm out that generates emails that appear to > >come from our billing department. I cant find anything on it anywhere, but > >the file that it has with it is a page.hta file. I want to block this > >email altogether, so what is the best way to go about doing that? I was > >going to black list them, but since it is apparently some kind of worm, > >its from all different sorts of people. What sort of action should I take > >with this? > > > >Chris > > If they have merely used your billing department's email address as the > "From" address in email they are sending, there is nothing you can do to > stop this propagating across the internet, as it never goes anywhere near > your servers. > > Using MailScanner's filename.rules.conf file you can block .hta files > coming into your site or leaving your site. It blocks them by default. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From pages at ntin.net Fri Jan 23 19:29:23 2004 From: pages at ntin.net (NTIN Page Guy) Date: Thu Jan 12 21:22:01 2006 Subject: Blocking attachments, maybe subject line statement? In-Reply-To: <000e01c3e1e6$6121d240$2105a8c0@delta> References: <000801c3e1d2$9ff76c00$2105a8c0@delta> <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk> <000e01c3e1e6$6121d240$2105a8c0@delta> Message-ID: <57422679.20040123132923@ntin.net> Hello Chris, I have see similar emails coming into my email server. We are running Communigate so I created a rule that blocked these subjects. Friday, January 23, 2004, you wrote: CH> They are coming to my customers. The from address is different everytime. I CH> have 3 diffent domain names and two of them are getting them. the only CH> difference in wording is the domain. The email says this: CH> Internet Billing Notice CH> Please press "open" and read the attached Billing Notice. CH> Note if you do not read this withing 24 hours we at morgan.net regret we CH> will have to terminate internet service CH> ----- Original Message ----- CH> From: "Julian Field" CH> To: CH> Sent: Friday, January 23, 2004 11:06 AM CH> Subject: Re: Blocking attachments, maybe subject line statement? >> At 17:02 23/01/2004, you wrote: >> >Apprently there is some new worm out that generates emails that appear to >> >come from our billing department. I cant find anything on it anywhere, CH> but >> >the file that it has with it is a page.hta file. I want to block this >> >email altogether, so what is the best way to go about doing that? I was >> >going to black list them, but since it is apparently some kind of worm, >> >its from all different sorts of people. What sort of action should I take >> >with this? 
>> > >> >Chris >> >> If they have merely used your billing department's email address as the >> "From" address in email they are sending, there is nothing you can do to >> stop this propagating across the internet, as it never goes anywhere near >> your servers. >> >> Using MailScanner's filename.rules.conf file you can block .hta files >> coming into your site or leaving your site. It blocks them by default. >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Best regards, Robert B, NTIN mailto:pages@ntin.net From peter at UCGBOOK.COM Fri Jan 23 19:41:24 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:01 2006 Subject: Blocking attachments, maybe subject line statement? In-Reply-To: <000e01c3e1e6$6121d240$2105a8c0@delta> References: <000801c3e1d2$9ff76c00$2105a8c0@delta> <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk> <000e01c3e1e6$6121d240$2105a8c0@delta> Message-ID: <401178E4.50903@ucgbook.com> Chris Harris wrote: > They are coming to my customers. The from address is different everytime. I > have 3 diffent domain names and two of them are getting them. the only With "from address", do you mean what you see in the client (headers) or what you see in the server log (envelope)? The From headers are usually random but not so with the envelope address. Can they really spam you from so many addresses? Check the logs for what address to blacklist if you haven't tried that already. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From mailscanner at ecs.soton.ac.uk Fri Jan 23 20:03:27 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: force filter of mqueue possible??? 
In-Reply-To: <40115C4E.C1DFC6A6@eagle-access.net> References: <401151E3.9D2B0A4C@eagle-access.net> <6.0.1.1.2.20040123170038.03e952f8@imap.ecs.soton.ac.uk> <40115C4E.C1DFC6A6@eagle-access.net> Message-ID: <6.0.1.1.2.20040123200148.03d1ee30@imap.ecs.soton.ac.uk> At 17:39 23/01/2004, you wrote: >Sorry I mis-stated this question. The old pre MS mail is in /var/spool/mail >with each file named to the user (ex. /var/spool/mail/support). The files >in mqueue have two parts, dfi* and xfi*, likely one is an index headers and >the other body of the text. They should be df* and qf* (df holds the message body and qf holds all the headers and state). Haven't seen a setup before that is like the one you describe. Can you effectively remail all the messages to the corresponding users? >Is there a way to port over /var/spool/mail/username to mqueue.in were it >will build the dfi and xfi files??? Haven't seen this setup before, sorry. >thanks >joe > >Julian Field wrote: > > > All you have to do is move the mail queue files into the incoming queue. > > > > As root, do this > > > > cd /var/spool/mqueue > > mv * /var/spool/mqueue.in > > > > at which point MailScanner will pick it all up and scan it. > > > > At 16:54 23/01/2004, you wrote: > > >Just brought up MS yesterday. > > > > > >Is there a way to force the mail left in /var/spool/mqueue to mqueue.in > > >to scan the doodoo out of old pre MS mail?? > > > > > >Thanks > > >joe > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content, and is believed to be clean. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content, and is believed to be clean. > > >-- >This message has been scanned for viruses and >dangerous content, and is believed to be clean. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From cwharris at MORGAN.NET Fri Jan 23 20:29:36 2004 From: cwharris at MORGAN.NET (Chris Harris) Date: Thu Jan 12 21:22:01 2006 Subject: Blocking attachments, maybe subject line statement? References: <000801c3e1d2$9ff76c00$2105a8c0@delta> <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk> <000e01c3e1e6$6121d240$2105a8c0@delta> <401178E4.50903@ucgbook.com> Message-ID: <004c01c3e1ef$9e6e2dc0$2105a8c0@delta> According to the server logs the envelope addresses are different everytime. I have 3 that I have found and they are all different. But everytime I have ran that IP address through Spamhaus, it has came back as listed. Which brings me to another question. Should I do my spamhaus checks through sendmail or mailscanner? ----- Original Message ----- From: "Peter Bonivart" To: Sent: Friday, January 23, 2004 1:41 PM Subject: Re: Blocking attachments, maybe subject line statement? > Chris Harris wrote: > > They are coming to my customers. The from address is different everytime. I > > have 3 diffent domain names and two of them are getting them. the only > > With "from address", do you mean what you see in the client (headers) or > what you see in the server log (envelope)? The From headers are usually > random but not so with the envelope address. Can they really spam you > from so many addresses? > > Check the logs for what address to blacklist if you haven't tried that > already. > > -- > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > From ugob at CAMO-ROUTE.COM Fri Jan 23 20:38:49 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:01 2006 Subject: Blocking attachments, maybe subject line statement? 
In-Reply-To: <004c01c3e1ef$9e6e2dc0$2105a8c0@delta> References: <000801c3e1d2$9ff76c00$2105a8c0@delta> <6.0.1.1.2.20040123170457.03eb1c58@imap.ecs.soton.ac.uk> <000e01c3e1e6$6121d240$2105a8c0@delta> <401178E4.50903@ucgbook.com> <004c01c3e1ef$9e6e2dc0$2105a8c0@delta> Message-ID: <40118659.30409@camo-route.com> Chris Harris wrote: >According to the server logs the envelope addresses are different everytime. >I have 3 that I have found and they are all different. But everytime I have >ran that IP address through Spamhaus, it has came back as listed. > >Which brings me to another question. Should I do my spamhaus checks through >sendmail or mailscanner? > > See http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/249.html >----- Original Message ----- >From: "Peter Bonivart" >To: >Sent: Friday, January 23, 2004 1:41 PM >Subject: Re: Blocking attachments, maybe subject line statement? > > > > >>Chris Harris wrote: >> >> >>>They are coming to my customers. The from address is different >>> >>> >everytime. I > > >>>have 3 diffent domain names and two of them are getting them. the only >>> >>> >>With "from address", do you mean what you see in the client (headers) or >>what you see in the server log (envelope)? The From headers are usually >>random but not so with the envelope address. Can they really spam you >>from so many addresses? >> >>Check the logs for what address to blacklist if you haven't tried that >>already. 
>> >>-- >>/Peter Bonivart >> >>--Unix lovers do it in the Sun >> >>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, >>SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP >> >> >> From ka at PACIFIC.NET Fri Jan 23 20:39:35 2004 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:22:01 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> Message-ID: <40118687.4080002@pacific.net> Can 'disarm' be used instead of 'striphtml' in spam.actions.rules? I assume the effect of 'disarm' is to neuter any potentially dangerous html tags & actions, while leaving formatting alone? Also, any thoughts on making 'notify' work in a daily digest fashion? Thanks, Ken Anderson Pacific.Net Julian Field wrote: > I have just release the latest beta version. It should be okay, but be very > careful with the new automatic bayes rebuilding feature. > > The main new changes are these: > > - Added "notify" Spam Action and High Scoring Spam Action. This will > cause a > short text notification message to be sent to the recipients of the spam > message. The filename of the report is set with the "Recipient Spam > Report" > configuration setting. There is also an MCP equivalent of this > functionality. See the MCP documentation for details of the settings. > - Added regular rebuild of Bayes database. > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to > configure the operation of the regular Bayes database rebuilds. > - Added "Log Non Spam" option to allow logging of all non-spam, which > can be > coerced into logging SpamAssassin scores of non-spam mail. > - Removed the "bounce" spam action. > > There are other changes as well, of course. Those above are the interesting > recent ones. See the > http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog > for more details. > > Download as usual from www.mailscanner.info. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From mailscanner at ecs.soton.ac.uk Fri Jan 23 21:06:33 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:01 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: <40118687.4080002@pacific.net> References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <40118687.4080002@pacific.net> Message-ID: <6.0.1.1.2.20040123210450.03f0a278@imap.ecs.soton.ac.uk> At 20:39 23/01/2004, you wrote: >Can 'disarm' be used instead of 'striphtml' in spam.actions.rules? No, it's just a possible way of getting rid of particular HTML tags (and it's not 100% effective either, as there are plenty of ways around it). >I assume the effect of 'disarm' is to neuter any potentially dangerous >html tags & actions, while leaving formatting alone? Correct, as far as it can be done. >Also, any thoughts on making 'notify' work in a daily digest fashion? I don't like the idea of having to implement daily digests, it is a lot of work to do properly, and mailing list managers do it quite nicely already. >Julian Field wrote: >>I have just release the latest beta version. It should be okay, but be very >>careful with the new automatic bayes rebuilding feature. >> >>The main new changes are these: >> >>- Added "notify" Spam Action and High Scoring Spam Action. This will >>cause a >> short text notification message to be sent to the recipients of the spam >> message. The filename of the report is set with the "Recipient Spam >>Report" >> configuration setting. There is also an MCP equivalent of this >> functionality. See the MCP documentation for details of the settings. >>- Added regular rebuild of Bayes database. >>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to >> configure the operation of the regular Bayes database rebuilds. 
>>- Added "Log Non Spam" option to allow logging of all non-spam, which >>can be >> coerced into logging SpamAssassin scores of non-spam mail. >>- Removed the "bounce" spam action. >> >>There are other changes as well, of course. Those above are the interesting >>recent ones. See the >>http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog >>for more details. >> >>Download as usual from www.mailscanner.info. >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brose at MED.WAYNE.EDU Fri Jan 23 21:27:16 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:02 2006 Subject: ANNOUNCE: Unstable 4.26.5 released Message-ID: I have log spam on I'm not seeing anything in the logs. I do see logging for non-spam if I turn that on, but nothing about spam nor the actions taken. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, January 23, 2004 7:30 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Unstable 4.26.5 released I have just release the latest beta version. It should be okay, but be very careful with the new automatic bayes rebuilding feature. The main new changes are these: - Added "notify" Spam Action and High Scoring Spam Action. This will cause a short text notification message to be sent to the recipients of the spam message. The filename of the report is set with the "Recipient Spam Report" configuration setting. There is also an MCP equivalent of this functionality. See the MCP documentation for details of the settings. - Added regular rebuild of Bayes database. 
- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to configure the operation of the regular Bayes database rebuilds. - Added "Log Non Spam" option to allow logging of all non-spam, which can be coerced into logging SpamAssassin scores of non-spam mail. - Removed the "bounce" spam action. There are other changes as well, of course. Those above are the interesting recent ones. See the http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog for more details. Download as usual from www.mailscanner.info. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 23 21:32:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: References: Message-ID: <6.0.1.1.2.20040123213119.03f1d828@imap.ecs.soton.ac.uk> Check your syslog.conf. Many people do this without problems. At 21:27 23/01/2004, you wrote: >I have log spam on I'm not seeing anything in the logs. I do see logging >for non-spam if I turn that on, but nothing about spam nor the actions >taken. > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Friday, January 23, 2004 7:30 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUNCE: Unstable 4.26.5 released > >I have just release the latest beta version. It should be okay, but be >very careful with the new automatic bayes rebuilding feature. > >The main new changes are these: > >- Added "notify" Spam Action and High Scoring Spam Action. This will >cause a > short text notification message to be sent to the recipients of the >spam > message. The filename of the report is set with the "Recipient Spam >Report" > configuration setting. There is also an MCP equivalent of this > functionality. See the MCP documentation for details of the settings. 
>- Added regular rebuild of Bayes database.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added "Log Non Spam" option to allow logging of all non-spam, which
>can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Removed the "bounce" spam action.
>
>There are other changes as well, of course. Those above are the
>interesting recent ones. See the
>http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog
>for more details.
>
>Download as usual from www.mailscanner.info.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Fri Jan 23 21:29:29 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:02 2006
Subject: Bayes expire timeouts?
Message-ID: <40119239.3010706@ucgbook.com>

I stopped the automatic token expire by adding "bayes_auto_expire 0" to
spam.assassin.prefs.conf. I instead run the following command from
crontab every night.

> Your "cron" job on kleenex
> /usr/local/bin/sa-learn --force-expire --rebuild
>
> produced the following output:
>
> ..
>
> ...........................................................................................................................................................................................................................................................synced
> Bayes databases from journal in 1 seconds: 2049 unique entries (3428
> total
> entries)
> expired old Bayes database entries in 35 seconds
> 165430 entries kept, 86110 deleted
> token frequency: 1-occurence tokens: 54.00%
> token frequency: less than 8 occurrences: 32.25%

As you can see it took 35 seconds to do the job. The SA timeout is 40
seconds so it's not unlikely that some of the SA timeouts are caused by
SA trying to expire tokens. Now I run this command during low traffic
hours to try to minimize the problem.

I have had the Bayes database get corrupt (or something) a couple of
times. Trying to access it causes the R/W error and rebuild doesn't
help; I have to do an import which fixes the database but I have to wait
for 200 spams before it starts scoring again.

Does anyone have more info about this? I think the Bayes scores are most
important and want it to work in a more reliable way.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From ka at PACIFIC.NET Fri Jan 23 21:29:33 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <6.0.1.1.2.20040123210450.03f0a278@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <40118687.4080002@pacific.net> <6.0.1.1.2.20040123210450.03f0a278@imap.ecs.soton.ac.uk>
Message-ID: <4011923D.9060807@pacific.net>

Julian Field wrote:
> At 20:39 23/01/2004, you wrote:
>
>> Can 'disarm' be used instead of 'striphtml' in spam.actions.rules?
>
>
> No, it's just a possible way of getting rid of particular HTML tags (and
> it's not 100% effective either, as there are plenty of ways around it).
>
>> I assume the effect of 'disarm' is to neuter any potentially dangerous
>> html tags & actions, while leaving formatting alone?
>
>
> Correct, as far as it can be done.
>
>> Also, any thoughts on making 'notify' work in a daily digest fashion?
>
>
> I don't like the idea of having to implement daily digests, it is a lot of
> work to do properly, and mailing list managers do it quite nicely already.

The notify function is probably not appropriate for this, but it got me
thinking again that it would be nice to have a daily email sent to users
who can scan a list of emails that MailScanner has quarantined. The list
would be clickable links to release individual messages from quarantine.
It would allow us to stop delivering low scoring spam, which is 99%
unwanted by users.

I guess I'm asking for a logging function that logs recipient, subject,
and the quarantined filename for each spam that is quarantined.

Thanks,
Ken Anderson

>> Julian Field wrote:
>>
>>> I have just released the latest beta version. It should be okay, but
>>> be very
>>> careful with the new automatic bayes rebuilding feature.
>>>
>>> The main new changes are these:
>>>
>>> - Added "notify" Spam Action and High Scoring Spam Action. This will
>>> cause a
>>>   short text notification message to be sent to the recipients of the
>>> spam
>>>   message. The filename of the report is set with the "Recipient Spam
>>> Report"
>>>   configuration setting. There is also an MCP equivalent of this
>>>   functionality. See the MCP documentation for details of the settings.
>>> - Added regular rebuild of Bayes database.
>>> - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>>>   configure the operation of the regular Bayes database rebuilds.
>>> - Added "Log Non Spam" option to allow logging of all non-spam, which
>>> can be
>>>   coerced into logging SpamAssassin scores of non-spam mail.
>>> - Removed the "bounce" spam action.
>>>
>>> There are other changes as well, of course. Those above are the
>>> interesting
>>> recent ones. See the
>>> http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog
>>> for more details.
>>>
>>> Download as usual from www.mailscanner.info.
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

From peter at UCGBOOK.COM Fri Jan 23 21:38:00 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <4011923D.9060807@pacific.net>
References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <40118687.4080002@pacific.net> <6.0.1.1.2.20040123210450.03f0a278@imap.ecs.soton.ac.uk> <4011923D.9060807@pacific.net>
Message-ID: <40119438.7060808@ucgbook.com>

Ken Anderson wrote:
> The notify function is probably not appropriate for this, but it got me
> thinking again that it would be nice to have a daily email sent to users
> who can scan a list of emails that MailScanner has quarantined.

In my humble opinion, MS is a real-time system. All kinds of summaries
are better done with other tools, like MailWatch for example. Shouldn't
be too hard to do your own script either, if you ask on the list someone
probably will share an already existing one.
--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From brose at MED.WAYNE.EDU Fri Jan 23 21:39:31 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
Message-ID:

But all I did was upgrade. It was working all along with the 4.25-14.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Friday, January 23, 2004 4:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Unstable 4.26.5 released

Check your syslog.conf. Many people do this without problems.

At 21:27 23/01/2004, you wrote:
>I have log spam on; I'm not seeing anything in the logs. I do see
>logging for non-spam if I turn that on, but nothing about spam nor the
>actions taken.
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Friday, January 23, 2004 7:30 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Unstable 4.26.5 released
>
>I have just released the latest beta version. It should be okay, but be
>very careful with the new automatic bayes rebuilding feature.
>
>The main new changes are these:
>
>- Added "notify" Spam Action and High Scoring Spam Action. This will
>cause a
>  short text notification message to be sent to the recipients of the
>spam
>  message. The filename of the report is set with the "Recipient Spam
>Report"
>  configuration setting. There is also an MCP equivalent of this
>  functionality. See the MCP documentation for details of the settings.
>- Added regular rebuild of Bayes database.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added "Log Non Spam" option to allow logging of all non-spam, which
>can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Removed the "bounce" spam action.
>
>There are other changes as well, of course. Those above are the
>interesting recent ones. See the
>http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog
>for more details.
>
>Download as usual from www.mailscanner.info.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at CARLO65.DE Sat Jan 24 08:50:03 2004
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:22:02 2006
Subject: SuSe?
In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407C133@dc012.corpdsg.com>
References: <3041D4D2B8A6F746AD9217BE05AE68C407C133@dc012.corpdsg.com>
Message-ID: <401231BB.7020508@carlo65.de>

Yes, on SuSE 7.3, 8.1 and 8.2

Ryan Finnesey wrote:
> Is anyone running Mail Scanner on SuSe?
>
>
> *Ryan Finnesey*
> *Diversified Solutions Group*
>
> *119 West 72 Street*
>
> *New York NY 10023*
> ryan.finnesey@corpdsg.com
> 212-920-0000
>
> 212-920-0001

From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 23 21:59:36 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:02 2006
Subject: Extending it - was RE: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <40119438.7060808@ucgbook.com>
Message-ID:

>
>
> Ken Anderson wrote:
> > The notify function is probably not appropriate for this, but it got me
> > thinking again that it would be nice to have a daily email sent to users
> > who can scan a list of emails that MailScanner has quarantined.
>
> In my humble opinion, MS is a real-time system.
> All kinds of summaries
> are better done with other tools, like MailWatch for example. Shouldn't
> be too hard to do your own script either, if you ask on the list someone
> probably will share an already existing one.

I agree. Julian's software is excellent at what it does. You can build
extensions/plugins that offer the kind of functionality that some users
need, but incorporating them directly would be a bad idea, as a lot of
people do not need or want them.

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From mkettler at EVI-INC.COM Fri Jan 23 22:11:47 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20040123170222.02518e40@xanadu.evi-inc.com>

At 07:29 AM 1/23/2004, you wrote:
>- Added "Log Non Spam" option to allow logging of all non-spam, which can be
>  coerced into logging SpamAssassin scores of non-spam mail.

Ahh, thank you Julian! This will be very useful indeed when doing system
tweaking/tuning.

>- Removed the "bounce" spam action.

And a most definite thank you for removing the bounce option. It was, at
best, horrifyingly broken but looked attractive to the unwary.

Also an important note from the Change Log Julian left out:

- Added my Amazon.co.uk "wish list" to the donations page.

:)

From brose at MED.WAYNE.EDU Fri Jan 23 22:18:48 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
Message-ID:

Yep, if I switch back to 4.25-14, spam logging is working; if I switch to
4.26.5, it's not, on the same box.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Rose, Bobby
Sent: Friday, January 23, 2004 4:40 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Unstable 4.26.5 released

But all I did was upgrade. It was working all along with the 4.25-14.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Friday, January 23, 2004 4:32 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Unstable 4.26.5 released

Check your syslog.conf. Many people do this without problems.

At 21:27 23/01/2004, you wrote:
>I have log spam on; I'm not seeing anything in the logs. I do see
>logging for non-spam if I turn that on, but nothing about spam nor the
>actions taken.
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Friday, January 23, 2004 7:30 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Unstable 4.26.5 released
>
>I have just released the latest beta version. It should be okay, but be
>very careful with the new automatic bayes rebuilding feature.
>
>The main new changes are these:
>
>- Added "notify" Spam Action and High Scoring Spam Action. This will
>cause a
>  short text notification message to be sent to the recipients of the
>spam
>  message. The filename of the report is set with the "Recipient Spam
>Report"
>  configuration setting. There is also an MCP equivalent of this
>  functionality. See the MCP documentation for details of the settings.
>- Added regular rebuild of Bayes database.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added "Log Non Spam" option to allow logging of all non-spam, which
>can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Removed the "bounce" spam action.
>
>There are other changes as well, of course.
>Those above are the
>interesting recent ones. See the
>http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog
>for more details.
>
>Download as usual from www.mailscanner.info.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From danw at NORCOMCABLE.CA Fri Jan 23 22:49:30 2004
From: danw at NORCOMCABLE.CA (Dan Williamson)
Date: Thu Jan 12 21:22:02 2006
Subject: IPBlock cronjob doesn't clear blocked IP's in 4.25-14
Message-ID: <200401232249.i0NMnUwE018571@lynx.norcomcable.ca>

After upgrading one of my mail servers to 4.25-14 and enabling IPBlock I
have noticed that blocked IP addresses are not being cleared from
sendmail's rules.

When I run makemap on the IPBlock.db file I can see the IP being removed
after the cronjob runs.

I use deny.db rather than access.db.

I changed the IPBlock.pl cron to,
   my $AccessDB = '/etc/mail/deny.db';
As well, I modified the CustomConfig.pm file to,
   my $AccessDB = '/etc/mail/deny.db';

After the cronjob runs I can see that the deny.db has been altered by the
date change, but the offending IP is still in the deny.db file. If I run
makemap manually on the deny database the IP address is once again allowed
to relay.

I have another server that runs 4.24-5, although quite a different set-up it
works flawlessly using the deny.db.

Any ideas what I may have missed?

regards,
-dan

From ka at PACIFIC.NET Fri Jan 23 23:25:45 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <40119438.7060808@ucgbook.com>
References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <40118687.4080002@pacific.net> <6.0.1.1.2.20040123210450.03f0a278@imap.ecs.soton.ac.uk> <4011923D.9060807@pacific.net> <40119438.7060808@ucgbook.com>
Message-ID: <4011AD79.2030403@pacific.net>

The script that processes the log would be entirely separate from
MailScanner of course, like antivirus updates, generating whitelists etc.
I think I'm just talking about a patch to the logging that MS already
does to log recipient, subject and msg id for low scoring spam to support
this. I'll post it for others if I get it working. I haven't looked at
the code yet, so I'm not sure those things are even available in that
part of the process. If anyone else has already done this, please chime
in.

Thanks,
Ken Anderson

Peter Bonivart wrote:
> Ken Anderson wrote:
>
>> The notify function is probably not appropriate for this, but it got me
>> thinking again that it would be nice to have a daily email sent to users
>> who can scan a list of emails that MailScanner has quarantined.
>
>
> In my humble opinion, MS is a real-time system. All kinds of summaries
> are better done with other tools, like MailWatch for example. Shouldn't
> be too hard to do your own script either, if you ask on the list someone
> probably will share an already existing one.
>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP
>
>

From jvane at INVITATION.ORG Sat Jan 24 00:50:04 2004
From: jvane at INVITATION.ORG (Jim VanEtten)
Date: Thu Jan 12 21:22:02 2006
Subject: Mailscanner getting bypassed and Sendmail still delivering mail.
Message-ID: <4011C13C.3050909@invitation.org>

Red Hat Enterprise Linux ES release 2.1 (Panama)
Perl version 5.6.1 built for i386-linux
MailScanner version 4.25-14
SpamAssassin version : None yet
New RPM install

Step 1: I have tested sendmail and it works
Step 2: I installed Mailscanner and started it up. There are no errors
in the log file. Email still gets delivered via sendmail as if
Mailscanner was not there. There are no header files for MailScanner.

I have installed Mailscanner successfully on Fedora core 1 and Redhat
7.0 with no problems. Can someone help me out with what I could be doing
wrong.

Thanks
Jim

From michele at BLACKNIGHTSOLUTIONS.COM Sat Jan 24 02:37:45 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:02 2006
Subject: Mailscanner getting bypassed and Sendmail still delivering mail.
In-Reply-To: <4011C13C.3050909@invitation.org>
Message-ID:

Have you turned off sendmail as per the instructions in the installation?

If you run:
tail -f /var/log/maillog

after doing:
/etc/rc.d/init.d/MailScanner restart

Do you see any errors?

I suspect that you may have sendmail running as well as MailScanner

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jim VanEtten
> Sent: 24 January 2004 00:50
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Mailscanner getting bypassed and Sendmail still delivering
> mail.
>
>
> Red Hat Enterprise Linux ES release 2.1 (Panama)
> Perl version 5.6.1 built for i386-linux
> MailScanner version 4.25-14
> SpamAssassin version : None yet
> New RPM install
>
> Step 1: I have tested sendmail and it works
> Step 2: I installed Mailscanner and started it up. There are no errors
> in the log file.
> Email still gets delivered via sendmail as if
> Mailscanner was not there. There are no header files for MailScanner.
>
> I have installed Mailscanner successfully on Fedora core 1 and Redhat
> 7.0 with no problems. Can someone help me out with what I could be doing
> wrong.
>
> Thanks
> Jim
>

From jvane at INVITATION.ORG Sat Jan 24 02:43:55 2004
From: jvane at INVITATION.ORG (Jim VanEtten)
Date: Thu Jan 12 21:22:02 2006
Subject: Mailscanner getting bypassed and Sendmail still delivering mail.
In-Reply-To:
References:
Message-ID: <4011DBEB.8030408@invitation.org>

I have disabled the sendmail automatic startup and I let mailscanner
start it up on its own as per the instructions.

service sendmail stop
chkconfig sendmail off
chkconfig --level 2345 MailScanner on
service MailScanner start

MailScanner does kick off 2 instances of sendmail just like it does in
my successful installations. There are no errors in my maillog or
messages log.

Thanks
Jim

Michele Neylon :: Blacknight Solutions wrote:

>Have you turned off sendmail as per the instructions in the installation?
>
>If you run:
>tail -f /var/log/maillog
>
>after doing:
>/etc/rc.d/init.d/MailScanner restart
>
>Do you see any errors?
>
>I suspect that you may have sendmail running as well as MailScanner
>
>Michele
>
>Mr. Michele Neylon
>Blacknight Internet Solutions Ltd
>http://www.blacknightsolutions.ie/
>http://www.search.ie/
>Tel. + 353 (0)59 9137101
>Lowest price domains in Ireland
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Jim VanEtten
>>Sent: 24 January 2004 00:50
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Mailscanner getting bypassed and Sendmail still delivering
>>mail.
>>
>>
>>Red Hat Enterprise Linux ES release 2.1 (Panama)
>>Perl version 5.6.1 built for i386-linux
>>MailScanner version 4.25-14
>>SpamAssassin version : None yet
>>New RPM install
>>
>>Step 1: I have tested sendmail and it works
>>Step 2: I installed Mailscanner and started it up. There are no errors
>>in the log file. Email still gets delivered via sendmail as if
>>Mailscanner was not there. There are no header files for MailScanner.
>>
>>I have installed Mailscanner successfully on Fedora core 1 and Redhat
>>7.0 with no problems. Can someone help me out with what I could be doing
>>wrong.
>>
>>Thanks
>>Jim
>>
>>
>>

From ryan.finnesey at CORPDSG.COM Sat Jan 24 05:03:23 2004
From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey)
Date: Thu Jan 12 21:22:02 2006
Subject: SuSe?
Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407C133@dc012.corpdsg.com>

Is anyone running Mail Scanner on SuSe?

Ryan Finnesey
Diversified Solutions Group
119 West 72 Street
New York NY 10023
ryan.finnesey@corpdsg.com
212-920-0000
212-920-0001

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040124/8c75b9b7/attachment.html

From rob at RJKEELING.FREESERVE.CO.UK Sat Jan 24 10:28:40 2004
From: rob at RJKEELING.FREESERVE.CO.UK (Rob Keeling)
Date: Thu Jan 12 21:22:02 2006
Subject: SuSe?
References: <3041D4D2B8A6F746AD9217BE05AE68C407C133@dc012.corpdsg.com>
Message-ID: <002001c3e264$d5e49440$1c00000a@RJKLAPTOP>

----- Original Message -----
>From: Ryan Finnesey
>To: MAILSCANNER@JISCMAIL.AC.UK
>Sent: Saturday, January 24, 2004 5:03 AM
>Subject: SuSe?
>
>
>Is anyone running Mail Scanner on SuSe?

Which version of SuSE?

We have it running with postfix on both SuSE 8.1 & 8.2.

Rob Keeling
Network Manager
Queen Elizabeth's Grammar School

>
>
>
>Ryan Finnesey
>Diversified Solutions Group
>119 West 72 Street
>New York NY 10023
>ryan.finnesey@corpdsg.com
>212-920-0000
>212-920-0001

From michele at BLACKNIGHTSOLUTIONS.COM Sat Jan 24 10:31:22 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:02 2006
Subject: Mailscanner getting bypassed and Sendmail still delivering mail.
In-Reply-To: <4011DBEB.8030408@invitation.org>
Message-ID:

Very odd

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Jim VanEtten
> Sent: 24 January 2004 02:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailscanner getting bypassed and Sendmail still delivering
> mail.
>
>
> I have disabled the sendmail automatic startup and I let mailscanner
> start it up on its own as per the instructions.
>
> service sendmail stop
> chkconfig sendmail off
> chkconfig --level 2345 MailScanner on
> service MailScanner start
>
> MailScanner does kick off 2 instances of sendmail just like it does in
> my successful installations. There are no errors in my maillog or
> messages log.
>
> Thanks
> Jim
>
> Michele Neylon :: Blacknight Solutions wrote:
>
> >Have you turned off sendmail as per the instructions in the installation?
> >
> >If you run:
> >tail -f /var/log/maillog
> >
> >after doing:
> >/etc/rc.d/init.d/MailScanner restart
> >
> >Do you see any errors?
> >
> >I suspect that you may have sendmail running as well as MailScanner
> >
> >Michele
> >
> >Mr. Michele Neylon
> >Blacknight Internet Solutions Ltd
> >http://www.blacknightsolutions.ie/
> >http://www.search.ie/
> >Tel.
> >+ 353 (0)59 9137101
> >Lowest price domains in Ireland
> >
> >
> >
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >>Behalf Of Jim VanEtten
> >>Sent: 24 January 2004 00:50
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: Mailscanner getting bypassed and Sendmail still delivering
> >>mail.
> >>
> >>
> >>Red Hat Enterprise Linux ES release 2.1 (Panama)
> >>Perl version 5.6.1 built for i386-linux
> >>MailScanner version 4.25-14
> >>SpamAssassin version : None yet
> >>New RPM install
> >>
> >>Step 1: I have tested sendmail and it works
> >>Step 2: I installed Mailscanner and started it up. There are no errors
> >>in the log file. Email still gets delivered via sendmail as if
> >>Mailscanner was not there. There are no header files for MailScanner.
> >>
> >>I have installed Mailscanner successfully on Fedora core 1 and Redhat
> >>7.0 with no problems. Can someone help me out with what I could be doing
> >>wrong.
> >>
> >>Thanks
> >>Jim
> >>
> >>
> >>
>

From mailscanner at ecs.soton.ac.uk Sat Jan 24 10:51:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:02 2006
Subject: IPBlock cronjob doesn't clear blocked IP's in 4.25-14
In-Reply-To: <200401232249.i0NMnUwE018571@lynx.norcomcable.ca>
References: <200401232249.i0NMnUwE018571@lynx.norcomcable.ca>
Message-ID: <6.0.1.1.2.20040124105037.03c1a898@imap.ecs.soton.ac.uk>

The block removal is done by the cron job. Please can you diff the old
cron job (that works) and the new one (that doesn't) to see if there are
any differences.

At 22:49 23/01/2004, you wrote:
>After upgrading one of my mail servers to 4.25-14 and enabling IPBlock I
>have noticed that blocked IP addresses are not being cleared from sendmail's
>rules.
>
>When I run makemap on the IPBlock.db file I can see the IP being removed
>after the cronjob runs.
>
>I use deny.db rather than access.db.
>
>I changed the IPBlock.pl cron to,
>   my $AccessDB = '/etc/mail/deny.db';
>As well, I modified the CustomConfig.pm file to,
>   my $AccessDB = '/etc/mail/deny.db';
>
>After the cronjob runs I can see that the deny.db has been altered by the
>date change, but the offending IP is still in the deny.db file. If I run
>makemap manually on the deny database the IP address is once again allowed
>to relay.
>
>I have another server that runs 4.24-5, although quite a different set-up it
>works flawlessly using the deny.db.
>
>Any ideas what I may have missed?
>
>regards,
>-dan

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Jan 24 10:49:46 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040124104615.0413e2b0@imap.ecs.soton.ac.uk>

I just tested this and it seemed to work okay. Slight bug though, edit
Message.pm and change line 449 to
  if (($LogSpam && $this->{isspam}) || ($LogNonSpam && !$this->{isspam})) {
See if that fixes your problem.

Is anyone else seeing the same problem?

At 22:18 23/01/2004, you wrote:
>Yep, if I switch back to 4.25-14, spam logging is working; if I switch to
>4.26.5, it's not, on the same box.
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Rose, Bobby
>Sent: Friday, January 23, 2004 4:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: ANNOUNCE: Unstable 4.26.5 released
>
>But all I did was upgrade. It was working all along with the 4.25-14.
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Friday, January 23, 2004 4:32 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: ANNOUNCE: Unstable 4.26.5 released
>
>Check your syslog.conf. Many people do this without problems.
>
>At 21:27 23/01/2004, you wrote:
> >I have log spam on; I'm not seeing anything in the logs. I do see
> >logging for non-spam if I turn that on, but nothing about spam nor the
> >actions taken.
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >Behalf Of Julian Field
> >Sent: Friday, January 23, 2004 7:30 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: ANNOUNCE: Unstable 4.26.5 released
> >
> >I have just released the latest beta version. It should be okay, but be
> >very careful with the new automatic bayes rebuilding feature.
> >
> >The main new changes are these:
> >
> >- Added "notify" Spam Action and High Scoring Spam Action. This will
> >cause a
> >  short text notification message to be sent to the recipients of the
> > >spam
> >  message. The filename of the report is set with the "Recipient Spam
> > >Report"
> >  configuration setting. There is also an MCP equivalent of this
> >  functionality. See the MCP documentation for details of the
>settings.
> >- Added regular rebuild of Bayes database.
> >- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options
>to
> >  configure the operation of the regular Bayes database rebuilds.
> >- Added "Log Non Spam" option to allow logging of all non-spam, which
> >can be
> >  coerced into logging SpamAssassin scores of non-spam mail.
> >- Removed the "bounce" spam action.
> >
> >There are other changes as well, of course. Those above are the
> >interesting recent ones. See the
> >http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog
> >for more details.
> >
> >Download as usual from www.mailscanner.info.
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz MailScanner thanks
>transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD
>E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Sat Jan 24 12:23:14 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:02 2006
Subject: ANNOUNCE: Unstable 4.26.5 released
In-Reply-To: <6.0.1.1.2.20040124104615.0413e2b0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Message.pm and change line 449 to
>   if (($LogSpam && $this->{isspam}) || ($LogNonSpam && !$this->{isspam})) {
> See if that fixes your problem.
>
> Is anyone else seeing the same problem?

I just upgraded to 4.26.5-1 and I see non spam logged just fine, also
without the modifications above.

Jan 24 13:21:09 vmx02 MailScanner[11170]: Message 1AkMmV-0002v7-90 from 213.73.255.38 (emilysl@aol.com) to ???????.?? is spam, SpamAssassin (score=19.684, required 5, BAYES_70 2.25, BIZ_TLD 0.10, CLICK_BELOW 0.10, DATE_IN_FUTURE_03_06 1.93, FORGED_OUTLOOK_TAGS 1.00, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 1.23, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59, PENIS_ENLARGE 2.69, SORTED_RECIPS 2.70, USERPASS 3.81)
Jan 24 13:21:49 vmx02 MailScanner[11154]: RBL checks: 1AkMnL-0002xu-Gb found in NJABL, SORBS-DNSBL, DSBL
Jan 24 13:22:00 vmx02 MailScanner[11154]: Message 1AkMnL-0002xu-Gb from 200.57.6.239 (fabiolacastillo_mid@hotmail.com) to ???????.??
is spam, NJABL, SORBS-DNSBL, DSBL I did not turn on Log Non Spam = yes, perhaps it's a combination thing. But a straight upgrade didn't break. Bye, Raymond. From raymond at PROLOCATION.NET Sat Jan 24 12:30:21 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:02 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: Message-ID: Hi! > Jan 24 13:21:49 vmx02 MailScanner[11154]: RBL checks: 1AkMnL-0002xu-Gb > found in NJABL, SORBS-DNSBL, DSBL > Jan 24 13:22:00 vmx02 MailScanner[11154]: Message 1AkMnL-0002xu-Gb from > 200.57.6.239 (fabiolacastillo_mid@hotmail.com) to ???????.?? is > spam, NJABL, SORBS-DNSBL, DSBL > > I did not turn on Log Non Spam = yes, perhaps it's a combination thing. Quick test with the 'Log Non Spam = yes' running: Jan 24 13:27:06 vmx02 MailScanner[11952]: Message 1AkMra-00035h-5t from 213.73.255.38 (hbkaohtehhpke@el-nacional.com) to ???????.?? is not spam, SpamAssassin (score=-4.8, required 5, BAYES_00 -4.90, HTML_MESSAGE 0.10) Jan 24 13:27:07 vmx02 MailScanner[12045]: Message 1AkMry-00038V-Df from 213.73.255.243 (ggnw66@webmail.com.tw) to ???????.?? is spam, SpamAssassin (score=6.57, required 5, BAYES_50 0.00, BIZ_TLD 0.10, DCC_CHECK 2.91, FORGED_MUA_OUTLOOK 2.57, FROM_ENDS_IN_NUMS 0.99) Both are logged just fine it seems. Turning the non spam logging off again now, it's flooding my logs :) Bye, Raymond. From mike at ZANKER.ORG Sat Jan 24 13:45:47 2004 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:22:02 2006 Subject: Mailscanner getting bypassed and Sendmail still delivering mail. In-Reply-To: <4011DBEB.8030408@invitation.org> References: <4011DBEB.8030408@invitation.org> Message-ID: <608569656.1074951947@jemima.zanker.org> On 23 January 2004 21:43 -0500 Jim VanEtten wrote: > I have disabled the sendmail automatic startup and I let mailscanner > start it up on its own as per the instructions.
> > service sendmail stop > chkconfig sendmail off > chkconfig --level 2345 MailScanner on > service MailScanner start > > MailScanner does kick off 2 instances of sendmail just like it does in > my successful installations. There are no errors in my maillog or > messages log. It's certainly not a problem with Panama - I'm running MailScanner and SA on Panama without any problems. Mike. From mailscanner at ecs.soton.ac.uk Sat Jan 24 15:33:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: <6.0.0.22.0.20040123170222.02518e40@xanadu.evi-inc.com> References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040123170222.02518e40@xanadu.evi-inc.com> Message-ID: <6.0.1.1.2.20040124152847.03ad7de8@imap.ecs.soton.ac.uk> At 22:11 23/01/2004, you wrote: Also an important note from the Change Log Julian left out: >- Added my Amazon.co.uk "wish list" to the donations page. :o) I am planning on releasing 4.26 stable next weekend. If there are any requests which I haven't already responded to, or extras/changes that you would like to see, please tell me now, not at the end of the week :) Also, if you could test out the new features in 4.26 before then, that would really help. Everything should be okay except this one, which I have just fixed: * If you have LogSpam=no and LogNonSpam=yes, then spam will still be logged. Any other obvious bugs I should know about? 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From danw at NORCOMCABLE.CA Sat Jan 24 15:37:33 2004 From: danw at NORCOMCABLE.CA (Dan Williamson) Date: Thu Jan 12 21:22:02 2006 Subject: IPBlock cronjob doesn't clear blocked IP's in 4.25-14 - resolved In-Reply-To: <6.0.1.1.2.20040124105037.03c1a898@imap.ecs.soton.ac.uk> Message-ID: After scrutinizing the cronjob I noticed I had made a typo on my $Refusal line... oops. Thanks for this great feature it is proving extremely valuable for us. regards, -dan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: January 24, 2004 4:51 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: IPBlock cronjob doesn't clear blocked IP's in 4.25-14 The block removal is done by the cron job. Please can you diff the old cron job (that works) and the new one (that doesn't) to see if there are any differences. At 22:49 23/01/2004, you wrote: >After upgrading one of my mail servers to 4.25-14 and enabling IPBlock I >have noticed that blocked IP addresses are not being cleared from sendmails >rules. > >When I run makemap on the IPBlock.db file I can see the IP being removed >after the cronjob runs. > >I use deny.db rather than access.db. > >I changed the IPBlock.pl cron to, > my $AccessDB = '/etc/mail/deny.db'; >As well, I modified the CustomConfig.pm file to, > my $AccessDB = '/etc/mail/deny.db'; > >After the cronjob runs I can see that the deny.db has been altered by the >date change, but the offending IP is still in the deny.db file. If I run >makemap manually on the deny database the IP address is once again allowed >to relay. > >I have another server that runs 4.24-5, although quite a different set-up it >works flawless using the deny.db. > >Any ideas what I may have missed? 
> >regards, >-dan -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dot at DOTAT.AT Sat Jan 24 19:19:44 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:02 2006 Subject: Mailscanner and memory resources In-Reply-To: Message-ID: "Rose, Bobby" wrote: > I've started using some of the SA ruleset like tripwire, bigevil and >such. In doing so, I'm finding that the size of the MailScanner >processes increase dramatically because each MailScanner process is >essentially its own SA process and loads all the configs and rules it >needs. Wouldn't it be better to just have MailScanner make calls to >spamd thus reducing the amount of resources? I believe spamd forks in order to implement concurrent message handling, so using spamd will increase memory usage because of the lack of sharing of Perl infrastructure between MailScanner and SpamAssassin. Tony. -- f.a.n.finch http://dotat.at/ HEBRIDES: SOUTHWESTERLY 6 OR 7, OCCASIONALLY GALE 8. SQUALLY SHOWERS. MODERATE OR GOOD. From danielk at AVALONPUB.COM Sat Jan 24 23:50:35 2004 From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:02 2006 Subject: Mailscanner getting bypassed and Sendmail still delivering mail. In-Reply-To: <4011C13C.3050909@invitation.org> References: <4011C13C.3050909@invitation.org> Message-ID: <401304CB.4080807@avalonpub.com> Is it possible you have a backup mx host that's somehow bypassing your MailScanner installation? I guess some setups allow backup mxs to deliver directly to user mailboxes and if there's no MS on the backup then the emails don't get scanned. Spammers often deliver to backup mxs, even when the primary mx is up, for just that reason.
Daniel Jim VanEtten wrote: >Red Hat Enterprise Linux ES release 2.1 (Panama) >Perl version 5.6.1 built for i386-linux >MailScanner version 4.25-14 >SpamAssassin version : None yet >New RPM install > >Step 1: I have tested sendmail and it works >Step 2: I installed Mailscanner and started it up. There are no errors >in the log file. Email still gets delivered via sendmail as if >Mailscanner was not there. There are no header files for MailScanner. > >I have installed Mailscanner successfully on Fedora core 1 and Redhat >7.0 with no problems. Can someone help me out with what I could be doing >wrong. > >Thanks >Jim > > From jvane at INVITATION.ORG Sat Jan 24 23:36:24 2004 From: jvane at INVITATION.ORG (Jim Van Etten) Date: Thu Jan 12 21:22:02 2006 Subject: Mailscanner getting bypassed and Sendmail still delivering mail. In-Reply-To: <401304CB.4080807@avalonpub.com> References: <4011C13C.3050909@invitation.org> <401304CB.4080807@avalonpub.com> Message-ID: <40130178.3000205@invitation.org> I am not sure what it was but I have upgraded to Redhat Enterprise Version 3 and everything is working great now. Daniel Kleinsinger wrote: > Is it possible you have a backup mx host that's somehow bypassing your > MailScanner installation? I guess some setups allow backup mxs to > deliver directly to user mailboxes and if there's no MS on the backup > then the emails don't get scanned. Spammers often deliver to backup > mxs, even when the primary mx is up, for just that reason. > > Daniel > > Jim VanEtten wrote: > >> Red Hat Enterprise Linux ES release 2.1 (Panama) >> Perl version 5.6.1 built for i386-linux >> MailScanner version 4.25-14 >> SpamAssassin version : None yet >> New RPM install >> >> Step 1: I have tested sendmail and it works >> Step 2: I installed Mailscanner and started it up. There are no errors >> in the log file. Email still gets delivered via sendmail as if >> Mailscanner was not there. There are no header files for MailScanner.
>> >> I have installed Mailscanner successfully on Fedora core 1 and Redhat >> 7.0 with no problems. Can someone help me out with what I could be doing >> wrong. >> >> Thanks >> Jim >> >> From gdoris at ROGERS.COM Sun Jan 25 04:31:15 2004 From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:02 2006 Subject: MailWatch - Database Ping Error? Message-ID: I upgraded my server from RH9 to Fedora this evening and have run into a minor problem. I'm now seeing entries in /var/log/maillog that state "Database ping failure, attempting to reconnect". There aren't that many of them but I can't understand where they're coming from. Has anyone noticed anything like this? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From ryan.finnesey at CORPDSG.COM Sun Jan 25 06:53:47 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:22:02 2006 Subject: SuSe? Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407C14C@dc012.corpdsg.com> I was going to install it on 9.0 Ryan > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Keeling > Sent: Saturday, January 24, 2004 5:29 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SuSe? > > ----- Original Message ----- > >From: Ryan Finnesey > >To: MAILSCANNER@JISCMAIL.AC.UK > >Sent: Saturday, January 24, 2004 5:03 AM > >Subject: SuSe? > > > > > >Is anyone running Mail Scanner on SuSe? > > Which version of SuSE? We have it running with postfix on > both SuSE 8.1 & 8.2. > > Rob Keeling > Network Manager > Queen Elizabeth`s Grammar School > > > > > > > > >Ryan Finnesey > >Diversified Solutions Group > >119 West 72 Street > >New York NY 10023 > >: ryan.finnesey@corpdsg.com > >( 212-920-0000 > >2 212-920-0001 > > From gdoris at ROGERS.COM Sun Jan 25 08:03:20 2004 From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:02 2006 Subject: MailWatch - Database Ping Error? 
In-Reply-To: References: Message-ID: On Sat, 24 Jan 2004, Gerry Doris wrote: > I upgraded my server from RH9 to Fedora this evening and have run into a > minor problem. > > I'm now seeing entries in /var/log/maillog that state "Database ping > failure, attempting to reconnect". There aren't that many of them but I > can't understand where they're coming from. > > Has anyone noticed anything like this? > > -- > Gerry I hate to answer my own question but just after I sent the message I found the solution in the archives. DBD-mysql was at too high a level after the upgrade. I moved it back to DBD-mysql-2.1028 and the problem went away. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mailscanner at ecs.soton.ac.uk Sun Jan 25 11:43:34 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: SuSe? In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407C14C@dc012.corpdsg.com> References: <3041D4D2B8A6F746AD9217BE05AE68C407C14C@dc012.corpdsg.com> Message-ID: <6.0.1.1.2.20040125114310.037b1aa0@imap.ecs.soton.ac.uk> There haven't been any reports of it not working, so how about you give it a try? At 06:53 25/01/2004, you wrote: >I was going to install it on 9.0 > >Ryan > > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Keeling > > Sent: Saturday, January 24, 2004 5:29 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SuSe? > > > > ----- Original Message ----- > > >From: Ryan Finnesey > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Sent: Saturday, January 24, 2004 5:03 AM > > >Subject: SuSe? > > > > > > > > >Is anyone running Mail Scanner on SuSe? > > > > Which version of SuSE? We have it running with postfix on > > both SuSE 8.1 & 8.2. 
> > > > Rob Keeling > > Network Manager > > Queen Elizabeth`s Grammar School > > > > > > > > > > > > > >Ryan Finnesey > > >Diversified Solutions Group > > >119 West 72 Street > > >New York NY 10023 > > >: ryan.finnesey@corpdsg.com > > >( 212-920-0000 > > >2 212-920-0001 > > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From P.G.M.Peters at utwente.nl Sun Jan 25 12:51:16 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:02 2006 Subject: SuSe? In-Reply-To: <6.0.1.1.2.20040125114310.037b1aa0@imap.ecs.soton.ac.uk> References: <3041D4D2B8A6F746AD9217BE05AE68C407C14C@dc012.corpdsg.com> <6.0.1.1.2.20040125114310.037b1aa0@imap.ecs.soton.ac.uk> Message-ID: <2te710133lecqfn4okd7fkvog3o56nsln8@4ax.com> On Sun, 25 Jan 2004 11:43:34 +0000, you wrote: >There haven't been any reports of it not working, so how about you give it >a try? I only had to tweak the startup a bit (running sendmail on SuSe). -- Peter Peters, senior network administrator Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Q.G.Campbell at NEWCASTLE.AC.UK Sun Jan 25 13:55:50 2004 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked Message-ID: <74BC2BBF06470148911E64E2B48FE13964D216@pinewood.ncl.ac.uk> The following is a full list of Level 1 file types blocked by Outlook 2003 and OWA 2003. You may wish to use this to supplement (or annotate) the list Julian provides in the "filename.rules.conf" file.
Level 1 file types blocked by Outlook 2003 File extension File type .ade Microsoft Access project extension .adp Microsoft Access project .app Microsoft FoxPro-generated application .bas Microsoft Visual Basic(r) class module .bat Batch file .chm Compiled HTML Help file .cmd Microsoft Windows NT(r) command script .com Microsoft MS-DOS(r) program .cpl Control Panel extension .crt Security certificate .csh Unix shell script .exe Executable file or program .fxp Microsoft FoxPro(r) file .hlp Help file .hta HTML program .inf Setup information .ins Internet naming service .isp Internet communication settings .js Jscript(r) file .jse Jscript-encoded script file .ksh Unix shell script .lnk Shortcut .mda Microsoft Access add-in program .mdb Microsoft Access program .mde Microsoft Access MDE database .mdt Microsoft Access file .mdw Microsoft Access file .mdz Microsoft Access wizard program .msc Microsoft Common Console document .msi Windows Installer package .msp Windows Installer patch .mst Visual Test source files .ops FoxPro file .pcd Photo CD image or Microsoft Visual Test compiled script .pif Shortcut to MS-DOS program .prf Microsoft Outlook Profile Settings .prg FoxPro program source file .reg Registration entries .scf Windows Explorer Command file .scr Screen saver .sct Windows(r) script component .shb Shortcut into a document .shs Shell scrap object .url Internet shortcut .vb VBScript file .vbe VBScript-encoded script file .vbs VBScript file .wsc Windows script component .wsf Windows script file .wsh Windows script host settings file .xsl XML file that can contain script The above list was taken from Microsoft web pages by one of our Exchange specialists. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." 
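Added example (not part of any message in this thread and not MailScanner's own code): a Python script for the comparison suggested in the message above, reporting which of the listed Level 1 extensions an existing filename.rules.conf already matches and emitting commented-out candidate rules for the rest. It assumes the tab-separated layout action, regular expression, log text, user report text, with the first matching rule winning and case-insensitive matching; the sample rules and the log/report wording are constructed.

```python
import re

# Extensions from the Level 1 list in the message above.
LEVEL1_EXTENSIONS = (
    "ade adp app bas bat chm cmd com cpl crt csh exe fxp hlp hta inf ins isp "
    "js jse ksh lnk mda mdb mde mdt mdw mdz msc msi msp mst ops pcd pif prf "
    "prg reg scf scr sct shb shs url vb vbe vbs wsc wsf wsh xsl"
).split()

# Constructed sample rules, NOT the distributed filename.rules.conf.
# Assumed layout: action <TAB> regexp <TAB> log text <TAB> user report text.
SAMPLE_RULES = "\n".join([
    "# constructed sample rules",
    "\t".join(["deny", r"\.com$", "DOS executable", "DOS programs are blocked"]),
    "\t".join(["deny", r"\.exe$", "Windows executable", "Executables are blocked"]),
    "\t".join(["deny", r"\.(vb[es]|js)$", "Script file", "Scripts are blocked"]),
    # Character class quoted later in this thread for Access shortcuts.
    "\t".join(["deny", r"\.ma[dfgmqrstvw]$", "Access shortcut", "Shortcuts are blocked"]),
    # Deliberately broken regexp (unbalanced parenthesis) to show reporting.
    "\t".join(["deny", r"\.(pif$", "broken rule", "broken rule"]),
])


def parse_rules(text):
    """Return (rules, skipped): rules as (action, compiled regexp) in file
    order, skipped as the line numbers that could not be used."""
    rules, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = re.split(r"\t+", stripped)
        action = fields[0].lower()
        if len(fields) < 2 or action not in ("allow", "deny"):
            skipped.append(lineno)
            continue
        try:
            # Assumption: rules are matched case-insensitively.
            rules.append((action, re.compile(fields[1], re.IGNORECASE)))
        except re.error:
            # Also reached for Perl-only syntax that Python's re rejects.
            skipped.append(lineno)
    return rules, skipped


def first_match(rules, filename):
    """Action of the first rule matching filename, or None if none match."""
    for action, pattern in rules:
        if pattern.search(filename):
            return action
    return None


def uncovered(rules, extensions=LEVEL1_EXTENSIONS):
    """Extensions for which no rule (allow or deny) matches 'sample.<ext>'."""
    return [ext for ext in extensions
            if first_match(rules, "sample." + ext) is None]


def candidate_rules(extensions):
    """Commented-out deny lines, so nothing new is blocked until reviewed."""
    lines = []
    for ext in extensions:
        lines.append("#" + "\t".join([
            "deny",
            r"\." + re.escape(ext) + "$",
            "Outlook 2003 Level 1 type (." + ext + ")",
            "Attachments of type ." + ext + " are blocked by Outlook 2003",
        ]))
    return lines


if __name__ == "__main__":
    rules, skipped = parse_rules(SAMPLE_RULES)
    if skipped:
        print("unusable rule lines:", skipped)
    missing = uncovered(rules)
    print(len(missing), "of", len(LEVEL1_EXTENSIONS), "extensions not matched")
    print("\n".join(candidate_rules(missing)))
```

Because the generated lines start with `#`, appending them to a rules file changes nothing until an operator uncomments the ones the site actually wants blocked.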
From mailscanner at ecs.soton.ac.uk Sun Jan 25 14:33:20 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964D216@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964D216@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> Would people like me to add all of these to my supplied filename.rules.conf? I don't really agree with all of them. For example, running a .inf file just shows it to you, it doesn't "run" it. And why is a .crt dangerous? At 13:55 25/01/2004, you wrote: >The following is a full list of Level 1 file types blocked by Outlook >2003 and OWA 2003. You may wish to use this to supplement (or annotate) >the list Julian provides in the "filename.rules.conf" file. > >Level 1 file types blocked by Outlook 2003 > >File extension File type >.ade Microsoft Access project extension >.adp Microsoft Access project >.app Microsoft FoxPro-generated application >.bas Microsoft Visual Basic(r) class module >.bat Batch file >.chm Compiled HTML Help file >.cmd Microsoft Windows NT(r) command script >.com Microsoft MS-DOS(r) program >.cpl Control Panel extension >.crt Security certificate >.csh Unix shell script >.exe Executable file or program >.fxp Microsoft FoxPro(r) file >.hlp Help file >.hta HTML program >.inf Setup information >.ins Internet naming service >.isp Internet communication settings >.js Jscript(r) file >.jse Jscript-encoded script file >.ksh Unix shell script >.lnk Shortcut >.mda Microsoft Access add-in program >.mdb Microsoft Access program >.mde Microsoft Access MDE database >.mdt Microsoft Access file >.mdw Microsoft Access file >.mdz Microsoft Access wizard program >.msc Microsoft Common Console document >.msi Windows Installer package >.msp Windows Installer patch >.mst Visual Test source files >.ops FoxPro file >.pcd Photo CD image or Microsoft Visual Test compiled 
script >.pif Shortcut to MS-DOS program >.prf Microsoft Outlook Profile Settings >.prg FoxPro program source file >.reg Registration entries >.scf Windows Explorer Command file >.scr Screen saver >.sct Windows(r) script component >.shb Shortcut into a document >.shs Shell scrap object >.url Internet shortcut >.vb VBScript file >.vbe VBScript-encoded script file >.vbs VBScript file >.wsc Windows script component >.wsf Windows script file >.wsh Windows script host settings file >.xsl XML file that can contain script > >The above list was taken from Microsoft web pages by one of our Exchange >specialists. > >Quentin >--- >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > University of Newcastle, > Newcastle upon Tyne, >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 14:36:49 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> Message-ID: Julian If you add them could you please comment them out, as we would have serious problems if these were all blocked by default. Michele Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. 
+ 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 25 January 2004 14:33 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > Would people like me to add all of these to my supplied > filename.rules.conf? I don't really agree with all of them. For example, > running a .inf file just shows it to you, it doesn't "run" it. > > And why is a .crt dangerous? > > At 13:55 25/01/2004, you wrote: > >The following is a full list of Level 1 file types blocked by Outlook > >2003 and OWA 2003. You may wish to use this to supplement (or annotate) > >the list Julian provides in the "filename.rules.conf" file. > > > >Level 1 file types blocked by Outlook 2003 > > > >File extension File type > >.ade Microsoft Access project extension > >.adp Microsoft Access project > >.app Microsoft FoxPro-generated application > >.bas Microsoft Visual Basic(r) class module > >.bat Batch file > >.chm Compiled HTML Help file > >.cmd Microsoft Windows NT(r) command script > >.com Microsoft MS-DOS(r) program > >.cpl Control Panel extension > >.crt Security certificate > >.csh Unix shell script > >.exe Executable file or program > >.fxp Microsoft FoxPro(r) file > >.hlp Help file > >.hta HTML program > >.inf Setup information > >.ins Internet naming service > >.isp Internet communication settings > >.js Jscript(r) file > >.jse Jscript-encoded script file > >.ksh Unix shell script > >.lnk Shortcut > >.mda Microsoft Access add-in program > >.mdb Microsoft Access program > >.mde Microsoft Access MDE database > >.mdt Microsoft Access file > >.mdw Microsoft Access file > >.mdz Microsoft Access wizard program > >.msc Microsoft Common Console document > >.msi Windows Installer package > >.msp Windows Installer patch > >.mst Visual Test source files > >.ops FoxPro file > >.pcd Photo CD image or Microsoft Visual Test compiled script > >.pif 
Shortcut to MS-DOS program > >.prf Microsoft Outlook Profile Settings > >.prg FoxPro program source file > >.reg Registration entries > >.scf Windows Explorer Command file > >.scr Screen saver > >.sct Windows(r) script component > >.shb Shortcut into a document > >.shs Shell scrap object > >.url Internet shortcut > >.vb VBScript file > >.vbe VBScript-encoded script file > >.vbs VBScript file > >.wsc Windows script component > >.wsf Windows script file > >.wsh Windows script host settings file > >.xsl XML file that can contain script > > > >The above list was taken from Microsoft web pages by one of our Exchange > >specialists. > > > >Quentin > >--- > >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > > University of Newcastle, > > Newcastle upon Tyne, > >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > >------------------------------------------------------------------------ > >"Any opinion expressed above is mine. The University can get its own." > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dh at UPTIME.AT Sun Jan 25 14:38:29 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964D216@pinewood.ncl.ac.uk> <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> Message-ID: <4013D4E5.6020202@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Julian Field wrote: > Would people like me to add all of these to my supplied > filename.rules.conf? I don't really agree with all of them. For example, > running a .inf file just shows it to you, it doesn't "run" it. > > And why is a .crt dangerous? > >> .csh Unix shell script Why is a C-Shell, shell script dangerous on a machine running 2003? 
I thought a) There is no default connection to open this kind of file b) it would simply be shown in a notepad? Not to mention that C-Shell shell scripts are not standard sh based shell scripts and most do not even execute properly without a C Shell - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAE9TpPMoaMn4kKR4RA/3wAJkB580wIXGFP4F3elQglWPlah5ZqQCgg7f9 FA2tu7CQ51IEbxMcrFitJq8= =orRv -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Sun Jan 25 14:43:03 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <4013D4E5.6020202@uptime.at> References: <74BC2BBF06470148911E64E2B48FE13964D216@pinewood.ncl.ac.uk> <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> <4013D4E5.6020202@uptime.at> Message-ID: <6.0.1.1.2.20040125144230.03d70ec0@imap.ecs.soton.ac.uk> How about someone puts this list in the FAQ, and I leave the filename.rules.conf alone for now? At 14:38 25/01/2004, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Julian Field wrote: > >>Would people like me to add all of these to my supplied >>filename.rules.conf? I don't really agree with all of them. For example, >>running a .inf file just shows it to you, it doesn't "run" it. >> >>And why is a .crt dangerous? > > >>>.csh Unix shell script >Why is a C-Shell, shell script dangerous on a machine running 2003? I >thought a) There is no default connection to open this kind of file >b) it would simply be shown in a notepad? 
> >Not to mention that C-Shell shell scripts are not standard sh based >shell scripts and most do not even execute properly without a C Shell > >- -d > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.3 (Darwin) > >iD8DBQFAE9TpPMoaMn4kKR4RA/3wAJkB580wIXGFP4F3elQglWPlah5ZqQCgg7f9 >FA2tu7CQ51IEbxMcrFitJq8= >=orRv >-----END PGP SIGNATURE----- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 14:50:27 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125144230.03d70ec0@imap.ecs.soton.ac.uk> Message-ID: Sounds good to me :) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 25 January 2004 14:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > How about someone puts this list in the FAQ, and I leave the > filename.rules.conf alone for now? > > At 14:38 25/01/2004, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: RIPEMD160 > > > >Julian Field wrote: > > > >>Would people like me to add all of these to my supplied > >>filename.rules.conf? I don't really agree with all of them. For example, > >>running a .inf file just shows it to you, it doesn't "run" it. > >> > >>And why is a .crt dangerous? > > > > > >>>.csh Unix shell script > >Why is a C-Shell, shell script dangerous on a machine running 2003? I > >thought a) There is no default connection to open this kind of file > >b) it would simply be shown in a notepad? 
> > > >Not to mention that C-Shell shell scripts are not standard sh based > >shell scripts and most do not even execute properly without a C Shell > > > >- -d > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.2.3 (Darwin) > > > >iD8DBQFAE9TpPMoaMn4kKR4RA/3wAJkB580wIXGFP4F3elQglWPlah5ZqQCgg7f9 > >FA2tu7CQ51IEbxMcrFitJq8= > >=orRv > >-----END PGP SIGNATURE----- > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Sun Jan 25 14:59:59 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: References: <6.0.1.1.2.20040125144230.03d70ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040125145938.03d13ec0@imap.ecs.soton.ac.uk> At 14:50 25/01/2004, you wrote: >Sounds good to me :) > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 25 January 2004 14:43 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Outlook/OWA 2003 - file types blocked > > > > > > How about someone puts this list in the FAQ, and I leave the > > filename.rules.conf alone for now? Well volunteered! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 15:08:29 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125145938.03d13ec0@imap.ecs.soton.ac.uk> Message-ID: Done - though it looks almost illegible :( Mr. 
Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 25 January 2004 15:00 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > At 14:50 25/01/2004, you wrote: > >Sounds good to me :) > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: 25 January 2004 14:43 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Outlook/OWA 2003 - file types blocked > > > > > > > > > How about someone puts this list in the FAQ, and I leave the > > > filename.rules.conf alone for now? > > Well volunteered! > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mkipness at GENIANT.COM Sun Jan 25 15:11:53 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:02 2006 Subject: Manually test RBL? Message-ID: <399D85F2BB50BC4295F78EAE203D5C2206053D@dalsxc01.geniant.net> Hi, I've got two servers set with MailScanner and using the RBL spamcop.net. On one server spamcop works great and seems to tag more spam than any other RBL, but on the other server (in a different network/location), spamcop is not getting one hit and the logs show that it times out every time. This is a client's site and this server has a Pix firewall and ICMP turned off both ways. I don't think this makes a difference though. Is there any way from the command line to test connectivity with spamcop? Or does anybody have an idea why this might be happening? On the RBL line in SpamScanner, spamcop is listed as 'spamcop.net' on both servers.
Oh, and the problem server is working with spamhaus although it times out once in a while. Thanks, Max From robin at PRIMUS.CA Sun Jan 25 15:13:23 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: References: Message-ID: On Sun, 25 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > Done - though it looks almost illegible :( > what heading is it under. From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 15:17:28 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: Message-ID: http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=258 Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Robin M. > Sent: 25 January 2004 15:13 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > On Sun, 25 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > > > Done - though it looks almost illegible :( > > > what heading is it under. > From Q.G.Campbell at NEWCASTLE.AC.UK Sun Jan 25 15:17:54 2004 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked Message-ID: <74BC2BBF06470148911E64E2B48FE13964D217@pinewood.ncl.ac.uk> Julian et al I really provided the list of file types for info and to allow comparison against your default "filename.rules.info". It is the most definitive list I have been able to find of executable file types. Our Microsoft system specialists have asked me to include all in our version of the above file because they want to encourage people to zip executable files as a matter of practice. 
The versions of Outlook and OWA 2003 that they are rolling out here will block them by default as described in http://www.winnetmag.com/Article/ArticleID/41265/Windows_41265.html. After comparing this list with your list I am now unsure as to whether the M$ Access shortcuts should be md[abetwz] rather than ma[dfgmqrstvw] as in the distributed "filename.rules.info" file? Perhaps those who jumped in immediately and rejected including any of these can confirm (with some references to docs, if possible) which is the correct set? Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 25 January 2004 14:33 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Outlook/OWA 2003 - file types blocked > > >Would people like me to add all of these to my supplied >filename.rules.conf? I don't really agree with all of them. >For example, >running a .inf file just shows it to you, it doesn't "run" it. > >And why is a .crt dangerous? > >At 13:55 25/01/2004, you wrote: >>The following is a full list of Level 1 file types blocked by Outlook >>2003 and OWA 2003. You may wish to use this to supplement (or >annotate) >>the list Julian provides in the "filename.rules.conf" file. 
>> >>Level 1 file types blocked by Outlook 2003 >> >>File extension File type >>.ade Microsoft Access project extension >>.adp Microsoft Access project >>.app Microsoft FoxPro-generated application >>.bas Microsoft Visual Basic(r) class module >>.bat Batch file >>.chm Compiled HTML Help file >>.cmd Microsoft Windows NT(r) command script >>.com Microsoft MS-DOS(r) program >>.cpl Control Panel extension >>.crt Security certificate >>.csh Unix shell script >>.exe Executable file or program >>.fxp Microsoft FoxPro(r) file >>.hlp Help file >>.hta HTML program >>.inf Setup information >>.ins Internet naming service >>.isp Internet communication settings >>.js Jscript(r) file >>.jse Jscript-encoded script file >>.ksh Unix shell script >>.lnk Shortcut >>.mda Microsoft Access add-in program >>.mdb Microsoft Access program >>.mde Microsoft Access MDE database >>.mdt Microsoft Access file >>.mdw Microsoft Access file >>.mdz Microsoft Access wizard program >>.msc Microsoft Common Console document >>.msi Windows Installer package >>.msp Windows Installer patch >>.mst Visual Test source files >>.ops FoxPro file >>.pcd Photo CD image or Microsoft Visual Test compiled script >>.pif Shortcut to MS-DOS program >>.prf Microsoft Outlook Profile Settings >>.prg FoxPro program source file >>.reg Registration entries >>.scf Windows Explorer Command file >>.scr Screen saver >>.sct Windows(r) script component >>.shb Shortcut into a document >>.shs Shell scrap object >>.url Internet shortcut >>.vb VBScript file >>.vbe VBScript-encoded script file >>.vbs VBScript file >>.wsc Windows script component >>.wsf Windows script file >>.wsh Windows script host settings file >>.xsl XML file that can contain script >> >>The above list was taken from Microsoft web pages by one of >our Exchange >>specialists. >> >>Quentin >>--- >>PHONE: +44 191 222 8209 Information Systems and Services (ISS), >> University of Newcastle, >> Newcastle upon Tyne, >>FAX: +44 191 222 8765 United Kingdom, NE1 7RU. 
>>-------------------------------------------------------------- >---------- >>"Any opinion expressed above is mine. The University can get its own." > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Sun Jan 25 15:25:04 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964D217@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964D217@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20040125152354.03ad5368@imap.ecs.soton.ac.uk> The previous list came from Microsoft as well. So I suspect that some of their newer apps generate the new file extensions, but I see no reason as to why the old list is no longer dangerous. So I would include both of them in a tight setup. At 15:17 25/01/2004, you wrote: >Julian et al > >I really provided the list of file types for info and to allow >comparison against your default "filename.rules.info". It is the most >definitive list I have been able to find of executable file types. > >Our Microsoft system specialists have asked me to include all in our >version of the above file because they want to encourage people to zip >executable files as a matter of practice. > >The versions of Outlook and OWA 2003 that they are rolling out here will >block them by default as described in >http://www.winnetmag.com/Article/ArticleID/41265/Windows_41265.html. > >After comparing this list with your list I am now unsure as to whether >the M$ Access shortcuts should be > > md[abetwz] > >rather than > > ma[dfgmqrstvw] > >as in the distributed "filename.rules.info" file? 
> >Perhaps those who jumped in immediately and rejected including any of >these can confirm (with some references to docs, if possible) which is >the correct set? > >Quentin >--- >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > University of Newcastle, > Newcastle upon Tyne, >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." > > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 25 January 2004 14:33 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Outlook/OWA 2003 - file types blocked > > > > > >Would people like me to add all of these to my supplied > >filename.rules.conf? I don't really agree with all of them. > >For example, > >running a .inf file just shows it to you, it doesn't "run" it. > > > >And why is a .crt dangerous? > > > >At 13:55 25/01/2004, you wrote: > >>The following is a full list of Level 1 file types blocked by Outlook > >>2003 and OWA 2003. You may wish to use this to supplement (or > >annotate) > >>the list Julian provides in the "filename.rules.conf" file. 
> >> > >>Quentin > >>--- > >>PHONE: +44 191 222 8209 Information Systems and Services (ISS), > >> University of Newcastle, > >> Newcastle upon Tyne, > >>FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > >>-------------------------------------------------------------- > >---------- > >>"Any opinion expressed above is mine. The University can get its own." > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Jan 25 15:30:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:02 2006 Subject: Manually test RBL? In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2206053D@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C2206053D@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040125152607.03a3ce60@imap.ecs.soton.ac.uk> At 15:11 25/01/2004, you wrote: >Hi, > >I've got two severs set with MailScanner and using the RBL spamcop.net. >One one server spamcop works great and seems to tag more spam than any >other RBL, but on the other server (in a different network/location), >spamcop is not getting one hit and the logs show that it times out every >time. This is a client's site and this server has a Pix firewall and >ICMP turned off both ways. I don't think this makes a difference though. > >Is there anyway from the command line to test connectivity with spamcop? > >Or does anybody have an idea why this might be happening? > >On the RBL line in SpamScanner, SpamScanner? > spamcop is listed as 'spamcop.net' on >both servers. What about the dot on the end? It should be there, like it is for the other lists. 
Otherwise check the DNS setup on the rogue machine. The standard test is this:

[root@tinker etc]# dig 2.0.0.127.bl.spamcop.net any

; <<>> DiG 9.2.1 <<>> 2.0.0.127.bl.spamcop.net any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55945
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.bl.spamcop.net. IN ANY

;; ANSWER SECTION:
2.0.0.127.bl.spamcop.net. 2048 IN TXT "Blocked - see http://www.spamcop.net/bl.shtml?127.0.0.2"
2.0.0.127.bl.spamcop.net. 2048 IN A 127.0.0.2

;; AUTHORITY SECTION:
bl.spamcop.net. 69080 IN NS blns8.spamcop.net.
bl.spamcop.net. 69080 IN NS blns9.spamcop.net.
bl.spamcop.net. 69080 IN NS blns10.spamcop.net.
bl.spamcop.net. 69080 IN NS blns11.spamcop.net.
bl.spamcop.net. 69080 IN NS blns12.spamcop.net.
bl.spamcop.net. 69080 IN NS blns4.spamcop.net.
bl.spamcop.net. 69080 IN NS blns5.spamcop.net.
bl.spamcop.net. 69080 IN NS blns6.spamcop.net.

;; Query time: 167 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 25 15:28:32 2004
;; MSG SIZE rcvd: 289

> Oh, and the problem server is working with spamhaus
>although it times out once in a while.

dig 2.0.0.127.sbl-xbl.spamhaus.org. any

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 15:22:31 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:02 2006
Subject: Manually test RBL?
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2206053D@dalsxc01.geniant.net>
Message-ID:

Have you ensured that the firewall is allowing traffic for MS? You may need to ensure that some ports are open to allow this.

"You may need to open some ports on your firewall if you are using Razor2, Pyzor or DCC.
Assuming your firewall is more than a simple packet filter and tracks connection state you should only need to open outgoing ports as follows.

Razor2 tcp ports 2703 and 7
Pyzor udp port 24441
DCC udp port 6277

It's worth noting that unless you have this all set up before installing DCC its initial checks will fail and it won't bother trying again for several hours"
(from the FAQ)

Although the RBLs are a different idea completely they could be having issues with the PIX...

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Max Kipness
> Sent: 25 January 2004 15:12
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Manually test RBL?
>
>
> Hi,
>
> I've got two servers set with MailScanner and using the RBL spamcop.net.
> On one server spamcop works great and seems to tag more spam than any
> other RBL, but on the other server (in a different network/location),
> spamcop is not getting one hit and the logs show that it times out every
> time. This is a client's site and this server has a Pix firewall and
> ICMP turned off both ways. I don't think this makes a difference though.
>
> Is there any way from the command line to test connectivity with spamcop?
>
> Or does anybody have an idea why this might be happening?
>
> On the RBL line in SpamScanner, spamcop is listed as 'spamcop.net' on
> both servers. Oh, and the problem server is working with spamhaus
> although it times out once in a while.
> > Thanks, > Max > > From michele at BLACKNIGHTSOLUTIONS.COM Sun Jan 25 15:30:02 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125152354.03ad5368@imap.ecs.soton.ac.uk> Message-ID: I would agree, but if, like us, you are using MS in a hosting environment, you cannot afford to run it too tightly. If I was deploying MS for one company then I could be as strict as I liked, however, at present we are filtering mail for several hundred companies and individuals. Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 25 January 2004 15:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > The previous list came from Microsoft as well. So I suspect that some of > their newer apps generate the new file extensions, but I see no reason as > to why the old list is no longer dangerous. So I would include > both of them > in a tight setup. > > At 15:17 25/01/2004, you wrote: > >Julian et al > > > >I really provided the list of file types for info and to allow > >comparison against your default "filename.rules.info". It is the most > >definitive list I have been able to find of executable file types. > > > >Our Microsoft system specialists have asked me to include all in our > >version of the above file because they want to encourage people to zip > >executable files as a matter of practice. > > > >The versions of Outlook and OWA 2003 that they are rolling out here will > >block them by default as described in > >http://www.winnetmag.com/Article/ArticleID/41265/Windows_41265.html. 
> > > >After comparing this list with your list I am now unsure as to whether > >the M$ Access shortcuts should be > > > > md[abetwz] > > > >rather than > > > > ma[dfgmqrstvw] > > > >as in the distributed "filename.rules.info" file? > > > >Perhaps those who jumped in immediately and rejected including any of > >these can confirm (with some references to docs, if possible) which is > >the correct set? > > > >Quentin > >--- > >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > > University of Newcastle, > > Newcastle upon Tyne, > >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > >------------------------------------------------------------------------ > >"Any opinion expressed above is mine. The University can get its own." > > > > >-----Original Message----- > > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > >Sent: 25 January 2004 14:33 > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Outlook/OWA 2003 - file types blocked > > > > > > > > >Would people like me to add all of these to my supplied > > >filename.rules.conf? I don't really agree with all of them. > > >For example, > > >running a .inf file just shows it to you, it doesn't "run" it. > > > > > >And why is a .crt dangerous? > > > > > >At 13:55 25/01/2004, you wrote: > > >>The following is a full list of Level 1 file types blocked by Outlook > > >>2003 and OWA 2003. You may wish to use this to supplement (or > > >annotate) > > >>the list Julian provides in the "filename.rules.conf" file. 
> > >>The above list was taken from Microsoft web pages by one
of > > >our Exchange > > >>specialists. > > >> > > >>Quentin > > >>--- > > >>PHONE: +44 191 222 8209 Information Systems and Services (ISS), > > >> University of Newcastle, > > >> Newcastle upon Tyne, > > >>FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > > >>-------------------------------------------------------------- > > >---------- > > >>"Any opinion expressed above is mine. The University can get its own." > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From rcooper at DIMENSION-FLM.COM Sun Jan 25 15:56:58 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:02 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Sunday, January 25, 2004 9:33 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Outlook/OWA 2003 - file types blocked > > > Would people like me to add all of these to my supplied > filename.rules.conf? I don't really agree with all of > them. For example, > running a .inf file just shows it to you, it doesn't "run" it. > > And why is a .crt dangerous? The danger comes with the message content in some cases. The message may tell the user to extract a particular .inf and right click select install and.... 
There is actually an exploit using an .inf file, properly placed, that would allow anyone administrative access to a win200 box, there are several exploits having to do with proper placement of autorun.inf files, or .inf files with the autorun tag.

.crt files can take a given host out of the internet zone and into the trusted zone which, depending upon the certificate and local settings, can allow many bad things to happen. .crt files are assessed as medium risk and .inf files are assessed as high risk with known dangerous exploits.

I generally believe that if Microsoft says don't trust their OS with a particular file type I should take their word for it. Think about a compiled help file, now what kind of idiot would create code that could render a help potentially *very* dangerous?? (MS of course)

Rick

>
> At 13:55 25/01/2004, you wrote:
> >The following is a full list of Level 1 file types
> blocked by Outlook
> >2003 and OWA 2003. You may wish to use this to
> supplement (or annotate)
> >the list Julian provides in the "filename.rules.conf" file.
> >
> >Quentin
> >---
> >PHONE: +44 191 222 8209 Information Systems and
> Services (ISS),
> > University of Newcastle,
> > Newcastle upon Tyne,
> >FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
> >------------------------------------------------------
> ------------------
> >"Any opinion expressed above is mine. The University
> can get its own."
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947
> 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

From mkipness at GENIANT.COM Sun Jan 25 16:15:10 2004
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:22:02 2006
Subject: Manually test RBL?
Message-ID: <399D85F2BB50BC4295F78EAE203D5C2206053E@dalsxc01.geniant.net>

> >I've got two servers set with MailScanner and using the RBL
> spamcop.net.
> >On one server spamcop works great and seems to tag more
> spam than any
> >other RBL, but on the other server (in a different
> network/location),
> >spamcop is not getting one hit and the logs show that it times out
> >every time. This is a client's site and this server has a
> Pix firewall
> >and ICMP turned off both ways. I don't think this makes a
> difference though.
> >
> >Is there any way from the command line to test connectivity
> with spamcop?
> >
> >Or does anybody have an idea why this might be happening?
> >
> >On the RBL line in SpamScanner,
>
> SpamScanner?

Oops, meant MailScanner.

>
> > spamcop is listed as 'spamcop.net' on both servers.
>
> What about the dot on the end? It should be there, like it is
> for the other lists. Otherwise check the DNS setup on the
> rogue machine. The standard test is this:

Here is the exact line on both servers. They both do not have the dot at the end, but the one that is working catches about 1000 via spamcop every day.
Should I add the dot at the end anyway? And should I use bl.spamcop.net. instead of just spamcop.net that I'm using now?

Spam List = ORDB-RBL spamhaus.org spamcop.net list.dsbl.org cbl.abuseat.org opm.blitzed.org

Concerning the good server, I get basically the same results that you had listed. However, with the server that is having problems I get the following for the spamcop test:

[root@pavescan MailScanner]# dig 2.0.0.127.bl.spamcop.net. any

; <<>> DiG 9.2.1 <<>> 2.0.0.127.bl.spamcop.net. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15561
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.bl.spamcop.net. IN ANY

;; AUTHORITY SECTION:
bl.spamcop.net. 86400 IN SOA loopback. root.loopback. 1 3600 600 3600000 86400

;; Query time: 23 msec
;; SERVER: 10.254.71.10#53(10.254.71.10)
;; WHEN: Sun Jan 25 10:13:06 2004
;; MSG SIZE rcvd: 105

Any suggestions? Do you know why it is listing loopback.

Thanks,
Max

From mailscanner at ecs.soton.ac.uk Sun Jan 25 16:33:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:02 2006
Subject: Manually test RBL?
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2206053E@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C2206053E@dalsxc01.geniant.net>
Message-ID: <6.0.1.1.2.20040125162808.03be6f90@imap.ecs.soton.ac.uk>

At 16:15 25/01/2004, you wrote:
> > >I've got two servers set with MailScanner and using the RBL
> > spamcop.net.
> > >On one server spamcop works great and seems to tag more
> > spam than any
> > >other RBL, but on the other server (in a different
> > network/location),
> > >spamcop is not getting one hit and the logs show that it times out
> > >every time. This is a client's site and this server has a
> > Pix firewall
> > >and ICMP turned off both ways. I don't think this makes a
> > difference though.
> > >
> > >Is there any way from the command line to test connectivity
> > with spamcop?
> > >
> > >Or does anybody have an idea why this might be happening?
> > >
> > >On the RBL line in SpamScanner,
> >
> > SpamScanner?
>
>Oops, meant MailScanner.
>
> >
> > > spamcop is listed as 'spamcop.net' on both servers.
> >
> > What about the dot on the end? It should be there, like it is
> > for the other lists. Otherwise check the DNS setup on the
> > rogue machine. The standard test is this:
>
>Here is the exact line on both servers. They both do not have the dot at
>the end, but the one that is working catches about 1000 via spamcop every
>day. Should I add the dot at the end anyway?

In MailScanner.conf, you should list the RBLs in exactly the way they are defined in spam.lists.conf. The 2nd field in the lines in spam.lists.conf should have the "." on the end.

>And should I use
>bl.spamcop.net. instead of just spamcop.net that I'm using now?

Use the list name defined in spam.lists.conf.

>Spam List = ORDB-RBL spamhaus.org spamcop.net list.dsbl.org
>cbl.abuseat.org opm.blitzed.org

You can optimise this by defining

SBL+XBL sbl-xbl.spamhaus.org.

in spam.lists.conf and then use "SBL+XBL" in MailScanner.conf instead of spamhaus.org and cbl.abuseat.org. One less DNS lookup per message, worth doing.

>Concerning the good server, I get basically the same results that you
>had listed. However, with the server that is having problems I get the
>following for the spamcop test:
>
>[root@pavescan MailScanner]# dig 2.0.0.127.bl.spamcop.net. any
>
>; <<>> DiG 9.2.1 <<>> 2.0.0.127.bl.spamcop.net. any
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15561
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;2.0.0.127.bl.spamcop.net. IN ANY
>
>;; AUTHORITY SECTION:
>bl.spamcop.net. 86400 IN SOA loopback. root.loopback.
>1 3600 600 3600000 86400
>
>;; Query time: 23 msec
>;; SERVER: 10.254.71.10#53(10.254.71.10)
>;; WHEN: Sun Jan 25 10:13:06 2004
>;; MSG SIZE rcvd: 105
>
>
>Any suggestions? Do you know why it is listing loopback.

Check the /etc/resolv.conf between the 2 machines. Obviously the 2 machines should produce the same result for the same query.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From peter at UCGBOOK.COM Sun Jan 25 16:45:20 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:02 2006
Subject: Manually test RBL?
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C2206053E@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C2206053E@dalsxc01.geniant.net>
Message-ID: <4013F2A0.2030708@ucgbook.com>

Max Kipness wrote:
> Concerning the good server, I get basically the same results that you
> had listed. However, with the server that is having problems I get the
> following for the spamcop test:
>
> [root@pavescan MailScanner]# dig 2.0.0.127.bl.spamcop.net. any
>
> ; <<>> DiG 9.2.1 <<>> 2.0.0.127.bl.spamcop.net. any
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15561
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;2.0.0.127.bl.spamcop.net. IN ANY
>
> ;; AUTHORITY SECTION:
> bl.spamcop.net. 86400 IN SOA loopback. root.loopback.
> 1 3600 600 3600000 86400
>
> ;; Query time: 23 msec
> ;; SERVER: 10.254.71.10#53(10.254.71.10)
> ;; WHEN: Sun Jan 25 10:13:06 2004
> ;; MSG SIZE rcvd: 105
>
>
> Any suggestions? Do you know why it is listing loopback.

Look at line 4 of the output, non-existent domain. When you do a lookup from the good server, does it use the same server (3rd line from end)? Compare /etc/resolv.conf and /etc/nsswitch.conf between the two.
Also compare a normal lookup (dig www.ibm.com for example) for establishing a baseline. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From Leonard.Hermens at POTLATCHCORP.COM Sun Jan 25 18:09:35 2004 From: Leonard.Hermens at POTLATCHCORP.COM (Leonard Hermens) Date: Thu Jan 12 21:22:03 2006 Subject: Outlook/OWA 2003 - file types blocked In-Reply-To: References: <6.0.1.1.2.20040125143122.03dcdec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040125100559.02e1cec0@email.potlatchcorp.com> Here is the Microsoft support reference to the Level 1 files blocked in Outlook 2003, however they provide no more detail on why each is "unsafe": http://support.microsoft.com/default.aspx?scid=kb;en-us;829982 From martyn at invictawiz.com Sun Jan 25 20:22:05 2004 From: martyn at invictawiz.com (InvictaWiz Customer Support) Date: Thu Jan 12 21:22:03 2006 Subject: MS punishes my own modem pool In-Reply-To: Message-ID: Perhaps someone can help with a variation of this question for me? We have users that dial in from other ISPs. We use SMTP AUTH to ok them for Sendmail relay purposes. However, if I check against a DUL, they all get blocked even though they are providing AUTH details. Any ideas please? I daren't start whitelisting IP addresses as they are all dynamic Martyn Routley -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Daniel Kleinsinger Sent: 22 January 2004 22:25 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS punishes my own modem pool > >In your spam rules.. Whitelist your From your domain >True. Better than my idea. Also check for the filename/filetype settings, your users may get pissed >off if you filter the .exe. Actually, I think that whitelisting the IPs would be better than whitelisting the domain because it's a common spammer tactic to send from user@mydomain.com. 
Within MailScanner complete whitelisting is the only option. However, the SpamAssassin blacklist checks are much more configurable. If you're interested in spam checking mail from your dialup users you could use SA's blacklist checks and make use of the trusted_networks config option in SpamAssassin. That would still run the pattern matching type rules on local dialup email, but disable network checks. http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html Daniel > > Julian, > > > > Here's a puzzle... Our modem pool (137.146.110.0/24) is listed on > > dnsbl.sorbs.net, CBL, t1.bl.reynolds.net.au. Ok, good. But if I > > use "Spam List = SORBS-DNSBL" in MS, then all of my modem users get > > their outbound email tagged with {Spam?} in the subject line, which > > really annoys my users and makes me look like an idiot -- even if > > they are doing the right thing and sending their email thru our > > mail-hub. How to prevent this, yet still use SORBS, CBL, etc? > > > > Jeff Earickson > > Colby College > > ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From kevin at KEVINSPICER.CO.UK Sun Jan 25 20:38:52 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:03 2006 Subject: MS punishes my own modem pool In-Reply-To: References: Message-ID: <1075063132.8621.14.camel@bach.kevinspicer.co.uk> On Sun, 2004-01-25 at 20:22, InvictaWiz Customer Support wrote: > Perhaps someone can help with a variation of this question for me? > > We have users that dial in from other ISPs. We use SMTP AUTH to ok them for Sendmail relay purposes. > However, if I check against a DUL, they all get blocked even though they are providing AUTH details. > Any ideas please? 
> I daren't start whitelisting IP addresses as they are all dynamic

Where are you using the DUL? in sendmail, in MailScanner or in
SpamAssassin? If you do them in sendmail then I believe you can add this
line to your sendmail.mc...

FEATURE(delay_checks)dnl

and rebuild your sendmail.cf file.

For those that are interested here is the relevant extract from the
sendmail docs...

By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
will not be called when a client connects or issues a MAIL command,
respectively. Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped if a sender has been authenticated using a
"trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH().
If check_mail returns an error then the RCPT TO command will be rejected
with that error. If it returns some other result starting with $# then
check_relay will be skipped. If the sender address (or a part of it) is
listed in the access map and it has a RHS of OK or RELAY, then check_relay
will be skipped. This has an interesting side effect: if your domain is
my.domain and you have

my.domain RELAY

in the access map, then all e-mail with a sender address of gets through,
even if check_relay would reject it (e.g., based on the hostname or IP
address). This allows spammers to get around DNS based blacklist by faking
the sender address. To avoid this problem you have to use tagged entries:

To:my.domain RELAY
Connect:my.domain RELAY

if you need those entries at all (class {R} may take care of them).

[There is more, but I stopped reading at this point!]

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040125/38ae839d/attachment.bin From ryan.finnesey at CORPDSG.COM Sun Jan 25 21:07:05 2004 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:22:03 2006 Subject: SuSe? Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407C157@dc012.corpdsg.com> I will give it a try today. Ryan > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Sunday, January 25, 2004 6:44 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SuSe? > > There haven't been any reports of it not working, so how > about you give it a try? > > At 06:53 25/01/2004, you wrote: > >I was going to install it on 9.0 > > > >Ryan > > > > > > > -----Original Message----- > > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Keeling > > > Sent: Saturday, January 24, 2004 5:29 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: SuSe? > > > > > > ----- Original Message ----- > > > >From: Ryan Finnesey > > > >To: MAILSCANNER@JISCMAIL.AC.UK > > > >Sent: Saturday, January 24, 2004 5:03 AM > > > >Subject: SuSe? > > > > > > > > > > > >Is anyone running Mail Scanner on SuSe? > > > > > > Which version of SuSE? We have it running with postfix on > both SuSE > > > 8.1 & 8.2. 
> > > > > > Rob Keeling > > > Network Manager > > > Queen Elizabeth`s Grammar School > > > > > > > > > > > > > > > > > > >Ryan Finnesey > > > >Diversified Solutions Group > > > >119 West 72 Street > > > >New York NY 10023 > > > >: ryan.finnesey@corpdsg.com > > > >( 212-920-0000 > > > >2 212-920-0001 > > > > > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support PGP > footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From mkipness at GENIANT.COM Sun Jan 25 21:33:58 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:03 2006 Subject: Manually test RBL? Message-ID: <399D85F2BB50BC4295F78EAE203D5C2206053F@dalsxc01.geniant.net> > Look at line 4 of the output, non-existent domain. When you > do a lookup from the good server, does it use the same server > (3rd line from end)? > Compare /etc/resolv.conf and /etc/nsswitch.conf between the > two. Also compare a normal lookup (dig www.ibm.com for > example) for establishing a baseline. Thanks to you and Julian. I figured out that even though the primary DNS (ISP) in resolve.conf was valid, it must not be functioning. Once this was changed, spamcop started working. Thanks again. Max From chris at FRACTALWEB.COM Mon Jan 26 06:37:45 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:03 2006 Subject: list of email vulnerabilities Message-ID: <4014B5B9.6070503@fractalweb.com> Hi everyone, Is there a list anywhere of all the existing email vulnerabilities in popular email clients? Specifically, (I guess) Outlook, Outlook Express, Mozilla Mail, etc? I'd really like to know what percentage of "bad things" we're protecting our users from. Cheers, Chris From dh at UPTIME.AT Mon Jan 26 08:25:56 2004 From: dh at UPTIME.AT (=?ISO-8859-15?Q?David_H=F6hn?=) Date: Thu Jan 12 21:22:03 2006 Subject: Will MailScanner recognize Split sendmail queues? 
(split into xf/cf/df directories)
Message-ID: <4014CF14.1000203@uptime.at>

Hello.

I was just wondering if Mailscanner would recognise the following setup

/var/spool/mqueue.in/df
/var/spool/mqueue.in/cf
/var/spool/mqueue.in/xf -> which is a symlink to a tmpf mounted dir

/var/spool/mqueue/df
/var/spool/mqueue/cf
/var/spool/mqueue/xf -> which is a symlink to the same tmpf mounted dir

The idea behind this is, that sendmail will start writing the appropriate
files to those sub-directories. Since xf files contain information
relevant on to the creator process they can be stored in a memory based
file system.

Thanks for any tips

-d

--
nee amata wo mitsukete soshite midoto wasrezu
~ domma mi mumega itakutemo soba mi iru mo
~ zutto...zutto...zutto

From p.bos at LAKE.XS4ALL.NL Mon Jan 26 08:33:08 2004
From: p.bos at LAKE.XS4ALL.NL (Piet Bos)
Date: Thu Jan 12 21:22:03 2006
Subject: many spamassassin timeouts
Message-ID: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl>

Experiencing many spamassassin timeouts lately.
Is there a valid reason for that?
I'm using version 4.26-1 starting
my settings in MailScanner.conf are:
SpamAssassin Timeout = 40
Max SpamAssassin Timeouts = 50

Any suggestions?
brgds Piet

From mailscanner at ecs.soton.ac.uk Mon Jan 26 08:37:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:03 2006
Subject: Will MailScanner recognize Split sendmail queues? (split into xf/cf/df directories)
In-Reply-To: <4014CF14.1000203@uptime.at>
References: <4014CF14.1000203@uptime.at>
Message-ID: <6.0.1.1.2.20040126083657.0341ce90@imap.ecs.soton.ac.uk>

At 08:25 26/01/2004, you wrote:
>Hello.
>
>I was just wondering if Mailscanner would recognise the following setup
>
>/var/spool/mqueue.in/df
>/var/spool/mqueue.in/cf
>/var/spool/mqueue.in/xf -> which is a symlink to a tmpf mounted dir
>
>/var/spool/mqueue/df
>/var/spool/mqueue/cf
>/var/spool/mqueue/xf -> which is a symlink to the same tmpf mounted dir

No, sorry. However, if you have a structure like
/var/spool/mqueue.in/q1
/var/spool/mqueue.in/q2
/var/spool/mqueue.in/q3
/var/spool/mqueue.in/q4
then MailScanner can support that. Just put a wildcard "*" in to the
definition of the incoming queue directory.

>The idea behind this is, that sendmail will start writing the appropriate
>files to those sub-directories. Since xf files contain information
>relevant on to the creator process they can be stored in a memory based
>file system.
>
>Thanks for any tips
>
>-d
>
>--
>nee amata wo mitsukete soshite midoto wasrezu
>~ domma mi mumega itakutemo soba mi iru mo
>~ zutto...zutto...zutto

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Jan 26 08:39:38 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:03 2006
Subject: many spamassassin timeouts
In-Reply-To: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl>
References: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl>
Message-ID: <6.0.1.1.2.20040126083915.03c630a0@imap.ecs.soton.ac.uk>

Run with Debug = yes and Debug SpamAssassin = yes, and see where the
slow-down is.

At 08:33 26/01/2004, you wrote:
>Experiencing many spamassassin timeouts lately.
>Is there a valid reason for that?
>I'm using version 4.26-1 starting
>my settings in MailScanner.conf are:
>SpamAssassin Timeout = 40
>Max SpamAssassin Timeouts = 50
>
>Any suggestions?
>brgds Piet

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Mon Jan 26 08:55:56 2004
From: dh at UPTIME.AT (=?ISO-8859-1?Q?David_H=F6hn?=)
Date: Thu Jan 12 21:22:03 2006
Subject: Will MailScanner recognize Split sendmail queues? (split into xf/cf/df directories)
In-Reply-To: <6.0.1.1.2.20040126083657.0341ce90@imap.ecs.soton.ac.uk>
References: <4014CF14.1000203@uptime.at> <6.0.1.1.2.20040126083657.0341ce90@imap.ecs.soton.ac.uk>
Message-ID: <4014D61C.6050804@uptime.at>

Julian Field wrote:
|
|
|> No, sorry. However, if you have a structure like

Ah, bummer. Do you think this could be supported for future versions?
Initial testing on a system does show that when you have a large amount
of Mail passing through the XF files on a memory filesystem boost
performance by about 3-5%.

|> /var/spool/mqueue.in/q1
|> /var/spool/mqueue.in/q2
|> /var/spool/mqueue.in/q3
|> /var/spool/mqueue.in/q4
|> then MailScanner can support that. Just put a wildcard "*" in to the
|> definition of the incoming queue directory.

Yes, thank you. I noticed that from earlier postings to the list.
-d

--
nee amata wo mitsukete soshite midoto wasrezu
~ domma mi mumega itakutemo soba mi iru mo
~ zutto...zutto...zutto

From patricksteiner at bluewin.ch Mon Jan 26 10:12:20 2004
From: patricksteiner at bluewin.ch (Patrick Steiner)
Date: Thu Jan 12 21:22:03 2006
Subject: [Fwd: Bug#229735: Undeliverable bounces due to content are staying in the mqueue.in]
Message-ID: <4014E804.3000602@bluewin.ch>

Fwd. from Debian BTS

-------- Original Message --------
Subject: Bug#229735: Undeliverable bounces due to content are staying in the mqueue.in
Resent-Date: Mon, 26 Jan 2004 09:33:01 UTC
Resent-From: Chris Murton
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Matthias Klose
Date: Mon, 26 Jan 2004 09:23:30 -0000
From: Chris Murton
Reply-To: Chris Murton , 229735@bugs.debian.org
Organization: Areti Internet Ltd
To:

Package: mailscanner
Version: 4.25.14-2

After running Mailscanner against sendmail for a while, I noticed that the
messages that were being bounced because of their content and were
undeliverable ("Connection refused by host") were not being placed in the
mqueue, but were being held still in the mqueue.in, causing Mailscanner to
report 250 messages waiting in the queue (or similar), and probably
re-scanning the message every time it attempted to deliver the message.

Any thoughts? :)

I am running perl v5.8.2, on Linux 2.4.24 and using the unstable branch for
updates.

Thanks,
Chris.

--
Chris Murton
Mail: chris@areti.net, Tel: +44 (0)20-8315-5800
Areti Internet Ltd, http://www.areti.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040126/4afcf94b/attachment.html From p.bos at LAKE.XS4ALL.NL Mon Jan 26 11:01:44 2004 From: p.bos at LAKE.XS4ALL.NL (Piet Bos) Date: Thu Jan 12 21:22:03 2006 Subject: many spamassassin timeouts References: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126083915.03c630a0@imap.ecs.soton.ac.uk> Message-ID: <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> a part of the debug output. I find the 0 behind Net::DNS resolver unavailable rather curious do you agree? grtz Piet debug: running raw-body-text per-line regexp tests; score so far=4.3 debug: running uri tests; score so far=4.3 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=4.3 debug: Razor2 is not available debug: DCC is not available: dccproc not found debug: Razor1 is not available debug: Pyzor is not available: pyzor not found debug: is Net::DNS::Resolver unavailable? 0 debug: trying (3) gwdg.de... debug: looking up MX for 'gwdg.de' debug: MX for 'gwdg.de' exists? 1 debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 1 debug: running meta tests; score so far=5.3 ----- Original Message ----- From: "Julian Field" To: Sent: Monday, January 26, 2004 9:39 AM Subject: Re: many spamassassin timeouts > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > slow-down is. > > At 08:33 26/01/2004, you wrote: > >Experiencing many spamassassin timeouts lately. > >Is there a valid reason for that? > >I'm using version 4.26-1 starting > >my settings in MailScanner.conf are: > >SpamAssassin Timeout = 40 > >Max SpamAssassin Timeouts = 50 > > > >Any suggestions? 
> >brgds Piet
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gebhard at EPOST.DE Mon Jan 26 11:32:14 2004
From: gebhard at EPOST.DE (Holger Gebhard)
Date: Thu Jan 12 21:22:03 2006
Subject: Remove Bounce Option?
Message-ID:

Hi Julian, hi Group,

i don't think it's a good feature to remove the bounce option...

For Example a popular and often used Mail address, sales@company.com, or
vertrieb@company.de naturally receive many Spammails... With MailScanner
V4.26 the recipient must read thousands of "short text notification
messages" to see whether one Message is falsely trapped as Spam.

I think it's a better way to send a notification (Bounce) to the Sender
(I know that mostly all Spammers fake their Mail addresses). When the
Sender really want to send a Message to a protected Recipient, he will
send a reply to the Bounce Message (to Admin), or send a new one to the
Recipient.

In my Company there are many "Novice" Users... With the Bounce Option the
Users only sometimes ask me why a Message is being blocked. But when I use
the notify Recipient option, the Users will always ask me about every
Notification Message... "It could be an important message"

So please don't remove the Bounce Option!!!!

One another Question... Is it possible to add the "RBL-List Name" where
the Message was trapped to the Spamreport.

Thanks,
Holger

From Kevin.Spicer at BMRB.CO.UK Mon Jan 26 11:43:06 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:03 2006
Subject: Remove Bounce Option?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE7B@pascal.priv.bmrb.co.uk>

> In my Company there are many "Novice" Users...
> With the Bounce Option the Users only sometimes ask me why a Message
> is being blocked.
> But when I use the notify Recipient option, the Users will always
> ask me about every Notification Message...
"It could be an important > message" Then whitelist your internal mail servers, so that your outgoing mail is never marked as spam, and/or refine your rulesets and scores so that you don't get false positives. One useful tip that worked well for me - create SpamAssassin rules to apply negative scores where the name of your products are mentioned (great unless you happen to make viagra...) > > So please don?t remove the Bounce Option!!!! > On the contrary, removing the bounce option is the best thing ever. I've recently been the victim of some spammer using my email address as the 'sender' address - every day I have hundreds on bounces in my mailbox for mails I never sent. Anything that potentially reduces this is good in my book. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Jan 26 11:30:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: many spamassassin timeouts In-Reply-To: <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> References: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126083915.03c630a0@imap.ecs.soton.ac.uk> <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> Message-ID: <6.0.1.1.2.20040126112937.0362aa08@imap.ecs.soton.ac.uk> At 11:01 26/01/2004, you wrote: >a part of the debug output. >I find the 0 behind Net::DNS resolver unavailable rather curious >do you agree? Reinstall Net::DNS. 
It has loads of dependencies, so keep an eye on CPAN and don't let it upgrade your entire Perl installation. >grtz Piet > >debug: running raw-body-text per-line regexp tests; score so far=4.3 >debug: running uri tests; score so far=4.3 >debug: uri tests: Done uriRE >debug: running full-text regexp tests; score so far=4.3 >debug: Razor2 is not available >debug: DCC is not available: dccproc not found >debug: Razor1 is not available >debug: Pyzor is not available: pyzor not found >debug: is Net::DNS::Resolver unavailable? 0 >debug: trying (3) gwdg.de... >debug: looking up MX for 'gwdg.de' >debug: MX for 'gwdg.de' exists? 1 >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to >hardcode) >debug: is DNS available? 1 >debug: running meta tests; score so far=5.3 >----- Original Message ----- >From: "Julian Field" >To: >Sent: Monday, January 26, 2004 9:39 AM >Subject: Re: many spamassassin timeouts > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > slow-down is. > > > > At 08:33 26/01/2004, you wrote: > > >Experiencing many spamassassin timeouts lately. > > >Is there a valid reason for that? > > >I'm using version 4.26-1 starting > > >my settings in MailScanner.conf are: > > >SpamAssassin Timeout = 40 > > >Max SpamAssassin Timeouts = 50 > > > > > >Any suggestions? 
> > >brgds Piet > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From p.bos at LAKE.XS4ALL.NL Mon Jan 26 12:06:05 2004 From: p.bos at LAKE.XS4ALL.NL (Piet Bos) Date: Thu Jan 12 21:22:03 2006 Subject: many spamassassin timeouts References: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126083915.03c630a0@imap.ecs.soton.ac.uk> <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126112937.0362aa08@imap.ecs.soton.ac.uk> Message-ID: <012101c3e404$c64e53d0$a0ef15ab@ka.klm.nl> Huh huh didn't work! # perl -MCPAN -e shell cpan shell -- CPAN exploration and modules installation (v1.61) ReadLine support available (try 'install Bundle::CPAN') cpan> o conf prerequisites_policy ask prerequisites_policy ask cpan> install Net::DNS CPAN: Storable loaded ok Going to read /root/.cpan/Metadata Database was generated on Mon, 26 Jan 2004 01:48:31 GMT Net::DNS is up to date. cpan> Net::DNS seems to be uptodate? Any suggestion? I'm out of options. ----- Original Message ----- From: "Julian Field" To: Sent: Monday, January 26, 2004 12:30 PM Subject: Re: many spamassassin timeouts > At 11:01 26/01/2004, you wrote: > >a part of the debug output. > >I find the 0 behind Net::DNS resolver unavailable rather curious > >do you agree? > > Reinstall Net::DNS. It has loads of dependencies, so keep an eye on CPAN > and don't let it upgrade your entire Perl installation. 
> > > >grtz Piet > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > >debug: running uri tests; score so far=4.3 > >debug: uri tests: Done uriRE > >debug: running full-text regexp tests; score so far=4.3 > >debug: Razor2 is not available > >debug: DCC is not available: dccproc not found > >debug: Razor1 is not available > >debug: Pyzor is not available: pyzor not found > >debug: is Net::DNS::Resolver unavailable? 0 > >debug: trying (3) gwdg.de... > >debug: looking up MX for 'gwdg.de' > >debug: MX for 'gwdg.de' exists? 1 > >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to > >hardcode) > >debug: is DNS available? 1 > >debug: running meta tests; score so far=5.3 > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Monday, January 26, 2004 9:39 AM > >Subject: Re: many spamassassin timeouts > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > > slow-down is. > > > > > > At 08:33 26/01/2004, you wrote: > > > >Experiencing many spamassassin timeouts lately. > > > >Is there a valid reason for that? > > > >I'm using version 4.26-1 starting > > > >my settings in MailScanner.conf are: > > > >SpamAssassin Timeout = 40 > > > >Max SpamAssassin Timeouts = 50 > > > > > > > >Any suggestions? > > > >brgds Piet From dwinkler at ALGORITHMICS.COM Mon Jan 26 14:04:49 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:03 2006 Subject: ANNOUNCE: Unstable 4.26.5 released Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B158@tormail2.algorithmics.com> I do this already by reading the qf files directly, no need to read log files at all. Future enhancement may read the log file to get the score and tests to include on the report. Read the qf files on each mail relay, create a csv file in the web directory. Central server picks these up. Send an email to each of the users with the From, Subject and how many recipients and a link to send the email. 
Report only includes last 3 days of emails, last 60 days kept on server, this keeps the emails short but allows for someone going on a long vacation. Uses MD5 hashes of the qf files to prevent randomly grabbing emails, not perfect but at least I didn't have to set up yet another userid and password. No modifications needed to MailScanner. I like reading the qf files since I'm seeing what's actually there not what the log files say is there. Only took about a few days to create and setup. Digests of this type have been discussed on the list before. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ken Anderson Sent: Friday, January 23, 2004 6:26 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Unstable 4.26.5 released The script that processes the log would be entirely separate from MailScanner of course, like antivirus updates, generating whitelists etc. I think I'm just talking about a patch to the logging that MS already does to log recipient, subject and msg id for low scoring spam to support this. I'll post it for others if I get it working. I haven't looked at the code yet, so I'm not sure those things are even available in that part of the process. If anyone else has already done this, please chime in. Thanks, Ken Anderson Peter Bonivart wrote: > Ken Anderson wrote: > >> The notify function is probably not appropriate for this, but it got me >> thinking again that it would be nice to have a daily email sent to users >> who can scan a list of emails that MailScanner has quarantined. > > > In my humble opinion, MS is a real-time system. All kinds of summaries > are better done with other tools, like MailWatch for example. Shouldn't > be too hard to do your own script either, if you ask on the list someone > probably will share an already existing one. 
> > -- > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > > From john at TRADOC.FR Mon Jan 26 15:07:10 2004 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:03 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: <6.0.1.1.2.20040124152847.03ad7de8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040123170222.02518e40@xanadu.evi-inc.com> <6.0.1.1.2.20040124152847.03ad7de8@imap.ecs.soton.ac.uk> Message-ID: On Sat, 24 Jan 2004 15:33:48 +0000, Julian Field wrote: > If there are any requests which I haven't already responded to, or > extras/changes that you would like to see, please tell me now, not at the > end of the week :) One micro-buglet - The score reported when _SCORE_ is used in the [High Scoring] Spam Subject Text is never more than 60, no matter how high the actual spam score. John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From gebhard at EPOST.DE Mon Jan 26 15:11:27 2004 From: gebhard at EPOST.DE (Holger Gebhard) Date: Thu Jan 12 21:22:03 2006 Subject: Remove Bounce Option? Message-ID: >> In my Company there are many "Novice" Users... >> With the Bounce Option the Users only sometimes ask me why a Message >> is being blocked. >> But when I use the notify Reciptient option, the Users will always >> ask me about every Notification Message... "It could be an important >> message" > Then whitelist your internal mail servers, so that your outgoing mail is > never marked as spam, Already done... > and/or refine your rulesets and scores so that you > don't get false positives. You can never be shure that no Mail is falsely trapped as Spam (For example: erroneously listet on an RBL-List for only one day). 
> One useful tip that worked well for me -
> create SpamAssassin rules to apply negative scores where the name of your
> products are mentioned (great unless you happen to make viagra...)

Great Idea... I will keep in mind

>>
>> So please don't remove the Bounce Option!!!!
>>
> On the contrary, removing the bounce option is the best thing ever. I've
> recently been the victim of some spammer using my email address as
> the 'sender' address - every day I have hundreds of bounces in my mailbox
> for mails I never sent.

That's partly correct... The Spammers also search for mail addresses in
newsgroups, websites, etc. When you send a bounce message, send the bounce
with another mail address, not with your private... For example, create a
new mailbox and use bounce@company.com instead.

> Anything that potentially reduces this is good in my book.

But in future you, or your users will have much more "short text
notification messages" in the Mailbox instead of Bounce-Messages... To be
sure you have really NO false positives, all users must read all of this
messages! Because no sender is warned that his message is trapped as spam,
and maybe deleted... So the sender thinks the message would have arrived.
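
The manual check from the "Manually test RBL?" thread earlier in this archive, as an added example that is not part of any post: it builds the reversed-octet query name for the 127.0.0.2 test entry and reads the fields the replies point at (status, flags, SERVER) out of saved dig output. The function names, the verdict labels and the WORKING sample are assumptions made for the example; the FAILING sample is the output quoted in the thread.

```python
import ipaddress
import re

# dig output from the failing server as quoted in the thread, with the quote
# markers removed and the wrapped SOA record rejoined onto one line.
FAILING = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15561
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.bl.spamcop.net. IN ANY

;; AUTHORITY SECTION:
bl.spamcop.net. 86400 IN SOA loopback. root.loopback. 1 3600 600 3600000 86400

;; Query time: 23 msec
;; SERVER: 10.254.71.10#53(10.254.71.10)
"""

# Constructed sample of a working reply (not from the thread); the resolver
# address is a documentation-range placeholder.
WORKING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.bl.spamcop.net. IN A

;; ANSWER SECTION:
2.0.0.127.bl.spamcop.net. 2100 IN A 127.0.0.2

;; Query time: 31 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone, with the final dot."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def parse_dig(text):
    """Extract status, header flags, answering server, A answers and SOA mname."""
    info = {"status": None, "flags": [], "server": None,
            "answers": [], "soa_mname": None}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(";;"):
            m = re.search(r"status: (\w+)", line)
            if m:
                info["status"] = m.group(1)
            m = re.match(r";; flags: ([a-z ]+);", line)
            if m:
                info["flags"] = m.group(1).split()
            m = re.match(r";; SERVER: ([^#\s(]+)", line)
            if m:
                info["server"] = m.group(1)
            m = re.match(r";; (\w+) SECTION:", line)
            section = m.group(1) if m else None
            continue
        if line.startswith(";"):
            continue  # the echoed question
        fields = line.split()
        if len(fields) < 5:
            continue
        rtype, rdata = fields[3], fields[4:]
        if section == "ANSWER" and rtype == "A":
            info["answers"].append(rdata[0])
        elif section == "AUTHORITY" and rtype == "SOA":
            info["soa_mname"] = rdata[0]
    return info


def verdict(info):
    """Classify a reply to a lookup of the 127.0.0.2 test entry."""
    if info["status"] == "NOERROR" and any(
            ipaddress.IPv4Address(a).is_loopback for a in info["answers"]):
        return "listed"          # the list is reachable through this resolver
    if info["status"] == "NXDOMAIN" and "aa" in info["flags"]:
        # Heuristic: the resolver itself claims authority for the list zone,
        # so the answer came from its own zone data, not from the list.
        return "local-zone"
    if info["status"] == "NXDOMAIN":
        return "not-listed"
    return "no-usable-answer"


def compare(good_text, bad_text):
    """List the differences the replies in the thread say to look for."""
    good, bad = parse_dig(good_text), parse_dig(bad_text)
    findings = []
    if good["server"] != bad["server"]:
        findings.append("resolvers differ: %s vs %s"
                        % (good["server"], bad["server"]))
    if verdict(good) != verdict(bad):
        findings.append("results differ: %s vs %s"
                        % (verdict(good), verdict(bad)))
    if verdict(bad) == "local-zone":
        findings.append("%s answered authoritatively (aa) with SOA %s"
                        % (bad["server"], bad["soa_mname"]))
    return findings


if __name__ == "__main__":
    print("query:", dnsbl_query_name("127.0.0.2", "bl.spamcop.net"))
    for finding in compare(WORKING, FAILING):
        print(finding)
```
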
From mailscanner at ecs.soton.ac.uk Mon Jan 26 15:23:58 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: ANNOUNCE: Unstable 4.26.5 released In-Reply-To: References: <6.0.1.1.2.20040123122457.03d0fde8@imap.ecs.soton.ac.uk> <6.0.0.22.0.20040123170222.02518e40@xanadu.evi-inc.com> <6.0.1.1.2.20040124152847.03ad7de8@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040126152351.0775ece8@imap.ecs.soton.ac.uk> At 15:07 26/01/2004, you wrote: >On Sat, 24 Jan 2004 15:33:48 +0000, Julian Field wrote: > > If there are any requests which I haven't already responded to, or > > extras/changes that you would like to see, please tell me now, not at the > > end of the week :) > >One micro-buglet - The score reported when _SCORE_ is used in the >[High Scoring] Spam Subject Text is never more than 60, no matter how >high the actual spam score. Fixed. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jflowers at EZO.NET Mon Jan 26 16:02:42 2004 From: jflowers at EZO.NET (Jim Flowers) Date: Thu Jan 12 21:22:03 2006 Subject: Extreme Whitelisting Message-ID: <20040126155114.M37149@ezo.net> On some domains passing through my mailscanner gateway, I receive a request that no processing be done for a specific user and, additionally, would like to save cpu cycles. Right now I have to use rule files to disable spam scanning, virus scanning, and spam header to avoid the appearance as well as the fact of processing. Is there (could there be) a way to alert MailScanner to just move the messages for this user to the outbound queue and quit? -- Jim Flowers From gebhard at EPOST.DE Mon Jan 26 16:02:55 2004 From: gebhard at EPOST.DE (Holger Gebhard) Date: Thu Jan 12 21:22:03 2006 Subject: Remove Bounce Option? Compromise Message-ID: Hi Julian, Hi Group, What do you think about this... 
To reduce the bounce Messages is it possible to add a "silent Spam list"? You might have a List similar to Silent Virus List... With four features for example: SA+RBL -> If a Message is trapped by SpamAssassin and one or more RBL-Lists send no bounce message. RBL2+ -> If a Message is trapped by two or more RBL-Lists send no bounce message. (If the Message trapped only by one RBL-List send a bounce) SA8+ -> If a Message only trapped by SpamAssassin and the Score is over 8 Point send no bounce. (If the Score is less than 8 Points send a bounce) AllSpam -> Never send a Bounce Message Thanks Holger From campbell at CNPAPERS.COM Mon Jan 26 16:18:59 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:03 2006 Subject: Remove Bounce Option? References: Message-ID: <001f01c3e428$1aceefa0$cf01a8c0@cnpapers.net> I don't bounce to anyone. I have been on the receiving end of this and know first hand what it's like to get these emails-from-spammers flooding my network. But.... If the option is already there, tested and working, why not leave the option operational? Mr. Field has mentioned before that he does not want to step on the toes of others (i.e. Doing in MailScanner what SpamAssassin already does) and I found it a little surprising that the "Bounce" was removed. I feel that this is a case of MailScanner doing the job of responsible postmasters. There may be real reasons to bounce, and someone will request this feature to be renewed due to this reason, and it will just have to be re-inserted. So let's all be responsible, and not use it even if it is there, and let that be the end of the debate. We do have a choice to use it or not, you know! Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Holger Gebhard" To: Sent: Monday, January 26, 2004 6:32 AM Subject: Remove Bounce Option? Hi Julian, hi Group, I don't think it's a good feature to remove the bounce option... 
For Example a popular and often used mail address, sales@company.com, or vertrieb@company.de naturally receive many spam mails... With MailScanner V4.26 the recipient must read thousands of "short text notification messages" to see whether one Message is falsely trapped as Spam. I think it's a better way to send a notification (Bounce) to the Sender (I know that mostly all Spammers fake their mail addresses). When the Sender really wants to send a Message to a protected Recipient, he will send a reply to the Bounce Message (to Admin), or send a new one to the Recipient. In my Company there are many "Novice" Users... With the Bounce Option the Users only sometimes ask me why a Message is being blocked. But when I use the notify Recipient option, the Users will always ask me about every Notification Message... "It could be an important message" So please don't remove the Bounce Option!!!! One other Question... Is it possible to add the "RBL-List Name" where the Message was trapped to the Spamreport. Thanks, Holger From Denis.Beauchemin at USHERBROOKE.CA Mon Jan 26 16:27:40 2004 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:03 2006 Subject: many spamassassin timeouts In-Reply-To: <012101c3e404$c64e53d0$a0ef15ab@ka.klm.nl> References: <010101c3e3e7$06e187a0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126083915.03c630a0@imap.ecs.soton.ac.uk> <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040126112937.0362aa08@imap.ecs.soton.ac.uk> <012101c3e404$c64e53d0$a0ef15ab@ka.klm.nl> Message-ID: <1075134460.3542.154.camel@dbeauchemin.sti.usherbrooke.ca> On Mon 26/01/2004 at 07:06, Piet Bos wrote: > Huh huh didn't work! 
> > # perl -MCPAN -e shell > > cpan shell -- CPAN exploration and modules installation (v1.61) > ReadLine support available (try 'install Bundle::CPAN') > > cpan> o conf prerequisites_policy ask > prerequisites_policy ask > > cpan> install Net::DNS > CPAN: Storable loaded ok > Going to read /root/.cpan/Metadata > Database was generated on Mon, 26 Jan 2004 01:48:31 GMT > Net::DNS is up to date. You could try: force install Net::DNS It will reinstall it. Denis > > cpan> > > Net::DNS seems to be uptodate? > Any suggestion? > I'm out of options. > > > ----- Original Message ----- > From: "Julian Field" > To: > Sent: Monday, January 26, 2004 12:30 PM > Subject: Re: many spamassassin timeouts > > > > At 11:01 26/01/2004, you wrote: > > >a part of the debug output. > > >I find the 0 behind Net::DNS resolver unavailable rather curious > > >do you agree? > > > > Reinstall Net::DNS. It has loads of dependencies, so keep an eye on CPAN > > and don't let it upgrade your entire Perl installation. > > > > > > >grtz Piet > > > > > >debug: running raw-body-text per-line regexp tests; score so far=4.3 > > >debug: running uri tests; score so far=4.3 > > >debug: uri tests: Done uriRE > > >debug: running full-text regexp tests; score so far=4.3 > > >debug: Razor2 is not available > > >debug: DCC is not available: dccproc not found > > >debug: Razor1 is not available > > >debug: Pyzor is not available: pyzor not found > > >debug: is Net::DNS::Resolver unavailable? 0 > > >debug: trying (3) gwdg.de... > > >debug: looking up MX for 'gwdg.de' > > >debug: MX for 'gwdg.de' exists? 1 > > >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available > to > > >hardcode) > > >debug: is DNS available? 
1 > > >debug: running meta tests; score so far=5.3 > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Monday, January 26, 2004 9:39 AM > > >Subject: Re: many spamassassin timeouts > > > > > > > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > > > slow-down is. > > > > > > > > At 08:33 26/01/2004, you wrote: > > > > >Experiencing many spamassassin timeouts lately. > > > > >Is there a valid reason for that? > > > > >I'm using version 4.26-1 starting > > > > >my settings in MailScanner.conf are: > > > > >SpamAssassin Timeout = 40 > > > > >Max SpamAssassin Timeouts = 50 > > > > > > > > > >Any suggestions? > > > > >brgds Piet -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Mon Jan 26 16:22:00 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: Extreme Whitelisting In-Reply-To: <20040126155114.M37149@ezo.net> References: <20040126155114.M37149@ezo.net> Message-ID: <6.0.1.1.2.20040126162030.035eec48@imap.ecs.soton.ac.uk> At 16:02 26/01/2004, you wrote: >On some domains passing through my mailscanner gateway, I receive a request >that no processing be done for a specific user and, additionally, would like >to save cpu cycles. Right now I have to use rule files to disable spam >scanning, virus scanning, and spam header to avoid the appearance as well as >the fact of processing. > >Is there (could there be) a way to alert MailScanner to just move the >messages for this user to the outbound queue and quit? It will always add the X-MailScanner-Information: header (unless that is set to blank). The only processing left is all the stuff required to work out that you didn't want to scan it in the first place. If you are using sendmail or Exim then the overhead caused by adding the header is very small. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Jan 26 16:32:19 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: Remove Bounce Option? In-Reply-To: <001f01c3e428$1aceefa0$cf01a8c0@cnpapers.net> References: <001f01c3e428$1aceefa0$cf01a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040126162259.0362b130@imap.ecs.soton.ac.uk> Unfortunately there are a lot of sysadmins out there using the bounce feature without thinking about the consequences. They fail to see how much grief they cause the unsuspecting victims of this setting, and they don't see the amount of mail (much of it abusive) that I get on this subject. I am partially removing it so that I don't have to waste time and effort trying to explain to these users that there is a feature in there which people shouldn't use. I am fed up with the tirade of abusive email I get, and I will take whatever steps I deem necessary to reduce that. I am sure that 0.1% of people could argue a case as to exactly why they need it, and why the same thing cannot be achieved in some other way, but the other 99.9% will be perfectly happy with its removal. As an alternative, use "deliver forward spam-responder@your.domain.com". Then put a program in the .forward file for "spam-responder" that extracts the sender address from the mail and sends out a message to them. That shouldn't be too hard to write for sendmail. You could even just write it as a "Custom Function" within MailScanner. But don't expect me to write it for you :-) If only everyone was considerate enough to not use the feature, I would leave it in. But they're not, and I get the flak it causes. At 16:18 26/01/2004, you wrote: >I don't bounce to anyone. 
I have been on the receiving end of this and know >first hand what it's like to get these emails-from-spammers flooding my >network. > >But.... > >If the option is already there, tested and working, why not leave the option >operational? Mr. Field has mentioned before that he does not want to step on >the toes of others (i.e. Doing in MailScanner what SpamAssassin already >does) and I found it a little surprising that the "Bounce" was removed. I >feel that this is a case of MailScanner doing the job of responsible >postmasters. > >There may be real reasons to bounce, and someone will request this feature >to be renewed due to this reason, and it will just have to be re-inserted. >So let's all be responsible, and not use it even if it is there, and let >that be the end of the debate. We do have a choice to use it or not, you >know! > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers > > >----- Original Message ----- >From: "Holger Gebhard" >To: >Sent: Monday, January 26, 2004 6:32 AM >Subject: Remove Bounce Option? > > >Hi Julian, >hi Group, > >I don't think it's a good feature to remove the bounce option... > >For Example a popular and often used mail address, sales@company.com, or >vertrieb@company.de naturally receive many spam mails... > >With MailScanner V4.26 the recipient must read thousands of "short text >notification messages" to see whether one Message is falsely trapped as >Spam. > >I think it's a better way to send a notification (Bounce) to the Sender (I >know that mostly all Spammers fake their mail addresses). > >When the Sender really wants to send a Message to a protected Recipient, he >will send a reply to the Bounce Message (to Admin), or send a new one to >the Recipient. > >In my Company there are many "Novice" Users... >With the Bounce Option the Users only sometimes ask me why a Message is >being blocked. >But when I use the notify Recipient option, the Users will always ask me >about every Notification Message... 
"It could be an important message" > >So please don't remove the Bounce Option!!!! > > >One other Question... > >Is it possible to add the "RBL-List Name" where the Message was trapped to >the Spamreport. > > > >Thanks, > > >Holger -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkipness at GENIANT.COM Mon Jan 26 16:50:58 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:03 2006 Subject: Razor stopped working Message-ID: <399D85F2BB50BC4295F78EAE203D5C2221803C@dalsxc01.geniant.net> Hi, I installed Razor2 yesterday and as soon as I finished I could see references to it in the logs under SpamAssassin. However, today for some reason, if I grep the logs, I see no reference whatsoever. SpamAssassin is still present under many messages in the log. Is there some way to restart Razor? I didn't think so. I also ran the test with SpamAssassin in debug mode, and it states that it finds Razor2. Any suggestions on this one? Also, yesterday when it was working, there were many messages tagged with SpamAssassin and Razor. It seemed like every single message that had Razor attached had the same thing, RAZOR2_CF_RANGE_91_100 1.21, RAZOR2_CHECK 0.88. Is this how it is supposed to work? It just adds 1.99 points to a message that it detects? Or am I missing something? Thanks, Max From taz at AZTEK-ENG.COM Mon Jan 26 16:49:54 2004 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:22:03 2006 Subject: Mailscanner incoming directory..to many directories Message-ID: <000501c3e42c$6cc52820$e90200bf@tazpc> It appears that the mailscanner incoming directory "/var/spool/MailScanner/incoming" on our server never removes the directories that are created in what appears to be the pid numbers of the running processes. We now have about 700 directories and think this is starting to get annoying. 
Can someone please tell me how to fix this and prevent it in the future. We had a similar problem with quarantine directory but with another script calle quarantine cleaner was able to get a handle on it. thanks. From lindsay at pa.net Mon Jan 26 17:09:49 2004 From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:22:03 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <000501c3e42c$6cc52820$e90200bf@tazpc> References: <000501c3e42c$6cc52820$e90200bf@tazpc> Message-ID: <1075136989.20660.11.camel@localhost.localdomain> On Mon, 2004-01-26 at 11:49, Travis Zadikem wrote: > It appears that the mailscanner incoming directory > "/var/spool/MailScanner/incoming" on our server > never removes the directories that are created in what > appears to be the pid numbers of the running processes. We > now have about 700 directories and think this is starting to get > annoying. Can someone please tell me how to fix this and prevent > it in the future. You could run: /usr/sbin/tmpwatch 1 /var/spool/MailScanner/incoming from cron. > We had a similar problem with quarantine directory > but with another script calle quarantine cleaner was able to get a > handle > on it. What version of MailScanner are you running? I think I remember seeing this with an older version. Perhaps upgrading would help. > > thanks. From maillist at HELPINTERNET.CO.UK Mon Jan 26 17:22:15 2004 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK Message-ID: <200401261722.i0QHMIK04289@ns.helpplc.co.uk> I have a client that uses Outlook 2003 but his emails get tagged with the above and bumps it into the spam category. Any ideas? R -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. 
For details on having your email scanned email support@helpinternet.co.uk From dwinkler at ALGORITHMICS.COM Mon Jan 26 17:22:27 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B15A@tormail2.algorithmics.com> Can we see the headers, please? -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Richard Sidlin Sent: Monday, January 26, 2004 12:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: FORGED_MUA_OUTLOOK I have a client that uses Outlook 2003 but his emails get tagged with the above and bumps it into the spam category. Any ideas? R -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From maillist at HELPINTERNET.CO.UK Mon Jan 26 17:31:40 2004 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B15A@tormail2.algorithmics.com> Message-ID: <200401261731.i0QHVhK05671@ns.helpplc.co.uk> Return-Path: Received: from dswu28.btconnect.com (dswu28.btconnect.com [193.113.154.29]) by ns.xxxx.co.uk (8.10.2/8.10.2) with SMTP id i0QHMDK04271 for ; Mon, 26 Jan 2004 17:22:13 GMT Message-Id: <200401261722.i0QHMDK04271@ns.xxxxx.co.uk> Received: from xxxxxxx (actually host xxx.224.37.217.in-addr.arpa) by dswu28 with SMTP-CUST (XT-PP) with ESMTP; Mon, 26 Jan 2004 17:22:09 +0000 From: "xxxxxx" To: "'xxxxxx'" Subject: FW: computer Date: Mon, 26 Jan 2004 17:22:43 -0000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_023B_01C3E431.04682390" X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Thread-Index: AcPkMB4J641oDb3gQOmORze0/+JaxwAALO8g X-MailScanner-Information: 
Provided by Help Internet - 01707 897111 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.8, required 6, FORGED_MUA_OUTLOOK 3.48, HTML_60_70 0.10, HTML_FONT_COLOR_BLUE 0.10, HTML_MESSAGE 0.10, MISSING_OUTLOOK_NAME 0.58, MSG_ID_ADDED_BY_MTA_2 0.40) X-MailScanner-SpamScore: ssss X-UIDL: ~)g"!jp""!-1F"!9Hc"! > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Derek Winkler > Sent: 26 January 2004 17:22 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FORGED_MUA_OUTLOOK > > Can we see the headers, please? > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Richard Sidlin > Sent: Monday, January 26, 2004 12:22 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: FORGED_MUA_OUTLOOK > > > I have a client that uses Outlook 2003 but his emails get > tagged with the above and bumps it into the spam category. > > Any ideas? > > > R > > > > -- > This message has been scanned for viruses and dangerous > content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email > scanned email support@helpinternet.co.uk > > -- > This message has been scanned for viruses and dangerous > content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email > scanned email support@helpinternet.co.uk > > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. 
For details on having your email scanned email support@helpinternet.co.uk From mailscanner at ecs.soton.ac.uk Mon Jan 26 17:37:07 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <000501c3e42c$6cc52820$e90200bf@tazpc> References: <000501c3e42c$6cc52820$e90200bf@tazpc> Message-ID: <6.0.1.1.2.20040126173521.03d8bec0@imap.ecs.soton.ac.uk> Are you ever killing MailScanner? Or have you tweaked any of the code in the init.d script? These directories are all cleared up very tidily by MailScanner when it shuts down, but it has to be left time to do it. If you do something like "kill -9" on the MailScanner processes, then the clearing up cannot take place. What you are seeing is not normal behaviour, something on your system must be happening to cause this. At 16:49 26/01/2004, you wrote: >It appears that the mailscanner incoming directory >"/var/spool/MailScanner/incoming" on our server >never removes the directories that are created in what >appears to be the pid numbers of the running processes. We >now have about 700 directories and think this is starting to get >annoying. Can someone please tell me how to fix this and prevent >it in the future. We had a similar problem with quarantine directory >but with another script calle quarantine cleaner was able to get a >handle >on it. > >thanks. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Jan 26 17:54:08 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK In-Reply-To: <200401261731.i0QHVhK05671@ns.helpplc.co.uk> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B15A@tormail2.algorithmics.com> <200401261731.i0QHVhK05671@ns.helpplc.co.uk> Message-ID: <6.0.1.1.2.20040126175353.02dbb6c0@imap.ecs.soton.ac.uk> Upgrade to SpamAssassin 2.63 and this should go away. At 17:31 26/01/2004, you wrote: > Return-Path: >Received: from dswu28.btconnect.com (dswu28.btconnect.com [193.113.154.29]) > by ns.xxxx.co.uk (8.10.2/8.10.2) with SMTP id i0QHMDK04271 > for ; Mon, 26 Jan 2004 17:22:13 GMT >Message-Id: <200401261722.i0QHMDK04271@ns.xxxxx.co.uk> >Received: from xxxxxxx (actually host xxx.224.37.217.in-addr.arpa) by >dswu28 with SMTP-CUST (XT-PP) with ESMTP; Mon, 26 Jan 2004 >17:22:09 +0000 >From: "xxxxxx" >To: "'xxxxxx'" >Subject: FW: computer >Date: Mon, 26 Jan 2004 17:22:43 -0000 >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="----=_NextPart_000_023B_01C3E431.04682390" >X-Mailer: Microsoft Office Outlook, Build 11.0.5510 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 >Thread-Index: AcPkMB4J641oDb3gQOmORze0/+JaxwAALO8g >X-MailScanner-Information: Provided by Help Internet - 01707 897111 >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.8, required 6, > FORGED_MUA_OUTLOOK 3.48, HTML_60_70 0.10, HTML_FONT_COLOR_BLUE 0.10, > HTML_MESSAGE 0.10, MISSING_OUTLOOK_NAME 0.58, > MSG_ID_ADDED_BY_MTA_2 0.40) >X-MailScanner-SpamScore: ssss >X-UIDL: ~)g"!jp""!-1F"!9Hc"! 
> > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Derek Winkler > > Sent: 26 January 2004 17:22 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: FORGED_MUA_OUTLOOK > > > > Can we see the headers, please? > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Richard Sidlin > > Sent: Monday, January 26, 2004 12:22 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FORGED_MUA_OUTLOOK > > > > > > I have a client that uses Outlook 2003 but his emails get > > tagged with the above and bumps it into the spam category. > > > > Any ideas? > > > > > > R > > > > > > > > -- > > This message has been scanned for viruses and dangerous > > content by the Help Internet Virus Spam Defence, and is > > believed to be clean. For details on having your email > > scanned email support@helpinternet.co.uk > > > > -- > > This message has been scanned for viruses and dangerous > > content by the Help Internet Virus Spam Defence, and is > > believed to be clean. For details on having your email > > scanned email support@helpinternet.co.uk > > > > > > > >-- >This message has been scanned for viruses and dangerous content by the >Help Internet Virus Spam Defence, and is >believed to be clean. For details on having your email scanned email >support@helpinternet.co.uk -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From taz at AZTEK-ENG.COM Mon Jan 26 17:54:23 2004 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:22:03 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <1075136989.20660.11.camel@localhost.localdomain> Message-ID: <000001c3e435$6eaa9ae0$e90200bf@tazpc> Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is 1.142.2.66. 
We are all afraid of upgrading at this time because of how long it took to get the program running correctly in the first place. -----Original Message----- From: Lindsay Snider [mailto:lindsay@pa.net] Sent: Monday, January 26, 2004 10:10 AM To: MailScanner mailing list; taz@aztek-eng.com Subject: Re: Mailscanner incoming directory..to many directories On Mon, 2004-01-26 at 11:49, Travis Zadikem wrote: > It appears that the mailscanner incoming directory > "/var/spool/MailScanner/incoming" on our server never removes the > directories that are created in what appears to be the pid numbers of > the running processes. We now have about 700 directories and think > this is starting to get annoying. Can someone please tell me how to > fix this and prevent it in the future. You could run: /usr/sbin/tmpwatch 1 /var/spool/MailScanner/incoming from cron. > We had a similar problem with quarantine directory > but with another script called quarantine cleaner was able to get a > handle on it. What version of MailScanner are you running? I think I remember seeing this with an older version. Perhaps upgrading would help. > > thanks. From dwinkler at ALGORITHMICS.COM Mon Jan 26 17:52:54 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B15B@tormail2.algorithmics.com> Not tested and not necessarily 100% accurate but... change,
header __OUTLOOK_DOLLARS_MUA X-Mailer =~ /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./
to,
header __OUTLOOK_DOLLARS_MUA X-Mailer =~ /^Microsoft (?:Office )*Outlook(?: 8| CWS, Build 9|, Build 1[01])\./
by putting the changed line in your spam.assassin.prefs.conf It would be more accurate to create another test which only allows the Office word in combination with the ", Build 11" but that's for another day. This is based on my SpamAssassin 2.61 installation. 
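The X-Mailer rule change proposed in the post above, checked against the header posted in this thread; this is an added example, not part of any post and not SpamAssassin's own code. The X-Mailer values other than the one from the thread are constructed, and the `stricter` pattern is an assumption about the more precise test the post leaves for another day.

```python
import re
from email import message_from_string

# The first two patterns are quoted from the post (sub-rule
# __OUTLOOK_DOLLARS_MUA as found in a SpamAssassin 2.61 installation).
PATTERNS = {
    "original": re.compile(
        r"^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\."),
    "proposed": re.compile(
        r"^Microsoft (?:Office )*Outlook(?: 8| CWS, Build 9|, Build 1[01])\."),
    # Assumption: one possible form of the stricter test, where the word
    # "Office" is accepted only together with ", Build 11".
    "stricter": re.compile(
        r"^Microsoft (?:Outlook(?: 8| CWS, Build 9|, Build 10)"
        r"|Office Outlook, Build 11)\."),
}

# Excerpt of the headers posted in the thread (already redacted there).
THREAD_HEADERS = """\
From: "xxxxxx"
Subject: FW: computer
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_023B_01C3E431.04682390"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

"""

# Constructed X-Mailer values: three older Outlook styles the original
# pattern was written for, one unrelated client, and three odd combinations
# that only the loosened pattern lets through.
CONSTRUCTED = [
    "Microsoft Outlook 8.5, Build 4.71.2173.0",
    "Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)",
    "Microsoft Outlook, Build 10.0.2627",
    "Microsoft Outlook Express 6.00.2600.0000",
    "Microsoft Outlook, Build 11.0.5510",
    "Microsoft Office Outlook 8.5",
    "Microsoft Office Office Outlook, Build 10.0",
]


def x_mailer_of(raw_headers):
    """Return the X-Mailer value of a raw header block ('' if absent)."""
    msg = message_from_string(raw_headers)
    return (msg.get("X-Mailer") or "").strip()


def evaluate(x_mailer):
    """Map each pattern name to whether it matches this X-Mailer value."""
    return {name: bool(rx.search(x_mailer)) for name, rx in PATTERNS.items()}


def loosened_only(samples):
    """Values the proposed pattern accepts but the stricter one rejects."""
    return [s for s in samples
            if PATTERNS["proposed"].search(s)
            and not PATTERNS["stricter"].search(s)]


if __name__ == "__main__":
    for value in [x_mailer_of(THREAD_HEADERS)] + CONSTRUCTED:
        hits = evaluate(value)
        flags = " ".join(f"{name}={'Y' if ok else 'n'}"
                         for name, ok in hits.items())
        print(f"{flags}  {value}")
    print("accepted only by the proposed pattern:")
    for value in loosened_only(CONSTRUCTED):
        print("  " + value)
```

The Outlook 2003 string from the thread fails the original pattern and passes both replacements; the last three constructed values show what `(?:Office )*` and `1[01]` admit beyond that one string.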
-----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Richard Sidlin Sent: Monday, January 26, 2004 12:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: FORGED_MUA_OUTLOOK Return-Path: Received: from dswu28.btconnect.com (dswu28.btconnect.com [193.113.154.29]) by ns.xxxx.co.uk (8.10.2/8.10.2) with SMTP id i0QHMDK04271 for ; Mon, 26 Jan 2004 17:22:13 GMT Message-Id: <200401261722.i0QHMDK04271@ns.xxxxx.co.uk> Received: from xxxxxxx (actually host xxx.224.37.217.in-addr.arpa) by dswu28 with SMTP-CUST (XT-PP) with ESMTP; Mon, 26 Jan 2004 17:22:09 +0000 From: "xxxxxx" To: "'xxxxxx'" Subject: FW: computer Date: Mon, 26 Jan 2004 17:22:43 -0000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_023B_01C3E431.04682390" X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Thread-Index: AcPkMB4J641oDb3gQOmORze0/+JaxwAALO8g X-MailScanner-Information: Provided by Help Internet - 01707 897111 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.8, required 6, FORGED_MUA_OUTLOOK 3.48, HTML_60_70 0.10, HTML_FONT_COLOR_BLUE 0.10, HTML_MESSAGE 0.10, MISSING_OUTLOOK_NAME 0.58, MSG_ID_ADDED_BY_MTA_2 0.40) X-MailScanner-SpamScore: ssss X-UIDL: ~)g"!jp""!-1F"!9Hc"! > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Derek Winkler > Sent: 26 January 2004 17:22 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FORGED_MUA_OUTLOOK > > Can we see the headers, please? > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Richard Sidlin > Sent: Monday, January 26, 2004 12:22 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: FORGED_MUA_OUTLOOK > > > I have a client that uses Outlook 2003 but his emails get > tagged with the above and bumps it into the spam category. > > Any ideas? 
> > > R > > > > -- > This message has been scanned for viruses and dangerous > content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email > scanned email support@helpinternet.co.uk > > -- > This message has been scanned for viruses and dangerous > content by the Help Internet Virus Spam Defence, and is > believed to be clean. For details on having your email > scanned email support@helpinternet.co.uk > > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From dot at DOTAT.AT Mon Jan 26 17:49:37 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:03 2006 Subject: FORGED_MUA_OUTLOOK In-Reply-To: Message-ID: Richard Sidlin wrote: >I have a client that uses Outlook 2003 but his emails get tagged with the above and bumps it into the spam category. Upgrade SpamAssassin. Tony. -- f.a.n.finch http://dotat.at/ ROCKALL MALIN HEBRIDES BAILEY: NORTHERLY BACKING WESTERLY 5 TO 7, PERHAPS GALE 8 LATER IN HEBRIDES AND BAILEY, DECREASING 4 FOR A TIME. RAIN OR WINTRY SHOWERS. MODERATE OR GOOD. From Kevin_Miller at CI.JUNEAU.AK.US Mon Jan 26 18:01:17 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:03 2006 Subject: SuSe? Message-ID: <08146035CA49D6119A36009027AC822A0264ED33@CITY-EXCH-NTS> Yeah - SuSE 8.0/sendmail. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- From: Ryan Finnesey [mailto:ryan.finnesey@CORPDSG.COM] Sent: Friday, January 23, 2004 8:03 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SuSe? Is anyone running Mail Scanner on SuSe? 
Ryan Finnesey Diversified Solutions Group 119 West 72 Street New York NY 10023 : ryan.finnesey@corpdsg.com ( 212-920-0000 2 212-920-0001 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040126/4deadfcc/attachment.html From mailscanner at ecs.soton.ac.uk Mon Jan 26 18:14:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <000001c3e435$6eaa9ae0$e90200bf@tazpc> References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> Message-ID: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> That's the internal cvs version number of the file. MailScanner logs its version number to your maillog when it starts. What to so long to get it running to start with? I am interested if I can try to ease the installation process. At 17:54 26/01/2004, you wrote: >Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is >1.142.2.66. >We are all afraid of upgrading at this time because of how long >it took to get the program running correctly in the first place. >-----Original Message----- >From: Lindsay Snider [mailto:lindsay@pa.net] >Sent: Monday, January 26, 2004 10:10 AM >To: MailScanner mailing list; taz@aztek-eng.com >Subject: Re: Mailscanner incoming directory..to many directories > > >On Mon, 2004-01-26 at 11:49, Travis Zadikem wrote: > > It appears that the mailscanner incoming directory > > "/var/spool/MailScanner/incoming" on our server never removes the > > directories that are created in what appears to be the pid numbers of > > the running processes. We now have about 700 directories and think > > this is starting to get annoying. Can someone please tell me how to > > fix this and prevent it in the future. > >You could run: >/usr/sbin/tmpwatch 1 /var/spool/MailScanner/incoming >from cron. 
> > > We had a similar problem with quarantine directory > > but with another script calle quarantine cleaner was able to get a > > handle on it. > >What version of MailScanner are you running? I think I remember seeing >this with an older version. Perhaps upgrading would help. > > > > > thanks. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From taz at AZTEK-ENG.COM Mon Jan 26 18:29:07 2004 From: taz at AZTEK-ENG.COM (Travis Zadikem) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> Message-ID: <000301c3e43a$491820e0$e90200bf@tazpc> Sorry. version is 4.23-11. The reason it took so long was because sendmail had to be recompiled to be up to the latest and mailscanner docs are really for linux users NOT solaris users so things had to be modified to get the program to work on solaris. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Monday, January 26, 2004 11:14 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner incoming directory..to many directories That's the internal cvs version number of the file. MailScanner logs its version number to your maillog when it starts. What to so long to get it running to start with? I am interested if I can try to ease the installation process. At 17:54 26/01/2004, you wrote: >Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is >1.142.2.66. We are all afraid of upgrading at this time because of how >long it took to get the program running correctly in the first place. 
>-----Original Message----- >From: Lindsay Snider [mailto:lindsay@pa.net] >Sent: Monday, January 26, 2004 10:10 AM >To: MailScanner mailing list; taz@aztek-eng.com >Subject: Re: Mailscanner incoming directory..to many directories > > >On Mon, 2004-01-26 at 11:49, Travis Zadikem wrote: > > It appears that the mailscanner incoming directory > > "/var/spool/MailScanner/incoming" on our server never removes the > > directories that are created in what appears to be the pid numbers > > of the running processes. We now have about 700 directories and > > think this is starting to get annoying. Can someone please tell me > > how to fix this and prevent it in the future. > >You could run: >/usr/sbin/tmpwatch 1 /var/spool/MailScanner/incoming >from cron. > > > We had a similar problem with quarantine directory > > but with another script calle quarantine cleaner was able to get a > > handle on it. > >What version of MailScanner are you running? I think I remember seeing >this with an older version. Perhaps upgrading would help. > > > > > thanks. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Jan 26 18:34:35 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <000301c3e43a$491820e0$e90200bf@tazpc> References: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <000301c3e43a$491820e0$e90200bf@tazpc> Message-ID: <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> Hopefully in future you will find my Solaris 9 installation walk-through useful. http://www.sng.ecs.soton.ac.uk/mailscanner/install/solaris9.txt Usually Solaris users are more experienced sysadmins and require less help. Not many people "stumble" into being a Solaris admin. 
Personally I prefer Solaris to Linux in some situations as I find it more stable. I haven't got many Linux boxes that have an uptime over 2 years (and I have Solaris boxes with that). At 18:29 26/01/2004, you wrote: >Sorry. version is 4.23-11. The reason it took so long was because >sendmail had to be recompiled to be up to the latest and mailscanner >docs are really for linux users NOT solaris users so things had to be >modified to get the program to work on solaris. > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Monday, January 26, 2004 11:14 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner incoming directory..to many directories > > >That's the internal cvs version number of the file. MailScanner logs its >version number to your maillog when it starts. > >What to so long to get it running to start with? I am interested if I >can try to ease the installation process. > >At 17:54 26/01/2004, you wrote: > >Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is > >1.142.2.66. We are all afraid of upgrading at this time because of how > >long it took to get the program running correctly in the first place. > >-----Original Message----- > >From: Lindsay Snider [mailto:lindsay@pa.net] > >Sent: Monday, January 26, 2004 10:10 AM > >To: MailScanner mailing list; taz@aztek-eng.com > >Subject: Re: Mailscanner incoming directory..to many directories > > > > > >On Mon, 2004-01-26 at 11:49, Travis Zadikem wrote: > > > It appears that the mailscanner incoming directory > > > "/var/spool/MailScanner/incoming" on our server never removes the > > > directories that are created in what appears to be the pid numbers > > > of the running processes. We now have about 700 directories and > > > think this is starting to get annoying. Can someone please tell me > > > how to fix this and prevent it in the future. 
> > > >You could run: > >/usr/sbin/tmpwatch 1 /var/spool/MailScanner/incoming > >from cron. > > > > > We had a similar problem with quarantine directory > > > but with another script called quarantine cleaner was able to get a > > > handle on it. > > > >What version of MailScanner are you running? I think I remember seeing > > >this with an older version. Perhaps upgrading would help. > > > > > > > > thanks. > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD >E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Mon Jan 26 18:46:19 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes Message-ID: <4015607B.63D74101@ihs.com> As we all know, spammers try to get around bayes by putting in multiple words that have no meaning: coolant drier cudgel belgrade baroness airlock actuate judas decision abbreviate betroth etc. Does anyone see anything wrong with the following rule? It should match 30 consecutive four-letter words that have no punctuation. So far, one spam has triggered it. The score is currently set low for testing.

body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,}/i
describe MULTI_WORD A lot of 4-letter words, with no punctuation
score MULTI_WORD 0.1

Since I am not a Perl master, can anyone suggest an easier way to write it?
Thanks, Dustin From kevins at BMRB.CO.UK Mon Jan 26 19:03:28 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes In-Reply-To: <4015607B.63D74101@ihs.com> References: <4015607B.63D74101@ihs.com> Message-ID: <1075143819.27684.7.camel@bach.kevinspicer.co.uk> On Mon, 2004-01-26 at 18:46, Dustin Baer wrote: > body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,}/i > describe MULTI_WORD A lot of 4-letter words, with no punctuation > score MULTI_WORD 0.1 > > Since I am not a Perl master, can anyone suggest an easier way to write > it? Nice idea I think. I'm not a perl master either, but I'd suggest... /(\w{4,} ){30,}/ (the trailing i is not required since \w matches upper and lower case anyway) You might further allow different numbers of spaces/ tabs etc. It might also be worthwhile to disable capturing of the parenthesized part of the expression (if memory serves this may make it faster)... /(?:\w{4,}\s+){30,}/ BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
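The three forms of the rule from the messages above, run over constructed samples; this is an added example, not code posted to the list. SpamAssassin evaluates these as Perl regular expressions, so using Python's re here is an assumption (the constructs involved behave the same on ASCII text), and the helper names, the fourth pattern and the sample strings are made up for the illustration.

```python
import re

# Patterns quoted from the thread. They are Perl regexes for SpamAssassin;
# running them under Python's re is an assumption of this example.
PATTERNS = {
    # the original rule: 30 copies of \w{4,} joined by single spaces
    "explicit_30": re.compile(" ".join([r"\w{4,}"] * 30), re.ASCII),
    # first suggested rewrite
    "single_space": re.compile(r"(\w{4,} ){30,}", re.ASCII),
    # second suggested rewrite: any whitespace, non-capturing group
    "any_space": re.compile(r"(?:\w{4,}\s+){30,}", re.ASCII),
    # NOT from the thread: same idea, but no separator needed after word 30
    "no_trailing": re.compile(r"(?:\w{4,}\s+){29}\w{4,}", re.ASCII),
}

# Hypothetical helper pattern: one maximal run of 4+ character words
# separated only by whitespace.
_RUN = re.compile(r"(?:\w{4,}\s+)*\w{4,}", re.ASCII)


def which_match(text):
    """Sorted names of the patterns above that fire on text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def longest_run(text):
    """Word count of the longest punctuation-free run of 4+ character words.

    Useful for choosing the repeat count from real ham and spam before
    raising the rule's score.
    """
    return max((len(m.group().split()) for m in _RUN.finditer(text)), default=0)


# Constructed samples, built from the words quoted in the original post.
WORDS = ("coolant drier cudgel belgrade baroness airlock actuate judas "
         "decision abbreviate betroth").split()


def salad(n):
    """First n words of the quoted list, repeated as often as needed."""
    return (WORDS * (n // len(WORDS) + 1))[:n]


SALAD_30 = " ".join(salad(30))   # exactly 30 words, nothing after the last one
SALAD_31 = " ".join(salad(31))   # 31 words, single spaces
WRAPPED_31 = "\n".join(" ".join(salad(31)[i:i + 8]) for i in range(0, 31, 8))
PROSE = ("Please find the minutes of the last meeting attached, and let me "
         "know if any of the action items need to be changed before Friday.")

if __name__ == "__main__":
    for label, text in [("30 words", SALAD_30), ("31 words", SALAD_31),
                        ("31 words, wrapped", WRAPPED_31), ("prose", PROSE)]:
        print(f"{label:18} longest run {longest_run(text):2}  "
              f"fires: {', '.join(which_match(text)) or 'none'}")
```

On these samples the two quantified rewrites need whitespace after the 30th word, so a run of exactly 30 words that ends the text fires only the written-out rule and the added variant; the single-space forms stop matching as soon as the run wraps onto a new line.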
From mark at TIPPINGMAR.COM Mon Jan 26 19:26:55 2004 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes In-Reply-To: <1075143819.27684.7.camel@bach.kevinspicer.co.uk> References: <4015607B.63D74101@ihs.com> Message-ID: <4014F97F.2382.1D8E5408@localhost> On 26 Jan 2004 at 19:03, Kevin Spicer wrote: > On Mon, 2004-01-26 at 18:46, Dustin Baer wrote: > > > body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,}/i > > describe MULTI_WORD A lot of 4-letter words, with no punctuation > > score MULTI_WORD 0.1 > > > > Since I am not a Perl master, can anyone suggest an easier way to write > > it? > Nice idea I think. > > I'm not a perl master either, but I'd suggest... > > /(\w{4,} ){30,}/ > > (the trailing i is not required since \w matches upper and lower case > anyway) > > You might further allow different numbers of spaces/ tabs etc. It might > also be worthwhile to disable capturing of the parenthesized part of the > expression (if memory serves this may make it faster)... > > /(?:\w{4,}\s+){30,}/ I'm seeing some with punctuation in them. This is going to complicate things.
Here is an example that the proposed rule would miss: phloem cutback tau admire irredeemable allyl impeccable headway muff closeup vine castigate astigmat coagulable dragging pet cavil clapeyron clapboard boundary ruination conklin butler thyroid depressant ,rub doubt isotherm melanin mill keenan constantine widget betatron wells paternoster blocky competitive lange autonomic - nerve domingo ott thesis chemistry calder duct ember curry congress ostrich decreeing conspirator .condensible permanent hades onomatopoeia ice cam dawn precess teethed whitetail hager damn art castro , coleman bugle doorman multiplicand firehouse ambiguous greensward beast rutherford scribble teheran carmine annunciate countermen joyce cover regrettable stove warmish humiliate missile thereupon myosin . communicate berniece collectible bawl bugeyed muscovy gator chinamen resuming sainthood promulgate adams ,flatland goldenseal ciceronian penh wyman basemen dharma seedling spinodal stuart falconry budget acco Mark -- Mark W. Nienberg, SE Tipping Mar + associates 1906 Shattuck Ave, Berkeley, CA 94704 visit our website at http://www.tippingmar.com From dustin.baer at IHS.COM Mon Jan 26 19:28:44 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes References: <4015607B.63D74101@ihs.com> <1075143819.27684.7.camel@bach.kevinspicer.co.uk> Message-ID: <40156A6C.6C70857A@ihs.com> Kevin Spicer wrote: > > On Mon, 2004-01-26 at 18:46, Dustin Baer wrote: > > > body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > \w{4,} \w{4,} \w{4,}/i > > describe MULTI_WORD A lot of 4-letter words, with no punctuation > > score MULTI_WORD 0.1 > > > > Since I am not a Perl master, can anyone suggest an easier way to write > > it? > Nice idea I think. 
> > I'm not a perl master either, but I'd suggest... > > /(\w{4,} ){30,}/ Funny, I thought I tried that, but must have done /( \w{4,} ){30,}/ (notice the leading space), which didn't work. Why the leading space breaks the expression, I don't know. Yours works. > (the trailing i is not required since \w matches upper and lower case > anyway) Right. > You might further allow different numbers of spaces/ tabs etc. It might > also be worthwhile to disable capturing of the parenthesized part of the > expression (if memory serves this may make it faster)... > > /(?:\w{4,}\s+){30,}/ That works, also. I might also change "\w" to "[a-zA-Z]" to ignore digits and underscores. Thanks for the input, Kevin! Hopefully, others might find this useful. Dustin From dustin.baer at IHS.COM Mon Jan 26 19:39:20 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes References: <4015607B.63D74101@ihs.com> <4014F97F.2382.1D8E5408@localhost> Message-ID: <40156CE8.A1FDCBF2@ihs.com> Mark Nienberg wrote: > > On 26 Jan 2004 at 19:03, Kevin Spicer wrote: > > > On Mon, 2004-01-26 at 18:46, Dustin Baer wrote: > > > > > body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > > > \w{4,} \w{4,} \w{4,}/i > > > describe MULTI_WORD A lot of 4-letter words, with no punctuation > > > score MULTI_WORD 0.1 > > > > > > Since I am not a Perl master, can anyone suggest an easier way to write > > > it? > > Nice idea I think. > > > > I'm not a perl master either, but I'd suggest... > > > > /(\w{4,} ){30,}/ > > > > (the trailing i is not required since \w matches upper and lower case > > anyway) > > > > You might further allow different numbers of spaces/ tabs etc. 
It might > > also be worthwhile to disable capturing of the parenthesized part of the > > expression (if memory serves this may make it faster)... > > > > /(?:\w{4,}\s+){30,}/ > > I'm seeing some with puctuation in them. This is going to complicate things. Here is > an example that the proposed rule would miss: > [snip] I hate spammers. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From rzewnickie at RFA.ORG Mon Jan 26 19:55:33 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <000301c3e43a$491820e0$e90200bf@tazpc> <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> Message-ID: <20040126195533.GF2218@rfa.org> On Mon, Jan 26, 2004 at 06:34:35PM +0000, Julian Field wrote: > Usually Solaris users are more experienced sysadmins and require less help. > Not many people "stumble" into being a Solaris admin. Personally I prefer > Solaris to Linux in some situations as I find it more stable. I haven't got > many Linux boxes that have an uptime over 2 years (and I have Solaris boxes > with that). # uptime 14:53:39 up 459 days, 18:56, 1 user, load average: 0.37, 0.41, 0.42 from a linux box here. not quite 2 years, yet. :) From michele at BLACKNIGHTSOLUTIONS.COM Mon Jan 26 20:09:33 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes In-Reply-To: <4015607B.63D74101@ihs.com> Message-ID: This kind of spam is a real pain. The only sane way of blocking it would have to be some form of frequency analysis, though the punctuation or lack thereof makes it quite unwieldy :/ Mr. 
Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dustin Baer > Sent: 26 January 2004 18:46 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: multiple garbage words/bayes > > > As we all know, spammers try to get around bayes by putting in multiple > words that have no meaning: > > coolant drier cudgel belgrade baroness airlock actuate > judas decision > abbreviate betroth > > etc. > > Does anyone see anything wrong with the following rule? It should match > 30 consecutive four-letter words that have no punctuation. So far, one > spam has triggered it. The score is currently set low for testing. > > body MULTI_WORD /\w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} \w{4,} > \w{4,} \w{4,} \w{4,}/i > describe MULTI_WORD A lot of 4-letter words, with no punctuation > score MULTI_WORD 0.1 > > Since I am not a Perl master, can anyone suggest an easier way to write > it? > > Thanks, > > Dustin > From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 27 08:20:26 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:04 2006 Subject: Announce: MailScanner-MRTG version 0.07 released Message-ID: > None of those above use snmp Thought so. > Might be a ps issue for the processes, can you give me the > following outputs... 
> > ps -eo args proxy:~ # ps -eo args ps: args: keyword not found ps: no valid keywords; valid keywords: %cpu %mem acflag acflg blocked caught command cpu cputime f flags ignored inblk inblock jobc ktrace ktracep lim login logname lstart majflt minflt msgrcv msgsnd ni nice nivcsw nsignals nsigs nswap nvcsw nwchan oublk oublock p_ru paddr pagein pcpu pending pgid pid pmem ppid pri re rgid rlink rss rssize rsz rtprio ruid ruser sess sig sigcatch sigignore sigmask sl start stat state svgid svuid tdev time tpgid tsess tsiz tt tty ucomm uid upr user usrpri vsize vsz wchan xstat > ps axo comm proxy:~ # ps axo comm ps: comm: keyword not found ps: no valid keywords; valid keywords: %cpu %mem acflag acflg blocked caught command cpu cputime f flags ignored inblk inblock jobc ktrace ktracep lim login logname lstart majflt minflt msgrcv msgsnd ni nice nivcsw nsignals nsigs nswap nvcsw nwchan oublk oublock p_ru paddr pagein pcpu pending pgid pid pmem ppid pri re rgid rlink rss rssize rsz rtprio ruid ruser sess sig sigcatch sigignore sigmask sl start stat state svgid svuid tdev time tpgid tsess tsiz tt tty ucomm uid upr user usrpri vsize vsz wchan xstat > perl -e 'print "$^O"' [note thats an oh not a zero] freebsd > Is /var/spool a mount point? No. > Is /var/spool/MailScanner/incoming a mount point? Yes: mfs:21801 on /var/spool/MailScanner/incoming (mfs, asynchronous, local, nodev, nosuid, nosymfollow) It is a tmpfs equivalent filesystem. Thanks in advance, JP From mailscanner at ecs.soton.ac.uk Mon Jan 26 22:54:29 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:22:04 2006 Subject: No subject Message-ID: <200401262252.i0QMqrJb001293@jackdaw.ecs.soton.ac.uk> The message contains Unicode characters and has been sent as a binary attachment. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: doc.zip Type: application/octet-stream Size: 22640 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040126/39ef9361/doc.obj From support at EAGLE-ACCESS.NET Mon Jan 26 21:28:20 2004 From: support at EAGLE-ACCESS.NET (Eagle Net Support) Date: Thu Jan 12 21:22:04 2006 Subject: bigevil.cf setup {Scanned} Message-ID: <40158674.4DF7A29B@eagle-access.net> When I set "MCP Checks = yes" in MailScanner.conf MS stops delivering. It seems to be accepting by sending to myself but a pop shows it must be going into a black hole as it doesn't deliver and shows up nowhere. The maillog shows an error dealing with language.conf, but I don't know if that is the stopper. It looks like myself (support) is blacklisted. I haven't added any entries to the blacklist.

maillog paste in**********
Jan 26 14:18:26 saturn MailScanner[20003]: MCP Checks: Found 1 MCP messages
Jan 26 14:18:26 saturn MailScanner[20003]: Spam Checks: Starting
Jan 26 14:18:26 saturn MailScanner[20003]: Virus and Content Scanning: Starting
Jan 26 14:18:28 saturn sendmail[20008]: i0QLIRB20008: from=, size=461, class=0, nrcpts=1, msgid=<401583F3.AA55A076@eagle-access.net>, proto=ESMTP, daemon=MTA, relay=hiper51.seqnet.net [206.168.116.17]
Jan 26 14:18:32 saturn MailScanner[19994]: New Batch: Scanning 1 messages, 979 bytes
Jan 26 14:18:32 saturn MailScanner[19994]: MCP Checks: Starting
Jan 26 14:18:32 saturn MailScanner[19994]: Looked up unknown string mcpblacklisted in language translation file /etc/MailScanner/reports/en/languages.conf
Jan 26 14:18:32 saturn MailScanner[19994]: Message i0QLIRB20008 from 206.168.116.17 (s upport@eagle-access.net) to eagle-access.net is banned (MCP blacklisted)
Jan 26 14:18:32 saturn MailScanner[19994]: MCP Checks: Found 1 MCP messages
Jan 26 14:18:32 saturn MailScanner[19994]: Spam Checks: Starting
Jan 26 14:18:32 saturn MailScanner[19994]: Virus and Content Scanning: Starting
Jan 26 14:18:34 saturn ipop3d[20012]: pop3 service init
from 206.168.116.17 Jan 26 14:18:34 saturn ipop3d[20012]: Login user=support host=hiper51.seqnet.net [206. 168.116.17] nmsgs=0/0 Jan 26 14:18:35 saturn ipop3d[20012]: Logout user=support host=hiper51.seqnet.net [206 .168.116.17] nmsgs=0 ndele=0 end paste in maillog*********************** something in language.cf ?? Haven't changed anything there either. Would it be better to dump all the SA .cf's and replace it with bigevil.cf ??? thanks joe -- This message has been scanned for viruses and dangerous content, and is believed to be clean. From peter at UCGBOOK.COM Mon Jan 26 21:32:38 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <000301c3e43a$491820e0$e90200bf@tazpc> <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> Message-ID: <40158776.4010304@ucgbook.com> Julian Field wrote: > Usually Solaris users are more experienced sysadmins and require less help. > Not many people "stumble" into being a Solaris admin. Personally I prefer > Solaris to Linux in some situations as I find it more stable. I haven't got > many Linux boxes that have an uptime over 2 years (and I have Solaris boxes > with that). When I worked for Sun support there was this story about a customer who logged a case where he wanted to know when we were gonna fix the uptime bug, his had started over at 1 after 999. Don't know if it was true though. Have seen over 900 days myself. I told them that they probably should patch the kernel. They replied: why, is it gonna make the system more stable? How are you gonna respond to that? Sorry for the off-topic post but I just love my Suns. 
:-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From kevins at BMRB.CO.UK Mon Jan 26 21:55:21 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <40158776.4010304@ucgbook.com> References: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <000301c3e43a$491820e0$e90200bf@tazpc> <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> <40158776.4010304@ucgbook.com> Message-ID: <1075154122.27684.20.camel@bach.kevinspicer.co.uk> On Mon, 2004-01-26 at 21:32, Peter Bonivart wrote: > How are you gonna respond to that? > > Sorry for the off-topic post but I just love my Suns. :-) > You obviously don't have an A1000 disk array - they have a battery which has to be replaced every two years and the engineer insists on powering down the machine to do it (and then resetting the counter to turn out the bad battery light!). I have mixed feelings about Solaris, partly because we are still mostly running 2.6 for historic reasons, and partly because of old hardware which isn't as snappy as the more recent intel boxes I do most work on. I have to say though that Sun engineers are probably the best hardware engineers of any supplier we use. [Unlike a certain well known supplier of Intel boxes who regularly sends us engineers who have never seen the hardware we have before, and have to ask us how to open the case!] BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From JFalgout at CO.JEFFERSON.CO.US Mon Jan 26 22:02:14 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:04 2006 Subject: New virus outbreak Message-ID: Looks like we are fighting a new outbreak - random file names with extensions of .scr, .pif, .exe, .zip, etc What's the best way to block *ALL* attachments? From peter at UCGBOOK.COM Mon Jan 26 22:02:41 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:04 2006 Subject: multiple garbage words/bayes In-Reply-To: <4015607B.63D74101@ihs.com> References: <4015607B.63D74101@ihs.com> Message-ID: <40158E81.6010403@ucgbook.com> Dustin Baer wrote: > As we all know, spammers try to get around bayes by putting in multiple > words that have no meaning: > > coolant drier cudgel belgrade baroness airlock actuate judas decision > abbreviate betroth > > etc. I have had real good luck with these two rules someone posted a week ago. I have been using them with 0.1/0.25 respectively to test them and have not seen any false positives yet but they often seem to trigger when Bayes doesn't which is exactly what I'm looking for. 

rawbody CP_RANDOMWORD_10 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
describe CP_RANDOMWORD_10 string of 10+ random words
score CP_RANDOMWORD_10 0.5

rawbody CP_RANDOMWORD_15 /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe CP_RANDOMWORD_15 string of 15+ random words
score CP_RANDOMWORD_15 2.5

-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From TGFurnish at HERFF-JONES.COM Mon Jan 26 22:05:33 2004 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:22:04 2006 Subject: ANNOUNCE: Unstable 4.26.5 released Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF03733635@inex1.herffjones.hj-int> The custom logging function I posted this summer wrote what you're asking for to log files - it was just a rip-off of the sql logging code that wrote to flat files instead. I haven't updated the code since then, but writing a logging function that logs just what you care about shouldn't be too difficult for ya. But IMHO you really will be better off logging to a sql database instead. MailWatch is nice. And immediately after I got flat-file detailed logging working, I switched to MailWatch. :-) I might be able to fish out the custom logging functions I wrote, or you can write your own, or you can find them on the list archives probably with lots of others - but no guarantee what I wrote works reliably. > -----Original Message----- > From: Ken Anderson [mailto:ka@PACIFIC.NET] > Sent: Friday, January 23, 2004 6:26 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Unstable 4.26.5 released > > > The script that processes the log would be entirely separate from > MailScanner of course, like antivirus updates, generating > whitelists etc. > > I think I'm just talking about a patch to the logging that MS already > does to log recipient, subject and msg id for low scoring spam to > support this.
I'll post it for others if I get it working. I haven't > looked at the code yet, so I'm not sure those things are even > available > in that part of the process. If anyone else has already done this, > please chime in. > > Thanks, > Ken Anderson > > Peter Bonivart wrote: > > > Ken Anderson wrote: > > > >> The notify function is probably not appropriate for this, > but it got me > >> thinking again that it would be nice to have a daily email > sent to users > >> who can scan a list of emails that MailScanner has quarantined. > > > > > > In my humble opinion, MS is a real-time system. All kinds > of summaries > > are better done with other tools, like MailWatch for > example. Shouldn't > > be too hard to do your own script either, if you ask on the > list someone > > probably will share an already existing one. > > > > -- > > /Peter Bonivart > > > > --Unix lovers do it in the Sun > > > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > > > > > From peter at UCGBOOK.COM Mon Jan 26 22:07:13 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:04 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <000301c3e43a$491820e0$e90200bf@tazpc> References: <000301c3e43a$491820e0$e90200bf@tazpc> Message-ID: <40158F91.3050609@ucgbook.com> Travis Zadikem wrote: > Sorry. version is 4.23-11. The reason it took so long was because > sendmail had to be recompiled to be up to the latest and mailscanner > docs are really for linux users NOT solaris users so things had to be > modified to get the program to work on solaris. Did you follow the tar distribution guide? I found it very easy to follow and subscribing to this list took care of all configuration choices. 
http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From kevin at KEVINSPICER.CO.UK Mon Jan 26 22:07:54 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:04 2006 Subject: Announce: MailScanner-MRTG version 0.07 released Message-ID: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> Version 0.07 of MailScanner-MRTG is now available for download from http://mailscanner-mrtg.sourceforge.net for more details read on below... This release represents some substantial changes from the previous versions. There are intended to improve the speed of processing, the accuracy of output. The previous dependency on sar (from the sysstat package) has been removed (due to its poor portability and not very accurate output - due to the way we were using it). For all graphs to work the ucd-snmp or net-snmp packages are now needed (users concerned about security should ensure the snmpd daemon binds only to the loopback interface or filter the port on the external interfaces using iptables or similar). 0.07 Also includes new Spam/Virus Ratio and Files in Quarantine graphs, as well as improvements in the smoothness of the Load Average and Bytes of Mail graphs, a more understandable IP traffic graph and a change in the colour scheme for the graphs to make them more readable. Users who install from the tarfile can now use the supplied install.pl to quickly and easily install/upgrade (run install.pl --help for more information). POD Documentation / man page has also been added. Those upgrading from one of the development snapshots should delete the /var/www/html/mailscanner-mrtg/state.info file before upgrading. -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. 
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040126/ec10472c/attachment.bin

From kevins at BMRB.CO.UK Mon Jan 26 22:16:58 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To:
References:
Message-ID: <1075155419.27684.35.camel@bach.kevinspicer.co.uk>

DONT DO THIS....!!!!

deny .* Attachment All attachments temporarily rejected

I just tried it (on my home box, not my production server thankfully)
and it blocks all parts of the message (including message text)

On Mon, 2004-01-26 at 22:02, Jeff Falgout wrote:
> Looks like we are fighting a new outbreak - random
> file names with extensions of .scr, .pif, .exe, .zip, etc
>
> What's the best way to block *ALL* attachments?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in reliance on it
is prohibited. BMRB International Limited accepts no liability in
relation to any personal emails, or content of any email which
does not directly relate to our business.
From peter at UCGBOOK.COM Mon Jan 26 22:17:57 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To:
References:
Message-ID: <40159215.2080308@ucgbook.com>

Jeff Falgout wrote:
> Looks like we are fighting a new outbreak - random
> file names with extensions of .scr, .pif, .exe, .zip, etc
>
> What's the best way to block *ALL* attachments?
>

Putting

deny .+$ Temporary block Temporary block

at the top of filename.rules.conf should do the trick (the white space
must be tabs). Totally untested and I might be wrong.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From shrek-m at GMX.DE Mon Jan 26 22:25:28 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <1075155419.27684.35.camel@bach.kevinspicer.co.uk>
References: <1075155419.27684.35.camel@bach.kevinspicer.co.uk>
Message-ID: <401593D8.3030700@gmx.de>

Kevin Spicer wrote:

>DONT DO THIS....!!!!
>
>deny .* Attachment All attachments temporarily rejected
>
>I just tried it (on my home box, not my production server thankfully)
>and it blocks all parts of the message (including message text)
>
>

happened to me too a few weeks ago ;-)

this seems to be ok
----
allow \.txt$ - -
allow \.htm*$ - -
deny . "bla" "blubber"
----

>On Mon, 2004-01-26 at 22:02, Jeff Falgout wrote:
>
>
>>Looks like we are fighting a new outbreak - random
>>file names with extensions of .scr, .pif, .exe, .zip, etc
>>
>>What's the best way to block *ALL* attachments?
>>
>>

From JFalgout at CO.JEFFERSON.CO.US Mon Jan 26 22:29:11 2004
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
Message-ID:

>>> shrek-m@GMX.DE 1/26/2004 3:25:28 PM >>>
Kevin Spicer wrote:

>DONT DO THIS....!!!!
>
>deny .* Attachment All attachments temporarily rejected
>
>I just tried it (on my home box, not my production server thankfully)
>and it blocks all parts of the message (including message text)
>
>

happened to me too a few weeks ago ;-)

this seems to be ok
----
allow \.txt$ - -
allow \.htm*$ - -
deny . "bla" "blubber"
----

***************************

Is there anything wrong with this?

deny \.[a-z][a-z0-9]$ "Emergency Attachment Filter" Possible "Mimail" virus

From kevins at BMRB.CO.UK Mon Jan 26 22:29:37 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <40159215.2080308@ucgbook.com>
References: <40159215.2080308@ucgbook.com>
Message-ID: <1075156177.27684.43.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:17, Peter Bonivart wrote:
> Putting
>
> deny .+$ Temporary block Temporary block
>
> at the top of filename.rules.conf should do the trick (the white space
> must be tabs). Totally untested and I might be wrong.

That also has the effect of blocking everything (message included)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
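
Added example (not part of any list message, and not MailScanner's own code): a small Python model of how the rules posted so far in this thread classify the parts of one message. It assumes MailScanner tries the rules top to bottom, stops at the first regular expression that matches anywhere in the name, matches case-insensitively, and allows a name that no rule matches. The part names and the final extension-list rule are constructed for illustration.

```python
import re

# Rules as posted in the thread, written with real tabs between fields.
DENY_STAR = "deny\t.*\tAttachment\tAll attachments temporarily rejected"
DENY_PLUS = "deny\t.+$\tTemporary block\tTemporary block"
ALLOW_TEXT_THEN_DENY = (
    "allow\t\\.txt$\t-\t-\n"
    "allow\t\\.htm*$\t-\t-\n"
    'deny\t.\t"bla"\t"blubber"'
)
TWO_CHAR = ('deny\t\\.[a-z][a-z0-9]$\t"Emergency Attachment Filter"'
            '\tPossible "Mimail" virus')
# Constructed alternative: name only the extensions reported in the outbreak.
EXTENSION_LIST = ("deny\t\\.(scr|pif|exe|zip)$\tEmergency block"
                  "\tAttachment type temporarily blocked")

# Constructed sample message: the first entry stands in for the message text,
# which the thread reports is checked against the rules like any other part.
PARTS = ["msg-body.txt", "page.html", "document.zip",
         "new_year3.exe", "invoice.pif", "script.js"]


def parse_rules(text):
    """Parse lines of the form action<TAB>regex<TAB>log text<TAB>user text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in re.split(r"\t+", line) if f]
        # A rule typed with spaces instead of tabs collapses into one field.
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"not a tab-separated rule: {line!r}")
        rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE)))
    return rules


def verdict(rules, filename, default="allow"):
    """Return the action of the first rule whose regex matches the name."""
    for action, pattern in rules:
        if pattern.search(filename):
            return action
    return default


def blocked_parts(rule_text, parts):
    """List the part names that the given rule set would deny."""
    rules = parse_rules(rule_text)
    return [name for name in parts if verdict(rules, name) == "deny"]


if __name__ == "__main__":
    for label, rule_text in [
        ("deny .*", DENY_STAR),
        ("deny .+$", DENY_PLUS),
        ("allow txt/htm*, deny .", ALLOW_TEXT_THEN_DENY),
        ("deny \\.[a-z][a-z0-9]$", TWO_CHAR),
        ("deny listed extensions", EXTENSION_LIST),
    ]:
        print(f"{label:28} blocks {blocked_parts(rule_text, PARTS)}")
```

Both catch-all patterns match every name, so the text part goes with the attachments; the two-character pattern leaves .exe, .pif and .zip alone; and \.htm*$ matches .ht or .htm but not .html.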
From kevins at BMRB.CO.UK Mon Jan 26 22:31:40 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <401593D8.3030700@gmx.de>
References: <1075155419.27684.35.camel@bach.kevinspicer.co.uk> <401593D8.3030700@gmx.de>
Message-ID: <1075156300.3730.46.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:25, shrek-m@gmx.de wrote:
> Kevin Spicer wrote:
>
> >DONT DO THIS....!!!!
> >
> >deny .* Attachment All attachments temporarily rejected
> >
> >I just tried it (on my home box, not my production server thankfully)
> >and it blocks all parts of the message (including message text)
> >
> >
>
> happened to me too a few weeks ago ;-)

What's just the best fun is the mail storm this creates as the messages
to postmaster etc are also blocked, causing more messages to postmaster,
which in turn are blocked etc..

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Mon Jan 26 22:36:04 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To:
References:
Message-ID: <1075156564.27682.51.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:29, Jeff Falgout wrote:
>
> Is there anything wrong with this?
>
> deny \.[a-z][a-z0-9]$ "Emergency Attachment Filter"
> Possible "Mimail" virus

It will only block two character extensions.
Just been doing a little reading at the virus vendors - they're only
mentioning the attachments you mentioned, so why not just block zips?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From dustin.baer at IHS.COM Mon Jan 26 22:35:59 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
References:
Message-ID: <4015964F.6C524847@ihs.com>

Jeff Falgout wrote:
>
> Looks like we are fighting a new outbreak - random
> file names with extensions of .scr, .pif, .exe, .zip, etc

Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
Blocked Filenames Or Filetypes"

Dustin

From dustin.baer at IHS.COM Mon Jan 26 22:37:12 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:04 2006
Subject: Blocking extensions inside of zip files
Message-ID: <40159698.22D74CCB@ihs.com>

Is there a way to use the filenames.rules.conf file on zipped files?
E.g. block a zipped .pif or .exe attachment, rather than blocking all
.zip attachments?
Thanks,

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From kevins at BMRB.CO.UK Mon Jan 26 22:55:22 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: Blocking extensions inside of zip files
In-Reply-To: <40159698.22D74CCB@ihs.com>
References: <40159698.22D74CCB@ihs.com>
Message-ID: <1075157723.3730.53.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:37, Dustin Baer wrote:
> Is there a way to use the filenames.rules.conf file on zipped files?
> E.g. block a zipped .pif or .exe attachment, rather than blocking all
> .zip attachments?
>

No, I think this has been discussed before and is much more difficult /
unpredictable than might be thought.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Mon Jan 26 22:59:36 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <4015964F.6C524847@ihs.com>
References: <4015964F.6C524847@ihs.com>
Message-ID: <1075157977.3730.56.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:35, Dustin Baer wrote:
> Jeff Falgout wrote:
> >
> > Looks like we are fighting a new outbreak - random
> > file names with extensions of .scr, .pif, .exe, .zip, etc
>
> Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
> Blocked Filenames Or Filetypes"

Looks like Clam is detecting this as Worm.SCO.A

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From gdoris at ROGERS.COM Mon Jan 26 23:12:15 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:04 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075154875.27684.26.camel@bach.kevinspicer.co.uk>
References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk>
Message-ID: <1075158734.24930.4.camel@jaguar.dorfam.ca>

On Mon, 2004-01-26 at 17:07, Kevin Spicer wrote:
> Version 0.07 of MailScanner-MRTG is now available for download from
> http://mailscanner-mrtg.sourceforge.net for more details read on
> below...

snip...

I have a problem with the new version. I'm getting massive complaints
(MB's of logfiles) filled with the following...I've had to turn off
snmpd to stop the flood.
Warning: -p option is no longer used - specify the remote host as HOST:PORT
USAGE: snmpwalk [OPTIONS] AGENT [OID]

  Version:  5.1
  Web:      http://www.net-snmp.org/
  Email:    net-snmp-coders@lists.sourceforge.net

OPTIONS:
  -h, --help            display this help message
  -H                    display configuration file directives understood
  -v 1|2c|3             specifies SNMP version to use
  -V, --version         display package version number
SNMP Version 1 or 2c specific
  -c COMMUNITY          set the community string
SNMP Version 3 specific
  -a PROTOCOL           set authentication protocol (MD5|SHA)
  -A PASSPHRASE         set authentication protocol pass phrase
  -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)
  -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)
  -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)
  -n CONTEXT            set context name (e.g. bridge1)
  -u USER-NAME          set security name (e.g. bert)
  -x PROTOCOL           set privacy protocol (DES|AES)
  -X PASSPHRASE         set privacy protocol pass phrase
  -Z BOOTS,TIME         set destination engine boots/time
General communication options
  -r RETRIES            set the number of retries
  -t TIMEOUT            set the request timeout (in seconds)

snip...

All the remaining snmp options are listed on and on and on.

--
Gerry Doris

From jen at AH.DK Mon Jan 26 23:13:30 2004
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:04 2006
Subject: Svar: Re: New virus outbreak
Message-ID:

F-prot says:

F-Prot: /var/spool/MailScanner/incoming/3111/i0QN1Ee04379/hmr.zip->hmr.htm . Infection: W32/Mydoom.A@mm

And kaspersky hasn't detected it. only got 1 hit... until now...

/jan Elmqvist Nielsen

>>> kevins@BMRB.CO.UK 26-01-04 23:59 >>>
On Mon, 2004-01-26 at 22:35, Dustin Baer wrote:
> Jeff Falgout wrote:
> >
> > Looks like we are fighting a new outbreak - random
> > file names with extensions of .scr, .pif, .exe, .zip, etc
>
> Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
> Blocked Filenames Or Filetypes"

Looks like Clam is detecting this as Worm.SCO.A

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From dustin.baer at IHS.COM Mon Jan 26 23:16:36 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
References: <4015964F.6C524847@ihs.com> <1075157977.3730.56.camel@bach.kevinspicer.co.uk>
Message-ID: <40159FD4.A0DA922C@ihs.com>

Kevin Spicer wrote:
>
> On Mon, 2004-01-26 at 22:35, Dustin Baer wrote:
> > Jeff Falgout wrote:
> > >
> > > Looks like we are fighting a new outbreak - random
> > > file names with extensions of .scr, .pif, .exe, .zip, etc
> >
> > Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
> > Blocked Filenames Or Filetypes"
>
> Looks like Clam is detecting this as Worm.SCO.A

LOL! Good thing my company is paying Sophos $14K+/3 years for
virus definitions. I sent them three files today at 14:30 MST
and they still don't have a new IDE for it!!
Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From peter at UCGBOOK.COM Mon Jan 26 23:20:18 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:04 2006
Subject: Mailscanner incoming directory..to many directories
In-Reply-To: <1075154122.27684.20.camel@bach.kevinspicer.co.uk>
References: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <000301c3e43a$491820e0$e90200bf@tazpc> <6.0.1.1.2.20040126183132.03d1b158@imap.ecs.soton.ac.uk> <40158776.4010304@ucgbook.com> <1075154122.27684.20.camel@bach.kevinspicer.co.uk>
Message-ID: <4015A0B2.80707@ucgbook.com>

Kevin Spicer wrote:
> You obviously don't have an A1000 disk array - they have a battery which
> has to be replaced every two years and the engineer insists on powering
> down the machine to do it (and then resetting the counter to turn out
> the bad battery light!).

They are instructed to power off the array because there's a microscopic
chance that the battery will explode, you know how it is in America. ;-)
It's really OK to change it with the power on but your cache is of
course not protected if your power should fail during the 10 seconds it
takes to switch the battery. The engineers are usually flexible when it
comes to schedule a routine task like that but if it bothers you that
they power down the array, ask them not to. You can reset the battery
age at any time with "raidutil -c device -R".

> I have mixed feelings about Solaris, partly because we are still mostly
> running 2.6 for historic reasons, and partly because of old hardware
> which isn't as snappy as the more recent intel boxes I do most work on.
> I have to say though that Sun engineers are probably the best hardware
> engineers of any supplier we use. [Unlike a certain well known supplier
> of Intel boxes who regularly sends us engineers who have never seen the
> hardware we have before, and have to ask us how to open the case!]
You could buy the V60x and V65x Intel-based servers, priced as Dell but
you get the same fine service. Soon you will have AMD64 servers also. :-)

Now I'm totally off-topic so I should stop here.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From dnsadmin at 1BIGTHINK.COM Mon Jan 26 23:25:45 2004
From: dnsadmin at 1BIGTHINK.COM (Admin)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
Message-ID: <5.2.1.1.0.20040126182542.02c3e668@mail.1bigthink.com>

At 03:35 PM 1/26/2004 -0700, you wrote:
>Jeff Falgout wrote:
> >
> > Looks like we are fighting a new outbreak - random
> > file names with extensions of .scr, .pif, .exe, .zip, etc
>
>Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
>Blocked Filenames Or Filetypes"

Worm.SCO.A

My ClamAV is picking it all up and calling it the SCO worm. Hmm. You'd
think they would have devised a bug that would clobber Linux servers with
that name. I wonder why it acquired that one?

From dnsadmin at 1BIGTHINK.COM Mon Jan 26 23:34:59 2004
From: dnsadmin at 1BIGTHINK.COM (Admin)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <1075157977.3730.56.camel@bach.kevinspicer.co.uk>
References: <4015964F.6C524847@ihs.com> <4015964F.6C524847@ihs.com>
Message-ID: <5.2.1.1.0.20040126183105.02a9ae60@mail.1bigthink.com>

At 10:59 PM 1/26/2004 +0000, you wrote:
>On Mon, 2004-01-26 at 22:35, Dustin Baer wrote:
> > Jeff Falgout wrote:
> > >
> > > Looks like we are fighting a new outbreak - random
> > > file names with extensions of .scr, .pif, .exe, .zip, etc
> >
> > Yes and it spoofs sender addresses. I have turned off "Notify Senders Of
> > Blocked Filenames Or Filetypes"
>
>Looks like Clam is detecting this as Worm.SCO.A

I noticed an unusual amount of these on a client's SonicWall over the
past 12 hours (mine hasn't registered any more than usual, but I host
mail):

01/26/2004 17:49:48.720 - Sub Seven Attack Dropped - Source:xx.xxx.xx.xxx, 1785, WAN - Destination:xxx.xxx.xx.xx, 27374, WAN - -

There is no mail hosted there. Port 110 is closed.

Hunker down and watch!

From spamtrap71892316634 at ANIME.NET Mon Jan 26 23:37:55 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:04 2006
Subject: New virus outbreak
In-Reply-To: <1075159776.27684.70.camel@bach.kevinspicer.co.uk>
Message-ID:

On Mon, 26 Jan 2004, Kevin Spicer wrote:
> On Mon, 2004-01-26 at 23:16, Dustin Baer wrote:
> > LOL! Good thing my company is paying Sophos $14K+/3 years for
> > virus definitions. I sent them three files today at 14:30 MST
> > and they still don't have a new IDE for it!!
> Yeah, looks like McAfee, Symantec and Clam take the honours!

f-prot too...

-Dan

From kevins at BMRB.CO.UK Mon Jan 26 23:39:07 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
In-Reply-To: <5.2.1.1.0.20040126182542.02c3e668@mail.1bigthink.com>
References: <5.2.1.1.0.20040126182542.02c3e668@mail.1bigthink.com>
Message-ID: <1075160347.27684.80.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 23:25, Admin wrote:
> Worm.SCO.A
> My ClamAV is picking it all up and calling it the SCO worm. Hmm. You'd
> think they would have devised a bug that would clobber Linux servers with
> that name. I wonder why it acquired that one?

Symantec are calling it Novarg (Novell Argument?)

Here's what the clamav database update said...

Note: The name may change once other av-scanners start to detect this.
The currently used name was suggested by Tomasz Kojm due to its content.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Mon Jan 26 23:28:24 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075158734.24930.4.camel@jaguar.dorfam.ca>
References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> <1075158734.24930.4.camel@jaguar.dorfam.ca>
Message-ID: <1075159704.27684.68.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 23:12, Gerry Doris wrote:
> On Mon, 2004-01-26 at 17:07, Kevin Spicer wrote:
> > Version 0.07 of MailScanner-MRTG is now available for download from
> > http://mailscanner-mrtg.sourceforge.net for more details read on
> > below...
> snip...
>
> I have a problem with the new version. I'm getting massive complaints
> (MB's of logfiles) filled with the following...I've had to turn off
> snmpd to stop the flood.

Gerry, sorry my fault entirely - I had ucd-snmp and I missed one of the
differences.

Could you change line 211 in
/usr/liib/MailScanner-MRTG/MSMRTG/Data.pm to...

$command = "$MSMRTG::Config::Config{'snmpwalkbinary'} -v 2c -c $MSMRTG::Config::Config{'snmpcommunity'} localhost:$MSMRTG::Config::Config{'snmpport'} ";

(that should be all one line)

Also make sure you have set...
SNMP version = net

in mailscanner-mrtg.conf [Maybe I should try and auto detect that in
future]

If you can get back to me whether this fix works I'll quickly roll a new
rpm and tarball for the site.

Thanks

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Mon Jan 26 23:29:36 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
In-Reply-To: <40159FD4.A0DA922C@ihs.com>
References: <4015964F.6C524847@ihs.com> <1075157977.3730.56.camel@bach.kevinspicer.co.uk> <40159FD4.A0DA922C@ihs.com>
Message-ID: <1075159776.27684.70.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 23:16, Dustin Baer wrote:
> LOL! Good thing my company is paying Sophos $14K+/3 years for
> virus definitions. I sent them three files today at 14:30 MST
> and they still don't have a new IDE for it!!
>

Yeah, looks like McAfee, Symantec and Clam take the honours!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 26 23:50:36 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
Message-ID:

> Yeah, looks like McAfee, Symantec and Clam take the honours!

eTrust also has new versions prepared but not yet released which is
quite strange... :

Aliases reported by other AV products are listed here:
(W32/Mydoom.A@mm) (W32/Mydoom@MM) (MyDoom.A@mm) (WORM_MIMAIL.R)

CA antivirus products address this malware as follows:
------------------------------------------------------
eTrust Antivirus 7.x/6.x, InoculateIT 6.x (VET engine)
Engine     Update version    Last Update
11.2.0     11.2.8111         27 Jan
The signature update is currently undergoing extensive testing. It
should be released within 24 hours.
Once the signature file is ready, it can be downloaded here:
http://support.ca.com/Download/virussig.html

eTrust Antivirus 7.x/6.x, InoculateIT 6.x (InoculateIT engine)
Engine     Update version    Last Update
23.63.0    23.63.79          27 Jan
The signature update is currently undergoing extensive testing. It
should be released within 24 hours.
Once the signature file is ready, it can be downloaded here:
http://support.ca.com/Download/virussig.html

So what they are saying is: Yes we know this one and we will have it in
our new sig files.... Once they are ready...

LOL

Regards,
JP

From isp-list at TULSACONNECT.COM Mon Jan 26 23:54:08 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:22:05 2006
Subject: Check SpamAssassin If On Spam List Issue
Message-ID: <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect.com>

Hiya.

When I am checking a RBL with MS and have "Check SpamAssassin If On Spam
List" set to "no", it tags the message as spam as expected.
However, my users typically have filters on the X-Spam-Score header
(which allows them to tailor the spam score levels to their preferences)
and this header is not added when this setting is used.

Could a configuration setting be added to assign an arbitrary score to
the X-Spam-Score header when the "Check SpamAssassin If On Spam List =
no"?

Thanks.

-----------------------------------------
Mike Bacher / isp-list@tulsaconnect.com
TCIS - TulsaConnect Internet Services
Phone: 918-584-1100x110
Fax: 918-582-5776
-----------------------------------------

From FCaen at CI.LAKEWOOD.WA.US Mon Jan 26 23:55:41 2004
From: FCaen at CI.LAKEWOOD.WA.US (Francois Caen)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
Message-ID:

-----Original Message-----
From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]

> Yeah, looks like McAfee, Symantec and Clam take the honours!

Add F-Prot to the list. The definitions downloaded in the last couple
hours detect the virus properly. And before that, blocking .pif, .exe
and such helped.

---------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269

NOTICE: The Information contained in this transmission is privileged and
confidential. It is intended for the use of the individual or entity
named above. If the reader of this message is not the intended addressee
or other legitimate recipient, the reader is hereby notified that any
consideration, dissemination or duplication of this communication is
strictly prohibited. If the addressee has received this communication in
error, please return it to the above address by mail and notify this
office by telephone.
City of Lakewood

From tristanr at CI.GRANDJCT.CO.US Mon Jan 26 23:57:01 2004
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:22:05 2006
Subject: Blocking extensions inside of zip files
Message-ID:

At work we use another antivirus solution (not my decision), and we have
been manually adding the infected .zip files to our blocked attachment
list. We don't want to block all .zip files, and the virus definitions
haven't been updated yet (or we haven't downloaded them yet. Again not
my decision). So this is our best solution, blocking by filename.

file.zip
document.zip
body.zip
* more may be added as we see them

Here is an idea for discussion... How about a filename check inside of
zip files? Similar to the current filename checks, only it also looks
inside .zip files a certain depth of directories (or zip files). If the
.zip file continues too deep, then block the attachment. Of course, if
the virus scanners are currently used to expand zip files, then it would
not make sense for MailScanner to do this.

Tristan Rhodes

>> Is there a way to use the filenames.rules.conf file on zipped files?
>> E.g. block a zipped .pif or .exe attachment, rather than blocking all
>> .zip attachments?
>>
>No, I think this has been discussed before and is much more difficult /
>unpredictable than might be thought.

From raymond at PROLOCATION.NET Tue Jan 27 00:01:14 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
In-Reply-To:
Message-ID:

Hi!

> eTrust also has new versions prepared but not yet released which is
> quite strange... :
>
> Aliases reported by other AV products are listed here:
> (W32/Mydoom.A@mm) (W32/Mydoom@MM) (MyDoom.A@mm) (WORM_MIMAIL.R)

Also:

Worm.SCO.A
W32.Novarg.A@mm

We got around 450 copies yet, that's extremely high for just 1.5
runningtime. Let's hope some others start catching them also, Kaspersky
isn't detecting it yet either it seems. Luckily f-prot and clam do.
:)

Bye,
Raymond.

From mike at TC3NET.COM Tue Jan 27 00:12:58 2004
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
In-Reply-To:
References:
Message-ID: <1075162378.12682.1.camel@localhost.localdomain>

Well, McAfee hasn't actually released a new .dat pack for it, so
MailScanner's auto-update doesn't help, you need to download the
extra.dat from their website, and manually install it in the
/usr/local/uvscan dir., note it's uppercase in the zip, I changed it to
lowercase, and it works.

Regards
MIKE

> > Yeah, looks like McAfee, Symantec and Clam take the honours!
>
> eTrust also has new versions prepared but not yet released which is quite strange... :
>
> Aliases reported by other AV products are listed here:
> (W32/Mydoom.A@mm) (W32/Mydoom@MM) (MyDoom.A@mm) (WORM_MIMAIL.R)
>
> CA antivirus products address this malware as follows:
> ------------------------------------------------------
> eTrust Antivirus 7.x/6.x, InoculateIT 6.x (VET engine)
> Engine     Update version    Last Update
> 11.2.0     11.2.8111         27 Jan
> The signature update is currently undergoing extensive testing. It
> should be released within 24 hours.
> Once the signature file is ready, it can be downloaded here:
> http://support.ca.com/Download/virussig.html
>
> eTrust Antivirus 7.x/6.x, InoculateIT 6.x (InoculateIT engine)
> Engine     Update version    Last Update
> 23.63.0    23.63.79          27 Jan
> The signature update is currently undergoing extensive testing. It
> should be released within 24 hours.
> Once the signature file is ready, it can be downloaded here:
> http://support.ca.com/Download/virussig.html
>
>
> So what they are saying is: Yes we know this one and we will have it in our new sig files.... Once they are ready...
>
> LOL
>
> Regards,
> JP
>

From dustin.baer at IHS.COM Tue Jan 27 00:26:52 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:05 2006
Subject: Blocking extensions inside of zip files
References:
Message-ID: <4015B04C.1EC908DA@ihs.com>

Tristan Rhodes wrote:
>
> At work we use another antivirus solution (not my decision), and we have been manually adding the infected .zip files to our blocked attachment list. We don't want to block all .zip files, and the virus definitions haven't been updated yet (or we haven't downloaded them yet. Again not my decision). So this is our best solution, blocking by filename.
>
> file.zip
> document.zip
> body.zip
> * more may be added as we see them

USERTRAN.zip
cflxzts.zip
data.zip
doc.zip
fidnm.zip
jqjdjk.zip
jxbyvq.zip
message.zip
readme.zip
test.zip
text.zip
vkfyysw.zip

> Here is an idea for discussion... How about a filename check inside of
> zip files? Similar to the current filename checks, only it also looks
> inside .zip files a certain depth of directories (or zip files). If the
> .zip file continues too deep, then block the attachment. Of course, if
> the virus scanners are currently used to expand zip files, then it would
> not make sense for MailScanner to do this.
>
> Tristan Rhodes

This is something that might be extremely worthwhile, considering how fast this one spread using a zip file for "passage."

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From penguin at DHCP.NET Tue Jan 27 00:45:56 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075159704.27684.68.camel@bach.kevinspicer.co.uk>
Message-ID: <000201c3e46e$ec981070$0200a8c0@penguin>

Hello Kevin,

Thanks for the new version; I've been using MailScanner-MRTG for a long time and I love it.
I just installed the new 0.07, but I keep getting this error:

ERROR: iptraffic counters not fully initialised
No iptraffic data on this run

If I manually run the script I get this information:

penguin root # mailscanner-mrtg iptraffic
0
0
5 days
MailScanner at penguin

It won't yield any traffic info. Any of the other options (like 'cpu' or 'loadavg') give no errors and useful information. Do you know why it would do that?

Kind regards,
A. Eijkhoudt

--
This E-mail has been checked for spam and viruses.

From kevin at KEVINSPICER.CO.UK Tue Jan 27 00:49:00 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075154875.27684.26.camel@bach.kevinspicer.co.uk>
References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk>
Message-ID: <1075164541.7437.6.camel@bach.kevinspicer.co.uk>

On Mon, 2004-01-26 at 22:07, Kevin Spicer wrote:
> Version 0.07 of MailScanner-MRTG is now available for download from
> http://mailscannermrtg.sourceforge.net

Due to a serious bug in the net-snmp code the 0.07 packages have been replaced with 0.07.01, which fixes the bug and now also autodetects the version of snmp in use. Anyone using 0.07 with net-snmp should upgrade.

Many thanks to Gerry Doris for pointing out that bug so swiftly. Thanks also to Michael Mansour who pointed out a typo in the URL I provided. The correct site is http://mailscannermrtg.sourceforge.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/234f39d0/attachment.bin

From mike at CAMAROSS.NET Tue Jan 27 00:58:43 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:05 2006
Subject: New virus outbreak
In-Reply-To: <1075160347.27684.80.camel@bach.kevinspicer.co.uk>
Message-ID: <200401270051.i0R0pCGE001911@avwall.bladeware.com>

Sophos just released an IDE

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer
> Sent: Monday, January 26, 2004 5:39 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: New virus outbreak
>
> On Mon, 2004-01-26 at 23:25, Admin wrote:
> > > Worm.SCO.A
> > My ClamAV is picking it all up and calling it the SCO worm.
> Hmm. You'd
> > think they would have devised a bug that would clobber
> Linux servers
> > with that name. I wonder why it acquired that one?
>
> Symantec are calling it Novarg (Novell Argument?)
>
> Heres what the clamav database update said...
>
> Note: The name may change once other av-scanners start to detect this.
> The currently used name was suggested by Tomasz Kojm due to
> its content.
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact
> the sender and delete this message immediately. Disclosure,
> copying or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our business.
>

From gdoris at ROGERS.COM Tue Jan 27 00:53:45 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075159704.27684.68.camel@bach.kevinspicer.co.uk>
References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> <1075158734.24930.4.camel@jaguar.dorfam.ca> <1075159704.27684.68.camel@bach.kevinspicer.co.uk>
Message-ID: <1075164825.24930.10.camel@jaguar.dorfam.ca>

On Mon, 2004-01-26 at 18:28, Kevin Spicer wrote:
> On Mon, 2004-01-26 at 23:12, Gerry Doris wrote:
> > On Mon, 2004-01-26 at 17:07, Kevin Spicer wrote:
> > > Version 0.07 of MailScanner-MRTG is now available for download from
> > > http://mailscanner-mrtg.sourceforge.net for more details read on
> > > below...
> > snip...
> >
> > I have a problem with the new version. I'm getting massive complaints
> > (MB's of logfiles) filled with the following...I've had to turn off
> > snmpd to stop the flood.
>
> Gerry, sorry my fault entirely - I had ucd-snmp and I missed one of the
> diffferences.
>
> Could you change line 211 in /usr/liib/MailScanner-MRTG/MSMRTG/Data.pm
> to...
>
> $command = "$MSMRTG::Config::Config{'snmpwalkbinary'} -v 2c -c
> $MSMRTG::Config::Config{'snmpcommunity'}
> localhost:$MSMRTG::Config::Config{'snmpport'} ";
>
> (that should be all one line)
>
> Also make sure you have set...
>
> SNMP version = net
>
> in mailscanner-mrtg.conf
>
> [Maybe I should try and auto detect that in future]
>
> If you can get back to me whether this fix works I'll quickly roll a new
> rpm and tarball for the site.
>
> Thanks
>
> Kevin

I made the changes and now am seeing

ERROR: iptraffic counters not fully initialised
No iptraffic data on this run

and lots of these (one for each of the graphs)

Illegal division by zero at /usr/lib/MailScanner-MRTG/MSMRTG/Data.pm line 411, line 27.
WARNING: Could not get any data from external command '/usr/sbin/mailscanner-mrtg mail'
Maybe the external command did not even start.
(Illegal seek)
WARNING: Problem with External get '/usr/sbin/mailscanner-mrtg mail': Expected a Number for 'in' but nothing'
WARNING: Problem with External get '/usr/sbin/mailscanner-mrtg mail': Expected a Number for 'out' but nothing'

I don't think I made any other changes???

--
Gerry Doris

From kevin at KEVINSPICER.CO.UK Tue Jan 27 00:57:00 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <000201c3e46e$ec981070$0200a8c0@penguin>
References: <000201c3e46e$ec981070$0200a8c0@penguin>
Message-ID: <1075165020.7437.14.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 00:45, A. Eijkhoudt wrote:
> Hello Kevin,
>
> Thanks for the new version; I've been using MailScanner-MRTG for a long time
> and I love it.
> I just installed the new 0.07, but I keep getting this error:
>
>
> ERROR: iptraffic counters not fully initialised
> No iptraffic data on this run
>
>

It could be a few things. If you get it just once then it is normal (the iptraffic counters now work on the difference between two runs, so you don't get data until the second run). If you keep getting it then....

I presume you are running ucd-snmp not net-snmp (if you are running net-snmp then upgrade to v0.07.01 which is on the site now).

If your cpu and memory stats are okay this indicates the snmp stuff is working so it is most likely one of the following

Make sure that the /var/www/mailscanner-mrtg/state.info file is being updated (check the timestamp).

Make sure that you have specified the correct interfaces to monitor in the config file

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/97709c2f/attachment.bin

From penguin at DHCP.NET Tue Jan 27 01:01:58 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075165020.7437.14.camel@bach.kevinspicer.co.uk>
Message-ID: <000901c3e471$2a321af0$0200a8c0@penguin>

> I presume you are running ucd-snmp not net-snmp (if you are running
> net-snmp then upgrade to v0.07.01 which is on the site now).

I'm running net-snmpd and fixed the error before you had posted the update ;-) IANA perl coder, but it was an easy thing to fix (incidentally, my patch was a character for character match ;-))

> Make sure that the /var/www/mailscanner-mrtg/state.info file is being
> updated (check the timestamp).

Check !

penguin www # ls -al state.info
-rw-r--r-- 1 root root 771 jan 27 02:00 state.info

It gets updated every 5 minutes like it should.

> Make sure that you have specified the correct interfaces to monitor in
> the config file

Check !

penguin MailScanner # ifconfig|grep eth
eth0 Link encap:Ethernet HWaddr 00:60:08:78:EE:C8
eth1 Link encap:Ethernet HWaddr 00:50:04:69:D5:21

penguin MailScanner # cat mailscanner-mrtg.conf |grep Interfaces
Interfaces to Monitor = eth0,eth1

Someone else has also reported the iptraffic error.

Kind regards,
Arnim.

--
This E-mail has been checked for spam and viruses.

From kevin at KEVINSPICER.CO.UK Tue Jan 27 01:04:43 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075164825.24930.10.camel@jaguar.dorfam.ca>
References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> <1075158734.24930.4.camel@jaguar.dorfam.ca> <1075159704.27684.68.camel@bach.kevinspicer.co.uk> <1075164825.24930.10.camel@jaguar.dorfam.ca>
Message-ID: <1075165483.7435.20.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 00:53, Gerry Doris wrote:
>
> I made the changes and now am seeing
>
> ERROR: iptraffic counters not fully initialised
> No iptraffic data on this run
>
> and lots of these (one for each of the graphs)
>

Did you restart snmpd? I think that you are not getting snmp data, but you have snmp turned on in the config file (but I could be wrong, it's getting late!)

Please confirm that
a) snmpd is running
b) you have snmp turned on in the config file, and set to 'net'
c) your community string is correct in the conf file
d) root gets sensible output running snmpwalk command

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/9ca7e4a1/attachment.bin

From kevin at KEVINSPICER.CO.UK Tue Jan 27 01:09:57 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <000901c3e471$2a321af0$0200a8c0@penguin>
References: <000901c3e471$2a321af0$0200a8c0@penguin>
Message-ID: <1075165797.7437.23.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:01, A.
Eijkhoudt wrote:
> penguin www # ls -al state.info
> -rw-r--r-- 1 root root 771 jan 27 02:00 state.info
>
>
> It gets updated every 5 minutes like it should.
>
> > Make sure that you have specified the correct interfaces to monitor in
> > the config file
>

Could you post please the line from state.info which begins...

DATA iptraffic

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/4251fc9d/attachment.bin

From penguin at DHCP.NET Tue Jan 27 01:12:24 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075165797.7437.23.camel@bach.kevinspicer.co.uk>
Message-ID: <000701c3e472$9efea8c0$0200a8c0@penguin>

> Could you post please the line from state.info which begins...
>
> DATA iptraffic

No problemo:

penguin www # grep "iptraffic" state.info
DATA iptraffic u u u 441107

Does this help?

Kind regards,
Arnim.

--
This E-mail has been checked for spam and viruses.

From kevin at KEVINSPICER.CO.UK Tue Jan 27 01:19:49 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <000701c3e472$9efea8c0$0200a8c0@penguin>
References: <000701c3e472$9efea8c0$0200a8c0@penguin>
Message-ID: <1075166390.7437.27.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:12, A. Eijkhoudt wrote:
> > Could you post please the line from state.info which begins...
> penguin www # grep "iptraffic" state.info
> DATA iptraffic u u u 441107
>
>
> Does this help?
Yes, it looks like you are not getting the interface data from snmp, try this snmp command....

snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.2.2.1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/75fdcc9b/attachment.bin

From penguin at DHCP.NET Tue Jan 27 01:21:42 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075166390.7437.27.camel@bach.kevinspicer.co.uk>
Message-ID: <000e01c3e473$eb8acce0$0200a8c0@penguin>

> Yes, it looks like you are not getting the interface data from snmp,
> try this snmp command....
>
> snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.2.2.1.2

penguin root # snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: teql0
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifDescr.4 = STRING: lo
IF-MIB::ifDescr.5 = STRING: teql1

teql0 and teql1 are my traffic equalizers.

Kind regards,
Arnim.

--
This E-mail has been checked for spam and viruses.

From kevin at KEVINSPICER.CO.UK Tue Jan 27 01:27:51 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <000e01c3e473$eb8acce0$0200a8c0@penguin>
References: <000e01c3e473$eb8acce0$0200a8c0@penguin>
Message-ID: <1075166871.7435.37.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:21, A. Eijkhoudt wrote:
> > Yes, it looks like you are not getting the interface data from snmp,
> > try this snmp command....
> >
> > snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.2.2.1.2
>
>
> penguin root # snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.2.2.1.2
> IF-MIB::ifDescr.1 = STRING: teql0
> IF-MIB::ifDescr.2 = STRING: eth0
> IF-MIB::ifDescr.3 = STRING: eth1
> IF-MIB::ifDescr.4 = STRING: lo
> IF-MIB::ifDescr.5 = STRING: teql1
>
>

Looks like another subtle difference between ucd-snmp and net-snmp

find this line in /usr/lib/MailScanner-MRTG/MSMRTG/Data.pm

if (/.*ifDescr.(\d+) = (\w+)/) {

(it's around line 465 ish - I've made a few changes so within about 10 lines)

change it to...

if (/.*ifDescr.(\d+) = (?:STRING: )?(\w+)/) {

You'll still get the message on the very next run, but the line in state.info should be longer and contain your interface names. The following scheduled run should be fine.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/1edd676b/attachment.bin

From penguin at DHCP.NET Tue Jan 27 01:44:18 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075166871.7435.37.camel@bach.kevinspicer.co.uk>
Message-ID: <001601c3e477$14713330$0200a8c0@penguin>

> You'll still get the message on the very next run, but the line in
> state.info should be longer and contain your interface names. The
> following scheduled run should be fine.

Sweet, it works now. The only thing that seems odd to me is the memory gauge: it shows 1MB in use while the real stats are:

             total       used       free     shared    buffers     cached
Mem:          1010        936         73          0        113        586

State.info contains just two ones.
penguin www # grep "memory" state.info
DATA memory 1 1 u

Is this related to the script too or should I look elsewhere for this?

Kind regards,
Arnim.

--
This E-mail has been checked for spam and viruses.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Jan 27 01:48:56 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
Message-ID:

Hi,

> Looks like another subtle difference between ucd-snmp and
> net-snmp find this line in /usr/lib/MailScanner-MRTG/MSMRTG/Data.pm

That seemed to fix it here. A few other graphs are not getting updated on my FreeBSD system though:

MTA Processes
MailScanner Processes
Space used in /var/spool
Space used in WorkDir

Do I need to configure net-snmpd with snmpd_config or will a "blank" setup suffice?

Regards,
JP

From kevins at BMRB.CO.UK Tue Jan 27 01:56:18 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <001601c3e477$14713330$0200a8c0@penguin>
References: <001601c3e477$14713330$0200a8c0@penguin>
Message-ID: <1075168578.7435.51.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:44, A. Eijkhoudt wrote:
> > You'll still get the message on the very next run, but the line in
> > state.info should be longer and contain your interface names. The
> > following scheduled run should be fine.
>
> Sweet, it works now.

Great, thanks for helping me track this down.
> The only thing that seems odd to me is the memory
> gauge: it shows 1MB in use while the real stats are:
>
>
>              total       used       free     shared    buffers     cached
> Mem:          1010        936         73          0        113        586
>
>

Can you give me the output of
snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From penguin at DHCP.NET Tue Jan 27 01:59:18 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075168578.7435.51.camel@bach.kevinspicer.co.uk>
Message-ID: <001701c3e479$2c5cc980$0200a8c0@penguin>

> Can you give me the output of
> snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4

penguin mrtg # snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 9
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 0
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1010
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 0
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 0
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000
UCD-SNMP-MIB::memShared.0 = INTEGER: 0
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 0
UCD-SNMP-MIB::memCached.0 = INTEGER: 0
UCD-SNMP-MIB::memSwapError.0 = INTEGER: 1
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: Running out of swap space (0)

Where do I sign up to be the official beta-tester for upcoming releases?
:]

Regards,
Arnim.

--
This E-mail has been checked for spam and viruses.

From kevins at BMRB.CO.UK Tue Jan 27 02:02:21 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To:
References:
Message-ID: <1075168941.7435.65.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:48, Jan-Peter Koopmann wrote:
> Hi,
>
> > Looks like another subtle difference between ucd-snmp and
> > net-snmp find this line in /usr/lib/MailScanner-MRTG/MSMRTG/Data.pm
>
> That seemed to fix it here. A few other graphs are not getting updated on my FreeBSD system though:
>
> MTA Processes
> MailScanner Processes
> Space used in /var/spool
> Space used in WorkDir
>
> Do I need to configure net-snmpd with snmpd_config or will a "blank" setup suffice?

None of those above use snmp

Might be a ps issue for the processes, can you give me the following outputs...

ps -eo args

ps axo comm

perl -e 'print "$^O"' [note that's an oh not a zero]

Is /var/spool a mount point?
Is /var/spool/MailScanner/incoming a mount point?
If not then those graphs will be blank, this is intentional since the previous way of doing it was misleading (as it wasn't really the space in /var/spool at all etc.etc.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Tue Jan 27 02:14:54 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <001701c3e479$2c5cc980$0200a8c0@penguin>
References: <001701c3e479$2c5cc980$0200a8c0@penguin>
Message-ID: <1075169695.7437.90.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:59, A. Eijkhoudt wrote:
> > Can you give me the output of
> > snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4
>
>
> penguin mrtg # snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4
> UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
> UCD-SNMP-MIB::memErrorName.0 = STRING: swap
> UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 9
> UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 0
> UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1010
> UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 0
> UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 0
> UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000
> UCD-SNMP-MIB::memShared.0 = INTEGER: 0
> UCD-SNMP-MIB::memBuffer.0 = INTEGER: 0
> UCD-SNMP-MIB::memCached.0 = INTEGER: 0
> UCD-SNMP-MIB::memSwapError.0 = INTEGER: 1
> UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: Running out of swap space (0)
>
>
> Where do I sign up to be the official beta-tester for upcoming releases? :]

Thanks for your help, it really is appreciated - even at 2am!

This one isn't me though. It looks like SNMP is returning daft memory stats. Basically MSMRTG gets its figures by taking memAvailReal from memTotalReal and dividing by 1024, and that figure minus shared, buffer and cache.

Compare your figures to mine..
Solaris running NET-SNMP (256M real memory)
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 1047304
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1020096
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 262144
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 11488
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1198784
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000
UCD-SNMP-MIB::memSwapError.0 = INTEGER: 0
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:

Linux running UCD-SNMP (512M real memory)
enterprises.ucdavis.memory.memIndex.0 = 0
enterprises.ucdavis.memory.memErrorName.0 = swap
enterprises.ucdavis.memory.memTotalSwap.0 = 1128880
enterprises.ucdavis.memory.memAvailSwap.0 = 936984
enterprises.ucdavis.memory.memTotalReal.0 = 515752
enterprises.ucdavis.memory.memAvailReal.0 = 12488
enterprises.ucdavis.memory.memTotalFree.0 = 949472
enterprises.ucdavis.memory.memMinimumSwap.0 = 16000
enterprises.ucdavis.memory.memShared.0 = 0
enterprises.ucdavis.memory.memBuffer.0 = 51180
enterprises.ucdavis.memory.memCached.0 = 160180
enterprises.ucdavis.memory.memSwapError.0 = 0
enterprises.ucdavis.memory.memSwapErrorMsg.0 =

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

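The two snmpwalk output styles that tripped MailScanner-MRTG in this thread, run through the old and new ifDescr patterns quoted above and through the memory arithmetic Kevin describes. This is an added Python example, not MailScanner-MRTG code or code from any poster; the function names, the WALK_LINE pattern, the plausibility check and the ucd-snmp style ifDescr sample are assumptions made for illustration.

```python
import re

# The two patterns quoted in the thread (Perl syntax that Python's re also accepts).
OLD_IFDESCR = re.compile(r".*ifDescr.(\d+) = (\w+)")
NEW_IFDESCR = re.compile(r".*ifDescr.(\d+) = (?:STRING: )?(\w+)")

# Generic "name.index = [TYPE: ]value" matcher for either output style (added here).
WALK_LINE = re.compile(r"(\w+)\.(\d+)\s*=\s*(?:(?:STRING|INTEGER):\s?)?(.*)$")

# net-snmp style interface walk, copied from the thread.
NET_SNMP_IFDESCR = """\
IF-MIB::ifDescr.1 = STRING: teql0
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifDescr.4 = STRING: lo
IF-MIB::ifDescr.5 = STRING: teql1
"""

# Constructed sample in the untyped style of the ucd-snmp memory listing in the thread.
UCD_SNMP_IFDESCR = """\
interfaces.ifTable.ifEntry.ifDescr.1 = lo
interfaces.ifTable.ifEntry.ifDescr.2 = eth0
"""

# Memory walks copied from the thread, trimmed to the fields used below.
NET_SNMP_MEM_BROKEN = """\
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1010
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 0
UCD-SNMP-MIB::memShared.0 = INTEGER: 0
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 0
UCD-SNMP-MIB::memCached.0 = INTEGER: 0
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: Running out of swap space (0)
"""

UCD_SNMP_MEM = """\
enterprises.ucdavis.memory.memTotalReal.0 = 515752
enterprises.ucdavis.memory.memAvailReal.0 = 12488
enterprises.ucdavis.memory.memShared.0 = 0
enterprises.ucdavis.memory.memBuffer.0 = 51180
enterprises.ucdavis.memory.memCached.0 = 160180
enterprises.ucdavis.memory.memSwapErrorMsg.0 =
"""


def interface_names(walk_text, pattern):
    """Map ifIndex -> interface name using one of the ifDescr patterns."""
    names = {}
    for line in walk_text.splitlines():
        match = pattern.match(line)
        if match:
            names[int(match.group(1))] = match.group(2)
    return names


def parse_walk(walk_text):
    """Map object name -> value string for either snmpwalk output style."""
    values = {}
    for line in walk_text.splitlines():
        match = WALK_LINE.search(line.strip())
        if match:
            values[match.group(1)] = match.group(3).strip()
    return values


def _kb(walk, name):
    # Fields the agent did not report count as 0.
    return int(walk.get(name) or 0)


def memory_mb(walk):
    """(used, used minus shared/buffer/cache) in MB, as described in the thread."""
    used = _kb(walk, "memTotalReal") - _kb(walk, "memAvailReal")
    active = used - _kb(walk, "memShared") - _kb(walk, "memBuffer") - _kb(walk, "memCached")
    return used / 1024, active / 1024


def implausible(walk):
    """Assumed sanity check: zero available, buffer and cache on a live host."""
    zero = all(_kb(walk, n) == 0 for n in ("memAvailReal", "memBuffer", "memCached"))
    return _kb(walk, "memTotalReal") > 0 and zero


if __name__ == "__main__":
    print("old pattern:", interface_names(NET_SNMP_IFDESCR, OLD_IFDESCR))
    print("new pattern:", interface_names(NET_SNMP_IFDESCR, NEW_IFDESCR))
    for label, text in (("net-snmp", NET_SNMP_MEM_BROKEN), ("ucd-snmp", UCD_SNMP_MEM)):
        walk = parse_walk(text)
        print(label, memory_mb(walk), "implausible" if implausible(walk) else "ok")
```

With the old pattern every net-snmp interface is named STRING, which is why the configured eth0 and eth1 were never found; the broken agent's figures round to the 1 MB shown on the gauge.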
From kevins at BMRB.CO.UK Tue Jan 27 02:18:27 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075168941.7435.65.camel@bach.kevinspicer.co.uk>
References: <1075168941.7435.65.camel@bach.kevinspicer.co.uk>
Message-ID: <1075169910.7437.92.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 02:02, Kevin Spicer wrote:
> Might be a ps issue for the processes, can you give me the following
> outputs...
>
> ps -eo args
>
> ps axo comm
>
> perl -e 'print "$^O"' [note thats an oh not a zero]
>

And...

ps -eo comm

ps axo args

Yes, this is guesswork!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Tue Jan 27 02:29:44 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <001701c3e479$2c5cc980$0200a8c0@penguin>
References: <001701c3e479$2c5cc980$0200a8c0@penguin>
Message-ID: <1075170584.7437.96.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 01:59, A.
Eijkhoudt wrote:
> > Can you give me the output of
> > snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4
>
>
> penguin mrtg # snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4
> UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: Running out of swap space (0)
>
>

Just had a quick Google this looks like a known issue in net-snmp < 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at least 5.0.6

Regards

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From penguin at DHCP.NET Tue Jan 27 02:33:29 2004
From: penguin at DHCP.NET (A. Eijkhoudt)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <1075170584.7437.96.camel@bach.kevinspicer.co.uk>
Message-ID: <000001c3e47d$f2b46760$0200a8c0@penguin>

> Just had a quick Google this looks like a known issue in net-snmp <
> 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at
> least 5.0.6

It's 5.1:

penguin log # snmpd --version

NET-SNMP version: 5.1

Arnim.

--
This E-mail has been checked for spam and viruses.

From chris at FRACTALWEB.COM Tue Jan 27 02:40:34 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
Message-ID: <4015CFA2.8040203@fractalweb.com>

Hi everyone,

One of my clients is a bit annoyed that a file attachment was just blocked. File was called "resume.ab.doc".
What would I need to tweak the rules to so these would go through?

Thanks,
Chris

From kevins at BMRB.CO.UK Tue Jan 27 02:40:29 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:05 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <000001c3e47d$f2b46760$0200a8c0@penguin>
References: <000001c3e47d$f2b46760$0200a8c0@penguin>
Message-ID: <1075171229.7435.101.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 02:33, A. Eijkhoudt wrote:
> > Just had a quick Google this looks like a known issue in net-snmp <
> > 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at
> > least 5.0.6
>
> It's 5.1:
>
> penguin log # snmpd --version
>
> NET-SNMP version: 5.1

Ah. I have to say I dunno then - it still looks like an SNMP issue rather than anything I've done, but unfortunately I can't offer any more insight than that. Sorry.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From dee at ASYOUNEED.COM Tue Jan 27 02:46:10 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:05 2006
Subject: Checking that mailscanner is working with spamassassin
In-Reply-To: <000001c3e47d$f2b46760$0200a8c0@penguin>
Message-ID: <000801c3e47f$b868eed0$0201a8c0@lappy>

Hi All,

How can I check if spamassassin is working with mailscanner?

Cheers,
Dee

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of A.
Eijkhoudt > Sent: 27 January 2004 02:33 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailScanner-MRTG version 0.07 released > > > Just had a quick Google this looks like a known issue in net-snmp < > > 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at > > least 5.0.6 > > It's 5.1: > > penguin log # snmpd --version > > NET-SNMP version: 5.1 > > Arnim. > > > > -- > This E-mail has been checked for spam and viruses. From nerijus at USERS.SOURCEFORGE.NET Tue Jan 27 02:49:26 2004 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:22:05 2006 Subject: New virus outbreak In-Reply-To: <200401270051.i0R0pCGE001911@avwall.bladeware.com> References: <200401270051.i0R0pCGE001911@avwall.bladeware.com> Message-ID: <20040127024925.5F7B65DAF@mx.ktv.lt> Just released Kaspersky update also detects it as Novarg. Nerijus On Mon, 26 Jan 2004 18:58:43 -0600 Mike Kercher wrote: > Sophos just release an IDE > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer > > Sent: Monday, January 26, 2004 5:39 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: New virus outbreak > > > > On Mon, 2004-01-26 at 23:25, Admin wrote: > > > > > Worm.SCO.A > > > My ClamAV is picking it all up and calling it the SCO worm. > > Hmm. You'd > > > think they would have devised a bug that would clobber > > Linux servers > > > with that name. I wonder why it acquired that one? > > > > Symantec are calling it Novarg (Novell Argument?) > > > > Heres what the clamav database update said... > > > > Note: The name may change once other av-scanners start to detect this. > > The currently used name was suggested by Tomasz Kojm due to > > its content. 
From gdoris at ROGERS.COM Tue Jan 27 02:49:39 2004 From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:05 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075170584.7437.96.camel@bach.kevinspicer.co.uk> References: <001701c3e479$2c5cc980$0200a8c0@penguin> <1075170584.7437.96.camel@bach.kevinspicer.co.uk> Message-ID: <1075171778.24930.17.camel@jaguar.dorfam.ca> On Mon, 2004-01-26 at 21:29, Kevin Spicer wrote: > On Tue, 2004-01-27 at 01:59, A. Eijkhoudt wrote: > > > Can you give me the output of > > > snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4 > > > > > > penguin mrtg # snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4 > > UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: Running out of swap space (0) > > > > > Just had a quick Google this looks like a known issue in net-snmp < > 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at > least 5.0.6 > > Regards > > Kevin It's been interesting watching you folks work this out but I've fallen by the wayside ): I have never used snmp before and I haven't got a clue on how to configure snmpd.conf. Looks like I've have to find a howto and start reading when I have time. In the meantime I guess I'll go back to the old version. -- Gerry Doris From kevins at BMRB.CO.UK Tue Jan 27 03:00:08 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:05 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075171778.24930.17.camel@jaguar.dorfam.ca> References: <001701c3e479$2c5cc980$0200a8c0@penguin> <1075170584.7437.96.camel@bach.kevinspicer.co.uk> <1075171778.24930.17.camel@jaguar.dorfam.ca> Message-ID: <1075172408.7435.113.camel@bach.kevinspicer.co.uk> On Tue, 2004-01-27 at 02:49, Gerry Doris wrote: > > It's been interesting watching you folks work this out but I've fallen > by the wayside ): > > I have never used snmp before and I haven't got a clue on how to > configure snmpd.conf. 
Looks like I've have to find a howto and start > reading when I have time. > > In the meantime I guess I'll go back to the old version. > Gerry, if you do that go into /var/www/html/mailscanner-mrtg/loadavg and copy loadavg.log.xxxxx over loadavg.log and do similarly in mailbytes, as these would have been rescaled when you installed. Probably the easier thing to do is just turn SNMP off in the mailscanner-mrtg.conf file while you sort it out. Its easy enough to set up snmpd.conf, just run snmpconf and it guides you through. basically so long as you set a community string for snmp v2 (read only) it should all work (then set your community string in mailscanner-mrtg.conf). I did intend to do a brief guide to setting it up - but it slipped my mind, sorry. I've just uploaded 0.07.02 which fixes all those SNMP bugs (I hope...) and now I'm going to bed. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From penguin at DHCP.NET Tue Jan 27 03:02:11 2004 From: penguin at DHCP.NET (A. Eijkhoudt) Date: Thu Jan 12 21:22:05 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075171229.7435.101.camel@bach.kevinspicer.co.uk> Message-ID: <000101c3e481$f551f8d0$0200a8c0@penguin> > Ah. > > I have to say I dunno then - it still looks like an SNMP issue rather > than anything I've done, but unfortunately I can't offer any more > insight than that. > > Sorry. Thanks for the support in any case. 
And good night, enough code hacking for me as well tonight :-) Arnim. -- This E-mail has been checked for spam and viruses. From ecorrado at ATHENA.RIDER.EDU Tue Jan 27 02:55:14 2004 From: ecorrado at ATHENA.RIDER.EDU (Ed Corrado) Date: Thu Jan 12 21:22:05 2006 Subject: Filter filetype not working Message-ID: I have recently installed MailScanner on a RedHat machine running Sendmail. My main purpose was to use it for spam filtering with SpamAssasian. That is working great. However, I have been asked to filter out executables.It appears the default config files are set up to do this - but it is not working. I have just sent my account on the machine running MailScanner a e-mail with a .exe file and it didn't get filtered. I also sent a file wit the name happy99.exe which is specifically filtered in the configuration files and that got past as well. I have not edited filename.rules.conf or filetype.rules.conf at all. I am running MailScanner version: $Id: MailScanner.pm,v 1.5.2.1 2003/11/27 14:45:56 jkf Exp $ In my MailScanner.conf I have the following two lines: Filename Rules = %etc-dir%/filename.rules.conf Filetype Rules = %etc-dir%/filetype.rules.conf I have seen people asking similar questions in the list archives, but I haven't found any suggestions that have worked for me. Does anyone have any idea what I should be looking for to fix this problem? Ed C. From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 27 03:41:40 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:05 2006 Subject: Filter filetype not working In-Reply-To: Message-ID: Ed Could you provide headers of the emails that were not blocked please. Michele Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. 
+ 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Ed Corrado
> Sent: 27 January 2004 02:55
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Filter filetype not working
>
>
> I have recently installed MailScanner on a RedHat machine running
> Sendmail. My main purpose was to use it for spam filtering with
> SpamAssassin. That is working great. However, I have been asked to
> filter out executables. It appears the default config files are set up
> to do this - but it is not working. I have just sent my account on the
> machine running MailScanner an e-mail with a .exe file and it didn't get
> filtered. I also sent a file with the name happy99.exe which is
> specifically filtered in the configuration files and that got past as
> well. I have not edited filename.rules.conf or filetype.rules.conf at all.
>
> I am running MailScanner version:
>
> $Id: MailScanner.pm,v 1.5.2.1 2003/11/27 14:45:56 jkf Exp $
>
> In my MailScanner.conf I have the following two lines:
>
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
>
> I have seen people asking similar questions in the list archives, but I
> haven't found any suggestions that have worked for me. Does anyone have
> any idea what I should be looking for to fix this problem?
>
> Ed C.
>

From mike at CAMAROSS.NET Tue Jan 27 05:04:06 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
In-Reply-To: <4015CFA2.8040203@fractalweb.com>
Message-ID: <200401270456.i0R4ubGE018038@avwall.bladeware.com>

Look at the very last rule in /etc/MailScanner/filename.rules.conf

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

Note: I have changed mine to ALLOW these and not deny them.
Make sure you reload MailScanner after altering this file.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik
> Sent: Monday, January 26, 2004 8:41 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: I need to tweak filename rules
>
> Hi everyone,
>
> One of my clients is a bit annoyed that a file attachment was
> just blocked. File was called "resume.ab.doc". What would I
> need to tweak the rules to so these would go through?
>
> Thanks,
> Chris
>

From mike at CAMAROSS.NET Tue Jan 27 05:05:00 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:05 2006
Subject: Checking that mailscanner is working with spamassassin
In-Reply-To: <000801c3e47f$b868eed0$0201a8c0@lappy>
Message-ID: <200401270457.i0R4vSGE018098@avwall.bladeware.com>

Turn on the spam logging and spamassassin scores in your MailScanner.conf,
reload MailScanner and then tail -f your maillog and watch the magic work.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Dee Lowndes
> Sent: Monday, January 26, 2004 8:46 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Checking that mailscanner is working with spamassassin
>
> Hi All,
>
> How can I check if spamassassin is working with mailscanner?
>
> Cheers,
> Dee
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of A. Eijkhoudt
> > Sent: 27 January 2004 02:33
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Announce: MailScanner-MRTG version 0.07 released
> >
> > > Just had a quick Google this looks like a known issue in net-snmp <
> > > 5.0.6 - suggest you upgrade your net-snmp install if you aren't on at
> > > least 5.0.6
> >
> > It's 5.1:
> >
> > penguin log # snmpd --version
> >
> > NET-SNMP version: 5.1
> >
> > Arnim.
> >
> >
> >
> > --
> > This E-mail has been checked for spam and viruses.
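
[Added example, not part of any list post and not MailScanner's own code.] The Python sketch below evaluates the catch-all double-extension rule quoted in this thread against the filenames the thread mentions, once as a deny rule and once switched to allow. The whitespace-split parser, first-match-wins ordering, case-insensitive matching, the allow-when-nothing-matches default and the NARROWED_RULES set are assumptions or constructed for the illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text logged when the rule fires


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form: <allow|deny> <regex> <log text>.

    Assumption: fields are split on whitespace, which is safe here because
    the regexes contain no literal whitespace (only the \\s escape).
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <regex> ...'")
        log_text = parts[2] if len(parts) == 3 else ""
        # Assumption: filename rules are matched case-insensitively.
        rules.append(Rule(parts[0].lower(),
                          re.compile(parts[1], re.IGNORECASE), log_text))
    return rules


def check(filename: str, rules: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Return the action of the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule
    return "allow", None  # assumption: a file no rule matches is allowed


# The catch-all rule as its comment describes it (deny).
ORIGINAL_RULES = r"""
# Deny all other double file extensions. This catches any hidden filenames.
deny   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding
"""

# The same rule switched to allow, as quoted in the thread.
RELAXED_RULES = r"""
allow  \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding
"""

# Constructed for this example: a narrower deny placed BEFORE the relaxed
# catch-all. The inner-extension list is illustrative, not exhaustive.
NARROWED_RULES = r"""
deny   \.(exe|scr|pif|com|bat)\s*\.[a-z0-9]{3}$   Executable-looking inner extension
allow  \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$      Found possible filename hiding
"""

# Filenames taken from the messages in this thread.
THREAD_FILENAMES = [
    "resume.ab.doc",
    "somebadfile.exe.doc",
    "draft.annual.report.pages1to25.red.doc",
    "2004.quarterly.report.review.xls",
]


def verdicts(rules_text: str, names=THREAD_FILENAMES) -> Dict[str, str]:
    """Map each filename to the action the given ruleset produces."""
    rules = parse_rules(rules_text)
    return {name: check(name, rules)[0] for name in names}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULES),
                        ("relaxed", RELAXED_RULES),
                        ("narrowed", NARROWED_RULES)):
        print(f"--- {label} ---")
        for name, action in verdicts(text).items():
            print(f"{action:5}  {name}")
```

Run as written, the quoted catch-all pattern does not match "resume.ab.doc", because it requires an inner extension of three or four characters; with the rule switched to allow, "somebadfile.exe.doc" is accepted.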

From chris at FRACTALWEB.COM Tue Jan 27 05:33:11 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
In-Reply-To: <200401270456.i0R4ubGE018038@avwall.bladeware.com>
References: <200401270456.i0R4ubGE018038@avwall.bladeware.com>
Message-ID: <4015F817.1030606@fractalweb.com>

Mike Kercher wrote:

>Look at the very last rule in /etc/MailScanner/filename.rules.conf
>
># Deny all other double file extensions. This catches any hidden filenames.
>allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
>
>Note: I have changed mine to ALLOW these and not deny them. Make sure you
>reload MailScanner after altering this file.
>
>
Mike,

OK, that should be interesting.

But what about this, which is commented in the top few lines of the file?

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file.

So, would that mean that OE might actually run "somebadfile.exe.doc" as an
exe? If that's the case, then perhaps overriding the rule isn't a good idea.

Any thoughts?

Cheers,
Chris

From mike at CAMAROSS.NET Tue Jan 27 06:00:30 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
In-Reply-To: <4015F817.1030606@fractalweb.com>
Message-ID: <200401270552.i0R5qxGE021373@avwall.bladeware.com>

I *think* that's a different match. I'm not good with regexp :) I rely on
my virus scanners to catch infected files and this is why I run sophossavi
AND clamavmodule.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik
> Sent: Monday, January 26, 2004 11:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: I need to tweak filename rules
>
> Mike Kercher wrote:
>
> >Look at the very last rule in /etc/MailScanner/filename.rules.conf
> >
> ># Deny all other double file extensions. This catches any hidden filenames.
> >allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
> >
> >Note: I have changed mine to ALLOW these and not deny them. Make sure
> >you reload MailScanner after altering this file.
> >
> >
> Mike,
>
> OK, that should be interesting.
>
> But what about this, which is commented in the top few lines
> of the file?
>
> # Due to a bug in Outlook Express, you can make the 2nd from last extension
> # be what is used to run the file.
>
> So, would that mean that OE might actually run
> "somebadfile.exe.doc" as an exe? If that's the case, then
> perhaps overriding the rule isn't a good idea.
>
> Any thoughts?
>
> Cheers,
> Chris
>

From rhl-list at BRANTS.COM Tue Jan 27 07:08:20 2004
From: rhl-list at BRANTS.COM (Frank C. Brants)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
In-Reply-To: <4015CFA2.8040203@fractalweb.com>
Message-ID: <5.2.0.9.2.20040127010618.02881eb0@mail.brants.com>

Just my HO, but I would "tweak" the user before tweaking the rule - tell
him to use dashes.

Franko

At Monday 1/26/2004 08:40 PM, you wrote:
>Hi everyone,
>
>One of my clients is a bit annoyed that a file attachment was just
>blocked. File was called "resume.ab.doc". What would I need to tweak the
>rules to so these would go through?
>
>Thanks,
>Chris

Frank C. Brants
Desk 817-763-0893
Cell 214-769-0354

If you only have a hammer, you tend to see every problem as a nail. -- Maslow

From shrek-m at GMX.DE Tue Jan 27 07:20:51 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:05 2006
Subject: Blocking extensions inside of zip files
In-Reply-To:
References:
Message-ID: <40161153.9010808@gmx.de>

Tristan Rhodes wrote:

>At work we use another antivirus solution (not my decision), and we have been manually adding the infected .zip files to our blocked attachment list. We don't want to block all .zip files, and the virus definitions haven't been updated yet (or we haven't downloaded them yet. Again not my decision).
>So this is our best solution, blocking by filename.
>

outsch

>file.zip
>document.zip
>body.zip
>* more may be added as we see them
>

# unzip -t /data4/doku/viren/zip/qbzy.zip
Archive: /data4/doku/viren/zip/qbzy.zip
testing: qbzy.scr OK
No errors detected in compressed data of /data4/doku/viren/zip/qbzy.zip.

# sweep -archive /data4/doku/viren/zip/qbzy.zip
>>> Virus 'W32/MyDoom-A' gefunden in Datei /data4/doku/viren/zip/qbzy.zip/qbzy.scr
>>> Virus 'W32/MyDoom-A' gefunden in Datei /data4/doku/viren/zip/qbzy.zip

--
shrek-m

From p.bos at LAKE.XS4ALL.NL Tue Jan 27 07:31:54 2004
From: p.bos at LAKE.XS4ALL.NL (Piet Bos)
Date: Thu Jan 12 21:22:05 2006
Subject: is this serious?
Message-ID: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl>

Close scrutiny of my logfile, because of the spamassassin timeouts taught
me that Mailscanner is complaining about the queue depth of Postfix.

Jan 27 08:16:28 spbox MailScanner[2630]: Postfix queue structure is depth 2

every mail it is processing.

I've reported this earlier to Jamie the question then was: "does it occur
every email or only at start up?"
I've noticed it only during startup then, but it occurs at every processed
e-mail.
So my question is: "is this serious?"

Piet

From chris at FRACTALWEB.COM Tue Jan 27 07:40:59 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:05 2006
Subject: I need to tweak filename rules
In-Reply-To: <5.2.0.9.2.20040127010618.02881eb0@mail.brants.com>
References: <5.2.0.9.2.20040127010618.02881eb0@mail.brants.com>
Message-ID: <4016160B.9080508@fractalweb.com>

Frank C. Brants wrote:

> Just my HO, but I would "tweak" the user before tweaking the rule - tell
> him to use dashes.

Hi Franko,

Well, sure. But it's not one of my users. This is the human resources
department that regularly receives emailed resumes from people. I can't
tell you how many people use multiple dots within their filenames.

Here's a thought...how difficult would it be to have MailScanner (or
something) convert extra dots in filenames to underscores? For example, I
would like it to convert:

1. "resume.xy.doc" to "resume_xy.doc"
2. "draft.annual.report.pages1to25.red.doc" to "draft_annual_report_pages1to25_red.doc"
3. "2004.quarterly.report.review.xls" to "2004_quarterly_report_review.xls"

This could also have the added benefit of "disarming" some nasties...or not?

Thoughts?

Cheers,
Chris

From mailscanner at ecs.soton.ac.uk Tue Jan 27 08:52:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:05 2006
Subject: Help
In-Reply-To: <051501c3e48c$2a420530$0a01a8c0@DBPMRV11>
References: <051501c3e48c$2a420530$0a01a8c0@DBPMRV11>
Message-ID: <6.0.1.1.2.20040127085130.0357d728@imap.ecs.soton.ac.uk>

Please read www.sng.ecs.soton.ac.uk/mailscanner/reject.html

Adding my to your blacklist will make no difference whatever. I do not run
any service for anyone, nor do I sell any products.

At 04:15 27/01/2004, Viper wrote:
>Please fix your broken virus scanner. I never sent this person an email. The
>virus never uses a REAL To: field. Further emails like this will be seen as
>spam and I will add your IPs to my blacklist and ask others like
>www.spews.org to do the same so everyone blocks you.
> > >Return-path: >Envelope-to: viper@venomx.com >Delivery-date: Mon, 26 Jan 2004 22:59:42 -0500 >Received: from zurax by viper.rx2.net with local-bsmtp (Exim 4.24) > id 1AlKO0-0004Vp-G9 > for viper@venomx.com; Mon, 26 Jan 2004 22:59:40 -0500 >Received: from [65.42.183.20] (helo=temp.bytehead.com) > by viper.rx2.net with esmtp (Exim 4.24) > id 1AlKNq-0007id-W4 > for viper@venomx.com; Mon, 26 Jan 2004 22:59:27 -0500 >Received: from root by temp.bytehead.com with local (Exim 3.36 #1) > id 1AlKNo-0002X5-00 > for viper@venomx.com; Mon, 26 Jan 2004 21:59:24 -0600 >From: "MailScanner" >To: viper@venomx.com >Subject: Warning: E-mail viruses detected >X-MailScanner: generated >Message-Id: >Date: Mon, 26 Jan 2004 21:59:24 -0600 >X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on > viper.rx2.net >X-Spam-Status: No, hits=-0.9 required=5.0 tests=BAYES_30 autolearn=ham > version=2.61 >X-Spam-Level: >X-SpamPal: PASS > >Our virus detector has just been triggered by a message you sent:- > To: poncho@bytehead.com > Subject: Test > Date: Mon Jan 26 21:59:24 2004 >Any infected parts of the message (document.zip) >have not been delivered. > >This message is simply to warn you that your computer system may have a >virus present and should be checked. > >The virus detector said this about the message: >Report: document.zip->document.txt >Infection: W32/Mydoom.A@mm > > >-- >MailScanner >Email Virus Scanner >www.mailscanner.info >Mailscanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 09:38:49 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:05 2006 Subject: is this serious? 
In-Reply-To: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl> References: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl> Message-ID: <6.0.1.1.2.20040127093814.03580f18@imap.ecs.soton.ac.uk> At 07:31 27/01/2004, you wrote: >Close scrutiny of my logfile, because of the spamassassin timeouts learned >me that Mailscanner is complaining about the queue depth of Postfix. > >Jan 27 08:16:28 spbox MailScanner[2630]: Postfix queue structure is depth 2 > >every mail it is processing. > >I've reported this earlier to Jamie the question then was:"does it occur >every email or only at start up?" >I've noticed it only during startup then, but it occurs at every processed >e-mail. >So my questin is: "is this serious?" It's not serious. It's a statement, not a warning. However it shouldn't do it for every message, just once for each MailScanner child process that starts up. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 09:37:16 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:05 2006 Subject: Filter filetype not working In-Reply-To: References: Message-ID: <6.0.1.1.2.20040127093520.0356a580@imap.ecs.soton.ac.uk> The filetype checking is disabled by default. Look for the line that defines the File command and you will probably find a "#" in it starting a comment. Also, check that when you locally send these test messages you are actually sending them through MailScanner. And don't forget that just calling a file foobar.exe doesn't make it an executable as far as the filetype checking is concerned. It needs to contain executable code :-) At 02:55 27/01/2004, you wrote: >I have recently installed MailScanner on a RedHat machine running Sendmail. >My main purpose was to use it for spam filtering with SpamAssasian. That is >working great. 
However, I have been asked to filter out executables.It >appears the default config files are set up to do this - but it is not >working. I have just sent my account on the machine running MailScanner a >e-mail with a .exe file and it didn't get filtered. I also sent a file wit >the name happy99.exe which is specifically filtered in the configuration >files and that got past as well. I have not edited filename.rules.conf or >filetype.rules.conf at all. > >I am running MailScanner version: > > $Id: MailScanner.pm,v 1.5.2.1 2003/11/27 14:45:56 jkf Exp $ > >In my MailScanner.conf I have the following two lines: > >Filename Rules = %etc-dir%/filename.rules.conf >Filetype Rules = %etc-dir%/filetype.rules.conf > >I have seen people asking similar questions in the list archives, but I >haven't found any suggestions that have worked for me. Does anyone have any >idea what I should be looking for to fix this problem? > >Ed C. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 09:32:37 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:05 2006 Subject: Check SpamAssassin If On Spam List Issue In-Reply-To: <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect. com> References: <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect.com> Message-ID: <6.0.1.1.2.20040127093215.03569d48@imap.ecs.soton.ac.uk> Do you mean everywhere the score is used, or just in the "spam stars" header? At 23:54 26/01/2004, you wrote: >Hiya. > >When I am checking a RBL with MS and have "Check SpamAssassin If On Spam >List" set to "no", it tags the message as spam as expected. However, my >users typically have filters on the X-Spam-Score header (which allows them >to tailor the spam score levels to their preferences) and this header is >not added when this setting is used. 
Could a configuration setting be >added to assign an arbitrary score to the X-Spam-Score header when the >"Check SpamAssassin If On Spam List = no"? > >Thanks. > >----------------------------------------- >Mike Bacher / isp-list@tulsaconnect.com >TCIS - TulsaConnect Internet Services >Phone: 918-584-1100x110 Fax: 918-582-5776 >----------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Tue Jan 27 09:30:53 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:05 2006 Subject: Checking that mailscanner is working with spamassassin In-Reply-To: <200401270457.i0R4vSGE018098@avwall.bladeware.com> Message-ID: <000201c3e4b8$4282ce50$0201a8c0@lappy> Thanks Mike I see spam checks: starting in the log :) Dee > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mike Kercher > Sent: 27 January 2004 05:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Checking that mailscanner is working with spamassassin > > Turn on the spam logging and spamassassin scores in your MailScanner.conf, > reload MailScanner and then tail -f your maillog and watch the magic work. > > Mike > > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Dee Lowndes > > Sent: Monday, January 26, 2004 8:46 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Checking that mailscanner is working with spamassassin > > > > Hi All, > > > > How can I check if spamassassin is working with mailscanner? > > > > Cheers, > > Dee > > > > > -----Original Message----- > > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of A. 
Eijkhoudt > > > Sent: 27 January 2004 02:33 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Announce: MailScanner-MRTG version 0.07 released > > > > > > > Just had a quick Google this looks like a known issue in > > net-snmp < > > > > 5.0.6 - suggest you upgrade your net-snmp install if you aren't on > > at > > > > least 5.0.6 > > > > > > It's 5.1: > > > > > > penguin log # snmpd --version > > > > > > NET-SNMP version: 5.1 > > > > > > Arnim. > > > > > > > > > > > > -- > > > This E-mail has been checked for spam and viruses. > > From dee at ASYOUNEED.COM Tue Jan 27 09:58:59 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:05 2006 Subject: Enable spamassassin on specific domain In-Reply-To: <6.0.1.1.2.20040127093215.03569d48@imap.ecs.soton.ac.uk> Message-ID: <000301c3e4bc$2f3d31b0$0201a8c0@lappy> Hi, I notice that spam assassin increases load quit a bit and was wondering if it is possible to set this working per domain. e.g. blah@domain1.com receives a lot of spam so I enable to check their mail. Blah@domain2.com doesn't so not enable. Its important that mailscanner AV scans all mails but the spam is less so. Cheers, Dee From p.bos at LAKE.XS4ALL.NL Tue Jan 27 10:17:21 2004 From: p.bos at LAKE.XS4ALL.NL (Piet Bos) Date: Thu Jan 12 21:22:05 2006 Subject: is this serious? References: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040127093814.03580f18@imap.ecs.soton.ac.uk> Message-ID: <007601c3e4be$c0462ed0$a0ef15ab@ka.klm.nl> > It's not serious. It's a statement, not a warning. However it shouldn't do > it for every message, just once for each MailScanner child process that > starts up. What could cause this to happen then? From mailscanner at ecs.soton.ac.uk Tue Jan 27 10:24:33 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:05 2006 Subject: is this serious? 
In-Reply-To: <007601c3e4be$c0462ed0$a0ef15ab@ka.klm.nl> References: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040127093814.03580f18@imap.ecs.soton.ac.uk> <007601c3e4be$c0462ed0$a0ef15ab@ka.klm.nl> Message-ID: <6.0.1.1.2.20040127102416.03ada8a8@imap.ecs.soton.ac.uk> At 10:17 27/01/2004, you wrote: > > It's not serious. It's a statement, not a warning. However it shouldn't do > > it for every message, just once for each MailScanner child process that > > starts up. > >What could cause this to happen then? Is everything working okay otherwise? Is mail getting scanned and delivered properly? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 10:26:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:05 2006 Subject: Enable spamassassin on specific domain In-Reply-To: <000301c3e4bc$2f3d31b0$0201a8c0@lappy> References: <6.0.1.1.2.20040127093215.03569d48@imap.ecs.soton.ac.uk> <000301c3e4bc$2f3d31b0$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040127102605.03956468@imap.ecs.soton.ac.uk> Read about rulesets in /etc/MailScanner/rules/*. At 09:58 27/01/2004, you wrote: >Hi, > > I notice that spam assassin increases load quit a bit and was >wondering if it is possible to set this working per domain. > >e.g. >blah@domain1.com receives a lot of spam so I enable to check their mail. >Blah@domain2.com doesn't so not enable. > >Its important that mailscanner AV scans all mails but the spam is less >so. 
> >Cheers, >Dee -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Tue Jan 27 10:32:48 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:05 2006 Subject: Enable spamassassin on specific domain In-Reply-To: <6.0.1.1.2.20040127102605.03956468@imap.ecs.soton.ac.uk> Message-ID: <000701c3e4c0$e8d012b0$0201a8c0@lappy> Thanks Julian, Dee > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: 27 January 2004 10:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Enable spamassassin on specific domain > > Read about rulesets in /etc/MailScanner/rules/*. > > At 09:58 27/01/2004, you wrote: > >Hi, > > > > I notice that spam assassin increases load quit a bit and was > >wondering if it is possible to set this working per domain. > > > >e.g. > >blah@domain1.com receives a lot of spam so I enable to check their mail. > >Blah@domain2.com doesn't so not enable. > > > >Its important that mailscanner AV scans all mails but the spam is less > >so. > > > >Cheers, > >Dee > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Tue Jan 27 10:30:45 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:05 2006 Subject: Enable spamassassin on specific domain In-Reply-To: Message-ID: <000601c3e4c0$9f95bc30$0201a8c0@lappy> No, Dee > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 27 January 2004 10:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Enable spamassassin on specific domain > > Dee > > Are you running spamd as well as MS? > > Michele > > Mr. 
Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Dee Lowndes > > Sent: 27 January 2004 09:59 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Enable spamassassin on specific domain > > > > > > Hi, > > > > I notice that spam assassin increases load quit a bit and was > > wondering if it is possible to set this working per domain. > > > > e.g. > > blah@domain1.com receives a lot of spam so I enable to check their mail. > > Blah@domain2.com doesn't so not enable. > > > > Its important that mailscanner AV scans all mails but the spam is less > > so. > > > > Cheers, > > Dee > > From p.bos at LAKE.XS4ALL.NL Tue Jan 27 10:50:58 2004 From: p.bos at LAKE.XS4ALL.NL (Piet Bos) Date: Thu Jan 12 21:22:05 2006 Subject: is this serious? References: <001e01c3e4a7$a37aef00$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040127093814.03580f18@imap.ecs.soton.ac.uk> <007601c3e4be$c0462ed0$a0ef15ab@ka.klm.nl> <6.0.1.1.2.20040127102416.03ada8a8@imap.ecs.soton.ac.uk> Message-ID: <009b01c3e4c3$72209740$a0ef15ab@ka.klm.nl> Yes everything is OK except occassionally a SA timeout, but I think thats not because of this. I guess. > >What could cause this to happen then? > > Is everything working okay otherwise? Is mail getting scanned and delivered > properly? From anders.andersson at LTKALMAR.SE Tue Jan 27 10:55:27 2004 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:22:05 2006 Subject: OT: backup current stat from mailscanner- mrtg Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E84F@lkl61.ltkalmar.se> Hi Im just about to reinstall my server and would really apreciate if someone could tell me how to save my stats so I can get them back to the new server? 
Kind regards /Anders -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/b72a369e/attachment.html From dean.plant at ROKE.CO.UK Tue Jan 27 11:00:40 2004 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:22:05 2006 Subject: Some Mydoom infected mail passing through MailScanner Message-ID: Hello list, I have a problem with some copies of Mydoom infected mail still being delivered even though MailScanner has correctly detected the virus. I am using version 4.21-9 with sendmail, f-prot, clamav on Redhat 8. Is this a bug that is fixed in a later version of MailScanner? Below is a MailWatch report of one of the delivered infected mails. Thanks Dean Plant. Received on: 27/01/04 09:41:19 Received by: rsys001x Received from: halls-c196.lut.ac.uk (158.125.191.215) - Check in OpenRBL ID: i0R9f8Ud006179 Message Headers: Return-Path: Received: from lboro.ac.uk (halls-c196.lut.ac.uk [158.125.191.215]) by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id i0R9f8Ud006179 for ; Tue, 27 Jan 2004 09:41:08 GMT Message-Id: <200401270941.i0R9f8Ud006179@rsys001x.roke.co.uk> From: jose@lboro.ac.uk To: xxx@roke.co.uk Subject: Test Date: Tue, 27 Jan 2004 09:41:08 +0000 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0003_29F6388C.AD268899" X-Priority: 3 X-MSMail-Priority: Normal From: jose@lboro.ac.uk To: xxx@roke.co.uk Subject: Test Size: 31.3Kb Virus: Y Blocked File: N Other Infection: N Report: F-Prot: /var/spool/MailScanner/incoming/30032/i0R9f8Ud006179/document.zip->document. 
txt Infection: W32/Mydoom.A@mm ClamAV: document.zip contains Worm.SCO.A Spam: Y Action(s): store, attachment, deliver High Scoring Spam: N Listed in RBL: N Whitelisted: N SpamAssassin Spam: Y SpamAssassin Score: 9.52 Spam Report: -1.52 BAYES_01 2.91 DCC_CHECK 1.59 MISSING_MIMEOLE 3.03 MSGID_FROM_MTA_SHORT 0.16 NO_REAL_NAME 1.21 PRIORITY_NO_NAME 1.10 RAZOR2_CF_RANGE_51_100 1.05 RAZOR2_CHECK -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Kevin.Spicer at BMRB.CO.UK Tue Jan 27 10:59:39 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:06 2006 Subject: backup current stat from mailscanner- mrtg Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499DF@pascal.priv.bmrb.co.uk> tar up the whole /var/www/html/mailscanner-mrtg directory is the easiest way. Make sure you restore the tar before installing mailscanner-mrtg on the new server. -----Original Message----- From: Anders Andersson, IT [mailto:anders.andersson@LTKALMAR.SE] Sent: 27 January 2004 10:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: backup current stat from mailscanner- mrtg Hi Im just about to reinstall my server and would really apreciate if someone could tell me how to save my stats so I can get them back to the new server? Kind regards /Anders BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/ff1ea64a/attachment.html From pmb1 at YORK.AC.UK Tue Jan 27 11:07:46 2004 From: pmb1 at YORK.AC.UK (Mike Brudenell) Date: Thu Jan 12 21:22:06 2006 Subject: multiple garbage words/bayes In-Reply-To: <4014F97F.2382.1D8E5408@localhost> References: <4015607B.63D74101@ihs.com> <4014F97F.2382.1D8E5408@localhost> Message-ID: <2147483647.1075201666@pippin.york.ac.uk> Greetings - --On Monday, January 26, 2004 11:26 am -0800 Mark Nienberg wrote: > I'm seeing some with puctuation in them. This is going to complicate > things. I think the "\b" pattern may come to the rescue here: it is a zero-width assertion that matches a word boundary. That is, to one side there is a "word character" (\w = [A-Za-z0-9_]) and to the other side a "not word character". Someone has subsequently posted a message containing some sample patterns that use this particular wild-card character; you may be able to adapt them further to your own needs... --On Monday, January 26, 2004 11:02 pm +0100 Peter Bonivart wrote: > rawbody CP_RANDOMWORD_10 > /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/ > describe CP_RANDOMWORD_10 string of 10+ random words > score CP_RANDOMWORD_10 0.5 > > rawbody CP_RANDOMWORD_15 > /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/ > describe CP_RANDOMWORD_15 string of 15+ random words > score CP_RANDOMWORD_15 2.5 Cheers, Mike B-) -- The Computing Service, University of York, Heslington, York Yo10 5DD, UK Tel:+44-1904-433811 FAX:+44-1904-433740 * Unsolicited commercial e-mail is NOT welcome at this e-mail address. 
* From dee at ASYOUNEED.COM Tue Jan 27 11:10:13 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <000701c3e4c0$e8d012b0$0201a8c0@lappy> Message-ID: <000a01c3e4c6$22e66d50$0201a8c0@lappy> Hi, How can I forward a blocked mail attachment? Dee > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Dee Lowndes > Sent: 27 January 2004 10:33 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Enable spamassassin on specific domain > > Thanks Julian, > > Dee > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: 27 January 2004 10:26 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Enable spamassassin on specific domain > > > > Read about rulesets in /etc/MailScanner/rules/*. > > > > At 09:58 27/01/2004, you wrote: > > >Hi, > > > > > > I notice that spam assassin increases load quit a bit and > was > > >wondering if it is possible to set this working per domain. > > > > > >e.g. > > >blah@domain1.com receives a lot of spam so I enable to check their > mail. > > >Blah@domain2.com doesn't so not enable. > > > > > >Its important that mailscanner AV scans all mails but the spam is > less > > >so. 
> > > > > >Cheers, > > >Dee > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From anders.andersson at LTKALMAR.SE Tue Jan 27 11:46:10 2004 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:22:06 2006 Subject: SV: backup current stat from mailscanner- mrtg Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E850@lkl61.ltkalmar.se> Thanks, I sure will do that, I hope :) _____ Fr?n: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] Skickat: den 27 januari 2004 12:00 Till: MAILSCANNER@JISCMAIL.AC.UK ?mne: Re: backup current stat from mailscanner- mrtg tar up the whole /var/www/html/mailscanner-mrtg directory is the easiest way. Make sure you restore the tar before installing mailscanner-mrtg on the new server. -----Original Message----- From: Anders Andersson, IT [mailto:anders.andersson@LTKALMAR.SE] Sent: 27 January 2004 10:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: backup current stat from mailscanner- mrtg Hi Im just about to reinstall my server and would really apreciate if someone could tell me how to save my stats so I can get them back to the new server? Kind regards /Anders BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accept no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040127/358bc7df/attachment.html From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 27 11:50:30 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <000a01c3e4c6$22e66d50$0201a8c0@lappy> Message-ID: I usually tar gzip it and sent it from the shell Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dee Lowndes > Sent: 27 January 2004 11:10 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Forwarding a blocked mail attachment > > > Hi, > > How can I forward a blocked mail attachment? > > Dee > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Dee Lowndes > > Sent: 27 January 2004 10:33 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Enable spamassassin on specific domain > > > > Thanks Julian, > > > > Dee > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] > On > > > Behalf Of Julian Field > > > Sent: 27 January 2004 10:26 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Enable spamassassin on specific domain > > > > > > Read about rulesets in /etc/MailScanner/rules/*. > > > > > > At 09:58 27/01/2004, you wrote: > > > >Hi, > > > > > > > > I notice that spam assassin increases load quit a bit and > > was > > > >wondering if it is possible to set this working per domain. > > > > > > > >e.g. > > > >blah@domain1.com receives a lot of spam so I enable to check their > > mail. > > > >Blah@domain2.com doesn't so not enable. > > > > > > > >Its important that mailscanner AV scans all mails but the spam is > > less > > > >so. 
> > > > > > > >Cheers, > > > >Dee > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From ugob at CAMO-ROUTE.COM Tue Jan 27 11:52:43 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <000a01c3e4c6$22e66d50$0201a8c0@lappy> References: <000a01c3e4c6$22e66d50$0201a8c0@lappy> Message-ID: <4016510B.1040506@camo-route.com> Dee Lowndes wrote: >Hi, > >How can I forward a blocked mail attachment? > > What is your MTA ? sendmail? postfix? >Dee > > > >>-----Original Message----- >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Dee Lowndes >>Sent: 27 January 2004 10:33 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Enable spamassassin on specific domain >> >>Thanks Julian, >> >>Dee >> >> >> >>>-----Original Message----- >>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] >>> >>> >On > > >>>Behalf Of Julian Field >>>Sent: 27 January 2004 10:26 >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: Enable spamassassin on specific domain >>> >>>Read about rulesets in /etc/MailScanner/rules/*. >>> >>>At 09:58 27/01/2004, you wrote: >>> >>> >>>>Hi, >>>> >>>> I notice that spam assassin increases load quit a bit and >>>> >>>> >>was >> >> >>>>wondering if it is possible to set this working per domain. >>>> >>>>e.g. >>>>blah@domain1.com receives a lot of spam so I enable to check their >>>> >>>> >>mail. >> >> >>>>Blah@domain2.com doesn't so not enable. >>>> >>>>Its important that mailscanner AV scans all mails but the spam is >>>> >>>> >>less >> >> >>>>so. 
>>>> >>>>Cheers, >>>>Dee >>>> >>>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >>> >>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> From dee at ASYOUNEED.COM Tue Jan 27 11:57:01 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <4016510B.1040506@camo-route.com> Message-ID: <000301c3e4cc$acddbc60$0201a8c0@lappy> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Ugo Bellavance > Sent: 27 January 2004 11:53 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Forwarding a blocked mail attachment > > Dee Lowndes wrote: > > >Hi, > > > >How can I forward a blocked mail attachment? > > > > > > What is your MTA ? sendmail? postfix? Sendmail From pete at eatathome.com.au Tue Jan 27 12:02:51 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:06 2006 Subject: Some Mydoom infected mail passing through MailScanner In-Reply-To: References: Message-ID: <4016536B.3010207@eatathome.com.au> Your Spam Actions say store AND deliver ... doesnt this mean the mail will be delivered? Do you have 2 mailscanner servers, but the configs are different, therefore some MyDooms appear to get through, and some are blocked? Just guessing Plant, Dean wrote: >Hello list, > >I have a problem with some copies of Mydoom infected mail still being >delivered even though MailScanner has correctly detected the virus. I am >using version 4.21-9 with sendmail, f-prot, clamav on Redhat 8. Is this a >bug that is fixed in a later version of MailScanner? > >Below is a MailWatch report of one of the delivered infected mails. > >Thanks > >Dean Plant. 
> >Received on: 27/01/04 09:41:19 >Received by: rsys001x >Received from: halls-c196.lut.ac.uk (158.125.191.215) - Check in OpenRBL >ID: i0R9f8Ud006179 >Message Headers: Return-Path: <g> >Received: from lboro.ac.uk (halls-c196.lut.ac.uk [158.125.191.215]) >by rsys001x.roke.co.uk (8.12.8/8.12.8) with ESMTP id i0R9f8Ud006179 >for ; Tue, 27 Jan 2004 09:41:08 GMT >Message-Id: <200401270941.i0R9f8Ud006179@rsys001x.roke.co.uk> >From: jose@lboro.ac.uk >To: xxx@roke.co.uk >Subject: Test >Date: Tue, 27 Jan 2004 09:41:08 +0000 >MIME-Version: 1.0 >Content-Type: multipart/mixed; >boundary="----=_NextPart_000_0003_29F6388C.AD268899" >X-Priority: 3 >X-MSMail-Priority: Normal >From: jose@lboro.ac.uk >To: xxx@roke.co.uk >Subject: Test >Size: 31.3Kb >Virus: Y >Blocked File: N >Other Infection: N >Report: F-Prot: >/var/spool/MailScanner/incoming/30032/i0R9f8Ud006179/document.zip->document. >txt Infection: W32/Mydoom.A@mm ClamAV: document.zip contains Worm.SCO.A > >Spam: Y Action(s): store, attachment, deliver >High Scoring Spam: N >Listed in RBL: N >Whitelisted: N >SpamAssassin Spam: Y >SpamAssassin Score: 9.52 >Spam Report: -1.52 BAYES_01 >2.91 DCC_CHECK >1.59 MISSING_MIMEOLE >3.03 MSGID_FROM_MTA_SHORT >0.16 NO_REAL_NAME >1.21 PRIORITY_NO_NAME >1.10 RAZOR2_CF_RANGE_51_100 >1.05 RAZOR2_CHECK > > > > From ugob at CAMO-ROUTE.COM Tue Jan 27 12:16:18 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <000301c3e4cc$acddbc60$0201a8c0@lappy> References: <000301c3e4cc$acddbc60$0201a8c0@lappy> Message-ID: <40165692.2040506@camo-route.com> Dee Lowndes wrote: >>-----Original Message----- >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Ugo Bellavance >>Sent: 27 January 2004 11:53 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Forwarding a blocked mail attachment >> >>Dee Lowndes wrote: >> >> >> >>>Hi, >>> >>>How can I forward a blocked mail attachment? 
>>> >>> >>> >>> >>What is your MTA ? sendmail? postfix? >> >> > >Sendmail > > > > One or two files in your quarantine? From christo at IT4AFRICA.CO.ZA Tue Jan 27 12:17:46 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:06 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} In-Reply-To: <1075172408.7435.113.camel@bach.kevinspicer.co.uk> Message-ID: <001b01c3e4cf$92c36cf0$660210ac@christoxp> I have just upgraded to Mailscanner 0.07-2 and I get the following errors. Possible precedence problem on bitwise | operator at /usr/bin/../lib/mrtg2/BER.pm line 619. ERROR: Snmpwalk Binary specified in /etc/MailScanner/mailscanner-mrtg.conf is not executable or not present Skipping snmp functions gd-png: fatal libpng error: Invalid filter type specified gd-png error: setjmp returns error condition My Config is RH9 mrtg-2.9.25-1.7.2 mailscanner-4.25-14 libpng-1.2.2-16 Thanx -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: 27 January 2004 05:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} On Tue, 2004-01-27 at 02:49, Gerry Doris wrote: > > It's been interesting watching you folks work this out but I've fallen > by the wayside ): > > I have never used snmp before and I haven't got a clue on how to > configure snmpd.conf. Looks like I've have to find a howto and start > reading when I have time. > > In the meantime I guess I'll go back to the old version. > Gerry, if you do that go into /var/www/html/mailscanner-mrtg/loadavg and copy loadavg.log.xxxxx over loadavg.log and do similarly in mailbytes, as these would have been rescaled when you installed. Probably the easier thing to do is just turn SNMP off in the mailscanner-mrtg.conf file while you sort it out. Its easy enough to set up snmpd.conf, just run snmpconf and it guides you through. 
basically so long as you set a community string for snmp v2 (read only) it should all work (then set your community string in mailscanner-mrtg.conf). I did intend to do a brief guide to setting it up - but it slipped my mind, sorry. I've just uploaded 0.07.02 which fixes all those SNMP bugs (I hope...) and now I'm going to bed. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support. From P.G.M.Peters at utwente.nl Tue Jan 27 12:15:18 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:06 2006 Subject: New virus outbreak In-Reply-To: References: <1075159776.27684.70.camel@bach.kevinspicer.co.uk> Message-ID: <5flc10998rfvr9v92bta4j0hb47tgpossa@4ax.com> On Mon, 26 Jan 2004 15:37:55 -0800, you wrote: >On Mon, 26 Jan 2004, Kevin Spicer wrote: >> On Mon, 2004-01-26 at 23:16, Dustin Baer wrote: >> > LOL! Good thing my company is paying Sophos $14K+/3 years for >> > virus definitions. I sent them three files today at 14:30 MST >> > and they still don't have a new IDE for it!! >> Yeah, looks like McAffee, Symantec and Clam take the honours! > >f-prot too... 
F-prot doesn't seem to at my site with these DEF's: |-rw-r--r-- 1 root root 490746 2004-01-26 18:00 MACRO.DEF |-rw-r--r-- 1 root root 1110430 2004-01-26 20:00 SIGN.DEF |-rw-r--r-- 1 root root 1081023 2004-01-27 00:00 SIGN2.DEF But it is blocked on IFrame-tags. Do I need the new engine? I am upgrading to 4.3.2. at the moment. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Kevin.Spicer at BMRB.CO.UK Tue Jan 27 12:26:35 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:06 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499E2@pascal.priv.bmrb.co.uk> Christo Bezuidenhout wrote: > I have just upgraded to Mailscanner 0.07-2 and I get the following > errors. > > Possible precedence problem on bitwise | operator at > /usr/bin/../lib/mrtg2/BER.pm line 619. > ERROR: Snmpwalk Binary specified in > /etc/MailScanner/mailscanner-mrtg.conf is not > executable or not present > Skipping snmp functions > gd-png: fatal libpng error: Invalid filter type specified > gd-png error: setjmp returns error condition > > My Config is RH9 > mrtg-2.9.25-1.7.2 > mailscanner-4.25-14 > libpng-1.2.2-16 Which version of snmp are you using? You do have snmp? Do a which snmpwalk and set the path produced in mailscanner-mrtg.conf BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From dee at ASYOUNEED.COM Tue Jan 27 12:30:34 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:06 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <40165692.2040506@camo-route.com> Message-ID: <000001c3e4d1$5c3b8c10$0201a8c0@lappy> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Ugo Bellavance > Sent: 27 January 2004 12:16 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Forwarding a blocked mail attachment > > Dee Lowndes wrote: > > >>-----Original Message----- > >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >>Behalf Of Ugo Bellavance > >>Sent: 27 January 2004 11:53 > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: Re: Forwarding a blocked mail attachment > >> > >>Dee Lowndes wrote: > >> > >> > >> > >>>Hi, > >>> > >>>How can I forward a blocked mail attachment? > >>> > >>> > >>> > >>> > >>What is your MTA ? sendmail? postfix? > >> > >> > > > >Sendmail > > > > > > > > > One or two files in your quarantine? Just the one. Dee From raymond at PROLOCATION.NET Tue Jan 27 12:37:23 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:06 2006 Subject: New virus outbreak In-Reply-To: <5flc10998rfvr9v92bta4j0hb47tgpossa@4ax.com> Message-ID: Hi Peter, > >f-prot too... > > F-prot doesn't seem to at my site with these DEF's: > |-rw-r--r-- 1 root root 490746 2004-01-26 18:00 MACRO.DEF > |-rw-r--r-- 1 root root 1110430 2004-01-26 20:00 SIGN.DEF > |-rw-r--r-- 1 root root 1081023 2004-01-27 00:00 SIGN2.DEF > > But it is blocked on IFrame-tags. > > Do I need the new engine? I am upgrading to 4.3.2. at the moment. I am running the latest engine, could be. 
F-PROT ANTIVIRUS Program version: 4.3.2 Engine version: 3.14.7 VIRUS SIGNATURE FILES SIGN.DEF created 26 January 2004 SIGN2.DEF created 26 January 2004 MACRO.DEF created 26 January 2004 So far f-prot found around 20.000 Mydoom virusses on my 2 clusters. Bye, Raymond. From P.G.M.Peters at utwente.nl Tue Jan 27 12:44:17 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:06 2006 Subject: Some Mydoom infected mail passing through MailScanner In-Reply-To: References: Message-ID: On Tue, 27 Jan 2004 11:00:40 -0000, you wrote: >I have a problem with some copies of Mydoom infected mail still being >delivered even though MailScanner has correctly detected the virus. I am >using version 4.21-9 with sendmail, f-prot, clamav on Redhat 8. Is this a >bug that is fixed in a later version of MailScanner? I checked and the systems running f-prot 4.2.0 did detect Mydoom. The server running 3.12 (my fault, forgot to update) did not. I am now running 4.3.2 and all servers are detecting it now. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From rcooper at DIMENSION-FLM.COM Tue Jan 27 13:15:02 2004 From: rcooper at DIMENSION-FLM.COM (Rick Cooper) Date: Thu Jan 12 21:22:06 2006 Subject: I need to tweak filename rules In-Reply-To: <4015F817.1030606@fractalweb.com> Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Chris Yuzik > Sent: Tuesday, January 27, 2004 12:33 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: I need to tweak filename rules > > > Mike Kercher wrote: > > >Look at the very last rule in > /etc/MailScanner/filename.rules.conf > > > ># Deny all other double file extensions. This catches > any hidden filenames. 
> >allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found > possible filename > >hiding > > > >Note: I have changed mine to ALLOW these and not deny > them. Make sure you > >reload MailScanner after altering this file. > > > > > Mike, > > OK, that should be interesting. > > But what about this, which is commented in the top few > lines of the file? > > # Due to a bug in Outlook Express, you can make the > 2nd from last extension > # be what is used to run the file. > You could use a file rule like (watch the wrap)
deny (?:(?:(?:\.exe|\.pif|\.com|\.vb[es]|\.cmd|\.bat|\.scr|\.chm)).*?\.doc$) report user report
And add whatever \.ext| you want to block within the inner brackets, however since MailScanner checks files based on type as well some of the listed extensions are redundant. I tested a copy of notepad.exe named notepad.exe.doc and another notepad.ddd.doc and MailScanner stopped both as unacceptable file types. I turned off the file type checking and MailScanner stopped notepad.exe.doc with the file name rules. I have used this rule for a while because we have several vendors that send file names like northstore.may2004.stats.xls (I pass .xls and .doc files on the same rule). Trying to tell a Ford Motor Company corporate employee how to format their file names is like trying to tell God a rabbit's ears are too long. If you use the regex above make sure you place an explicit allow \.doc$ just below the deny above, both should go above the allow section. > So, would that mean that OE might actually run > "somebadfile.exe.doc" as > an exe? If that's the case, then perhaps overriding > the rule isn't a > good idea. > The big thing with OE (which I believe has been fixed now) was naming a file something like badthing.doc.exe and, if you have "hide known file types" enabled all you would see would be "badthing" and the icon would be of type .doc (MS stopped checking type for display after the first "." in the file name).
I believe they no longer execute a file based on its actual mime type anymore either (except from the command console) so (and I tested this) a file named notepad.exe.doc is opened by Word (or Open Office). > Any thoughts? > > Cheers, > Chris > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From isp-list at TULSACONNECT.COM Tue Jan 27 13:31:31 2004 From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:22:06 2006 Subject: Check SpamAssassin If On Spam List Issue In-Reply-To: <6.0.1.1.2.20040127093215.03569d48@imap.ecs.soton.ac.uk> References: <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect. com> <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect.com> Message-ID: <5.2.1.1.2.20040127073119.07a6ce80@securemail.tulsaconnect.com> At 09:32 AM 1/27/2004 +0000, you wrote: >Do you mean everywhere the score is used, or just in the "spam stars" header? Just the spam stars header.. --------------------------------------- Mike Bacher / mike@sparklogic.com SparkLogic Development / ISP Consulting Use OptiGold ISP? Check out OptiSkin! http://www.sparklogic.com/optiskin/ --------------------------------------- From linux at MOSTERT.NOM.ZA Tue Jan 27 15:08:25 2004 From: linux at MOSTERT.NOM.ZA (Mozzi) Date: Thu Jan 12 21:22:06 2006 Subject: New virus outbreak In-Reply-To: References: Message-ID: <200401271708.25047.linux@mostert.nom.za> Hi all I was just wondering, can you run two virus scanners @ once? For instance f-prot and clamav? Will the logs reflect which virus scanner caught it? I would love to get stats on that ;-) Mozzi On Tuesday 27 January 2004 02:01, Raymond Dijkxhoorn wrote: > Hi! > > > eTrust also has new versions prepared but not yet released which is > > quite strange...
: > > > > Aliases reported by other AV products are listed here: > > (W32/Mydoom.A@mm) (W32/Mydoom@MM) (MyDoom.A@mm) (WORM_MIMAIL.R) > > Also: > > Worm.SCO.A > W32.Novarg.A@mm > > We got around 450 copies yet, that's extremely high for just 1.5 > runningtime. > > Let's hope some others start catching them also, Kaspersky isn't detecting > it yet either it seems. Luckily f-prot and clam do. :) > > Bye, > Raymond. > > > ************************************************************ > Scanned by @lantic IS Virus Control Service > This message was scanned for viruses and dangerous content. > @lantic Internet Services (Pty) Ltd. - http://www.lantic.net > eScan for Windows-based PCs - http://www.escan.co.za > > If you have received a message marked in the subject line > as [SPAM] please note that according to our MailScanner, > this message has all the attributes of Unsolicited > Commercial Email (UCE). If the message has however been > marked incorrectly, please send a query to abuse@lantic.net > ************************************************************ From raymond at PROLOCATION.NET Tue Jan 27 13:43:27 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:06 2006 Subject: New virus outbreak In-Reply-To: <200401271708.25047.linux@mostert.nom.za> Message-ID: Hi! > I was just wondering, can you run two virus scanners @ once?
For instance > f-prot and clamav? Sure. > Will the logs reflect which virus scanner caught it? > I would love to get stats on that ;-) It will most likely be counted twice, since they both will detect this one. Bye, Raymond. From martyn at invictawiz.com Tue Jan 27 13:45:35 2004 From: martyn at invictawiz.com (InvictaWiz Customer Support) Date: Thu Jan 12 21:22:06 2006 Subject: Mydoom Message-ID: We have had the odd message through that has a 95byte (empty) zip attachment. Is this a random one off or has anyone else seen this? On 10k emails, we normally have only 10-20 viruses per day. So far today, we have stopped over 1600 mydoom messages. Martyn Routley From eja at URBAKKEN.DK Tue Jan 27 14:05:13 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:06 2006 Subject: Antivir Message-ID: <40167019.90504@urbakken.dk> Hi. I have written with the antivir people about my not working antivir, as I wrote about here a bit ago. Here's what answer I got: ************************************************************************* You downloaded the Linux Workstation product. This provides an "on-access" scanner and a command-line "on-demand" scanner. If you want the command-line scanner to scan your emails, you will need to configure your Clarkconnect Server to call the antivir binary for each mail. (I am unfamiliar with the Clarkconnect Server, so I cannot offer any help here). We also have MailGate available to private use. This runs as a mail proxy to scan all incoming and outgoing email. ************************************************************************* Can the MailScanner do that or is it what it does? -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org.
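Added example, not part of any message in this archive: Rick Cooper's double-extension deny rule from the "I need to tweak filename rules" message above, run against constructed filenames together with the explicit allows he recommends and the stock double-extension pattern Mike Kercher quoted. It assumes the rules are applied first-match-wins, case-insensitively, with allow as the default when nothing matches; build_rules, decide, audit and the TIGHT_DENY variant are hypothetical names introduced here, and TIGHT_DENY goes slightly beyond what the thread proposes.

```python
import re

# Rick Cooper's deny pattern as posted, with the e-mail line wrap removed.
RICK_DENY = r"(?:(?:(?:\.exe|\.pif|\.com|\.vb[es]|\.cmd|\.bat|\.scr|\.chm)).*?\.doc$)"

# Stock "all other double file extensions" pattern quoted by Mike Kercher.
STOCK_DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Hypothetical variant (not from the thread): the risky extension must be a
# whole dot-delimited component, so ".command" is not read as ".com".
TIGHT_DENY = r"\.(?:exe|pif|com|vb[es]|cmd|bat|scr|chm)(?=\.).*\.doc$"


def build_rules(deny_pattern):
    """Rule order described in the thread: the deny first, the explicit
    allows just below it, the stock double-extension rule last."""
    return [
        ("deny", deny_pattern),
        ("allow", r"\.doc$"),
        ("allow", r"\.xls$"),
        ("deny", STOCK_DOUBLE_EXT),
    ]


def decide(filename, rules):
    """Return (action, pattern) for the first rule that matches.

    Assumption of this example: first match wins, matching ignores case,
    and a name that matches no rule is allowed."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, pattern
    return "allow", None


# Constructed sample filenames; the first three are the names Rick mentions.
SAMPLES = [
    "notepad.exe.doc",               # executable hidden behind .doc
    "notepad.ddd.doc",               # harmless double extension
    "northstore.may2004.stats.xls",  # vendor-style name with many dots
    "NOTEPAD.EXE.DOC",               # same trick in upper case
    "report.vbs.final.doc",          # risky extension further left
    "invoice.pdf.scr",               # left to the stock rule
    "my.command.doc",                # ".com" is only a prefix of "command"
]


def audit(deny_pattern, filenames=SAMPLES):
    """Map each filename to the action the rule list takes on it."""
    rules = build_rules(deny_pattern)
    return {name: decide(name, rules)[0] for name in filenames}


def disagreements(filenames=SAMPLES):
    """Names on which the posted rule and the tightened variant differ."""
    posted = audit(RICK_DENY, filenames)
    tight = audit(TIGHT_DENY, filenames)
    return [name for name in filenames if posted[name] != tight[name]]


if __name__ == "__main__":
    posted = audit(RICK_DENY)
    tight = audit(TIGHT_DENY)
    for name in SAMPLES:
        print(f"{name:32} posted={posted[name]:5} tight={tight[name]}")
    print("differs on:", disagreements())
```

Without the explicit allow \.doc$ line, notepad.ddd.doc falls through to the stock double-extension deny, which is why the ordering Rick describes matters.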

From ugob at CAMO-ROUTE.COM Tue Jan 27 14:30:01 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:06 2006
Subject: Forwarding a blocked mail attachment
Message-ID: <54C38A0B814C8E438EF73FC76F36292741082A@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Dee Lowndes [mailto:dee@ASYOUNEED.COM]
> Sent: Tuesday, January 27, 2004 7:31 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Forwarding a blocked mail attachment
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> > Sent: 27 January 2004 12:16
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Forwarding a blocked mail attachment
> >
> > Dee Lowndes wrote:
> >
> > >>-----Original Message-----
> > >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> > >>Sent: 27 January 2004 11:53
> > >>To: MAILSCANNER@JISCMAIL.AC.UK
> > >>Subject: Re: Forwarding a blocked mail attachment
> > >>
> > >>Dee Lowndes wrote:
> > >>
> > >>>Hi,
> > >>>
> > >>>How can I forward a blocked mail attachment?
> > >>>
> > >>What is your MTA ? sendmail? postfix?
> > >>
> > >Sendmail
> > >
> > One or two files in your quarantine?
>
> Just the one.

then go into your quarantine (usually /var/spool/MailScanner/quarantine/day/messageID) then

sendmail -t < 'message file'

(substitute 'message file' by the name of the message file you need to forward

hth

>
> Dee
>

From P.G.M.Peters at utwente.nl Tue Jan 27 14:35:18 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:06 2006
Subject: New virus outbreak
In-Reply-To:
References: <5flc10998rfvr9v92bta4j0hb47tgpossa@4ax.com>
Message-ID: <9ntc10p9jvcfshd4evkjremu7ajs74ue4q@4ax.com>

On Tue, 27 Jan 2004 13:37:23 +0100, you wrote:

>> Do I need the new engine? I am upgrading to 4.3.2. at the moment.
>
>I am running the latest engine, could be.

I noticed the system I checked still ran 3.12. The other systems ran 4.2.0 and they detected Mydoom. But they are all 4.3.2 now.

10% of all e-mail through our mailservers is Mydoom.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Tue Jan 27 14:37:25 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:06 2006
Subject: Mydoom
In-Reply-To:
References:
Message-ID: <9qtc1096noqufctqtlp2llc3e4doabcer8@4ax.com>

On Tue, 27 Jan 2004 13:45:35 -0000, you wrote:

>We have had the odd message through that has a 95byte (empty)zip attachment.
>Is this a random one off or has anyone else seen this?
>
>on 10k emails, we normally have only 10-20 viruses per day. So far today, we have stopped over 1600
>mydoom messages.

Stats from 1 of 3 servers:

|Bepaal het echte aantal mailtjes: 36241 Real messages (not just number of recipients)
|Bepaal het aantal spam-achtige mailtjes: 16734 Messages tagged as spam by SA and/or blacklists
|Bepaal het aantal via ruleset's geblokkeerde mailtjes: 2323 Messages blocked in sendmail by access.db
|Geef de top 5 (en meer) van gevonden virussen:
| 3894 W32/Mydoom.A@mm
| 258 W32/Sober.C@mm
| 63 W32/Mimail.C@mm
| 61 W32/Swen.A@mm
| 50 W32/Sobig.F@mm
| 40 W32/Mimail.A@mm
| 40 W32/Dumaru.A@mm
| 23 W32/Bagle.A@mm
| 16 W32/Mimail.J@mm
| 11 W32/Mimail.G@mm

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Jan 27 14:38:50 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:06 2006
Subject: OT: sophos.com
Message-ID:
<004601c3e4e3$47786ed0$0501a8c0@darkside>

Is anyone else having difficulty getting through to www.sophos.com? I haven't been able to run any updates and I can't get to their site.

It's a good thing clamav exists....

TIA,

--J(K)

From chris at TRUDEAU.ORG Tue Jan 27 14:54:07 2004
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:22:06 2006
Subject: Sophos and timelines
References:
Message-ID: <0ec101c3e4e5$6a33cfd0$4919000a@ATLCPW13671>

Is there a way to track/log at what time the update pulled and installed which IDE files from Sophos? Does Mailscanner log this anywhere?

CT

From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 27 10:27:35 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:06 2006
Subject: Enable spamassassin on specific domain
In-Reply-To: <000301c3e4bc$2f3d31b0$0201a8c0@lappy>
Message-ID:

Dee

Are you running spamd as well as MS?

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Dee Lowndes
> Sent: 27 January 2004 09:59
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Enable spamassassin on specific domain
>
>
> Hi,
>
> I notice that spam assassin increases load quite a bit and was
> wondering if it is possible to set this working per domain.
>
> e.g.
> blah@domain1.com receives a lot of spam so I enable to check their mail.
> Blah@domain2.com doesn't so not enable.
>
> It's important that mailscanner AV scans all mails but the spam is less
> so.
>
> Cheers,
> Dee
>

From mike at CAMAROSS.NET Tue Jan 27 15:04:40 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:06 2006
Subject: sophos.com
In-Reply-To: <004601c3e4e3$47786ed0$0501a8c0@darkside>
Message-ID: <200401271457.i0REv8GE022147@avwall.bladeware.com>

I can't connect right now either.
I could last night.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki
> Sent: Tuesday, January 27, 2004 8:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: OT: sophos.com
>
> Is anyone else having difficulty getting through to
> www.sophos.com? I haven't been able to run any updates and I
> can't get to their site.
>
> It's a good thing clamav exists....
>
> TIA,
>
> --J(K)
>

From mike at CAMAROSS.NET Tue Jan 27 15:02:54 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:06 2006
Subject: New virus outbreak
In-Reply-To:
Message-ID: <200401271455.i0REtNGE021758@avwall.bladeware.com>

Correct...each engine that detects the virus logs it. I run Sophos and ClamAV

Jan 27 08:53:05 rh MailScanner[4893]: Virus and Content Scanning: Starting
Jan 27 08:53:05 rh MailScanner[4893]: INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0REqhlr009103/text.zip
Jan 27 08:53:06 rh MailScanner[4893]: Virus Scanning: SophosSAVI found 1 infections
Jan 27 08:53:06 rh MailScanner[4893]: INFECTED:: Worm.SCO.A:: ./i0REqhlr009103/text.zip
Jan 27 08:53:07 rh MailScanner[4893]: Virus Scanning: ClamAV Module found 1 infections
Jan 27 08:53:07 rh MailScanner[4893]: Infected message i0REqhlr009103 came from 208.188.72.25
Jan 27 08:53:07 rh MailScanner[4893]: Virus Scanning: Found 1 viruses
Jan 27 08:53:07 rh MailScanner[4893]: Cleaned: Delivered 1 cleaned messages

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> Sent: Tuesday, January 27, 2004 7:43 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: New virus outbreak
>
> Hi!
>
> > I was just wondering, can you run two virus scanners @ once? For
> > instance f-prot and clamv?
>
> Sure.
>
> > Will the logs reflect which virus scanner caught it?
> > I would love to get stats on that ;-)
>
> It will most likely be counted twice, since they both will
> detect this one.
>
> Bye,
> Raymond.
>

From mike at CAMAROSS.NET Tue Jan 27 15:05:38 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:06 2006
Subject: Sophos and timelines
In-Reply-To: <0ec101c3e4e5$6a33cfd0$4919000a@ATLCPW13671>
Message-ID: <200401271458.i0REw6GE022338@avwall.bladeware.com>

David While's Mailstats package keeps track of this. I think it does so by looking at the timestamp on the IDE's

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau
> Sent: Tuesday, January 27, 2004 8:54 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sophos and timelines
>
> Is there a way to track/log at what time the update pulled
> and installed which IDE files from Sophos? Does Mailscanner
> log this anywhere?
>
> CT
>

From prandal at HEREFORDSHIRE.GOV.UK Tue Jan 27 15:00:54 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:06 2006
Subject: Sophos and timelines
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C47F@jessica.herefordshire.gov.uk>

That's an interesting point. Anybody want to volunteer to update the antivirus autoupdate scripts to log when they get an update?

From my logs and file timestamps, ClamAv updated at 11pm (GMT) here and McAfee at 5am today. It would be nice to see a line in /var/log/maillog making it clear, though.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Chris Trudeau
> Sent: 27 January 2004 14:54
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sophos and timelines
>
>
> Is there a way to track/log at what time the update pulled
> and installed
> which IDE files from Sophos? Does Mailscanner log this anywhere?
>
> CT
>

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Jan 27 14:59:49 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:06 2006
Subject: Sophos and timelines
In-Reply-To: <0ec101c3e4e5$6a33cfd0$4919000a@ATLCPW13671>
Message-ID: <005b01c3e4e6$3638f7e0$0501a8c0@darkside>

>Is there a way to track/log at what time the update pulled and
>installed
>which IDE files from Sophos? Does Mailscanner log this anywhere?

If you update with "update.virus.scanners" then the update itself is logged. It does not log which IDE files have been pulled from Sophos, but does give you the name of the directory they have been uncompressed to, which is named by time and date.

Grep through your system logs for "update.virus.scanners".

HTH,

--J(K)

From martinh at SOLID-STATE-LOGIC.COM Tue Jan 27 15:03:07 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:06 2006
Subject: OT: sophos.com
In-Reply-To: <004601c3e4e3$47786ed0$0501a8c0@darkside>
References: <004601c3e4e3$47786ed0$0501a8c0@darkside>
Message-ID: <40167DAB.5090606@solid-state-logic.com>

Jason Balicki wrote:
> Is anyone else having difficulty getting through to
> www.sophos.com? I haven't been able to run any
> updates and I can't get to their site.
>
> It's a good thing clamav exists....
>
> TIA,
>
> --J(K)

Looks like they are overloaded at the moment..and they took a long time last night to update their IDE's.

caught the first at 00.05 hrs GMT via clamAV and didn't get an email/update till 00.40 from sophos.

Right now I'm averaging around two a minute:-( when I usually get around 2 per day at the most.

Ah the site seems more responsive now...

If you've got enterprise manager you *should* have better luck as that uses a different system to update.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Jan 27 15:18:55 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:06 2006
Subject: OT: sophos.com
In-Reply-To: <40167DAB.5090606@solid-state-logic.com>
Message-ID: <005c01c3e4e8$e1285bd0$0501a8c0@darkside>

>If you've got enterprise manager you *should* have better luck as that
>uses a different system to update.

I do have EM, but it's been intermittently slow as well. I was trying to get to the site to get the new version of EM (or whatever it's called).

Thanks for the response.

--J(K)

From dee at ASYOUNEED.COM Tue Jan 27 15:30:30 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:06 2006
Subject: Forwarding a blocked mail attachment
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741082A@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <000801c3e4ea$7f11a990$0201a8c0@lappy>

Thanks I am just waiting for them to resend msg.

Dee

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Ugo Bellavance
> Sent: 27 January 2004 14:30
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Forwarding a blocked mail attachment
>
> > -----Original Message-----
> > From: Dee Lowndes [mailto:dee@ASYOUNEED.COM]
> > Sent: Tuesday, January 27, 2004 7:31 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Forwarding a blocked mail attachment
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> > > Sent: 27 January 2004 12:16
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Forwarding a blocked mail attachment
> > >
> > > Dee Lowndes wrote:
> > >
> > > >>-----Original Message-----
> > > >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> > > >>Sent: 27 January 2004 11:53
> > > >>To: MAILSCANNER@JISCMAIL.AC.UK
> > > >>Subject: Re: Forwarding a blocked mail attachment
> > > >>
> > > >>Dee Lowndes wrote:
> > > >>
> > > >>>Hi,
> > > >>>
> > > >>>How can I forward a blocked mail attachment?
> > > >>>
> > > >>What is your MTA ? sendmail? postfix?
> > > >>
> > > >Sendmail
> > > >
> > > One or two files in your quarantine?
> >
> > Just the one.
>
> then go into your quarantine (usually
> /var/spool/MailScanner/quarantine/day/messageID) then
>
> sendmail -t < 'message file'
>
> (substitute 'message file' by the name of the message file you need to
> forward
>
> hth
>
> >
> > Dee
> >

From dee at ASYOUNEED.COM Tue Jan 27 15:31:50 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:06 2006
Subject: .htm file detected as virus?
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741082A@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <000901c3e4ea$af061f00$0201a8c0@lappy>

I had a returns form detected as a virus earlier today, is this normal?

Dee

From wppiphoto at wppi.com Tue Jan 27 15:31:36 2004
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:22:06 2006
Subject: Something strange...Any ideas?
{Scanned}
Message-ID: <006701c3e4ea$a9c75900$0d01a8c0@Toshiba>

Yesterday, I received an e-mail (spam) which did not contain our X-Mailscanner header in the e-mail but instead something else and I'm trying to figure out how this e-mail got past Mailscanner and spamassassin. All e-mails that come through are set up to have the following header added such as this:

X-WPPi-MailScanner-Information: Please contact WPPi for more information
X-WPPi-MailScanner: Found to be clean
X-WPPi-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.087, required 4, CLICK_BELOW 0.00, HTML_30_40 0.81, HTML_FONTCOLOR_BLUE 0.10, HTML_MESSAGE 0.00, HTML_TAG_EXISTS_TBODY 0.10, TW_OQ 0.08)

Here is the header information for the spam which did not contain any of our e-mail headers which tells me that it did not get scanned by Mailscanner/SA:

Return-Path:
Received: from outsourcedmail.com ([203.252.205.129]) by wppi.net (8.10.2/8.10.2) with SMTP id i0R39xI06388 for ; Mon, 26 Jan 2004 22:10:00 -0500
Received: (from www@localhost) by outsourcedmail.com (SMTPD32-7.15) with ESMTP id J87Gz037587771 for ; Mon, 26 Jan 2004 22:09:23 -0500 (EST) (envelope-from www)
Message-ID: <046871068995.85qHtXdcfx3X0E@localhost>
From: "Nicole Richards"
To: sales@wppi.net
Subject: Design Your Logo {Scanned}
Date: Mon, 26 Jan 2004 22:09:23 -0500 (EST)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - outsourcedmail.com
X-AntiAbuse: Original Domain - outsourcedmail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

Thanks,
SW

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message
has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean.
-------------------------------------------------

From pmb1 at YORK.AC.UK Tue Jan 27 15:09:29 2004
From: pmb1 at YORK.AC.UK (Mike Brudenell)
Date: Thu Jan 12 21:22:06 2006
Subject: OT: sophos.com
In-Reply-To: <004601c3e4e3$47786ed0$0501a8c0@darkside>
References: <004601c3e4e3$47786ed0$0501a8c0@darkside>
Message-ID: <2147483647.1075216169@pippin.york.ac.uk>

Greetings -

--On Tuesday, January 27, 2004 8:38 am -0600 Jason Balicki wrote:

> Is anyone else having difficulty getting through to
> www.sophos.com? I haven't been able to run any
> updates and I can't get to their site.

We've seen intermittent access to www.sophos.com since late morning. The IDE update script has been failing occasionally (confusingly telling me that our version of Sophos might be too old!).

Interestingly I *can* get to www.sophos.co.uk without any trouble. As yet there's no news on this site about www.sophos.com being unreachable.

Cheers,
Mike B-)

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811 FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *

From mailscanner at ecs.soton.ac.uk Tue Jan 27 15:20:15 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:06 2006
Subject: Antivir
In-Reply-To: <40167019.90504@urbakken.dk>
References: <40167019.90504@urbakken.dk>
Message-ID: <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk>

Half the point of MailScanner is that you only need the command-line "on demand" scanner, you don't need anything more fancy than that.

At 14:05 27/01/2004, you wrote:
>Hi.
>
>I have written with the antivir people about my not working antivir, as
>I wrote about here a bit ago. Here's what answer I got:
>
>*************************************************************************
>You downloaded the Linux Workstation product.
This provides an
>"on-access" scanner and a command-line "on-demand" scanner. If you want
>the command-line scanner to scan your emails, you will need to configure
>your Clarkconnect Server to call the antivir binary for each mail. (I am
>unfamiliar with the Clarkconnect Server, so I cannot offer any help here).
>
>We also have MailGate available to private use. This runs as a mail
>proxy to scan all incoming and outgoing email.
>
>*************************************************************************
>
>Can the MailScanner do that or is it what it does ?.
>
>--
>Med venlig hilsen - Best regards.
>Erik Jakobsen - eja@urbakken.dk.
>Licensed radioamateur with the callsign OZ4KK.
>SuSE Linux 8.2 Proff.
>Registered as user #319488 with the Linux Counter, http://counter.li.org.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Jan 27 15:18:59 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:06 2006
Subject: Check SpamAssassin If On Spam List Issue
In-Reply-To: <5.2.1.1.2.20040127073119.07a6ce80@securemail.tulsaconnect. com>
References: <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect. com> <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect.com> <5.2.1.1.2.20040127073119.07a6ce80@securemail.tulsaconnect.com>
Message-ID: <6.0.1.1.2.20040127151841.131c6cf0@imap.ecs.soton.ac.uk>

At 13:31 27/01/2004, you wrote:
>At 09:32 AM 1/27/2004 +0000, you wrote:
>>Do you mean everywhere the score is used, or just in the "spam stars" header?
>
>Just the spam stars header..

Done. It will be in this weekend's release.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Jan 27 15:44:11 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:06 2006
Subject: Update Error
In-Reply-To: <200401271534.i0RFYfb3011640@cbr.med.harvard.edu>
Message-ID: <005d01c3e4ec$6885f490$0501a8c0@darkside>

We have been having difficulty connecting to Sophos.com (and sophos.co.uk, for me at least) since early this morning. That's what you're seeing.

--J(K)

From eja at URBAKKEN.DK Tue Jan 27 16:01:08 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:06 2006
Subject: Antivir
In-Reply-To: <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk>
References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk>
Message-ID: <40168B44.9030409@urbakken.dk>

Julian Field wrote:
> Half the point of MailScanner is that you only need the command-line "on
> demand" scanner, you don't need anything more fancy than that.

Thanks for the reply. How do I make the "on demand" ?.

> At 14:05 27/01/2004, you wrote:
>
>> Hi.
>>
>> I have written with the antivir people about my not working antivir, as
>> I wrote about here a bit ago. Here's what answer I got:
>>
>> *************************************************************************
>> You downloaded the Linux Workstation product. This provides an
>> "on-access" scanner and a command-line "on-demand" scanner. If you want
>> the command-line scanner to scan your emails, you will need to configure
>> your Clarkconnect Server to call the antivir binary for each mail. (I am
>> unfamiliar with the Clarkconnect Server, so I cannot offer any help
>> here).
>>
>> We also have MailGate available to private use. This runs as a mail
>> proxy to scan all incoming and outgoing email.
>>
>> *************************************************************************
>>
>> Can the MailScanner do that or is it what it does ?.
>>
>> --
>> Med venlig hilsen - Best regards.
>> Erik Jakobsen - eja@urbakken.dk.
>> Licensed radioamateur with the callsign OZ4KK.
>> SuSE Linux 8.2 Proff.
>> Registered as user #319488 with the Linux Counter, http://counter.li.org.
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From dee at ASYOUNEED.COM Tue Jan 27 16:07:32 2004
From: dee at ASYOUNEED.COM (Dee Lowndes)
Date: Thu Jan 12 21:22:06 2006
Subject: sorry .htm not virus but dangerous content
In-Reply-To: <000901c3e4ea$af061f00$0201a8c0@lappy>
Message-ID: <000001c3e4ef$ab85dfa0$0201a8c0@lappy>

As before a return form .htm is returned as dangerous content any ideas?

Dee

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Dee Lowndes
> Sent: 27 January 2004 15:32
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: .htm file detected as virus?
>
> I had a returns form detected as a virus earlier today, is this normal?
>
> Dee

From christo at IT4AFRICA.CO.ZA Tue Jan 27 16:13:05 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:06 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499E2@pascal.priv.bmrb.co.uk>
Message-ID: <000601c3e4f0$7259d640$660210ac@christoxp>

I'm trying to get net-snmp installed but it looks for perl-Tk. How can I get Perl-Tk installed.

Thanx

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
Sent: 27 January 2004 02:27 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}

Christo Bezuidenhout wrote:
> I have just upgraded to Mailscanner 0.07-2 and I get the following
> errors.
>
> Possible precedence problem on bitwise | operator at
> /usr/bin/../lib/mrtg2/BER.pm line 619.
> ERROR: Snmpwalk Binary specified in
> /etc/MailScanner/mailscanner-mrtg.conf is not executable or not
> present
> Skipping snmp functions
> gd-png: fatal libpng error: Invalid filter type specified gd-png
> error: setjmp returns error condition
>
> My Config is RH9
> mrtg-2.9.25-1.7.2
> mailscanner-4.25-14
> libpng-1.2.2-16

Which version of snmp are you using? You do have snmp? Do a which snmpwalk and set the path produced in mailscanner-mrtg.conf

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Mailscanner thanks IT For Africa for their support.
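
Added example, not part of any message in this archive and not MailScanner's own code: a Python parser for the syslog format Mike Kercher posted in the "New virus outbreak" thread above, reporting per-engine catches next to the number of distinct infected messages, which is where the "counted twice" effect shows up. It assumes, from that excerpt alone, that each `INFECTED::` line belongs to the engine named in the next `... found N infections` line from the same process; the pid 4901 lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Lines for pid 4893 are the ones posted in the thread. Lines for pid 4901 are
# constructed for this example (a message that only one engine flags) and are
# interleaved the way two MailScanner children would appear in syslog.
SAMPLE_LOG = """\
Jan 27 08:53:05 rh MailScanner[4893]: Virus and Content Scanning: Starting
Jan 27 08:53:05 rh MailScanner[4893]: INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0REqhlr009103/text.zip
Jan 27 08:53:05 rh MailScanner[4901]: Virus and Content Scanning: Starting
Jan 27 08:53:06 rh MailScanner[4893]: Virus Scanning: SophosSAVI found 1 infections
Jan 27 08:53:06 rh MailScanner[4901]: INFECTED:: Worm.SCO.A:: ./i0RExample00002/body.zip
Jan 27 08:53:06 rh MailScanner[4893]: INFECTED:: Worm.SCO.A:: ./i0REqhlr009103/text.zip
Jan 27 08:53:07 rh MailScanner[4893]: Virus Scanning: ClamAV Module found 1 infections
Jan 27 08:53:07 rh MailScanner[4901]: Virus Scanning: ClamAV Module found 1 infections
Jan 27 08:53:07 rh MailScanner[4893]: Infected message i0REqhlr009103 came from 208.188.72.25
Jan 27 08:53:07 rh MailScanner[4893]: Virus Scanning: Found 1 viruses
Jan 27 08:53:07 rh MailScanner[4901]: Virus Scanning: Found 1 viruses
Jan 27 08:53:07 rh MailScanner[4893]: Cleaned: Delivered 1 cleaned messages
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
INFECTED_RE = re.compile(r"^INFECTED::\s*(.+?)::\s*\./([^/\s]+)/(\S+)")
# Matches the per-engine summary, not the final "Found N viruses" total.
ENGINE_RE = re.compile(r"^Virus Scanning: (.+?) found (\d+) infections?$")
BATCH_START = "Virus and Content Scanning: Starting"


def parse(log_text):
    """Return ({msgid: {engine: {virus names}}}, [count mismatches])."""
    pending = defaultdict(list)   # pid -> INFECTED hits not yet attributed
    detections = defaultdict(lambda: defaultdict(set))
    mismatches = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue              # not a MailScanner syslog line
        pid, text = m.group(1), m.group(2).strip()
        if text == BATCH_START:
            pending[pid].clear()  # new batch: drop anything left unattributed
            continue
        hit = INFECTED_RE.match(text)
        if hit:
            # The posted line repeats the virus name; collapse repeated tokens.
            name = " ".join(dict.fromkeys(hit.group(1).split()))
            pending[pid].append((hit.group(2), name))
            continue
        eng = ENGINE_RE.match(text)
        if eng:
            engine, claimed = eng.group(1), int(eng.group(2))
            if claimed != len(pending[pid]):
                mismatches.append((pid, engine, claimed, len(pending[pid])))
            for msgid, name in pending[pid]:
                detections[msgid][engine].add(name)
            pending[pid].clear()
    return detections, mismatches


def engine_message_counts(detections):
    """Messages flagged per engine; a message two engines flag counts in both."""
    return Counter(e for engines in detections.values() for e in engines)


def sole_catches(detections):
    """Messages that exactly one engine flagged, grouped by that engine."""
    out = defaultdict(list)
    for msgid, engines in detections.items():
        if len(engines) == 1:
            out[next(iter(engines))].append(msgid)
    return dict(out)


def summary(log_text):
    detections, mismatches = parse(log_text)
    per_engine = engine_message_counts(detections)
    return {
        "unique_infected_messages": len(detections),
        "per_engine": dict(per_engine),
        "engine_hits_total": sum(per_engine.values()),
        "sole_catches": sole_catches(detections),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keying the pending hits by process id keeps interleaved lines from two MailScanner children from being credited to the wrong engine.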

From Kevin.Spicer at BMRB.CO.UK Tue Jan 27 16:22:27 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:06 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499E7@pascal.priv.bmrb.co.uk>

Christo Bezuidenhout wrote:
> I'm trying to get net-snmp installed but it looks for perl-Tk. How
> can I get Perl-Tk installed.
>

You don't say which OS/ distro so that's not the easy question it might seem. I don't remember that as a dependency, are you sure you're not trying to install Perl-net-snmp which is NOT required. I know Mandrake 9 gives you Perl-net-snmp if you ask for net-snmp, the actual SNMP package on mdk9 is ucd-snmp.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From chorlian at CBR.MED.HARVARD.EDU Tue Jan 27 15:34:41 2004
From: chorlian at CBR.MED.HARVARD.EDU (Henry C. Chorlian)
Date: Thu Jan 12 21:22:06 2006
Subject: Update Error
Message-ID: <200401271534.i0RFYfb3011640@cbr.med.harvard.edu>

Hello all!

Nice virus day...

Anyone get the following? Remedy? Thanks in advance!!!!:

Your "cron" job on cbr
/opt2/sophos/bin/autoupdates > /dev/null

produced the following output:

Looking up www.sophos.com
Making HTTP connection to www.sophos.com
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://www.sophos.com/downloads/ide/377_ides.zip
Lynx failed with error return 255 , Bad file number at /opt2/sophos/bin/autoupdates line 75.

------------------------------------------
Henry C. Chorlian
Director of Information Technology
The CBR Institute for Biomedical Research, Inc.
f/k/a Center for Blood Research, Inc.
800 Huntington Avenue
Boston, MA 02115-6303
Harvard Medical School Affiliate
chorlian@cbr.med.harvard.edu
Voice: (617) 278-3425
Fax: (617) 278-3493

From jaearick at COLBY.EDU Tue Jan 27 15:43:09 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:06 2006
Subject: getting rid of bounce feature (yes!)
Message-ID:

Julian,

Yes, yes, please send the bounce feature to /dev/null in the next release. The outbreak of MyDoom-A reinforces the notion that anti-virus codes that bounce are idiotic. I've been fielding calls and emails all morning on this.

BTW, clamav started crushing MyDoom at 14:36 local time. Sophos didn't put out an IDE until 2.5 hours later (7 PM). Thank god for MailScanner's robust design that allows for multiple scanners. I really need to look at that Amazon wish list...

Jeff Earickson
Colby College

From mailscanner at ecs.soton.ac.uk Tue Jan 27 16:38:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:06 2006
Subject: sorry .htm not virus but dangerous content
In-Reply-To: <000001c3e4ef$ab85dfa0$0201a8c0@lappy>
References: <000901c3e4ea$af061f00$0201a8c0@lappy> <000001c3e4ef$ab85dfa0$0201a8c0@lappy>
Message-ID: <6.0.1.1.2.20040127163809.131d7958@imap.ecs.soton.ac.uk>

At 16:07 27/01/2004, you wrote:
>As before a return form .htm is returned as dangerous content any ideas?

Please read the MailScanner.conf file, the bit about "Allow Form Tags".

>Dee
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Dee Lowndes
> > Sent: 27 January 2004 15:32
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: .htm file detected as virus?
> >
> > I had a returns form detected as a virus earlier today, is this
>normal?
> >
> > Dee

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From cwharris at MORGAN.NET Tue Jan 27 17:01:03 2004
From: cwharris at MORGAN.NET (Chris Harris)
Date: Thu Jan 12 21:22:06 2006
Subject: Filetype blocking
Message-ID: <000801c3e4f7$259fa3a0$2105a8c0@delta>

If I have virus scanning set to no, do the filetype rules still apply?

Chris

From ugob at CAMO-ROUTE.COM Tue Jan 27 17:02:58 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:06 2006
Subject: Filetype blocking
Message-ID: <54C38A0B814C8E438EF73FC76F362927410831@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Chris Harris [mailto:cwharris@MORGAN.NET]
Sent: Tuesday, January 27, 2004 12:01 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Filetype blocking

If I have virus scanning set to no, do the filetype rules still apply?
==

yes, if you have uncommented the file setting to let know the location of your file command.

Ugo
==

Chris

From t.d.lee at DURHAM.AC.UK Tue Jan 27 17:07:38 2004
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:22:06 2006
Subject: Mailscanner incoming directory..to many directories
In-Reply-To: <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk>
References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 26 Jan 2004, Julian Field wrote:

> At 17:54 26/01/2004, you wrote:
> >Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is
> >1.142.2.66.
> >We are all afraid of upgrading at this time because of how long
> >it took to get the program running correctly in the first place.
>
> That's the internal cvs version number of the file. MailScanner logs its
> version number to your maillog when it starts.
>
> What to[ok] so long to get it running to start with? I am interested if
> I can try to ease the installation process.

We run MS on both Linux/Redhat and Solaris. Despite being a long-standing Solaris person, and a newbie to Linux, I much prefer the Redhat installation of MS because it uses RPMs.

Would there be any chance of your routinely and analogously generating Solaris/pkg versions of MS alongside the RPMs?

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K.
: From shrek-m at GMX.DE Tue Jan 27 17:10:18 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:06 2006 Subject: Antivir In-Reply-To: <40168B44.9030409@urbakken.dk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> Message-ID: <40169B7A.6050708@gmx.de> Erik Jakobsen wrote: > Julian Field wrote: > >> Half the point of MailScanner is that you only need the command-line "on >> demand" scanner, you don't need anything more fancy than that. > > Thanks for the reply. How do I make the "on demand" ?. eg. in /etc/MailScanner/MailScanner.conf Virus Scanners = antivir MailScanner starts antivir for scanning = on-demand in short words: on access (daemon) = every file you or the os (operatingsystem) opens/access will be scanned on demand (command-line) = explicit start for scanning a file >>> ************************************************************************* >>> >>> You downloaded the Linux Workstation product. This provides an >>> "on-access" scanner and a command-line "on-demand" scanner. If you want >>> the command-line scanner to scan your emails, you will need to >>> configure >>> your Clarkconnect Server to call the antivir binary for each mail. >>> (I am >>> unfamiliar with the Clarkconnect Server, so I cannot offer any help >>> here). >>> >>> We also have MailGate available to private use. This runs as a mail >>> proxy to scan all incoming and outgoing email. >>> >>> ************************************************************************* >>> >> -- shrek-m From cwharris at MORGAN.NET Tue Jan 27 17:15:48 2004 From: cwharris at MORGAN.NET (Chris Harris) Date: Thu Jan 12 21:22:06 2006 Subject: Filetype blocking References: <54C38A0B814C8E438EF73FC76F362927410831@mtlnt501fs.CAMOROUTE.COM> Message-ID: <003001c3e4f9$35308df0$2105a8c0@delta> How much more of a load will enabling this put on my server? Will it increase the chance of timeouts? 
----- Original Message ----- From: "Ugo Bellavance" To: Sent: Tuesday, January 27, 2004 11:02 AM Subject: Re: Filetype blocking > -----Original Message----- > From: Chris Harris [mailto:cwharris@MORGAN.NET] > Sent: Tuesday, January 27, 2004 12:01 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Filetype blocking > > > If I have virus scanning set to no, do the filetype rules still apply? > == > > yes, if you have uncommented the file setting to let know the location of your file command. > > Ugo > == > > Chris > > From JFalgout at CO.JEFFERSON.CO.US Tue Jan 27 17:16:38 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:06 2006 Subject: Performance Tuning and RAID Message-ID: Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND NSCD, and Apache (for Mailstats and Mailscanner-MRTG). I'm sitting here watching my MailScanner box jump up to a load of: 9:58am up 208 days, 2:00, 3 users, load average: 8.12, 9.08, 8.12 And I'm only handling 25k messages/day on average (Yesterday I hit 33k) With the current outbreak, this box shouldn't be breaking a sweat, but it is.
iostat shows: (The second disk, 8-1, is a dump disk not used by the os) [root@ww11 MailScanner]# iostat 5 5 Linux 2.4.20-18.8smp (ww11.co.jefferson.co.us) 01/27/2004 avg-cpu: %user %nice %sys %idle 14.21 0.00 3.66 82.12 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn dev8-0 44.48 279.35 247.64 2022819822 1793200872 dev8-1 0.84 0.00 277.22 288 2007401432 avg-cpu: %user %nice %sys %idle 88.70 0.00 11.15 0.15 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn dev8-0 70.20 0.00 2107.60 0 10538 dev8-1 0.00 0.00 0.00 0 0 avg-cpu: %user %nice %sys %idle 89.85 0.00 9.70 0.45 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn dev8-0 64.80 0.00 1327.60 0 6638 dev8-1 0.00 0.00 0.00 0 0 avg-cpu: %user %nice %sys %idle 72.70 0.00 11.40 15.90 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn dev8-0 69.40 0.00 1409.60 0 7048 dev8-1 0.00 0.00 0.00 0 0 avg-cpu: %user %nice %sys %idle 87.35 0.00 11.30 1.35 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn dev8-0 64.80 0.00 2417.20 0 12086 dev8-1 0.00 0.00 0.00 0 0 I'm considering moving to a RAID 10 config. Is anyone running MS on RAID 10, and if so what kind of performance boost did you get. Any other ideas to increase performance. (I've got noatime set on the log filesystem and /var/spool/MailScanner/incoming on tmpfs) Jeff From eja at URBAKKEN.DK Tue Jan 27 17:28:23 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:06 2006 Subject: Antivir In-Reply-To: <40169B7A.6050708@gmx.de> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> Message-ID: <40169FB7.4050605@urbakken.dk> shrek-m@gmx.de wrote: > Erik Jakobsen wrote: > >> Julian Field wrote: >> >>> Half the point of MailScanner is that you only need the command-line "on >>> demand" scanner, you don't need anything more fancy than that. >> >> >> Thanks for the reply. How do I make the "on demand" ?. > > > > eg. 
in /etc/MailScanner/MailScanner.conf > Virus Scanners = antivir I do have antivir written on this line, but I only gets information, that antivir is updated. > > MailScanner starts antivir for scanning = on-demand Ok, this is the job, that MailScanner does ?. > in short words: > on access (daemon) = every file you or the os (operatingsystem) > opens/access will be scanned > on demand (command-line) = explicit start for scanning a file I see. And the only simple thing to do is having the antivir placed in the MailScanner.conf as I have ?. Nothing else to do ?. I wonder then why virusinformation the doesn't have antivir in the messages I receive about founded viruses. I receive information from my F-PROT and my CLAMAV. They of course also is written on the MailScanner.conf line. Thanks for your help. /Erik. >>>> ************************************************************************* >>>> >>>> >>>> You downloaded the Linux Workstation product. This provides an >>>> "on-access" scanner and a command-line "on-demand" scanner. If you want >>>> the command-line scanner to scan your emails, you will need to >>>> configure >>>> your Clarkconnect Server to call the antivir binary for each mail. >>>> (I am >>>> unfamiliar with the Clarkconnect Server, so I cannot offer any help >>>> here). >>>> >>>> We also have MailGate available to private use. This runs as a mail >>>> proxy to scan all incoming and outgoing email. >>>> >>>> ************************************************************************* >>>> >>>> >>> > > -- > shrek-m > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. 
From martinh at SOLID-STATE-LOGIC.COM Tue Jan 27 17:33:18 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:06 2006 Subject: Performance Tuning and RAID In-Reply-To: References: Message-ID: <4016A0DE.3060601@solid-state-logic.com> jeff I'm running a lot less kit than you and handling 9,000 messages a day easily (along with MailWatch and its associated mysql DB). have you checked the amount of logging you are doing? ie is maillog etc slowing you down? Also are the apache log files busy? also you don't mention what version of everything you are running.. are you running the savi version of sophos and what (if any) RBL's are you using in SA or MS? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Jeff Falgout wrote: > Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - > Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND > NSCD, and Apache (for Mailstats and Mailscanner-MRTG). > > I'm sitting here watching my MailScanner box jump up to a load of: > > 9:58am up 208 days, 2:00, 3 users, load average: 8.12, 9.08, 8.12 > > And I'm only handling 25k messages/day on average (Yesterday I hit > 33k) > With the current outbreak, this box shouldn't be breaking a sweat, but > it > is.
> > > iostat shows: > (The second disk, 8-1, is a dump disk not used by the os) > > [root@ww11 MailScanner]# iostat 5 5 > Linux 2.4.20-18.8smp (ww11.co.jefferson.co.us) 01/27/2004 > > avg-cpu: %user %nice %sys %idle > 14.21 0.00 3.66 82.12 > > Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn > dev8-0 44.48 279.35 247.64 2022819822 1793200872 > dev8-1 0.84 0.00 277.22 288 2007401432 > > avg-cpu: %user %nice %sys %idle > 88.70 0.00 11.15 0.15 > > Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn > dev8-0 70.20 0.00 2107.60 0 10538 > dev8-1 0.00 0.00 0.00 0 0 > > avg-cpu: %user %nice %sys %idle > 89.85 0.00 9.70 0.45 > > Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn > dev8-0 64.80 0.00 1327.60 0 6638 > dev8-1 0.00 0.00 0.00 0 0 > > avg-cpu: %user %nice %sys %idle > 72.70 0.00 11.40 15.90 > > Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn > dev8-0 69.40 0.00 1409.60 0 7048 > dev8-1 0.00 0.00 0.00 0 0 > > avg-cpu: %user %nice %sys %idle > 87.35 0.00 11.30 1.35 > > Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn > dev8-0 64.80 0.00 2417.20 0 12086 > dev8-1 0.00 0.00 0.00 0 0 > > > > I'm considering moving to a RAID 10 config. > > Is anyone running MS on RAID 10, and if so what kind of performance > boost did you get. Any other ideas to increase performance. > (I've got noatime set on the log filesystem and > /var/spool/MailScanner/incoming on tmpfs) > > Jeff ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From mailscanner at ecs.soton.ac.uk Tue Jan 27 17:36:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:06 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> At 17:07 27/01/2004, you wrote: >On Mon, 26 Jan 2004, Julian Field wrote: > > > At 17:54 26/01/2004, you wrote: > > >Mailscanner is running on a Solaris 2.7 box. Version of Mailscanner is > > >1.142.2.66. > > >We are all afraid of upgrading at this time because of how long > > >it took to get the program running correctly in the first place. > > > > That's the internal cvs version number of the file. MailScanner logs its > > version number to your maillog when it starts. > > > > What to[ok] so long to get it running to start with? I am interested if > > I can try to ease the installation process. > >We run MS on both Linux/Redhat and Solaris. Despite being a long-standing >Solaris person, and a newbie to Linux, I much prefer the Redhat >installation of MS because it uses RPMs. Would there be any chance of >your routinely and analogously generating Solaris/pkg versions of MS >alongside the RPMs? Are there some decent docs on how to create pkgs? A few samples would be handy too. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 17:35:41 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:06 2006 Subject: Filetype blocking In-Reply-To: <000801c3e4f7$259fa3a0$2105a8c0@delta> References: <000801c3e4f7$259fa3a0$2105a8c0@delta> Message-ID: <6.0.1.1.2.20040127173525.04382350@imap.ecs.soton.ac.uk> At 17:01 27/01/2004, you wrote: >If I have virus scanning set to no, do the filetype rules still apply? No. If you want to do that, set "Virus Scanners = none". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Tue Jan 27 18:00:03 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:06 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> Message-ID: <4016A723.2020501@ucgbook.com> Julian Field wrote: > Are there some decent docs on how to create pkgs? A few samples would be > handy too. It's real easy actually. Go to http://www.sunfreeware.com/ and click Creating Packages on the left. All you need to get started is there. Keeping the layout of the tar distro will be easiest since everything is in one place, spreading files requires a little editing of paths in the prototype file. There's probably many other places to read up on this topic but it's short and concise here and I have used their packages for years so I trust them. 
I'm no expert at this but I will help you out off-list if needed. We need more Solar power! ;-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From jfalgout at CO.JEFFERSON.CO.US Tue Jan 27 18:06:40 2004 From: jfalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:06 2006 Subject: Performance Tuning and RAID Message-ID: >have you checked the amount of logging you are doing? >ie is maillog etc >slowing you down? Also are the apache log files busy? I think this is the major bottleneck - Disk writes, thus the reason for RAID 10 (I can't reduce the amount of logging for MS) MailScanner config: Log Spam = yes Log Permitted Filenames = no Log Permitted Filetypes = no Always Looked Up Last = no Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes >also you don't mention what version of everything you >are running.. mailscanner-4.24-5 SA 2.63 Jan version of Sophos (no SAVI, good idea though might try) clamscan / ClamAV version 0.65 >are you running the savi version of sophos and what (if >any) RBL's are >you using in SA or MS? RBL in MS - Spamcop, Spamhaus, CBL (with NSCD) From randyf at SIBERNET.COM Tue Jan 27 18:07:44 2004 From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:22:06 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> Message-ID: > > Are there some decent docs on how to create pkgs? A few samples would be > handy too. > -- > Julian Field http://docs.sun.com has some reasonable information on creating packages, but you might find 'man pkgmk' just as useful.
If you would like some offline help, I am pretty familiar with the SVr4 package mechanism (just too busy right now to do it myself - but also think this would be a good idea). rf From eja at URBAKKEN.DK Tue Jan 27 18:21:39 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:06 2006 Subject: Antivir In-Reply-To: <40169FB7.4050605@urbakken.dk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> Message-ID: <4016AC33.8080102@urbakken.dk> Hi. I checked this: # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ AntiVir / Linux Version 2.0.9-15 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.48 created 27 Jan 2004 For private, non-commercial use only. AntiVir license: 1001048978 for Erik Jakobsen, Brovst checking drive/path (cwd): / ----- scan results ----- directories: 1 files: 0 alerts: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. Is that right or ?. Erik Jakobsen wrote: > shrek-m@gmx.de wrote: > >> Erik Jakobsen wrote: >> >>> Julian Field wrote: >>> >>>> Half the point of MailScanner is that you only need the command-line >>>> "on >>>> demand" scanner, you don't need anything more fancy than that. >>> >>> >>> >>> Thanks for the reply. How do I make the "on demand" ?. >> >> >> >> >> eg. in /etc/MailScanner/MailScanner.conf >> Virus Scanners = antivir > > > I do have antivir written on this line, but I only gets information, > that antivir is updated. > >> >> MailScanner starts antivir for scanning = on-demand > > > Ok, this is the job, that MailScanner does ?. > >> in short words: >> on access (daemon) = every file you or the os (operatingsystem) >> opens/access will be scanned >> on demand (command-line) = explicit start for scanning a file > > > I see.
And the only simple thing to do is having the antivir placed in > the MailScanner.conf as I have ?. Nothing else to do ?. > > I wonder then why virusinformation the doesn't have antivir in the > messages I receive about founded viruses. I receive information from my > F-PROT and my CLAMAV. They of course also is written on the > MailScanner.conf line. > > Thanks for your help. > > /Erik. > >>>>> ************************************************************************* >>>>> >>>>> >>>>> >>>>> You downloaded the Linux Workstation product. This provides an >>>>> "on-access" scanner and a command-line "on-demand" scanner. If you >>>>> want >>>>> the command-line scanner to scan your emails, you will need to >>>>> configure >>>>> your Clarkconnect Server to call the antivir binary for each mail. >>>>> (I am >>>>> unfamiliar with the Clarkconnect Server, so I cannot offer any help >>>>> here). >>>>> >>>>> We also have MailGate available to private use. This runs as a mail >>>>> proxy to scan all incoming and outgoing email. >>>>> >>>>> ************************************************************************* >>>>> >>>>> >>>>> >>>> >> >> -- >> shrek-m >> >> > > -- > Med venlig hilsen - Best regards. > Erik Jakobsen - eja@urbakken.dk. > Licensed radioamateur with the callsign OZ4KK. > SuSE Linux 8.2 Proff. > Registered as user #319488 with the Linux Counter, http://counter.li.org. > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mailscanner at ecs.soton.ac.uk Tue Jan 27 18:23:17 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:06 2006 Subject: Performance Tuning and RAID In-Reply-To: References: Message-ID: <6.0.1.1.2.20040127182156.044c5e78@imap.ecs.soton.ac.uk> Make sure your syslog.conf entry have a - before the log filename. 
It will stop it fsync()ing after every log write. This can help quite a lot. At 18:06 27/01/2004, you wrote: > >have you checked the amount of logging you are doing? >ie is maillog >etc > >slowing you down? Also are the apache log files busy? >I think this is the major bottleneck - Disk writes, >thus the reason for RAID 10 (I can't reduce the amount of logging for >MS) > >MailScanner config: >Log Spam = yes >Log Permitted Filenames = no >Log Permitted Filetypes = no >Always Looked Up Last = no >Detailed Spam Report = yes >Include Scores In SpamAssassin Report = yes > > > >also you don't mention what version of everything you >are running.. >mailscanner-4.24-5 >SA 2.63 >Jan version of Sophos (no SAVI, good idea though might try) >clamscan / ClamAV version 0.65 > > >are you running the savi version of sophos and what (if >any) RBL's are > >you using in SA or MS? >RBL in MS - Spamcop, Spamhaus, CBL (with NSCD) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bpumphrey at WOODMACLAW.COM Tue Jan 27 18:26:21 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:06 2006 Subject: MyDoom question Message-ID: So far our MailScanner has caught these viruses from entering. I got a phone call saying that they got an email from us user@woodmaclaw.com with the virus. Also the user that it was sent from doesn't exist within the company. Does that mean that someone is using my server as a relay? Virus Count W32/MyDoom-A 167 W32/Klez-H 8 W32/Gibe-F 6 W32/Mimail-A 2 Troj/Sefex-A 2 W32/Bagle-A 2 W32/Mimail-I 1 W32/Bugbear-B 1 From mailscanner at ecs.soton.ac.uk Tue Jan 27 18:30:52 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:06 2006 Subject: MyDoom question In-Reply-To: References: Message-ID: <6.0.1.1.2.20040127183011.044e2f68@imap.ecs.soton.ac.uk> No.
Someone's PC is infected and it happens to have one of your email addresses in its address book. MyDoom-A forges sender addresses using any it can find. At 18:26 27/01/2004, you wrote: >So far our MailScanner has caught these viruses from entering. I got a >phone call saying that they got an email from us user@woodmaclaw.com with >the virus. Also the user that it was sent from doesn't exist within the >company. Does that mean that someone is using my server as a relay? > >Virus Count >W32/MyDoom-A 167 >W32/Klez-H 8 >W32/Gibe-F 6 >W32/Mimail-A 2 >Troj/Sefex-A 2 >W32/Bagle-A 2 >W32/Mimail-I 1 >W32/Bugbear-B 1 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 18:29:36 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <4016AC33.8080102@urbakken.dk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> Message-ID: <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> At 18:21 27/01/2004, you wrote: >Hi. > >I checked this: > > ># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ >AntiVir / Linux Version 2.0.9-15 >Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >All rights reserved. > >Loading /usr/lib/AntiVir/antivir.vdf ... > > > >VDF version: 6.23.0.48 created 27 Jan 2004 > > > >For private, non-commercial use only. >AntiVir license: 1001048978 for Erik Jakobsen, Brovst > > > >checking drive/path (cwd): / > > > > > >----- scan results ----- > > > directories: 1 > > > files: 0 > > > alerts: 0 > > > scan time: 00:00:01 > > >------------------------ > > >Thank you for using AntiVir. > > >Is that right or ?. That looks okay.
I still don't understand why your Antivir installation isn't working with MailScanner. >Erik Jakobsen wrote: >>shrek-m@gmx.de wrote: >> >>>Erik Jakobsen wrote: >>> >>>>Julian Field wrote: >>>> >>>>>Half the point of MailScanner is that you only need the command-line >>>>>"on >>>>>demand" scanner, you don't need anything more fancy than that. >>>> >>>> >>>> >>>>Thanks for the reply. How do I make the "on demand" ?. >>> >>> >>> >>> >>>eg. in /etc/MailScanner/MailScanner.conf >>>Virus Scanners = antivir >> >> >>I do have antivir written on this line, but I only gets information, >>that antivir is updated. >> >>> >>>MailScanner starts antivir for scanning = on-demand >> >> >>Ok, this is the job, that MailScanner does ?. >> >>>in short words: >>>on access (daemon) = every file you or the os (operatingsystem) >>>opens/access will be scanned >>>on demand (command-line) = explicit start for scanning a file >> >> >>I see. And the only simple thing to do is having the antivir placed in >>the MailScanner.conf as I have ?. Nothing else to do ?. >> >>I wonder then why virusinformation the doesn't have antivir in the >>messages I receive about founded viruses. I receive information from my >>F-PROT and my CLAMAV. They of course also is written on the >>MailScanner.conf line. >> >>Thanks for your help. >> >>/Erik. >> >>>>>>************************************************************************* >>>>>> >>>>>> >>>>>> >>>>>>You downloaded the Linux Workstation product. This provides an >>>>>>"on-access" scanner and a command-line "on-demand" scanner. If you >>>>>>want >>>>>>the command-line scanner to scan your emails, you will need to >>>>>>configure >>>>>>your Clarkconnect Server to call the antivir binary for each mail. >>>>>>(I am >>>>>>unfamiliar with the Clarkconnect Server, so I cannot offer any help >>>>>>here). >>>>>> >>>>>>We also have MailGate available to private use. This runs as a mail >>>>>>proxy to scan all incoming and outgoing email. 
>>>>>> >>>>>>************************************************************************* >>>>>> >>>>>> >>> >>>-- >>>shrek-m >>> >> >>-- >>Med venlig hilsen - Best regards. >>Erik Jakobsen - eja@urbakken.dk. >>Licensed radioamateur with the callsign OZ4KK. >>SuSE Linux 8.2 Proff. >>Registered as user #319488 with the Linux Counter, http://counter.li.org. >> > >-- >Med venlig hilsen - Best regards. >Erik Jakobsen - eja@urbakken.dk. >Licensed radioamateur with the callsign OZ4KK. >SuSE Linux 8.2 Proff. >Registered as user #319488 with the Linux Counter, http://counter.li.org. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chrisk at OS-IT.NET Tue Jan 27 18:32:27 2004 From: chrisk at OS-IT.NET (Chris Kissinger) Date: Thu Jan 12 21:22:07 2006 Subject: MyDoom question In-Reply-To: Message-ID: Like all the other "Silent" viruses from addresses are spoofed. Whoever called may just need a clue, tell them to give you the full header information and you can see if it did indeed go through your server or not. Chris -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Billy A. Pumphrey Sent: Tuesday, January 27, 2004 10:26 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MyDoom question So far our MailScanner has caught these viruses from entering. I got a phone call saying that they got an email from us user@woodmaclaw.com with the virus. Also the user that it was sent from doesn't exist within the company. Does that mean that someone is using my server as a relay?
Virus Count W32/MyDoom-A 167 W32/Klez-H 8 W32/Gibe-F 6 W32/Mimail-A 2 Troj/Sefex-A 2 W32/Bagle-A 2 W32/Mimail-I 1 W32/Bugbear-B 1 From dot at DOTAT.AT Tue Jan 27 17:54:02 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID In-Reply-To: Message-ID: Jeff Falgout wrote: >Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - >Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND >NSCD, and Apache (for Mailstats and Mailscanner-MRTG). How many concurrent mailscanners? Have you turned off fsync in syslogd? Tony. -- f.a.n.finch http://dotat.at/ COLWYN BAY TO THE MULL OF GALLOWAY INCLUDING THE ISLE OF MAN: NORTH 4 BACKING WEST 5 FOR A TIME BEFORE VEERING NORTHWEST 6 OR 7. MAINLY FAIR THEN OCCASIONAL SHOWERS BECOMING WINTRY. MAINLY GOOD. SLIGHT OR MODERATE BECOMING ROUGH LATER. From JVolckaert at BELLMEMORIAL.ORG Tue Jan 27 18:45:02 2004 From: JVolckaert at BELLMEMORIAL.ORG (Jeff Volckaert) Date: Thu Jan 12 21:22:07 2006 Subject: Just reinstalled thanks to MyDoom and EICAR is slipping through.... Message-ID: <4016B1AE.6040906@Bellmemorial.org> Hello All, I just reinstalled the latest 4.25.14 and the latest Sophos (using the Sophos.install script). Instead of migrating my old configs I just edited the default and changed the few things that I need to like sitename, virus scanner, and postmaster. I went to a webmail account and emailed the eicar.com file. It was rejected for filename. OK, I renamed it to just 'eicar' and sent it again.... AND I GOT IT! It appears to have either not been scanned or sophos goofed. Any help? Thanks, Jeff From mailscanner at ecs.soton.ac.uk Tue Jan 27 18:53:27 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Just reinstalled thanks to MyDoom and EICAR is slipping through....
In-Reply-To: <4016B1AE.6040906@Bellmemorial.org> References: <4016B1AE.6040906@Bellmemorial.org> Message-ID: <6.0.1.1.2.20040127185315.044c6000@imap.ecs.soton.ac.uk> At 18:45 27/01/2004, you wrote: >Hello All, > >I just reinstalled the latest 4.25.14 and the latest Sophos (using the >Sophos.install script). Instead of migrating my old configs I just >edited the default and changed the few things that I need to like >sitename, virus scanner, and postmaster. > >I went to a webmail account and emailed the eicar.com file. It was >rejected for filename. OK, I renamed it to just 'eicar' and sent it >again.... AND I GOT IT! It appears to have either not been scanned or >sophos goofed. > >Any help? What did your maillog say? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From postmaster at telesurf.com.py Tue Jan 27 18:52:03 2004 From: postmaster at telesurf.com.py (MailScanner) Date: Thu Jan 12 21:22:07 2006 Subject: Warning: E-mail virus detected Message-ID: <200401271852.i0RIq3d04835@inet3.telecel.com.py> Our virus detector has been triggered by a message you sent: To: gerencia@interviajes.com.py, gerencia@sms_gw.interviajes.com.py Subject: Hello Date: Tue Jan 27 15:52:02 2004 One or more of the attachments are on the list of files not accepted by this site and will not be delivered. Consider renaming the files or compressing them into a ".zip" file to avoid this restriction.
The virus detector said this about the message: Report: MailScanner: Windows Screensavers are often used to hide viruses (document.scr) -- MailScanner E-mail Virus Protection www.mailscanner.info From JFalgout at CO.JEFFERSON.CO.US Tue Jan 27 19:01:48 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID Message-ID: >>>> dot@DOTAT.AT 1/27/2004 10:54:02 AM >>> >Jeff Falgout wrote: >>Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - >>Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND >>NSCD, and Apache (for Mailstats and Mailscanner-MRTG). >How many concurrent mailscanners? Have you turned off fsync in syslogd? Max Children = 20 Just turned off fsync - there is no space between the "-" and the filename, correct? From mailscanner at ecs.soton.ac.uk Tue Jan 27 19:06:52 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID In-Reply-To: References: Message-ID: <6.0.1.1.2.20040127190536.04554340@imap.ecs.soton.ac.uk> At 19:01 27/01/2004, you wrote: > >>>> dot@DOTAT.AT 1/27/2004 10:54:02 AM >>> > >Jeff Falgout wrote: > >>Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - > >>Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND > >>NSCD, and Apache (for Mailstats and Mailscanner-MRTG). > > >How many concurrent mailscanners? Have you turned off fsync in >syslogd? > >Max Children = 20 > >Just turned off fsync - there is no space between the "-" and the >filename, >correct? Yes. Max Children = 20 is very high. Try dropping that to about 12 as your throughput may improve. Keep an eye on `top` as your system may be running out of ram.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rzewnickie at RFA.ORG Tue Jan 27 19:10:19 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:07 2006 Subject: Mydoom In-Reply-To: <9qtc1096noqufctqtlp2llc3e4doabcer8@4ax.com> References: <9qtc1096noqufctqtlp2llc3e4doabcer8@4ax.com> Message-ID: <20040127191018.GD636@rfa.org> Peter, Do you have a script that generates those stats? Is it specific to your language? -Eric Rz. On Tue, Jan 27, 2004 at 03:37:25PM +0100, Peter Peters wrote: > On Tue, 27 Jan 2004 13:45:35 -0000, you wrote: > > >We have had the odd message through that has a 95byte (empty)zip attachment. > >Is this a random one off or has anyone else seen this? > > > >on 10k emails, we normally have only 10-20 viruses per day. So far today, we have stopped over 1600 > >mydoom mesages. > > Stats from 1 of 3 servers: > |Bepaal het echte aantal mailtjes: 36241 > Real messages (not just number of recipients) > > |Bepaal het aantal spam-achtige mailtjes: 16734 > Messages tagged as spam by SA and/or blacklists > > |Bepaal het aantal via ruleset's geblokkeerde mailtjes: 2323 > Messages blocked in sendmail by access.db > > |Geef de top 5 (en meer) van gevonden virussen: > | 3894 W32/Mydoom.A@mm > | 258 W32/Sober.C@mm > | 63 W32/Mimail.C@mm > | 61 W32/Swen.A@mm > | 50 W32/Sobig.F@mm > | 40 W32/Mimail.A@mm > | 40 W32/Dumaru.A@mm > | 23 W32/Bagle.A@mm > | 16 W32/Mimail.J@mm > | 11 W32/Mimail.G@mm > > -- > Peter Peters, senior netwerkbeheerder > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From chris at FRACTALWEB.COM Tue Jan 27 19:22:38 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:07 2006 Subject: tons of 
infected files getting though??? Message-ID: <4016BA7E.3010200@fractalweb.com> Hi everyone, I was having a hard look through my logs and such and also looking though MailWatch. I see quite a few emails that definitely contain the virus that were only tagged as spam. I can see nothing in /var/log/maillog that indicates why this message would not have been marked as infected. I've even forwarded a couple of them to myself and there's no doubt about it...it's the SCO.A or Navarg or whatever. If I save the attachment, then scp it to my mailserver and run clamscan on it, everything works great and ClamAV correctly identifies the virus. For yesterday alone, my system saw 106 messages that it found infected with the virus, and an additional 80 that slipped by. WTF??? Is it possible that MailScanner isn't getting clamav to scan all the attachments? How do I go about troubleshooting this? Urgent help would be appreciated. Cheers, Chris From michele at BLACKNIGHTSOLUTIONS.COM Tue Jan 27 19:22:17 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:07 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: <000801c3e4ea$7f11a990$0201a8c0@lappy> Message-ID: What's the 'easy' way of doing this if there are two files?? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dee Lowndes > Sent: 27 January 2004 15:31 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Forwarding a blocked mail attachment > > > Thanks I am just waiting for them to resend msg. 
> > Dee > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Ugo Bellavance > > Sent: 27 January 2004 14:30 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Forwarding a blocked mail attachment > > > > > -----Original Message----- > > > From: Dee Lowndes [mailto:dee@ASYOUNEED.COM] > > > Sent: Tuesday, January 27, 2004 7:31 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Forwarding a blocked mail attachment > > > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Ugo Bellavance > > > > Sent: 27 January 2004 12:16 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Forwarding a blocked mail attachment > > > > > > > > Dee Lowndes wrote: > > > > > > > > >>-----Original Message----- > > > > >>From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > On > > > > >>Behalf Of Ugo Bellavance > > > > >>Sent: 27 January 2004 11:53 > > > > >>To: MAILSCANNER@JISCMAIL.AC.UK > > > > >>Subject: Re: Forwarding a blocked mail attachment > > > > >> > > > > >>Dee Lowndes wrote: > > > > >> > > > > >> > > > > >> > > > > >>>Hi, > > > > >>> > > > > >>>How can I forward a blocked mail attachment? > > > > >>> > > > > >>> > > > > >>> > > > > >>> > > > > >>What is your MTA ? sendmail? postfix? > > > > >> > > > > >> > > > > > > > > > >Sendmail > > > > > > > > > > > > > > > > > > > > > > > > One or two files in your quarantine? > > > > > > Just the one. > > > > then go into your quarantine (usually > > /var/spool/MailScanner/quarantine/day/messageID) then > > > > sendmail -t < 'message file' > > > > (substitute 'message file' by the name of the message file you need > to > > forward > > > > hth > > > > > > Dee > > > > From jase at SENSIS.COM Tue Jan 27 19:26:57 2004 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though???
Message-ID: I've noticed that ClamAV has not been finding SCO.A when they are inside of a mail delivery failure message. McAfee however does find it (calling it Mydoom). I can take the email and scan it with ClamAV, but it will not find anything. But if I decode the attachment and scan it with ClamAV, ClamAV will find SCO.A. Could it be that the ones that are getting through are delivery failure notifications? I don't know if it's a bug in ClamAV or if it could be fixed with updating the virus definitions, but I don't think it's a MailScanner bug. Jason > -----Original Message----- > From: Chris Yuzik [mailto:chris@FRACTALWEB.COM] > Sent: Tuesday, January 27, 2004 2:23 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] tons of infected files getting though??? > > > Hi everyone, > > I was having a hard look through my logs and such and also looking > though MailWatch. I see quite a few emails that definitely contain the > virus that were only tagged as spam. I can see nothing in > /var/log/maillog that indicates why this message would not have been > marked as infected. I've even forwarded a couple of them to myself and > there's no doubt about it...it's the SCO.A or Navarg or whatever. If I > save the attachment, then scp it to my mailserver and run clamscan on > it, everything works great and ClamAV correctly identifies the virus. > > For yesterday alone, my system saw 106 messages that it found infected > with the virus, and an additional 80 that slipped by. WTF??? > > Is it possible that MailScanner isn't getting clamav to scan all the > attachments? How do I go about troubleshooting this? Urgent help would > be appreciated. > > Cheers, > Chris > From mkettler at EVI-INC.COM Tue Jan 27 19:30:20 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? 
In-Reply-To: <4016BA7E.3010200@fractalweb.com>
References: <4016BA7E.3010200@fractalweb.com>
Message-ID: <6.0.0.22.0.20040127142736.02d93110@xanadu.evi-inc.com>

At 02:22 PM 1/27/2004, Chris Yuzik wrote:
>Is it possible that MailScanner isn't getting clamav to scan all the
>attachments? How do I go about troubleshooting this? Urgent help would
>be appreciated.

1) is it possible that when the mail arrived, your version of clamav didn't have the SCO.A signature yet? MailScanner auto-updates clamav hourly, so it's possible that by the time you transferred the file back over to your server, it had been updated... check your maillogs to see when it was last updated.

When I first came in this AM, clamav wasn't hitting them, but it is now.

2) usually questions about problems with MS (or ANY product for that matter) should be accompanied by information as to what version you're running.

From mike at CAMAROSS.NET Tue Jan 27 19:34:44 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:07 2006
Subject: tons of infected files getting though???
In-Reply-To: <4016BA7E.3010200@fractalweb.com>
Message-ID: <200401271927.i0RJRDGE004572@avwall.bladeware.com>

How many emails are you pushing per day? I wonder if it's a load issue. Have you tried the clamavmodule?

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik
> Sent: Tuesday, January 27, 2004 1:23 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: tons of infected files getting though???
>
> Hi everyone,
>
> I was having a hard look through my logs and such and also
> looking through MailWatch. I see quite a few emails that
> definitely contain the virus that were only tagged as spam. I
> can see nothing in /var/log/maillog that indicates why this
> message would not have been marked as infected. I've even
> forwarded a couple of them to myself and there's no doubt
> about it...it's the SCO.A or Navarg or whatever.
If I save > the attachment, then scp it to my mailserver and run clamscan > on it, everything works great and ClamAV correctly identifies > the virus. > > For yesterday alone, my system saw 106 messages that it found > infected with the virus, and an additional 80 that slipped by. WTF??? > > Is it possible that MailScanner isn't getting clamav to scan > all the attachments? How do I go about troubleshooting this? > Urgent help would be appreciated. > > Cheers, > Chris > From mike at CAMAROSS.NET Tue Jan 27 19:35:51 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID In-Reply-To: Message-ID: <200401271928.i0RJSJGE004789@avwall.bladeware.com> This may be an idiot's suggestion, but make sure you restart syslog after modifying the syslog.conf Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff Falgout > Sent: Tuesday, January 27, 2004 1:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Performance Tuning and RAID > > >>>> dot@DOTAT.AT 1/27/2004 10:54:02 AM >>> > >Jeff Falgout wrote: > >>Dual Xeon 2.4s, 2GB Memory, 1 U160 disk - Red Hat 8.0 > running Sendmail > >>as MTA, Sophos, Clam, SA, BIND NSCD, and Apache (for Mailstats and > >>Mailscanner-MRTG). > > >How many concurrent mailscanners? Have you turned off fsync in > syslogd? > > Max Children = 20 > > Just turned off fsync - there is no space between the "-" and > the filename, correct? > From garry at GLENDOWN.DE Tue Jan 27 19:32:03 2004 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:07 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> Message-ID: <4016BCB3.7090604@glendown.de> Something I've been wondering about ... a while back, mailscanner-mrtg kept nice stats about the number of mails relayed ... 
anyway, ever since I installed a new server, this counter has been way down - even after the update to the current version, all I get is a very low number of mails, even though (currently) over 5000 spam mails are recognized ...

All my mail logs end up in /var/log/mail, which is what I use in the mailscanner-mrtg config ... I'm running sendmail ...

Any idea?

Also, too bad the update from 0.06 to 0.07 loses all the old data ... :( or did I miss something?

-gg

From dh at UPTIME.AT Tue Jan 27 19:04:50 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:07 2006
Subject: Performance Tuning and RAID
In-Reply-To:
References:
Message-ID: <4016B652.9070403@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Jeff Falgout wrote:
>>>>>dot@DOTAT.AT 1/27/2004 10:54:02 AM >>>
>>
>>Jeff Falgout wrote:
>>
>>>Dual Xeon 2.4s, 2GB Memory, 1 U160 disk -
>>>Red Hat 8.0 running Sendmail as MTA, Sophos, Clam, SA, BIND
>>>NSCD, and Apache (for Mailstats and Mailscanner-MRTG).
>
>
>>How many concurrent mailscanners? Have you turned off fsync in
>
> syslogd?
>
> Max Children = 20
>

try 10 or 12 :) That worked like a peach on a dual I had.

> Just turned off fsync - there is no space between the "-" and the
> filename,
> correct?

yes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAFrZWPMoaMn4kKR4RAzZHAKCBoyopJlpMUJWoDRQi47GbAbIPYQCgnqc2
tWk2+GDenwkAzCEIiS0jNLc=
=J0/M
-----END PGP SIGNATURE-----

From shrek-m at GMX.DE Tue Jan 27 19:37:56 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:07 2006
Subject: Antivir
In-Reply-To: <4016B49D.8090605@urbakken.dk>
References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk>
Message-ID: <4016BE14.1090606@gmx.de>

Erik Jakobsen wrote:

>> That looks okay.
I still don't understand why your Antivir installation >> isn't working with MailScanner. > > > Thanks for telling me, that its ok. But a pity, that it doesn't work > with MailScanner :-( # rpm -q mailscanner mailscanner-4.26.5-1 i have downloaded a antivir-server-demo-version. # ls /usr/local/avlxsrv.tgz /usr/local/avlxsrv.tgz here is what i get ****eg1**** # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ [...] Pruefe Laufwerk/Pfad (cwd): /usr/local/antivir-server-2.0.9 ----- Suchergebnisse ----- Verzeichnisse: 1 Dateien: 4 Alarme: 0 Benoetigte Zeit: 00:00:01 -------------------------- Vielen Dank fuer den Einsatz von AntiVir. ******** ****eg2**** # /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/* /usr/lib/MailScanner/antivir-wrapper: line 47: /data4/doku/viren/alte/antivir: Datei oder Verzeichnis nicht gefunden /usr/lib/MailScanner/antivir-wrapper: line 47: exec: /data4/doku/viren/alte/antivir: cannot execute: Datei oder Verzeichnis nicht gefunden ******** ****eg3**** # /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/ /usr/lib/MailScanner/antivir-wrapper: line 47: /data4/doku/viren//antivir: Datei oder Verzeichnis nicht gefunden /usr/lib/MailScanner/antivir-wrapper: line 47: exec: /data4/doku/viren//antivir: cannot execute: Datei oder Verzeichnis nicht gefunden ******** ****eg4**** # /usr/lib/MailScanner/antivir-wrapper . 
/usr/lib/MailScanner/antivir-wrapper: line 47: /usr/local/antivir-server-2.0.9/antivir: Datei oder Verzeichnis nicht gefunden /usr/lib/MailScanner/antivir-wrapper: line 47: exec: /usr/local/antivir-server-2.0.9/antivir: cannot execute: Datei oder Verzeichnis nicht gefunden ******** -- shrek-m From mailscanner at ecs.soton.ac.uk Tue Jan 27 19:36:25 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Forwarding a blocked mail attachment In-Reply-To: References: <000801c3e4ea$7f11a990$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040127193608.03cd6ec0@imap.ecs.soton.ac.uk> At 19:22 27/01/2004, you wrote: >What's the 'easy' way of doing this if there are two files?? Move them into /var/spool/mqueue. >Mr. Michele Neylon >Blacknight Internet Solutions Ltd >http://www.blacknightsolutions.ie/ >http://www.search.ie/ >Tel. + 353 (0)59 9137101 >Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Dee Lowndes > > Sent: 27 January 2004 15:31 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Forwarding a blocked mail attachment > > > > > > Thanks I am just waiting for them to resend msg. > > > > Dee > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Ugo Bellavance > > > Sent: 27 January 2004 14:30 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Forwarding a blocked mail attachment > > > > > > > -----Message d'origine----- > > > > De : Dee Lowndes [mailto:dee@ASYOUNEED.COM] > > > > Envoy? : Tuesday, January 27, 2004 7:31 AM > > > > ? 
: MAILSCANNER@JISCMAIL.AC.UK > > > > Objet : Re: Forwarding a blocked mail attachment > > > > > > > > > > > > > -----Original Message----- > > > > > From: MailScanner mailing list > > > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > > Behalf Of Ugo Bellavance > > > > > Sent: 27 January 2004 12:16 > > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > > Subject: Re: Forwarding a blocked mail attachment > > > > > > > > > > Dee Lowndes wrote: > > > > > > > > > > >>-----Original Message----- > > > > > >>From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > > On > > > > > >>Behalf Of Ugo Bellavance > > > > > >>Sent: 27 January 2004 11:53 > > > > > >>To: MAILSCANNER@JISCMAIL.AC.UK > > > > > >>Subject: Re: Forwarding a blocked mail attachment > > > > > >> > > > > > >>Dee Lowndes wrote: > > > > > >> > > > > > >> > > > > > >> > > > > > >>>Hi, > > > > > >>> > > > > > >>>How can I forward a blocked mail attachment? > > > > > >>> > > > > > >>> > > > > > >>> > > > > > >>> > > > > > >>What is your MTA ? sendmail? postfix? > > > > > >> > > > > > >> > > > > > > > > > > > >Sendmail > > > > > > > > > > > > > > > > > > > > > > > > > > > > > One or two files in your quarantine? > > > > > > > > Just the one. 
> > > > > > then go into your quarantine (usually > > > /var/spool/MailScanner/quarantine/day/messageID) then > > > > > > sendmail -t < 'message file' > > > > > > (subsititute 'message file' by the name of the message file you need > > to > > > forward > > > > > > hth > > > > > > > > Dee > > > > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Jan 27 19:43:59 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <4016BE14.1090606@gmx.de> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de> Message-ID: <6.0.1.1.2.20040127194334.03cf8e48@imap.ecs.soton.ac.uk> But what about a correct command such as /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /data4/doku/viren At 19:37 27/01/2004, you wrote: >Erik Jakobsen wrote: > >>>That looks okay. I still don't understand why your Antivir installation >>>isn't working with MailScanner. >> >> >>Thanks for telling me, that its ok. But a pity, that it doesn't work >>with MailScanner :-( > > ># rpm -q mailscanner >mailscanner-4.26.5-1 > >i have downloaded a antivir-server-demo-version. ># ls /usr/local/avlxsrv.tgz >/usr/local/avlxsrv.tgz > >here is what i get > >****eg1**** ># /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ >[...] >Pruefe Laufwerk/Pfad (cwd): /usr/local/antivir-server-2.0.9 > > >----- Suchergebnisse ----- >Verzeichnisse: 1 > Dateien: 4 > Alarme: 0 >Benoetigte Zeit: 00:00:01 >-------------------------- >Vielen Dank fuer den Einsatz von AntiVir. 
>********
>
>****eg2****
># /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/*
>/usr/lib/MailScanner/antivir-wrapper: line 47:
>/data4/doku/viren/alte/antivir: Datei oder Verzeichnis nicht gefunden
>/usr/lib/MailScanner/antivir-wrapper: line 47: exec:
>/data4/doku/viren/alte/antivir: cannot execute: Datei oder Verzeichnis
>nicht gefunden
>********
>****eg3****
># /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/
>/usr/lib/MailScanner/antivir-wrapper: line 47:
>/data4/doku/viren//antivir: Datei oder Verzeichnis nicht gefunden
>/usr/lib/MailScanner/antivir-wrapper: line 47: exec:
>/data4/doku/viren//antivir: cannot execute: Datei oder Verzeichnis nicht
>gefunden
>********
>****eg4****
># /usr/lib/MailScanner/antivir-wrapper .
>/usr/lib/MailScanner/antivir-wrapper: line 47:
>/usr/local/antivir-server-2.0.9/antivir: Datei oder Verzeichnis nicht
>gefunden
>/usr/lib/MailScanner/antivir-wrapper: line 47: exec:
>/usr/local/antivir-server-2.0.9/antivir: cannot execute: Datei oder
>Verzeichnis nicht gefunden
>********
>
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Tue Jan 27 19:56:53 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:22:07 2006
Subject: Antivir
In-Reply-To: <4016BE14.1090606@gmx.de>
References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de>
Message-ID: <4016C285.5060304@urbakken.dk>

Below is the example from Julian Field, but there's an invalid path. Further down the lines is the wrapper-script I executed, and it's from the example file.
# /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /data4/doku/viren AntiVir / Linux Version 2.0.9-15 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. invalid path /data4/doku/viren My test, and it should be ok. [root@gateway /]# /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ AntiVir / Linux Version 2.0.9-15 Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... VDF version: 6.23.0.48 created 27 Jan 2004 For private, non-commercial use only. AntiVir license: 1234567 for Erik Jakobsen, Brovst checking drive/path (cwd): / ----- scan results ----- directories: 1 files: 0 alerts: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. shrek-m@gmx.de wrote: > Erik Jakobsen wrote: > >>> That looks okay. I still don't understand why your Antivir installation >>> isn't working with MailScanner. >> >> >> >> Thanks for telling me, that its ok. But a pity, that it doesn't work >> with MailScanner :-( > > > > # rpm -q mailscanner > mailscanner-4.26.5-1 Mine looks like that: # rpm -q mailscanner mailscanner-4.26-4 > i have downloaded a antivir-server-demo-version. > # ls /usr/local/avlxsrv.tgz > /usr/local/avlxsrv.tgz > > here is what i get > > ****eg1**** > # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ > [...] > Pruefe Laufwerk/Pfad (cwd): /usr/local/antivir-server-2.0.9 > > > ----- Suchergebnisse ----- > Verzeichnisse: 1 > Dateien: 4 > Alarme: 0 > Benoetigte Zeit: 00:00:01 > -------------------------- > Vielen Dank fuer den Einsatz von AntiVir. 
> ******** > > ****eg2**** > # /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/* > /usr/lib/MailScanner/antivir-wrapper: line 47: > /data4/doku/viren/alte/antivir: Datei oder Verzeichnis nicht gefunden > /usr/lib/MailScanner/antivir-wrapper: line 47: exec: > /data4/doku/viren/alte/antivir: cannot execute: Datei oder Verzeichnis > nicht gefunden > ******** > ****eg3**** > # /usr/lib/MailScanner/antivir-wrapper /data4/doku/viren/ > /usr/lib/MailScanner/antivir-wrapper: line 47: > /data4/doku/viren//antivir: Datei oder Verzeichnis nicht gefunden > /usr/lib/MailScanner/antivir-wrapper: line 47: exec: > /data4/doku/viren//antivir: cannot execute: Datei oder Verzeichnis nicht > gefunden > ******** > ****eg4**** > # /usr/lib/MailScanner/antivir-wrapper . > /usr/lib/MailScanner/antivir-wrapper: line 47: > /usr/local/antivir-server-2.0.9/antivir: Datei oder Verzeichnis nicht > gefunden > /usr/lib/MailScanner/antivir-wrapper: line 47: exec: > /usr/local/antivir-server-2.0.9/antivir: cannot execute: Datei oder > Verzeichnis nicht gefunden > ******** > As you can see, I don't have these errors. I have none, but also it doesn't work :-(. > -- > shrek-m > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. 
From shrek-m at GMX.DE Tue Jan 27 20:06:36 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <6.0.1.1.2.20040127194334.03cf8e48@imap.ecs.soton.ac.uk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de> <6.0.1.1.2.20040127194334.03cf8e48@imap.ecs.soton.ac.uk> Message-ID: <4016C4CC.7060306@gmx.de> Julian Field wrote: > But what about a correct command such as > /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir > /data4/doku/viren :-[ ok, but indeed, antivir and mailscanner will not work, at least here. -- shrek-m From eja at URBAKKEN.DK Tue Jan 27 20:14:05 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <4016C4CC.7060306@gmx.de> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de> <6.0.1.1.2.20040127194334.03cf8e48@imap.ecs.soton.ac.uk> <4016C4CC.7060306@gmx.de> Message-ID: <4016C68D.4090207@urbakken.dk> shrek-m@gmx.de wrote: > Julian Field wrote: > >> But what about a correct command such as >> /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir >> /data4/doku/viren > > > > :-[ > > ok, > but indeed, > antivir and mailscanner will not work, at least here. Hi Shrek. We are in the same boat. 
Here is what my current scanners shows of info for a virus, but the antivir is not there: At Tue Jan 27 20:57:05 2004 the virus scanner said: F-Prot: dfzmnri.exe Infection: W32/Swen.A@mm ClamAV: dfzmnri.exe contains Worm.Gibe.F MailScanner: Executable DOS/Windows programs are dangerous in email (dfzmnri.exe) > -- > shrek-m > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From peter at UCGBOOK.COM Tue Jan 27 20:18:23 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <4016C285.5060304@urbakken.dk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de> <4016C285.5060304@urbakken.dk> Message-ID: <4016C78F.8010109@ucgbook.com> Erik Jakobsen wrote: > Below is the example from Julian Field, but there's an invalid path. > > # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /data4/doku/viren > AntiVir / Linux Version 2.0.9-15 > Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. > All rights reserved. > > invalid path /data4/doku/viren He might have meant that you should replace the third field with something that is valid on your system. 
;-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From eja at URBAKKEN.DK Tue Jan 27 20:22:44 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <4016C78F.8010109@ucgbook.com> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> <4016B49D.8090605@urbakken.dk> <4016BE14.1090606@gmx.de> <4016C285.5060304@urbakken.dk> <4016C78F.8010109@ucgbook.com> Message-ID: <4016C894.7040800@urbakken.dk> Peter Bonivart wrote: > Erik Jakobsen wrote: > >> Below is the example from Julian Field, but there's an invalid path. >> >> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir /data4/doku/viren >> AntiVir / Linux Version 2.0.9-15 >> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >> All rights reserved. >> >> invalid path /data4/doku/viren > > > He might have meant that you should replace the third field with > something that is valid on your system. ;-) Might be right, thanks !. > -- > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. 
From rgreen at TRAYERPRODUCTS.COM Tue Jan 27 20:19:55 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner Message-ID: <4016C7EB.2000803@trayerproducts.com> On my old mail server which was running Postfix without MailScanner I was able to use check_sender_access to prohibit certain users from sending mail to outside e-mail addresses. They could only send to internal addresses. With the new mail server running Postfix with MailScanner this is not working. It simply allows the mail to pass through. Everything's setup the same as far as the main.conf and the hash maps. Anyone know what might be wrong? Since MailScanner is running is it even using the check_sender_access parameter or is it bypassing it all together? Any help would be appreciated. Thanks, Rod From mailscanner at ecs.soton.ac.uk Tue Jan 27 20:35:01 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: <4016C7EB.2000803@trayerproducts.com> References: <4016C7EB.2000803@trayerproducts.com> Message-ID: <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> There is a feature implemented via a Custom Function in CustomConfig.pm that does this. It's not a core feature as you are only about the 2nd person to ever want it. At 20:19 27/01/2004, you wrote: >On my old mail server which was running Postfix without MailScanner I >was able to use check_sender_access to prohibit certain users from >sending mail to outside e-mail addresses. They could only send to >internal addresses. > >With the new mail server running Postfix with MailScanner this is not >working. It simply allows the mail to pass through. Everything's setup >the same as far as the main.conf and the hash maps. Anyone know what >might be wrong? Since MailScanner is running is it even using the >check_sender_access parameter or is it bypassing it all together? > >Any help would be appreciated. 
>
>Thanks,
>Rod

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at FRACTALWEB.COM Tue Jan 27 20:42:45 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:07 2006
Subject: tons of infected files getting though???
In-Reply-To: <6.0.0.22.0.20040127142736.02d93110@xanadu.evi-inc.com>
References: <4016BA7E.3010200@fractalweb.com> <6.0.0.22.0.20040127142736.02d93110@xanadu.evi-inc.com>
Message-ID: <4016CD45.8020004@fractalweb.com>

Hi Matt,

Matt Kettler wrote:

> 1) is it possible that when the mail arrived, your version of clamav
> didn't
> have the SCO.A signature yet? MailScanner auto-updates clamav hourly, so
> it's possible that by the time you transferred the file back over to your
> server, it had been updated... check your maillogs to see when it was
> last
> updated.

Clam's definitions get updated here every hour. I'm not sure exactly what time yesterday they made the new definitions available that detect this virus, but it's sure catching a lot of them.

> When I first came in this AM, clamav wasn't hitting them, but it is now.
>
> 2) usually questions about problems with MS (or ANY product for that matter)
> should be accompanied by information as to what version you're running.
>

I'm running MailScanner version 4.25-14 and Clamav version 0.65 on Red Hat 7.3. The system detected the first infected email with "worm.sco.a" at 2:45pm yesterday afternoon. Since then many get detected, yet many others get through.

If you run MailWatch, just look for messages "where the subject contains the regular expression hello" in the past day or so. See if any went through your system that were approximately 31 KB, and were not marked as infected with this worm.
Cheers, Chris From eja at URBAKKEN.DK Tue Jan 27 18:57:33 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:22:07 2006 Subject: Antivir In-Reply-To: <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> References: <40167019.90504@urbakken.dk> <6.0.1.1.2.20040127151948.131cd860@imap.ecs.soton.ac.uk> <40168B44.9030409@urbakken.dk> <40169B7A.6050708@gmx.de> <40169FB7.4050605@urbakken.dk> <4016AC33.8080102@urbakken.dk> <6.0.1.1.2.20040127182909.03a54c30@imap.ecs.soton.ac.uk> Message-ID: <4016B49D.8090605@urbakken.dk> Julian Field wrote: > At 18:21 27/01/2004, you wrote: > >> Hi. >> >> I checked this: >> >> >> # /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir/ >> AntiVir / Linux Version 2.0.9-15 >> Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH. >> All rights reserved. >> >> Loading /usr/lib/AntiVir/antivir.vdf ... >> >> >> >> VDF version: 6.23.0.48 created 27 Jan 2004 >> >> >> >> For private, non-commercial use only. >> AntiVir license: 1001048978 for Erik Jakobsen, Brovst >> >> >> >> checking drive/path (cwd): / >> >> >> >> >> >> ----- scan results ----- >> >> >> directories: 1 >> >> >> files: 0 >> >> >> alerts: 0 >> >> >> scan time: 00:00:01 >> >> >> ------------------------ >> >> >> Thank you for using AntiVir. >> >> >> Is that right or ?. > > > That looks okay. I still don't understand why your Antivir installation > isn't working with MailScanner. Thanks for telling me, that its ok. But a pity, that it doesn't work with MailScanner :-( > >> Erik Jakobsen wrote: >> >>> shrek-m@gmx.de wrote: >>> >>>> Erik Jakobsen wrote: >>>> >>>>> Julian Field wrote: >>>>> >>>>>> Half the point of MailScanner is that you only need the command-line >>>>>> "on >>>>>> demand" scanner, you don't need anything more fancy than that. >>>>> >>>>> >>>>> >>>>> >>>>> Thanks for the reply. How do I make the "on demand" ?. >>>> >>>> >>>> >>>> >>>> >>>> eg. 
in /etc/MailScanner/MailScanner.conf >>>> Virus Scanners = antivir >>> >>> >>> >>> I do have antivir written on this line, but I only gets information, >>> that antivir is updated. >>> >>>> >>>> MailScanner starts antivir for scanning = on-demand >>> >>> >>> >>> Ok, this is the job, that MailScanner does ?. >>> >>>> in short words: >>>> on access (daemon) = every file you or the os (operatingsystem) >>>> opens/access will be scanned >>>> on demand (command-line) = explicit start for scanning a file >>> >>> >>> >>> I see. And the only simple thing to do is having the antivir placed in >>> the MailScanner.conf as I have ?. Nothing else to do ?. >>> >>> I wonder then why virusinformation the doesn't have antivir in the >>> messages I receive about founded viruses. I receive information from my >>> F-PROT and my CLAMAV. They of course also is written on the >>> MailScanner.conf line. >>> >>> Thanks for your help. >>> >>> /Erik. >>> >>>>>>> ************************************************************************* >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> You downloaded the Linux Workstation product. This provides an >>>>>>> "on-access" scanner and a command-line "on-demand" scanner. If you >>>>>>> want >>>>>>> the command-line scanner to scan your emails, you will need to >>>>>>> configure >>>>>>> your Clarkconnect Server to call the antivir binary for each mail. >>>>>>> (I am >>>>>>> unfamiliar with the Clarkconnect Server, so I cannot offer any help >>>>>>> here). >>>>>>> >>>>>>> We also have MailGate available to private use. This runs as a mail >>>>>>> proxy to scan all incoming and outgoing email. >>>>>>> >>>>>>> ************************************************************************* >>>>>>> >>>>>>> >>>>>>> >>>> >>>> -- >>>> shrek-m >>>> >>> >>> -- >>> Med venlig hilsen - Best regards. >>> Erik Jakobsen - eja@urbakken.dk. >>> Licensed radioamateur with the callsign OZ4KK. >>> SuSE Linux 8.2 Proff. 
>>> Registered as user #319488 with the Linux Counter, >>> http://counter.li.org. >>> >> >> -- >> Med venlig hilsen - Best regards. >> Erik Jakobsen - eja@urbakken.dk. >> Licensed radioamateur with the callsign OZ4KK. >> SuSE Linux 8.2 Proff. >> Registered as user #319488 with the Linux Counter, http://counter.li.org. > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From chris at FRACTALWEB.COM Tue Jan 27 20:47:30 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? In-Reply-To: <200401271927.i0RJRDGE004572@avwall.bladeware.com> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> Message-ID: <4016CE62.9060900@fractalweb.com> Mike Kercher wrote: >How many emails are you pushing per day? I wonder if it's a load issue. >Have you tried the clamavmodule? > > Hi Mike, That's a great question. I generally have about 3k messages go through the server per day. The server load over the past couple of days generally hovers around the 0.55 mark, so I don't think it's a load issue. Not certain though...what do you think? Cheers, Chris From mailscanner at ecs.soton.ac.uk Tue Jan 27 20:47:28 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? 
In-Reply-To: <4016CE62.9060900@fractalweb.com> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> Message-ID: <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> At 20:47 27/01/2004, you wrote: >Mike Kercher wrote: > >>How many emails are you pushing per day? I wonder if it's a load issue. >>Have you tried the clamavmodule? >> >Hi Mike, > >That's a great question. I generally have about 3k messages go through >the server per day. The server load over the past couple of days >generally hovers around the 0.55 mark, so I don't think it's a load >issue. Not certain though...what do you think? I don't see any way in which the load could affect it. High load doesn't alter the execution of MailScanner. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rgreen at TRAYERPRODUCTS.COM Tue Jan 27 20:52:14 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> References: <4016C7EB.2000803@trayerproducts.com> <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> Message-ID: <4016CF7E.9060502@trayerproducts.com> Thanks Julian. Why can't the smtpd_recipient_restrictions parameter work for this? Postfix is configured the same on the old server where it is working. MailScanner is the only difference. Rod Julian Field wrote: > There is a feature implemented via a Custom Function in CustomConfig.pm > that does this. It's not a core feature as you are only about the 2nd > person to ever want it. > > At 20:19 27/01/2004, you wrote: > >> On my old mail server which was running Postfix without MailScanner I >> was able to use check_sender_access to prohibit certain users from >> sending mail to outside e-mail addresses. 
They could only send to >> internal addresses. >> >> With the new mail server running Postfix with MailScanner this is not >> working. It simply allows the mail to pass through. Everything's setup >> the same as far as the main.conf and the hash maps. Anyone know what >> might be wrong? Since MailScanner is running is it even using the >> check_sender_access parameter or is it bypassing it all together? >> >> Any help would be appreciated. >> >> Thanks, >> Rod > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From mailscanner at ecs.soton.ac.uk Tue Jan 27 21:01:30 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: <4016CF7E.9060502@trayerproducts.com> References: <4016C7EB.2000803@trayerproducts.com> <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> <4016CF7E.9060502@trayerproducts.com> Message-ID: <6.0.1.1.2.20040127210013.04572be8@imap.ecs.soton.ac.uk> At 20:52 27/01/2004, you wrote: >Thanks Julian. Why can't the smtpd_recipient_restrictions parameter work >for this? Postfix is configured the same on the old server where it is >working. MailScanner is the only difference. I don't see why it shouldn't work. Is it configured in your postfix.in as well as your postfix setups? I'm not familiar enough with Postfix to know the details of this feature, I'm afraid. >Rod > >Julian Field wrote: > >>There is a feature implemented via a Custom Function in CustomConfig.pm >>that does this. It's not a core feature as you are only about the 2nd >>person to ever want it. >> >>At 20:19 27/01/2004, you wrote: >> >>>On my old mail server which was running Postfix without MailScanner I >>>was able to use check_sender_access to prohibit certain users from >>>sending mail to outside e-mail addresses. 
They could only send to >>>internal addresses. >>> >>>With the new mail server running Postfix with MailScanner this is not >>>working. It simply allows the mail to pass through. Everything's setup >>>the same as far as the main.conf and the hash maps. Anyone know what >>>might be wrong? Since MailScanner is running is it even using the >>>check_sender_access parameter or is it bypassing it all together? >>> >>>Any help would be appreciated. >>> >>>Thanks, >>>Rod >> >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From robin at PRIMUS.CA Tue Jan 27 21:06:02 2004 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: <4016D1A0.9000001@trayerproducts.com> References: <4016C7EB.2000803@trayerproducts.com> <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> <4016D1A0.9000001@trayerproducts.com> Message-ID: On Tue, 27 Jan 2004, Rodney Green wrote: > I apologize. I changed the order of the lookup maps for the > smtpd_recipient_restrictions parameter and got it working. I had > permit_mynetworks before the map that checked whether or not the user > was a restricted sender user. Thanks for the help though. > If I may ask... what is the best way to prevent mail from being received or sent to any email address that is not hosted on the server. I.e. I want users to only be able to send/receive mail to each other and not to any other external domain. Should I do this at the MTA level or at the MailScanner level?
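The ordering problem Rodney Green describes in the text quoted above, as an added example that is not part of the thread and is not Postfix code: a small Python model of a first-match restriction list, showing why permit_mynetworks placed ahead of the sender map lets a restricted LAN user mail outside. The addresses, networks, table contents and the local_only class name are constructed assumptions.

```python
"""Toy model of how Postfix walks smtpd_recipient_restrictions (not Postfix code).

Restrictions are tried left to right; the first PERMIT or REJECT ends the
walk, DUNNO means "no opinion, ask the next restriction".
All addresses, networks and table contents are constructed for illustration.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed LAN range
LOCAL_DOMAINS = {"example.com"}                        # constructed local domain
# Hypothetical check_sender_access table: envelope sender -> restriction class.
RESTRICTED_SENDERS = {"intern@example.com": "local_only"}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def permit_mynetworks(client_ip, sender, rcpt):
    """Permit any client inside MYNETWORKS, whoever the sender claims to be."""
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def local_only(client_ip, sender, rcpt):
    """Hypothetical restriction class: local recipients only, reject the rest."""
    return "PERMIT" if _domain(rcpt) in LOCAL_DOMAINS else "REJECT"


CLASSES = {"local_only": local_only}


def check_sender_access(client_ip, sender, rcpt):
    """Look the envelope sender up in the table; unlisted senders get DUNNO."""
    cls = RESTRICTED_SENDERS.get(sender.lower())
    return CLASSES[cls](client_ip, sender, rcpt) if cls else "DUNNO"


def reject_unauth_destination(client_ip, sender, rcpt):
    """Refuse to relay to domains this server is not responsible for."""
    return "DUNNO" if _domain(rcpt) in LOCAL_DOMAINS else "REJECT"


def evaluate(restrictions, client_ip, sender, rcpt):
    """Return (verdict, name of the restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(client_ip, sender, rcpt)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end_of_list"


# Order described as not working: the LAN check answers before the sender map.
BROKEN_ORDER = [permit_mynetworks, check_sender_access, reject_unauth_destination]
# Order after the fix: the sender map is consulted first.
FIXED_ORDER = [check_sender_access, permit_mynetworks, reject_unauth_destination]

# (client IP, envelope sender, recipient), all constructed.
CASES = [
    ("192.0.2.10", "intern@example.com", "friend@outside.example"),
    ("192.0.2.10", "intern@example.com", "boss@example.com"),
    ("192.0.2.10", "staff@example.com", "friend@outside.example"),
    ("203.0.113.5", "stranger@outside.example", "someone@other.example"),
]


def compare():
    """Evaluate every case under both orders."""
    return [(c, evaluate(BROKEN_ORDER, *c), evaluate(FIXED_ORDER, *c)) for c in CASES]


if __name__ == "__main__":
    for case, broken, fixed in compare():
        print(case, "| broken order:", broken, "| fixed order:", fixed)
```

The sender looked up here is the envelope MAIL FROM address, which the client supplies, so a rule of this kind is a policy control for cooperating users rather than an authentication check.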
From rgreen at TRAYERPRODUCTS.COM Tue Jan 27 21:10:31 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: References: <4016C7EB.2000803@trayerproducts.com> <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> <4016D1A0.9000001@trayerproducts.com> Message-ID: <4016D3C7.2000704@trayerproducts.com> I would think at the MTA level. The only reason I posted my question here is that I mistakenly thought MailScanner was the problem when it wasn't. It was a misconfiguration of postfix on my part. Robin M. wrote: >On Tue, 27 Jan 2004, Rodney Green wrote: > > > >>I apologize. I changed the order of the lookup maps for the >>smtpd_recipient_restrictions parameter and got it working. I had >>permit_mynetworks before the map that checked whether or not the user >>was a restricted sender user. Thanks for the help though. >> >> >> >If I may ask... what is the best way to prevent mail from being received >or sent to any email address that is not hosted on the server. I.e. I want >users to only be able to send/receive mail to each other and not to any >other external domain. Should I do this at the MTA level or at the >MailScanner level? > > > >
From rzewnickie at RFA.ORG Tue Jan 27 21:16:55 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:07 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current Message-ID: <20040127211655.GF636@rfa.org> Apologies if this has been covered recently. I was unable to find it mentioned in the archives. I feel like it's been discussed and fixed already, but I can't find any references to it ... We have MailScanner-4.25-14 using both sophos (via sophossavi) and mcafee's uvscan. With the recent storm of MyDoom viruses I noticed that only sophos was catching them. I have /opt/MailScanner/lib/mcafee-autoupdate running every 30 minutes via cron.
The dats are updated in /usr/local/uvscan/datfiles// and the link /usr/local/uvscan/datfiles/current is created appropriately. However it appears that uvscan is being called with old dats that exist in /usr/local/uvscan/*.dat. We used to use uvscan with amavisd and the auto dat update script we used just deleted the old dats and put the new ones in /usr/local/uvscan/. As soon as I ran that old update script I started seeing mcafee catching MyDoom in the logs. The dats now in /usr/local/uvscan/*.dat are identical to those in /usr/local/uvscan/datfiles/current/ as downloaded by MS's mcafee-autoupdate. MS's mcafee-wrapper script looks like this:

PackageDir=$1
shift
prog=uvscan # `basename $0`
datDIR=$PackageDir
LD_LIBRARY_PATH=$PackageDir
export LD_LIBRARY_PATH

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$prog ] && exit 0
  exit 1
fi

exec ${PackageDir}/$prog -d $datDIR "$@"

I couldn't find where in MailScanner mcafee-wrapper is called, but I assume $1 is taken from /opt/MailScanner/etc/virus.scanners.conf. To me this looks like uvscan is being called with "-d /usr/local/uvscan" when it should be "-d /usr/local/uvscan/datfiles/current/". Here are the relevant variables set in mcafee-autoupdate:

PREFIX=/usr/local/uvscan
....
DATDIR=$PREFIX/datfiles
SUBDIR=datfiles/current
LINK=$PREFIX/$SUBDIR

according to this datDIR in mcafee-wrapper should be

datDIR=$PackageDir/datfiles/current

As I type this I feel like I've read about this problem being discussed and fixed on the list in the past ... but, as I said, I can't seem to find it in the archives. -Eric Rz.
From mailscanner at LISTS.COM.AR Tue Jan 27 21:18:52 2004 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:22:07 2006 Subject: is spam In-Reply-To: <469521986.1074802049@[192.168.0.25]> References: <1074796776.21963.3.camel@jfraleyx.glenraven.com> Message-ID: <4016AB8C.1393.163CAB37@localhost> Regretfully... it depends on how your mail server identifies messages...
ZMailer does so based on the inode number which is frequently reused (at least, in linux, it can be a matter of several reuses within a couple of seconds in a somewhat loaded server). I did write a patch which gives really unique id's to every message (see the thread http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0309&L=mailscanner&P=R106594 in the mailing list). I use this to generate an alternate log (in CustomConfig.pm) which gives me:
1 line for every message with the Id, timestamp, the origin info (IP & mail from), subject, spam status, spamassassin info, etc.
1 line for every recipient telling me the recipient address
1 line for every virus or other problem report
These lines are all written in a bunch so they don't intermix. All this is based on the SQLLogging function. Regretfully, Julian never added the Id to the distribution (maybe it is a little cpu intensive, but I didn't notice any drawbacks using medium-sized hardware), so I have to keep patching it... whenever I have time, I publish the patches and say it so in the mailing list. Regards. On 22 Jan 2004 at 20:07, D. H?hn wrote: > --On Thursday, 22 January 2004 13:39 -0500 Jon Fraley > wrote: > > > How difficult would it be to make the maillog line that lists the > > message as spam to also contain the destination address. Currently it > > just lists the domain. > > > >> Message i0MGftkf015909 from 198.85.139.28 (j.russell@thriftydog.com) to > > i0MGftkf015909 Tells you all you need to know. Simply get the destination > addy for that ID > > -d > > > Jon -- Mariano Absatz El Baby ---------------------------------------------------------- I don't suffer from insanity. I enjoy every minute of it.
From mailscanner at LISTS.COM.AR Tue Jan 27 21:17:36 2004 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:22:07 2006 Subject: Error disabling Filetype Rules In-Reply-To: <6.0.1.1.2.20040113162029.0752ec90@imap.ecs.soton.ac.uk> References: <200401131544.i0DFiNr06861@lime.algorithmics.com> Message-ID: <4016AB40.12586.163B829D@localhost> FWIW, it happened to me some time ago, with MS 4.23 under linux and using '/dev/null' as the filename worked like a charm... I don't see why it won't work with other MS/OS combinations. Sorry for sayin' this so awfully late, but I'm workin' on holidays and 2 or 3 months late in readin' the list... just browsin' subjects :-( Regards... On 13 Jan 2004 at 16:21, Julian Field wrote: > At 15:44 13/01/2004, you wrote: > >I got the following errors when trying to disable Filetype Rules as > >described in the config file: > > > >Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration > >file: > >Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword > >"filetyperules" at line 577 > >Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in > >/opt/MailScanner/etc/MailScanner.conf. > > > >I set the config parameter Filetype Rules to blank. > > > >This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. > > What do you get when you put a filename in instead of making it blank? -- Mariano Absatz El Baby ---------------------------------------------------------- Allow me to introduce my selves.
From Kevin at MICA.NET Tue Jan 27 21:19:21 2004 From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:22:07 2006 Subject: blocking all attachments Message-ID: <8B699873CEBA3543926B467E768082321A68C1@sol.hq.mica.net> Ok, I could have _sworn_ that this was JUST asked on the list, but after searching thru the archives and my local copies, I can't find it anywhere. I have a client that wants to block _ALL_ attachments. What's the best way to do that w/MailScanner?
I tried putting

deny \..*$

in the filename.rules.conf file, but that ends up blocking the entire message. I'm pretty sure that the previous poster had this same problem, but I can't seem to find the message that tells what the solution was... Sorry for asking something that was just so recently asked, I just can't seem to find the message... It's really baffling to me, since I distinctly remember reading it... Thx k
From campbell at CNPAPERS.COM Tue Jan 27 21:20:44 2004 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:22:07 2006 Subject: Announce: MailScanner-MRTG version 0.07 released References: <000001c3e47d$f2b46760$0200a8c0@penguin> <1075171229.7435.101.camel@bach.kevinspicer.co.uk> Message-ID: <001701c3e51b$6cb22dc0$cf01a8c0@cnpapers.net> I just installed MailScanner-MRTG 0.07 on my RedHat 7.3 today about noon. Since then, my CPU utilization has shown 0 (zero). I do have snmp installed, but do not start it, if that matters. Any clues? Steve Campbell campbell@cnpapers.com Charleston Newspapers
From jfraley at glenraven.com Tue Jan 27 21:17:18 2004 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? In-Reply-To: <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> Message-ID: <1075238237.2106.32.camel@jfraleyx.glenraven.com> I am seeing something similar. We run MailScanner 4.25-14, McAfee v4.2.40 and clamAV 0.65. It looks like clamAV does not identify all of the Worm.SCO.A as mcafee identifies W32/Mydoom@MM. These are my statistics for today:

W32/Dumaru.a@MM    2
W32/Klez.h@MM      2
W32/Mimail.a@MM    1
W32/Mimail.j@MM    1
W32/Mydoom@MM    765
Worm.Dumaru.A      2
Worm/Klez.H        2
Worm.Mimail.J      1
Worm.SCO.A       748

I have verified in my log that this is happening.
Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>, size=32981, class=0, nrcpts=1, msgid=<200401272047.i0RKlus5017510@crusher.glenraven.com>, proto=SMTP, daemon=MTA, relay=eagle.glenraven.com [198.85.139.28] Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: to=, delay=00:00:01, mailer=relay, pri=30802, stat=queued Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning: Starting Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages waiting Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1 messages, 32040 bytes Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting Jan 27 15:48:19 crusher MailScanner[2543]: /i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR Found the W32/Mydoom@MM virus !!! Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found 1 infections Jan 27 15:48:20 crusher MailScanner[2543]: Infected message i0RKlus5017510 came from 198.85.139.28 Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to /var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected "msg-2543-87.txt" to /var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 On Tue, 2004-01-27 at 15:47, Julian Field wrote: > At 20:47 27/01/2004, you wrote: > >Mike Kercher wrote: > > > >>How many emails are you pushing per day? I wonder if it's a load issue. > >>Have you tried the clamavmodule? > >> > >Hi Mike, > > > >That's a great question. I generally have about 3k messages go through > >the server per day. The server load over the past couple of days > >generally hovers around the 0.55 mark, so I don't think it's a load > >issue. Not certain though...what do you think? > > I don't see any way in which the load could affect it. High load doesn't > alter the execution of MailScanner. 
> -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chris at FRACTALWEB.COM Tue Jan 27 21:37:36 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? In-Reply-To: <1075238237.2106.32.camel@jfraleyx.glenraven.com> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> <1075238237.2106.32.camel@jfraleyx.glenraven.com> Message-ID: <4016DA20.7080004@fractalweb.com> Jon Fraley wrote: >I am seeing something similar. We run MailScanner 4.25-14, McAfee >v4.2.40 and clamAV 0.65. It looks like clamAV does not identify all the >of the Worm.SCO.A as mcafee identifies W32/Mydoom@MM. These are my >statistics for today: > > W32/Dumaru.a@MM 2 > W32/Klez.h@MM 2 > W32/Mimail.a@MM 1 > W32/Mimail.j@MM 1 > W32/Mydoom@MM 765 > Worm.Dumaru.A 2 > Worm/Klez.H 2 > Worm.Mimail.J 1 > Worm.SCO.A 748 > >I have verified in my log that this is happening. > >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>, >size=32981, class=0, nrcpts=1, >msgid=<200401272047.i0RKlus5017510@crusher.glenraven.com>, proto=SMTP, >daemon=MTA, relay=eagle.glenraven.com [198.85.139.28] >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: >to=, delay=00:00:01, mailer=relay, pri=30802, >stat=queued >Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning: >Starting >Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages >waiting >Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1 >messages, 32040 bytes >Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting >Jan 27 15:48:19 crusher MailScanner[2543]: >/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR Found >the W32/Mydoom@MM virus !!! 
>Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found >1 infections >Jan 27 15:48:20 crusher MailScanner[2543]: Infected message >i0RKlus5017510 came from 198.85.139.28 >Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 >Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected >"msg-2543-87.txt" to >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 > > Hi Jon, OK, now we're getting somewhere. I was concerned that it was only happening to me. Now the trick is going to be to figure out exactly when it happens and why. Under what circumstances is Clam not detecting? As I see it, we have a few possibilities: 1. MailScanner is sometimes not asking ClamAV to scan the attachment for a virus 2. MailScanner IS getting ClamAV to scan, but Clam is not reporting the infection, for whatever reason 3. Clam is scanning the file and reporting the infection, but MailScanner is not handling the message correctly. (remember the situation a couple of months back when Clam started complaining about an invalid zip header or something, then reported a virus found on the next line?) When McAfee detects the virus but Clam doesn't, is it always a zip file that we're dealing with? Let's move quickly on this. Cheers, Chris From rgreen at TRAYERPRODUCTS.COM Tue Jan 27 21:01:20 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:07 2006 Subject: Postfix/MailScanner In-Reply-To: <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> References: <4016C7EB.2000803@trayerproducts.com> <6.0.1.1.2.20040127203403.03a4b898@imap.ecs.soton.ac.uk> Message-ID: <4016D1A0.9000001@trayerproducts.com> I apologize. I changed the order of the lookup maps for the smtpd_recipient_restrictions parameter and got it working. I had permit_mynetworks before the map that checked whether or not the user was a restricted sender user. Thanks for the help though. 
Rod Julian Field wrote: > There is a feature implemented via a Custom Function in CustomConfig.pm > that does this. It's not a core feature as you are only about the 2nd > person to ever want it. > > At 20:19 27/01/2004, you wrote: > >> On my old mail server which was running Postfix without MailScanner I >> was able to use check_sender_access to prohibit certain users from >> sending mail to outside e-mail addresses. They could only send to >> internal addresses. >> >> With the new mail server running Postfix with MailScanner this is not >> working. It simply allows the mail to pass through. Everything's setup >> the same as far as the main.conf and the hash maps. Anyone know what >> might be wrong? Since MailScanner is running is it even using the >> check_sender_access parameter or is it bypassing it all together? >> >> Any help would be appreciated. >> >> Thanks, >> Rod > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >
From JFalgout at CO.JEFFERSON.CO.US Tue Jan 27 21:40:17 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:07 2006 Subject: blocking all attachments Message-ID: >>>> Kevin@MICA.NET 1/27/2004 2:19:21 PM >>> >Ok, I could have _sworn_ that this was JUST asked on the list, but after >searching thru the archives and my local copies, I can't find it >anywhere. It was under the subject "New virus outbreak" Here is one of the suggestions: Kevin Spicer wrote: >DONT DO THIS....!!!! > >deny .* Attachment All attachments temporarily rejected > >I just tried it (on my home box, not my production server thankfully) >and it blocks all parts of the message (including message text) > > happened to me too a few weeks ago ;-) this seems to be ok ---- allow \.txt$ - - allow \.htm*$ - - deny .
"bla" "blubber" ---- From jfraley at glenraven.com Tue Jan 27 21:45:06 2004 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? In-Reply-To: <4016DA20.7080004@fractalweb.com> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> <1075238237.2106.32.camel@jfraleyx.glenraven.com> <4016DA20.7080004@fractalweb.com> Message-ID: <1075239905.2106.34.camel@jfraleyx.glenraven.com> On Tue, 2004-01-27 at 16:37, Chris Yuzik wrote: > Jon Fraley wrote: > > >I am seeing something similar. We run MailScanner 4.25-14, McAfee > >v4.2.40 and clamAV 0.65. It looks like clamAV does not identify all the > >of the Worm.SCO.A as mcafee identifies W32/Mydoom@MM. These are my > >statistics for today: > > > > W32/Dumaru.a@MM 2 > > W32/Klez.h@MM 2 > > W32/Mimail.a@MM 1 > > W32/Mimail.j@MM 1 > > W32/Mydoom@MM 765 > > Worm.Dumaru.A 2 > > Worm/Klez.H 2 > > Worm.Mimail.J 1 > > Worm.SCO.A 748 > > > >I have verified in my log that this is happening. > > > >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>, > >size=32981, class=0, nrcpts=1, > >msgid=<200401272047.i0RKlus5017510@crusher.glenraven.com>, proto=SMTP, > >daemon=MTA, relay=eagle.glenraven.com [198.85.139.28] > >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: > >to=, delay=00:00:01, mailer=relay, pri=30802, > >stat=queued > >Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning: > >Starting > >Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages > >waiting > >Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1 > >messages, 32040 bytes > >Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting > >Jan 27 15:48:19 crusher MailScanner[2543]: > >/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR Found > >the W32/Mydoom@MM virus !!! 
> >Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found > >1 infections > >Jan 27 15:48:20 crusher MailScanner[2543]: Infected message > >i0RKlus5017510 came from 198.85.139.28 > >Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to > >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 > >Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected > >"msg-2543-87.txt" to > >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510 > > > > > Hi Jon, > > OK, now we're getting somewhere. I was concerned that it was only > happening to me. Now the trick is going to be to figure out exactly when > it happens and why. > > Under what circumstances is Clam not detecting? As I see it, we have a > few possibilities: > 1. MailScanner is sometimes not asking ClamAV to scan the attachment for > a virus > 2. MailScanner IS getting ClamAV to scan, but Clam is not reporting the > infection, for whatever reason > 3. Clam is scanning the file and reporting the infection, but > MailScanner is not handling the message correctly. (remember the > situation a couple of months back when Clam started complaining about an > invalid zip header or something, then reported a virus found on the next > line?) > > When McAfee detects the virus but Clam doesn't, is it always a zip file > that we're dealing with? > Not always a zip file: > New Batch: Scanning 1 messages, 33321 bytes > Jan 27 05:35:45 crusher MailScanner[2034]: Spam Checks: Starting > Jan 27 05:35:49 crusher MailScanner[2034]: Virus and Content Scanning: Starting > Jan 27 05:35:50 crusher MailScanner[2034]: /i0RAZgF0012813/msg-2034-182.txt/document.cmd Found the W32/Mydoom@MM virus !!! 
> Jan 27 05:35:50 crusher MailScanner[2034]: Virus Scanning: McAfee found 1 infections > Jan 27 05:35:50 crusher MailScanner[2034]: Infected message i0RAZgF0012813 came from 198.85.139.28 > Jan 27 05:35:50 crusher MailScanner[2034]: Saved entire message to /var/spool/MailScanner/quarantine/20040127/i0RAZgF0012813 > Jan 27 05:35:51 crusher MailScanner[2034]: Saved infected "msg-2034-182.txt" to /var/spool/MailScanner/quarantine/20040127/i0RAZgF0012813 Jon > Let's move quickly on this. > > Cheers, > Chris From JFalgout at CO.JEFFERSON.CO.US Tue Jan 27 22:03:55 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID Message-ID: >Max Children = 20 is very high. Try dropping that to about 12 as your >throughput may improve. Keep an eye on `top` as your system may be running >out of ram. Dropped down Max Children to 12 and installed the sophossavi module. That made a HUGE difference. The load is down to around 2-3. The sophossavi made the majority of the difference. Do have one more question though: sophossavi is reporting MyDoom as : MessageID: i0RLwFnh028241 Report: SophosSAVI: document.zip was infected by W32/MyDoom-A W32/MyDoom-A ClamAV: document.zip contains Worm.SCO.A Has anyone else noticed this (the duplicate name)? From chris at FRACTALWEB.COM Tue Jan 27 22:06:55 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:07 2006 Subject: tons of infected files getting though??? 
In-Reply-To: <1075239905.2106.34.camel@jfraleyx.glenraven.com>
References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> <1075238237.2106.32.camel@jfraleyx.glenraven.com> <4016DA20.7080004@fractalweb.com> <1075239905.2106.34.camel@jfraleyx.glenraven.com>
Message-ID: <4016E0FF.7080203@fractalweb.com>

Jon Fraley wrote:

>On Tue, 2004-01-27 at 16:37, Chris Yuzik wrote:
>
>
>>Hi Jon,
>>
>>OK, now we're getting somewhere. I was concerned that it was only
>>happening to me. Now the trick is going to be to figure out exactly when
>>it happens and why.
>>
>>Under what circumstances is Clam not detecting? As I see it, we have a
>>few possibilities:
>>1. MailScanner is sometimes not asking ClamAV to scan the attachment for
>>a virus
>>2. MailScanner IS getting ClamAV to scan, but Clam is not reporting the
>>infection, for whatever reason
>>3. Clam is scanning the file and reporting the infection, but
>>MailScanner is not handling the message correctly. (remember the
>>situation a couple of months back when Clam started complaining about an
>>invalid zip header or something, then reported a virus found on the next
>>line?)
>>
>>

Hi Jon (and everyone else),

Ok, then how do we go about figuring out if ClamAV is even scanning the message? I don't see much in the maillog that indicates whether it was or wasn't scanned by Clam and what the result was.

Is there a way of turning on a supplemental log for ClamAV? Adjusting the wrapper, perhaps?

Cheers,
Chris

From hywel at BURRIS.ORG.UK Tue Jan 27 21:59:17 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:07 2006
Subject: Upgrade to SpamAssassin-2.63-1 problem
Message-ID: <200401272209.i0RM9tqZ015404@mail.burris.org.uk>

Hi,

After upgrading to SpamAssassin-2.63-1 I am getting the following error after running in debug mode:-

MailScanner: In Debugging mode, not forking...
SpamAssassin installation could not be found at /usr/lib/MailScanner/MailScanner/SA.pm line 101

I have tried putting in the path to spamassassin in mailscanner.conf but to no avail.

I am using RH 8.0 and mailscanner-4.25-14

Thanks
Hywel

P.S Thanks Julian for all your good work. I use this at home and for a small company and it's the first time I have ever had an issue

From Kevin at MICA.NET Tue Jan 27 22:29:25 2004
From: Kevin at MICA.NET (Kevin Hanser)
Date: Thu Jan 12 21:22:07 2006
Subject: blocking all attachments
Message-ID: <8B699873CEBA3543926B467E768082320344D7@sol.hq.mica.net>

Cool, I think I've got it working using that example. There was one minor change I made though, to the html line:

allow \.htm.*$

The original was:

allow \.htm*$

I made the change because I think the original had a typo... Unless I'm misreading (or forgetting how regex's work), that one means it'll match .ht, .htm, and .htmmmmmmmmmmmmmmmmm (and however many more m's you want) file, but not .html files. :)

Other than fixing the typo it seems to work.

Thanx!

k

-----Original Message-----
From: Jeff Falgout [mailto:JFalgout@CO.JEFFERSON.CO.US]

>>>> Kevin@MICA.NET 1/27/2004 2:19:21 PM >>>
>Ok, I could have _sworn_ that this was JUST asked on the list, but after
>searching thru the archives and my local copies, I can't find it
>anywhere.

It was under the subject "New virus outbreak"

Here is one of the suggestions:

Kevin Spicer wrote:

>DONT DO THIS....!!!!
>
>deny .* Attachment All attachments temporarily rejected
>
>I just tried it (on my home box, not my production server thankfully)
>and it blocks all parts of the message (including message text)
>
>

happened to me too a few weeks ago ;-)

this seems to be ok

----
allow \.txt$ - -
allow \.htm*$ - -
deny .
"bla" "blubber" ---- From mike at CAMAROSS.NET Tue Jan 27 22:43:30 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:07 2006 Subject: Performance Tuning and RAID In-Reply-To: Message-ID: <200401272235.i0RMZwGE005422@avwall.bladeware.com> I see the same thing. I'm also using the clamavmodule instead of plain clamav Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff Falgout > Sent: Tuesday, January 27, 2004 4:04 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Performance Tuning and RAID > > >Max Children = 20 is very high. Try dropping that to about > 12 as your > >throughput may improve. Keep an eye on `top` as your system may be > running > >out of ram. > > Dropped down Max Children to 12 and installed the sophossavi module. > > That made a HUGE difference. The load is down to around 2-3. > The sophossavi made the majority of the difference. > > Do have one more question though: > > sophossavi is reporting MyDoom as : > > MessageID: i0RLwFnh028241 > Report: SophosSAVI: document.zip was infected by > W32/MyDoom-A W32/MyDoom-A > ClamAV: document.zip contains Worm.SCO.A > > Has anyone else noticed this (the duplicate name)? > From kevin at KEVINSPICER.CO.UK Tue Jan 27 22:54:13 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:07 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <4016BCB3.7090604@glendown.de> References: <1075154875.27684.26.camel@bach.kevinspicer.co.uk> <4016BCB3.7090604@glendown.de> Message-ID: <1075244053.23032.2.camel@bach.kevinspicer.co.uk> On Tue, 2004-01-27 at 19:32, Garry Glendown wrote: > Something I've been wondering about ... a while back, mailscanner-mrtg > kept nice stats about the number of mails relayed ... 
anyway, ever since
> I installed a new server, this counter has been way down - even after
> the update to the current version, all I get is a very low number of
> mails, even though (currently) over 5000 spam mails are recognized ...
> All my mail logs end up in /var/log/mail, which is what I use in the
> mailscanner-mrtg config ... I'm running sendmail ...
>
> Any idea?

Not really! What version of syslog are you using? Give me an email off list and I'll try and work with you to find out why.

>
> Also, too bad the update from 0.06 to 0.07 loses all the old data ... :(
> or did I miss something?

I think you must have, maybe you installed in a different location? I was most careful not to lose old data, the one exception being the IP traffic counters, which previously didn't make a lot of sense

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

From kevin at KEVINSPICER.CO.UK Tue Jan 27 22:55:50 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:07 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <001701c3e51b$6cb22dc0$cf01a8c0@cnpapers.net>
References: <000001c3e47d$f2b46760$0200a8c0@penguin> <1075171229.7435.101.camel@bach.kevinspicer.co.uk> <001701c3e51b$6cb22dc0$cf01a8c0@cnpapers.net>
Message-ID: <1075244150.23032.4.camel@bach.kevinspicer.co.uk>

On Tue, 2004-01-27 at 21:20, Stephe Campbell wrote:
> I just installed MailScanner-MRTG 0.07 on my RedHat 7.3 today about noon.
> Since then, my CPU utilization has shown 0 (zero). I do have snmp installed,
> but do not start it, if that matters. Any clues?
>

Since the CPU utilization is now pulled from snmp, starting snmp is the most likely way to solve your problem.

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)

This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

From peter at UCGBOOK.COM Tue Jan 27 23:06:52 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:07 2006
Subject: Upgrade to SpamAssassin-2.63-1 problem
In-Reply-To: <200401272209.i0RM9tqZ015404@mail.burris.org.uk>
References: <200401272209.i0RM9tqZ015404@mail.burris.org.uk>
Message-ID: <4016EF0C.9010707@ucgbook.com>

Hywel Burris wrote:

> After upgrading to SpamAssassin-2.63-1 I am getting the following error
> after running in debug mode:-

By the looks of your version number you have installed from RPM, right? Can't do that. Source, CPAN or SRPM, but not RPM.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From hywel at BURRIS.ORG.UK Tue Jan 27 23:15:26 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:22:07 2006
Subject: Upgrade to SpamAssassin-2.63-1 problem
In-Reply-To: <4016EF0C.9010707@ucgbook.com>
Message-ID: <200401272326.i0RNQ6eA018363@mail.burris.org.uk>

Hi Peter,

Yes I installed from the RPM. If this can't be done could you briefly explain how. I seem to remember an email from this group about 6 weeks ago on this subject but couldn't find it.

I have never had any issue like this before from upgrading SA, wonder why this one's different.
Thanks

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Peter Bonivart
Sent: 27 January 2004 23:07
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Upgrade to SpamAssassin-2.63-1 problem

Hywel Burris wrote:

> After upgrading to SpamAssassin-2.63-1 I am getting the following
> error after running in debug mode:-

By the looks of your version number you have installed from RPM, right? Can't do that. Source, CPAN or SRPM, but not RPM.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From peter at UCGBOOK.COM Tue Jan 27 23:35:02 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:22:07 2006
Subject: Upgrade to SpamAssassin-2.63-1 problem
In-Reply-To: <200401272326.i0RNQ6eA018363@mail.burris.org.uk>
References: <200401272326.i0RNQ6eA018363@mail.burris.org.uk>
Message-ID: <4016F5A6.70303@ucgbook.com>

Hywel Burris wrote:

> Hi Peter,
>
> Yes I installed from the RPM. If this can't be done could you briefly
> explain how. I seem to remember an email from this group about 6 weeks ago on
> this subject but couldn't find it.
>
> I have never had any issue like this before from upgrading SA, wonder why
> this one's different.
>
> Thanks

There's nothing wrong with the RPM if you want to use SA standalone but it will not work with MailScanner, all paths will be screwed up and MS will not find stuff. That's why it's OK to use SRPM because that's built for your system.

I would recommend CPAN, I use that on Solaris also. Extremely simple:

# perl -e shell -MCPAN
cpan> install Mail::SpamAssassin

Of course, remove the RPM first.
--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

From isp-list at TULSACONNECT.COM Tue Jan 27 23:45:03 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:22:07 2006
Subject: Check SpamAssassin If On Spam List Issue
In-Reply-To: <6.0.1.1.2.20040127151841.131c6cf0@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20040127073119.07a6ce80@securemail.tulsaconnect. com> <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect. com> <5.1.1.6.2.20040126175033.056d4ea8@securemail.tulsaconnect.com> <5.2.1.1.2.20040127073119.07a6ce80@securemail.tulsaconnect.com>
Message-ID: <5.1.1.6.2.20040127174440.054e1d48@pop3.tulsaconnect.com>

At 03:18 PM 1/27/2004 +0000, you wrote:
>At 13:31 27/01/2004, you wrote:
>>At 09:32 AM 1/27/2004 +0000, you wrote:
>>>Do you mean everywhere the score is used, or just in the "spam stars"
>>>header?
>>
>>Just the spam stars header..
>
>Done. It will be in this weekend's release.
>--

Thanks much.

-----------------------------------------
Mike Bacher / isp-list@tulsaconnect.com
TCIS - TulsaConnect Internet Services
Phone: 918-584-1100x110 Fax: 918-582-5776
-----------------------------------------

From chris at FRACTALWEB.COM Wed Jan 28 00:04:55 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:07 2006
Subject: tons of infected files getting though??? and clamscan logging
In-Reply-To: <4016E0FF.7080203@fractalweb.com>
References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> <1075238237.2106.32.camel@jfraleyx.glenraven.com> <4016DA20.7080004@fractalweb.com> <1075239905.2106.34.camel@jfraleyx.glenraven.com> <4016E0FF.7080203@fractalweb.com>
Message-ID: <4016FCA7.6060507@fractalweb.com>

Chris Yuzik wrote:

> Ok, then how do we go about figuring out if ClamAV is even scanning the
> message?
I don't see much in the maillog that indicates whether it was
> or wasn't scanned by Clam and what the result was.
>
> Is there a way of turning on a supplemental log for ClamAV? Adjusting
> the wrapper, perhaps?

Nothing like responding to your own emails. :-)

I've modified the clamav-wrapper file by changing the ScanOptions= line to the following:

ScanOptions="$ScanOptions --unzip -l /tmp/clamscanlog --log-verbose"

I now have a log entry in /tmp/clamscanlog each time a message gets logged. Unfortunately the log tells me almost nothing. A typical entry looks like this:

--------------------------------------
Scan started: Tue Jan 27 14:32:06 2004

And an entry where it finds an infected file looks like this:

--------------------------------------
Scan started: Tue Jan 27 14:33:21 2004

/var/spool/MailScanner/incoming/26770/./i0RMXBV26943/file.pif: Worm.SCO.A FOUND

Even with "--log-verbose" enabled, I'm not getting the kind of information in the log file that I get if I run clamscan by hand with the same options. Not sure why.

I'm not any closer (yet) to figuring out why some infected files walk right by the virus scanner.

If I find a file that was originally marked as spam--but not infected--how do I resubmit the file back to sendmail so it gets processed by MailScanner again? For example, I've got a file called i0RNAtV30557 that certainly looks suspicious, but when it went through MailScanner it only got marked as Spam.

Any further thoughts out there?

Cheers,
Chris

From Kevin_Miller at CI.JUNEAU.AK.US Wed Jan 28 00:43:29 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:07 2006
Subject: f-prot question
Message-ID: <08146035CA49D6119A36009027AC822A0264ED4C@CITY-EXCH-NTS>

Yesterday when the MyDoom hit, a number of messages slipped in before the antivirus engines were on top of it. Clam seemed to be the first to catch it, but both my f-secure and f-prot weren't on it yet.
First thing I did was disallow .zip files, then went about updating my antivirus signatures manually. (Both are catching it now.)

Poking around, it seemed like F-prot hadn't updated in quite some time. I'm running two machines. I checked the logs, and the first seems to start the update.virus.scanners script, but I don't know if it gets any farther. On my second machine it clearly kicks off the clam and f-secure autoupdate. I'm not sure it is with f-prot. I'm not getting anything further in the logs.

mx1
-----------
Jan 27 01:00:01 mis-mxg-lnx update.virus.scanners: Found f-prot installed

mx2
-----------
Jan 27 13:00:01 mis-mx2-lnx update.virus.scanners: Found clamav installed
Jan 27 13:00:01 mis-mx2-lnx update.virus.scanners: Running autoupdate for clamav
Jan 27 13:00:06 mis-mx2-lnx ClamAV-autoupdate[21592]: ClamAV did not need updating
Jan 27 13:00:06 mis-mx2-lnx update.virus.scanners: Found f-secure installed
Jan 27 13:00:06 mis-mx2-lnx update.virus.scanners: Running autoupdate for f-secure

FWIW, this is what "f-prot -verno" reports:

F-PROT ANTIVIRUS
Program version: 4.1.2
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 27 January 2004
SIGN2.DEF created 27 January 2004
MACRO.DEF created 26 January 2004

I'm tempted to run f-prot.autoupdate from the command line to see what it outputs, but not sure if I oughta shut down MailScanner first. I think not but figured I'd double check. Any reason not to?

I see references to newer versions of f-prot on the list too. Stinkers. They didn't notify me they'd upgraded it again. I did get one notice from them last fall. Sigh. Yet another thing to check into.

As always, thanks much...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500

From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Jan 28 01:14:48 2004
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:22:07 2006
Subject: Performance Tuning and RAID
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F81@eqmail1.efni.vpn>

You'll notice this on most virii that transmit themselves inside of archives. When your virus scanner runs, it first finds the signature in the zip file itself, and also finds it in the contents when it extracts the zip.

This happens to me with Sophos against a few of the Mimail variants and of course, MyDoom. A little annoying, but at least it's working ;-)

Cheers,
-Joshua

From ugob at CAMO-ROUTE.COM Wed Jan 28 01:22:14 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:07 2006
Subject: Filetype blocking
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741E9D0@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410831@mtlnt501fs.CAMOROUTE.COM> <54C38A0B814C8E438EF73FC76F36292741E9D0@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <40170EC6.2030901@camo-route.com>

Chris Harris wrote:

> How much more of a load will enabling this put on my server? Will it
> increase the chance of timeouts?
>

Added load depends on a lot of things. Best way to know is to test it (enabling virus-scanning). It will probably not increase the chance of timeouts, but it will take longer to process messages.

> ----- Original Message -----
> From: "Ugo Bellavance"
> To:
> Sent: Tuesday, January 27, 2004 11:02 AM
> Subject: Re: Filetype blocking
>
>
> > -----Original Message-----
> > From: Chris Harris [mailto:cwharris@MORGAN.NET]
> > Sent: Tuesday, January 27, 2004 12:01 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Filetype blocking
> >
> >
> > If I have virus scanning set to no, do the filetype rules still apply?
> > ==
> >
> > yes, if you have uncommented the file setting to let know the
> location of
> your file command.
> >
> > Ugo
> > ==
> >
> > Chris
> >
> >
>

From jovi_2 at YAHOO.COM Wed Jan 28 01:48:37 2004
From: jovi_2 at YAHOO.COM (Sathes Nair)
Date: Thu Jan 12 21:22:07 2006
Subject: Blocking Subject Header
Message-ID: <20040128014837.64579.qmail@web10906.mail.yahoo.com>

Hi there,

Due to the recent virus outbreak..(W32.Novarg.A@mm) I would like to inquire is there any way mailscanner can block subject tag that starts with hi, hello, test,.
I am using mailscanner with sendmail on solaris 8.
Thank you so much in advance

cheers....

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/

From ugob at CAMO-ROUTE.COM Wed Jan 28 02:07:00 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:08 2006
Subject: Blocking Subject Header
Message-ID: <54C38A0B814C8E438EF73FC76F362927410841@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Sathes Nair [mailto:jovi_2@YAHOO.COM]
> Sent: Tuesday, January 27, 2004 8:49 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Blocking Subject Header
>
>
> Hi there,
>
> Due to the recent virus outbreak..(W32.Novarg.A@mm) I
> would like to inquire is there any way mailscanner can
> block subject tag that starts with hi, hello, test,.

I don't think mailscanner can do that. However, you can use spamassassin to give it a high score so that it will be treated as a high-scoring spam. In my case, store, delete; so my users never see them.

> I am using mailscanner with sendmail on solaris 8.
> Thank you so much in advance
>
> cheers....
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free web site building tool. Try it!
> http://webhosting.yahoo.com/ps/sb/
>

From gdoris at ROGERS.COM Wed Jan 28 02:08:55 2004
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:22:08 2006
Subject: MyDoom question
In-Reply-To: <6.0.1.1.2.20040127183011.044e2f68@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040127183011.044e2f68@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 27 Jan 2004, Julian Field wrote:

> No. Someone's PC is infected and it happens to have one of your email
> addresses in its address book. MyDoom-A forges sender addresses using any
> it can find.
> --
> Julian Field

I've suddenly been hit with a small flood of emails addressed like the following:

james@dorfam.ca
jen@dorfam.ca
jim@dorfam.ca

the list goes on and on.

None of these users exist so all are rejected. Has this got something to do with the new virus?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From bidwell at ANDREWS.EDU Wed Jan 28 02:26:11 2004
From: bidwell at ANDREWS.EDU (Daniel Bidwell)
Date: Thu Jan 12 21:22:08 2006
Subject: making clamav examine
Message-ID: <1075256771.1168.24.camel@samwise>

I am using MailScanner 4.20-3 with Clamav 0.60. They are working well, but clamav doesn't seem to be scanning .zip files from MailScanner. When I run clamscan on an infected zip file it detects the virus correctly.

I have added the "--unzip" option to the clamav-wrapper, but this doesn't seem to make any difference. Is there a list of file types that MailScanner will pass to clamav? Any suggestions?

--
Daniel R. Bidwell | bidwell@andrews.edu
Andrews University | Information Technology Services
If two always agree, one of them is unnecessary
"Friends don't let friends do DOS"
"In theory, theory and practice are the same. In practice, however, they are not."
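Added example, not part of any list post: one way to answer the question raised in this thread of which messages McAfee flagged but ClamAV did not, and whether those attachments sat inside a zip. The two regexes follow the McAfee maillog line and the clamscan `-l` log line quoted in the thread; the sample lines are constructed from those shapes, and the third McAfee line is invented so that one message appears in both logs.

```python
import re
from collections import defaultdict

# McAfee result as MailScanner writes it to the maillog (shape quoted in the thread).
MCAFEE_RE = re.compile(
    r"MailScanner\[\d+\]:\s+/(?P<qid>[^/\s]+)/(?P<path>\S+)\s+Found the (?P<name>\S+) virus"
)
# clamscan log entry produced by the "-l /tmp/clamscanlog" wrapper option.
CLAM_RE = re.compile(
    r"^/var/spool/MailScanner/incoming/\d+/\./(?P<qid>[^/]+)/(?P<path>[^:]+): (?P<name>\S+) FOUND$"
)

# Constructed sample input, modelled on the log lines posted to the list.
MAILLOG = """\
Jan 27 15:48:19 crusher MailScanner[2543]: /i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR Found the W32/Mydoom@MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found 1 infections
Jan 27 05:35:50 crusher MailScanner[2034]: /i0RAZgF0012813/msg-2034-182.txt/document.cmd Found the W32/Mydoom@MM virus !!!
Jan 27 14:33:22 crusher MailScanner[2034]: /i0RMXBV26943/file.pif Found the W32/Mydoom@MM virus !!!
"""
CLAMLOG = """\
--------------------------------------
Scan started: Tue Jan 27 14:33:21 2004

/var/spool/MailScanner/incoming/26770/./i0RMXBV26943/file.pif: Worm.SCO.A FOUND
"""


def mcafee_hits(lines):
    """Map sendmail queue ID -> [(attachment path, virus name)] from maillog lines."""
    hits = defaultdict(list)
    for line in lines:
        m = MCAFEE_RE.search(line)
        if m:
            hits[m["qid"]].append((m["path"], m["name"]))
    return hits


def clam_hits(lines):
    """Map sendmail queue ID -> [(attachment path, virus name)] from clamscan log lines."""
    hits = defaultdict(list)
    for line in lines:
        m = CLAM_RE.match(line.strip())
        if m:
            hits[m["qid"]].append((m["path"], m["name"]))
    return hits


def inside_zip(path):
    """True when any container above the flagged file is a .zip archive."""
    return any(part.lower().endswith(".zip") for part in path.split("/")[:-1])


def missed_by_clam(maillog_lines, clamlog_lines):
    """List (queue ID, McAfee name, path, inside_zip) for messages only McAfee flagged."""
    mcafee, clam = mcafee_hits(maillog_lines), clam_hits(clamlog_lines)
    report = []
    for qid in sorted(set(mcafee) - set(clam)):
        for path, name in mcafee[qid]:
            report.append((qid, name, path, inside_zip(path)))
    return report


if __name__ == "__main__":
    for row in missed_by_clam(MAILLOG.splitlines(), CLAMLOG.splitlines()):
        print(row)
```

The queue IDs it returns name the quarantine directories worth re-scanning by hand with clamscan.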
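Added example, not part of any list post: the two `allow` patterns from the "blocking all attachments" exchange earlier in this thread, evaluated against constructed attachment names, including a double extension and the space-padded name described in the ".htm not virus" post. Python's `re` stands in for MailScanner's own matching, first-match-wins evaluation is assumed, and the anchored pattern `\.html?$` is a hypothetical alternative that appears in none of the posts.

```python
import re

# Rule sets as (action, pattern) pairs, checked top to bottom; the first
# matching rule decides (assumed evaluation order for this example).
ORIGINAL = [("allow", r"\.txt$"), ("allow", r"\.htm*$"), ("deny", r".")]
LOOSENED = [("allow", r"\.txt$"), ("allow", r"\.htm.*$"), ("deny", r".")]
# Hypothetical alternative, not from the thread: optional "l", anchored at the end.
ANCHORED = [("allow", r"\.txt$"), ("allow", r"\.html?$"), ("deny", r".")]

# Constructed attachment names.
PADDED = "form.htm" + " " * 40 + ".exe"
SAMPLES = [
    "notes.txt",
    "page.ht",
    "page.htm",
    "page.html",
    "form.htm.exe",
    PADDED,
    "archive.zip",
]


def decide(rules, filename):
    """Return the action of the first rule whose pattern is found in filename."""
    for action, pattern in rules:
        if re.search(pattern, filename):
            return action
    return "allow"  # no rule matched; only reachable for an empty name here


def compare(filenames):
    """Map each name to its (ORIGINAL, LOOSENED, ANCHORED) decisions."""
    return {
        name: tuple(decide(rules, name) for rules in (ORIGINAL, LOOSENED, ANCHORED))
        for name in filenames
    }


def allowed_only_by_loosened(filenames):
    """Names the '.*' pattern lets through that the anchored pattern rejects."""
    return [
        name
        for name in filenames
        if decide(LOOSENED, name) == "allow" and decide(ANCHORED, name) == "deny"
    ]


if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(f"{name[:30]!r:34} original={verdicts[0]:5} "
              f"loosened={verdicts[1]:5} anchored={verdicts[2]}")
```

The `.*` in the loosened rule matches anything after `.htm`, so a name that merely contains `.htm` before its real extension is allowed ahead of the final `deny` rule.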
From ecorrado at ATHENA.RIDER.EDU Wed Jan 28 03:42:42 2004
From: ecorrado at ATHENA.RIDER.EDU (Ed Corrado)
Date: Thu Jan 12 21:22:08 2006
Subject: Filter filetype not working
Message-ID:

On Tue, 27 Jan 2004 03:41:40 -0000, Michele Neylon :: Blacknight Solutions wrote:

>Ed
>
>Could you provide headers of the emails that were not blocked please.
>
>Michele

Hello Michele,

The headers are as follows:

Return-Path:
X-Sieve: cmu-sieve 2.0
Return-Path:
Received: from athena.rider.edu (athena.rider.edu [192.107.45.155]) by imap.ascsa.org (8.11.6/8.9.3) with ESMTP id i0S4LDK11425 for ; Tue, 27 Jan 2004 23:21:13 -0500
Received: from localhost (ecorrado@localhost) by athena.rider.edu (8.11.7p1+Sun/8.11.6) with ESMTP id i0S3Kn025056 for ; Tue, 27 Jan 2004 22:20:49 -0500 (EST)
Date: Tue, 27 Jan 2004 22:20:49 -0500 (EST)
From: "Edward M. Corrado"
X-Sender: ecorrado@athena
To: ecorrado@imap.ascsa.org
Subject: NT Passwod reset tool
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-851401618-1075260049=:25044"
X-ASCSA-MailScanner-Information: Please contact the ISP for more information
X-ASCSA-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-ASCSA-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.962, required 3, BAYES_00 -4.90, MICROSOFT_EXECUTABLE 0.10, MIME_MISSING_BOUNDARY 1.84)

Interesting that it almost got respected as spam, but the file type checking in MailScanner doesn't seem to have an effect. I guess I could higher the value of a message with a Microsoft Executable in SpamAssassin, but I'd rather have them all rejected by MailScanner.

Ed Corrado

From ecorrado at ATHENA.RIDER.EDU Wed Jan 28 03:49:43 2004
From: ecorrado at ATHENA.RIDER.EDU (Ed Corrado)
Date: Thu Jan 12 21:22:08 2006
Subject: Filter filetype not working
Message-ID:

On Tue, 27 Jan 2004 09:37:16 +0000, Julian Field wrote:

>The filetype checking is disabled by default.
Look for the line that
>defines the File command and you will probably find a "#" in it starting a
>comment.

Thank you for the suggestion, I did find a "#" in the "File Command" line (it read File Command= #/usr/bin/file) and I took it out. However, after restarting MailScanner it still did not do anything about the executable attachment so I must have a different issue.

>Also, check that when you locally send these test messages you are actually
>sending them through MailScanner.

I sent the messages from another machine on a different network.

>And don't forget that just calling a file
>foobar.exe doesn't make it an executable as far as the filetype checking is
>concerned. It needs to contain executable code :-)

That is good to know, but the file I sent was a real executable so that doesn't seem to be a problem.

Thank you again for the suggestions,
Edward

From mike at CAMAROSS.NET Wed Jan 28 04:03:37 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:08 2006
Subject: MyDoom question
In-Reply-To:
Message-ID: <200401280356.i0S3u5GE031244@avwall.bladeware.com>

Yeah...I'm seeing the same thing too. Unfortunately, mike@ is one of those common names that is on the list, so more are being accepted at my boxen.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gerry Doris
> Sent: Tuesday, January 27, 2004 8:09 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MyDoom question
>
> On Tue, 27 Jan 2004, Julian Field wrote:
>
> > No. Someone's PC is infected and it happens to have one of
> your email
> > addresses in its address book. MyDoom-A forges sender
> addresses using
> > any it can find.
> > --
> > Julian Field
>
> I've suddenly been hit with a small flood of emails addressed like the
> following:
>
> james@dorfam.ca
> jen@dorfam.ca
> jim@dorfam.ca
>
> the list goes on and on.
>
> None of these users exist so all are rejected. Has this got
> something to do with the new virus?
> > -- > Gerry > > "The lyfe so short, the craft so long to learne" Chaucer > From chris at FRACTALWEB.COM Wed Jan 28 04:09:27 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:08 2006 Subject: making clamav examine In-Reply-To: <1075256771.1168.24.camel@samwise> References: <1075256771.1168.24.camel@samwise> Message-ID: <401735F7.8040007@fractalweb.com> Daniel Bidwell wrote: >I am using MailScanner 4.20-3 with Clamav 0.60. They are working well, >but clamav doesn't seem to be scanning .zip files from MailScanner. >When I run clamscan on an infected zip file it tells detects the virus >correctly. > > Have you considered updating MailScanner and Clamav? Both are pretty easy upgrades and I would seriously recommend it. >I have added the "--unzip" option to the clamav-wrapper, but this >doesn't seem to make any difference. Is there a list of file types that >MailScanner will pass to clamav? Any suggestions? > > Are you having problems detecting zips that are infected with worm.sco.a? I think this is a different issue than the one that could be fixed by adding "--unzip" to the clamav wrapper. That was a problem with corrupt zip headers...this is something different. I think everyone is still trying to figure it out. Stay tuned. Cheers, Chris From chris at FRACTALWEB.COM Wed Jan 28 06:04:34 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:08 2006 Subject: tons of infected files getting though??? and clamscan logging In-Reply-To: <4016FCA7.6060507@fractalweb.com> References: <200401271927.i0RJRDGE004572@avwall.bladeware.com> <4016CE62.9060900@fractalweb.com> <6.0.1.1.2.20040127204658.04569008@imap.ecs.soton.ac.uk> <1075238237.2106.32.camel@jfraleyx.glenraven.com> <4016DA20.7080004@fractalweb.com> <1075239905.2106.34.camel@jfraleyx.glenraven.com> <4016E0FF.7080203@fractalweb.com> <4016FCA7.6060507@fractalweb.com> Message-ID: <401750F2.5080203@fractalweb.com> Hi all, Ok, now I'm getting somewhere. 
(and yes, I do talk to myself in the real world too ;-)

I found a message that was marked as spam but not marked as infected with "worm.sco.a", although it clearly was. Using MailWatch, I released the message to myself. Evidently, when messages are released by MailWatch, it goes right past the virus scanners and in to my inbox. My windows antivirus program picked it up and notified me when I retrieved my email. So, the email is definitely infected--no question about that.

Next, I set up a new email address for testing, and released the message to that account. From the squirrelmail interface, I could see the message and the attachment, and I forwarded that message to the same address. When the message arrived, it was correctly tagged as infected. So why wasn't it originally tagged as infected in the first place? Not sure.

Next, I logged in to my mail server as root, found the message and manually told clamav to scan it. It scans as "OK". Hmmmm. Something is up here, and I'm not sure what. I suspect there is something wrong or unique about the mime parts of the message...but I don't read mime very well--heck, I find mimes annoying, but I digress. There must be something different about the messages that clam scans as "OK" vs. the ones that it scans as "FOUND Worm.SCO.A" when they're both clearly infected.

Here's the message that scans clean, with the encoded attachment snipped out. Anyone see anything wrong with this?

Cheers,
Chris

> X-ClientAddr: 24.???.???.???
> Return-Path: <~Ag> > Received: from bondage.com (h???-???-???-???.vf.shawcable.net > [24.???.???.???]) > by ns1.fractalweb.com (8.11.6/8.11.6) with ESMTP id i0S3vVV20355 > for ; Tue, 27 Jan 2004 19:57:32 -0800 > Message-Id: <200401280357.i0S3vVV20355@ns1.fractalweb.com> > From: forgeduser@sendingdomain.com > To: user@domain.com > Subject: Error > Date: Tue, 27 Jan 2004 19:57:32 -0800 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_0005_09C60BCC.30FFADF6" > X-Priority: 3 > X-MSMail-Priority: Normal > > This is a multi-part message in MIME format. > > ------=_NextPart_000_0005_09C60BCC.30FFADF6 > Content-Type: text/plain; > charset="Windows-1252" > Content-Transfer-Encoding: 7bit > > The message cannot be represented in 7-bit ASCII encoding and has been > sent as a binary attachment. > > > ------=_NextPart_000_0005_09C60BCC.30FFADF6 > Content-Type: application/octet-stream; > name="xnztj.zip" > Content-Transfer-Encoding: base64 > Content-Disposition: attachment; > filename="xnztj.zip" > > <<>> > > ------=_NextPart_000_0005_09C60BCC.30FFADF6-- From christo at IT4AFRICA.CO.ZA Wed Jan 28 06:23:01 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:08 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499E7@pascal.priv.bmrb.co.uk> Message-ID: <003301c3e567$2e1b9e60$660210ac@christoxp> My Config is RH9 mrtg-2.9.25-1.7.2 mailscanner-4.25-14 libpng-1.2.2-16 The file I'm installing is net-snmp-5.0.9-4.rh9.i386.rpm -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin Sent: 27 January 2004 06:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} Christo Bezuidenhout wrote: > I'm trying to get net-snmp installed but it looks for perl-Tk. How can > I get Perl-Tk installed. 
> You don't say which OS/ distro so thats not the easy question it might seem. I don't remember that as a dependency, are you sure you're not trying to install Perl-net-snmp which is NOT required. I know Mandrake 9 gives you Perl-net-snmp if you ask for net-snmp, the actual SNMP package on mdk9 is ucd-snmp. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support. From christo at IT4AFRICA.CO.ZA Wed Jan 28 06:31:49 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:08 2006 Subject: sorry .htm not virus but dangerous content {Virus Scanned} In-Reply-To: <000001c3e4ef$ab85dfa0$0201a8c0@lappy> Message-ID: <003801c3e568$68ae9fe0$660210ac@christoxp> I saw this morning a html file also blocked as Virus. Upon further investigation it is actually a .exe file. Before you get to the .exe part there is a lot of spaces. Mine actually go off the screen and wrap the text to be able to see the .exe extension. The new Mydoom or worm.SCO virus. 
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Dee Lowndes
Sent: 27 January 2004 06:08 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: sorry .htm not virus but dangerous content {Virus Scanned}

As before a return form .htm is returned as dangerous content any ideas?

Dee

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Dee Lowndes
> Sent: 27 January 2004 15:32
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: .htm file detected as virus?
>
> I had a returns form detected as a virus earlier today, is this normal?
>
> Dee

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support.

From P.G.M.Peters at utwente.nl Wed Jan 28 07:41:25 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:08 2006
Subject: Mydoom
In-Reply-To: <20040127191018.GD636@rfa.org>
References: <9qtc1096noqufctqtlp2llc3e4doabcer8@4ax.com> <20040127191018.GD636@rfa.org>
Message-ID:

On Tue, 27 Jan 2004 14:10:19 -0500, you wrote:

>Do you have a script that generates those stats? Is it specific to your
>language?

It is written in Dutch but you can look at the code and change the comments. It is a very fast hack and I really should rewrite it.

|#!/bin/sh
|#
|#
|# For the monthly report.
|# The current directory holds last month's unpacked files.
|#
|#
|# Prompt: "Last month's files in the current directory?"
|echo "Bestanden van vorige maand in de huidige directory?"
|sleep 5
|# "OK, getting started"
|echo "OK, ik ga aan de slag"
|echo ""
|# Total number of mails (lines containing "from=")
|echo -n "Bepaal het echte aantal mailtjes: "
|grep from= * | wc -l
|# Number of spam-like mails
|echo -n "Bepaal het aantal spam-achtige mailtjes: "
|grep "Spam Actions" * | wc -l
|# Number of mails blocked by rulesets
|echo -n "Bepaal het aantal via ruleset's geblokkeerde mailtjes: "
|grep ruleset= * | wc -l
|# When the F-Prot .DEF files were last updated
|echo "Bepaal de laatste keer dat de F-Prot .DEF bestanden zijn geupdate: "
|ls -l /usr/local/f-prot/*.DEF
|# Top list of viruses found (field 11 of the "found virus" log lines)
|echo "Geef de top 5 (en meer) van gevonden virussen:"
|grep MailScanner * | grep "found virus" | awk '{ print $11 }' | sort | uniq -c | sort -nr | head -10

(Remove the | at the beginning of the lines)

It expects the mail logfiles (and only those) in the current directory.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Wed Jan 28 08:01:34 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:08 2006
Subject: f-prot question
In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED4C@CITY-EXCH-NTS>
Message-ID:

Hi!

> F-PROT ANTIVIRUS
> Program version: 4.1.2
> Engine version: 3.13.4
>
> VIRUS SIGNATURE FILES
> SIGN.DEF created 27 January 2004
> SIGN2.DEF created 27 January 2004
> MACRO.DEF created 26 January 2004

You need to update your engine, this is most likely your problem. The sigs ARE up to date but your engine isn't.

> I see references to newer versions of f-prot on the list too. Stinkers.
> They didn't notify me they'd upgraded it again. I did get one notice from
> them last fall. Sigh. Yet another thing to check into.

I posted them on this list also, when there was a new engine... :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Jan 28 08:02:09 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:08 2006
Subject: MyDoom question
In-Reply-To:
Message-ID:

Hi!
> I've suddenly been hit with a small flood of emails addressed like the > following: > > james@dorfam.ca > jen@dorfam.ca > jim@dorfam.ca > > the list goes on and on. > > None of these users exist so all are rejected. Has this got something to > do with the new virus? Harcoded inside the virus. Bye, Raymond. From raymond at PROLOCATION.NET Wed Jan 28 08:14:58 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:08 2006 Subject: Blocking Subject Header In-Reply-To: <20040128014837.64579.qmail@web10906.mail.yahoo.com> Message-ID: Hi! > Due to the recent virus outbreak..(W32.Novarg.A@mm) I > would like to inquire is there anyway mailscanner can > block subject tag that starts with hi, hello, test,. > I am using mailscanner with sendmail on solaris 8. > Thank you so much in advance Why not do this in your MTA ? Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 08:53:01 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:08 2006 Subject: making clamav examine Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499EB@pascal.priv.bmrb.co.uk> Daniel Bidwell wrote: > I am using MailScanner 4.20-3 with Clamav 0.60. They are working > well, but clamav doesn't seem to be scanning .zip files from > MailScanner. When I run clamscan on an infected zip file it tells > detects the virus correctly. > > I have added the "--unzip" option to the clamav-wrapper, but this > doesn't seem to make any difference. Is there a list of file types > that MailScanner will pass to clamav? Any suggestions? The default wrapper script for Clam with MailScanner can't use external unpackers due to permissions issues (where MailScanner runs as root). I've attached a copy of the wrapper I use - I did send it to Julian a while back but I don't think it made it into the distribution. 
You also need to set the following in MailScanner.conf

Incoming Work User =
Incoming Work Group = clamav
Incoming Work Permissions = 0640

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-wrapper
Type: application/octet-stream
Size: 5821 bytes
Desc: clamav-wrapper
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040128/e1f2c63c/clamav-wrapper.obj

From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 09:02:52 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:08 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499EC@pascal.priv.bmrb.co.uk>

Christo Bezuidenhout wrote:
> My Config is RH9
> mrtg-2.9.25-1.7.2
> mailscanner-4.25-14
> libpng-1.2.2-16
>
> The file I'm installing is net-snmp-5.0.9-4.rh9.i386.rpm
>

Unfortunately I've not got a RH9 box around, but I've had a look on Red Hat network and can't see Perl-Tk as a dependency of the package there. Maybe you could try one of their packages, they seem to be numbered differently from the one you quote.

You're also going to need net-snmp-utils.
From christo at IT4AFRICA.CO.ZA Wed Jan 28 08:59:27 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List Message-ID: <005501c3e57d$089a79c0$660210ac@christoxp> Anybody have a updated list for the silent virus list. I only have the default that comes with MailScanner-4.24 Thanx Christo From raymond at PROLOCATION.NET Wed Jan 28 09:06:59 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <005501c3e57d$089a79c0$660210ac@christoxp> Message-ID: Hi! > Anybody have a updated list for the silent virus list. I only have the > default that comes with MailScanner-4.24 Thats depending on your virus scanner, since names will differ, this is what i myself use with f-prot: Klez Yaha Bugbear Lentin Sobig Mimail Lovelorn Dumaru Gibe Ganda Lovgate Fizzer Hybris Akosw Swen Ronoper Sober Bagle Mydoom Bye, Raymond.
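Added example, not part of any message in this archive: it relates to two Mydoom reports earlier in this digest, a raw message file that a manual scan reported as "OK" and an attachment name where a run of spaces pushes the .exe out of view. On a constructed message with a harmless marker standing in for a signature, it shows the marker is absent from the raw base64 text and found only after MIME decoding and unzipping, and it flags space-padded executable names; `MARKER`, the extension list and the thresholds are assumptions of this example, not MailScanner or ClamAV settings.

```python
"""Layered attachment check on a constructed message (no real malware involved)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature: a harmless marker string.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"
# Assumed policy values for this example only.
RISKY_EXT = ("exe", "scr", "pif", "com", "bat", "cmd")
MIN_PAD = 8                           # whitespace run long enough to hide the tail
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # do not inflate members larger than this

PADDED_NAME = re.compile(
    r"\s{%d,}\.(%s)\s*$" % (MIN_PAD, "|".join(RISKY_EXT)), re.IGNORECASE)


def is_padded_name(name: str) -> bool:
    """True when a long whitespace run precedes a final executable extension."""
    return PADDED_NAME.search(name) is not None


def build_sample() -> bytes:
    """Constructed message: a zip attachment whose member has a padded name."""
    member = "document.htm" + " " * 60 + ".exe"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, MARKER * 8)
    msg = EmailMessage()
    msg["From"] = "forgeduser@sendingdomain.example"
    msg["To"] = "user@domain.example"
    msg["Subject"] = "Error"
    msg.set_content("The message has been sent as a binary attachment.\n")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="octet-stream", filename="xnztj.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Look for MARKER in the raw text, each decoded attachment, each zip member."""
    result = {"raw_hit": MARKER in raw, "archive_hits": [], "member_hits": [],
              "padded_names": [], "skipped": []}
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        if is_padded_name(name):
            result["padded_names"].append(name)
        if MARKER in data:
            result["archive_hits"].append(name)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if is_padded_name(info.filename):
                        result["padded_names"].append(info.filename)
                    # Encrypted or oversized members cannot be inspected here.
                    if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                        result["skipped"].append(info.filename)
                        continue
                    if MARKER in zf.read(info):
                        result["member_hits"].append(info.filename)
        except zipfile.BadZipFile:
            result["skipped"].append(name)
    return result


if __name__ == "__main__":
    for key, value in scan_message(build_sample()).items():
        print(f"{key}: {value!r}")
```

Entries in `skipped` are members the check could not open (encrypted, oversized or corrupt) and should be treated as unscanned, not as clean.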
From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 09:06:23 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:08 2006
Subject: Blocking Subject Header
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499ED@pascal.priv.bmrb.co.uk>

Raymond Dijkxhoorn wrote:
> Why not do this in your MTA ?
>

Here's an example that we used to block the Sobig emails with sendmail. This was added to the end of sendmail.mc and we rebuilt the sendmail.cf from that. [This isn't original work, I got it from this list of the web somewhere - so apologies for not crediting the original author...]

LOCAL_RULESETS
## Common Virus Subjects ##
# In each R line the pattern and the action must be separated by tab characters.
HSubject: $>Check_Subject
D{VMsg}" - This message may contain a virus - This subject is associated with a known virus, for genuine mail please resend with different subject text."
SCheck_Subject
R$* ILOVEYOU $*	$#error $: 550 5.7.0 ${VMsg}
RA funny game $*	$#error $: 550 5.7.0 ${VMsg}
RA special nice game $*	$#error $: 550 5.7.0 ${VMsg}
RRe : some questions $*	$#error $: 550 5.7.0 ${VMsg}
RHappy Allhallowmas $*	$#error $: 550 5.7.0 ${VMsg}
RHave a good Allhallowmas $*	$#error $: 550 5.7.0 ${VMsg}
RW32 . Klez . E removal tools $*	$#error $: 550 5.7.0 ${VMsg}
RRe : Approved	$#error $: 550 5.7.0 ${VMsg}
RRe : Details	$#error $: 550 5.7.0 ${VMsg}
RRe : Re : My details	$#error $: 550 5.7.0 ${VMsg}
RRe : Thank you !	$#error $: 550 5.7.0 ${VMsg}
RRe : That movie	$#error $: 550 5.7.0 ${VMsg}
RRe : Wicked screensaver	$#error $: 550 5.7.0 ${VMsg}
RRe : Your application	$#error $: 550 5.7.0 ${VMsg}
RThank you !	$#error $: 550 5.7.0 ${VMsg}
RYour details	$#error $: 550 5.7.0 ${VMsg}

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From martinh at SOLID-STATE-LOGIC.COM Wed Jan 28 09:17:48 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <005501c3e57d$089a79c0$660210ac@christoxp> References: <005501c3e57d$089a79c0$660210ac@christoxp> Message-ID: <40177E3C.4090903@solid-state-logic.com> Christo Bezuidenhout wrote: > Anybody have a updated list for the silent virus list. I only have the > default that comes with MailScanner-4.24 > > Thanx > Christo Chris I use.. Silent Viruses = HTML-IFrame All-Viruses as just about every virus/trojan is now faking 'from' info. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From shrek-m at GMX.DE Wed Jan 28 09:43:19 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <40177E3C.4090903@solid-state-logic.com> References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> Message-ID: <40178437.5090508@gmx.de> Martin Hepworth wrote: > Christo Bezuidenhout wrote: > >> Anybody have a updated list for the silent virus list. 
I only have the >> default that comes with MailScanner-4.24 > > Silent Viruses = HTML-IFrame All-Viruses i could be wrong but afair in 4.24-x this isn?t possible since 4.25-x it is ok -- shrek-m From dee at ASYOUNEED.COM Wed Jan 28 09:46:37 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules In-Reply-To: Message-ID: <000c01c3e583$9f672780$0201a8c0@lappy> Morning, I am trying to get my head around mailscanner rules and I was wondering if I have this right. Can I write a rule as follows. To: user@blah /path/to/their/ruleset.rules ? If not how could I set a rule for a specific address. Cheers, Dee From martinh at SOLID-STATE-LOGIC.COM Wed Jan 28 09:54:07 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <40178437.5090508@gmx.de> References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> <40178437.5090508@gmx.de> Message-ID: <401786BF.6020809@solid-state-logic.com> shrek-m@gmx.de wrote: > Martin Hepworth wrote: > >> Christo Bezuidenhout wrote: >> >>> Anybody have a updated list for the silent virus list. I only have the >>> default that comes with MailScanner-4.24 >> >> >> Silent Viruses = HTML-IFrame All-Viruses > > > > i could be wrong but afair > in 4.24-x this isn?t possible > since 4.25-x it is ok > works for me in 4.24-5, I think is All-Viruses keyword was added in 4.24.x from what I remember.... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From raymond at PROLOCATION.NET Wed Jan 28 10:00:29 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules In-Reply-To: <000c01c3e583$9f672780$0201a8c0@lappy> Message-ID: Hi! > I am trying to get my head around mailscanner rules and I was wondering > if I have this right. Can I write a rule as follows. > > To: user@blah /path/to/their/ruleset.rules ? > > If not how could I set a rule for a specific address. Yes you can, but dont forget to define the default rules... Bye, Raymond. From mailscanner at ecs.soton.ac.uk Wed Jan 28 10:07:56 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules In-Reply-To: <000c01c3e583$9f672780$0201a8c0@lappy> References: <000c01c3e583$9f672780$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040128100652.07526a48@imap.ecs.soton.ac.uk> At 09:46 28/01/2004, you wrote: >Morning, > >I am trying to get my head around mailscanner rules and I was wondering >if I have this right. Can I write a rule as follows. > >To: user@blah /path/to/their/ruleset.rules ? > >If not how could I set a rule for a specific address. To: user@blah value where "value" is the result of this configuration option for mail going to user@blah. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 09:48:46 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:08 2006 Subject: Error disabling Filetype Rules In-Reply-To: <4016AB40.12586.163B829D@localhost> References: <200401131544.i0DFiNr06861@lime.algorithmics.com> <4016AB40.12586.163B829D@localhost> Message-ID: <6.0.1.1.2.20040128094837.0734e670@imap.ecs.soton.ac.uk> This is already fixed. At 21:17 27/01/2004, you wrote: >FWIW, it happened to me sometime ago, with MS 4.23 under linux and using >'/dev/null' as the filename worked like a charm... I don't se why it won't >work with other MS/OS combinations. > >Sorry for sayin' this so awfully late, but I'm workin' on holidays and 2 or >3 months late in readin' the list... just browsin' subjects :-( > >Regads... > >El 13 Jan 2004 a las 16:21, Julian Field escribi?: > > > At 15:44 13/01/2004, you wrote: > > >I got the following errors when trying to disable Filetype Rules as > > >described in the config file: > > > > > >Jan 12 13:59:48 lime MailScanner[24268]: Syntax error(s) in configuration > > >file: > > >Jan 12 13:59:48 lime MailScanner[24268]: Unrecognised keyword > > >"filetyperules" at line 577 > > >Jan 12 13:59:48 lime MailScanner[24268]: Aborting due to syntax errors in > > >/opt/MailScanner/etc/MailScanner.conf. > > > > > >I set the config parameter Filetype Rules to blank. > > > > > >This was on Solaris 9, MailScanner 4.25-14 installed from the tarball. > > > > What do you get when you put a filename in instead of making it blank? > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Allow me to introduce my selves. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 09:53:31 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:08 2006 Subject: Blocking Subject Header In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410841@mtlnt501fs.CAMOROUT E.COM> References: <54C38A0B814C8E438EF73FC76F362927410841@mtlnt501fs.CAMOROUTE.COM> Message-ID: <6.0.1.1.2.20040128095257.03f1f680@imap.ecs.soton.ac.uk> At 02:07 28/01/2004, you wrote: > > -----Message d'origine----- > > De : Sathes Nair [mailto:jovi_2@YAHOO.COM] > > Envoy? : Tuesday, January 27, 2004 8:49 PM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : Blocking Subject Header > > > > > > Hi there, > > > > Due to the recent virus outbreak..(W32.Novarg.A@mm) I > > would like to inquire is there anyway mailscanner can > > block subject tag that starts with hi, hello, test,. > >I don't think mailscanner can do that. However, you can use spamassassin >to give it a high score so that it will be treated as a high-scoring >spam. In my case, store, delete; so my users never see them. You can also use the MCP feature to do this. Personally, I would just go for the high-scoring spam solution, it's simpler and faster. > > I am using mailscanner with sendmail on solaris 8. > > Thank you so much in advance > > > > cheers.... > > > > __________________________________ > > Do you Yahoo!? > > Yahoo! SiteBuilder - Free web site building tool. Try it! 
> > http://webhosting.yahoo.com/ps/sb/ > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dee at ASYOUNEED.COM Wed Jan 28 10:24:48 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules {Scanned} In-Reply-To: <6.0.1.1.2.20040128100652.07526a48@imap.ecs.soton.ac.uk> Message-ID: <000d01c3e588$f4e50ab0$0201a8c0@lappy> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: 28 January 2004 10:08 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner Rules {Scanned} > > At 09:46 28/01/2004, you wrote: > >Morning, > > > >I am trying to get my head around mailscanner rules and I was wondering > >if I have this right. Can I write a rule as follows. > > > >To: user@blah /path/to/their/ruleset.rules ? > > > >If not how could I set a rule for a specific address. > > To: user@blah value > > where "value" is the result of this configuration option for mail going to > user@blah. In simple terms please for "value" all I see is references to yes or no. Can you give me an example for any mail coming to user@blah to screen out messages from user@spammerblah. 
I tried my way and got a load of MailScanner defunct :) Cheers Dee From mailscanner at ecs.soton.ac.uk Wed Jan 28 10:30:05 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules {Scanned} In-Reply-To: <000d01c3e588$f4e50ab0$0201a8c0@lappy> References: <6.0.1.1.2.20040128100652.07526a48@imap.ecs.soton.ac.uk> <000d01c3e588$f4e50ab0$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040128102802.077234b0@imap.ecs.soton.ac.uk> At 10:24 28/01/2004, you wrote: > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: 28 January 2004 10:08 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: MailScanner Rules {Scanned} > > > > At 09:46 28/01/2004, you wrote: > > >Morning, > > > > > >I am trying to get my head around mailscanner rules and I was >wondering > > >if I have this right. Can I write a rule as follows. > > > > > >To: user@blah /path/to/their/ruleset.rules ? > > > > > >If not how could I set a rule for a specific address. > > > > To: user@blah value > > > > where "value" is the result of this configuration option for mail >going to > > user@blah. > >In simple terms please for "value" all I see is references to yes or no. It can be other things, such as a numerical value or a filename, it is whatever data the configuration option is expecting to get. >Can you give me an example for any mail coming to user@blah to screen >out messages from user@spammerblah. You can only put 1 condition in the test, and you can't have rules that point to more rulesets. Sorry, but that's a limitation of the configuration engine I have written. I know it's not perfect, maybe expanding its abilities is something I should look at for the next version, so you can at least have "and" in conditions, which would solve this problem. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From christo at IT4AFRICA.CO.ZA Wed Jan 28 10:34:20 2004 From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:08 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499EC@pascal.priv.bmrb.co.uk> Message-ID: <006b01c3e58a$4a2e1f10$660210ac@christoxp> I have the net-snmp-5.0.6-17.i386.rpm and the utils installed with that. But still I get errors. Please find attached Possible precedence problem on bitwise | operator at /usr/bin/../lib/mrtg2/BER.pm line 619. Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 Timeout: No Response from localhost:161 ERROR: iptraffic counters not fully initialised No iptraffic data on this run Use of uninitialized value in join or string at/usr/lib/MailScanner-MRTG/MSMRTG/State.pm line 193. gd-png: fatal libpng error: Invalid filter type specified gd-png error: setjmp returns error condition -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin Sent: 28 January 2004 11:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} Christo Bezuidenhout wrote: > My Config is RH9 > mrtg-2.9.25-1.7.2 > mailscanner-4.25-14 > libpng-1.2.2-16 > > The file I'm installing is net-snmp-5.0.9-4.rh9.i386.rpm > Unfortunately I've not got a RH9 box around, but I've had a look on Red Hat network and can't see Perl-Tk as a dependency of the package there. Maybe you could try one of their packages, they seem to be numbered differently from the one you quote. 
You're also going to need net-snmp-utils. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks IT For Africa for their support. From ugob at CAMO-ROUTE.COM Wed Jan 28 11:08:48 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:08 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016499EC@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0016499EC@pascal.priv.bmrb.co.uk> Message-ID: <40179840.5060804@camo-route.com> Spicer, Kevin wrote: >Christo Bezuidenhout wrote: > > >>My Config is RH9 >>mrtg-2.9.25-1.7.2 >>mailscanner-4.25-14 >>libpng-1.2.2-16 >> >>The file I'm installing is net-snmp-5.0.9-4.rh9.i386.rpm >> >> >> > >Unfortunately I've not got a RH9 box around, but I've had a look on Red Hat network and can't see Perl-Tk as a dependency of the package there. Maybe you could try one of their packages, they seem to be numbered differently from the one you quote. > > I have 2 RH9 machines, maybe I could help... Ugo >You're also going to need net-snmp-utils. 
> > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > > From shrek-m at GMX.DE Wed Jan 28 10:36:00 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <401786BF.6020809@solid-state-logic.com> References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> <40178437.5090508@gmx.de> <401786BF.6020809@solid-state-logic.com> Message-ID: <40179090.4010708@gmx.de> Martin Hepworth wrote: > shrek-m@gmx.de wrote: > >> Martin Hepworth wrote: >> >>> Silent Viruses = HTML-IFrame All-Viruses >> >> i could be wrong but afair >> in 4.24-x this isn?t possible >> since 4.25-x it is ok > > works for me in 4.24-5, I think is All-Viruses keyword was added in > 4.24.x from what I remember.... in 4.23-11 $ rpm -q --changelog mailscanner | grep -i silent $ http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog 1/9/2003 New in Version 4.23-11 =============================== * New Features and Improvements * - Implemented special "silent viruses" list keyword "All-Viruses" which matches the name of any virus. This means you can make messages silent which contain just viruses and none (or a combination) of the HTML hacks that are detected. 
-- shrek-m From dee at ASYOUNEED.COM Wed Jan 28 10:38:05 2004 From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:22:08 2006 Subject: MailScanner Rules {Scanned} In-Reply-To: <6.0.1.1.2.20040128102802.077234b0@imap.ecs.soton.ac.uk> Message-ID: <000e01c3e58a$cfd6e340$0201a8c0@lappy> > > > >Morning, > > > > > > > >I am trying to get my head around mailscanner rules and I was > >wondering > > > >if I have this right. Can I write a rule as follows. > > > > > > > >To: user@blah /path/to/their/ruleset.rules ? > > > > > > > >If not how could I set a rule for a specific address. > > > > > > To: user@blah value > > > > > > where "value" is the result of this configuration option for mail > >going to > > > user@blah. > > > >In simple terms please for "value" all I see is references to yes or no. > > It can be other things, such as a numerical value or a filename, it is > whatever data the configuration option is expecting to get. > > >Can you give me an example for any mail coming to user@blah to screen > >out messages from user@spammerblah. > > You can only put 1 condition in the test, and you can't have rules that > point to more rulesets. Sorry, but that's a limitation of the > configuration > engine I have written. I know it's not perfect, maybe expanding its > abilities is something I should look at for the next version, so you can > at > least have "and" in conditions, which would solve this problem. Trust me to try the impossible :) It would be good to be able to set user specific filtering rules in future though. 
Cheers, Dee From t.d.lee at DURHAM.AC.UK Wed Jan 28 10:30:18 2004 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:22:08 2006 Subject: Mailscanner incoming directory..to many directories In-Reply-To: <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> References: <1075136989.20660.11.camel@localhost.localdomain> <000001c3e435$6eaa9ae0$e90200bf@tazpc> <6.0.1.1.2.20040126181308.03eebe88@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040127173615.03d84ec0@imap.ecs.soton.ac.uk> Message-ID: On Tue, 27 Jan 2004, Julian Field wrote: > At 17:07 27/01/2004, you wrote: > >[...] > >We run MS on both Linux/Redhat and Solaris. Despite being a long-standing > >Solaris person, and a newbie to Linux, I much prefer the Redhat > >installation of MS because it uses RPMs. Would there be any chance of > >your routinely and analogously generating Solaris/pkg versions of MS > >alongside the RPMs? > > Are there some decent docs on how to create pkgs? A few samples would be > handy too. Do you have access somehow to the Solaris documentation set? That contains the Solaris 2.n "Application Packaging Developer's Guide". Feel free to contact me off-list if you wish, Julian. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From m at LCOLM.ORG.UK Wed Jan 28 10:43:02 2004 From: m at LCOLM.ORG.UK (Malcolm Scott) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: <40177E3C.4090903@solid-state-logic.com> References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com> Message-ID: At 09:17 today, Martin Hepworth wrote: > Chris > I use.. > > Silent Viruses = HTML-IFrame All-Viruses > > as just about every virus/trojan is now faking 'from' info. Hi, When viruses fake 'from' info, do they just fake the 'From:' header, or do they fake the envelope sender too? Which does MailScanner use to send virus notifications? 
Thanks

--
| o |
| /O\ | Malcolm Scott
| > < |

From mailscanner at ecs.soton.ac.uk Wed Jan 28 11:24:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:08 2006
Subject: Silent Virus List
In-Reply-To:
References: <005501c3e57d$089a79c0$660210ac@christoxp> <40177E3C.4090903@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040128112404.03e603e0@imap.ecs.soton.ac.uk>

At 10:43 28/01/2004, you wrote:
>At 09:17 today, Martin Hepworth wrote:
>
> > Chris
> > I use..
> >
> > Silent Viruses = HTML-IFrame All-Viruses
> >
> > as just about every virus/trojan is now faking 'from' info.
>
>
>Hi,
>
>When viruses fake 'from' info, do they just fake the 'From:' header, or do
>they fake the envelope sender too?

Yes.

> Which does MailScanner use to send virus
>notifications?

The envelope sender. Which is why you shouldn't notify senders of viruses at all.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 11:42:54 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:08 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE84@pascal.priv.bmrb.co.uk>

Christo Bezuidenhout wrote:
> I have the net-snmp-5.0.6-17.i386.rpm and the utils installed with
> that. But still I get errors. Please find attached
>

Do you have snmpd running? Can you connect on the command line?

Try
snmpwalk -v 2c -c public localhost:161 uptime

See if that gives you the system uptime

It does look like there may be something wrong with your mrtg installation too.

Splitting the messages up...

These are from MRTG

> Possible precedence problem on bitwise | operator at
> /usr/bin/../lib/mrtg2/BER.pm line 619.
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition

These are from snmpwalk

> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161
> Timeout: No Response from localhost:161

And these are from (or caused by MSMRTG)

> ERROR: iptraffic counters not fully initialised
> No iptraffic data on this run
> Use of uninitialized value in join or string
> at/usr/lib/MailScanner-MRTG/MSMRTG/State.pm line 193.

I admit there is still a small problem with MSMRTG and net-snmp (which may be causing the last 4 lines above), A couple of folks are trying some patches and I hope to release a fixed version this tonight.

I don't know what the mrtg errors mean, I've not seen them before - perhaps you could Google for them.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From christo at IT4AFRICA.CO.ZA Wed Jan 28 12:44:21 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:08 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE84@pascal.priv.bmrb.co.uk>
Message-ID: <008501c3e59c$73f2d9a0$660210ac@christoxp>

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
> Sent: 28 January 2004 01:43 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Announce: MailScanner-MRTG version 0.07 released
> {Virus Scanned}
>
>
> Christo Bezuidenhout wrote:
> > I have the net-snmp-5.0.6-17.i386.rpm and the utils installed with
> > that. But still I get errors. Please find attached
> >
>
> Do you have snmpd running? Can you connect on the command line?

Snmpd is running

>
> Try
> snmpwalk -v 2c -c public localhost:161 uptime

Gives me the uptime of the system

>
> See if that gives you the system uptime
>
> It does look like there may be something wrong with your mrtg
> installation too.
>
> Splitting the messages up...
>
> These are from MRTG
>
> > Possible precedence problem on bitwise | operator at
> > /usr/bin/../lib/mrtg2/BER.pm line 619.
> > gd-png: fatal libpng error: Invalid filter type specified gd-png
> > error: setjmp returns error condition
>
> These are from snmpwalk
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161
> > Timeout: No Response from localhost:161

The Timeouts disappeared but still the MSMRTG and gd-png errors stay

>
> And these are from (or caused by MSMRTG)
> > ERROR: iptraffic counters not fully initialised
> > No iptraffic data on this run
> > Use of uninitialized value in join or string
> > at/usr/lib/MailScanner-MRTG/MSMRTG/State.pm line 193.
>
> I admit there is still a small problem with MSMRTG and
> net-snmp (which may be causing the last 4 lines above), A
> couple of folks are trying some patches and I hope to release
> a fixed version this tonight.
>
> I don't know what the mrtg errors mean, I've not seen them
> before - perhaps you could Google for them.
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks IT For Africa for their support.
> > From prandal at HEREFORDSHIRE.GOV.UK Wed Jan 28 13:22:51 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:08 2006 Subject: tons of infected files getting though??? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C48B@jessica.herefordshire.gov.uk> There's a whole thread on the ClamAV users mailing list about this - they appear to be bounces. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Desai, Jason > Sent: 27 January 2004 19:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: tons of infected files getting though??? > > > I've noticed that ClamAV has not been finding SCO.A when they > are inside of > a mail delivery failure message. McAfee however does find it > (calling it > Mydoom). > > I can take the email and scan it with ClamAV, but it will not > find anything. > But if I decode the attachment and scan it with ClamAV, > ClamAV will find > SCO.A. > > Could it be that the ones that are getting through are > delivery failure > notifications? I don't know if it's a bug in ClamAV or if it > could be fixed > with updating the virus definitions, but I don't think it's a > MailScanner > bug. > > Jason > > > -----Original Message----- > > From: Chris Yuzik [mailto:chris@FRACTALWEB.COM] > > Sent: Tuesday, January 27, 2004 2:23 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: [MAILSCANNER] tons of infected files getting though??? > > > > > > Hi everyone, > > > > I was having a hard look through my logs and such and also looking > > though MailWatch. I see quite a few emails that definitely > contain the > > virus that were only tagged as spam. I can see nothing in > > /var/log/maillog that indicates why this message would not have been > > marked as infected. 
I've even forwarded a couple of them to > myself and > > there's no doubt about it...it's the SCO.A or Navarg or > whatever. If I > > save the attachment, then scp it to my mailserver and run > clamscan on > > it, everything works great and ClamAV correctly identifies > the virus. > > > > For yesterday alone, my system saw 106 messages that it > found infected > > with the virus, and an additional 80 that slipped by. WTF??? > > > > Is it possible that MailScanner isn't getting clamav to scan all the > > attachments? How do I go about troubleshooting this? Urgent > help would > > be appreciated. > > > > Cheers, > > Chris > > > From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 13:26:44 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:08 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499F6@pascal.priv.bmrb.co.uk> Christo Bezuidenhout wrote: > The Timeouts dissapeared but still the MSMRTG and gd-png errors stay As I said, Google for the mrtg errors. Google gave me this, which should solve the first problem... http://www.ee.ethz.ch/~slist/mrtg/msg25586.html However I can't find a solution for your second problem (the libpng messages) - but your mrtg version number doesn't match any of those available from RedHat network, so I would suggest you upgrade (or downgrade) to the current official RedHat rpm. The MSMRTG errors should be fixed in the version I hope to release later this evening, However you may find that applying the attached patch to /usr/lib/MailScanner-MRTG/Data.pm helps. >> And these are from (or caused by MSMRTG) >>> ERROR: iptraffic counters not fully initialised >>> No iptraffic data on this run >>> Use of uninitialized value in join or string >>> at/usr/lib/MailScanner-MRTG/MSMRTG/State.pm line 193. 
>> >> I admit there is still a small problem with MSMRTG and >> net-snmp (which may be causing the last 4 lines above), A >> couple of folks are trying some patches and I hope to release a >> fixed version this tonight. >> >> I don't know what the mrtg errors mean, I've not seen them >> before - perhaps you could Google for them. >> >> >> >> BMRB International >> http://www.bmrb.co.uk >> +44 (0)20 8566 5000 >> _________________________________________________________________ >> This message (and any attachment) is intended only for the >> recipient and may contain confidential and/or privileged >> material. If you have received this in error, please contact the >> sender and delete this message immediately. Disclosure, copying >> or other action taken in respect of this email or in >> reliance on it is prohibited. BMRB International Limited >> accepts no liability in relation to any personal emails, or >> content of any email which does not directly relate to our business. >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> Mailscanner thanks IT For Africa for their support. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Data_pm.diff Type: application/octet-stream Size: 2397 bytes Desc: Data_pm.diff Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040128/7e2fedf2/Data_pm.obj From martinh at SOLID-STATE-LOGIC.COM Wed Jan 28 13:37:56 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:08 2006 Subject: tons of infected files getting though??? In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C48B@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C48B@jessica.herefordshire.gov.uk> Message-ID: <4017BB34.8020809@solid-state-logic.com> Randal, Phil wrote: > There's a whole thread on the ClamAV users mailing list about this - they > appear to be bounces. > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > Also sophos seems to be missing them, and yes I have seen bounces that are the ones missed.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
**********************************************************************

From postmaster at Cariddi.aop.int Wed Jan 28 13:44:05 2004
From: postmaster at Cariddi.aop.int (MailScanner)
Date: Thu Jan 12 21:22:08 2006
Subject: Warning: infected e-mail detected
Message-ID: <200401281344.i0SDi5ue013008@Cariddi.aop.int>

The antivirus system was triggered by the following message:-

To: serg@unipd.it
Subject: Mail Transaction Failed
Date: Wed Jan 28 14:44:05 2004

Any part of the message considered infected was not delivered to the recipient. This message is simply to warn you that there is very probably a virus on your computer; we advise you to check the system urgently.

For further information write to f.teti@ao-pisa.toscana.it

The antivirus system reports:
rapporto: document.zip/DOCUMENT.TXT .PIF Found the W32/Mydoom@MM virus !!!

--
MailScanner
Email Virus Scanner
www.mailscanner.info

From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 13:49:26 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:08 2006
Subject: tons of infected files getting though???
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499F7@pascal.priv.bmrb.co.uk>

Martin Hepworth wrote:
> Randal, Phil wrote:
>> There's a whole thread on the ClamAV users mailing list about this -
>> they appear to be bounces.
>
> Also sophos seems to be missing them, and yes I have seen bounces that
> are the ones missed..

Hmmm, I was just about to post and say that I've not seen any Sophos and Clam both find the same!

I've also not seen any on our network with the payload (and we've had over 3000 blocked so I would expect that if they were getting through elsewhere they would be getting through here), which gets me to thinking....

You said it was not just zips? So...
Are the attachments on the ones not detected by Clam, but detected by McAfee being picked up by MailScanner's filename rules?

I'm going to guess they are not.
Now if these are all bounces that would explain why my users aren't seeing the payload. All my users use Outlook and Outlook suppresses all but the first part of the Delivery Status Notification. The only hole in my theory is that Symantec on Exchange isn't finding any of these (but maybe this has the same problem).

So, I think that this is some particular MTA software that returns the message with the bounce, with something strange going on in the mime sections or encoding. Perhaps someone who can identify these could post the source of the message (with the virus payload data removed). Is there a common MTA sending these (that is the remote MTA)?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From prandal at HEREFORDSHIRE.GOV.UK Wed Jan 28 14:02:27 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:08 2006
Subject: tons of infected files getting though???
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C48D@jessica.herefordshire.gov.uk>

From the ClamAV list:

"These bounces contain the full virus in the form of the complete source of the original email dumped at the end of the bounce message. Although I'm sure the MIME is no longer set up right so it may be harmless, Norton seems to catch these while ClamAV does not. I'm running a CVS snapshot of ClamAV from yesterday (the 26th) and run Freshclam every hour.
It seems to be catching other forms of the SCO virus, just not these bounces." - Matthew Trent and "It's not only problem with ClamAV mime unpacker - even ripmime is unable to extract attachment in the body of bounce message. For example I run ripmime (v1.3.0.6 - 14/01/2004) on bounce message, it extracted it's body as textfile0, when i run ripmime on textfile0 it extracted textfile0_1, when run on textfile0_1 it extracted textfile0_2, when run on textfile0_2 it extracted textfile0_3, textfile1, textfile2, doc.zip and textfile3." - Virgo P?rna Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Spicer, Kevin > Sent: 28 January 2004 13:49 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: tons of infected files getting though??? > > > Martin Hepworth wrote: > > Randal, Phil wrote: > >> There's a whole thread on the ClamAV users mailing list > about this - > >> they appear to be bounces. > > > > Also sophos seems to be missing them, and yes I have seen > bounces that > > are the ones missed.. > > Hmmm, I was just about to post and say that I've not seen any > Sophos and Clam both find the same! > > I've also not seen any on our network with the payload (and > we've had over 3000 blocked so I would expect that if they > were getting through elsewhere they would be getting through > here), which gets me to thinking.... > > You said it was not just zips? So... > Are the attachments on the ones not detected by Clam, but > detected by McAffee being picked up by mailscanners filename rules? > > I'm going to guess they are not. Now if these are all > bounces that would explain why my users aren't seeing the > payload. All my users use Outlook and Outlook supresses all > but the first part of the Delivery Status Notification. 
The > only hole in my thoery is that Symantec on Exchange isn't > finding any of these (but maybe this has the same problem). > > So, I think that this is some particular MTA software that > returns the message with the bounce, with something strange > going on in the mime sections or encoding. Perhaps someone > who can identify these could post the source of the message > (with the virus payload data removed). Is there a common > MTA sending these (that is the remote MTA)? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From dot at DOTAT.AT Wed Jan 28 13:54:32 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:08 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current In-Reply-To: Message-ID: Eric Dantan Rzewnicki wrote: > >However it appears that uvscan is being called with old dats that exist >in /usr/local/uvscan/*.dat. These should be symlinks to datfiles/current/*.dat Tony. -- f.a.n.finch http://dotat.at/ ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: NORTHWEST BACKING WEST FOR A TIME, 6 OR 7 DECREASING 5 OR 6 LATER WEATHER: WINTRY SHOWERS. MODERATE OR GOOD. MODERATE OR ROUGH. From dot at DOTAT.AT Wed Jan 28 13:57:54 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:08 2006 Subject: Silent Virus List In-Reply-To: Message-ID: Christo Bezuidenhout wrote: > >Anybody have a updated list for the silent virus list. 
I only have the
>default that comes with MailScanner-4.24

With NAI McAfee uvscan I use:

Badtrans Bagle Braid Bugbear Colevo Dumaru Fizzer Ganda Gibe Holar Hybris Kickin Klez Korvar Lirva Lovelorn Lovgate Magistr Mimail Mydoom Nimda Sircam Sober Sobig Swen Yaha

I have noted some aliases:

# Palyh=Sobig WinEvar=Korvar

Tony.
--
f.a.n.finch http://dotat.at/
ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: NORTHWEST BACKING WEST FOR A TIME, 6 OR 7 DECREASING 5 OR 6 LATER WEATHER: WINTRY SHOWERS. MODERATE OR GOOD. MODERATE OR ROUGH.

From system at sebi.it Wed Jan 28 14:25:02 2004
From: system at sebi.it (MailScanner)
Date: Thu Jan 12 21:22:08 2006
Subject: Warning: infected e-mail detected
Message-ID: <200401281425.i0SEP2D23156@mail.umbrars.net>

The antivirus system was triggered by the following message:-

To: maria@frasassi.com
Subject: Hello
Date: Wed Jan 28 15:25:02 2004

Any part of the message considered infected was not delivered to the recipient. This message is simply to warn you that there is very probably a virus on your computer; we advise you to check the system urgently.

The antivirus system reports:
rapporto: text.zip contains Worm.SCO.A

--
MailScanner
Email Virus Scanner
www.mailscanner.info

From m.althoff at BROMBERG.DEMON.NL Wed Jan 28 14:35:36 2004
From: m.althoff at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:22:08 2006
Subject: Mydoom
Message-ID:

Hi Peter,

Sendmail log entries using Mcafee (Uvscan)

Jan 21 05:10:34 bromberg MailScanner[9439]: /i0L4A7rN025688/huyrgy.scr Found the W32/FunLove.gen virus !!!
Jan 21 22:50:20 bromberg MailScanner[32640]: /i0LLo6rM001976/ajnvlw.exe Found the W32/Swen@MM virus !!!

Been doing a little adding and working around:

The result is not yet what I wanted to see, somewhere it adds "1 awk", the number of found viruses are correct:

./run

Bepaal het echte aantal mailtjes: 7324
Bepaal het aantal spam-achtige mailtjes: 62
Bepaal het aantal via ruleset's geblokkeerde mailtjes: 4250
Bepaal de M$ Outlook HTML abusers: 114
Bepaal de actuele dat versie: Virus data file v4319 created Jan 27 2004

Geef de top 5 (en meer) van gevonden virussen:

22 W32/Swen@MM
1 awk <-- ??? no idea why
1 W32/Sober.c@MM
1 W32/FunLove.gen

From m.althoff at BROMBERG.DEMON.NL Wed Jan 28 14:42:01 2004
From: m.althoff at BROMBERG.DEMON.NL (Matthijs Althoff)
Date: Thu Jan 12 21:22:08 2006
Subject: Mydoom
Message-ID:

Hi Peter,

ahh! ok now with what I created... ;-)

Sendmail log entries using Mcafee (Uvscan)

Jan 21 05:10:34 bromberg MailScanner[9439]: /i0L4A7rN025688/huyrgy.scr Found the W32/FunLove.gen virus !!!
Jan 21 22:50:20 bromberg MailScanner[32640]: /i0LLo6rM001976/ajnvlw.exe Found the W32/Swen@MM virus !!!

Been doing a little adding and working around:

The result is not yet what I wanted to see, somewhere it adds "1 awk", the number of found viruses are correct:

$ cat run
#!/bin/sh
echo ""
echo -n "Bepaal het echte aantal mailtjes: "
grep from= * | wc -l
echo -n "Bepaal het aantal spam-achtige mailtjes: "
grep "Spam Actions" * | wc -l
echo -n "Bepaal het aantal via ruleset's geblokkeerde mailtjes: "
grep ruleset= * | wc -l
echo -n "Bepaal de M$ Outlook HTML abusers: "
grep "will convert HTML" * | wc -l
echo -n "Bepaal de actuele dat versie: "
uvscan --version | grep created
echo ""
echo "Geef de top 5 (en meer) van gevonden virussen:"
echo ""
grep MailScanner * | grep "Found the" | awk '{ print $9 }' | sort | uniq -c | sort -nr | head -10
echo ""

./run

Bepaal het echte aantal mailtjes: 7324
Bepaal het aantal spam-achtige mailtjes: 62
Bepaal het aantal via ruleset's geblokkeerde mailtjes: 4250
Bepaal de M$ Outlook HTML abusers: 114
Bepaal de actuele dat versie: Virus data file v4319 created Jan 27 2004

Geef de top 5 (en meer) van gevonden virussen:

22 W32/Swen@MM
1 awk <-- ??? no idea why
1 W32/Sober.c@MM
1 W32/FunLove.gen

From campbell at CNPAPERS.COM Wed Jan 28 14:58:26 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:08 2006
Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned}
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE84@pascal.priv.bmrb.co.uk>
Message-ID: <00e001c3e5af$3071aea0$5d01a8c0@cnpapers.net>

This is what I am seeing, not running snmp, and configure as such in the conf file:

CPU utilization not working
Server Network traffic not working
Space Used in /var/spool not working
Space Used in Work Directory not working

Is this proper in light of the non-snmp stuff?

I turned on the default snmpd installed with RH 7.3 and this did not change. No changes were made to the snmpd.conf file or anywhere else.
I do not use snmp anywhere (actually, I don't even know what it's used for), so the configuration of such would be an added chore.

Is it best just to downgrade?

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From postmaster at Scilla.aop.int Wed Jan 28 15:10:15 2004
From: postmaster at Scilla.aop.int (MailScanner)
Date: Thu Jan 12 21:22:08 2006
Subject: Warning: infected e-mail detected
Message-ID: <200401281510.i0SFAFD1024027@Scilla.aop.int>

The antivirus system was triggered by the following message:-

To: leo@makek.dstb.uniud.it
Subject: Hello
Date: Wed Jan 28 16:10:15 2004

Any part of the message considered infected was not delivered to the recipient. This message is simply to warn you that there is very probably a virus on your computer; we advise you to check the system urgently.

For further information write to f.teti@ao-pisa.toscana.it

The antivirus system reports:
rapporto: readme.zip/README.HTM .EXE Found the W32/Mydoom@MM virus !!!

--
MailScanner
Email Virus Scanner
www.mailscanner.info

From P.G.M.Peters at utwente.nl Wed Jan 28 15:05:09 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:08 2006
Subject: Mydoom
In-Reply-To:
References:
Message-ID:

On Wed, 28 Jan 2004 14:42:01 +0000, you wrote:

>grep MailScanner * | grep "Found the" | awk '{ print $9 }' | sort | uniq -c | sort -nr | head -10

> 22 W32/Swen@MM
> 1 awk <-- ??? no idea why

What I usually do in these cases is checking what I get with just

grep MailScanner * | grep "Found the"

When the numbers are not too high you can look for it manually. If this doesn't give some logline with awk on the 9-th position you can do

grep MailScanner * | grep "Found the" | awk '{ print $9 }'

Perhaps awk gives some error message that is piped into sort.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From dwinkler at ALGORITHMICS.COM Wed Jan 28 15:09:10 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:08 2006
Subject: blocking all attachments
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B167@tormail2.algorithmics.com>

Even better would be \.html?$

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Hanser
Sent: Tuesday, January 27, 2004 5:29 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: blocking all attachments

Cool, I think I've got it working using that example. There was one minor change I made though, to the html line:

allow \.htm.*$

The original was:

allow \.htm*$

I made the change because I think the original had a typo... Unless I'm misreading (or forgetting how regex's work), that one means it'll match .ht, .htm, and .htmmmmmmmmmmmmmmmmm(and however many more m's you want) file, but not .html files. :)

Other than fixing the typo it seems to work. Thanx!

k

-----Original Message-----
From: Jeff Falgout [mailto:JFalgout@CO.JEFFERSON.CO.US]

>>>> Kevin@MICA.NET 1/27/2004 2:19:21 PM >>>
>Ok, I could have _sworn_ that this was JUST asked on the list, but after
>searching thru the archives and my local copies, I can't find it
>anywhere.

It was under the subject "New virus outbreak"

Here is one of the suggestions:

Kevin Spicer wrote:

>DONT DO THIS....!!!!
>
>deny .* Attachment All attachments temporarily rejected
>
>I just tried it (on my home box, not my production server thankfully)
>and it blocks all parts of the message (including message text)
>
>

happened to me too a few weeks ago ;-)

this seems to be ok
----
allow \.txt$ - -
allow \.htm*$ - -
deny . "bla" "blubber"
----

From lenaig at WANADOO.FR Wed Jan 28 15:15:38 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:08 2006
Subject: pb f-prot wrapper
Message-ID: <20040128151538.GA1465@maelenn>

hello,

got a little pb with f-prot-wrapper:

sh-2.05b$ bash -x f-prot-wrapper
+ PackageDir=
+ shift
+ Scanner=f-prot
+ RamDisk=yes
+ ScanOptions=
+ ScanOptions= -archive
+ ScanOptions= -archive -auto
+ ScanOptions= -archive -auto -ai
+ ScanOptions= -archive -auto -ai -saferemove
+ '[' x = x-IsItInstalled ']'
+ '[' xyes = xyes ']'
+ '[' 0 -gt 1 ']'
+ ScanDir=
+ shift
+ find -type f -print0
+ xargs -0 /f-prot -archive -auto -ai -saferemove
find: illegal option -- t
find: illegal option -- y
find: illegal option -- p
find: illegal option -- e
find: f: No such file or directory
+ exit 0

What to do ?

Thx
--
Thierry

From goleotti at MISAG.IT Wed Jan 28 15:18:32 2004
From: goleotti at MISAG.IT (Gabriele Oleotti)
Date: Thu Jan 12 21:22:08 2006
Subject: VEXIRA antivirus support
Message-ID: <1488394A34F6A0408FDA3841418D1442183D2A@scorpio.auron.mi>

Hello everybody,

I'm not sure this is the right place to send this kind of email, so if it is not please forward me to the right place.

I've tweaked a little bit with the MailScanner code to add support for the Vexira Antivirus (I'm very satisfied with it.) I'm using this modified version of MailScanner 4.24.5 for some time and it seems to work fine.

Here I attach the patch to make things work; basically only minor modifications are necessary to the following files:

- etc/virus.scanners.conf (virus wrapper configuration)
- lib/MailScanner/SweepViruses.pm (the actual processing sub)
- lib/vexira-wrapper (virus wrapper shell script)

I haven't had time to test and install any newer version of MailScanner.

I have set the SupportScanning option to BETA (I don't know if this is the right status anyway...) so you may need to modify your Minimum Code Status to at least 'beta' in your MailScanner.conf to see the vexira working.
You may want to check the virus.scanners.conf if you have installed Vexira in a non-standard directory (/usr/bin/vexira) Any feedback is welcome. Bye, Gabriele P.S. I suggest to run something like "patch -p2 Message-ID: <009d01c3e5b7$8438d9c0$660210ac@christoxp> I reinstalled mailscanner-mrtg and mrtg and it fixed the problem. Thanx for the assistance My stats can be viewed at http://mail.it4africa.co.za/mailscanner-mrtg but there is nothing to see as yet. No info in as yet Busy Building up as we speak. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > Sent: 28 January 2004 03:27 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Announce: MailScanner-MRTG version 0.07 released > {Virus Scanned} > > > Christo Bezuidenhout wrote: > > The Timeouts dissapeared but still the MSMRTG and gd-png errors stay > > As I said, Google for the mrtg errors. Google gave me this, > which should solve the first problem... > http://www.ee.ethz.ch/~slist/mrtg/msg25586.html > > However I can't find a solution for your second problem (the > libpng messages) - but your mrtg version number doesn't match > any of those available from RedHat network, so I would > suggest you upgrade (or downgrade) to the current official RedHat rpm. > > The MSMRTG errors should be fixed in the version I hope to > release later this evening, However you may find that > applying the attached patch to > /usr/lib/MailScanner-MRTG/Data.pm helps. > > > >> And these are from (or caused by MSMRTG) > >>> ERROR: iptraffic counters not fully initialised > >>> No iptraffic data on this run > >>> Use of uninitialized value in join or string > >>> at/usr/lib/MailScanner-MRTG/MSMRTG/State.pm line 193. > >> > >> I admit there is still a small problem with MSMRTG and net-snmp > >> (which may be causing the last 4 lines above), A couple of > folks are > >> trying some patches and I hope to release a fixed version this > >> tonight. 
> >> > >> I don't know what the mrtg errors mean, I've not seen them > before - > >> perhaps you could Google for them. > >> > >> > >> > >> BMRB International > >> http://www.bmrb.co.uk > >> +44 (0)20 8566 5000 > >> _________________________________________________________________ > >> This message (and any attachment) is intended only for the > recipient > >> and may contain confidential and/or privileged material. > If you have > >> received this in error, please contact the sender and delete this > >> message immediately. Disclosure, copying or other action taken in > >> respect of this email or in reliance on it is prohibited. BMRB > >> International Limited accepts no liability in relation to any > >> personal emails, or content of any email which does not directly > >> relate to our business. > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> Mailscanner thanks IT For Africa for their support.
> > From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 28 16:04:31 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:08 2006 Subject: Enterprise Library + MailScanner Message-ID: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside> Julian: Sophos has a replacement for their Enterprise Manager called Enterprise Library, and it now supports Linux (and other *nix and Novell) instead of just Windows clients. How difficult would it be to have MailScanner update Sophos from a CID or a web CID? Or is it a bad idea to automaticaly upgrade the engine? TIA, --J(K) From lenaig at WANADOO.FR Wed Jan 28 16:14:08 2004 From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:08 2006 Subject: pb f-prot wrapper In-Reply-To: <20040128151538.GA1465@maelenn> References: <20040128151538.GA1465@maelenn> Message-ID: <20040128161408.GA2181@maelenn> oupss made a mistake ... forgot to feel ScanDir ... sorry -- Thierry From Kevin.Spicer at BMRB.CO.UK Wed Jan 28 16:26:45 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:08 2006 Subject: Announce: MailScanner-MRTG version 0.07 released {Virus Scanned} Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> Stephe Campbell wrote: > This is what I am seeing, not running snmp, and configure as such in > the conf file: > > CPU utilization not working > Server Network traffic not working > Space Used in /var/spool not working > Space Used in Work Directory not working > > Is this proper in light of the non-snmp stuff? CPU and Network stats (and memory) come from SNMP Space used will only return figures now if the specified directory is a mountpoint. If this is not a mountpoint on your system then it will always return zero. > I turned on the default snmpd installed with RH 7.3 and this did not > change. No changes were made to the snmpd.conf file or anywhere else. 
> I do not use snmp anywhere (actually, I don't even know what it's
> used for), so the configuration of such would be an added chore.

The default snmpd shouldn't need much/any config (I need to produce a quickstart note for that I think) - ensure that it is net-snmp or ucd-snmp, start snmpd and set Use SNMP=yes in the mailscanner-mrtg.conf. You also need to ensure you have net-snmp-utils or ucd-snmp-utils installed.

If you have net-snmp then there are still a few problems with net-snmp support - I'm rolling all the patches together and will hopefully release an update tonight.

Note that you won't see changes immediately (wait say 10-15 minutes) as it works on the difference between consecutive runs

> Is it best just to downgrade?

Probably not, the previous iptraffic stats were essentially meaningless (due to being a snapshot of 5 seconds of activity, rather than an average over 5 minutes). The CPU utilization wasn't much better (and tended to be skewed by the load of mailscanner-mrtg itself). The two disk space graphs (in your case) were showing the space of directories other than what they said they were. So the only useful graph you have lost is memory (assuming that was working on your box & accurate - which was not the case on all OS's).

Hopefully tonight I'll get a fully-working-with-net-snmp version out the door and I'll try and do some notes on getting snmp working.

If you do downgrade there are a couple of things you need to do...
Immediately after downgrading

mv /var/www/html/mailscanner-mrtg/loadavg.log.xxxxxxxxx /var/www/html/mailscanner-mrtg/loadavg/loadavg.log
mv /var/www/html/mailscanner-mrtg/mailbytes/mailbytes.log.xxxxxxxxx /var/www/html/mailscanner-mrtg/mailbytes/mailbytes.log

(where xxxxxxx is a string of numbers [unix timestamp])

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From viers at UNILIM.FR Wed Jan 14 10:11:13 2004
From: viers at UNILIM.FR (Nicolas Viers - SCI)
Date: Thu Jan 12 21:22:08 2006
Subject: FoundForm = Found a form in HTML message
Message-ID: <5.0.2.1.2.20040114110935.01db1260@127.0.0.1>

Hello,

how to disable stopping messages with "FoundForm = Found a form in HTML message"? Because some newsletters are blocked by mailscanner and users don't like it.
Thanks a lot

____________________________________________________________
Nicolas Viers          | Service Commun Informatique
Mél: viers@unilim.fr   | 123, avenue Albert Thomas
                       | 87060 Limoges cedex
Tel: 05-55-45-77-09    | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

From sw at INTERNETX.DE Wed Jan 14 19:18:25 2004
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:22:08 2006
Subject: MailScanner is leaving sendmail qf-Files behind
In-Reply-To: <6.0.1.1.2.20040114190531.04230f08@imap.ecs.soton.ac.uk>
References: <20040114181418.GA24010@lain.intern.internetx.de> <6.0.1.1.2.20040114190531.04230f08@imap.ecs.soton.ac.uk>
Message-ID: <20040114191825.GA25678@lain.intern.internetx.de>

Yes, they are.

* Julian Field [2004-01-14 20:16]:
> Are mqueue.in and mqueue on the same filesystem?
>
> At 18:14 14/01/2004, you wrote:
> >Hi, I asked this some time ago, but now the problem appears again.
> >MailScanner doesn't delete some qf-files from the incoming queue after
> >delivering
> >a message:
> >
> >Jan 14 18:32:33 postoffice sm-mta[24906]: i0EHWWTi024906:
> >from=, size=4833,
> >class=-30, nrcpts=1, msgid=, proto=ESMTP,
> >daemon=MTA, relay=gate2.mailgate.de [62.116.129.39]
> >Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Found 7 messages
> >waiting
> >Jan 14 18:32:33 postoffice MailScanner[19732]: New Batch: Forwarding 3
> >unscanned messages, 30633 bytes
> >Jan 14 18:32:33 postoffice MailScanner[19732]: Spam Checks: Starting
> >Jan 14 18:32:33 postoffice MailScanner[19732]: Unscanned: Delivered 3
> >messages
> >Jan 14 18:32:33 postoffice MailScanner[19732]: Virus and Content Scanning:
> >Starting
> >Jan 14 18:32:34 postoffice sendmail[24913]: i0EHWWTi024906:
> >to=, delay=00:00:01, xdelay=00:00:00, mailer=local,
> >pri=176347, dsn=2.0.0, stat=Sent
> >
> >After this, the file qfi0EHWWTi024906 remains in mqueue.in.
> > > >The first time I posted this, it was assumed to be a sendmail problem, > >but as sendmail has completed delivery of the mail it must be > >MailScanner who leaves behind this queuefile.... > > > >It leaves approx. 6-12 files per day. > > > >Greetings > >Sebastian > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Mon Jan 19 22:07:24 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:08 2006 Subject: 4.26- beta upgrade (was RE: Another MailScanner User!) In-Reply-To: References: Message-ID: <400C551C.6090001@themarshalls.co.uk> Just for my 2p, my server doesn't have a high load but I suffered duplicate mail. My old set up on Slackware didn't suffer, the new on Gentoo did :-( . I'm not quite sure why but it seemed that the Postfix queue runner and MailScanner got in each others way with the result that MS picked up incomplete messages. Any way that's all in the past now Drew Neil Robst wrote: >Hi all, > >Just applied the 4.26-4 beta of MailScanner to my mail server, though I've >been unable to replicate the problem with the duplicate mails either before >or after (as expected) the upgrade. Do you know any details about >that -whether it only manifested itself when there were lots of recepients >on the message or a high load on the server or what? > >Regards, >Neil > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy

From mkbowman at neo.rr.com Wed Jan 28 16:48:54 2004
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:22:08 2006
Subject: Silent Viruses and Mydoom
Message-ID: <000701c3e5be$a0599c00$a767a8c0@MKBOWMAN2>

Hi,

I setup a Ruleset for MyDoom but users are still being notified:

Ruleset below:

Virus: default yes
Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
FromOrTo: default yes

Is my syntax and wording ok?

Mailscanner 4.24-5/Redhat 9/sendmail

Thanks
Matthew

From sw at INTERNETX.DE Wed Jan 28 16:56:00 2004
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:22:08 2006
Subject: Silent Viruses and Mydoom
In-Reply-To: <000701c3e5be$a0599c00$a767a8c0@MKBOWMAN2>
References: <000701c3e5be$a0599c00$a767a8c0@MKBOWMAN2>
Message-ID: <20040128165600.GA8944@lain.intern.internetx.de>

* Matthew K Bowman [2004-01-28 17:52]:
> Hi,
>
> I setup a Ruleset for MyDoom but users are still being notified:
>
> Ruleset below:
>
> Virus: default yes
> Virus: Bagle no
> Virus: MyDoom no
> Virus: NoVarg no
> FromOrTo: default yes
>
> Is my syntax and wording ok?

First, the ruleset uses the first line matching, so put your first line from top to the bottom. If you're using ClamAV you should add:

Virus: SCO no

before your default line. Like this:

Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
Virus: SCO no
Virus: default yes

Sebastian

From mailscanner at ecs.soton.ac.uk Wed Jan 28 16:53:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:08 2006
Subject: Enterprise Library + MailScanner
In-Reply-To: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside>
References: <00ad01c3e5b8$6a7a77e0$0501a8c0@darkside>
Message-ID: <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk>

At 16:04 28/01/2004, you wrote:
>Julian:
>
>Sophos has a replacement for their Enterprise Manager called
>Enterprise Library, and it now supports Linux (and other
>*nix and Novell) instead of just Windows clients.
How >difficult would it be to have MailScanner update Sophos >from a CID or a web CID? > >Or is it a bad idea to automaticaly upgrade the engine? The only time I ever automatically upgraded the engine, it broke SAVI. I had to rebuild the perl SAVI module to get it to work again. So I'm a little wary of going down that path. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 16:52:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: VEXIRA antivirus support In-Reply-To: <1488394A34F6A0408FDA3841418D1442183D2A@scorpio.auron.mi> References: <1488394A34F6A0408FDA3841418D1442183D2A@scorpio.auron.mi> Message-ID: <6.0.1.1.2.20040128165154.08d24298@imap.ecs.soton.ac.uk> Any chance you could write a vexira-autoupdate as well please? Then I will include it in the main distribution. At 15:18 28/01/2004, you wrote: >Hello everybody, >I'm not sure this is the right place to send this kind of emails, so if it >is not please forward me to the right place. > >I've twicked a little bit with the MailScanner code to add support for the >Vexira Antivirus (I'm very satisfied with it.) > >I'm using this modified version of MailScanner 4.24.5 from some times and >it seems to work fine. > >Here I attach the patch to make things to work; basically only minor >modifications are necessary to the following files: >- etc/virus.scanners.conf (virus wrapper configuration) >- lib/MailScanner/SweepViruses.pm (the actual processing sub) >- lib/vexira-wrapper (virus wrapper shell script) > >I haven't had time to test and install any newer version of MailScanner. > >I have set the SupportScanning option to BETA (I don't know if this is the >right status anyway...) so you may need to modify your Minimum Code Status >to at least 'beta' in your MailScanner.conf to see the vexira working. 
> >You may want to check the virus.scanners.conf if you have installed Vexira >in a non-standard directory (/usr/bin/vexira) > >Any feedback is welcome. > >Bye, >Gabriele > >P.S. I suggest to run something like "patch -p2 /opt/MailScanner directory (or whatever directory you install MailScanner >into) to apply the patch. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 16:55:37 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: New Feature -- "and" in rules Message-ID: <6.0.1.1.2.20040128165340.03bf9470@imap.ecs.soton.ac.uk> In rules in ruleset files, you can now have an "and" operator. You are only allowed 1 per rule at most, but it does mean you can do stuff like From: user1@friend.com and To: user2@mysite.com yes or other rules that look like this. Hopefully this will do away with the need to write Custom Functions for some functionality that just needs to be able to test 2 addresses for each rule instead of just 1. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 16:49:45 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: MailScanner Rules {Scanned} - Read Me! In-Reply-To: <000e01c3e58a$cfd6e340$0201a8c0@lappy> References: <6.0.1.1.2.20040128102802.077234b0@imap.ecs.soton.ac.uk> <000e01c3e58a$cfd6e340$0201a8c0@lappy> Message-ID: <6.0.1.1.2.20040128164812.03acc900@imap.ecs.soton.ac.uk> At 10:38 28/01/2004, you wrote: > > > > >Morning, > > > > > > > > > >I am trying to get my head around mailscanner rules and I was > > >wondering > > > > >if I have this right. Can I write a rule as follows. > > > > > > > > > >To: user@blah /path/to/their/ruleset.rules ? 
> > > > > > > > > >If not how could I set a rule for a specific address. > > > > > > > > To: user@blah value > > > > > > > > where "value" is the result of this configuration option for mail > > >going to > > > > user@blah. > > > > > >In simple terms please for "value" all I see is references to yes or >no. > > > > It can be other things, such as a numerical value or a filename, it is > > whatever data the configuration option is expecting to get. > > > > >Can you give me an example for any mail coming to user@blah to screen > > >out messages from user@spammerblah. > > > > You can only put 1 condition in the test, and you can't have rules >that > > point to more rulesets. Sorry, but that's a limitation of the > > configuration > > engine I have written. I know it's not perfect, maybe expanding its > > abilities is something I should look at for the next version, so you >can > > at > > least have "and" in conditions, which would solve this problem. > >Trust me to try the impossible :) > >It would be good to be able to set user specific filtering rules in >future though. I have just implemented a simple "and" operator in the rules. You can now say things like From: joe@friend.com and To: sysadmin@you.com yes In other words you can have 2 address tests in each rule. You are only allowed 1 "and" in each rule. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From goleotti at MISAG.IT Wed Jan 28 17:28:11 2004 From: goleotti at MISAG.IT (Gabriele Oleotti) Date: Thu Jan 12 21:22:09 2006 Subject: VEXIRA antivirus support Message-ID: <1488394A34F6A0408FDA3841418D1442183D32@scorpio.auron.mi> Yes, of course. I'm actually working on it. Bye, Gabriele -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: mercoled? 
28 gennaio 2004 17.52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: VEXIRA antivirus support Any chance you could write a vexira-autoupdate as well please? Then I will include it in the main distribution. At 15:18 28/01/2004, you wrote: >Hello everybody, >I'm not sure this is the right place to send this kind of emails, so if it >is not please forward me to the right place. > >I've twicked a little bit with the MailScanner code to add support for the >Vexira Antivirus (I'm very satisfied with it.) > >I'm using this modified version of MailScanner 4.24.5 from some times and >it seems to work fine. > >Here I attach the patch to make things to work; basically only minor >modifications are necessary to the following files: >- etc/virus.scanners.conf (virus wrapper configuration) >- lib/MailScanner/SweepViruses.pm (the actual processing sub) >- lib/vexira-wrapper (virus wrapper shell script) > >I haven't had time to test and install any newer version of MailScanner. > >I have set the SupportScanning option to BETA (I don't know if this is the >right status anyway...) so you may need to modify your Minimum Code Status >to at least 'beta' in your MailScanner.conf to see the vexira working. > >You may want to check the virus.scanners.conf if you have installed Vexira >in a non-standard directory (/usr/bin/vexira) > >Any feedback is welcome. > >Bye, >Gabriele > >P.S. I suggest to run something like "patch -p2 /opt/MailScanner directory (or whatever directory you install MailScanner >into) to apply the patch. 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ka at PACIFIC.NET Wed Jan 28 17:33:25 2004
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:22:09 2006
Subject: New Feature -- "and" in rules
In-Reply-To: <6.0.1.1.2.20040128165340.03bf9470@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040128165340.03bf9470@imap.ecs.soton.ac.uk>
Message-ID: <4017F265.3060201@pacific.net>

Wow, that's great!
I have a custom function based on your per domain custom function example. Do you think using this feature would be faster, or about the same as using a custom function for whitelists per user?
Is this in 4.26.5?

Thank you!
Ken Anderson
Pacific.Net

Julian Field wrote:
> In rules in ruleset files, you can now have an "and" operator. You are only
> allowed 1 per rule at most, but it does mean you can do stuff like
>
> From: user1@friend.com and To: user2@mysite.com yes
>
> or other rules that look like this.
>
> Hopefully this will do away with the need to write Custom Functions for
> some functionality that just needs to be able to test 2 addresses for each
> rule instead of just 1.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

From ree at THUNDERSTAR.NET Wed Jan 28 17:39:14 2004
From: ree at THUNDERSTAR.NET (Ron E.)
Date: Thu Jan 12 21:22:09 2006
Subject: spamassassin timeouts this morning
Message-ID:

Hi all -

I'm wondering if anyone is getting spamassassin timeouts this morning. My server has now accumulated quite a backlog due to this. I saw that the dsbl.org blacklist was timing out so I've disabled that, then I saw that both razor & pyzor were timing out - a pyzor discover seemed to handle pyzor, but razor is still timing out after doing a discover.

Any suggestions would be great.
Regards, Ron From support at EAGLE-ACCESS.NET Wed Jan 28 17:52:06 2004 From: support at EAGLE-ACCESS.NET (Eagle Net Support) Date: Thu Jan 12 21:22:09 2006 Subject: Spam List = {Scanned} Message-ID: <4017F6C6.50837787@eagle-access.net> I think I found why I'm not filtering hardly any spam out. The Entry in MailScanner.conf are set to nothing: Spam List = Spam Domain List = Could anyone provide these entries? Do I need corresponding entries in either spam.assassin.prefs.conf spam.lists.conf Also could someone provide the default settings to run MCP ? I set mine up with the entries listed in the FAQ, but I suspect they may be incorrect as they don't look right, (ex. MCP Checks = no , seems like it should be yes. So I'd like to confirm all of them. *************paste MCP entries MailScanner.conf from FAQ MCP Checks = no MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-MailScanner-MCPCheck: #Actions are deliver, bounce, forward email@domain.com, store #For qmail, use ONLY store Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Log MCP = yes Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100000 MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% *********************end paste thanks joe -- This message has been scanned for viruses and dangerous content, and is believed to be clean. 
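Added example, not part of the list archive and not MailScanner's own code: a small Python model of the ruleset behaviour described in the "Silent Viruses and Mydoom" and "New Feature -- "and" in rules" messages above (rules tried top to bottom, first match wins, at most one "and" per rule). The function names, the substring match used for Virus: rules, the wildcard match used for addresses, the single-word rule value and the final "FromOrTo: default no" line are assumptions made for illustration.

```python
import fnmatch

# Rule lines as quoted in the thread (Matthew's original order).
ORIGINAL_RULESET = """\
Virus: default yes
Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
FromOrTo: default yes
"""

# Sebastian's suggested order: specific rules first, default last.
REORDERED_RULESET = """\
Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
Virus: SCO no
Virus: default yes
"""

# The "and" rule from Julian's announcement; the default line is constructed.
AND_RULESET = """\
From: user1@friend.com and To: user2@mysite.com yes
FromOrTo: default no
"""


def parse_rule(line):
    """Split 'Field: pattern [and Field: pattern] value' into (conditions, value)."""
    tokens = line.split()
    and_positions = [i for i, tok in enumerate(tokens) if tok.lower() == "and"]
    if len(and_positions) > 1:
        raise ValueError("at most one 'and' per rule: %r" % line)
    body, value = tokens[:-1], tokens[-1]  # assumption: value is a single word
    if and_positions:
        cut = and_positions[0]
        groups = [body[:cut], body[cut + 1:]]
    else:
        groups = [body]
    conditions = []
    for group in groups:
        if len(group) != 2 or not group[0].endswith(":"):
            raise ValueError("expected 'Field: pattern' in %r" % line)
        conditions.append((group[0][:-1].lower(), group[1]))
    return conditions, value


def condition_matches(field, pattern, msg):
    """Test one 'Field: pattern' condition against a message dict."""
    if pattern.lower() == "default":
        return True  # modelled as a catch-all at its position in the file
    if field == "virus":
        # Assumption: case-insensitive substring match on the scanner's report.
        return pattern.lower() in msg.get("virus", "").lower()
    if field == "from":
        addresses = [msg.get("from", "")]
    elif field == "to":
        addresses = [msg.get("to", "")]
    elif field == "fromorto":
        addresses = [msg.get("from", ""), msg.get("to", "")]
    else:
        raise ValueError("unsupported field %r" % field)
    # Assumption: shell-style wildcards, compared case-insensitively.
    return any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in addresses)


def evaluate(ruleset_text, msg, fallback=None):
    """Return the value of the first rule whose conditions all match."""
    for raw in ruleset_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        conditions, value = parse_rule(line)
        if all(condition_matches(f, p, msg) for f, p in conditions):
            return value
    return fallback


if __name__ == "__main__":
    infected = {"virus": "W32/MyDoom-A"}  # scanner name taken from the thread
    print("original order :", evaluate(ORIGINAL_RULESET, infected))
    print("reordered      :", evaluate(REORDERED_RULESET, infected))
    pair = {"from": "user1@friend.com", "to": "user2@mysite.com"}
    print("and rule       :", evaluate(AND_RULESET, pair))
```

With the default line first, every message takes the default value and the specific Virus: lines are never reached, which is the symptom reported in the thread.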
From mailscanner at ecs.soton.ac.uk Wed Jan 28 18:07:50 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: Spam List = {Scanned} In-Reply-To: <4017F6C6.50837787@eagle-access.net> References: <4017F6C6.50837787@eagle-access.net> Message-ID: <6.0.1.1.2.20040128180422.03be51c0@imap.ecs.soton.ac.uk> At 17:52 28/01/2004, you wrote: >I think I found why I'm not filtering hardly any spam out. The Entry in >MailScanner.conf are set to nothing: > >Spam List = >Spam Domain List = I leave Spam Domain List set to blank. In Spam List, I use MAPS-RBL+ (we have a subscription to it), ORDB-RBL and SBL+XBL. >Could anyone provide these entries? Do I need corresponding entries in >either > >spam.assassin.prefs.conf None needed. >spam.lists.conf ORDB-RBL relays.ordb.org. SBL+XBL sbl-xbl.spamhaus.org. The lists used by other people will of course vary from what I use myself. >Also could someone provide the default settings to run MCP ? I set mine >up with the entries listed in the FAQ, but I suspect they may be >incorrect as they don't look right, (ex. MCP Checks = no , seems like it >should be yes. So I'd like to confirm all of them. Only use MCP if you need to. It is quite a performance hit due to a bug in SpamAssassin that I haven't been able to find yet. Read the docs and compare with the spam settings, so that you understand the effect of each of the MCP settings. 
>*************paste MCP entries MailScanner.conf from FAQ >MCP Checks = no > >MCP Required SpamAssassin Score = 1 >MCP High SpamAssassin Score = 10 >MCP Error Score = 1 > >MCP Header = X-MailScanner-MCPCheck: >#Actions are deliver, bounce, forward email@domain.com, store >#For qmail, use ONLY store >Non MCP Actions = deliver >MCP Actions = deliver >High Scoring MCP Actions = deliver > >Log MCP = yes >Is Definitely MCP = no >Is Definitely Not MCP = no >Definite MCP Is High Scoring = no >Always Include MCP Report = no >Detailed MCP Report = yes >Include Scores In MCP Report = no > >MCP Max SpamAssassin Timeouts = 20 >MCP Max SpamAssassin Size = 100000 >MCP SpamAssassin Timeout = 10 > >MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf >MCP SpamAssassin User State Dir = >MCP SpamAssassin Local Rules Dir = %mcp-dir% >MCP SpamAssassin Default Rules Dir = %mcp-dir% >*********************end paste > >thanks >joe > > >-- >This message has been scanned for viruses and >dangerous content, and is believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Jan 28 18:02:52 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: New Feature -- "and" in rules In-Reply-To: <4017F265.3060201@pacific.net> References: <6.0.1.1.2.20040128165340.03bf9470@imap.ecs.soton.ac.uk> <4017F265.3060201@pacific.net> Message-ID: <6.0.1.1.2.20040128180135.03bac110@imap.ecs.soton.ac.uk> At 17:33 28/01/2004, you wrote: >Wow, that's great! >I have a custom function based on your per domain custom function >example. Do you think using this feature would be faster, or about the >same as using a custom function for whitelists per user? >Is this in 4.26.5? 
Using the per-domain custom function will still be faster when used with a lot of domains. In that case, the domains are looked up in a hash table (very fast). With the "and" operator, all the rules have to be checked until a match is found, as the address tests can be arbitrary strings and not just domain names.

It will be in 4.26.6.

>Thank you!
>Ken Anderson
>Pacific.Net
>
>
>
>Julian Field wrote:
>
>>In rules in ruleset files, you can now have an "and" operator. You are only
>>allowed 1 per rule at most, but it does mean you can do stuff like
>>
>>From: user1@friend.com and To: user2@mysite.com yes
>>
>>or other rules that look like this.
>>
>>Hopefully this will do away with the need to write Custom Functions for
>>some functionality that just needs to be able to test 2 addresses for each
>>rule instead of just 1.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Jan 28 18:04:08 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:09 2006
Subject: spamassassin timeouts this morning
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040128180326.03b8df90@imap.ecs.soton.ac.uk>

At 17:39 28/01/2004, you wrote:
>Hi all -
>
>I'm wondering if anyone is getting spamassassin timeouts this morning. My
>server has now accumulated quite a backlog due to this. I saw that the
>dsbl.org blacklist was timing out so I've disabled that, then I saw that
>both razor & pyzor were timing out - a pyzor discover seemed
>to handle pyzor, but razor is still timing out after doing a discover.

I switched off razor yesterday morning, it was repeatedly timing out.
Haven't tried it again since (been writing code for you lot :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mja at FAMILYRADIO.ORG Wed Jan 28 18:14:12 2004
From: mja at FAMILYRADIO.ORG (Michael J. Allen)
Date: Thu Jan 12 21:22:09 2006
Subject: Disinfection by ClamAV
Message-ID: <4017FBF4.2010908@familyradio.org>

To all:

How do I get ClamAV to disinfect email? See snippet from maillog below:

* * *
Jan 27 14:30:11 mail2 MailScanner[590]: /var/spool/MailScanner/incoming/590/./i0RMTaPh009920/message.zip: Worm.SCO.A FOUND
Jan 27 14:30:11 mail2 MailScanner[590]: Virus Re-scanning: ClamAV found 10 infections
Jan 27 14:30:11 mail2 MailScanner[590]: Disinfection: Rescan found only 10 viruses
* * *

I am using the latest version of sendmail as my MTA. Do I have to use 'qmail' as my MTA instead?

Mike

From michele at BLACKNIGHTSOLUTIONS.COM Wed Jan 28 18:16:17 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:09 2006
Subject: spamassassin timeouts this morning
In-Reply-To: <6.0.1.1.2.20040128180326.03b8df90@imap.ecs.soton.ac.uk>
Message-ID:

> At 17:39 28/01/2004, you wrote:
> >Hi all -
> >
> >I'm wondering if anyone is getting spamassassin timeouts this morning. My
> >server has now accumulated quite a backlog due to this. I saw that the
> >dsbl.org blacklist was timing out so I've disabled that, then I saw that
> >both razor & pyzor were timing out - a pyzor discover seemed
> >to handle pyzor, but razor is still timing out after doing a discover.
>
> I switched off razor yesterday morning, it was repeatedly timing out.
> Haven't tried it again since (been writing code for you lot :-)

I get the general impression that mail servers are under pressure today at a global level, so SA timeouts etc., would not really surprise me.
We had to shut down some services on one of our shared hosting servers due to the amount of junk that MS had to process :(

From raymond at PROLOCATION.NET Wed Jan 28 18:17:25 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:09 2006
Subject: Disinfection by ClamAV
In-Reply-To: <4017FBF4.2010908@familyradio.org>
Message-ID:

Hi!

> How do I get ClamAV to disinfect email? See snippet from maillog below:
>
> RMTaPh009920/message.zip: Worm.SCO.A FOUND
> Jan 27 14:30:11 mail2 MailScanner[590]: Virus Re-scanning: ClamAV found

It won't, Clam will only detect viruses, not clean them.

Bye,
Raymond.

From jaearick at COLBY.EDU Wed Jan 28 18:21:07 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:09 2006
Subject: mydoom-a miscounting, a discovery
Message-ID:

Hi,

I wondered last night why clamav was counting so many more SCO.A's than sophos was counting MyDoom-A. I was seeing about twice as many INFECTED:: syslogs for clamav in my summary perl report, eg:

1779: Worm.SCO.A
638: W32/MyDoom-A

In poking thru my syslogs, I discovered that sometimes MailScanner writes a syslog message from Sophos like:

INFECTED:: W32/MyDoom-A:: ./i0SI7Qhm007323/document.pif

and sometimes it writes out:

INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0SI8W68008073/data.zip

where the filetype is always *.zip for the double notation. Once I tweaked my perl script that does the summary counts, the arithmetic matched: Clamav and Sophos are catching the same numbers of copies.

Any ideas on why the double notation from Sophos? Both the signature of the zipped and unzipped files match the sig for MyDoom-A?
Jeff Earickson Colby College From mike at UNIXSECURITY.ORG Wed Jan 28 18:35:16 2004 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> Message-ID: <401800E4.60708@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Spicer, Kevin wrote: | The default snmpd shouldn't need much/any config (I need to produse | a quickstart note for that I think) - ensure that it is net-snmp or | ucd-snmp, start snmpd and set Use SNMP=yes in the | mailscanner-mrtg.conf. You also need to ensure you have | net-snmp-utils or ucd-snmp-utils installed. | | If you have net-snmp then there are still a few problems with | net-snmp support - I'm rolling all the patches together and will | hopefully release an update tonight. | | Note that you won't see changes immediately (wait say 10-15 | minutes) as it works on the difference between consequtive runs This may or may not be something you're addressing, but with a RH9 system, I have yet to get any of the snmp related graphs populated. In doing some testing, it seems to be an issue with net-snmp using the ucd-snmp mibs. 
[root@deep-thought mibs]# snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.2021.4 UCD-SNMP-MIB::memory = No more variables left in this MIB View (It is past the end of the MIB tree) [root@deep-thought mibs]# rpm -qa |grep snmp net-snmp-5.0.9-2.90.1 net-snmp-utils-5.0.9-2.90.1 - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAGADkXes7jE7XvgsRAnatAJ4wnN4ojtI3dMawsvYdsRvosKLUtwCeIyYV 33Trz1OD3ltThcKQmZtvMo8= =Y22S -----END PGP SIGNATURE----- From mkettler at EVI-INC.COM Wed Jan 28 18:59:31 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:09 2006 Subject: Disinfection by ClamAV In-Reply-To: References: <4017FBF4.2010908@familyradio.org> Message-ID: <6.0.0.22.0.20040128135715.02502588@xanadu.evi-inc.com> At 01:17 PM 1/28/2004, Raymond Dijkxhoorn wrote: > > RMTaPh009920/message.zip: Worm.SCO.A FOUND > > Jan 27 14:30:11 mail2 MailScanner[590]: Virus Re-scanning: ClamAV found > >It wont, Clam will only detect virusses, not clean them. Besides, in the case of Worm.SCO.A, disinfection == deletion. SCO.A doesn't infect legitimate files, it just emails copies of itself. An infected file consists entirely of the worm itself and nothing else. From mailscanner at ecs.soton.ac.uk Wed Jan 28 18:59:14 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: Disinfection by ClamAV In-Reply-To: References: <4017FBF4.2010908@familyradio.org> Message-ID: <6.0.1.1.2.20040128185635.0482df68@imap.ecs.soton.ac.uk> At 18:17 28/01/2004, you wrote: >Hi! > > > How do I get ClamAV to disenfect email ? See snippet from maillog below: > > > > RMTaPh009920/message.zip: Worm.SCO.A FOUND > > Jan 27 14:30:11 mail2 MailScanner[590]: Virus Re-scanning: ClamAV found > >It wont, Clam will only detect virusses, not clean them. 
MailScanner makes a distinction between "cleaning" and "disinfection"
Cleaning = remove the virus from the email, replace it with a harmless text notification message.
Disinfection = only possible with some scanners and for some macro viruses, removal of the macro virus from the document leaving the original document intact. If this step succeeds then the document is sent on to the original recipients in a separate message.

MailScanner will "clean" with any virus scanner. It will only "disinfect" with scanners that can do it. Clam cannot disinfect, but that doesn't mean any viruses will get through to your users, they won't.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From brose at MED.WAYNE.EDU Wed Jan 28 19:00:11 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:09 2006
Subject: Disinfection by ClamAV
Message-ID:

Why would disinfect it. The exe,scr,pif that are being passed around are the virus, not some virus attached to a real file. Plus the email itself is a message generated by the virus. Removing the virus and sending on the virus generated message would just lead to your userbase asking questions.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
Sent: Wednesday, January 28, 2004 1:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Disinfection by ClamAV

Hi!

> How do I get ClamAV to disinfect email ? See snippet from maillog below:
>
> RMTaPh009920/message.zip: Worm.SCO.A FOUND Jan 27 14:30:11 mail2
> MailScanner[590]: Virus Re-scanning: ClamAV found

It won't, Clam will only detect viruses, not clean them.

Bye,
Raymond.
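Jeff Earickson's "mydoom-a miscounting" message earlier in this archive describes Sophos reports that repeat the virus name for zip attachments, which inflates a per-name summary. The sketch below is an added example, not his Perl script and not MailScanner code: it counts each detection once per attachment and lists attachments that only one scanner flagged. The syslog prefixes, the message IDs i0SI9X00000001 and i0SIAB00000002 and the file names readme.zip and body.scr are constructed sample data; the regexes assume the two line formats quoted in the posts.

```python
import re
from collections import Counter

# Sophos report as quoted in the post: one or more names, "::", then ./<msgid>/<file>
SOPHOS_RE = re.compile(
    r"INFECTED::\s+(?P<names>.+?)::\s+\./(?P<msgid>[^/\s]+)/(?P<file>\S+)")
# ClamAV report as quoted in the "Disinfection by ClamAV" thread:
# .../incoming/<pid>/./<msgid>/<file>: <name> FOUND
CLAMAV_RE = re.compile(
    r"/\./(?P<msgid>[^/\s]+)/(?P<file>[^:\s]+):\s+(?P<name>\S+)\s+FOUND")

# Constructed sample log (timestamps, host and PID are made up).
SAMPLE_LOG = """\
Jan 28 13:07:26 mail MailScanner[590]: INFECTED:: W32/MyDoom-A:: ./i0SI7Qhm007323/document.pif
Jan 28 13:07:26 mail MailScanner[590]: /var/spool/MailScanner/incoming/590/./i0SI7Qhm007323/document.pif: Worm.SCO.A FOUND
Jan 28 13:08:32 mail MailScanner[590]: INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0SI8W68008073/data.zip
Jan 28 13:08:32 mail MailScanner[590]: /var/spool/MailScanner/incoming/590/./i0SI8W68008073/data.zip: Worm.SCO.A FOUND
Jan 28 13:09:01 mail MailScanner[590]: INFECTED:: W32/MyDoom-A W32/MyDoom-A:: ./i0SI9X00000001/readme.zip
Jan 28 13:09:01 mail MailScanner[590]: /var/spool/MailScanner/incoming/590/./i0SI9X00000001/readme.zip: Worm.SCO.A FOUND
Jan 28 13:09:40 mail MailScanner[590]: /var/spool/MailScanner/incoming/590/./i0SIAB00000002/body.scr: Worm.SCO.A FOUND
"""


def parse(lines):
    """Return a list of (scanner, msgid, filename, [virus names]) tuples."""
    detections = []
    for line in lines:
        m = SOPHOS_RE.search(line)
        if m:
            detections.append(
                ("sophos", m["msgid"], m["file"], m["names"].split()))
            continue
        m = CLAMAV_RE.search(line)
        if m:
            detections.append(
                ("clamav", m["msgid"], m["file"], [m["name"]]))
    return detections


def naive_counts(detections):
    """Count every name token, the way a simple summary script would."""
    counts = Counter()
    for scanner, _msgid, _fname, names in detections:
        for name in names:
            counts[(scanner, name)] += 1
    return counts


def per_file_counts(detections):
    """Count each virus name once per scanner and attachment."""
    seen = set()
    counts = Counter()
    for scanner, msgid, fname, names in detections:
        for name in set(names):  # collapses "W32/MyDoom-A W32/MyDoom-A"
            key = (scanner, msgid, fname, name)
            if key not in seen:  # also collapses repeated log lines
                seen.add(key)
                counts[(scanner, name)] += 1
    return counts


def flagged_by_one_scanner(detections):
    """Attachments reported by exactly one of the two scanners."""
    files = {"sophos": set(), "clamav": set()}
    for scanner, msgid, fname, _names in detections:
        files[scanner].add((msgid, fname))
    return {
        "sophos_only": files["sophos"] - files["clamav"],
        "clamav_only": files["clamav"] - files["sophos"],
    }


if __name__ == "__main__":
    found = parse(SAMPLE_LOG.splitlines())
    print("naive:   ", dict(naive_counts(found)))
    print("per file:", dict(per_file_counts(found)))
    print("mismatch:", flagged_by_one_scanner(found))
```

Comparing scanners by attachment rather than by virus name also avoids depending on the two vendors using the same name for the same worm.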
From mailscanner at BARENDSE.TO Wed Jan 28 19:03:15 2004 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:22:09 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current In-Reply-To: Message-ID: Uhmm, not really You should *not* use any symlinks at all. You will either get the symptoms as described (`old' dat files) or you will see some (as in really some, not all!!) slipping through scanned, but undetected. I think I was the first unfortunate person to find/report this 'feature' of mcafee, there have been several reports about it since. On Wed, 28 Jan 2004, Tony Finch wrote: > Eric Dantan Rzewnicki wrote: > > > >However it appears that uvscan is being called with old dats that exist > >in /usr/local/uvscan/*.dat. > > These should be symlinks to datfiles/current/*.dat > > Tony. > -- > f.a.n.finch http://dotat.at/ > ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: NORTHWEST BACKING > WEST FOR A TIME, 6 OR 7 DECREASING 5 OR 6 LATER WEATHER: WINTRY SHOWERS. > MODERATE OR GOOD. MODERATE OR ROUGH. > From ree at THUNDERSTAR.NET Wed Jan 28 19:13:28 2004 From: ree at THUNDERSTAR.NET (Ron E.) Date: Thu Jan 12 21:22:09 2006 Subject: spamassassin timeouts this morning In-Reply-To: <6.0.1.1.2.20040128180326.03b8df90@imap.ecs.soton.ac.uk> Message-ID: On Wed, 28 Jan 2004, Julian Field wrote: > At 17:39 28/01/2004, you wrote: > >Hi all - > > > >I'm wondering if anyone is getting spamassassin timeouts this morning. My > >server has now accumulated quite a backlog due to this. I am saw that the > >dsbl.org blacklist was timing out so I've disabled that, then I saw that > >both razor & pyzor were timing out - a pyzor discover seemed to handlmed > >to handle pyzor, but razor is still timing out after doing a discover. > > I switched off razor yesterday morning, it was repeatedly timing out. 
> Haven't tried it again since (been writing code for you lot :-) > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Thanks for the feedback, Julian - I ended up having to turn off razor, pyzor and two dns blacklists - dsbl & ORDB in order to get the backlog to start moving again. Sheesh. -Ron From mja at FAMILYRADIO.ORG Wed Jan 28 19:12:19 2004 From: mja at FAMILYRADIO.ORG (Michael J. Allen) Date: Thu Jan 12 21:22:09 2006 Subject: Disinfection by ClamAV In-Reply-To: <6.0.1.1.2.20040128185635.0482df68@imap.ecs.soton.ac.uk> References: <4017FBF4.2010908@familyradio.org> <6.0.1.1.2.20040128185635.0482df68@imap.ecs.soton.ac.uk> Message-ID: <40180993.3020500@familyradio.org> Thanks to all for the help and clarifications regarding MailScanner and ClamAV. A most enlightening discussion! Mike Julian Field wrote: > At 18:17 28/01/2004, you wrote: > >> Hi! >> >> > How do I get ClamAV to disenfect email ? See snippet from maillog >> below: >> > >> > RMTaPh009920/message.zip: Worm.SCO.A FOUND >> > Jan 27 14:30:11 mail2 MailScanner[590]: Virus Re-scanning: ClamAV >> found >> >> It wont, Clam will only detect virusses, not clean them. > > > MailScanner makes a distinction between "cleaning" and "disinfection" > Cleaning = remove the virus from the email, replace it with a harmless > text > notification message. > Disinfection = only possible with some scanners and for some macro > viruses, > removal of the macro virus from the document leaving the original > document > intact. If this steps succeeds then the document is sent on to the > original > recipients in a separate message. > > MailScanner will "clean" with any virus scanner. It will only "disinfect" > with scanners that can do it. Clam cannot disinfect, but that doesn't > mean > any viruses will get through to your users, they won't. 
> -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bob.jones at USG.EDU Wed Jan 28 19:16:22 2004 From: bob.jones at USG.EDU (Bob Jones) Date: Thu Jan 12 21:22:09 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current In-Reply-To: References: Message-ID: <40180A86.7070802@usg.edu> Remco Barendse wrote: > Uhmm, not really > > You should *not* use any symlinks at all. > > You will either get the symptoms as described (`old' dat files) or you > will see some (as in really some, not all!!) slipping through scanned, but > undetected. > > I think I was the first unfortunate person to find/report this 'feature' > of mcafee, there have been several reports about it since. So does this mean we shouldn't be using the mcafee-autoupdate script inculding in Mailscanner/libs to update our dat files? Since it uses symlinks and all. We haven't had any problems in the 4 months or so we've been doing this. Bob From ree at THUNDERSTAR.NET Wed Jan 28 19:15:18 2004 From: ree at THUNDERSTAR.NET (Ron E.) Date: Thu Jan 12 21:22:09 2006 Subject: spamassassin timeouts this morning In-Reply-To: Message-ID: On Wed, 28 Jan 2004, Michele Neylon :: Blacknight Solutions wrote: > > At 17:39 28/01/2004, you wrote: > > >Hi all - > > > > > >I'm wondering if anyone is getting spamassassin timeouts this morning. My > > >server has now accumulated quite a backlog due to this. I am saw that the > > >dsbl.org blacklist was timing out so I've disabled that, then I saw that > > >both razor & pyzor were timing out - a pyzor discover seemed to handlmed > > >to handle pyzor, but razor is still timing out after doing a discover. > > > > I switched off razor yesterday morning, it was repeatedly timing out. 
> > Haven't tried it again since (been writing code for you lot :-) > > I get the general impression that mail servers are under pressure today at a > global level, so SA timeouts etc., would not really surprise me. We had to > shutdown some services on one of our shared hosting servers due to the > amount of junk that MS had to process :( > Yes, I think you're right - since I posted this I also got a similar response on the razor list. Looks like we have our friendly mydoom, et. al to thank... From peter at UCGBOOK.COM Wed Jan 28 19:26:47 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:09 2006 Subject: New virus outbreak In-Reply-To: <1075156177.27684.43.camel@bach.kevinspicer.co.uk> References: <40159215.2080308@ucgbook.com> <1075156177.27684.43.camel@bach.kevinspicer.co.uk> Message-ID: <40180CF7.4090207@ucgbook.com> Kevin Spicer wrote: > On Mon, 2004-01-26 at 22:17, Peter Bonivart wrote: > >>Putting >> >>deny .+$ Temporary block Temporary block >> >>at the top of filename.rules.conf should do the trick (the white space >>must be tabs). Totally untested and I might be wrong. > > > That also has the effect of blocking everything (message included) We never got an answer why none of our suggestions worked. Is the regex wrong? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From dwinkler at ALGORITHMICS.COM Wed Jan 28 19:48:00 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:09 2006 Subject: Don't Quarantine Viruses Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B16C@tormail2.algorithmics.com> I'd like to be able to not quarantine viruses but still quarantine filetype denies. The Quarantine options don't seem to distingish between the two. or do they? Thanks, Derek From bpumphrey at WOODMACLAW.COM Wed Jan 28 19:52:29 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. 
Pumphrey)
Date: Thu Jan 12 21:22:09 2006
Subject: Virus Score
Message-ID:

I looked in the mailscanner.conf and couldn't find it, I'm guessing that I overlooked it. How do I set the score so that it blocks/deletes the email instead of sending a message to my user with the subject line altered to {virus?}?

From lars+lister.mailscanner at adventuras.no Wed Jan 28 19:57:16 2004
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Thu Jan 12 21:22:09 2006
Subject: parsing problem
Message-ID: <14804.213.236.228.129.1075319836.squirrel@mail.adventuras.no>

Two times this has happened when we have received digests from the MailScanner mailinglist:

from the maillog:

Jan 28 20:35:17 natalie MailScanner[13077]: Spam Checks: Starting
Jan 28 20:35:32 natalie MailScanner[13077]: Spam Checks completed at 17370 bytes per second
Jan 28 20:35:37 natalie MailScanner[13077]: Cannot parse /var/spool/MailScanner/incoming/13077/i0SJZEUW013858.header and ,
Jan 28 20:35:37 natalie MailScanner[13077]: Virus and Content Scanning: Starting
Jan 28 20:35:39 natalie MailScanner[13077]: Virus Scanning completed at 32570 bytes per second
Jan 28 20:35:39 natalie MailScanner[13077]: Saved entire message to /var/spool/MailScanner/quarantine/20040128/i0SJZEUW013858

in short:

Cannot parse /var/spool/MailScanner/incoming/12930/i0SIXP3W012933.header and ,

And then the whole mail was dropped into quarantine and a message like this delivered to the recipient: "Report: Could not analyze message"

I am so far no more than surprised and puzzled, two cases do not make a real problem, yet. Can someone give me a clue why this happens?
-- Lars ---------------------------------------------------------------- Tjenesten mail.adventuras.no ble levert av Adventuras Web Agency http://www.adventuras.no/ From mkettler at EVI-INC.COM Wed Jan 28 20:02:07 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:09 2006 Subject: Virus Score In-Reply-To: References: Message-ID: <6.0.0.22.0.20040128145851.01f79ea8@xanadu.evi-inc.com> At 02:52 PM 1/28/2004, you wrote: >I looked in the mailscanner.conf and couldn't find it, I'm guessing that >I overlooked it. How do I set the score so that is blocks/deletes the >email instead of sending a message to my user with the subject line >altered to {virus?}? Score? Viruses don't get scores. They're either infected or not. In any event, I suggest the following settings to prevent notices to your users: Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no From mike at CAMAROSS.NET Wed Jan 28 20:07:27 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:09 2006 Subject: FYI Message-ID: <200401281959.i0SJxtGq018305@avwall.bladeware.com> Name: W32/MyDoom-B Aliases: W32/Mydoom.b@MM, I-Worm.Mydoom.b Type: Win32 worm Date: 28 January 2004 A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus. Enterprise Manager customers will receive the IDE automatically at their next scheduled update. Information about W32/MyDoom-B can be found at: http://www.sophos.com/virusinfo/analyses/w32mydoomb.html From raymond at PROLOCATION.NET Wed Jan 28 20:03:20 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:09 2006 Subject: Ouch! Message-ID: Hi! http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.B&VSect=T How many will we get this time ? Bye, Raymond. 
From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Jan 28 19:55:11 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:22:09 2006 Subject: Don't Quarantine Viruses Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn> > I'd like to be able to not quarantine viruses but still > quarantine filetype denies. Yup, you can distinguish between the two. You can set "Quarantine Infections" to match against a rule, and in the rules file have something like this: Virus: sobig no Virus: dumaru no Virus: mimail no Etc.. Cheers, -Joshua From brose at MED.WAYNE.EDU Wed Jan 28 19:44:29 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:09 2006 Subject: Feature Request? Message-ID: Ugh I hate asking because I don't like the idea, but do you think MailScanner can have a config like the Max Normal Queue Size except for temporarily disabling SpamAssassin? The only net checks SA does is Razor and Pyzor, and I've disabled Bayes. I have MS running on Solaris and a SunFire280R with 2gig of ram and running MS with 15 processes at 30 messages each. When the it gets to a certain point, it just doesn't go fast enough to clear the queues out especially when you got all these mass mailings viruses going on. I'm planning on asking for more RAM for it. 
-=B From mkbowman at neo.rr.com Wed Jan 28 19:37:00 2004 From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:22:09 2006 Subject: Silent Viruses and Mydoom References: <000701c3e5be$a0599c00$a767a8c0@MKBOWMAN2> <20040128165600.GA8944@lain.intern.internetx.de> Message-ID: <000301c3e5d6$19265350$a767a8c0@MKBOWMAN2> Thanks I got the order correct but Mydoom is still getting passed on as a notification Infection: W32/Mydoom.A@mm does Mydoom.A have to exist in the ruleset ----- Original Message ----- From: "Sebastian Wiesinger" To: Sent: Wednesday, January 28, 2004 11:56 AM Subject: Re: Silent Viruses and Mydoom > * Matthew K Bowman [2004-01-28 17:52]: > > Hi, > > > > I setup a Ruleset for MyDoom but users are still be notified: > > > > Ruleset below: > > > > Virus: default yes > > Virus: Bagle no > > Virus: MyDoom no > > Virus: NoVarg no > > FromOrTo: default yes > > > > Is my syntax and wording ok? > > First, the ruleset uses the first line matching, so put your first > line from top to the bottom. > > If you're using ClamAV you should add: > > Virus: SCO no > > before your default line. > > Like this: > > Virus: Bagle no > Virus: MyDoom no > Virus: NoVarg no > Virus: SCO no > Virus: default yes > > Sebastian > From kevins at BMRB.CO.UK Wed Jan 28 19:35:10 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <401800E4.60708@unixsecurity.org> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> Message-ID: <1075318511.24361.33.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 18:35, Mike Wallis wrote: > This may or may not be something you're addressing, but with a RH9 > system, I have yet to get any of the snmp related graphs populated. In > doing some testing, it seems to be an issue with net-snmp using the > ucd-snmp mibs. 
> > [root@deep-thought mibs]# snmpwalk -v 2c -c public localhost > .1.3.6.1.4.1.2021.4 > UCD-SNMP-MIB::memory = No more variables left in this MIB View (It is > past the end of the MIB tree) > I don't have access to a RH9 machine, but I have managed to try with a Mandrake 9.1. I initially couldn't get it to work - but then I replaced the supplied snmpd.conf (in /etc/snmp) with a vert simple one.... #START rocommunity public pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat syslocation Unknown syscontact Root #END and voila! Would you mind trying this and letting me know how you get on. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mike at UNIXSECURITY.ORG Wed Jan 28 20:09:35 2004 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075318511.24361.33.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> Message-ID: <401816FF.7070301@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Spicer wrote: | I don't have access to a RH9 machine, but I have managed to try | with a Mandrake 9.1. I initially couldn't get it to work - but | then I replaced the supplied snmpd.conf (in /etc/snmp) with a vert | simple one.... 
| | #START rocommunity public pass .1.3.6.1.4.1.4413.4.1 | /usr/bin/ucd5820stat syslocation Unknown syscontact Root | #END | | and voila! Would you mind trying this and letting me know how you | get on. Yep, that seems to have done it... since I wasn't using snmp before, that's an acceptable solution for me. - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAGBb/Xes7jE7XvgsRAlDrAKCI5QPg62vPnqIoCqN6+RH+nXgcvACeOjz7 zkmvRb8SOQj41CnA4xHJZE4= =CtLv -----END PGP SIGNATURE----- From dwinkler at ALGORITHMICS.COM Wed Jan 28 20:16:17 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:09 2006 Subject: Don't Quarantine Viruses Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B16F@tormail2.algorithmics.com> I'm going to assume this should end in: Virus: default yes -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Hirsh, Joshua Sent: Wednesday, January 28, 2004 2:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Don't Quarantine Viruses > I'd like to be able to not quarantine viruses but still > quarantine filetype denies. Yup, you can distinguish between the two. You can set "Quarantine Infections" to match against a rule, and in the rules file have something like this: Virus: sobig no Virus: dumaru no Virus: mimail no Etc.. Cheers, -Joshua From bpumphrey at WOODMACLAW.COM Wed Jan 28 20:22:04 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:09 2006 Subject: Virus Score Message-ID: Awesome!!! The HTML part was the same. My silent was just set to yes. Thanks -----Original Message----- From: Matt Kettler [mailto:mkettler@EVI-INC.COM] Sent: Wednesday, January 28, 2004 3:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus Score At 02:52 PM 1/28/2004, you wrote: >I looked in the mailscanner.conf and couldn't find it, I'm guessing that >I overlooked it. 
How do I set the score so that is blocks/deletes the >email instead of sending a message to my user with the subject line >altered to {virus?}? Score? Viruses don't get scores. They're either infected or not. In any event, I suggest the following settings to prevent notices to your users: Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Jan 28 20:15:21 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:22:09 2006 Subject: Don't Quarantine Viruses Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5F88@eqmail1.efni.vpn> > I'm going to assume this should end in: > > Virus: default yes Yes ;-) I must have missed that line.. -Joshua From kevin at KEVINSPICER.CO.UK Wed Jan 28 20:26:48 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <401816FF.7070301@unixsecurity.org> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> <401816FF.7070301@unixsecurity.org> Message-ID: <1075321608.24361.36.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 20:09, Mike Wallis wrote: > > Yep, that seems to have done it... since I wasn't using snmp before, > that's an acceptable solution for me. Great, thanks for testing Mike. I'm going to do some docs on snmp, as it seems to be causing some confusion, and I will include a sample minimum config based on that. -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040128/d885db71/attachment.bin From Kevin_Miller at CI.JUNEAU.AK.US Wed Jan 28 20:59:34 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:09 2006 Subject: f-prot question Message-ID: <08146035CA49D6119A36009027AC822A0264ED59@CITY-EXCH-NTS> >-----Original Message----- > >You need to update your engine, this is most likely your >problem. The sigs >ARE up to date but your engine isnt. > >> I see references to newer versions of f-prot on the list >too. Stinkers. >> They didn't notify me they'd upgraded it again. I did get >one notice from >> them last fall. Sigh. Yet another thing to check into. > >I posted them on this list also, when there was a new engine... :) > >Bye, >Raymond. Yeah, I need to update. But it is catching the viruses. I guess the question is, is the MailScanner autoupdate script choking because of the older version? And, as I mentioned yesterday I'm tempted to run f-prot.autoupdate from the command line to see what it outputs, but not sure if I outta shut down MailScanner first. I think not but figured I'd double check. Any reason not to? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. 
Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at ecs.soton.ac.uk Wed Jan 28 21:03:11 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: f-prot question In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED59@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264ED59@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20040128210231.0424fd50@imap.ecs.soton.ac.uk> At 20:59 28/01/2004, you wrote: > >-----Original Message----- > > > >You need to update your engine, this is most likely your > >problem. The sigs > >ARE up to date but your engine isnt. > > > >> I see references to newer versions of f-prot on the list > >too. Stinkers. > >> They didn't notify me they'd upgraded it again. I did get > >one notice from > >> them last fall. Sigh. Yet another thing to check into. > > > >I posted them on this list also, when there was a new engine... :) > > > >Bye, > >Raymond. > >Yeah, I need to update. But it is catching the viruses. I guess the >question is, is the MailScanner autoupdate script choking because of the >older version? > >And, as I mentioned yesterday I'm tempted to run f-prot.autoupdate from the >command line to see what it outputs, but not sure if I outta shut down >MailScanner first. I think not but figured I'd double check. Any reason >not to? You can safely run it from the command-line, no need to shut down MailScanner first. MailScanner will be locked out during the actual upgrade process. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin_Miller at CI.JUNEAU.AK.US Wed Jan 28 21:02:05 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:09 2006 Subject: Clamav Message-ID: <08146035CA49D6119A36009027AC822A0264ED5A@CITY-EXCH-NTS> I'm adding clamav .65 to one of my gateways. I searched back through the last couple months of posts, but never saw a definative answer to the question of whether it's better to run clamav or clamavmodule, and why. Any reason not to just go w/the clamav? I hate mucking w/CPAN as it always seems to get grumpy about something... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From raymond at PROLOCATION.NET Wed Jan 28 21:04:34 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:09 2006 Subject: Clamav In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED5A@CITY-EXCH-NTS> Message-ID: Hi! > I'm adding clamav .65 to one of my gateways. I searched back through the > last couple months of posts, but never saw a definative answer to the > question of whether it's better to run clamav or clamavmodule, and why. Any > reason not to just go w/the clamav? I hate mucking w/CPAN as it always > seems to get grumpy about something... Module seems faster, its only loading the DB once if i understood correctly, the online one loads it again and again. I myself use the lib version and indeed, in my setup,m that was faster. Bye, Raymond. 
From Kevin_Miller at CI.JUNEAU.AK.US Wed Jan 28 21:21:27 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:09 2006 Subject: Clamav Message-ID: <08146035CA49D6119A36009027AC822A0264ED5B@CITY-EXCH-NTS> >Module seems faster, its only loading the DB once if i understood >correctly, the online one loads it again and again. I myself >use the lib >version and indeed, in my setup,m that was faster. > >Bye, >Raymond. I'm probably being dense here, but the lib version being the clamavmodule Perl flavor, right? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From raymond at PROLOCATION.NET Wed Jan 28 21:28:31 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:09 2006 Subject: Clamav In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED5B@CITY-EXCH-NTS> Message-ID: Hi! > >Module seems faster, its only loading the DB once if i understood > >correctly, the online one loads it again and again. I myself > >use the lib version and indeed, in my setup,m that was faster. > I'm probably being dense here, but the lib version being the clamavmodule > Perl flavor, right? Yes, the perl module. Bye, Raymond. From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 28 21:53:46 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:09 2006 Subject: OT: Article disparaging email scanners, MailScanner included Message-ID: <00f101c3e5e9$3419c2b0$0501a8c0@darkside> There is an article at attrition.org wherein Jericho bad-mouths email anti-virus scanners because they (in short) bounce and notify senders. I already sent him a message explaining that it's up to the administrator to set this, and that he's not giving MailScanner a fair shake because recent versions have notify set to "off" by default. 
Make of it what you will, here's the link: http://www.attrition.org/security/rant/av-spammers.html --J(K) From jaearick at COLBY.EDU Wed Jan 28 22:00:09 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed Message-ID: Gang, See: http://www.attrition.org/security/rant/av-spammers.html MailScanner is torched about halfway down, along with every other anti-virus thingee out there. The guy has a half a point. As well as retiring the bounce option maybe Julian should consider making the "Silent Virus" the only option in the next MS. (rant found by way of www.fark.com, the best "news" source on the Internet). Jeff Earickson Colby College From mailscanner at BARENDSE.TO Wed Jan 28 22:05:35 2004 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:22:09 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current In-Reply-To: <40180A86.7070802@usg.edu> Message-ID: To be honest, I don't know :) I don't use the mailscanner update scripts but I fetch the daily dats twice a day from cron because sometimes mcafee is too slow with new datfiles. I experienced problems in cases where there was a symlink to the binary and/or a symlink to the datfiles (not 100% sure about the dat files). It's kind of hard to debug because mcafee is running, and reporting that the file is clean when run from MailScanner, checking the same file from the commandline would find the virus. Sometimes it works, sometimes it doesn't. I haven't seen any reports from other mcafee users that they did have problems with the mcafee-autoupdate script so assume it should work. But you should definately avoid symlinks to the binaries (there is even some remark about this in MailScanner.conf) Someone on the list said that there was a new engine out for mcafee, version 4.20 or so? 
My ISP includes a license for mcafee virusscan included with my internet connection but they removed the *nux version because 'mcafee is stopping development and support' for the *nix versions. Haven't been able to confirm that though. Is mcafee indeed phasing out? On Wed, 28 Jan 2004, Bob Jones wrote: > Remco Barendse wrote: > > Uhmm, not really > > > > You should *not* use any symlinks at all. > > > > You will either get the symptoms as described (`old' dat files) or you > > will see some (as in really some, not all!!) slipping through scanned, but > > undetected. > > > > I think I was the first unfortunate person to find/report this 'feature' > > of mcafee, there have been several reports about it since. > > So does this mean we shouldn't be using the mcafee-autoupdate script > inculding in Mailscanner/libs to update our dat files? Since it uses > symlinks and all. We haven't had any problems in the 4 months or so > we've been doing this. > > Bob > From mailscanner at ecs.soton.ac.uk Wed Jan 28 22:09:41 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:09 2006 Subject: OT: Article disparaging email scanners, MailScanner included In-Reply-To: <00f101c3e5e9$3419c2b0$0501a8c0@darkside> References: <00f101c3e5e9$3419c2b0$0501a8c0@darkside> Message-ID: <6.0.1.1.2.20040128220927.048ecf20@imap.ecs.soton.ac.uk> I have tried to "educate" him. At 21:53 28/01/2004, you wrote: >There is an article at attrition.org wherein >Jericho bad-mouths email anti-virus scanners >because they (in short) bounce and notify senders. > >I already sent him a message explaining that it's >up to the administrator to set this, and that >he's not giving MailScanner a fair shake because >recent versions have notify set to "off" by default. 
> >Make of it what you will, here's the link: > >http://www.attrition.org/security/rant/av-spammers.html > >--J(K) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rwmailscanner at LACASITA.DEMON.CO.UK Wed Jan 28 22:10:36 2004 From: rwmailscanner at LACASITA.DEMON.CO.UK (Robert Richard Wallace) Date: Thu Jan 12 21:22:09 2006 Subject: tons of infected files getting though??? Message-ID: This problem I believe relates to the fact that MailScanner uses MIME-tools to break up mails into attachments before scanning. I did some testing on 2 samples I have of the virus one was caught and the other not. The one not caught is a bounce message and it seems to have a MIME type that fails to be detected by MIME-tools and therefore the attachment is not scanned. I can provide samples if anyone wants to investigate this further. I tried with the latest experimental perl modules and still it failed. I used a util called juju and it managed to correctly decode all attachments to both mails. So I am wondering if it might be a good idea to add some sort of double checking on MIME decodes with another util or library. Anyone care to comment on this ? From mkettler at EVI-INC.COM Wed Jan 28 22:29:52 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: References: Message-ID: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> At 05:00 PM 1/28/2004, Jeff A. Earickson wrote: >Gang, > >See: > >http://www.attrition.org/security/rant/av-spammers.html > >MailScanner is torched about halfway down, along with >every other anti-virus thingee out there. The guy has >a half a point. As well as retiring the bounce option >maybe Julian should consider making the "Silent Virus" >the only option in the next MS. 
> >(rant found by way of www.fark.com, the best "news" >source on the Internet). If nothing else, you should walk away from that article realizing that it is an absolute shame that MailScanner even has the feature at all. Default disabled or not, it's a bad idea. It's like having a rifle option on a can opener... Why would you ever have such a dangerous mis-feature which could injure the operator and bystanders? Just because some crazy lunatic wants to be able to open one can and shoot a hole through another at the same time doesn't mean it's a good idea to manufacture such a product. Others who need can openers might play with it without knowing what it does. Sure, some under-educated system admins might want this feature, but let's face it, they only want it because they are completely clueless about the implications. It's _ALWAYS_ a bad idea to notify senders of a real virus infection in email, without exception. From david at PLATFORMHOSTING.COM Wed Jan 28 22:28:00 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075321608.24361.36.camel@bach.kevinspicer.co.uk> Message-ID: <200401282228.i0SMS2103328@mx1.mailsecurity.net.au> Kevin, Even though this does work and is a read only , it doesn't provide any access control, which could leave users vulnerable to any possible exploits which may arise in net-snmp. Perhaps adding an acl to only allow access to 127.0.0.1 would be smart? Regards, David Hooton Senior Partner Platform Hosting 1300 85 HOST www.platformhosting.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Thursday, 29 January 2004 7:27 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Announce: MailScanner-MRTG version 0.07 released On Wed, 2004-01-28 at 20:09, Mike Wallis wrote: > > Yep, that seems to have done it... 
since I wasn't using snmp before, > that's an acceptable solution for me. Great, thanks for testing Mike. I'm going to do some docs on snmp, as it seems to be causing some confusion, and I will include a sample minimum config based on that. -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From chris at FRACTALWEB.COM Wed Jan 28 22:33:08 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:09 2006 Subject: tons of infected files getting though??? In-Reply-To: References: Message-ID: <401838A4.4090006@fractalweb.com> Robert Richard Wallace wrote: >This problem I believe relates to the fact that MailScanner uses MIME-tools >to break up mails into attachments before scanning. I did some testing on 2 >samples I have of the virus one was caught and the other not. > >The one not caught is a bounce message and it seems to have a MIME type that >fails to be detected by MIME-tools and therefore the attachment is not >scanned. I can provide samples if anyone wants to investigate this further. >I tried with the latest experimental perl modules and still it failed. > >I used a util called juju and it managed to correctly decode all attachments >to both mails. So I am wondering if it might be a good idea to add some sort >of double checking on MIME decodes with another util or library. Anyone care >to comment on this ? > > Hi Richard, This is pretty much the conclusion I came to as well. Some infected messages are caught while others aren't. Same with ClamAV...it can catch some but not others. There's definitely a problem with the mime encoding of some of these messages though. 
If you have one where the virus was not detected, then send it to yourself, it arrives fine. Forward it back to yourself and MailScanner (and ClamAV) will detect it. My guess is that the message gets re-assembled properly along the way, and then MailScanner works. So, the question is: is our problem with some of these emails related to MailScanner or ClamAV or ??? I'm not familiar with "juju". Is this something that can be accessed from Perl? Cheers, Chris From dh at UPTIME.AT Wed Jan 28 22:36:18 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> Message-ID: <40183962.1010304@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Matt Kettler wrote: > > If nothing else, you should walk away from that article realizing that it > is an absolute shame that MailScanner even has the feature at all. Default > disabled or not, it's a bad idea. > Says who? You? Or the other thousand people that have formed an opinion. I am one of those long time Administrators that is edcuated enough to know when to use a feature and when not to use a feature. Just because a piece of software offers something does not mean that I have to use it. > It's like having a rifle option on a can opener... Why would you ever have > such a dangerous mis-feature which could injure the operator and > bystanders? I do not quite understand how that comparison works. The can opener's primary feature would be to open the can without destroying its contents. Opening it with the gun options would be the "blast the can to bits" option then? I will agree that MailScanner could cause a lot of trouble to others systems when the bounce option is used falsely but it would most likely not blow itself up. 
> Just because some crazy lunatic wants to be able to open one > can and shoot a hole through another at the same time doesn't mean it's a > good idea to manufacture such a product. Others who need can openers might > play with it without knowing what it does. > > Sure, some under-educated system admins might want this feature, but let's > face it, they only want it because they are completely clueless about the > implications. It's _ALWAYS_ a bad idea to notify senders of a real virus > infection in email, without exception. In my humble opinion it is _ALWAYS_ a bad idea to rant and rave about possible troublsome implementations in software the moment those "features" are misused by people who should know better. I am glad that there was such a feature, yet the current development on the Internet's global community, the Trends in Virus writing and maybe spamming seem to make it necessary to remove this option as popularity of MailScanner grows. It was never wrong to include it, I used it in the early days and it helped many, because I do keep close track of what my Mail Server does or not does. That said, I am quiet now as I do seem to have a strong opinion on it. Good night :) - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAGDlmPMoaMn4kKR4RA1o/AJ0TPV7qusqZVAnmkchQHVIM+JTqEwCgjvIl x0owHgmZDZV9eQfEdMWoHk4= =/iaG -----END PGP SIGNATURE----- From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 28 22:38:00 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> Message-ID: <010001c3e5ef$626115a0$0501a8c0@darkside> >Sure, some under-educated system admins might want this >feature, but let's >face it, they only want it because they are completely >clueless about the >implications. It's _ALWAYS_ a bad idea to notify senders of a >real virus >infection in email, without exception. 
Consider me under-educated, but why is that? If: 1) The virus doesn't forge the sender address and 2) you have some mechanisim in place to not notify for every single message sent (once is enough, or perhaps once a day is enough) then why not? Obviously I'm of a different mindset, but if it can notify someone that they are infected *when they actually are* then I don't see it as a bad thing. If there are reasons to not do this that override my reasons here, by all means let me know, perhaps I don't have the whole picture. (For the record: I don't notify except by hand. I don't have a mechanisim in place to limit automatic notifications.) --J(K) From goleotti at MISAG.IT Wed Jan 28 22:49:38 2004 From: goleotti at MISAG.IT (Gabriele Oleotti) Date: Thu Jan 12 21:22:09 2006 Subject: VEXIRA antivirus support Message-ID: <1488394A34F6A0408FDA3841418D1442183D34@scorpio.auron.mi> Julian, here is the updated patch with the vexira autoupdater. Thank you, Gabriele -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: mercoled? 28 gennaio 2004 17.52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: VEXIRA antivirus support Any chance you could write a vexira-autoupdate as well please? Then I will include it in the main distribution. At 15:18 28/01/2004, you wrote: >Hello everybody, >I'm not sure this is the right place to send this kind of emails, so if it >is not please forward me to the right place. > >I've twicked a little bit with the MailScanner code to add support for the >Vexira Antivirus (I'm very satisfied with it.) > >I'm using this modified version of MailScanner 4.24.5 from some times and >it seems to work fine. 
> >Here I attach the patch to make things to work; basically only minor >modifications are necessary to the following files: >- etc/virus.scanners.conf (virus wrapper configuration) >- lib/MailScanner/SweepViruses.pm (the actual processing sub) >- lib/vexira-wrapper (virus wrapper shell script) > >I haven't had time to test and install any newer version of MailScanner. > >I have set the SupportScanning option to BETA (I don't know if this is the >right status anyway...) so you may need to modify your Minimum Code Status >to at least 'beta' in your MailScanner.conf to see the vexira working. > >You may want to check the virus.scanners.conf if you have installed Vexira >in a non-standard directory (/usr/bin/vexira) > >Any feedback is welcome. > >Bye, >Gabriele > >P.S. I suggest to run something like "patch -p2 /opt/MailScanner directory (or whatever directory you install MailScanner >into) to apply the patch. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... Name: vexira.patch Type: application/octet-stream Size: 6983 bytes Desc: vexira.patch Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040128/d20c1f53/vexira.obj From mkettler at EVI-INC.COM Wed Jan 28 23:04:22 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <40183962.1010304@uptime.at> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> Message-ID: <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> At 05:36 PM 1/28/2004, David H. wrote: > > If nothing else, you should walk away from that article realizing that it > > is an absolute shame that MailScanner even has the feature at all. Default > > disabled or not, it's a bad idea. > > >Says who? You? 
Or the other thousand people that have formed an opinion. >I am one of those long time Administrators that is edcuated enough to >know when to use a feature and when not to use a feature. Ok, I'll be willing to accept I might be wrong, however I will ask you to at least offer some evidence of my error. Can you cite an example of when, at the present time, it is a good idea to have a mailserver configured to auto respond to a sender and notify them that a message sent contained a live virus infection? I can't think of any. >I am glad that >there was such a feature, yet the current development on the Internet's >global community, the Trends in Virus writing and maybe spamming seem to >make it necessary to remove this option as popularity of MailScanner >grows. Yes, I'd agree the feature _had_ a purpose. However, in my opinion that time has long since past. Forged sender viruses aren't a recent trend. I can't think of a significant virus written since Sircam in July, 2001 that did not forge From addresses. Certainly everything post Klez-e in January 2002 has forged From's. That's 2 years gone by. And none of this should be construed as a reason to not use MailScanner, or declare it to be garbage. It is however a suggestion that perhaps MailScanner needs a bit of a "cleanup" to remove options that have no sane or valid use in a modern world. 
From kevins at BMRB.CO.UK Wed Jan 28 23:01:53 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <40183644.6060400@unixsecurity.org> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> <401816FF.7070301@unixsecurity.org> <1075321608.24361.36.camel@bach.kevinspicer.co.uk> <40183644.6060400@unixsecurity.org> Message-ID: <1075330913.24492.75.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 22:23, Mike Wallis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Kevin Spicer wrote: > > | Great, thanks for testing Mike. I'm going to do some docs on snmp, > | as it seems to be causing some confusion, and I will include a > | sample minimum config based on that. > > Actually, it looks like it fixed memory and cpu, but not network > utilization. Can you give me the outputs of... snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.2 snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.10 snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.16 BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From P.G.M.Peters at utwente.nl Wed Jan 28 22:57:15 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:09 2006 Subject: Silent Viruses and Mydoom In-Reply-To: <20040128165600.GA8944@lain.intern.internetx.de> References: <000701c3e5be$a0599c00$a767a8c0@MKBOWMAN2> <20040128165600.GA8944@lain.intern.internetx.de> Message-ID: On Wed, 28 Jan 2004 17:56:00 +0100, you wrote: >If you're using ClamAV you should add: > >Virus: SCO no > >before your default line. I was in the impression that the default entry was not used but saved for the case where no other line matched so it didn't matter where the default line would be. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From kevins at BMRB.CO.UK Wed Jan 28 22:57:28 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <200401282228.i0SMS2103328@mx1.mailsecurity.net.au> References: <200401282228.i0SMS2103328@mx1.mailsecurity.net.au> Message-ID: <1075330648.24361.69.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 22:28, David Hooton wrote: > Kevin, > > Even though this does work and is a read only , it doesn't provide any > access control, which could leave users vulnerable to any possible exploits > which may arise in net-snmp. Perhaps adding an acl to only allow access to > 127.0.0.1 would be smart? > Funnily enough I just wrote that in the doc I'm producing! Heres my current working minimal config... 
# START snmpd.conf

# This line makes the snmp daemon listen only on the loopback interface
# If you want to run on an alternative port change the 161 part
# (Don't forget to update the mailscanner-mrtg.conf file with the new
# port
agentaddress localhost:161

# Use this version instead for ucd-snmp
#agentaddress 161@localhost

# This line sets up a single community string (with read-only access)
# With access only permitted from localhost
# If you have users logging into your machine and want to make sure they
# can't easily get info from snmp change 'public' to something else
# (Don't forget to update the community string in mailscanner-mrtg.conf)
rocommunity public localhost

# System Information, change this if you want
syslocation Unknown
syscontact Root

# FINISH snmpd.conf

Of course I would always recommend firewalling all unnecessary ports using iptables or similar.
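[Added example, not part of the original post or of MailScanner-MRTG: a small audit of the two restrictions discussed in this thread, namely that snmpd listens only on loopback and that each community string is limited to a source. The function names and finding codes are invented for this illustration, the first sample is the config as posted above, and the second sample is constructed.]

```python
import ipaddress
import re

OPEN_SOURCES = {"default", "0.0.0.0", "0.0.0.0/0", "::/0"}
TRANSPORTS = {"udp", "tcp", "udp6", "tcp6"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# The config as posted in the message above (comments shortened).
PAGE_CONF = """\
# START snmpd.conf
agentaddress localhost:161
#agentaddress 161@localhost
rocommunity public localhost
syslocation Unknown
syscontact Root
# FINISH snmpd.conf
"""

# Constructed counter-example: open communities, write access, all interfaces.
WEAK_CONF = """\
rocommunity public
rwcommunity private 10.0.0.0/8
agentaddress 161
"""


def listener_host(spec):
    """Host part of one agentaddress listener, or None when only a port is given."""
    spec = spec.strip().lower()
    if "@" in spec:                      # ucd-snmp form: port@host
        return spec.split("@", 1)[1]
    head, sep, rest = spec.partition(":")
    if sep and head in TRANSPORTS:       # drop a transport prefix such as udp:
        spec = rest
    if spec.isdigit():                   # bare port: every interface
        return None
    bracketed = re.match(r"\[([^\]]+)\]", spec)
    if bracketed:                        # [::1]:161
        return bracketed.group(1)
    if spec.count(":") == 1:             # host:port
        return spec.split(":", 1)[0]
    return spec                          # bare host or unbracketed IPv6 literal


def is_loopback(host):
    """True for localhost and for any address in a loopback range."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_snmpd_conf(text):
    """Return sorted (line_number, code) findings; line 0 refers to the whole file."""
    findings = set()
    saw_agentaddress = False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "agentaddress" and args:
            saw_agentaddress = True
            for spec in " ".join(args).split(","):
                host = listener_host(spec)
                if host is None:
                    findings.add((number, "listen-all"))
                elif not is_loopback(host):
                    findings.add((number, "listen-remote"))
        elif directive in COMMUNITY_DIRECTIVES and args:
            if directive.startswith("rw"):
                findings.add((number, "community-write"))
            if args[0] in ("public", "private"):
                findings.add((number, "community-default-name"))
            # With no source argument the community is accepted from anywhere.
            source = args[1].lower() if len(args) > 1 else "default"
            if source in OPEN_SOURCES:
                findings.add((number, "community-open"))
    if not saw_agentaddress:
        # Without agentaddress, snmpd listens on UDP 161 on all IPv4 interfaces.
        findings.add((0, "listen-all"))
    return sorted(findings)


if __name__ == "__main__":
    for name, conf in (("posted config", PAGE_CONF), ("constructed weak config", WEAK_CONF)):
        print(name)
        for number, code in audit_snmpd_conf(conf):
            print(f"  line {number}: {code}")
```

On the posted config the only finding is the 'public' community name, which the config's own comments already suggest changing when local users can log in.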
From kevins at BMRB.CO.UK Wed Jan 28 22:58:45 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <40183644.6060400@unixsecurity.org> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> <401816FF.7070301@unixsecurity.org> <1075321608.24361.36.camel@bach.kevinspicer.co.uk> <40183644.6060400@unixsecurity.org> Message-ID: <1075330725.24492.71.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 22:23, Mike Wallis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Kevin Spicer wrote: > > | Great, thanks for testing Mike. I'm going to do some docs on snmp, > | as it seems to be causing some confusion, and I will include a > | sample minimum config based on that. > > Actually, it looks like it fixed memory and cpu, but not network > utilization. > And this is more of a quibble really - any plans to be able to read > disk usage for non-mount points? I was getting graphs of /var/spool > prior to the upgrade. > I've just made the spool directory configurable, so you can set it to /var if you want. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From kodak at FRONTIERHOMEMORTGAGE.COM Wed Jan 28 21:36:28 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:09 2006 Subject: Enterprise Library + MailScanner In-Reply-To: <6.0.1.1.2.20040128165239.03bf91e0@imap.ecs.soton.ac.uk> Message-ID: <00eb01c3e5e6$c9d84ae0$0501a8c0@darkside> I said: >>Or is it a bad idea to automaticaly upgrade the engine? Julian said: >The only time I ever automatically upgraded the engine, it >broke SAVI. I >had to rebuild the perl SAVI module to get it to work again. >So I'm a little wary of going down that path. Fair enough then. It's easy enough to automate via a seperate cron job if I want. Thanks, --J(K) From mike at UNIXSECURITY.ORG Wed Jan 28 22:23:00 2004 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:22:09 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075321608.24361.36.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> <401816FF.7070301@unixsecurity.org> <1075321608.24361.36.camel@bach.kevinspicer.co.uk> Message-ID: <40183644.6060400@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Spicer wrote: | Great, thanks for testing Mike. I'm going to do some docs on snmp, | as it seems to be causing some confusion, and I will include a | sample minimum config based on that. Actually, it looks like it fixed memory and cpu, but not network utilization. And this is more of a quibble really - any plans to be able to read disk usage for non-mount points? I was getting graphs of /var/spool prior to the upgrade. 
- -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAGDZDXes7jE7XvgsRAjwoAKCaWKx5QOJRuE+f3PodHaeShyA7qACbBrPm lQK6L6WiNvKHSXDQ18mazP8= =5ILu -----END PGP SIGNATURE----- From JFalgout at CO.JEFFERSON.CO.US Wed Jan 28 22:56:53 2004 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:22:09 2006 Subject: MyDoom Countermeasures Message-ID: I added this list of names to my sendmail access file, and the number of MyDoom's/hr dropped significantly. YMMV

# MyDoom countermeasures. It forges the username for email
# address. Here are some of the ones we've seen that don't
# exist.
jane@ DROP
anna@ DROP
andrew@ DROP
brian@ DROP
david@ DROP
linda@ DROP
john@ DROP
kevin@ DROP
jerry@ DROP
maria@ DROP
jeff@ DROP
alice@ DROP
bob@ DROP
debby@ DROP
stan@ DROP
claudia@ DROP
bill@ DROP
ted@ DROP
james@ DROP
matt@ DROP
alex@ DROP
robert@ DROP
julie@ DROP
peter@ DROP
sandra@ DROP
joe@ DROP
jimmy@ DROP
sam@ DROP
helen@ DROP
smith@ DROP
leo@ DROP
jim@ DROP
george@ DROP
mike@ DROP
steve@ DROP
michael@ DROP
brent@ DROP
dave@ DROP
ray@ DROP
fred@ DROP
dan@ DROP
tom@ DROP
mary@ DROP
adam@ DROP
brenda@ DROP
jose@ DROP
jack@ DROP
srooney@ DROP

From Leonard.Hermens at POTLATCHCORP.COM Wed Jan 28 23:09:26 2004 From: Leonard.Hermens at POTLATCHCORP.COM (Leonard Hermens) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> Message-ID: <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> At 03:04 PM 1/28/2004, Matt Kettler wrote: >Can you cite an example of when, at the present time, it is a good idea to >have a mailserver configured to auto respond to a sender and notify them >that a message sent contained a live virus
infection? Any virus or macro virus that is sent manually by the sender. From peter at UCGBOOK.COM Wed Jan 28 23:12:55 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:09 2006 Subject: Clamav In-Reply-To: References: Message-ID: <401841F7.4080102@ucgbook.com> Raymond Dijkxhoorn wrote: >>>Module seems faster, its only loading the DB once if i understood >>>correctly, the online one loads it again and again. I myself >>>use the lib version and indeed, in my setup,m that was faster. Will you have to upgrade the module when you upgrade Clam or is it independant of Clams version? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From brose at MED.WAYNE.EDU Wed Jan 28 23:16:36 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed Message-ID: But the default option in MailScanner is All-Silent for many versions now. Remember how sendmail used to be distributed with anti-relay off by default. And years after the newer versions had it on by default, you still had *nix vendors shipping the old versions on their system and also had sendmail start on boot. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson Sent: Wednesday, January 28, 2004 5:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: rant about anti-virus and spam, MS flamed Gang, See: http://www.attrition.org/security/rant/av-spammers.html MailScanner is torched about halfway down, along with every other anti-virus thingee out there. The guy has a half a point. As well as retiring the bounce option maybe Julian should consider making the "Silent Virus" the only option in the next MS. (rant found by way of www.fark.com, the best "news" source on the Internet). 
Jeff Earickson Colby College From chris at FRACTALWEB.COM Wed Jan 28 23:20:12 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:09 2006 Subject: OT: more IE6 vulnerabilities Message-ID: <401843AC.2010906@fractalweb.com> Hi everyone, http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=944 Every time I read articles like this one, I get a bad taste in my mouth. Lovely. Then I think about Microsoft's "Trusted Computing" initiative, and the sour taste gets worse. How can a company that has more money than most countries leave its users open to crap like this? It's bad enough that they seem to build security holes into their products from the beginning, then never seem to bother testing anything before shipping it. I particularly love the part where the writer says, "We also have reason to believe there is no fix." This gets better all the time. Now we can not only be fooled into believing that we're on our bank's website, but we can acquire a worm while they're robbing us blind. Thanks, Microsoft. I'll be using Mozilla exclusively from now on. Long live open source. Cheers, Chris From kevins at BMRB.CO.UK Wed Jan 28 23:17:04 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> Message-ID: <1075331824.24361.77.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 23:09, Leonard Hermens wrote: > At 03:04 PM 1/28/2004, Matt Kettler wrote: > >Can you cite an example of when, at the present time, it is a good idea to > >have a mailserver configured to auto respond to a sender and notify them > >that a message sent contained a live virus infection? 
> > Any virus or macro virus that is sent manually by the sender. How will you know? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Jan 28 23:24:57 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:09 2006 Subject: OT: more IE6 vulnerabilities In-Reply-To: <401843AC.2010906@fractalweb.com> References: <401843AC.2010906@fractalweb.com> Message-ID: <1075332298.24492.82.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 23:20, Chris Yuzik wrote: > Hi everyone, > > http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=944 > Boy am I glad that we just implemented virus scanning on all our http traffic (although https still worries me!). Funny thing is that to do it we had to put a squid box between our ISA server and the internet! Yep we're proxying our proxy! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From brose at MED.WAYNE.EDU Wed Jan 28 23:27:38 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:10 2006 Subject: MyDoom Countermeasures Message-ID: You would think that the AV vendors would have posted this info when they deconstructed it. It also uses the domain name of the email address that it's sending to as the source system hostname. I had a postmaster using Declude AV software email me about the virus coming from us and I pointed out that the system hostname of the source machine being used wouldn't resolve to the IP address of the source machine. I guess he wasn't doing reverse lookups. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff Falgout Sent: Wednesday, January 28, 2004 5:57 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MyDoom Countermeasures I added this list of names to my sendmail access file, and the number of MyDoom's/hr dropped significantly. YMMV
# MyDoom countermeasures. It forges the username for email
# address. Here are some of the ones we've seen that don't
# exist.
jane@ DROP
anna@ DROP
andrew@ DROP
brian@ DROP
david@ DROP
linda@ DROP
john@ DROP
kevin@ DROP
jerry@ DROP
maria@ DROP
jeff@ DROP
alice@ DROP
bob@ DROP
debby@ DROP
stan@ DROP
claudia@ DROP
bill@ DROP
ted@ DROP
james@ DROP
matt@ DROP
alex@ DROP
robert@ DROP
julie@ DROP
peter@ DROP
sandra@ DROP
joe@ DROP
jimmy@ DROP
sam@ DROP
helen@ DROP
smith@ DROP
leo@ DROP
jim@ DROP
george@ DROP
mike@ DROP
steve@ DROP
michael@ DROP
brent@ DROP
dave@ DROP
ray@ DROP
fred@ DROP
dan@ DROP
tom@ DROP
mary@ DROP
adam@ DROP
brenda@ DROP
jose@ DROP
jack@ DROP
srooney@ DROP
From raymond at PROLOCATION.NET Wed Jan 28 23:28:20 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:10 2006 Subject: Clamav In-Reply-To: <401841F7.4080102@ucgbook.com> Message-ID: Hi! > >>>Module seems faster, its only loading the DB once if i understood > >>>correctly, the online one loads it again and again. I myself > >>>use the lib version and indeed, in my setup,m that was faster. > > Will you have to upgrade the module when you upgrade Clam or is it > independant of Clams version? You need to keep them both updated :) Bye, Raymond. From mkettler at EVI-INC.COM Wed Jan 28 23:37:10 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:10 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> Message-ID: <6.0.0.22.0.20040128182805.025c8f48@xanadu.evi-inc.com> At 06:09 PM 1/28/2004, Leonard Hermens wrote: > >Can you cite an example of when, at the present time, it is a good idea to > >have a mailserver configured to auto respond to a sender and notify them > >that a message sent contained a live virus infection? > >Any virus or macro virus that is sent manually by the sender.
I'll agree that is a particular email where it is good for a server to autorespond. However, that's not an answer to the question. A mailserver can't be configured to tell the difference between a manual send and an automated one, so your example is a single isolated email example. I'm asking for a situation where it's a good idea to configure your mailserver in such a manner, not a single message case. Real world, real mailserver, present time, realistic situation where it would be a good idea to have a server do this. (ie: how can you do it on an automated basis without inflicting casualties, and still reap some useful benefit.) From brose at MED.WAYNE.EDU Wed Jan 28 23:36:31 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:10 2006 Subject: more IE6 vulnerabilities Message-ID: Jay Leno mentioned last night that Bill Gates is to be knighted by Queen E. He made a joke about why Gates would want to be a knight of the British kingdom when his empire was bigger. ;-) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik Sent: Wednesday, January 28, 2004 6:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: more IE6 vulnerabilities Hi everyone, http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=94 4 Every time I read articles like this one, I get a bad taste in my mouth. Lovely. Then I think about Microsoft's "Trusted Computing" initiative, and the sour taste gets worse. How can a company that has more money than most countries leave its users open to crap like this? It's bad enough that they seem to build security holes into their products from the beginning, then never seem to bother testing anything before shipping it. I particularly love the part where the writer says, "We also have reason to believe there is no fix." This gets better all the time. 
Now we can not only be fooled into believing that we're on our bank's website, but we can acquire a worm while they're robbing us blind. Thanks, Microsoft. I'll be using Mozilla exclusively from now on. Long live open source. Cheers, Chris From chris at FRACTALWEB.COM Wed Jan 28 23:46:09 2004 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:22:10 2006 Subject: MyDoom Countermeasures In-Reply-To: References: Message-ID: <401849C1.1060302@fractalweb.com> Rose, Bobby wrote: >You would think that the AV vendors would have posted this info when >they deconstructed it. It also uses the domain name of the email >address that it's sending to as the source system hostname. > Are you sure about this? I'm seeing a lot of messages coming in that don't look like that's the case. Can you provide an example so I know I'm looking at the right stuff? > I had a >postmaster using Declude AV software email me about the virus coming >from us and I pointed out that the system hostname of the source machine >being used wouldn't resolve to the IP address of the source machine. I >guess he wasn't doing reverse lookups. 
> > Thanks, Chris From Leonard.Hermens at POTLATCHCORP.COM Wed Jan 28 23:43:52 2004 From: Leonard.Hermens at POTLATCHCORP.COM (Leonard Hermens) Date: Thu Jan 12 21:22:10 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <1075331824.24361.77.camel@bach.kevinspicer.co.uk> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> <1075331824.24361.77.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040128154117.02e18ec0@email.potlatchcorp.com> At 03:17 PM 1/28/2004, Kevin Spicer wrote: >On Wed, 2004-01-28 at 23:09, Leonard Hermens wrote: > > At 03:04 PM 1/28/2004, Matt Kettler wrote: > > >Can you cite an example of when, at the present time, it is a good idea to > > >have a mailserver configured to auto respond to a sender and notify them > > >that a message sent contained a live virus infection? > > > > Any virus or macro virus that is sent manually by the sender. > >How will you know? Not all viruses automatically email themselves. That's the point to my answer. He wanted an example and I gave one. :) From brose at MED.WAYNE.EDU Wed Jan 28 23:51:00 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:10 2006 Subject: MyDoom Countermeasures Message-ID: In this example, the virus source was med.wayne.edu [15.244.169.245]. Med.wayne.edu is in the 146.9-netblock. 
Received: from media.cfhosting.net [64.118.64.98] by cfpop.cfhosting.net
  with ESMTP (SMTPD32-8.02) id AB3F23480150; Tue, 27 Jan 2004 14:25:51 -0500
Received: from med.wayne.edu [15.244.169.245] by media.cfhosting.net
  with ESMTP (SMTPD32-8.02) id AB4B827011A; Tue, 27 Jan 2004 14:26:03 -0500
From: claudia@med.wayne.edu
To: serg@telementor.org
Subject: HI
Date: Tue, 27 Jan 2004 12:26:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0003_7B029EE8.950B1227"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <200401271426515.SM04916@med.wayne.edu>

-----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik Sent: Wednesday, January 28, 2004 6:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MyDoom Countermeasures Rose, Bobby wrote: >You would think that the AV vendors would have posted this info when >they deconstructed it. It also uses the domain name of the email >address that it's sending to as the source system hostname. > Are you sure about this? I'm seeing a lot of messages coming in that don't look like that's the case. Can you provide an example so I know I'm looking at the right stuff? > I had a >postmaster using Declude AV software email me about the virus coming >from us and I pointed out that the system hostname of the source >machine being used wouldn't resolve to the IP address of the source >machine. I guess he wasn't doing reverse lookups. > > Thanks, Chris From kevins at BMRB.CO.UK Wed Jan 28 23:51:14 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:10 2006 Subject: MyDoom Countermeasures In-Reply-To: <401849C1.1060302@fractalweb.com> References: <401849C1.1060302@fractalweb.com> Message-ID: <1075333874.24361.91.camel@bach.kevinspicer.co.uk> On Wed, 2004-01-28 at 23:46, Chris Yuzik wrote: > >You would think that the AV vendors would have posted this info when > >they deconstructed it.
It also uses the domain name of the email > >address that it's sending to as the source system hostname. > > > Are you sure about this? I'm seeing a lot of messages coming in that > don't look like that's the case. > I've seen this, but it is often obscured by being bounced through our secondary MX BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Kevin_Miller at CI.JUNEAU.AK.US Wed Jan 28 23:58:33 2004 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:22:10 2006 Subject: more IE6 vulnerabilities Message-ID: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> I think it's a ruse to get him w/in striking distance w/a sword. In a closed session of Parliament she was heard to mutter "Off w/his head". More power to her. ;-) S'later... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 >-----Original Message----- >From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] >Sent: Wednesday, January 28, 2004 2:37 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: more IE6 vulnerabilities > > >Jay Leno mentioned last night that Bill Gates is to be >knighted by Queen >E. He made a joke about why Gates would want to be a knight of the >British kingdom when his empire was bigger.
;-) > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Chris Yuzik >Sent: Wednesday, January 28, 2004 6:20 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: OT: more IE6 vulnerabilities > >Hi everyone, > >http://www.techworld.com/news/index.cfm?fuseaction=displaynews& >NewsID=94 >4 > >Every time I read articles like this one, I get a bad taste in >my mouth. >Lovely. Then I think about Microsoft's "Trusted Computing" initiative, >and the sour taste gets worse. How can a company that has more money >than most countries leave its users open to crap like this? It's bad >enough that they seem to build security holes into their products from >the beginning, then never seem to bother testing anything before >shipping it. > >I particularly love the part where the writer says, "We also >have reason >to believe there is no fix." This gets better all the time. Now we can >not only be fooled into believing that we're on our bank's website, but >we can acquire a worm while they're robbing us blind. Thanks, >Microsoft. > >I'll be using Mozilla exclusively from now on. Long live open source. > >Cheers, >Chris > From mkettler at EVI-INC.COM Thu Jan 29 00:06:35 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:10 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.1.1.2.20040128154117.02e18ec0@email.potlatchcorp.com> References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> <1075331824.24361.77.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040128154117.02e18ec0@email.potlatchcorp.com> Message-ID: <6.0.0.22.0.20040128185024.024d7d68@xanadu.evi-inc.com> At 06:43 PM 1/28/2004, you wrote: >Not all viruses automatically email themselves. That's the point to my >answer. He wanted an example and I gave one. :) Fair enough.. 
I guess I live in a hole, since I've not seen a copy of a file-infector virus that doesn't also do mass emailing running around in the wild in several years. Sure they were all the rage in 1996 and I've seen plenty of them, but it's been a while. Mass-mailing email worms with forged From's are the _only_ viruses I've seen, or heard of anyone encountering, in the past 2 years. Some of them do file infections and travel over file-sharing tools and/or LAN shares as well, but since they also mass-mail they can't be counted for this. I've also seen some trojans floating about, but those aren't file infectors and there's no reason to reply to the sender.. the originator of a trojan knows they did it, and is usually sent attached to some kind of "free porn" spam with forged headers. However, looking on the AV websites, such file-only infectors of recent design do exist, albeit not very widespread: i.e: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.pokibat.html So I guess the crux of the problem is, how can MailScanner be made to get reliable information from the AV scanner as to whether or not a virus mass-mails. If you can do that, the reply-to-sender might become useful again. Otherwise, you're in a situation where you need to keep it off, or keep manually updating a list of "silent viruses" before too much damage can be done. From kevin at KEVINSPICER.CO.UK Thu Jan 29 00:15:36 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:10 2006 Subject: MailScanner-MRTG-0.07 problems - update Message-ID: <1075335337.19014.105.camel@bach.kevinspicer.co.uk> [I thought it was about time to start a new thread!] I'd also like to thank Julian and all those who don't use MSMRTG for being tolerant of this discussion taking place here. Thanks guys! Hopefully the pain is nearly over. UPDATE: I've now carefully re-read all the error reports I've had (almost all net-snmp related).
Some were my fault, others were misunderstandings of changes and net-snmp configuration issues. I've now put together a further package which I hope fixes all known issues. Before I release this on the public at large would any of the folks who were having trouble with net-snmp care to test it for me? If so please email me off list stating preference of tarball or rpm. Thanks Kevin -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net From imiller at BSD.UCHICAGO.EDU Thu Jan 29 00:19:37 2004 From: imiller at BSD.UCHICAGO.EDU (Ian Miller) Date: Thu Jan 12 21:22:10 2006 Subject: MailScanner-MRTG-0.07 problems - update In-Reply-To: <1075335337.19014.105.camel@bach.kevinspicer.co.uk> References: <1075335337.19014.105.camel@bach.kevinspicer.co.uk> Message-ID: <1075335577.40185199a2077@webemail.bsd.uchicago.edu> I am having other issues with it but I will move my conversation to the forum on sourceforge. -Ian Quoting Kevin Spicer : > [I thought it was about time to start a new thread!] > I'd also like to thank Julian and all those who don't use MSMRTG for > being tolerant of this discussion taking place here. Thanks guys! > hopefully the pain is nearly over. > > UPDATE: I've now carefully re-read all the error reports I've have > (almost all net-snmp related). Some were my fault, others were > misunderstandings of changes and net-snmp configuration issues. I've > now put together a further package which I hope fixes all known issues.
> Before I release this on the public at large would any of the folks who > were having trouble with net-snmp care to test it for me? If so please > email me off list stating preference of tarball or rpm. > > Thanks > > Kevin > -- > Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) > > This message is digitally signed using the GNU Privacy Guard. > My public key may be obtained from http://www.keyserver.net > -- Ian Miller Sr. Systems Engineer University of Chicago imiller@bsd.uchicago.edu From robert at FENLANARENA.CO.UK Thu Jan 29 00:46:59 2004 From: robert at FENLANARENA.CO.UK (Robert Harpham) Date: Thu Jan 12 21:22:10 2006 Subject: more IE6 vulnerabilities References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> Message-ID: <002401c3e601$67aa0fa0$2101a8c0@robert> > >Jay Leno mentioned last night that Bill Gates is to be > >knighted by Queen erm am not right in saying you have to be British to be knighted. but he can have other titles that are available but not to be called 'Sir' ----- Original Message ----- From: "Kevin Miller" To: Sent: Wednesday, January 28, 2004 11:58 PM Subject: Re: more IE6 vulnerabilities > I think it's a ruse to get him w/in striking distance w/a sword. In a > closed session of Parliment she was heard to mutter "Off w/his head". More > power to her. ;-) > > S'later... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > > > >-----Original Message----- > >From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] > >Sent: Wednesday, January 28, 2004 2:37 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: more IE6 vulnerabilities > > > > > >Jay Leno mentioned last night that Bill Gates is to be > >knighted by Queen > >E. He made a joke about why Gates would want to be a knight of the > >British kingdom when his empire was bigger. 
;-) > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >Behalf Of Chris Yuzik > >Sent: Wednesday, January 28, 2004 6:20 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: OT: more IE6 vulnerabilities > > > >Hi everyone, > > > >http://www.techworld.com/news/index.cfm?fuseaction=displaynews& > >NewsID=94 > >4 > > > >Every time I read articles like this one, I get a bad taste in > >my mouth. > >Lovely. Then I think about Microsoft's "Trusted Computing" initiative, > >and the sour taste gets worse. How can a company that has more money > >than most countries leave its users open to crap like this? It's bad > >enough that they seem to build security holes into their products from > >the beginning, then never seem to bother testing anything before > >shipping it. > > > >I particularly love the part where the writer says, "We also > >have reason > >to believe there is no fix." This gets better all the time. Now we can > >not only be fooled into believing that we're on our bank's website, but > >we can acquire a worm while they're robbing us blind. Thanks, > >Microsoft. > > > >I'll be using Mozilla exclusively from now on. Long live open source. > > > >Cheers, > >Chris > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > MailScanner thanks transtec Computers for their support. 
From kevins at BMRB.CO.UK Thu Jan 29 00:59:35 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:10 2006 Subject: more IE6 vulnerabilities In-Reply-To: <002401c3e601$67aa0fa0$2101a8c0@robert> References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> <002401c3e601$67aa0fa0$2101a8c0@robert> Message-ID: <1075337976.24361.135.camel@bach.kevinspicer.co.uk> On Thu, 2004-01-29 at 00:46, Robert Harpham wrote: > > >Jay Leno mentioned last night that Bill Gates is to be > > >knighted by Queen > erm am not right in saying you have to be British to be knighted. but he can > have other titles that are available but not to be called 'Sir' IIRC You can have an honorary knighthood, but you can't use the title sir. I think this is what happened to Bob Geldof (because he is Irish) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Thu Jan 29 01:16:56 2004 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:10 2006 Subject: SPF support Message-ID: Hi Julian, I was having a look at spf (http://spf.pobox.com) which I personally think is a great idea. 
I setup everything in exim, got the spf support to work and was pretty happy with myself until I had a look at the maillog:

Jan 29 02:13:40 proxy.intern.seceidos.de MailScanner[95138]: Batch: Ignoring invalid queue file for message 1Am0ft-0000qI-0M-H

I suppose this is because the spf procedure is adding several additional acls which get reported in the queue file. MailScanner obviously checks the syntax but fails. Could you have a look at this? IMHO additional queue file tags should pose no problem to MailScanner.

Here is the contents of one queue file:

1Am0fa-0000qC-6s-H
root 0 0
<>
1075338514 0
-helo_name mx02.nic.name
-host_address 198.41.1.56.44518
-host_name mx02.nic.name
-interface_address 192.168.200.2.25
-ident nobody
-received_protocol smtp
-acl 17 78
proxy.intern.seceidos.de: domain of does not designate permitted sender hosts
-acl 18 7
unknown
-acl 19 706
result="unknown" smtp_comment="SPF: domain of sender mx02.nic.name does not designate mailers" header_comment="proxy.intern.seceidos .de: domain of does not designate permitted sender hosts" guess="pass" smtp_guess="Please see http://spf.pobox.com/why.html?sender= mx02.nic.name&ip=198.41.1.56&receiver=proxy.intern.seceidos.de: mx02.nic.name A 198.41.1.56" header_guess="seems reasonable for mx02 .nic.name to mail through 198.41.1.56" guess_tf="pass" smtp_tf="Please see http://spf.pobox.com/why.html?sender=mx02.nic.name&ip=198 .41.1.56&receiver=proxy.intern.seceidos.de: 56.1.41.198.wl.trusted-forwarder.org found" header_tf="seems reasonable for mx02.nic.nam e to mail through 198.41.1.56" spf_record=""

-body_linecount 71
-deliver_firsttime
XX
1
jan-peter.koopmann@seceidos.de

200P Received: from mx02.nic.name ([198.41.1.56] ident=nobody)
 by mail.seceidos.de with smtp (Exim 4.30; FreeBSD)
 id 1Am0fa-0000qC-6s
 for jan-peter.koopmann@seceidos.de; Thu, 29 Jan 2004 02:08:34 +0100
076P Received: (qmail 23758 invoked for bounce); Thu, 29 Jan 2004 01:08:33 -0000
038 Date: Thu, 29 Jan 2004 01:08:33 -0000
053F From: ".name mail system"
057 Subject: There has been a problem delivering your email.
093 Received-SPF: proxy.intern.seceidos.de: domain of does not designate permitted sender hosts

Regards, JP From jaearick at COLBY.EDU Thu Jan 29 02:08:22 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:10 2006 Subject: more IE6 vulnerabilities In-Reply-To: References: Message-ID: I hope the Queen will use that sword to lop off his head instead. Maybe Her Majesty's PC will have MyDoom by ceremony time. Julian deserves knighthood more than Gates does. On Wed, 28 Jan 2004, Rose, Bobby wrote: > Date: Wed, 28 Jan 2004 18:36:31 -0500 > From: "Rose, Bobby" > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: more IE6 vulnerabilities > > Jay Leno mentioned last night that Bill Gates is to be knighted by Queen > E. He made a joke about why Gates would want to be a knight of the > British kingdom when his empire was bigger. ;-) > From anders.andersson at LTKALMAR.SE Thu Jan 29 08:22:39 2004 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:22:10 2006 Subject: SV: rant about anti-virus and spam, MS flamed Message-ID: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> > -----Original Message----- > From: Matt Kettler [mailto:mkettler@EVI-INC.COM] > Sent: 29 January 2004 00:37 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: rant about anti-virus and spam, MS flamed > > At 06:09 PM 1/28/2004, Leonard Hermens wrote: > > >Can you cite an example of when, at the present time, it is a good > > >idea to have a mailserver configured to auto respond to a > sender and > > >notify them that a message sent contained a live virus infection? > > > >Any virus or macro virus that is sent manually by the sender. > > I'll agree that is a particular email where it is good for a > server to autorespond. > > However, that's not an answer to the question.
As long as mailscanner will first scan for virus before it scans for file types/names I don't mind if auto-responses are turned off for viruses. Maybe it's already doing that when I think about it? > > A mailserver can't be configured to tell the difference > between a manual send and an automated one, so your example > is a single isolated email example. I'm asking for a > situation where it's a good idea to configure your mailserver > in such a manner, not a single message case. > > Real world, real mailserver, present time, realistic > situation where it would be a good idea to have a server do > this. (ie: how can you do it on an automated basis without > inflicting casualties, and still reap some useful > benefit.) > From bagt at TVS2NET.CH Thu Jan 29 08:30:42 2004 From: bagt at TVS2NET.CH (Bagt) Date: Thu Jan 12 21:22:10 2006 Subject: Message in a spam and a virus Message-ID: <6.0.0.22.2.20040129093034.02a84600@mail.vsnet.ch> hi, I use mailscanner-4.25-14 and I have these logs in mailwatch:

Date/Time          From                To    Subject  Size    SA Score  Status
29/01/04 08:09:20  notfallstation@...  ...   Hello    30.9Kb            Virus (W32/MyDoom-A)
29/01/04 08:09:20  sandra@...          ....  test     31.8Kb  6.09      Spam, Virus (W32/MyDoom-A)

If a message contains a virus, I would like not to analyze this message for spam detection. Is there a MailScanner rule in MailScanner.conf for that? Cheers, Thierry From mailscanner at ecs.soton.ac.uk Thu Jan 29 08:56:23 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:10 2006 Subject: OT: more IE6 vulnerabilities In-Reply-To: <401843AC.2010906@fractalweb.com> References: <401843AC.2010906@fractalweb.com> Message-ID: <6.0.1.1.2.20040129085337.03be1370@imap.ecs.soton.ac.uk> I recommend 1 change to the filename.rules.conf file. Find the "deny" rule protecting against filenames ending in CLSID's. Remove the "$" from the expression. Reload/restart MailScanner. This will be in 4.26.6.
At 23:20 28/01/2004, you wrote: >Hi everyone, > >http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=944 > >Every time I read articles like this one, I get a bad taste in my mouth. >Lovely. Then I think about Microsoft's "Trusted Computing" initiative, >and the sour taste gets worse. How can a company that has more money >than most countries leave its users open to crap like this? It's bad >enough that they seem to build security holes into their products from >the beginning, then never seem to bother testing anything before >shipping it. > >I particularly love the part where the writer says, "We also have reason >to believe there is no fix." This gets better all the time. Now we can >not only be fooled into believing that we're on our bank's website, but >we can acquire a worm while they're robbing us blind. Thanks, Microsoft. > >I'll be using Mozilla exclusively from now on. Long live open source. > >Cheers, >Chris -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Jan 29 09:09:04 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:10 2006 Subject: Message in a spam and a virus In-Reply-To: <6.0.0.22.2.20040129093034.02a84600@mail.vsnet.ch> References: <6.0.0.22.2.20040129093034.02a84600@mail.vsnet.ch> Message-ID: <6.0.1.1.2.20040129090851.06f2d008@imap.ecs.soton.ac.uk> At 08:30 29/01/2004, you wrote: >hi, > >I use mailscanner-4.25-14 and I have in mailwatch this logs > >Date/Time From To Subject >Size SA Score Status >29/01/04 >08:09:20 notfallstation@... ... Hello 30.9Kb > Virus >(W32/MyDoom-A) >29/01/04 >08:09:20 sandra@... .... test 31.8Kb > 6.09 Spam, Virus >(W32/MyDoom-A) > >If a message contains a virus, I would like not to analyze this message for >spam detection. > >Is a mailscanner rules in MailScanner.conf for that ? 
Spam detection is done before virus detection, sorry.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 29 09:08:23 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: SPF support
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040129090538.06f2d3e0@imap.ecs.soton.ac.uk>

There's a loop at line 284 of Exim.pm that appears to do all this stuff. I didn't write it and I can't figure how the heck it works. Does some very strange things, but appears to assume that all lines starting with "-" have a unique key after them. This obviously isn't the case with SPF acl's.

Nick --- Got any ideas on this one please?

At 01:16 29/01/2004, you wrote:
>Hi Julian,
>
>I was having a look at spf (http://spf.pobox.com) which I personally think
>is a great idea. I setup everything in exim, got the spf support to work
>and was pretty happy with myself until I had a look at the maillog:
>
>Jan 29 02:13:40 proxy.intern.seceidos.de MailScanner[95138]: Batch:
>Ignoring invalid queue file for message 1Am0ft-0000qI-0M-H
>
>I suppose this is because the spf procedure is adding several additional
>acls which get reported in the queue file. MailScanner obviously checks
>the syntax but fails. Could you have a look at this? IMHO additional queue
>file tags should pose no problem to MailScanner.
>
>Here is the contents of one queue file:
>
>1Am0fa-0000qC-6s-H
>root 0 0
><>
>1075338514 0
>-helo_name mx02.nic.name
>-host_address 198.41.1.56.44518
>-host_name mx02.nic.name
>-interface_address 192.168.200.2.25
>-ident nobody
>-received_protocol smtp
>-acl 17 78
>proxy.intern.seceidos.de: domain of does not designate permitted sender hosts
>-acl 18 7
>unknown
>-acl 19 706
>result="unknown" smtp_comment="SPF: domain of sender mx02.nic.name does
>not designate mailers" header_comment="proxy.intern.seceidos
>.de: domain of does not designate permitted sender hosts" guess="pass"
>smtp_guess="Please see http://spf.pobox.com/why.html?sender=
>mx02.nic.name&ip=198.41.1.56&receiver=proxy.intern.seceidos.de:
>mx02.nic.name A 198.41.1.56" header_guess="seems reasonable for mx02
>.nic.name to mail through 198.41.1.56" guess_tf="pass" smtp_tf="Please see
>http://spf.pobox.com/why.html?sender=mx02.nic.name&ip=198
>.41.1.56&receiver=proxy.intern.seceidos.de:
>56.1.41.198.wl.trusted-forwarder.org found" header_tf="seems reasonable
>for mx02.nic.nam
>e to mail through 198.41.1.56" spf_record=""
>
>-body_linecount 71
>-deliver_firsttime
>XX
>1
>jan-peter.koopmann@seceidos.de
>
>200P Received: from mx02.nic.name ([198.41.1.56] ident=nobody)
> by mail.seceidos.de with smtp (Exim 4.30; FreeBSD)
> id 1Am0fa-0000qC-6s
> for jan-peter.koopmann@seceidos.de; Thu, 29 Jan 2004 02:08:34 +0100
>076P Received: (qmail 23758 invoked for bounce); Thu, 29 Jan 2004 01:08:33
>-0000
>038 Date: Thu, 29 Jan 2004 01:08:33 -0000
>053F From: ".name mail system"
>057 Subject: There has been a problem delivering your email.
>093 Received-SPF: proxy.intern.seceidos.de: domain of does not designate
>permitted sender hosts
>
>
>Regards,
> JP

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 29 08:45:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se>
References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se>
Message-ID: <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk>

I contacted the author, and received the following polite response:

: Please note that all new installations of MailScanner do not reply to
: any senders of viruses, and old installations of viruses have a list of
: viruses which they should not respond to. If system administrators
: insist on just copying their old settings to new upgrades, and do not
: update their list of non-respond viruses, then there is little I can do
: to educate them. Other than try to contact them to update their
: settings, which I do.
:
: I appreciate your point of view, and I am actively trying to persuade
: them to update their settings.

Glad to hear that =)

As you can probably guess, you are the only AV vendor who replied at all.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 29 08:48:05 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040129084636.077607b8@imap.ecs.soton.ac.uk>

I also have 1 other trick up my sleeve. The new configuration option "Notify Senders Of Viruses" is set to "no" by default.
So if you upgrade and don't manually enable it, the default will be to never notify senders of viruses. Which is what we are trying to achieve.

And no, I didn't do that by mistake :-)

At 23:16 28/01/2004, you wrote:
>But the default option in MailScanner is All-Silent for many versions
>now.
>
>Remember how sendmail used to be distributed with anti-relay off by
>default. And years after the newer versions had it on by default, you
>still had *nix vendors shipping the old versions on their system and
>also had sendmail start on boot.
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Jeff A. Earickson
>Sent: Wednesday, January 28, 2004 5:00 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: rant about anti-virus and spam, MS flamed
>
>Gang,
>
>See:
>
>http://www.attrition.org/security/rant/av-spammers.html
>
>MailScanner is torched about halfway down, along with every other
>anti-virus thingee out there. The guy has a half a point. As well as
>retiring the bounce option maybe Julian should consider making the
>"Silent Virus"
>the only option in the next MS.
>
>(rant found by way of www.fark.com, the best "news"
>source on the Internet).
>
>Jeff Earickson
>Colby College

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wilsmann at ADVANTIC.DE Thu Jan 29 09:11:25 2004
From: wilsmann at ADVANTIC.DE (Wilsmann, Dennis)
Date: Thu Jan 12 21:22:10 2006
Subject: Problems installing Mailscanner on Postfix, clamav, spamassasin
Message-ID: <5AF7F4D7005B5A46A54B55892011D09435C47D@pc.hl.advantic.de>

Hi!

Well I have a small problem. I can't get Mailscanner to work properly with postfix. Everything seems all right, but when I start postfix and postfix.in no more Messages are delivered to my Mail accounts on the server, they do not even bounce they just disappear. Crazy huh? Well If anyone has an idea or a hint I would be very grateful.

Thanks in advance

Dennis Wilsmann
------------------------------------------------------------------------------

Over 230 installations in 13 federal states guarantee you
investment security and success on a broad basis.

iKISS - The complete solution for the Internet, intranet and extranet
of public administrations and associations.

------------------------------------------------------------------------------

From chris at FRACTALWEB.COM Thu Jan 29 09:26:26 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:22:10 2006
Subject: OT: more IE6 vulnerabilities
In-Reply-To: <6.0.1.1.2.20040129085337.03be1370@imap.ecs.soton.ac.uk>
References: <401843AC.2010906@fractalweb.com> <6.0.1.1.2.20040129085337.03be1370@imap.ecs.soton.ac.uk>
Message-ID: <4018D1C2.6070401@fractalweb.com>

Julian Field wrote:

> I recommend 1 change to the filename.rules.conf file
>
> Find the "deny" rule protecting against filenames ending in CLSID's.
> Remove the "$" from the expression.
> Reload/restart MailScanner.
>
> This will be in 4.26.6.

Thanks again Julian. I've done this now.

When is 4.26.6 coming out? :-)

Cheers,
Chris

From mailscanner at ecs.soton.ac.uk Thu Jan 29 09:24:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: Problems installing Mailscanner on Postfix, clamav, spamassasin
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C47D@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C47D@pc.hl.advantic.de>
Message-ID: <6.0.1.1.2.20040129092023.07438ec0@imap.ecs.soton.ac.uk>

Check the paths to the incoming, working and outgoing directories are all correct. Sounds like it might be getting the messages but putting them in the wrong place.

At 09:11 29/01/2004, you wrote:
>Hi!
>
>Well I have a small problem. I can't get Mailscanner to work properly with
>postfix. Everything seems all right, but when I start postfix and postfix.in
>no more Messages are delivered to my Mail accounts on the server, they do not
>even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
>hint I would be very grateful.
>
>Thanks in advance
>
>Dennis Wilsmann
>------------------------------------------------------------------------------
>
>Over 230 installations in 13 federal states guarantee you
>investment security and success on a broad basis.
>
>iKISS - The complete solution for the Internet, intranet and extranet
>of public administrations and associations.
>
>------------------------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 29 09:24:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: OT: more IE6 vulnerabilities
In-Reply-To: <4018D1C2.6070401@fractalweb.com>
References: <401843AC.2010906@fractalweb.com> <6.0.1.1.2.20040129085337.03be1370@imap.ecs.soton.ac.uk> <4018D1C2.6070401@fractalweb.com>
Message-ID: <6.0.1.1.2.20040129092427.0739fd90@imap.ecs.soton.ac.uk>

At 09:26 29/01/2004, you wrote:
>Julian Field wrote:
>
>>I recommend 1 change to the filename.rules.conf file
>>
>>Find the "deny" rule protecting against filenames ending in CLSID's.
>>Remove the "$" from the expression.
>>Reload/restart MailScanner.
>>
>>This will be in 4.26.6.
>
>Thanks again Julian. I've done this now.
>
>When is 4.26.6 coming out? :-)

Aiming for this weekend, preferably Saturday.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From P.G.M.Peters at utwente.nl Thu Jan 29 09:26:26 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:10 2006
Subject: OT: Article disparaging email scanners, MailScanner included
In-Reply-To: <6.0.1.1.2.20040128220927.048ecf20@imap.ecs.soton.ac.uk>
References: <00f101c3e5e9$3419c2b0$0501a8c0@darkside> <6.0.1.1.2.20040128220927.048ecf20@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 28 Jan 2004 22:09:41 +0000, you wrote:

>I have tried to "educate" him.

I also try to educate admins using MS "the wrong way". But on one thing he is right:

|The most damning mail from these products not only purport to "warn you
|of infection", but they go so far as to advertise the product to you.
|This is unsolicited commercial e-mail (UCE, aka "spam") in its purest
|form.

A large number of these messages I handle as spam and complain about.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From martinh at SOLID-STATE-LOGIC.COM Thu Jan 29 09:27:53 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:10 2006
Subject: av-spammers
Message-ID: <4018D219.1090107@solid-state-logic.com>

Brian

thank you for your article regarding some 'bad' things that happen with anti-virus and spam systems.

But I feel I must correct you on a couple of points

1) MailScanner does not 'name' viruses. The name of the latest 'MyDoom/Novarg' virus you attribute to MailScanner is in fact the name used by ClamAV, the open source virus scanner.

2) MailScanner is merely a wrapper script (a very good one!) for Spamassassin, RBL's and over a dozen virus scanning engines (commercial and free). It can be configured 'not' to bounce any spam or virus messages. This is the default in current versions, but people may not be upgrading, or upgrading their config to the current default for this setting.

A product with a large userbase (and one of the first commercial email gateway scanners) is Mailsweeper by Clearswift. Perhaps you'd like to see how that 'performs' as well. Again this relies on third party virus scanners, but does have its own anti-spam system.

I totally agree with the virus 'name game' issues. It wasn't that long ago that things seemed to be much more standard, but in the last few months the names have digressed from 'standards'.

Overall a good article, which reminds us that 'bouncing' spam/virus notices is a 'bad thing(tm)' in today's environment, but that many unpatched/non-upgraded systems out there (not just AV/spam systems), the problem IMHO falls down to poor systems administration and poor change management in general not just for AV systems.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From P.G.M.Peters at utwente.nl Thu Jan 29 09:32:01 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:10 2006
Subject: MyDoom Countermeasures
In-Reply-To:
References:
Message-ID: <3nkh10t59irtbau8cl1ekee216b2e1amql@4ax.com>

On Wed, 28 Jan 2004 15:56:53 -0700, you wrote:

>I added this list of names to my sendmail access file,
>and the number of MyDoom's/hr dropped significantly.
>
>YMMV
>
># MyDoom countermeasures. It forges the username for email
># address. Here are some of the ones we've seen that don't
># exist.
>peter@ DROP

Can't do this one. Admin's privileges. ;-)

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Thu Jan 29 09:30:32 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:10 2006
Subject: rant about anti-virus and spam, MS flamed
In-Reply-To: <6.0.0.22.0.20040128185024.024d7d68@xanadu.evi-inc.com>
References: <6.0.0.22.0.20040128171143.024cd628@xanadu.evi-inc.com> <40183962.1010304@uptime.at> <6.0.0.22.0.20040128174447.025b7098@xanadu.evi-inc.com> <6.0.1.1.2.20040128150747.02f7f418@email.potlatchcorp.com> <1075331824.24361.77.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040128154117.02e18ec0@email.potlatchcorp.com> <6.0.0.22.0.20040128185024.024d7d68@xanadu.evi-inc.com>
Message-ID:

On Wed, 28 Jan 2004 19:06:35 -0500, you wrote:

>>Not all viruses automatically email themselves. That's the point to my
>>answer. He wanted an example and I gave one. :)
>
>Fair enough.. I guess I live in a hole, since I've not seen a copy of a
>file-infector virus that doesn't also do mass emailing running around in
>the wild in several years. Sure they were all the rage in 1996 and I've
>seen plenty of them, but it's been a while.

When I check what my scanner trapped during a month I get the occasional (really old) virus that does not falsify the from address. But I don't send any bounces then either. I find it more safe to use all-viruses to prevent me from forgetting one.
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From wilsmann at ADVANTIC.DE Thu Jan 29 09:40:43 2004
From: wilsmann at ADVANTIC.DE (Wilsmann, Dennis)
Date: Thu Jan 12 21:22:10 2006
Subject: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin
Message-ID: <5AF7F4D7005B5A46A54B55892011D09435C47E@pc.hl.advantic.de>

Well these are my dirs configured in the MailScanner.conf
they exist and seem to be right (with etc, usr,... and so on)
Is there a different possibility of problem I might have?

Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming

Thanks Dennis

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, 29 January 2004 10:24
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problems installing Mailscanner on Postfix, clamav, spamassasin

Check the paths to the incoming, working and outgoing directories are all correct. Sounds like it might be getting the messages but putting them in the wrong place.

At 09:11 29/01/2004, you wrote:
>Hi!
>
>Well I have a small problem. I can't get Mailscanner to work properly with
>postfix. Everything seems all right, but when I start postfix and postfix.in
>no more Messages are delivered to my Mail accounts on the server, they do not
>even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
>hint I would be very grateful.
>
>Thanks in advance
>
>Dennis Wilsmann
>----------------------------------------------------------------------------
--
>
>Over 230 installations in 13 federal states guarantee you
>investment security and success on a broad basis.
>
>iKISS - The complete solution for the Internet, intranet and extranet
>of public administrations and associations.
>
>----------------------------------------------------------------------------
--

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From P.G.M.Peters at utwente.nl Thu Jan 29 09:45:46 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:10 2006
Subject: more IE6 vulnerabilities
In-Reply-To:
References:
Message-ID:

On Wed, 28 Jan 2004 21:08:22 -0500, you wrote:

>I hope the Queen will use that sword to lop off his head instead.
>Maybe Her Majesty's PC will have MyDoom by ceremony time.
>Julian deserves knighthood more than Gates does.

How do you nominate people for knighthood?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From Kevin.Spicer at BMRB.CO.UK Thu Jan 29 09:49:35 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:10 2006
Subject: more IE6 vulnerabilities
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016499FE@pascal.priv.bmrb.co.uk>

Peter Peters wrote:
> On Wed, 28 Jan 2004 21:08:22 -0500, you wrote:
>
>> I hope the Queen will use that sword to lop off his head instead.
>> Maybe Her Majesty's PC will have MyDoom by ceremony time.
>> Julian deserves knighthood more than Gates does.
>
> How do you nominate people for knighthood?

You can't, Microsoft have patented the process.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From artem at voila.fr Thu Jan 29 09:44:34 2004
From: artem at voila.fr (Artem Batoussov)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
Message-ID: <9534567.1075369474687.JavaMail.www@wwinf4004>

hello,

i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from relay in the access file :
localhost.localdomain 550 Go away and do not spam us anymore
localhost relay
127.0.0.1 relay
192.168.1 relay

this configuration worked well.

some time ago, i've installed procmail + spamassassin + mailscanner to filter the incoming spam. all worked well but some days ago, we've seen that our server allows relay !

i tried to stop spamassassin and mailscanner but relay is always permitted !

do you have an idea ? thanks !

------------------------------------------

Make a wish and then Voila! www.voila.fr

From mailscanner at ecs.soton.ac.uk Thu Jan 29 10:02:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
In-Reply-To: <9534567.1075369474687.JavaMail.www@wwinf4004>
References: <9534567.1075369474687.JavaMail.www@wwinf4004>
Message-ID: <6.0.1.1.2.20040129100128.03ec5ec0@imap.ecs.soton.ac.uk>

At 09:44 29/01/2004, you wrote:
>hello,
>
>i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from
>relay in the access file :
>localhost.localdomain 550 Go away and do not spam us anymore
>localhost relay
>127.0.0.1 relay
>192.168.1 relay
>
>this configuration worked well.
>
>some time ago, i've installed procmail + spamassassin + mailscanner to
>filter the incoming spam. all worked well but some days ago, we've seen
>that our server allows relay !
>
>i tried to stop spamassassin and mailscanner but relay is always permitted !
>
>do you have an idea ? thanks !

Why install procmail?
MailScanner will happily use SpamAssassin without the need for anything extra running. There is also no point in running spamd either as MailScanner doesn't use it.

If you just installed MailScanner and SpamAssassin, you do not have to change your sendmail configuration at all. Just leave it alone.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Jan 29 09:57:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C47E@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C47E@pc.hl.advantic.de>
Message-ID: <6.0.1.1.2.20040129095749.073c8998@imap.ecs.soton.ac.uk>

What do your mail logs say on the subject?

At 09:40 29/01/2004, you wrote:
>Well these are my dirs configured in the MailScanner.conf
>they exist and seem to be right (with etc, usr,... and so on)
>Is there a different possibility of problem I might have?
>
>Incoming Queue Dir = /var/spool/postfix.in/deferred
>Outgoing Queue Dir = /var/spool/postfix/incoming
>
>Thanks Dennis
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, 29 January 2004 10:24
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Problems installing Mailscanner on Postfix, clamav,
>spamassasin
>
>
>Check the paths to the incoming, working and outgoing directories are all
>correct. Sounds like it might be getting the messages but putting them in
>the wrong place.
>
>At 09:11 29/01/2004, you wrote:
> >Hi!
> >
> >Well I have a small problem. I can't get Mailscanner to work properly with
> >postfix. Everything seems all right, but when I start postfix and postfix.in
> >no more Messages are delivered to my Mail accounts on the server, they do not
> >even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
> >hint I would be very grateful.
> >
> >Thanks in advance
> >
> >Dennis Wilsmann
> >----------------------------------------------------------------------------
>--
> >
> >Over 230 installations in 13 federal states guarantee you
> >investment security and success on a broad basis.
> >
> >iKISS - The complete solution for the Internet, intranet and extranet
> >of public administrations and associations.
> >
> >----------------------------------------------------------------------------
>--
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From artem at voila.fr Thu Jan 29 10:16:18 2004
From: artem at voila.fr (Artem Batoussov)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
Message-ID: <4795147.1075371378843.JavaMail.www@wwinf4004>

thanks for your answer.

i've installed procmail for spamassassin. i've found this for sendmail : http://davespicks.com/writing/programming/spamassassinopenbsd.html and i've done it with some differences.

after i've installed mailscanner and in the config file, i've uncommented lines for spamassassin.

but there were no relay and it appears some days (4 or 5) ago

> At 09:44 29/01/2004, you wrote:
> >hello,
> >
> >i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from
> >relay in the access file :
> >localhost.localdomain 550 Go away and do not spam us anymore
> >localhost relay
> >127.0.0.1 relay
> >192.168.1 relay
> >
> >this configuration worked well.
> >
> >some time ago, i've installed procmail + spamassassin + mailscanner to
> >filter the incoming spam. all worked well but some days ago, we've seen
> >that our server allows relay !
> >
> >i tried to stop spamassassin and mailscanner but relay is always permitted !
> >
> >do you have an idea ? thanks !
>
> Why install procmail? MailScanner will happily use SpamAssassin without the
> need for anything extra running. There is also no point in running spamd
> either as MailScanner doesn't use it.
>
> If you just installed MailScanner and SpamAssassin, you do not have to
> change your sendmail configuration at all. Just leave it alone.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

------------------------------------------

Make a wish and then Voila! www.voila.fr

From mailscanner at ecs.soton.ac.uk Thu Jan 29 10:22:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
In-Reply-To: <4795147.1075371378843.JavaMail.www@wwinf4004>
References: <4795147.1075371378843.JavaMail.www@wwinf4004>
Message-ID: <6.0.1.1.2.20040129102047.0739fc48@imap.ecs.soton.ac.uk>

I would advise you to remove procmail again (it's extra complexity you don't need). Then put your sendmail configuration back exactly the way it was before you started doing all this.

To use SpamAssassin from MailScanner, all you need to do is set
Use SpamAssassin = yes
in MailScanner.conf.

No procmail, no extra spamd daemons, no sendmail config changes, none of that stuff.

At 10:16 29/01/2004, you wrote:
>thanks for your answer.
>
>i've installed procmail for spamassassin. i've found this for sendmail :
>http://davespicks.com/writing/programming/spamassassinopenbsd.html and
>i've done it with some differences.
>
>after i've installed mailscanner and in the config file, i've uncommented
>lines for spamassassin.
>
>but there were no relay and it appears some days (4 or 5) ago
>
>
>
> > At 09:44 29/01/2004, you wrote:
> > >hello,
> > >
> > >i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from
> > >relay in the access file :
> > >localhost.localdomain 550 Go away and do not spam us anymore
> > >localhost relay
> > >127.0.0.1 relay
> > >192.168.1 relay
> > >
> > >this configuration worked well.
> > >
> > >some time ago, i've installed procmail + spamassassin + mailscanner to
> > >filter the incoming spam. all worked well but some days ago, we've seen
> > >that our server allows relay !
> > >
> > >i tried to stop spamassassin and mailscanner but relay is always
> permitted !
> > >
> > >do you have an idea ? thanks !
> >
> > Why install procmail? MailScanner will happily use SpamAssassin without the
> > need for anything extra running. There is also no point in running spamd
> > either as MailScanner doesn't use it.
> >
> > If you just installed MailScanner and SpamAssassin, you do not have to
> > change your sendmail configuration at all. Just leave it alone.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
>------------------------------------------
>
>Make a wish and then Voila! www.voila.fr

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rwmailscanner at LACASITA.DEMON.CO.UK Thu Jan 29 10:37:49 2004
From: rwmailscanner at LACASITA.DEMON.CO.UK (Robert Richard Wallace)
Date: Thu Jan 12 21:22:10 2006
Subject: tons of infected files getting though???
Message-ID:

Where I work we have been using MailScanner coupled with Sophos and some of the attachments still get through. Maybe Julian can confirm this but I believe MailScanner pulls the mail apart into attachments using the MIME-tools and this is where the problem is occurring as it can't detect the attachment.

Juju is MIME and i believe uudecoder it was written in plain ANSI C from what i can tell. NOTE Programming ain't really my area. The code is licensed under the GPL so we can modify it if need be, if anyone feels it would be worth it. If anyone wants a copy then email me and i will send it to you, as i can't find it on any webpages these days. Not much need for utils that decode attachments from mail when everyone's got decent Mail Clients.

>>>>>>>>>>>>>>>>>
Chris wrote:
> So, the question is: is our problem with some of these emails related to MailScanner or ClamAV or ??? I'm not familiar with "juju". Is this something that can be accessed from Perl?

From wilsmann at ADVANTIC.DE Thu Jan 29 10:31:10 2004
From: wilsmann at ADVANTIC.DE (Wilsmann, Dennis)
Date: Thu Jan 12 21:22:10 2006
Subject: AW: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin
Message-ID: <5AF7F4D7005B5A46A54B55892011D09435C47F@pc.hl.advantic.de>

Well there is an error ... it says:

"Error in configuration file line 107, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)"
AND
"Could not read directory /var/spool/MailScanner/incoming"

but I switched to these dirs and nothing seemed to be wrong. the owner is postfix:postfix and in the conf it is also stated to run MailScanner as postfix:postfix.... What could that be?!

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, 29 January 2004 10:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin

What do your mail logs say on the subject?

At 09:40 29/01/2004, you wrote:
>Well these are my dirs configured in the MailScanner.conf
>they exist and seem to be right (with etc, usr,... and so on)
>Is there a different possibility of problem I might have?
>
>Incoming Queue Dir = /var/spool/postfix.in/deferred
>Outgoing Queue Dir = /var/spool/postfix/incoming
>
>Thanks Dennis
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, 29 January 2004 10:24
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Problems installing Mailscanner on Postfix, clamav,
>spamassasin
>
>
>Check the paths to the incoming, working and outgoing directories are all
>correct. Sounds like it might be getting the messages but putting them in
>the wrong place.
>
>At 09:11 29/01/2004, you wrote:
> >Hi!
> >
> >Well I have a small problem. I can't get Mailscanner to work properly with
> >postfix. Everything seems all right, but when I start postfix and postfix.in
> >no more Messages are delivered to my Mail accounts on the server, they do not
> >even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
> >hint I would be very grateful.
> >
> >Thanks in advance
> >
> >Dennis Wilsmann
> >----------------------------------------------------------------------------
>--
> >
> >Over 230 installations in 13 federal states guarantee you
> >investment security and success on a broad basis.
> >
> >iKISS - The complete solution for the Internet, intranet and extranet
> >of public administrations and associations.
> >
> >----------------------------------------------------------------------------
>--
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Ulysees at ULYSEES.COM Thu Jan 29 10:38:02 2004
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:22:10 2006
Subject: Ouch!
References: Message-ID: <000401c3e654$3182e890$3201010a@nimitz> Has anybody actually seen a copy of this ?? I've got loads of MyDoom-A & some ones which might be Mydoom-B just getting caught by filename rules, nothing more though. running clamavmodule and sophossavi uly > Hi! > > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.B&VSect=T > > How many will we get this time ? > > Bye, > Raymond. > > From artem at voila.fr Thu Jan 29 10:41:07 2004 From: artem at voila.fr (Artem Batoussov) Date: Thu Jan 12 21:22:10 2006 Subject: sendmail configuration Message-ID: <15821247.1075372867093.JavaMail.www@wwinf4004> mailscanner will automatically launch spamd ? the problem is that my default sendmail.cf (or sendmail.mc) file was like it's said in the link i've done. i had nothing to change there !? i was surptised the first time when i installed it on the test workstation (RH 9) but it was the same on the server (RH 8). the first time, i've made this to launch mailscanner : service sendmail stop chkconfig sendmail off chkconfig --level 2345 MailScanner on service MailScanner start what "chkconfig sendmail off" exactly means ? > I would advise you to remove procmail again (it's extra complexity you > don't need). Then put your sendmail configuration back exactly the way it > was before you started doing all this. > > To use SpamAssassin from MailScanner, all you need to do is set > Use SpamAssassin = yes > in MailScanner.conf. > > No procmail, no extra spamd daemons, no sendmail config changes, none of > that stuff. > > At 10:16 29/01/2004, you wrote: > >thanks for your answer. > > > >i've installed procmail for spamassassin. i've found this for sendmail : > >http://davespicks.com/writing/programming/spamassassinopenbsd.html and > >i've done it with some differences. > > > >after i've installed mailscanner and in the config file, i've uncommented > >lines for spamassassin. 
> >
> >but there were no relay and it appears some days (4 or 5) ago
> >
> >
> >
> > > At 09:44 29/01/2004, you wrote:
> > > >hello,
> > > >
> > > >i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from
> > > >relay in the access file :
> > > >localhost.localdomain 550 Go away and do not spam us anymore
> > > >localhost relay
> > > >127.0.0.1 relay
> > > >192.168.1 relay
> > > >
> > > >this configuration worked well.
> > > >
> > > >some time ago, i've installed procmail + spamassassin + mailscanner to
> > > >filter the incoming spam. all worked well but some days ago, we've seen
> > > >that our server allows relay !
> > > >
> > > >i tried to stop spamassassin and mailscanner but relay is always permitted !
> > > >
> > > >do you have an idea ? thanks !
> > >
> > > Why install procmail? MailScanner will happily use SpamAssassin without the
> > > need for anything extra running. There is also no point in running spamd
> > > either as MailScanner doesn't use it.
> > >
> > > If you just installed MailScanner and SpamAssassin, you do not have to
> > > change your sendmail configuration at all. Just leave it alone.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> >------------------------------------------
> >
> >Make a wish and then Voila ! www.voila.fr
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
------------------------------------------

Make a wish and then Voila !
www.voila.fr

From gioia at bclink.it Thu Jan 29 10:49:30 2004
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:22:10 2006
Subject: R: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C47F@pc.hl.advantic.de>
Message-ID:

Hi Dennis,
did you follow all instructions given in the
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml doc?
It seems like an ownership or permission problem..

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Wilsmann, Dennis
Sent: Thursday, 29 January 2004 11.31
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: AW: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin

Well there is an error ... it says:

"Error in configuration file line 107, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)"
AND
"Could not read directory /var/spool/MailScanner/incoming"

but I switched to these dirs and nothing seemed to be wrong. the owner is
postfix:postfix and in the conf it is also stated to run MailScanner as
postfix:postfix....

What could that be?!

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, 29 January 2004 10:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin

What do your mail logs say on the subject?

At 09:40 29/01/2004, you wrote:
>Well these are my dirs configured in the MailScanner.conf
>they exist and seem to be right (with etc, usr,... and so on)
>Is there a different possibility of problem I might have?
>
>Incoming Queue Dir = /var/spool/postfix.in/deferred
>Outgoing Queue Dir = /var/spool/postfix/incoming
>
>Thanks Dennis
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, 29 January 2004 10:24
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Problems installing Mailscanner on Postfix, clamav, spamassasin
>
>
>Check the paths to the incoming, working and outgoing directories are all
>correct. Sounds like it might be getting the messages but putting them in
>the wrong place.
>
>At 09:11 29/01/2004, you wrote:
> >Hi!
> >
> >Well I have a small problem. I can't get Mailscanner to work properly with
> >postfix. Everything seems all right, but when I start postfix and postfix.in
> >no more Messages are delivered to my Mail accounts on the server, they not
> >even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
> >hint I would be very grateful.
> >
> >Thanks in advance
> >
> >Dennis Wilsmann
> >------------------------------------------------------------------------------
> >
> >Over 230 installations in 13 federal states guarantee
> >you investment security and success on a broad basis.
> >
> >iKISS - the complete solution for the Internet, intranet and extranet
> >of public administrations and associations.
> >
> >------------------------------------------------------------------------------
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 10:59:25 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:10 2006
Subject: Silent Viruses and Mydoom
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C49F@jessica.herefordshire.gov.uk>

If I had the time I'd update the Wiki - it still talks of a
viruses.to.delete file.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Sebastian Wiesinger
> Sent: 28 January 2004 16:56
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Silent Viruses and Mydoom
>
>
> * Matthew K Bowman [2004-01-28 17:52]:
> > Hi,
> >
> > I setup a Ruleset for MyDoom but users are still being notified:
> >
> > Ruleset below:
> >
> > Virus: default yes
> > Virus: Bagle no
> > Virus: MyDoom no
> > Virus: NoVarg no
> > FromOrTo: default yes
> >
> > Is my syntax and wording ok?
>
> First, the ruleset uses the first line matching, so put your first
> line from top to the bottom.
>
> If you're using ClamAV you should add:
>
> Virus: SCO no
>
> before your default line.
>
> Like this:
>
> Virus: Bagle no
> Virus: MyDoom no
> Virus: NoVarg no
> Virus: SCO no
> Virus: default yes
>
> Sebastian
>

From mailscanner at ecs.soton.ac.uk Thu Jan 29 11:08:01 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
In-Reply-To: <15821247.1075372867093.JavaMail.www@wwinf4004>
References: <15821247.1075372867093.JavaMail.www@wwinf4004>
Message-ID: <6.0.1.1.2.20040129110339.03788d28@imap.ecs.soton.ac.uk>

At 10:41 29/01/2004, you wrote:
>mailscanner will automatically launch spamd ?

MailScanner calls the SpamAssassin Perl interface directly, it doesn't use
any external programs (including spamd) to do it.

>the problem is that my default sendmail.cf (or sendmail.mc) file was like
>it's said in the link i've done. i had nothing to change there !? i was
>surprised the first time when i installed it on the test workstation (RH
>9) but it was the same on the server (RH 8).

Some part of your mail configuration must have changed if it is behaving
differently from the way it used to. Either that or it always actually
behaved that way.
MailScanner does not get involved with any part of sendmail to do with any
of this.

>the first time, i've made this to launch mailscanner :
>service sendmail stop
>chkconfig sendmail off
>chkconfig --level 2345 MailScanner on
>service MailScanner start
>
>what "chkconfig sendmail off" exactly means ?

Stops the original sendmail setup starting at boot time. Starting up
MailScanner (either at boot time or by using the "service" command) will
also start up the 2 sendmail processes that MailScanner needs, in exactly
the configuration they need to be.

> > I would advise you to remove procmail again (it's extra complexity you
> > don't need). Then put your sendmail configuration back exactly the way it
> > was before you started doing all this.
> >
> > To use SpamAssassin from MailScanner, all you need to do is set
> > Use SpamAssassin = yes
> > in MailScanner.conf.
> >
> > No procmail, no extra spamd daemons, no sendmail config changes, none of
> > that stuff.
> >
> > At 10:16 29/01/2004, you wrote:
> > >thanks for your answer.
> > >
> > >i've installed procmail for spamassassin. i've found this for sendmail :
> > >http://davespicks.com/writing/programming/spamassassinopenbsd.html and
> > >i've done it with some differences.
> > >
> > >after i've installed mailscanner and in the config file, i've uncommented
> > >lines for spamassassin.
> > >
> > >but there were no relay and it appears some days (4 or 5) ago
> > >
> > >
> > >
> > > > At 09:44 29/01/2004, you wrote:
> > > > >hello,
> > > > >
> > > > >i'm using sendmail 8.12.5 on linux redhat 8.0 and i've protected it from
> > > > >relay in the access file :
> > > > >localhost.localdomain 550 Go away and do not spam us anymore
> > > > >localhost relay
> > > > >127.0.0.1 relay
> > > > >192.168.1 relay
> > > > >
> > > > >this configuration worked well.
> > > > >
> > > > >some time ago, i've installed procmail + spamassassin + mailscanner to
> > > > >filter the incoming spam. all worked well but some days ago, we've seen
> > > > >that our server allows relay !
> > > > >
> > > > >i tried to stop spamassassin and mailscanner but relay is always permitted !
> > > > >
> > > > >do you have an idea ? thanks !
> > > >
> > > > Why install procmail? MailScanner will happily use SpamAssassin without the
> > > > need for anything extra running. There is also no point in running spamd
> > > > either as MailScanner doesn't use it.
> > > >
> > > > If you just installed MailScanner and SpamAssassin, you do not have to
> > > > change your sendmail configuration at all. Just leave it alone.
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> > > >
> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > >
> > >------------------------------------------
> > >
> > >Make a wish and then Voila ! www.voila.fr
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
>------------------------------------------
>
>Make a wish and then Voila ! www.voila.fr

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 11:23:02 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:10 2006
Subject: tons of infected files getting though???
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A0@jessica.herefordshire.gov.uk>

I'm no Perl expert so can't hack MIME-Tools to work properly but I wish
someone would.

We see the same problems here.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robert Richard Wallace
> Sent: 29 January 2004 10:38
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: tons of infected files getting though???
>
>
> Where I work we have been using MailScanner coupled with Sophos and some of
> the attachments still get through. Maybe Julian can confirm this but I
> believe MailScanner pulls the mail apart into attachments using the
> MIME-tools and this is where the problem is occurring as it can't detect the
> attachment.
>
> Juju is MIME and i believe uudecoder it was written in plain ANSI C from
> what i can tell. NOTE Programming ain't really my area. The code is licensed
> under the GPL so we can modify it if need be, if anyone feels it would be
> worth it.
>
> If anyone wants a copy then email me and i will send it to you, as i can't
> find it on any webpages these days. Not much need for utils that decode
> attachments from mail when everyone's got decent Mail Clients.
>
>
> >>>>>>>>>>>>>>>>>
>
> Chris wrote:>
>
> So, the question is: is our problem with some of these emails related to
> MailScanner or ClamAV or ???
>
> I'm not familiar with "juju". Is this something that can be accessed
> from Perl?
>

From mailscanner at ecs.soton.ac.uk Thu Jan 29 11:24:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: tons of infected files getting though???
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A0@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A0@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040129112402.0780ec80@imap.ecs.soton.ac.uk>

If someone can find one of the troublesome messages, and wrap it up in a
password-protected zip file and mail it to me (not the list!), I will take
a look and see if there is a simple solution to this one.

At 11:23 29/01/2004, you wrote:
>I'm no Perl expert so can't hack MIME-Tools to work properly but I wish
>someone would.
>
>We see the same problems here.
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robert Richard Wallace
> > Sent: 29 January 2004 10:38
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: tons of infected files getting though???
> >
> >
> > Where I work we have been using MailScanner coupled with Sophos and some of
> > the attachments still get through. Maybe Julian can confirm this but I
> > believe MailScanner pulls the mail apart into attachments using the
> > MIME-tools and this is where the problem is occurring as it can't detect the
> > attachment.
> >
> > Juju is MIME and i believe uudecoder it was written in plain ANSI C from
> > what i can tell. NOTE Programming ain't really my area. The code is licensed
> > under the GPL so we can modify it if need be, if anyone feels it would be
> > worth it.
> >
> > If anyone wants a copy then email me and i will send it to you, as i can't
> > find it on any webpages these days. Not much need for utils that decode
> > attachments from mail when everyone's got decent Mail Clients.
> >
> >
> > >>>>>>>>>>>>>>>>>
> >
> > Chris wrote:>
> >
> > So, the question is: is our problem with some of these emails related to
> > MailScanner or ClamAV or ???
> >
> > I'm not familiar with "juju". Is this something that can be accessed
> > from Perl?
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Thu Jan 29 11:45:22 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:10 2006
Subject: OT: more IE6 vulnerabilities
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE89@pascal.priv.bmrb.co.uk>

Matthew Day wrote:
>
>> Boy am I glad that we just implemented virus scanning on all our http
>> traffic (although https still worries me!). Funny thing is that to
>> do it we had to put a squid box between our ISA server and the
>> internet! Yep we're proxying our proxy!
>>
> I'd be really glad to have this in place too - unfortunately I don't
> :)
>
> We're in the early stages of a project to set up a HTTP proxy and
> this looks like a massive point in favour of using squid. Are there
> any docs you can point me to on doing this?

Matthew, hope you don't mind that I've copied this back to the list - it
may be off topic but it seems to be an area of concern for people on the
list and yours is not the first enquiry I've had.

It was set up by a colleague, but from what he's told me he used
DansGuardian Virus Scan http://www.pcxperience.org/dgvirus/
(this is a mix of DansGuardian and old MailScanner code and runs on top of
squid)

He made a couple of changes to improve performance...

1) Use clamdscan rather than clamscan (for speed)
this was simply a case of setting up clamd and adding the letter d to the
appropriate place in the perl script. One gotcha, make sure that
freshclam/ clamd work together so that clamd picks up updates when they are
loaded.

2) Using sophie (from http://www.vanja.com/tools/sophie/)
Sophie (for those that don't know) is a daemon for Sophos, which eliminates
the Sophos startup time (6 seconds for each request!!!).
[Before anyone asks, the libsavi stuff wouldn't have worked because DVG
calls the perl script for each request, so you would still have the startup
time]. This required rather more work, and is still being tweaked, my
colleague hopes to submit patches back to the project once he has cleaned it
up a bit.

We're using this as an upstream proxy to our ISA server, which does all the
access control stuff for users. It's added only a little latency, not
really noticeable - especially as the ISA server caches anyway.

It blocked a SCO.A this morning from someone's webmail account, boy were we
pleased!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From pete at eatathome.com.au Thu Jan 29 11:52:15 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:10 2006
Subject: Problems installing Mailscanner on Postfix, clamav, spamassasin
In-Reply-To: <6.0.1.1.2.20040129092023.07438ec0@imap.ecs.soton.ac.uk>
References: <5AF7F4D7005B5A46A54B55892011D09435C47D@pc.hl.advantic.de>
 <6.0.1.1.2.20040129092023.07438ec0@imap.ecs.soton.ac.uk>
Message-ID: <4018F3EF.6080102@eatathome.com.au>

Julian Field wrote:

> Check the paths to the incoming, working and outgoing directories are
> all correct. Sounds like it might be getting the messages but putting
> them in the wrong place.
>
> At 09:11 29/01/2004, you wrote:
>
>> Hi!
>>
>> Well I have a small problem. I can't get Mailscanner to work properly with
>> postfix. Everything seems all right, but when I start postfix and postfix.in
>> no more Messages are delivered to my Mail accounts on the server, they not
>> even bounce they just disappear. Crazy huh? Well If anyone has an idea or a
>> hint I would be very grateful.
>>
>> Thanks in advance
>>
>> Dennis Wilsmann
>> ------------------------------------------------------------------------------
>>
>>
>> Over 230 installations in 13 federal states guarantee
>> you investment security and success on a broad basis.
>>
>> iKISS - the complete solution for the Internet, intranet and extranet
>> of public administrations and associations.
>>
>> ------------------------------------------------------------------------------
>>
>
>
and post some log entries...

From rwmailscanner at lacasita.demon.co.uk Thu Jan 29 12:30:57 2004
From: rwmailscanner at lacasita.demon.co.uk (rwmailscanner@lacasita.demon.co.uk)
Date: Thu Jan 12 21:22:10 2006
Subject: MIME Decode Problem - Sample Mail
Message-ID:

This is a sample that gets past MailScanner's MIME decode.

Password is virus and it was zipped on a Linux box in case you have problems.

I have had to blank out a lot of the receive headers for security concerns
of the client. I have verified this version returns the same results using
MIME-tools and juju that it did before removing the headers.

If you need any more information then get in touch.

Regards,

Robert Richard Wallace

From rwmailscanner at lacasita.demon.co.uk Thu Jan 29 12:34:44 2004
From: rwmailscanner at lacasita.demon.co.uk (rwmailscanner@lacasita.demon.co.uk)
Date: Thu Jan 12 21:22:10 2006
Subject: MIME Decode Problem - Sample Mail
Message-ID:

This is a sample that gets past MailScanner's MIME decode.

Password is virus and it was zipped on a Linux box in case you have problems.

I have had to blank out a lot of the receive headers for security concerns
of the client. I have verified this version returns the same results using
MIME-tools and juju that it did before removing the headers.

If you need any more information then get in touch.

Regards,

Robert Richard Wallace

From Kevin.Spicer at BMRB.CO.UK Thu Jan 29 12:57:49 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:10 2006
Subject: SPF query
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A05@pascal.priv.bmrb.co.uk>

Michele Neylon :: Blacknight Solutions wrote:
> I was reading up on this a bit last night and was wondering what
> others thought.
>
> My understanding is that SPF checks that the sender is *from* the
> domain, but how would that work in the case where the domain is split?
> ie. mail is handled in one location, web in another. The website, for
> example, generates emails to users with the From field

My understanding is slightly different. I think you just nominate which
machines are allowed to send mail for the domain. This can be either
specific hosts, all hosts in a domain, Mx's for a domain. Thus
machine.domain1.net can send mail for machine.domain2.net, so long as the
SPF record for domain2.net nominates machine.domain1.net as a valid sender.

If you are talking about web forms (such as feedback forms) that ask the
user for their address and when the form is submitted the web server sends
a mail forging the sender address to be that the user typed in then I would
say this is a misuse. I believe (although I have not checked the
standards, never having had to implement this myself) that the from address
should be an account on the web server (i.e. the real 'from'), but that you
could set the Reply-To header to ensure that replies are sent to the address
provided by the user.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately.
Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From artem at voila.fr Thu Jan 29 13:28:43 2004
From: artem at voila.fr (Artem Batoussov)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
Message-ID: <22212903.1075382923119.JavaMail.www@wwinf4006>

i've compared line per line 2 sendmail.cf files, one from mine mailserver,
the second one from a friend's one who uses the same version of sendmail and
has the same access file. just the domain name is different, all the other
lines are the same ! but he just has sendmail without any spam filter and
without procmail.

i'll now remove procmail but do you think i have relay problems because of it ?
------------------------------------------

Make a wish and then Voila ! www.voila.fr

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 11:25:10 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:10 2006
Subject: Message in a spam and a virus
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A1@jessica.herefordshire.gov.uk>

Julian,

Is there any way you can enhance MailScanner to always scan spams for
viruses?

Here's why...

Message tagged as spam gets accidentally released from quarantine by
administrator and boom!

We need to know if viruses are present, spam or not.

It would also help with statistics gathering.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: 29 January 2004 09:09
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Message in a spam and a virus
>
>
> At 08:30 29/01/2004, you wrote:
> >hi,
> >
> >I use mailscanner-4.25-14 and I have in mailwatch this logs
> >
> >Date/Time          From                To    Subject  Size    SA Score  Status
> >29/01/04 08:09:20  notfallstation@...  ...   Hello    30.9Kb            Virus (W32/MyDoom-A)
> >29/01/04 08:09:20  sandra@...          ....  test     31.8Kb  6.09      Spam, Virus (W32/MyDoom-A)
> >
> >If a message contains a virus, I would like not to analyze this message for
> >spam detection.
> >
> >Is a mailscanner rules in MailScanner.conf for that ?
>
> Spam detection is done before virus detection, sorry.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 29 12:47:04 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:10 2006
Subject: OT: SPF query
In-Reply-To:
Message-ID:

I was reading up on this a bit last night and was wondering what others
thought.

My understanding is that SPF checks that the sender is *from* the domain,
but how would that work in the case where the domain is split?
ie. mail is handled in one location, web in another. The website, for
example, generates emails to users with the From field

or

In the case of some reseller type situations mail routed through a reseller
account is sent with the reseller's email in the From field

Maybe this is way OT and maybe I am missing something.. but any thoughts
would be appreciated

Thanks

Michele

Mr.
Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

From shrek-m at GMX.DE Thu Jan 29 14:01:17 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
In-Reply-To: <22212903.1075382923119.JavaMail.www@wwinf4006>
References: <22212903.1075382923119.JavaMail.www@wwinf4006>
Message-ID: <4019122D.1050303@gmx.de>

Artem Batoussov wrote:

>i've compared line per line 2 sendmail.cf files, one from mine mailserver, the second one from a friend's one who uses the same version of sendmail and has the same access file. just the domain name is different, all the other lines are the same ! but he just has sendmail without any spam filter and without procmail.
>
>i'll now remove procmail but do you think i have relay problems because of it ?
>------------------------------------------
>

i am surely no sendmail-guru, please correct me if i am wrong.

do you have this feature enabled?

$ grep access /etc/mail/sendmail.mc
FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl

$ grep -1 "OK RELAY" /etc/mail/sendmail.cf
# access_db acceptance class
C{Accept}OK RELAY

$ grep RELAY /etc/mail/access
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.0 RELAY


http://www.sendmail.org/m4/

--
shrek-m

From artem at voila.fr Thu Jan 29 14:06:05 2004
From: artem at voila.fr (Artem Batoussov)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
Message-ID: <5653062.1075385165799.JavaMail.www@wwinf4006>

you're right, there must be a difference because when i removed procmail and
renamed procmailrc, sendmail were no more able to distribute emails. in log
file, i've seen, it was because he wasn't able to find procmail bin files.

i've compared my current sendmail.mc and the original one and it's the same.
where is the difference ?
i replaced it, i've launched mailscanner without spamd and the mails were no
more scanned :(

if i want all to work, i need to launch spamd and mailscanner service

does someone know how to protect from relay procmail ?
------------------------------------------

Make a wish and then Voila ! www.voila.fr

From artem at voila.fr Thu Jan 29 14:09:15 2004
From: artem at voila.fr (Artem Batoussov)
Date: Thu Jan 12 21:22:10 2006
Subject: sendmail configuration
Message-ID: <8288517.1075385355455.JavaMail.www@wwinf4006>

yes it's right except for the access file. I have "localhost.localdomain 550 No spam, thanks"

> Artem Batoussov wrote:
>
> >i've compared line per line 2 sendmail.cf files, one from mine mailserver, the second one from a friend's one who uses the same version of sendmail and has the same access file. just the domain name is different, all the other lines are the same ! but he just has sendmail without any spam filter and without procmail.
> >
> >i'll now remove procmail but do you think i have relay problems because of it ?
> >------------------------------------------
> >
>
>
> i am surely no sendmail-guru, please correct me if i am wrong.
>
> do you have this feature enabled?
>
> $ grep access /etc/mail/sendmail.mc
> FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
>
> $ grep -1 "OK RELAY" /etc/mail/sendmail.cf
> # access_db acceptance class
> C{Accept}OK RELAY
>
> $ grep RELAY /etc/mail/access
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> 192.168.0 RELAY
>
>
> http://www.sendmail.org/m4/
>
> --
> shrek-m
>
------------------------------------------

Make a wish and then Voila !
www.voila.fr

From mailscanner at ecs.soton.ac.uk Thu Jan 29 14:11:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: MIME Decode Problem - Sample Mail
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040129140942.038ea298@imap.ecs.soton.ac.uk>

At 12:34 29/01/2004, you wrote:
>This is a sample that gets past MailScanner's MIME decode.
>
>Password is virus and it was zipped on a Linux box in case you have problems.
>
>I have had to blank out a lot of the receive headers for security concerns
>of the client. I have verified this version returns the same results using
>MIME-tools and juju that it did before removing the headers.
>
>If you need any more information then get in touch.
>
>Regards,
>
>Robert Richard Wallace

I have run your sample message through my MailScanner and it successfully
spotted and removed the MyDoom-A virus from it. It reported it twice, but
that is a known quirk of Sophos with this virus.

Please check that your MIME-tools is properly patched with the 4 security
patches. There is nothing special about the MailScanner setup on my devel
boxes.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dot at DOTAT.AT Thu Jan 29 14:17:27 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:10 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID:

Remco Barendse wrote:
>On Wed, 28 Jan 2004, Tony Finch wrote:
>> Eric Dantan Rzewnicki wrote:
>> >
>> >However it appears that uvscan is being called with old dats that exist
>> >in /usr/local/uvscan/*.dat.
>>
>> These should be symlinks to datfiles/current/*.dat

I should probably also note that the autoupdate script will create the
datfiles directory and set up all the necessary symlinks the first time
it is run. Remove the datfiles directory before running it to get a clean
setup.

>Uhmm, not really You should *not* use any symlinks at all.

You're the first person to mention this problem. If you can pin it down
more precisely I would be interested -- i.e. steps I can follow to
reproduce the problem. I wrote the McAfee update script and I haven't seen
any reports of viruses slipping through from my users. (30,000 users and
over 500,000 messages per day.)

McAfee is a bit odd about symlinks, but AFAICT it works so long as the
directory containing the actual uvscan binary contains the DAT files, or
symlinks to the dat files.

Tony.
--
f.a.n.finch http://dotat.at/
MULL OF KINTYRE TO ARDNAMURCHAN POINT: NORTHWEST, BACKING WEST OR SOUTHWEST, 5
OR 6. RISK OF SHOWERS, WINTRY AT FIRST. MAINLY GOOD. MODERATE OR ROUGH.

From jfraley at glenraven.com Thu Jan 29 14:34:03 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:10 2006
Subject: Blocked content Warning.txt
Message-ID: <1075386843.2097.18.camel@jfraleyx.glenraven.com>

I have a user who daily gets a report from a customer in winmail.dat
form. Occasionally, it can not be parsed and is reported as corrupt.
The user gets the warning message:

Warning: This message has had one or more attachments removed
Warning: (not named).
Warning: Please read the "Glen_Raven-Attachment-Warning.txt"
attachment(s) for more information.

However, the attachment is replaced with the corrupt winmail.dat file.
Is there anything I should look at to fix this? We are using
MailScanner 4.25-14.

Thanks,

Jon

From mailscanner at ecs.soton.ac.uk Thu Jan 29 14:36:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:10 2006
Subject: Blocked content Warning.txt
In-Reply-To: <1075386843.2097.18.camel@jfraleyx.glenraven.com>
References: <1075386843.2097.18.camel@jfraleyx.glenraven.com>
Message-ID: <6.0.1.1.2.20040129143609.0381d0e8@imap.ecs.soton.ac.uk>

Try setting
TNEF Expander = internal
and restart MailScanner.
At 14:34 29/01/2004, you wrote: >I have a user who daily gets a report from a customer in winmail.dat >form. Occasionally, it can not be parsed and is reported as corrupt. >The user gets the warning message: > >Warning: This message has had one or more attachments removed >Warning: (not named). >Warning: Please read the "Glen_Raven-Attachment-Warning.txt" >attachment(s) for more information. > >However, the attachment is replaced with the corrupt winmail.dat file. >Is there anything I should look at to fix this? We are using >MailScanner 4.25-14. > >Thanks, > >Jon -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at UNIXSECURITY.ORG Thu Jan 29 14:46:17 2004 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:22:10 2006 Subject: Announce: MailScanner-MRTG version 0.07 released In-Reply-To: <1075330913.24492.75.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE86@pascal.priv.bmrb.co.uk> <401800E4.60708@unixsecurity.org> <1075318511.24361.33.camel@bach.kevinspicer.co.uk> <401816FF.7070301@unixsecurity.org> <1075321608.24361.36.camel@bach.kevinspicer.co.uk> <40183644.6060400@unixsecurity.org> <1075330913.24492.75.camel@bach.kevinspicer.co.uk> Message-ID: <40191CB9.1000305@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Spicer wrote: | Can you give me the outputs of... 
snmpwalk -v2c -c public localhost | .1.3.6.1.2.1.2.2.1.2 snmpwalk -v2c -c public localhost | .1.3.6.1.2.1.2.2.1.10 snmpwalk -v2c -c public localhost | .1.3.6.1.2.1.2.2.1.16 [root@deep-thought root]# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.2 IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: eth0 [root@deep-thought root]# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.10 IF-MIB::ifInOctets.1 = Counter32: 342368268 IF-MIB::ifInOctets.2 = Counter32: 2600699489 [root@deep-thought root]# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.2.2.1.16 IF-MIB::ifOutOctets.1 = Counter32: 342368927 IF-MIB::ifOutOctets.2 = Counter32: 1076359088 - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAGRy5Xes7jE7XvgsRAqNlAKDFeMXk5CzBewUxG8GX2GSNelBmWQCgvgX7 jpMRDSLUB2Lm5AzeW9ZSyUE= =Ja+7 -----END PGP SIGNATURE----- From rwmailscanner at lacasita.demon.co.uk Thu Jan 29 15:10:11 2004 From: rwmailscanner at lacasita.demon.co.uk (rwmailscanner@lacasita.demon.co.uk) Date: Thu Jan 12 21:22:10 2006 Subject: MIME Decode - SAMPLE In-Reply-To: <6.0.1.1.2.20040129140706.08181298@imap.ecs.soton.ac.uk> Message-ID: > > > >If you wish to receive a copy of the *infected* attachment, please > >e-mail helpdesk and include the whole of this message > >in your request. Alternatively, you can call them, with > >the contents of this message to hand when you call. > > > >At Thu Jan 29 14:06:43 2004 the virus scanner said: > > Sophos: >>> Virus 'W32/MyDoom-A' found in file document.zip/document.txt= > > .scr > > Sophos: >>> Virus 'W32/MyDoom-A' found in file document.zip > > > >Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran= > >tine/20040129 (message i0TDvqRs016305). > >-- > >Postmaster > >MailScanner thanks transtec Computers for their support > > Admittedly it has a very odd filename, but it successfully found the virus > and removed it. 
>
> Are you 100% sure that your MIME-tools package is properly patched with the
> 4 security patches?
>
> Jules.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

I have just found another example on a Redhat 9 box running mailscanner-4.25-14 and perl-MIME-tools-5.411pl4.2. So I do believe the problem still exists. If you run the example tool mimeexplode from MIME-tools over the file I sent you only get one out the txt part of the msg saved out and not the zip file.

I hope this helps

Robert

From postmaster at nospam.cyberscope.fr Thu Jan 29 15:08:47 2004
From: postmaster at nospam.cyberscope.fr (MailScanner)
Date: Thu Jan 12 21:22:10 2006
Subject: Courriel non sollicité rejeté
Message-ID:

(English follows)

Notre détecteur de polluriel n'a pas aimé votre courriel:
    À: alexandre-c@cyberscope.fr
    Sujet: Re: HELP!!!!
    Date: Thu Jan 29 16:08:47 2004
Celui-ci a été détruit. Les détecteurs qui ont pris cette décision sont: polluriel, RFC-IGNORANT-WHOIS, SpamAssassin.
Le serveur qui envoie ce courriel vers notre site est inscrit sur une liste noire de serveurs mal configurés ou mal utilisés.
Si vous avez des questions à ce sujet ou si vous croyez avoir reçu ce courriel par erreur, SVP contactez les administrateurs du système.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Our UCE (spam) detectors have been triggered by a message you sent:-
    To: alexandre-c@cyberscope.fr
    Subject: Re: HELP!!!!
    Date: Thu Jan 29 16:08:47 2004
This message has been destroyed. The detectors that were triggered are polluriel, RFC-IGNORANT-WHOIS, SpamAssassin.
The server which is sending the message to our site is listed in a public blacklist of badly configured or misused mail systems.
If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

--
postmaster
MailScanner
www.mailscanner.info
MailScanner remercie transtec pour son soutien

From Kevin.Spicer at BMRB.CO.UK Thu Jan 29 15:00:22 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:11 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A07@pascal.priv.bmrb.co.uk>

Mike Wallis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kevin Spicer wrote:
>
>> Can you give me the outputs of... snmpwalk -v2c -c public localhost
>> .1.3.6.1.2.1.2.2.1.2 snmpwalk -v2c -c public localhost
>> .1.3.6.1.2.1.2.2.1.10 snmpwalk -v2c -c public localhost
>> .1.3.6.1.2.1.2.2.1.16
>
> [root@deep-thought root]# snmpwalk -v2c -c public localhost
> .1.3.6.1.2.1.2.2.1.2 IF-MIB::ifDescr.1 = STRING: lo
> IF-MIB::ifDescr.2 = STRING: eth0

If you've not already done so, please change this line (around line 465 ish)

if (/.*ifDescr.(\d+) = (\w+)/) {

to

if (/.*ifDescr.(\d+) = (?:STRING: )?(\w+)/) {

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
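
The pattern change described in the message above, run over both output shapes, as an added example that is not part of the original post or of the mailscanner-mrtg script. It shows that the unmodified pattern does not fail on type-tagged snmpwalk output but matches the wrong token, so every interface ends up named "STRING". The helper names `parse_ifdescr` and `render` are hypothetical, and the untagged sample lines are constructed; the tagged lines are the ones quoted in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns quoted in the message above: before and after the change.
my $old_re = qr/.*ifDescr.(\d+) = (\w+)/;
my $new_re = qr/.*ifDescr.(\d+) = (?:STRING: )?(\w+)/;

# snmpwalk lines carrying a type tag, copied from the output quoted in the thread.
my @typed = (
    'IF-MIB::ifDescr.1 = STRING: lo',
    'IF-MIB::ifDescr.2 = STRING: eth0',
);

# Constructed sample: the same two interfaces printed without a type tag,
# the shape the unmodified pattern appears to have been written for (assumption).
my @untyped = (
    'interfaces.ifTable.ifEntry.ifDescr.1 = lo',
    'interfaces.ifTable.ifEntry.ifDescr.2 = eth0',
);

# Hypothetical helper (not from mailscanner-mrtg): build an
# ifIndex => interface-name map from snmpwalk output lines.
sub parse_ifdescr {
    my ($re, @lines) = @_;
    my %name_for;
    for my $line (@lines) {
        next unless $line =~ $re;    # skip lines that are not ifDescr rows
        $name_for{$1} = $2;          # $1 = interface index, $2 = captured name
    }
    return \%name_for;
}

# Render a map as "1=lo 2=eth0" so results can be printed and compared.
sub render {
    my ($map) = @_;
    return join ' ', map { "$_=$map->{$_}" } sort { $a <=> $b } keys %$map;
}

# Each case: label, pattern, input lines, and the mapping the pattern yields.
# With tagged output, (\w+) in the old pattern stops at the colon and
# captures the literal tag instead of the interface name.
my @cases = (
    [ 'old pattern, untyped lines', $old_re, \@untyped, '1=lo 2=eth0' ],
    [ 'old pattern, typed lines',   $old_re, \@typed,   '1=STRING 2=STRING' ],
    [ 'new pattern, untyped lines', $new_re, \@untyped, '1=lo 2=eth0' ],
    [ 'new pattern, typed lines',   $new_re, \@typed,   '1=lo 2=eth0' ],
);

for my $case (@cases) {
    my ($label, $re, $lines, $want) = @$case;
    my $got = render(parse_ifdescr($re, @$lines));
    die "$label: got '$got', expected '$want'\n" unless $got eq $want;
    printf "%-28s %s\n", $label, $got;
}
```

Both patterns capture the name with `\w+`, so an interface description containing a colon, dot or space would be cut at the first such character under either version.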
From jase at SENSIS.COM Thu Jan 29 15:05:18 2004 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:22:11 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfi les/current Message-ID: > >Uhmm, not really You should *not* use any symlinks at all. > > You're the first person to mention this problem. If you can pin it > down more precisely I would be interested -- i.e. steps I can follow > to reproduce the problem. > > I wrote the McAfee update script and I haven't seen any reports of > viruses slipping through from my users. (30,000 users and over 500,000 > messages per day.) > > McAfee is a bit odd about symlinks, but AFAICT it works so long as the > directory containing the actual uvscan binary contains the > DAT files, or > symlinks to the dat files. Didn't the problem with McAfee and symlinks have to do with symlinks in the path to the files you were scanning (i.e. Incoming Work Dir)? I don't think there is a problem with using symlinks to the DAT files. Jason From nathan at TCPNETWORKS.NET Thu Jan 29 15:11:33 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:11 2006 Subject: Made it Past File Extension Filters Message-ID: Yesterday a file w/ multiple extensions (or double file extensions) got past the filters. I tested w/ a few sample files and it stopped them all. Any idea why this one made it through? 
The file is named "P30.Lease.001.wpd" MIME-Version: 1.0 Content-type: multipart/mixed; Boundary="0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E" Content-Disposition: inline X-blah-MailScanner-Information: Please contact blah for more information X-blah-MailScanner: Found to be clean X-blah-MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.062, required 4, BAYES_00 -4.90, MIME_MISSING_BOUNDARY 1.84) --0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E Content-type: text/plain; charset=us-ascii --0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E Content-type: application/octet-stream; name="P30.Lease.001.wpd" Content-Disposition: attachment; filename="P30.Lease.001.wpd" Content-transfer-encoding: base64 Nathan -----Original Message----- From: Desai, Jason [mailto:jase@SENSIS.COM] Sent: Thursday, January 29, 2004 7:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mcafee uvscan not using /usr/local/uvscan/datfi les/current > >Uhmm, not really You should *not* use any symlinks at all. > > You're the first person to mention this problem. If you can pin it > down more precisely I would be interested -- i.e. steps I can follow > to reproduce the problem. > > I wrote the McAfee update script and I haven't seen any reports of > viruses slipping through from my users. (30,000 users and over 500,000 > messages per day.) > > McAfee is a bit odd about symlinks, but AFAICT it works so long as the > directory containing the actual uvscan binary contains the > DAT files, or > symlinks to the dat files. Didn't the problem with McAfee and symlinks have to do with symlinks in the path to the files you were scanning (i.e. Incoming Work Dir)? I don't think there is a problem with using symlinks to the DAT files. 
Jason From gdoris at ROGERS.COM Thu Jan 29 15:13:25 2004 From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:22:11 2006 Subject: Trend Antivirus In-Reply-To: <4018DAA0.9040604@avalonpub.com> References: <4018DAA0.9040604@avalonpub.com> Message-ID: <1075389204.5755.20.camel@jaguar.dorfam.ca> On Thu, 2004-01-29 at 05:04, Daniel Kleinsinger wrote: > Would the free for non-commercial use vscan product as described here > work with MailScanner? > http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=7353 > Solution 7353 Yes, it works great. I've been using it for months now. -- Gerry Doris From jfraley at glenraven.com Thu Jan 29 15:20:20 2004 From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:22:11 2006 Subject: Blocked content Warning.txt In-Reply-To: <6.0.1.1.2.20040129143609.0381d0e8@imap.ecs.soton.ac.uk> References: <1075386843.2097.18.camel@jfraleyx.glenraven.com> <6.0.1.1.2.20040129143609.0381d0e8@imap.ecs.soton.ac.uk> Message-ID: <1075389619.2097.20.camel@jfraleyx.glenraven.com> Still got the same results. -- Jon On Thu, 2004-01-29 at 09:36, Julian Field wrote: > Try setting > TNEF Expander = internal > and restart MailScanner. > > At 14:34 29/01/2004, you wrote: > >I have a user who daily gets a report from a customer in winmail.dat > >form. Occasionally, it can not be parsed and is reported as corrupt. > >The user gets the warning message: > > > >Warning: This message has had one or more attachments removed > >Warning: (not named). > >Warning: Please read the "Glen_Raven-Attachment-Warning.txt" > >attachment(s) for more information. > > > >However, the attachment is replaced with the corrupt winmail.dat file. > >Is there anything I should look at to fix this? We are using > >MailScanner 4.25-14. 
> > > >Thanks, > > > >Jon > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Thu Jan 29 15:20:15 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:11 2006 Subject: Message in a spam and a virus References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A1@jessica.herefordshire.gov.uk> Message-ID: <401924AF.4729C1FE@ihs.com> "Randal, Phil" wrote: > > Julian, > > Is there any way you can enhance MailScanner to always scan spams for > viruses? > > Here's why... Message tagged as spam gets accidentally released from > quarantine by administrator and boom! Not sure how you release spam from quarantine I am using SpamAssassin and add a "SPAM_REQUESTED" with my quarantine release script. SPAM_REQUSTED is -100, so ought to get through another round of spam testing, when I put it back in mqueue.in, and will then get scanned for viruses. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mailscanner at ecs.soton.ac.uk Thu Jan 29 15:25:02 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:11 2006 Subject: ANNOUNCE: Beta 4.26.6 released Message-ID: <6.0.1.1.2.20040129151048.083cfee8@imap.ecs.soton.ac.uk> Hi folks, I have just posted 4.26.6 on the website for you all. Download from www.mailscanner.info as usual. This is intended as a final testing release before 4.26 goes stable, which will hopefully be this weekend. If you could test it out and let me know of any problems as soon as possible, I will get them fixed. Thanks folks! Changes this time are: * New Features and Improvements * - Improved configuration engine so that rules can now contain 2 tests separated by "and". - Added "notify" Spam Action and High Scoring Spam Action. 
This will cause a short text notification message to be sent to the recipients of the spam message. The filename of the report is set with the "Recipient Spam Report" configuration setting. There is also an MCP equivalent of this functionality. See the MCP documentation for details of the settings. - Removed the "bounce" spam action. - Added regular rebuild of Bayes database. Has 2 options associated with it which I haven't included in the conf file yet. - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to configure the operation of the regular Bayes database rebuilds. - Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as you will want to uncomment this line if you are using the regular scheduled Bayes database expiry feature given above. - Added "Minimum Stars If On Spam List" setting so that people who just filter on the "Spam Stars" can catch messages which only trigger the "Spam List" trap. - Added "Log Non Spam" option to allow logging of all non-spam, which can be coerced into logging SpamAssassin scores of non-spam mail. - Added support for Norman virus scanner (www.norman.de). - Added logging of ids of dropped silent viruses. - Added "Too Many Attachments" error report in a message instead of old report saying it could not analyse the message. - No longer stops or restarts after RPM upgrade. - Added MCP patches for SpamAssassin 2.61 and 2.63. - Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin. - Spanish translations of languages.conf updated from Debian translators. - Added Catalan translation of all report files. - Added bogusmx list to supplied spam.lists.conf. - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. - Changed the version number scheme from major.minor-teeny to major.minor.teeny. - Forced owner to be root.root in both RPM spec files, so can be re-built by non-root users. - Added my Amazon.co.uk "wish list" to the donations page. 
- Detailed spam report now includes auto-learn status if it was auto-learnt. * Fixes * - Fixed creation of MCP quarantine directory bug. - Fix to Postfix message duplication problems. Must find "end of message" record now. - Fix to duplicate recipient listing in postmaster notices. - Fixed bug so filename/filetype rules configuration setting can be blank. - Exim per-message log files are deleted correctly now. - Fixed recipient duplication problems in sender messages and other reports. - Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment. - Fixed bug where _SCORE_ in subject line modifications is never more than 60. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From nathan at TCPNETWORKS.NET Thu Jan 29 15:28:50 2004 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:22:11 2006 Subject: Made it Past File Extension Filters Message-ID: Please forgive the "hijacked" thread in my first post on this subject. Changed the subject but forgot to kill the original message content. Nathan -----Original Message----- From: Nathan Johanson Sent: Thursday, January 29, 2004 7:12 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Made it Past File Extension Filters Yesterday a file w/ multiple extensions (or double file extensions) got past the filters. I tested w/ a few sample files and it stopped them all. Any idea why this one made it through? 
The file is named "P30.Lease.001.wpd"

MIME-Version: 1.0
Content-type: multipart/mixed;
    Boundary="0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E"
Content-Disposition: inline
X-blah-MailScanner-Information: Please contact blah for more information
X-blah-MailScanner: Found to be clean
X-blah-MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.062, required 4,
    BAYES_00 -4.90, MIME_MISSING_BOUNDARY 1.84)

--0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E
Content-type: text/plain; charset=us-ascii

--0__=07BBE4BADFCBA36E8f9e8a93df938690918c07BBE4BADFCBA36E
Content-type: application/octet-stream;
    name="P30.Lease.001.wpd"
Content-Disposition: attachment; filename="P30.Lease.001.wpd"
Content-transfer-encoding: base64

Nathan

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 15:27:51 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:11 2006
Subject: Another new virus in the wild
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A9@jessica.herefordshire.gov.uk>

ClamAV's just detected Worm.Mimail.R here.

McAfee calls it Mimail.s - http://vil.nai.com/vil/content/v_100989.htm

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 15:28:56 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:11 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AA@jessica.herefordshire.gov.uk>

Yes, that's it - there's a note in uvscan's readme about it, IIRC.

Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Desai, Jason > Sent: 29 January 2004 15:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: mcafee uvscan not using /usr/local/uvscan/datfi > les/current > > > > >Uhmm, not really You should *not* use any symlinks at all. > > > > You're the first person to mention this problem. If you can pin it > > down more precisely I would be interested -- i.e. steps I can follow > > to reproduce the problem. > > > > I wrote the McAfee update script and I haven't seen any reports of > > viruses slipping through from my users. (30,000 users and > over 500,000 > > messages per day.) > > > > McAfee is a bit odd about symlinks, but AFAICT it works so > long as the > > directory containing the actual uvscan binary contains the > > DAT files, or > > symlinks to the dat files. > > Didn't the problem with McAfee and symlinks have to do with > symlinks in the > path to the files you were scanning (i.e. Incoming Work Dir)? > I don't think > there is a problem with using symlinks to the DAT files. > > Jason > From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 15:31:05 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:11 2006 Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AB@jessica.herefordshire.gov.uk> An obvious enhancement to the autoupdate script would be to detect if the dat files in /usr/local/uvscan are symlinks or not. If not, recreate datfiles and link. That's paranoia, I know, but better safe than sorry. 
Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Tony Finch > Sent: 29 January 2004 14:17 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: mcafee uvscan not using > /usr/local/uvscan/datfiles/current > > > Remco Barendse wrote: > >On Wed, 28 Jan 2004, Tony Finch wrote: > >> Eric Dantan Rzewnicki wrote: > >> > > >> >However it appears that uvscan is being called with old > dats that exist > >> >in /usr/local/uvscan/*.dat. > >> > >> These should be symlinks to datfiles/current/*.dat > > I should probably also note that the autoupdate script will create the > datfiles directory and set up all the necessary symlinks the > first time > it is run. Remove the datfiles directory before running it to get a > clean setup. > > > >Uhmm, not really You should *not* use any symlinks at all. > > You're the first person to mention this problem. If you can pin it > down more precisely I would be interested -- i.e. steps I can follow > to reproduce the problem. > > I wrote the McAfee update script and I haven't seen any reports of > viruses slipping through from my users. (30,000 users and over 500,000 > messages per day.) > > McAfee is a bit odd about symlinks, but AFAICT it works so long as the > directory containing the actual uvscan binary contains the > DAT files, or > symlinks to the dat files. > > Tony. > -- > f.a.n.finch http://dotat.at/ > MULL OF KINTYRE TO ARDNAMURCHAN POINT: NORTHWEST, BACKING > WEST OR SOUTHWEST, 5 > OR 6. RISK OF SHOWERS, WINTRY AT FIRST. MAINLY GOOD. MODERATE > OR ROUGH. 
> From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 15:32:53 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:11 2006 Subject: Message in a spam and a virus Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AC@jessica.herefordshire.gov.uk> That's clever - I'm doing it from MailWatch's web front end, with (in?)appropriate MailScanner rules. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dustin Baer > Sent: 29 January 2004 15:20 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Message in a spam and a virus > > > "Randal, Phil" wrote: > > > > Julian, > > > > Is there any way you can enhance MailScanner to always scan > spams for > > viruses? > > > > Here's why... Message tagged as spam gets accidentally > released from > > quarantine by administrator and boom! > > Not sure how you release spam from quarantine > > I am using SpamAssassin and add a "SPAM_REQUESTED" with my quarantine > release script. SPAM_REQUSTED is -100, so ought to get > through another > round of spam testing, when I put it back in mqueue.in, and will then > get scanned for viruses. > > Dustin > -- > Dustin Baer > Unix Administrator/Postmaster > Information Handling Services > 15 Inverness Way East > Englewood, CO 80112 > 303-397-2836 > From bpumphrey at WOODMACLAW.COM Thu Jan 29 16:05:48 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:11 2006 Subject: Showing the spamassassin Score Message-ID: I'm not able to see this on my mailscanner. How do I turn this on so that the spam gets tagged with the following? Spam detection software, running on the system "owl.dns-nac-zone.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. 
If you have any questions, see the administrator of that system for details. Content preview: Find Real Estate For Pennies On The Dollar! Get Your FREE VIDEO U.S. Government Tax Certificates The smartest way to invest [...] Content analysis details: (13.6 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.1 CLICK_TO_REMOVE_1 BODY: Click to be removed 0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6 palette 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here" 0.3 HTML_SHOUTING4 BODY: HTML has very strong "shouting" markup 0.1 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue 0.1 HTML_FONT_BIG BODY: HTML has a big font 0.0 HTML_MESSAGE BODY: HTML included in message 0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain 0.8 REMOVE_PAGE URI: URL of page called "remove" 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address [213.47.166.174 listed in dnsbl.sorbs.net] 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS [213.47.166.174 listed in dnsbl.sorbs.net] 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [] 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ] 0.0 CLICK_BELOW Asks you to click below 1.7 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts From mailscanner at ecs.soton.ac.uk Thu Jan 29 16:05:01 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:11 2006 Subject: Showing the spamassassin Score In-Reply-To: References: Message-ID: <6.0.1.1.2.20040129160434.083dcab8@imap.ecs.soton.ac.uk> At 16:05 29/01/2004, you wrote: >I'm 
not able to see this on my mailscanner. How do I turn this on so >that the spam gets tagged with the following? The spam reports from SpamAssassin are all put in the headers by MailScanner. It doesn't modify the original message body. >Spam detection software, running on the system "owl.dns-nac-zone.com", >has >identified this incoming email as possible spam. The original message >has been attached to this so you can view it (if it isn't spam) or block >similar future email. If you have any questions, see >the administrator of that system for details. > >Content preview: Find Real Estate For Pennies On The Dollar! Get Your > FREE VIDEO U.S. Government Tax Certificates The smartest way to invest > [...] > >Content analysis details: (13.6 points, 5.0 required) > > pts rule name description >---- ---------------------- >-------------------------------------------------- > 1.1 CLICK_TO_REMOVE_1 BODY: Click to be removed > 0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6 >palette > 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here" > 0.3 HTML_SHOUTING4 BODY: HTML has very strong "shouting" markup > 0.1 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag > 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue > 0.1 HTML_FONT_BIG BODY: HTML has a big font > 0.0 HTML_MESSAGE BODY: HTML included in message > 0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset > 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level >domain > 0.8 REMOVE_PAGE URI: URL of page called "remove" > 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' >headers > 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address > [213.47.166.174 listed in dnsbl.sorbs.net] > 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS > [213.47.166.174 listed in dnsbl.sorbs.net] > 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org > >[] > 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via 
a relay in bl.spamcop.net > [Blocked - see >] > 0.0 CLICK_BELOW Asks you to click below > 1.7 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag > 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME >parts -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bpumphrey at WOODMACLAW.COM Thu Jan 29 16:12:57 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:11 2006 Subject: Showing the spamassassin Score Message-ID: Ok cool, does that mean that the big text below is a part of spamassassin still, but MailScanner don't let it do it? -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 29, 2004 11:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Showing the spamassassin Score At 16:05 29/01/2004, you wrote: >I'm not able to see this on my mailscanner. How do I turn this on so >that the spam gets tagged with the following? The spam reports from SpamAssassin are all put in the headers by MailScanner. It doesn't modify the original message body. >Spam detection software, running on the system "owl.dns-nac-zone.com", >has >identified this incoming email as possible spam. The original message >has been attached to this so you can view it (if it isn't spam) or block >similar future email. If you have any questions, see >the administrator of that system for details. > >Content preview: Find Real Estate For Pennies On The Dollar! Get Your > FREE VIDEO U.S. Government Tax Certificates The smartest way to invest > [...] 
> >Content analysis details: (13.6 points, 5.0 required) > > pts rule name description >---- ---------------------- >-------------------------------------------------- > 1.1 CLICK_TO_REMOVE_1 BODY: Click to be removed > 0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6 >palette > 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here" > 0.3 HTML_SHOUTING4 BODY: HTML has very strong "shouting" markup > 0.1 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag > 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue > 0.1 HTML_FONT_BIG BODY: HTML has a big font > 0.0 HTML_MESSAGE BODY: HTML included in message > 0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset > 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level >domain > 0.8 REMOVE_PAGE URI: URL of page called "remove" > 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' >headers > 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address > [213.47.166.174 listed in dnsbl.sorbs.net] > 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS > [213.47.166.174 listed in dnsbl.sorbs.net] > 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org > >[] > 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net > [Blocked - see >] > 0.0 CLICK_BELOW Asks you to click below > 1.7 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag > 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME >parts -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
From mailscanner at ecs.soton.ac.uk Thu Jan 29 16:13:35 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:11 2006 Subject: Showing the spamassassin Score In-Reply-To: References: Message-ID: <6.0.1.1.2.20040129161227.08144d00@imap.ecs.soton.ac.uk> At 16:12 29/01/2004, you wrote: >Ok cool, does that mean that the big text below is a part of >spamassassin still, but MailScanner don't let it do it? MailScanner won't generate the huge report you included below. I reckoned that thing was so big and ugly hardly anyone would really want it anyway. If you have enough time in your day to read huge great spam reports on every email you get, you should get out more! :-) >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, January 29, 2004 11:05 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Showing the spamassassin Score > >At 16:05 29/01/2004, you wrote: > >I'm not able to see this on my mailscanner. How do I turn this on so > >that the spam gets tagged with the following? > >The spam reports from SpamAssassin are all put in the headers by >MailScanner. It doesn't modify the original message body. > > > >Spam detection software, running on the system "owl.dns-nac-zone.com", > >has > >identified this incoming email as possible spam. The original message > >has been attached to this so you can view it (if it isn't spam) or >block > >similar future email. If you have any questions, see > >the administrator of that system for details. > > > >Content preview: Find Real Estate For Pennies On The Dollar! Get Your > > FREE VIDEO U.S. Government Tax Certificates The smartest way to >invest > > [...] 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Thu Jan 29 16:17:27 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:11 2006
Subject: Another new virus in the wild
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A9@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4A9@jessica.herefordshire.gov.uk>
Message-ID: <40193217.8040006@gmx.de>

Randal, Phil wrote:

>ClamAV's just detected Worm.Mimail.R here.
>
>McAfee calls it Mimail.s - http://vil.nai.com/vil/content/v_100989.htm
>
>

and eyeveg-b, mimail-s, mydoom-b, inor-c, stawin-a, mydoom-a

clamscan Known viruses: 20585
sweep Total viruses (with IDEs) : 86930

http://www.sophos.com/
$ date
Do Jan 29 17:09:25 CET 2004
$ ls -lt *.ide | head
-rw-r--r-- 1 root root 6709 29. Jan 14:11 eyeveg-b.ide
-rw-r--r-- 1 root root 481 29. Jan 04:08 mimail-s.ide
-rw-r--r-- 1 root root 1252 28. Jan 20:34 mydoom-b.ide
-rw-r--r-- 1 root root 5039 28. Jan 13:16 inor-c.ide
-rw-r--r-- 1 root root 676 28. Jan 08:06 stawin-a.ide
-rw-r--r-- 1 root root 864 27. Jan 01:32 mydoom-a.ide
-rw-r--r-- 1 root root 251 26. Jan 19:52 mimail-q.ide
-rw-r--r-- 1 root root 1830 26. Jan 18:15 dumaru-k.ide
-rw-r--r-- 1 root root 4538 26. Jan 15:37 sdbot-dc.ide
-rw-r--r-- 1 root root 588 24. Jan 20:24 dumaru-y.ide

--
shrek-m

From zeitgeist at GEISTERSTUNDE.ORG Thu Jan 29 16:18:11 2004
From: zeitgeist at GEISTERSTUNDE.ORG (zeitgeist)
Date: Thu Jan 12 21:22:11 2006
Subject: Problems with local users
Message-ID:

Hi!

I have a big problem with MailScanner. First of all, here is the setup of my system:
RedHat 7.2 with sendmail 8.11.6
MailScanner Version 4.24, ClamAV Version 6.5 and SpamAssassin 2.63
Virtual Domains (Ensim system)

so much for the setup. On one of the virtual domains I have set up a mailing list system via the sendmail alias file. On this virtual domain there are also a lot of users which should have e-mail addresses on the server.

The problem now is, that I can send E-Mails to the mailing list or to one of the users which are on this virtual domain and everything works as expected and the E-Mails are passed through MailScanner to the mailing lists or to the user on the system.
However if one of the users on the system wants to send an e-mail through the system, the system gladly accepts the e-mail via port 25 but then does not deliver them and there are no traces of the incoming e-mail in the system logs. They seem to simply disappear or I am looking in the wrong place for them. In any ways they are not delivered, not locally nor remotely.
This might be a longer problem but I would be glad if someone could help me with this.

Thanks,
zeitgeist

From mike at CAMAROSS.NET Thu Jan 29 16:37:30 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:11 2006
Subject: Problems with local users
In-Reply-To:
Message-ID: <200401291635.i0TGZvwQ028033@avwall.bladeware.com>

Can you provide some log entries to show us what is and is not happening?

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of zeitgeist
> Sent: Thursday, January 29, 2004 10:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Problems with local users
>
> Hi!
>
> I have a big problem with MailScanner. First of all, here is
> the setup of my system:
> RedHat 7.2 with sendmail 8.11.6
> MailScanner Version 4.24, ClamAV Version 6.5 and SpamAssassin
> 2.63 Virtual Domains (Ensim system)
>
> so much for the setup. On one of the virtual domains I have
> set up a mailing list system via the sendmail alias file. On
> this virtual domain there are also a lot of users which
> should have e-mail addresses on the server.
>
> The problem now is, that I can send E-Mails to the mailing
> list or to one of the users which are on this virtual domain
> and everything works as expected and the E-Mails are passed
> through MailScanner to the mailing lists or to the user on the system.
> However if one of the users on the system wants to send an
> e-mail through the system, the system gladly accepts the
> e-mail via port 25 but then does not deliver them and there
> are no traces of the incoming e-mail in the system logs. They
> seem to simply disappear or I am looking in the wrong place
> for them. In any ways they are not delivered, not locally nor remotely.
> This might be a longer problem but I would be glad if someone
> could help me with this.
>
> Thanks,
> zeitgeist
>

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 16:45:30 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:11 2006
Subject: ANNOUNCE: Beta 4.26.6 released
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AD@jessica.herefordshire.gov.uk>

OK, what have I done?

After installing 4.26.6 I get:

Jan 29 16:44:21 gateway MailScanner[11725]: Invalid rule of type , rule is ""
Jan 29 16:44:21 gateway last message repeated 19 times

Any clues?

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From mike at UNIXSECURITY.ORG Thu Jan 29 16:49:20 2004
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:22:11 2006
Subject: Announce: MailScanner-MRTG version 0.07 released
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649A07@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649A07@pascal.priv.bmrb.co.uk>
Message-ID: <40193990.7050404@unixsecurity.org>

Spicer, Kevin wrote:

| If you've not already done so, please change this line (around line
| 465 ish)
|
|     if (/.*ifDescr.(\d+) = (\w+)/) {
|
| to
|
|     if (/.*ifDescr.(\d+) = (?:STRING: )?(\w+)/) {

That looks like it took care of it...

--
Mike Wallis

From ronnie at DASLWEB.COM Thu Jan 29 16:44:54 2004
From: ronnie at DASLWEB.COM (Ronnie Regev)
Date: Thu Jan 12 21:22:11 2006
Subject: Delete incoming virus warnings
Message-ID:

Hello,
I am running mailscanner 3.5 on redhat 7.3.
I can't seem to find a method of deleting virus warnings sent to mail boxes rather than have them being sent to the mail box.
What I'm looking for is a similar function to

Spam Actions = Delete

but for the virus warnings with the subject heading of {Virus}

From Heinz.Knutzen at DATAPORT.DE Thu Jan 29 16:53:24 2004
From: Heinz.Knutzen at DATAPORT.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:22:11 2006
Subject: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
Message-ID:

For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:

./install.sh
...
Attempting to build and install perl-Net-CIDR-0.08-2
Installiere perl-Net-CIDR-0.08-2.src.rpm
Fehler: Failed build dependencies:
        perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2

My perl is:

# rpm -q perl
perl-5.8.1-46
# perl -v
This is perl, v5.8.1 built for i586-linux-thread-multi
(with 1 registered patch, see perl -V for more detail)

I get this message for some perl packages, but not for all of them.

Using "./install.sh nodeps" doesn't help, it gives the same error.

Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm" does help a bit, but aborts with: "ERROR: EMPTY FILE LIST"

This doesn't seem to be a new problem, it occurs with MailScanner-4.25-14.suse.tar.gz as well.

Best regards
--
Heinz

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, 29 January 2004 16:25
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: Beta 4.26.6 released

Hi folks,

I have just posted 4.26.6 on the website for you all. Download from www.mailscanner.info as usual.

This is intended as a final testing release before 4.26 goes stable, which will hopefully be this weekend. If you could test it out and let me know of any problems as soon as possible, I will get them fixed. Thanks folks!

Changes this time are:

* New Features and Improvements *
- Improved configuration engine so that rules can now contain 2 tests separated by "and".
- Added "notify" Spam Action and High Scoring Spam Action. This will cause a short text notification message to be sent to the recipients of the spam message. The filename of the report is set with the "Recipient Spam Report" configuration setting. There is also an MCP equivalent of this functionality. See the MCP documentation for details of the settings.
- Removed the "bounce" spam action.
- Added regular rebuild of Bayes database. Has 2 options associated with it which I haven't included in the conf file yet.
- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to configure the operation of the regular Bayes database rebuilds.
- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as you will want to uncomment this line if you are using the regular scheduled Bayes database expiry feature given above.
- Added "Minimum Stars If On Spam List" setting so that people who just filter on the "Spam Stars" can catch messages which only trigger the "Spam List" trap.
- Added "Log Non Spam" option to allow logging of all non-spam, which can be coerced into logging SpamAssassin scores of non-spam mail.
- Added support for Norman virus scanner (www.norman.de).
- Added logging of ids of dropped silent viruses.
- Added "Too Many Attachments" error report in a message instead of old report saying it could not analyse the message.
- No longer stops or restarts after RPM upgrade.
- Added MCP patches for SpamAssassin 2.61 and 2.63.
- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.
- Spanish translations of languages.conf updated from Debian translators.
- Added Catalan translation of all report files.
- Added bogusmx list to supplied spam.lists.conf.
- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
- Changed the version number scheme from major.minor-teeny to major.minor.teeny.
- Forced owner to be root.root in both RPM spec files, so can be re-built by non-root users.
- Added my Amazon.co.uk "wish list" to the donations page.
- Detailed spam report now includes auto-learn status if it was auto-learnt.

* Fixes *
- Fixed creation of MCP quarantine directory bug.
- Fix to Postfix message duplication problems. Must find "end of message" record now.
- Fix to duplicate recipient listing in postmaster notices.
- Fixed bug so filename/filetype rules configuration setting can be blank.
- Exim per-message log files are deleted correctly now.
- Fixed recipient duplication problems in sender messages and other reports.
- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment.
- Fixed bug where _SCORE_ in subject line modifications is never more than 60.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From acschmitt at BPA.GOV Thu Jan 29 17:04:44 2004
From: acschmitt at BPA.GOV (Schmitt, Andy C - CIDD-2)
Date: Thu Jan 12 21:22:11 2006
Subject: Problems with local users
Message-ID: <242663BECAD80B4DAAF2E62788F96917044F33E5@exhq01.bud.bpa.gov>

Zeitgeist, another thing you could do is show us how you're starting sendmail. And (shot in the dark) did you make any changes to your syslog setup that we should know about? You're not getting Sendmail log entries, from the sound of it, so the problem seems more fundamental than a MailScanner problem.

When I first installed MailScanner, I separated out mail service log entries to go to "/var/log/maillog" so things wouldn't get lost in the shuffle. But I didn't restart syslogd, so nothing logged at all. :( Once syslogd was restarted, things worked fine.

Andy

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Thursday, January 29, 2004 8:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problems with local users

Can you provide some log entries to show us what is and is not happening?

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of zeitgeist
> Sent: Thursday, January 29, 2004 10:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Problems with local users
>
> Hi!
>
> I have a big problem with MailScanner.
> First of all, here is
> the setup of my system:
> RedHat 7.2 with sendmail 8.11.6
> MailScanner Version 4.24, ClamAV Version 6.5 and SpamAssassin
> 2.63 Virtual Domains (Ensim system)
>
> so much for the setup. On one of the virtual domains I have
> set up a mailing list system via the sendmail alias file. On
> this virtual domain there are also a lot of users which
> should have e-mail addresses on the server.
>
> The problem now is, that I can send E-Mails to the mailing
> list or to one of the users which are on this virtual domain
> and everything works as expected and the E-Mails are passed
> through MailScanner to the mailing lists or to the user on the system.
> However if one of the users on the system wants to send an
> e-mail through the system, the system gladly accepts the
> e-mail via port 25 but then does not deliver them and there
> are no traces of the incoming e-mail in the system logs. They
> seem to simply disappear or I am looking in the wrong place
> for them. In any ways they are not delivered, not locally nor remotely.
> This might be a longer problem but I would be glad if someone
> could help me with this.
>
> Thanks,
> zeitgeist
>

From mike at CAMAROSS.NET Thu Jan 29 17:10:03 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:11 2006
Subject: Delete incoming virus warnings
In-Reply-To:
Message-ID: <200401291708.i0TH8UwQ000903@avwall.bladeware.com>

Upgrade to the current version!

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ronnie Regev
> Sent: Thursday, January 29, 2004 10:45 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Delete incoming virus warnings
>
> Hello,
> I am running mailscanner 3.5 on redhat 7.3.
> I can't seem to find a method of deleting virus warnings sent
> to mail boxes rather than have them being sent to the mail box.
> What I'm looking for is a similar function to
>
> Spam Actions = Delete
>
> but for the virus warnings with the subject heading of {Virus}
>

From ronnie at DASLWEB.COM Thu Jan 29 17:40:45 2004
From: ronnie at DASLWEB.COM (Ronnie Regev)
Date: Thu Jan 12 21:22:11 2006
Subject: Delete incoming virus warnings
Message-ID:

Thanks for the quick reply.
Is there anything I can do within the version I am currently running?
Unfortunately with this bloody virus going around now, I can't afford to take down MailScanner.
thanks

From prandal at HEREFORDSHIRE.GOV.UK Thu Jan 29 17:54:30 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:11 2006
Subject: ANNOUNCE: Beta 4.26.6 released
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AF@jessica.herefordshire.gov.uk>

OK, the warning happens once for every rule in my rules files.

A slight bug in Config.pm, methinks.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Randal, Phil
> Sent: 29 January 2004 16:46
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: ANNOUNCE: Beta 4.26.6 released
>
>
> OK, what have I done?
>
> After installing 4.26.6 I get:
>
> Jan 29 16:44:21 gateway MailScanner[11725]: Invalid rule of
> type , rule is
> ""
> Jan 29 16:44:21 gateway last message repeated 19 times
>
> Any clues?
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>

From mike at CAMAROSS.NET Thu Jan 29 18:13:33 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:11 2006
Subject: Delete incoming virus warnings
In-Reply-To:
Message-ID: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>

You can upgrade a live system and have minimal downtime. That's how the rest of us do it :) Just shutdown MailScanner for a few minutes.
Emails will still be queued by the incoming sendmail process and held for pickup by MailScanner and final delivery. You should be safe.

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ronnie Regev
> Sent: Thursday, January 29, 2004 11:41 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Delete incoming virus warnings
>
> Thanks for the quick reply.
> Is there anything I can do within the version I am currently running?
> Unfortunately with this bloody virus going around now, I can't
> afford to take down MailScanner.
> thanks
>

From hermit921 at YAHOO.COM Thu Jan 29 18:17:52 2004
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:11 2006
Subject: SPF and MailScanner
In-Reply-To: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>
References: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>
Message-ID: <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com>

I read that SPF (Sender Permitted From) is being incorporated into spamassassin 2.70. Since the idea is to not accept (reject after HELO step) any message that fails the SPF test, I conclude SPF can't be used by MailScanner. It can be implemented in postfix, exim, sendmail, etc before MailScanner sees the message. Is this a correct summary?

hermit921

From mkettler at EVI-INC.COM Thu Jan 29 18:24:03 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:11 2006
Subject: Delete incoming virus warnings
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20040129131834.025afa60@xanadu.evi-inc.com>

At 12:40 PM 1/29/2004, you wrote:
>Thanks for the quick reply.
>Is there anything I can do within the version I am currently running?
>Unfortunately with this bloody virus going around now, I can't afford to take
>down MailScanner.
>thanks

scratches head and tries to remember back to MailScanner 3.5...

Does 3.5 have the "Silent Viruses" and "Still Deliver Silent Viruses" options, or are those 4.x generation stuff?
If you don't have at least the Silent Viruses option, do yourself and everyone else a favor and upgrade ASAP or take your mailserver completely offline until you can get a version of MS that doesn't respond to to viruses in a broken manner. I know the "All-Viruses" option for Silent Viruses is fairly new... But if you at least have Silent Viruses, you can add mydoom, sco.a or whatever your scanner calls it to the Silent Viruses list, and then set: Still Deliver Silent Viruses = no Which should prevent it from sending notices about the virus to anyone but the postmaster. From kevins at BMRB.CO.UK Thu Jan 29 18:37:47 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:11 2006 Subject: SPF and MailScanner In-Reply-To: <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com> References: <200401291812.i0TIC0wQ009831@avwall.bladeware.com> <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com> Message-ID: <1075401473.7581.7.camel@bach.kevinspicer.co.uk> On Thu, 2004-01-29 at 18:17, hermit921 wrote: > I read that SPF (Sender Permitted From) is being incorporated into > spamassassin 2.70. Since the idea is to not accept (reject after HELO > step) any message that fails the SPF test, I conclude SPF can't be used by > MailScanner. It can be implemented in postfix, exim, sendmail, etc before > MailScanner sees the message. Is this a correct summary? > SPF is just another means to help determine the likelihood of a message being spam or not. It is true that many sites may eventually want to use this to block mail, however this is not the only way to use it. SpamAssassin is likely to use it like they use rbls, as a trigger for a score. So you certainly could use it with SA through MailScanner, although this would not block the mail during the SMTP transaction (but this is the same decision you take if you use RBLs in SA or MS rather than your MTA. 
That said, if SPF gains widespread acceptance (AOL is testing at the moment I think, which is a good sign) and proves to be workable then using it at the MTA level may be considerably more effective than using RBL's in the MTA, with a much lower incidence of false positives (which will invariably be caused by bad system administration of the senders domain). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jaearick at COLBY.EDU Thu Jan 29 18:39:18 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:11 2006 Subject: 4.26.6: missing tweaks to SweepOther.pm Message-ID: Julian, Somewhere in 4.25-14 I added the following changes to lib/MailScanner/SweepOther.pm, per the suggestion of somebody else on the list, something I find really useful: *** SweepOther.pm.orig Thu Dec 4 08:08:07 2003 --- SweepOther.pm Thu Dec 4 08:17:18 2003 *************** *** 197,204 **** #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filename Checks: %s (%s)", ! $logtext, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; --- 197,204 ---- #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. ! 
MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", ! $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; *************** *** 206,217 **** # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s", $safename) if $LogNames; } } ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . ! "(no rule matched)", $safename) if $LogNames && !$MatchFound; } } --- 206,217 ---- # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", $id, $safename) if $LogNames; } } ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . ! "(no rule matched)", $id, $safename) if $LogNames && !$MatchFound; } } *************** *** 353,360 **** $MatchFound = 1; if ($allowdeny =~ /deny/) { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", ! $logtext, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; --- 353,360 ---- $MatchFound = 1; if ($allowdeny =~ /deny/) { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", ! $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; *************** *** 362,368 **** # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", $safename) if $LogTypes; } } --- 362,368 ---- # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! 
MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", $id, $safename) if $LogTypes; } } I see that they didn't get into 4.26.6. Any chance they could? Thanks. Jeff Earickson Colby College From jaearick at COLBY.EDU Thu Jan 29 18:44:47 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:11 2006 Subject: SweepOther.pm contextual diffs for 4.26.6 Message-ID: Julian, Attached is the "diff -c" changes to the 4.26.6 version of SweepOther.pm, should have sent that along the first time. Jeff -------------- next part -------------- *** SweepOther.pm.orig Thu Jan 29 13:40:18 2004 --- SweepOther.pm Thu Jan 29 13:42:54 2004 *************** *** 197,204 **** #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filename Checks: %s (%s)", ! $logtext, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; --- 197,204 ---- #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", ! $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; *************** *** 206,217 **** # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s", $safename) if $LogNames; } } ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . ! "(no rule matched)", $safename) if $LogNames && !$MatchFound; } } --- 206,217 ---- # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! 
MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", $id, $safename) if $LogNames; } } ! MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . ! "(no rule matched)", $id, $safename) if $LogNames && !$MatchFound; } } *************** *** 353,360 **** $MatchFound = 1; if ($allowdeny =~ /deny/) { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", ! $logtext, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; --- 353,360 ---- $MatchFound = 1; if ($allowdeny =~ /deny/) { # It's a rejection rule, so log the error. ! MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", ! $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; *************** *** 362,368 **** # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", $safename) if $LogTypes; } } --- 362,368 ---- # Do we want to delete the attachment or store it? $message->{deleteattach}{$safename} = 1 if $allowdeny =~ /delete/; } else { ! MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", $id, $safename) if $LogTypes; } } From mkbowman at neo.rr.com Thu Jan 29 18:43:15 2004 From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:22:11 2006 Subject: silent virus ruleset Message-ID: <000501c3e697$c16333a0$a767a8c0@MKBOWMAN2> Hi, Still having trouble with my ruleset being bypassed for Silent Viruses Virus: Bagle no Virus: Mydoom no Virus: NoVarg no Virus: SCO no Virus: default yes FromOrTo: default yes I still want users' to receive notifications but not get swamped with the MyDoom variations. Anyone got suggestions? 
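Review bot: In the SweepOther.pm diff above, the deny branch at 197-204 (and its filetype twin at 353-360) now logs `$id` and the raw `$attach` inside one pair of parentheses with only a space between them, while the allow branches log `$safename`. An attachment name that contains a space, or that starts with something shaped like a queue id, makes the id/name boundary ambiguous for anyone grepping or parsing the log. Consider keeping the id outside the parentheses, or logging `$safename` next to it, so the sender-controlled filename cannot blur the id field.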
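Review bot: `$id` is used in the new "Allowing %s %s" calls at 206-217 (and again at 362-368), but none of the context lines shown in the diff assign it; the surrounding code only references `$message`, `$attach` and `$safename`. Please confirm `$id` holds the current message's id at this point in both the filename and filetype loops, otherwise these lines will log an empty or stale id. The log format also changes from "Allowing <name>" to "Allowing <id> <name>", which is worth a line in the change notes for sites that parse these entries.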
MS 4.25-4/Redhat 9/sendmail

Thanks
Matthew

From tony.johansson at SVENSKAKYRKAN.SE Thu Jan 29 18:38:00 2004
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:22:11 2006
Subject: Clamav signature generation
Message-ID:

These are the times when antivirus companies had a virus definition for Mydoom.A:
(I don't know how accurate they are, I got them from a source at F-Secure)

McAfee (BETA)    2004-01-26, 22:20
F-Secure (BETA)  2004-01-26, 22:36
Symantec (BETA)  2004-01-26, 23:00
F-Secure         2004-01-26, 23:09
F-Prot           2004-01-26, 23:30
Trend Micro      2004-01-26, 23:35
Norman           2004-01-27, 00:05
Kaspersky        2004-01-27, 00:30

At our site, Clamav found the first Mydoom.A at 2004-01-26 22:02, this time beating all the above commercial scanners.

Clamav obviously did great this time, but on other occasions they have been far behind.

Is there a way to redirect a file that's been flagged as a virus by one or more scanners but not by clamav? It could be put in a special quarantine or submitted automatically to http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Clamav would have the power of all scanners supported by MailScanner, possibly never being beaten by more than one or two commercial scanners...

One could argue that there's a moral dilemma here, using the output from one scanner to benefit another but I've seen nothing prohibiting this in the license agreements I've read.

regards,
Tony

From rzewnickie at RFA.ORG Thu Jan 29 18:46:18 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:11 2006
Subject: mcafee uvscan not using /usr/local/uvscan/datfiles/current
In-Reply-To:
References:
Message-ID: <20040129184618.GB2204@rfa.org>

On Thu, Jan 29, 2004 at 02:17:27PM +0000, Tony Finch wrote:
> Remco Barendse wrote:
> >On Wed, 28 Jan 2004, Tony Finch wrote:
> >> Eric Dantan Rzewnicki wrote:
> >> >
> >> >However it appears that uvscan is being called with old dats that exist
> >> >in /usr/local/uvscan/*.dat.
> >>
> >> These should be symlinks to datfiles/current/*.dat
>
> I should probably also note that the autoupdate script will create the
> datfiles directory and set up all the necessary symlinks the first time
> it is run. Remove the datfiles directory before running it to get a
> clean setup.

This seems to be where my problem was ... I moved the datfiles directory to datfiles.bak and ran mcafee-autoupdate. As you said it would, the datfiles dir was recreated and the symlinks now exist in /usr/local/uvscan for clean.dat, internet.dat, names.dat and scan.dat.

Thank you for clearing this up. I'm still puzzled as to why they weren't created when I first ran the script, but it seems to be ok now.

Thanks,
Eric Rz.

From dan at OXNARDSD.ORG Thu Jan 29 18:40:38 2004
From: dan at OXNARDSD.ORG (Dan Kubilos)
Date: Thu Jan 12 21:22:11 2006
Subject: silent virus ruleset
In-Reply-To: <000501c3e697$c16333a0$a767a8c0@MKBOWMAN2>
Message-ID:

Is there a way to set up a ruleset such that if an attachment is blocked by filename but is not found to be a virus by the viruscanner Sender is notified. ?

On Thu, 29 Jan 2004, Matthew K Bowman wrote:

> Hi,
>
> Still having trouble with my ruleset being bypassed for Silent Viruses
>
> Virus: Bagle no
> Virus: Mydoom no
> Virus: NoVarg no
> Virus: SCO no
> Virus: default yes
> FromOrTo: default yes
>
> I still want users' to receive notifications but not get swamped with the
> MyDoom variations.
>
> Anyone got suggestions?
>
> MS 4.25-4/Redhat 9/sendmail
>
> Thanks
> Matthew
>

--
Dan Kubilos __\o_ ^
K-8 Tech Coord
http://www.oxnardsd.org

From jaearick at COLBY.EDU Thu Jan 29 18:55:16 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:11 2006
Subject: another 4.26.6 tweak
Message-ID:

Julian,

Can you add a comment to MailScanner.conf, before

Incoming Work Dir =

noting that this directory can safely use ramdisk/tmpfs, eg /tmp on Solaris? Newbies may not be aware of this.
Jeff From rgreen at TRAYERPRODUCTS.COM Thu Jan 29 19:12:39 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:11 2006 Subject: upgrade process Message-ID: <40195B27.7070207@trayerproducts.com> Greetings. I've been using MailScanner for a few months now. It's working fine. I'm running MailScanner with Postfix. I would like to know how to tell what version of MailScanner I'm running and also is there a procedure for upgrading to the latest version? Any recommendations as far as backing up the current install so I can revert to that, if needed, would also be helpful. Thank you, Rod From ugob at CAMO-ROUTE.COM Thu Jan 29 19:16:09 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:11 2006 Subject: upgrade process Message-ID: <54C38A0B814C8E438EF73FC76F36292741085F@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Rodney Green [mailto:rgreen@TRAYERPRODUCTS.COM] > Sent: Thursday, January 29, 2004 2:13 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: upgrade process > > > Greetings. I've been using MailScanner for a few months now. It's > working fine. > > I'm running MailScanner with Postfix. I would like to know how to tell > what version of MailScanner I'm running and also is there a procedure > for upgrading to the latest version? Any recommendations as far as > backing up the current install so I can revert to that, if > needed, would > also be helpful. Backing up what? Settings? This is done automatically. You can back up your whole server if you want to. To know the version, in redhat = rpm -q MailScanner To upgrade, do as if you were installing, but run 'upgrade_mailscanner_conf' after. hth > > Thank you, > Rod > From FStein at THEHILL.ORG Thu Jan 29 19:26:35 2004 From: FStein at THEHILL.ORG (Stein, Mr.
Fred) Date: Thu Jan 12 21:22:11 2006 Subject: ANNOUNCE: Beta 4.26.6 released Message-ID: <73F0CEC63C14FC41ACBE35A3E23DB9B3036679@dianna.thehill.org> I have just upgraded from ver 4.26.5 to 4.26.6 Now I get the error isw maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid rule of type , rule is "" Jan 29 14:24:46 butters last message repeated 709 times RH9 Spamassassin 2.63 Any ideas? Fred Stein Network Administrator The Hill School 717 High Street Pottstown, PA 19464 610-326-1000 ext. 7356 fstein@thehill.org www.thehill.org -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, January 29, 2004 10:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Beta 4.26.6 released Hi folks, I have just posted 4.26.6 on the website for you all. Download from www.mailscanner.info as usual. This is intended as a final testing release before 4.26 goes stable, which will hopefully be this weekend. If you could test it out and let me know of any problems as soon as possible, I will get them fixed. Thanks folks! Changes this time are: * New Features and Improvements * - Improved configuration engine so that rules can now contain 2 tests separated by "and". - Added "notify" Spam Action and High Scoring Spam Action. This will cause a short text notification message to be sent to the recipients of the spam message. The filename of the report is set with the "Recipient Spam Report" configuration setting. There is also an MCP equivalent of this functionality. See the MCP documentation for details of the settings. - Removed the "bounce" spam action. - Added regular rebuild of Bayes database. Has 2 options associated with it which I haven't included in the conf file yet. - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to configure the operation of the regular Bayes database rebuilds. 
- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as you will want to uncomment this line if you are using the regular scheduled Bayes database expiry feature given above. - Added "Minimum Stars If On Spam List" setting so that people who just filter on the "Spam Stars" can catch messages which only trigger the "Spam List" trap. - Added "Log Non Spam" option to allow logging of all non-spam, which can be coerced into logging SpamAssassin scores of non-spam mail. - Added support for Norman virus scanner (www.norman.de). - Added logging of ids of dropped silent viruses. - Added "Too Many Attachments" error report in a message instead of old report saying it could not analyse the message. - No longer stops or restarts after RPM upgrade. - Added MCP patches for SpamAssassin 2.61 and 2.63. - Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin. - Spanish translations of languages.conf updated from Debian translators. - Added Catalan translation of all report files. - Added bogusmx list to supplied spam.lists.conf. - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. - Changed the version number scheme from major.minor-teeny to major.minor.teeny. - Forced owner to be root.root in both RPM spec files, so can be re-built by non-root users. - Added my Amazon.co.uk "wish list" to the donations page. - Detailed spam report now includes auto-learn status if it was auto-learnt. * Fixes * - Fixed creation of MCP quarantine directory bug. - Fix to Postfix message duplication problems. Must find "end of message" record now. - Fix to duplicate recipient listing in postmaster notices. - Fixed bug so filename/filetype rules configuration setting can be blank. - Exim per-message log files are deleted correctly now. - Fixed recipient duplication problems in sender messages and other reports. - Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment. 
- Fixed bug where _SCORE_ in subject line modifications is never more than 60. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin at MICA.NET Thu Jan 29 19:36:01 2004 From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:22:11 2006 Subject: FYI, the attrition.org Anti-Virus rant made it to slashdot Message-ID: <8B699873CEBA3543926B467E768082321A68E9@sol.hq.mica.net> Looks like that rant that someone pointed out a few days ago over @ attrition.org has made it to slashdot: http://slashdot.org/article.pl?sid=04/01/29/1847211&mode=thread&tid=111&tid=126&tid=172 FYI... k From mkettler at EVI-INC.COM Thu Jan 29 19:40:07 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:11 2006 Subject: silent virus ruleset In-Reply-To: <000501c3e697$c16333a0$a767a8c0@MKBOWMAN2> References: <000501c3e697$c16333a0$a767a8c0@MKBOWMAN2> Message-ID: <6.0.0.22.0.20040129143852.01e69708@xanadu.evi-inc.com> At 01:43 PM 1/29/2004, Matthew K Bowman wrote: >Still having trouble with my ruleset being bypassed for Silent Viruses > >Virus: Bagle no >Virus: Mydoom no >Virus: NoVarg no >Virus: SCO no >Virus: default yes >FromOrTo: default yes > >I still want users' to receive notifications but not get swamped with the >MyDoom variations. You need to set "Still Deliver Silent Viruses" to no. By default, a "Silent Virus" is one that doesn't notify the sender, but still notifies the recipient.
From hermit921 at YAHOO.COM Thu Jan 29 20:14:20 2004 From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:22:11 2006 Subject: give virus high spam score In-Reply-To: <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com> <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.2.20040129121240.01ed1e50@pop.mail.yahoo.com> Is there a way to increase the spam score by, say, 50 points if specific viruses are found in the message? hermit921 From raymond at PROLOCATION.NET Thu Jan 29 20:21:07 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:11 2006 Subject: give virus high spam score In-Reply-To: <6.0.0.22.2.20040129121240.01ed1e50@pop.mail.yahoo.com> Message-ID: Hi! > Is there a way to increase the spam score by, say, 50 points if specific > viruses are found in the message? Why would you want to do this ? Bye, Raymond. From hermit921 at yahoo.com Thu Jan 29 20:25:33 2004 From: hermit921 at yahoo.com (hermit921) Date: Thu Jan 12 21:22:11 2006 Subject: give virus high spam score In-Reply-To: References: <6.0.0.22.2.20040129121240.01ed1e50@pop.mail.yahoo.com> Message-ID: <6.0.0.22.2.20040129122404.01e91418@pop.mail.yahoo.com> At 12:21 PM 1/29/2004, Raymond Dijkxhoorn wrote: >Hi! > > > Is there a way to increase the spam score by, say, 50 points if specific > > viruses are found in the message? > >Why would you want to do this ? > >Bye, >Raymond. For those of us who can tag messages but are not allowed to drop them, this would get the text remnants from virus emails into the user's spam folder instead of inbox. hermit921 From danielk at AVALONPUB.COM Thu Jan 29 20:35:44 2004 From: danielk at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:22:11 2006 Subject: Trend virus reporting not working? Message-ID: <40196EA0.9000601@avalonpub.com> I've just installed some extra scanners into my MailScanner configuration. 
I now use sophossavi, f-prot, and trend (I was just using sophossavi before). The support for trend is apparently alpha (I had to decrease my minimum code status to get it to work) and it doesn't seem to log which virus it detected. From my maillog: Jan 29 11:29:07 nts-2 MailScanner[20732]: Virus and Content Scanning: Starting Jan 29 11:29:07 nts-2 MailScanner[20732]: INFECTED:: W32/MyDoom-A:: ./i0TJT2iG028320/document.pif Jan 29 11:29:07 nts-2 MailScanner[20732]: Virus Scanning: SophosSAVI found 1 infections Jan 29 11:29:07 nts-2 MailScanner[20732]: /var/spool/MailScanner/incoming/20732/i0TJT2iG028320/document.pif Infection: W32/Mydoom.A@mm Jan 29 11:29:07 nts-2 MailScanner[20732]: Virus Scanning: F-Prot found virus W32/Mydoom.A@mm Jan 29 11:29:08 nts-2 MailScanner[20732]: Virus Scanning: F-Prot found 1 infections Jan 29 11:29:08 nts-2 MailScanner[20732]: Virus Scanning: Trend found 1 infections Jan 29 11:29:08 nts-2 MailScanner[20732]: Infected message i0TJT2iG028320 came from 66.136.69.99 Jan 29 11:29:08 nts-2 MailScanner[20732]: Virus Scanning: Found 1 viruses Looking through SweepViruses.pm it seems there is some code (lines 1902-1946 in version 4.24-5) to "ProcessTrendOutput", but in my case it doesn't seem to be working. Is it working for other people? If not, do any Perl programmers want to take a look and see if they can fix it? The sample output (embedded as a comment in SweepViruses.pm) that the current code was based on seems pretty similar to the current output, so it's probably pretty easy to fix. I'm not sure if I called trend-wrapper correctly to generate the output below, let me know if it's not correct. Thanks, Daniel command run: /usr/lib/MailScanner/trend-wrapper /usr/local/trend/ -a -za -r . output: Virus Scanner v3.1, VSAPI v6.810-1005 Trend Micro Inc. 1996,1997 Pattern version 749 Pattern number 58124 Configuration: -a -r -nl -c1 -c2 -u -s Directory . 
./eicar.com.txt *** Found virus Eicar_test_file in file /root/spam/eicar.com.txt ============================== Directory: Searched : 1 File: Searched : 1 Scan : 1 Infected : 1 Infected : 1(Include files been compressed) Time: Start : 1/29/04 12:22:32 Stop : 1/29/04 12:22:32 Used : 00:00 From shrek-m at GMX.DE Thu Jan 29 21:01:05 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:11 2006 Subject: upgrade process In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741085F@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F36292741085F@mtlnt501fs.CAMOROUTE.COM> Message-ID: <40197491.6020306@gmx.de> Ugo Bellavance wrote: >>I'm running MailScanner with Postfix. I would like to know how to tell >>what version of MailScanner I'm running and also is there a procedure >>for upgrading to the latest version? Any recommendations as far as >>backing up the current install so I can revert to that, if >>needed, would >>also be helpful. >> >> > >Backing up what? settings? this is done automatically. You can backup your whole server if you want to. > $ rpm -ql mailscanner you could at least save your /etc/MailScanner/ /usr/lib/MailScanner/ for downgrade # rpm -Uvh --oldpackage --replacefiles --replacepkgs mailscanner-.rpm you have saved your old MailScanner.conf ;-) >To know the version, in redhat = rpm -q MailScanner > > or # vi /var/log/maillog >To upgrade, do as if you were installing, but run 'upgrade_mailscanner_conf' after. 
> > -- shrek-m From hywel at BURRIS.ORG.UK Thu Jan 29 21:39:26 2004 From: hywel at BURRIS.ORG.UK (Hywel Burris) Date: Thu Jan 12 21:22:11 2006 Subject: Upgrade to SpamAssassin-2.63-1 problem In-Reply-To: <4016F5A6.70303@ucgbook.com> Message-ID: <200401292150.i0TLo9qs020601@mail.burris.org.uk> Thanks Peter, Sorry for the delay worked a treat :) Hywel -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Peter Bonivart Sent: 27 January 2004 23:35 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Upgrade to SpamAssassin-2.63-1 problem Hywel Burris wrote: > Hi Peter, > > Yes I installed from the RPM. If this can't be done could you briefly > explain how. I seem to remember an email from this group about 6weeks ago on > this subject but couldn't find it. > > I have never had any issue like this before from upgrading SA, wonder why > this ones different. > > Thanks There's nothing wrong with the RPM if you want to use SA standalone but it will not work with MailScanner, all paths will be screwed up and MS will not find stuff. That's why it's OK to use SRPM because that's built for your system. I would recommend CPAN, I use that on Solaris also. Extremely simple: # perl -e shell -MCPAN cpan> install Mail::SpamAssassin Of course, remove the RPM first. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From michele at BLACKNIGHTSOLUTIONS.COM Thu Jan 29 21:55:56 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:11 2006 Subject: Upgrade to SpamAssassin-2.63-1 problem In-Reply-To: <200401292150.i0TLo9qs020601@mail.burris.org.uk> Message-ID: > > There's nothing wrong with the RPM if you want to use SA standalone but > it will not work with MailScanner, all paths will be screwed up and MS > will not find stuff. 
That's why it's OK to use SRPM because that's built > for your system. If you use apt-get to install it and then disable it like you would with sendmail it works fine From peter at UCGBOOK.COM Thu Jan 29 22:20:19 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:11 2006 Subject: Upgrade to SpamAssassin-2.63-1 problem In-Reply-To: <200401292150.i0TLo9qs020601@mail.burris.org.uk> References: <200401292150.i0TLo9qs020601@mail.burris.org.uk> Message-ID: <40198723.4080902@ucgbook.com> Hywel Burris wrote: > Thanks Peter, > > Sorry for the delay worked a treat :) > > Hywel Good to hear! :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From rzewnickie at RFA.ORG Thu Jan 29 22:32:24 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:11 2006 Subject: Don't Quarantine Viruses In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn> References: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn> Message-ID: <20040129223224.GE2204@rfa.org> Do these names have to match the name as reported by the virus scanners? or is it case insensitive? i.e., will: Virus: mydoom no prevent mydoom from being quarantined when caught by either sophossavi or uvscan? or do I need to do this? : Virus: W32/MyDoom-A no Virus: W32/Mydoom.a@MM no Thanks, Eric Rz. On Wed, Jan 28, 2004 at 02:55:11PM -0500, Hirsh, Joshua wrote: > > I'd like to be able to not quarantine viruses but still > > quarantine filetype denies. > > Yup, you can distinguish between the two. You can set "Quarantine > Infections" to match against a rule, and in the rules file have something > like this: > > Virus: sobig no > Virus: dumaru no > Virus: mimail no > > > Etc.. > > > Cheers, > > -Joshua From elhannaford at PSFINC.COM Fri Jan 30 00:31:07 2004 From: elhannaford at PSFINC.COM (Edward L. 
Hannaford) Date: Thu Jan 12 21:22:11 2006 Subject: Skip scan for viruses Message-ID: Is there a way to configure MailScanner to skip the spam scan for emails that have been found to contain a virus? I tag my subject lines for both positives and some users find this confusing. I also have different notification settings for the two types of "badmail" and I don't want them mixing. -Ed From ree at THUNDERSTAR.NET Fri Jan 30 00:39:41 2004 From: ree at THUNDERSTAR.NET (Ron E.) Date: Thu Jan 12 21:22:11 2006 Subject: upgrading to SA 2.64, clamav 0.65 & MS 4.25-14 Message-ID: Hi All - I'm currently running MailScanner 4.24-5, clamav 0.60 & spamassassin 2.60 - I'm planning to upgrade to current versions of everything shortly and I'm just wondering if anyone knows of any particular gotchas on doing this. I've done all this awhile ago and from what I remember everything was pretty simple. Currently running postfix but planning to switch to Exim sometime in the not too distant future. Thanks, Ron From rzewnickie at RFA.ORG Fri Jan 30 01:00:40 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:11 2006 Subject: possible tabbing mis-conception? Message-ID: <20040130010040.GI2204@rfa.org> I somehow got the idea that .rules files need to be tab-delimited. But, now I'm wondering if that is actually only needed in file(type|name).rules.conf. Can someone provide me some clarity on that? Thanks, Eric Rz. From mike at CAMAROSS.NET Fri Jan 30 01:54:25 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:11 2006 Subject: Sophos AND ClamAV Missing Some? Message-ID: <200401300146.i0U1k7wQ010998@avwall.bladeware.com> The characteristics look to be the same as the MyDoom...but it just gets delete. Does this look right? 
Jan 29 19:44:27 avwall sendmail[10938]: i0U1iNwQ010938: from=, size=31189, class=0, nrcpts=1, msgid=<200401300144.i0U1iNwQ010938@avwall.bladeware.com>, proto=ESMTP, daemon=MTA, relay=c66.169.156.15.ts46v-11.ftwrth.tx.charter.com [66.169.156.15] Jan 29 19:44:28 avwall MailScanner[17208]: New Batch: Scanning 1 messages, 31796 bytes Jan 29 19:44:28 avwall MailScanner[17208]: Spam Checks: Starting Jan 29 19:44:34 avwall MailScanner[17208]: Message i0U1iNwQ010938 from 66.169.156.15 (lauralee11@charter.net) to americanmedical-id.com is spam, SpamAssassin (score=9.992, required 5.8, BAYES_56 0.00, DCC_CHECK 2.91, FROM_ENDS_IN_NUMS 0.99, MICROSOFT_EXECUTABLE 0.10, MISSING_MIMEOLE 1.59, MSGID_FROM_MTA_SHORT 3.03, NO_REAL_NAME 0.16, PRIORITY_NO_NAME 1.21) Jan 29 19:44:34 avwall MailScanner[17208]: Spam Checks: Found 1 spam messages Jan 29 19:44:34 avwall MailScanner[17208]: Spam Actions: message i0U1iNwQ010938 actions are delete Mike From victor at PIXELMAGICFX.COM Fri Jan 30 02:04:31 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:11 2006 Subject: Panda question, and introduction Message-ID: <4019BBAF.4080909@pixelmagicfx.com> Hello, I am new to this list. I have: CommuniGatePro 4.1.6 Red Hat 8.0 MailScanner running F-secure, SpamAssassin, and (attempting) Panda command line. F-secure and Spamassassin work marvelously through Mailscanner, but Panda 7.0.1 doesn't do a single thing. I searched through the archives of this mailing list for a patch to the panda wrapper, and found this one: ------------------------------------------------------------------ # print TEMP $_; - if (/Encontrado virus:\s+((\w|\-|\_|\/)+)/) { + if (/(Found virus|Encontrado virus)\s*:\s*((\w|\-|\_|\/) +)/) { + #if (/Encontrado virus:\s+((\w|\-|\_|\/)+)/) { close SALIDA; - return $1; + #return $1; + return $2; } } close SALIDA; ----------------------------------------------------------------- I have still had no luck. 
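Review bot: the capture group in the new pattern, ((\w|\-|\_|\/) +), still accepts only word characters, "-", "_" and "/", so any reported name containing "." or "@" is cut off at the first such character and MailScanner would log a truncated virus name; widen the class, for example ([\w\-\/.@]+). The space before the "+" as printed would also make the pattern require literal spaces after each character unless it is only a wrapping artifact, so check it against the file on disk. Making the new alternation non-capturing, (?:Found virus|Encontrado virus), would let the original "return $1;" stand and avoid leaving the two commented-out lines behind.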
I try sending it the e'i'c'a'r test virus, but F-secure does all of the work. I have checked all of the paths as well. Is there a wrapper that will work for this program, or even a log file in Mailscanner that will give me a lead? Thanks Vic DiMichina From victor at PIXELMAGICFX.COM Fri Jan 30 03:26:42 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:11 2006 Subject: Panda question, and introduction References: <4019BBAF.4080909@pixelmagicfx.com> Message-ID: <4019CEF2.10500@pixelmagicfx.com> Victor DiMichina wrote: > I have still had no luck. I try sending it the e'i'c'a'r test virus, > but F-secure does all of the work. I have checked all of the paths as > well. Is there a wrapper that will work for this program, or even a > log file in Mailscanner that will give me a lead? An update, actually Panda's log file is showing that it's finding virus e-mails, but it doesn't show up in the reports from Mailscanner. I'm also not sure what it's doing with the infected files. Thanks Vic From shrek-m at GMX.DE Fri Jan 30 07:49:42 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:11 2006 Subject: possible tabbing mis-conception? In-Reply-To: <20040130010040.GI2204@rfa.org> References: <20040130010040.GI2204@rfa.org> Message-ID: <401A0C96.6020004@gmx.de> Eric Dantan Rzewnicki wrote: >I somehow got the idea that .rules files need to be tab-delimited. But, >now I'm wondering if that is actually only needed in >file(type|name).rules.conf. > >Can someone provide me some clarity on that? > i think it is "important" for all rulesets, eg. $ vi /etc/MailScanner/filename.rules.conf $ vi /etc/MailScanner/filetype.rules.conf in both you can see this line: # NOTE: Fields are separated by TAB characters --- Important! 
for further infos|examples: $ vi /etc/MailScanner/rules/README $ vi /etc/MailScanner/rules/EXAMPLES -- shrek-m From garry at GLENDOWN.DE Fri Jan 30 08:10:29 2004 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:11 2006 Subject: Reliable spam/nospam bayes learner? Message-ID: <401A1175.7070207@glendown.de> Hi, maybe I'm missing seeing the link, but I was looking for a script that I can set up so users can forward false positives/negatives to so that they will be learned by SA as spam or ham ... also, as it will be hard enough to teach people to forward correctly, it has to learn from a forwarded, not bounced, mail ... that is, ignore the information added by the mail client and just look at the original mail (as far as information is still available, like headers, etc.) Help appreciated, -garry From m.althoff at BROMBERG.DEMON.NL Fri Jan 30 08:16:21 2004 From: m.althoff at BROMBERG.DEMON.NL (Matthijs Althoff) Date: Thu Jan 12 21:22:11 2006 Subject: Mydoom Message-ID: On Wed, 28 Jan 2004 16:05:09 +0100, Peter Peters wrote: >What I usually do in these cases is checking what I get with just >grep MailScanner * | grep "Found the" >Perhaps awk gives some error message that is piped into sort. In your example it greps in all files (*). Therefore it also grepped the file run I had created and found the word awk at $9 ;-)I have replaced * for maillog* and it works like charm. $ ./run Real e-mail received: 7681 Spam or spam-line mail: 62 Mail blocked by ruleset's: 4444 Mail send to non existing local users: 2483 M$ Outlook HTML abusers: 119 Current Mcafee Uvscan dat version: Virus data file v4321 created Jan 29 2004 Top 5 (and more) virussen found: 22 W32/Swen@MM 1 W32/Sober.c@MM 1 W32/FunLove.gen From lenaig at WANADOO.FR Fri Jan 30 08:24:08 2004 From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:11 2006 Subject: MailScanner does not run viruscan ?? 
Message-ID: <20040130082408.GA1049@maelenn> Hi, Using MailScanner-devel-4.26.4, f-prot-4.3.1, clamav-devel-20040116, on FreeBSD box. So I am not sure that mailscanner is running f-prot and clamav ... If I am checking on the log files, I can see that they are still empty. But if I am running them directly from virus.scanners.conf : /usr/local/libexec/MailScanner/clamav-wrapper /usr/local -r /toto/titi -l /var/log/clamav/result.log /usr/local/libexec/MailScanner/f-prot-wrapper /usr/local/f-prot -report=/var/log/clamav/result_f.log /toto/titi I can see that all of my log files are working ... I check in /var/run mailscanner pid is here, I check on user/permission, it is ok In /var/spool/MailScanner, Incoming is working, Quarantine always empty MailScanner.conf: Virus Scanning = yes Virus Scanners = f-prot clamav It will be a pleasure to give you more information if necessary. Thx -- Thierry Never do an "apt-get install new-wife" before an "apt-get remove --purge current-wife" From martinh at SOLID-STATE-LOGIC.COM Fri Jan 30 09:16:48 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:11 2006 Subject: Reliable spam/nospam bayes learner? In-Reply-To: <401A1175.7070207@glendown.de> References: <401A1175.7070207@glendown.de> Message-ID: <401A2100.7050201@solid-state-logic.com> Garry Glendown wrote: > Hi, > > maybe I'm missing seeing the link, but I was looking for a script that I > can set up so users can forward false positives/negatives to so that > they will be learned by SA as spam or ham ... also, as it will be hard > enough to teach people to forward correctly, it has to learn from a > forwarded, not bounced, mail ... that is, ignore the information added > by the mail client and just look at the original mail (as far as > information is still available, like headers, etc.) > > Help appreciated, > > -garry Garry I've got one that uses imap shared folders that users can drag their corrections into.
assumes of course your mail server is imap or imap compatible (MS-Ex 5.5, not MS-EX 2000 as it break headers when moving folders apparently!). If you need more details let me know off list, or a previous response is in the archives -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:18:36 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:11 2006 Subject: 4.26.6: missing tweaks to SweepOther.pm In-Reply-To: References: Message-ID: <6.0.1.1.2.20040130091833.03a104c0@imap.ecs.soton.ac.uk> Added. At 18:39 29/01/2004, you wrote: >Julian, > > Somewhere in 4.25-14 I added the following changes to >lib/MailScanner/SweepOther.pm, per the suggestion of somebody >else on the list, something I find really useful: > >*** SweepOther.pm.orig Thu Dec 4 08:08:07 2003 >--- SweepOther.pm Thu Dec 4 08:17:18 2003 >*************** >*** 197,204 **** > #print STDERR "\"$attach\" matched \"$regexp\" or > \"$safename\" did\n"; > if ($allowdeny =~ 'deny') { > # It's a rejection rule, so log the error. >! MailScanner::Log::InfoLog("Filename Checks: %s (%s)", >! $logtext, $attach); > $message->{namereports}{$safename} .= "$usertext > ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; >--- 197,204 ---- > #print STDERR "\"$attach\" matched \"$regexp\" or > \"$safename\" did\n"; > if ($allowdeny =~ 'deny') { > # It's a rejection rule, so log the error. >! 
MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", >! $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext > ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; >*************** >*** 206,217 **** > # Do we want to delete the attachment or store it? > $message->{deleteattach}{$safename} = 1 if $allowdeny =~ > /delete/; > } else { >! MailScanner::Log::InfoLog("Filename Checks: Allowing %s", >$safename) > if $LogNames; > } > } >! MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . >! "(no rule matched)", $safename) > if $LogNames && !$MatchFound; > } > } >--- 206,217 ---- > # Do we want to delete the attachment or store it? > $message->{deleteattach}{$safename} = 1 if $allowdeny =~ > /delete/; > } else { >! MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", >$id, $safename) > if $LogNames; > } > } >! MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . >! "(no rule matched)", $id, $safename) > if $LogNames && !$MatchFound; > } > } >*************** >*** 353,360 **** > $MatchFound = 1; > if ($allowdeny =~ /deny/) { > # It's a rejection rule, so log the error. >! MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", >! $logtext, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; >--- 353,360 ---- > $MatchFound = 1; > if ($allowdeny =~ /deny/) { > # It's a rejection rule, so log the error. >! MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", >! $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; >*************** >*** 362,368 **** > # Do we want to delete the attachment or store it? > $message->{deleteattach}{$safename} = 1 if $allowdeny =~ > /delete/; > } else { >! 
MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", >$safename) > if $LogTypes; > } > } >--- 362,368 ---- > # Do we want to delete the attachment or store it? > $message->{deleteattach}{$safename} = 1 if $allowdeny =~ > /delete/; > } else { >! MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", >$id, $safename) > if $LogTypes; > } > } > >I see that they didn't get into 4.26.6. Any chance they >could? Thanks. > >Jeff Earickson >Colby College -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:13:43 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:11 2006 Subject: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails In-Reply-To: References: Message-ID: <6.0.1.1.2.20040130091311.03aafe68@imap.ecs.soton.ac.uk> Try just installing the Net-CIDR module with something like rpm -Uvh --nodeps perl-Net-CIDR* and then run ./install.sh. At 16:53 29/01/2004, you wrote: >For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get: >./install.sh >... >Attempting to build and install perl-Net-CIDR-0.08-2 >Installiere perl-Net-CIDR-0.08-2.src.rpm >Fehler: Failed build dependencies: > perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2 > >My perl is: ># rpm -q perl >perl-5.8.1-46 ># perl -v >This is perl, v5.8.1 built for i586-linux-thread-multi >(with 1 registered patch, see perl -V for more detail) > >I get this message for some perl packages, but nor for all of them. >Using "./install.sh nodeps" doesn't help, it gives the same error. > >Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm" >does help a bit, but aborts with: >"ERROR: EMPTY FILE LIST" > >This doesn't seem to be a new problem, it occurs with >MailScanner-4.25-14.suse.tar.gz as well. 
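Review bot: in the SweepOther.pm context diff quoted in the "4.26.6: missing tweaks to SweepOther.pm" message above, both deny branches (the "Filename Checks: %s (%s %s)" and "Filetype Checks: %s (%s %s)" lines) log the raw $attach next to the new $id, while the allow branches log $safename. The attachment name is taken from the message, so log $safename in the deny lines as well, or sanitise $attach first, so that a crafted filename cannot put control characters or look-alike fields into the log entry that now carries the message id. None of the visible context lines assign $id, so it is also worth confirming it is in scope in both the filename loop and the filetype loop.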
> > >Best regards > >-- Heinz > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Thursday, 29 January 2004 16:25 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: ANNOUNCE: Beta 4.26.6 released > >Hi folks, > >I have just posted 4.26.6 on the website for you all. Download from >www.mailscanner.info as usual. > >This is intended as a final testing release before 4.26 goes stable, which >will hopefully be this weekend. If you could test it out and let me know of >any problems as soon as possible, I will get them fixed. > >Thanks folks! > >Changes this time are: > >* New Features and Improvements * >- Improved configuration engine so that rules can now contain 2 tests > separated by "and". >- Added "notify" Spam Action and High Scoring Spam Action. This will cause a > short text notification message to be sent to the recipients of the spam > message. The filename of the report is set with the "Recipient Spam > Report" > configuration setting. There is also an MCP equivalent of this > functionality. See the MCP documentation for details of the settings. >- Removed the "bounce" spam action. >- Added regular rebuild of Bayes database. Has 2 options associated with it > which I haven't included in the conf file yet. >- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to > configure the operation of the regular Bayes database rebuilds. >- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as > you will want to uncomment this line if you are using the regular > scheduled > Bayes database expiry feature given above. >- Added "Minimum Stars If On Spam List" setting so that people who just filter > on the "Spam Stars" can catch messages which only trigger the "Spam List" > trap. >- Added "Log Non Spam" option to allow logging of all non-spam, which can be > coerced into logging SpamAssassin scores of non-spam mail.
>- Added support for Norman virus scanner (www.norman.de).
>- Added logging of ids of dropped silent viruses.
>- Added "Too Many Attachments" error report in a message instead of old
>  report saying it could not analyse the message.
>- No longer stops or restarts after RPM upgrade.
>- Added MCP patches for SpamAssassin 2.61 and 2.63.
>- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.
>- Spanish translations of languages.conf updated from Debian translators.
>- Added Catalan translation of all report files.
>- Added bogusmx list to supplied spam.lists.conf.
>- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
>- Changed the version number scheme from major.minor-teeny to major.minor.teeny.
>- Forced owner to be root.root in both RPM spec files, so can be re-built by
>  non-root users.
>- Added my Amazon.co.uk "wish list" to the donations page.
>- Detailed spam report now includes auto-learn status if it was auto-learnt.
>
>* Fixes *
>- Fixed creation of MCP quarantine directory bug.
>- Fix to Postfix message duplication problems. Must find "end of message"
>  record now.
>- Fix to duplicate recipient listing in postmaster notices.
>- Fixed bug so filename/filetype rules configuration setting can be blank.
>- Exim per-message log files are deleted correctly now.
>- Fixed recipient duplication problems in sender messages and other reports.
>- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
>  own checks find multiple problems with 1 attachment.
>- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:21:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:11 2006
Subject: another 4.26.6 tweak
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130092121.03a10db8@imap.ecs.soton.ac.uk>

Done.

At 18:55 29/01/2004, you wrote:
>Julian,
>   Can you add a comment to MailScanner.conf, before
>Incoming Work Dir =
>noting that this directory can safely use ramdisk/tmpfs,
>eg /tmp on Solaris? Newbies may not be aware of this.
>
>Jeff

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:26:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:11 2006
Subject: Don't Quarantine Viruses
In-Reply-To: <20040129223224.GE2204@rfa.org>
References: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn>
 <20040129223224.GE2204@rfa.org>
Message-ID: <6.0.1.1.2.20040130092602.0741d660@imap.ecs.soton.ac.uk>

The test is a simple sub-string, so "mydoom" should match both of your
examples.

At 22:32 29/01/2004, you wrote:
>Do these names have to match the name as reported by the virus scanners?
>or is it case insensitive?
>
>i.e., will:
>
>Virus: mydoom no
>
>prevent mydoom from being quarantined when caught by either sophossavi
>or uvscan?
>
>or do I need to do this? :
>
>Virus: W32/MyDoom-A no
>Virus: W32/Mydoom.a@MM no
>
>
>Thanks,
>Eric Rz.
>
>On Wed, Jan 28, 2004 at 02:55:11PM -0500, Hirsh, Joshua wrote:
> > > I'd like to be able to not quarantine viruses but still
> > > quarantine filetype denies.
> >
> > Yup, you can distinguish between the two. You can set "Quarantine
> > Infections" to match against a rule, and in the rules file have something
> > like this:
> >
> > Virus: sobig no
> > Virus: dumaru no
> > Virus: mimail no
> >
> >
> > Etc..
> >
> >
> > Cheers,
> >
> > -Joshua

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:28:24 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:11 2006
Subject: possible tabbing mis-conception?
In-Reply-To: <20040130010040.GI2204@rfa.org>
References: <20040130010040.GI2204@rfa.org>
Message-ID: <6.0.1.1.2.20040130092725.07853cc8@imap.ecs.soton.ac.uk>

At 01:00 30/01/2004, you wrote:
>I somehow got the idea that .rules files need to be tab-delimited. But,
>now I'm wondering if that is actually only needed in
>file(type|name).rules.conf.
>
>Can someone provide me some clarity on that?

It is only needed in file(type|name).rules.conf. Those files contain data
including spaces, and therefore cannot be space-separated. So they have to
be tab-separated.

All other files will handle any sort of white space you care to use.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:26:55 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:11 2006
Subject: Skip scan for viruses
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130092624.0741d3d0@imap.ecs.soton.ac.uk>

No. The spam detection is done before the virus detection.
That way you can avoid the extra work of scanning spam messages you are
deleting anyway.

At 00:31 30/01/2004, you wrote:
>Is there a way to configure MailScanner to skip the spam scan for emails
>that have been found to contain a virus?
>I tag my subject lines for both
>positives and some users find this confusing. I also have different
>notification settings for the two types of "badmail" and I don't want them
>mixing.
>
>-Ed

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:12:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: Delete incoming virus warnings
In-Reply-To: <6.0.0.22.0.20040129131834.025afa60@xanadu.evi-inc.com>
References: <6.0.0.22.0.20040129131834.025afa60@xanadu.evi-inc.com>
Message-ID: <6.0.1.1.2.20040130091141.07336528@imap.ecs.soton.ac.uk>

At 18:24 29/01/2004, you wrote:
>At 12:40 PM 1/29/2004, you wrote:
>>Thanks for the quick reply.
>>Is there anything I can do within the version I am currently running?
>>Unfortunately with this bloody virus going around now, I can't afford to take
>>down MailScanner.
>>thanks
>
>scratches head and tries to remember back to MailScanner 3.5...
>
>Does 3.5 have the "Silent Viruses" and "Still Deliver Silent Viruses"
>options, or are those 4.x generation stuff?

I *think* they are 4.x features, but I'm not sure.

>If you don't have at least the Silent Viruses option, do yourself and
>everyone else a favor and upgrade ASAP or take your mailserver completely
>offline until you can get a version of MS that doesn't respond to
>viruses in a broken manner.
>
>I know the "All-Viruses" option for Silent Viruses is fairly new... But if
>you at least have Silent Viruses, you can add mydoom, sco.a or whatever
>your scanner calls it to the Silent Viruses list, and then set:
>
>Still Deliver Silent Viruses = no
>
>Which should prevent it from sending notices about the virus to anyone but
>the postmaster.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:31:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: Reliable spam/nospam bayes learner?
In-Reply-To: <401A1175.7070207@glendown.de>
References: <401A1175.7070207@glendown.de>
Message-ID: <6.0.1.1.2.20040130093054.073f5008@imap.ecs.soton.ac.uk>

I have posted my scripts to do this to this list a few times now. Try
searching for posts from me which include "notspam".

At 08:10 30/01/2004, you wrote:
>Hi,
>
>maybe I'm missing seeing the link, but I was looking for a script that I
>can set up so users can forward false positives/negatives to so that
>they will be learned by SA as spam or ham ... also, as it will be hard
>enough to teach people to forward correctly, it has to learn from a
>forwarded, not bounced, mail ... that is, ignore the information added
>by the mail client and just look at the original mail (as far as
>information is still available, like headers, etc.)
>
>Help appreciated,
>
>-garry

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:10:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: ANNOUNCE: Beta 4.26.6 released
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AF@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4AF@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040130091024.07336150@imap.ecs.soton.ac.uk>

Fortunately a harmless error, but fixed now.

At 17:54 29/01/2004, you wrote:
>OK, the warning happens once for every rule in my rules files.
>
>A slight bug in Config.pm, methinks.
>
>Phil
>
>---------------------------------------------
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Randal, Phil
> > Sent: 29 January 2004 16:46
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: ANNOUNCE: Beta 4.26.6 released
> >
> >
> > OK, what have I done?
> >
> > After installing 4.26.6 I get:
> >
> > Jan 29 16:44:21 gateway MailScanner[11725]: Invalid rule of
> > type , rule is
> > ""
> > Jan 29 16:44:21 gateway last message repeated 19 times
> >
> > Any clues?
> >
> > Phil
> >
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:22:43 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: give virus high spam score
In-Reply-To: <6.0.0.22.2.20040129121240.01ed1e50@pop.mail.yahoo.com>
References: <6.0.0.22.2.20040121134921.01cdc498@pop.mail.yahoo.com>
 <6.0.1.1.2.20040121215713.040fbad8@imap.ecs.soton.ac.uk>
 <6.0.0.22.2.20040129121240.01ed1e50@pop.mail.yahoo.com>
Message-ID: <6.0.1.1.2.20040130092239.03adbde8@imap.ecs.soton.ac.uk>

No.

At 20:14 29/01/2004, you wrote:
>Is there a way to increase the spam score by, say, 50 points if specific
>viruses are found in the message?
>
>hermit921

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wilsmann at ADVANTIC.DE Fri Jan 30 09:41:22 2004
From: wilsmann at ADVANTIC.DE (Wilsmann, Dennis)
Date: Thu Jan 12 21:22:12 2006
Subject: Rights or whatever Problem, any Idea?!
Message-ID: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>

Hello, please help. I still get the following log entries:

"Jan 30 10:34:54 p15112534 MailScanner[23688]: Could not read directory
/var/spool/MailScanner/incoming
Jan 30 10:34:54 p15112534 MailScanner[23688]: Error in configuration file
line 109, directory /var/spool/MailScanner/incoming for incomingworkdir does
not exist (or is not readable)"

But the directories exist and have the correct rights:

"/var/spool/MailScanner
drwxr-xr-x 13 root root 4096 Jan 29 17:05 ..
drwxr-xr-x 2 postfix postfix 4096 Jan 29 17:12 incoming
drwxr-xr-x 2 postfix postfix 4096 Aug 27 16:12 quarantine
drwxr-xr-x 2 postfix postfix 4096 Jan 28 16:03 spamassassin"


Thank YOU!!!!

Greets Dennis
------------------------------------------------------------------------------

More than 230 installations in 13 federal states guarantee
you investment security and success on a broad basis.

iKISS - the complete solution for the Internet, intranet and extranet
of public administrations and associations.

------------------------------------------------------------------------------

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 30 09:51:17 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:12 2006
Subject: Skip scan for viruses
In-Reply-To: <6.0.1.1.2.20040130092624.0741d3d0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040130092624.0741d3d0@imap.ecs.soton.ac.uk>
Message-ID: <401A2915.1030606@solid-state-logic.com>

Julian

Our policy is to deliver spam and not viruses. This is so any FPs on the
spam checks are still delivered, but any virus infected emails are not
under any circumstances.

May I suggest a flag that sets what to do first, virus or spam checks.
That way if you deliver spam, but not viruses you don't waste CPU spam
checking viral email?

Not a big deal for us as the machine is well capable of handling the load,
but anything that can help make MS more efficient would be helpful to many
people.

Keep up the good work...and have fun at the UKUUG winter conference.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Julian Field wrote:
> No. The spam detection is done before the virus detection.
> That way you can avoid the extra work of scanning spam messages you are
> deleting anyway.
>
> At 00:31 30/01/2004, you wrote:
>
>> Is there a way to configure MailScanner to skip the spam scan for emails
>> that have been found to contain a virus? I tag my subject lines for both
>> positives and some users find this confusing. I also have different
>> notification settings for the two types of "badmail" and I don't want
>> them mixing.
>>
>> -Ed
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From neilrobst at ALM.ORG.UK Fri Jan 30 09:52:11 2004
From: neilrobst at ALM.ORG.UK (Neil Robst)
Date: Thu Jan 12 21:22:12 2006
Subject: mailling list subject tag
In-Reply-To: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS>
Message-ID: <1075456331.9785.12.camel@localhost.localdomain>

Hi Julian et al,

Would it be possible to set up the mailing list software that manages
this list to tag the subject of each mail with [MailScanner] or
something similar please so I can see at a glance which mails are from
this list...?

Regards,
Neil

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:49:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: Rights or whatever Problem, any Idea?!
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
Message-ID: <6.0.1.1.2.20040130094940.07a91008@imap.ecs.soton.ac.uk>

Do you have

Run As User = postfix
Run As Group = postfix

?

At 09:41 30/01/2004, you wrote:
>Hello, please help. I still get the following log entries:
>
>"Jan 30 10:34:54 p15112534 MailScanner[23688]: Could not read directory
>/var/spool/MailScanner/incoming
>Jan 30 10:34:54 p15112534 MailScanner[23688]: Error in configuration file
>line 109, directory /var/spool/MailScanner/incoming for incomingworkdir does
>not exist (or is not readable)"
>
>But the directories exist and have the correct rights:
>
>"/var/spool/MailScanner
>drwxr-xr-x 13 root root 4096 Jan 29 17:05 ..
>drwxr-xr-x 2 postfix postfix 4096 Jan 29 17:12 incoming
>drwxr-xr-x 2 postfix postfix 4096 Aug 27 16:12 quarantine
>drwxr-xr-x 2 postfix postfix 4096 Jan 28 16:03 spamassassin"
>
>
>Thank YOU!!!!
>
>Greets Dennis

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wilsmann at ADVANTIC.DE Fri Jan 30 09:56:44 2004
From: wilsmann at ADVANTIC.DE (Wilsmann, Dennis)
Date: Thu Jan 12 21:22:12 2006
Subject: AW: Rights or whatever Problem, any Idea?!
Message-ID: <5AF7F4D7005B5A46A54B55892011D094407DA3@pc.hl.advantic.de>

Yup, it is running as postfix ... so that's not the prob. I also looked via
ps what user it's running as when it's running.

Perfectly all right... Mhhh

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
Sent: Friday, 30 January 2004 10:54
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Rights or whatever Problem, any Idea?!

Wilsmann, Dennis wrote:
> Hello, please help. I still get the following log entries:
>
> "Jan 30 10:34:54 p15112534 MailScanner[23688]: Could not read directory
> /var/spool/MailScanner/incoming
> Jan 30 10:34:54 p15112534 MailScanner[23688]: Error in configuration file
> line 109, directory /var/spool/MailScanner/incoming for incomingworkdir does
> not exist (or is not readable)"
>
> But the directories exist and have the correct rights:
>
> "/var/spool/MailScanner
> drwxr-xr-x 13 root root 4096 Jan 29 17:05 ..
> drwxr-xr-x 2 postfix postfix 4096 Jan 29 17:12 incoming
> drwxr-xr-x 2 postfix postfix 4096 Aug 27 16:12 quarantine
> drwxr-xr-x 2 postfix postfix 4096 Jan 28 16:03 spamassassin"
>
>
> Thank YOU!!!!
>
> Greets Dennis

Dennis

what user are you running MailScanner as?

In MailScanner.conf the following should be set (in your case)..

Run As User = postfix
Run As Group = postfix

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mailscanner at ecs.soton.ac.uk Fri Jan 30 09:55:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: mailling list subject tag
In-Reply-To: <1075456331.9785.12.camel@localhost.localdomain>
References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS>
 <1075456331.9785.12.camel@localhost.localdomain>
Message-ID: <6.0.1.1.2.20040130095530.078d72f8@imap.ecs.soton.ac.uk>

You can do this per-user yourself at www.jiscmail.ac.uk/lists/mailscanner.html

At 09:52 30/01/2004, you wrote:
>Hi Julian et al,
>
>Would it be possible to set up the mailing list software that manages
>this list to tag the subject of each mail with [MailScanner] or
>something similar please so I can see at a glance which mails are from
>this list...?
>
>Regards,
>Neil

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Fri Jan 30 09:54:15 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:12 2006
Subject: Rights or whatever Problem, any Idea?!
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
Message-ID: <401A29C7.8020909@solid-state-logic.com>

Wilsmann, Dennis wrote:
> Hello, please help. I still get the following log entries:
>
> "Jan 30 10:34:54 p15112534 MailScanner[23688]: Could not read directory
> /var/spool/MailScanner/incoming
> Jan 30 10:34:54 p15112534 MailScanner[23688]: Error in configuration file
> line 109, directory /var/spool/MailScanner/incoming for incomingworkdir does
> not exist (or is not readable)"
>
> But the directories exist and have the correct rights:
>
> "/var/spool/MailScanner
> drwxr-xr-x 13 root root 4096 Jan 29 17:05 ..
> drwxr-xr-x 2 postfix postfix 4096 Jan 29 17:12 incoming
> drwxr-xr-x 2 postfix postfix 4096 Aug 27 16:12 quarantine
> drwxr-xr-x 2 postfix postfix 4096 Jan 28 16:03 spamassassin"
>
>
> Thank YOU!!!!
>
> Greets Dennis

Dennis

what user are you running MailScanner as?

In MailScanner.conf the following should be set (in your case)..

Run As User = postfix
Run As Group = postfix

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From P.G.M.Peters at utwente.nl Fri Jan 30 10:09:15 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
In-Reply-To: <1075401473.7581.7.camel@bach.kevinspicer.co.uk>
References: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>
 <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com>
 <1075401473.7581.7.camel@bach.kevinspicer.co.uk>
Message-ID: <17bk10p2jivt3c6io9cbi1g8k2nvboou0v@4ax.com>

On Thu, 29 Jan 2004 18:37:47 +0000, you wrote:

>On Thu, 2004-01-29 at 18:17, hermit921 wrote:
>> I read that SPF (Sender Permitted From) is being incorporated into
>> spamassassin 2.70. Since the idea is to not accept (reject after HELO
>> step) any message that fails the SPF test, I conclude SPF can't be used by
>> MailScanner. It can be implemented in postfix, exim, sendmail, etc before
>> MailScanner sees the message. Is this a correct summary?
>>
>SPF is just another means to help determine the likelihood of a message
>being spam or not. It is true that many sites may eventually want to
>use this to block mail, however this is not the only way to use it.
>SpamAssassin is likely to use it like they use rbls, as a trigger for a
>score. So you certainly could use it with SA through MailScanner,
>although this would not block the mail during the SMTP transaction (but
>this is the same decision you take if you use RBLs in SA or MS rather
>than your MTA.
>
>That said, if SPF gains widespread acceptance (AOL is testing at the
>moment I think, which is a good sign) and proves to be workable then
>using it at the MTA level may be considerably more effective than using
>RBL's in the MTA, with a much lower incidence of false positives (which
>will invariably be caused by bad system administration of the senders
>domain).

Just read a good piece in NANAE about reasons why SPF is not going to
work. At least for a whole lot of people and (small) businesses.

Eventually you would have to include all IP-addresses in the list from
where your domain can be used to send e-mail. Or restrict the use (and
ease) of e-mail.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Jan 30 10:12:02 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
In-Reply-To: <17bk10p2jivt3c6io9cbi1g8k2nvboou0v@4ax.com>
References: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>
 <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com>
 <1075401473.7581.7.camel@bach.kevinspicer.co.uk>
 <17bk10p2jivt3c6io9cbi1g8k2nvboou0v@4ax.com>
Message-ID: <6.0.1.1.2.20040130101002.06f39460@imap.ecs.soton.ac.uk>

At 10:09 30/01/2004, you wrote:
>On Thu, 29 Jan 2004 18:37:47 +0000, you wrote:
>
> >On Thu, 2004-01-29 at 18:17, hermit921 wrote:
> >> I read that SPF (Sender Permitted From) is being incorporated into
> >> spamassassin 2.70. Since the idea is to not accept (reject after HELO
> >> step) any message that fails the SPF test, I conclude SPF can't be used by
> >> MailScanner. It can be implemented in postfix, exim, sendmail, etc before
> >> MailScanner sees the message. Is this a correct summary?
> >>
> >SPF is just another means to help determine the likelihood of a message
> >being spam or not. It is true that many sites may eventually want to
> >use this to block mail, however this is not the only way to use it.
> >SpamAssassin is likely to use it like they use rbls, as a trigger for a
> >score. So you certainly could use it with SA through MailScanner,
> >although this would not block the mail during the SMTP transaction (but
> >this is the same decision you take if you use RBLs in SA or MS rather
> >than your MTA.
> >
> >That said, if SPF gains widespread acceptance (AOL is testing at the
> >moment I think, which is a good sign) and proves to be workable then
> >using it at the MTA level may be considerably more effective than using
> >RBL's in the MTA, with a much lower incidence of false positives (which
> >will invariably be caused by bad system administration of the senders
> >domain).
>
>Just read a good piece in NANAE about reasons why SPF is not going to
>work. At least for a whole lot of people and (small) businesses.
>
>Eventually you would have to include all IP-addresses in the list from
>where your domain can be used to send e-mail. Or restrict the use (and
>ease) of e-mail.

I have yet to see a solution to the problem that actually will work in real
life. SPF requires me to keep track of all the IP addresses of every
outgoing-mail-server used by BTInternet, for example. They change their
setup (for maintenance or whatever) and all of a sudden all my mail is
rejected. Yeah, great idea :-(

People need to think a whole lot harder about solutions to this, SPF ain't it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Fri Jan 30 10:16:19 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
In-Reply-To: <17bk10p2jivt3c6io9cbi1g8k2nvboou0v@4ax.com>
References: <200401291812.i0TIC0wQ009831@avwall.bladeware.com>
 <6.0.0.22.2.20040129101356.01e9d5e8@pop.mail.yahoo.com>
 <1075401473.7581.7.camel@bach.kevinspicer.co.uk>
 <17bk10p2jivt3c6io9cbi1g8k2nvboou0v@4ax.com>
Message-ID: <401A2EF3.20500@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Peter Peters wrote:
>
> Just read a good piece in NANAE about reasons why SPF is not going to
> work. At least for a whole lot of people and (small) businesses.
>
> Eventually you would have to include all IP-addresses in the list from
> where your domain can be used to send e-mail. Or restrict the use (and
> ease) of e-mail.
>

I can only concur.

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAGi7zPMoaMn4kKR4RA1fuAJ9ZWoOUoSnAIR4Re2SH9GdciGBT1gCdFmXN
rZGD17UrM3fPcJlhpfzS5rs=
=SJks
-----END PGP SIGNATURE-----

From Kevin.Spicer at BMRB.CO.UK Fri Jan 30 10:36:20 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE8D@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> At 10:09 30/01/2004, you wrote:
>> Just read a good piece in NANAE about reasons why SPF is not going
>> to work. At least for a whole lot of people and (small) businesses.
>>
>> Eventually you would have to include all IP-addresses in the list
>> from where your domain can be used to send e-mail. Or restrict the
>> use (and ease) of e-mail.

I think that's the crux of the matter. But it's a point of view as to
whether that is a problem caused by SPF, or one of the causes of the
current problems with forged senders that needs to be addressed.

There is a page addressing common objections to SPF on their site
http://spf.pobox.com/objections.html

> I have yet to see a solution to the problem that actually will work
> in real life. SPF requires me to keep track of all the IP addresses
> of every outgoing-mail-server used by BTInternet, for example. They
> change their setup (for maintenance or whatever) and all of a sudden
> all my mail is rejected. Yeah, great idea :-(

Having read (some) of the detail of SPF that seems a relatively
straightforward problem and is already addressed in the specification.
Assuming that BTinternet were to publish spf records for their domains you
can simply set an 'include' directive to use their spf records for your
domain.

I'm not saying that SPF is the answer, but that it does seem to be gaining
some momentum and may be useful in some cases if not all. Even if it
isn't universally accepted it will still be useful to help detect forged
senders from some domains - even if this only means we increase the
SpamAssassin score for those mails.

Of course what we really need is a properly designed, secure, mail system
(i.e. scrap SMTP) - but the barriers to this get higher every day so we may
have to wait until hell freezes over AND universal adoption of IPv6!


BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From david at PLATFORMHOSTING.COM Fri Jan 30 10:41:40 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE8D@pascal.priv.bmrb.co.uk>
Message-ID: <001901c3e71d$a64e19f0$0b00a8c0@djh01>

> -----Original Message-----
> Even if it
> isn't universally accepted it will still be useful to help detect forged
> senders from some domains - even if this only means we increase the
> SpamAssassin score for those mails.

Which in reality is probably the most rational way of implementing SPF
checks. The real issue is going to be that without universal adoption of
it, spammers will just migrate from large well known (SPF implemented)
domains into smaller lesser known ones - something which is already
happening anyway.

Regards,

David Hooton

========================================================================
 Pain free spam & virus protection by: www.mailsecurity.net.au
 Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 10:45:55 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: Clamav signature generation
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B2@jessica.herefordshire.gov.uk>

The trouble with these timings is that there is no way to automate the
collection of (say) McAfee's extra.dats (I've discussed this at length with
NAI support), so we have to go by the times updated DAT files are released
for general consumption and can be picked up "robotically".

Here, in England, ClamAv updated its patterns at 2300GMT, detected first
MyDoom at 0020GMT the next day. McAfee's 4319 patterns were picked up at
0500GMT, 6 hours after the ClamAV update.

Furthermore, there was a variant of MyDoom.A which ClamAv picked up here at
around 1430GMT on Wednesday, but McAfee's 4319 DATs didn't. I submitted it
to McAfee Avert and it was fixed for the 4320 DAT files (I received
confirmation from Avert and the extra.dat file by email this morning, they
must have been flooded with samples), which came out 5 hours after we'd
detected it with ClamAV.

Similarly, ClamAV picked up a copy of Mimail.s here yesterday afternoon,
McAfee's 4321 DAT files were available some 5 hours later.

I hope this puts things into perspective.
Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Tony Johansson > Sent: 29 January 2004 18:38 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Clamav signature generation > > > These are the times when antivirus companies had a virus > definition for > Mydoom.A: > (I don't know how accurate they are, I got them from a source > at F-Secure) > > McAfee (BETA) 2004-01-26, 22:20 > F-Secure (BETA) 2004-01-26, 22:36 > Symantec (BETA) 2004-01-26, 23:00 > F-Secure 2004-01-26, 23:09 > F-Prot 2004-01-26, 23:30 > Trend Micro 2004-01-26, 23:35 > Norman 2004-01-27, 00:05 > Kaspersky 2004-01-27, 00:30 > > At our site, Clamav found the first Mydoom.A at 2004-01-26 > 22:02, this time > beating all the above commercial scanners. Clamav obviously > did great this > time, but on other occasions they have been far behind. > > Is there a way to redirect a file that's been flagged as a > virus by one or > more scanners but not by clamav? It could be put in a special > quarantine or > submitted automatically to http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi > > > Clamav would have the power of all scanners supported by MailScanner, > possibly never being beaten by more than one or two commercial > scanners... > > One could argue that there's a moral dilemma here, using the > output from one > scanner to benefit another but I've seen nothing prohibiting > this in the > license agreements I've read.
> > regards, Tony > From neilrobst at ALM.ORG.UK Fri Jan 30 10:46:13 2004 From: neilrobst at ALM.ORG.UK (Neil Robst) Date: Thu Jan 12 21:22:12 2006 Subject: mailling list subject tag In-Reply-To: <6.0.1.1.2.20040130095530.078d72f8@imap.ecs.soton.ac.uk> References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> <1075456331.9785.12.camel@localhost.localdomain> <6.0.1.1.2.20040130095530.078d72f8@imap.ecs.soton.ac.uk> Message-ID: <1075459572.9785.19.camel@localhost.localdomain> Thanks, Julian - guess I should have realised this! Regards, Neil On Fri, 2004-01-30 at 09:55, Julian Field wrote: > You can do this per-user yourself at www.jiscmail.ac.uk/lists/mailscanner.html > > At 09:52 30/01/2004, you wrote: > >Hi Julian et al, > > > >Would it be possible to setup the mailing list software that manages > >this list to tag the subject of each mail with [MailScanner] or > >something similar please so I can see at a glance which mails are from > >this list...? > > > >Regards, > >Neil > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 10:49:06 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B3@jessica.herefordshire.gov.uk> It really should be the other way round. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 30 January 2004 09:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > No. The spam detection is done before the virus detection. > That way you can avoid the extra work of scanning spam > messages you are > deleting anyway.
> > At 00:31 30/01/2004, you wrote: > >Is there a way to configure MailScanner to skip the spam > scan for emails > >that have been found to contain a virus? I tag my subject > lines for both > >positives and some users find this confusing. I also have different > >notification settings for the two types of "badmail" and I > don't want them > >mixing. > > > >-Ed > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 10:51:15 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B4@jessica.herefordshire.gov.uk> I think it is absolutely essential, for security reasons, to identify all virus-infected emails, spam or not. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: 30 January 2004 09:51 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > Julian > > Our policy is to deliver spam and not viruses. This is so any FP's on > the spam checks are still delivered, but any virus infected emails are > not under any circumstances. > > May I suggest a flag that sets what to do first, virus or spam checks. > That way if you deliver spam, but not viruses you don't waste CPU spam > checking viral email? > > Not big deal for us as the machine is well capable of > handling the load, > but anything can help make MS more efficient would be helpful to many > people. > > Keep up the good work...and have fun at the UKUUG winter conference. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Julian Field wrote: > > No.
The spam detection is done before the virus detection. > > That way you can avoid the extra work of scanning spam > messages you are > > deleting anyway. > > > > At 00:31 30/01/2004, you wrote: > > > >> Is there a way to configure MailScanner to skip the spam > scan for emails > >> that have been found to contain a virus? I tag my subject > lines for both > >> positives and some users find this confusing. I also have > different > >> notification settings for the two types of "badmail" and I > don't want > >> them > >> mixing. > >> > >> -Ed > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From dh at UPTIME.AT Fri Jan 30 10:52:42 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B3@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B3@jessica.herefordshire.gov.uk> Message-ID: <401A377A.9080601@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Randal, Phil wrote: > It really should be the other way round. > I have to agree in this case, for a very simple reason. I had to battle with a system which obviously had a CPU too little for the amount of Spam/Virus scanning it had to do. 
So I turned off the Spam Checks until the new hardware arrived and that made a substantial change. So it seems to me that SpamAssassin and its spam checks is more of a CPU hog than the whole virus scanning process. My thought would be if a Virus is dropped before the Spam Scanning can even pick it up, that would mean less work to the CPU, thus less resources are consumed or am I making a mistake? - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAGjd6PMoaMn4kKR4RA1JRAJ4wzmf+962BCPSrMO7FeUDGBrQu0gCdFe78 CHQIMOrhfvLjlqBD9Y78lGY= =5TWi -----END PGP SIGNATURE----- From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 10:52:46 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: ANNOUNCE: Beta 4.26.6 released Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B5@jessica.herefordshire.gov.uk> It's a minor bug in Config.pm. All the rules still work. As an aside, my load average seems to have dropped a bit with this version. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Stein, Mr. Fred > Sent: 29 January 2004 19:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I get the error isw > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > rule of type > , rule is "" > Jan 29 14:24:46 butters last message repeated 709 times > RH9 > Spamassassin 2.63 > Any ideas? > > Fred Stein > Network Administrator > The Hill School > 717 High Street > Pottstown, PA 19464 > 610-326-1000 ext.
7356 > fstein@thehill.org > www.thehill.org > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Julian Field > Sent: Thursday, January 29, 2004 10:25 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: Beta 4.26.6 released > > Hi folks, > > I have just posted 4.26.6 on the website for you all. Download from > www.mailscanner.info as usual. > > This is intended as a final testing release before 4.26 goes stable, > which > will hopefully be this weekend. If you could test it out and > let me know > of > any problems as soon as possible, I will get them fixed. > > Thanks folks! > > Changes this time are: > > * New Features and Improvements * > - Improved configuration engine so that rules can now contain 2 tests > separated by "and". > - Added "notify" Spam Action and High Scoring Spam Action. This will > cause a > short text notification message to be sent to the recipients of the > spam > message. The filename of the report is set with the "Recipient Spam > Report" > configuration setting. There is also an MCP equivalent of this > functionality. See the MCP documentation for details of > the settings. > - Removed the "bounce" spam action. > - Added regular rebuild of Bayes database. Has 2 options > associated with > it > which I haven't included in the conf file yet. > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > options to > configure the operation of the regular Bayes database rebuilds. > - Added commented "bayes_auto_expire 0" line to > spam.assassin.prefs.conf > as > you will want to uncomment this line if you are using the regular > scheduled > Bayes database expiry feature given above. > - Added "Minimum Stars If On Spam List" setting so that > people who just > filter > on the "Spam Stars" can catch messages which only trigger the "Spam > List" > trap. 
> - Added "Log Non Spam" option to allow logging of all non-spam, which > can be > coerced into logging SpamAssassin scores of non-spam mail. > - Added support for Norman virus scanner (www.norman.de). > - Added logging of ids of dropped silent viruses. > - Added "Too Many Attachments" error report in a message > instead of old > report saying it could not analyse the message. > - No longer stops or restarts after RPM upgrade. > - Added MCP patches for SpamAssassin 2.61 and 2.63. > - Added 'SpamAssassin Site Rules Dir' setting to locate > /etc/mail/spamassassin. > - Spanish translations of languages.conf updated from Debian > translators. > - Added Catalan translation of all report files. > - Added bogusmx list to supplied spam.lists.conf. > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > - Changed the version number scheme from major.minor-teeny to > major.minor.teeny. > - Forced owner to be root.root in both RPM spec files, so can be > re-built by > non-root users. > - Added my Amazon.co.uk "wish list" to the donations page. > - Detailed spam report now includes auto-learn status if it was > auto-learnt. > > * Fixes * > - Fixed creation of MCP quarantine directory bug. > - Fix to Postfix message duplication problems. Must find "end of > message" > record now. > - Fix to duplicate recipient listing in postmaster notices. > - Fixed bug so filename/filetype rules configuration setting can be > blank. > - Exim per-message log files are deleted correctly now. > - Fixed recipient duplication problems in sender messages and other > reports. > - Fixed bug where extra ": " appears in VirusWarning.txt when > MailScanner's > own checks find multiple problems with 1 attachment. > - Fixed bug where _SCORE_ in subject line modifications is never more > than 60. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From david at PLATFORMHOSTING.COM Fri Jan 30 11:04:56 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses In-Reply-To: <401A377A.9080601@uptime.at> Message-ID: <001a01c3e720$e67d0ab0$0b00a8c0@djh01> > So it seems to me that SpamAssassin and its spam checks is more of a CPU > hog than the whole virus scanning process. Depending on your configuration, but here it is... > My thought would be > > if a Virus is dropped before the Spam Scanning can even pick it up, that > would mean less work to the CPU, thus less resources are consumed or am > I making a mistake? This is a very dynamic situation, a little while ago it was suggested that the order be configurable. I forget where that thread ended, but in situations like we've had this week it certainly would be nice to be able to reverse the process to virus scan first. _however_ we also have weeks when spam traffic is very significantly higher than virus traffic in which case obviously it would be good to have the other way around. I would really love to see an option for this, it's been asked for before, unless there is a serious security implication or it already exists! Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:12:53 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> No, spam can't directly compromise your PC, viruses can.
As it stands it is a gaping security hole in MailScanner. Hypothetical example: User phones, and says "your flipping anti-spam gizmo has blocked an email which isn't spam, can you release it?". You look at the logs, see that Mailscanner doesn't think it's a virus and release it from quarantine. BOOM! Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of David Hooton > Sent: 30 January 2004 11:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > > So it seems to me that SpamAssassin and its spam checks is > more of a CPU > > hog than the whole virus scanning process. > > Depending on your configuration, but here it is... > > > My thought would be > > > > if a Virus is dropped before the Spam Scanning can even > pick it up, that > > would mean less work to the CPU, thus less resources are > consumed or am > > I making a mistake? > > This is a very dynamic situation, a little while ago it was > suggested that > the order be configurable. I forget where that thread ended, but in > situations like we've had this week it certainly would be > nice to be able to > reverse the process to virus scan first. _however_ we also > have weeks when > spam traffic is very significantly higher than virus traffic > in which case > obviously it would be good to have the other way around. > > I would really love to see an option for this, it's been > asked for before, > unless there is a serious security implication or it already exists!
> > Regards, > > David Hooton > > > ============================================================== > ========== > Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 30 11:18:35 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:12 2006 Subject: ANNOUNCE: Beta 4.26.6 released In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B5@jessica.herefordshire.gov.uk> Message-ID: We noticed the same error. Regarding load - one server's load has almost disappeared as a result of upgrading: -MS to latest beta -SA to latest -DCC to latest Prior to the upgrade an MS process had been hugging resources almost constantly for the previous 24 hours Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 30 January 2004 10:53 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > It's a minor bug in Config.pm. All the rules still work. > > As an aside, my load average seems to have dropped a bit with > this version. > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Stein, Mr. 
Fred > > Sent: 29 January 2004 19:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I get the error isw > > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > > rule of type > > , rule is "" > > Jan 29 14:24:46 butters last message repeated 709 times > > RH9 > > Spamassassin 2.63 > > Any ideas? > > > > Fred Stein > > Network Administrator > > The Hill School > > 717 High Street > > Pottstown, PA 19464 > > 610-326-1000 ext. 7356 > > fstein@thehill.org > > www.thehill.org > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Julian Field > > Sent: Thursday, January 29, 2004 10:25 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: ANNOUNCE: Beta 4.26.6 released > > > > Hi folks, > > > > I have just posted 4.26.6 on the website for you all. Download from > > www.mailscanner.info as usual. > > > > This is intended as a final testing release before 4.26 goes stable, > > which > > will hopefully be this weekend. If you could test it out and > > let me know > > of > > any problems as soon as possible, I will get them fixed. > > > > Thanks folks! > > > > Changes this time are: > > > > * New Features and Improvements * > > - Improved configuration engine so that rules can now contain 2 tests > > separated by "and". > > - Added "notify" Spam Action and High Scoring Spam Action. This will > > cause a > > short text notification message to be sent to the recipients of the > > spam > > message. The filename of the report is set with the "Recipient Spam > > Report" > > configuration setting. There is also an MCP equivalent of this > > functionality. See the MCP documentation for details of > > the settings. > > - Removed the "bounce" spam action. > > - Added regular rebuild of Bayes database. Has 2 options > > associated with > > it > > which I haven't included in the conf file yet. 
> > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > > options to > > configure the operation of the regular Bayes database rebuilds. > > - Added commented "bayes_auto_expire 0" line to > > spam.assassin.prefs.conf > > as > > you will want to uncomment this line if you are using the regular > > scheduled > > Bayes database expiry feature given above. > > - Added "Minimum Stars If On Spam List" setting so that > > people who just > > filter > > on the "Spam Stars" can catch messages which only trigger the "Spam > > List" > > trap. > > - Added "Log Non Spam" option to allow logging of all non-spam, which > > can be > > coerced into logging SpamAssassin scores of non-spam mail. > > - Added support for Norman virus scanner (www.norman.de). > > - Added logging of ids of dropped silent viruses. > > - Added "Too Many Attachments" error report in a message > > instead of old > > report saying it could not analyse the message. > > - No longer stops or restarts after RPM upgrade. > > - Added MCP patches for SpamAssassin 2.61 and 2.63. > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > /etc/mail/spamassassin. > > - Spanish translations of languages.conf updated from Debian > > translators. > > - Added Catalan translation of all report files. > > - Added bogusmx list to supplied spam.lists.conf. > > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > > - Changed the version number scheme from major.minor-teeny to > > major.minor.teeny. > > - Forced owner to be root.root in both RPM spec files, so can be > > re-built by > > non-root users. > > - Added my Amazon.co.uk "wish list" to the donations page. > > - Detailed spam report now includes auto-learn status if it was > > auto-learnt. > > > > * Fixes * > > - Fixed creation of MCP quarantine directory bug. > > - Fix to Postfix message duplication problems. Must find "end of > > message" > > record now. > > - Fix to duplicate recipient listing in postmaster notices. 
> > - Fixed bug so filename/filetype rules configuration setting can be > > blank. > > - Exim per-message log files are deleted correctly now. > > - Fixed recipient duplication problems in sender messages and other > > reports. > > - Fixed bug where extra ": " appears in VirusWarning.txt when > > MailScanner's > > own checks find multiple problems with 1 attachment. > > - Fixed bug where _SCORE_ in subject line modifications is never more > > than 60. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > From dh at UPTIME.AT Fri Jan 30 11:20:16 2004 From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> Message-ID: <401A3DF0.7010602@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Randal, Phil wrote: > No, spam can't directly compromise your PC, viruses can. > > As it stands it is a gaping security hole in MailScanner. > > Hypothetical example: User phones, and says "your flipping anti-spam gizmo > has blocked an email which isn't spam, can you release it?". You look at > the logs, see that Mailscanner doesn't think it's a virus and release it > from quarantine. BOOM! > Actually I would call that a perfect case of "idiot operator". a) _never_ trust a software solution completely b) Since it is known that a possible Virus _could_ be quarantined, scan it before you release it c) In a Company environment, Mailscanner yes or no, each computer should run on-Demand Virus scanning.
But then again, that is my personal opinion - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQFAGj3zPMoaMn4kKR4RA4A+AJ0e6tB/8FAvK9Ldn4h0vU4k3R4ZrgCfWG1Y So6viEwvsr3BcxEsxtaSFxY= =vPAp -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Fri Jan 30 11:23:22 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040130111949.078cd698@imap.ecs.soton.ac.uk> At 11:12 30/01/2004, you wrote: >No, spam can't directly compromise your PC, viruses can. > >As it stands it is a gaping security hole in MailScanner. That's a bit strong.... >Hypothetical example: User phones, and says "your flipping anti-spam gizmo >has blocked an email which isn't spam, can you release it?". You look at >the logs, see that Mailscanner doesn't think it's a virus and release it >from quarantine. BOOM! "MailScanner doesn't think it's a virus" is not the same as "MailScanner doesn't know if it is a virus or not" which is what is actually happening here. I need to take a look at this problem again. It would be nice to be able to switch the evaluation order. It's not a trivial problem (I delay setting up expensive data structures until the last moment so as not to waste CPU doing it for messages which might get trashed anyway). Let me have a think. I'll get back to you.
>Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of David Hooton > > Sent: 30 January 2004 11:05 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Skip scan for viruses > > > > > > > So it seems to me that SpamAssassin and its spam checks is > > more of a CPU > > > hog than the whole virus scanning process. > > > > Depending on your configuration, but here it is... > > > > > My thought would be > > > > > > if a Virus is dropped before the Spam Scanning can even > > pick it up, that > > > would mean less work to the CPU, thus less resources are > > consumed or am > > > I making a mistake? > > > > This is a very dynamic situation, a little while ago it was > > suggested that > > the order be configurable. I forget where that thread ended, but in > > situations like we've had this week it certainly would be > > nice to be able to > > reverse the process to virus scan first. _however_ we also > > have weeks when > > spam traffic is very significantly higher than virus traffic > > in which case > > obviously it would be good to have the other way around. > > > > I would really love to see an option for this, it's been > > asked for before, > > unless there is a serious security implication or it already exists!
> > > > Regards, > > > > David Hooton > > > > > > ============================================================== > > ========== > > Pain free spam & virus protection by: >www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au >======================================================================== -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Jan 30 11:24:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:12 2006 Subject: ANNOUNCE: Beta 4.26.6 released In-Reply-To: References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B5@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040130112350.078a26f0@imap.ecs.soton.ac.uk> Please do check that it is still catching everything it should be! At 11:18 30/01/2004, you wrote: >We noticed the same error. Regarding load - one server's load has almost >disappeared as a result of upgrading: >-MS to latest beta >-SA to latest >-DCC to latest >Prior to the upgrade an MS process had been hugging resources almost >constantly for the previous 24 hours > > >Mr. Michele Neylon >Blacknight Internet Solutions Ltd >http://www.blacknightsolutions.ie/ >http://www.search.ie/ >Tel. + 353 (0)59 9137101 >Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Randal, Phil > > Sent: 30 January 2004 10:53 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > It's a minor bug in Config.pm. All the rules still work. > > > > As an aside, my load average seems to have dropped a bit with > > this version. 
> > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Stein, Mr. Fred > > > Sent: 29 January 2004 19:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I get the error isw > > > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > > > rule of type > > > , rule is "" > > > Jan 29 14:24:46 butters last message repeated 709 times > > > RH9 > > > Spamassassin 2.63 > > > Any ideas? > > > > > > Fred Stein > > > Network Administrator > > > The Hill School > > > 717 High Street > > > Pottstown, PA 19464 > > > 610-326-1000 ext. 7356 > > > fstein@thehill.org > > > www.thehill.org > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Julian Field > > > Sent: Thursday, January 29, 2004 10:25 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: ANNOUNCE: Beta 4.26.6 released > > > > > > Hi folks, > > > > > > I have just posted 4.26.6 on the website for you all. Download from > > > www.mailscanner.info as usual. > > > > > > This is intended as a final testing release before 4.26 goes stable, > > > which > > > will hopefully be this weekend. If you could test it out and > > > let me know > > > of > > > any problems as soon as possible, I will get them fixed. > > > > > > Thanks folks! > > > > > > Changes this time are: > > > > > > * New Features and Improvements * > > > - Improved configuration engine so that rules can now contain 2 tests > > > separated by "and". > > > - Added "notify" Spam Action and High Scoring Spam Action. This will > > > cause a > > > short text notification message to be sent to the recipients of the > > > spam > > > message. 
The filename of the report is set with the "Recipient Spam > > > Report" > > > configuration setting. There is also an MCP equivalent of this > > > functionality. See the MCP documentation for details of > > > the settings. > > > - Removed the "bounce" spam action. > > > - Added regular rebuild of Bayes database. Has 2 options > > > associated with > > > it > > > which I haven't included in the conf file yet. > > > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > > > options to > > > configure the operation of the regular Bayes database rebuilds. > > > - Added commented "bayes_auto_expire 0" line to > > > spam.assassin.prefs.conf > > > as > > > you will want to uncomment this line if you are using the regular > > > scheduled > > > Bayes database expiry feature given above. > > > - Added "Minimum Stars If On Spam List" setting so that > > > people who just > > > filter > > > on the "Spam Stars" can catch messages which only trigger the "Spam > > > List" > > > trap. > > > - Added "Log Non Spam" option to allow logging of all non-spam, which > > > can be > > > coerced into logging SpamAssassin scores of non-spam mail. > > > - Added support for Norman virus scanner (www.norman.de). > > > - Added logging of ids of dropped silent viruses. > > > - Added "Too Many Attachments" error report in a message > > > instead of old > > > report saying it could not analyse the message. > > > - No longer stops or restarts after RPM upgrade. > > > - Added MCP patches for SpamAssassin 2.61 and 2.63. > > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > > /etc/mail/spamassassin. > > > - Spanish translations of languages.conf updated from Debian > > > translators. > > > - Added Catalan translation of all report files. > > > - Added bogusmx list to supplied spam.lists.conf. > > > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > > > - Changed the version number scheme from major.minor-teeny to > > > major.minor.teeny. 
> > > - Forced owner to be root.root in both RPM spec files, so can be re-built by non-root users.
> > > - Added my Amazon.co.uk "wish list" to the donations page.
> > > - Detailed spam report now includes auto-learn status if it was auto-learnt.
> > >
> > > * Fixes *
> > > - Fixed creation of MCP quarantine directory bug.
> > > - Fix to Postfix message duplication problems. Must find "end of message" record now.
> > > - Fix to duplicate recipient listing in postmaster notices.
> > > - Fixed bug so filename/filetype rules configuration setting can be blank.
> > > - Exim per-message log files are deleted correctly now.
> > > - Fixed recipient duplication problems in sender messages and other reports.
> > > - Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment.
> > > - Fixed bug where _SCORE_ in subject line modifications is never more than 60.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:28:59 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: Skip scan for viruses
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B7@jessica.herefordshire.gov.uk>

Overstressed administrator, which, I'm sure most on this list would be familiar with. How the heck would the admin know the email has a virus, when Mailscanner pretends it hasn't? Look at my earlier mails to this list - viruses picked up by ClamAV 5 to 6 hours before the desktops have new patterns from the corporate AV vendor. That's a huge window for error and accidental damage. I stand by what I said, it's an accident waiting to happen.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of David H.
> Sent: 30 January 2004 11:20
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Skip scan for viruses
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Randal, Phil wrote:
>
> > No, spam can't directly compromise your PC, viruses can.
> >
> > As it stands it is a gaping security hole in MailScanner.
> >
> > Hypothetical example: User phones, and says "your flipping anti-spam gizmo
> > has blocked an email which isn't spam, can you release it?". You look at
> > the logs, see that Mailscanner doesn't think it's a virus and release it
> > from quarantine. BOOM!
> >
>
>
> Actually I would call that a perfect case of "idiot operator".
>
> a) _never_ trust a software solution completely
> b) Since it is known that a possible Virus _could_ be quarantined, scan
> it before you release it
> c) In a Company environment, Mailscanner yes or no, each computer
> should run on-Demand Virus scanning.
>
> But then again, that is my personal opinion
>
> - -d
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
>
> iD8DBQFAGj3zPMoaMn4kKR4RA4A+AJ0e6tB/8FAvK9Ldn4h0vU4k3R4ZrgCfWG1Y
> So6viEwvsr3BcxEsxtaSFxY=
> =vPAp
> -----END PGP SIGNATURE-----
>

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:34:12 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: ANNOUNCE: Beta 4.26.6 released
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B9@jessica.herefordshire.gov.uk>

All the rules are working, and we get the spurious error message once for each rule.
Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 30 January 2004 11:24 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > Please do check that it is still catching everything it should be! > > At 11:18 30/01/2004, you wrote: > >We noticed the same error. Regarding load - one server's > load has almost > >disappeared as a result of upgrading: > >-MS to latest beta > >-SA to latest > >-DCC to latest > >Prior to the upgrade an MS process had been hugging resources almost > >constantly for the previous 24 hours > > > > > >Mr. Michele Neylon > >Blacknight Internet Solutions Ltd > >http://www.blacknightsolutions.ie/ > >http://www.search.ie/ > >Tel. + 353 (0)59 9137101 > >Lowest price domains in Ireland > > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Randal, Phil > > > Sent: 30 January 2004 10:53 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > It's a minor bug in Config.pm. All the rules still work. > > > > > > As an aside, my load average seems to have dropped a bit with > > > this version. > > > > > > Phil > > > > > > --------------------------------------------- > > > Phil Randal > > > Network Engineer > > > Herefordshire Council > > > Hereford, UK > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Stein, Mr. 
Fred > > > > Sent: 29 January 2004 19:27 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I > get the error isw > > > > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > > > > rule of type > > > > , rule is "" > > > > Jan 29 14:24:46 butters last message repeated 709 times > > > > RH9 > > > > Spamassassin 2.63 > > > > Any ideas? > > > > > > > > Fred Stein > > > > Network Administrator > > > > The Hill School > > > > 717 High Street > > > > Pottstown, PA 19464 > > > > 610-326-1000 ext. 7356 > > > > fstein@thehill.org > > > > www.thehill.org > > > > > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Julian Field > > > > Sent: Thursday, January 29, 2004 10:25 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: ANNOUNCE: Beta 4.26.6 released > > > > > > > > Hi folks, > > > > > > > > I have just posted 4.26.6 on the website for you all. > Download from > > > > www.mailscanner.info as usual. > > > > > > > > This is intended as a final testing release before 4.26 > goes stable, > > > > which > > > > will hopefully be this weekend. If you could test it out and > > > > let me know > > > > of > > > > any problems as soon as possible, I will get them fixed. > > > > > > > > Thanks folks! > > > > > > > > Changes this time are: > > > > > > > > * New Features and Improvements * > > > > - Improved configuration engine so that rules can now > contain 2 tests > > > > separated by "and". > > > > - Added "notify" Spam Action and High Scoring Spam > Action. This will > > > > cause a > > > > short text notification message to be sent to the > recipients of the > > > > spam > > > > message. The filename of the report is set with the > "Recipient Spam > > > > Report" > > > > configuration setting. There is also an MCP > equivalent of this > > > > functionality. 
See the MCP documentation for details of > > > > the settings. > > > > - Removed the "bounce" spam action. > > > > - Added regular rebuild of Bayes database. Has 2 options > > > > associated with > > > > it > > > > which I haven't included in the conf file yet. > > > > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > > > > options to > > > > configure the operation of the regular Bayes > database rebuilds. > > > > - Added commented "bayes_auto_expire 0" line to > > > > spam.assassin.prefs.conf > > > > as > > > > you will want to uncomment this line if you are > using the regular > > > > scheduled > > > > Bayes database expiry feature given above. > > > > - Added "Minimum Stars If On Spam List" setting so that > > > > people who just > > > > filter > > > > on the "Spam Stars" can catch messages which only > trigger the "Spam > > > > List" > > > > trap. > > > > - Added "Log Non Spam" option to allow logging of all > non-spam, which > > > > can be > > > > coerced into logging SpamAssassin scores of non-spam mail. > > > > - Added support for Norman virus scanner (www.norman.de). > > > > - Added logging of ids of dropped silent viruses. > > > > - Added "Too Many Attachments" error report in a message > > > > instead of old > > > > report saying it could not analyse the message. > > > > - No longer stops or restarts after RPM upgrade. > > > > - Added MCP patches for SpamAssassin 2.61 and 2.63. > > > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > > > /etc/mail/spamassassin. > > > > - Spanish translations of languages.conf updated from Debian > > > > translators. > > > > - Added Catalan translation of all report files. > > > > - Added bogusmx list to supplied spam.lists.conf. > > > > - Added spamhaus-XBL and SBL+XBL lists to supplied > spam.lists.conf. > > > > - Changed the version number scheme from major.minor-teeny to > > > > major.minor.teeny. 
> > > > - Forced owner to be root.root in both RPM spec files, so can be > > > > re-built by > > > > non-root users. > > > > - Added my Amazon.co.uk "wish list" to the donations page. > > > > - Detailed spam report now includes auto-learn status if it was > > > > auto-learnt. > > > > > > > > * Fixes * > > > > - Fixed creation of MCP quarantine directory bug. > > > > - Fix to Postfix message duplication problems. Must find "end of > > > > message" > > > > record now. > > > > - Fix to duplicate recipient listing in postmaster notices. > > > > - Fixed bug so filename/filetype rules configuration > setting can be > > > > blank. > > > > - Exim per-message log files are deleted correctly now. > > > > - Fixed recipient duplication problems in sender > messages and other > > > > reports. > > > > - Fixed bug where extra ": " appears in VirusWarning.txt when > > > > MailScanner's > > > > own checks find multiple problems with 1 attachment. > > > > - Fixed bug where _SCORE_ in subject line modifications > is never more > > > > than 60. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From shrek-m at GMX.DE Fri Jan 30 11:37:20 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses In-Reply-To: <401A3DF0.7010602@uptime.at> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401A3DF0.7010602@uptime.at> Message-ID: <401A41F0.8050200@gmx.de> David H. wrote: > c) IN a Company environment , Mailscanner yes or no, each computer > should run on-Demand Virus scanning. 
i prefer clients - "on-access" server - "on-demand" -- shrek-m From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:37:07 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: ANNOUNCE: Beta 4.26.6 released Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4BA@jessica.herefordshire.gov.uk> The only thing I changed was MailScanner. Off to grab the latest DCC 1.2.29 sources. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 30 January 2004 11:19 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > We noticed the same error. Regarding load - one server's load > has almost > disappeared as a result of upgrading: > -MS to latest beta > -SA to latest > -DCC to latest > Prior to the upgrade an MS process had been hugging resources almost > constantly for the previous 24 hours > > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Randal, Phil > > Sent: 30 January 2004 10:53 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > It's a minor bug in Config.pm. All the rules still work. > > > > As an aside, my load average seems to have dropped a bit with > > this version. > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Stein, Mr. 
Fred > > > Sent: 29 January 2004 19:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I get > the error isw > > > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > > > rule of type > > > , rule is "" > > > Jan 29 14:24:46 butters last message repeated 709 times > > > RH9 > > > Spamassassin 2.63 > > > Any ideas? > > > > > > Fred Stein > > > Network Administrator > > > The Hill School > > > 717 High Street > > > Pottstown, PA 19464 > > > 610-326-1000 ext. 7356 > > > fstein@thehill.org > > > www.thehill.org > > > > > > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > Behalf Of Julian Field > > > Sent: Thursday, January 29, 2004 10:25 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: ANNOUNCE: Beta 4.26.6 released > > > > > > Hi folks, > > > > > > I have just posted 4.26.6 on the website for you all. > Download from > > > www.mailscanner.info as usual. > > > > > > This is intended as a final testing release before 4.26 > goes stable, > > > which > > > will hopefully be this weekend. If you could test it out and > > > let me know > > > of > > > any problems as soon as possible, I will get them fixed. > > > > > > Thanks folks! > > > > > > Changes this time are: > > > > > > * New Features and Improvements * > > > - Improved configuration engine so that rules can now > contain 2 tests > > > separated by "and". > > > - Added "notify" Spam Action and High Scoring Spam > Action. This will > > > cause a > > > short text notification message to be sent to the > recipients of the > > > spam > > > message. The filename of the report is set with the > "Recipient Spam > > > Report" > > > configuration setting. There is also an MCP equivalent of this > > > functionality. See the MCP documentation for details of > > > the settings. > > > - Removed the "bounce" spam action. 
> > > - Added regular rebuild of Bayes database. Has 2 options > > > associated with > > > it > > > which I haven't included in the conf file yet. > > > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > > > options to > > > configure the operation of the regular Bayes database rebuilds. > > > - Added commented "bayes_auto_expire 0" line to > > > spam.assassin.prefs.conf > > > as > > > you will want to uncomment this line if you are using > the regular > > > scheduled > > > Bayes database expiry feature given above. > > > - Added "Minimum Stars If On Spam List" setting so that > > > people who just > > > filter > > > on the "Spam Stars" can catch messages which only > trigger the "Spam > > > List" > > > trap. > > > - Added "Log Non Spam" option to allow logging of all > non-spam, which > > > can be > > > coerced into logging SpamAssassin scores of non-spam mail. > > > - Added support for Norman virus scanner (www.norman.de). > > > - Added logging of ids of dropped silent viruses. > > > - Added "Too Many Attachments" error report in a message > > > instead of old > > > report saying it could not analyse the message. > > > - No longer stops or restarts after RPM upgrade. > > > - Added MCP patches for SpamAssassin 2.61 and 2.63. > > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > > /etc/mail/spamassassin. > > > - Spanish translations of languages.conf updated from Debian > > > translators. > > > - Added Catalan translation of all report files. > > > - Added bogusmx list to supplied spam.lists.conf. > > > - Added spamhaus-XBL and SBL+XBL lists to supplied > spam.lists.conf. > > > - Changed the version number scheme from major.minor-teeny to > > > major.minor.teeny. > > > - Forced owner to be root.root in both RPM spec files, so can be > > > re-built by > > > non-root users. > > > - Added my Amazon.co.uk "wish list" to the donations page. > > > - Detailed spam report now includes auto-learn status if it was > > > auto-learnt. 
> > >
> > > * Fixes *
> > > - Fixed creation of MCP quarantine directory bug.
> > > - Fix to Postfix message duplication problems. Must find "end of message" record now.
> > > - Fix to duplicate recipient listing in postmaster notices.
> > > - Fixed bug so filename/filetype rules configuration setting can be blank.
> > > - Exim per-message log files are deleted correctly now.
> > > - Fixed recipient duplication problems in sender messages and other reports.
> > > - Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment.
> > > - Fixed bug where _SCORE_ in subject line modifications is never more than 60.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> > >

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:46:35 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: [OT] Virus scanning strategies
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4BB@jessica.herefordshire.gov.uk>

> > c) In a Company environment, Mailscanner yes or no, each computer
> > should run on-Demand Virus scanning.
> >
> I prefer
> clients - "on-access"
> server - "on-demand"
>
> --
> shrek-m

When I set up our Netware servers I did virus scan on write, then a scheduled overnight full scan. But full on-access scanning on the desktop. Times change, however, and this week is the first time since the Nimda worm outbreak I've seen viruses arrive via email before we had the patterns from our vendor to protect us (apart from ClamAv, which saved the day). And it's that window of vulnerability which has me worried.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From mailscanner at ecs.soton.ac.uk Fri Jan 30 11:53:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: Skip scan for viruses
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B8@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B8@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040130114125.079ae320@imap.ecs.soton.ac.uk>

At 11:32 30/01/2004, you wrote:
>Thanks, Julian.
>The other issue is about accurate statistics gathering.
>MailScanner rocks. It and ClamAV have been the only things preventing
>MyDoom.A and Mymail.s getting into our corporate network.

Wonderful!

I would possibly end up scanning everything, but as I say it's going to take some considerable thought. The current architecture rolls along the message batch data structures quite well, I need to start drawing stuff to work out an alternative top-level architecture that could do this. And then be able to switch between the two.

It would be cool if I could make it automatically switch modes depending on the current mail activity, so when it starts seeing loads of viruses it does virus scanning first, but normally runs the other way round (lots of people don't deliver spam at all, which cuts down the load considerably as it is not virus-scanned). Whether that is possible or not, I haven't a clue at the moment. But as I said, I think it would be cool.

>I think we should all have a good look at your Amazon wish-list and
>contribute.

Sorry there aren't many cheap things on it at the moment. You could either club together, or else just think up something you reckon I might like. I'm sure I like loads of stuff that's not on my list, I just don't know it yet.

And if anyone fancies writing to the Queen and nominating me for the Honors list, that would go down well too!
I didn't make the Open Source Initiative awards, not the Jan 2004 round anyway. Next lot are due in April. Maybe I'll have better luck next time. > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 30 January 2004 11:23 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Skip scan for viruses > > > > > > At 11:12 30/01/2004, you wrote: > > >No, spam can't directly compromise your PC, viruses can. > > > > > >As it stands it is a gaping security hole in MailScanner. > > > > That's a bit strong.... > > > > >Hypothethical example: User phones, and says "your flipping > > anti-spam gizmo > > >has blocked an email which isn't spam, can you release it?". > > You look at > > >the logs, see that Mailscanner doesn't think it's a virus > > and release it > > >from quarantine. BOOM! > > > > "MailScanner doesn't think it's a virus" is not the same as > > "MailScanner > > doesn't know if it is a virus or not" which is what is > > actually happening here. > > > > I need to take a look at this problem again. It would be nice > > to be able to > > switch the evaluation order. It's not a trivial problem (I > > delay setting up > > expensive data structures until the last moment so as not to waste CPU > > doing it for messages which might get trashed anyway). > > > > Let me have a think. > > I'll get back to you. > > > > > > >Phil > > > > > >--------------------------------------------- > > >Phil Randal > > >Network Engineer > > >Herefordshire Council > > >Hereford, UK > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of David Hooton > > > Sent: 30 January 2004 11:05 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Skip scan for viruses > > > > > > > > > > So it seems to me that SpamAssassin and its spam checks is > > > more of a CPU > > > > hog than the whole virus scanning process. 
> > > > > > Depending on your configuration, but here it is... > > > > > > > My thought would be > > > > > > > > if a Virus is dropped before the Spam Scanning can even > > > pick it up, that > > > > would mean less work to the CPU, thus less ressources are > > > consumed or am > > > > I making a mistake? > > > > > > This is a very dynamic situation, a little while ago it was > > > suggested that > > > the order be configurable. I forget where that thread ended, but in > > > situations like we've had this week it certainly would be > > > nice to be able to > > > reverse the process to virus scan first. _however_ we also > > > have weeks when > > > spam traffic is very significantly higher than virus traffic > > > in which case > > > obviously it would be good to have the other way around. > > > > > > I would really love to see an option for this, it's been > > > asked for before, > > > unless there is a serious security implication or it already exists! > > > > > > Regards, > > > > > > David Hooton > > > > > > > > > ============================================================== > > > ========== > > > Pain free spam & virus protection by: > >www.mailsecurity.net.au > > Forward undetected SPAM to: spam@mailsecurity.net.au > >======================================================================== > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 11:32:52 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:12 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B8@jessica.herefordshire.gov.uk> Thanks, Julian. The other issue is about accurate statistics gathering. MailScanner rocks. 
It and ClamAV have been the only things preventing MyDoom.A and Mymail.s getting into our corporate network. I think we should all have a good look at your Amazon wish-list and contribute. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 30 January 2004 11:23 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > At 11:12 30/01/2004, you wrote: > >No, spam can't directly compromise your PC, viruses can. > > > >As it stands it is a gaping security hole in MailScanner. > > That's a bit strong.... > > >Hypothethical example: User phones, and says "your flipping > anti-spam gizmo > >has blocked an email which isn't spam, can you release it?". > You look at > >the logs, see that Mailscanner doesn't think it's a virus > and release it > >from quarantine. BOOM! > > "MailScanner doesn't think it's a virus" is not the same as > "MailScanner > doesn't know if it is a virus or not" which is what is > actually happening here. > > I need to take a look at this problem again. It would be nice > to be able to > switch the evaluation order. It's not a trivial problem (I > delay setting up > expensive data structures until the last moment so as not to waste CPU > doing it for messages which might get trashed anyway). > > Let me have a think. > I'll get back to you. 
> > > >Phil > > > >--------------------------------------------- > >Phil Randal > >Network Engineer > >Herefordshire Council > >Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of David Hooton > > Sent: 30 January 2004 11:05 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Skip scan for viruses > > > > > > > So it seems to me that SpamAssassin and its spam checks is > > more of a CPU > > > hog than the whole virus scanning process. > > > > Depending on your configuration, but here it is... > > > > > My thought would be > > > > > > if a Virus is dropped before the Spam Scanning can even > > pick it up, that > > > would mean less work to the CPU, thus less ressources are > > consumed or am > > > I making a mistake? > > > > This is a very dynamic situation, a little while ago it was > > suggested that > > the order be configurable. I forget where that thread ended, but in > > situations like we've had this week it certainly would be > > nice to be able to > > reverse the process to virus scan first. _however_ we also > > have weeks when > > spam traffic is very significantly higher than virus traffic > > in which case > > obviously it would be good to have the other way around. > > > > I would really love to see an option for this, it's been > > asked for before, > > unless there is a serious security implication or it already exists! 
> >
> > Regards,
> >
> > David Hooton
> >
> >
> > ==============================================================
> > ==========
> > Pain free spam & virus protection by:
>www.mailsecurity.net.au
> Forward undetected SPAM to: spam@mailsecurity.net.au
>========================================================================

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From P.G.M.Peters at utwente.nl Fri Jan 30 12:49:30 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:12 2006
Subject: SPF and MailScanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE8D@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AE8D@pascal.priv.bmrb.co.uk>
Message-ID:

On Fri, 30 Jan 2004 10:36:20 -0000, you wrote:

>There is a page addressing common objections to SPF on their site http://spf.pobox.com/objections.html

I find a number of objections in the answers pobox gives to them. Some of which are even greater than the original objection.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From tony.johansson at SVENSKAKYRKAN.SE Fri Jan 30 12:43:27 2004
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:22:12 2006
Subject: Clamav signature generation
Message-ID:

>
>I hope this puts things into perspective.
>
>Phil

Well yes, but that's not the issue here. I'm looking for a way (without putting all viruses in quarantine) to store files that are flagged as viruses by scanners other than Clamav. I could then submit this file to Clamav or produce my own signature.

Regards, Tony

>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>> Behalf Of Tony Johansson
>> Sent: 29 January 2004 18:38
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Clamav signature generation
>>
>>
>> These are the times when antivirus companies had a virus definition for
>> Mydoom.A:
>> (I don't know how accurate they are, I got them from a source at F-Secure)
>>
>> McAfee (BETA)     2004-01-26, 22:20
>> F-Secure (BETA)   2004-01-26, 22:36
>> Symantec (BETA)   2004-01-26, 23:00
>> F-Secure          2004-01-26, 23:09
>> F-Prot            2004-01-26, 23:30
>> Trend Micro       2004-01-26, 23:35
>> Norman            2004-01-27, 00:05
>> Kaspersky         2004-01-27, 00:30
>>
>> At our site, Clamav found the first Mydoom.A at 2004-01-26 22:02, this time
>> beating all the above commercial scanners. Clamav obviously did great this
>> time, but on other occasions they have been far behind.
>>
>> Is there a way to redirect a file that's been flagged as a virus by one or
>> more scanners but not by clamav? It could be put in a special quarantine or
>> submitted automatically to http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi
>>
>>
>> Clamav would have the power of all scanners supported by MailScanner,
>> possibly never being beaten by more than one or two commercial
>> scanners...
>>
>> One could argue that there's a moral dilemma here, using the output from one
>> scanner to benefit another but I've seen nothing prohibiting this in the
>> license agreements I've read.
>>
>> regards, Tony
>>

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 13:00:52 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: Skip scan for viruses
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4BE@jessica.herefordshire.gov.uk>

OK folks, I reckon Julian's far more deserving of honours than Sir Bill.
UK citizens might like to download the form at http://www.cabinet-office.gov.uk/ceremonial/index/nomination.htm and do their bit. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 30 January 2004 11:54 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > At 11:32 30/01/2004, you wrote: > >Thanks, Julian. > >The other issue is about accurate statistics gathering. > >MailScanner rocks. It and ClamAV have been the only things > preventing > >MyDoom.A and Mymail.s getting into our corporate network. > > Wonderful! > > I would possibly end up scanning everything, but as I say > it's going to > take some considerable thought. The current architecture > rolls along the > message batch data structures quite well, I need to start > drawing stuff to > work out an alternative top-level architecture that could do > this. And then > be able to switch between the two. > > It would be cool if I could make it automatically switch > modes depending on > the current mail activity, so when it starts seeing loads of > viruses it > does virus scanning first, but normally runs the other way > round (lots of > people don't deliver spam at all, which cuts down the load > considerably as > it is not virus-scanned). Whether that is possible or not, I > haven't a clue > at the moment. But as I said, I think it would be cool. > > >I think we should all have a good look at your Amazon wish-list and > >contribute. > > Sorry there aren't many cheap things on it at the moment. You > could either > club together, or else just think up something you reckon I > might like. I'm > sure I like loads of stuff that's not on my list, I just > don't know it yet. > > And if anyone fancies writing to the Queen and nominating me > for the Honors > list, that would go down well too! 
> I didn't make the Open Source Initiative awards, not the Jan > 2004 round > anyway. Next lot are due in April. Maybe I'll have better > luck next time. > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: 30 January 2004 11:23 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Skip scan for viruses > > > > > > > > > At 11:12 30/01/2004, you wrote: > > > >No, spam can't directly compromise your PC, viruses can. > > > > > > > >As it stands it is a gaping security hole in MailScanner. > > > > > > That's a bit strong.... > > > > > > >Hypothethical example: User phones, and says "your flipping > > > anti-spam gizmo > > > >has blocked an email which isn't spam, can you release it?". > > > You look at > > > >the logs, see that Mailscanner doesn't think it's a virus > > > and release it > > > >from quarantine. BOOM! > > > > > > "MailScanner doesn't think it's a virus" is not the same as > > > "MailScanner > > > doesn't know if it is a virus or not" which is what is > > > actually happening here. > > > > > > I need to take a look at this problem again. It would be nice > > > to be able to > > > switch the evaluation order. It's not a trivial problem (I > > > delay setting up > > > expensive data structures until the last moment so as not > to waste CPU > > > doing it for messages which might get trashed anyway). > > > > > > Let me have a think. > > > I'll get back to you. 
> > > > > > > > > >Phil > > > > > > > >--------------------------------------------- > > > >Phil Randal > > > >Network Engineer > > > >Herefordshire Council > > > >Hereford, UK > > > > > > > > > -----Original Message----- > > > > > From: MailScanner mailing list > >[mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of David Hooton > > > > Sent: 30 January 2004 11:05 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Skip scan for viruses > > > > > > > > > > > > > So it seems to me that SpamAssassin and its spam checks is > > > > more of a CPU > > > > > hog than the whole virus scanning process. > > > > > > > > Depending on your configuration, but here it is... > > > > > > > > > My thought would be > > > > > > > > > > if a Virus is dropped before the Spam Scanning can even > > > > pick it up, that > > > > > would mean less work to the CPU, thus less ressources are > > > > consumed or am > > > > > I making a mistake? > > > > > > > > This is a very dynamic situation, a little while ago it was > > > > suggested that > > > > the order be configurable. I forget where that thread > ended, but in > > > > situations like we've had this week it certainly would be > > > > nice to be able to > > > > reverse the process to virus scan first. _however_ we also > > > > have weeks when > > > > spam traffic is very significantly higher than virus traffic > > > > in which case > > > > obviously it would be good to have the other way around. > > > > > > > > I would really love to see an option for this, it's been > > > > asked for before, > > > > unless there is a serious security implication or it > already exists! 
> > > > > > > > Regards, > > > > > > > > David Hooton > > > > > > > > > > > > ============================================================== > > > > ========== > > > > Pain free spam & virus protection by: > > >www.mailsecurity.net.au > > > Forward undetected SPAM to: > spam@mailsecurity.net.au > > > >============================================================= > =========== > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From michele at BLACKNIGHTSOLUTIONS.COM Fri Jan 30 13:23:08 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:22:12 2006 Subject: ANNOUNCE: Beta 4.26.6 released In-Reply-To: <6.0.1.1.2.20040130112350.078a26f0@imap.ecs.soton.ac.uk> Message-ID: We ran it in debug mode etc., and it was working fine. I'm at a total loss as to why it decided to misbehave Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 30 January 2004 11:24 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > Please do check that it is still catching everything it should be! > > At 11:18 30/01/2004, you wrote: > >We noticed the same error. Regarding load - one server's load has almost > >disappeared as a result of upgrading: > >-MS to latest beta > >-SA to latest > >-DCC to latest > >Prior to the upgrade an MS process had been hugging resources almost > >constantly for the previous 24 hours > > > > > >Mr. 
Michele Neylon > >Blacknight Internet Solutions Ltd > >http://www.blacknightsolutions.ie/ > >http://www.search.ie/ > >Tel. + 353 (0)59 9137101 > >Lowest price domains in Ireland > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Randal, Phil > > > Sent: 30 January 2004 10:53 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > It's a minor bug in Config.pm. All the rules still work. > > > > > > As an aside, my load average seems to have dropped a bit with > > > this version. > > > > > > Phil > > > > > > --------------------------------------------- > > > Phil Randal > > > Network Engineer > > > Herefordshire Council > > > Hereford, UK > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Stein, Mr. Fred > > > > Sent: 29 January 2004 19:27 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: ANNOUNCE: Beta 4.26.6 released > > > > > > > > > > > > I have just upgraded from ver 4.26.5 to 4.26.6 Now I get > the error isw > > > > maillog Jan 29 14:24:46 butters MailScanner[6361]: Invalid > > > > rule of type > > > > , rule is "" > > > > Jan 29 14:24:46 butters last message repeated 709 times > > > > RH9 > > > > Spamassassin 2.63 > > > > Any ideas? > > > > > > > > Fred Stein > > > > Network Administrator > > > > The Hill School > > > > 717 High Street > > > > Pottstown, PA 19464 > > > > 610-326-1000 ext. 7356 > > > > fstein@thehill.org > > > > www.thehill.org > > > > > > > > > > > > -----Original Message----- > > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > > > Behalf Of Julian Field > > > > Sent: Thursday, January 29, 2004 10:25 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: ANNOUNCE: Beta 4.26.6 released > > > > > > > > Hi folks, > > > > > > > > I have just posted 4.26.6 on the website for you all. 
Download from > > > > www.mailscanner.info as usual. > > > > > > > > This is intended as a final testing release before 4.26 goes stable, > > > > which > > > > will hopefully be this weekend. If you could test it out and > > > > let me know > > > > of > > > > any problems as soon as possible, I will get them fixed. > > > > > > > > Thanks folks! > > > > > > > > Changes this time are: > > > > > > > > * New Features and Improvements * > > > > - Improved configuration engine so that rules can now > contain 2 tests > > > > separated by "and". > > > > - Added "notify" Spam Action and High Scoring Spam Action. This will > > > > cause a > > > > short text notification message to be sent to the > recipients of the > > > > spam > > > > message. The filename of the report is set with the > "Recipient Spam > > > > Report" > > > > configuration setting. There is also an MCP equivalent of this > > > > functionality. See the MCP documentation for details of > > > > the settings. > > > > - Removed the "bounce" spam action. > > > > - Added regular rebuild of Bayes database. Has 2 options > > > > associated with > > > > it > > > > which I haven't included in the conf file yet. > > > > - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" > > > > options to > > > > configure the operation of the regular Bayes database rebuilds. > > > > - Added commented "bayes_auto_expire 0" line to > > > > spam.assassin.prefs.conf > > > > as > > > > you will want to uncomment this line if you are using the regular > > > > scheduled > > > > Bayes database expiry feature given above. > > > > - Added "Minimum Stars If On Spam List" setting so that > > > > people who just > > > > filter > > > > on the "Spam Stars" can catch messages which only > trigger the "Spam > > > > List" > > > > trap. > > > > - Added "Log Non Spam" option to allow logging of all > non-spam, which > > > > can be > > > > coerced into logging SpamAssassin scores of non-spam mail. 
> > > > - Added support for Norman virus scanner (www.norman.de). > > > > - Added logging of ids of dropped silent viruses. > > > > - Added "Too Many Attachments" error report in a message > > > > instead of old > > > > report saying it could not analyse the message. > > > > - No longer stops or restarts after RPM upgrade. > > > > - Added MCP patches for SpamAssassin 2.61 and 2.63. > > > > - Added 'SpamAssassin Site Rules Dir' setting to locate > > > > /etc/mail/spamassassin. > > > > - Spanish translations of languages.conf updated from Debian > > > > translators. > > > > - Added Catalan translation of all report files. > > > > - Added bogusmx list to supplied spam.lists.conf. > > > > - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > > > > - Changed the version number scheme from major.minor-teeny to > > > > major.minor.teeny. > > > > - Forced owner to be root.root in both RPM spec files, so can be > > > > re-built by > > > > non-root users. > > > > - Added my Amazon.co.uk "wish list" to the donations page. > > > > - Detailed spam report now includes auto-learn status if it was > > > > auto-learnt. > > > > > > > > * Fixes * > > > > - Fixed creation of MCP quarantine directory bug. > > > > - Fix to Postfix message duplication problems. Must find "end of > > > > message" > > > > record now. > > > > - Fix to duplicate recipient listing in postmaster notices. > > > > - Fixed bug so filename/filetype rules configuration setting can be > > > > blank. > > > > - Exim per-message log files are deleted correctly now. > > > > - Fixed recipient duplication problems in sender messages and other > > > > reports. > > > > - Fixed bug where extra ": " appears in VirusWarning.txt when > > > > MailScanner's > > > > own checks find multiple problems with 1 attachment. > > > > - Fixed bug where _SCORE_ in subject line modifications is > never more > > > > than 60. 
> > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mspieth at NEOD.NET Fri Jan 30 13:17:14 2004 From: mspieth at NEOD.NET (Mark Spieth) Date: Thu Jan 12 21:22:12 2006 Subject: rulesets for spam actions Message-ID: Our MX servers are running version 4.24-5 and have approximately 1000+ domains on them and are running fine.. My question is how to setup Mailscanner to use a ruleset so I can set by domain actions. Currently all domains are bound by the same action. High Scoring Spam Actions = delete I have had some requests for a particular domain to have highspam to be forwarded to a specific email address, However I don't want to implement this system wide just for 1 domain and I cant afford to break the MX servers. Any help would be appreciated.. Thanks Mark From bpumphrey at WOODMACLAW.COM Fri Jan 30 13:40:43 2004 From: bpumphrey at WOODMACLAW.COM (Billy A. Pumphrey) Date: Thu Jan 12 21:22:12 2006 Subject: Basic config question Message-ID: I'm now getting this at the bottom of emails: This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. I didn't get this before, apparently it just started. I have changed a few settings in the conf such as Deliver cleaned message = no Notify senders to no I'm guessing the below is the setting that signs the message, however I have not changed that settings to yes so it must have always been yes. Sign messages already processed = yes Does anyone know why this started happening? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/6e53fed8/attachment.html

From mailscanner at ecs.soton.ac.uk Fri Jan 30 13:48:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: Basic config question
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130134653.07981618@imap.ecs.soton.ac.uk>

At 13:40 30/01/2004, you wrote:
>I'm now getting this at the bottom of emails:
>This message has been scanned for viruses and dangerous content by
>MailScanner, and is believed to be clean.
>MailScanner thanks transtec Computers for their support.
>
>I didn't get this before, apparently it just started. I have changed a
>few settings in the conf such as
>
>Deliver cleaned message = no
>Notify senders to no
>
>I'm guessing the below is the setting that signs the message, however I
>have not changed that setting to yes so it must have always been yes.
>Sign messages already processed = yes

No, that means exactly what it says. If a message has already been
processed by one of your MailScanner servers, you probably don't want each
one to add its own signature on the bottom of the message, you just want 1
copy of the signature on each message.

The option you are looking for is:
Sign Clean Messages

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Jan 30 13:46:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:12 2006
Subject: rulesets for spam actions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130134612.079ebf18@imap.ecs.soton.ac.uk>

Read about rulesets in /etc/MailScanner/rules/*. This will do exactly what
you are looking for.

At 13:17 30/01/2004, you wrote:
>Our MX servers are running version 4.24-5 and have approximately 1000+
>domains on them and are running fine..
My question is how to set up
>Mailscanner to use a ruleset so I can set by domain actions. Currently
>all domains are bound by the same action.
>
>High Scoring Spam Actions = delete
>
>I have had some requests for a particular domain to have highspam to be
>forwarded to a specific email address, However I don't want to implement
>this system wide just for 1 domain and I can't afford to break the MX
>servers.
>
>Any help would be appreciated..
>
>Thanks
>
>Mark

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Fri Jan 30 13:55:57 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:22:12 2006
Subject: OT: got spam today that fooled Spamcop reporting
Message-ID:

Gang,

I got a spam today from 166.90.145.153 that I sent off to spamcop for
reporting. When I got the response back and went to the SpamCop link,
its software had deduced that *my* mail server was the spam source, not
166.90.145.153. I looked at the mail headers and found:

From jaearick@colby.edu Fri Jan 30 06:40:02 2004 -0500
Return-Path:
Received: from hqbzdctu.makeup-site.info ([166.90.145.153])
        by basalt.colby.edu (8.12.11/8.12.11/1.48') with ESMTP id i0UBdtTk029229
        for ; Fri, 30 Jan 2004 06:39:56 -0500 (EST)

Ok so far, it agrees with my syslogs. Then the bogosity begins:

Resent-Date: Fri, 30 Jan 2004 06:39:55 -0500 (EST)
Resent-From: qsmj@ydrfcp.makeup-site.info
Resent-Message-Id: <200401301139.i0UBdtTk029229@basalt.colby.edu>
Received: from basalt.colby.edu (137.146.210.56)
        by hqbzdctu.makeup-site.info with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004 06:30: 30 -0400
Received: from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185)
        by basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400
Reply-To:
From: "Elizabeth"

Hmmm. The bottom-most IP (172.16.78.185) is an IANA reserved number so
Spamcop throws it away. The next number up is 137.146.210.56, my mail
server, so SpamCop locks onto that and says that my mail server sent the
spam. Not so. There is no msgid CLQ8TSZ8TN7 in my syslogs. In fact it
isn't even the right number of characters since my server runs sendmail
8.12.11. This header is totally forged.

So, spammers have figured out how to trick SpamCop into having spam
reporters blacklist their own sites. Ouch. If you are auto-reporting
spam to SpamCop, beware.

I have reported this to Julian Haight, owner of SpamCop, by email.
Spamcop doesn't have an email address for bug reporting so I had to send
it to him.

Jeff Earickson
Colby College

From mspieth at NEOD.NET Fri Jan 30 13:55:17 2004
From: mspieth at NEOD.NET (Mark Spieth)
Date: Thu Jan 12 21:22:12 2006
Subject: rulesets for spam actions
Message-ID:

Ok, I deserve to be spanked for that one.. I didn't notice that..

Mark

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday, January 30, 2004 8:47 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: rulesets for spam actions

Read about rulesets in /etc/MailScanner/rules/*. This will do exactly what
you are looking for.

At 13:17 30/01/2004, you wrote:
>Our MX servers are running version 4.24-5 and have approximately 1000+
>domains on them and are running fine.. My question is how to set up
>Mailscanner to use a ruleset so I can set by domain actions. Currently
>all domains are bound by the same action.
>
>High Scoring Spam Actions = delete
>
>I have had some requests for a particular domain to have highspam to be
>forwarded to a specific email address, However I don't want to implement
>this system wide just for 1 domain and I can't afford to break the MX
>servers.
>
>Any help would be appreciated..
>
>Thanks
>
>Mark

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Fri Jan 30 14:07:56 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:12 2006
Subject: [OT] Virus scanning strategies
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4BB@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4BB@jessica.herefordshire.gov.uk>
Message-ID: <401A653C.2050401@gmx.de>

Randal, Phil wrote:

>>>c) IN a Company environment , Mailscanner yes or no, each computer
>>>should run on-Demand Virus scanning.
>>>
>>>
>>i prefer
>>clients - "on-access"
>>server - "on-demand"
>>
>>
>When I set up our Netware servers I did virus scan on write, then a
>scheduled overnight full scan. But full on-access scanning on the desktop.
>
>

why not?
i can sleep very well with this setup since a few years

viruses on the server
= 1 = eicar-test-virus
viruses on the clients immediately shutdown by sophos
= no chance to infect other clients = ~ 30


our file-server (no internet-access) has enough to do with serving the
clients
the clients have no problems with this setup.
let tell it me "distributed server-virus-scanning from the client-side"


nice article
http://sophos.com/pressoffice/pressrel/us/20040121veritest.html

--
shrek-m

From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 14:17:12 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:12 2006
Subject: [OT] Virus scanning strategies
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C2@jessica.herefordshire.gov.uk>

It all falls apart when for whatever reason the antivirus fails (either
totally or to update patterns) on one or more of the desktops. That's why
defence in depth is needed.
Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of shrek-m@gmx.de
> Sent: 30 January 2004 14:08
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [OT] Virus scanning strategies
>
>
> Randal, Phil wrote:
>
> >>>c) IN a Company environment , Mailscanner yes or no, each computer
> >>>should run on-Demand Virus scanning.
> >>>
> >>>
> >>i prefer
> >>clients - "on-access"
> >>server - "on-demand"
> >>
> >>
> >When I set up our Netware servers I did virus scan on write, then a
> >scheduled overnight full scan. But full on-access scanning on the desktop.
> >
> >
>
> why not?
> i can sleep very well with this setup since a few years
>
> viruses on the server
> = 1 = eicar-test-virus
> viruses on the clients immediately shutdown by sophos
> = no chance to infect other clients = ~ 30
>
>
> our file-server (no internet-access) has enough to do with serving the
> clients
> the clients have no problems with this setup.
> let tell it me "distributed server-virus-scanning from the client-side"
>
>
> nice article
> http://sophos.com/pressoffice/pressrel/us/20040121veritest.html
>
> --
> shrek-m
>

From mailscanner at ecs.soton.ac.uk Fri Jan 30 14:25:18 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:22:12 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200401301425.i0UEPI4x021004@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Ryan Starck

We run a departmental listserver with MailScanner and Sophos that sends
about 500 messages per week. We can't be happier with the performance,
ease of use and results we get from MailScanner.

The Division of Rhetoric and Composition at the University of Texas at
Austin thanks you. Great work!!!

From taz at AZTEK-ENG.COM Fri Jan 30 14:41:36 2004
From: taz at AZTEK-ENG.COM (taz)
Date: Thu Jan 12 21:22:12 2006
Subject: Recommended site for mandrake, sendmail, mailscanner
Message-ID: <004601c3e73f$29bfafd0$270100bf@backlab>

Hello all,
We would like to begin looking and testing a replacement server for our
current server. We are looking at Mandrake 9.1 with Mailscanner, Spam
Assassin and sophos. Any recommended sites for looking at to set this up
as a new secure mailserver for the internet (on DMZ).

Thanks,
Travis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/d6431e58/attachment.html

From ugob at CAMO-ROUTE.COM Fri Jan 30 14:45:08 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:12 2006
Subject: Recommended site for mandrake, sendmail, mailscanner
Message-ID: <54C38A0B814C8E438EF73FC76F362927410867@mtlnt501fs.CAMOROUTE.COM>

have you tried searching "secure mail server linux"

here is what I found within 10 results

http://www.linuxdevcenter.com/pub/a/linux/2003/09/25/advanced_mail_server.html

-----Original Message-----
From: taz [mailto:taz@AZTEK-ENG.COM]
Sent: Friday, January 30, 2004 9:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Recommended site for mandrake, sendmail, mailscanner

Hello all,
We would like to begin looking and testing a replacement server for our
current server. We are looking at Mandrake 9.1 with Mailscanner, Spam
Assassin and sophos. Any recommended sites for looking at to set this up
as a new secure mailserver for the internet (on DMZ).

Thanks,
Travis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/85cb7f88/attachment.html

From Kevin.Spicer at BMRB.CO.UK Fri Jan 30 14:45:32 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:12 2006
Subject: Recommended site for mandrake, sendmail, mailscanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A11@pascal.priv.bmrb.co.uk>

taz wrote:
> Hello all,
> We would like to begin looking and testing a replacement server
> for our current server. We are looking at Mandrake 9.1 with
> Mailscanner, Spam Assassin and sophos. Any recommended sites for
> looking at to set this up as a new secure mailserver for the internet
> (on DMZ).
>

www.mailscanner.info !!

Use the rpm install but specify nodeps to the install.sh script. This is
my setup (near enough) so I'll be happy to try and answer any specific
questions you have.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From Kevin.Spicer at BMRB.CO.UK Fri Jan 30 14:49:32 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:12 2006
Subject: Recommended site for mandrake, sendmail, mailscanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A12@pascal.priv.bmrb.co.uk>

taz wrote:
> Hello all,
> We would like to begin looking and testing a replacement server
> for our current server. We are looking at Mandrake 9.1 with
> Mailscanner, Spam Assassin and sophos.
Any recommended sites for
> looking at to set this up as a new secure mailserver for the internet
> (on DMZ).
>

Forgot to mention that I use sendmail on Mandrake (rather than the default
postfix install). It works well, but don't use Mandrake's default
sendmail.mc

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From ugob at CAMO-ROUTE.COM Fri Jan 30 14:50:32 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:12 2006
Subject: rulesets for spam actions
Message-ID: <54C38A0B814C8E438EF73FC76F362927410868@mtlnt501fs.CAMOROUTE.COM>

see tutorial at http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/230.html

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Friday, January 30, 2004 8:47 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: rulesets for spam actions
>
>
> Read about rulesets in /etc/MailScanner/rules/*. This will do exactly what
> you are looking for.
>
> At 13:17 30/01/2004, you wrote:
> >Our MX servers are running version 4.24-5 and have approximately 1000+
> >domains on them and are running fine.. My question is how to set up
> >Mailscanner to use a ruleset so I can set by domain actions. Currently
> >all domains are bound by the same action.
> >
> >High Scoring Spam Actions = delete
> >
> >I have had some requests for a particular domain to have highspam to be
> >forwarded to a specific email address, However I don't want to implement
> >this system wide just for 1 domain and I can't afford to break the MX
> >servers.
> >
> >Any help would be appreciated..
> >
> >Thanks
> >
> >Mark
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From campbell at CNPAPERS.COM Fri Jan 30 14:47:07 2004
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:22:12 2006
Subject: mailling list subject tag
References: <08146035CA49D6119A36009027AC822A0264ED5F@CITY-EXCH-NTS> <1075456331.9785.12.camel@localhost.localdomain> <6.0.1.1.2.20040130095530.078d72f8@imap.ecs.soton.ac.uk> <1075459572.9785.19.camel@localhost.localdomain>
Message-ID: <00b101c3e73f$ef509f20$5d01a8c0@cnpapers.net>

Just be sure when you update the list options using the "double click" on
the list name that you don't select "Leave MailScanner" or whatever it
says. This will unsubscribe you. This doesn't mean leave the Mailscanner
page!

Guess how I know this!

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Neil Robst"
To:
Sent: Friday, January 30, 2004 5:46 AM
Subject: Re: mailling list subject tag

> Thanks, Julian - guess I should have realised this!
> Regards,
> Neil
>
> On Fri, 2004-01-30 at 09:55, Julian Field wrote:
> > You can do this per-user yourself at www.jiscmail.ac.uk/lists/mailscanner.html
> >
> > At 09:52 30/01/2004, you wrote:
> > >Hi Julian et al,
> > >
> > >Would it be possible to set up the mailing list software that manages
> > >this list to tag the subject of each mail with [MailScanner] or
> > >something similar please so I can see at a glance which mails are from
> > >this list...?
> > >
> > >Regards,
> > >Neil
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From taz at AZTEK-ENG.COM Fri Jan 30 15:04:35 2004
From: taz at AZTEK-ENG.COM (taz)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
Message-ID: <006601c3e742$5f9d54b0$270100bf@backlab>

I have a question about mail and port 25 in general. I know that this is
really not on the mailscanner subject so if I don't get an answer that is ok.

There are lots of servers that accept email, but don't allow you to
telnet to port 25.

Since port 25 is a port that mail talks on how does one secure this port
to only allow email to talk to it and not allow the "telnet hostname 25"
action. I know in this case telnet is disabled on the mail server.
Sorry for being so dopey on this one.

Thanks,
Travis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/66ec67c8/attachment.html

From taz at AZTEK-ENG.COM Fri Jan 30 15:05:48 2004
From: taz at AZTEK-ENG.COM (taz)
Date: Thu Jan 12 21:22:13 2006
Subject: Recommended site for mandrake, sendmail, mailscanner
References: <5C0296D26910694BB9A9BBFC577E7AB001649A12@pascal.priv.bmrb.co.uk>
Message-ID: <007001c3e742$8b17dac0$270100bf@backlab>

Will do. I will make sure I start with a new tarball and/or rpm.

----- Original Message -----
From: "Spicer, Kevin"
To:
Sent: Friday, January 30, 2004 7:49 AM
Subject: Re: Recommended site for mandrake, sendmail, mailscanner

> taz wrote:
> > Hello all,
> > We would like to begin looking and testing a replacement server
> > for our current server. We are looking at Mandrake 9.1 with
> > Mailscanner, Spam Assassin and sophos. Any recommended sites for
> > looking at to set this up as a new secure mailserver for the internet
> > (on DMZ).
> >
>
> Forgot to mention that I use sendmail on Mandrake (rather than the default
> postfix install). It works well, but don't use Mandrake's default sendmail.mc
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
>
>

From ugob at CAMO-ROUTE.COM Fri Jan 30 15:05:37 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
Message-ID: <54C38A0B814C8E438EF73FC76F36292741086A@mtlnt501fs.CAMOROUTE.COM>

telnet hostname 25 doesn't talk to the telnet server, it talks to the smtp
server. You cannot prevent this. If you block port 25, you cannot receive
mail. What you can do is prevent relaying.

-----Original Message-----
From: taz [mailto:taz@AZTEK-ENG.COM]
Sent: Friday, January 30, 2004 10:05 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Port 25 vulnerability

I have a question about mail and port 25 in general. I know that this is
really not on the mailscanner subject so if I don't get an answer that is ok.

There are lots of servers that accept email, but don't allow you to
telnet to port 25.

Since port 25 is a port that mail talks on how does one secure this port
to only allow email to talk to it and not allow the "telnet hostname 25"
action. I know in this case telnet is disabled on the mail server.
Sorry for being so dopey on this one.

Thanks,
Travis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/d76d723d/attachment.html From mkettler at EVI-INC.COM Fri Jan 30 15:15:27 2004 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <006601c3e742$5f9d54b0$270100bf@backlab> References: <006601c3e742$5f9d54b0$270100bf@backlab> Message-ID: <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> At 10:04 AM 1/30/2004, you wrote: >I have a question about mail and port 25 in general. I know that this is >really not on the mailscanner subject so if I don't get an answer that is ok. > There are lots of servers that accept email, but don't allow you to > telnet to port 25. Really? I doubt that is true... Can you name one server that will accept a SMTP transaction, but not a telnet to port 25 from the same host? > Since port 25 is a port that mail talks on how does one secure this port > to only allow email to talk to it and not allow the "telnet hostname 25" > action. I know in this case telnet is disabled on the mail > server. Sorry for being so dopey on this one. AFAIK it is impossible to do what you suggest. Telnet is a more-or-less generic client. As far as the mailserver is concerned, the only difference between a telnet session and another mailserver, or a mailclient, is the speed of data entry. It's extraordinarily difficult to tell the difference between the two. Besides, most attacks on mailservers aren't done using telnet, they are done using netcat. Blocking telnet connections doesn't really buy you anything of any significance security wise, and it's not possible. From taz at AZTEK-ENG.COM Fri Jan 30 15:36:49 2004 From: taz at AZTEK-ENG.COM (taz) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> Message-ID: <008d01c3e746$e0958c50$270100bf@backlab> Sure. 
Try doing an nslookup with type=mx on amazon or microsoft or even weldre5j.k12.co.us and then try telneting to port 25 of one of those servers ----- Original Message ----- From: "Matt Kettler" To: Sent: Friday, January 30, 2004 8:15 AM Subject: Re: [OT] Port 25 vulnerability > At 10:04 AM 1/30/2004, you wrote: > >I have a question about mail and port 25 in general. I know that this is > >really not on the mailscanner subject so if I don't get an answer that is ok. > > > There are lots of servers that accept email, but don't allow you to > > telnet to port 25. > > Really? I doubt that is true... Can you name one server that will accept a > SMTP transaction, but not a telnet to port 25 from the same host? > > > > Since port 25 is a port that mail talks on how does one secure this port > > to only allow email to talk to it and not allow the "telnet hostname 25" > > action. I know in this case telnet is disabled on the mail > > server. Sorry for being so dopey on this one. > > AFAIK it is impossible to do what you suggest. > > Telnet is a more-or-less generic client. > > As far as the mailserver is concerned, the only difference between a telnet > session and another mailserver, or a mailclient, is the speed of data entry. > > It's extraordinarily difficult to tell the difference between the two. > > Besides, most attacks on mailservers aren't done using telnet, they are > done using netcat. Blocking telnet connections doesn't really buy you > anything of any significance security wise, and it's not possible. > From dkoobs at FCSSERVICES.COM Fri Jan 30 15:26:25 2004 From: dkoobs at FCSSERVICES.COM (Doug Koobs) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> Message-ID: <007d01c3e745$6c9e76f0$a07ac80a@fcsservices.com> > > There are lots of servers that accept email, but don't > allow you to > > telnet to port 25. > > Really? I doubt that is true... 
Can you name one server that
> will accept a SMTP transaction, but not a telnet to port 25
> from the same host?

I believe the Merak mail server somehow lets you do this...

Confidential: This electronic message and all contents contain information from Financial Credit Services which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee only. If you are not the addressee, any disclosure, copy, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender and destroy the original message and all copies.

From ugob at CAMO-ROUTE.COM Fri Jan 30 15:37:23 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
Message-ID: <54C38A0B814C8E438EF73FC76F362927410876@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: taz [mailto:taz@AZTEK-ENG.COM]
> Sent: Friday, January 30, 2004 10:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [OT] Port 25 vulnerability
>
>
> Sure.
> Try doing an nslookup with type=mx on amazon or microsoft or even
> weldre5j.k12.co.us and then try telneting to port 25 of one
> of those servers

[ugo@host ugo]# telnet service-4.amazon.com 25
Trying 207.171.178.141...
Connected to service-4.amazon.com.
Escape character is '^]'.
220 service-4.amazon.com Generic SMTP handler

> ----- Original Message -----
> From: "Matt Kettler"
> To:
> Sent: Friday, January 30, 2004 8:15 AM
> Subject: Re: [OT] Port 25 vulnerability
>
>
> > At 10:04 AM 1/30/2004, you wrote:
> > >I have a question about mail and port 25 in general. I
> know that this is
> > >really not on the mailscanner subject so if I don't get an
> answer that is
> ok.
> >
> > > There are lots of servers that accept email, but don't
> allow you to
> > > telnet to port 25.
> >
> > Really? I doubt that is true...
Can you name one server > that will accept a > > SMTP transaction, but not a telnet to port 25 from the same host? > > > > > > > Since port 25 is a port that mail talks on how does one > secure this > port > > > to only allow email to talk to it and not allow the > "telnet hostname 25" > > > action. I know in this case telnet is disabled on the mail > > > server. Sorry for being so dopey on this one. > > > > AFAIK it is impossible to do what you suggest. > > > > Telnet is a more-or-less generic client. > > > > As far as the mailserver is concerned, the only difference between a > telnet > > session and another mailserver, or a mailclient, is the > speed of data > entry. > > > > It's extraordinarily difficult to tell the difference > between the two. > > > > Besides, most attacks on mailservers aren't done using > telnet, they are > > done using netcat. Blocking telnet connections doesn't > really buy you > > anything of any significance security wise, and it's not possible. > > > From mike at CAMAROSS.NET Fri Jan 30 15:51:18 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab> Message-ID: <200401301542.i0UFgxwQ030023@avwall.bladeware.com> # telnet maila.microsoft.com 25 Trying 131.107.3.125... Connected to maila.microsoft.com. Escape character is '^]'. 220 inet-imc-01.redmond.corp.microsoft.com Microsoft.com ESMTP Server Fri, 30 Jan 2004 07:43:23 -0800 quit Connection closed by foreign host. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of taz > Sent: Friday, January 30, 2004 9:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [OT] Port 25 vulnerability > > Sure. 
> Try doing an nslookup with type=mx on amazon or microsoft or > even weldre5j.k12.co.us and then try telneting to port 25 of > one of those servers > ----- Original Message ----- > From: "Matt Kettler" > To: > Sent: Friday, January 30, 2004 8:15 AM > Subject: Re: [OT] Port 25 vulnerability > > > > At 10:04 AM 1/30/2004, you wrote: > > >I have a question about mail and port 25 in general. I know that > > >this is really not on the mailscanner subject so if I don't get an > > >answer that is > ok. > > > > > There are lots of servers that accept email, but don't > allow you to > > > telnet to port 25. > > > > Really? I doubt that is true... Can you name one server that will > > accept a SMTP transaction, but not a telnet to port 25 from > the same host? > > > > > > > Since port 25 is a port that mail talks on how does one > secure this > port > > > to only allow email to talk to it and not allow the > "telnet hostname 25" > > > action. I know in this case telnet is disabled on the > mail server. > > > Sorry for being so dopey on this one. > > > > AFAIK it is impossible to do what you suggest. > > > > Telnet is a more-or-less generic client. > > > > As far as the mailserver is concerned, the only difference between a > telnet > > session and another mailserver, or a mailclient, is the > speed of data > entry. > > > > It's extraordinarily difficult to tell the difference > between the two. > > > > Besides, most attacks on mailservers aren't done using telnet, they > > are done using netcat. Blocking telnet connections doesn't > really buy > > you anything of any significance security wise, and it's > not possible. 
> > > From mike at CAMAROSS.NET Fri Jan 30 15:53:04 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab> Message-ID: <200401301544.i0UFijwQ030274@avwall.bladeware.com> This one works too: # telnet jmail.weldre5j.k12.co.us 25 Trying 209.120.160.154... Connected to jmail.weldre5j.k12.co.us. Escape character is '^]'. 220 weldre5j.k12.co.us Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Fri, 30 Jan 2004 08:42:13 -0700 > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of taz > Sent: Friday, January 30, 2004 9:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [OT] Port 25 vulnerability > > Sure. > Try doing an nslookup with type=mx on amazon or microsoft or > even weldre5j.k12.co.us and then try telneting to port 25 of > one of those servers > ----- Original Message ----- > From: "Matt Kettler" > To: > Sent: Friday, January 30, 2004 8:15 AM > Subject: Re: [OT] Port 25 vulnerability > > > > At 10:04 AM 1/30/2004, you wrote: > > >I have a question about mail and port 25 in general. I know that > > >this is really not on the mailscanner subject so if I don't get an > > >answer that is > ok. > > > > > There are lots of servers that accept email, but don't > allow you to > > > telnet to port 25. > > > > Really? I doubt that is true... Can you name one server that will > > accept a SMTP transaction, but not a telnet to port 25 from > the same host? > > > > > > > Since port 25 is a port that mail talks on how does one > secure this > port > > > to only allow email to talk to it and not allow the > "telnet hostname 25" > > > action. I know in this case telnet is disabled on the > mail server. > > > Sorry for being so dopey on this one. > > > > AFAIK it is impossible to do what you suggest. > > > > Telnet is a more-or-less generic client. 
> >
> > As far as the mailserver is concerned, the only difference between a
> telnet
> > session and another mailserver, or a mailclient, is the
> speed of data
> entry.
> >
> > It's extraordinarily difficult to tell the difference
> between the two.
> >
> > Besides, most attacks on mailservers aren't done using telnet, they
> > are done using netcat. Blocking telnet connections doesn't
> really buy
> > you anything of any significance security wise, and it's
> not possible.
> >
>

From Ulysees at ULYSEES.COM Fri Jan 30 15:45:26 2004
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab>
Message-ID: <000401c3e748$66fd1730$3201010a@nimitz>

> Sure.
> Try doing an nslookup with type=mx on amazon or microsoft or even
> weldre5j.k12.co.us and then try telneting to port 25 of one of those servers

dig microsoft.com mx

; <<>> DiG 9.2.2-P3 <<>> microsoft.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33020
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; QUESTION SECTION:
;microsoft.com. IN MX

;; ANSWER SECTION:
microsoft.com. 3600 IN MX 10 maila.microsoft.com.
microsoft.com. 3600 IN MX 10 mailb.microsoft.com.
microsoft.com. 3600 IN MX 10 mailc.microsoft.com.

telnet maila.microsoft.com 25
Trying 131.107.3.124...
Connected to maila.microsoft.com.
Escape character is '^]'.
220 inet-imc-02.redmond.corp.microsoft.com Microsoft.com ESMTP Server Fri, 30 Jan 2004 07:43:13 -0800

what part doesn't work ?

uly

From brose at MED.WAYNE.EDU Fri Jan 30 15:59:21 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
Message-ID:

I don't know about anyone else but I've used telnet as a diag tool for investigating smtp problems.
It allows you to see the responses in realtime when you type in the proper smtp commands. I use ehloe, mail from, and recpt to quite a bit when testing. You can telnet to practically any port you want it. It's just a matter of what the server daemon does with the commands given to it.

_____

From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
Sent: Friday, January 30, 2004 10:06 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Port 25 vulnerability

telnet hostname 25 doesn't talk to the telnet server, it talks to the smtp server. You cannot prevent this. If you block port 25, you cannot receive mail. What you can do is prevent relaying.

-----Original Message-----
From: taz [mailto:taz@AZTEK-ENG.COM]
Sent: Friday, January 30, 2004 10:05 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Port 25 vulnerability

I have a question about mail and port 25 in general. I know that this is really not on the mailscanner subject so if I don't get an answer that is ok. There are lots of servers that accept email, but don't allow you to telnet to port 25. Since port 25 is a port that mail talks on how does one secure this port to only allow email to talk to it and not allow the "telnet hostname 25" action. I know in this case telnet is disabled on the mail server. Sorry for being so dopey on this one.

Thanks,
Travis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/0a3df532/attachment.html

From bill at DISTMIRR.COM Fri Jan 30 16:01:37 2004
From: bill at DISTMIRR.COM (Bill Omer)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
In-Reply-To: <006601c3e742$5f9d54b0$270100bf@backlab>
Message-ID: <000a01c3e74a$574dd2a0$62751542@laptop>

The only thing I can think of to do this would have to be done on the packet level. Something could be made that monitors traffic on port 25.
There would have to be a difference in the packets generated by an MUA vs packets generated by a telnet client. Based on that information, a connection could be dropped when it's triggered. I guess it could be possible to use tcpdump to do this, if there is a difference in the packets.

-B

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of taz
Sent: Friday, January 30, 2004 9:05 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Port 25 vulnerability

I have a question about mail and port 25 in general. I know that this is really not on the mailscanner subject so if I don't get an answer that is ok. There are lots of servers that accept email, but don't allow you to telnet to port 25. Since port 25 is a port that mail talks on how does one secure this port to only allow email to talk to it and not allow the "telnet hostname 25" action. I know in this case telnet is disabled on the mail server. Sorry for being so dopey on this one.

Thanks,
Travis

From james at CHE.UTEXAS.EDU Fri Jan 30 16:12:13 2004
From: james at CHE.UTEXAS.EDU (James Hammett)
Date: Thu Jan 12 21:22:13 2006
Subject: NOT A VULNERABILY (Was port 25 vulnerability)
In-Reply-To: <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com>
References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com>
Message-ID:

Telnet is just the name of the PROGRAM you are using to connect to a SOCKET. A socket is defined as an IP Address and a PORT. It is used to send TEXT over TCP/IP. The Telnet program can talk to any open port, whether the program understands and responds, varies.

NORMALLY TELNET TALKS TO PORT 23. The Telnet DAEMON listens on port 23. It accepts incoming login sessions.

SMTP listens on Port 25. It only accepts SMTP commands on port 25.

Popper listens on Port 110.

Other programs listen on other ports.
If you want to troubleshoot POP or Sendmail, use telnet to connect to the appropriate port and issue SMTP or POP3 commands to test the server. (I've done it frequently. Also you could read your email using telnet and connecting to the Pop Daemon).

later,
James
--
--------------------------------------------------------------------------
James Hammett
Users Services / Server and Lab Administration (SLAM)
Information Technology Services (ITS)
CPE 4.442 Chemical Engineering
Unix Support 471-9701
----------------------------------------------------------------------------
An injustice anywhere is a threat to justice everywhere - MLK jr.
----------------------------------------------------------------------------

From mdlaney at MOREHOUSE.EDU Fri Jan 30 16:13:48 2004
From: mdlaney at MOREHOUSE.EDU (Matt Laney)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab>
References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab>
Message-ID: <20040130161348.GA26573@morehouse.edu>

Travis,

> Try doing an nslookup with type=mx on amazon or microsoft or even
> weldre5j.k12.co.us and then try telneting to port 25 of one of those servers

As others have shown, this works just fine, as well it should since telnet and your MTA's SMTP are doing the same thing when they contact a remote mail server.

Any chance you're behind a firewall that lets you connect to port 25 of your ISP's mail servers but denies connections to other ports 25? If your mail servers send mail out via your ISP's mail systems, that would produce the behaviour you're seeing.
-Matt -- Matt Laney, mdlaney@morehouse.edu Network and Unix Systems Engineer Morehouse College --- Atlanta, GA From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 16:06:41 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:13 2006 Subject: Port 25 vulnerability Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C8@jessica.herefordshire.gov.uk> I'd guess the only way to differentiate is timing. When you telnet in, there's some delay before you send any commands. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Bill Omer > Sent: 30 January 2004 16:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Port 25 vulnerability > > > The only thing I can think of to do this would have to be done on the > packet level. Something could be made that monitors traffic > on port 25. > There would have to be a difference in the packets generated by an MUA > vs packets generated by a telnet client. Based on that information, a > connection could be dropped when it's triggered. I guess it could be > possible to use tcpdump to do this, if there is a difference in the > packets. > > -B > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of taz > Sent: Friday, January 30, 2004 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Port 25 vulnerability > > > I have a question about mail and port 25 in general. I know that this > is really not on the mailscanner subject so if I don't get an answer > that is ok. There are lots of servers that accept email, but don't > allow you to telnet to port 25. Since port 25 is a port that > mail talks > on how does one secure this port to only allow email to talk to it and > not allow the "telnet hostname 25" action. I know in this case telnet > is disabled on the mail server. 
Sorry for being so dopey on this one. > > Thanks, > Travis > From ugob at CAMO-ROUTE.COM Fri Jan 30 16:21:40 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability Message-ID: <54C38A0B814C8E438EF73FC76F362927410878@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Envoy? : Friday, January 30, 2004 11:07 AM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Port 25 vulnerability > > > I'd guess the only way to differentiate is timing. > > When you telnet in, there's some delay before you send any commands. Isn't that caused by a reverse lookup that fails? Ugo > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Bill Omer > > Sent: 30 January 2004 16:02 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Port 25 vulnerability > > > > > > The only thing I can think of to do this would have to be > done on the > > packet level. Something could be made that monitors traffic > > on port 25. > > There would have to be a difference in the packets > generated by an MUA > > vs packets generated by a telnet client. Based on that > information, a > > connection could be dropped when it's triggered. I guess > it could be > > possible to use tcpdump to do this, if there is a difference in the > > packets. > > > > -B > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of taz > Sent: Friday, January 30, 2004 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Port 25 vulnerability > > > I have a question about mail and port 25 in general. I know that this > is really not on the mailscanner subject so if I don't get an answer > that is ok. 
There are lots of servers that accept email, but don't
> allow you to telnet to port 25. Since port 25 is a port that
> mail talks
> on how does one secure this port to only allow email to talk to it and
> not allow the "telnet hostname 25" action. I know in this case telnet
> is disabled on the mail server. Sorry for being so dopey on this one.
>
> Thanks,
> Travis
>

From mailscanner at ecs.soton.ac.uk Fri Jan 30 16:22:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
In-Reply-To: <20040130161348.GA26573@morehouse.edu>
References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab> <20040130161348.GA26573@morehouse.edu>
Message-ID: <6.0.1.1.2.20040130162021.0783f0f0@imap.ecs.soton.ac.uk>

Please can we call a halt to all this. This is totally off-topic and not a very good question in the first place.

Fundamentally whether you connect to port 25 using telnet or your email application, there is no difference. Just using your email application saves you having to know the SMTP protocol.

End of thread.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkettler at EVI-INC.COM Fri Jan 30 16:28:01 2004
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab>
References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab>
Message-ID: <6.0.0.22.0.20040130111237.023d7a40@xanadu.evi-inc.com>

At 10:36 AM 1/30/2004, you wrote:
>Sure.
>Try doing an nslookup with type=mx on amazon or microsoft or even
>weldre5j.k12.co.us and then try telneting to port 25 of one of those servers

Amazon Works flawlessly for me.
I think you're confusing servers blocking your IP address from connecting with them blocking telnet connections. The two are NOT the same. (ie: if you fail to telnet to amazon's mailserver on port 25, a local copy of sendmail would also fail).

So, I repeat my statement that it's not simple for a mailserver to discern whether it is being connected to by a telnet client, a mail client, or a mail server application.

Theoretically you could make a mailserver issue out some telnet terminal emulation commands to see if a telnet client on the other end answers them. However this would likely confuse real mailservers trying to deliver mail. I assume this is what merakmail does..

Not that the feature offers any noticeable security benefits, as someone can merely use netcat instead (netcat doesn't do terminal emulations, thus won't respond to, or be thwarted by this).

Most amateur skript-kiddies use netcat or c-code and not telnet anyway, so even most of your unsophisticated attackers can waltz right past it. (it's difficult to automate telnet from a script, but netcat is made for it, hence it's favored for such things).

As for amazon:
----------------
;; QUESTION SECTION:
;amazon.com. IN MX

;; ANSWER SECTION:
amazon.com. 7200 IN MX 10 service-4.amazon.com.
amazon.com. 7200 IN MX 10 service-5.amazon.com.
amazon.com. 7200 IN MX 10 service-3.amazon.com.

$telnet service-4.amazon.com 25
Trying 207.171.178.141...
Connected to service-4.amazon.com.
Escape character is '^]'.
220 service-4.amazon.com Generic SMTP handler HELO xanadu2.evi-inc.com 250 service-4.amazon.com talking to xanadu2.evi-inc.com ([208.39.141.93]) From henker at S-H-COM.DE Fri Jan 30 16:25:24 2004 From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <20040130161348.GA26573@morehouse.edu> References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab> <20040130161348.GA26573@morehouse.edu> Message-ID: Could we please stop this discussion on the MS list, even the subject says it's OT. Regards, Steffan From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 16:29:02 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C9@jessica.herefordshire.gov.uk> No, it's caused by you being a human being and being slow (in computer terms) at typing. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Ugo Bellavance > Sent: 30 January 2004 16:22 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [OT] Port 25 vulnerability > > > > -----Message d'origine----- > > De : Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > > Envoy? : Friday, January 30, 2004 11:07 AM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : Re: Port 25 vulnerability > > > > > > I'd guess the only way to differentiate is timing. > > > > When you telnet in, there's some delay before you send any commands. > Isn't that caused by a reverse lookup that fails? 
> > Ugo > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Bill Omer > > Sent: 30 January 2004 16:02 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Port 25 vulnerability > > > > > > The only thing I can think of to do this would have to be > done on the > > packet level. Something could be made that monitors traffic > > on port 25. > > There would have to be a difference in the packets > generated by an MUA > > vs packets generated by a telnet client. Based on that > information, a > > connection could be dropped when it's triggered. I guess > it could be > > possible to use tcpdump to do this, if there is a difference in the > > packets. > > > > -B > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of taz > Sent: Friday, January 30, 2004 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Port 25 vulnerability > > > I have a question about mail and port 25 in general. I know that this > is really not on the mailscanner subject so if I don't get an answer > that is ok. There are lots of servers that accept email, but don't > allow you to telnet to port 25. Since port 25 is a port that > mail talks > on how does one secure this port to only allow email to talk to it and > not allow the "telnet hostname 25" action. I know in this case telnet > is disabled on the mail server. Sorry for being so dopey on this one. 
>
> Thanks,
> Travis
>

From Heinz.Knutzen at DATAPORT.DE Fri Jan 30 16:34:03 2004
From: Heinz.Knutzen at DATAPORT.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:22:13 2006
Subject: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
Message-ID:

It doesn't help to install perl-Net-CIDR manually, because the package doesn't build at all:
"ERROR: EMPTY FILE LIST"

On a system with SuSE 8.0 perl-Net-CIDR builds nicely. I compared the output of rpmbuild at both systems and found the underlying problem.

When calling rpmbuild with SuSE 9.0 this results in paths where BuildRoot occurs twice:
Installing /var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm

perl-Net-CIDR.spec defines BuildRoot as
%{_tmppath}/%{name}-%{version}-%{release}-root

The first occurrence comes from
perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}

It appears twice, because SuSE defines its own version of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
%makeinstall make DESTDIR=%{buildroot} install

The problem didn't occur with SuSE 8.0, because it uses an older version of ExtUtils::MakeMaker, where the resulting Makefile is ignoring its parameter "DESTDIR" and hence (accidentally) successfully creates the package.

A possible solution would be to call "make install" directly instead of "%makeinstall" in perl-Net-CIDR.spec. This would solve the problem for SuSE. It shouldn't hurt for other rpm based distributions, because the standard definition of %makeinstall effectively calls "make install" with many parameters defining prefixes and directories. But these are useless, because PREFIX is already set when processing Makefile.PL.

I still need --nodeps to build this package. If I change "BuildRequires" to
BuildRequires: perl >= 0:5.5.3
it works fine for SuSE 8.0 and 9.0 without using --nodeps.
Best regards

Heinz Knutzen
Dataport
Altenholzer Str 10-14, 24161 Altenholz, Germany
http://www.dataport.de/
mailto:Heinz.Knutzen@dataport.de
Tel: +49.431.3295.6581
Fax: +49.431.3295.410

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, 30 January 2004 10:14
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails

Try just installing the Net-CIDR module with something like
rpm -Uvh --nodeps perl-Net-CIDR*
and then run ./install.sh.

At 16:53 29/01/2004, you wrote:
>For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
>./install.sh
>...
>Attempting to build and install perl-Net-CIDR-0.08-2
>Installiere perl-Net-CIDR-0.08-2.src.rpm
>Fehler: Failed build dependencies:
>        perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
>
>My perl is:
># rpm -q perl
>perl-5.8.1-46
># perl -v
>This is perl, v5.8.1 built for i586-linux-thread-multi
>(with 1 registered patch, see perl -V for more detail)
>
>I get this message for some perl packages, but not for all of them.
>Using "./install.sh nodeps" doesn't help, it gives the same error.
>
>Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
>does help a bit, but aborts with:
>"ERROR: EMPTY FILE LIST"
>
>This doesn't seem to be a new problem, it occurs with
>MailScanner-4.25-14.suse.tar.gz as well.
>
>
>Best regards
>
>-- Heinz
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Thursday, 29 January 2004 16:25
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: ANNOUNCE: Beta 4.26.6 released
>
>Hi folks,
>
>I have just posted 4.26.6 on the website for you all. Download from
>www.mailscanner.info as usual.
>
>This is intended as a final testing release before 4.26 goes stable, which
>will hopefully be this weekend.
If you could test it out and let me know of
>any problems as soon as possible, I will get them fixed.
>
>Thanks folks!
>
>Changes this time are:
>
>* New Features and Improvements *
>- Improved configuration engine so that rules can now contain 2 tests
>  separated by "and".
>- Added "notify" Spam Action and High Scoring Spam Action. This will cause a
>  short text notification message to be sent to the recipients of the spam
>  message. The filename of the report is set with the "Recipient Spam Report"
>  configuration setting. There is also an MCP equivalent of this
>  functionality. See the MCP documentation for details of the settings.
>- Removed the "bounce" spam action.
>- Added regular rebuild of Bayes database. Has 2 options associated with it
>  which I haven't included in the conf file yet.
>- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to
>  configure the operation of the regular Bayes database rebuilds.
>- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as
>  you will want to uncomment this line if you are using the regular scheduled
>  Bayes database expiry feature given above.
>- Added "Minimum Stars If On Spam List" setting so that people who just filter
>  on the "Spam Stars" can catch messages which only trigger the "Spam List"
>  trap.
>- Added "Log Non Spam" option to allow logging of all non-spam, which can be
>  coerced into logging SpamAssassin scores of non-spam mail.
>- Added support for Norman virus scanner (www.norman.de).
>- Added logging of ids of dropped silent viruses.
>- Added "Too Many Attachments" error report in a message instead of old
>  report saying it could not analyse the message.
>- No longer stops or restarts after RPM upgrade.
>- Added MCP patches for SpamAssassin 2.61 and 2.63.
>- Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin.
>- Spanish translations of languages.conf updated from Debian translators.
>- Added Catalan translation of all report files.
>- Added bogusmx list to supplied spam.lists.conf.
>- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf.
>- Changed the version number scheme from major.minor-teeny to major.minor.teeny.
>- Forced owner to be root.root in both RPM spec files, so can be re-built by
>  non-root users.
>- Added my Amazon.co.uk "wish list" to the donations page.
>- Detailed spam report now includes auto-learn status if it was auto-learnt.
>
>* Fixes *
>- Fixed creation of MCP quarantine directory bug.
>- Fix to Postfix message duplication problems. Must find "end of message"
>  record now.
>- Fix to duplicate recipient listing in postmaster notices.
>- Fixed bug so filename/filetype rules configuration setting can be blank.
>- Exim per-message log files are deleted correctly now.
>- Fixed recipient duplication problems in sender messages and other reports.
>- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's
>  own checks find multiple problems with 1 attachment.
>- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From taz at AZTEK-ENG.COM Fri Jan 30 16:40:50 2004
From: taz at AZTEK-ENG.COM (taz)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C8@jessica.herefordshire.gov.uk>
Message-ID: <00af01c3e74f$d1b09870$270100bf@backlab>

That would be the problem then. I am dial up, but will be on a T1 in about an hour.

----- Original Message -----
From: "Randal, Phil"
To:
Sent: Friday, January 30, 2004 9:06 AM
Subject: Re: Port 25 vulnerability

> I'd guess the only way to differentiate is timing.
> > When you telnet in, there's some delay before you send any commands. > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Bill Omer > > Sent: 30 January 2004 16:02 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Port 25 vulnerability > > > > > > The only thing I can think of to do this would have to be done on the > > packet level. Something could be made that monitors traffic > > on port 25. > > There would have to be a difference in the packets generated by an MUA > > vs packets generated by a telnet client. Based on that information, a > > connection could be dropped when it's triggered. I guess it could be > > possible to use tcpdump to do this, if there is a difference in the > > packets. > > > > -B > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of taz > > Sent: Friday, January 30, 2004 9:05 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Port 25 vulnerability > > > > > > I have a question about mail and port 25 in general. I know that this > > is really not on the mailscanner subject so if I don't get an answer > > that is ok. There are lots of servers that accept email, but don't > > allow you to telnet to port 25. Since port 25 is a port that > > mail talks > > on how does one secure this port to only allow email to talk to it and > > not allow the "telnet hostname 25" action. I know in this case telnet > > is disabled on the mail server. Sorry for being so dopey on this one. 
> >
> > Thanks,
> > Travis
> >
>
From mailscanner at ecs.soton.ac.uk Fri Jan 30 16:37:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:13 2006
Subject: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130163730.07e02cd0@imap.ecs.soton.ac.uk>

Thanks for the info. I haven't tried SuSE 9 yet.

At 16:34 30/01/2004, you wrote:
>It doesn't help to install perl-Net-CIDR manually,
>because the package doesn't build at all:
>"ERROR: EMPTY FILE LIST"
>
>On a system with SuSE 8.0 perl-Net-CIDR builds nicely.
>I compared the output of rpmbuild at both systems and found
>the underlying problem.
>
>When calling rpmbuild with SuSE 9.0 this results in paths
>where BuildRoot occurs twice:
>Installing
>/var/tmp/perl-Net-CIDR-root/var/tmp/perl-Net-CIDR-root/usr/share/man/man3/Net::CIDR.3pm
>
>perl-Net-CIDR.spec defines BuildRoot as
>%{_tmppath}/%{name}-%{version}-%{release}-root
>
>The first occurrence comes from
> perl Makefile.PL PREFIX=$RPM_BUILD_ROOT%{_prefix}
>
>It appears twice, because SuSE defines its own version
>of the rpm macro %makeinstall in /usr/lib/rpm/suse_macros:
>%makeinstall make DESTDIR=%{buildroot} install
>
>The problem didn't occur with SuSE 8.0,
>because it uses an older version of ExtUtils::MakeMaker,
>where the resulting Makefile is ignoring its parameter
>"DESTDIR" and hence (accidentally) successfully creates the package.
>
>A possible solution would be to call "make install" directly
>instead of "%makeinstall" in perl-Net-CIDR.spec.
>
>This would solve the problem for SuSE.
>It shouldn't hurt for other rpm based distributions,
>because the standard definition of %makeinstall effectively calls
>"make install" with many parameters defining prefixes and directories.
>But these are useless, because PREFIX is already set
>when processing Makefile.PL.
>
>
>I still need --nodeps to build this package.
>If I change "BuildRequires" to
>BuildRequires: perl >= 0:5.5.3
>it works fine for SuSE 8.0 and 9.0 without using --nodeps.
>
>Best regards
>
>Heinz Knutzen
>
>Dataport
>Altenholzer Str 10-14, 24161 Altenholz, Germany
>http://www.dataport.de/
>mailto:Heinz.Knutzen@dataport.de
>Tel: +49.431.3295.6581 Fax: +49.431.3295.410
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>behalf of Julian Field
>Sent: Friday, 30 January 2004 10:14
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: 4.25-14 or 4.26.6 & SuSE 9.0: perl-Net-CIDR fails
>
>Try just installing the Net-CIDR module with something like
>rpm -Uvh --nodeps perl-Net-CIDR*
>and then run ./install.sh.
>
>At 16:53 29/01/2004, you wrote:
> >For SuSE 9.0 with MailScanner-4.26.6-1.suse.tar.gz I get:
> >./install.sh
> >...
> >Attempting to build and install perl-Net-CIDR-0.08-2
> >Installiere perl-Net-CIDR-0.08-2.src.rpm
> >Fehler: Failed build dependencies:
> > perl >= 0:5.00503 is needed by perl-Net-CIDR-0.08-2
> >
> >My perl is:
> ># rpm -q perl
> >perl-5.8.1-46
> ># perl -v
> >This is perl, v5.8.1 built for i586-linux-thread-multi
> >(with 1 registered patch, see perl -V for more detail)
> >
> >I get this message for some perl packages, but not for all of them.
> >Using "./install.sh nodeps" doesn't help, it gives the same error.
> >
> >Using "rpmbuild --rebuild --nodeps perl-Net-CIDR-0.08-2.src.rpm"
> >does help a bit, but aborts with:
> >"ERROR: EMPTY FILE LIST"
> >
> >This doesn't seem to be a new problem, it occurs with
> >MailScanner-4.25-14.suse.tar.gz as well.
> >
> >
> >Best regards
> >
> >-- Heinz
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >behalf of Julian Field
> >Sent: Thursday, 29 January 2004 16:25
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: ANNOUNCE: Beta 4.26.6 released
> >
> >Hi folks,
> >
> >I have just posted 4.26.6 on the website for you all.
Download from > >www.mailscanner.info as usual. > > > >This is intended as a final testing release before 4.26 goes stable, which > >will hopefully be this weekend. If you could test it out and let me know of > >any problems as soon as possible, I will get them fixed. > > > >Thanks folks! > > > >Changes this time are: > > > >* New Features and Improvements * > >- Improved configuration engine so that rules can now contain 2 tests > > separated by "and". > >- Added "notify" Spam Action and High Scoring Spam Action. This will cause a > > short text notification message to be sent to the recipients of the spam > > message. The filename of the report is set with the "Recipient Spam > > Report" > > configuration setting. There is also an MCP equivalent of this > > functionality. See the MCP documentation for details of the settings. > >- Removed the "bounce" spam action. > >- Added regular rebuild of Bayes database. Has 2 options associated with it > > which I haven't included in the conf file yet. > >- Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to > > configure the operation of the regular Bayes database rebuilds. > >- Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as > > you will want to uncomment this line if you are using the regular > > scheduled > > Bayes database expiry feature given above. > >- Added "Minimum Stars If On Spam List" setting so that people who just > filter > > on the "Spam Stars" can catch messages which only trigger the "Spam > List" > > trap. > >- Added "Log Non Spam" option to allow logging of all non-spam, which can be > > coerced into logging SpamAssassin scores of non-spam mail. > >- Added support for Norman virus scanner (www.norman.de). > >- Added logging of ids of dropped silent viruses. > >- Added "Too Many Attachments" error report in a message instead of old > > report saying it could not analyse the message. > >- No longer stops or restarts after RPM upgrade. 
> >- Added MCP patches for SpamAssassin 2.61 and 2.63. > >- Added 'SpamAssassin Site Rules Dir' setting to locate > >/etc/mail/spamassassin. > >- Spanish translations of languages.conf updated from Debian translators. > >- Added Catalan translation of all report files. > >- Added bogusmx list to supplied spam.lists.conf. > >- Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. > >- Changed the version number scheme from major.minor-teeny to > >major.minor.teeny. > >- Forced owner to be root.root in both RPM spec files, so can be re-built by > > non-root users. > >- Added my Amazon.co.uk "wish list" to the donations page. > >- Detailed spam report now includes auto-learn status if it was auto-learnt. > > > >* Fixes * > >- Fixed creation of MCP quarantine directory bug. > >- Fix to Postfix message duplication problems. Must find "end of message" > > record now. > >- Fix to duplicate recipient listing in postmaster notices. > >- Fixed bug so filename/filetype rules configuration setting can be blank. > >- Exim per-message log files are deleted correctly now. > >- Fixed recipient duplication problems in sender messages and other reports. > >- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's > > own checks find multiple problems with 1 attachment. > >- Fixed bug where _SCORE_ in subject line modifications is never more > than 60. 
> >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jvane at INVITATION.ORG Fri Jan 30 15:44:40 2004 From: jvane at INVITATION.ORG (Jim VanEtten) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab> References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab> Message-ID: <401A7BE8.3000608@invitation.org> telnet maila.microsoft.com 25 Trying 131.107.3.125... Connected to mail1.microsoft.com (131.107.3.125). Escape character is '^]'. 220 inet-imc-01.redmond.corp.microsoft.com Microsoft.com ESMTP Server Fri, 30 Jan 2004 07:41:09 -0800 taz wrote: >Sure. >Try doing an nslookup with type=mx on amazon or microsoft or even >weldre5j.k12.co.us and then try telneting to port 25 of one of those servers >----- Original Message ----- >From: "Matt Kettler" >To: >Sent: Friday, January 30, 2004 8:15 AM >Subject: Re: [OT] Port 25 vulnerability > > From gebhard at EPOST.DE Fri Jan 30 16:53:13 2004 From: gebhard at EPOST.DE (Holger Gebhard) Date: Thu Jan 12 21:22:13 2006 Subject: Vexira AV Support in 4.26.6? Message-ID: Will Support for Vexira Antivirus added in MailScanner Version 4.26.6? 
Thanks Holger From dnsadmin at 1BIGTHINK.COM Fri Jan 30 17:01:22 2004 From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:22:13 2006 Subject: OT: got spam today that fooled Spamcop reporting In-Reply-To: Message-ID: <5.2.1.1.0.20040130115650.04e00008@mail.1bigthink.com> At 08:55 AM 1/30/2004 -0500, you wrote: >Gang, > I got a spam today from 166.90.145.153 that I sent off to >spamcop for reporting. When I got the response back and went >to the SpamCop link, its software had deduced that *my* mail >server was the spam source, not 166.90.145.153. I looked at >the mail headers and found: > > From jaearick@colby.edu Fri Jan 30 06:40:02 2004 -0500 > Return-Path: > Received: from hqbzdctu.makeup-site.info ([166.90.145.153]) > by basalt.colby.edu (8.12.11/8.12.11/1.48') with ESMTP id > i0UBdtTk029229 > for ; Fri, 30 Jan 2004 06:39:56 -0500 (EST) > >Ok so far, it agrees with my syslogs. Then the bogosity begins: > > Resent-Date: Fri, 30 Jan 2004 06:39:55 -0500 (EST) > Resent-From: qsmj@ydrfcp.makeup-site.info > Resent-Message-Id: <200401301139.i0UBdtTk029229@basalt.colby.edu> > Received: from basalt.colby.edu (137.146.210.56) > by hqbzdctu.makeup-site.info with SMTP id CLQ8TSZ8TN7; Fri, 30 Jan 2004 > 06:30: > 30 -0400 > Received: from nfgwb.makeup-site.info (HELO nfgwb) (172.16.78.185) > by basalt.colby.edu with SMTP; Fri, 30 Jan 2004 06:30:30 -0400 > Reply-To: > From: "Elizabeth" > >Hmmm. The bottom-most IP (172.16.78.185) is an IANA reserved number so >Spamcop throws it away. The next number up is 137.146.210.56, my >mail server, so SpamCop locks onto that and says that my mail server >sent the spam. Not so. There is no msgid CLQ8TSZ8TN7 in my syslogs. >In fact it isn't even the right number of characters since my server >runs sendmail 8.12.11. This header is totally forged. --SNIP-- >Jeff Earickson >Colby College Hi Jeff, Feel free to block that IP, No RDNS on it and Level3 has whole 'C' blocks that they protect for spammers. I hate Level3 for that! 
Anyone: If you are on Level3 Networks, you support spammers. Take your
business elsewhere!

Cheers!

From mailscanner at ecs.soton.ac.uk Fri Jan 30 16:59:49 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:13 2006
Subject: Vexira AV Support in 4.26.6?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040130165921.0790fae0@imap.ecs.soton.ac.uk>

At 16:53 30/01/2004, you wrote:
>Will Support for Vexira Antivirus be added in MailScanner Version 4.26.6?

No, sorry. I haven't had time to test it myself. It will have to wait for 4.27.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From P.G.M.Peters at utwente.nl Sat Jan 31 12:26:09 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:13 2006
Subject: Port 25 vulnerability
In-Reply-To: <00af01c3e74f$d1b09870$270100bf@backlab>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C8@jessica.herefordshire.gov.uk> <00af01c3e74f$d1b09870$270100bf@backlab>
Message-ID:

On Fri, 30 Jan 2004 09:40:50 -0700, you wrote:

>That would be the problem then. I am dial up, but will be on a T1 in about
>an hour.

That won't help. You won't be fast enough. I have done some dumping and
examining packets and an average server responds in ranges from 0.01 to
0.10 seconds. You wouldn't have time to read the response let alone type
the response.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From lists at TRCINTL.COM Fri Jan 30 17:07:28 2004
From: lists at TRCINTL.COM (Kyle Harris)
Date: Thu Jan 12 21:22:13 2006
Subject: _SCORE_ Tag
Message-ID:

I have been using the _SCORE_ tag and have found it to be very useful. I am
curious about one thing. The highest score it seems to be able to report is 60?
Even if the headers show a higher score, the _SCORE_ will only show 60?

Certainly not a big deal, I'm just curious if anyone else has noticed this?
I'm using SA version 4.24-5.

Thanks

From mike at CAMAROSS.NET Fri Jan 30 17:11:37 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Port 25 vulnerability
In-Reply-To: <6.0.1.1.2.20040130162021.0783f0f0@imap.ecs.soton.ac.uk>
Message-ID: <200401301710.i0UHA2wQ010867@avwall.bladeware.com>

Everyone please remember there is an offtopic list here:
http://bladeware.com/mailman/listinfo/mailscanner-wizards

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Friday, January 30, 2004 10:23 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [OT] Port 25 vulnerability
>
> Please can we call a halt to all this. This is totally
> off-topic and not a very good question in the first place.
>
> Fundamentally whether you connect to port 25 using telnet or
> your email application, there is no difference. Just using
> your email application saves you having to know the SMTP protocol.
>
> End of thread.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From lenaig at WANADOO.FR Fri Jan 30 17:12:25 2004
From: lenaig at WANADOO.FR (Thierry)
Date: Thu Jan 12 21:22:13 2006
Subject: BSD pb running MailScanner
Message-ID: <20040130171225.GA1022@maelenn>

Hi,

I am using MailScanner-devel-4.26.4, f-prot-4.3.1, clamav-devel-20040116, on
FreeBSD box.

So I am not sure that mailscanner is running f-prot and clamav ...
If I am checking on the log files, I can see that they are still empty.
But if I am running them directly from virus.scanners.conf:

/usr/local/libexec/MailScanner/clamav-wrapper /usr/local -r /toto/titi -l /var/log/clamav/result.log

/usr/local/libexec/MailScanner/f-prot-wrapper /usr/local/f-prot -report=/var/log/clamav/result_f.log /toto/titi

I can see that all of my log files are working ...
I check in /var/run mailscanner pid is here, I check on user/permission, it
is ok
In /var/spool/MailScanner, Incoming is working, Quarantine always empty

MailScanner.conf:
Virus Scanning = yes
Virus Scanners = f-prot clamav

It will be a pleasure to give you more information if necessary.

Thx

--
Thierry
Never do an "apt-get install new-wife" before an "apt-get remove
--purge current-wife"

From rzewnickie at RFA.ORG Fri Jan 30 17:20:56 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:13 2006
Subject: Don't Quarantine Viruses
In-Reply-To: <6.0.1.1.2.20040130092602.0741d660@imap.ecs.soton.ac.uk>
References: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn> <20040129223224.GE2204@rfa.org> <6.0.1.1.2.20040130092602.0741d660@imap.ecs.soton.ac.uk>
Message-ID: <20040130172056.GC2936@rfa.org>

Thanks Julian,

I've implemented this with "mydoom" and it's saving us a lot of disk
space.

What are the chances of having All-Viruses as in the Silent Viruses
config option available as a special case in this ruleset?

Something like:

Virus: All-Viruses no
Virus: default yes

so we could quarantine only filename, filetype and html-tag "virus"
detected mail.

Is this possible? Would it be a good idea?

-Eric Rz.

On Fri, Jan 30, 2004 at 09:26:18AM +0000, Julian Field wrote:
> The test is a simple sub-string, so "mydoom" should match both of your
> examples.
>
> At 22:32 29/01/2004, you wrote:
> >Do these names have to match the name as reported by the virus scanners?
> >or is it case insensitive?
> > > >i.e., will: > > > >Virus: mydoom no > > > >prevent mydoom from being quarantined when caught by either sophossavi > >or uvscan? > > > >or do I need to do this? : > > > >Virus: W32/MyDoom-A no > >Virus: W32/Mydoom.a@MM no > > > > > >Thanks, > >Eric Rz. > > > >On Wed, Jan 28, 2004 at 02:55:11PM -0500, Hirsh, Joshua wrote: > >> > I'd like to be able to not quarantine viruses but still > >> > quarantine filetype denies. > >> > >> Yup, you can distinguish between the two. You can set "Quarantine > >> Infections" to match against a rule, and in the rules file have something > >> like this: > >> > >> Virus: sobig no > >> Virus: dumaru no > >> Virus: mimail no > >> > >> > >> Etc.. > >> > >> > >> Cheers, > >> > >> -Joshua > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lists at STHOMAS.NET Fri Jan 30 17:37:49 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability In-Reply-To: <008d01c3e746$e0958c50$270100bf@backlab>; from taz@AZTEK-ENG.COM on Fri, Jan 30, 2004 at 08:36:49AM -0700 References: <006601c3e742$5f9d54b0$270100bf@backlab> <6.0.0.22.0.20040130101001.027e21c0@xanadu.evi-inc.com> <008d01c3e746$e0958c50$270100bf@backlab> Message-ID: <20040130093749.C30502@sthomas.net> On Fri, Jan 30, 2004 at 08:36:49AM -0700, taz is rumored to have said: > > Sure. > Try doing an nslookup with type=mx on amazon or microsoft or even > weldre5j.k12.co.us and then try telneting to port 25 of one of those servers # dig microsoft.com mx ; <<>> DiG 9.2.1 <<>> microsoft.com mx ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61982 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6 ;; QUESTION SECTION: ;microsoft.com. IN MX ;; ANSWER SECTION: microsoft.com. 3600 IN MX 10 maila.microsoft.com. microsoft.com. 
3600 IN MX 10 mailb.microsoft.com. microsoft.com. 3600 IN MX 10 mailc.microsoft.com. # telnet maila.microsoft.com 25 Trying 131.107.3.125... Connected to maila.microsoft.com. Escape character is '^]'. 220 inet-imc-01.redmond.corp.microsoft.com Microsoft.com ESMTP Server Fri, 30 Jan 2004 09:34:05 -0800 quit 221 2.0.0 inet-imc-01.redmond.corp.microsoft.com Service closing transmission channel Connection closed by foreign host. All telnet does is open a TCP session. There's no way for the server to know what client is being used to initiate the connection - that's kind of the point of using a standard protocol (TCP over IP)... -- "My occupation now, I suppose, is jail inmate." - Unibomber Theodore Kaczynski, when asked in court what his current profession was From David.While at UCE.AC.UK Fri Jan 30 15:44:28 2004 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:22:13 2006 Subject: [OT] Port 25 vulnerability Message-ID: <107DE25EC0216C45AEF670016024245F6FDC@exchangea.staff.uce.ac.uk> I can telnet on port 25 to these machines no problem. I can't see how the software can distinguish between a genuine SMTP session from some SMTP software and an SMTP session via a telnet session. Apart from the speed there is no difference. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of taz Sent: 30 January 2004 15:37 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [OT] Port 25 vulnerability Sure. 
Try doing an nslookup with type=mx on amazon or microsoft or even weldre5j.k12.co.us and then try telneting to port 25 of one of those servers ----- Original Message ----- From: "Matt Kettler" To: Sent: Friday, January 30, 2004 8:15 AM Subject: Re: [OT] Port 25 vulnerability > At 10:04 AM 1/30/2004, you wrote: > >I have a question about mail and port 25 in general. I know that this is > >really not on the mailscanner subject so if I don't get an answer that is ok. > > > There are lots of servers that accept email, but don't allow you to > > telnet to port 25. > > Really? I doubt that is true... Can you name one server that will accept a > SMTP transaction, but not a telnet to port 25 from the same host? > > > > Since port 25 is a port that mail talks on how does one secure this port > > to only allow email to talk to it and not allow the "telnet hostname 25" > > action. I know in this case telnet is disabled on the mail > > server. Sorry for being so dopey on this one. > > AFAIK it is impossible to do what you suggest. > > Telnet is a more-or-less generic client. > > As far as the mailserver is concerned, the only difference between a telnet > session and another mailserver, or a mailclient, is the speed of data entry. > > It's extraordinarily difficult to tell the difference between the two. > > Besides, most attacks on mailservers aren't done using telnet, they are > done using netcat. Blocking telnet connections doesn't really buy you > anything of any significance security wise, and it's not possible. > From elhannaford at PSFINC.COM Fri Jan 30 17:41:43 2004 From: elhannaford at PSFINC.COM (Edward L. Hannaford) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses Message-ID: On Fri, 30 Jan 2004 09:26:55 +0000, Julian Field wrote: >No. The spam detection is done before the virus detection. >That way you can avoid the extra work of scanning spam messages you are >deleting anyway. > Really? My MailScanner seems to do both anti-virus and spam scanning. 
I get quite a few messages with tags from both processes. Or perhaps I'm just unaware of one of the inner processes; is MailScanner supposed to skip anti-virus scanning for all spams or just the ones that aren't forwarded on to users (high-scoring spams, in my case)? I also must agree with some other posters. Spam-scanning is nice but, spam or not, anti-virus scanning is essential. I do *not* want MailScanner to skip anti-virus scanning of *any* message! -Ed From rzewnickie at RFA.ORG Fri Jan 30 17:55:58 2004 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:13 2006 Subject: Reliable spam/nospam bayes learner? In-Reply-To: <6.0.1.1.2.20040130093054.073f5008@imap.ecs.soton.ac.uk> References: <401A1175.7070207@glendown.de> <6.0.1.1.2.20040130093054.073f5008@imap.ecs.soton.ac.uk> Message-ID: <20040130175558.GD2936@rfa.org> Julian's scripts are in this FAQ. http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html They will only work on bounced/resent messages. If you can get the user's to send you the headers, it's pretty easy to match up the date and queuefile-id with archived mail if you keep your archives as queuefiles. I posted a half-baked solution for this a while back: http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&P=R65809&I=-1 Others have suggested getting the headers is possible if the users can forward the mail as an attachment. I'm working out a script to do what you have asked for. It's tricky because outlook changes the headers it includes in the forward, but I think I (maybe) can get it to work. I'm now archiving all mail for 7 days in mbox format. My plan is to use a combination of formail and grep to get what information I can out of the user's forwarded spam/notspam messages. i.e., subject, sender and recipient. Then use grepmail to match that with the pristine original message in the archive mbox and feed it to sa-learn. 
Things have been a little crazy here this week what with the weather, protracted flakiness (several outages including one >7 hours, ugh) on the part of our ISP, tracking this mydoom explosion, double checking everything to make sure it doesn't slip through the cracks, and responding to all the "I didn't send this. Why are they telling me I have a virus"-type inquiries from management and users. So, I haven't gotten very far with it... I'll see if I can make some more progress on it today. I'll share whatever I come up with, whenever I come up with it. -Eric Rz. On Fri, Jan 30, 2004 at 09:31:21AM +0000, Julian Field wrote: > I have posted my scripts to do this to this list a few times now. Try > searching for posts from me which include "notspam". > > At 08:10 30/01/2004, you wrote: > >Hi, > > > >maybe I'm missing seeing the link, but I was looking for a script that I > >can set up so users can forward false positives/negatives to so that > >they will be learned by SA as spam or ham ... also, as it will be hard > >enough to teach people to forward correctly, it has to learn from a > >forwarded, not bounced, mail ... that is, ignore the information added > >by the mail client and just look at the original mail (as far as > >information is still available, like headers, etc.) > > > >Help appreciated, > > > >-garry > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 18:20:28 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4CA@jessica.herefordshire.gov.uk> I've just double-checked, the issue is only with high-scoring spam actions. We have Spam Actions = store striphtml deliver High Scoring Spam Actions = store delete Maybe another option for this one? 
I want unconditional virus scanning for us - that way we get accurate statistics, others might want to only scan the stuff which is stored because, if you're deleting and not storing and don't need to keep stats, there's no need to scan. I think that anything other than "delete" on its own should force a scan by default, with an additional "Virus Scan Everything" option for the paranoid and statistics gatherers amongst us (like me). i.e. Anything we store or forward / bounce to others should be scanned by default. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Edward L. Hannaford > Sent: 30 January 2004 17:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Skip scan for viruses > > > On Fri, 30 Jan 2004 09:26:55 +0000, Julian Field > wrote: > > >No. The spam detection is done before the virus detection. > >That way you can avoid the extra work of scanning spam > messages you are > >deleting anyway. > > > Really? My MailScanner seems to do both anti-virus and spam > scanning. I > get quite a few messages with tags from both processes. Or > perhaps I'm just > unaware of one of the inner processes; is MailScanner supposed to skip > anti-virus scanning for all spams or just the ones that > aren't forwarded on > to users (high-scoring spams, in my case)? > > I also must agree with some other posters. Spam-scanning is > nice but, spam > or not, anti-virus scanning is essential. I do *not* want > MailScanner to > skip anti-virus scanning of *any* message! 
> > -Ed > From dustin.baer at IHS.COM Fri Jan 30 18:19:30 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> Message-ID: <401AA032.8FC7E858@ihs.com> "Randal, Phil" wrote: > > No, spam can't directly compromise your PC, viruses can. > > As it stands it is a gaping security hole in MailScanner. That is a ridiculous statement. > Hypothethical example: User phones, and says "your flipping anti-spam gizmo > has blocked an email which isn't spam, can you release it?". You look at > the logs, see that Mailscanner doesn't think it's a virus and release it > from quarantine. BOOM! > > Phil Then the admin who released it is at fault. I release spam everyday, but put it back through MailScanner, AFTER adding a specific header (X-SpamRequested-Email) that will subract 100 points from SpamAssassin. The -100 score was added 1.5 years ago, when I did release infected message into mqueue. I sure as hell didn't blame MailScanner, or Julian for my stupidity. Luckily, Norton caught it on our Lotus Notes server, before any problems were caused. It is not a gaping security hole in MailScanner, but it is a gaping security hole for an admin to send an email on without scanning it for viruses. It really doesn't matter if a file is stopped because of spam first, as long as you are smart enough to know to check it for viruses, before giving it to an end user. 
Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From email at ace.net.au Fri Jan 30 18:19:19 2004 From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:22:13 2006 Subject: another 4.26.6 tweak In-Reply-To: <6.0.1.1.2.20040130092121.03a10db8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040130092121.03a10db8@imap.ecs.soton.ac.uk> Message-ID: <200401310449190027.11CF5223@smtp1.ace.net.au> Any chance of adding the version number inside MailScanner.conf so I can make sure I am not using a mismatched version? Peter *********** REPLY SEPARATOR *********** On 30/01/2004 at 9:21 AM Julian Field wrote: >Done. > >At 18:55 29/01/2004, you wrote: >>Julian, >> Can you add a comment to MailScanner.conf, before >>Incoming Work Dir = >>noting that this directory can safely use ramdisk/tmpfs, >>eg /tmp on Solaris? Newbies may not be aware of this. >> >>Jeff > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Fri Jan 30 18:22:53 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> Message-ID: <401AA0FD.62CF5D78@ihs.com> "Randal, Phil" wrote: > > No, spam can't directly compromise your PC, viruses can. > > As it stands it is a gaping security hole in MailScanner. > > Hypothethical example: User phones, and says "your flipping anti-spam gizmo > has blocked an email which isn't spam, can you release it?". You look at > the logs, see that Mailscanner doesn't think it's a virus and release it > from quarantine. BOOM! Phil, Do you not also have virus protection at the desktop in your corporation? 
Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From dustin.baer at IHS.COM Fri Jan 30 18:26:29 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:13 2006 Subject: Sophos AND ClamAV Missing Some? References: <200401300146.i0U1k7wQ010998@avwall.bladeware.com> Message-ID: <401AA1D5.BD166437@ihs.com> Mike Kercher wrote: > > The characteristics look to be the same as the MyDoom...but it just gets > delete. Does this look right? > > [snip] > > Jan 29 19:44:34 avwall MailScanner[17208]: Spam Actions: message > i0U1iNwQ010938 actions are delete > > Mike Mike, Do you have spam set to delete? Spam checking is done before virus checking. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From peter at UCGBOOK.COM Fri Jan 30 18:28:43 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses In-Reply-To: <401AA032.8FC7E858@ihs.com> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> Message-ID: <401AA25B.5050801@ucgbook.com> Dustin Baer wrote: > Then the admin who released it is at fault. I release spam everyday, > but put it back through MailScanner, AFTER adding a specific header > (X-SpamRequested-Email) that will subract 100 points from SpamAssassin. > The -100 score was added 1.5 years ago, when I did release infected > message into mqueue. I sure as hell didn't blame MailScanner, or Julian > for my stupidity. Luckily, Norton caught it on our Lotus Notes server, > before any problems were caused. Could you post how you add the extra header and the SA rule that gives it -100? I'm sure many would be interested in using that approach. 
-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP From prandal at HEREFORDSHIRE.GOV.UK Fri Jan 30 18:37:02 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4CB@jessica.herefordshire.gov.uk> > Then the admin who released it is at fault. I release spam everyday, > but put it back through MailScanner, AFTER adding a specific header > (X-SpamRequested-Email) that will subract 100 points from > SpamAssassin. > The -100 score was added 1.5 years ago, when I did release infected > message into mqueue. I sure as hell didn't blame > MailScanner, or Julian > for my stupidity. Luckily, Norton caught it on our Lotus > Notes server, > before any problems were caused. That's a good point. I'm just using an out of the box (ish) version of MailWatch to handle the releases, which doesn't add that header. I feel an enhancement request for MailWatch coming up ;-) Documentation about best practices will help here. > It is not a gaping security hole in MailScanner, but it is a gaping > security hole for an admin to send an email on without scanning it for > viruses. > > It really doesn't matter if a file is stopped because of spam > first, as > long as you are smart enough to know to check it for viruses, before > giving it to an end user. > > Dustin Releasing a file to a user and then having the release bounce back is a cumbersome way to do things. and from another post... > Do you not also have virus protection at the desktop in your corporation? We do indeed, but the AV vendor lagged well behind ClamAV with updated patterns, hence the window of vulnerability I mentioned in an earlier post. I really don't want to go on about this. I'd just like everything delivered or quarantined scanned. 
Well, everything, but if you are in an environment where you have a high spam to ham ratio, you might feel differently. But I've just covered this in a different post. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK From kevins at BMRB.CO.UK Fri Jan 30 18:42:23 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses In-Reply-To: <401AA25B.5050801@ucgbook.com> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> <401AA25B.5050801@ucgbook.com> Message-ID: <1075488152.17925.7.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 18:28, Peter Bonivart wrote: > Could you post how you add the extra header and the SA rule that gives > it -100? I'm sure many would be interested in using that approach. > How long before Mr. Evil Spammer starts adding X-SpamRequested-Email: to all his spams! (yes I know this is unlikely unless it got really widespread, but...) Wouldn't it be better to spam whitelist the IP address of the MailScanner machine (which is presumably where the message would be sent from)? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
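The forgery concern raised in the message above, as an added example that is not part of the original thread and not MailScanner or SpamAssassin code: instead of a fixed value, the release step writes an X-SpamRequested-Email value that carries an HMAC over the queue ID and recipient, and a filter run before scoring removes any copy of the header that does not verify. The key, the token format, the function names and the sample messages are assumptions made for this illustration.

```python
import hashlib
import hmac
from email import message_from_string

HEADER = "X-SpamRequested-Email"       # header name used in this thread
RELEASE_KEY = b"constructed-demo-key"  # assumption: secret kept on the scanner host


def release_token(queue_id, recipient, key=RELEASE_KEY):
    """Header value for one released message.

    Starts with "Requested" and adds an HMAC over queue ID and recipient,
    so a sender who does not hold the key cannot produce it.
    """
    data = (queue_id + "\n" + recipient.lower()).encode("utf-8")
    return "Requested v1:" + hmac.new(key, data, hashlib.sha256).hexdigest()


def token_is_valid(value, queue_id, recipient, key=RELEASE_KEY):
    """Constant-time check of a header value against the expected token."""
    expected = release_token(queue_id, recipient, key).encode("utf-8")
    supplied = str(value).strip().encode("utf-8", "replace")
    return hmac.compare_digest(supplied, expected)


def sanitize(raw_message, queue_id, recipient, key=RELEASE_KEY):
    """Remove every release header that does not verify.

    Returns (message, released). A message that arrived with a forged header
    and was later released by the admin keeps only the verified value.
    """
    msg = message_from_string(raw_message)
    values = msg.get_all(HEADER, [])
    valid = [str(v).strip() for v in values
             if token_is_valid(v, queue_id, recipient, key)]
    del msg[HEADER]              # drops all occurrences, forged or genuine
    if valid:
        msg[HEADER] = valid[0]   # re-add one verified copy
    return msg, bool(valid)


# Constructed sample input (not taken from the thread).
QUEUE_ID = "i0UEXAMPLE00001"
RCPT = "user@example.com"
BASE = ("From: sender@example.net\n"
        "To: user@example.com\n"
        "Subject: constructed sample\n")
# Arrives from outside with the bare value a sender could guess.
FORGED = BASE + "X-SpamRequested-Email: Requested\n\nbody\n"
# Same message after a genuine release: forged copy plus the keyed value.
RELEASED = (BASE + "X-SpamRequested-Email: Requested\n"
            + "X-SpamRequested-Email: " + release_token(QUEUE_ID, RCPT)
            + "\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("released", RELEASED)):
        msg, released = sanitize(raw, QUEUE_ID, RCPT)
        print(name, "released =", released, "headers =", msg.get_all(HEADER))
```

Because the verified value still begins with "Requested", a scoring rule that matches on that word keeps working once unverified copies of the header have been removed.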
From dwinkler at ALGORITHMICS.COM Fri Jan 30 18:44:31 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B183@tormail2.algorithmics.com> I think with sendmail anyways, you'd need to change the ip address in the qf file. Change it to 127.0.0.1 and whitelist that address. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Friday, January 30, 2004 1:42 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Skip scan for viruses On Fri, 2004-01-30 at 18:28, Peter Bonivart wrote: > Could you post how you add the extra header and the SA rule that gives > it -100? I'm sure many would be interested in using that approach. > How long before Mr. Evil Spammer starts adding X-SpamRequested-Email: to all his spams! (yes I know this is unlikely unless it got really widespread, but...) Wouldn't it be better to spam whitelist the IP address of the MailScanner machine (which is presumably where the message would be sent from)? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From sveinn at SVEINNG.COM Fri Jan 30 19:01:46 2004 From: sveinn at SVEINNG.COM (Sveinn G. 
Gunnarsson) Date: Thu Jan 12 21:22:13 2006 Subject: Don't Quarantine Viruses In-Reply-To: <20040130172056.GC2936@rfa.org> Message-ID: <200401301900.i0UJ06wQ12935300@cg.c.is> How about a rule that makes use of the MassMail flag that most virus engines output (@mm) Would a rule like this make the trick? Virus: \@mm yes Virus: default no Cheers, Svenni... > I've implemented this with "mydoom" and it's saving us a lot of disk > space. > > What are the chances of having All-Viruses as in the Silent Viruses > config option available as a special case in this ruleset? Something like: > > Virus: All-Viruses no > Virus: default yes > > so we could quarantine only filename, filetype and html-tag "virus" > detected mail. > > Is this possible? Would it be a good idea? > > -Eric Rz. > > On Fri, Jan 30, 2004 at 09:26:18AM +0000, Julian Field wrote: > > The test is a simple sub-string, so "mydoom" should match both of your > > examples. > > > > At 22:32 29/01/2004, you wrote: > > >Do these names have to match the name as reported by the virus > scanners? > > >or is it case insensitive? > > > > > >i.e., will: > > > > > >Virus: mydoom no > > > > > >prevent mydoom from being quarantined when caught by either sophossavi > > >or uvscan? > > > > > >or do I need to do this? : > > > > > >Virus: W32/MyDoom-A no > > >Virus: W32/Mydoom.a@MM no > > > > > > > > >Thanks, > > >Eric Rz. > > > > > >On Wed, Jan 28, 2004 at 02:55:11PM -0500, Hirsh, Joshua wrote: > > >> > I'd like to be able to not quarantine viruses but still > > >> > quarantine filetype denies. > > >> > > >> Yup, you can distinguish between the two. You can set "Quarantine > > >> Infections" to match against a rule, and in the rules file have > something > > >> like this: > > >> > > >> Virus: sobig no > > >> Virus: dumaru no > > >> Virus: mimail no > > >> > > >> > > >> Etc.. 
> > >>
> > >>
> > >> Cheers,
> > >>
> > >> -Joshua
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dustin.baer at IHS.COM Fri Jan 30 19:01:21 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:13 2006
Subject: Skip scan for viruses
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> <401AA25B.5050801@ucgbook.com>
Message-ID: <401AAA01.A98E0DF0@ihs.com>

Peter Bonivart wrote:
>
> Dustin Baer wrote:
> > Then the admin who released it is at fault. I release spam everyday,
> > but put it back through MailScanner, AFTER adding a specific header
> > (X-SpamRequested-Email) that will subtract 100 points from SpamAssassin.
> > The -100 score was added 1.5 years ago, when I did release infected
> > message into mqueue. I sure as hell didn't blame MailScanner, or Julian
> > for my stupidity. Luckily, Norton caught it on our Lotus Notes server,
> > before any problems were caused.
>
> Could you post how you add the extra header and the SA rule that gives
> it -100? I'm sure many would be interested in using that approach.
>
> --
> /Peter Bonivart

Of course. If you want the full script(s), I can give you that too, but
the short version of the piece you are asking about is (for Sendmail):

#!/bin/ksh
# Insert the release header just before the "." line that ends the qf file.
sed 's/^\.$/H??X-SpamRequested-Email: Requested\
./' "qf$emailID" > "qf$emailID.$$" && mv "qf$emailID.$$" "qf$emailID"
# Copy the df/qf pair back into the incoming queue so it is scanned again.
cp *"$emailID" /var/spool/mqueue.in

The SpamAssassin rule is:

header SPAM_REQUESTED X-SpamRequested-Email =~ /Requested/
describe SPAM_REQUESTED Email requested from the MailScanner quarantine directory
score SPAM_REQUESTED -100

What I do is send out an overnight HTML email notifying individuals of what was quarantined.
They can click on a link that will send the email ID, email address and quarantined date to an email address that calls a longer version of the above script. The longer version will check to see if there is more than one recipient. If so, it will then modify the qf file to only send to that person. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From dustin.baer at IHS.COM Fri Jan 30 19:06:40 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:13 2006 Subject: Skip scan for viruses References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4B6@jessica.herefordshire.gov.uk> <401AA032.8FC7E858@ihs.com> <401AA25B.5050801@ucgbook.com> <1075488152.17925.7.camel@bach.kevinspicer.co.uk> Message-ID: <401AAB40.856224@ihs.com> Kevin Spicer wrote: > > On Fri, 2004-01-30 at 18:28, Peter Bonivart wrote: > > Could you post how you add the extra header and the SA rule that gives > > it -100? I'm sure many would be interested in using that approach. > > > How long before Mr. Evil Spammer starts adding X-SpamRequested-Email: to > all his spams! (yes I know this is unlikely unless it got really > widespread, but...) LOL! Now that they are probably reading this list, very soon... > Wouldn't it be better to spam whitelist the IP address of the > MailScanner machine (which is presumably where the message would be sent > from)? The MailScanner machine is whitelisted, but I add the header to the original qf, and send the df/qf pair back through. That way, the logs remain consistent. Although now that you bring it up, I might mess with changing the $_ flag in the qf file, rather than adding the header. 
Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mike at CAMAROSS.NET Fri Jan 30 19:09:06 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:22:13 2006 Subject: Sophos AND ClamAV Missing Some? In-Reply-To: <401AA1D5.BD166437@ihs.com> Message-ID: <200401301907.i0UJ7UH2027476@avwall.bladeware.com> I *am* deleting spam. That would explain it :) Thanks! Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Dustin Baer > Sent: Friday, January 30, 2004 12:26 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos AND ClamAV Missing Some? > > Mike Kercher wrote: > > > > The characteristics look to be the same as the MyDoom...but it just > > gets delete. Does this look right? > > > > [snip] > > > > Jan 29 19:44:34 avwall MailScanner[17208]: Spam Actions: message > > i0U1iNwQ010938 actions are delete > > > > Mike > > Mike, > > Do you have spam set to delete? Spam checking is done > before virus checking. 
>
> Dustin
> --
> Dustin Baer
> Unix Administrator/Postmaster
> Information Handling Services
> 15 Inverness Way East
> Englewood, CO 80112
> 303-397-2836
>

From shrek-m at GMX.DE Fri Jan 30 19:24:50 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:13 2006
Subject: [OT] Virus scanning strategies
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C2@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C4C2@jessica.herefordshire.gov.uk>
Message-ID: <401AAF82.5020802@gmx.de>

Randal, Phil wrote:

>It all falls apart when for whatever reason the antivirus fails (either
>totally
>
you can see if the intercheck-client isn't started
red intercheck-monitor = all is ok
grey = inactive

> or to update patterns)
>
a linuxbox wget, unzip, cp the sophos-ides to the intercheck-server (w2k)
and mails me what happened,
if there should be problems, savadmin (i haven't tested em) shows me the
status on the clients.

> on one or more of the desktops.
>
one desktop = could happen
more desktops = could happen
undergoing earth = could happen
human beings on mars = could happen

> That's why
>defence in depth is needed.
>
iptables
snort
mrtg
ntop
...
and very important:
the own feeling for the network

--
shrek-m

From shrek-m at GMX.DE Fri Jan 30 19:42:48 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:13 2006
Subject: spaces-mydooma--mix
Message-ID: <401AB3B8.4050709@gmx.de>

hi,

has anyone got the same mixture spaces/mydoom-a ?

From: jrocha@mtc.gob.pe
To: shrek-m@gmx.de
Subject: {Virus?} HELLO
Date: Fri, 30 Jan 2004 13:57:30 -0500

At Fri Jan 30 20:01:07 2004 the virus scanner said:
Sophos: >>> Virus 'W95/Spaces' found in file message.zip/message.pif
Sophos: >>> Virus 'W32/MyDoom-A' found in file message.zip
ClamAV: message.zip contains Worm.SCO.A

$ sweep /data4/doku/viren/zip/message.zip
>>> Virus 'W32/MyDoom-A' gefunden in Datei /data4/doku/viren/zip/message.zip

$ sweep -archive /data4/doku/viren/zip/message.zip
>>> Virus 'W95/Spaces' gefunden in Datei /data4/doku/viren/zip/message.zip/message.pif
>>> Virus 'W32/MyDoom-A' gefunden in Datei /data4/doku/viren/zip/message.zip

$ clamscan /data4/doku/viren/zip/message.zip
/data4/doku/viren/zip/message.zip: Worm.SCO.A FOUND

--
shrek-m

From Kevin_Miller at CI.JUNEAU.AK.US Fri Jan 30 19:49:22 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:22:13 2006
Subject: Skip scan for viruses
Message-ID: <08146035CA49D6119A36009027AC822A0264ED80@CITY-EXCH-NTS>

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>
>Let me have a think.
>I'll get back to you.

Here's my tuppence worth. Currently, I deep six virii, forward spam to Alphonse Spamdog (a dummy user in Exchange). I can easily recover a false positive that way. I would hazard a guess that *most* people quarantine spam and delete virus infected messages. I know there are some that drop spam and others that quarantine viruses, but my gut feeling is they're (especially the latter) the minority. I may well be wrong of course.

For every message, both spam and virus scanning happens. If the order were reversed, I could scan for virii, delete the message if infected, and not have to do the spam scanning. This would entail a status check between processes of course - not sure if there is one now or if it all happens at the end of the spam/virus scan cycle.
During high spam, low virus times, the utilization would be roughly the same regardless of the order as both processes happen and the percentage of virus infected messages is pretty low. During a high virus, high spam (I don't see spam abating significantly like viruses do) I would drop a lot of virii before they got to the spam stage thus saving some CPU cycles. So, for us, virus scanning first makes the most sense, assuming the mechanism is in place to drop the message w/o bothering w/spam scanning. Either way though, I figure we outta start refering to JF as Sir Julian irrespective of what the Queen does. So what's her email address again? S'later... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From tduvally at BROWN.EDU Fri Jan 30 19:49:59 2004 From: tduvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:22:13 2006 Subject: Possible wishlist item - attachment decisions Message-ID: <1075492199.28494.25.camel@cis-staff-kntx90.cis.brown.edu> I thought I saw a discussion about this, but I can't seem to find it again, so I am going to ask: Can MailScanner be told NOT the virus-scan a message (and/or attachments) if the filename.rules are going to deny it anyway? I thought I saw some discussion about this and that is was not something one would want, but it would be if lack of it makes higher-ups want to change e-mail products... which I would rather not do. -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/c9b46277/attachment.bin From kevins at BMRB.CO.UK Fri Jan 30 19:54:52 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:13 2006 Subject: spaces-mydooma--mix In-Reply-To: <401AB3B8.4050709@gmx.de> References: <401AB3B8.4050709@gmx.de> Message-ID: <1075492493.17947.12.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 19:42, shrek-m@gmx.de wrote: > From: jrocha@mtc.gob.pe > To: shrek-m@gmx.de > Subject: {Virus?} HELLO > Date: Fri, 30 Jan 2004 13:57:30 -0500 > > At Fri Jan 30 20:01:07 2004 the virus scanner said: > Sophos: >>> Virus 'W95/Spaces' found in file message.zip/message.pif > Sophos: >>> Virus 'W32/MyDoom-A' found in file message.zip > ClamAV: message.zip contains Worm.SCO.A > Spaces is a very old virus and, according to Sophos's site, spreads in exe files (it doesn't mention pif files). Also its finding myDoom in the zip, but the only file in the zip is a pif file containing a different virus??? Where did MyDoom go? I suspect that Spaces is a false positive - if you managed to quarantine the file you might like to send it to Sophos for further analysis. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From kevins at BMRB.CO.UK Fri Jan 30 19:56:56 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:13 2006 Subject: Possible wishlist item - attachment decisions In-Reply-To: <1075492199.28494.25.camel@cis-staff-kntx90.cis.brown.edu> References: <1075492199.28494.25.camel@cis-staff-kntx90.cis.brown.edu> Message-ID: <1075492616.17947.15.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 19:49, Thomas DuVally wrote: > I thought I saw a discussion about this, but I can't seem to find it > again, so I am going to ask: > > Can MailScanner be told NOT the virus-scan a message (and/or > attachments) if the filename.rules are going to deny it anyway? > IIRC the answer is no, because the whole batch of messages is virus scanned together. There might have been a reason to do with the order of the checks as well. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ugob at CAMO-ROUTE.COM Fri Jan 30 19:58:17 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:13 2006 Subject: Possible wishlist item - attachment decisions Message-ID: <54C38A0B814C8E438EF73FC76F36292741087C@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Kevin Spicer [mailto:kevins@BMRB.CO.UK] > Envoy? : Friday, January 30, 2004 2:57 PM > ? 
: MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Possible wishlist item - attachment decisions > > > On Fri, 2004-01-30 at 19:49, Thomas DuVally wrote: > > I thought I saw a discussion about this, but I can't seem to find it > > again, so I am going to ask: > > > > Can MailScanner be told NOT the virus-scan a message (and/or > > attachments) if the filename.rules are going to deny it anyway? > > > IIRC the answer is no, because the whole batch of messages is virus > scanned together. There might have been a reason to do with the order > of the checks as well. Well, would it be a rule, or for _all_ messages? > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From merkel at METALINK.NET Fri Jan 30 19:49:17 2004 From: merkel at METALINK.NET (Eric J Merkel) Date: Thu Jan 12 21:22:13 2006 Subject: Performance problems... Message-ID: <00db01c3e76a$320b8030$22c8a8c0@staff.metalink.net> I am in the process of converting our SMTP(sendmail) relay servers to MailScanner & F-PROT. Previously we had been using RAV antivirus with libmilter to scan all incoming and outgoing emails for viruses. Since moving to MailScanner & F-PROT it seems as though my messages are getting back logged quite quickly. The server prior to the switch had an average uptime of 1.0 - 3.0. 
Now I am consistantly running at 10.00 - 13.00 load average and have about 28,000 files waiting in the mqueue.in directory to be processed only a few hours after putting into production. I've tried turning off all virus notifications and tweaked the mailscanner.conf to process messages both in batch and in queue. While in batch mode, I also tried changing the number of messages in the batch to process at any one time but it doesn't seem like mailscanner can keep up with the number of incoming messages passing thru the system. I've also lowered sendmail's logging level to 0, turned off fsync on /var/log/maillog. I tried splitting the mqueue.in directory into multiple directories but couldn't get sendmail to drop the files into directories under mqueue.in. Yes I did change the sendmail startup command to change the incoming queue directory to mqueue.in/* and also in mailscanner.conf. So at last, I am wondering what else I can try to improve the throughput of the system? The specs on the system are as follows: Intel PIII 700Mhz 512K RAM Ultra2-160 SCSI LVD drives RedHat 9 + Sendmail 8.12.8 + MailScanner 4.25-14 I know this system is not very high powered, but I have systems identical to this one in a SMTP load-balanced cluster runnig RAV + libmilter wirh no such issues. Thanks for any advice you might lend. Eric Merkel / MetaLINK Technologies, Inc ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* Email: merkel@metalink.net Phone: 419-782-3472 ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* From ugob at CAMO-ROUTE.COM Fri Jan 30 20:05:08 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:13 2006 Subject: Performance problems... Message-ID: <54C38A0B814C8E438EF73FC76F36292741087D@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Eric J Merkel [mailto:merkel@METALINK.NET] > Envoy? : Friday, January 30, 2004 2:49 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Performance problems... 
> > > I am in the process of converting our SMTP(sendmail) relay servers to > MailScanner & F-PROT. Previously we had been using RAV antivirus with > libmilter to scan all incoming and outgoing emails for > viruses. Since moving > to MailScanner & F-PROT it seems as though my messages are > getting back > logged quite quickly. The server prior to the switch had an > average uptime > of 1.0 - 3.0. Now I am consistantly running at 10.00 - 13.00 > load average > and have about 28,000 files waiting in the mqueue.in directory to be > processed only a few hours after putting into production. > > I've tried turning off all virus notifications and tweaked the > mailscanner.conf to process messages both in batch and in > queue. While in > batch mode, I also tried changing the number of messages in > the batch to > process at any one time but it doesn't seem like mailscanner > can keep up > with the number of incoming messages passing thru the system. > I've also > lowered sendmail's logging level to 0, turned off fsync on > /var/log/maillog. > I tried splitting the mqueue.in directory into multiple > directories but > couldn't get sendmail to drop the files into directories > under mqueue.in. > Yes I did change the sendmail startup command to change the > incoming queue > directory to mqueue.in/* and also in mailscanner.conf. So at > last, I am > wondering what else I can try to improve the throughput of the system? > > The specs on the system are as follows: > > Intel PIII 700Mhz > 512K RAM > Ultra2-160 SCSI LVD drives > RedHat 9 + Sendmail 8.12.8 + MailScanner 4.25-14 > > I know this system is not very high powered, but I have > systems identical to > this one in a SMTP load-balanced cluster runnig RAV + > libmilter wirh no such > issues. > > Thanks for any advice you might lend. Please let you know the output of : free (to see if you are swapping) vmstat 5 iostat 5 Also, check your logs for timeouts. Do you have a caching DNS server on this machine? If not you should. 
hth Ugo > > Eric Merkel / MetaLINK Technologies, Inc > ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* > Email: merkel@metalink.net > Phone: 419-782-3472 > ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* > From shrek-m at GMX.DE Fri Jan 30 20:31:26 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:13 2006 Subject: spaces-mydooma--mix In-Reply-To: <1075492493.17947.12.camel@bach.kevinspicer.co.uk> References: <401AB3B8.4050709@gmx.de> <1075492493.17947.12.camel@bach.kevinspicer.co.uk> Message-ID: <401ABF1E.5070002@gmx.de> Kevin Spicer wrote: >Spaces is a very old virus and, according to Sophos's site, spreads in >exe files (it doesn't mention pif files). Also its finding myDoom in >the zip, but the only file in the zip is a pif file containing a >different virus??? Where did MyDoom go? > >I suspect that Spaces is a false positive > i hope http://sophos.com/virusinfo/analyses/w95spaces.html >if you managed to quarantine >the file you might like to send it to Sophos for further analysis. > > this is always my first step with potential viruses before i post it to a list -------- 200.60.237.158 please check your system $ host -t mx 200.60.237.158 158.237.60.200.in-addr.arpa domain name pointer client-200.60.237.158.speedy.net.pe. -------- -- shrek-m From kevins at BMRB.CO.UK Fri Jan 30 20:31:12 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:13 2006 Subject: Performance problems... In-Reply-To: <00db01c3e76a$320b8030$22c8a8c0@staff.metalink.net> References: <00db01c3e76a$320b8030$22c8a8c0@staff.metalink.net> Message-ID: <1075494672.17947.25.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 19:49, Eric J Merkel wrote: > I've tried turning off all virus notifications and tweaked the > mailscanner.conf to process messages both in batch and in queue. 
While in > batch mode, I also tried changing the number of messages in the batch to > process at any one time but it doesn't seem like mailscanner can keep up > with the number of incoming messages passing thru the system. I've also > lowered sendmail's logging level to 0, turned off fsync on /var/log/maillog. > I tried splitting the mqueue.in directory into multiple directories but > couldn't get sendmail to drop the files into directories under mqueue.in. > Yes I did change the sendmail startup command to change the incoming queue > directory to mqueue.in/* and also in mailscanner.conf. So at last, I am > wondering what else I can try to improve the throughput of the system? > If you have not done so already try putting the MailScanner work directory (/var/spool/mailscanner/incoming) in tmpfs (assuming memory isn't the issue of course). I presume you are not using SpamAssassin? I'd guess you are getting a lot of MyDoom related emails? One problem this causes is messages to accounts that don't exist. If you have MailScanner set to still deliver disinfected / cleaned messages then the bounces from these may cause extra load on your server. There were some useful sendmail rules (both subject and recipient) posted to the list which can help to block MyDoom. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
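The advice above about mail addressed to accounts that do not exist can be turned into a repeatable check over maillog. This is an added example, not code from the thread: the log line shapes, the sample addresses, the hit threshold and the keep list are assumptions, and the `To:address REJECT` access-map form is the one quoted later in this thread.

```python
import re
from collections import Counter

# Constructed sample maillog lines in sendmail's usual shapes; the host,
# queue ids and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 30 20:15:01 mx01 sendmail[4101]: i0UKF1aa004101: <sales2@example.com>... User unknown
Jan 30 20:15:02 mx01 sendmail[4102]: i0UKF2aa004102: to=<sales2@example.com>, delay=00:00:01, mailer=local, dsn=5.1.1, stat=User unknown
Jan 30 20:15:04 mx01 sendmail[4103]: i0UKF4aa004103: <Sales2@Example.com>... User unknown
Jan 30 20:15:09 mx01 sendmail[4104]: i0UKF9aa004104: <jon@example.com>... User unknown
Jan 30 20:15:11 mx01 sendmail[4105]: i0UKFBaa004105: to=<alice@example.com>, delay=00:00:02, mailer=local, dsn=2.0.0, stat=Sent
Jan 30 20:15:15 mx01 sendmail[4106]: i0UKFFaa004106: <info9@elsewhere.test>... User unknown
Jan 30 20:15:16 mx01 sendmail[4107]: i0UKFGaa004107: <info9@elsewhere.test>... User unknown
Jan 30 20:15:17 mx01 sendmail[4108]: i0UKFHaa004108: <info9@elsewhere.test>... User unknown
Jan 30 20:15:20 mx01 sendmail[4109]: i0UKFKaa004109: <postmaster@example.com>... User unknown
Jan 30 20:15:21 mx01 sendmail[4110]: i0UKFLaa004110: <postmaster@example.com>... User unknown
Jan 30 20:15:22 mx01 sendmail[4111]: i0UKFMaa004111: <postmaster@example.com>... User unknown
Jan 30 20:15:30 mx01 sendmail[4112]: i0UKFUaa004112: <"weird"@example.com>... User unknown
"""

# Rejection logged at RCPT time, and a failed local delivery (assumed shapes).
SMTP_REJECT = re.compile(r"<([^<>\s]+@[^<>\s]+)>\.\.\. User unknown")
DELIVERY_FAIL = re.compile(r"\bto=<([^<>\s]+@[^<>\s]+)>.*\bstat=User unknown")

# Recipient strings come from the sender, so only plain addresses are allowed
# to flow from the log into a configuration file.
SAFE_ADDR = re.compile(r"[a-z0-9._+-]+@[a-z0-9.-]+")


def unknown_recipients(log_text):
    """Count 'User unknown' events per lowercased recipient address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SMTP_REJECT.search(line) or DELIVERY_FAIL.search(line)
        if not match:
            continue
        addr = match.group(1).lower()
        if SAFE_ADDR.fullmatch(addr):
            counts[addr] += 1
    return counts


def access_entries(counts, local_domains, min_hits=3, keep=("postmaster", "abuse")):
    """Build access-map lines for repeatedly hit, nonexistent local recipients.

    min_hits keeps a one-off typo from being rejected for good; keep protects
    role accounts that must never be blocked (both are assumptions).
    """
    entries = []
    for addr, hits in counts.items():
        local, _, domain = addr.rpartition("@")
        if domain not in local_domains:
            continue  # never list recipients on domains we do not host
        if local in keep or hits < min_hits:
            continue
        entries.append(f"To:{addr}\tREJECT")
    return sorted(entries)


if __name__ == "__main__":
    for entry in access_entries(unknown_recipients(SAMPLE_LOG), {"example.com"}):
        print(entry)
```

sendmail consults `To:` entries only when the access database is enabled together with FEATURE(blacklist_recipients); review the generated lines before rebuilding the map.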
From kevins at BMRB.CO.UK Fri Jan 30 20:34:49 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Possible wishlist item - attachment decisions In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741087C@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F36292741087C@mtlnt501fs.CAMOROUTE.COM> Message-ID: <1075494890.17925.29.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 19:58, Ugo Bellavance wrote: > > IIRC the answer is no, because the whole batch of messages is virus > > scanned together. There might have been a reason to do with the order > > of the checks as well. > > Well, would it be a rule, or for _all_ messages? Ugo, maybe its late and I'm tired but I really can't work out what you are asking, principally I can't work out what the 'it' refers to. Would you mind elaborating. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From phil at netxp.com.au Fri Jan 30 20:16:02 2004 From: phil at netxp.com.au (Phil Grainger) Date: Thu Jan 12 21:22:14 2006 Subject: postfix oddity Message-ID: <2744.203.221.17.62.1075493762.squirrel@webmail.netxp.com.au> hi i am installing mailscan with clamav on a freebsd 4 ssytem using mailscan 2.45-14 oddly enough i have the mail sitting in the queue but mailscan can seem to process it? doing a postfix flush is the only way to deliver the mail. 
the postfix directory is /var/spool/postfix.in/deferred and mailscan nukes itself if i use anything other than /var/spool/postfix.in/deferred/* in the conf file. any ideas? tia! Phil Grainger Phil Grainger ---------------------------------------------------------------------------- netxp.com.au user support technical services http://netxp.com.au/ Unlimited ADSL from $69.95 p/m. ---------------------------------------------------------------------------- From ugob at CAMO-ROUTE.COM Fri Jan 30 20:39:45 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:14 2006 Subject: Possible wishlist item - attachment decisions Message-ID: <54C38A0B814C8E438EF73FC76F362927410882@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Kevin Spicer [mailto:kevins@BMRB.CO.UK] > Envoy? : Friday, January 30, 2004 3:35 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Possible wishlist item - attachment decisions > > > On Fri, 2004-01-30 at 19:58, Ugo Bellavance wrote: > > > IIRC the answer is no, because the whole batch of > messages is virus > > > scanned together. There might have been a reason to do > with the order > > > of the checks as well. > > > > Well, would it be a rule, or for _all_ messages? > > Ugo, maybe its late and I'm tired but I really can't work out what you > are asking, principally I can't work out what the 'it' refers > to. Would > you mind elaborating. No prob. There are two possible situation - Someone wants to disable virus scanning on all message received, relying only on filetype and filename rules. => Here, I think it is feasible. - Some wants to disable virus scanning only on specific messages received, using rules. => Here, you say it is not feasible, which makes sense. Hope this is clearer. Don't be affraid to tell me if I'm wrong. 
Thanks Ugo > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From lenaig at WANADOO.FR Fri Jan 30 21:06:39 2004 From: lenaig at WANADOO.FR (Thierry) Date: Thu Jan 12 21:22:14 2006 Subject: BSD pb running MailScanner In-Reply-To: <20040130171225.GA1022@maelenn> References: <20040130171225.GA1022@maelenn> Message-ID: <20040130210639.GA1297@maelenn> Just to know, i am not really use sendmail, but ssmtp ... Can it be the origin of the problem ? thx -- Thierry Ne faites jamais un "apt-get install new-wife" avant un "apt-get remove --purge current-wife" From merkel at METALINK.NET Fri Jan 30 21:06:54 2004 From: merkel at METALINK.NET (Eric J Merkel) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... References: <54C38A0B814C8E438EF73FC76F36292741087D@mtlnt501fs.CAMOROUTE.COM> Message-ID: <011b01c3e774$fda30dd0$22c8a8c0@staff.metalink.net> See response in line.... ----- Original Message ----- From: "Ugo Bellavance" To: Sent: Friday, January 30, 2004 3:05 PM Subject: Re: Performance problems... > > -----Message d'origine----- > > De : Eric J Merkel [mailto:merkel@METALINK.NET] > > Envoy? : Friday, January 30, 2004 2:49 PM > > ? : MAILSCANNER@JISCMAIL.AC.UK > > Objet : Performance problems... > > > > > > I am in the process of converting our SMTP(sendmail) relay servers to > > MailScanner & F-PROT. 
Previously we had been using RAV antivirus with > > libmilter to scan all incoming and outgoing emails for > > viruses. Since moving > > to MailScanner & F-PROT it seems as though my messages are > > getting back > > logged quite quickly. The server prior to the switch had an > > average uptime > > of 1.0 - 3.0. Now I am consistantly running at 10.00 - 13.00 > > load average > > and have about 28,000 files waiting in the mqueue.in directory to be > > processed only a few hours after putting into production. > > > > I've tried turning off all virus notifications and tweaked the > > mailscanner.conf to process messages both in batch and in > > queue. While in > > batch mode, I also tried changing the number of messages in > > the batch to > > process at any one time but it doesn't seem like mailscanner > > can keep up > > with the number of incoming messages passing thru the system. > > I've also > > lowered sendmail's logging level to 0, turned off fsync on > > /var/log/maillog. > > I tried splitting the mqueue.in directory into multiple > > directories but > > couldn't get sendmail to drop the files into directories > > under mqueue.in. > > Yes I did change the sendmail startup command to change the > > incoming queue > > directory to mqueue.in/* and also in mailscanner.conf. So at > > last, I am > > wondering what else I can try to improve the throughput of the system? > > > > The specs on the system are as follows: > > > > Intel PIII 700Mhz > > 512K RAM > > Ultra2-160 SCSI LVD drives > > RedHat 9 + Sendmail 8.12.8 + MailScanner 4.25-14 > > > > I know this system is not very high powered, but I have > > systems identical to > > this one in a SMTP load-balanced cluster runnig RAV + > > libmilter wirh no such > > issues. > > > > Thanks for any advice you might lend. > > Please let you know the output of : > > free > > (to see if you are swapping) It doesn't appear to be swapping... 
             total       used       free     shared    buffers     cached
Mem:        514684     352560     162124          0      91748      80912
-/+ buffers/cache:     179900     334784
Swap:      1020116        124    1019992

> > vmstat 5
> >
> > iostat 5
>

I do not seem to have iostat on this machine but here is a sample of the vmstat.

   procs                      memory      swap          io     system         cpu
 r  b  w   swpd   free   buff  cache   si   so    bi    bo   in    cs  us  sy  id
10  0  0    124  96680  92392  79592    0    0     0  1045  460   574  54  46   0
10  2  2    124  73732  92396  86048    0    0  1225  1006  612   851  58  42   0
 8  2  1    124  65824  92396  93740    0    0  1454  1766  807  1114  39  30  31
15  0  0    124  69712  92396  94212    0    0    34  1318  518   721  62  38   0
 7  0  0    124  81264  92404  94660    0    0     0  1736  602   852  67  33   0
11  4  1    124  84936  92408  95012    0    0     0  1547  493   763  47  23  30
13  1  2    124  92588  92412  94440    0    0     0  1803  510   761  63  37   0
 9  0  1    124  84756  92416  94764    0    0     0  1641  584   849  58  42   0
 8  2  1    124  87576  92420  94612    0    0     0  1310  576   773  65  35   0
 8  1  1    124  83644  92424  94956    0    0     0  1365  475   672  68  32   0
10  0  0    124  81748  92428  94148    0    0     0  1412  463   662  64  36   0
13  0  0    124  81020  92432  94656    0    0     0  1192  448   664  60  40   0
 9  1  1    124  79820  92436  94968    0    0     0  1106  477   702  57  43   0
 9  4  1    124  73908  92440  95200    0    0     0   859  363   492  50  34  16
 9  1  1    124  76824  92444  95544    0    0     0   894  363   557  63  37   0
12  0  1    124  89176  92452  95840    0    0     0  1388  545   758  71  29   0
 8  0  0    124  79660  92456  96108    0    0     0  1355  496   708  69  31   0
 6 23  0    124  81944  92464  95516    0    0     0  1722  620   790  61  39   0
 7  0  0    124  72148  92472  95560    0    0     0  2358  817  1199  62  38   0

> > Also, check your logs for timeouts.
> >
> > Do you have a caching DNS server on this machine? If not you should.
>

There are a fair number of timeouts. I do not have a caching name server on this server, but I am going to load one on and see if that helps. I am running three RBL's on this system so there are a lot of DNS lookups happening.

Eric

From merkel at METALINK.NET Fri Jan 30 21:10:56 2004
From: merkel at METALINK.NET (Eric J Merkel)
Date: Thu Jan 12 21:22:14 2006
Subject: Performance problems...
References: <00db01c3e76a$320b8030$22c8a8c0@staff.metalink.net> <1075494672.17947.25.camel@bach.kevinspicer.co.uk> Message-ID: <012101c3e775$8d8aa750$22c8a8c0@staff.metalink.net> See comments in-line... ----- Original Message ----- From: "Kevin Spicer" To: Sent: Friday, January 30, 2004 3:31 PM Subject: Re: Performance problems... > On Fri, 2004-01-30 at 19:49, Eric J Merkel wrote: > > I've tried turning off all virus notifications and tweaked the > > mailscanner.conf to process messages both in batch and in queue. While in > > batch mode, I also tried changing the number of messages in the batch to > > process at any one time but it doesn't seem like mailscanner can keep up > > with the number of incoming messages passing thru the system. I've also > > lowered sendmail's logging level to 0, turned off fsync on /var/log/maillog. > > I tried splitting the mqueue.in directory into multiple directories but > > couldn't get sendmail to drop the files into directories under mqueue.in. > > Yes I did change the sendmail startup command to change the incoming queue > > directory to mqueue.in/* and also in mailscanner.conf. So at last, I am > > wondering what else I can try to improve the throughput of the system? > > > > If you have not done so already try putting the MailScanner work > directory (/var/spool/mailscanner/incoming) in tmpfs (assuming memory > isn't the issue of course). I presume you are not using SpamAssassin? > No we are not using SA. I will look into mounting the MS incoming directory on a tempfs. Do you have any recommendation on how much RAM I should set aside for the tmpfs? > I'd guess you are getting a lot of MyDoom related emails? One problem > this causes is messages to accounts that don't exist. If you have > MailScanner set to still deliver disinfected / cleaned messages then the > bounces from these may cause extra load on your server. > I do not have it set to deliver cleaned/disinfected messages. 
I do have a fair number of bounced spam messages from unknown user accounts on our system. Right now I have a script clean out the mqueue every 10 minutes of all invalid bounce messages.

> There were some useful sendmail rules (both subject and recipient)
> posted to the list which can help to block MyDoom.
>

I just joined the list today so I didn't get a chance to see those filters. Do you have the subject of those messages so I can look them up in the archive?

Thanks in advance,

Eric

From mickey-ml at GREENGLOW.ORG Fri Jan 30 21:17:04 2004
From: mickey-ml at GREENGLOW.ORG (Mickey Everts)
Date: Thu Jan 12 21:22:14 2006
Subject: many spamassassin timeouts
In-Reply-To: <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl>
Message-ID: <002901c3e776$69113b40$630a0a0a@gyruss>

I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing output similar to below in maillog. Should I be looking elsewhere? I am trying to track down the source of some spamassassin timeouts I have been having. Ideally I need to log the equivalent of "spamassassin -D" for a few hours.

Thanks!

Mickey

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Piet Bos
Sent: Monday, January 26, 2004 3:02 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

a part of the debug output. I find the 0 behind Net::DNS resolver unavailable rather curious do you agree?
grtz Piet

debug: running raw-body-text per-line regexp tests; score so far=4.3
debug: running uri tests; score so far=4.3
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=4.3
debug: Razor2 is not available
debug: DCC is not available: dccproc not found
debug: Razor1 is not available
debug: Pyzor is not available: pyzor not found
debug: is Net::DNS::Resolver unavailable? 0
debug: trying (3) gwdg.de...
debug: looking up MX for 'gwdg.de'
debug: MX for 'gwdg.de' exists? 1
debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: running meta tests; score so far=5.3

----- Original Message -----
From: "Julian Field"
To:
Sent: Monday, January 26, 2004 9:39 AM
Subject: Re: many spamassassin timeouts

> Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> slow-down is.
>
> At 08:33 26/01/2004, you wrote:
> >Experiencing many spamassassin timeouts lately.
> >Is there a valid reason for that?
> >I'm using version 4.26-1 starting
> >my settings in MailScanner.conf are:
> >SpamAssassin Timeout = 40
> >Max SpamAssassin Timeouts = 50
> >
> >Any suggestions?
> >brgds Piet
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Fri Jan 30 21:13:56 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:14 2006
Subject: Performance problems...
Message-ID: <54C38A0B814C8E438EF73FC76F362927410885@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Eric J Merkel [mailto:merkel@METALINK.NET]
> Sent: Friday, January 30, 2004 4:11 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Performance problems...
>
>
> See comments in-line...
> ----- Original Message -----
> From: "Kevin Spicer"
> To:
> Sent: Friday, January 30, 2004 3:31 PM
> Subject: Re: Performance problems...
>
>
> > On Fri, 2004-01-30 at 19:49, Eric J Merkel wrote:
> > > I've tried turning off all virus notifications and tweaked the
> > > mailscanner.conf to process messages both in batch and in queue. While in
> > > batch mode, I also tried changing the number of messages in the batch to
> > > process at any one time but it doesn't seem like mailscanner can keep up
> > > with the number of incoming messages passing thru the system. I've also
> > > lowered sendmail's logging level to 0, turned off fsync on /var/log/maillog.
> > > I tried splitting the mqueue.in directory into multiple > directories but > > > couldn't get sendmail to drop the files into directories under > mqueue.in. > > > Yes I did change the sendmail startup command to change > the incoming > queue > > > directory to mqueue.in/* and also in mailscanner.conf. So > at last, I am > > > wondering what else I can try to improve the throughput > of the system? > > > > > > > If you have not done so already try putting the MailScanner work > > directory (/var/spool/mailscanner/incoming) in tmpfs > (assuming memory > > isn't the issue of course). I presume you are not using > SpamAssassin? > > > > No we are not using SA. I will look into mounting the MS > incoming directory > on a tempfs. Do you have any recommendation on how much RAM I > should set > aside for the tmpfs? Redhat? It will allocate it dynamically > > > I'd guess you are getting a lot of MyDoom related emails? > One problem > > this causes is messages to accounts that don't exist. If you have > > MailScanner set to still deliver disinfected / cleaned > messages then the > > bounces from these may cause extra load on your server. > > > > I do not have it set to deliver cleaned/disinfected messages. > I do have a > fair number of bounced spam messages from unknown user accounts on our > system. Right now I have a script clean out the mqueue every > 10 minutes of > all invalid bounce messages. > > > There were some useful sendmail rules (both subject and recipient) > > posted to the list which can help to block MyDoom. > > > > I just joined the list today so I didn't get a chance to see > those filters. > Do you have the subject of those messages so I can look them up in the > archive? > > Thanks in advance, > > Eric > From ugob at CAMO-ROUTE.COM Fri Jan 30 21:16:09 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... 
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132F5@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Eric J Merkel [mailto:merkel@METALINK.NET] > Envoy? : Friday, January 30, 2004 4:07 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Performance problems... > > > > > > > The specs on the system are as follows: > > > > > > Intel PIII 700Mhz > > > 512K RAM > > > Ultra2-160 SCSI LVD drives > > > RedHat 9 + Sendmail 8.12.8 + MailScanner 4.25-14 > > > > > > I know this system is not very high powered, but I have > > > systems identical to > > > this one in a SMTP load-balanced cluster runnig RAV + > > > libmilter wirh no such > > > issues. > > > > > > Thanks for any advice you might lend. > > > > Please let you know the output of : > > > > free > > > > (to see if you are swapping) > > It doesn't appear to be swapping... > > total used free shared > buffers cached > Mem: 514684 352560 162124 0 > 91748 80912 > -/+ buffers/cache: 179900 334784 > Swap: 1020116 124 1019992 You are right. But make sure you make top and look if it ever swaps. > > > > > vmstat 5 > > > > iostat 5 > > > > I do not seem to have iostat on this machine but here is a > sample of the > vmstat. 
>
>    procs                      memory      swap          io     system         cpu
>  r  b  w   swpd   free   buff  cache   si   so    bi    bo   in    cs  us  sy  id
> 10  0  0    124  96680  92392  79592    0    0     0  1045  460   574  54  46   0
> 10  2  2    124  73732  92396  86048    0    0  1225  1006  612   851  58  42   0
>  8  2  1    124  65824  92396  93740    0    0  1454  1766  807  1114  39  30  31
> 15  0  0    124  69712  92396  94212    0    0    34  1318  518   721  62  38   0
>  7  0  0    124  81264  92404  94660    0    0     0  1736  602   852  67  33   0
> 11  4  1    124  84936  92408  95012    0    0     0  1547  493   763  47  23  30
> 13  1  2    124  92588  92412  94440    0    0     0  1803  510   761  63  37   0
>  9  0  1    124  84756  92416  94764    0    0     0  1641  584   849  58  42   0
>  8  2  1    124  87576  92420  94612    0    0     0  1310  576   773  65  35   0
>  8  1  1    124  83644  92424  94956    0    0     0  1365  475   672  68  32   0
> 10  0  0    124  81748  92428  94148    0    0     0  1412  463   662  64  36   0
> 13  0  0    124  81020  92432  94656    0    0     0  1192  448   664  60  40   0
>  9  1  1    124  79820  92436  94968    0    0     0  1106  477   702  57  43   0
>  9  4  1    124  73908  92440  95200    0    0     0   859  363   492  50  34  16
>  9  1  1    124  76824  92444  95544    0    0     0   894  363   557  63  37   0
> 12  0  1    124  89176  92452  95840    0    0     0  1388  545   758  71  29   0
>  8  0  0    124  79660  92456  96108    0    0     0  1355  496   708  69  31   0
>  6 23  0    124  81944  92464  95516    0    0     0  1722  620   790  61  39   0
>  7  0  0    124  72148  92472  95560    0    0     0  2358  817  1199  62  38   0

It seems to be primarily cpu-bound (first column tells you how many processes are queued for cpu time), but it is not that bad.

>
> > > Also, check your logs for timeouts.
> > >
> > > Do you have a caching DNS server on this machine? If not you should.
> > >
>
> There are a fair number of timeouts.

Timeouts on what? RBL? Spamassassin?

> I do not have a caching name server on
> this server, but I am going to load one on and see if that helps.

if redhat, install the packages called caching-nameserver

> I am running three RBL's on this system so there are a lot of DNS lookups
> happening.

hence the advantage of having a caching dns on the same machine.
> > Eric > From kevins at BMRB.CO.UK Fri Jan 30 21:18:20 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Possible wishlist item - attachment decisions In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410882@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410882@mtlnt501fs.CAMOROUTE.COM> Message-ID: <1075497501.17947.38.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 20:39, Ugo Bellavance wrote: > > There are two possible situation > > - Someone wants to disable virus scanning on all message received, relying only on filetype and filename rules. > > => Here, I think it is feasible. Yes, I agree. Simply set Virus Scanners = none (note that Virus Scanners may not be a ruleset) > > - Some wants to disable virus scanning only on specific messages received, using rules. > > => Here, you say it is not feasible, which makes sense. Yes, can't be done because whole batches are scanned at a time. Just to be clear though you can turn off all virus/ filename/type checks using a ruleset on the Virus Scanning directive. > > Hope this is clearer. Don't be affraid to tell me if I'm wrong. > Much clearer, thanks! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jaearick at COLBY.EDU Fri Jan 30 21:24:24 2004 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... 
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410885@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410885@mtlnt501fs.CAMOROUTE.COM> Message-ID: I *really* recommend running a caching DNS server on your box (and adding the physical memory to support it). Between the MTA, RBLs, MailScanner, SA, etc, etc, you will do a bzillion DNS lookups to get the mail delivered. Local caching is vital. Jeff Earickson Colby College From brose at MED.WAYNE.EDU Fri Jan 30 21:29:11 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:14 2006 Subject: Possible wishlist item - attachment decisions Message-ID: I recall asking along time ago if the virus scan could be done before the spam so that MailScanner wouldn't have to SA check virus messages because they'd be removed from the batch sent to the SA subroutine. I thought it made sense. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Thomas DuVally Sent: Friday, January 30, 2004 2:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Possible wishlist item - attachment decisions I thought I saw a discussion about this, but I can't seem to find it again, so I am going to ask: Can MailScanner be told NOT the virus-scan a message (and/or attachments) if the filename.rules are going to deny it anyway? I thought I saw some discussion about this and that is was not something one would want, but it would be if lack of it makes higher-ups want to change e-mail products... which I would rather not do. -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. GPG fingerprint = FB59 8265 0865 0CB8 94B5 FC26 F573 F09C 15F2 33F6 From ugob at CAMO-ROUTE.COM Fri Jan 30 21:29:30 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:14 2006 Subject: BSD pb running MailScanner Message-ID: <54C38A0B814C8E438EF73FC76F362927410887@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Thierry [mailto:lenaig@WANADOO.FR] > Envoy? 
: Friday, January 30, 2004 4:07 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: BSD pb running MailScanner > > > Just to know, i am not really use sendmail, but ssmtp ... Can > it be the origin of the problem ? > yes, since it is not officially supported by MailScanner. Ugo > thx > > -- > Thierry > Ne faites jamais un "apt-get install new-wife" avant > un "apt-get remove --purge current-wife" > From brose at MED.WAYNE.EDU Fri Jan 30 21:32:22 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... Message-ID: Are you using any of the SA Custom rules talked about on the SA lists? My performance problems diminished after I got rid of the blacklist-uri.cf which is a very large ruleset. I'm still using bigevil, tripwire, etc. Just got rid of the URI. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Eric J Merkel Sent: Friday, January 30, 2004 2:49 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Performance problems... I am in the process of converting our SMTP(sendmail) relay servers to MailScanner & F-PROT. Previously we had been using RAV antivirus with libmilter to scan all incoming and outgoing emails for viruses. Since moving to MailScanner & F-PROT it seems as though my messages are getting back logged quite quickly. The server prior to the switch had an average uptime of 1.0 - 3.0. Now I am consistantly running at 10.00 - 13.00 load average and have about 28,000 files waiting in the mqueue.in directory to be processed only a few hours after putting into production. I've tried turning off all virus notifications and tweaked the mailscanner.conf to process messages both in batch and in queue. While in batch mode, I also tried changing the number of messages in the batch to process at any one time but it doesn't seem like mailscanner can keep up with the number of incoming messages passing thru the system. 
I've also lowered sendmail's logging level to 0, turned off fsync on /var/log/maillog. I tried splitting the mqueue.in directory into multiple directories but couldn't get sendmail to drop the files into directories under mqueue.in. Yes I did change the sendmail startup command to change the incoming queue directory to mqueue.in/* and also in mailscanner.conf. So at last, I am wondering what else I can try to improve the throughput of the system? The specs on the system are as follows: Intel PIII 700Mhz 512K RAM Ultra2-160 SCSI LVD drives RedHat 9 + Sendmail 8.12.8 + MailScanner 4.25-14 I know this system is not very high powered, but I have systems identical to this one in a SMTP load-balanced cluster runnig RAV + libmilter wirh no such issues. Thanks for any advice you might lend. Eric Merkel / MetaLINK Technologies, Inc ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* Email: merkel@metalink.net Phone: 419-782-3472 ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* From merkel at METALINK.NET Fri Jan 30 21:32:14 2004 From: merkel at METALINK.NET (Eric J Merkel) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... References: <54C38A0B814C8E438EF73FC76F3629273132F5@mtlnt501fs.CAMOROUTE.COM> Message-ID: <014201c3e778$8773c970$22c8a8c0@staff.metalink.net> ----- Original Message ----- From: "Ugo Bellavance" To: Sent: Friday, January 30, 2004 4:16 PM Subject: Re: Performance problems... [SNIP] > > > > There are a fair number of timeouts. > > Timeouts on what? RBL? Spamassassin? > Sendmail collecting input from & to some SMTP servers.... > >I do not have a caching > > name server on > > this server, but I am going to load one on and see if that helps. > > if redhat, install the packages called caching-nameserver > > > I am > > running three RBL's on this system so their are a lot of DNS lookups > > happening. > > hence the advantage of having a caching dns on the same machine. I've loaded a caching nameserver on this system. 
Just watching it a few minutes, it does seem to have improved much. I am still falling about 200 messages behind every few minutes.... My current settings for the batch mode is below. Max Unscanned Messages Per Scan = 500 Max Unsafe Messages Per Scan = 30 I also tried these at 30/30, 100/50, & 500/100 with no noticeable difference. Should I just stick with the defaults of 30/30? Eric From ugob at CAMO-ROUTE.COM Fri Jan 30 21:35:15 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... Message-ID: <54C38A0B814C8E438EF73FC76F362927410888@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Eric J Merkel [mailto:merkel@METALINK.NET] > Envoy? : Friday, January 30, 2004 4:32 PM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: Performance problems... > > > ----- Original Message ----- > From: "Ugo Bellavance" > To: > Sent: Friday, January 30, 2004 4:16 PM > Subject: Re: Performance problems... > > > [SNIP] > > > > > > > There are a fair number of timeouts. > > > > Timeouts on what? RBL? Spamassassin? > > > > Sendmail collecting input from & to some SMTP servers.... So no mailscanner-related timeouts? Could we see a couple of these lines of logs? > > > >I do not have a caching > > > name server on > > > this server, but I am going to load one on and see if that helps. > > > > if redhat, install the packages called caching-nameserver > > > > > I am > > > running three RBL's on this system so their are a lot of > DNS lookups > > > happening. > > > > hence the advantage of having a caching dns on the same machine. > > I've loaded a caching nameserver on this system. Just > watching it a few > minutes, it does seem to have improved much. I am still > falling about 200 > messages behind every few minutes.... > > My current settings for the batch mode is below. 
> > Max Unscanned Messages Per Scan = 500 > Max Unsafe Messages Per Scan = 30 > > I also tried these at 30/30, 100/50, & 500/100 with no noticeable > difference. Should I just stick with the defaults of 30/30? When you look in your logs how big are, in average, your batches? > > Eric > From kevins at BMRB.CO.UK Fri Jan 30 21:34:56 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... In-Reply-To: <012101c3e775$8d8aa750$22c8a8c0@staff.metalink.net> References: <00db01c3e76a$320b8030$22c8a8c0@staff.metalink.net> <1075494672.17947.25.camel@bach.kevinspicer.co.uk> <012101c3e775$8d8aa750$22c8a8c0@staff.metalink.net> Message-ID: <1075498496.17925.55.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 21:10, Eric J Merkel wrote: > > No we are not using SA. I will look into mounting the MS incoming directory > on a tempfs. Do you have any recommendation on how much RAM I should set > aside for the tmpfs? You don't need to worry about that, tmpfs looks after itself in that regard (unlike using a ramdisk). Just add this to /etc/fstab none /var/spool/MailScanner/incoming tmpfs defaults 0 0 Then do service MailScanner stop mount /var/spool/MailScanner/incoming service MailScanner start > I do not have it set to deliver cleaned/disinfected messages. I do have a > fair number of bounced spam messages from unknown user accounts on our > system. Right now I have a script clean out the mqueue every 10 minutes of > all invalid bounce messages. Might be worth grabbing the addresses of the invalid recipients and adding them to your access database To: user@domain.com REJECT Doing this really reduced the load on my system. > > > There were some useful sendmail rules (both subject and recipient) > > posted to the list which can help to block MyDoom. > > > > I just joined the list today so I didn't get a chance to see those filters. > Do you have the subject of those messages so I can look them up in the > archive? 

I just realised I posted the subject rules that I used for Sobig, so I
should probably post updated ones for MyDoom. Here they are

LOCAL_RULESETS
## Common Virus Subjects ##
## (in each R line a tab, not spaces, separates the subject from $#error)
HSubject: $>Check_Subject
D{VMsg}" - This message may contain a virus - This subject is associated with a known virus, for genuine mail please resend with different subject text."

SCheck_Subject
Rerror	$#error $: 550 5.7.0 ${VMsg}
Rhello	$#error $: 550 5.7.0 ${VMsg}
Rhi	$#error $: 550 5.7.0 ${VMsg}
Rmail delivery system	$#error $: 550 5.7.0 ${VMsg}
Rmail transaction failed	$#error $: 550 5.7.0 ${VMsg}
Rserver report	$#error $: 550 5.7.0 ${VMsg}
Rstatus	$#error $: 550 5.7.0 ${VMsg}
Rtest	$#error $: 550 5.7.0 ${VMsg}

These should be added to the end of your sendmail.mc and the sendmail.cf
rebuilt.

The list of users is in a post entitled 'MyDoom Countermeasures' posted
to the list on Jan28 by Jeff Falgout. I added these to my system,
adding my domains after the @. Whether these are of use to you rather
depends on your username naming policy.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From merkel at METALINK.NET Fri Jan 30 21:43:16 2004
From: merkel at METALINK.NET (Eric J Merkel)
Date: Thu Jan 12 21:22:14 2006
Subject: Performance problems...
References: <54C38A0B814C8E438EF73FC76F362927410888@mtlnt501fs.CAMOROUTE.COM> Message-ID: <01a001c3e77a$11c3d920$22c8a8c0@staff.metalink.net> ----- Original Message ----- From: "Ugo Bellavance" To: Sent: Friday, January 30, 2004 4:35 PM Subject: Re: Performance problems... > > > > > > > > There are a fair number of timeouts. > > > > > > Timeouts on what? RBL? Spamassassin? > > > > > > > Sendmail collecting input from & to some SMTP servers.... > > So no mailscanner-related timeouts? > No I have not seen any mailscanner timeouts. [SNIP] > > I've loaded a caching nameserver on this system. Just > > watching it a few > > minutes, it does seem to have improved much. I am still > > falling about 200 > > messages behind every few minutes.... > > > > My current settings for the batch mode is below. > > > > Max Unscanned Messages Per Scan = 500 > > Max Unsafe Messages Per Scan = 30 > > > > I also tried these at 30/30, 100/50, & 500/100 with no noticeable > > difference. Should I just stick with the defaults of 30/30? > > When you look in your logs how big are, in average, your batches? 

Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Found 1780 messages waiting
Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 messages, 180920 bytes
Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Found 1770 messages waiting
Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 messages, 162553 bytes
Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Found 1853 messages waiting
Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Scanning 30 messages, 164949 bytes
Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Found 1847 messages waiting
Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Scanning 30 messages, 238563 bytes
Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Found 1805 messages waiting
Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Scanning 30 messages, 430321 bytes
Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Found 1804 messages waiting
Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 messages, 233221 bytes
Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Found 1790 messages waiting
Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 messages, 153695 bytes

This seems about typical...

Eric

From merkel at METALINK.NET Fri Jan 30 21:46:25 2004
From: merkel at METALINK.NET (Eric J Merkel)
Date: Thu Jan 12 21:22:14 2006
Subject: Performance problems...
References:
Message-ID: <01ac01c3e77a$82711020$22c8a8c0@staff.metalink.net>

----- Original Message -----
From: "Rose, Bobby"
To:
Sent: Friday, January 30, 2004 4:32 PM
Subject: Re: Performance problems...


> Are you using any of the SA Custom rules talked about on the SA lists?
> My performance problems diminished after I got rid of the
> blacklist-uri.cf which is a very large ruleset. I'm still using
> bigevil, tripwire, etc. Just got rid of the URI.
>
>

No I am not using SA at this time...

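
Added example, not written by anyone in this thread: a Python script that answers the batch-size question from the "New Batch" lines posted above, and also reports how many scanning children appear and how long each takes between batch starts. It assumes the syslog layout of those lines; the function names, the year default and the throughput estimate are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# The "New Batch" lines as posted in the thread (host mail-relay2).
SAMPLE_LOG = """\
Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Found 1780 messages waiting
Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 messages, 180920 bytes
Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Found 1770 messages waiting
Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 messages, 162553 bytes
Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Found 1853 messages waiting
Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Scanning 30 messages, 164949 bytes
Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Found 1847 messages waiting
Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Scanning 30 messages, 238563 bytes
Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Found 1805 messages waiting
Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Scanning 30 messages, 430321 bytes
Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Found 1804 messages waiting
Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 messages, 233221 bytes
Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Found 1790 messages waiting
Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 messages, 153695 bytes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+"
    r"New Batch:\s+(?:Found (?P<waiting>\d+) messages waiting"
    r"|Scanning (?P<msgs>\d+) messages, (?P<size>\d+) bytes)"
)


def parse_batches(log_text, year=2004):
    """Pair each child's "Found" line with its "Scanning" line.

    Syslog timestamps carry no year, so one is supplied (assumption: 2004,
    the year of the thread). Returns one dict per batch, in log order.
    """
    waiting_by_pid = {}
    batches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MailScanner batch line
        pid = int(m["pid"])
        if m["waiting"] is not None:
            waiting_by_pid[pid] = int(m["waiting"])
            continue
        batches.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "pid": pid,
            "messages": int(m["msgs"]),
            "bytes": int(m["size"]),
            # None when no "Found" line was seen for this child.
            "waiting": waiting_by_pid.pop(pid, None),
        })
    return batches


def summarise(batches):
    """Batch size, backlog and a rough throughput estimate for the window."""
    if not batches:
        raise ValueError("no 'New Batch: Scanning' lines found")
    starts = defaultdict(list)
    for b in batches:
        starts[b["pid"]].append(b["time"])
    # Gap between consecutive batch starts of the same child: one full
    # scan-and-deliver cycle for that child.
    cycles = []
    for times in starts.values():
        times = sorted(times)
        cycles += [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    backlog = [b["waiting"] for b in batches if b["waiting"] is not None]
    avg_messages = mean(b["messages"] for b in batches)
    cycle = mean(cycles) if cycles else None
    return {
        "batches": len(batches),
        "children": len(starts),
        "avg_messages": avg_messages,
        "total_bytes": sum(b["bytes"] for b in batches),
        "backlog": (backlog[0], backlog[-1]) if backlog else None,
        "cycle_seconds": cycle,
        # children x batch size per cycle, scaled to one minute
        "est_msgs_per_min": len(starts) * avg_messages / cycle * 60 if cycle else None,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_batches(SAMPLE_LOG)).items():
        print(f"{key:>18}: {value}")
```

Only two of the children appear twice in the posted window, so the cycle time and the per-minute estimate are rough; run it over a longer slice of maillog for a usable figure.
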
From ugob at CAMO-ROUTE.COM Fri Jan 30 21:48:49 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... Message-ID: <54C38A0B814C8E438EF73FC76F36292741088A@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Eric J Merkel [mailto:merkel@METALINK.NET] > Sent: Friday, January 30, 2004 4:43 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Performance problems... > > > ----- Original Message ----- > From: "Ugo Bellavance" > To: > Sent: Friday, January 30, 2004 4:35 PM > Subject: Re: Performance problems... > > > > > > > > > > > > There are a fair number of timeouts. > > > > > > > > Timeouts on what? RBL? Spamassassin? > > > > > > > > > > Sendmail collecting input from & to some SMTP servers.... > > > > So no mailscanner-related timeouts? > > > > No I have not seen any mailscanner timeouts. > > [SNIP] > > > > I've loaded a caching nameserver on this system. Just > > > watching it a few > > > minutes, it does seem to have improved much. I am still > > > falling about 200 > > > messages behind every few minutes.... > > > > > > My current settings for the batch mode is below. > > > > > > Max Unscanned Messages Per Scan = 500 > > > Max Unsafe Messages Per Scan = 30 > > > > > > I also tried these at 30/30, 100/50, & 500/100 with no noticeable > > > difference. Should I just stick with the defaults of 30/30? > > > > When you look in your logs how big are, in average, your batches?
> > Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Found 1780 > messages waiting > Jan 30 16:38:26 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 > messages, 180920 bytes > Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Found 1770 > messages waiting > Jan 30 16:38:31 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 > messages, 162553 bytes > Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Found 1853 > messages waiting > Jan 30 16:39:16 mail-relay2 MailScanner[21202]: New Batch: Scanning 30 > messages, 164949 bytes > Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Found 1847 > messages waiting > Jan 30 16:39:16 mail-relay2 MailScanner[20746]: New Batch: Scanning 30 > messages, 238563 bytes > Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Found 1805 > messages waiting > Jan 30 16:39:23 mail-relay2 MailScanner[20943]: New Batch: Scanning 30 > messages, 430321 bytes > Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Found 1804 > messages waiting > Jan 30 16:39:24 mail-relay2 MailScanner[21070]: New Batch: Scanning 30 > messages, 233221 bytes > Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Found 1790 > messages waiting > Jan 30 16:39:31 mail-relay2 MailScanner[21342]: New Batch: Scanning 30 > messages, 153695 bytes > > This seems about typical... How many child process do you use? (5 is the default) Is your CPU usage always at 100%? > > Eric > From kevins at BMRB.CO.UK Fri Jan 30 21:52:11 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... 
In-Reply-To: <014201c3e778$8773c970$22c8a8c0@staff.metalink.net> References: <54C38A0B814C8E438EF73FC76F3629273132F5@mtlnt501fs.CAMOROUTE.COM> <014201c3e778$8773c970$22c8a8c0@staff.metalink.net> Message-ID: <1075499531.27758.59.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 21:32, Eric J Merkel wrote: > > > I am > > > running three RBL's on this system so their are a lot of DNS lookups > > > happening. > > If you are just deleting mail based on RBLs then this is best handled in the MTA (maybe this is what you are doing?). If this is what you are doing make sure you have Spam List = and Spam Domain List = in mailscanner.conf From taz at AZTEK-ENG.COM Fri Jan 30 21:58:15 2004 From: taz at AZTEK-ENG.COM (taz) Date: Thu Jan 12 21:22:14 2006 Subject: sophos downloads Message-ID: <01a501c3e77c$299fdf10$270100bf@backlab> I am trying to get a new copy of the sophos virus stuff on trial, but it seems to take forever. I have a version from last year, but it was for the sparc platform on solaris. Since, I am working on putting this on a Mandrake 9.1x machine I was wondering if anyone has the package tarred that they could throw up in email. I emailed them as a new trial person yesterday and it still is has not shown up in my email yet. I also just did a trial today from another email account around noon (MST) and no go. Any ideas? Thanks again.
Travis From kevins at BMRB.CO.UK Fri Jan 30 22:00:22 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... In-Reply-To: <01a001c3e77a$11c3d920$22c8a8c0@staff.metalink.net> References: <54C38A0B814C8E438EF73FC76F362927410888@mtlnt501fs.CAMOROUTE.COM> <01a001c3e77a$11c3d920$22c8a8c0@staff.metalink.net> Message-ID: <1075500023.27758.67.camel@bach.kevinspicer.co.uk> On Fri, 2004-01-30 at 21:43, Eric J Merkel wrote: > > > > > > > > > > > There are a fair number of timeouts. > > > Sendmail collecting input from & to some SMTP servers.... > > If you have a lot of messages in your outgoing queue then its possible that your sendmail queue running is eating up too many resources. In this case it may be helpful to change the queue running interval to a higher number (by default this is 15 minutes and is set by changing QUEUETIME in /etc/sysconfig/MailScanner). So long as you have left Delivery Method = Batch in MailScanner.conf MailScanner will still attempt to send every message once before queuing it, so this shouldn't have a negative effect on most mail. If you look into the sendmail queue timeouts etc. I think (vague memory) there are all sorts of clever things you can do (like send failed mail to a seperate box for further attempts). I think it may even be possible to have several queues (with queue runners with different intervals set) for different failure reasons.
From taz at AZTEK-ENG.COM Fri Jan 30 22:37:12 2004 From: taz at AZTEK-ENG.COM (taz) Date: Thu Jan 12 21:22:14 2006 Subject: sophos downloads References: <01a501c3e77c$299fdf10$270100bf@backlab> Message-ID: <01df01c3e781$9ae3be80$270100bf@backlab> Thanks to all who responded. I got what I needed and am now moving further. ----- Original Message ----- From: taz To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, January 30, 2004 2:58 PM Subject: sophos downloads I am trying to get a new copy of the sophos virus stuff on trial, but it seems to take forever. I have a version from last year, but it was for the sparc platform on solaris. Since, I am working on putting this on a Mandrake 9.1x machine I was wondering if anyone has the package tarred that they could throw up in email. I emailed them as a new trial person yesterday and it still is has not shown up in my email yet. I also just did a trial today from another email account around noon (MST) and no go. Any ideas? Thanks again. Travis From kevin at KEVINSPICER.CO.UK Fri Jan 30 22:44:25 2004 From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:14 2006 Subject: Two Patches Message-ID: <1075502665.28759.11.camel@bach.kevinspicer.co.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040130/c7994eb2/attachment.bin From jpenix at BINARYTRIBE.COM Sat Jan 31 02:07:12 2004 From: jpenix at BINARYTRIBE.COM (Joshua Penix) Date: Thu Jan 12 21:22:14 2006 Subject: rant about anti-virus and spam, MS flamed In-Reply-To: <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> References: <0B646CB9C2952C46B0E819F6C42DA5DB19E856@lkl61.ltkalmar.se> <6.0.1.1.2.20040129084433.03e2d220@imap.ecs.soton.ac.uk> Message-ID: <1075514831.21246.17.camel@jepdesk.projectdesign.com> On Thu, 2004-01-29 at 00:45, Julian Field wrote: > I contacted the author, and received the following polite response: Looks like he also updated his webpage, hopefully before the /. crowd got there: "Update 1/29/04 - It has been brought to my attention that MailScanner is a) freeware, b) receives its virus naming from other software and c) defaults to not sending such warnings. Kudos to the MailScanner devs for recognizing the problem and reconfiguring long before this article appeared." -- Joshua Penix http://www.binarytribe.com Binary Tribe Linux Integration Services & Network Consulting From spam at CRYING.COM Sat Jan 31 03:53:41 2004 From: spam at CRYING.COM (Howard) Date: Thu Jan 12 21:22:14 2006 Subject: Installing on Verio Iserver freebsd? Message-ID: I'm trying to install mailscanner from scratch on a verio iserver (freebsd) I downloaded the freebsd version via wget to my root. Then did a make install. It ran through a bunch of stuff and now I'm kinda at a loss of what to do next.... Anyone out here using a Verio Iserver? If so, I'd beg for help on exactly what to do.... 
Thanks From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:18:39 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: Don't Quarantine Viruses In-Reply-To: <20040130172056.GC2936@rfa.org> References: <75FEDC422E2309419A9303E7B18F206E04DB5F87@eqmail1.efni.vpn> <20040129223224.GE2204@rfa.org> <6.0.1.1.2.20040130092602.0741d660@imap.ecs.soton.ac.uk> <20040130172056.GC2936@rfa.org> Message-ID: <6.0.1.1.2.20040131141812.036fc008@imap.ecs.soton.ac.uk> At 17:20 30/01/2004, you wrote: >Thanks Julian, > >I've implemented this with "mydoom" and it's saving us a lot of disk >space. > >What are the chances of having All-Viruses as in the Silent Viruses >config option available as a special case in this ruleset? Something like: > >Virus: All-Viruses no >Virus: default yes > >so we could quarantine only filename, filetype and html-tag "virus" >detected mail. > >Is this possible? Would it be a good idea? Not sure if it will work, but try Virus: /./ no Virus: default yes >-Eric Rz. > >On Fri, Jan 30, 2004 at 09:26:18AM +0000, Julian Field wrote: > > The test is a simple sub-string, so "mydoom" should match both of your > > examples. > > > > At 22:32 29/01/2004, you wrote: > > >Do these names have to match the name as reported by the virus scanners? > > >or is it case insensitive? > > > > > >i.e., will: > > > > > >Virus: mydoom no > > > > > >prevent mydoom from being quarantined when caught by either sophossavi > > >or uvscan? > > > > > >or do I need to do this? : > > > > > >Virus: W32/MyDoom-A no > > >Virus: W32/Mydoom.a@MM no > > > > > > > > >Thanks, > > >Eric Rz. > > > > > >On Wed, Jan 28, 2004 at 02:55:11PM -0500, Hirsh, Joshua wrote: > > >> > I'd like to be able to not quarantine viruses but still > > >> > quarantine filetype denies. > > >> > > >> Yup, you can distinguish between the two. 
You can set "Quarantine > > >> Infections" to match against a rule, and in the rules file have > something > > >> like this: > > >> > > >> Virus: sobig no > > >> Virus: dumaru no > > >> Virus: mimail no > > >> > > >> > > >> Etc.. > > >> > > >> > > >> Cheers, > > >> > > >> -Joshua > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:17:25 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: _SCORE_ Tag In-Reply-To: References: Message-ID: <6.0.1.1.2.20040131141707.040374e8@imap.ecs.soton.ac.uk> Already fixed in 4.26. At 17:07 30/01/2004, you wrote: >I have been using the _SCORE_ tag and have found it to be very useful. I >am curious about one thing. The highest score it seems to be able to >report is 60? Even if the headers show a score of higher, the _SCORE_ will >only show 60? > >Certainly not a big deal, I'm just curious if anyone else has noticed >this? I'm using SA version 4.24-5. > >Thanks -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:19:56 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: Skip scan for viruses In-Reply-To: References: Message-ID: <6.0.1.1.2.20040131141904.036fce00@imap.ecs.soton.ac.uk> At 17:41 30/01/2004, you wrote: >On Fri, 30 Jan 2004 09:26:55 +0000, Julian Field > wrote: > > >No. The spam detection is done before the virus detection. 
> >That way you can avoid the extra work of scanning spam messages you are > >deleting anyway. > > >Really? My MailScanner seems to do both anti-virus and spam scanning. I >get quite a few messages with tags from both processes. Or perhaps I'm just >unaware of one of the inner processes; is MailScanner supposed to skip >anti-virus scanning for all spams or just the ones that aren't forwarded on >to users (high-scoring spams, in my case)? If you have a Spam Action which is "delete", then it won't bother virus-scanning it as you are throwing it away anyway. >I also must agree with some other posters. Spam-scanning is nice but, spam >or not, anti-virus scanning is essential. I do *not* want MailScanner to >skip anti-virus scanning of *any* message! Agreed. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:34:51 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: postfix oddity In-Reply-To: <2744.203.221.17.62.1075493762.squirrel@webmail.netxp.com.a u> References: <2744.203.221.17.62.1075493762.squirrel@webmail.netxp.com.au> Message-ID: <6.0.1.1.2.20040131143356.03f62680@imap.ecs.soton.ac.uk> At 20:16 30/01/2004, you wrote: >hi > >i am installing mailscan with clamav on a freebsd 4 ssytem >using mailscan 2.45-14 > >oddly enough i have the mail sitting in the queue but mailscan >can seem to process it? > >doing a postfix flush is the only way to deliver the mail. > >the postfix directory >is /var/spool/postfix.in/deferred >and mailscan nukes itself if i >use anything other than >/var/spool/postfix.in/deferred/* in the conf file. Please define "nuke". The setting you should have is /var/spool/postfix.in/deferred. If you add the /* on the end, then it won't find any incoming mail. >any ideas? tia! 
> > >Phil Grainger > > > >Phil Grainger >---------------------------------------------------------------------------- > >netxp.com.au user support > technical services >http://netxp.com.au/ >Unlimited ADSL from $69.95 p/m. > >---------------------------------------------------------------------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:51:03 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: Two Patches In-Reply-To: <1075502665.28759.11.camel@bach.kevinspicer.co.uk> References: <1075502665.28759.11.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040131145024.0407c150@imap.ecs.soton.ac.uk> Thanks for that. I moved the sm-client.pid into a configurable variable too. Will be in 4.26.7. At 22:44 30/01/2004, you wrote: >Please find attached patches to > >/etc/init.d/MailScanner (initscript.diff) >/etc/sysconfig/MailScanner (sysconfig.diff) > >These correct an issue with stoping the sendmail sm-msp-queue process. >'service MailScanner stop' on Mandrake 9.0 was failing to stop the >sm-msp-queue runner. The fix should not adversely affect other >distributions. > >On Mandrake the sm-msp-queue sendmail process runs as mail:mail not >smmsp:smmsp, therefore I have made this configurable by adding two new >variables to both init script and sysconfig file (left these set to >smmsp for convenience of most users). Additionally the sm-msp-queue >process was not creating the pid file in the expected place, so this is >now specified in the command. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:37:24 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: many spamassassin timeouts In-Reply-To: <002901c3e776$69113b40$630a0a0a@gyruss> References: <011601c3e3fb$c8cd73b0$a0ef15ab@ka.klm.nl> <002901c3e776$69113b40$630a0a0a@gyruss> Message-ID: <6.0.1.1.2.20040131143546.03bc2d30@imap.ecs.soton.ac.uk> At 21:17 30/01/2004, you wrote: >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing >output similar to below in maillog. Should I be looking elsewhere else? I >am trying to track down the source of some spamassassin timeouts I have been >having. Ideally I need to log the equivalent of "spamassassin -D" for a few >hours. Those 2 options will cause "check_mailscanner" to log all the SA output to the terminal. It will process 1 batch of messages and then quit. I have been getting a lot of Razor timeouts recently, and have currently disabled it. You can do this by adding use_razor2 0 to your spam.assassin.prefs.conf and restarting MailScanner. >Thanks! > >Mickey > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Piet Bos >Sent: Monday, January 26, 2004 3:02 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: many spamassassin timeouts > >a part of the debug output. >I find the 0 behind Net::DNS resolver unavailable rather curious >do you agree? 
> >grtz Piet > >debug: running raw-body-text per-line regexp tests; score so far=4.3 >debug: running uri tests; score so far=4.3 >debug: uri tests: Done uriRE >debug: running full-text regexp tests; score so far=4.3 >debug: Razor2 is not available >debug: DCC is not available: dccproc not found >debug: Razor1 is not available >debug: Pyzor is not available: pyzor not found >debug: is Net::DNS::Resolver unavailable? 0 >debug: trying (3) gwdg.de... >debug: looking up MX for 'gwdg.de' >debug: MX for 'gwdg.de' exists? 1 >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to >hardcode) >debug: is DNS available? 1 >debug: running meta tests; score so far=5.3 >----- Original Message ----- >From: "Julian Field" >To: >Sent: Monday, January 26, 2004 9:39 AM >Subject: Re: many spamassassin timeouts > > > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the > > slow-down is. > > > > At 08:33 26/01/2004, you wrote: > > >Experiencing many spamassassin timeouts lately. > > >Is there a valid reason for that? > > >I'm using version 4.26-1 starting > > >my settings in MailScanner.conf are: > > >SpamAssassin Timeout = 40 > > >Max SpamAssassin Timeouts = 50 > > > > > >Any suggestions? 
> > >brgds Piet > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Jan 31 14:30:57 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: Possible wishlist item - attachment decisions In-Reply-To: <1075492616.17947.15.camel@bach.kevinspicer.co.uk> References: <1075492199.28494.25.camel@cis-staff-kntx90.cis.brown.edu> <1075492616.17947.15.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040131143004.036fadf8@imap.ecs.soton.ac.uk> At 19:56 30/01/2004, you wrote: >On Fri, 2004-01-30 at 19:49, Thomas DuVally wrote: > > I thought I saw a discussion about this, but I can't seem to find it > > again, so I am going to ask: > > > > Can MailScanner be told NOT the virus-scan a message (and/or > > attachments) if the filename.rules are going to deny it anyway? > > >IIRC the answer is no, because the whole batch of messages is virus >scanned together. There might have been a reason to do with the order >of the checks as well. Finding all the names of the attachments (which involves extracting them) is the expensive bit. Virus scanning a couple more files each time costs almost nothing. So there's no speed advantage in not scanning them. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From david at PLATFORMHOSTING.COM Sat Jan 31 15:05:25 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:14 2006 Subject: Performance problems... 
In-Reply-To: <014201c3e778$8773c970$22c8a8c0@staff.metalink.net>
Message-ID: <008601c3e80b$a91696a0$0b00a8c0@djh01>

> My current settings for the batch mode is below.
>
> Max Unscanned Messages Per Scan = 500
> Max Unsafe Messages Per Scan = 30
>
> I also tried these at 30/30, 100/50, & 500/100 with no noticeable
> difference. Should I just stick with the defaults of 30/30?

On the box you have I would say you should set it up as follows:

Max Children: 3
Max Unscanned Messages Per Scan = 10
Max Unsafe Messages Per Scan = 10

Your box is going to work better with only a few children doing lots of
small batches. Do stick your MailScanner work directory into tmpfs, this
provided much better performance as you'll see below. Over the last
couple of weeks we've found that we're running out of IO capacity on a
fair few of our boxes, reducing disk IO helps us squeeze that not so
little bit more out of the box.

Performance Tests - 50 Message Batch
=============================================
Children   Msg/Scan   Mins      WorkDir
4          5          0:08:39   DISK
3          5          0:08:05   DISK
3          10         0:09:38   DISK
2          10         0:13:07   DISK
1          10         0:17:00   DISK
0          10         0:15:00   DISK
3          5          0:01:51   TMPFS
3          10         0:01:02   TMPFS
3          15         0:01:10   TMPFS

Machine Specs:
AMD 1.3Ghz
80Gig 7200 rpm IDE HDD
1 Gig RAM
Running a _lot_ of spamassassin rules, RBL's, DCC, Razor, ClamAV, Mcafee

Of course please use this info as a guide only it may or may not be
truly indicative of how things will work out for you. If anyone has any
other tuning tips I'd love to try them out I'll happily publish the
results.

Regards, David Hooton ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From mailscanner at ecs.soton.ac.uk Sat Jan 31 15:38:50 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:14 2006 Subject: ANNOUNCE: Stable 4.26.7 released Message-ID: <6.0.1.1.2.20040131152437.03bc2e78@imap.ecs.soton.ac.uk> I have just released the new stable version 4.26.7 on www.mailscanner.info. Main new features this time are: - Each line in a ruleset can have 2 tests "and-ed" together. - Scheduled rebuild of the Bayes database with full locking so MailScanner won't timeout during the rebuild. This should remove all those pesky bayes_toks.new files. - Appearance on a "Spam List" can be used to modify the spam score, so users with mail filters looking for the SpamScore header can easily match spam that only appeared on a Spam List. - Added "notify" Spam Action so that users can be informed they received a spam without actually being able to directly see the spam message itself. Could be very useful in high school installations and others with children using e-mail. - Hopefully fixed the last of the Postfix problems. (In the RPM distributions, the only file that has changed since the last release is the main MailScanner rpm itself) The full ChangeLog is this: New in Version 4.26.7 =============================== * New Features and Improvements * - Improved configuration engine so that rules can now contain 2 tests separated by "and". - Added "notify" Spam Action and High Scoring Spam Action. This will cause a short text notification message to be sent to the recipients of the spam message. The filename of the report is set with the "Recipient Spam Report" configuration setting. There is also an MCP equivalent of this functionality. 
See the MCP documentation for details of the settings. - Removed the "bounce" spam action. - Added regular rebuild of Bayes database. Has 2 options associated with it which I haven't included in the conf file yet. - Added "Rebuild Bayes Every" and "Wait During Bayes Rebuild" options to configure the operation of the regular Bayes database rebuilds. - Added commented "bayes_auto_expire 0" line to spam.assassin.prefs.conf as you will want to uncomment this line if you are using the regular scheduled Bayes database expiry feature given above. - Added "Minimum Stars If On Spam List" setting so that people who just filter on the "Spam Stars" can catch messages which only trigger the "Spam List" trap. - Added "Log Non Spam" option to allow logging of all non-spam, which can be coerced into logging SpamAssassin scores of non-spam mail. - Added support for Norman virus scanner (www.norman.de). - Added logging of ids of dropped silent viruses. - Added "Too Many Attachments" error report in a message instead of old report saying it could not analyse the message. - No longer stops or restarts after RPM upgrade. - Added MCP patches for SpamAssassin 2.61 and 2.63. - Added 'SpamAssassin Site Rules Dir' setting to locate /etc/mail/spamassassin. - Spanish translations of languages.conf updated from Debian translators. - Added Catalan translation of all report files. - Added bogusmx list to supplied spam.lists.conf. - Added spamhaus-XBL and SBL+XBL lists to supplied spam.lists.conf. - Changed the version number scheme from major.minor-teeny to major.minor.teeny. - Forced owner to be root.root in both RPM spec files, so can be re-built by non-root users. - Added my Amazon.co.uk "wish list" to the donations page. - Detailed spam report now includes auto-learn status if it was auto-learnt. - Added sendmail submit MSPUSER and MSPGROUP for better compatibility with Mandrake. * Fixes * - Fixed creation of MCP quarantine directory bug. - Fix to Postfix message duplication problems. 
  Must find "end of message" record now.
- Fix to duplicate recipient listing in postmaster notices.
- Fixed bug so filename/filetype rules configuration setting can be blank.
- Exim per-message log files are deleted correctly now.
- Fixed recipient duplication problems in sender messages and other reports.
- Fixed bug where extra ": " appears in VirusWarning.txt when MailScanner's own checks find multiple problems with 1 attachment.
- Fixed bug where _SCORE_ in subject line modifications is never more than 60.
- Fixed bug where rules generated a harmless warning in the log.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Sat Jan 31 17:15:28 2004
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:22:14 2006
Subject: ANNOUNCE: Stable 4.26.7 released
In-Reply-To: <6.0.1.1.2.20040131152437.03bc2e78@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040131152437.03bc2e78@imap.ecs.soton.ac.uk>
Message-ID: <401BE2B0.9090806@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:

> I have just released the new stable version 4.26.7 on www.mailscanner.info.

Something I noticed during a full ./install.sh executed RPM install.

Is this something I should be concerned about?

Checking for unpackaged file(s): /usr/lib/rpm/check-files
/var/tmp/perl-MIME-tools-root
warning: Installed (but unpackaged) file(s) found:
    /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
Wrote: /usr/src/redhat/RPMS/noarch/perl-MIME-tools-5.411-pl4.2.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.5613

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAG+K0PMoaMn4kKR4RAwU4AJ4rrez3azFDHVoysxXpJfPmH0B/1wCeL7hC
SSuxvfy+NJzko7OjAeJEnKw=
=Uwp9
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Sat Jan 31 17:18:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:14 2006
Subject: ANNOUNCE: Stable 4.26.7 released
In-Reply-To: <401BE2B0.9090806@uptime.at>
References: <6.0.1.1.2.20040131152437.03bc2e78@imap.ecs.soton.ac.uk> <401BE2B0.9090806@uptime.at>
Message-ID: <6.0.1.1.2.20040131171804.040241c8@imap.ecs.soton.ac.uk>

At 17:15 31/01/2004, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Julian Field wrote:
>
>>I have just released the new stable version 4.26.7 on www.mailscanner.info.
>
>
>Something I noticed during a full ./install.sh executed RPM install.
>
>Is this something I should be concerned about?
>
>Checking for unpackaged file(s): /usr/lib/rpm/check-files
>/var/tmp/perl-MIME-tools-root
>warning: Installed (but unpackaged) file(s) found:
>    /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod

Totally harmless.

>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
>Wrote: /usr/src/redhat/RPMS/noarch/perl-MIME-tools-5.411-pl4.2.noarch.rpm
>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.5613
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQFAG+K0PMoaMn4kKR4RAwU4AJ4rrez3azFDHVoysxXpJfPmH0B/1wCeL7hC
>SSuxvfy+NJzko7OjAeJEnKw=
>=Uwp9
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wppiphoto at wppi.com Sat Jan 31 18:43:37 2004
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:22:14 2006
Subject: FREE RBLs & Spam reporting {Scanned}
Message-ID: <004501c3e82a$2683fb00$0d01a8c0@Toshiba>

Can someone tell me what are some of the best FREE rbls I can use in mailscanner?

I'm currently using the following:

Spam List = ORDB-RBL SBL+XBL spamcop.net

I was also using NJABL but mailscanner started giving me time-out errors a few days ago and I removed it from my spam list.

Also, where can I report spam that makes it through still? I tried submitting spam to spamcop.net but it failed to read the e-mail header information correctly and kept reporting "No IP address found in e-mail header".

Thanks,
SW

-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
WPPi.com & WPPi.Net MailScanner Signature
This message has been scanned for viruses and dangerous content by WPPi MailScanner, and has been found to be clean.
-------------------------------------------------

From kevin at KEVINSPICER.CO.UK Sat Jan 31 19:09:08 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:14 2006
Subject: Two Patches
In-Reply-To: <6.0.1.1.2.20040131145024.0407c150@imap.ecs.soton.ac.uk>
References: <1075502665.28759.11.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040131145024.0407c150@imap.ecs.soton.ac.uk>
Message-ID: <1075576149.28759.54.camel@bach.kevinspicer.co.uk>

On Sat, 2004-01-31 at 14:51, Julian Field wrote:
> Thanks for that. I moved the sm-client.pid into a configurable variable too.
> Will be in 4.26.7.
>

Cheers Julian,

I posted some changes to the clamav-wrapper a while ago (to get the
external unpackers working properly where MS runs as root). I presume
this slipped under the radar, as it didn't make it into the package (I
imagine you would have said if you had a problem with it). Any chance
that will make it this time?

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040131/bb81a16c/attachment.bin

From mailscanner at ecs.soton.ac.uk Sat Jan 31 20:11:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:14 2006
Subject: Two Patches
In-Reply-To: <1075576149.28759.54.camel@bach.kevinspicer.co.uk>
References: <1075502665.28759.11.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040131145024.0407c150@imap.ecs.soton.ac.uk> <1075576149.28759.54.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.1.1.2.20040131201059.044e5ef8@imap.ecs.soton.ac.uk>

At 19:09 31/01/2004, you wrote:
>On Sat, 2004-01-31 at 14:51, Julian Field wrote:
> > Thanks for that. I moved the sm-client.pid into a configurable variable too.
> > Will be in 4.26.7.
>
>Cheers Julian,
>
>I posted some changes to the clamav-wrapper a while ago (to get the
>external unpackers working properly where MS runs as root). I presume
>this slipped under the radar, as it didn't make it into the package (I
>imagine you would have said if you had a problem with it). Any chance
>that will make it this time?

Can you send me it again?
Exactly how critical is it? (Already released 4.26.7 stable).

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mickey-ml at GREENGLOW.ORG Sat Jan 31 19:54:23 2004
From: mickey-ml at GREENGLOW.ORG (Mickey Everts)
Date: Thu Jan 12 21:22:14 2006
Subject: many spamassassin timeouts
In-Reply-To: <6.0.1.1.2.20040131143546.03bc2d30@imap.ecs.soton.ac.uk>
Message-ID: <00d301c3e834$06408160$630a0a0a@gyruss>

Here is something very weird I just noticed in trying to track this down.
Here is just a small sample of my logs, but notice the time outs happen
almost exactly every ten minutes? I am running mailscanner-4.25-14.

Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10

Mickey

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Saturday, January 31, 2004 6:37 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: many spamassassin timeouts

At 21:17 30/01/2004, you wrote:
>I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing
>output similar to below in maillog. Should I be looking elsewhere else? I
>am trying to track down the source of some spamassassin timeouts I have been
>having. Ideally I need to log the equivalent of "spamassassin -D" for a few
>hours.

Those 2 options will cause "check_mailscanner" to log all the SA output to
the terminal. It will process 1 batch of messages and then quit.
I have been getting a lot of Razor timeouts recently, and have currently
disabled it. You can do this by adding
use_razor2 0
to your spam.assassin.prefs.conf and restarting MailScanner.

>Thanks!
>
>Mickey
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Piet Bos
>Sent: Monday, January 26, 2004 3:02 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: many spamassassin timeouts
>
>a part of the debug output.
>I find the 0 behind Net::DNS resolver unavailable rather curious
>do you agree?
>
>grtz Piet
>
>debug: running raw-body-text per-line regexp tests; score so far=4.3
>debug: running uri tests; score so far=4.3
>debug: uri tests: Done uriRE
>debug: running full-text regexp tests; score so far=4.3
>debug: Razor2 is not available
>debug: DCC is not available: dccproc not found
>debug: Razor1 is not available
>debug: Pyzor is not available: pyzor not found
>debug: is Net::DNS::Resolver unavailable? 0
>debug: trying (3) gwdg.de...
>debug: looking up MX for 'gwdg.de'
>debug: MX for 'gwdg.de' exists? 1
>debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
>debug: is DNS available? 1
>debug: running meta tests; score so far=5.3
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Monday, January 26, 2004 9:39 AM
>Subject: Re: many spamassassin timeouts
>
>
> > Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> > slow-down is.
> >
> > At 08:33 26/01/2004, you wrote:
> > >Experiencing many spamassassin timeouts lately.
> > >Is there a valid reason for that?
> > >I'm using version 4.26-1 starting
> > >my settings in MailScanner.conf are:
> > >SpamAssassin Timeout = 40
> > >Max SpamAssassin Timeouts = 50
> > >
> > >Any suggestions?
> > >brgds Piet
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.swaney at FSL.COM Sat Jan 31 20:07:20 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:14 2006
Subject: many spamassassin timeouts
In-Reply-To: <00d301c3e834$06408160$630a0a0a@gyruss>
Message-ID: <20040131200719.D96E221C298@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mickey Everts
> Sent: Saturday, January 31, 2004 2:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> Here is something very weird I just noticed in trying to track this down.
> Here is just a small sample of my logs, but notice the time outs happen
> almost exactly every ten minutes? I am running mailscanner-4.25-14.
>

[SKS] Do you have an event that is slowing down your network every 10 minutes. Try a sniffer and see. This is the typical cause for SpamAssassin timeouts.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 06:50:14 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:00:05 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:10:43 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:20:32 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:30:42 defender MailScanner[17784]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:40:45 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 07:50:53 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:00:48 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:11:01 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
> Jan 31 08:20:59 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
>
> Mickey
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Julian Field
> Sent: Saturday, January 31, 2004 6:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: many spamassassin timeouts
>
> At 21:17 30/01/2004, you wrote:
> >I turned on Debug = yes and Debug SpamAssassin = yes but I am not seeing
> >output similar to below in maillog. Should I be looking elsewhere else? I
> >am trying to track down the source of some spamassassin timeouts I have been
> >having. Ideally I need to log the equivalent of "spamassassin -D" for a few
> >hours.
>
> Those 2 options will cause "check_mailscanner" to log all the SA output to
> the terminal. It will process 1 batch of messages and then quit.
> I have been getting a lot of Razor timeouts recently, and have currently
> disabled it. You can do this by adding
> use_razor2 0
> to your spam.assassin.prefs.conf and restarting MailScanner.
>
> >
> >Thanks!
> >
> >Mickey
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> >Of Piet Bos
> >Sent: Monday, January 26, 2004 3:02 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: many spamassassin timeouts
> >
> >a part of the debug output.
> >I find the 0 behind Net::DNS resolver unavailable rather curious
> >do you agree?
> >
> >grtz Piet
> >
> >debug: running raw-body-text per-line regexp tests; score so far=4.3
> >debug: running uri tests; score so far=4.3
> >debug: uri tests: Done uriRE
> >debug: running full-text regexp tests; score so far=4.3
> >debug: Razor2 is not available
> >debug: DCC is not available: dccproc not found
> >debug: Razor1 is not available
> >debug: Pyzor is not available: pyzor not found
> >debug: is Net::DNS::Resolver unavailable? 0
> >debug: trying (3) gwdg.de...
> >debug: looking up MX for 'gwdg.de'
> >debug: MX for 'gwdg.de' exists? 1
> >debug: MX lookup of gwdg.de succeeded => Dns available (set dns_available to hardcode)
> >debug: is DNS available? 1
> >debug: running meta tests; score so far=5.3
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Monday, January 26, 2004 9:39 AM
> >Subject: Re: many spamassassin timeouts
> >
> >
> > > Run with Debug = yes and Debug SpamAssassin = yes, and see where the
> > > slow-down is.
> > >
> > > At 08:33 26/01/2004, you wrote:
> > > >Experiencing many spamassassin timeouts lately.
> > > >Is there a valid reason for that?
> > > >I'm using version 4.26-1 starting
> > > >my settings in MailScanner.conf are:
> > > >SpamAssassin Timeout = 40
> > > >Max SpamAssassin Timeouts = 50
> > > >
> > > >Any suggestions?
> > > >brgds Piet
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Fortress Systems Ltd.
> www.fsl.com
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

From dene at datatechie.com Sat Jan 31 20:28:04 2004
From: dene at datatechie.com (Dene Ulmschneider)
Date: Thu Jan 12 21:22:14 2006
Subject: issues during upgrade to latest version jsut released.
Message-ID: <200401312025.i0VKPav24370@neo.datatechie.com>

Hey all-

I just tried upgrading my MailScanner installation and ran into trouble at the last part of the install script. When it got to the part of the script that it actually ran the MailScanner RPM - it gave an error that said "Segmentation Fault"

I am running version 4.14 now and am upgrading to 4.26.7-1 on an RHL 7.3 system.
I have been running my current version of MS for quite a while now.

Any assistance would be appreciated.

Regards,

Dene Ulmschneider
DATATECHIE
142 Willis Avenue
Mineola, N.Y. 11501
516.741.7533
866.MY.PC.HELP
www.datatechie.com
dene@datatechie.com

DATATECHIE now offers free web based email accounts. Get your free email account now at "http://register.zerostamps.com". This service is provided FREE of charge. All email are VIRUS scanned and filtered for SPAM using our award winning email service "S.A.V.E." (spam and virus eliminator).

--
This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean.
Data Techie... always there to protect you!
http://www.datatechie.com

From Kevin.Spicer at BMRB.CO.UK Sat Jan 31 20:38:32 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:14 2006
Subject: Two Patches
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649A1A@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> Can you send me it again?
> Exactly how critical is it? (Already released 4.26.7 stable).

Not too critical, since most unpacking is handled by the internal unpacker. It stops the external unpacker failing. This happens because it tries to use /root/tmp as unpacking space, but clam drops privileges to the clamav user which doesn't have permission to write to /root/tmp. The wrapper script creates a directory in the mailscanner work directory with the appropriate permissions and tells clam to use this as temp space (this should also improve performance if the work dir is in tmpfs).

It also corrects some misunderstanding of the various command line flags. e.g. --unzip means attempt to use an external unzipper if the internal one fails. The internal one will always be attempted first (even if the --unzip option isn't given). Each of the external unpackers can be given the path to the appropriate command (e.g. -unzip=/usr/bin/unzip).
I've added all the external unpacker options to the file (with the uncommon ones commented out). Because the internal unpacker is always attempted I've moved --unzip to ExtraScanOptions as it could cause a failure.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-wrapper.working
Type: application/octet-stream
Size: 5825 bytes
Desc: clamav-wrapper.working
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040131/bec43d48/clamav-wrapper.obj

From mailscanner at pdscc.com Sat Jan 31 18:48:34 2004
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Thu Jan 12 21:22:14 2006
Subject: sending mail to 2 locations
Message-ID: <200401311910.LAA12534@sheridan.sibble.net>

Is there an easy way in postfix or in MS to send mail to 2 locations?

Situation, isp currently hosts dns and email accounts for client. We have an internal mailserver with an MS box as the mail relay for the internal server.
We want to test with a few of the accounts that currently exist with the isp, so we have the following transport map on the MS box

username1@domain.com smtp:[192.168.x.x]
username2@domain.com smtp:[192.168.x.x]
domain.com smtp:isp mailserver (primary mx for domain)

The plan is to switch the primary MX to the MS box and have isp as secondary and the MS box will forward the test accounts to the internal server and any other mail will go to the isp. Telnetting into the MS box, this all works fine.

Now however I am wondering how to have the MS box send mail for the 2 test accounts to both the internal server and isp mailserver. The reason we are going this way is that we want to keep all the current mail running as it is while still being able to test and use the internal mailserver until we are satisfied that it is ready for production use.

Can anyone suggest a better method of accomplishing the same goal?

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)

From cstamas at digitus.itk.ppke.hu Sat Jan 31 22:06:24 2004
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:15 2006
Subject: Rights or whatever Problem, any Idea?!
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C480@pc.hl.advantic.de>
Message-ID: <20040131220624.GI24228@digitus>

On 01/30, Wilsmann, Dennis wrote:
> Hello please Help I still get following log entries:
>
> "Jan 30 10:34:54 p15112534 MailScanner[23688]: Could not read directory /var/spool/MailScanner/incoming
> Jan 30 10:34:54 p15112534 MailScanner[23688]: Error in configuration file line 109, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)"
>
> But the directories exist and have the correct rights:
>
> "/var/spool/MailScanner
> drwxr-xr-x 13 root root 4096 Jan 29 17:05 ..
> drwxr-xr-x 2 postfix postfix 4096 Jan 29 17:12 incoming
> drwxr-xr-x 2 postfix postfix 4096 Aug 27 16:12 quarantine
> drwxr-xr-x 2 postfix postfix 4096 Jan 28 16:03 spamassassin"

chown postfix.postfix /var/spool/MailScanner

>

--
cstamas

From cstamas at digitus.itk.ppke.hu Sat Jan 31 21:53:36 2004
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:15 2006
Subject: AW: Problems installing Mailscanner on Postfix, clamav, spamassasin
In-Reply-To: <5AF7F4D7005B5A46A54B55892011D09435C47F@pc.hl.advantic.de>
References: <5AF7F4D7005B5A46A54B55892011D09435C47F@pc.hl.advantic.de>
Message-ID: <20040131215336.GH24228@digitus>

On 01/29, Wilsmann, Dennis wrote:
> Well there is an error ...
> it says:
> "Error in configuration file line 107, directory
> /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not
> readable)"
>
> AND
>
> "Could not read directory /var/spool/MailScanner/incoming"

Do not forget to put x bit on the parent directories!
or do chown postfix:postfix /var/spool/MailScanner/ too
not only incoming!!

[...]

--
cstamas
*BSD is like a wigwam: NO windows, NO gates and an Apache inside!
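
The point made in the two replies above (search permission on every parent directory), and Kevin Spicer's earlier note that the clamav user cannot write to /root/tmp, come down to the same walk over classic mode bits. The following is an added example, not part of the thread or of MailScanner; the function names, the `root` parameter and the command-line form are assumptions, and ACLs, SELinux and capabilities are ignored.

```python
import os
import sys

BITS = {"r": 4, "w": 2, "x": 1}


def allowed(st, uid, gids, want):
    """Classic owner/group/other check for the letters in `want` ('r', 'w', 'x').

    Only ONE class applies: an owner with fewer bits than "other" is still
    judged by the owner bits. ACLs and SELinux are not considered (assumption).
    """
    if uid == 0:
        return True  # root is not stopped by directory mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (st.st_mode >> shift) & 7
    return all(granted & BITS[c] for c in want)


def first_blocker(path, uid, gids, need="rx", root="/"):
    """Return (directory, missing) for the first component that stops uid, else None.

    Every directory from `root` down to the parent of `path` needs 'x' (search).
    The final directory needs `need`: 'rx' to read it (a work directory that
    must be listed), 'wx' to create files in it (scratch space for an unpacker).
    """
    path = os.path.abspath(path)
    root = os.path.abspath(root)
    rel = os.path.relpath(path, root)
    if rel == ".." or rel.startswith(".." + os.sep):
        raise ValueError(f"{path} is not below {root}")
    chain = [root]
    if rel != ".":
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for directory in chain[:-1]:
        if not allowed(os.stat(directory), uid, gids, "x"):
            return (directory, "x")
    if not allowed(os.stat(chain[-1]), uid, gids, need):
        return (chain[-1], need)
    return None


if __name__ == "__main__":
    # Hypothetical usage: check.py /var/spool/MailScanner/incoming postfix rx
    import pwd

    target, user = sys.argv[1], sys.argv[2]
    need = sys.argv[3] if len(sys.argv) > 3 else "rx"
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    hit = first_blocker(target, pw.pw_uid, gids, need)
    if hit is None:
        print(f"{user} can reach {target} with {need}")
    else:
        print(f"{user} is blocked at {hit[0]} (needs {hit[1]})")
```

Run it as root or as the directory owner so that every component can be stat()ed; the result describes the named user, not the account running the script.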
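
For the "many spamassassin timeouts" thread earlier in this section, one way to check the ten-minute spacing Mickey Everts points out is to measure the gaps between timeout lines and count how many MailScanner children report them. This is an added example, not code from the thread or from MailScanner: the first six sample lines are copied from his log excerpt and the last is constructed, while the function names, the 10% tolerance and the `year` argument (syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# First six lines: copied from the log excerpt quoted in the thread.
# Last line: constructed, to show that unrelated entries are skipped.
SAMPLE_LINES = [
    "Jan 31 05:48:41 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 05:59:05 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 06:09:02 defender MailScanner[17717]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 06:19:03 defender MailScanner[18146]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 06:29:41 defender MailScanner[17795]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 06:39:26 defender MailScanner[17813]: SpamAssassin timed out and was killed, consecutive failure 1 of 10",
    "Jan 31 06:40:00 defender MailScanner[17813]: constructed unrelated line",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed"
)


def timeout_events(lines, year=2004):
    """Return sorted (timestamp, pid) pairs for the SpamAssassin timeout lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((stamp, int(m.group("pid"))))
    return sorted(events)


def periodicity(events, tolerance=0.10):
    """Summarise the spacing between consecutive timeouts.

    Returns None with fewer than three events. Otherwise a dict with the
    median gap in seconds, the worst deviation from it, the number of
    distinct child PIDs, and whether every gap is within `tolerance` of
    the median.
    """
    if len(events) < 3:
        return None
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
    mid = median(gaps)
    worst = max(abs(g - mid) for g in gaps)
    return {
        "median_gap": mid,
        "worst_deviation": worst,
        "pids": len({pid for _, pid in events}),
        "periodic": worst <= tolerance * mid,
    }


if __name__ == "__main__":
    print(periodicity(timeout_events(SAMPLE_LINES)))
```

A regular gap reported by several different child PIDs means the period is not tied to one MailScanner process, which narrows the search to something on a schedule shared by all of them.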