From list at souil.com Mon Mar 1 04:09:51 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:22:48 2006
Subject: Found to be clean?
In-Reply-To: <40413673.5000302@themarshalls.co.uk>
Message-ID: <20043112951.982958@bensil>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/1479c4aa/attachment.html

From michele at BLACKNIGHTSOLUTIONS.COM Mon Mar 1 04:38:22 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:48 2006
Subject: Found to be clean?
In-Reply-To: <20043112951.982958@bensil>
Message-ID:

"Found to be clean" means it's not a virus.

Your email generated the following header for me (lines of gunk cut):

X-Camelot.Blacknight.ie-MailScanner: Found to be clean - your email message is neither a virus or banned file type
X-Camelot.Blacknight.ie-MailScanner-SpamCheck: not spam - it's not spam

If you compare to your own, you'll see that it is being tagged:

X--MailScanner: Found to be clean - - not a virus
X--MailScanner-SpamCheck: spam, SpamAssassin (score=24.001, -- clearly marked as spam
        required 5, HTML_MESSAGE 0.00, RM_bw_VIAGRA 3.00, RM_sl_ForeignChar 3.00, RM_swm_DrugsVo2 18.00)

(By the way - HTML format emails are not nice on mailing lists)

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ben
Sent: 01 March 2004 04:10
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: [MAILSCANNER] Found to be clean?

Dear All,

Why am I still getting the "Found to be clean" msg when the score is over the required?

X--MailScanner-Information: Please contact the ISP for more information
X--MailScanner: Found to be clean
X--MailScanner-SpamCheck: spam, SpamAssassin (score=24.001, required 5, HTML_MESSAGE 0.00, RM_bw_VIAGRA 3.00, RM_sl_ForeignChar 3.00, RM_swm_DrugsVo2 18.00)
X--MailScanner-SpamScore: 24

From iain at LMP.CO.UK Mon Mar 1 06:30:46 2004
From: iain at LMP.CO.UK (Iain McWilliams)
Date: Thu Jan 12 21:22:48 2006
Subject: Broken messge id cause spam to be ignored?
Message-ID: <11918B7348E7F047B84803317DDDBD3002E88E@tom3.LMP.LOCAL>

HI,

Running Mailscanner with Postfix and spamassassin, everything working well but some spam appears to be slipping through the net. The strange thing is they all have the same broken message id. Could the spammers have found a loophole?

Iain

Microsoft Mail Internet Headers Version 2.0
Received: from mailgate.lmp.co.uk ([192.168.2.5]) by lmp.co.uk with Microsoft SMTPSVC(6.0.3790.0);
        Sun, 29 Feb 2004 11:38:39 +0000
Received: by mailgate.lmp.co.uk (Postfix) id 5A3DD2C39F; Sun, 29 Feb 2004 11:39:13 +0000 (GMT)
Delivered-To: iain@lmp.co.uk
Received: from m156.net81-67-249.noos.fr (m156.net81-67-249.noos.fr [81.67.249.156])
        by mailgate.lmp.co.uk (Postfix) with SMTP id B70232C39F for ; Sun, 29 Feb 2004 11:39:10 +0000 (GMT)
Received: from 120.27.83.222 by 81.67.249.156; Sun, 29 Feb 2004 14:41:34 +0300
Message-ID:
References: <11918B7348E7F047B84803317DDDBD3002E88E@tom3.LMP.LOCAL>
Message-ID: <4042DE9D.5060704@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Iain McWilliams wrote:
|
|
| HI,
|
|
|
| Running Mailscanner with Postfix and spamassassin, everything working
| well but some spam appears to be slipping through the net. The strange
| thing is they all have the same broken message id. Could the spammers
| have found a loophole?
|
|

Just on a sidenote, but why does your MTA accept messages that have an
obviously broken Message-ID ?
Or is that not so obvious?
- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQt6dPMoaMn4kKR4RA87KAJ9nOIUUv6JZK9GssfX3g/WFV1aEkwCcC0mC
oTWk6su1CiV12BYMAO2FnyQ=
=DIcg
-----END PGP SIGNATURE-----

From iain at LMP.CO.UK Mon Mar 1 07:23:56 2004
From: iain at LMP.CO.UK (Iain McWilliams)
Date: Thu Jan 12 21:22:48 2006
Subject: Broken messge id cause spam to be ignored?
Message-ID: <11918B7348E7F047B84803317DDDBD3002E88F@tom3.LMP.LOCAL>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of David Höhn
> Sent: 01 March 2004 06:56
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Broken messge id cause spam to be ignored?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Iain McWilliams wrote:
>
> |
> |
> | HI,
> |
> |
> |
> | Running Mailscanner with Postfix and spamassassin, everything working
> | well but some spam appears to be slipping through the net. The strange
> | thing is they all have the same broken message id. Could the spammers
> | have found a loophole?
> |
> |
>
>
> Just on a sidenote, but why does your MTA accept messages that have an
> obviously broken Message-ID ?
> Or is that not so obvious?

No idea, I imagine it's trying to be helpful! :-)

Regards,
Iain

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 1 08:47:05 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:48 2006
Subject: New Feature Request: Delayed Attachment Delivery
Message-ID:

Hi,

> In the meantime, why not install some more virus scanners? we
> only use clamav on the mail filters and this has worked
> perfectly lately against mydoom and friends, then on each
> mail server we run another brand of AV scanner, one of them
> always picks it up.

This will not help. One of my customers has just been hit with NetSky.C even though we have clamav and two commercial scanners up and running. The few hours between detection and signature updates was enough... :-(

Regards,
JP

From mailscanner at ecs.soton.ac.uk Mon Mar 1 08:49:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <40425104.1010004@gmx.de>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de>
Message-ID: <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>

At 20:52 29/02/2004, you wrote:
>Kevin Spicer wrote:
>
>>There's been some discussion on the clamav list recently about the
>>frequency of clients pulling database updates from their servers. the
>>most notable point was that several of the clam developers urged users
>>to schedule their cron jobs at a random minute past the hour to try and
>>get a better distribution of load on the servers. I guess similar
>>problems also afflict users of commercial scanners.
>>
>>Several things struck me.
>>1) Many (most?) MailScanner users use cron.hourly to schedule updates,
>>therefore we, as a community, are probably responsible for a
>>substantially increased load at one point every hour.
>>2) Everyone updating at the same time increases the possibility of
>>individual updates failing due to bandwidth/ server issues
>>3) Any problems with the virus database introduced immediately before
>>the point we all update are likely to affect all of us before they get
>>fixed
>>4) We all have the same window of opportunity in our update cycles
>>during which a new virus could propagate very quickly, at least if we
>>all updated at different times we may stand a better chance of slowing
>>the rate of spread.
>>
>>I therefore propose that update_virus_scanners be moved from
>>/etc/cron.hourly to a file in /etc/cron.d and that the minute at which
>>it is scheduled in that file be generated either at random or be the
>>same as the minute at which the file was installed. Obviously this
>>would involve generating the file as part of the install process.
>
>could it be possible to set this in update_virus_scanners with a random
>value
>i hope that this would not stop other scripts in cron.hourly.
>
>
># vi /usr/sbin/update_virus_scanners
>
>#!/bin/bash
>
>sleep 300
>
>SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
>[...]
>
>
>
>or
># crontab -e -umailscanner-user

This is the new cron job. Delays by up to 30 minutes if you change the "0" to "1800". I will leave the delay at 0 by default for now, to see if this causes any problems or complaints. I might change the default to 1800 in a future release.

#!/bin/bash

# Insert a random delay up to this value, to spread virus updates round
# the clock. 1800 seconds = 30 minutes.
# Set this to 0 to disable it.
DELAY=0

[ -x /usr/sbin/update_virus_scanners ] || exit 0
if [ "x$DELAY" = "x0" ]; then
  :
else
  logger -p mail.info -t update.virus.scanners Delaying cron job up to $DELAY seconds
  perl -e "sleep int(rand($DELAY));"
fi
exec /usr/sbin/update_virus_scanners
exit 0

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 09:07:39 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:48 2006
Subject: SA 3.0 heads up..
Message-ID: <4042FD5B.2040908@solid-state-logic.com>

All

I guess Julian has already this message on the SA-talk list, but the SA API's are changing for version 3.0

If someone could put something on the web page about this it would be useful when SA 3.0 actually pops out...ie if you're using SpamAssassin V3.0 or later you'll need to have version x.y.z of MailScanner, or something similar...

--
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at ecs.soton.ac.uk Mon Mar 1 09:19:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de> <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040301091745.073f8920@imap.ecs.soton.ac.uk>

At 08:49 01/03/2004, you wrote:
>At 20:52 29/02/2004, you wrote:
>>Kevin Spicer wrote:
>>
>>>There's been some discussion on the clamav list recently about the
>>>frequency of clients pulling database updates from their servers. the
>>>most notable point was that several of the clam developers urged users
>>>to schedule their cron jobs at a random minute past the hour to try and
>>>get a better distribution of load on the servers. I guess similar
>>>problems also afflict users of commercial scanners.
>>>
>>>Several things struck me.
>>>1) Many (most?) MailScanner users use cron.hourly to schedule updates,
>>>therefore we, as a community, are probably responsible for a
>>>substantially increased load at one point every hour.
>>>2) Everyone updating at the same time increases the possibility of
>>>individual updates failing due to bandwidth/ server issues
>>>3) Any problems with the virus database introduced immediately before
>>>the point we all update are likely to affect all of us before they get
>>>fixed
>>>4) We all have the same window of opportunity in our update cycles
>>>during which a new virus could propagate very quickly, at least if we
>>>all updated at different times we may stand a better chance of slowing
>>>the rate of spread.
>>>
>>>I therefore propose that update_virus_scanners be moved from
>>>/etc/cron.hourly to a file in /etc/cron.d and that the minute at which
>>>it is scheduled in that file be generated either at random or be the
>>>same as the minute at which the file was installed.
Obviously this
>>>would involve generating the file as part of the install process.
>>
>>could it be possible to set this in update_virus_scanners with a random
>>value
>>i hope that this would not stop other scripts in cron.hourly.
>>
>>
>># vi /usr/sbin/update_virus_scanners
>>
>>#!/bin/bash
>>
>>sleep 300
>>
>>SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
>>[...]
>>
>>
>>
>>or
>># crontab -e -umailscanner-user
>
>This is the new cron job. Delays by up to 30 minutes if you change the "0"
>to "1800". I will leave the delay at 0 by default for now, to see if this
>causes any problems or complaints. I might change the default to 1800 in a
>future release.

2nd thoughts. I am going to make the random delay 10 minutes for now as I still want people to basically get updates every hour.

>#!/bin/bash
>
># Insert a random delay up to this value, to spread virus updates round
># the clock. 1800 seconds = 30 minutes.
># Set this to 0 to disable it.
>DELAY=0
>
>[ -x /usr/sbin/update_virus_scanners ] || exit 0
>if [ "x$DELAY" = "x0" ]; then
>  :
>else
>  logger -p mail.info -t update.virus.scanners Delaying cron job up to $DELAY seconds
>  perl -e "sleep int(rand($DELAY));"
>fi
>exec /usr/sbin/update_virus_scanners
>exit 0
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 09:31:05 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> 2nd thoughts. I am going to make the random delay 10 minutes for now
> as I still want people to basically get updates every hour.
>

I wonder whether just pulling the 'inode modification time' (ls -lc) of update_virus_scanners and using the minutes & seconds from that to create a delay would be acceptable. That way the update would be every hour, but at the same (semi-random) time every hour. I _think_ the inode modification time is the time of install, as opposed to the modification time (which would be the same for everyone who hadn't altered the file)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From P.G.M.Peters at utwente.nl Mon Mar 1 09:14:13 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <40425104.1010004@gmx.de>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de>
Message-ID:

On Sun, 29 Feb 2004 21:52:20 +0100, you wrote:

>Kevin Spicer wrote:
>
>>Several things struck me.
>>1) Many (most?) MailScanner users use cron.hourly to schedule updates,
>>therefore we, as a community, are probably responsible for a
>>substantially increased load at one point every hour.
>
>could it be possible to set this in update_virus_scanners with a random
>value
>i hope that this would not stop other scripts in cron.hourly.
>
>
># vi /usr/sbin/update_virus_scanners
>
>#!/bin/bash
>
>sleep 300

I have seen some crontab scripts used for updating stuff having a random value as the parameter of sleep. Making it even random every time it runs.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Mon Mar 1 10:02:25 2004
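
The "Virus update times" thread above weighs a fresh random delay on every run against Kevin Spicer's fixed per-host offset taken from the updater's inode change time. The sketch below shows the second option; it is an added example, not code from the thread or from MailScanner. The names `file_ctime`, `ctime_delay` and `run_update` are hypothetical, and it assumes a `stat` that accepts GNU `-c %Z` or BSD `-f %c`.

```shell
#!/bin/sh
# Added example: derive a stable per-host delay from a file's inode change
# time (ctime) instead of drawing a new random delay on every cron run.

# Print FILE's ctime as seconds since the epoch (GNU stat first, then BSD).
file_ctime() {
    stat -c %Z "$1" 2>/dev/null || stat -f %c "$1" 2>/dev/null
}

# Print a delay in seconds in the range [0, MAX) for FILE.
# The minutes-and-seconds part of the ctime (ctime mod 3600) is folded into
# the window, so the value stays the same until the inode changes again.
# Prints 0 when MAX is 0 or not a number, or when FILE cannot be examined.
ctime_delay() {
    file=$1
    max=$2
    case $max in
        ''|*[!0-9]*) echo 0; return 0 ;;
    esac
    # Drop leading zeros so the shell does not read the value as octal.
    while [ "${max#0}" != "$max" ] && [ "${#max}" -gt 1 ]; do
        max=${max#0}
    done
    if [ "$max" -eq 0 ]; then
        echo 0
        return 0
    fi
    ctime=$(file_ctime "$file") || { echo 0; return 0; }
    case $ctime in
        ''|*[!0-9]*) echo 0; return 0 ;;
    esac
    echo $(( (ctime % 3600) % max ))
}

# Cron entry point modelled on the job posted in the thread: wait for the
# per-host offset, then run the updater. UPDATER is the path used there;
# DELAY is the window in seconds (600 = 10 minutes, 0 disables the delay).
UPDATER=/usr/sbin/update_virus_scanners
DELAY=600

run_update() {
    [ -x "$UPDATER" ] || return 0
    secs=$(ctime_delay "$UPDATER" "$DELAY")
    if [ "$secs" -gt 0 ]; then
        logger -p mail.info -t update.virus.scanners "Delaying cron job $secs seconds"
        sleep "$secs"
    fi
    "$UPDATER"
}

# Only run the updater when asked to, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_update
fi
```

The ctime also changes on chmod, chown or a package upgrade, so the offset moves whenever the updater is reinstalled.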
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: install problem 2nd try
In-Reply-To: <000001c3ff73$69148420$0c00a8c0@instalari>
References: <000001c3ff73$69148420$0c00a8c0@instalari>
Message-ID: <6.0.1.1.2.20040301100126.0730fd80@imap.ecs.soton.ac.uk>

Install Net::CIDR from CPAN and then try it again:

        perl -MCPAN -e 'install Net::CIDR'

At 12:09 28/02/2004, you wrote:
>Hi,
>
>I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.2 Linux.
>During the installation script I get errors like: Net/CIDR........needs
>perl-base>=5.800. I have perl-base-5.8.1-RC4.3mdk.
>
> MailScanner: Can't locate Net/CIDR.pm in @INC (@INC
> contains: /usr/lib/MailScanner
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .
> /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
>BEGIN failed--compilation aborted at
>/usr/lib/MailScanner/MailScanner/Config.pm line 34.
>Compilation failed in require at /usr/sbin/MailScanner line 42.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42.
> [ OK ]
>
>It is clear. the Net/CIDR.. does not install because i have perl-base<5.800
>. But I have perl-base-5.8.1-RC4.3mdk!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
>should I install an older version of MailScanner?
>
>pls Help me
>
>Thanks

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:01:06 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: install problem 2nd try
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AD9@pascal.priv.bmrb.co.uk>

Daniel Kostyal wrote:
> Hi,
>
> I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.2 Linux.
> During the installation script I get errors like: Net/CIDR........needs
> perl-base>=5.800. I have perl-base-5.8.1-RC4.3mdk.
>

You need to do

./install.sh nodeps

Mandrake and RedHat named their perl rpms differently - but a default install of perl on Mandrake provides all the necessary modules.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:05:31 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>

See this
http://www.sophos.co.uk/virusinfo/analyses/w32baglef.html

This virus is spreading rapidly, we've seen it overnight (although not in its password protected form - but we had no way of spotting that so it may have got through). I'm now blocking zip files (making me not very popular this morning!).

Time to start a discussion about ways to block password protected zip files?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From dh at UPTIME.AT Mon Mar 1 10:09:33 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID: <40430BDD.8050700@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Spicer, Kevin wrote:
|
| Time to start a discussion about ways to block password protected zip files?
|

Does the user have to enter a password? is the password written down inside the Mail ? Is it a random string?

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQwvcPMoaMn4kKR4RAwmkAKCVenGrC2izY0YqvNjiFoiICFirBACfRI0h
lfwuApbYQH8pQJsXt/WdM18=
=tal+
-----END PGP SIGNATURE-----

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:15:00 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>

[third hand answers borrowed from a discussion on the clam list]

David Höhn wrote:
> Does the user have to enter a password?

Yes

> is the password written down
> inside the Mail ?

Yes, uses a social engineering trick to get them to enter it

>Is it a random string?
>

Seems to be a random number from the two examples quoted so far

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From dh at UPTIME.AT Mon Mar 1 10:22:00 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
Message-ID: <40430EC8.2080204@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Spicer, Kevin wrote:
| [third hand answers borrowed from a discussion on the clam list]
| David Höhn wrote:
|
| Yes, uses a social engineering trick to get them to enter it
|

In this case I think it is not a program's duty to protect the Users but the security officers. Which means they should be warned. I know that does not do the trick in all cases but a software solution neither does.

|
|>Is it a random string?
|>
|
|
| Seems to be a random number from the two examples quoted so far
|

Is it something that could be handled fairly easily by MCP ? If so, I think that is the way to go

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQw7HPMoaMn4kKR4RA7mTAJ9Wto+Hnny/CsqU50Nwe2SdHeTuOgCgipgZ
FoPXQqiSrXrgR4quni5NMpY=
=tjz2
-----END PGP SIGNATURE-----

From shrek-m at GMX.DE Mon Mar 1 10:23:53 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID: <40430F39.6090005@gmx.de>

Spicer, Kevin wrote:

>See this
>http://www.sophos.co.uk/virusinfo/analyses/w32baglef.html
>

From: Sophos Alert System
Date: Mon, 01 Mar 2004 04:40:10 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-G
http://www.sophos.co.uk/virusinfo/analyses/w32bagleg.html

From: Sophos Alert System
Date: Mon, 01 Mar 2004 00:34:32 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-F

From: Sophos Alert System
Date: Sat, 28 Feb 2004 22:56:47 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-D

...

--
shrek-m

From raymond at PROLOCATION.NET Mon Mar 1 10:25:37 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: install problem 2nd try
In-Reply-To: <000001c3ff73$69148420$0c00a8c0@instalari>
Message-ID:

Hi!

> It is clear. the Net/CIDR.. does not install because i have
> perl-base<5.800 . But I have
> perl-base-5.8.1-RC4.3mdk!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> should I install an older version of MailScanner?

Can't you install that module via CPAN ?

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Mar 1 10:27:45 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID:

Hi!

> This virus is spreading rapidly, we've seen it overnight (although not
> in its password protected form - but we had no way of spotting that so
> it may have got through).

Also in non protected zips...

It's in our top10 of today:

4747 W32/Netsky.B@mm
1275 W32/Swen.A@mm
 404 W32/Sober.C@mm
 337 W32/Mydoom.A@mm
 200 W32/Netsky.C@mm
 126 W32/Bugbear.B@mm
  96 W32/Bagle.F@mm
  57 W32/Bagle.E@mm
  49 W32/Mydoom.E@mm
  19 W32/Mimail.J@mm

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Mar 1 10:29:29 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To:
Message-ID:

Hi!

> It's in our top10 of today:
>
> 4747 W32/Netsky.B@mm
> 1275 W32/Swen.A@mm
>  404 W32/Sober.C@mm
>  337 W32/Mydoom.A@mm
>  200 W32/Netsky.C@mm
>  126 W32/Bugbear.B@mm
>   96 W32/Bagle.F@mm
>   57 W32/Bagle.E@mm
>   49 W32/Mydoom.E@mm
>   19 W32/Mimail.J@mm

The G one also just came in twice:

2 W32/Bagle.G@mm

Bye,
Raymond.

From list at souil.com Mon Mar 1 10:32:19 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:22:49 2006
Subject: Get some spams to test the new installation
Message-ID: <200431183219.526111@bensil>

Dear All,

How could I get some more spams and hams to test the accuracy of my new installation of the MS?
I have to make sure it works well before applying it to my server with about 100 domains on it.

From dh at UPTIME.AT Mon Mar 1 10:38:38 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: Get some spams to test the new installation
In-Reply-To: <200431183219.526111@bensil>
References: <200431183219.526111@bensil>
Message-ID: <404312AE.6020808@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ben wrote:
| Dear All,
|
| How could I get some more spams and hams to test the accuracy of my new installation of the MS?
| I have to make sure it works well before applying it to my server with about 100 domains on it.

In short, you do not. The accuracy of Spamassassin its bayes DB and your set up very much depends on the kind of Mail Flow you have and that will differ from domain to domain or if you see your installation as a whole, it will differ on the 100 domain than what you could actually ever test.

The first few weeks of a new Installation will surely be a matter of fine tuning things to your needs, the large amount of general spam will be caught at once anyways

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQxKtPMoaMn4kKR4RAyTpAJ4sa7I/mkpd3EPBHEiQZhjb0pJzwACZAU0d
IHtz3nq+NlIOWYwxhQl69/Q=
=RsXG
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Mon Mar 1 11:43:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:49 2006
Subject: ANNOUNCE: Stable 4.27.7 released
Message-ID: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk>

Morning all,

I have just released MailScanner 4.27.7. This is a stable release.

The big question, as usual, is "should I upgrade?"

The biggest change for this release is a couple of improvements to the robustness of the MIME decoder, which finds attachments hidden in messages. These improvements are quite important, but they do cause MailScanner to run more slowly than it did. I am sorry but there is nothing I can do about that, I have worked hard to minimise the impact on speed. So if your MailScanner server is running at full speed just to keep up, then you should compare the merits of better attachment extraction against the possible impact on your hardware. Keep the previous version kicking around so you can downgrade again if necessary.

If you want to install it with Qmail, then at the moment the best method is to look at http://opencomputing.sourceforge.net/.

The ChangeLog for this version is here:

* New Features and Improvements *
- Made the MIME parser much more robust to find messages hidden in messages.
- Also made it more robust against parsing errors by the virus scanners.
- Improved robust MIME decoding speed slightly.
- Added "Non-Forging Viruses" list which works the opposite way around to the "Silent Viruses" list. If a virus report contains any words in this list, then the silent status is over-ridden by this. The net result is that you can put All-Viruses in the silent viruses list, so that by default no warnings are sent to senders. But put markers for joke programs or macro viruses in this list and the senders will still be warned about them, as they are known not to forge the From address.
- Added options to add new headers containing the envelope sender and/or envelope recipients addresses. The names of the headers are, of course, configurable.
- Added "Enable Spam Bounce" ruleset for selectively switching on permission to bounce spam for your most important customers.
- When lots of consecutive SpamAssassin timeouts occur, all network tests are now stopped, not just RBL checks.
- Improved Linux init.d scripts so that postfix and postfix.in settings are used throughout the init.d script.
- Much improved clamav-wrapper, courtesy of Kevin Spicer.
- Improved logging output from Trend autoupdater.
- Improved logging output from Trend parser.
- Added comment about absolute path to Incoming Work Dir config option.
- Added old and new queue ids for Postfix to make for easy message tracking.
- Removed 2 confusing harmless log entries in Postfix queue discovery.
- Brazilian Portuguese reports are now all translated.
- Improved Welsh translation of recipient spam and mcp reports.
- Replaced original Catalan reports with new ones, with correct directory name.
- Added $subject to Subject: line in sample recipient.spam.report.txt to show it can be used. Should ideally get all other languages translated.
- Added support for Qmail. You will need the contents of qmail/qmail-queue.zip.
- Added support for Symantec CarrierScan virus scanner (css).
- Improved Symantec scanning support, courtesy of Kevin Spicer.
- Added support for F-Secure 4.52.
- Added Exim d2mbox to distribution.
- Added optional random delay to update_virus_scanners cron job so as not to overload virus update servers once per hour.

* Fixes *
- Fixed bug in "Rebuild Bayes Every" feature on Solaris.
- Exim bug with empty Subject headers being corrupted fixed.
- Fixed bug in directory reading in new MIME parser code.
- Exim multiple ACLs now supported for SPF compatibility.
- Corrected all signature separators to "-- " instead of "--".
- Worked around Perl bug in inclusion of @ in report files.
- Fixed silent/noisy detection code when noisy list is empty.
- Changed default MTA to sendmail in SuSE /etc/sysconfig/MailScanner.
- Fixed bug in minimum number of stars!=0 not always generating X-Spam-Score header. - Fixed small bug in Exim d2mbox script for very long headers. - Outstanding: Quarantining warning message bug - cannot reproduce on any OS. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From P.G.M.Peters at utwente.nl Mon Mar 1 11:50:50 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:49 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: References: Message-ID: On Mon, 1 Mar 2004 11:29:29 +0100, you wrote: >Hi! > >> Its in our top10 of today: >> >> 4747 W32/Netsky.B@mm >> 1275 W32/Swen.A@mm >> 404 W32/Sober.C@mm >> 337 W32/Mydoom.A@mm >> 200 W32/Netsky.C@mm >> 126 W32/Bugbear.B@mm >> 96 W32/Bagle.F@mm >> 57 W32/Bagle.E@mm >> 49 W32/Mydoom.E@mm >> 19 W32/Mimail.J@mm > >The G one also just came in twice: > >2 W32/Bagle.G@mm We got 12 removed 12 W32/Bagle.E@mm 1 removed 10 W32/Bagle.F@mm 8 W32/Bagle.C@mm 4 removed 4 W32/Bagle.D@mm 9 removed 1 W32/Bagle.G@mm -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From christo at IT4AFRICA.CO.ZA Mon Mar 1 11:50:46 2004 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked.
Message-ID: <00fd01c3ff83$6f171c10$660210ac@christoxp>

I changed my setting in the filetype.rules.conf to deny archive files. I have restarted mailscanner but still archives are delivered.

I'm running RH9 latest stable Mailscanner and SA

Kind Regards,

Christo Bezuidenhout
E-Commerce Manager
IT for Africa
Email Christo@it4africa.co.za
Web http://www.ag-industries.com
Switchboard +27 12 665 9900
Fax +27 12 665 9911
Address Lunar Place 1 Eddington Crescent Highveld Techno Park Centurion
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/b20d2703/attachment.html

From steve.freegard at LBSLTD.CO.UK Mon Mar 1 11:51:46 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
Message-ID: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>

Hi List,

I've just noticed that Clam is catching these:

ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite

but Sophos isn't picking them up at all.

Is anyone else seeing these?? - looks like another example of the Clam guys beating Sophos with their definitions...

Regards,
Steve.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.
From dh at UPTIME.AT Mon Mar 1 11:53:53 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: ANNOUNCE: Stable 4.27.7 released
In-Reply-To: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk>
Message-ID: <40432451.607@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:

| - Corrected all signature separators to "-- " instead of "--".

I assume you did this because you are not sending your messages as "format=flowed" and never plan to do so? Because "-- " would be incorrect then, as per our discussion :)

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQyRQPMoaMn4kKR4RAxRrAJ0TkZfxMf4eXU/MWlaQXRtOHYr9AQCeKku9
NYbqkDnJbfEf33mkXPxFSfs=
=jqzT
-----END PGP SIGNATURE-----
From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 11:55:46 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AE2@pascal.priv.bmrb.co.uk> > Hi List, > > I've just noticed that Clam is catching these: > > ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite > > but Sophos isn't picking them up at all. > > Is anyone else seeing these?? - looks like another example of > the Clam guys > beating Sophos with their definitions... > Yes, we're seeing lots of them - being caught by Clam, missed by Sophos and Symantec BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 11:57:03 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos In-Reply-To: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk> Message-ID: <4043250F.6000800@solid-state-logic.com> Steve seen about 5 of these today - better let sophos know I guess.. and yes Sophos do seem to be slightly more tardy than usual recently..cf mydoom.A as well. Perhaps that nice new building they've got is slowing the process down somehow.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Steve Freegard wrote: > Hi List, > > I've just noticed that Clam is catching these: > > ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite > > but Sophos isn't picking them up at all. > > Is anyone else seeing these?? - looks like another example of the Clam guys > beating Sophos with their definitions... > > Regards, > Steve. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dh at UPTIME.AT Mon Mar 1 11:58:25 2004 
From: dh at UPTIME.AT (=?UTF-8?B?RGF2aWQgSMO2aG4=?=) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos In-Reply-To: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk> Message-ID: <40432561.2060403@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Steve Freegard wrote: | Hi List, | | I've just noticed that Clam is catching these: | | ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite | Yes, just had the same behaviour, 3 of them in a row even and Sophos not yelling. - -d - -- nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAQyVhPMoaMn4kKR4RAxZLAJ4xQv04ls5Rh7Bb+XRo2f+w3RCVUwCeNaPu LF654iS9wcV3diFAajgolu8= =DVuH -----END PGP SIGNATURE----- From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 11:56:43 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C58B@jessica.herefordshire.gov.uk> McAfee detects it as W32/Netsky.c@MM. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Steve Freegard > Sent: 01 March 2004 11:52 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Viruses picked up by Clam and not Sophos > > > Hi List, > > I've just noticed that Clam is catching these: > > ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite > > but Sophos isn't picking them up at all. > > Is anyone else seeing these?? - looks like another example of > the Clam guys > beating Sophos with their definitions... > > Regards, > Steve. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of > computer viruses. > From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 11:59:33 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked.
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>

Christo Bezuidenhout wrote:
> I changed my setting in the filetype.rules.conf to deny archive
> files. I have restarted mailscanner but still archives are delivered.
>
> I'm running RH9 latest stable Mailscanner and SA
>

Are you actually using the filetype rules - I think they are off by default.

I've just blocked .zip in filename rules

P.S. Please don't post in HTML

P.P.S If you really must post in html please drop the animated signature - Thanks

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
From dh at UPTIME.AT Mon Mar 1 12:05:40 2004
From: dh at UPTIME.AT (=?ISO-8859-1?Q?David_H=F6hn?=) Date: Thu Jan 12 21:22:49 2006 Subject: Trying to get zip files blocked. In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk> Message-ID: <40432714.6000806@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Spicer, Kevin wrote: | | | | BMRB International | http://www.bmrb.co.uk | +44 (0)20 8566 5000 | _________________________________________________________________ | This message (and any attachment) is intended only for the | recipient and may contain confidential and/or privileged | material. If you have received this in error, please contact the | sender and delete this message immediately. Disclosure, copying | or other action taken in respect of this email or in | reliance on it is prohibited. BMRB International Limited | accepts no liability in relation to any personal emails, or | content of any email which does not directly relate to our | business. Could you please drop this legally completely no sense making and in Europe completely useless signature then :) PS: I am just kidding, so please take this with a grain of salt and simply laugh about it :) - -- nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAQycUPMoaMn4kKR4RAxs8AJ4rhJ9hBGQeYAzjue07eilDX0evFQCgk9yM b5+Pcxo1TTublcxwbWtazxQ= =q7n0 -----END PGP SIGNATURE----- From steve.freegard at LBSLTD.CO.UK Mon Mar 1 12:10:30 2004 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos Message-ID: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk> Thanks for all the replies... It looks like Sophos released an IDE for Netsky-D during the last hour which was just picked up by update_virus_scanners, as it now seems to be catching this: SophosSAVI: document_word.pif was infected by W32/Netsky-D ClamAV Module: document_word.pif was infected: Worm.SomeFool.B-petite Cheers, Steve. > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: 01 March 2004 11:57 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Viruses picked up by Clam and not Sophos > > > McAfee detects it as W32/Netsky.c@MM. > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Steve Freegard > > Sent: 01 March 2004 11:52 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Viruses picked up by Clam and not Sophos > > > > > > Hi List, > > > > I've just noticed that Clam is catching these: > > > > ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite > > > > but Sophos isn't picking them up at all. > > > > Is anyone else seeing these?? - looks like another example > of the Clam > > guys beating Sophos with their definitions... > > > > Regards, > > Steve. > > > > -- > > This email and any files transmitted with it are confidential and > > intended solely for the use of the individual or entity to > whom they > > are addressed. If you have received this email in error > please notify > > the sender and delete the message from your mailbox. > > > > This footnote also confirms that this email message has > been swept by > > MailScanner (www.mailscanner.info) for the presence of computer > > viruses. > > > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 12:13:54 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] Message-ID: <40432902.8020101@solid-state-logic.com> All looks they've got it finally!!! -- -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -------------- next part -------------- An embedded message was scrubbed... From: Sophos Alert System Subject: Sophos Anti-Virus IDE alert: W32/Netsky-D Date: Mon, 01 Mar 2004 11:51:01 +0000 (GMT) Size: 2842 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/fc733e44/Netsky-D.mht From steve.freegard at LBSLTD.CO.UK Mon Mar 1 12:22:40 2004 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] Message-ID: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk> Hi Martin, This is pretty poor really isn't it - I've actually just changed my MailWatch set-up to use Clam as the primary scanner for reporting and I've added 'Worm' to silent viruses as there isn't an easy way to achieve this with Sophos (unlike McAfee with the @MM suffix). If things don't improve soon, McAfee will have a new customer when our contract with Sophos expires... Kind regards, Steve. > -----Original Message----- 
> From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] > Sent: 01 March 2004 12:14 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] > > > All > > looks they've got it finally!!! > > > -- > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 12:27:56 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk>
Message-ID: <40432C4C.8050107@solid-state-logic.com>

Steve

I note that it only seems to be slow at certain times. I wonder if one of the shifts is slow or not as strong as the others...Some of the guys on my LUG are sophos guys - I'll try and dig some dirt :-)

So when did McAfee have the update out? They used to be pretty slow in the past themselves....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Steve Freegard wrote:
> Hi Martin,
>
> This is pretty poor really isn't it - I've actually just changed my
> MailWatch set-up to use Clam as the primary scanner for reporting and I've
> added 'Worm' to silent viruses as there isn't an easy way to achieve this
> with Sophos (unlike McAfee with the @MM suffix).
>
> If things don't improve soon, McAfee will have a new customer when our
> contract with Sophos expires...
>
> Kind regards,
> Steve.
>
>
>

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************
From christo at IT4AFRICA.CO.ZA Mon Mar 1 12:29:30 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked. {Virus Scanned}
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>
Message-ID: <010e01c3ff88$d94097b0$660210ac@christoxp>

Yes we are using the filetype rules with great effect. It works fine for all other attachments.

Sorry for the Animated Sig.

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > Sent: 01 March 2004 02:00 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > Christo Bezuidenhout wrote: > > I changed my setting in the filetype.rules.conf to deny > archive files. > > I have restarted mailscanner but still archives are delivered. > > > > I'm running RH9 latest stable Mailscanner and SA > > > > Are you actually using the filetype rules - I think they are > off by default. > > I've just blocked .zip in filename rules > > P.S. Please don't post in HTML > > P.P.S If your really must post in html please drop the > animated signature - Thanks > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > > From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 12:32:50 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C58C@jessica.herefordshire.gov.uk> Our McAfee patterns updated at 02:02 GMT this morning, so they came out some time after 01:00 GMT. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: 01 March 2004 12:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] > > > Steve > > I note that it only seems to be slow at certain times. I wonder if one > of the shifts is slow or not as strong as the others...Some > of the guys > on my LUG are sophos guys - I'll try and dig some dirt :-) > > > So when did McAfee have the update out? They used to the > pretty slow in > the past themselves.... > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Steve Freegard wrote: > > Hi Martin, > > > > This is pretty poor really isn't it - I've actually just changed my > > MailWatch set-up to use Clam as the primary scanner for > reporting and I've > > added 'Worm' to silent viruses as there isn't an easy way > to achieve this > > with Sophos (unlike McAfee with the @MM suffix). > > > > If things don't improve soon, McAfee will have a new > customer when our > > contract with Sophos expires... > > > > Kind regards, > > Steve. > > > > > > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From garry at GLENDOWN.DE Mon Mar 1 12:36:36 2004 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk> Message-ID: <40432E54.7060600@glendown.de> Steve Freegard wrote: > Hi Martin, > > This is pretty poor really isn't it - I've actually just changed my > MailWatch set-up to use Clam as the primary scanner for reporting and I've > added 'Worm' to silent viruses as there isn't an easy way to achieve this > with Sophos (unlike McAfee with the @MM suffix). > > If things don't improve soon, McAfee will have a new customer when our > contract with Sophos expires... We've had pretty good experiences with F-Prot ... usually had the first virus in the logfiles well before any announcement of the virus appeared on any geek news services -gg From sysadmin at FLEETONE.COM Mon Mar 1 12:38:21 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk> <40432E54.7060600@glendown.de> Message-ID: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com> ----- Original Message ----- 
From: "Garry Glendown"
To:
Sent: Monday, March 01, 2004 6:36 AM
Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]

> Steve Freegard wrote:
>
> > Hi Martin,
> >
> > This is pretty poor really isn't it - I've actually just changed my
> > MailWatch set-up to use Clam as the primary scanner for reporting and
> I've
> > added 'Worm' to silent viruses as there isn't an easy way to achieve this
> > with Sophos (unlike McAfee with the @MM suffix).
> >
> > If things don't improve soon, McAfee will have a new customer when our
> > contract with Sophos expires...
>
>
> We've had pretty good experiences with F-Prot ... usually had the first
> virus in the logfiles well before any announcement of the virus appeared
> on any geek news services
>
> -gg

I second that for f-prot. We use it here at work and I use it at home. They send out their updates fast.

Rob

From pb at WANTECH.SE Mon Mar 1 12:31:01 2004
From: pb at WANTECH.SE (Patrik Bäckström)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
Message-ID: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>

Hello.

I've searched the list archives and browsed the FAQ(s) but I can't find anything that would solve my problem.

We use MailScanner for several customers/domains (currently version 4.25-14) and we would like to gather statistics per customer on how many mails scanned (that I can get from postfix), how many rejected and why and so on.

Currently, it only tells us that something has been blocked and why, but not from or, more important, to who the mail was sent.

Is there some configuration option I've missed or is there any other way to make MailScanner log this kind of information?

/pb

--
Patrik Bäckström - pb@wantech.se
Wantech AB - http://www.wantech.se
Askims Verkstads väg 4 - 436 34 Askim
Dir: 031-748 49 11 - Mob: 070-378 49 11
Vxl: 031-748 49 00 - Fax: 031-748 49 19
From christo at IT4AFRICA.CO.ZA Mon Mar 1 12:43:19 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] {Virus Scanned} In-Reply-To: <40432902.8020101@solid-state-logic.com> Message-ID: <011501c3ff8a$c6937c70$660210ac@christoxp> F-secure still working on the Firus Update. > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth > Sent: 01 March 2004 02:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] > {Virus Scanned} > > > All > > looks they've got it finally!!! > > > -- > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential > and intended solely for the use of the individual or entity > to whom they are addressed. If you have received this email > in error please notify the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > > From dh at UPTIME.AT Mon Mar 1 12:56:06 2004 
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
References: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
Message-ID: <404332E6.7090304@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Patrik Bäckström wrote:
|
| Is there some configuration option I've missed or is there any other way to
| make MailScanner log this kind of information?
|
| /pb
|

have a look at mailwatch.sf.net

- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQzLlPMoaMn4kKR4RAwyQAJwIUCOv5xRpXG8onSuPdkjOrwTLwgCfcqeP
/bHhhy6GJVuSnvRgH6ELKb4=
=jX8j
-----END PGP SIGNATURE-----

From david at PLATFORMHOSTING.COM Mon Mar 1 12:59:27 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
Message-ID: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Patrik Bäckström
> Sent: Monday, 1 March 2004 11:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: More details in the logs
>
> We use MailScanner for several customers/domains (currently version 4.25-14)
> and we would like to gather statistics per customer on how many mails
> scanned (that I can get from postfix), how many rejected and why and so
> on.
>
> Currently, it only tells us that something has been blocked and why, but not
> from or, more important, to who the mail was sent.

http://mailwatch.sf.net/

Will allow you to setup per domain/user etc etc stats for users, very useful tool indeed.

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From spamtrap71892316634 at ANIME.NET Mon Mar 1 13:16:04 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com>
Message-ID:

On Mon, 1 Mar 2004, Rob wrote:

> > Steve Freegard wrote:
> > We've had pretty good experiences with F-Prot ... usually had the first
> > virus in the logfiles well before any announcement of the virus appeared
> > on any geek news services
> I second that for f-prot. We use it here at work and I use it at home.
> They send out their updates fast.

thirded for f-prot. i use it on win32 as well as linux. integrates nicely with mailscanner. they are always current. two thumbs up.

-Dan
From mailscanner at MANGO.ZW Mon Mar 1 13:24:58 2004
From: mailscanner at MANGO.ZW (Jim Holland)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
Message-ID:

Hi

On Mon, 1 Mar 2004, Patrik Bäckström wrote:

> We use MailScanner for several customers/domains (currently version
> 4.25-14) and we would like to gather statistics per customer on how
> many mails scanned (that i can get from postfix), how many rejected
> and why and so on.
>
> Currently, it only tells us that something has been blocked and why,
> but not from or, more important, to who the mail was sent.

I think this is an important requirement. Unlike with worms, it is not
possible to be 100% certain that a particular message is spam. I would
like to use a very aggressive spam blocklist - eg dnsbl.net.au. However if
spam is quarantined without a notice to either sender or recipient it is
quite possible that genuine mail will be lost. The use of the "notify"
option is not really an option, as I would not like to receive a separate
notification for each of the 150 spam messages per day that people
normally try to send me. Before using MailScanner we could simply analyse
the sendmail maillog file for details of recipients whose mail had been
blocked. Sadly, I now see that in a significant number of cases where
spam is blocked there is no longer a sendmail entry indicating who it was
going to be delivered to (see more details appended), and the MailScanner
Spam Actions entry does not indicate the recipient either.

What we are doing now is to run a nightly script that analyses the headers
of all quarantined spam for recipients, and also checks the maillog file
for recipients that might be listed there for the same quarantined
messages. We then send a summary to our users that lists details of all
quarantined mail. I think the concept of a daily archival notice is a
good compromise between sending no notices at all and sending a separate
notice for each message.

Another way of handling this issue would be to write the MailScanner
notification messages to a separate log file instead of delivering them to
the recipients. That log file could then be analysed separately. However
there is currently no option for sending the notifications anywhere other
than to the recipient.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

Logging of blocked spam

Normally the sendmail maillog file will have the following entries:

    sendmail from= line with details of sender
    sendmail to= line indicating recipient, stat=queued
    MailScanner RBL checks: details of why message is blocked
    MailScanner Message line, eg:
        Message i21D03F24046 from 213.120.110.92
        (manmeet@liquidstorms.com) to mango.zw is spam, spamhaus-XBL
    MailScanner Spam Actions . . . actions are store

For reasons I don't understand, the second (or more, if there are multiple
recipients) sendmail line is not always present, so there is no consistent
log info about the recipient(s). If the MailScanner Message line could
include the details of the recipients in it then it would be possible to
meet the requirements of Patrik for statistics, and also use it for
purposes of user notifications.

A more advanced option might be for MailScanner to provide a proper daily
archival notification facility rather than the current per message
notification which is really unworkable given the huge volume of spam.

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 13:35:08 2004
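The nightly correlation described in the message above, as an added example that is not code from the original post: it joins sendmail `to=` lines to MailScanner `Message ... is spam` lines on the queue ID, builds a per-recipient digest, and lists the messages whose `to=` line is missing. The sample log is constructed; the sendmail line layout, the comma-separated domain field and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog. Only the wording of the MailScanner "Message"
# line comes from the post; the sendmail lines follow the usual syslog layout.
SAMPLE_LOG = """\
Mar  1 13:00:03 mx sendmail[24046]: i21D03F24046: from=<manmeet@liquidstorms.com>, size=2311, class=0, nrcpts=2, proto=SMTP, relay=[213.120.110.92]
Mar  1 13:00:03 mx sendmail[24046]: i21D03F24046: to=<alice@mango.zw>, delay=00:00:00, mailer=esmtp, stat=queued
Mar  1 13:00:03 mx sendmail[24046]: i21D03F24046: to=<bob@mango.zw>, delay=00:00:00, mailer=esmtp, stat=queued
Mar  1 13:00:09 mx MailScanner[411]: Message i21D03F24046 from 213.120.110.92 (manmeet@liquidstorms.com) to mango.zw is spam, spamhaus-XBL
Mar  1 13:02:10 mx sendmail[24101]: i21D2AF24101: from=<promo@bulk.example>, size=901, class=0, nrcpts=1, proto=SMTP, relay=[192.0.2.7]
Mar  1 13:02:15 mx MailScanner[411]: Message i21D2AF24101 from 192.0.2.7 (promo@bulk.example) to mango.zw is spam, spamhaus-XBL
Mar  1 13:05:00 mx sendmail[24200]: i21D50F24200: from=<friend@example.org>, size=1200, class=0, nrcpts=1, proto=SMTP, relay=[198.51.100.4]
Mar  1 13:05:00 mx sendmail[24200]: i21D50F24200: to=<alice@mango.zw>, delay=00:00:00, mailer=esmtp, stat=queued
"""

# sendmail recipient line: "<qid>: to=<addr>[,<addr>...], delay=..."
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<rcpts>\S+?), ")
# MailScanner verdict line, in the form quoted in the post
SPAM_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<qid>\S+) from (?P<relay>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<domains>\S+) is spam, (?P<reason>.+)$"
)


def correlate(log_text):
    """Return one record per spam verdict, with any recipients sendmail logged."""
    rcpts_by_qid = defaultdict(list)
    verdicts = []
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if m:
            field = m.group("rcpts")
            addrs = re.findall(r"<([^>]+)>", field) or field.split(",")
            for addr in addrs:
                addr = addr.lower()
                if addr not in rcpts_by_qid[m.group("qid")]:
                    rcpts_by_qid[m.group("qid")].append(addr)
            continue
        m = SPAM_RE.search(line)
        if m:
            verdicts.append(m.groupdict())
    # Join after the full pass so the order of the log lines does not matter.
    for rec in verdicts:
        rec["recipients"] = list(rcpts_by_qid.get(rec["qid"], []))
    return verdicts


def build_digest(records):
    """Group blocked mail per recipient; collect queue IDs with no to= line."""
    per_rcpt = defaultdict(list)
    unresolved = []
    for rec in records:
        if not rec["recipients"]:
            # The failure mode from the post: no sendmail to= line was logged,
            # so the recipient has to come from the quarantined headers instead.
            unresolved.append(rec["qid"])
            continue
        for rcpt in rec["recipients"]:
            per_rcpt[rcpt].append((rec["qid"], rec["sender"], rec["reason"]))
    return dict(per_rcpt), unresolved


def per_domain_counts(records):
    """Blocked-message count per destination domain (per-customer statistics)."""
    counts = Counter()
    for rec in records:
        # Assumption: several destination domains are comma-separated.
        for dom in rec["domains"].split(","):
            counts[dom] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    digest, missing = build_digest(recs)
    for rcpt, items in sorted(digest.items()):
        print(rcpt, items)
    print("no to= line logged for:", missing)
    print("per domain:", per_domain_counts(recs))
```
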
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: References: Message-ID: <40433C0C.8090108@solid-state-logic.com> Ok I get the message... Anyone got any indication of price in the UK? Either that or I'll just contact a reseller.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Dan Hollis wrote: > On Mon, 1 Mar 2004, Rob wrote: > >>>Steve Freegard wrote: >>>We've had pretty good experiences with F-Prot ... usually had the first >>>virus in the logfiles well before any announcement of the virus appeared >>>on any geek news services >> >>I second that for f-prot. We use it here at work and I use it at home. >>They send out their updates fast. > > > thirded for f-prot. > > i use it on win32 as well as linux. integrates nicely with mailscanner. > they are always current. > > two thumbs up. > > -Dan ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Mon Mar 1 13:39:19 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <40433C0C.8090108@solid-state-logic.com> References: <40433C0C.8090108@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> I bought it straight off their website. Price is in US$. At 13:35 01/03/2004, you wrote: >Ok I get the message... > >Anyone got any indication of price in the UK? > >Either that or I'll just contact a reseller.. > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > > >Dan Hollis wrote: >>On Mon, 1 Mar 2004, Rob wrote: >> >>>>Steve Freegard wrote: >>>>We've had pretty good experiences with F-Prot ... usually had the first >>>>virus in the logfiles well before any announcement of the virus appeared >>>>on any geek news services >>> >>>I second that for f-prot. We use it here at work and I use it at home. >>>They send out their updates fast. >> >> >>thirded for f-prot. >> >>i use it on win32 as well as linux. integrates nicely with mailscanner. >>they are always current. >> >>two thumbs up. >> >>-Dan > >********************************************************************** > >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the system manager. > >This footnote confirms that this email message has been swept >for the presence of computer viruses and is believed to be clean. > >********************************************************************** -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From john at TRADOC.FR Mon Mar 1 13:55:25 2004 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: References: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com> Message-ID: <70g640dfebn2cjqrpqalekafjr71i9rdig@tradoc.fr> On Mon, 1 Mar 2004 05:16:04 -0800, Dan Hollis wrote: > thirded for f-prot. In general I'd agree with you, though today for Somefool.B / Netsky.D they were about 12 hours behind clamav. John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 13:56:03 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> References: <40433C0C.8090108@solid-state-logic.com> <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> Message-ID: <404340F3.1050909@solid-state-logic.com> OK, so why should buy a Mailserver when the Fileserver version is over 100 euro cheaper - what's the difference as far as they are concerned? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > I bought it straight off their website. Price is in US$. > > At 13:35 01/03/2004, you wrote: > >> Ok I get the message... >> >> Anyone got any indication of price in the UK? >> >> Either that or I'll just contact a reseller.. >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> Dan Hollis wrote: >> >>> On Mon, 1 Mar 2004, Rob wrote: >>> >>>>> Steve Freegard wrote: >>>>> We've had pretty good experiences with F-Prot ... usually had the >>>>> first >>>>> virus in the logfiles well before any announcement of the virus >>>>> appeared >>>>> on any geek news services >>>> >>>> >>>> I second that for f-prot. We use it here at work and I use it at home. >>>> They send out their updates fast. >>> >>> >>> >>> thirded for f-prot. >>> >>> i use it on win32 as well as linux. integrates nicely with mailscanner. >>> they are always current. >>> >>> two thumbs up. >>> >>> -Dan >> >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. 
>> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From chris at TRUDEAU.ORG Mon Mar 1 13:57:36 2004 From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:22:49 2006 Subject: Trying to get zip files blocked. {Virus Scanned} References: <010e01c3ff88$d94097b0$660210ac@christoxp> Message-ID: <020e01c3ff95$270bf190$4d19000a@ATLCPW13671> Just tossing this out there...seemed to resolve my undetectable errors... Make sure you're using TAB instead of "spaces" in the config file :) that get's me everytime! CT ----- Original Message ----- From: "Christo Bezuidenhout" To: Sent: Monday, March 01, 2004 7:29 AM Subject: Re: Trying to get zip files blocked. {Virus Scanned} > Yes we are using the filetype rules with great affect. It works fine for > all other attachments. Sorry for the Animated Sig. > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > > Sent: 01 March 2004 02:00 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > > > Christo Bezuidenhout wrote: > > > I changed my setting in the filetype.rules.conf to deny > > archive files. > > > I have restarted mailscanner but still archives are delivered. > > > > > > I'm running RH9 latest stable Mailscanner and SA > > > > > > > Are you actually using the filetype rules - I think they are > > off by default. > > > > I've just blocked .zip in filename rules > > > > P.S. Please don't post in HTML > > > > P.P.S If your really must post in html please drop the > > animated signature - Thanks > > > > > > > > BMRB International > > http://www.bmrb.co.uk > > +44 (0)20 8566 5000 > > _________________________________________________________________ > > This message (and any attachment) is intended only for the > > recipient and may contain confidential and/or privileged > > material. If you have received this in error, please contact the > > sender and delete this message immediately. Disclosure, copying > > or other action taken in respect of this email or in > > reliance on it is prohibited. BMRB International Limited > > accepts no liability in relation to any personal emails, or > > content of any email which does not directly relate to our > > business. > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > Mailscanner thanks IT For Africa for their support. > > > > From christo at IT4AFRICA.CO.ZA Mon Mar 1 14:34:28 2004 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:49 2006 Subject: Trying to get zip files blocked. {Virus Scanned} In-Reply-To: <020e01c3ff95$270bf190$4d19000a@ATLCPW13671> Message-ID: <011f01c3ff9a$4dce7b90$660210ac@christoxp> Found my problem. Copied the line from one file to other and it added a space between deny and archive. Thanx > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau > Sent: 01 March 2004 03:58 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > Just tossing this out there...seemed to resolve my > undetectable errors... > > Make sure you're using TAB instead of "spaces" in the config file :) > > that get's me everytime! > > CT > > ----- Original Message ----- > From: "Christo Bezuidenhout" > To: > Sent: Monday, March 01, 2004 7:29 AM > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > Yes we are using the filetype rules with great affect. It > works fine > > for all other attachments. Sorry for the Animated Sig. > > > > > -----Original Message----- 
> > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > On Behalf Of Spicer, Kevin > > > Sent: 01 March 2004 02:00 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > > > > > > Christo Bezuidenhout wrote: > > > > I changed my setting in the filetype.rules.conf to deny > > > archive files. > > > > I have restarted mailscanner but still archives are delivered. > > > > > > > > I'm running RH9 latest stable Mailscanner and SA > > > > > > > > > > Are you actually using the filetype rules - I think they > are off by > > > default. > > > > > > I've just blocked .zip in filename rules > > > > > > P.S. Please don't post in HTML > > > > > > P.P.S If your really must post in html please drop the animated > > > signature - Thanks > > > > > > > > > > > > BMRB International > > > http://www.bmrb.co.uk > > > +44 (0)20 8566 5000 > > > _________________________________________________________________ > > > This message (and any attachment) is intended only for > the recipient > > > and may contain confidential and/or privileged material. If you > > > have received this in error, please contact the sender and delete > > > this message immediately. Disclosure, copying or other > action taken > > > in respect of this email or in reliance on it is > prohibited. BMRB > > > International Limited accepts no liability in relation to any > > > personal emails, or content of any email which does not directly > > > relate to our business. > > > > > > -- > > > This message has been scanned for viruses and > > > dangerous content by MailScanner, and is > > > believed to be clean. > > > Mailscanner thanks IT For Africa for their support. > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 1 14:43:52 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Stable 4.27.7 released Message-ID: Hi Julian, the reports/cat directory is empty... Is this on purpose? If not could you fix the tar distribution please? Regards, JP From rcooper at DWFORD.COM Mon Mar 1 14:54:08 2004 
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To:
Message-ID:

I have patched Message.pm to provide all the "To:" information as well as
the subject in the logs. It would produce output such as:

Mar 1 08:26:35 west MailScanner[17879]: Message 1AxnR4-0006Rt-5n from 66.148.140.2 (sender@domain.com) to ourdomain.com is spam, SpamAssassin (score=5.978, required 5, BODY_8BITS 1.50, HTML_70_80 1.50, HTML_COMMENT_SAVED_URL 0.82, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_FACE_BAD 0.20, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.26, HTML_TAG_BALANCE_TABLE 0.20, J_CHICKENPOX_110 0.30, J_CHICKENPOX_210 0.30, J_CHICKENPOX_33 0.30, b_OBFU_QnoU 0.50 Report Len is 323) :someone@ourdomain.com;someoneelse@ourdomain.com : FWNew ESP contact details.

The spam report is truncated to 500 chars if over 500 (I have seen
chickenpox/tripwire combos produce lines over 1000) and original length is
shown at the end of the report (ex: Len is/truncated from 323) and the "To"
and Subject info is separated by colons with the multiple recipients being
separated by semi-colons. I have a script that parses the output above into
a HTML email in table form so it makes for easy reading.

The line is:

date time host MailScanner log tag message I remote host (sender_domain) "to domain" spam tag SpamAssassin report TO(s) and subject

If you want to try the patch (applies cleanly to vers from at least 4.23-5
through 4.27-7) I have attached it. I did the patch because I can generally
look at the to, subject and report and tell if it's really spam or a false
positive without bothering to look at the actual message text. The patch
includes full comments so if someone sees a cleaner way to do it please
feel free to change it.

Rick

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jim Holland > Sent: Monday, March 01, 2004 8:25 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: More details in the logs > > > Hi > > On Mon, 1 Mar 2004, Patrik B?ckstr?m wrote: > > > We use MailScanner for several customers/domains > (currently version > > 4.25-14) and we would like to gather statistics per > customer on how > > many mails scanned (that i can get from postfix), > how many rejected > > and why and so on. > > > > Currently, it only tells us that something has been > blocked and why, > > but not from or, more importat, to who the mail was sent. > > I think this is an important requirement. Unlike with > worms, it is not > possible to be 100% certain that a particular message > is spam. I would > like to use a very agressive spam blocklist - eg > dnsbl.net.au. However if > spam is quarantined without a notice to either sender > or recipient it is > quite possible that genuine mail will be lost. The > use of the "notify" > option is not really an option, as I would not like to > receive a separate > notification for each of the 150 spam messages per day > that people > normally try to send me. Before using MailScanner we > could simply analyse > the sendmail maillog file for details of recipients > whose mail had been > blocked. Sadly, I now see that in a significant > number of cases where > spam is blocked there is no longer a sendmail entry > indicating who it was > going to be delivered to (see more details appended), > and the MailScanner > Spam Actions entry does not indicate the recipient either. > > What we are doing now is to run a nightly script that > analyses the headers > of all quarantined spam for recipients, and also > checks the maillog file > for recipients that might be listed there for the same > quarantined > messages. We then send a summary to our users that > lists details of all > quarantined mail. 
I think the concept of a daily > archival notice is a > good compromise between sending no notices at all and > sending a separate > notice for each message. > > Another way of handling this issue would be to write > the MailScanner > notification messages to a separate log file instead > of delivering them to > the recipients. That log file could then be analysed > separately. However > there is currently no option for sending the > notifications anywhere other > than to the recipient. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > Logging of blocked spam > > Normally the sendmail maillog file will have the > following entries: > > sendmail from= line with details of sender > sendmail to= line indicating recipient, stat=queued > MailScanner RBL checks: details of why message > is blocked > MailScanner Message line, eg: > Message i21D03F24046 from 213.120.110.92 > (manmeet@liquidstorms.com) to mango.zw > is spam, spamhaus-XBL > MailScanner Spam Actions . . . actions are store > > For reasons I don't understand, the second (or more, > if there are multiple > recipients) sendmail line is not always present, so > there is no consistent > log info about the recipient(s). If the MailScanner > Message line could > include the details of the recipients in it then it > would be possible to > meet the requirements of Patrik for statistics, and > also use it for > purposes of user notifications. > > A more advanced option might be for MailScanner to > provide a proper daily > archival notification facility rather than the current > per message > notification which is really unworkable given the huge > volume of spam. > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Message.patch Type: application/octet-stream Size: 2313 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/ca56addc/Message.obj From mailscanner at ecs.soton.ac.uk Mon Mar 1 15:26:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Stable 4.27.7 released In-Reply-To: References: Message-ID: <6.0.1.1.2.20040301150702.072e33e0@imap.ecs.soton.ac.uk> At 14:43 01/03/2004, you wrote: >Hi Julian, > >the reports/cat directory is empty... Is this on purpose? If not could you >fix the tar distribution please? But there should be a reports/ca directory which contains the Catalan reports. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 15:37:18 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:49 2006
Subject: ANNOUNCE: Unstable 4.28.1 released
Message-ID: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk>

Some code to help you with the current outbreak of viruses hiding inside
zip files.

It will scan zip archives down to a max nesting depth set in
MailScanner.conf like this:

    Maximum Zip Archive Depth = 3

So now you can employ filename and file content checks on files hidden in
zip files.

If the zip file is password-protected, then zero-length versions of each of
its members will be created, so you can still do filename checks.

Finding a bad file inside a zip file results in the entire message being
marked as bad, not just the zip file. I intend to fix that later.

You must install the Perl module Archive::Zip first, before trying to run
this version. It will not run without it, and none of the installation
scripts will install it for you. I suggest something like this:

    perl -MCPAN -e shell
    install Archive::Zip

It has a few dependencies, which is why I haven't had a chance to package
it all up for you.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mkipness at GENIANT.COM Mon Mar 1 15:55:07 2004
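The behaviour announced above (filename checks on members of nested zip files down to a depth limit, with password-protected members checked by name only), sketched as an added Python example; it is not MailScanner's Perl code. The deny patterns, the size guard, the function names and the choice to report over-deep nesting as a violation are assumptions of this example, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

MAX_ZIP_DEPTH = 3                    # mirrors "Maximum Zip Archive Depth = 3"
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumption: skip reading oversized members

# Hypothetical deny patterns for illustration, not MailScanner's shipped rules.
DENY_PATTERNS = [re.compile(p, re.I) for p in (r"\.pif$", r"\.scr$", r"\.exe$")]


def list_members(data, max_depth=MAX_ZIP_DEPTH, depth=1, prefix=""):
    """Flatten a zip (and zips nested inside it) into a list of member records."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            entry = {"path": path, "depth": depth, "too_deep": False,
                     "encrypted": bool(info.flag_bits & 0x1)}
            members.append(entry)
            # Encrypted contents cannot be read without the password, but the
            # member name is stored in clear, so the name check still applies.
            if entry["encrypted"] or info.file_size > MAX_MEMBER_BYTES:
                continue
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                if depth >= max_depth:
                    entry["too_deep"] = True   # stop descending at the limit
                else:
                    members.extend(
                        list_members(body, max_depth, depth + 1, path + "/"))
    return members


def check_attachment(data, max_depth=MAX_ZIP_DEPTH):
    """Return (path, reason) violations; an empty list means the zip passes."""
    try:
        members = list_members(data, max_depth)
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    hits = []
    for m in members:
        name = m["path"].rsplit("/", 1)[-1]
        denied = next((p for p in DENY_PATTERNS if p.search(name)), None)
        if denied is not None:
            hits.append((m["path"], "denied filename " + denied.pattern))
        if m["too_deep"]:
            hits.append((m["path"], "nested deeper than %d levels" % max_depth))
    return hits


def make_zip(files):
    """Build a constructed sample zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Sample helper: set the 'encrypted' flag bit in each central-directory
    entry of a flat zip, since zipfile cannot write encrypted archives."""
    out = bytearray(zip_bytes)
    pos = out.find(b"PK\x01\x02")
    while pos != -1:
        out[pos + 8] |= 0x01   # general-purpose flag, bit 0 = encrypted
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)


# Constructed samples: a .pif three levels down, and a "protected" .scr.
NESTED = make_zip({
    "notes.txt": b"hello",
    "docs.zip": make_zip({
        "readme.txt": b"hi",
        "inner.zip": make_zip({"document_word.pif": b"MZ"}),
    }),
})
ENCRYPTED = mark_encrypted(make_zip({"invoice.scr": b"x"}))

if __name__ == "__main__":
    print(check_attachment(NESTED))
    print(check_attachment(ENCRYPTED))
    print(check_attachment(make_zip({"l4.zip": NESTED})))
```
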
From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running: SpamAssassin 2.63 ORDB-RBL spamhaus.org spamcop.net dsbl.org abuseat.org blitzed.org Razor2 I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/9e84ab59/attachment.html From jflowers at EZO.NET Mon Mar 1 15:29:44 2004 
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:22:49 2006
Subject: bayes_toks corrupted
Message-ID: <20040301150713.M70986@ezo.net>

I'm not sure which feature you are referencing. I see these main choices:

1. Run MailScanner 'out of the box' with:

   MailScanner.conf
   ----------------
   Rebuild Bayes Every = 0
   Wait During Bayes Rebuild = no

   spam.assassin.prefs.conf
   ------------------------
   # bayes_auto_expire 0

2. Run MailScanner with rebuild/expire scheduled by MailScanner

   MailScanner.conf
   ----------------
   Rebuild Bayes Every = 14400          # every 4 hours
   Wait During Bayes Rebuild = no       # or yes

   spam.assassin.prefs.conf
   ------------------------
   bayes_auto_expire 0

3. Run MailScanner with rebuild/expire scheduled by crontab

   MailScanner.conf
   ----------------
   Rebuild Bayes Every = 0              # don't do it?
   Wait During Bayes Rebuild = no       # doesn't matter

   spam.assassin.prefs.conf
   ------------------------
   bayes_auto_expire 0                  # don't do it?

   /etc/crontab
   ------------
   when-stuff sa-learn --force-expire   # includes rebuild

In case 1, do I understand expire/rebuild is run after each scan?
In case 2, expire/rebuild is run every 4 hours (or as configured).
In case 3, expire/rebuild is run once per day via crontab.

I have to admit to being confused about the different combinations. Is the
above correct and which (or what) combination do you use?

--
Jim Flowers

From wkuiters at FREE.FR Mon Mar 1 13:28:46 2004
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos In-Reply-To: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk> Message-ID: <20040301132846.GA1624@bragann> On Mon, Mar 01, 2004 at 12:10:30PM -0000, Steve Freegard wrote: > Thanks for all the replies... > > It looks like Sophos released an IDE for Netsky-D during the last hour which > was just picked up by update_virus_scanners, as it now seems to be catching > this: > > SophosSAVI: document_word.pif was infected by W32/Netsky-D > ClamAV Module: document_word.pif was infected: Worm.SomeFool.B-petite Yep. ClamAV caught 12 of these here before Sophos released the Netsky-D ide. From sysadmin at FLEETONE.COM Mon Mar 1 13:43:35 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] References: <40433C0C.8090108@solid-state-logic.com> Message-ID: <045501c3ff93$319f1350$45a610ac@fleetone.com> According to the f-prot site, it would be ?239.51 for it. Rob ----- Original Message ----- 
From: "Martin Hepworth" To: Sent: Monday, March 01, 2004 7:35 AM Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] > Ok I get the message... > > Anyone got any indication of price in the UK? > > Either that or I'll just contact a reseller.. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Dan Hollis wrote: > > On Mon, 1 Mar 2004, Rob wrote: > > > >>>Steve Freegard wrote: > >>>We've had pretty good experiences with F-Prot ... usually had the first > >>>virus in the logfiles well before any announcement of the virus appeared > >>>on any geek news services > >> > >>I second that for f-prot. We use it here at work and I use it at home. > >>They send out their updates fast. > > > > > > thirded for f-prot. > > > > i use it on win32 as well as linux. integrates nicely with mailscanner. > > they are always current. > > > > two thumbs up. > > > > -Dan > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** From mailscanner at ecs.soton.ac.uk Mon Mar 1 16:01:11 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040301160004.076bdd78@imap.ecs.soton.ac.uk> At 15:55 01/03/2004, you wrote: >Hi All, > >I've been running MailScanner for a while for a few clients. I just signed >on a new client that was using SpamKiller by Mcafee I believe. The main >reason for the service is for queueing their mail when their Exchange >server goes down which it has been every weekend due to scheduled power >outages. However, they are still relying on the Spam and Virus filtration. > >The problem is that they decided to turn off SpamKiller the other day, and >started getting spam that they assumed MailScanner would stop. Bottom line >is that when SpamKiller is enabled, they get close to no spam at all. Some >of the samples that they sent me are the very basic couple of lines type >of spam that gets a very low score. Here is what I have running: > >SpamAssassin 2.63 >ORDB-RBL >spamhaus.org >spamcop.net >dsbl.org >abuseat.org >blitzed.org >Razor2 > >I'm not doing Bayes at the moment as it seems to be a real hassle doing >the training. > >So my question is what can I do to improve the whole system? What tweaks? >Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Make sure you have Net::DNS installed. Use the xbl as well as the sbl from spamhaus. What is your Required SpamAssassin Score? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From m.sapsed at BANGOR.AC.UK Mon Mar 1 16:10:29 2004 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:49 2006 Subject: A few questions I can't find in archive... References: <403FB59E.7040500@1SEO.net> Message-ID: <40436075.8060002@bangor.ac.uk> Nick Nelson wrote: > In that case, and with the talk of SATA drives possibly not doing as > well, I'll probably just skip back to Dual Xeons with SCSI drives. The > cost is less on the Dual Xeons as well, which is a good thing of course. Did anyone else see the stuff which suggested that cheap SATA and IDE drives weren't designed for 24/7 server use but SCSI stuff is? Something in some Hitachi or IBM warranty stuff I think it was. Any thoughts on this? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From nnelson at 1SEO.NET Mon Mar 1 16:14:09 2004 From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40435E7A.5090005@solid-state-logic.com> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> Message-ID: <40436151.3000208@1SEO.net> Martin Hepworth wrote: > Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, > yes bayes really does make that much difference! I'd really suggest you > spend some time to give it the initial 200 instances of spam and ham... If you are using the machine as only a gateway (mail only passes through, never is stored on the server.) What's the best way to train it? I saw a post on the list of a script so that you could just forward spam to a certain address and it'll train it, is that the best way? I'd definitely like to use bayes however not sure of best way since no mail will stay on this server. nick -- Nick Nelson www.easyservermanagement.com We Make Server Management Easy! From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 16:17:19 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40436151.3000208@1SEO.net> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> <40436151.3000208@1SEO.net> Message-ID: <4043620F.7090906@solid-state-logic.com> Nick I use a imap share folder, then a script (which I've posted several times on this list) to pick up the new spam and ham. and yes my machine is also a mailgateway.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Nick Nelson wrote: > Martin Hepworth wrote: > >> Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, >> yes bayes really does make that much difference! I'd really suggest you >> spend some time to give it the initial 200 instances of spam and ham... > > > > If you are using the machine as only a gateway (mail only passes > through, never is stored on the server.) > > What's the best way to train it? I saw a post on the list of a script so > that you could just forward spam to a certain address and it'll train > it, is that the best way? I'd definitely like to use bayes however not > sure of best way since no mail will stay on this server. > > nick > > > -- > Nick Nelson > www.easyservermanagement.com > We Make Server Management Easy! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mkettler at EVI-INC.COM Mon Mar 1 16:24:34 2004 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net>
Message-ID: <6.0.0.22.0.20040301111051.028184e8@xanadu.evi-inc.com>

At 10:55 AM 3/1/2004, Max Kipness wrote:
>So my question is what can I do to improve the whole system? What tweaks?
>Will DCC help out a lot?

DCC helps quite a bit. It's slightly lower hitrate than razor in the GA tests the sa-dev team runs, but it's also less prone to service outages and timeouts due to excessive load on the checksum database servers. If you are high-volume (>100k messages/day) you can even save bandwidth by setting up a local DCC server and subscribe to the floods of server updates.

>Are there any better RBLs? Tweaks to SpamAssassin?

Bayes is a big help to sa, and training doesn't have to be so bad...

Personally, I do it by having spamtraps and "nonspamtraps" that I feed to SA using a short shell script (I could even cron-job it, and have the cronjob email me a list of message subjects to make sure nothing got mis-placed)

The spamtraps are addresses that get nothing but spam. Some are system accounts that shouldn't be used by anyone but have accounts and thus mail service on many Linux distros (ie: gopher@example.com, where example.com doesn't run a gopher service). Others are addresses I've seeded in message bodies while posting to mailing lists. For example on a sysadmin list I might discuss having an internal script which emails my pager at mkettler_sensor1@evi-inc.com whenever my server gets a http request for some oddball web page. Obviously I'd never post the real address I use, so I make up a plausible example and hope that spambots skimming archives pick it up.

The "nonspamtraps" are accounts I purposefully set up, and have subscribed to reputable mailing lists that my users subscribe to.
General news feeds, Industry newsletters, etc.

For me, this works pretty well.. However, I have a userbase which all work for one company, thus have one primary market, making choice of nonspam newsletters pretty easy. It may or may not work for you, but it's a suggestion for a "reduced hassle" bayes training system.

If things get bad and bayes can't help you, you might want to look at some of the add-on rulesets developed by some of the more avid SpamAssassin users.

http://wiki.spamassassin.org/w/CustomRulesets

(Disclaimer: I developed one of the add-on sets, so I am biased here.)

From ugob at CAMO-ROUTE.COM Mon Mar 1 16:22:12 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:50 2006
Subject: A few questions I can't find in archive...
Message-ID: <54C38A0B814C8E438EF73FC76F36292741094C@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
>Sent: 1 March, 2004 11:10
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: A few questions I can't find in archive...
>
>
>Nick Nelson wrote:
>> In that case, and with the talk of SATA drives possibly not doing as
>> well, I'll probably just skip back to Dual Xeons with SCSI
>drives. The
>> cost is less on the Dual Xeons as well, which is a good
>thing of course.
>
>Did anyone else see the stuff which suggested that cheap SATA and IDE
>drives weren't designed for 24/7 server use but SCSI stuff is?
>Something
>in some Hitachi or IBM warranty stuff I think it was.

Yes, it was from IBM (at the time they were not with Hitachi yet). For sure, I'd go with IDE drives with 3 or 5 year warranty. One could also have a look at the MTBF data of the drives.

>
>Any thoughts on this?
>
>Cheers,
>
>Martin
>
>--
>Martin Sapsed
>Information Services "Who do you say I am?"
>University of Wales, Bangor Jesus of Nazareth
>

From steve.freegard at LBSLTD.CO.UK Mon Mar 1 16:28:04 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller
Message-ID: <67D9E7698329D411936E00508B6590B902773F0A@neelix.lbsltd.co.uk>

Hi Max,

I thought I might have been dreaming this so I double-checked it out on Google:

SpamKiller uses the SpamAssassin engine, see
http://www.google.com/url?sa=U&start=9&q=http://www.asapsoftware.com/mcafee/spamkiller.htm&e=7627

I'd suggest getting them to do a scan of the local disks of the server looking for 'bayes*' files - if they exist you'll be able to copy them to the MailScanner box, and hey presto! - a pre-trained bayes database.

Hope this helps.

Kind regards,
Steve.

-----Original Message-----
From: Max Kipness [mailto:mkipness@GENIANT.COM] Sent: 01 March 2004 15:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner vs. SpamKiller Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running: SpamAssassin 2.63 ORDB-RBL spamhaus.org spamcop.net dsbl.org abuseat.org blitzed.org Razor2 I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/6a371966/attachment.html From maillists at CONACTIVE.COM Mon Mar 1 16:31:35 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:50 2006
Subject: bayes_toks corrupted
In-Reply-To: <20040301150713.M70986@ezo.net>
References: <20040301150713.M70986@ezo.net>
Message-ID:

Jim Flowers wrote on Mon, 1 Mar 2004 10:29:44 -0500:

> In case 1, do I understand expire/rebuild is run after each scan?
>

No. SA will determine if it is necessary to run an expire based on a token limit (which you can configure) and do it while you are scanning. If you are a very large site this could happen several times a day and slow down processing. The other two options are for avoiding this. Running it once per day during low volume hours should be most effective.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From rcooper at DWFORD.COM Mon Mar 1 16:46:49 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:50 2006
Subject: ANNOUNCE: Unstable 4.28.1 released
In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Monday, March 01, 2004 10:37 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ANNOUNCE: Unstable 4.28.1 released
>
>
> Some code to help you with the current outbreak of
> viruses hiding inside
> zip files.
>
> It will scan zip archives down to a max nesting depth set in
> MailScanner.conf like this:
> Maximum Zip Archive Depth = 3
>
> So now you can employ filename and file content checks
> on files hidden in
> zip files. If the zip file is password-protected, then
> zero-length versions
> of each of its members will be created, so you can
> still do filename checks.
>
> Finding a bad file inside a zip file results in the
> entire message being
> marked as bad, not just the zip file. I intend to fix
> that later.

When you work on that, would it be possible to designate separate files for the file name and type rules? For instance archive.filename.rules.conf and I could have an entry like:

deny (?:Picture|caroline|Katrina|kleopatra|Caitie|Mary-Anne|Lisa|Bad girl,Julie|Aline|Anna|Barbi|Katrina|Juli|Mary|Mandy|Sara|rebecca|Jammie,kate|Audra|stacy|Rena|Kelley|Tammy|myfotos|Gallery|It_I|Photoalbum,Photomontage)\.(?:pif|exe|scr)$ Zipped Worm Bagle-G Detected Zipped Worm Bagle-G Detected
allow \.exe$

Basically allow for a different policy for files inside archives than is enforced for raw files.

>
> You must install the Perl module Archive::Zip first,
> before trying to run
> this version. It will not run without it, and none of
> the installation
> scripts will install it for you. I suggest something like this:
> perl -MCPAN -e shell
> install Archive::Zip
> It has a few dependencies, which is why I haven't had
> a chance to package
> it all up for you.
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From mkipness at GENIANT.COM Mon Mar 1 16:46:03 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.net> > Make sure you have Net::DNS installed. Use the xbl as well as the sbl from > spamhaus. > What is your Required SpamAssassin Score? I will install Net::DNS. For this domain it's 7. I will probably move it down, but some of the spam they forward to me has a score of 1 - 3. Thanks, Max From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 16:55:11 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AEBB@pascal.priv.bmrb.co.uk> Julian Field wrote: > Some code to help you with the current outbreak of viruses hiding > inside zip files. > > It will scan zip archives down to a max nesting depth set in > MailScanner.conf like this: Maximum Zip Archive Depth = 3 > This looks very promising, I've just had a read of the code as I'm not in a position to do an install right now. If I'm reading it correctly it identifies archives by extension (right now this is a good thing for me, as it provides a way of deliberately getting a zip through). Two questions... This uses the same filename and filetype rules as the rest of the message, which could be problematic (for example I might wish to ban pif/scr/bat files but allow zipped exe files through) - I imagine doing anything about that might be a right PITA. Slightly less difficult I hope, is it possible to have the option to mark a file for deletion if it contains an element that cannot be unpacked (e.g. specifically a password protected file). Right now that would be very useful indeed. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jaearick at COLBY.EDU Mon Mar 1 16:57:17 2004 
From: jaearick at COLBY.EDU (Jeff Earickson)
Date: Thu Jan 12 21:22:50 2006
Subject: bigevil, backhair... STILL confused
Message-ID:

Gang,

Back in late December there was discussion on the list about
installing and having SA find local rule sets like bigevil.cf, etc.
Bobby Rose offered the following hack to SA.pm to get extra
rulesets to be found:

Before
    $settings{dont_copy_prefs} = 1; # Removes need for home directory
    $prefs = MailScanner::Config::Value('spamassassinprefsfile');
After
    $settings{dont_copy_prefs} = 1; # Removes need for home directory
    $settings{site_rules_filename} = "/etc/mail/spamassassin";
    $prefs = MailScanner::Config::Value('spamassassinprefsfile');

In private emails with Julian, he warned against this hack. I've
also discovered in the list archives that (maybe) the setting
"SpamAssassin Site Rules Dir" is supposed to handle this.

Well, I have "SpamAssassin Site Rules Dir" defined as
/etc/mail/spamassassin. In there I have local.cf as a symlink to
/opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files
bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack,
the bigevil/backhair/antidrug rules never get touched ("ls -lu")
or used. Is there some other MailScanner.conf setting I have missed?
Does this work for other people??? Setup: Solaris 9, MS 4.28.1,
SA 2.63.

Jeff Earickson
Colby College

From jaearick at COLBY.EDU Mon Mar 1 16:59:36 2004
From: jaearick at COLBY.EDU (Jeff Earickson)
Date: Thu Jan 12 21:22:50 2006
Subject: ANNOUNCE: Unstable 4.28.1 released
In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Is there any syslog evidence of the "Maximum Zip Archive Depth"
that we can look for? I've got 4.28.1 running on my system just
fine, wondering what to look for...

Jeff Earickson
Colby College

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 17:02:51 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:50 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <40436CBB.304@solid-state-logic.com> Jeff make sure the .cf files are readable by the MailScanner user you defined in MailScanner.conf.. should pick them up, does on my system.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Jeff Earickson wrote: > Gang, > > Back in late December there was discussion on the list about > installing and having SA find local rule sets like bigevil.cf, etc. > Bobby Rose offered the following hack to SA.pm to get extra > rulesets to be found: > > Before > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > After > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $settings{site_rules_filename} = "/etc/mail/spamassassin"; > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > > In private emails with Julian, he warned against this hack. I've > also discovered in the list archives that (maybe) the setting > "SpamAssassin Site Rules Dir" is supposed to handle this. > > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. > > Jeff Earickson > Colby College ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 17:06:04 2004 From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths Message-ID: We have MailScanner running great here, using Clam but we want to test F-Prot to see if we want an additional VS to catch all these bad email viruses (sp) In looking at the notices send to us to make sure we are getting viruses caught I only see Clam running the scan; Report: ClamAV: application.pif contains Worm.SomeFool.B-petite MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (application.pif) We did the .deb install of F-Prot from their site and it seems that everything is in /usr/local/f-prot and in looking at the f-prot wrapper and autoupdate in MS the paths all want /usr/lib/f-prot :( Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings in f-prot wrapper and autoupdate? Which is the better path to take, not the easiest:)) One other thing (If I should post a separate message I can, whack me on the head) Still trying to get this whole SA and Bayes and custom rules figured out, any good pointers would be great too, we are using BigEvil, Backhair and James Grey's rules in /etc/mail/spamasassin/ I am to assume that MailScanner will know to pickup theses additional rules here? But the above is more of a concern. TIA -- Thanks!! David Thurman List Only at Web Presence Group Net From pete at eatathome.com.au Mon Mar 1 21:01:52 2004 
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller
In-Reply-To: <4043620F.7090906@solid-state-logic.com>
References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> <40436151.3000208@1SEO.net> <4043620F.7090906@solid-state-logic.com>
Message-ID: <4043A4C0.9010007@eatathome.com.au>

Martin Hepworth wrote:

> Nick
>
> I use a imap share folder, then a script (which I've posted several
> times on this list) to pick up the new spam and ham.
>
> and yes my machine is also a mailgateway..
> --
>
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Nick Nelson wrote:
>
>> Martin Hepworth wrote:
>>
>>> Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%,
>>> yes bayes really does make that much difference! I'd really suggest you
>>> spend some time to give it the initial 200 instances of spam and ham...
>>
>>
>>
>>
>> If you are using the machine as only a gateway (mail only passes
>> through, never is stored on the server.)
>>
>> What's the best way to train it? I saw a post on the list of a script so
>> that you could just forward spam to a certain address and it'll train
>> it, is that the best way? I'd definitely like to use bayes however not
>> sure of best way since no mail will stay on this server.
>>
>> nick
>>
>>
>> --
>> Nick Nelson
>> www.easyservermanagement.com
>> We Make Server Management Easy!
>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
>
>

We aren't going to manual train either, just doesn't fit the culture here - asking staff to copy emails to spam folders, it's too hard for them. So I turned on autolearn for bayes, and will start with deleting and rebuilding the bayes DB once a month, I believe it was about 3 months last time before it poisoned beyond use - combine with the ruledejour and you're set, will stop a LOT of spam.

From pete at eatathome.com.au Mon Mar 1 21:06:04 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller [SCANNED]
In-Reply-To:
References:
Message-ID: <4043A5BC.2010806@eatathome.com.au>

Dave's List Addy wrote:

>On 3/1/04 10:58 AM, "Julian Field" wrote:
>
>
>
>>If Net::DNS is not installed, that would make a huge difference to your
>>spam-spotting success rate. SpamAssassin would not be checking any of the
>>RBL's, you would only get MailScanner RBL checking (which doesn't rely on
>>Net::DNS).
>>
>>
>
>So using the above method or perl mod, should we turn RBL off in MS and on
>in SA then?
>
>Sorry for sounding dumb, the SA part of all this is the more confusing
>thing, MS seems to be for the most part straight forward.
>--
>Thanks!!
>David Thurman
>List Only at Web Presence Group Net
>
>
>
>
>

See the faq on www.mailscanner.info there is some important reading in there and in the list archives before you ask that question.

From mailscanner at ecs.soton.ac.uk Mon Mar 1 16:58:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.net>
Message-ID: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk>

At 16:46 01/03/2004, you wrote:
> > Make sure you have Net::DNS installed. Use the xbl as well as the sbl
>from
> > spamhaus.
> > What is your Required SpamAssassin Score?
>
>I will install Net::DNS.

If Net::DNS is not installed, that would make a huge difference to your
spam-spotting success rate. SpamAssassin would not be checking any of the
RBL's, you would only get MailScanner RBL checking (which doesn't rely on
Net::DNS).

>For this domain it's 7. I will probably move it down, but some of the
>spam they forward to me has a score of 1 - 3.

You should find that greatly improves with Net::DNS.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Mar 1 17:11:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths In-Reply-To: References: Message-ID: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> At 17:06 01/03/2004, you wrote: >We have MailScanner running great here, using Clam but we want to test >F-Prot to see if we want an additional VS to catch all these bad email >viruses (sp) > >In looking at the notices send to us to make sure we are getting viruses >caught I only see Clam running the scan; > > Report: ClamAV: application.pif contains Worm.SomeFool.B-petite > MailScanner: Shortcuts to MS-Dos programs are very dangerous in >email (application.pif) > >We did the .deb install of F-Prot from their site and it seems that >everything is in /usr/local/f-prot and in looking at the f-prot wrapper and >autoupdate in MS the paths all want /usr/lib/f-prot :( The non-Debian versions of MailScanner all expect /usr/local/f-prot to be the installation directory by default. You will need to change the path in /etc/MailScanner/virus.scanners.conf or wherever the Debian guys have put that file. Don't alter the scripts at all. >Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings >in f-prot wrapper and autoupdate? Which is the better path to take, not the >easiest:)) Neither. Use the virus.scanners.conf file. This is exactly why it is there. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 17:03:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040301165913.03da0f60@imap.ecs.soton.ac.uk> At 16:59 01/03/2004, you wrote: >Julian, > > Is there any syslog evidence of the "Maximum Zip Archive Depth" >that we can look for? I've got 4.28.1 running on my system just >fine, wondering what to look for... No sorry, it just gets written as a report in the message. No syslog-ing yet. To do this properly, I need to re-architect a chunk of MailScanner so that each attachment file has a proper "parent file". I've never implemented this properly before, as it wasn't needed. For now the current version you have will have to do, it's going to take me a little while to have the time to write it all "properly" as it affects all the TNEF-handling code as well. As for the separate filename.rules.conf and filetype.rules.conf for inside archives as well as one for outside archives, I think a lot of less experienced admins will get confused about this. I would rather solve it in a way that is rather easier to understand and use, or not solve it at all. You need to remember that a lot of MailScanner admins are not very experienced. One of the reasons they chose MailScanner over the competition was that it was easy to use and get going. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 16:01:28 2004 
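The depth-limited archive check discussed in the 4.28.1 posts above, as an added Python example (it is not MailScanner's code, which is Perl and is not shown in these posts). It walks nested zips found by `.zip` extension, applies filename rules to every member including password-protected ones, and reports what it could not open. The rule-tuple format, `MAX_MEMBER_BYTES`, counting the attachment itself as depth 1 and the `unscanned` field are assumptions of this example; the sample archive is constructed.

```python
import io
import re
import zipfile

# Constructed, simplified stand-in for a filename rules file:
# (action, regex, report text). First match wins, case-insensitive.
ARCHIVE_RULES = [
    ("deny", r"(?:Picture|Gallery|Photoalbum)\.(?:pif|exe|scr)$", "worm-style name"),
    ("deny", r"\.(?:pif|scr)$", "shortcut or screensaver"),
    ("allow", r"\.exe$", "zipped executable permitted"),
]
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap on a nested archive's size


def check_name(name, rules=ARCHIVE_RULES):
    """Return (action, report) from the first rule matching the base name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    for action, pattern, report in rules:
        if re.search(pattern, base, re.IGNORECASE):
            return action, report
    return "allow", "no rule matched"


def scan_zip(data, max_depth=3, rules=ARCHIVE_RULES, _depth=1, _prefix=""):
    """Name-check every member of an in-memory zip, one finding per member.

    The attachment itself is depth 1 (an assumption of this example). A nested
    archive is opened only while _depth < max_depth; members whose content
    was not inspected carry a reason in finding["unscanned"].
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            action, report = check_name(info.filename, rules)
            finding = {"path": _prefix + info.filename, "action": action,
                       "report": report, "unscanned": None}
            findings.append(finding)
            if info.flag_bits & 0x1:
                # Password-protected: the name is readable, the content is not.
                finding["unscanned"] = "encrypted"
                continue
            if not info.filename.lower().endswith(".zip"):
                continue
            if _depth >= max_depth:
                finding["unscanned"] = "depth limit"
                continue
            try:
                with zf.open(info) as member:
                    inner = member.read(MAX_MEMBER_BYTES + 1)
                if len(inner) > MAX_MEMBER_BYTES:
                    finding["unscanned"] = "size limit"
                    continue
                findings.extend(scan_zip(inner, max_depth, rules, _depth + 1,
                                         finding["path"] + "/"))
            except (zipfile.BadZipFile, NotImplementedError):
                finding["unscanned"] = "unreadable archive"
    return findings


def summarize(findings):
    """Split findings into denied paths and (path, reason) pairs not inspected."""
    denied = [f["path"] for f in findings if f["action"] == "deny"]
    unscanned = [(f["path"], f["unscanned"]) for f in findings if f["unscanned"]]
    return denied, unscanned


def make_zip(members, encrypted=()):
    """Build a constructed sample zip. Names in `encrypted` only get the
    encryption flag set in the central directory; nothing is really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
            if name in encrypted:
                zf.getinfo(name).flag_bits |= 0x1
    return buf.getvalue()


def build_sample():
    """Constructed attachment: a worm-style name hidden three archives deep."""
    level3 = make_zip({"Photoalbum.scr": b"x"})
    level2 = make_zip({"level3.zip": level3, "setup.exe": b"MZ"})
    return make_zip({"level2.zip": level2, "notes.txt": b"hi",
                     "Gallery.exe": b"MZ"}, encrypted=("Gallery.exe",))


if __name__ == "__main__":
    for depth in (3, 2):
        print(depth, summarize(scan_zip(build_sample(), max_depth=depth)))
```

With the limit at 2 the nested `Photoalbum.scr` is never name-checked, so whatever policy consumes the result has to decide how to treat the `unscanned` entries.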
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C598@jessica.herefordshire.gov.uk> No Bayes? Therein lies your problem, or part of it. Without Bayes you'll need lots of additional rules to trap stuff. spamhaus has two RBLs these days, use both or the combined one. Add in the backhair, bigevil, evilnumbers, popcorn, etc. Check the CustomRules entry in Spamassassin's Wiki. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Max Kipness Sent: 01 March 2004 15:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner vs. SpamKiller Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running: SpamAssassin 2.63 ORDB-RBL spamhaus.org spamcop.net dsbl.org abuseat.org blitzed.org Razor2 I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/44dbc42d/attachment.html From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 16:02:02 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:50 2006
Subject: MailScanner vs. SpamKiller
In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net>
References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net>
Message-ID: <40435E7A.5090005@solid-state-logic.com>

Max

last week several people (including myself) posted what extra rules we run for SA.. have a look in the archives.

Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%,
yes bayes really does make that much difference! I'd really suggest you
spend some time to give it the initial 200 instances of spam and ham...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Max Kipness wrote:

> Hi All,
>
>
>
> I've been running MailScanner for a while for a few clients. I just
> signed on a new client that was using SpamKiller by Mcafee I believe.
> The main reason for the service is for queueing their mail when their
> Exchange server goes down which it has been every weekend due to
> scheduled power outages. However, they are still relying on the Spam and
> Virus filtration.
>
>
>
> The problem is that they decided to turn off SpamKiller the other day,
> and started getting spam that they assumed MailScanner would stop.
> Bottom line is that when SpamKiller is enabled, they get close to no
> spam at all. Some of the samples that they sent me are the very basic
> couple of lines type of spam that gets a very low score. Here is what I
> have running:
>
>
>
> SpamAssassin 2.63
>
> ORDB-RBL
>
> spamhaus.org
>
> spamcop.net
>
> dsbl.org
>
> abuseat.org
>
> blitzed.org
>
> Razor2
>
>
>
> I'm not doing Bayes at the moment as it seems to be a real hassle doing
> the training.
>
>
>
> So my question is what can I do to improve the whole system? What
> tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to
> SpamAssassin?
> > > > Thanks, > > Max > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dustin.baer at IHS.COM Mon Mar 1 17:17:05 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Stable 4.27.7 released References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> Message-ID: <40437011.660C81E6@ihs.com> <<< No Message Collected >>> From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 17:20:14 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths [SCANNED] In-Reply-To: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 11:11 AM, "Julian Field" wrote: >> We did the .deb install of F-Prot from their site and it seems that >> everything is in /usr/local/f-prot and in looking at the f-prot wrapper and >> autoupdate in MS the paths all want /usr/lib/f-prot :( > > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be > the installation directory by default. > You will need to change the path in /etc/MailScanner/virus.scanners.conf or > wherever the Debian guys have put that file. Don't alter the scripts at all. > >> Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings >> in f-prot wrapper and autoupdate? Which is the better path to take, not the >> easiest:)) > > Neither. Use the virus.scanners.conf file. This is exactly why it is there. Thanks Julian, we will comply :)) -- Thanks!! David Thurman List Only at Web Presence Group Net From dustin.baer at IHS.COM Mon Mar 1 17:19:10 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Stable 4.27.7 released References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> <40437011.660C81E6@ihs.com> Message-ID: <4043708E.642C0511@ihs.com> Dustin Baer wrote: > > Julian Field wrote: > > > > > - Added options to add new headers containing the envelope sender and/or > > envelope recipients addresses. The names of the headers are, of course, > > configurable. > > Is there a reason that these headers (X-MailScanner-To:, > X-MailScanner-From:) don't include %org-name%? WHOOPS! Accidentally clicked send. Obviously, this can be changed to "X-%org-name%-MailScanner-From:", but I wanted to make sure there wasn't a good reason not to add %org-name%. Thanks Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From t.d.lee at DURHAM.AC.UK Mon Mar 1 17:26:39 2004 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: On Mon, 1 Mar 2004, Julian Field wrote: > [...] > You must install the Perl module Archive::Zip first, before trying to run > this version. It will not run without it, and none of the installation > scripts will install it for you. I suggest something like this: > perl -MCPAN -e shell > install Archive::Zip > It has a few dependencies, which is why I haven't had a chance to package > it all up for you. Thanks. While you are looking at this "convenience" packaging aspect for Redhat, could you also look at the things I sent you a couple of weeks ago for similar convenience packaging for other OSes and distribution types, please? (This was so that "install.sh", so useful on Redhat for installing the perl pre-requisites, can potentially also work on any other OS.) Thanks. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From raymond at PROLOCATION.NET Mon Mar 1 17:39:47 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: Message-ID: Hi! > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. Yes, works like a charm for me. Bye, Raymond. From cparker at SWATGEAR.COM Mon Mar 1 17:33:05 2004 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Peter Peters on Monday, March 01, 2004 3:51 AM said: >>> Its in our top10 of today: >>> >>> 4747 W32/Netsky.B@mm >>> 1275 W32/Swen.A@mm >>> 404 W32/Sober.C@mm >>> 337 W32/Mydoom.A@mm >>> 200 W32/Netsky.C@mm >>> 126 W32/Bugbear.B@mm >>> 96 W32/Bagle.F@mm >>> 57 W32/Bagle.E@mm >>> 49 W32/Mydoom.E@mm >>> 19 W32/Mimail.J@mm >> >> The G one also just came in twice: >> >> 2 W32/Bagle.G@mm > > We got > 12 removed > 12 W32/Bagle.E@mm > 1 removed > 10 W32/Bagle.F@mm > 8 W32/Bagle.C@mm > 4 removed > 4 W32/Bagle.D@mm > 9 removed > 1 W32/Bagle.G@mm peter/raymond, what is it that you are using to create those reports? chris. From dustin.baer at IHS.COM Mon Mar 1 17:49:48 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files References: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Message-ID: <404377BC.49FC7130@ihs.com> "Chris W. Parker" wrote: > > Peter Peters > on Monday, March 01, 2004 3:51 AM said: > > >>> It's in our top10 of today: > >>> > >>> 4747 W32/Netsky.B@mm > >>> 1275 W32/Swen.A@mm > >>> 404 W32/Sober.C@mm > >>> 337 W32/Mydoom.A@mm > >>> 200 W32/Netsky.C@mm > >>> 126 W32/Bugbear.B@mm > >>> 96 W32/Bagle.F@mm > >>> 57 W32/Bagle.E@mm > >>> 49 W32/Mydoom.E@mm > >>> 19 W32/Mimail.J@mm > > peter/raymond, > > what is it that you are using to create those reports? > > chris. I am not peter or raymond, but... grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed "s/found.*//" | sort | uniq -c | sort -n -r Dustin From raymond at PROLOCATION.NET Mon Mar 1 17:55:10 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Message-ID: Hi! > > We got > > 12 removed > > 12 W32/Bagle.E@mm > > 1 removed > > 10 W32/Bagle.F@mm > > 8 W32/Bagle.C@mm > > 4 removed > > 4 W32/Bagle.D@mm > > 9 removed > > 1 W32/Bagle.G@mm > > peter/raymond, > > what is it that you are using to create those reports? We are using some custom scripts ourselves. They are integrated with our whole backend system so we for example block local virus senders, like Julian does with his patch, but then centralized for all our mailscanner boxes. Bye, Raymond. From raymond at PROLOCATION.NET Mon Mar 1 17:58:15 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <404377BC.49FC7130@ihs.com> Message-ID: Hi! > > >>> Its in our top10 of today: > > >>> > > >>> 4747 W32/Netsky.B@mm > > >>> 1275 W32/Swen.A@mm > > >>> 404 W32/Sober.C@mm > > >>> 337 W32/Mydoom.A@mm > > >>> 200 W32/Netsky.C@mm > > >>> 126 W32/Bugbear.B@mm > > >>> 96 W32/Bagle.F@mm > > >>> 57 W32/Bagle.E@mm > > >>> 49 W32/Mydoom.E@mm > > >>> 19 W32/Mimail.J@mm > I am not peter or raymond, but... > > grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed > "s/found.*//" | sort | uniq -c | sort -n -r You might want to do this a little smarter :) We for example parse around 1.5 GB logfiles, your disk wont be happy if you grep those all over from the start again and again :) We update every 5 minutes now and have around 5-6 seconds parsing time on that :) Bye, Raymond. From dot at DOTAT.AT Mon Mar 1 17:52:02 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:51 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: I like this new ability to check files inside zips. In order for it to be useful here, I would need to be able to distinguish password-protected zips from cleartext zips (so I can let my users use the former to get past my filter when they need to), and I'd like to be able to e.g. only splat the zip file if its only contents is an executable file (requiring a custom config function for this is OK). Tony. -- f.a.n.finch http://dotat.at/ FAIR ISLE: WESTERLY BACKING SOUTHERLY 4 OR 5, OCCASIONALLY 6. OCCASIONAL RAIN. MODERATE OR GOOD. From peter at UCGBOOK.COM Mon Mar 1 18:07:16 2004 
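Added example (not code from the thread or from MailScanner) for the virus-count pipeline and the remark about re-reading large logs, both earlier in this thread: it keeps a byte offset and running totals between runs so that each run reads only what was appended. The state file names, function names and sample log lines are constructed for illustration; only the "Virus '...' found" pattern comes from the pipeline quoted above.

```shell
#!/bin/sh
# Incremental tally of "Virus '<name>' found" syslog lines.
# State kept between runs (file names are this example's own choice):
#   $state/inode   inode of the log when it was last read
#   $state/offset  bytes of that log already counted
#   $state/counts  running totals, one "name<TAB>count" per line

tally_new() {    # usage: tally_new LOGFILE STATEDIR
    log=$1
    state=$2
    mkdir -p "$state"
    touch "$state/counts"

    inode=$(ls -i "$log" | awk '{ print $1 }')
    size=$(wc -c < "$log" | tr -d ' ')

    # Resume only if this is the same file we read last time.
    offset=0
    if [ -f "$state/offset" ] &&
       [ "$(cat "$state/inode" 2>/dev/null)" = "$inode" ]; then
        offset=$(cat "$state/offset")
    fi
    # A log shorter than the saved offset was truncated: start over.
    if [ "$size" -lt "$offset" ]; then
        offset=0
    fi

    # Read only bytes offset+1..size. Assumes syslog appends whole
    # lines, so $size always falls on a line boundary.
    tail -c "+$((offset + 1))" "$log" | head -c "$((size - offset))" |
        sed -n "s/.*Virus '\([^']*\)' found.*/\1/p" |
        awk -v counts="$state/counts" '
            BEGIN {   # load the totals from previous runs
                while ((getline line < counts) > 0) {
                    split(line, f, "\t")
                    total[f[1]] = f[2]
                }
            }
            { total[$0]++ }
            END { for (name in total) printf "%s\t%d\n", name, total[name] }
        ' > "$state/counts.new"

    mv "$state/counts.new" "$state/counts"
    echo "$inode" > "$state/inode"
    echo "$size" > "$state/offset"
}

top_viruses() {  # usage: top_viruses STATEDIR -> "count name", highest first
    sort -t "$(printf '\t')" -k 2,2nr -k 1,1 "$1/counts" |
        awk -F '\t' '{ printf "%d %s\n", $2, $1 }'
}

# Constructed sample lines (not real log output); only the
# "Virus '<name>' found" part matters to the tally.
sample_lines() {
    cat <<'EOF'
Mar  1 17:40:01 mx1 MailScanner[1234]: Virus 'W32/Netsky.B@mm' found in file a.zip
Mar  1 17:40:02 mx1 MailScanner[1234]: Virus 'W32/Bagle.F@mm' found in file b.zip
Mar  1 17:40:03 mx1 sendmail[99]: i21HeXYZ: from=<x@example.org>, size=1024
Mar  1 17:40:04 mx1 MailScanner[1234]: Virus 'W32/Netsky.B@mm' found in file c.pif
EOF
}
```

Run `tally_new` from cron against the live log and read the report with `top_viruses`; the cost of each run then depends on how much was logged since the last one, not on the size of the file.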
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bayes_toks corrupted In-Reply-To: <20040301150713.M70986@ezo.net> References: <20040301150713.M70986@ezo.net> Message-ID: <40437BD4.80804@ucgbook.com> Jim Flowers wrote: > In case 1, do I understand expire/rebuild is run after each scan? No, SA determines when it should/can do it, it's partly configurable but it doesn't work well at all. > In case 2, expire/rebuild is run every 4 hours (or as configured). Yes. > In case 3, expire/rebuild is run once per day via crontab. Yes, or more often if you want, use crontab as usual to schedule it. I run it at night when I have little traffic. I recommend not redirecting output so you can see what's going on in your root mail, you can redirect later when you feel confident that it's OK. > I have to admit to being confused about the different combinations. Is the > above correct and which (or what) combination do you use? Nice summary you did, it's correct. I use #3 since I don't have 4.26 (which introduced #2). You can use #2 or #3 but don't trust #1 do the job. I have had no Bayes trouble for almost 2 months now. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From sevans at FOUNDATION.SDSU.EDU Mon Mar 1 18:07:11 2004 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:22:51 2006 Subject: ANNOUNCE: Unstable 4.28.1 released Message-ID: <3A411846CD3C0D4CB3D8704F937353705891BD@be-00.foundation.sdsu.edu> Some of the new viruses send a password protected zip file, with the password in the body of the message, so this would probably be a bad idea. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tony Finch Sent: Monday, March 01, 2004 9:52 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Unstable 4.28.1 released I like this new ability to check files inside zips. In order for it to be useful here, I would need to be able to distinguish password-protected zips from cleartext zips (so I can let my users use the former to get past my filter when they need to), and I'd like to be able to e.g. only splat the zip file if its only contents is an executable file (requiring a custom config function for this is OK). Tony. -- f.a.n.finch http://dotat.at/ FAIR ISLE: WESTERLY BACKING SOUTHERLY 4 OR 5, OCCASIONALLY 6. OCCASIONAL RAIN. MODERATE OR GOOD. From Janssen at RZ.UNI-FRANKFURT.DE Mon Mar 1 18:10:16 2004 
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:22:51 2006 Subject: Virus update times In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk> Message-ID:

On Mon, 1 Mar 2004, Spicer, Kevin wrote:

> Julian Field wrote:
>
> > 2nd thoughts. I am going to make the random delay 10 minutes for now
> > as I still want people to basically get updates every hour.
> >
> I wonder whether just pulling the 'inode modification time' (ls -lc)
> of update_virus_scanners and using the minutes & seconds from that to
> create a delay would be acceptable. That way the update would be
> every hour, but at the same (semi-random) time every hour.

This way you also know when protection came in without examining the logs (given that you know the hour by notifications or dramatic increase of found viruses ;-).

But I don't like to use the ctime. When you happen to have more than one mailscanner server, you will have different update times between servers, which might make things complicated to track. I would use the domainname to create a semi-random number and the machines update at the same time within this domain.

Unfortunately, I don't know how to do it in perl. Shell could be:

# first 4 bytes of the md5sum text, read as one decimal integer
NUMERICAL_VALUE=`domainname | md5sum | \
   od --address-radix=n --read-bytes 4 --format d4`
# fold it into one hour
DELAY=$(( NUMERICAL_VALUE % 3600 ))

but this has too many assumptions on installed programs (domainname is too much of an assumption).

Can someone suggest how to compute the domainname with perl and turn it into a relatively random number then do "% 3600" and sleep about?

Michael

From m.sapsed at BANGOR.AC.UK Mon Mar 1 18:16:17 2004
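Added example (not from the thread, and in shell rather than the Perl that was asked for): one way to get the per-domain delay described above without relying on `domainname`, `md5sum` or `od`. It derives the key from a fully qualified host name and hashes it with POSIX `cksum`; the function names and host names are hypothetical.

```shell
#!/bin/sh
# Stable update delay shared by every scanner in one DNS domain.

# domain_of HOSTNAME -> everything after the first label. A bare host
# name (no dot) is returned unchanged so the key is never empty.
domain_of() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# delay_for_key KEY [WINDOW] -> integer in [0, WINDOW), default 3600
delay_for_key() {
    key=$1
    window=${2:-3600}
    # cksum prints "<crc> <byte-count>"; the CRC is an unsigned 32-bit
    # number, so the remainder below can never be negative.
    out=$(printf '%s' "$key" | tr 'A-Z' 'a-z' | cksum)
    crc=${out%% *}
    echo $(( crc % window ))
}

# delay_for_host FQDN [WINDOW] -> same value for all hosts of a domain
delay_for_host() {
    delay_for_key "$(domain_of "$1")" "${2:-3600}"
}

# Typical use in an hourly cron job (assumes `hostname` returns the
# fully qualified name on this system):
#   sleep "$(delay_for_host "$(hostname)")"
```

Because the value depends only on the domain part, every server in the domain sleeps for the same number of seconds, while different domains are spread across the hour.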
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:51 2006 Subject: Has Sophos got slower again? Message-ID: <40437DF1.4060000@bangor.ac.uk> Hi folks, My EM Library has installed Sophos 3.79 for me on my test (Debian stable, MailScanner-4.26-4, Sophos linux.intel.libc6.glibc.2.2) box and I've noticed it being a bit sluggish today. As this box only handles my e-mail (I say only, but that's still quite a bit) it got me wondering. I tried just starting sweep on a tiny file and it took maybe 15 seconds. I tried the older version (3.78d) and it was maybe 6 seconds. Is anyone else with 3.79 seeing this slowdown? Maybe I should look at sophossavi again....? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From jaearick at COLBY.EDU Mon Mar 1 18:17:38 2004 From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:51 2006 Subject: backhair, confused... SOLVED In-Reply-To: References: Message-ID: Gang, Discovered the problem after a good lunch and more staring at debug output. I had for settings: SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Default Rules Dir = and got debug output of: debug: using "/opt/perl5/share/spamassassin" for default rules dir debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir Wrong! My perl is installed in /opt/perl5, dunno where these pathes came from. Changed the two blank config settings above to "/etc/mail/spamassassin" and the debug output changed to: debug: using "/etc/mail/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir and now backhair/bigevil/antidrug are being used by SA. Problem solved, but I don't know why MS was picking up my perl install path for blank rules directories. Jeff Earickson Colby College On Mon, 1 Mar 2004, Jeff Earickson wrote: > Date: Mon, 1 Mar 2004 11:57:17 -0500 
> From: Jeff Earickson > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: bigevil, backhair... STILL confused > > Gang, > > Back in late December there was discussion on the list about > installing and having SA find local rule sets like bigevil.cf, etc. > Bobby Rose offered the following hack to SA.pm to get extra > rulesets to be found: > > Before > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > After > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $settings{site_rules_filename} = "/etc/mail/spamassassin"; > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > > In private emails with Julian, he warned against this hack. I've > also discovered in the list archives that (maybe) the setting > "SpamAssassin Site Rules Dir" is supposed to handle this. > > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. > > Jeff Earickson > Colby College > From peter at UCGBOOK.COM Mon Mar 1 18:18:16 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <40437E68.7020507@ucgbook.com> Max Kipness wrote: > I'm not doing Bayes at the moment as it seems to be a real hassle doing > the training. I don't know for other sites but I don't bother with training. I use the default autolearn feature (<0.1 ham, >12 spam) and it works great. If you have Exchange on the inside it's not easy to get a correct mail to learn from. > So my question is what can I do to improve the whole system? What > tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to > SpamAssassin? Definitely turn on Bayes, it will help a lot even without additional training. Also use DCC, it's a really good design. It's easy to install, fast and stable. Here are my top SA traps: SpamAssassin 369,153 ...HTML_MESSAGE 290,859 ...BAYES_99 285,210 ...RCVD_IN_BL_SPAMCOP_NET 255,030 ...DCC_CHECK 232,846 Out of a total of 369,153 messages identified as spam Bayes was 99% sure that 285,210 were spam, that's 5.4 points right there. The best RBL for me, as you can see, is spamcop and right after that follows the DCC checks. HTML_MESSAGE is a low scoring test that doesn't affect the total much. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From raymond at PROLOCATION.NET Mon Mar 1 18:19:57 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40437E68.7020507@ucgbook.com> Message-ID: Hi! > SpamAssassin 369,153 > ...HTML_MESSAGE 290,859 > ...BAYES_99 285,210 > ...RCVD_IN_BL_SPAMCOP_NET 255,030 > ...DCC_CHECK 232,846 > > Out of a total of 369,153 messages identified as spam Bayes was 99% sure > that 285,210 were spam, that's 5.4 points right there. The best RBL for > me, as you can see, is spamcop and right after that follows the DCC > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total > much. Do you also run with DSBL ? If not, may i suggest you give it a try ? From today: 56397 DSBL 51884 spamcop.net 44260 SBL+XBL 38351 SORBS-DNSBL 31593 NJABL 22035 RFC-IGNORANT-ABUSE 21560 RFC-IGNORANT-POSTMASTER 7370 RFC-IGNORANT-DSN 5783 RFC-IGNORANT-WHOIS 1595 RFC-IGNORANT-BOGUSMX 821 CBL 743 SORBS-DUL Total hits on RBL lists: 282392 Bye, Raymond. From peter at UCGBOOK.COM Mon Mar 1 18:25:16 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <4043800C.7000106@ucgbook.com> Jeff Earickson wrote: > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. I have BigEvil and AntiDrug in /etc/mail/spamassassin and they work just fine. If you run "spamassassin -D", does it say that it uses /etc/mail/spamassassin as site rules dir? It should be near the top of the output. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From mkettler at EVI-INC.COM Mon Mar 1 18:37:35 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> At 11:57 AM 3/1/2004, Jeff Earickson wrote: >Well, I have "SpamAssassin Site Rules Dir" defined as >/etc/mail/spamassassin. In there I have local.cf as a symlink to >/opt/MailScanner/etc/spam.assassin.prefs.conf, 1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ? In general that's a bad idea. If nothing else, you're forcing SA to double-parse that file when mailscanner initializes. If you really want the contents of your spam.assassin.prefs.conf to apply globally, copy it to local.cf and put a blank spam.assassin.prefs.conf in /opt/MailScanner. There's no good reason for both files to have SA config data in them. 2) Have you run spamassassin --lint against your files? Slight typos can cause SA to get irritable and spit out whole files at a time without parsing them. From leduc at CTS.COM Mon Mar 1 18:39:26 2004 
From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> Message-ID: <200403011039.26528.leduc@cts.com> Hi Kevin, My company has always blocked passworded zips. If the gateway can't unzip the file, it gets blocked. It's a brain-dead gateway, so I won't embarrass myself (by association) by saying what it is. On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote: > This virus is spreading rapidly, we've seen it overnight (although not in > its password protected form - but we had no way of spotting that so it may > have got through). > > I'm now blocking zip files (making me not very popular this morning!). > > Time to start a discussion about ways to block password protected zip > files? From kodak at FRONTIERHOMEMORTGAGE.COM Mon Mar 1 18:39:37 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:51 2006 Subject: Has Sophos got slower again? In-Reply-To: <40437DF1.4060000@bangor.ac.uk> Message-ID: <014f01c3ffbc$8ca08350$0501a8c0@darkside> > >My EM Library has installed Sophos 3.79 for me on my test (Debian >stable, MailScanner-4.26-4, Sophos linux.intel.libc6.glibc.2.2) box and >I've noticed it being a bit sluggish today. As this box only handles my >e-mail (I say only, but that's still quite a bit) it got me >wondering. I >tried just starting sweep on a tiny file and it took maybe 15 >seconds. I >tried the older version (3.78d) and it was maybe 6 seconds. Is anyone >else with 3.79 seeing this slowdown? > >Maybe I should look at sophossavi again....? I haven't had any issues with Sophos recently. I am using sophossavi, though. You should think about doing the same, I can't think of a reason not to. 15 seconds is a long time for one file, even with sweep. What's the load on your box when you're running it? You've got a bottleneck somewhere, and since you mentioned you're not running savi... that's probably it. HTH, --J(K) From peter at UCGBOOK.COM Mon Mar 1 18:41:50 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: Feature suggestion: quarantine password protected zip messages Message-ID: <404383EE.5030508@ucgbook.com> I would like to have a switch so I could choose to quarantine messages that contain unscannable attachments. A report should be sent out to the recipient with the usual from/to/subject/date that is usually enough to determine that it's nothing they asked for so they don't ask me to release it from quarantine. But if they do, I can check inside the message for the password and scan it manually before I do so. It seems to be a trend to send viruses through password protected zips now and I think this would help. What do you think? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Mon Mar 1 18:46:09 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> References: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> Message-ID: <404384F1.7040701@ucgbook.com> Matt Kettler wrote: > 1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ? > > In general that's a bad idea. If nothing else, you're forcing SA to > double-parse that file when mailscanner initializes. Would this double-parsing be invoked every time a message is scanned by MS/SA or only at the start of a new MS child? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 18:52:02 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:51 2006 Subject: F-Prot - Debian - MailScanner paths [SCANNED] In-Reply-To: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 11:11 AM, "Julian Field" wrote: > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be > the installation directory by default. > You will need to change the path in /etc/MailScanner/virus.scanners.conf or > wherever the Debian guys have put that file. Don't alter the scripts at all. Okay we have modified the virus.scanners.conf Old f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/lib/f-prot New f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/local/f-prot Looks like that was the cure :)) But on the /etc/MailScanner/autoupdate/f-prot-autoupdate We have use Sys::Syslog; use IO::File; # Stop syslogd from needing external access (or -r) eval { Sys::Syslog::setlogsock('unix'); }; $PackageDir = "/usr/lib/f-prot"; And # N.B. TempDir DIRECTORY WILL BE CLEARED so # you *really* don't want to share it with # anything else. $TempDir = "/var/tmp/f-prot"; $DefDir = "/var/lib/f-prot"; Will the autoupdate know to tap into /usr/local/f-prot Those looked hard-coded? -- Thanks!! David Thurman List Only at Web Presence Group Net From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 19:10:12 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller [SCANNED] In-Reply-To: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 10:58 AM, "Julian Field" wrote: > > If Net::DNS is not installed, that would make a huge difference to your > spam-spotting success rate. SpamAssassin would not be checking any of the > RBL's, you would only get MailScanner RBL checking (which doesn't rely on > Net::DNS). So using the above method or perl mod, should we turn RBL off in MS and on in SA then? Sorry for sounding dumb, the SA part of all this is the more confusing thing, MS seems to be for the most part straight forward. -- Thanks!! David Thurman List Only at Web Presence Group Net From mikea at MIKEA.ATH.CX Mon Mar 1 19:11:01 2004 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: ; from P.G.M.Peters@utwente.nl on Mon, Mar 01, 2004 at 12:50:50PM +0100 References: Message-ID: <20040301131101.A70553@mikea.ath.cx> On Mon, Mar 01, 2004 at 12:50:50PM +0100, Peter Peters wrote: > On Mon, 1 Mar 2004 11:29:29 +0100, you wrote: > > >Hi! > > > >> Its in our top10 of today: > >> > >> 4747 W32/Netsky.B@mm > >> 1275 W32/Swen.A@mm > >> 404 W32/Sober.C@mm > >> 337 W32/Mydoom.A@mm > >> 200 W32/Netsky.C@mm > >> 126 W32/Bugbear.B@mm > >> 96 W32/Bagle.F@mm > >> 57 W32/Bagle.E@mm > >> 49 W32/Mydoom.E@mm > >> 19 W32/Mimail.J@mm > > > >The G one also just came in twice: > > > >2 W32/Bagle.G@mm > > We got > 12 removed > 12 W32/Bagle.E@mm > 1 removed > 10 W32/Bagle.F@mm > 8 W32/Bagle.C@mm > 4 removed > 4 W32/Bagle.D@mm > 9 removed > 1 W32/Bagle.G@mm Here at WeBuildHighways, it's a lot like this: $ FOUNDnow # This is /home/mikea/bin/FOUND. # Start Input Phase on 2004.60 (2004 Mar 1) at 13:08:49 local Worm.Bagle.A3 1 every 1.88 hours Worm.Bagle.E 1 every 1.01 hours Worm.Bagle.F 1 every 1.88 hours Worm.Mydoom.F 1 every 52.59 minutes Worm.SCO.A 1 every 13.15 hours Worm.SomeFool 1 every 10.11 minutes Worm.SomeFool.B 1 every 56.34 minutes Worm.SomeFool.B-petite 1 every 19.72 minutes Total 1 every 4.51 minutes Now, does anyone have a pointer to translating from ClamAV's malware names to, say, Norton's, so I can see how our stats compare to others? -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From gdoris at rogers.com Mon Mar 1 19:21:27 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40437E68.7020507@ucgbook.com> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40437E68.7020507@ucgbook.com> Message-ID: <48210.129.80.22.143.1078168887.squirrel@65.48.246.102> > Max Kipness wrote: >> I'm not doing Bayes at the moment as it seems to be a real hassle doing >> the training. > > I don't know for other sites but I don't bother with training. I use the > default autolearn feature (<0.1 ham, >12 spam) and it works great. If > you have Exchange on the inside it's not easy to get a correct mail to > learn from. > >> So my question is what can I do to improve the whole system? What >> tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to >> SpamAssassin? > > Definitely turn on Bayes, it will help a lot even without additional > training. Also use DCC, it's a really good design. It's easy to install, > fast and stable. > > Here are my top SA traps: > > SpamAssassin 369,153 > ...HTML_MESSAGE 290,859 > ...BAYES_99 285,210 > ...RCVD_IN_BL_SPAMCOP_NET 255,030 > ...DCC_CHECK 232,846 > > Out of a total of 369,153 messages identified as spam Bayes was 99% sure > that 285,210 were spam, that's 5.4 points right there. The best RBL for > me, as you can see, is spamcop and right after that follows the DCC > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total > much. > > -- > /Peter Bonivart I have also found Spamcop to be pretty accurate for the mail I receive. As such, I've bumped the spam score for it up a little from the default. Gerry From raymond at PROLOCATION.NET Mon Mar 1 19:45:44 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <48210.129.80.22.143.1078168887.squirrel@65.48.246.102> Message-ID:

Hi!

> > SpamAssassin 369,153
> > ...HTML_MESSAGE 290,859
> > ...BAYES_99 285,210
> > ...RCVD_IN_BL_SPAMCOP_NET 255,030
> > ...DCC_CHECK 232,846
> >
> > Out of a total of 369,153 messages identified as spam Bayes was 99% sure
> > that 285,210 were spam, that's 5.4 points right there. The best RBL for
> > me, as you can see, is spamcop and right after that follows the DCC
> > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total
> > much.
> >
> > --
> > /Peter Bonivart
>
> I have also found Spamcop to be pretty accurate for the mail I receive.
> As such, I've bumped the spam score for it up a little from the default.

And you can put some more RBL checks enabled :)

#
# Extra DNSBL checks:
#

# AHBL RBL checks
header RCVD_IN_AHBL eval:check_rbl_txt('ahbl', 'dnsbl.ahbl.org.')
describe RCVD_IN_AHBL Received via a relay in dnsbl.ahbl.org
tflags RCVD_IN_AHBL net
score RCVD_IN_AHBL 0 1.271 0 2.0

# RSL RBL checks
header RCVD_IN_RSL eval:check_rbl_txt('rsl', 'relays.visi.com.')
describe RCVD_IN_RSL Received via a relay in relays.visi.com.
tflags RCVD_IN_RSL net
score RCVD_IN_RSL 0 1.271 0 1.6

# CBL RBL checks
header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org.')
describe RCVD_IN_CBL Received via a relay in cbl.abuseat.org.
tflags RCVD_IN_CBL net
score RCVD_IN_CBL 0 1.271 0 1.6

# ORDB RBL checks
header RCVD_IN_ORDB eval:check_rbl_txt('ordb', 'relays.ordb.org.')
describe RCVD_IN_ORDB Received via a relay in relays.ordb.org.
tflags RCVD_IN_ORDB net
score RCVD_IN_ORDB 0 1.271 0 1.0

score RCVD_IN_DSBL 0 1.271 0 1.6

Plus i raised the DSBL score a little.

Bye, Raymond.

From gdoris at rogers.com Mon Mar 1 19:54:19 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:51 2006
Subject: backhair, confused... SOLVED
In-Reply-To:
References:
Message-ID: <49777.129.80.22.143.1078170859.squirrel@65.48.246.102>

> Gang,
> Discovered the problem after a good lunch and more staring at
> debug output. I had for settings:
>
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
>
> and got debug output of:
>
> debug: using "/opt/perl5/share/spamassassin" for default rules dir
> debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir
>
> Wrong! My perl is installed in /opt/perl5, dunno where these paths
> came from. Changed the two blank config settings above to
> "/etc/mail/spamassassin" and the debug output changed to:
>
> debug: using "/etc/mail/spamassassin" for default rules dir
> debug: using "/etc/mail/spamassassin" for site rules dir
>
> and now backhair/bigevil/antidrug are being used by SA. Problem
> solved, but I don't know why MS was picking up my perl install path
> for blank rules directories.
>
> Jeff Earickson
> Colby College

If you're not already using the "rules_du_jour" script I highly recommend
it. The various rules change regularly as well as the script. Running it
as a cron job will ensure you're always current.

Gerry

From maillists at CONACTIVE.COM Mon Mar 1 20:31:35 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:51 2006
Subject: backhair, confused... SOLVED
In-Reply-To:
References:
Message-ID:

Jeff Earickson wrote on Mon, 1 Mar 2004 13:17:38 -0500:

> debug: using "/opt/perl5/share/spamassassin" for default rules dir
> debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir
>
> Wrong! My perl is installed in /opt/perl5, dunno where these paths
> came from. Changed the two blank config settings above to
> "/etc/mail/spamassassin" and the debug output changed to:
>

this is wrong again. Default Rules Dir should point to the SA default rules
dir which is /usr/share/spamassassin on most platforms. I don't know what
Local Rules Dir should be, maybe the dir (not the path) within each users
homedir. Compare that:

SpamAssassin Site Rules Dir = /etc/mail/spamassassin
debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir

see the difference? Either there is a small bug in MS which adds instead of
replaces the Site Rules Dir or there is another problem. If you have a
correctly installed SA this line should do it alone:

SpamAssassin Prefs File = /etc/mail/spamassassin/local.cf

(note: no Rules Dir whatsoever stuff!) if /etc/mail/spamassassin/ is the
Sites Rules Dir (can be found out by running spamassassin --lint).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From shrek-m at GMX.DE Mon Mar 1 20:44:39 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:51 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <40432902.8020101@solid-state-logic.com>
References: <40432902.8020101@solid-state-logic.com>
Message-ID: <4043A0B7.3060400@gmx.de>

Martin Hepworth wrote:

> looks they've got it finally!!!

ohhh, they are awaken and back im game ?
From: Sophos Alert System
Date: Mon, 01 Mar 2004 11:51:01 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Netsky-D

From: Sophos Alert System
Date: Mon, 01 Mar 2004 17:25:14 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Netsky-E

From: Sophos Alert System
Date: Mon, 01 Mar 2004 17:59:27 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-H

From: Sophos Alert System
Date: Mon, 01 Mar 2004 19:57:05 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-H

--
shrek-m

From pete at eatathome.com.au Mon Mar 1 20:48:55 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:51 2006
Subject: More details in the logs
In-Reply-To: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au>
References: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au>
Message-ID: <4043A1B7.2090100@eatathome.com.au>

David Hooton wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>Behalf Of Patrik Bäckström
>>Sent: Monday, 1 March 2004 11:31 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: More details in the logs
>>
>>We use MailScanner for several customers/domains (currently version 4.25-14)
>>and we would like to gather statistics per customer on how many mails
>>scanned (that i can get from postfix), how many rejected and why and so
>>on.
>>
>>Currently, it only tells us that something has been blocked and why, but
>>not from or, more important, to who the mail was sent.
>>
>
>http://mailwatch.sf.net/
>
>Will allow you to setup per domain/user etc etc stats for users, very useful
>tool indeed.
>
>Dave
>
>========================================================================
> Pain free spam & virus protection by: www.mailsecurity.net.au
> Forward undetected SPAM to: spam@mailsecurity.net.au
>========================================================================
>

If you want a text only version you could get and run the pflogsum.pl
script from sourceforge too - simple perl script that greps the maillog and
produces a nice report each night and emails it to me.. sample..

Postfix log summaries for Feb 26

Grand Totals
------------
messages

    223   received
    113   delivered
      0   forwarded
    187   deferred  (190 deferrals)
      0   bounced
     17   rejected (13%)
      0   reject warnings
      0   held
      0   discarded (0%)

   4389k  bytes received
   3657k  bytes delivered
    156   senders
    132   sending hosts/domains
     74   recipients
      3   recipient hosts/domains

Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced   rejected
    --------------------------------------------------------------------
    0000-0100            5          0          5          0          0
    0100-0200            4          0          3          0          1
    0200-0300            5          1          5          0          0
    0300-0400            2          1          0          0          0
    0400-0500            5          4          2          0          0
    0500-0600            2          0          2          0          0
    0600-0700            3          0          2          0          1

Host/Domain Summary: Message Delivery
 sent cnt    bytes   defers   avg dly   max dly   host/domain
 --------  -------  -------   -------   -------   -----------
      102    3539k      181     5.5 m    21.2 m   primary.com.au
        8   116487        9     7.6 m    16.4 m   students.primary.com.au
        3     3614        0     0.3 s     1.0 s   mail02.primary.com.au

Host/Domain Summary: Messages Received
 msg cnt     bytes   host/domain
 --------  -------   -----------
        9   417475   enewsletters.f2network.com.au
        9   205721   yahoo.com.au
        7    43904   yahoo.com
        4     537k   mannatech.com.au
        4   123015   national.com.au
        4    32121   sesahs.nsw.gov.au
        4    29103   mail02.primary.com.au
        4    13800   lyris.isworld.org

From JLimmer at CURAGEN.COM Mon Mar 1 21:35:05 2004
From: JLimmer at CURAGEN.COM (Limmer, Jim)
Date: Thu Jan 12 21:22:51 2006
Subject: Justification for mailscanner.
Message-ID: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>

My company has budgeted a good amount of money for a spam/virus filtering
email gateway, similar to what I can accomplish with mailscanner. We've
tested a few commercial products, none to our satisfaction. While we are
meeting with their sales staff I typically jot down each application they
are using. It's amazing the amount of money some of these vendors are
charging for what is 99% open source software. Typically these boxes are
running redhat, postfix, sa, razor... the list goes on. The only
proprietary software I see on these boxes are their web gui front ends,
which are typically attractive, but IMHO - useless.

Anyway, the question was put to me today - how can you justify wanting to
spend valuable man hours building and configuring our own system based on
open source, when we've already budgeted enough money to cover a commercial
solution?

While the simple answers are the ones that make sense to us technological
people

1> open source is good.
2> personal satisfaction of putting your own system together
3> It's just darn cool & techo-geeky.

Unfortunately, those answers aren't going to satisfy the higher ups.

Anyone seen any good articles, or have any comment that may help me put
together a good answer to this?

Thanks,
-Jim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/f19bfa95/attachment.html

From steve.swaney at FSL.COM Mon Mar 1 21:54:01 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:51 2006
Subject: Justification for mailscanner.
In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <20040301215603.9ED4721C141@mail.fsl.com>

________________________________________
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Limmer, Jim
Sent: Monday, March 01, 2004 4:35 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Justification for mailscanner.

My company has budgeted a good amount of money for a spam/virus filtering
email gateway, similar to what I can accomplish with mailscanner. We've
tested a few commercial products, none to our satisfaction. While we are
meeting with their sales staff I typically jot down each application they
are using. It's amazing the amount of money some of these vendors are
charging for what is 99% open source software. Typically these boxes are
running redhat, postfix, sa, razor the list goes on. The only proprietary
software I see on these boxes are their web gui front ends, which are
typically attractive, but IMHO - useless.

Anyway, the question was put to me today - how can you justify wanting to
spend valuable man hours building and configuring our own system based on
open source, when we've already budgeted enough money to cover a commercial
solution?

While the simple answers are the ones that make sense to us technological
people

1> open source is good.
2> personal satisfaction of putting your own system together
3> It's just darn cool & techo-geeky.

I believe;

1. It's the best solution at any price.

2. It provides more features than any other commercial application.

3. It's updated much more frequently than the commercial solutions. This is
very important in accurately detecting spam. It's a race between the
spammers and SpamAssassin and the ruleset writers.

4. It can use multiple virus scanners of your choice at the same time. This
was very important today where a lot of folks got burned by a single virus
scanner (thank you ClamAV!). Your virus scanners are updated hourly.

I'm sure you'll get a few other responses :)

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

Unfortunately, those answers aren't going to satisfy the higher ups.

Anyone seen any good articles, or have any comment that may help me put
together a good answer to this?

Thanks,
-Jim

--
This message has been scanned for viruses and dangerous content by
Fortress Secure Mail Gateway and was found to be clean.
Fortress Systems Ltd. - http://www.fsl.com

From dparter at CS.WISC.EDU Mon Mar 1 21:49:56 2004
From: dparter at CS.WISC.EDU (David Parter)
Date: Thu Jan 12 21:22:51 2006
Subject: Justification for mailscanner.
In-Reply-To: Message from "Limmer, Jim" of "Mon, 01 Mar 2004 16:35:05 EST." <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <200403012149.PAA12186@yfandes.cs.wisc.edu>

> Anyway, the question was put to me today - how can you justify wanting
> to spend valuable man hours building and configuring our own system
> based on open source, when we've already budgeted enough money to cover
> a commercial solution?
>
> While the simple answers are the ones that make sense to us
> technological people
>
> 1> open source is good.
> 2> personal satisfaction of putting your own system together
> 3> It's just darn cool & techo-geeky.
>
> Unfortunately, those answers aren't going to satisfy the higher ups.
>
> Anyone seen any good articles, or have any comment that may help me put
> together a good answer to this?

how about:

The amount of time we will have to spend learning and maintaining the
"commercial" system is very close to the amount of time we would spend
putting it together ourselves, with the added bonus that it will more
closely meet our needs, and we can be more flexible and responsive to
changing conditions and requirements.

--david

From dparter at CS.WISC.EDU Mon Mar 1 21:52:54 2004
From: dparter at CS.WISC.EDU (David Parter)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner (part 2)
In-Reply-To: Message from "Limmer, Jim" of "Mon, 01 Mar 2004 16:35:05 EST." <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <200403012152.PAA12232@yfandes.cs.wisc.edu>

> Anyway, the question was put to me today - how can you justify wanting
> to spend valuable man hours building and configuring our own system
> based on open source, when we've already budgeted enough money to cover
> a commercial solution?

I forgot an important point:

e-mail is so important to this organization, I'm more comfortable with
in-house expertise to support it. Virus scanning is only part of a larger
system of mail delivery and transport, which we already maintain. It is
critical that we are able to support and maintain each component ...

--david

From jmckee at RESODYN.COM Mon Mar 1 21:53:35 2004
From: jmckee at RESODYN.COM (John McKee)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner problems
Message-ID: <1078178015.2258.72.camel@localhost.localdomain>

Good afternoon,

I've recently installed MailScanner for the sole purpose of blocking
attachments. I am not interested in Spam blocking or antivirus scanning
(via MailScanner) at this time.

My problem is that although the types are specified, .txt, .bat,. pif,
etc. they are all being allowed through.

I haven't been able to locate a log file specifically for
MailScanner. I have watched traffic through /var/spool/maillog and
messages on var/spool/messages; but nothing is making itself apparent.
MailScanner does appear to be running, determined through various
restarts via 'service MailScanner restart".

Fedora Core 1. Sendmail 8.12.10.

I have scanned the help files, google, etc. Where else can I look?
I'm willing to post various log files, confs, etc if someone can help me
out.

Thanks,
John McKee

From kodak at FRONTIERHOMEMORTGAGE.COM Mon Mar 1 22:07:53 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner.
In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <018a01c3ffd9$a4f80690$0501a8c0@darkside>

Pocket the money and just tell them you've installed a commercial
solution. :)

Or, more seriously, buy "MailScanner Enterprise" from Steve and Julian's
company.

--J(K)

From jrudd at UCSC.EDU Mon Mar 1 22:04:11 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner.
References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <4043B35B.3E1D45AC@ucsc.edu>

> "Limmer, Jim" wrote:
>
> My company has budgeted a good amount of money for a spam/virus
> filtering email gateway, similar to what I can accomplish with
> mailscanner. We've tested a few commercial products, none to our
> satisfaction. While we are meeting with their sales staff I typically
> jot down each application they are using. It's amazing the amount of
> money some of these vendors are charging for what is 99% open source
> software. Typically these boxes are running redhat, postfix, sa,
> razor... the list goes on. The only proprietary software I see on
> these boxes are their web gui front ends, which are typically
> attractive, but IMHO - useless.
>
> Anyway, the question was put to me today - how can you justify wanting
> to spend valuable man hours building and configuring our own system
> based on open source, when we've already budgeted enough money to
> cover a commercial solution?
>
> While the simple answers are the ones that make sense to us
> technological people
>
> 1> open source is good.
> 2> personal satisfaction of putting your own system together
> 3> It's just darn cool & techo-geeky.
>

1) With the open source solution, you likely will have exactly the system
you need instead of something that is dictated to you by the commercial
vendor (this is especially true with the 2nd item I'm about to mention,
but even without that, you are always able to tailor the code to your
needs, where with non-open solutions you are often prevented from going
down that path).

2) MailScanner's developer is very attentive to the needs of his user
community, is up front about what features he will or won't add, and has
even changed his mind through discussion with his users about features.
I have yet to meet a commercial vendor that does any of those things.

3) by using Open Source software, you're not locked into the whims or
economic ups and downs of a commercial vendor. If the developer decides to
change directions, abandon the project, etc. you're basically in the cold
with the non-open source solution. With open source, you and the community
can pick up where the developer left off.

4) With the specifics you've mentioned, they're basically charging you
money for a pretty (and useless) gui as a front end to tools you can
otherwise get for free. I would counter with the question "how can you
justify paying for their product when the same or better is free?"

5) with Mailscanner specifically, you're not locked into specific
platforms (both on the hardware and software fronts). If, for whatever
reason, your IT staff decides that it is time to change platforms, you can
do so without significant changes in your service offering. These days,
it's harder and harder to find vendors that support identical software on
multiple platforms. Don't let vendors dictate your hardware, OS, and MTA
choices to you.

From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 1 22:17:06 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner problems
In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain>
References: <1078178015.2258.72.camel@localhost.localdomain>
Message-ID: <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca>

On Mon 01/03/2004 at 16:53, John McKee wrote:
> Good afternoon,
>
>
> I've recently installed MailScanner for the sole purpose of blocking
> attachments. I am not interested in Spam blocking or antivirus scanning
> (via MailScanner) at this time.
>
> My problem is that although the types are specified, .txt, .bat,. pif,
> etc. they are all being allowed through.
>
> I haven't been able to locate a log file specifically for
> MailScanner. I have watched traffic through /var/spool/maillog and
> messages on var/spool/messages; but nothing is making itself apparent.
> MailScanner does appear to be running, determined through various
> restarts via 'service MailScanner restart".
>
> Fedora Core 1. Sendmail 8.12.10.
>
> I have scanned the help files, google, etc. Where else can I look?
> I'm willing to post various log files, confs, etc if someone can help me
> out.
>
> Thanks,
> John McKee

John,

You probably have sendmail running alongside MailScanner. Do "service
sendmail stop" and "chkconfig sendmail off", make sure no sendmail is
still running and then restart MailScanner.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From kevins at BMRB.CO.UK Mon Mar 1 22:22:11 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner problems
In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain>
References: <1078178015.2258.72.camel@localhost.localdomain>
Message-ID: <1078179731.428.21.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 21:53, John McKee wrote:

> I've recently installed MailScanner for the sole purpose of blocking
> attachments. I am not interested in Spam blocking or antivirus scanning
> (via MailScanner) at this time.
>
> My problem is that although the types are specified, .txt, .bat,. pif,
> etc. they are all being allowed through.

> I have scanned the help files, google, etc. Where else can I look?
> I'm willing to post various log files, confs, etc if someone can help me
> out.
>

May I hazard a guess that perhaps you have set Virus Scanning = no in
MailScanner.conf? Because filename and filetype rules are considered part
of the virus scanning process this will turn these checks off. Try setting

Virus Scanning = yes
Virus Scanners = none

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:18:39 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner problems
In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain>
References: <1078178015.2258.72.camel@localhost.localdomain>
Message-ID: <6.0.1.1.2.20040301221524.04403e58@imap.ecs.soton.ac.uk>

At 21:53 01/03/2004, you wrote:
>Good afternoon,
>
>
> I've recently installed MailScanner for the sole purpose of blocking
>attachments. I am not interested in Spam blocking or antivirus scanning
>(via MailScanner) at this time.
>
> My problem is that although the types are specified, .txt, .bat,. pif,
>etc. they are all being allowed through.
>
> I haven't been able to locate a log file specifically for
>MailScanner. I have watched traffic through /var/spool/maillog and
>messages on var/spool/messages; but nothing is making itself apparent.
>MailScanner does appear to be running, determined through various
>restarts via 'service MailScanner restart".

MailScanner logs into /var/log/maillog via your normal syslog service. Its
log entries are all marked with "MailScanner".

You should set "Virus Checking = yes" and "Virus Scanners = none" to get
the effect you want. The "Virus Checking" option controls the filename and
filetype checking as well as the actual virus scanning, for historical
reasons.

> Fedora Core 1. Sendmail 8.12.10.

I have run it myself on this exact configuration, so I know it works just
fine. Did you install it by running the "./install.sh" script as
instructed?

> I have scanned the help files, google, etc. Where else can I look?
>I'm willing to post various log files, confs, etc if someone can help me
>out.
>
>Thanks,
>John McKee

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz

MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Mar 1 21:55:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: Stable 4.27.7 released
In-Reply-To: <4043708E.642C0511@ihs.com>
References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> <40437011.660C81E6@ihs.com> <4043708E.642C0511@ihs.com>
Message-ID: <6.0.1.1.2.20040301215346.02d92ec8@imap.ecs.soton.ac.uk>

At 17:19 01/03/2004, you wrote:
>Dustin Baer wrote:
> >
> > Julian Field wrote:
> > >
> > >
> > > - Added options to add new headers containing the envelope sender and/or
> > > envelope recipients addresses. The names of the headers are, of course,
> > > configurable.
> >
> > Is there a reason that these headers (X-MailScanner-To:,
> > X-MailScanner-From:) don't include %org-name%?
>
>WHOOPS! Accidentally clicked send.
>
>Obviously, this can be changed to "X-%org-name%-MailScanner-From:", but
>I wanted to make sure there wasn't a good reason not to add %org-name%.

I did it to minimise the information leakage caused when people Bcc
people, which these headers cause to be shown in the message headers.
Headers added by later MailScanners will override those placed by earlier
ones, which will reduce the Envelope-To to just those in your domain,

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz

MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:07:58 2004
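[Added example, not part of the list traffic and not MailScanner code: a check for the leakage Julian describes, listing envelope recipients that appear in neither To nor Cc of a stored message. The header names are the ones quoted in the thread; the sample message is constructed, and rewrite_at_gateway is a hypothetical model of a later gateway overriding the header.]

```python
"""Find Bcc recipients exposed by an envelope-recipient header."""
from email import message_from_string
from email.utils import getaddresses

# Header name as quoted in the thread for the 4.27.7 release.
ENVELOPE_TO = "X-MailScanner-To"

# Constructed message as the sending site's gateway would pass it on:
# dave and erin were Bcc'd, so they appear only in the envelope header.
SAMPLE = """\
From: alice@example.org
To: bob@example.com
Cc: carol@example.net
Subject: quarterly figures
X-MailScanner-From: alice@example.org
X-MailScanner-To: bob@example.com, carol@example.net, dave@example.com, erin@example.net

See attached.
"""


def addresses(msg, *headers):
    """Lower-cased addresses found in the named headers."""
    values = []
    for name in headers:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def disclosed_bcc(msg, header=ENVELOPE_TO):
    """Envelope recipients that are in neither To nor Cc, i.e. Bcc'd
    addresses that every reader of this copy can see in its headers."""
    return sorted(addresses(msg, header) - addresses(msg, "To", "Cc"))


def rewrite_at_gateway(msg, envelope_rcpts, header=ENVELOPE_TO):
    """Hypothetical model of a later gateway replacing the header: earlier
    copies are dropped and only the recipients of this SMTP transaction
    (the gateway's own users) are written back."""
    del msg[header]  # removes every existing copy of the header
    msg[header] = ", ".join(envelope_rcpts)
    return msg


def demo():
    """Return the exposed Bcc list before and after the second gateway."""
    msg = message_from_string(SAMPLE)
    before = disclosed_bcc(msg)
    # example.com's gateway only ever sees its own users in the envelope.
    rewrite_at_gateway(msg, ["bob@example.com", "dave@example.com"])
    after = disclosed_bcc(msg)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed after first gateway: ", before)
    print("exposed after second gateway:", after)
```

[In this model the override hides the Bcc'd recipient at the other domain, but the Bcc'd address at the same domain is still listed in the copy its colleague receives.]
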
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner vs. SpamKiller [SCANNED]
In-Reply-To:
References: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040301220603.04346008@imap.ecs.soton.ac.uk>

At 19:10 01/03/2004, you wrote:
>On 3/1/04 10:58 AM, "Julian Field" wrote:
>
> >
> > If Net::DNS is not installed, that would make a huge difference to your
> > spam-spotting success rate. SpamAssassin would not be checking any of the
> > RBL's, you would only get MailScanner RBL checking (which doesn't rely on
> > Net::DNS).
>
>So using the above method or perl mod, should we turn RBL off in MS and on
>in SA then?

There are pros and cons for using the RBLs in any of
1) MTA
2) MailScanner
3) SpamAssassin
This has been discussed here before.

You definitely want at least (3). Use (1) if you want to reject
connections at SMTP time. Use (2) if you want membership of any RBL to
cause a message to be considered as spam. Certainly reasonable with the
SBL and XBL blacklists from spamhaus.org (there is 1 list that combines
both of them).

>Sorry for sounding dumb, the SA part of all this is the more confusing
>thing, MS seems to be for the most part straight forward.
>--
>Thanks!!
>David Thurman
>List Only at Web Presence Group Net

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz

MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:05:32 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: F-Prot - Debian - MailScanner paths [SCANNED]
In-Reply-To:
References: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040301220455.0433bbe0@imap.ecs.soton.ac.uk>

The f-prot-autoupdate should (unless the Debian packagers have played with
it) take the installation directory on the command line, just like the
f-prot-wrapper does.

At 18:52 01/03/2004, you wrote:
>On 3/1/04 11:11 AM, "Julian Field" wrote:
>
> > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be
> > the installation directory by default.
> > You will need to change the path in /etc/MailScanner/virus.scanners.conf or
> > wherever the Debian guys have put that file. Don't alter the scripts at all.
>
>Okay we have modified the virus.scanners.conf
>
>Old
>f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/lib/f-prot
>New
>f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/local/f-prot
>
>Looks like that was the cure :))
>
>But on the /etc/MailScanner/autoupdate/f-prot-autoupdate
>
>We have
>
>use Sys::Syslog;
>use IO::File;
># Stop syslogd from needing external access (or -r)
>eval { Sys::Syslog::setlogsock('unix'); };
>
>$PackageDir = "/usr/lib/f-prot";
>
>
>And
>
>
># N.B. TempDir DIRECTORY WILL BE CLEARED so
># you *really* don't want to share it with
># anything else.
>$TempDir = "/var/tmp/f-prot";
>$DefDir = "/var/lib/f-prot";
>
>
>Will the autoupdate know to tap into /usr/local/f-prot Those looked
>hard-coded?
>
>--
>Thanks!!
>David Thurman
>List Only at Web Presence Group Net

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz

MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:04:02 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: bigevil, backhair... STILL confused
In-Reply-To: <404384F1.7040701@ucgbook.com>
References: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> <404384F1.7040701@ucgbook.com>
Message-ID: <6.0.1.1.2.20040301220252.04383e18@imap.ecs.soton.ac.uk>

At 18:46 01/03/2004, you wrote:
>Matt Kettler wrote:
>>1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ?
>>
>>In general that's a bad idea. If nothing else, you're forcing SA to
>>double-parse that file when mailscanner initializes.
>
>Would this double-parsing be invoked every time a message is scanned by
>MS/SA or only at the start of a new MS child?

Only at the start of a new MS child, so it's no big deal.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz

MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jmckee at RESODYN.COM Mon Mar 1 22:23:02 2004
From: jmckee at RESODYN.COM (John McKee)
Date: Thu Jan 12 21:22:52 2006
Subject: MailScanner problems
In-Reply-To: <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca>
References: <1078178015.2258.72.camel@localhost.localdomain> <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <1078179782.2258.77.camel@localhost.localdomain>

Denis,

Thanks for the reply. I tried what you suggested and it didn't work
apparently. Can I try something else, check a log file for that last
command set?

It did throw this on the Mailscanner restart

"incoming sendmail: head: /var/run/sm-client.pid: No such file or directory"

Thanks,
John McKee

On Mon, 2004-03-01 at 15:17, Denis Beauchemin wrote:
> On Mon 01/03/2004 at 16:53, John McKee wrote:
> > Good afternoon,
> >
> >
> > I've recently installed MailScanner for the sole purpose of blocking
> > attachments. I am not interested in Spam blocking or antivirus scanning
> > (via MailScanner) at this time.
> >
> > My problem is that although the types are specified, .txt, .bat,. pif,
> > etc. they are all being allowed through.
> >
> > I haven't been able to locate a log file specifically for
> > MailScanner. I have watched traffic through /var/spool/maillog and
> > messages on var/spool/messages; but nothing is making itself apparent.
> > MailScanner does appear to be running, determined through various
> > restarts via 'service MailScanner restart".
> >
> > Fedora Core 1. Sendmail 8.12.10.
> >
> > I have scanned the help files, google, etc. Where else can I look?
> > I'm willing to post various log files, confs, etc if someone can help me
> > out.
> >
> > Thanks,
> > John McKee
>
> John,
>
> You probably have sendmail running alongside MailScanner. Do "service
> sendmail stop" and "chkconfig sendmail off", make sure no sendmail is
> still running and then restart MailScanner.
>
> Denis

From jmckee at RESODYN.COM Mon Mar 1 22:26:46 2004
From: jmckee at RESODYN.COM (John McKee)
Date: Thu Jan 12 21:22:52 2006
Subject: {Filename?} Re: MailScanner problems
In-Reply-To: <1078179731.428.21.camel@bach.kevinspicer.co.uk>
References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk>
Message-ID: <1078180005.2258.79.camel@localhost.localdomain>

Warning: This message has had one or more attachments removed
Warning: (the entire message).
Warning: Please read the "Resodyn Corp-Attachment-Warning.txt" attachment(s) for more information.

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.

At Mon Mar 1 15:22:28 2004 the virus scanner said:
MailScanner: (msg-10413-745.txt)

--
Postmaster
MailScanner thanks transtec Computers for their support

From mikea at MIKEA.ATH.CX Mon Mar 1 22:29:38 2004
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner.
In-Reply-To: <20040301215603.9ED4721C141@mail.fsl.com>; from steve.swaney@FSL.COM on Mon, Mar 01, 2004 at 04:54:01PM -0500
References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> <20040301215603.9ED4721C141@mail.fsl.com>
Message-ID: <20040301162938.A71816@mikea.ath.cx>

On Mon, Mar 01, 2004 at 04:54:01PM -0500, Stephen Swaney wrote:
>
> ________________________________________
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Limmer, Jim > Sent: Monday, March 01, 2004 4:35 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Justification for mailscanner. > > > ?My company has budgeted a good amount of money for a spam/virus filtering > email gateway, similar to what I can accomplish with mailscanner. We've > tested a few commercial products, none to our satisfaction. While we are > meeting with their sales staff I typically jot down each application they > are using. It's amazing the amount of money some of these vendors are > charging for what is 99% open source software. Typically these boxes are > running redhat, postfix, sa, razor the list goes on. The only proprietary > software I see on these boxes are their web gui front ends, which are > typically attractive, but IMHO - useless. > Anyway, the question was put to me today - how can you justify wanting to > spend valuable man hours building and configuring our own system based on > open source, when we've already budgeted enough money to cover a commercial > solution? > While the simple answers are the ones that make sense to us technological > people > 1> open source is good. > 2> personal satisfaction of putting your own system together > 3> It's just darn cool & techo-geeky. > > I believe; > > 1. It's the best solution at any price. > > 2. It provides more features than any other commercial application. > > 3. It's updated much more frequently than the commercial solutions. This is > very important in accurately detecting spam. It's a race between the > spammers and SpamAssassin and the ruleset writers. > > 4. It can use multiple virus scanners of your choice at the same time. This > was very important today where a lot of folks got burned by a single virus > scanner (thank you ClamAV!). Your virus scanners are updated hourly. > > I'm sure you'll get a few other responses :) I'll add to Steve's observations my own: The price was right. 
The bosses here at WeBuildHighways would have devoted one full-time equivalent to this function in any event, whether the solution was free or commercial, because we were being swamped. The proposed solution would have required a Sun or RS/6K box, and (I'm told) products that would have cost upward of US$30K/year in license fees, as well as that same FTE. My solution has been MailScanner, SpamAssassin, and ClamAV, all on top of FreeBSD. Every bit and byte of it has been free, as have the PeeCees, which were rescued from our to-surplus pile. The only costs have been for power and my salary, both of which would have been costs in any event. I have far better control, don't have to worry about contract and license expiration, and have at least as good support here and in the SpamAssassin-Talk list as I've ever had from any contract vendor. Ditto for FreeBSD and ClamAV. If they _insist_ on commercial support, it's available for FreeBSD and (IIRC) for MailScanner, and ISTR it may be available for SpamAssassin as well. They don't have to use ClamAV; they can pay for something else that's not-quite-as-good. This stuff Just Works, and my bosses at all levels have expressed complete satisfaction with the open-source solution. If you've got money in the budget for a commercial solution, use some of it to license the commercial AV scanners. See if the remainder can be used for getting you more-and-better hardware. Show your bosses that you're _saving_ money, and what you're spending is being spent wisely. I'd turn the question around: when there's a good, free solution to the problem, how can they justify paying for a commercial solution? That's like going into a restaurant and buying a meal when it's raining soup! -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From mikes at HARTWELLCORP.COM Mon Mar 1 22:32:09 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com> Kevin Spicer wrote: [snip] > I therefore propose that update_virus_scanners be moved from > /etc/cron.hourly to a file in /etc/cron.d and that the minute at which > it is scheduled in that file be generated either at random or be the > same as the minute at which the file was installed. Obviously this > would involve generating the file as part of the install process. But it's not an issue if you are running freshclam in daemon mode, is it? -- Michael St. Laurent Hartwell Corporation From kevins at BMRB.CO.UK Mon Mar 1 22:32:15 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180005.2258.79.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk> <1078180005.2258.79.camel@localhost.localdomain> Message-ID: <1078180335.32607.24.camel@bach.kevinspicer.co.uk> On Mon, 2004-03-01 at 22:26, John McKee wrote: > Warning: This message has had one or more attachments removed > Warning: (the entire message). Looks like you have a botched regular expression in your filename.rules.conf. Suggest you restore the original. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From lindsay at PA.NET Mon Mar 1 22:35:38 2004 From: lindsay at PA.NET (Lindsay Snider) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. In-Reply-To: <018a01c3ffd9$a4f80690$0501a8c0@darkside> References: <018a01c3ffd9$a4f80690$0501a8c0@darkside> Message-ID: <4043BABA.5080607@pa.net> Jason Balicki wrote: > Pocket the money and just tell them you've installed a commercial > solution. :) > > Or , more seriously, buy "MailScanner Enterprise" from Steve and > Julians company. I'd love to see you take the money and send it to Julian for all of his efforts. -lindsay > > --J(K) From kevins at BMRB.CO.UK Mon Mar 1 22:35:20 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:52 2006
Subject: Virus update times
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com>
Message-ID: <1078180520.32607.27.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 22:32, Michael St. Laurent wrote:
> Kevin Spicer wrote:
> [snip]
> > I therefore propose that update_virus_scanners be moved from
> > /etc/cron.hourly to a file in /etc/cron.d and that the minute at which
> > it is scheduled in that file be generated either at random or be the
> > same as the minute at which the file was installed. Obviously this
> > would involve generating the file as part of the install process.
>
> But it's not an issue if you are running freshclam in daemon mode, is it?
>

Probably not, but most MailScanner users won't be, they'll be using upgrade_virus_scanners. This is the best solution since it stops scanning whilst updating so there's no risk of using a corrupted or partial database.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Mon Mar 1 22:37:58 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180335.32607.24.camel@bach.kevinspicer.co.uk> Message-ID: Hi! > > Warning: This message has had one or more attachments removed > > Warning: (the entire message). > > Looks like you have a botched regular expression in your > filename.rules.conf. Suggest you restore the original. It seems he got it working now hihi :) Bye, Raymond. From mikes at HARTWELLCORP.COM Mon Mar 1 22:48:15 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com> Raymond Dijkxhoorn wrote: >> This virus is spreading rapidly, we've seen it overnight (although >> not in its password protected form - but we had no way of spotting >> that so it may have got through). > > Also in non protected zips... > > Its in our top10 of today: > > 4747 W32/Netsky.B@mm > 1275 W32/Swen.A@mm > 404 W32/Sober.C@mm > 337 W32/Mydoom.A@mm > 200 W32/Netsky.C@mm > 126 W32/Bugbear.B@mm > 96 W32/Bagle.F@mm > 57 W32/Bagle.E@mm > 49 W32/Mydoom.E@mm > 19 W32/Mimail.J@mm Ohhh, you have a top 10 virus summary report script? Would you mind sharing that? I'd love to send that out to management each morning. -- Michael St. Laurent Hartwell Corporation From mikes at HARTWELLCORP.COM Mon Mar 1 22:50:06 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com> Kevin Spicer wrote: > Probably not, but most MailScanner users won't be, they'll be using > upgrade_virus_scanners. This is the best solution since it stops > scanning whilst updating so theres no risk of using a corrupted or > partial database. Mmmm, yes, I see that in /etc/cron.hourly. That means that I'm doing double duty :-( I should turn off the freshclam daemon then? -- Michael St. Laurent Hartwell Corporation From kevins at BMRB.CO.UK Mon Mar 1 22:59:50 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:52 2006
Subject: Virus update times
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com>
Message-ID: <1078181990.7996.29.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 22:50, Michael St. Laurent wrote:
> Kevin Spicer wrote:
> > Probably not, but most MailScanner users won't be, they'll be using
> > upgrade_virus_scanners. This is the best solution since it stops
> > scanning whilst updating so there's no risk of using a corrupted or
> > partial database.
>
> Mmmm, yes, I see that in /etc/cron.hourly. That means that I'm doing double
> duty :-( I should turn off the freshclam daemon then?
>

Yes, I think the clam folks would probably prefer if you did ;)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From rich at MAIL.WVNET.EDU Mon Mar 1 23:11:40 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:52 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <200403011039.26528.leduc@cts.com>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com>
Message-ID: <4043C32C.5050204@mail.wvnet.edu>

Gene LeDuc wrote:
>Hi Kevin,
>
>My company has always blocked passworded zips. If the gateway can't unzip the
>file, it gets blocked. It's a brain-dead gateway, so I won't embarrass
>myself (by association) by saying what it is.
>
>On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote:
>
>
>>This virus is spreading rapidly, we've seen it overnight (although not in
>>its password protected form - but we had no way of spotting that so it may
>>have got through).
>>
>>I'm now blocking zip files (making me not very popular this morning!).
>>
>>Time to start a discussion about ways to block password protected zip
>>files?
>>
>>

Kevin, Did you find a way to block only password protected zips? We've seen a couple of hundred Bagle.F and Bagle.H incidents today. An update from McAfee started catching Bagle.F but not Bagle.H yet. For now I'm blocking all zips. I'd like to just block the password protected ones but haven't figured out a way to do it. I suspect McAfee uses a simplistic approach to detecting this. I won't go into why I think this for security reasons. I do think we're rapidly heading towards permanently restricted password protected zips. If the content of any type of file can't be validated then we'll have to restrict it. So, any idea how to do this?

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From kk at KEEPMEDIA.COM Mon Mar 1 23:02:43 2004
From: kk at KEEPMEDIA.COM (Kristine Kimm)
Date: Thu Jan 12 21:22:52 2006
Subject: deny allow rules
Message-ID:

Hello,

Perhaps this question has already been answered - I have been unable to yet find an answer in the archives.

Is it possible to deny all .zip files but allow a .zip with a specified name? I tried the following in filename.rules.conf:

allow ^test\.zip$ - -
deny \.zip$ - -

But the deny always seems to be applied. Is there a way to set an override for an allow? I thought order in the file might have an impact but deny always was applied regardless of which statement came first.

Thanks in advance for assistance with this question.

-KK

From doko at CS.TU-BERLIN.DE Mon Mar 1 23:12:26 2004
From: doko at CS.TU-BERLIN.DE (Matthias Klose) Date: Thu Jan 12 21:22:52 2006 Subject: F-Prot - Debian - MailScanner paths In-Reply-To: References: Message-ID: <16451.50010.999979.307502@gargle.gargle.HOWL> installing the f-prot-installer package should be fine. Dave's List Addy writes: > We have MailScanner running great here, using Clam but we want to test > F-Prot to see if we want an additional VS to catch all these bad email > viruses (sp) > > In looking at the notices send to us to make sure we are getting viruses > caught I only see Clam running the scan; > > Report: ClamAV: application.pif contains Worm.SomeFool.B-petite > MailScanner: Shortcuts to MS-Dos programs are very dangerous in > email (application.pif) > > We did the .deb install of F-Prot from their site and it seems that > everything is in /usr/local/f-prot and in looking at the f-prot wrapper and > autoupdate in MS the paths all want /usr/lib/f-prot :( > > Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings > in f-prot wrapper and autoupdate? Which is the better path to take, not the > easiest:)) > > One other thing (If I should post a separate message I can, whack me on the > head) > > Still trying to get this whole SA and Bayes and custom rules figured out, > any good pointers would be great too, we are using BigEvil, Backhair and > James Grey's rules in /etc/mail/spamasassin/ I am to assume that MailScanner > will know to pickup theses additional rules here? But the above is more of a > concern. > > TIA > -- > Thanks!! > David Thurman > List Only at Web Presence Group Net From shrek-m at GMX.DE Mon Mar 1 23:18:40 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180005.2258.79.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk> <1078180005.2258.79.camel@localhost.localdomain> Message-ID: <4043C4D0.1080504@gmx.de> John McKee wrote: >Warning: This message has had one or more attachments removed >Warning: (the entire message). >Warning: Please read the "Resodyn Corp-Attachment-Warning.txt" attachment(s) for more information. > >This is a message from the MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------- >The original e-mail attachment "the entire message" >is on the list of unacceptable attachments for this site and has been >replaced by this warning message. > >Due to limitations placed on us by the Regulation of Investigatory Powers >Act 2000, we were unable to keep a copy of the original attachment. > >At Mon Mar 1 15:22:28 2004 the virus scanner said: > MailScanner: (msg-10413-745.txt) > > afair you have to allow txt and html afterwards deny . -- shrek-m From kevins at BMRB.CO.UK Mon Mar 1 23:25:25 2004 
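How rule order decides the outcome in the two filename.rules.conf cases discussed above (the test.zip exception and the message whose every part was replaced), as an added Python illustration rather than MailScanner's own Perl code. It assumes top-down, first-match evaluation, four tab-separated fields per rule, and that names matching no rule are allowed; the function names, sample rule sets and probe names are constructed from the ones quoted in the thread.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "lineno action regex pattern")


def parse_rules(text):
    """Parse rule lines and return (rules, problems).

    Assumed layout: action<TAB>regex<TAB>log text<TAB>user report text.
    Lines that do not fit are reported instead of being silently skipped.
    """
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            problems.append(
                (lineno, "expected 4 tab-separated fields, found %d" % len(fields)))
            continue
        action, regex = fields[0].strip().lower(), fields[1].strip()
        if action not in ("allow", "deny"):
            problems.append((lineno, "unknown action %r" % fields[0]))
            continue
        try:
            # Python's re is used here; it accepts the simple patterns below.
            pattern = re.compile(regex)
        except re.error as exc:
            problems.append((lineno, "regex does not compile: %s" % exc))
            continue
        rules.append(Rule(lineno, action, regex, pattern))
    return rules, problems


def decide(rules, filename, default="allow"):
    """The first rule whose regex matches decides; returns (action, lineno)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.lineno
    return default, None  # assumed default when nothing matches


def never_win(rules, probes):
    """Line numbers of rules that match some probe name but never decide it,
    because an earlier rule always matches first."""
    shadowed = []
    for rule in rules:
        matched = [p for p in probes if rule.pattern.search(p)]
        if matched and all(decide(rules, p)[1] != rule.lineno for p in matched):
            shadowed.append(rule.lineno)
    return shadowed


# Constructed samples, written with explicit tabs between the four fields.
ALLOW_FIRST = "allow\t^test\\.zip$\t-\t-\ndeny\t\\.zip$\t-\t-\n"
DENY_FIRST = "deny\t\\.zip$\t-\t-\nallow\t^test\\.zip$\t-\t-\n"
# A pattern that matches any name, placed before the exceptions.
CATCH_ALL_FIRST = "deny\t.\t-\t-\nallow\t\\.txt$\t-\t-\n"
# The same rule typed with spaces: it does not split into four fields.
SPACE_SEPARATED = "allow ^test\\.zip$ - -\n"
PROBES = ["test.zip", "other.zip", "msg-10413-745.txt"]

if __name__ == "__main__":
    samples = (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST),
               ("catch-all first", CATCH_ALL_FIRST),
               ("space separated", SPACE_SEPARATED))
    for label, text in samples:
        rules, problems = parse_rules(text)
        print(label)
        print("  problems:", problems)
        for name in PROBES:
            print("  %-20s %s" % (name, decide(rules, name)))
        print("  rules that never win:", never_win(rules, PROBES))
```

Running a check like this over a rules file before restarting the scanner shows both failure modes at once: an exception placed after the rule it is meant to override, and a pattern broad enough to match every attachment name.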
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:52 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <4043C32C.5050204@mail.wvnet.edu>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu>
Message-ID: <1078183526.7996.35.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 23:11, Richard Lynch wrote:
> Kevin, Did you find a way to block only password protected zips?

No, I got as far as trying to persuade Julian that this would be a good feature to add to the zip file recursion code in the latest beta. I'm blocking all zips for now too. I don't think there's any 'security' implications in discussing McAfee's workaround (maybe you looked security up in a Microsoft dictionary). It's a common sense approach, but doubtless one that will be defeated by future viruses.

> We've
> seen a couple of hundred Bagle.F and Bagle.H incidents today. An update
> from McAfee started catching Bagle.F but not Bagle.H yet. For now I'm
> blocking all zips. I'd like to just block the password protected ones
> but haven't figured out a way to do it. I suspect McAfee uses a
> simplistic approach to detecting this. I won't go into why I think this
> for security reasons. I do think we're rapidly heading towards
> permanently restricted password protected zips. If the content of any
> type of file can't be validated then we'll have to restrict it. So,
> any idea how to do this?
>
> --
> Richard E. Lynch
> Systems Programming Manager
> West Virginia Network (WVNET)
> 837 Chestnut Ridge Road
> Morgantown, WV 26505
> (304) 293-5192 x243

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mikes at HARTWELLCORP.COM Mon Mar 1 23:32:11 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:52 2006
Subject: Defunct MailScanner procs
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.hartwellcorp.com>

I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct MailScanner processes on my system. I don't know if they existed before the upgrade or not as I didn't really go looking for them. Does this indicate a problem?

--
Michael St. Laurent
Hartwell Corporation

From brent.addis at ROAMAD.COM Mon Mar 1 23:50:04 2004
From: brent.addis at ROAMAD.COM (Brent Addis)
Date: Thu Jan 12 21:22:52 2006
Subject: AVG
Message-ID: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>

Hey

A couple of weeks ago I queried the possibility of MailScanner supporting AVG, I was just wondering if anything had been done on this at all?

Management want some sort of solution using AVG, and it would be most cool if MailScanner could do it.

thanks :)

--
Brent Addis
Systems Administrator

From miguelk at konsultex.com.br Tue Mar 2 01:14:01 2004
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner.
In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM>
Message-ID: <20040302010054.M33911@konsultex.com.br>

Jim;

I'm sure others have replied along these lines to your question but I'll add to this because I want to reinforce the message. The reason I use open source (Mail Scanner) and the reason we recommend it and install/configure it for others is:

1) You can use the amount you already budgeted for other good uses like solid hardware and more profits (or better salaries). Better hardware, usually, reduces costs and leads to more profits because of the reduced maintenance and all around problems. So it is in my experience.
2) Having control over your infrastructure is extremely important; you must know what is running on your infrastructure and how to correct problems.
3) Being able to tweak the code in an emergency is priceless.
4) Implementing MailScanner/Clam is in my opinion as easy as any other solution (perhaps even easier).
5) All the effort you put into tweaking the configuration is knowledge invested into the people in the company, making the knowledge base of the company more valuable.

Of course you have to remember that this applies to the mail server only. If you count Clam it applies to a samba file server too. But for a complete system you need protection for Windows servers and workstations. That's where the traditional vendors come in. So if you have a company with a Unix/Linux mail server and Linux/samba file and print servers you just need to spend a little (or a lot) for the Windows (and Mac) PCs.

Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

---------- Original Message -----------
From: "Limmer, Jim"
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Mon, 1 Mar 2004 16:35:05 -0500
Subject: Justification for mailscanner.

> My company has budgeted a good amount of money for a spam/virus
> filtering email gateway, similar to what I can accomplish with
> mailscanner. We've tested a few commercial products, none to our
> satisfaction. While we are meeting with their sales staff I typically
> jot down each application they are using. It's amazing the amount of
> money some of these vendors are charging for what is 99% open source
> software. Typically these boxes are running redhat, postfix, sa,
> razor... the list goes on. The only proprietary software I see on these
> boxes are their web gui front ends, which are typically attractive, but
> IMHO - useless.
>
> Anyway, the question was put to me today - how can you justify wanting
> to spend valuable man hours building and configuring our own system
> based on open source, when we've already budgeted enough money to cover
> a commercial solution?
>
> While the simple answers are the ones that make sense to us
> technological people
>
> 1> open source is good.
> 2> personal satisfaction of putting your own system together
> 3> It's just darn cool & techo-geeky.
>
> Unfortunately, those answers aren't going to satisfy the higher ups.
>
> Anyone seen any good articles, or have any comment that may help me put
> together a good answer to this?
>
> Thanks,
>
> -Jim
>
> --
> This message has been checked by the antivirus system and
> is believed to be free of danger.
------- End of Original Message -------

--
This message has been checked by the antivirus system and is believed to be free of danger.

From schristen at RESOTECH.COM Tue Mar 2 03:46:39 2004
From: schristen at RESOTECH.COM (Stephan Christen) Date: Thu Jan 12 21:22:52 2006 Subject: Messages stuck in queue with Qmail Message-ID: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com> I struggle now for some time to get my qmail installation working correctly. I know it's quite a long post and therefore even more i appreciate any hint or suggestion somebody can give me. Thank you! I'm not sure if this an issue with MailScanner or QMail, but because it happens where both interface i post on this mailling list. Having a new server with plesk 7.0 management software installed i've wanted to improve my basic qmail server by using MailScanner. The basic qmail server installed by plesk was working perfectly, i was able to send and receive email. At openprotect side i've found a promising package of opensource tools ( MailScanner, SpamAssassin and Clam AV) with support for qmail ( still beta they say). In order to support qmail they provide a new qmail-queue binary which basically reroutes all traffic to a newly created 'queue.in' directory. From matt at FILEHOLDER.NET Tue Mar 2 03:43:32 2004 From: matt at FILEHOLDER.NET (Matt) Date: Thu Jan 12 21:22:52 2006 Subject: SMTP vs. POP3 Scanning Message-ID: <001701c40008$89026370$6500a8c0@matthewmpqowmc> When a new virus comes out it could be hours before a signature is available for the virus scanner and in that time it could slip into many mailboxes. When it does get in the virus scanner database it does nothing for the mail already in mailboxes. Many users only check there email once a day if that. Would it not be an added benefit to scan at the POP3 phase as well as SMTP? Just a thought and sorry if this has been covered before. I have got emails from a user before that had his virus scanner catch viruses mine missed. I tell all users they should still keep there virus scanners up to date. But as well as ClamAV + MS has worked for us many don't. Matt From list at souil.com Tue Mar 2 03:44:55 2004 
From: list at souil.com (Ben)
Date: Thu Jan 12 21:22:52 2006
Subject: Get some spams to test the new installation
In-Reply-To: <404312AE.6020808@uptime.at>
Message-ID: <200432114455.395777@bensil>

Dear David,

That's true, it's not easy to check the accuracy for 100 domains. But at least, before making it to production, I need to further test it in depth and have some ideas on the MS in mind. I have make me the first one to use the MS. but only a few is caught, about 5% is caught. Yesterday I have grep some more rules on the net and have it in the spamassassin config and it's now much better, about 50% caught. So, more msg and test is needed to make it more accurate and I am still testing methods to forward mail to the SA to learn.

Anyway thanks for your info. :>

On Mon, 1 Mar 2004 11:38:38 +0100, David Höhn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
> Ben wrote:
>
>
> | Dear All,
> |
> | How could I get some more spams and hams to test the accuracy of
> my new installation of the MS?
> | I have to make sure it works well before applying it to my server
> with about 100 domains on it. In short, you do not.
>
> The accuracy of Spamassassin its bayes DB and your set up very much
> depends on the kind of Mail Flow you have and that will differ from
> domain to domain or if you see your installation as a whole, it
> will differ on the 100 domain than what you could actually ever
> test.
>
> The first few weeks of a new Installation will surely be a matter
> of fine tuning things to your needs, the large amount of general
> spam will be caught at once anyways
>
> - -d
>
>
> - --
> nee amata wo mitsukete soshite midoto wasrezu
> ~     domma mi mumega itakutemo soba mi iru mo
> ~                        zutto...zutto...zutto
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>
> iD8DBQFAQxKtPMoaMn4kKR4RAyTpAJ4sa7I/mkpd3EPBHEiQZhjb0pJzwACZAU0d
> IHtz3nq+NlIOWYwxhQl69/Q=
=RsXG
-----END PGP SIGNATURE-----

From ugob at CAMO-ROUTE.COM Tue Mar 2 03:45:42 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:52 2006
Subject: SMTP vs. POP3 Scanning
Message-ID: <54C38A0B814C8E438EF73FC76F362927410951@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Matt [mailto:matt@FILEHOLDER.NET]
>Sent: 1 March, 2004 22:44
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: SMTP vs. POP3 Scanning
>
>
>When a new virus comes out it could be hours before a
>signature is available
>for the virus scanner and in that time it could slip into many
>mailboxes.
>When it does get in the virus scanner database it does nothing
>for the mail
>already in mailboxes. Many users only check their email once
>a day if that.
>Would it not be an added benefit to scan at the POP3 phase as
>well as SMTP?
>
>Just a thought and sorry if this has been covered before. I
>have got emails
>from a user before that had his virus scanner catch viruses
>mine missed. I
>tell all users they should still keep their virus scanners up
>to date. But
>as well as ClamAV + MS has worked for us many don't.
>

MailScanner's role stops after the delivery of the message, independently of the way it is retrieved. I think you should do a search on anti-virus with the name of your pop3 server (qpopper?), on google or sourceforge.

Hth

Ugo

>Matt
>

From vinayakm at THEARGONCOMPANY.COM Tue Mar 2 05:14:47 2004
From: vinayakm at THEARGONCOMPANY.COM (Vinayakam Murugan) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age Message-ID: <200403021044.47005.vinayakm@theargoncompany.com> Hi We are using Mailscanner along with Sendmail 8.12 There are a lot of entries in our log which states that Mailscanner dying of old age. Is this a symptom of a deeper problem or a problem by itself? :-) -- Warm Regards ~~~~~~~~~~~~~~~~~~~~~~~ Vinayakam Murugan Tel: 91-22 - 2288 2163 Ext 121 Help Desk: 91-22 - 2288 2774 Fax Number: 91-22 - 2288 2812 http://www.TheArgonCompany.com Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com Linux. The Choice of the GNU generation From james at grayonline.id.au Tue Mar 2 05:39:03 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age In-Reply-To: <200403021044.47005.vinayakm@theargoncompany.com> References: <200403021044.47005.vinayakm@theargoncompany.com> Message-ID: <200403021639.04562.james@grayonline.id.au> On Tue, 2 Mar 2004 04:14 pm, Vinayakam Murugan wrote: > Hi > > We are using Mailscanner along with Sendmail 8.12 > > There are a lot of entries in our log which states that Mailscanner dying > of old age. Is this a symptom of a deeper problem or a problem by itself? > :-) > > > -- > Warm Regards > ~~~~~~~~~~~~~~~~~~~~~~~ > Vinayakam Murugan This is normal behaviour for MailScanner. In MailScanner.conf you'll find an option like this "Restart Every = 14400". As the name suggests this will cause the child to restart after 14400 seconds (4 hours). By doing this, MailScanner works around resource leak and DoS type problems. Julian can explain it much better than I can :) James -- Fortune cookies says: BOFH excuse #303: fractal radiation jamming the backbone From help at opencompt.com Tue Mar 2 05:56:38 2004 
From: help at opencompt.com (Opencomputing Team) Date: Thu Jan 12 21:22:52 2006 Subject: Messages stuck in queue with Qmail In-Reply-To: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com> References: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com> Message-ID: <40442216.9030102@opencompt.com> Dear Stephan Christen, > There are no message hung in the "queue.in" directory. Once messages are got into the real /var/qmail/queue, it is all upto qmail-send to deliver. The part until getting the queue files into /var/qmail/queue is handled by MailScanner. It would help if you send me the results of the below, preferably off the list: stop MailScanner or openprotect send a mail. get the corresponding /var/qmail/queue.in/intd/xxxxxxx and /var/qmail/queue.in/mess/yy/xxxxxxx where yy = xxxxxxx % conf-split now stop qmail and start MailScanner or openprotect and get the corresponding /var/qmail/queue/intd/zzzzzzz and /var/qmail/queue/mess/aa/zzzzzzz again, where aa = zzzzzzz % conf-split and zzzzzzz is a random number. cheers, Ganesh, KM. -- Opencomputing Team | Ph/Fax: +91 (0) 44 52166646 Opencomputing Technologies | http://opencompt.com Server Side E-Mail Protection. From raymond at PROLOCATION.NET Tue Mar 2 07:49:46 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age In-Reply-To: <200403021044.47005.vinayakm@theargoncompany.com> Message-ID: Hi! > We are using Mailscanner along with Sendmail 8.12 > > There are a lot of entries in our log which states that Mailscanner dying of > old age. Is this a symptom of a deeper problem or a problem by itself? :-) Never noticed this config setting? # To avoid resource leaks, re-start periodically Restart Every = 3600 Thats what it is. Bye, Raymond. From P.G.M.Peters at utwente.nl Tue Mar 2 08:40:06 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:52 2006
Subject: Virus update times
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk>
Message-ID:

On Mon, 1 Mar 2004 19:10:16 +0100, you wrote:

>I would use the domainname to create a semi-random number and the
>machines update at the same time within this domain. Unfortunately, I
>don't know how to do it in perl. Shell could be:
>
>NUMERICAL_VALUE=`domainname | md5sum | \
> od --address-radix=n --read-bytes 4 --format d4`
>DELAY=$(( NUMERICAL_VALUE % 3600 ))
>
>
>but this has too many assumptions on installed programs (domainname is too
>much of an assumption).

What about using org-name from MailScanner.conf?

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 2 09:07:33 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: FreeBSD port mailscanner-devel 4.28.1 released
Message-ID:

For all of you who do not want to wait for the port to be submitted...

Regards,
Jan-Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-devel.tgz
Type: application/x-compressed
Size: 9365 bytes
Desc: mailscanner-devel.tgz
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040302/8194f718/mailscanner-devel.bin

From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:28:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> This version can now detect and block password-protected zip files. By default it will block all of them, but you can of course use a ruleset to govern the behaviour of the new option Allow Password-Protected Archives Download as usual from www.mailscanner.info. I wonder what next mysteries and hacks they will throw at me today :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:29:20 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <4043C32C.5050204@mail.wvnet.edu> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu> Message-ID: <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk> At 23:11 01/03/2004, you wrote: >Gene LeDuc wrote: > >>Hi Kevin, >> >>My company has always blocked passworded zips. If the gateway can't >>unzip the >>file, it gets blocked. It's a brain-dead gateway, so I won't embarrass >>myself (by association) by saying what it is. >> >>On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote: >> >> >>>This virus is spreading rapidly, we've seen it overnight (although not in >>>its password protected form - but we had no way of spotting that so it may >>>have got through). >>> >>>I'm now blocking zip files (making me not very popular this morning!). >>> >>>Time to start a discussion about ways to block password protected zip >>>files? >>> >Kevin, Did you find a way to block only password protected zips? We've >seen a couple of hundred Bagle.F and Bagle.H incidents today. An update >from Mcafee started catching Bagle.F but not Bagle.H yet. For now I'm >blocking all zips. I'd like to just block the password protected ones >but haven't figured out a way to do it. I suspect Mcafee uses a >simplistic approach to detecting this. I won't go into why I think this >for security reasons. I do think were rapidly heading towards >permanently restricted password protected zips. If the content of any >type of file can't be validated then we'll have to restricted it. So, >any idea how to do this? See 4.28.2. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 2 09:42:15 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:52 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: Will this work for ZIPs only or for RAR etc. as well? Any more perl modules needed? Do you have a text for the manpage already? :-) Regards, JP > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, March 02, 2004 10:29 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: Unstable 4.28.2 released > > This version can now detect and block password-protected zip files. > > By default it will block all of them, but you can of course > use a ruleset to govern the behaviour of the new option > Allow Password-Protected Archives > > Download as usual from www.mailscanner.info. > > I wonder what next mysteries and hacks they will throw at me today :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From P.G.M.Peters at utwente.nl Tue Mar 2 09:48:51 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com> Message-ID: On Mon, 1 Mar 2004 14:48:15 -0800, you wrote: >Ohhh, you have a top 10 virus summary report script? Would you mind sharing >that? I'd love to send that out to management each morning. I have a very rudimantary script that needs a lot of optimizing. But I run in only once a month when I am writing an abuse report for management. I start the script when I start writing the report. When I need the figures the script is ready. See http://home.student.utwente.nl/p.g.m.peters/MailScanner/report -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From prandal at HEREFORDSHIRE.GOV.UK Tue Mar 2 09:56:43 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C59B@jessica.herefordshire.gov.uk> Free upgrades for ever. Free technical support, second to none. Full access to the source, so you can cuatomise it to your own needs, if ever you should want to. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Limmer, Jim Sent: 01 March 2004 21:35 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Justification for mailscanner. My company has budgeted a good amount of money for a spam/virus filtering email gateway, similar to what I can accomplish with mailscanner. We've tested a few commercial products, none to our satisfaction. While we are meeting with their sales staff I typically jot down each application they are using. It's amazing the amount of money some of these vendors are charging for what is 99% open source software. Typically these boxes are running redhat, postfix, sa, razor... the list goes on. The only proprietary software I see on these boxes are their web gui front ends, which are typically attractive, but IMHO - useless. Anyway, the question was put to me today - how can you justify wanting to spend valuable man hours building and configuring our own system based on open source, when we've already budgeted enough money to cover a commercial solution? While the simple answers are the ones that make sense to us technological people 1> open source is good. 2> personal satisfaction of putting your own system together 3> It's just darn cool & techo-geeky. Unfortunatley, those answers arent going to satisfy the higher ups. Anyone seen any good articles, or have any comment that may help me put together a good answer to this? Thanks, -Jim -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040302/9f48f383/attachment.html From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 09:38:51 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:52 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AF4@pascal.priv.bmrb.co.uk> Julian Field wrote: > This version can now detect and block password-protected zip files. > > By default it will block all of them, but you can of course use a > ruleset to govern the behaviour of the new option > Allow Password-Protected Archives > > Download as usual from www.mailscanner.info. Julian, you never cease to amaze me! Thanks very much, I'll be trying this out this evening. > I wonder what next mysteries and hacks they will throw at me today :-) I'm sure we can think of something.... BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:41:50 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Defunct MailScanner procs In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.har twellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.hartwellcorp.com> Message-ID: <6.0.1.1.2.20040302094101.081967e0@imap.ecs.soton.ac.uk> Check your mail log. You probably have a syntax error somewhere, your log will tell you where. Or else you might have upgraded from a version that didn't need Net::CIDR and forgotten to read the docs and install that first? At 23:32 01/03/2004, you wrote: >I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct MailScanner >processes on my system. I don't know if they existed before the upgrade or >not as I didn't really go looking for them. > >Does this indicate a problem? > >-- >Michael St. Laurent >Hartwell Corporation -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:40:40 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: deny allow rules
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040302093927.038e11c0@imap.ecs.soton.ac.uk>

At 23:02 01/03/2004, you wrote:
>Hello,
>Perhaps this question has already been answered - I have been unable to yet
>find an answer in the archives.
>
>Is it possible to deny all .zip files but allow a .zip with a specified
>name?
>
>I tried the following in filename.rules.conf:
>allow ^test\.zip$ - -
>deny \.zip$ - -
>
>But the deny always seems to be applied. Is there a way to set an override
>for an allow?
>
>I thought order in the file might have an impact but deny always was
>applied regardless of which statement came first.

It does indeed check the rules in the order they are given in the file.
Check to ensure you have separated the "fields" on each of those 2 lines
with tabs and not just spaces. It is the one place in MailScanner where you
have to use tabs, as each of the output strings will normally contain
spaces, so MailScanner can't work out where to split up the line.

>Thanks in advance for assistance with this question.
>
>-KK

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:42:07 2004
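Added example, not part of the original post and not MailScanner's own code: a small linter for the filename.rules.conf behaviour described in the "deny allow rules" reply above (fields separated by tabs, rules checked in file order). The four-field layout is taken from the poster's two lines; the use of Python regexes, the "allow" default when nothing matches and the sample rules are assumptions of this example.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "lineno action regex log_text report_text")

# Constructed sample. Line 3 repeats the poster's deny rule with spaces
# between the fields; lines 2 and 4 use real tab characters.
SAMPLE_RULES = (
    "# action <TAB> regexp <TAB> log text <TAB> user report text\n"
    "allow\t^test\\.zip$\t-\t-\n"
    "deny \\.zip$ - -\n"
    "deny\t\\.zip$\tZip archive blocked\tZip archives are not allowed\n"
)


def parse_rules(text):
    """Split a rules file into usable rules and a list of (lineno, problem)."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only tabs separate fields, because the two text fields may
        # themselves contain spaces.
        fields = [f.strip() for f in re.split(r"\t+", line)]
        if len(fields) != 4:
            if "\t" not in line and len(line.split()) >= 4:
                problems.append((lineno, "fields separated by spaces, not tabs"))
            else:
                problems.append(
                    (lineno, "expected 4 tab-separated fields, got %d" % len(fields)))
            continue
        action, pattern, log_text, report_text = fields
        # This example only knows the two actions shown in the post.
        if action not in ("allow", "deny"):
            problems.append((lineno, "unknown action %r" % action))
            continue
        try:
            # Assumption: Python's re stands in for the Perl regex engine.
            regex = re.compile(pattern)
        except re.error as exc:
            problems.append((lineno, "bad regexp: %s" % exc))
            continue
        rules.append(Rule(lineno, action, regex, log_text, report_text))
    return rules, problems


def decide(rules, filename, default="allow"):
    """First matching rule wins; 'default' (an assumption) applies if none match."""
    for rule in rules:
        if rule.regex.search(filename):
            return rule.action, rule.lineno
    return default, None


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, problem in problems:
        print("line %d: %s" % (lineno, problem))
    for name in ("test.zip", "invoice.zip", "notes.txt"):
        print(name, decide(rules, name))
```

Run against a copy of the live rules file before restarting the scanner; a rule reported as space-separated is one that will not behave as written.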
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: AVG
In-Reply-To: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>
References: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>
Message-ID: <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk>

Sorry, haven't had time.

At 23:50 01/03/2004, you wrote:
>Hey
>
>A couple of weeks ago I queried the possibility of MailScanner supporting
>AVG, I was just wondering if anything had been done on this at all?
>Management want some sort of solution using AVG, and it would be most
>cool if MailScanner could do it.
>thanks :)
>
>
>--
>Brent Addis
>Systems Administrator

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:56:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040302095435.08195388@imap.ecs.soton.ac.uk>

At 09:42 02/03/2004, you wrote:
>Will this work for ZIPs only or for RAR etc. as well? Any more perl
>modules needed?

Only zips I'm afraid.

>Do you have a text for the manpage already? :-)

Just after "Block Unencrypted Messages" there is now

# Should archives which contain any password-protected files be allowed?
# Leaving this set to "no" is a good way of protecting against all the
# protected zip files used by viruses at the moment.
# This can also be the filename of a ruleset.
Allow Password-Protected Archives = no

Just after "Maximum Attachment Size" there is now

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
Maximum Archive Depth = 3

>Regards,
> JP
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: Tuesday, March 02, 2004 10:29 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: ANNOUNCE: Unstable 4.28.2 released
> >
> > This version can now detect and block password-protected zip files.
> >
> > By default it will block all of them, but you can of course
> > use a ruleset to govern the behaviour of the new option
> > Allow Password-Protected Archives
> >
> > Download as usual from www.mailscanner.info.
> >
> > I wonder what next mysteries and hacks they will throw at me today :-)
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From slwatts at WINCKWORTHS.CO.UK Tue Mar 2 10:50:59 2004
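Added example, not part of the original post and not MailScanner's code: one way a gateway can recognise password-protected zip members without knowing the password, by reading bit 0 of each member's general-purpose flag, with a nesting limit in the spirit of the two options quoted in the 4.28.2 reply above. The function names, the size cap, the fail-closed handling of members that could not be inspected and the in-memory sample archives are assumptions of this example; the sample's "encrypted" member only has the flag set.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001                    # general-purpose flag bit 0: member is encrypted
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap on nested members we unpack


def make_zip(members):
    """Build an in-memory zip from {name: bytes}. Constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag on every member of a zip built by make_zip().

    Only the header flag changes; the data stays plaintext. That is enough
    for a constructed sample because detection never needs to decrypt.
    """
    data = bytearray(zip_bytes)
    # make_zip() writes no archive comment, so the end-of-central-directory
    # record is the last 22 bytes; the directory offset sits at byte 16 of it.
    (pos,) = struct.unpack_from("<I", data, len(data) - 22 + 16)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data[info.header_offset + 6] |= ENCRYPTED   # local header flags
            data[pos + 8] |= ENCRYPTED                  # central header flags
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
            pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


def find_protected(zip_bytes, max_depth=3, depth=1, prefix=""):
    """Return (encrypted, unchecked) member paths; '!' marks a nested archive."""
    encrypted, unchecked = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return encrypted, [prefix.rstrip("!") or "<archive>"]
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & ENCRYPTED:
                encrypted.append(path)          # cannot be scanned without the password
                continue
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                unchecked.append(path)          # declared size over the cap
                continue
            try:
                data = zf.read(info)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                unchecked.append(path)
                continue
            if data[:4] != b"PK\x03\x04":       # not a nested zip
                continue
            if depth >= max_depth:
                unchecked.append(path)          # nested deeper than we unpack
                continue
            inner_enc, inner_unc = find_protected(data, max_depth, depth + 1, path + "!")
            encrypted += inner_enc
            unchecked += inner_unc
    return encrypted, unchecked


def archive_allowed(zip_bytes, allow_password_protected=False, max_depth=3):
    """Policy decision: fail closed on anything that could not be inspected."""
    encrypted, unchecked = find_protected(zip_bytes, max_depth)
    return not unchecked and (allow_password_protected or not encrypted)


# Constructed samples: a flagged member hidden one level down, and a clean zip.
INNER = mark_encrypted(make_zip({"setup.exe": b"constructed placeholder bytes"}))
OUTER = make_zip({"readme.txt": b"hello", "inner.zip": INNER})
CLEAN = make_zip({"readme.txt": b"hello"})

if __name__ == "__main__":
    print(find_protected(OUTER))
    print(find_protected(OUTER, max_depth=1))
    print(archive_allowed(CLEAN), archive_allowed(OUTER))
```

The flag is readable from the archive's directory alone, which is why the check works on content that no virus scanner can open.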
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:22:53 2006 Subject: Justification for mailscanner. Message-ID: Well, in the case of mailscanner there is no real reason to pay through the nose for any other product (IMHO!), unless of course you do not like the way mailscanner works for some reason. Main reasons for choosing opensource in addition to those below: No lock-in contracts No forced upgrade Large support community The only reason I can see for choosing a commercial product is if you need maintenance contracts - I am sure Julian or perhaps others here would be more than happy to provide such commercial support. As far as man hours setup and administering Mailscanner goes - If you have linux skills already then its no more effort than installing a commercial product. If you do not have linux skills then it will take some time to get used to and I would advise you do spend some of that money reserved for this project to get an expert to install it for you. Perhaps you need to persuade the 'higher ups' that more money does not always equate to more quality. It also helps if you give them the ballenced picture for each solution. ie. factor in man hours for implementation, projected administration and maintenance and training. Opensource is by no means free. >From personal experience working with both Mailscanner and one of the main commercial mailsweeping (hint) products I would choose Mailscanner every time - even tho it has no built in graphical interface it has been easier to administer and just doesnt go wrong (unless I have done something stupid) Hope this helps in your decision making.... Sam P.S. What really sold it to me was when our Mailscanner server blew up (almost literally). It took a whole 30 minutes to setup another server. 20 minutes of that was installing SuSE! -----Original Message----- 
From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: 02 March 2004 09:57 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Justification for mailscanner. Free upgrades for ever. Free technical support, second to none. Full access to the source, so you can cuatomise it to your own needs, if ever you should want to. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Limmer, Jim Sent: 01 March 2004 21:35 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Justification for mailscanner. My company has budgeted a good amount of money for a spam/virus filtering email gateway, similar to what I can accomplish with mailscanner. We've tested a few commercial products, none to our satisfaction. While we are meeting with their sales staff I typically jot down each application they are using. It's amazing the amount of money some of these vendors are charging for what is 99% open source software. Typically these boxes are running redhat, postfix, sa, razor... the list goes on. The only proprietary software I see on these boxes are their web gui front ends, which are typically attractive, but IMHO - useless. Anyway, the question was put to me today - how can you justify wanting to spend valuable man hours building and configuring our own system based on open source, when we've already budgeted enough money to cover a commercial solution? While the simple answers are the ones that make sense to us technological people 1> open source is good. 2> personal satisfaction of putting your own system together 3> It's just darn cool & techo-geeky. Unfortunatley, those answers arent going to satisfy the higher ups. Anyone seen any good articles, or have any comment that may help me put together a good answer to this? Thanks, -Jim -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. 
-Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. -Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040302/4e768884/attachment.html From pete at eatathome.com.au Tue Mar 2 11:23:25 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:53 2006 Subject: Justification for mailscanner. In-Reply-To: References: Message-ID: <40446EAD.8090900@eatathome.com.au> Hasnt some one already given the answer? MailScanner the product is almost no cost (shouldnt use the word free), but the developer HIMSELF offers a PRO support package - what else do you want? A Developer/Author of the product givin you direct support? Why not use this type of argument to actualy get your company to spen what i assume is going to be a small slice of the budget on MaiLScanner commercial support version? There really is nothing they can complain about this way? From pete at eatathome.com.au Tue Mar 2 11:35:29 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:53 2006 Subject: Justification for mailscanner. In-Reply-To: <40446EAD.8090900@eatathome.com.au> References: <40446EAD.8090900@eatathome.com.au> Message-ID: <40447181.4060708@eatathome.com.au> Pete wrote: > Hasnt some one already given the answer? MailScanner the product is > almost no cost (shouldnt use the word free), but the developer HIMSELF > offers a PRO support package - what else do you want? A Developer/Author > of the product givin you direct support? > > Why not use this type of argument to actualy get your company to spen > what i assume is going to be a small slice of the budget on MaiLScanner > commercial support version? > > There really is nothing they can complain about this way? > > > . > I was going to ask some of you who have to face the poriginal posters situation of trying to convince the purse strings not to part with money (this probably makes them suss to start with) and go for a no cost solution but requiring more effort - what sort of comments have you had from your IT managers? Mine proudly announced in a meeting last month that Linux will finally 'arrive' as a serious server solution this year, while looking at me expecting some accompanying comments, and me looking at him like he has just walked down the gangway from his recently landed space ship...only recently with so much published material in so many publications has he ben unable to keep to his original arguments for BANNING linux at work, like its insecure, immature, un supported etc etc, this guy still enforces the use of an NT4 network and users having 3 or 4 user accounts for service running on the domain, "we dont need directory services" he says...anyway, we work for a Ludite, so its interesting to hear what others are up against while trying to implement awesome products like mailscanner... From pete at eatathome.com.au Tue Mar 2 11:37:25 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:53 2006 Subject: Justification for mailscanner (part 2) In-Reply-To: <200403012152.PAA12232@yfandes.cs.wisc.edu> References: <200403012152.PAA12232@yfandes.cs.wisc.edu> Message-ID: <404471F5.5090402@eatathome.com.au> David Parter wrote: >>Anyway, the question was put to me today - how can you justify wanting >>to spend valuable man hours building and configuring our own system >>based on open source, when we've already budgeted enough money to cover >>a commercial solution? >> >> > >I forgot an important point: > > e-mail is so important to this organization, I'm more comfortable with > in-house expertise to support it. Virus scanning is only part of a > larger system of mail delivery and transport, which we already > maintain. It is critical that we are able to support and maintain > each component ... > > --david > > > > > Then reduncy would be important - and mailscanner can easily be incorporated, various methods, to make sure that IF it should fail, it wont stop mail, or mail could be scanned by a 2nd server on lesser hardware while you repair the first, or hold all mail, whatever, no need to make mail delivery dependant on MS being up? From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 10:37:43 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: SMTP vs. POP3 Scanning In-Reply-To: <001701c40008$89026370$6500a8c0@matthewmpqowmc> References: <001701c40008$89026370$6500a8c0@matthewmpqowmc> Message-ID: <404463F7.5000800@solid-state-logic.com> Yes I always install a virus scanner on the desaktop. Viruses travel not just by email, but IRC,ICQ, html downloads. Securing the incoming email is just part of the solution, not the whole. Mind you given the lax way most of commercial scanners updated the Netsky-D varient it would't have me much anyhow... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Matt wrote: > When a new virus comes out it could be hours before a signature is available > for the virus scanner and in that time it could slip into many mailboxes. > When it does get in the virus scanner database it does nothing for the mail > already in mailboxes. Many users only check there email once a day if that. > Would it not be an added benefit to scan at the POP3 phase as well as SMTP? > > Just a thought and sorry if this has been covered before. I have got emails > from a user before that had his virus scanner catch viruses mine missed. I > tell all users they should still keep there virus scanners up to date. But > as well as ClamAV + MS has worked for us many don't. > > Matt ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From rcooper at DWFORD.COM Tue Mar 2 12:45:10 2004 
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID:

Installed 4.28.2 and when I restarted MailScanner log showed:

Mar 2 07:27:56 srv2 MailScanner[26019]: Syntax error(s) in configuration file:
Mar 2 07:27:56 srv2 MailScanner[26019]: Unrecognised keyword "maximumarchivedepth" at line 294
Mar 2 07:27:56 srv2 MailScanner[26019]: Aborting due to syntax errors in /opt/MailScanner/etc/MailScanner.conf.

I looked in ConfigDefs.pl and noticed:

maxzipdepth = maximumziparchivedepth

So "I changed Maximum Archive Depth ="
To "Max Zip Depth ="

Was there something in the docs, or changelog or perhaps the list, I missed
on this?

Also, If I change the above to 0 will that disable filename/type checking
inside the archives? I am not sure I want to do that just yet, although I
just LOVE the reject password protected archive option I have to generate
rules that will allow the normal periodic updates that sales receives from a
couple vendors that zip the exe (since we don't allow exes)

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Tuesday, March 02, 2004 4:29 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ANNOUNCE: Unstable 4.28.2 released
>
>
> This version can now detect and block
> password-protected zip files.
>
> By default it will block all of them, but you can of
> course use a ruleset
> to govern the behaviour of the new option
> Allow Password-Protected Archives
>
> Download as usual from www.mailscanner.info.
>
> I wonder what next mysteries and hacks they will throw
> at me today :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947
> 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

From rich at MAIL.WVNET.EDU Tue Mar 2 13:27:40 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:22:53 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu> <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk> Message-ID: <40448BCC.9090606@mail.wvnet.edu> Julian Field wrote: > At 23:11 01/03/2004, you wrote: > >> Gene LeDuc wrote: >> >>> Hi Kevin, >>> >>> My company has always blocked passworded zips. If the gateway can't >>> unzip the >>> file, it gets blocked. It's a brain-dead gateway, so I won't embarrass >>> myself (by association) by saying what it is. >>> >>> On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote: >>> >>> >>>> This virus is spreading rapidly, we've seen it overnight (although >>>> not in >>>> its password protected form - but we had no way of spotting that so >>>> it may >>>> have got through). >>>> >>>> I'm now blocking zip files (making me not very popular this morning!). >>>> >>>> Time to start a discussion about ways to block password protected zip >>>> files? >>>> >> Kevin, Did you find a way to block only password protected zips? We've >> seen a couple of hundred Bagle.F and Bagle.H incidents today. An update >> from Mcafee started catching Bagle.F but not Bagle.H yet. For now I'm >> blocking all zips. I'd like to just block the password protected ones >> but haven't figured out a way to do it. I suspect Mcafee uses a >> simplistic approach to detecting this. I won't go into why I think this >> for security reasons. I do think were rapidly heading towards >> permanently restricted password protected zips. If the content of any >> type of file can't be validated then we'll have to restricted it. So, >> any idea how to do this? > > > See 4.28.2. > -- I know I've said it before but I'll say it again. 
You are the most responsive developer I've encountered. Honestly! I've dealt with all the major vendors at one time or another and nothing comes close. Thank you. -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From craig at WESTPRESS.COM Tue Mar 2 13:31:29 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:53 2006 Subject: Justification for mailscanner. In-Reply-To: References: Message-ID: You've already seen what everyone else has said. I am new to MailScanner, and I find myself wondering how I was getting by without it. I have seen some of the commercial solutions out there. In fact, we were considering purchasing the commercial mail server solution that SmoothWall is soon to unveil (we use their 'Corporate Server' firewall) to see if it would be any better at stopping spam, but since stumbling across MailScanner, I don't think so. Being new to MailScanner, I don't feel as though my words carry much weight, but I would suggest MailScanner, and even suggest that you look to http://www.mailscanner.biz for the professional venue of MailScanner to keep your administrative folks happy. As far as a GUI goes, might I suggest taking a look at Steve Freegard's project, MailWatch. You can find it at http://mailwatch.sourceforge.net and it have proven it's worth and in my opinion makes MailScanner whole (not that it was lacking before mind you.) It certainly has proven in-valuable with the reports and graphs, etc. That's my two cents worth, Kind regards, Craig D. -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From newcomer at DICKINSON.EDU Tue Mar 2 13:25:46 2004 
From: newcomer at DICKINSON.EDU (Don Newcomer) Date: Thu Jan 12 21:22:53 2006 Subject: opt-in Message-ID: We're using MailScanner 4.26.8 and we're in the process of testing SpamAssassin 2.63. The plan is to adopt it site-wide but I like the idea of allowing users to "opt-in" to having their mail scanned for spam. I set up a ruleset that's applied to the config parameters "Spam Checks" and "Use SpamAssassin". It's working fine in testing but I've run into a few problems. This ruleset is based on "to" addresses that determines whether spam checking is done. Unfortunately, as you all know, we get lots of e-mail with forged headers that, based on the header information, shouldn't even appear in your mailbox. This makes using this ruleset for opt-in a little ineffective. Does anyone have any suggestions as to how to either (a) work around this problem or (b) a better way to allow opt-in? Thanks in advance. ================================================================================ Don Newcomer Dickinson College Senior Manager, Systems P.O. Box 1773 newcomer@dickinson.edu Carlisle, PA 17013 Phone: (717) 245-1256 FAX: (717) 245-1690 From raymond at PROLOCATION.NET Tue Mar 2 14:09:36 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:53 2006
Subject: opt-in
In-Reply-To:
Message-ID:

Hi!

> spam checking is done. Unfortunately, as you all know, we get lots of
> e-mail with forged headers that, based on the header information, shouldn't
> even appear in your mailbox. This makes using this ruleset for opt-in a
> little ineffective.
>
> Does anyone have any suggestions as to how to either (a) work around this
> problem or (b) a better way to allow opt-in? Thanks in advance.

Just do splitting on MTA level if you use sendmail, then you also avoid a to: and a cc: problem, if one user (to: one) sets spam check on and the other (cc: one) doesn't you are toast now :)

You have to split each message and process them separately. Else it's just one message and if it's tagged it's tagged.

Bye,
Raymond.

From prandal at HEREFORDSHIRE.GOV.UK Tue Mar 2 14:14:44 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:53 2006
Subject: opt-in
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5A3@jessica.herefordshire.gov.uk>

I hate to say this, but why don't you give up and not allow opt-in?

And what if users say "we'll have spam, but block all objectionable content"?

What if corporate policies require you to prevent certain material from reaching mailboxes? I guess they don't, but maybe they should.

Cheers,
Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Don Newcomer > Sent: 02 March 2004 13:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: opt-in > > > We're using MailScanner 4.26.8 and we're in the process of testing > SpamAssassin 2.63. The plan is to adopt it site-wide but I > like the idea > of allowing users to "opt-in" to having their mail scanned > for spam. I set > up a ruleset that's applied to the config parameters "Spam > Checks" and "Use > SpamAssassin". It's working fine in testing but I've run into a few > problems. This ruleset is based on "to" addresses that > determines whether > spam checking is done. Unfortunately, as you all know, we get lots of > e-mail with forged headers that, based on the header > information, shouldn't > even appear in your mailbox. This makes using this ruleset > for opt-in a > little ineffective. > > Does anyone have any suggestions as to how to either (a) work > around this > problem or (b) a better way to allow opt-in? Thanks in advance. > > ============================================================== > ================== > Don Newcomer > Dickinson College > Senior Manager, Systems P.O. Box 1773 > newcomer@dickinson.edu > Carlisle, PA 17013 > > Phone: (717) 245-1256 > > FAX: (717) 245-1690 > From drew at THEMARSHALLS.CO.UK Tue Mar 2 14:24:04 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:53 2006
Subject: Clam AV
Message-ID: <14409.194.70.180.170.1078237444.squirrel@net.themarshalls.co.uk>

All

Following the excitement of the last few days/weeks speed of definition update is king. Now I currently use F-Prot and Antivir. Both work well, F-Prot probably better than Antivir as it was able to better scan the broken mime formatted mail that came from those nice mailserver bounces which included the infected message. I also don't use the MS update scripts, preferring my own cron jobs spaced at different hourly times so that if MS is called while an update is happening the other scanner will still work and to attempt to ensure that one scanner should catch updates no matter which half of the hour they are posted. I nearly got caught with the Netsky.D when several went through 3 minutes before both scanners updated (Good old MS blocked the files as they were .pif executables, so the user was protected).

Cutting to the chase (Sorry it's been longer winded than I anticipated) should I also run Clam (Which was updated quite quickly yesterday, no promise that it will be in the future but...) or is 3 AV products overkill. The box it's on is not that big so will Clam use huge amounts of system to run? If not 3 which 2?

So many questions I know but I would appreciate your thoughts.

Thanks
Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From sysadmins at ENHTECH.COM Tue Mar 2 14:30:43 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:53 2006
Subject: Default rules remove .wav files.
Message-ID: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com>

Hi -

Just wanted to inquire with the experts :)
The default file attachment rules remove .wav files. Just curious as to why.

Errol Neal

From john at TRADOC.FR Tue Mar 2 14:31:49 2004
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:53 2006 Subject: Bayes rebuild never completes Message-ID: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> I've realised that since updating to 4.26.8 and setting Rebuild Bayes Every = 86400, my Bayes db has never been expired. Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes database rebuild preparing" then "SpamAssassin Bayes database rebuild starting", but never get as far as the "SpamAssassin Bayes database rebuild completed" that I see in the code. Any ideas what I'm doing wrong? This is on redhat 9, with postfix 2.0.16, if it makes any difference. John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 14:31:21 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:53 2006
Subject: Clam AV
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk>

Drew Marshall wrote:
> I also don't
> use the MS update scripts, preferring my own cron jobs spaced at
> different hourly times so that if MS is called while an update is
> happening the other scanner will still work and to attempt to ensure
> that one scanner should catch updates no matter which half of the
> hour they are posted.

The mailscanner update script (update_virus_scanners) creates a lock file which makes MailScanner wait for the scanner updates to complete before continuing with scanning, this should be safer than your method.

> should I also run Clam (Which was updated quite quickly
> yesterday, no promise that it will be in the future but...) or is 3 AV
> products over kill.

I now use Sophos, Clam and Symantec - Having seen the variance in update times the more the merrier is my angle.

> The box it's on is not that big so will Clam use
> huge amounts of system to run?

Not huge (nothing like the load of SpamAssassin).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 15:04:12 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID: <4044A26C.5060103@solid-state-logic.com>

Julian

initial test using the tar version on FreeBSD looks good.

However I note that ClamAV just blocked a passwd protects zip Bagle that MS did nothing about.

I've got the default
Allow Password-Protected Archives = no
set, and installed the perl zip module so I'm not sure what happened there..

looking at that message, the zip file is part of a mailing list digest form, rather than an list individual message style.....

PS - way to go Clam, they've beaten the commercial scanners again being the first (?) to scan inside passwd protected xzip files...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> This version can now detect and block password-protected zip files.
>
> By default it will block all of them, but you can of course use a ruleset
> to govern the behaviour of the new option
> Allow Password-Protected Archives
>
> Download as usual from www.mailscanner.info.
>
> I wonder what next mysteries and hacks they will throw at me today :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From brose at MED.WAYNE.EDU Tue Mar 2 15:15:43 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
Message-ID:

What should MailScanner say in the logs for this?

Mar 2 10:01:32 eeyore MailScanner[15039]: New Batch: Scanning 3 messages, 79390 bytes
Mar 2 10:01:32 eeyore MailScanner[15039]: MCP Checks completed at 79390 bytes per second
Mar 2 10:01:32 eeyore MailScanner[15039]: Spam Checks: Starting
Mar 2 10:02:19 eeyore MailScanner[15039]: Spam Checks completed at 1689 bytes per second
Mar 2 10:02:55 eeyore MailScanner[15039]: Password-protected archive in i22F0v6R016094
Mar 2 10:02:55 eeyore MailScanner[15039]: Virus and Content Scanning: Starting
Mar 2 10:02:55 eeyore MailScanner[15039]: ERROR:: File was encrypted (530):: ./i22F0v6R016094/ctr2055.zip
Mar 2 10:03:00 eeyore MailScanner[15039]: Virus Scanning: SophosSAVI found 1 infections
Mar 2 10:03:01 eeyore MailScanner[15039]: Virus Scanning completed at 1890 bytes per second
Mar 2 10:03:02 eeyore MailScanner[15039]: Uninfected: Delivered 3 messages
Mar 2 10:03:02 eeyore MailScanner[15039]: Virus Processing completed at 79390 bytes per second
Mar 2 10:03:02 eeyore MailScanner[15039]: Disinfection completed at 79390 bytes per second
Mar 2 10:03:02 eeyore MailScanner[15039]: Batch completed at 882 bytes per second (79390 / 90)

This looks like it let it thru.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Tuesday, March 02, 2004 4:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Unstable 4.28.2 released This version can now detect and block password-protected zip files. By default it will block all of them, but you can of course use a ruleset to govern the behaviour of the new option Allow Password-Protected Archives Download as usual from www.mailscanner.info. I wonder what next mysteries and hacks they will throw at me today :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 15:18:43 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> Martin Hepworth wrote: > Julian > > initial test using the tar version on FreeBSD look good. > > However I note that ClamAV just blocked a passwd protects zip Bagle > that MS did nothing about. > According to the clam list clam doesn't scan inside password protected archives, however they have added a signature that detects the encrypted zip file. Are you sure that this particular instance of Bagle was password protected (not all copies are) - did you save a copy? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From wei at ENG.FSU.EDU Tue Mar 2 15:19:15 2004 
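Added example, not part of any list message and not MailScanner's or ClamAV's code: a Python sketch of how a gateway can tell that a zip is password protected without opening it, by reading bit 0 of the general-purpose flag in each entry's headers. The sample archive is constructed in memory, and `verdict` with its `allow_password_protected` parameter are hypothetical names that mirror the `Allow Password-Protected Archives` option discussed in this thread.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"    # central directory entry
LOCAL_SIG = b"PK\x03\x04"   # local file header
FLAG_ENCRYPTED = 0x0001     # general-purpose flag bit 0: entry is encrypted
FLAG_UTF8 = 0x0800          # general-purpose flag bit 11: name is UTF-8

# Fixed-size parts of the three records (little-endian, per the ZIP format).
EOCD = struct.Struct("<4sHHHHIIH")
CDIR = struct.Struct("<4sHHHHHHIIIHHHHHII")
LOCAL = struct.Struct("<4sHHHHHIIIHH")


def encrypted_members(data):
    """Return the names of members flagged as encrypted in either header copy.

    ZIP64 and multi-disk archives are out of scope for this sketch.
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record: not a zip file")
    try:
        eocd = EOCD.unpack_from(data, pos)
        total_entries, offset = eocd[4], eocd[6]
        flagged = []
        for _ in range(total_entries):
            if data[offset:offset + 4] != CDIR_SIG:
                raise ValueError("corrupt central directory")
            entry = CDIR.unpack_from(data, offset)
            flags = entry[3]
            name_len, extra_len, comment_len = entry[10], entry[11], entry[12]
            local_offset = entry[16]
            raw_name = data[offset + CDIR.size:offset + CDIR.size + name_len]
            name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437",
                                   "replace")
            # Each member carries a second copy of the flags in its local header.
            if data[local_offset:local_offset + 4] == LOCAL_SIG:
                flags |= LOCAL.unpack_from(data, local_offset)[2]
            if flags & FLAG_ENCRYPTED:
                flagged.append(name)
            offset += CDIR.size + name_len + extra_len + comment_len
        return flagged
    except struct.error as exc:
        raise ValueError("truncated zip structure") from exc


def verdict(data, allow_password_protected=False):
    """Hypothetical gateway policy: block when any member is encrypted."""
    if encrypted_members(data) and not allow_password_protected:
        return "block"
    return "deliver"


def build_sample(mark_encrypted):
    """Constructed test archive with two harmless stored members.

    With mark_encrypted=True the encryption bit is set on the second member's
    headers; the payload itself stays plain text, which is enough to exercise
    the flag check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("readme.txt", "price_list.doc"):
            info = zipfile.ZipInfo(name, date_time=(2004, 3, 2, 0, 0, 0))
            zf.writestr(info, b"constructed sample, harmless")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        second_local = raw.find(LOCAL_SIG, 1)
        second_central = raw.find(CDIR_SIG, raw.find(CDIR_SIG) + 1)
        raw[second_local + 6] |= FLAG_ENCRYPTED     # flags low byte, local header
        raw[second_central + 8] |= FLAG_ENCRYPTED   # flags low byte, central entry
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)),
                          ("flagged", build_sample(True))):
        print(label, encrypted_members(sample), verdict(sample))
```
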
From: wei at ENG.FSU.EDU (Wei Li)
Date: Thu Jan 12 21:22:53 2006
Subject: .zip file passes through the filter
In-Reply-To: <4044A26C.5060103@solid-state-logic.com>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com>
Message-ID: <4044A5F3.2010306@eng.fsu.edu>

Hi, all,

We met a .zip virus in our system and have to block all encrypted .zip files. I modified filename.rules.conf in /opt/MailScanner/etc as

#allow \.zip$ - -
deny \.zip$

and in filetype.rules.conf I denied:

deny archive - -
deny self-extract No self-extracting archives No self-extracting archives allowed

But the infected .zip file still could pass through the filter. We are using the latest McAfee data file.

Any suggestion?

Thanks a lot

Wei

From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 15:22:53 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> Message-ID: <4044A6CD.30805@solid-state-logic.com> Kevin yes and yes... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Spicer, Kevin wrote: > Martin Hepworth wrote: > >>Julian >> >>initial test using the tar version on FreeBSD look good. >> >>However I note that ClamAV just blocked a passwd protects zip Bagle >>that MS did nothing about. >> > > According to the clam list clam doesn't scan inside password protected archives, however they have added a signature that detects the encrypted zip file. > Are you sure that this particular instance of Bagle was password protected (not all copies are) - did you save a copy? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:34:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Bayes rebuild never completes In-Reply-To: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> Message-ID: <6.0.1.1.2.20040302153357.09e7a150@imap.ecs.soton.ac.uk> I have seen this too. When I get a chance, I will take a look at it. At 14:31 02/03/2004, you wrote: >I've realised that since updating to 4.26.8 and setting Rebuild Bayes >Every = 86400, my Bayes db has never been expired. > >Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes >database rebuild preparing" then "SpamAssassin Bayes database rebuild >starting", but never get as far as the "SpamAssassin Bayes database >rebuild completed" that I see in the code. > >Any ideas what I'm doing wrong? This is on redhat 9, with postfix >2.0.16, if it makes any difference. > >John. > >-- >-- Over 2400 webcams from ski resorts around the world - www.snoweye.com >-- Translate your technical documents and web pages - www.tradoc.fr -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:33:44 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Default rules remove .wav files. In-Reply-To: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com> References: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com> Message-ID: <6.0.1.1.2.20040302153248.09eed528@imap.ecs.soton.ac.uk> At 14:30 02/03/2004, you wrote: >Hi - > >Just wanted to inquire with the experts :) >The default file attachment rules remove .wav files. Just curious as to why. Just to remove big audio files, I thought some people might find it useful when I wrote the example ruleset. I don't know of any exploits that have been done using wav files. Feel free to remove the rule if you don't want it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:27:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To:
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk>

I fixed this in 4.28.2-2. Sorry about that one.

At 12:45 02/03/2004, you wrote:
>Installed 4.28.2 and when I restarted MailScanner log showed:
>Mar 2 07:27:56 srv2 MailScanner[26019]: Syntax error(s) in
>configuration file:
>Mar 2 07:27:56 srv2 MailScanner[26019]: Unrecognised keyword
>"maximumarchivedepth" at line 294
>Mar 2 07:27:56 srv2 MailScanner[26019]: Aborting due to syntax
>errors in /opt/MailScanner/etc/MailScanner.conf.
>
>I looked in ConfigDefs.pl and noticed:
>maxzipdepth = maximumziparchivedepth
>
>So "I changed Maximum Archive Depth =" To "Max Zip Depth ="
>
>Was there something in the docs, or changelog or perhaps the
>list, I missed on this?

In MailScanner.conf you should have put
Maximum Zip Archive Depth =

>Also, If I change the above to 0 will that disable filename/type
>checking inside the archives?

I think so, yes. If 0 doesn't disable it, then -1 certainly will.

> I am not sure I want to do that
>just yet, although I just LOVE the reject password protected
>archive option I have to generate rules that will allow the
>normal periodic updates that sales receives from a couple vendors
>that zip the exe (since we don't allow exes)
>
> > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Tuesday, March 02, 2004 4:29 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: ANNOUNCE: Unstable 4.28.2 released > > > > > > This version can now detect and block > > password-protected zip files. > > > > By default it will block all of them, but you can of > > course use a ruleset > > to govern the behaviour of the new option > > Allow Password-Protected Archives > > > > Download as usual from www.mailscanner.info. > > > > I wonder what next mysteries and hacks they will throw > > at me today :-) > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > > 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From davidnalley at BRYANRAMEY.COM Tue Mar 2 15:46:07 2004 
From: davidnalley at BRYANRAMEY.COM (David Nalley)
Date: Thu Jan 12 21:22:53 2006
Subject: Clam-AV/MailScanner Configuration
Message-ID: <23CF5E8FD4EA414184A3AF27AEE7630618973D@bdr1.bryanramey.com>

I seem to be having a problem with my current configuration. I have a relatively large percentage of virus laden emails which get past ClamAV but are trapped by SA as spam. Running clamscan on the quarantined spam clearly reveals them. I figure I must have something incorrectly configured. While I have worked through the documentation, the only thing that immediately jumps to mind is the following section from MailScanner.conf

Btw, I am using MS 4.25, ClamAV 0.65, and SA 2.63

Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 0
Max Unsafe Messages Per Scan = 30

Thanks in advance,
David Nalley

From rcooper at DWFORD.COM Tue Mar 2 15:34:07 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:53 2006
Subject: Problems with 4.28-2
Message-ID:

Ok, I ran some test messages with 4.28-7 and when I sent a zip with a password or bad filename the log showed:

Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0
Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 messages, 988519 bytes
Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting
Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin returned 0
Mar 2 09:00:48 srv2 MailScanner[29720]: Created attachment dirs for 1 messages
Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content Scanning: Starting
Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by f-prot...
Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by f-prot
Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by clamavmodule...
Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by clamavmodule
Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: Windows/DOS Executable (1AyARd-0007mi-Kk 0)
Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by /usr/bin/file
Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No executables (1AyARd-0007mi-Kk 0)
Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 problems

This would repeat over and over with the same e-mail until I killed MailScanner. I put it in debug and got:

Debug:
In Debugging mode, not forking...
Unmatched ( in regex; marked by <-- HERE in m/the sender of these problems anymore ( <-- HERE since we cannot tell legitimate senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line 1913, line 18.

So I looked in the report and saw it was puking on a sentence enclosed in (). I looked at Message.pm line 1913 and noted:

    $line =~ s/"/\\"/g; # Escape any " characters
    $line =~ s/@/\\@/g; # Escape any @ characters

So I removed the ( and ) and it puked on a sentence that was enclosed by **.
I did some other checks and it puked on any regex reserved character and didn't like words surrounded by quotes like "To" (it did not puke on them but it complained about them). So I commented out the two lines above and added:

    $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters

and everything worked fine again. I found I could not escape the "$" because it blew the eval() below this section. I have used the same reports for months and have never had this happen before. Did something change here? I'm confused as to if this problem has to do with something on this end as I have not seen other comments about the "Maximum Archive Depth", or this problem, on the list. Although I guess unless your virus.deleted or filename.deleted reports contained the same characters [()* or .*] you wouldn't notice.. come to think about it I recently added the text that was enclosed parenthetically. Might be something to look at Julian.

--
Rick Cooper

From raymond at PROLOCATION.NET Tue Mar 2 16:01:24 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:53 2006
Subject: Clam-AV/MailScanner Configuration
In-Reply-To: <23CF5E8FD4EA414184A3AF27AEE7630618973D@bdr1.bryanramey.com>
Message-ID:

Hi!

> but are trapped by SA as spam. Running clamscan on the quarantined spam
> clearly reveals them. I figure I must have something incorrectly
> configured. While I have worked through the documentation, the only
> thing that immediately jumps to mind is the following section from
> MailScanner.conf
> Btw, I am using MS 4.25, ClamAV 0.65, and SA 2.63
>
> Max Unscanned Bytes Per Scan = 100000000
> Max Unsafe Bytes Per Scan = 50000000
> Max Unscanned Messages Per Scan = 0
> Max Unsafe Messages Per Scan = 30

As you could read the mime stuff is changed recently, that might be your problem. I would suggest first upgrade to the latest stable version and then look again.

Bye,
Raymond.

From dnsadmin at 1BIGTHINK.COM Tue Mar 2 16:09:37 2004
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:22:53 2006
Subject: .zip file passes through the filter
In-Reply-To: <4044A5F3.2010306@eng.fsu.edu>
References: <4044A26C.5060103@solid-state-logic.com> <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com>
Message-ID: <5.2.1.1.0.20040302110852.0905c8a0@mail.1bigthink.com>

At 10:19 AM 3/2/2004 -0500, you wrote:
>Hi, all,
>
>We met a .zip virus in our system and have to block all encrypted .zip
>files. I modified filename.rules.conf in /opt/MailScanner/etc as
>
>#allow \.zip$ - -
>deny \.zip$

Wei,

It appears you missed the two TAB characters and the dashes in your deny line above.

>and in filetype.rules.conf I denied:
>deny archive - -
>deny self-extract No self-extracting archives No self-extracting
>archives allowed
>
>But the infected .zip file still could pass through the filter. We are
>using the latest McAfee data file.
>
>Any suggestion?
>
>Thanks a lot
>
>Wei

From nnelson at 1seo.net Tue Mar 2 16:17:32 2004
From: nnelson at 1seo.net (Nick Nelson)
Date: Thu Jan 12 21:22:53 2006
Subject: FreeBSD 5.x
Message-ID: <4044B39C.2070900@1SEO.net>

Hey folks. Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) on FreeBSD? Anything I should take into consideration before starting the install? Will I lose a lot of performance going with something such as Fedora? RHES isn't an option unfortunately.

Thanks..

From mailscanner at ecs.soton.ac.uk Tue Mar 2 16:11:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: .zip file passes through the filter
In-Reply-To: <4044A5F3.2010306@eng.fsu.edu>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com> <4044A5F3.2010306@eng.fsu.edu>
Message-ID: <6.0.1.1.2.20040302161038.03f990f0@imap.ecs.soton.ac.uk>

At 15:19 02/03/2004, you wrote:
>Hi, all,
>
>We met a .zip virus in our system and have to block all encrypted .zip
>files. I modified filename.rules.conf in /opt/MailScanner/etc as
>
>#allow \.zip$ - -
>deny \.zip$

That will generate a syntax error in your maillog. There should be 2 text entries after the \.zip$ which are the log text and the user text of the warnings it should generate. Also, my comment below about tab separation applies here too.

>and in filetype.rules.conf I denied:
>deny archive - -
>deny self-extract No self-extracting archives No self-extracting
>archives allowed

Are you sure those lines have the fields separated by tab characters? It clearly says at the top of the file that they need to be tab-separated.

>But the infected .zip file still could pass through the filter. We are
>using the latest McAfee data file.
>
>Any suggestion?
>
>Thanks a lot
>
>Wei

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 16:09:03 2004
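Added example, not part of any list message and not MailScanner's own parser: a small Python linter for the two mistakes pointed out in the replies above, rule lines whose fields are not tab-separated and rule lines missing the log text and user text. It assumes four fields per rule with a run of tabs as the separator, checks patterns with Python's `re` as an approximation of Perl regex syntax, and runs on constructed sample lines.

```python
import re

FIELD_NAMES = ("action", "pattern", "log text", "user text")
ACTIONS = {"allow", "deny"}   # the two actions that appear in this thread


def lint_rules(text):
    """Return (line number, code, detail) for each problem in a rules file.

    Codes: no-tabs, field-count, bad-action, bad-regex.
    """
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if "\t" not in line:
            problems.append((lineno, "no-tabs",
                             "fields must be separated by TAB characters"))
            continue
        fields = re.split(r"\t+", line)   # assumption: a run of tabs is one separator
        if len(fields) != len(FIELD_NAMES):
            problems.append((lineno, "field-count",
                             "expected %d fields (%s), found %d"
                             % (len(FIELD_NAMES), ", ".join(FIELD_NAMES),
                                len(fields))))
            continue
        action, pattern = fields[0].strip(), fields[1]
        if action not in ACTIONS:
            problems.append((lineno, "bad-action",
                             "unknown action %r" % action))
        try:
            re.compile(pattern)           # approximation of the Perl regex check
        except re.error as exc:
            problems.append((lineno, "bad-regex", str(exc)))
    return problems


# Constructed sample: line 2 lacks the two text fields, line 3 uses spaces
# instead of tabs, line 4 is well formed, line 5 has an unbalanced "(".
SAMPLE_RULES = (
    "#allow\t\\.zip$\t-\t-\n"
    "deny\t\\.zip$\n"
    "deny    self-extract    No self-extracting archives    "
    "No self-extracting archives allowed\n"
    "deny\t\\.zip$\tNo zip files\tZip attachments are not allowed\n"
    "allow\t\\.(zip$\t-\t-\n"
)


if __name__ == "__main__":
    for lineno, code, detail in lint_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, code, detail))
```
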
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Problems with 4.28-2 In-Reply-To: References: Message-ID: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk> Many thanks for letting me know about that one, and for writing the fix for me. It turns up 1 other time in Message.pm as well (look for "Escape any " and you will find it). Fixed for the next release. At 15:34 02/03/2004, you wrote: >Ok, I ran some test messages with 4.28-7 and when I sent a zip >with a password or bad filename the log showed: > >Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, >ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0 >Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 >messages, 988519 bytes >Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting >Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin returned 0 >Mar 2 09:00:48 srv2 MailScanner[29720]: Created attachment dirs >for 1 messages >Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content >Scanning: Starting >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by >f-prot... >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by >f-prot >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by >clamavmodule... >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by >clamavmodule >Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: >Windows/DOS Executable (1AyARd-0007mi-Kk 0) >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by >/usr/bin/file >Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No >executables (1AyARd-0007mi-Kk 0) >Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 >problems > >This would repeat over and over with the same e-mail until I >killed MailScanner. I put it in debug and got: > >Debug: >In Debugging mode, not forking... 
>Unmatched ( in regex; marked by <-- HERE in m/the sender of these >problems anymore ( <-- HERE since we cannot tell legitimate >senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line >1913, line 18. > >So I looked in the report and saw it was puking on a sentence >enclosed in (). I looked at Message.pm line 1913 and noted: > > $line =~ s/"/\\"/g; # Escape any " characters > $line =~ s/@/\\@/g; # Escape any @ characters > >So I removed the ( and ) and it puked on a sentence that was >enclosed by **. I did some other checks and it puked on any regex >reserved character and didn't like words surrounded by quotes >like "To" (it did not puke on them but it complained about them) >. So I commented out the two lines above and added: > >$line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex >characters > >and everything worked fine again. I found I could not escape the >"$" because it blew the eval() below this section. I have used >the same reports for months and have never had this happen >before. Did something change here? I'm confused as to if this >problem has to do with something on this end as I have not seen >other comments about the "Maximum Archive Depth", or this >problem, on the list. Although I guess unless your virus.deleted >or filename.deleted reports contained the same characters [()* or >.*] you wouldn't notice.. come to think about it I recently add >the text that was enclosed parenthetically. Might be something to >look at Julian. > > >-- >Rick Cooper -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bg.mahesh at INDIAINFO.COM Tue Mar 2 16:59:43 2004 
From: bg.mahesh at INDIAINFO.COM (B.G. Mahesh) Date: Thu Jan 12 21:22:53 2006 Subject: SpamAssassin+sendmail config questions Message-ID: hi I have been using SpamAssassin so for Linux with sendmail+procmail. I decided to use ClamAV and Mailscanner today. I have few basic questions, 1. I had created /etc/procmailrc for SpamAssassin. Do I leave it "as is" ? 2. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml I see that I have to create, /var/spool/MailScanner/incoming /var/spool/MailScanner/quarantine What should be the permissions of these directories? Should they be the same as mqueue.in as mentioned on http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml ? 3. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml I see the instructions for modifying sendmail commands. In my /etc/init.d/sendmail I have, daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \ $([ -n "$QUEUE" ] && echo -q$QUEUE) RETVAL=$? What should the above lines change to? regards, B.G. Mahesh From marco at MUW.EDU Tue Mar 2 17:12:22 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> Message-ID: <1078247542.4044c0766a59a@webmail.MUW.Edu> I can confirm that Bagle-I worm did make it through our MS gateways. I am running both Sophos and Command AV (up-to-date) and both let it slip through. We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it helps. Meanwhile, I have blocked zip files temporarily. Quoting Derek Winkler : > For Bagle-H Sophos included this note: > > "W32/Bagle-H sends itself as a password protected ZIP file that is not > detected by this identity. However, when unzipped by the user the worm will > be detected by Sophos Anti-Virus at the user's desktop." > > May be true of Bagle-I since it also uses password protected ZIP files as > well, although they didn't specifically say. > From sconway at WLNET.COM Tue Mar 2 17:25:07 2004 From: sconway at WLNET.COM (Stephen Conway) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078247542.4044c0766a59a@webmail.MUW.Edu> Message-ID: <200403021724.i22HOqk27186@zuga.wlnet.com> Good day: Correct me if I am wrong, but if the zip is password protected, how would the end user open it w/o a password? So should I be worried if some get through? We have clients with slow Satellite connections, so it is difficult for them to upgrade their virus defs, so we are there only line of defense. Is there a way for Sophos to scan password protected zip files? Thanks, SC -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid Sent: Tuesday, March 02, 2004 12:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: bagle-i worm I can confirm that Bagle-I worm did make it through our MS gateways. I am running both Sophos and Command AV (up-to-date) and both let it slip through. We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it helps. Meanwhile, I have blocked zip files temporarily. Quoting Derek Winkler : > For Bagle-H Sophos included this note: > > "W32/Bagle-H sends itself as a password protected ZIP file that is not > detected by this identity. However, when unzipped by the user the worm will > be detected by Sophos Anti-Virus at the user's desktop." > > May be true of Bagle-I since it also uses password protected ZIP files as > well, although they didn't specifically say. > From cconn at ABACOM.COM Tue Mar 2 17:28:02 2004 From: cconn at ABACOM.COM (Chris Conn) Date: Thu Jan 12 21:22:53 2006 Subject: Header problem, part 2 Message-ID: <4044C422.1080908@abacom.com> Hello, Just to add to my previous EMAIL, I find that pretty much every message I check that contains attachments has this header: MIME_MISSING_BOUNDARY 1.84 in the spamassassin score. Could this be related? Thanks in advance, Chris From marco at MUW.EDU Tue Mar 2 17:47:22 2004 
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:53 2006
Subject: bagle-i worm
In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com>
References: <200403021724.i22HOqk27186@zuga.wlnet.com>
Message-ID: <1078249642.4044c8aa87a59@webmail.MUW.Edu>

The worm DOES provide the user with the password :)
Some of our users, as little techie as they are, managed to extract and execute the zip file ...

Sophos, in my case, has been able to intercept Bagle A through F. For some reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March release and will upgrade MS to latest-stable. Then I will test if Bagle.I will make it through this time before I re-allow zip attachments on my site.

Quoting Stephen Conway :
> Good day:
>
> Correct me if I am wrong, but if the zip is password protected, how would
> the end user open it w/o a password? So should I be worried if some get
> through? We have clients with slow Satellite connections, so it is
> difficult for them to upgrade their virus defs, so we are their only line of
> defense. Is there a way for Sophos to scan password protected zip files?
>
> Thanks,
>
> SC
>

From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 17:38:43 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078249642.4044c8aa87a59@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <4044C6A3.6080103@solid-state-logic.com> Won't help ClamAV does spot this stuff though.. Also Julian's latest 4.28.2-2 doesn't catch it either (even though it should!). I guess he's got real work on at the moment, or scratching his head as to why it didn't work :-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Marco Obaid wrote: > The worm DOES provide the user with the password :) > Some of our users, as little techie as they are, managed to extract and > execute the zip file ... > > Sophos, in my case, has been able to intercept Bagel A through F. For some > reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March > relesse and will Upgrade MS to latest-stable. Then I will test if Bagle.I will > make it through this time before I re-allow zip attachments on my site. > > Quoting Stephen Conway : > > >>Good day: >> >>Correct me if I am wrong, but if the zip is password protected, how would >>the end user open it w/o a password? So should I be worried if some get >>through? We have clients with slow Satellite connections, so it is >>difficult for them to upgrade their virus defs, so we are there only line of >>defense. Is there a way for Sophos to scan password protected zip files? >> >>Thanks, >> >>SC >> ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From Newcombe at MORDOR.CLAYTON.EDU Tue Mar 2 17:43:24 2004 From: Newcombe at MORDOR.CLAYTON.EDU (Dan Newcombe) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078249642.4044c8aa87a59@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: On Tue, 2 Mar 2004, Marco Obaid wrote: > Sophos, in my case, has been able to intercept Bagel A through F. For some > reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March > relesse and will Upgrade MS to latest-stable. Then I will test if Bagle.I will > make it through this time before I re-allow zip attachments on my site. Is Sophos supposed to be able to identify the password-protected zip file or just the virus that's in the file itself? I would guess that the password is different from file to file making a signature very difficult. Just can't win - instead of setting up an ftp server for once-in-a-blue-moon files needed from off site, we asked people to just send a pw-protected ZIP file, and now those are on the evil list. Ah...microsoft security. From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 17:33:01 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com> References: <200403021724.i22HOqk27186@zuga.wlnet.com> Message-ID: <4044C54D.5020904@solid-state-logic.com> Stephen the password is sent as part of the email something like. hi here's the password you need: ahfhfghftgyghjg then the user unzips the attachment, types in the password as given and spltat they're hosed.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Stephen Conway wrote: > Good day: > > Correct me if I am wrong, but if the zip is password protected, how would > the end user open it w/o a password? So should I be worried if some get > through? We have clients with slow Satellite connections, so it is > difficult for them to upgrade their virus defs, so we are there only line of > defense. Is there a way for Sophos to scan password protected zip files? > > Thanks, > > SC > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Marco Obaid > Sent: Tuesday, March 02, 2004 12:12 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bagle-i worm > > I can confirm that Bagle-I worm did make it through our MS gateways. I am > running both Sophos and Command AV (up-to-date) and both let it slip > through. > We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it > helps. Meanwhile, I have blocked zip files temporarily. > > > Quoting Derek Winkler : > > >>For Bagle-H Sophos included this note: >> >>"W32/Bagle-H sends itself as a password protected ZIP file that is not >>detected by this identity. However, when unzipped by the user the worm > > will > >>be detected by Sophos Anti-Virus at the user's desktop." >> >>May be true of Bagle-I since it also uses password protected ZIP files as >>well, although they didn't specifically say. >> ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From stefanzman at yahoo.com Tue Mar 2 17:55:18 2004 
From: stefanzman at yahoo.com (Stefan Zauchenberger)
Date: Thu Jan 12 21:22:53 2006
Subject: Clam AV
In-Reply-To: <14409.194.70.180.170.1078237444.squirrel@net.themarshalls.co.uk>
Message-ID: <20040302175518.35156.qmail@web41310.mail.yahoo.com>

If you want a commercial AV product that provides fast response for updates, the current leader in this category is Kaspersky. Check out the following article:

http://itmanagement.earthweb.com/columns/executive_tech/article.php/3316511

Also, we have numerous installations of MailScanner with KAV. Let me know if you have any questions.

--- Drew Marshall wrote:
> All
>
> Following the excitement of the last few days/weeks speed of definition update is king. Now I currently use F-Prot and Antivir. Both work well, F-Prot probably better than Antivir as it was able to better scan the broken mime formatted mail that came from those nice mailserver bounces which included the infected message. I also don't use the MS update scripts, preferring my own cron jobs spaced at different hourly times so that if MS is called while an update is happening the other scanner will still work and to attempt to ensure that one scanner should catch updates no matter which half of the hour they are posted. I nearly got caught with the Netsky.D when several went through 3 minutes before both scanners updated (Good old MS blocked the files as they were .pif executables, so the user was protected).
>
> Cutting to the chase (Sorry it's been longer winded than I anticipated) should I also run Clam (Which was updated quite quickly yesterday, no promise that it will be in the future but...) or is 3 AV products overkill. The box it's on is not that big so will Clam use huge amounts of system to run? If not 3 which 2?
>
> So many questions I know but I would appreciate your thoughts.
>
> Thanks
>
> Drew
>
> --
> In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

From gercke at HNM.DE Tue Mar 2 17:50:06 2004
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:22:53 2006
Subject: Bayes filter engine {checked for viruses}
Message-ID: <4044C94E.1080004@hnm.de>

I've read the article at:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html

Now my question: does "people can just redirect wrongly-classified messages to one of the addresses" mean that people can forward these mails in their mail program to one of these addresses? Because I don't want the Bayes engine to think these forwarders are the senders of the spam...

Question two: how can I define that messages marked as "High Score" will be automatically learned by the Bayes engine?

--
This message has been checked for viruses and other dangerous content and is, assuming up-to-date virus scanners, clean.
MailScanner thanks transtec for their kind support.

From raymond at PROLOCATION.NET Tue Mar 2 18:05:24 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:54 2006
Subject: Cricket for monitoring
In-Reply-To:
Message-ID:

Hi!

> Has anyone out there modified the MailScanner-MRTG package to work with
> Cricket instead of MRTG?
>
> Or is anyone doing monitoring with Cricket?

We have set up monitoring around RRD, I guess that's what you mean?

Bye,
Raymond.

From Newcombe at MORDOR.CLAYTON.EDU Tue Mar 2 18:03:09 2004
From: Newcombe at MORDOR.CLAYTON.EDU (Dan Newcombe) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring Message-ID: Has anyone out there modified the MailScanner-MRTG package to work with Cricket instead of MRTG? Or is anyone doing monitoring with Cricket? From marco at MUW.EDU Tue Mar 2 18:26:19 2004 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <1078251979.4044d1cbd836d@webmail.MUW.Edu> Quoting Dan Newcombe : > Is Sophos supposed to be able to identify the password-protected zip file > or just the virus that's in the file itself? I believe that it attempts to scan the entire file; MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: W32/Bagle.E@mm MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle- E:: ./i226Mcwt003303/eaaead.zip > Just can't win - instead of setting up an ftp server for > once-in-a-blue-moon files needed from off site, we asked people to just > send a pw-protected ZIP file, and now those are on the evil list. Can't you just temporarily white list their server's IP address to skip the the virus checks? I would not attempt to whitelist their domain since these worms are skilled at spoofing the sender's address. Marco From support at EPAXSYS.NET Tue Mar 2 18:27:24 2004 
From: support at EPAXSYS.NET (Support ePaxsys/FRWS) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <1078251979.4044d1cbd836d@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <5.1.0.14.2.20040302111930.025b0080@mail.frws.com> Hey folks Would not an addition to the filename.rules.conf rules to adjust for allowed size ranges also help in this situation? If the Virus.ZIP file was say under 100k (and maybe check for PW protection if possible) they could be blocked instead of blocking ALL Zips. Sure its an interim fix as the Virus writers would just make them bigger or do something different - but it would give us all another weapon to use to slow this stuff down and not stop legitimate mail (our goal after all!) while the AV writers come up with a solution. Thoughts? We are blocking Zips under 200k with the word 'password:' in them using procmail right now, and it is effective. Not elegant, not perfect, but its a decent interim solution. Jerome At 12:26 PM 3/2/04 -0600, Marco Obaid wrote: >Quoting Dan Newcombe : > > > Is Sophos supposed to be able to identify the password-protected zip file > > or just the virus that's in the file itself? > >I believe that it attempts to scan the entire file; > >MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: >W32/Bagle.E@mm >MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle- >E:: ./i226Mcwt003303/eaaead.zip > > > Just can't win - instead of setting up an ftp server for > > once-in-a-blue-moon files needed from off site, we asked people to just > > send a pw-protected ZIP file, and now those are on the evil list. > >Can't you just temporarily white list their server's IP address to skip the >the virus checks? I would not attempt to whitelist their domain since these >worms are skilled at spoofing the sender's address. > > >Marco ePaxsys/FRWS Technical Staff ePaxsys, Inc. 
http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help From dot at DOTAT.AT Tue Mar 2 18:11:06 2004 
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:54 2006
Subject: Header problem, part 2
Message-ID:

I've written an auxiliary script to go with uvscan-update that finds, fetches and installs extra.dat files from NAI. This should give you some useful additional protection from new viruses. Included below are my current uvscan-update and uvscan-extra scripts.

Tony.
--
f.a.n.finch http://dotat.at/
BERWICK ON TWEED TO WHITBY: WEST BACKING SOUTH 4 OR 5, DECREASING 3 AT TIMES. FAIR. GOOD. SLIGHT.

------------------------------------------------------------------------
#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.42 2004/03/02 18:03:11 fanf2 Exp $

# $PREFIX is the directory where the uvscan binary is (NOT a symlink to
# the binary), which is where it looks for its dat files. You may run
# uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
# and it will still look for the dat files here. If uvscan's library
# dependencies can be found in a standard place (e.g. /usr/local/lib)
# then you don't need a wrapper script to set LD_LIBRARY_PATH before
# running it.
#
# The dat files are installed in a subdirectory of $DATDIR named
# according to their version number, with symlinks from $PREFIX into
# the subdirectory via a current link. The current link is updated
# without locking on the assumption that this is sufficiently unlikely
# to cause a problem.

# defaults
OPTS=""
PREFIX=/opt/uvscan
FTPDIR=http://download.nai.com/products/datfiles/4.x/nai

# handle the command line
usage () {
        echo "usage: $0 [-defrtv] [prefix]"
        echo "  -d      delete old files"
        echo "  -e      get extra.dat"
        echo "  -f      force update"
        echo "  -r      show README"
        echo "  -t      timestamp output"
        echo "  -v      verbose"
        echo "  prefix  uvscan installation directory"
        exit 1
}
case $# in
0|1|2)  : ok ;;
*)      usage ;;
esac
for arg in "$@"
do      case $arg in
        -*)     OPTS=$arg ;;
        /*)     PREFIX=$arg ;;
        *)      usage ;;
        esac
done
# -e is accepted here as well, so that "option e EXTRA" below can be set
case $OPTS in
*[!-defrtv]*) usage
esac
option () {
        case $OPTS in
        -*$1*)  eval $2=yes ;;
        *)      eval $2=no ;;
        esac
}
option d DELETE
option e EXTRA
option f FORCE
option r README
option t TIME
option v VERBOSE
case $FORCE in
yes)    VERBOSE=yes
esac

# look for binaries and libraries in plausible places
PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin
# this is only necessary for broken setups
LD_LIBRARY_PATH=$PREFIX
export PATH LD_LIBRARY_PATH

# where this script finds things
DATDIR=$PREFIX/datfiles
SUBDIR=datfiles/current
LINK=$PREFIX/$SUBDIR

# wrapper functions for echo etc.
timestamp () {
        case $TIME in
        yes)    date "+%Y-%m-%d %H:%M:%S "
        esac
}
say () {
        case $VERBOSE in
        yes)    echo "`timestamp`$*"
        esac
}
run () {
        say "> $*"
        "$@"
}

say Starting $0
say DELETE=$DELETE
say FORCE=$FORCE
say README=$README
say TIME=$TIME
say VERBOSE=$VERBOSE
say PREFIX=$PREFIX

if [ ! -h $LINK ]
then
        INIT=yes
        VERBOSE=yes
        say Initial setup of $0
        run mkdir -p $DATDIR
fi

run cd $DATDIR

# version number pattern
MATCH="[0-9][0-9][0-9][0-9]"

# work out latest dat version
CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err"
say "> $CMD"
if eval "$CMD"
then
        VERSION=`cat update.ini | sed "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"`
else
        cat update.err
        VERSION=UNKNOWN
fi
run rm -f update.*

badversion () {
        VERBOSE=yes
        say "Failed to get McAfee datfile update from $FTPDIR"
        say "FTP version number \"$VERSION\" $*"
        run exit 1
}

# check the format of the version number
case $VERSION in
$MATCH) : ok ;;
*)      badversion does not match "$MATCH" ;;
esac

# already got it?
if [ -d $VERSION ]
then
        case $FORCE in
        yes)    say Forced removal of $VERSION
                run rm -rf $VERSION
                ;;
        *)      say Already have $VERSION
                case $EXTRA in
                yes)    say Checking for extra.dat file
                        if [ ! -f $DATDIR/$VERSION/extra.dat ]
                        then
                                run uvscan-extra $PREFIX
                        fi
                esac
                run exit 0
                ;;
        esac
fi

# work out installed dat version
PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1`

# check new version is actually newer
if [ $PREVIOUS -gt $VERSION ]
then
        badversion older than installed $PREVIOUS
fi

VERBOSE=yes
say Installed dat file is $PREVIOUS
say Latest dat file is $VERSION

# protect against failure
fail () {
        trap EXIT
        echo "$OUT"
        say Fetch or test failed -- removing bad McAfee data files
        run cd $DATDIR
        run rm -rf $VERSION
        run exit 1
}
trap fail EXIT

# fetch and extract dat files
TARFILE=dat-$VERSION.tar
run mkdir $VERSION
run cd $VERSION
run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE

# verify the contents
CMD="uvscan --version --dat ."
say "> $CMD"
OUT=`$CMD 2>&1`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
        fail
esac

# protection not needed now
trap '' EXIT
echo "$OUT"
say Update OK

# show information on this update?
case $README in
yes)    run sed 's/[[:cntrl:]]//g
                1,/^====================/d
                /^====================/,/^NEW VIRUSES DETECTED/d
                /^UNDERSTANDING VIRUS NAMES/,$d
                s/^/# /;/@MM/s/$/ <--/' readme.txt
esac

# remove some crap
run rm -f *.diz *.exe *.ini *.lst *.tar *.txt

# do remaining part of initial setup
case $INIT in
yes)    for file in *.dat extra.dat
        do
                run rm -f $PREFIX/$file
                run ln -s $SUBDIR/$file $PREFIX/$file
        done
esac

# update the current version link
run rm -f $LINK
run ln -s $VERSION $LINK

# maybe delete old dat files
case $DELETE in
yes)    run cd $DATDIR
        run rm -rf $PREVIOUS
esac

say Completed OK
run exit 0

# done
------------------------------------------------------------------------
#!/usr/bin/perl -Tw
#
# Try to obtain McAfee extra.dat file.
#
# $Cambridge: hermes/build/bin/uvscan-extra,v 1.3 2004/03/02 17:34:12 fanf2 Exp $

use strict;

use POSIX;
use LWP::UserAgent;
use HTTP::Status;

# taint safety
undef %ENV;

# external requirements
my $UNZIP = '/usr/local/bin/unzip';
my $VIL = 'http://vil.nai.com/vil';
my $VILNEW = "$VIL/newly-discovered-viruses.asp";

# uvscan directories and files
my $PREFIX = @ARGV ? $ARGV[0] : '/opt/uvscan';
my $UVSCAN = "$PREFIX/uvscan";
my $DATDIR = "$PREFIX/datfiles";
my $SUBDIR = "datfiles/current";
my $LINK = "$PREFIX/$SUBDIR";

# find active dat directory
my $CURDAT = do {
        my $link = readlink $LINK
            or die "readlink $LINK: $!\n";
        $link =~ /^([0-9]{4})$/
            or die "readlink $LINK: $link is not four digits\n";
        $1;
};
my $CURDIR = "$DATDIR/$CURDAT";
my $EXTRADAT = "$CURDIR/extra.dat";

# HTTP things
my $ua = LWP::UserAgent->new;
sub get ($) {
        my $url = shift;
        my $r = $ua->get($url);
        if ($r->code != RC_OK) {
                my $e = $r->status_line;
                die "GET $url: $e\n"
        }
        return $r->content;
}

# extract list of new viruses
my @v;
my $vilnew = get $VILNEW;
while ($vilnew !~ m|^]*>\s*
                ]*>\s*
                ([^<]+)         # name
                \s* \s* \s*
                ]*>\s* ]*>\s*
                ([0-9]{2})/([0-9]{2})/([0-9]{4})\s*     # date
                \s* \s*
                ]*>\s* ]*>\s* ]*>\s*
                [^<]*           # risk 1
                \s* \s* \s*
                ]*>\s* ]*>\s* ]*>\s*
                [^<]*           # risk 2
                \s* \s* \s*
                ]*>\s* ]*>\s* ]*>\s*
                ([0-9]+)\s*     # datnum
                \s* \s* \s* \s*
                ]*>\s*
                ||sx) {
        push @v, { url => $1, name => $2,
                   date => "$5-$3-$4", datnum => $6 };
}
undef $vilnew;

# find out which ones have useful extra.dat files
my $extraurl;
for my $v (@v) {
        next unless $v->{datnum} > $CURDAT;
        $v->{page} = get "$VIL/$v->{url}";
        if ($v->{page} =~ m|EXTRA.DAT|) {
                if (defined $extraurl) {
                        warn "ignoring additional extra.dat $1\n"
                            unless $extraurl eq $1;
                } else {
                        $extraurl = $1;
                }
        }
}
exit unless defined $extraurl;

warn "fetching $extraurl\n";
my $zipdata = get $extraurl;
my $zipname = "$DATDIR/extra.zip";
my $datname = "$DATDIR/extra.dat";

if (not defined eval {
        chdir "$DATDIR"
            or die "chdir $DATDIR: $!\n";
        # note the zip file is used to prevent concurrent running
        # so it is removed last
        sysopen ZIPFILE, $zipname, O_RDWR|O_CREAT|O_EXCL
            or die "open $zipname: $!\n";
        syswrite ZIPFILE, $zipdata
            or die "write $zipname: $!\n";
        close ZIPFILE
            or die "close $zipname: $!\n";
        system $UNZIP, $zipname, 'extra.dat', '-d', $DATDIR
            and die "$UNZIP $zipname to $datname failed\n";
        system $UVSCAN, '--extra', $datname, '--version'
            and die "$UVSCAN failed\n";
        rename $datname, $EXTRADAT
            or die "rename $datname to $EXTRADAT: $!";
        unlink $zipname
            or die "remove $zipname: $!";
        print "Extra dat file installed OK.\n";
        exit 0;
}){
        warn $@;
        unlink $datname or warn "remove $datname: $!\n";
        unlink $zipname or warn "remove $zipname: $!\n";
        exit 1;
}
------------------------------------------------------------------------

From kevins at BMRB.CO.UK Tue Mar 2 18:40:30 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:54 2006
Subject: Cricket for monitoring
In-Reply-To:
References:
Message-ID: <1078252839.15141.3.camel@bach.kevinspicer.co.uk>

On Tue, 2004-03-02 at 18:03, Dan Newcombe wrote:
> Has anyone out there modified the MailScanner-MRTG package to work with
> Cricket instead of MRTG?

I have a (long term) semi-plan to migrate MailScanner-MRTG to use rrd tool eventually. You should be able to use the main mailscanner-mrtg script to supply data to pretty much anything you like. Just remember that it must be called at 5 minute intervals.

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From sconway at WLNET.COM Tue Mar 2 18:45:52 2004
From: sconway at WLNET.COM (Stephen Conway) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <5.1.0.14.2.20040302111930.025b0080@mail.frws.com> Message-ID: <200403021845.i22Ijck13074@zuga.wlnet.com> Good day: Does Sophos latest ide catch these, even if pw protected? Or should we upgrade sophos engine itself? Thanks, SC -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Support ePaxsys/FRWS Sent: Tuesday, March 02, 2004 1:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: bagle-i worm Hey folks Would not an addition to the filename.rules.conf rules to adjust for allowed size ranges also help in this situation? If the Virus.ZIP file was say under 100k (and maybe check for PW protection if possible) they could be blocked instead of blocking ALL Zips. Sure its an interim fix as the Virus writers would just make them bigger or do something different - but it would give us all another weapon to use to slow this stuff down and not stop legitimate mail (our goal after all!) while the AV writers come up with a solution. Thoughts? We are blocking Zips under 200k with the word 'password:' in them using procmail right now, and it is effective. Not elegant, not perfect, but its a decent interim solution. Jerome At 12:26 PM 3/2/04 -0600, Marco Obaid wrote: >Quoting Dan Newcombe : > > > Is Sophos supposed to be able to identify the password-protected zip file > > or just the virus that's in the file itself? > >I believe that it attempts to scan the entire file; > >MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: >W32/Bagle.E@mm >MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle- >E:: ./i226Mcwt003303/eaaead.zip > > > Just can't win - instead of setting up an ftp server for > > once-in-a-blue-moon files needed from off site, we asked people to just > > send a pw-protected ZIP file, and now those are on the evil list. > >Can't you just temporarily white list their server's IP address to skip the >the virus checks? I would not attempt to whitelist their domain since these >worms are skilled at spoofing the sender's address. > > >Marco ePaxsys/FRWS Technical Staff ePaxsys, Inc. http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 18:50:19 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <200403021845.i22Ijck13074@zuga.wlnet.com> Message-ID: <00d201c40087$35804440$0501a8c0@darkside> > >Does Sophos latest ide catch these, even if pw protected? Or should we >upgrade sophos engine itself? > >Thanks, > If you want to send a copy to me I can let you know. I've got the latest Sophos (3.79) with up to date IDE's. I don't see any bagle-i in my logs, so that may or may not be a bad sign. I'm at a relatively low volume site. --J(K) From shrek-m at GMX.DE Tue Mar 2 18:49:35 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring In-Reply-To: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> Message-ID: <4044D73F.5070806@gmx.de> Kevin Spicer wrote: >On Tue, 2004-03-02 at 18:03, Dan Newcombe wrote: > > >>Has anyone out there modified the MailScanner-MRTG package to work with >>Cricket instead of MRTG? >> >> hi kevin, Operating Systems The following OS's have been reported to work with the current or previous releases: * Red Hat 9 (RPM) * ... you can add $ cat /etc/fedora-release Fedora Core release 1 (Yarrow) # rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm $ lynx localhost/mailscanner-mrtg works -- shrek-m From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:20:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com> References: <1078247542.4044c0766a59a@webmail.MUW.Edu> <200403021724.i22HOqk27186@zuga.wlnet.com> Message-ID: <6.0.1.1.2.20040302191910.03a33608@imap.ecs.soton.ac.uk> Short answer is "no there isn't". Upgrade to the latest beta release of MailScanner and you will be protected against password-encrypted zip files, which is about the only way to stop this at the gateway. At 17:25 02/03/2004, you wrote: >Good day: > >Correct me if I am wrong, but if the zip is password protected, how would >the end user open it w/o a password? So should I be worried if some get >through? We have clients with slow Satellite connections, so it is >difficult for them to upgrade their virus defs, so we are there only line of >defense. Is there a way for Sophos to scan password protected zip files? > >Thanks, > >SC > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Marco Obaid >Sent: Tuesday, March 02, 2004 12:12 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: bagle-i worm > >I can confirm that Bagle-I worm did make it through our MS gateways. I am >running both Sophos and Command AV (up-to-date) and both let it slip >through. >We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it >helps. Meanwhile, I have blocked zip files temporarily. > > >Quoting Derek Winkler : > > > For Bagle-H Sophos included this note: > > > > "W32/Bagle-H sends itself as a password protected ZIP file that is not > > detected by this identity. However, when unzipped by the user the worm >will > > be detected by Sophos Anti-Virus at the user's desktop." > > > > May be true of Bagle-I since it also uses password protected ZIP files as > > well, although they didn't specifically say. > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:18:30 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: SpamAssassin+sendmail config questions In-Reply-To: References: Message-ID: <6.0.1.1.2.20040302191547.03a31b38@imap.ecs.soton.ac.uk> At 16:59 02/03/2004, you wrote: >hi > >I have been using SpamAssassin so for Linux with sendmail+procmail. > >I decided to use ClamAV and Mailscanner today. I have few basic questions, > >1. I had created /etc/procmailrc for SpamAssassin. Do I leave it "as is" ? You can remove all the SpamAssassin stuff from this. MailScanner calls SpamAssassin directly, which is quicker than using the spamc/spamd route that is commonly used via procmail. >2. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml >I see >that I have to create, > > /var/spool/MailScanner/incoming > /var/spool/MailScanner/quarantine > >What should be the permissions of these directories? >Should they be the same as mqueue.in as mentioned on >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml ? They need to be writable by the user you are running MailScanner as. Probably root. >3. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml >I see the instructions for modifying sendmail commands. In my >/etc/init.d/sendmail I have, > > > daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \ > $([ -n "$QUEUE" ] && echo -q$QUEUE) > RETVAL=$? > >What should the above lines change to? This makes it look like you are running RedHat Linux. If you are running RedHat or other rpm-based Linux distribution, you should be using the RPM-based distribution of MailScanner and just install it that way. Much easier. There are installation guides for the RPM-based distributions on the MailScanner website. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:21:07 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <4044C6A3.6080103@solid-state-logic.com> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> <4044C6A3.6080103@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040302192042.039354f8@imap.ecs.soton.ac.uk> Please can you put an example somewhere I can get it with a web browser? At 17:38 02/03/2004, you wrote: >Won't help > >ClamAV does spot this stuff though.. > >Also Julian's latest 4.28.2-2 doesn't catch it either (even though it >should!). I guess he's got real work on at the moment, or scratching his >head as to why it didn't work :-) > > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > > >Marco Obaid wrote: >>The worm DOES provide the user with the password :) >>Some of our users, as little techie as they are, managed to extract and >>execute the zip file ... >> >>Sophos, in my case, has been able to intercept Bagle A through F. For some >>reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the >>March >>release and will Upgrade MS to latest-stable. Then I will test if Bagle.I >>will >>make it through this time before I re-allow zip attachments on my site. >> >>Quoting Stephen Conway : >> >> >>>Good day: >>> >>>Correct me if I am wrong, but if the zip is password protected, how would >>>the end user open it w/o a password? So should I be worried if some get >>>through? We have clients with slow Satellite connections, so it is >>>difficult for them to upgrade their virus defs, so we are their only line of >>>defense. Is there a way for Sophos to scan password protected zip files? >>> >>>Thanks, >>> >>>SC > >********************************************************************** > >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. 
If you have received this email in error please notify >the system manager. > >This footnote confirms that this email message has been swept >for the presence of computer viruses and is believed to be clean. > >********************************************************************** -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hzhu at wesleyan.edu Tue Mar 2 16:35:37 2004 From: hzhu at wesleyan.edu (Hong Zhu) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk> Message-ID: Hi, we use sophos and latest bagle-i IDE was downloaded onto our mail server this morning, however we don't think mailscanner catch them as many have passed through... any idea? thanks, Hong From sconway at WLNET.COM Tue Mar 2 19:43:07 2004 From: sconway at WLNET.COM (Stephen Conway) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <00d201c40087$35804440$0501a8c0@darkside> Message-ID: <200403021942.i22Jgq618927@zuga.wlnet.com> Good Day: We are using 3.78 as attached, we are not using mailscanner for our filtering engine at the present, although we are planning on installing soon. Our current filter process we have a lot of custom rules, i.e. if from user@a.com cc to user@b.com, or archive to /somedir/usera ..., Etc. Can mailscanner do these types of things? Also, we need a log of all messages sent through mailscanner with all details including size of message, does mailscanners logs have this? Also, we are interested to know how well does mailscanner perform under heavy loads, as we tend to send / receive messages in large batches, causing our existing filter processes to raise load averages and memory usage. Thanks, SC -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki Sent: Tuesday, March 02, 2004 1:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: bagle-i worm > >Does Sophos latest ide catch these, even if pw protected? Or should we >upgrade sophos engine itself? > >Thanks, > If you want to send a copy to me I can let you know. I've got the latest Sophos (3.79) with up to date IDE's. I don't see any bagle-i in my logs, so that may or may not be a bad sign. I'm at a relatively low volume site. --J(K) -------------- next part -------------- SWEEP virus detection utility Copyright (c) 1989,2004 Sophos Plc, www.sophos.com System time 14:35:35, System date 02 March 2004 Product version : 3.78 Engine version : 2.18 User interface version : 2.07.046 Platform : Linux/Intel Released : 02 February 2004 Total viruses (with IDEs) : 87555 Information on additional data files: From kevins at BMRB.CO.UK Tue Mar 2 20:01:52 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:54 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> Message-ID: <1078257713.15140.35.camel@bach.kevinspicer.co.uk> On Tue, 2004-03-02 at 09:28, Julian Field wrote: > This version can now detect and block password-protected zip files. > > By default it will block all of them, but you can of course use a ruleset > to govern the behaviour of the new option > Allow Password-Protected Archives > > Download as usual from www.mailscanner.info. > I've just installed and tested this - it seems to work as advertised. I appreciate the difficulty with removing individual archives, but just wanted to report one issue which is a side effect of removing all parts. When sending a pgp signed message the mime structure ends up wrong (you have a multipart/signed message without a signed part) which on Evolution at least results in a blank message (I'd guess this is MUA specific to some extent as the warning text is in the source, just isn't rendered due to the mime issues). Not particularly important to me, but just thought I'd mention it. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Tue Mar 2 16:39:30 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: Message-ID: Hi! > we use sophos and latest bagle-i IDE was downloaded > onto our mail server this morning, however we don't > think mailscanner catch them as many have passed through... Can you verify locally on the box that Sophos _IS_ detecting there? Also, be sure you are running the latest version, the changes on the MIME parts can help... Bye, Raymond. From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:11:41 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <200403021942.i22Jgq618927@zuga.wlnet.com> References: <00d201c40087$35804440$0501a8c0@darkside> <200403021942.i22Jgq618927@zuga.wlnet.com> Message-ID: <6.0.1.1.2.20040302201048.03a28b18@imap.ecs.soton.ac.uk> At 19:43 02/03/2004, you wrote: >Good Day: > >We are using 3.78 as attached, we are not using mailscanner for our >filtering engine at the present, although we are planning on installing >soon. Our current filter process we have a lot of custom rules, i.e. if >from user@a.com cc to user@b.com, or archive to /somedir/usera ..., Etc. >Can mailscanner do these types of things? Yes. > Also, we need a log of all >messages sent through mailscanner with all details including size of >message, does mailscanners logs have this? What isn't provided by MailScanner logs is provided by MailWatch. Google will find it for you. >Also, we are interested to know how well does mailscanner perform under >heavy loads, as we tend to send / receive messages in large batches, causing >our existing filter processes to raise load averages and memory usage. It is designed to handle large loads, and shouldn't be a problem. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:18:28 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <1078257713.15140.35.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> At 20:01 02/03/2004, you wrote: >On Tue, 2004-03-02 at 09:28, Julian Field wrote: > > This version can now detect and block password-protected zip files. > > > > By default it will block all of them, but you can of course use a ruleset > > to govern the behaviour of the new option > > Allow Password-Protected Archives > > > > Download as usual from www.mailscanner.info. > > >I've just installed and tested this - it seems to work as advertised. I >appreciate the difficulty with removing individual archives, but just >wanted to report one issue which is a side effect of removing all parts. > >When sending a pgp signed message the mime structure ends up wrong (you >have a multipart/signed message without a signed part) which on >Evolution at least results in a blank message (I'd guess this is MUA >specific to some extent as the warning text is in the source, just isn't >rendered due to the mime issues). Not particularly important to me, but >just thought I'd mention it. Thanks for that report. I intend to rewrite most or all of this code properly at some point soon, when I get time. It's going to be a good weekend job as I need some uninterrupted hours, which doesn't happen at work at the moment. The TNEF handling code will have to be rewritten as well. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hzhu at wesleyan.edu Tue Mar 2 16:43:17 2004 
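Added example, not part of the original thread and not MailScanner's own code: one way a gateway can recognise a password-protected zip without knowing the password is to read the encryption bit (bit 0 of the general-purpose flag) in each member's ZIP headers, then apply a block-by-default policy like the "Allow Password-Protected Archives" option described above. The function names and the constructed sample archive are assumptions made for this example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # end of central directory record
CDIR_SIG = b"PK\x01\x02"    # central directory file header
LOCAL_SIG = b"PK\x03\x04"   # local file header
FLAG_ENCRYPTED = 0x0001     # general-purpose flag bit 0: member is encrypted
FLAG_UTF8_NAME = 0x0800     # general-purpose flag bit 11: name is UTF-8


def central_entries(data):
    """Yield (name, flags, cd_pos, local_off) for each central directory entry.

    ZIP64 archives are not handled here; the caller treats anything that
    cannot be parsed as unscannable.
    """
    # The EOCD record is 22 bytes plus a comment of at most 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG or pos + 46 > len(data):
            raise ValueError("corrupt central directory")
        flags, = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        raw = data[pos + 46:pos + 46 + name_len]
        name = raw.decode("utf-8" if flags & FLAG_UTF8_NAME else "cp437", "replace")
        yield name, flags, pos, local_off
        pos += 46 + name_len + extra_len + comment_len


def encrypted_members(data):
    """Return member names whose encryption bit is set in either header copy."""
    hits = []
    for name, flags, _cd_pos, local_off in central_entries(data):
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("local header missing for %r" % name)
        local_flags, = struct.unpack_from("<H", data, local_off + 6)
        # Check both copies: unpackers differ in which one they trust.
        if (flags | local_flags) & FLAG_ENCRYPTED:
            hits.append(name)
    return hits


def gateway_verdict(data, allow_password_protected=False):
    """Return 'block' or 'scan' for an attachment that claims to be a zip.

    Archives that cannot be parsed are blocked, because a virus scanner
    cannot look inside them either.
    """
    try:
        hits = encrypted_members(data)
    except (ValueError, struct.error):
        return "block"
    return "block" if hits and not allow_password_protected else "scan"


def build_sample(flag_member=None):
    """Build a constructed test archive; optionally flag one member as encrypted.

    Only the header bit is set (the payload is not really encrypted), which
    is all that a header-based check inspects.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample text\n")
        zf.writestr("document.bin", b"\x00" * 64)
    data = bytearray(buf.getvalue())
    for name, flags, cd_pos, local_off in list(central_entries(bytes(data))):
        if name == flag_member:
            struct.pack_into("<H", data, cd_pos + 8, flags | FLAG_ENCRYPTED)
            struct.pack_into("<H", data, local_off + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain", build_sample()),
                        ("flagged", build_sample("document.bin"))):
        print(label, encrypted_members(blob), gateway_verdict(blob))
```

The check needs no password and no signature update, which is why it still works when the scanner's virus identities cannot see inside the archive.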
From: hzhu at wesleyan.edu (Hong Zhu) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: Message-ID: yes, "netsky-d" was downloaded later than "bagle-i" and I can see mailscanner has been catching "netsky-d" however not "bagle-i"... Data file name : /usr/local/Sophos/ide/netsky-d.ide Data file type : IDE Data file date : 02 March 2004, 07:57:01 Data file status : Loaded Data file name : /usr/local/Sophos/ide/bagle-i.ide Data file type : IDE Data file date : 02 March 2004, 06:32:18 Data file status : Loaded thanks, Hong > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@jiscmail.ac.uk]On > Behalf Of Raymond Dijkxhoorn > Sent: Tuesday, March 02, 2004 11:40 AM > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: bagle-i worm > > > Hi! > > > we use sophos and latest bagle-i IDE was downloaded > > onto our mail server this morning, however we don't > > think mailscanner catch them as many have passed through... > > Can you verify locally on the box that Sophos _IS_ detecting there? Also, > be sure you are running the latest version, the changes on the MIME parts > can help... > > Bye, > Raymond. > From drew at THEMARSHALLS.CO.UK Tue Mar 2 16:42:09 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:54 2006 Subject: FreeBSD 5.x Message-ID: <25163.194.70.180.170.1078245729.squirrel@net.themarshalls.co.uk> Nick Nelson said: > Hey folks. > > Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) on FreeBSD? Not that I have found. I'm running 5.2.1 with out problems. Anything I should take into consideration before starting > the install? > Not really. I always install from ports but otherwise... > Will I lose a lot of performance going with something such as Fedora? RHES isn't an option unfortunately. > > Thanks.. > Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From maillists at CONACTIVE.COM Tue Mar 2 20:31:37 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:54 2006 Subject: Bayes rebuild never completes In-Reply-To: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> Message-ID: John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100: > Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes > database rebuild preparing" then "SpamAssassin Bayes database rebuild > starting", but never get as far as the "SpamAssassin Bayes database > rebuild completed" that I see in the code. > try a manual expire and see if it gets thru, it's possible that your Bayes db is corrupted and the Expire never completes. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From rcooper at DWFORD.COM Tue Mar 2 17:20:31 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:54 2006 Subject: Problems with 4.28-2 In-Reply-To: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Tuesday, March 02, 2004 11:09 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Problems with 4.28-2 > > > Many thanks for letting me know about that one, and > for writing the fix for > me. It turns up 1 other time in Message.pm as well > (look for "Escape any " > and you will find it). > Fixed for the next release. > Your very welcome and thank you. Next item, are you aware that the messages sent upon detecting a bad file name or protected zip are blank and the warnings: Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "SystemWarning.txt" attachment(s) for more information. Are in the warning attachment instead? > At 15:34 02/03/2004, you wrote: > >Ok, I ran some test messages with 4.28-7 and when I sent a zip > >with a password or bad filename the log showed: > > > >Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, > >ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0 > >Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 > >messages, 988519 bytes > >Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting > >Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin > returned 0 > >Mar 2 09:00:48 srv2 MailScanner[29720]: Created > attachment dirs > >for 1 messages > >Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content > >Scanning: Starting > >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing > scanning by > >f-prot... > >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by > >f-prot > >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing > scanning by > >clamavmodule... 
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by > >clamavmodule > >Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: > >Windows/DOS Executable (1AyARd-0007mi-Kk 0) > >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by > >/usr/bin/file > >Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No > >executables (1AyARd-0007mi-Kk 0) > >Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 > >problems > > > >This would repeat over and over with the same e-mail until I > >killed MailScanner. I put it in debug and got: > > > >Debug: > >In Debugging mode, not forking... > >Unmatched ( in regex; marked by <-- HERE in m/the > sender of these > >problems anymore ( <-- HERE since we cannot tell legitimate > >senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line > >1913, line 18. > > > >So I looked in the report and saw it was puking on a sentence > >enclosed in (). I looked at Message.pm line 1913 and noted: > > > > $line =~ s/"/\\"/g; # Escape any " characters > > $line =~ s/@/\\@/g; # Escape any @ characters > > > >So I removed the ( and ) and it puked on a sentence that was > >enclosed by **. I did some other checks and it puked > on any regex > >reserved character and didn't like words surrounded by quotes > >like "To" (it did not puke on them but it complained > about them) > >. So I commented out the two lines above and added: > > > >$line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape > any regex > >characters > > > >and everything worked fine again. I found I could not > escape the > >"$" because it blew the eval() below this section. I have used > >the same reports for months and have never had this happen > >before. Did something change here? I'm confused as to if this > >problem has to do with something on this end as I > have not seen > >other comments about the "Maximum Archive Depth", or this > >problem, on the list. 
Although I guess unless your > virus.deleted > >or filename.deleted reports contained the same > characters [()* or > >.*] you wouldn't notice.. come to think about it I > recently add > >the text that was enclosed parenthetically. Might be > something to > >look at Julian. > > > > > >-- > >Rick Cooper > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From mikes at HARTWELLCORP.COM Tue Mar 2 20:33:45 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:54 2006 Subject: Defunct MailScanner procs Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0A@hart-exchange.hartwellcorp.com> Found it. Thanks. ;-D Julian Field wrote: > Check your mail log. You probably have a syntax error somewhere, your > log will tell you where. > Or else you might have upgraded from a version that didn't need > Net::CIDR and forgotten to read the docs and install that first? > > At 23:32 01/03/2004, you wrote: >> I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct >> MailScanner processes on my system. I don't know if they existed >> before the upgrade or not as I didn't really go looking for them. >> >> Does this indicate a problem? -- Michael St. Laurent Hartwell Corporation From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:48:29 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: Problems with 4.28-2 In-Reply-To: References: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040302204747.03a2be90@imap.ecs.soton.ac.uk> At 17:20 02/03/2004, you wrote: > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Tuesday, March 02, 2004 11:09 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Problems with 4.28-2 > > > > > > Many thanks for letting me know about that one, and > > for writing the fix for > > me. It turns up 1 other time in Message.pm as well > > (look for "Escape any " > > and you will find it). > > Fixed for the next release. > > > >Your very welcome and thank you. Next item, are you aware that >the messages sent upon detecting a bad file name or protected zip >are blank and the warnings: > >Warning: This message has had one or more attachments removed >Warning: (the entire message). >Warning: Please read the "SystemWarning.txt" attachment(s) for >more information. > >Are in the warning attachment instead? If it finds a protected zip file it knocks out the entire message, not just the zip file. Known issue. > > At 15:34 02/03/2004, you wrote: > > >Ok, I ran some test messages with 4.28-7 and when I sent a zip > > >with a password or bad filename the log showed: > > > > > >Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, > > >ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0 > > >Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 > > >messages, 988519 bytes > > >Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting > > >Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin > > returned 0 > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Created > > attachment dirs > > >for 1 messages > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content > > >Scanning: Starting > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing > > scanning by > > >f-prot... > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by > > >f-prot > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing > > scanning by > > >clamavmodule... 
> > >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by > > >clamavmodule > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: > > >Windows/DOS Executable (1AyARd-0007mi-Kk 0) > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by > > >/usr/bin/file > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No > > >executables (1AyARd-0007mi-Kk 0) > > >Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 > > >problems > > > > > >This would repeat over and over with the same e-mail until I > > >killed MailScanner. I put it in debug and got: > > > > > >Debug: > > >In Debugging mode, not forking... > > >Unmatched ( in regex; marked by <-- HERE in m/the > > sender of these > > >problems anymore ( <-- HERE since we cannot tell legitimate > > >senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line > > >1913, line 18. > > > > > >So I looked in the report and saw it was puking on a sentence > > >enclosed in (). I looked at Message.pm line 1913 and noted: > > > > > > $line =~ s/"/\\"/g; # Escape any " characters > > > $line =~ s/@/\\@/g; # Escape any @ characters > > > > > >So I removed the ( and ) and it puked on a sentence that was > > >enclosed by **. I did some other checks and it puked > > on any regex > > >reserved character and didn't like words surrounded by quotes > > >like "To" (it did not puke on them but it complained > > about them) > > >. So I commented out the two lines above and added: > > > > > >$line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape > > any regex > > >characters > > > > > >and everything worked fine again. I found I could not > > escape the > > >"$" because it blew the eval() below this section. I have used > > >the same reports for months and have never had this happen > > >before. Did something change here? 
I'm confused as to if this > > >problem has to do with something on this end as I > > have not seen > > >other comments about the "Maximum Archive Depth", or this > > >problem, on the list. Although I guess unless your > > virus.deleted > > >or filename.deleted reports contained the same > > characters [()* or > > >.*] you wouldn't notice.. come to think about it I > > recently add > > >the text that was enclosed parenthetically. Might be > > something to > > >look at Julian. > > > > > > > > >-- > > >Rick Cooper > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > > 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jase at SENSIS.COM Tue Mar 2 20:56:01 2004 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:22:54 2006 Subject: McAfee PROBLEM !!! Message-ID: Thanks for this info - it was very helpful! I have the same results. Jason > -----Original Message----- 
> From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA] > Sent: Tuesday, March 02, 2004 2:09 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] McAfee PROBLEM !!! > > > Hi, > > We installed the extra.dat this morning and it was catching some > W32/Bagle.gen!pwdzip (ED) with dat 4330. > > Now that dat 4331 is out the same files are not detected as viruses > anymore!!! > > I reinstalled the extra.dat to be sure they are detected. > > Scan with 4331: > # uvscan --mime --mailbox --secure * > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR > is password-protected. > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR > is password-protected. > > Scan with 4331 and extra.dat: > # uvscan --mime --mailbox --secure * > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip > Found the W32/Bagle.gen!pwdzip (ED) virus !!! > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip > Found the W32/Bagle.gen!pwdzip (ED) virus !!! > > Denis > -- > Denis Beauchemin, analyste > Université de Sherbrooke, S.T.I. > T: 819.821.8000x2252 F: 819.821.8045 > From raymond at PROLOCATION.NET Tue Mar 2 17:59:04 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:54 2006 Subject: Header problem, part 2 In-Reply-To: <4044C422.1080908@abacom.com> Message-ID: Hi! > > Just to add to my previous EMAIL, I find that pretty much every message > I check that contains attachments has this header: > > MIME_MISSING_BOUNDARY 1.84 > > in the spamassassin score. > > Could this be related? That's why I suggested upgrading MailScanner, there have been changes to the MIME stuff. Bye, Raymond. From mikes at HARTWELLCORP.COM Tue Mar 2 21:13:04 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:54 2006 Subject: Getting a *lot* of these Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0C@hart-exchange.hartwellcorp.com> I'm seeing a *lot* of messages such as the following in the /var/log/maillog file: Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf queue file for message i1PATTK9011213 Is there a way to configure MailScanner to do something about these instead of complaining about them incessantly? My log files are getting *Huge*! -- Michael St. Laurent Hartwell Corporation From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 16:35:59 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:54 2006 Subject: FreeBSD 5.x In-Reply-To: <4044B39C.2070900@1SEO.net> References: <4044B39C.2070900@1SEO.net> Message-ID: <4044B7EF.2080905@solid-state-logic.com> Nick running freebsd 4.8 on a celeron 600/512MB ram with sophossavi/clamav/sa (with bayes and a whole bunch of extra rules and RBL's)/MailWatch/Mysql/Apache and exim as the MTA. I'm also running softupdates on all the filesystems (a single IDE hard disk). Using a ram disk (ie a linux style tmpfs) instead of a softupdate-ed file system made negligible performance improvements (1-2%). I get around 1200 messages an hour out of the thing, when it's going full tilt. I average around 9000 messages a day no problems. BTW > 80% of my traffic is spam/viruses. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Nick Nelson wrote: > Hey folks. > > Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) > on FreeBSD? Anything I should take into consideration before starting > the install? > > Will I lose a lot of performance going with something such as Fedora? > RHES isn't an option unfortunately. > > Thanks.. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From kevins at BMRB.CO.UK Tue Mar 2 21:06:06 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:54 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> Message-ID: <1078261566.15141.60.camel@bach.kevinspicer.co.uk> On Tue, 2004-03-02 at 20:18, Julian Field wrote: > At 20:01 02/03/2004, you wrote: > >On Tue, 2004-03-02 at 09:28, Julian Field wrote: > > > This version can now detect and block password-protected zip files. > > > > > > By default it will block all of them, but you can of course use a ruleset > > > to govern the behaviour of the new option > > > Allow Password-Protected Archives > > > > > > Download as usual from www.mailscanner.info. > > > One more thing to report... When the message contains a blocked file type within a zipfile the sender, recipient and postmaster get notified. (Okay) When the message contains an encrypted zip the recipient gets a warning, but neither sender nor postmaster get alerted. (Not Okay). Presumably this would vary according to the various Notify and Notices options, but personally I would like to see the same behaviour in both cases (since this is a policy decision not an actual found virus). For reference I'm running with all notifications on except notify senders of viruses. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Tue Mar 2 21:14:33 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:54 2006 Subject: Getting a *lot* of these In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D0C@hart-exchange.hartwellcorp.com> Message-ID: Hi! > Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf queue > file > for message i1PATTK9011213 > > Is there a way to configure MailScanner to do something about these instead > of complaining about them incessantly? My log files are getting *Huge*! What about cleaning out your incoming queue :) That's where it starts. Bye, Raymond. From pete at eatathome.com.au Tue Mar 2 21:32:20 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:54 2006 Subject: Clam AV In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk> Message-ID: <4044FD64.90308@eatathome.com.au> Spicer, Kevin wrote: >Drew Marshall wrote: > > >>I also don't >>use the MS update scripts, preferring my own cron jobs spaced at >>different hourly times so that if MS is called while an update is >>happening the other scanner will still work and to attempt to ensure >>that one scanner should catch updates no matter which half of the >>hour they are posted. >> >> > >The mailscanner update script (update_virus_scanners) creates a lock file which makes MailScanner wait for the scanner updates to complete before continuing with scanning, this should be safer than your method. > > > >>should I also run Clam (Which was updated quite quickly >>yesterday, no promise that it will be in the future but...) or is 3 AV >>products overkill. >> >> > >I now use Sophos, Clam and Symantec - Having seen the variance in update times the more the merrier is my angle. > > > >>The box it's on is not that big so will Clam use >>huge amounts of system to run? >> >> > >Not huge (nothing like the load of Spamassassin). > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > > > > > We have 3 layers of AV. 
Firstly firewall does a lot of filetype filtering then 1=Clamav on MailScanners, 2=SAV on Domino MailGateway, 3=NAV on Domino home servers, 4=Etrust on Workstations, 5=We're using NAV on File servers - but are switching to 'haven't decided yet' shortly. Note - we find NAV almost completely worthless, especially compared to etrust, which is fairly good, but none were within 12 hours (and over 24 on one occasion) of clamav in providing updates for the last 3 or 4 large outbreaks. I would think clamav is essential on the mailscanner machine. From drew at THEMARSHALLS.CO.UK Tue Mar 2 21:33:35 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:54 2006 Subject: Svar: Re: bagle-i worm In-Reply-To: References: Message-ID: <4044FDAF.3030102@themarshalls.co.uk> Jan Elmqvist Nielsen wrote: >Hi > >I have seen 1. >Kaspersky: >/var/spool/MailScanner/incoming/23295/i22K6AC28320/AttachedDocument.zip/ycfgeutj.scr >infected: I-Worm.Bagle.h > >in the mail is writing this: >You have won!!! >password -- 01251 > >I am also running f-prot, it dosn't catch it. > > F-Port haven't officially recognised it (Or not according to their website) so there isn't a definition yet. I've just installed Clam also, any one know how to check if that's got it covered yet? >I don't know how kaspersky detect it in the password protected zip fil. >But it does :-) >Last kaspersky update from 19.01 > >/Jan Elmqvist Nielsen > > > >>>>marco@MUW.EDU 02-03-04 18:12 >>> >>>> >>>> >I can confirm that Bagle-I worm did make it through our MS gateways. I >am >running both Sophos and Command AV (up-to-date) and both let it slip >through. >We are running MS 4.26.8-1 and will upgrade to the latest one soon, if >it >helps. Meanwhile, I have blocked zip files temporarily. > > >Quoting Derek Winkler : > > > >>For Bagle-H Sophos included this note: >> >>"W32/Bagle-H sends itself as a password protected ZIP file that is not >>detected by this identity. However, when unzipped by the user the worm >> >> >will > > >>be detected by Sophos Anti-Virus at the user's desktop." >> >>May be true of Bagle-I since it also uses password protected ZIP files >> >> >as > > >>well, although they didn't specifically say. >> >> >> -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040302/ee3b696a/attachment.html From jen at AH.DK Tue Mar 2 21:30:04 2004 From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:22:54 2006 Subject: Svar: Re: bagle-i worm Message-ID: Hi I have seen 1. Kaspersky: /var/spool/MailScanner/incoming/23295/i22K6AC28320/AttachedDocument.zip/ycfgeutj.scr infected: I-Worm.Bagle.h in the mail is writing this: You have won!!! password -- 01251 I am also running f-prot, it doesn't catch it. I don't know how kaspersky detects it in the password protected zip file. But it does :-) Last kaspersky update from 19.01 /Jan Elmqvist Nielsen >>> marco@MUW.EDU 02-03-04 18:12 >>> I can confirm that Bagle-I worm did make it through our MS gateways. I am running both Sophos and Command AV (up-to-date) and both let it slip through. We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it helps. Meanwhile, I have blocked zip files temporarily. Quoting Derek Winkler : > For Bagle-H Sophos included this note: > > "W32/Bagle-H sends itself as a password protected ZIP file that is not > detected by this identity. However, when unzipped by the user the worm will > be detected by Sophos Anti-Virus at the user's desktop." > > May be true of Bagle-I since it also uses password protected ZIP files as > well, although they didn't specifically say. > From raymond at PROLOCATION.NET Tue Mar 2 16:45:09 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: Message-ID: Hi! > yes, "netsky-d" was downloaded later than "bagle-i" > and I can see mailscanner has been catching "netsky-d" > however not "bagle-i"... > > Data file name : /usr/local/Sophos/ide/netsky-d.ide > Data file type : IDE > Data file date : 02 March 2004, 07:57:01 > Data file status : Loaded > > Data file name : /usr/local/Sophos/ide/bagle-i.ide > Data file type : IDE > Data file date : 02 March 2004, 06:32:18 > Data file status : Loaded I do not care much about the files being there, test it on some files yourself. It might be a variant that your scanner is not picking up for example. Bye, Raymond. From ugob at CAMO-ROUTE.COM Wed Mar 3 07:57:59 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:54 2006 Subject: Custom Scores Message-ID: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Pete [mailto:pete@eatathome.com.au] >Sent: 3 March, 2004 01:26 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Custom Scores > > >Just installed DCC on one of my servers today and is working nicely - >made me think that, if some messages are listed with checks like DCC or >certain RBLs, then they must be almost 100% spam, or >undesirable emails? > >Has anyone heard of DCC or the best RBLs listing legit senders or >emails? is it worth giving these a much higher score so these message >score as High Spam and are deleted on the spot? > >OR am I missing the central reasons why this likes DCC only >score 1.81 ? > If that can help you, I got many DCC_CHECK scores with 1.81, but also one with 2.91, like the one below: (required 6, autolearn=spam, DCC_CHECK 2.91, HTML_50_60 0.10, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, MIME_HEADER_CTYPE_ONLY 2.23, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_SHORT 3.03, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, X_LIBRARY 1.58) Maybe it is a setting that is variable...maybe ask on the DCC list... hth Ugo From vermaas at JMDEJONG.NL Wed Mar 3 09:22:22 2004 
From: vermaas at JMDEJONG.NL (Peter Vermaas) Date: Thu Jan 12 21:22:54 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <1078261566.15141.60.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> <1078261566.15141.60.camel@bach.kevinspicer.co.uk> Message-ID: <4045A3CE.10304@jmdejong.nl> Kevin Spicer wrote: > When the message contains an encrypted zip the recipient gets a warning, > but neither sender nor postmaster get alerted. (Not Okay). > Also the message doesn't seem to be quarantined, although the recipient gets a message which says it is quarantined. From dwinkler at ALGORITHMICS.COM Tue Mar 2 16:46:25 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> For Bagle-H Sophos included this note: "W32/Bagle-H sends itself as a password protected ZIP file that is not detected by this identity. However, when unzipped by the user the worm will be detected by Sophos Anti-Virus at the user's desktop." May be true of Bagle-I since it also uses password protected ZIP files as well, although they didn't specifically say. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Hong Zhu > Sent: Tuesday, March 02, 2004 11:36 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: bagle-i worm > > > Hi, > > we use sophos and latest bagle-i IDE was downloaded > onto our mail server this morning, however we don't > think mailscanner catch them as many have passed through... > > any idea? > > thanks, > Hong > From pete at eatathome.com.au Tue Mar 2 21:56:21 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:54 2006 Subject: Whic Version should i run? Message-ID: <40450305.1070207@eatathome.com.au> I am in the process of upgrading to latest stable release, but reading the list I am now not sure if I should be running the latest beta to protect against these latest password protected zip viruses? I don't really care about content scanning them, just if it's a virus then trap the message, will latest stable and clamav stop these for me? I don't really want to run beta if I can avoid it. From shrek-m at GMX.DE Tue Mar 2 21:57:31 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring In-Reply-To: <1078254550.15141.5.camel@bach.kevinspicer.co.uk> References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> <4044D73F.5070806@gmx.de> <1078254550.15141.5.camel@bach.kevinspicer.co.uk> Message-ID: <4045034B.2050100@gmx.de> Kevin Spicer wrote: >On Tue, 2004-03-02 at 18:49, shrek-m@gmx.de wrote: > > >>you can add >> >>$ cat /etc/fedora-release >>Fedora Core release 1 (Yarrow) >> >># rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm >> >>$ lynx localhost/mailscanner-mrtg >> >>works >> >> > >Thanks. Bet the graphs don't look too good through lynx ;) > > in comparison with mozilla, no :-) $ lynx localhost/mailscanner-mrtg MailScanner MRTG Index Page (p1 of 4) REFRESH(300 sec): http://localhost/mailscanner-mrtg/ MailScanner-MRTG Mail Relayed Daily Graph Mail Relayed Daily Graph Spam Identified Daily Graph Spam Identified Daily Graph Virii & Blocked Content Daily Graph Virii Caught Daily Graph MTA Processes Daily Graph MTA Processes Daily Graph Copies Of MailScanner Daily Graph Copies Of MailScanner Daily Graph MBytes of Mail Transferred Daily Graph -- Leertaste für nächste Seite -- Pfeile: Auf/Ab: andere Seite im Text. Rechts: Verweis folgen; Links: zurück.H)il -- shrek-m From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 21:58:08 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:54 2006 Subject: Svar: Re: bagle-i worm In-Reply-To: <4044FDAF.3030102@themarshalls.co.uk> Message-ID: <010101c400a1$729be310$0501a8c0@darkside> >I've just installed Clam also, any one know how to check if that's got it covered yet? grep -i bagle /path/to/share/clamav/viruses.* | cut -f 1 -d " " viruses.db:Worm.Bagle.A viruses.db2:Worm.Bagle.A2 viruses.db2:Worm.Bagle.A2-unp viruses.db2:Worm.Bagle.A3 viruses.db2:Worm.Bagle.A3-unp viruses.db2:Worm.Bagle.E viruses.db2:Worm.Bagle.F viruses.db2:Worm.Bagle.F-zippwd viruses.db2:Worm.Bagle.H viruses.db2:Worm.Bagle.F-zippwd-2 viruses.db2:Worm.Bagle.I viruses.db2:Worm.Bagle.A2-dll HTH, --J(K) From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 22:12:49 2004 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:54 2006 Subject: Svar: Re: bagle-i worm In-Reply-To: <4045054F.4010102@gmx.de> Message-ID: <010801c400a3$7ff13540$0501a8c0@darkside> >sigtool / ClamAV version 0.67 Ok, so I'm a little behind the times. :) --J(K) From shrek-m at GMX.DE Tue Mar 2 22:06:07 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:54 2006 Subject: Svar: Re: bagle-i worm In-Reply-To: <010101c400a1$729be310$0501a8c0@darkside> References: <010101c400a1$729be310$0501a8c0@darkside> Message-ID: <4045054F.4010102@gmx.de> Jason Balicki wrote: >>I've just installed Clam also, any one know how to check if that's got it >> >> >covered yet? > >grep -i bagle /path/to/share/clamav/viruses.* | cut -f 1 -d " " > >viruses.db:Worm.Bagle.A >viruses.db2:Worm.Bagle.A2 >viruses.db2:Worm.Bagle.A2-unp >viruses.db2:Worm.Bagle.A3 >viruses.db2:Worm.Bagle.A3-unp >viruses.db2:Worm.Bagle.E >viruses.db2:Worm.Bagle.F >viruses.db2:Worm.Bagle.F-zippwd >viruses.db2:Worm.Bagle.H >viruses.db2:Worm.Bagle.F-zippwd-2 >viruses.db2:Worm.Bagle.I >viruses.db2:Worm.Bagle.A2-dll > # file /usr/local/share/clamav/* /usr/local/share/clamav/daily.cvd: data /usr/local/share/clamav/main.cvd: data # sigtool --version; sigtool --list | grep -i bagle sigtool / ClamAV version 0.67 Worm.Bagle.A Worm.Bagle.A2 Worm.Bagle.A2-unp Worm.Bagle.A3 Worm.Bagle.A3-unp Worm.Bagle.E Worm.Bagle.F Worm.Bagle.F-zippwd Worm.Bagle.H Worm.Bagle.F-zippwd-2 Worm.Bagle.I Worm.Bagle.A2-dll -- shrek-m From mikes at HARTWELLCORP.COM Tue Mar 2 22:18:10 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:54 2006 Subject: Getting a *lot* of these Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com> Raymond Dijkxhoorn wrote: >> Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf >> queue file for message i1PATTK9011213 >> >> Is there a way to configure MailScanner to do something about these >> instead of complaining about them incessantly? My log files are >> getting *Huge*! > > What about cleaning out your incomming queue :) Thats where it starts. I *am* cleaning it out. Each night I'm removing any file more than one day old. However, my log files are still getting bloated. -- Michael St. Laurent Hartwell Corporation From jamesb at LUDCASTLE.CO.UK Tue Mar 2 23:06:39 2004 From: jamesb at LUDCASTLE.CO.UK (James Beale) Date: Thu Jan 12 21:22:54 2006 Subject: Virus infected attachment removal Message-ID: Hi Firstly, apologies. I'm feeling a little sheepish that I can't work this out for myself! I'm using Mailscanner with Command Software's virus scanner. Mail is being picked up via Fetchmail. I am testing with Eicar test virus, and using Openwebmail as my client. Mailscanner correctly identifies that the incoming mail has a virus, and deposits {VIRUS?} in the subject field. What I can't seem to do is get the attachment either disinfected or removed from the message. Eicar is not in any activated "allowed" list or other. I have messed around with the following, and currently have them set to: Deliver To Recipients = yes Deliver From Local Domains = yes Action = delete Deliver Disinfected Files = yes Not for the first time I feel I'm missing something obvious... Thanks very much. James. From cconn at ABACOM.COM Tue Mar 2 17:09:51 2004 
From: cconn at ABACOM.COM (Chris Conn) Date: Thu Jan 12 21:22:54 2006 Subject: Cannot read header Message-ID: <4044BFDF.7010509@abacom.com> Hello, What can these messages represent? I have this occasionally when customers send attachments with messages: Mar 2 06:36:59 MailScanner[18007]: Cannot parse /var/spool/MailScanner/incoming/18007/i22Bav6Q016452.header and , Mar 2 06:48:35 MailScanner[18123]: Cannot parse /var/spool/MailScanner/incoming/18123/i22BmW6Q018078.header and , Mar 2 06:52:50 MailScanner[17930]: Cannot parse /var/spool/MailScanner/incoming/17930/i22Bqj6Q018717.header and , Mar 2 08:00:54 MailScanner[23072]: Cannot parse /var/spool/MailScanner/incoming/23072/i22D0h6R031169.header and , Mar 2 08:33:23 MailScanner[23190]: Cannot parse /var/spool/MailScanner/incoming/23190/i22DXG6Q006004.header and , Mar 2 11:13:17 MailScanner[23025]: Cannot parse /var/spool/MailScanner/incoming/23025/i22GD7rx016954.header and , Mar 2 11:43:37 MailScanner[17798]: Cannot parse /var/spool/MailScanner/incoming/17798/i22GhVrx026313.header and , Mar 2 11:46:55 MailScanner[18487]: Cannot parse /var/spool/MailScanner/incoming/18487/i22Gimrx026692.header and , The messages are delivered with the virus warning and no attachments. Attachment sizes vary from small to large. I am running MailScanner-4.25-14 on RH9, and the /var/spool/MailScanner/incoming/ is on a tmpfs directory in case that matters. Thanks in advance, Chris From rzewnickie at RFA.ORG Tue Mar 2 17:51:35 2004 
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:22:54 2006 Subject: More details in the logs In-Reply-To: <4043A1B7.2090100@eatathome.com.au> References: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au> <4043A1B7.2090100@eatathome.com.au> Message-ID: <20040302175135.GC7683@rfa.org> On Tue, Mar 02, 2004 at 07:48:55AM +1100, Pete wrote: > If you want a text only version you could get and run the pflogsum.pl > script from sourceforge too - simple perl script that greps the maillog > and produces a nice report each night and emails it to me.. Where do you get this? I can't seem to find it on sf anywhere .... Is the version here the official, most recent version? http://jimsun.linxnet.com/postfix_contrib.html -Eric Rz. From isp-list at TULSACONNECT.COM Wed Mar 3 00:43:59 2004 
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:22:54 2006 Subject: FreeBSD 5.x In-Reply-To: <4044B39C.2070900@1SEO.net> Message-ID: <5.1.1.6.2.20040302183909.06d76b00@pop3.tulsaconnect.com> At 11:17 AM 3/2/2004 -0500, you wrote: >Hey folks. > >Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) >on FreeBSD? Anything I should take into consideration before starting >the install? > >Will I lose a lot of performance going with something such as Fedora? >RHES isn't an option unfortunately. > >Thanks.. We run 3 FreeBSD boxes, two are 4.9 and one is stil 4.8. Two of them are 2x2.8G Xeon w/1GB RAM and 36GB U320 SCSI drive, the other is a 2xP3-1.6G w/1GB RAM and 18GB SCSI. We run SA+Bayes+backhair/popcorn/evillist/others+SBL+XBL+spamcop.net with exim 4.x using MySQL as the back-end for relay list validation. softupdates is turned on, and noatime is set on each filesystem in /etc/fstab. /etc/sysctl.conf has several tweaks for high volume stuff. We process about 720,000 messages a day with this configuration. We are adding a 4th machine this week as the machines are starting to lag behind during very busy times of the day. --------------------------------------- Mike Bacher / mike@sparklogic.com SparkLogic Development / ISP Consulting Use OptiGold ISP? Check out OptiSkin! http://www.sparklogic.com/optiskin/ --------------------------------------- From pete at eatathome.com.au Wed Mar 3 01:05:17 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:54 2006 Subject: Domino/Exchange MailScanner users Message-ID: <40452F4D.4060009@eatathome.com.au> I know this has been covered before, but we are a Domino shop with MailScanners running in front of our email borders. All non spam email is relayed to Domino servers. It is not possible in this environment to ask users to forward mail to spam/non spam addresses, or copy them to spam/non spam folders etc they just won't do it. Is it practical for me to archive some non spam email each day and some spam email then run sa-learn over it with Julian's bash scripts? Is this how people who don't have the spam/non spam boxes gather non spam for bayes? I keep trying to use auto learn but I don't think it works very well and is very quickly poisoned and giving negative scores to spam. Not using bayes means too many newsgroup/newsletter emails are trapped as spam, being an academic facility I, like mailscanner, consider most of the emails these people get is spam, but they don't. So I need to put some effort into getting bayes working, but without any user input. 1. Is the above worthwhile pursuing? or does bayes really need user to input spam/non spam? 2. If I archive non spam and feed it into bayes, I would need to have a good look at it first - is there a way to apply filters to mailwatch so that mailwatch will display say only Spam, or only High Spam, or only emails that were archived, or only Non Spam? With this filtering I could then check the mail each day easily and release the legit stuff and then run the scripts on the mail remaining. Thanks in advance for ANY suggestions. Pete From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 2 19:09:09 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:54 2006 Subject: McAfee PROBLEM !!! Message-ID: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca> Hi, We installed the extra.dat this morning and it was catching some W32/Bagle.gen!pwdzip (ED) with dat 4330. Now that dat 4331 is out the same files are not detected as viruses anymore!!! I reinstalled the extra.dat to be sure they are detected. Scan with 4331: # uvscan --mime --mailbox --secure * /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR is password-protected. /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR is password-protected. Scan with 4331 and extra.dat: # uvscan --mime --mailbox --secure * /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!! /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From kevins at BMRB.CO.UK Tue Mar 2 19:09:10 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:55 2006 Subject: Cricket for monitoring In-Reply-To: <4044D73F.5070806@gmx.de> References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> <4044D73F.5070806@gmx.de> Message-ID: <1078254550.15141.5.camel@bach.kevinspicer.co.uk> On Tue, 2004-03-02 at 18:49, shrek-m@gmx.de wrote: > you can add > > $ cat /etc/fedora-release > Fedora Core release 1 (Yarrow) > > # rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm > > $ lynx localhost/mailscanner-mrtg > > works Thanks. Bet the graphs don't look too good through lynx ;) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From drew at THEMARSHALLS.CO.UK Wed Mar 3 01:41:47 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:55 2006 Subject: bagle-i worm In-Reply-To: <1078247542.4044c0766a59a@webmail.MUW.Edu> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> <1078247542.4044c0766a59a@webmail.MUW.Edu> Message-ID: <404537DB.5070509@themarshalls.co.uk> Now I'm hoping that I've hacked the best answer I can for this. Postfix can do header & body filtering so I've set up a load of discard rules based on the Bagle-i subject lines (Just hope I've got them all :-) ) Some thing of a moral dilemma in so much as the options really are discard, which deletes the message having given the sending server a 250 response (Breaks an RFC to two!) or reject but I just don't like the idea of sending the virus laden message back to some poor innocent party. Now just have to sit back and wait... Drew Marco Obaid wrote: >I can confirm that Bagle-I worm did make it through our MS gateways. I am >running both Sophos and Command AV (up-to-date) and both let it slip through. >We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it >helps. Meanwhile, I have blocked zip files temporarily. > > >Quoting Derek Winkler : > > > >>For Bagle-H Sophos included this note: >> >>"W32/Bagle-H sends itself as a password protected ZIP file that is not >>detected by this identity. However, when unzipped by the user the worm will >>be detected by Sophos Anti-Virus at the user's desktop." >> >>May be true of Bagle-I since it also uses password protected ZIP files as >>well, although they didn't specifically say. >> >> >> -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From rich at MAIL.WVNET.EDU Wed Mar 3 02:05:10 2004 
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk> Message-ID: <40453D56.70507@mail.wvnet.edu> Julian Field wrote: > At 12:45 02/03/2004, you wrote: > >> Also, If I change the above to 0 will that disable filename/type >> checking inside the archives? > > > I think so, yes. If 0 doesn't disable it, then -1 certainly will. > I tried setting Maximum Archive Depth = 0 (as well as -1) and the internal zip file checking was not disabled. The results were that all files including simple text messages received the warning... >Warning: This message has had one or more attachments removed >Warning: (the entire message). >Warning: Please read the "VirusWarning.txt" attachment(s) for more information. > >This is a message from the WVNET MailScanner E-Mail Virus Protection Service >---------------------------------------------------------------------------- >The original e-mail attachment "the entire message" >was scanned by our antivirus software and determined to be >infected. It has been replaced by this warning message. > >At Tue Mar 2 16:39:24 2004 the virus scanner said: > Files hidden in very deeply nested archive I understand that this is beta code --I just wanted to report it. Ideally, we would like to disallow password protected zip files as well as disable the filename/type checking of normal zip files. -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From pete at eatathome.com.au Wed Mar 3 02:19:26 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:55 2006 Subject: Svar: Re: bagle-i worm In-Reply-To: <010801c400a3$7ff13540$0501a8c0@darkside> References: <010801c400a3$7ff13540$0501a8c0@darkside> Message-ID: <404540AE.4090600@eatathome.com.au>

Jason Balicki wrote:
>>sigtool / ClamAV version 0.67
>
>Ok, so I'm a little behind the times. :)
>
>--J(K)

For Red Hat users, if you're hopeless at remembering all those parameters, create a function command so you can execute it super easily, even tab completes like all other commands

function virus_search()
{
    # print the ClamAV version, then list signatures matching the given name
    sigtool --version; sigtool --list | grep -i "$1"
}

Then simply do

virus_search VIRUSNAME

BTW thanks for the tip, very useful.

From pete at eatathome.com.au Wed Mar 3 02:46:58 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:55 2006 Subject: Domino/Exchange MailScanner users In-Reply-To: <40452F4D.4060009@eatathome.com.au> References: <40452F4D.4060009@eatathome.com.au> Message-ID: <40454722.40103@eatathome.com.au> Pete wrote: > I know this has been covered before, but we are a Domino shop with > MailScanners running in front of our email borders. All non spam email > is relayed to Domino servers. > > It is not possible in this environment to ask users to forward mail to > spam/non spam addresses, or copy them to spam/non spam folders etc they > just won't do it. > > Is it practical for me to archive some non spam email each day and some > spam email then run sa-learn over it with Julian's bash scripts? > > Is this how people who don't have the spam/non spam boxes gather non spam > for bayes? I keep trying to use auto learn but I don't think it works > very well and is very quickly poisoned and giving negative scores to > spam. > > Not using bayes means too many newsgroup/newsletter emails are trapped > as spam, being an academic facility I, like mailscanner, consider most > of the emails these people get is spam, but they don't. So I need to put > some effort into getting bayes working, but without any user input. > > 1. Is the above worthwhile pursuing? or does bayes really need user to > input spam/non spam? > 2. If I archive non spam and feed it into bayes, I would need to have a > good look at it first - is there a way to apply filters to mailwatch so > that mailwatch will display say only Spam, or only High Spam, or only > emails that were archived, or only Non Spam? > > With this filtering I could then check the mail each day easily and > release the legit stuff and then run the scripts on the mail remaining. > > Thanks in advance for ANY suggestions. 
> Pete
>

Sorry for replying to own post - I have tried to create my own script (from Julian's example) to make this a little easier on myself, but as you will see I am a scripting gumby. I want to run this script at the end of each day, all the spam is kept in dirs named using the date. How do I set the SPAM variable to include the date in the path? You will see I have tried to do this in my script, but it doesn't work :( Next I will try and work out how to handle ham, aside from archiving I don't see how I will...

#!/bin/sh
DATE=`date '+%Y%m%d'`
touch /var/log/learn/learn.$DATE.log
PREFS=/etc/MailScanner/spam.assassin.prefs.conf
LOGFILE=/var/log/learn/learn.$DATE.log
SPAM=/var/spool/MailScanner/quarantine/$DATE/spam
SA=/usr/bin/sa-learn
BOX=$SPAM.processing
date >> "$LOGFILE"
#Move the Mail for exclusive access
mv "$SPAM" "$BOX"
#Wait for the file move to complete
sleep 5
#Learn all the stuff in the current days quarantine
$SA --prefs-file="$PREFS" --spam "$BOX" >> "$LOGFILE" 2>&1
#delete old spam
rm -Rf "$BOX"
#display the log file
cat "$LOGFILE"

From brent.addis at ROAMAD.COM Wed Mar 3 02:54:30 2004 
From: brent.addis at ROAMAD.COM (Brent Addis) Date: Thu Jan 12 21:22:55 2006 Subject: AVG In-Reply-To: <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk> References: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com> <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk> Message-ID: <3220.210.55.100.176.1078282470.squirrel@webmail.roamad.com> Thats ok, I understand your busy :) Julian Field said: > Sorry, haven't had time. > > At 23:50 01/03/2004, you wrote: >>Hey >> >>A couple of weeks ago I queried the possibility of MailScanner >>supporting AVG, I was just wondering if anything had been done on this >>at all? Management want some sort of solution using AVG, and it would >>be most cool if MailScanner could do it. >>thanks :) >> >> >>-- >>Brent Addis >>Systems Administrator > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Brent Addis Systems Administrator RoamAD From david at PLATFORMHOSTING.COM Wed Mar 3 05:46:04 2004 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:22:55 2006 Subject: Multi Threaded Perl Message-ID: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> Hi All, We have one box which for some reason seems to have been hit really hard by the latest version of MailScanner the strange thing about this is that it's the newest and most highly specified box we have. The only difference I can see with this box is that it's running multithreaded perl 5.8.0 are there any known issues with this at all? The box itself is a dual processor PIV with 1Gig of Ram running RedHat 9. We have the work dirs in tmpfs etc and have no problems with our other boxes, just this one which has gone from easily able to process 100,000 messages per day down to barely processing 15,000 Any ideas would be greatly appreciated. Regards, David Hooton Senior Partner Platform Hosting www.platformhosting.com ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040303/b019b793/attachment.html From pete at eatathome.com.au Wed Mar 3 06:25:37 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:55 2006 Subject: Custom Scores Message-ID: <40457A61.7070104@eatathome.com.au> Just installed DCC on one of my servers today and is working nicely - made me think that, if some messages are listed with checks like DCC or certain RBLs, then they must be almost 100% spam, or undesirable emails? Has anyone heard of DCC or the best RBLs listing legit senders or emails? Is it worth giving these a much higher score so these messages score as High Spam and are deleted on the spot? Or am I missing the central reasons why things like DCC only score 1.81? From pete at eatathome.com.au Wed Mar 3 06:29:44 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:55 2006 Subject: Multi Threaded Perl In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> Message-ID: <40457B58.8080600@eatathome.com.au> David Hooton wrote: > Hi All, > > We have one box which for some reason seems to have been hit really > hard by the latest version of MailScanner the strange thing about this > is that it's the newest and most highly specified box we have. > > The only difference I can see with this box is that it's running > multithreaded perl 5.8.0 are there any known issues with this at all? > > The box itself is a dual processor PIV with 1Gig of Ram running RedHat > 9. We have the work dirs in tmpfs etc and have no problems with our > other boxes, just this one which has gone from easily able to process > 100,000 messages per day down to barely processing 15,000 > > Any ideas would be greatly appreciated. > > Regards, > > David Hooton > > Senior Partner > > Platform Hosting > > www.platformhosting.com > > ------------------------------------------------------------------------ > Pain free spam & virus protection - Mail Security > > To report SPAM forward the message to: spam@mailsecurity.net.au > > To report incorrectly tagged messages: notspam@mailsecurity.net.au > > > > ------------------------------------------------------------------------ I know it's not comparable spec/stats, but one of my servers I upgraded from 4.24-5 to latest stable, where it was a p200/512mb scanning 500 emails per day with 6 MS processes, now can't even really run 3 without every message passing with spamassassin time outs, which I am led to believe are caused by the load on the server? Was happily cruising along with .8 load average which is now almost 3 and sometimes 5 all the time. Upgraded mailwatch too, and this is now fast as. 
I believe i have this machine reasonably well tuned, and as i said was running dreamily before this upgrade...before i read this i figured i must have broken something? From bg.mahesh at INDIAINFO.COM Wed Mar 3 09:32:08 2004 From: bg.mahesh at INDIAINFO.COM (BG Mahesh) Date: Thu Jan 12 21:22:55 2006 Subject: SpamAssassin installation could not be found Message-ID: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com> hi I have installed the latest versions of SA, MailScanner and ClamAV on RedHat linux When I start MailScanner /var/log/maillog reads, Mar 3 14:54:50 enter3 MailScanner[3555]: MailScanner E-Mail Virus Scanner version 4.27.7 starting... Mar 3 14:54:50 enter3 MailScanner[3555]: SpamAssassin installation could not be found I checked the FAQs and google regarding the same. I have only one version of perl [binary] [root@enter3 site_perl]# which perl /usr/bin/perl [root@enter3 site_perl]# perl -v This is perl, v5.8.1 built for i686-linux /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin has the files. What could I be doing wrong? -- B.G. Mahesh bg.mahesh@indiainfo.com http://www.indiainfo.com/ -- ______________________________________________ IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes! Powered by Outblaze From pete at eatathome.com.au Wed Mar 3 09:55:58 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:55 2006 Subject: Custom Scores In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> Message-ID: <4045ABAE.5040100@eatathome.com.au> Ugo Bellavance wrote: >>-----Original Message----- >>From: Pete [mailto:pete@eatathome.com.au] >>Sent: March 3, 2004 01:26 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Custom Scores >> >> >>Just installed DCC on one of my servers today and is working nicely - >>made me think that, if some messages are listed with checks like DCC or >>certain RBLs, then they must be almost 100% spam, or >>undesirable emails? >> >>Has anyone heard of DCC or the best RBLs listing legit senders or >>emails? Is it worth giving these a much higher score so these messages >>score as High Spam and are deleted on the spot? >> >>Or am I missing the central reasons why things like DCC only >>score 1.81? >> >> >> > >If that can help you, I got many DCC_CHECK scores with 1.81, but also one with 2.91, like the one below: > > > (required 6, autolearn=spam, DCC_CHECK 2.91, HTML_50_60 0.10, > HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, > MIME_HEADER_CTYPE_ONLY 2.23, MIME_HTML_NO_CHARSET 0.56, > MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_SHORT 3.03, > PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, > RAZOR2_CHECK 1.05, X_LIBRARY 1.58) > >Maybe it is a setting that is variable...maybe ask on the DCC list... > >hth > >Ugo > > > > > Thanks, 'twas just a thought about these types of checks in general - seems like a lot of work for 1.81 - but it's most likely because I don't understand enough about whether some of the entries in these lists are sometimes legit? From john at TRADOC.FR Wed Mar 3 09:56:55 2004 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> Message-ID: Just spotted this on the clamav list: | Our signatures Worm.Bagle.F-zippwd* are based on the "real" contents of | mail messages (stream of characters as they are), while amavisd-new (and | probably amavis) "divide" messages to parts and decode them separately, | hence ClamAV doesn't get the original stream of chars. Does this also apply to MailScanner, or does MS pass the entire message to clamav(module)? John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From john at TRADOC.FR Wed Mar 3 10:15:11 2004 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:55 2006 Subject: Bayes rebuild never completes In-Reply-To: References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> Message-ID: <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr> On Tue, 2 Mar 2004 21:31:37 +0100, Kai Schaetzl wrote: > John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100: > > > Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes > > database rebuild preparing" then "SpamAssassin Bayes database rebuild > > starting", but never get as far as the "SpamAssassin Bayes database > > rebuild completed" that I see in the code. > > > > try a manual expire and see if it gets thru, it's possible that your Bayes > db is corrupted and the Expire never completes. Yes, manual expire works fine. I've added some extra syslog calls in SA.pm - the init_learner() call completes, but rebuild_learner_caches() never does. Does that help at all, Julian? John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:12:54 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: Whic Version should i run? In-Reply-To: <40450305.1070207@eatathome.com.au> References: <40450305.1070207@eatathome.com.au> Message-ID: <6.0.1.1.2.20040303101111.039a4950@imap.ecs.soton.ac.uk> At 21:56 02/03/2004, you wrote: >I am in the process of upgrading to latest stable release, but reading >the list i am now not sure if i should be running the latest beta to >protect against these latest password protected zip viruses? > >I dont really care about content scanning them, just if its a virus then >trap the message, will latest stable and clamav stop these for me? I >dont really want to run beta if i can avoid it. There are some viruses out there using randomly-encrypted zip archives, which cannot be scanned by the virus scanners as they are encrypted. The only exception is that ClamAV may detect them as being passworded zip archives. These viruses can only then be detected at the desktop when someone is daft enough to open one. So if you want the latest protection against this, go for 4.28.3 (assuming I don't put out any fixes later today). So wait a day first. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:15:29 2004 
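The point made in the message above, that a gateway scanner cannot look inside an encrypted zip but can still recognise that an archive is password-protected, shown as an added example that is not part of the original post and is not MailScanner or ClamAV code. The function names and the two-member sample archive are assumptions made for illustration; the check reads bit 0 of the general purpose flag in each member's central directory entry and local file header.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
ENCRYPTED = 0x0001         # general purpose bit flag, bit 0
UTF8_NAME = 0x0800         # general purpose bit flag, bit 11


def encrypted_members(data):
    """Return the names of ZIP members whose headers mark them as encrypted.

    Single-disk, non-Zip64 archives only (an assumption that keeps this short).
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    hits = []
    try:
        # EOCD offsets: +10 total entries, +12 directory size, +16 directory offset
        total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
        for _ in range(total):
            if data[pos:pos + 4] != CDH_SIG:
                raise ValueError("corrupt central directory")
            (flags,) = struct.unpack_from("<H", data, pos + 8)
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
            (lfh_off,) = struct.unpack_from("<I", data, pos + 42)
            raw_name = data[pos + 46:pos + 46 + name_len]
            name = raw_name.decode("utf-8" if flags & UTF8_NAME else "cp437", "replace")
            # Tools differ on which copy of the flags they trust, so treat the
            # member as encrypted if either header says so.
            if data[lfh_off:lfh_off + 4] == LFH_SIG:
                (local_flags,) = struct.unpack_from("<H", data, lfh_off + 6)
                flags |= local_flags
            if flags & ENCRYPTED:
                hits.append(name)
            pos += 46 + name_len + extra_len + comment_len
    except struct.error as exc:
        raise ValueError("truncated ZIP structure") from exc
    return hits


def build_sample():
    """Constructed sample: a clean two-member archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "constructed sample text")
        zf.writestr("document.scr", "constructed sample bytes, not a program")
    return buf.getvalue()


def mark_encrypted(raw, member):
    """Set the encryption flag for one member in both of its headers.

    Sample-building helper only: the payload is not actually encrypted,
    the headers just claim it is, which is all the check above inspects.
    """
    out = bytearray(raw)
    name = member.encode("ascii")
    for sig, flag_off, name_off in ((LFH_SIG, 6, 30), (CDH_SIG, 8, 46)):
        pos = out.find(sig)
        while pos >= 0:
            if out[pos + name_off:pos + name_off + len(name)] == name:
                out[pos + flag_off] |= ENCRYPTED
            pos = out.find(sig, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample()
    flagged = mark_encrypted(clean, "document.scr")
    print("clean archive   :", encrypted_members(clean))
    print("flagged archive :", encrypted_members(flagged))
```

A filter built on this can only report that a member is password-protected; deciding whether to quarantine, warn or pass such mail remains a policy choice.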
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: Virus infected attachment removal In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303101444.039bf9c8@imap.ecs.soton.ac.uk> You are running a *very* old version of MailScanner, probably version 3. Version 4 was released in the summer of 2002, to give you some idea. Upgrade to a rather more recent version. At 23:06 02/03/2004, you wrote: >Hi > >Firstly, apologies. I'm feeling a little sheepish that I can't work this >out for myself! > >I'm using Mailscanner with Command Software's virus scanner. Mail is being >picked up via Fetchmail. I am testing with Eicar test virus, and using >Openwebmail as my client. > >Mailscanner correctly identifies that the incoming mail has a virus, and >deposits {VIRUS?} in the subject field. What I can't seem to do is get the >attachment either disinfected or removed from the message. Eicar is not in >any activated "allowed" list or other. > >I have messed around with the following, and currently have them set to: >Deliver To Recipients = yes >Deliver From Local Domains = yes >Action = delete >Deliver Disinfected Files = yes > >Not for the first time I feel I'm missing something obvious... > >Thanks very much. > >James. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:22:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: Bayes rebuild never completes In-Reply-To: <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr> References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr> Message-ID: <6.0.1.1.2.20040303102218.03f81478@imap.ecs.soton.ac.uk> At 10:15 03/03/2004, you wrote: >On Tue, 2 Mar 2004 21:31:37 +0100, Kai Schaetzl wrote: > > John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100: > > > > > Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes > > > database rebuild preparing" then "SpamAssassin Bayes database rebuild > > > starting", but never get as far as the "SpamAssassin Bayes database > > > rebuild completed" that I see in the code. > > > > > > > try a manual expire and see if it gets thru, it's possible that your Bayes > > db is corrupted and the Expire never completes. > >Yes, manual expire works fine. > >I've added some extra syslog calls in SA.pm - the init_learner() call >completes, but rebuild_learner_caches() never does. Does that help at >all, Julian? It's a file locking subtlety that I haven't sussed out completely yet. Will work on it when password-protected zip files calm down a little bit. It's not top of the list right now :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:10:41 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <4045A3CE.10304@jmdejong.nl>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> <1078261566.15141.60.camel@bach.kevinspicer.co.uk> <4045A3CE.10304@jmdejong.nl>
Message-ID: <6.0.1.1.2.20040303100944.039a4be0@imap.ecs.soton.ac.uk>

At 09:22 03/03/2004, you wrote:
>Kevin Spicer wrote:
>
>>When the message contains an encrypted zip the recipient gets a warning,
>>but neither sender nor postmaster get alerted. (Not Okay).
>
>Also the message doesn't seem to be quarantined, although the recipient
>gets a message which says it is quarantined.

Try 4.28.3 :-)
I have had a good few hours (relatively) uninterrupted work this morning,
which has given me a chance to rewrite a fair chunk of the zip-file
handling code. Should work rather better now.

Read the docs about the Zip-Password keyword in Silent Viruses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:27:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
Message-ID: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>

Hi folks!

The "fastest code factory in the West" has been running full tilt this
morning :-)

I have managed to rewrite a lot of the code that handles password-protected
zip files.

The logging, quarantining and notifications should work rather better now.
I have hopefully fixed the other outstanding bugs in this area too.

There is a new option keyword for the Silent Viruses list: "Zip-Password"
which causes password-protected zip files to be treated "silently". I
suggest you add it to your list. If "Warn Senders of Viruses" is off, then
it also shouldn't send warnings about password-protected zip files, as they
are more likely to be viruses than anything else, so I have treated them
that way.

Download as usual from www.mailscanner.info.

Please report any problems!

Boy, do I need a holiday... ;-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:20:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>

Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
That can cripple Perl.

At 05:46 03/03/2004, you wrote:
>Hi All,
>
>We have one box which for some reason seems to have been hit really hard
>by the latest version of MailScanner the strange thing about this is that
>it's the newest and most highly specified box we have.
>
>The only difference I can see with this box is that it's running
>multithreaded perl 5.8.0 is there any known issues with this at all?
>
>The box itself is a dual processor PIV with 1Gig of Ram running RedHat
>9. We have the work dirs in tmpfs etc and have no problems with our other
>boxes, just this one which has gone from easily able to process 100,000
>messages per day down to barely processing 15,000
>
>Any ideas would be greatly appreciated.
>
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>www.platformhosting.com
>
>
>Pain free spam & virus protection - Mail
>Security
>
>To report SPAM forward the message to:
>spam@mailsecurity.net.au
>To report incorrectly tagged messages:
>notspam@mailsecurity.net.au

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:21:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: SpamAssassin installation could not be found
In-Reply-To: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com>
References: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040303102047.0407fa48@imap.ecs.soton.ac.uk>

You probably installed SpamAssassin from the RPM distribution. Remove that
rpm (use "rpm -e" to do it) and then install SpamAssassin either from
source or from CPAN like this:
        perl -MCPAN -e shell
        install Mail::SpamAssassin
Then you should find it works.

At 09:32 03/03/2004, you wrote:
>hi
>
>I have installed the latest versions of SA, MailScanner and ClamAV on
>RedHat linux
>
>When I start MailScanner /var/log/maillog reads,
>
>Mar 3 14:54:50 enter3 MailScanner[3555]: MailScanner E-Mail Virus Scanner
>version 4.27.7 starting...
>Mar 3 14:54:50 enter3 MailScanner[3555]: SpamAssassin installation could
>not be found
>
>I checked the FAQs and google regarding the same. I have only one version
>of perl [binary]
>
>[root@enter3 site_perl]# which perl
>/usr/bin/perl
>[root@enter3 site_perl]# perl -v
>
>This is perl, v5.8.1 built for i686-linux
>
>/usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin has the files. What could
>I be doing wrong?
>
>
>
>--
>B.G. Mahesh
>bg.mahesh@indiainfo.com
>http://www.indiainfo.com/
>
>--
>______________________________________________
>IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
>Check out our value-added Premium features, such as an extra 20MB for mail
>storage, POP3, e-mail forwarding, and ads-free mailboxes!
>
>Powered by Outblaze

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:14:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Getting a *lot* of these
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040303101342.039bfc58@imap.ecs.soton.ac.uk>

At 22:18 02/03/2004, you wrote:
>Raymond Dijkxhoorn wrote:
> >> Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf
> >> queue file for message i1PATTK9011213
> >>
> >> Is there a way to configure MailScanner to do something about these
> >> instead of complaining about them incessantly? My log files are
> >> getting *Huge*!
> >
> > What about cleaning out your incoming queue :) That's where it starts.
>
>I *am* cleaning it out. Each night I'm removing any file more than one day
>old. However, my log files are still getting bloated.

How are these bad files being generated? I very rarely see this problem. I
would definitely advise you to investigate the cause rather than just
killing the symptom.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:19:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <40453D56.70507@mail.wvnet.edu> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk> <40453D56.70507@mail.wvnet.edu> Message-ID: <6.0.1.1.2.20040303101901.03f3e278@imap.ecs.soton.ac.uk> At 02:05 03/03/2004, you wrote: >Julian Field wrote: > >>At 12:45 02/03/2004, you wrote: >> >>>Also, If I change the above to 0 will that disable filename/type >>>checking inside the archives? >> >> >>I think so, yes. If 0 doesn't disable it, then -1 certainly will. >I tried setting Maximum Archive Depth = 0 (as well as -1) and the >internal zip file checking was not disabled. The results were that all >files including simple text messages received the warning... It should work now (4.28.3). > >Warning: This message has had one or more attachments removed > >Warning: (the entire message). > >Warning: Please read the "VirusWarning.txt" attachment(s) for more >information. > > > >This is a message from the WVNET MailScanner E-Mail Virus Protection >Service > >---------------------------------------------------------------------------- > >The original e-mail attachment "the entire message" > >was scanned by our antivirus software and determined to be > >infected. It has been replaced by this warning message. > > > >At Tue Mar 2 16:39:24 2004 the virus scanner said: > > Files hidden in very deeply nested archive > >I understand that this is beta code --I just wanted to report it. >Ideally, we would like to disallow password protected zip files as well >as disable the filename/type checking of normal zip files. > >-- >Richard E. 
Lynch >Systems Programming Manager >West Virginia Network (WVNET) >837 Chestnut Ridge Road >Morgantown, WV 26505 >(304) 293-5192 x243 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 10:49:49 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> Message-ID: <4045B84D.80907@solid-state-logic.com> Julian what you mean the two days in B'mouth at UKUUG wasn't a holiday :-) Thanks as always for the work - I was hoping to make it to UKUUG and buy you a drink, but 1) I'd have prob got killed in the rush.. 2) didn't make it anyhow.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > Hi folks! > > The "fastest code factory in the West" has been running full tilt this > morning :-) > > I have managed to rewrite a lot of the code that handles password-protected > zip files. > > The logging, quarantining and notifications should work rather better now. > I have hopefully fixed the other outstanding bugs in this area too. > > There is a new option keyword for the Silent Viruses list: "Zip-Password" > which causes password-protected zip files to be treated "silently". I > suggest you add it to your list. If "Warn Senders of Viruses" is off, then > it also shouldn't send warnings about password-protected zip files, as they > are more likely to be viruses than anything else, so I have treated them > that way. > > Download as usual from www.mailscanner.info. > > Please report any problems! > > Boy, do I need a holiday... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From rcooper at DWFORD.COM Wed Mar 3 10:55:47 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:55 2006 Subject: ClamAV module In-Reply-To: <4045B3D2.8050505@solid-state-logic.com> Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: Wednesday, March 03, 2004 5:31 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ClamAV module > > > Guys > > Which version of the tjhe clamAVmodule should I be > using. I recall > something about one of the versions not working > properly with MS, but i > can't see anything on the archives. > > (btw - running MS 4.28.2-2 and clamav 0.67) > I think it was 0.66 (maybe .65) and it didn't work period.. the developers accidentally left some code from the test phase that was to be removed upon install so the ClamAV.pm mod was looking for a file that did not exist and bailed (just so you know it wasn't a MS problem) > > -- > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ******************************************************* > *************** > > This email and any files transmitted with it are > confidential and > intended solely for the use of the individual or > entity to whom they > are addressed. If you have received this email in > error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed > to be clean. > > ******************************************************* > *************** > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From david at PLATFORMHOSTING.COM Wed Mar 3 10:57:22 2004 
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
Message-ID: <200403031057.i23AvNC31852@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Wednesday, 3 March 2004 9:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Multi Threaded Perl
>
> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>

Certainly have :) It's the first thing I kill on a RedHat box :)

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From steve.freegard at LBSLTD.CO.UK Wed Mar 3 10:37:10 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:55 2006
Subject: ClamAV module
Message-ID: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk>

Hi Martin,

I don't think it matters at all - this morning I just upgraded Clam to .67
as I realised I'd downloaded it but not installed it (Duh!).

I was already running the Mail::ClamAV module so to be on the safe side I
stopped MS just prior to the 'make install' of .67 and installed the latest
Mail::ClamAV via CPAN at the same time, just in case the libraries had
changed at all.

Working nicely so far...

Kind regards,
Steve.

> -----Original Message-----
> From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
> Sent: 03 March 2004 10:31
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ClamAV module
>
>
> Guys
>
> Which version of the clamAV module should I be using. I recall
> something about one of the versions not working properly with
> MS, but I
> can't see anything on the archives.
>
> (btw - running MS 4.28.2-2 and clamav 0.67)
>
>
> --
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 10:30:42 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:55 2006
Subject: ClamAV module
Message-ID: <4045B3D2.8050505@solid-state-logic.com>

Guys

Which version of the clamAV module should I be using. I recall
something about one of the versions not working properly with MS, but I
can't see anything on the archives.

(btw - running MS 4.28.2-2 and clamav 0.67)

--
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From david at PLATFORMHOSTING.COM Wed Mar 3 11:03:37 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
Message-ID: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>

Hi All,

We've got a domain that is being joe jobbed and we want to setup a special
ruleset for any mail from <> to be handled differently. I've tried the
following and it didn't work..

From: <> delete forward user@domain.com

Any advice greatly appreciated.

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From kfliong at WOFS.COM Wed Mar 3 10:53:34 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:22:55 2006
Subject: changing spamassassin points configuration
Message-ID: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>

Hi,

I have this email which is not spam but have a score of 5.642 which is high
as default of more than 5 is considered spam.

Can I know how I can reduce the score?

spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10,
HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)

Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING
2.30....where can I get more details on what those score means? Does
mailscanner uses a different config file for controlling spamassassin?

thanks in advance


thanks

From pete at eatathome.com.au Wed Mar 3 11:09:19 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>
References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>
Message-ID: <4045BCDF.8020402@eatathome.com.au>

kfliong wrote:

> Hi,
>
> I have this email which is not spam but have a score of 5.642 which is
> high
> as default of more than 5 is considered spam.
>
> Can I know how I can reduce the score?
>
> spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
> DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10,
> HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)
>
> Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING
> 2.30....where can I get more details on what those score means? Does
> mailscanner uses a different config file for controlling spamassassin?
>
> thanks in advance
>
>
> thanks
>
>
>

Isn't this a situation for learning as ham? I am NO expert, but if you
have no other method maybe turn on archiving till you get a copy of this
message, then sa-learn it as ham?:

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:23:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
In-Reply-To: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>
References: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk>

At 11:03 03/03/2004, you wrote:
>Hi All,
>
>We've got a domain that is being joe jobbed and we want to setup a special
>ruleset for any mail from <> to be handled differently. I've tried the
>following and it didn't work..
>
>From: <> delete forward
>user@domain.com

Try
From: /^$/ delete forward user@domain.com

>
>Any advice greatly appreciated.
>
>Regards,
>
>David Hooton
>
>Pain free spam & virus protection - Mail
>Security
>
>To report SPAM forward the message to:
>spam@mailsecurity.net.au
>To report incorrectly tagged messages:
>notspam@mailsecurity.net.au

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at petermair.at Wed Mar 3 11:25:10 2004
From: mailscanner at petermair.at (Patrick Petermair)
Date: Thu Jan 12 21:22:55 2006
Subject: Why is this mail spam?
Message-ID: <4045C096.9060108@petermair.at>

Hi!

I've implemented mailscanner yesterday, and it seems to work fine.
However, I have some mails that are marked as spam and are _under_
the spamscore of 5. I have even increased "Spam Lists To Reach High
Score" to 3 instead of 2 (the mails that are marked as spam are found in
only 1 Spam List).

Here is an example from the logfile:

Mar 3 03:09:59 watt MailScanner[3426]: New Batch: Scanning 1 messages, 4177 bytes
Mar 3 03:09:59 watt MailScanner[3426]: MCP Checks completed at 4177 bytes per second
Mar 3 03:09:59 watt MailScanner[3426]: Spam Checks: Starting
Mar 3 03:10:01 watt MailScanner[3426]: RBL checks: 1AyLpd-0000tK-VF found in spamhaus.org
Mar 3 03:10:05 watt MailScanner[3426]: Message 1AyLpd-0000tK-VF from 69.42.78.187 (bdbiflciclcdbagglbgabcgeba@dc41.com) to anecon.com is spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90 2.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)
Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks: Found 1 spam messages
Mar 3 03:10:05 watt MailScanner[3426]: Spam Actions: message 1AyLpd-0000tK-VF actions are store,deliver,striphtml
Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks completed at 696 bytes per second

As you can see, 5 points are required and this mail got 3.634 and was
only in 1 RBL.
What could trigger this? I have nothing special configured (no
whitelists, no blacklists,..)

Patrick

From maillists at CONACTIVE.COM Wed Mar 3 11:31:28 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:55 2006
Subject: Svar: bagle-i worm
In-Reply-To: <404540AE.4090600@eatathome.com.au>
References: <010801c400a3$7ff13540$0501a8c0@darkside> <404540AE.4090600@eatathome.com.au>
Message-ID:

Pete wrote on Wed, 3 Mar 2004 13:19:26 +1100:

> For red Hat users
>

Why do you think this is supposed to be limited to Red Hat users? It's
standard shell functionality.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 11:36:33 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID: <4045C341.8020400@solid-state-logic.com>

Julian

the fastest code factory in the west ain't producing the fastest code:-(

My CPU is running at 100% and just about keeping up with the mail
traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was
pushing about 1500 per hour..

eek!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> Hi folks!
>
> The "fastest code factory in the West" has been running full tilt this
> morning :-)
>
> I have managed to rewrite a lot of the code that handles password-protected
> zip files.
>
> The logging, quarantining and notifications should work rather better now.
> I have hopefully fixed the other outstanding bugs in this area too.
>
> There is a new option keyword for the Silent Viruses list: "Zip-Password"
> which causes password-protected zip files to be treated "silently". I
> suggest you add it to your list. If "Warn Senders of Viruses" is off, then
> it also shouldn't send warnings about password-protected zip files, as they
> are more likely to be viruses than anything else, so I have treated them
> that way.
>
> Download as usual from www.mailscanner.info.
>
> Please report any problems!
>
> Boy, do I need a holiday... ;-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From andersjk at SOL-INVICTUS.ORG Wed Mar 3 11:39:55 2004
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
In-Reply-To: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk>
Message-ID:

We had that happen as well, we setup a server just to handle those small
domains, change the mx record and bingo, spam dropped off, as the hunters
went off to spam the stand alone box... they don't realize the mails go
nowhere.

thanks,
kevin

On Wed, 3 Mar 2004, Julian Field wrote:

> At 11:03 03/03/2004, you wrote:
> >Hi All,
> >
> >We've got a domain that is being joe jobbed and we want to setup a special
> >ruleset for any mail from <> to be handled differently. I've tried the
> >following and it didn't work..
> >
> >From: <> delete forward
> >user@domain.com
>
> Try
> From: /^$/ delete forward user@domain.com
>
>
> >
> >Any advice greatly appreciated.
> >
> >Regards,
> >
> >David Hooton
> >
> >Pain free spam & virus protection - Mail
> >Security
> >
> >To report SPAM forward the message to:
> >spam@mailsecurity.net.au
> >To report incorrectly tagged messages:
> >notspam@mailsecurity.net.au
> >
> >291d7c03.jpg
> >
>

--
@ _____________________________________________
chaos, panic and disorder... my job is done...

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:37:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Why is this mail spam?
In-Reply-To: <4045C096.9060108@petermair.at>
References: <4045C096.9060108@petermair.at>
Message-ID: <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk>

At 11:25 03/03/2004, you wrote:
>Hi!
>
>I've implemented mailscanner yesterday, and it seems to work fine.
>However, I have some mails that are marked as spam and are _under_
>the spamscore of 5. I have even increased "Spam Lists To Reach High
>Score" to 3 instead of 2 (the mails that are marked as spam are found in
>only 1 Spam List).

If it is found in 1 spam list it is still marked as spam. As the option
name says, it is "Spam Lists to reach **High** score". High-scoring spam is
handled according to the "High Scoring Spam Actions" actions. Normal spam
is handled according to the "Spam Actions" setting.

>Here is an example from the logfile:
>
>Mar 3 03:09:59 watt MailScanner[3426]: New Batch: Scanning 1 messages,
>4177 bytes
>Mar 3 03:09:59 watt MailScanner[3426]: MCP Checks completed at 4177
>bytes per second
>Mar 3 03:09:59 watt MailScanner[3426]: Spam Checks: Starting
>Mar 3 03:10:01 watt MailScanner[3426]: RBL checks: 1AyLpd-0000tK-VF
>found in spamhaus.org
>Mar 3 03:10:05 watt MailScanner[3426]: Message 1AyLpd-0000tK-VF from
>69.42.78.187 (bdbiflciclcdbagglbgabcgeba@dc41.com) to anecon.com is
>spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90
>2.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks: Found 1 spam messages
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Actions: message
>1AyLpd-0000tK-VF actions are store,deliver,striphtml
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks completed at 696
>bytes per second
>
>
>As you can see, 5 points are required and this mail got 3.634 and was
>only in 1 RBL.
>What could trigger this? I have nothing special configured (no
>whitelists, no blacklists,..)

Appearance in 1 RBL causes the message to be marked as spam. If you don't
like that, set "Spam List =" (i.e. set it to nothing) and just use the RBL
functionality that is provided by SpamAssassin.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:43:16 2004
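
The decision described in the reply above, applied to log lines in the format quoted in the thread. This is an added example, not part of the original posts and not MailScanner's own code: the function names are hypothetical, the sample lines are constructed, and `high_sa_score` stands in for MailScanner's "High SpamAssassin Score" option with an assumed value of 10.

```python
import re

# Constructed sample in the log format quoted in the thread. Host, message IDs,
# addresses and "rbl.example" are made up; the "is not spam" line is an assumed
# format. Rule names and scores on the first two lines are those quoted above.
SAMPLE_LOG = """\
Mar  3 03:10:05 mx MailScanner[3426]: Message MSG-0001 from 192.0.2.10 (a@example.com) to example.org is spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90 2.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)
Mar  3 03:11:12 mx MailScanner[3426]: Message MSG-0002 from 192.0.2.11 (b@example.com) to example.org is spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)
Mar  3 03:12:40 mx MailScanner[3426]: Message MSG-0003 from 192.0.2.12 (c@example.com) to example.org is spam, spamhaus.org, rbl.example, SpamAssassin (score=1.21, required 5, HTML_MESSAGE 0.10, RCVD_IN_SBL 1.11)
Mar  3 03:12:41 mx MailScanner[3426]: Message MSG-0004 from 192.0.2.13 (d@example.com) to example.org is not spam, SpamAssassin (score=0.1, required 5, HTML_MESSAGE 0.10)
Mar  3 03:12:42 mx MailScanner[3426]: Spam Checks: Found 3 spam messages
"""

LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) to (?P<to>\S+) "
    r"is (?P<verdict>not spam|spam)(?P<rest>.*)$"
)
SA_RE = re.compile(
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), required (?P<req>-?[\d.]+)"
    r"(?P<rules>[^)]*)\)"
)
RULE_RE = re.compile(r"(\w+) (-?\d+(?:\.\d+)?)")


def parse_line(line):
    """Return a dict for a per-message spam verdict line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    sa = SA_RE.search(rest)
    # Assumption: every comma-separated token before "SpamAssassin (" names a
    # Spam List (RBL) that matched, as in the thread's example.
    head = rest[: sa.start()] if sa else rest
    return {
        "id": m.group("id"),
        "logged_spam": m.group("verdict") == "spam",
        "spam_lists": [t.strip() for t in head.split(",") if t.strip()],
        "sa_score": float(sa.group("score")) if sa else None,
        "sa_required": float(sa.group("req")) if sa else None,
        "rules": {n: float(s) for n, s in RULE_RE.findall(sa.group("rules"))} if sa else {},
    }


def explain(rec, lists_to_reach_high=3, high_sa_score=10.0):
    """Say why a message is spam and which actions setting handles it."""
    reasons = []
    score, required = rec["sa_score"], rec["sa_required"]
    if score is not None and score >= required:
        reasons.append("SpamAssassin score %.3f >= required %g" % (score, required))
    # One Spam List hit is enough to mark the message as spam, whatever the score.
    reasons += ["listed in Spam List '%s'" % name for name in rec["spam_lists"]]
    is_spam = bool(reasons)
    # "Spam Lists To Reach High Score" only decides normal versus high-scoring.
    high = is_spam and (
        len(rec["spam_lists"]) >= lists_to_reach_high
        or (score is not None and score >= high_sa_score)
    )
    handled_by = None
    if is_spam:
        handled_by = "High Scoring Spam Actions" if high else "Spam Actions"
    return {
        "id": rec["id"],
        "is_spam": is_spam,
        "high_scoring": high,
        "handled_by": handled_by,
        "reasons": reasons,
        "matches_log": is_spam == rec["logged_spam"],
    }


def triage(log_text, lists_to_reach_high=3, high_sa_score=10.0):
    """Explain every per-message verdict found in a block of log text."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [explain(r, lists_to_reach_high, high_sa_score) for r in records if r]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result["id"], result["handled_by"], "; ".join(result["reasons"]))
```

A result with `matches_log` set to False means the log verdict came from something this sketch does not model, so check the configuration rather than the score.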
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <4045C341.8020400@solid-state-logic.com> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045C341.8020400@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> Can other people confirm this please? At 11:36 03/03/2004, you wrote: >Julian > >the fastest code factory in the west ain't producing the fastet code:-( > >My CPU is running at 100% and just about keeping up with the mail >traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was >pushing about 1500 per hour.. > >eek! > > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > > >Julian Field wrote: >>Hi folks! >> >>The "fastest code factory in the West" has been running full tilt this >>morning :-) >> >>I have managed to rewrite a lot of the code that handles password-protected >>zip files. >> >>The logging, quarantining and notifications should work rather better now. >>I have hopefully fixed the other outstanding bugs in this area too. >> >>There is a new option keyword for the Silent Viruses list: "Zip-Password" >>which causes password-protected zip files to be treated "silently". I >>suggest you add it to your list. If "Warn Senders of Viruses" is off, then >>it also shouldn't send warnings about password-protected zip files, as they >>are more likely to be viruses than anything else, so I have treated them >>that way. >> >>Download as usual from www.mailscanner.info. >> >>Please report any problems! >> >>Boy, do I need a holiday... 
;-)
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>**********************************************************************
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote confirms that this email message has been swept
>for the presence of computer viruses and is believed to be clean.
>
>**********************************************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gercke at HNM.DE Wed Mar 3 11:39:45 2004
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:22:55 2006
Subject: # SENDMAIL_RELAY Question
Message-ID: <4045C401.20200@hnm.de>

Hello,

I have a problem. I'm running a mailserver with a lot of domains and users. Now I have set up another server with MailScanner. For some domains I want incoming mail to go through MailScanner, and MailScanner should relay it to the old mailserver. For mail coming from the world this works fine. But when a local domain on the mailserver sends to another local account, this mail wouldn't be sent through MailScanner; it will be delivered locally.

Now my question: What would happen if I add SENDMAIL_RELAY="mailscanner" to the sendmailconfig of the mailserver? Will there be a mail loop between these machines?

--
This message has been checked for viruses and other dangerous content and is, assuming up-to-date virus scanners, clean.
MailScanner thanks transtec for their kind support.

From kfliong at WOFS.COM Wed Mar 3 11:41:27 2004
From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:22:55 2006 Subject: changing spamassassin points configuration In-Reply-To: <4045BCDF.8020402@eatathome.com.au> References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> Message-ID: <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> err...what's "ham"? At 07:09 PM 3/3/2004, you wrote: >kfliong wrote: > >>Hi, >> >>I have this email which is not spam but have a score of 5.642 which is >>high >>as default of more than 5 is considered spam. >> >>Can I know how I can reduce the score? >> >>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, >>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, >>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20) >> >>Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING >>2.30....where can i get more details on what those score means? Does >>mailscanner uses a different config file for controlling spamassassin? >> >>thanks in advance >> >> >>thanks >> >> >ISnt this a situation for learning as ham? I am NO expert, but if you >have no other method maybe turn on archiving till you get a copy of this >message, then sa-learn it as ham?: thanks From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:47:13 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: changing spamassassin points configuration In-Reply-To: <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> Message-ID: <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk> Stuff that isn't spam. At 11:41 03/03/2004, you wrote: >err...what's "ham"? > >At 07:09 PM 3/3/2004, you wrote: > >>kfliong wrote: >> >>>Hi, >>> >>>I have this email which is not spam but have a score of 5.642 which is >>>high >>>as default of more than 5 is considered spam. >>> >>>Can I know how I can reduce the score? >>> >>>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, >>>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, >>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20) >>> >>>Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING >>>2.30....where can i get more details on what those score means? Does >>>mailscanner uses a different config file for controlling spamassassin? >>> >>>thanks in advance >>> >>> >>>thanks >>> >>ISnt this a situation for learning as ham? I am NO expert, but if you >>have no other method maybe turn on archiving till you get a copy of this >>message, then sa-learn it as ham?: > >thanks -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rcooper at DWFORD.COM Wed Mar 3 11:57:17 2004 
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID:

Just installed 4.28.3 and ran a few tests. I sent a mail with a protected ZIP and a zipped executable. It caught the protected zip and did the notice thing, and kept the message body (great, thanks!) but passed the zipped executable on through intact. The log looks like it stopped processing on the protected zip altogether. I sent another with just the zipped exe and it caught it that time.

Did another test with the zipped exe being the first attachment and the protected zip being the second, and it caught both. So I then sent a message with the protected zip as the first attachment and a raw exe as the second attachment, and it caught both of those.

So it looks like zip processing halts when the password-protected zip is found, and the other file name/type checks must be performed prior to the zip extraction tests?

In any event you probably want to fix it so subsequent zip files are processed after the protected zip fails, or someone could just send the password-protected zip as attachment one and then attach a zipped exe file in attachment two, and the user may think attachment two is safe since it cleaned one and left the other.

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Wednesday, March 03, 2004 5:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: Unstable 4.28.3 released > > > Hi folks! > > The "fastest code factory in the West" has been > running full tilt this > morning :-) > > I have managed to rewrite a lot of the code that > handles password-protected > zip files. > > The logging, quarantining and notifications should > work rather better now. > I have hopefully fixed the other outstanding bugs in > this area too. > > There is a new option keyword for the Silent Viruses > list: "Zip-Password" > which causes password-protected zip files to be > treated "silently". I > suggest you add it to your list. If "Warn Senders of > Viruses" is off, then > it also shouldn't send warnings about > password-protected zip files, as they > are more likely to be viruses than anything else, so I > have treated them > that way. > > Download as usual from www.mailscanner.info. > > Please report any problems! > > Boy, do I need a holiday... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From P.G.M.Peters at utwente.nl Wed Mar 3 11:58:41 2004 
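Rick Cooper's report above describes a check that stops at the first password-protected zip, so a zipped executable in a later attachment is never inspected. The following is an added example, not MailScanner code: a Python sketch that inspects every attachment independently and reads the zip "encrypted" flag bit, next to a model of the short-circuit behaviour he observed. The function names, the extension list and the sample attachments are constructed for illustration.

```python
import io
import struct
import zipfile

# Assumed deny-list for this demonstration only; MailScanner's real rules
# live in filename.rules.conf and are not reproduced here.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def make_zip(member_name, data=b"x", encrypted=False):
    """Build a small zip in memory (constructed sample input).

    With encrypted=True, bit 0 of the general purpose flags is set in the
    local and central headers. That bit is what a gateway can see without
    knowing the password.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 in a local header, offset 8 in a central one.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            flags = struct.unpack_from("<H", raw, pos + flag_offset)[0]
            struct.pack_into("<H", raw, pos + flag_offset, flags | 0x1)
    return bytes(raw)


def inspect_attachment(name, payload):
    """Return the findings for one attachment (empty list means clean)."""
    findings = []
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        findings.append("blocked filename: " + name)
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # With traditional zip encryption the member names stay
                # readable, so both checks still apply to a protected zip.
                if info.flag_bits & 0x1:
                    findings.append("password-protected member: " + info.filename)
                if info.filename.lower().endswith(BLOCKED_EXTENSIONS):
                    findings.append("blocked filename in zip: " + info.filename)
    except zipfile.BadZipFile:
        # Fail closed: an archive that cannot be parsed is not called clean.
        findings.append("unreadable archive: " + name)
    return findings


def scan_message(attachments):
    """Inspect every attachment; a finding on one never skips the others."""
    return {name: inspect_attachment(name, payload)
            for name, payload in attachments}


def scan_message_short_circuit(attachments):
    """Model of the reported behaviour: stop at the first protected zip."""
    report = {}
    for name, payload in attachments:
        report[name] = inspect_attachment(name, payload)
        if any(f.startswith("password-protected") for f in report[name]):
            break  # later attachments are never looked at
    return report


# Constructed sample message, in the attachment order from the report.
SAMPLE = [
    ("protected.zip", make_zip("invoice.doc", encrypted=True)),
    ("tools.zip", make_zip("setup.exe")),
]

if __name__ == "__main__":
    for attachment, findings in scan_message(SAMPLE).items():
        print(attachment, findings or "clean")
```
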
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> Message-ID: On Wed, 3 Mar 2004 10:27:29 +0000, you wrote: >The "fastest code factory in the West" has been running full tilt this >morning :-) Big thanks. >There is a new option keyword for the Silent Viruses list: "Zip-Password" >which causes password-protected zip files to be treated "silently". I >suggest you add it to your list. If "Warn Senders of Viruses" is off, then >it also shouldn't send warnings about password-protected zip files, as they >are more likely to be viruses than anything else, so I have treated them >that way. Does this mean "All-viruses" does not include "Zip-Password"? -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:56:48 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: SpamAssassin installation could not be found
In-Reply-To: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com>
References: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040303115547.04185f68@imap.ecs.soton.ac.uk>

At 11:51 03/03/2004, you wrote:
> > You probably installed SpamAssassin from the RPM distribution. Remove that
> > rpm (use "rpm -e" to do it) and then install SpamAssassin either from
> > source or from CPAN like this:
> >         perl -MCPAN -e shell
> >         install Mail::SpamAssassin
> >
> > Then you should find it works.
> >
>
>Nops, I installed it from the source file. This box did not have a RPM
>distribution before I started the installation from source.

What does
        perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
produce?

And what about
        which perl
and
        /usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'

>--
>B.G. Mahesh
>bg.mahesh@indiainfo.com
>http://www.indiainfo.com/
>
>--
>______________________________________________
>IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
>Check out our value-added Premium features, such as an extra 20MB for mail
>storage, POP3, e-mail forwarding, and ads-free mailboxes!
>
>Powered by Outblaze

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at SMITS.CO.UK Wed Mar 3 12:11:20 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
Message-ID: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip.net>

My /etc/sysconfig/i18n says:

LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF:en_US:en"
SYSFONT="latarcyrheb-sun16"

Should I change that to:

LANG="en_US"
SUPPORTED="en_US:en"

Can I keep the SYSFONT setting alone?

Thanks,

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Posted At: 03 March 2004 10:57
Posted To: MailScanner
Conversation: Multi Threaded Perl
Subject: Re: Multi Threaded Perl

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Wednesday, 3 March 2004 9:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Multi Threaded Perl
>
> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>

Certainly have :) It's the first thing I kill on a RedHat box :)

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 12:23:13 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045C341.8020400@solid-state-logic.com> <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> Message-ID: <4045CE31.2000309@solid-state-logic.com> Julian Ok seems to have caught with itself now - I'll keep a check on processing times....The whole thing just seemed to take much much longer to spark into life. I'll now try and figure out why clammodule ain't working... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > Can other people confirm this please? > > At 11:36 03/03/2004, you wrote: > >> Julian >> >> the fastest code factory in the west ain't producing the fastet code:-( >> >> My CPU is running at 100% and just about keeping up with the mail >> traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was >> pushing about 1500 per hour.. >> >> eek! >> >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> Julian Field wrote: >> >>> Hi folks! >>> >>> The "fastest code factory in the West" has been running full tilt this >>> morning :-) >>> >>> I have managed to rewrite a lot of the code that handles >>> password-protected >>> zip files. >>> >>> The logging, quarantining and notifications should work rather better >>> now. >>> I have hopefully fixed the other outstanding bugs in this area too. >>> >>> There is a new option keyword for the Silent Viruses list: >>> "Zip-Password" >>> which causes password-protected zip files to be treated "silently". I >>> suggest you add it to your list. 
If "Warn Senders of Viruses" is off, >>> then >>> it also shouldn't send warnings about password-protected zip files, >>> as they >>> are more likely to be viruses than anything else, so I have treated them >>> that way. >>> >>> Download as usual from www.mailscanner.info. >>> >>> Please report any problems! >>> >>> Boy, do I need a holiday... ;-) >>> -- >>> Julian Field >>> www.MailScanner.info >>> MailScanner thanks transtec Computers for their support >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mike-sender-1ed4e7 at zanker.org Wed Mar 3 12:24:24 2004 
From: mike-sender-1ed4e7 at zanker.org (Mike Zanker) Date: Thu Jan 12 21:22:55 2006 Subject: Multi Threaded Perl In-Reply-To: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip.net> References: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip .net> Message-ID: <264099984.1078316664@jemima.zanker.org> On 03 March 2004 12:11 +0000 MailScanner wrote: > Should I change that to: > > LANG="en_US" > SUPPORTED="en_US:en" Mine is: LANG="en_GB" SUPPORTED="en_GB:en" SYSFONT="latarcyrheb-sun16" and I never have any perl issues or any other system problems. Mike. From Peter.Bates at LSHTM.AC.UK Wed Mar 3 12:56:00 2004 From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:22:55 2006 Subject: Selectively blocking .zip files with a ruleset Message-ID: Hello all... Until I get round to upgrading our creaking MS box to one of the unstable versions with more 'Zip savvy', I'm looking for a reasonable quick-fix. I'd like to go to deny \.zip$ in filename.rules.conf but I've been informed we have some users that regularly send data only in zip-files, and that can't be necessarily convinced to rename them (not a brilliant suggestion, I know, but...) How can I change 'Filename Rules' to be a ruleset, keep most of the ones I have already, but build up a list of 'allowed email senders' for .zip? Still running MS 4.25, SA 2.63, on Postfix... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From tony.johansson at SVENSKAKYRKAN.SE Wed Mar 3 13:03:13 2004 
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
Message-ID:

Apologies if this is Sendmail and not MailScanner related. Any pointers appreciated.

We have some users that complain about email not being properly displayed in their clients. The headers show:
X-MIME-Autoconverted: from 8bit to quoted-printable by scanner.ourdomain.com id i231555N010471

Is there a way to avoid converting messages? Does anyone have a solution to our problem?

Regards,
Tony

From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 13:07:07 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>

Tony Johansson wrote:
> Apologies if this is Sendmail and not MailScanner related. Any
> pointers appreciated.
>
> We have some users that complain about email not being properly
> displayed in their clients. The headers show:
> X-MIME-Autoconverted: from 8bit to quoted-printable by
> scanner.ourdomain.com id i231555N010471
>

It's a sendmail message, I've seen it before but I can't remember why. Have you checked the archives? Are you running the latest sendmail?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at SMITS.CO.UK Wed Mar 3 13:28:34 2004
From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:22:55 2006 Subject: Multi Threaded Perl Message-ID: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net> Thanks Mike, I will make the change outside business hours. I'm assuming that MS will pick it up when it next accesses a Perl routine, or does it require a service MailScanner reload? Bart... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Zanker Posted At: 03 March 2004 12:24 Posted To: MailScanner Conversation: Multi Threaded Perl Subject: Re: Multi Threaded Perl On 03 March 2004 12:11 +0000 MailScanner wrote: > Should I change that to: > > LANG="en_US" > SUPPORTED="en_US:en" Mine is: LANG="en_GB" SUPPORTED="en_GB:en" SYSFONT="latarcyrheb-sun16" and I never have any perl issues or any other system problems. Mike. From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 13:38:59 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:55 2006 Subject: McAfee PROBLEM !!! Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> Does DAT 4332 fix it? Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Desai, Jason > Sent: 02 March 2004 20:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: McAfee PROBLEM !!! > > > Thanks for this info - it was very helpful! I have the same results. > > Jason > > > -----Original Message----- 
> > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > Sent: Tuesday, March 02, 2004 2:09 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> >
> >
> > Hi,
> >
> > We installed the extra.dat this morning and it was catching some
> > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> >
> > Now that dat 4331 is out the same files are not detected as viruses
> > anymore!!!
> >
> > I reinstalled the extra.dat to be sure they are detected.
> >
> > Scan with 4331:
> > # uvscan --mime --mailbox --secure *
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> >         is password-protected.
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> >         is password-protected.
> >
> > Scan with 4331 and extra.dat:
> > # uvscan --mime --mailbox --secure *
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> >         Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> >         Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> >
> > Denis
> > --
> > Denis Beauchemin, analyste
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
> >
>

From jfraley at glenraven.com Wed Mar 3 13:39:05 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:55 2006
Subject: sort virus results
Message-ID: <1078321144.2142.19.camel@jfraleyx.glenraven.com>

Is there a way to have MailScanner write to a file the results of each of the virus scanner's results? We currently use McAfee and ClamAV and are looking to add at least one more scanner. I have been asked to be able to compare the performance of each scanner that we use. So, I need the information such as:

Message ID      Scanner        Virus
i23DR2KW026160  McAfee         W32/Netsky.d@MM
i23DR2KW026160  ClamAV Module  Worm.SomeFool.D
i23DR2KW026160  MailScanner    Shortcuts to MS-Dos programs are very dangerous in email (your_details.pif)

I can not easily get this from the logs.

Jon

From g.pentland at SOTON.AC.UK Wed Mar 3 13:42:44 2004
From: g.pentland at SOTON.AC.UK (Pentland G.)
Date: Thu Jan 12 21:22:55 2006
Subject: # SENDMAIL_RELAY Question
Message-ID:

Try this...

LOCAL_CONFIG
# If email is bound to the local domain, what will do local delivery for us?
dnl
D{DefaultLocalDeliveryHost}YOURHOST.DOMAIN.COM

LOCAL_RULE_0
# (the left and right hand sides of each R line are separated by tabs)
# Allocate a slot for the domain name
R$+	$: < > $1
# Addresses qualified with the local machine name - unqualify them
R< > $+ < @ $j . >	$: < > $1
# Addresses qualified with a local domain - unqualify them
R< > $+ < @ $=w . >	$: < > $1
# Anything else on the qualification is non-local so return and parse normally
R< > $* @ $*	$@ $1 @ $2
# Anything unqualified qualify with the local domain
R< > $+	$: < $M > $1
# Now send these local emails to the default local delivery servers
R< $+ > $+	$#esmtp $@ ${DefaultLocalDeliveryHost} $: $2 < @ $1 . >

Hope that helps.

-----Original Message-----
From: Daniel Gercke [mailto:gercke@HNM.DE]
Sent: Wed 3/3/2004 11:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: # SENDMAIL_RELAY Question

Hello,

I have a problem. I'm running a mailserver with a lot of domains and users. Now I have set up another server with MailScanner. For some domains I want incoming mail to go through MailScanner, and MailScanner should relay it to the old mailserver. For mail coming from the world this works fine. But when a local domain on the mailserver sends to another local account, this mail wouldn't be sent through MailScanner; it will be delivered locally.

Now my question: What would happen if I add SENDMAIL_RELAY="mailscanner" to the sendmailconfig of the mailserver? Will there be a mail loop between these machines?

--
This message has been checked for viruses and other dangerous content and is, assuming up-to-date virus scanners, clean.
MailScanner thanks transtec for their kind support.

From rich at MAIL.WVNET.EDU Wed Mar 3 13:49:08 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID: <4045E254.900@mail.wvnet.edu>

Julian Field wrote:

> Download as usual from www.mailscanner.info.
>
> Please report any problems!

Ok, something is still not right. I have...

Allow Password-Protected Archives = no

and

Maximum Archive Depth = 0 (I also tried -1)

When Maximum Archive Depth is set to -1 or 0 it will deliver a password-protected zip file even though I have Allow Password-Protected Archives set to "no". If I have Maximum Archive Depth set to 3 then the protected zip is not delivered, as expected, but internal zip checking is done, which is what I want to disable.

I hope I'm not misinterpreting how this should work.

>
> Boy, do I need a holiday... ;-)
>

I can sympathize with that. I keep having visions of a nice trout stream in the mountains. :)

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 13:49:40 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:55 2006
Subject: McAfee PROBLEM !!!
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
Message-ID: <1078321780.13811.283.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
> Does DAT 4332 fix it?

No. Still the same detection problem. I reinstalled my old extra.dat (101068-a.zip) and it now detects them OK.

BTW with plain 4332 I unzipped one password-protected file and scanned its contents and it then recognized the virus.

Denis

> > > -----Original Message-----
> > >
> > > We installed the extra.dat this morning and it was catching some
> > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > >
> > > Now that dat 4331 is out the same files are not detected as viruses
> > > anymore!!!
> > >
> > > I reinstalled the extra.dat to be sure they are detected.
> > >
> > > Scan with 4331:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> > >         is password-protected.
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> > >         is password-protected.
> > >
> > > Scan with 4331 and extra.dat:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > >         Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > >         Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > >

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From P.G.M.Peters at utwente.nl Wed Mar 3 13:50:41 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>
Message-ID:

On Wed, 3 Mar 2004 13:07:07 -0000, you wrote:

>Tony Johansson wrote:
>> Apologies if this is Sendmail and not MailScanner related. Any
>> pointers appreciated.
>>
>> We have some users that complain about email not being properly
>> displayed in their clients. The headers show:
>> X-MIME-Autoconverted: from 8bit to quoted-printable by
>> scanner.ourdomain.com id i231555N010471
>>
>It's a sendmail message, I've seen it before but I can't remember why. Have you checked the archives? Are you running the latest sendmail?

As far as I know this happens when sendmail notices that the receiving end does not support 8BITMIME. You can test it by connecting to the receiving server and issuing "EHLO ". It should give something like:

250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-XUSR
250 HELP

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 13:51:28 2004
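The EHLO check from Peter Peters' X-MIME reply above, as an added example that is not part of the thread: a Python parser for a multi-line EHLO reply that reports whether the receiving server offers 8BITMIME, the condition he names for the 8bit to quoted-printable conversion. The extension list in the first sample is the one quoted in his message; the greeting lines, host names and the second reply are constructed.

```python
import re

# One SMTP reply line: three-digit code, '-' (more lines follow) or ' '
# (final line), then free text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply_text):
    """Return (code, extensions) for an EHLO reply.

    extensions maps the upper-cased keyword to its parameter list. The first
    line of a 250 reply is the server greeting, not an extension.
    """
    lines = [ln.rstrip("\r") for ln in reply_text.split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    code = None
    extensions = {}
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if match is None:
            raise ValueError("malformed reply line: %r" % line)
        line_code, separator, text = match.groups()
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changes mid-reply")
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:
            raise ValueError("bad continuation marker: %r" % line)
        if index > 0 and text.strip():
            keyword, *params = text.split()
            extensions[keyword.upper()] = params
    if code != "250":
        extensions = {}  # EHLO refused: nothing is on offer
    return int(code), extensions


def offers_8bitmime(reply_text):
    """True when the peer advertises 8BITMIME in a successful EHLO reply."""
    code, extensions = parse_ehlo(reply_text)
    return code == 250 and "8BITMIME" in extensions


# Extension lines as quoted in the message; the greeting line is constructed.
REPLY_WITH_8BITMIME = """250-mx.example.org Hello scanner.example.org
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-XUSR
250 HELP"""

# Constructed reply from a server that does not offer 8BITMIME.
REPLY_WITHOUT_8BITMIME = """250-legacy.example.org Hello scanner.example.org
250-SIZE 10240000
250 HELP"""

if __name__ == "__main__":
    for label, reply in (("with", REPLY_WITH_8BITMIME),
                         ("without", REPLY_WITHOUT_8BITMIME)):
        print(label, "8BITMIME offered:", offers_8bitmime(reply))
```

Against a live server, `smtplib.SMTP(host).ehlo()` followed by `has_extn("8bitmime")` answers the same question.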
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
Message-ID: <1078321887.13811.285.camel@dbeauchemin.sti.usherbrooke.ca>

I always reboot after such a change... too many processes depending on this value... but maybe I am just paranoid ;-)

Denis

On Wed 03/03/2004 at 08:28, MailScanner wrote:
> Thanks Mike,
>
> I will make the change outside business hours. I'm assuming that MS will
> pick it up when it next accesses a Perl routine, or does it require a
> service MailScanner reload?
>
> Bart...
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mike Zanker Posted At: 03 March 2004 12:24 Posted To:
> MailScanner
> Conversation: Multi Threaded Perl
> Subject: Re: Multi Threaded Perl
>
>
> On 03 March 2004 12:11 +0000 MailScanner
> wrote:
>
> > Should I change that to:
> >
> > LANG="en_US"
> > SUPPORTED="en_US:en"
>
> Mine is:
>
> LANG="en_GB"
> SUPPORTED="en_GB:en"
> SYSFONT="latarcyrheb-sun16"
>
> and I never have any perl issues or any other system problems.
>
> Mike.

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jfraley at glenraven.com Wed Mar 3 13:50:20 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:55 2006
Subject: sort virus results
In-Reply-To: <6.0.0.22.2.20040303074435.02173ed0@spyderinternet.com>
References: <1078321144.2142.19.camel@jfraleyx.glenraven.com> <6.0.0.22.2.20040303074435.02173ed0@spyderinternet.com>
Message-ID: <1078321819.2142.24.camel@jfraleyx.glenraven.com>

Yea, I have a report that I generate that looks like that, but I need to be able to tie the scanner to the message and the virus.

Number of messages processed : 8243
Number of virus messages     : 554 (6.72%)
Number of spam messages      : 1472 (17.85%)
Number of clean messages     : 6217 (75.42%)
Top Spam Score               : 47.472
Average Spam Score           : 14.43

Viruses detected:
W32/Bagle.c!zip         8
W32/Bagle.e!zip        15
W32/Bagle.f!pwdzip      2
W32/Bagle.j@MM          1
W32/Dumaru.a@MM         6
W32/Klez.h@MM           7
W32/Mimail.a@MM         2
W32/Mimail.j@MM         2
W32/Mydoom.a@MM         4
W32/Mydoom.f!zip        6
W32/Mydoom.f.zip       13
W32/Mydoom.f@MM         4
W32/Netsky.b@MM        14
W32/Netsky.b@MM!zip     7
W32/Netsky.c@MM       301
W32/Netsky.c@MM!zip    15
W32/Netsky.d@MM       173
W32/Swen@MM             2

On Wed, 2004-03-03 at 08:47, jester wrote:
> john,
>
> I use this, don't know if there is a better way, and I'm sure it's not
> perfect, but, works for me :)
>
> cat maillog | grep "Virus '" | cut -f8 "-d " | sort | uniq -c | sort -k1 -n -r
>
> which outputs for me:
>
>     204 Virus
>      81 'W32/Netsky-C'
>       8 'W32/Gibe-F'
>       2 'W32/Mydoom-F'
>       1 'W32/MyDoom-A'
>       1 'W32/Mimail-A'
>       1 'W32/Bugbear-B'
>       1 'Troj/Sefex-A'
>
> hope that helps
> Michael
> Spyderinternet
>
> At 07:39 AM 3/3/2004, you wrote:
>
> >Is there a way to have MailScanner write to a file the results of each of
> >the virus scanner's results. We currently use McAfee and ClamAV and are
> >looking to add at least one more scanner. I have been asked to be able
> >to compare the performance of each scanner that we use.
So, I need the
> >information such as:
> >
> >Message ID      Scanner        Virus
> >i23DR2KW026160  McAfee         W32/Netsky.d@MM
> >i23DR2KW026160  ClamAV Module  Worm.SomeFool.D
> >i23DR2KW026160  MailScanner    Shortcuts to MS-Dos programs are very
> >dangerous in email (your_details.pif)
> >
> >I can not easily get this from the logs.
> >
> >Jon
> >
> >--
> >Spydernet has scanned this message for viruses and
> >dangerous content.
> >

From shrek-m at GMX.DE Wed Mar 3 13:55:36 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:55 2006
Subject: Selectively blocking .zip files with a ruleset
In-Reply-To:
References:
Message-ID: <4045E3D8.9040204@gmx.de>

Peter Bates wrote:

>I'd like to go to
>
>deny \.zip$
>
>in filename.rules.conf
>
>but I've been informed we have some users that regularly send data only
>in zip-files, and that can't be necessarily convinced to rename them
>(not a brilliant suggestion, I know, but...)
>
>How can I change 'Filename Rules' to be a ruleset, keep most of the
>ones I have already, but build up a list of 'allowed email senders' for
>.zip?
>
>Still running MS 4.25, SA 2.63, on Postfix...
>
>

search the archives and see /etc/MailScanner/rules/*

eg.
not tested and no guarantee.
please correct me if i am wrong i have no great experiences with rules.
i prefer [tab] as delimiter in all rules

/etc/MailScanner/MailScanner.conf
##Filename Rules = %etc-dir%/filename.rules.conf
Filename Rules = %etc-dir%/filename.rules

/etc/MailScanner/filename.rules
FromOrTo: user1@sld.tld %etc-dir%/rules/user.conf
FromOrTo: user2@sld.tld %etc-dir%/rules/user.conf
FromOrTo: default %etc-dir%/filename.rules.conf

/etc/MailScanner/rules/user.conf
allow \.zip$ - -

--------
jump to "filename.rules"
if user[12]@sld.tld" go to "user.conf"
zip is allowed
default go to "filename.rules.conf"
-------

restart / reload mailscanner
# service MailScanner restart

check the logs
# tail -f /var/log/maillog

and test it

--
shrek-m

From mailscanner at petermair.at Wed Mar 3 14:05:56 2004
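A simplified Python model of the ruleset in shrek-m's post, added here as an example (it is not MailScanner's code and not part of the original message). It assumes first-match-wins in both the ruleset and the filename rules, case-insensitive matching, and that a filename matching no rule is allowed; the two `deny` lines in the global file and the `WITH_GLOBALS` variant are constructed. It shows that a `user.conf` holding only the `allow \.zip$` line leaves the listed users with no other filename rules.

```python
import re

# Constructed copies of the files in the post. Fields are whitespace-separated
# here; the post's author prefers tabs. The two global deny lines are samples.
RULESET = """\
FromOrTo: user1@sld.tld %etc-dir%/rules/user.conf
FromOrTo: user2@sld.tld %etc-dir%/rules/user.conf
FromOrTo: default %etc-dir%/filename.rules.conf
"""
GLOBAL_RULES = "deny \\.zip$ - -\ndeny \\.pif$ - -\n"
USER_RULES_AS_POSTED = "allow \\.zip$ - -\n"
# Variant: the allow line first, then the site-wide rules repeated after it.
USER_RULES_WITH_GLOBALS = USER_RULES_AS_POSTED + GLOBAL_RULES

AS_POSTED = {
    "%etc-dir%/rules/user.conf": USER_RULES_AS_POSTED,
    "%etc-dir%/filename.rules.conf": GLOBAL_RULES,
}
WITH_GLOBALS = dict(AS_POSTED)
WITH_GLOBALS["%etc-dir%/rules/user.conf"] = USER_RULES_WITH_GLOBALS


def parse_ruleset(text):
    """Return [(direction, address, value)] from 'Direction: address value' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        rules.append((parts[0].rstrip(":").lower(), parts[1].lower(), parts[2]))
    return rules


def select_rules_file(ruleset, sender, recipients):
    """First matching ruleset line wins; 'default' matches every message."""
    sender = sender.lower()
    recipients = [r.lower() for r in recipients]
    for direction, address, value in ruleset:
        if address == "default":
            return value
        from_hit = direction in ("from", "fromorto") and address == sender
        to_hit = direction in ("to", "fromorto") and address in recipients
        if from_hit or to_hit:
            return value
    return None


def parse_filename_rules(text):
    """Return [(action, compiled regex)] from 'allow|deny regex log user' lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() in ("allow", "deny"):
            rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE)))
    return rules


def check_filename(rules, filename):
    """First matching rule decides; a name that matches nothing is allowed."""
    for action, regex in rules:
        if regex.search(filename):
            return action
    return "allow"


def verdict(files, sender, recipients, filename):
    """Return (rules file chosen for this message, allow/deny for the filename)."""
    chosen = select_rules_file(parse_ruleset(RULESET), sender, recipients)
    rules = parse_filename_rules(files.get(chosen, ""))
    return chosen, check_filename(rules, filename)


if __name__ == "__main__":
    cases = [("user1@sld.tld", "data.zip"), ("other@example.org", "data.zip"),
             ("user1@sld.tld", "your_details.pif")]
    for label, files in (("as posted", AS_POSTED), ("with globals", WITH_GLOBALS)):
        for sender, name in cases:
            print(label, sender, name, verdict(files, sender, ["me@example.org"], name))
```

In the model, `your_details.pif` from `user1@sld.tld` is allowed with the file as posted and denied once the site-wide rules follow the `allow` line in `user.conf`.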
From: mailscanner at petermair.at (Patrick Petermair) Date: Thu Jan 12 21:22:56 2006 Subject: Why is this mail spam? In-Reply-To: <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk> References: <4045C096.9060108@petermair.at> <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk> Message-ID: <4045E644.9070706@petermair.at> Julian Field wrote: > Appearance in 1 RBL causes the message to be marked as spam. If you don't > like that, set "Spam List =" (i.e. set it to nothing) and just use the RBL > functionality that is provided by SpamAssassin. Thnx Julian, now it works as planned. However, for future releases a "Spam Lists to reach Spam score" would be nice, because "appearance in 1 spam list = spam" is pretty aggressive. Patrick From raymond at PROLOCATION.NET Wed Mar 3 14:09:42 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:56 2006 Subject: ClamAV module In-Reply-To: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk> Message-ID: Hi! > I was already running the Mail::ClamAV module so to be on the safe side I > stopped MS just prior to the 'make install' of .67 and installed the latest > Mail::ClamAV via CPAN at the same time, just in case the libraries had > changed at all. > > Working nicely so far... Are you sure ? Mail-ClamAV-0.05 is broken, you should use .4 Bye, Raymond. From gdoris at rogers.com Wed Mar 3 14:12:18 2004 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:56 2006 Subject: Multi Threaded Perl In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net> References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net> Message-ID: <40302.129.80.22.133.1078323138.squirrel@65.48.246.102> > Thanks Mike, > > I will make the change outside business hours. I'm assuming that MS will > pick it up when it next accesses a Perl routine, or does it require a > service MailScanner reload? > > Bart... > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mike Zanker Posted At: 03 March 2004 12:24 Posted To:
> MailScanner
> Conversation: Multi Threaded Perl
> Subject: Re: Multi Threaded Perl
>
>
> On 03 March 2004 12:11 +0000 MailScanner
> wrote:
>
>> Should I change that to:
>>
>> LANG="en_US"
>> SUPPORTED="en_US:en"

I have the following in my file:

LANG="en_US"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"

I had to change it from the RH default to get things working correctly.

Gerry

From dot at DOTAT.AT Wed Mar 3 14:04:15 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!!
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
Message-ID:

Denis Beauchemin wrote:
>On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
>> Does DAT 4332 fix it?
>
>No. Still the same detection problem. I reinstalled my old extra.dat
>(101068-a.zip) and it now detects them OK.
>
>BTW with plain 4332 I unzipped one password-protected file and scanned
>its contents and it then recognized the virus.

PLEASE PLEASE PLEASE report sightings to AVERT Labs so that they realise
the 4332 dats have a problem!

Tony.
--
f.a.n.finch http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTH 4 OR 5, BUT 6
OR 7 LOCALLY GALE 8 IN THE WEST, LATER VEERING SOUTHWEST AND DECREASING 4 OR 5
GENERALLY. RAIN SPREADING FROM THE WEST, THEN TURNING SHOWERY. GOOD DECREASING
MODERATE AT TIMES IN RAIN. MODERATE TO ROUGH BUILDING ROUGH TO VERY ROUGH FOR
A TIME.

From raymond at PROLOCATION.NET Wed Mar 3 14:17:49 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:56 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <4045C341.8020400@solid-state-logic.com> Message-ID: Hi! > the fastest code factory in the west ain't producing the fastet code:-( > > My CPU is running at 100% and just about keeping up with the mail > traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was > pushing about 1500 per hour.. I hope Julian also can have a look on the MIME fixes implented recently, it really drives my CPU up. My boxes can keep up, but i am sure it will break a lot of others. Bye, Raymond. From craig at WESTPRESS.COM Wed Mar 3 14:23:02 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:56 2006 Subject: What is this Eudora security hole attack? Message-ID: I have a co-worker who is expecting some files via file attachment for a job she is working on. When her client sends them to her, the files are being stripped out and she is receiving 'Bad Content' removed messages from MailScanner. The files that are being stripped out are *.lnk files. What are these? These should be MS Word or MS Publisher files. When I release these messages, they show up as folder shortcuts on a MS system, and useless files on a Macintosh. It is entirely possible that her client does not know how to send these files (though I may get the argument that 'they have always gotten files to us before and not had any problems'. You know what argument I'm talking about?) And while we're on the subject. Since I have installed MailScanner, I have noticed that a couple co-workers now have mail showing up that is split into multi-part messages. (ie. upwards of 16 different parts) What causes this to happen? The file attachments associated with these messages are typically un-usable, and the co-worker calls the client to figure something else out instead (like using the file transfer system we built into our website). And I notice that this is typically only MS stuff that I have problems with. Why does Microsoft have to suck so much? (That's a rhetorical question....) -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 14:22:20 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:56 2006
Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin errors
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>

From the Fedora list. Looks like MailScanner users running on Fedora should
hold back on the Perl 5.8.3 update.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: fedora-list-admin@redhat.com [mailto:fedora-list-admin@redhat.com]On Behalf Of Götz Reinicke
Sent: 03 March 2004 14:12
To: fedora-list@redhat.com
Subject: Re: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin errors

Furthermore this update stopped my mailserver :-(

I'm using Mailscanner and SpamAssassin. :-((((

Downgrading to the working old perl-5.8.1 worked!

Götz Reinicke wrote:
<...>
> But :
> [root@mail etc]# slocate Glob.pm
> /usr/lib/perl5/5.8.1/File/DosGlob.pm
> /usr/lib/perl5/5.8.1/i386-linux-thread-multi/File/Glob.pm

old slocate Data!

Götz

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

From raymond at PROLOCATION.NET Wed Mar 3 14:24:14 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:56 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> Message-ID: Hi! > Can other people confirm this please? > >the fastest code factory in the west ain't producing the fastet code:-( > > > >My CPU is running at 100% and just about keeping up with the mail > >traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was > >pushing about 1500 per hour.. Can upgrade tonight to that version to check, but i can confirm (that was in the readme so no surprise) the new train is running much slower. So perhaps review the MIME code... I know you allready did all you could but it really is a pain like it is now. Bye, Raymond. From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 14:26:36 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:56 2006 Subject: McAfee PROBLEM !!! Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BB@jessica.herefordshire.gov.uk> I've forward it to the Total Virus Defense Mailing list - the NAI guys who lurk there will doubtless look into it. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Finch
> Sent: 03 March 2004 14:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: McAfee PROBLEM !!!
>
>
> Denis Beauchemin wrote:
> >On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
> >> Does DAT 4332 fix it?
> >
> >No. Still the same detection problem. I reinstalled my old
> extra.dat
> >(101068-a.zip) and it now detects them OK.
> >
> >BTW with plain 4332 I unzipped one password-protected file
> and scanned
> >its contents and it then recognized the virus.
>
> PLEASE PLEASE PLEASE report sightings to AVERT Labs so that
> they realise
> the 4332 dats have a problem!
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL:
> SOUTH 4 OR 5, BUT 6
> OR 7 LOCALLY GALE 8 IN THE WEST, LATER VEERING SOUTHWEST AND
> DECREASING 4 OR 5
> GENERALLY. RAIN SPREADING FROM THE WEST, THEN TURNING
> SHOWERY. GOOD DECREASING
> MODERATE AT TIMES IN RAIN. MODERATE TO ROUGH BUILDING ROUGH
> TO VERY ROUGH FOR
> A TIME.
>

From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 14:26:57 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:56 2006 Subject: What is this Eudora security hole attack? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B06@pascal.priv.bmrb.co.uk> Craig Daters wrote: > The files that are being stripped out are *.lnk files. What are > these? These should be MS Word or MS Publisher files. When I release > these messages, they show up as folder shortcuts on a MS system, and > useless files on a Macintosh. > It is entirely possible that her client does not know how to send these files Got it in one! Those are windows shortcuts. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gdoris at rogers.com Wed Mar 3 14:30:23 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:56 2006 Subject: What is this Eudora security hole attack? In-Reply-To: References: Message-ID: <45605.129.80.22.133.1078324223.squirrel@65.48.246.102> > I have a co-worker who is expecting some files via file attachment > for a job she is working on. When her client sends them to her, the > files are being stripped out and she is receiving 'Bad Content' > removed messages from MailScanner. > > The files that are being stripped out are *.lnk files. What are > these? These should be MS Word or MS Publisher files. When I release > these messages, they show up as folder shortcuts on a MS system, and > useless files on a Macintosh. It is entirely possible that her client > does not know how to send these files (though I may get the argument > that 'they have always gotten files to us before and not had any > problems'. You know what argument I'm talking about?) > *.lnk files are link files on an Microsoft system. I think this lady's clients are sending her the link instead of the file they're pointing to. Gerry From kodak at FRONTIERHOMEMORTGAGE.COM Wed Mar 3 14:36:01 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:56 2006 Subject: What is this Eudora security hole attack? In-Reply-To: Message-ID: <005101c4012c$d9d48970$0501a8c0@darkside> >The files that are being stripped out are *.lnk files. What are >these? These should be MS Word or MS Publisher files. When I release >these messages, they show up as folder shortcuts on a MS system, and >useless files on a Macintosh. It is entirely possible that her client >does not know how to send these files (though I may get the argument >that 'they have always gotten files to us before and not had any >problems'. You know what argument I'm talking about?) Most likely the person who's sending the files is sending a Microsoft shortcut instead of the actual file. Microsoft shortcuts are .lnk, which can be a shortcut to a file, program or a URL, but that's all it is, a "shortcut". Instruct the sender to send the actual file and you'll be fine. When something "suddenly stops working" the fault can always be blamed on some person, except in the case of automatic upgrades. :) I can't answer the second part of your question, sorry. >Why does Microsoft have to suck so much? (That's a rhetorical >question....) I know it's rhetorical, but it sucks so much so that you'll buy the next version in the hopes it'll be better. This tactic is nearing end-of-life, finally. --J(K) From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 14:35:51 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
References:
Message-ID: <1078324551.13811.299.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/03/2004 at 09:23, Craig Daters wrote:
> And while we're on the subject. Since I have installed MailScanner, I
> have noticed that a couple co-workers now have mail showing up that
> is split into multi-part messages. (ie. upwards of 16 different
> parts) What causes this to happen? The file attachments associated
> with these messages are typically un-usable, and the co-worker calls
> the client to figure something else out instead (like using the file
> transfer system we built into our website). And I notice that this is
> typically only MS stuff that I have problems with.

All Microsoft email software has the ability to chop big emails in smaller parts that are supposed to be reassembled together on the destination PC (if it is from Microsoft, of course). This is another bad Microsoft design choice...

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From james at DENY.ORG Wed Mar 3 14:33:56 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:56 2006
Subject: Postfix and spam.actions.rules and delete not working?
Message-ID: <4045ECD4.6040406@deny.org>

I use Postfix and MailScanner 4.26.5-1 and use spam.action.rules, however I have been testing the delete option and it does not seem to work at all. I still get tagged spam. I have included what I believe to be all pertinent lines from my configs. Any idea what I munged up?

MailScanner.conf :
%rules-dir% = /etc/MailScanner/rules
Spam Actions = %rules-dir%/spam.actions.rules
High Scoring Spam Actions = %rules-dir%/high.spam.actions.rules
Use Default Rules With Multiple Recipients = yes

/etc/MailScanner/rules/spam.actions.rules :
To: james@deny.org delete
To: jimmy@isdn.net delete
FromOrTo: default deliver

/etc/MailScanner/rules/high.spam.actions.rules :
FromOrTo: default delete

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 14:45:51 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee and password-protected zip file detection in MS
Message-ID: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca>

Hi all,

I tried to modify SweepViruses.pm so it could grab McAfee's "is password-protected" string and just treat the attachment as a virus but it doesn't work...

I modified ProcessMcAfeeOutput() this way:
#return 0 unless $line =~ /Found/;
return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));

Any ideas why it is not kicking in? Could it be because McAfee returns a zero return code if it detects a password-protected zip file (I know this is what it does)?

If so, could there be another way of achieving the same result without having to upgrade to the latest unstable version?

Thanks!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Wed Mar 3 14:36:47 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <4045E254.900@mail.wvnet.edu>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu>
Message-ID: <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>

At 13:49 03/03/2004, you wrote:
>Julian Field wrote:
>
>>Download as usual from www.mailscanner.info.
>>
>>Please report any problems!
>
>Ok, something is still no right. I have...
>
>Allow Password-Protected Archives = no
>
>and
>
>Maximum Archive Depth = 0 (I also tried -1)
>
>When Maximum Archive Depth is set to -1 or 0 it will deliver a password
>protected zip file even though I have Allow Password-Protected Archives
>set to "no". If I have Maximum Archive Depth set to 3 then the
>protected zip is not delivered as expected but internal zip checking is
>done which is what I want to disable. I hope I'm not misinterpreting
>how this should work.

You can't currently check the contents of the zip files without unpacking them. Unpacking them causes the other checks to be run on their members.

So now I have changed it: setting the options as you have given it above will now just test the first level of zip files to see if their members are encrypted at all. It won't actually extract them. Because it doesn't extract them it can't do any more levels of nesting.

BTW "All-Viruses" now includes "Zip-Password" in the silent viruses list.

>>Boy, do I need a holiday... ;-)
>I can sympathize with that. I keep having visions of a nice trout
>stream in the mountains. :)

Give me some nice looking hills, a comfy pair of boots, some sunshine, and a map.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bg.mahesh at INDIAINFO.COM Wed Mar 3 11:51:34 2004
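The first-level test Julian describes in the message above, sketched in Python as an added example (it is not MailScanner's code, which is Perl, and not part of the original message). It reads each zip's central directory and checks the encryption bit of every member without extracting anything; `make_zip`, `SAMPLE` and the attachment names are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 of a zip member: encrypted


def encrypted_members(data):
    """Names of first-level members flagged as encrypted; None if not a zip.

    Only the central directory is read. No member is decompressed or
    extracted, so a zip nested inside this one is never looked into.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return None


def check_attachments(attachments, allow_password_protected=False):
    """Return {attachment name: [encrypted member names]} for what to block.

    Every attachment is judged on its own, so an unprotected zip in the same
    message does not hide a protected one.
    """
    blocked = {}
    for name, data in attachments.items():
        hits = encrypted_members(data)
        if hits and not allow_password_protected:
            blocked[name] = hits
    return blocked


def make_zip(members, encrypt=()):
    """Build a constructed sample zip in memory.

    Names listed in `encrypt` get the encrypted bit set in the central
    directory. The payload is not really encrypted; only the header bit
    that the check reads is set.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    # End-of-central-directory record is the last 22 bytes (no zip comment).
    cd_size, cd_offset = struct.unpack("<II", raw[-10:-2])
    pos = cd_offset
    while pos < cd_offset + cd_size:
        if raw[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("unexpected central directory layout")
        (flags,) = struct.unpack_from("<H", raw, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        name = raw[pos + 46:pos + 46 + name_len].decode("utf-8")
        if name in encrypt:
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED_FLAG)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


# Constructed sample message: one plain file, one ordinary zip, one zip with a
# protected member, and one ordinary zip wrapping a protected zip.
SAMPLE = {
    "notes.txt": b"plain text, not an archive",
    "photos.zip": make_zip({"a.jpg": b"constructed payload"}),
    "details.zip": make_zip({"details.exe": b"constructed payload",
                             "readme.txt": b"constructed payload"},
                            encrypt={"details.exe"}),
    "outer.zip": make_zip({"inner.zip": make_zip({"x.exe": b"constructed payload"},
                                                 encrypt={"x.exe"})}),
}

if __name__ == "__main__":
    for name, data in SAMPLE.items():
        print(name, encrypted_members(data))
    print("blocked:", check_attachments(SAMPLE))
```

`outer.zip` comes back with no encrypted members: the protected archive sits one level down, which is the nesting limit the message states for a check that does not unpack.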
From: bg.mahesh at INDIAINFO.COM (BG Mahesh) Date: Thu Jan 12 21:22:56 2006 Subject: SpamAssassin installation could not be found Message-ID: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com> > You probably installed SpamAssassin from the RPM distribution. Remove that > rpm (use "rpm -e" to do it) and then install SpamAssassin either from > source or from CPAN like this: > perl -MCPAN -e shell > install Mail::SpamAssassin > > Then you should find it works. > Nops, I installed it from the source file. This box did not have a RPM distribution before I started the installation from source. -- B.G. Mahesh bg.mahesh@indiainfo.com http://www.indiainfo.com/ -- ______________________________________________ IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes! Powered by Outblaze From jamesb at LUDCASTLE.CO.UK Wed Mar 3 13:23:18 2004 
From: jamesb at LUDCASTLE.CO.UK (James Beale) Date: Thu Jan 12 21:22:56 2006 Subject: Virus infected attachment removal Message-ID: Julian Thanks so much for the - as always - most helpful reply. And yes, dead right, version 3.22-10, to be precise! How did you know!?! :) (No reply needed to that!) I shall do as you advise, and upgrade to see what happens. Again, thank you. James. On Wed, 3 Mar 2004 10:15:29 +0000, Julian Field wrote: >You are running a *very* old version of MailScanner, probably version 3. >Version 4 was released in the summer of 2002, to give you some idea. >Upgrade to a rather more recent version. > >At 23:06 02/03/2004, you wrote: >>Hi >> >>Firstly, apologies. I'm feeling a little sheepish that I can't work this >>out for myself! >> >>I'm using Mailscanner with Command Software's virus scanner. Mail is being >>picked up via Fetchmail. I am testing with Eicar test virus, and using >>Openwebmail as my client. >> >>Mailscanner correctly identifies that the incoming mail has a virus, and >>deposits {VIRUS?} in the subject field. What I can't seem to do is get the >>attachment either disinfected or removed from the message. Eicar is not in >>any activated "allowed" list or other. >> >>I have messed around with the following, and currently have them set to: >>Deliver To Recipients = yes >>Deliver From Local Domains = yes >>Action = delete >>Deliver Disinfected Files = yes >> >>Not for the first time I feel I'm missing something obvious... >> >>Thanks very much. >> >>James. > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From tony.johansson at SVENSKAKYRKAN.SE Wed Mar 3 13:29:01 2004 
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:22:56 2006 Subject: X-MIME Message-ID: On Wed, 3 Mar 2004 13:07:07 -0000, Spicer, Kevin wrote: >Tony Johansson wrote: >> Apologies if this is Sendmail and not MailScanner related. Any >> pointers appriciated. >> >> We have some users that complain about email not beeing properly >> displayed in their clients. The headers show: >> X-MIME-Autoconverted: from 8bit to quoted-printable by >> scanner.ourdomain.com id i231555N010471 >> >Its a sendmail message, I've seen it before but I can't remember why. >Have you checked the archives? Are you running the latest sendmail? Latest sendmail available with redhat enterprise linux, yes I found a reference to setting "O DefaultCharSet=iso-8859-1" in sendmail.cf, trying that now. It was in there but commented out for some reason Regards, Tony From dwinkler at ALGORITHMICS.COM Wed Mar 3 14:48:19 2004 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:56 2006 Subject: X-MIME Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B289@tormail2.algorithmics.com> I think I remember this having something to do with the character set specified in the sendmail config. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Tony Johansson > Sent: Wednesday, March 03, 2004 8:03 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: X-MIME > > > Apologies if this is Sendmail and not MailScanner related. > Any pointers > appriciated. > > We have some users that complain about email not beeing > properly displayed > in their clients. The headers show: > X-MIME-Autoconverted: from 8bit to quoted-printable by > scanner.ourdomain.com id i231555N010471 > > Is there a way to avoid converting messages? > Does anyone have a solution to our problem? > > Regards, Tony > From dwinkler at ALGORITHMICS.COM Wed Mar 3 14:43:11 2004 
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:22:56 2006 Subject: Custom Scores Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B288@tormail2.algorithmics.com> DCC tracks how many times it has seen the email based on some fuzzy hashes I believe. It tracks spam and ham. In the case of a heavily distributed mailing list, which may be considered ham, it would also trigger. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Pete > Sent: Wednesday, March 03, 2004 1:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Custom Scores > > > Just installed DCC on one of my servers today and is working nicely - > made me think that, if some messages are listed with checks > like DCC or > certain RBLs, then they must be alsmot %100 spam, or > undesirable emails? > > Has anyone heard of DCC or the best RBLs listing legit senders or > emails? is it worth giving these a much higher score so these message > score as High Spam and are deleted on the spot? > > OR am i am missing the central reaosns why this likes DCC > only score 1.81 ? > From gdoris at rogers.com Wed Mar 3 14:51:47 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:56 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <4045E254.900@mail.wvnet.edu> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu> Message-ID: <35919.129.80.22.133.1078325507.squirrel@65.48.246.102> > Julian Field wrote: > >> Download as usual from www.mailscanner.info. >> >> Please report any problems! > > Ok, something is still no right. I have... > > Allow Password-Protected Archives = no > > and > > Maximum Archive Depth = 0 (I also tried -1) > > When Maximum Archive Depth is set to -1 or 0 it will deliver a password > protected zip file even though I have Allow Password-Protected Archives > set to "no". If I have Maximum Archive Depth set to 3 then the > protected zip is not delivered as expected but internal zip checking is > done which is what I want to disable. I hope I'm not misinterpreting > how this should work. > >> >> Boy, do I need a holiday... ;-) >> > I can sympathize with that. I keep having visions of a nice trout > stream in the mountains. :) On a positive note.... The delay of up to 600 seconds for the upgrade_virus_scanners seems to be working just fine. Gerry From rabellino at DI.UNITO.IT Wed Mar 3 14:52:44 2004 
From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:56 2006 Subject: McAfee and password-protected zip file detection in MS In-Reply-To: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <4045F13C.5060100@di.unito.it> Denis Beauchemin wrote: > Hi all, > > I tried to modify SweepViruses.pm so it could grab McAfee's "is > password-protected" string and just treat the attachment as a virus but > it doesn't work... > > I modified ProcessMcAfeeOutput() this way: > #return 0 unless $line =~ /Found/; > return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/)); > > Any ideas why it is not kicking in? Could it be because McAfee returns > a zero return code if it detects a password-protected zip file (I know > this is what it does)? > > If so, could there be another way of achieving the same result without > having to upgrade to the latest unstable version? > > Thanks! > > Denis probably the message "password protected" is printed on a second line or to stderr. But I've read that the latest release of mailscanner can check Bagle's zip or I'm wrong ? thanks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From mailscanner at ecs.soton.ac.uk Wed Mar 3 14:58:09 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Guess what.... 4.28.4 Message-ID: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> Sorry the updates are appearing so thick and fast at the moment. I wish everything was rather quieter than it is right now. But you folks need protection against the latest nasties, so I haven't much option. I have corrected the problem with this morning's code where it wasn't correctly handling messages that contained both a password-protected zip and an unprotected zip. I have also added a check so that if you set the max nesting depth to 0 but still ban password-protected zip files, then the attachments are checked for password-protected zips without the other rules being enforced on the contents of the zip files. It will only check the first level of nesting though, as it obviously can't check a zip file it has been asked not to unpack or create in the first place. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 15:37:10 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:56 2006 Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BE@jessica.herefordshire.gov.uk> Phew, I might try it tomorrow night, then. I've noticed that Net::DNS and Net::CIDR have been updated since I first installed them a few months back, too. MailScanner works fine with the new versions. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Gerry Doris
> Sent: 03 March 2004 15:21
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 -
> Webmin
>
>
> >>From the Fedora list. Looks like MailScanner users running
> on Fedora
> >> should
> > hold back on the Perl 5.8.3 update.
> >
> > Cheers,
> >
> > Phil
>
> I upgraded Perl yesterday and later noticed that
> MailScanner/SpamAssassin
> had stopped running. I wasn't sure what had caused this.
> Mail was just
> piling up but not lost.
>
> I restarted the box and everything started working again.
> There's been no
> problems since.
>
>
> Gerry
>

From dustin.baer at IHS.COM Wed Mar 3 15:31:36 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:56 2006
Subject: bagle SpamAssassin rule
Message-ID: <4045FA58.C955B333@ihs.com>

For those of you who want to try to catch these with SpamAssassin, I think the following should work:

body BAGLE_PASSWORD /password.*[0-9]{4,}/i
describe BAGLE_PASSWORD Password.*numbers
score BAGLE_PASSWORD 6.5

If anyone has a better suggestion, let us know!

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From vinayakm at THEARGONCOMPANY.COM Wed Mar 3 15:35:13 2004
From: vinayakm at THEARGONCOMPANY.COM (Vinayakam Murugan)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
Message-ID: <200403032105.13375.vinayakm@theargoncompany.com>

Hi

Some machine on our network has been infected by Worm.Bagel.J and other
variants. This is spawning a whole lot of mails with password encrypted zip
files which contain infected executables.

We are using MailScanner-4.21 along with clamav-0.67-1.

Anybody face a similar problem? Any pointers would be great.

--
Warm Regards
~~~~~~~~~~~~~~~~~~~~~~~
Vinayakam Murugan

Tel: 91-22 - 2288 2163 Ext 121
Help Desk: 91-22 - 2288 2774
Fax Number: 91-22 - 2288 2812

http://www.TheArgonCompany.com

Viruses getting you down?
Get your virus protected mailbox at http://www.tassm.com

Linux. The Choice of the GNU generation

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 15:46:37 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:56 2006
Subject: Guess what.... 4.28.4
In-Reply-To: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk>
Message-ID: <4045FDDD.4030207@solid-state-logic.com>

Julian

OK got it, installed it, so far so good..

The 'slowness' does affect all 4.28 BTW - just didn't notice on 4.28.2-2
yesterday. I guess once features etc have been sorted the speed will have
to be looked at (no I'm not volunteering as I'm no perl guru).

For what it's worth 4.28.4 'feels' faster looking at the log files...no
timings so I can't say for certain.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> Sorry the updates are appearing so thick and fast at the moment.
> I wish everything was rather quieter than it is right now. But you folks
> need protection against the latest nasties, so I haven't much option.
>
> I have corrected the problem with this morning's code where it wasn't
> correctly handling messages that contained both a password-protected zip
> and an unprotected zip.
>
> I have also added a check so that if you set the max nesting depth to 0 but
> still ban password-protected zip files, then the attachments are checked
> for password-protected zips without the other rules being enforced on the
> contents of the zip files. It will only check the first level of nesting
> though, as it obviously can't check a zip file it has been asked not to
> unpack or create in the first place.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed.
If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From rcooper at DWFORD.COM Wed Mar 3 15:48:21 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Craig Daters
> Sent: Wednesday, March 03, 2004 9:23 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: What is this Eudora security hole attack?
>
>
> I have a co-worker who is expecting some files via file attachment
> for a job she is working on. When her client sends them to her, the
> files are being stripped out and she is receiving 'Bad Content'
> removed messages from MailScanner.

If you click on an exe in Eudora it will pop up a box telling you
executing this file could be dangerous but, on some versions,
if you click on a shortcut (.lnk) to the same exe attachment it
will run it without warning. And shortcuts can be quite dangerous
because they execute another file such as, say format C: or the
shortcut points to "c:\windows\commands\deltree.exe /Y c:\"

>
> The files that are being stripped out are *.lnk files. What are
> these? These should be MS Word or MS Publisher files. When I release
> these messages, they show up as folder shortcuts on a MS system, and
> useless files on a Macintosh. It is entirely possible that her client
> does not know how to send these files (though I may get the argument
> that 'they have always gotten files to us before and not had any
> problems'. You know what argument I'm talking about?)
>

She is sending a shortcut to the file, not the file itself

> And while we're on the subject. Since I have installed MailScanner, I
> have noticed that a couple co-workers now have mail showing up that
> is split into multi-part messages. (ie. upwards of 16 different
> parts) What causes this to happen? The file attachments associated

I would look at the size of the attachments and the
tools->accounts-advanced tab and see if it's set to breakup messages
over xxx bytes (seems like the default is like 2mg)

> with these messages are typically un-usable, and the co-worker calls
> the client to figure something else out instead (like using the file
> transfer system we built into our website). And I notice that this is
> typically only MS stuff that I have problems with.
>
> Why does Microsoft have to suck so much? (That's a rhetorical
> question....)

They're lucky they get through, I do not allow multi-part messages
because they cannot be scanned for viruses or content... bad
mojo.

> --
> --
>
> Craig Daters (craig@westpress.com)
> Systems Administrator
> West Press Printing
> 1663 West Grant Road
> Tucson, Arizona 85745-1433
>
> Tel: 520-624-4939
> Fax: 520-624-2715
>
> www.westpress.com
>
> --
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 15:49:49 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk>
Message-ID: <4045FE9D.9060906@solid-state-logic.com>

only Mail::clamav I find at the moment is 0.06 which doesn't seem to
work..just sits there after initialising SophosSavi.... works on debug
mode so I dunno why?

anyone got a tar of 0.04 I can have to try that? Mail me direct if you
have to save clogging the list.

Ta

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Steve Freegard wrote:
> Hi Martin,
>
> I don't think it matters at all - this morning I just upgraded Clam to .67
> as I realised I'd downloaded it but not installed it (Duh!).
>
> I was already running the Mail::ClamAV module so to be on the safe side I
> stopped MS just prior to the 'make install' of .67 and installed the latest
> Mail::ClamAV via CPAN at the same time, just in case the libraries had
> changed at all.
>
> Working nicely so far...
>
> Kind regards,
> Steve.
>
>
>>-----Original Message-----
>>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
>>Sent: 03 March 2004 10:31
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: ClamAV module
>>
>>
>>Guys
>>
>>Which version of the clamAVmodule should I be using. I recall
>>something about one of the versions not working properly with
>>MS, but I can't see anything on the archives.
>>
>>(btw - running MS 4.28.2-2 and clamav 0.67)
>>
>>
>>--
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>
>
> --
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the sender and delete the message from your mailbox.
>
> This footnote also confirms that this email message has been swept by
> MailScanner (www.mailscanner.info) for the presence of computer viruses.

From henker at S-H-COM.DE Wed Mar 3 15:51:52 2004
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To:
References:
Message-ID:

On Wed, 3 Mar 2004, Raymond Dijkxhoorn wrote:

> Are you sure ? Mail-ClamAV-0.05 is broken, you should use .4

You can use .05, if you comment out the line regarding the "config.pl"
as Julian suggested some time ago. But sticking with .04 sounds like a
good idea.

Regards,

Steffan

From craig at WESTPRESS.COM Wed Mar 3 15:55:38 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
References:
Message-ID:

>If you click on an exe in Eudora it will pop up a box telling you
>executing this file could be dangerous but, on some versions,
>if you click on a shortcut (.lnk) to the same exe attachment it
>will run it without warning. And shortcuts can be quite dangerous
>because they execute another file such as, say format C: or the
>shortcut points to "c:\windows\commands\deltree.exe /Y c:\"

Thank you, that explains it. And "thank you" to everyone else that
gave their input. All the information submitted was helpful.

>I would look at the size of the attachments and the
>tools->accounts-advanced tab and see if it's set to breakup messages
>over xxx bytes (seems like the default is like 2mg)

[- snip -]

>They're lucky they get through, I do not allow multi-part messages
>because they cannot be scanned for viruses or content... bad
>mojo.

Yes, I agree it is bad mojo. I bet this feature was implemented to
try and overcome the filesize limit imposed by some ISP regarding
file attachments. I think file attachments are bad anyway, and never
pass up an opportunity to try and sell FTP to someone.
--
--

Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

--

From sysadmins at ENHTECH.COM Wed Mar 3 15:56:58 2004
From: sysadmins at ENHTECH.COM (Admin Team)
Date: Thu Jan 12 21:22:56 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To:
References: <404377BC.49FC7130@ihs.com>
Message-ID: <6.0.2.0.0.20040303105604.027d6e00@mail.enhtech.com>

At 12:58 PM 3/1/2004, Raymond Dijkxhoorn wrote:
>Hi!
>
> > > >>> Its in our top10 of today:
> > > >>>
> > > >>> 4747 W32/Netsky.B@mm
> > > >>> 1275 W32/Swen.A@mm
> > > >>> 404 W32/Sober.C@mm
> > > >>> 337 W32/Mydoom.A@mm
> > > >>> 200 W32/Netsky.C@mm
> > > >>> 126 W32/Bugbear.B@mm
> > > >>> 96 W32/Bagle.F@mm
> > > >>> 57 W32/Bagle.E@mm
> > > >>> 49 W32/Mydoom.E@mm
> > > >>> 19 W32/Mimail.J@mm
> >
> > I am not peter or raymond, but...
> >
> > grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed "s/found.*//" | sort | uniq -c | sort -n -r
>
>You might want to do this a little smarter :) We for example parse around
>1.5 GB logfiles, your disk won't be happy if you grep those all over from
>the start again and again :) We update every 5 minutes now and have
>around 5-6 seconds parsing time on that :)
>
>Bye,
>Raymond.

Raymond,

How is it that you are detecting these viruses in the password protected
archives? They just fly past sophos on my mailscanner

Errol Neal

From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 15:57:23 2004
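[Added example, not part of the thread.] One way to do the "smarter" parsing Raymond describes: remember the byte offset reached in the log and read only what was appended since the last run. The match pattern is the one from the grep command quoted above; the log lines, file names and state-file layout are constructed for this illustration.

```python
import json
import os
import re
import tempfile
from collections import Counter

# Same pattern as the grep in the thread, with the virus name captured.
VIRUS_RE = re.compile(r"Virus '([^']*)' found")


def update_counts(log_path, state_path):
    """Tally virus names from lines appended to log_path since the last call."""
    state = {"inode": None, "offset": 0, "counts": {}}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            state = json.load(fh)

    st = os.stat(log_path)
    # A new inode, or a file shorter than our offset, means the log was rotated
    # or truncated: start again from the top of the current file.
    if st.st_ino != state["inode"] or st.st_size < state["offset"]:
        state["inode"], state["offset"] = st.st_ino, 0

    counts = Counter(state["counts"])
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # half-written line; leave it for the next run
            match = VIRUS_RE.search(raw.decode("utf-8", "replace"))
            if match:
                counts[match.group(1)] += 1
            state["offset"] += len(raw)

    state["counts"] = dict(counts)
    with open(state_path, "w") as fh:
        json.dump(state, fh)
    return counts.most_common()  # same ordering idea as sort | uniq -c | sort -n -r


def run_demo():
    """Three runs over a constructed log: initial read, append, rotation."""
    line = "Mar  3 11:00:0{} mx1 MailScanner[4242]: >>> Virus '{}' found in file ./msg{}/a.zip\n"
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "maillog")
        state = os.path.join(tmp, "state.json")
        with open(log, "w") as fh:
            fh.write(line.format(1, "W32/Netsky.B@mm", 1))
            fh.write(line.format(2, "W32/Bagle.F@mm", 2))
            # The writer is in the middle of this line when we read.
            fh.write("Mar  3 11:00:03 mx1 MailScanner[4242]: >>> Virus 'W32/Netsky")
        first = update_counts(log, state)
        with open(log, "a") as fh:
            fh.write(".B@mm' found in file ./msg3/a.zip\n")  # line completed
        second = update_counts(log, state)
        with open(log, "w") as fh:  # rotation: the file restarts, shorter than before
            fh.write(line.format(4, "W32/Netsky.B@mm", 4))
        third = update_counts(log, state)
    return first, second, third


if __name__ == "__main__":
    for run in run_demo():
        print(run)
```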
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk>

Vinayakam Murugan wrote:
> Hi
>
> Some machine on our network has been infected by Worm.Bagel.J and
> other variants. This is spawning a whole lot of mails with password
> encrypted zip files which contain infected executables.
>
> We are using MailScanner-4.21 along with clamav-0.67-1.
>
> Anybody face a similar problem? Any pointers would be great.

Find its IP, deny access to SMTP port via iptables.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From drew at THEMARSHALLS.CO.UK Wed Mar 3 15:56:29 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
In-Reply-To: <200403032105.13375.vinayakm@theargoncompany.com>
References: <200403032105.13375.vinayakm@theargoncompany.com>
Message-ID: <12951.194.70.180.170.1078329389.squirrel@net.themarshalls.co.uk>

Vinayakam Murugan said:
> Hi
>
> Some machine on our network has been infected by Worm.Bagel.J and other
> variants. This is spawning a whole lot of mails with password encrypted
> zip files which contain infected executables.

Shut down your network and get all those machines cleaned.

>
> We are using MailScanner-4.21 along with clamav-0.67-1.
>

Upgrade MS to the latest beta (And keep an eye on this list as Julian is
working overtime at the moment keeping up. There have been 4 (Or is it 5,
I've lost count!) new beta releases in just over 24 hours. (Got to take
the opportunity to say, thanks Julian. No commercial software could keep
up with that.)

> Anybody face a similar problem? Any pointers would be great.
>
> --
> Warm Regards
> ~~~~~~~~~~~~~~~~~~~~~~~
> Vinayakam Murugan
>
> Tel: 91-22 - 2288 2163 Ext 121
> Help Desk: 91-22 - 2288 2774
> Fax Number: 91-22 - 2288 2812
>
> http://www.TheArgonCompany.com
>
> Viruses getting you down?
> Get your virus protected mailbox at http://www.tassm.com
>
> Linux. The Choice of the GNU generation
>

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From rcooper at DWFORD.COM Wed Mar 3 16:08:51 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee and password-protected zip file detection in MS
In-Reply-To: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Denis Beauchemin
> Sent: Wednesday, March 03, 2004 9:46 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: McAfee and password-protected zip file detection in MS
>
>
> Hi all,
>
> I tried to modify SweepViruses.pm so it could grab McAfee's "is
> password-protected" string and just treat the attachment as a virus but
> it doesn't work...
>
> I modified ProcessMcAfeeOutput() this way:
>     #return 0 unless $line =~ /Found/;
>     return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));

How about adding a log to stderr like:

    print STDERR "Line Was: $line\n";
    return 0 unless $line =~ /Found|password-protected/;

Then run MS in debug and watch and see what it is seeing, perhaps
something is a bit different than you thought, like case?

>
> Any ideas why it is not kicking in? Could it be because McAfee returns
> a zero return code if it detects a password-protected zip file (I know
> this is what it does)?
>
> If so, could there be another way of achieving the same result without
> having to upgrade to the latest unstable version?
>
> Thanks!
>
> Denis
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>

From rcooper at DWFORD.COM Wed Mar 3 16:13:35 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: Encrypted Zip files - how to block
In-Reply-To: <6.0.2.0.0.20040303100437.027d5810@mail.enhtech.com>
Message-ID:

yes, to 4.28.4

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Admin Team
> Sent: Wednesday, March 03, 2004 10:07 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Encrypted Zip files - how to block
>
>
> Hi,
>
> We are getting a bunch of encrypted zip files making it through our
> MailScanners. I am running 4.25-14, the last stable version with the
> original bounce option. Would upgrading solve this issue of these files
> making it through?
>
>
> Errol Neal
>

From P.G.M.Peters at utwente.nl Wed Mar 3 16:17:58 2004
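[Added example, not part of the thread and not MailScanner's code.] A header-only check for password-protected zips at the first level of nesting, the behaviour Julian Field's 4.28.4 announcement describes: it reads the encryption bit from each member's zip header and unpacks nothing. The sample archives are constructed in memory, and all function names and verdict strings are hypothetical.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: member data is encrypted


def classify_attachment(data):
    """Classify one attachment from its zip headers; nothing is unpacked."""
    looks_like_zip = data.startswith(b"PK\x03\x04") or zipfile.is_zipfile(io.BytesIO(data))
    if not looks_like_zip:
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
    except zipfile.BadZipFile:
        return "unreadable-zip"  # zip magic but no usable central directory
    if any(member.flag_bits & ENCRYPTED for member in members):
        return "password-protected"
    return "zip"


def scan_message(attachments):
    """Return (blocked, verdicts) for a dict of attachment name -> bytes.

    Every attachment is inspected, so an unprotected zip sitting next to a
    protected one cannot hide it.
    """
    verdicts = {name: classify_attachment(data) for name, data in attachments.items()}
    blocked = any(verdict == "password-protected" for verdict in verdicts.values())
    return blocked, verdicts


def build_zip(members, protect=()):
    """Constructed sample: a stored zip whose `protect` members get the
    encrypted bit set by hand (the standard library cannot write encrypted
    members; the payload stays plaintext, which a header check never reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record is the last 22 bytes (no comment).
    total, _cd_size, cd_offset = struct.unpack_from("<HII", raw, len(raw) - 22 + 10)
    pos = cd_offset
    for _ in range(total):
        (flags,) = struct.unpack_from("<H", raw, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        (local_offset,) = struct.unpack_from("<I", raw, pos + 42)
        name = raw[pos + 46:pos + 46 + name_len].decode("ascii")
        if name in protect:
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED)  # central directory
            (local_flags,) = struct.unpack_from("<H", raw, local_offset + 6)
            struct.pack_into("<H", raw, local_offset + 6, local_flags | ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


def run_demo():
    """One message with a plain zip, a protected zip, a nested case and text."""
    protected = build_zip({"price.scr": b"constructed payload"}, protect={"price.scr"})
    plain = build_zip({"notes.txt": b"hello"})
    nested = build_zip({"inner.zip": protected})  # protected zip one level down
    return scan_message({
        "notes.zip": plain,
        "price.zip": protected,
        "outer.zip": nested,
        "readme.txt": b"plain text",
    })


if __name__ == "__main__":
    print(run_demo())
```

The nested case comes back as an ordinary "zip": a first-level check sees only the outer archive's headers, which is the limitation Julian's announcement points out for a nesting depth of 0.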
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To:
References: <4045C341.8020400@solid-state-logic.com>
Message-ID:

On Wed, 3 Mar 2004 15:17:49 +0100, you wrote:

>Hi!
>
>> the fastest code factory in the west ain't producing the fastest code:-(
>>
>> My CPU is running at 100% and just about keeping up with the mail
>> traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was
>> pushing about 1500 per hour..
>
>I hope Julian also can have a look on the MIME fixes implemented recently,
>it really drives my CPU up. My boxes can keep up, but i am sure it will
>break a lot of others.

I have installed the new version and it can clean incoming (I keep
incoming sendmail running during upgrades) almost as fast as the old
one. That's the indication for me whether a version is fast enough to
handle our load.

And I have another problem. Our third mailserver is behind a dead router
so I had to redirect all pointers to the two servers locally. They now
get 50% extra messages to chew on and they still manage to get it done.

Nice piece of software. ;-)

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 16:18:13 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:56 2006
Subject: MS 4.28.4
Message-ID: <40460545.6090708@solid-state-logic.com>

Julian

Using the default settings (including archive depth and so on) looks
like MS just trapped one of the bagle variants..

Just need to confirm with the user in question, but the 'from address'
is a Belgian domain and the ip, is a verizon NY dialup/broadband ip
address so it's very suspect..

And ClamAV didn't spot it either..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mike at TC3NET.COM Wed Mar 3 16:25:00 2004
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee and password-protected zip file detection in MS
In-Reply-To:
References:
Message-ID: <1078331100.3290.1.camel@mike-new2.tc3net.com>

So is McAfee uvscan with the latest .dat working or not? I am seeing
Bagle.j's caught, looking at my statistics.

Regards
MIKE

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Denis Beauchemin
> > Sent: Wednesday, March 03, 2004 9:46 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: McAfee and password-protected zip file detection in MS
> >
> >
> > Hi all,
> >
> > I tried to modify SweepViruses.pm so it could grab McAfee's "is
> > password-protected" string and just treat the attachment as a virus but
> > it doesn't work...
> >
> > I modified ProcessMcAfeeOutput() this way:
> >     #return 0 unless $line =~ /Found/;
> >     return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));
>
> How about adding a log to stderr like:
>     print STDERR "Line Was: $line\n";
>     return 0 unless $line =~ /Found|password-protected/;
>
> Then run MS in debug and watch and see what it is seeing, perhaps
> something is a bit different than you thought, like case?
>
> >
> > Any ideas why it is not kicking in? Could it be because McAfee returns
> > a zero return code if it detects a password-protected zip file (I know
> > this is what it does)?
> >
> > If so, could there be another way of achieving the same result without
> > having to upgrade to the latest unstable version?
> >
> > Thanks!
> >
> > Denis
> > --
> > Denis Beauchemin, analyst
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
> >
>

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 16:26:05 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:56 2006
Subject: Quarantine Whole Messages As Queue Files
Message-ID: <4046071D.7040602@trayerproducts.com>

I recently enabled "Quarantine Whole Messages As Queue Files" in my
MailScanner.conf file. How do I send the queued message on to the
intended recipient?

Thanks,
Rod

From rcooper at DWFORD.COM Wed Mar 3 16:30:06 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To: <4045FE9D.9060906@solid-state-logic.com>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Martin Hepworth
> Sent: Wednesday, March 03, 2004 10:50 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: ClamAV module
>
>
> only Mail::clamav I find at the moment is 0.06 which doesn't seem to
> work..just sits there after initialising SophosSavi.... works on debug
> mode so I dunno why?
>
> anyone got a tar of 0.04 I can have to try that? Mail me direct if you
> have to save clogging the list.

I am using the latest 0.06 and it works fine:

Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found virus EICAR_Test_File
Mar 3 11:23:37 srv2 MailScanner[17017]: /var/spool/mailscanner/incoming/17017/1AyZ9e-0004QW-EQ/eicar.com Infection: EICAR_Test_File
Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found virus EICAR_Test_File
Mar 3 11:23:37 srv2 MailScanner[17017]: Completed scanning by f-prot
Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found 2 infections
Mar 3 11:23:37 srv2 MailScanner[17017]: Commencing scanning by clamavmodule...
Mar 3 11:23:37 srv2 MailScanner[17017]: INFECTED:: Eicar-Test-Signature:: ./1AyZ9e-0004QW-EQ/eicar_com.zip
Mar 3 11:23:37 srv2 MailScanner[17017]: INFECTED:: Eicar-Test-Signature:: ./1AyZ9e-0004QW-EQ/eicar.com
Mar 3 11:23:37 srv2 MailScanner[17017]: Completed scanning by clamavmodule
Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: ClamAV Module found 2 infections
Mar 3 11:23:37 srv2 MailScanner[17017]: Infected message 1AyZ9e-0004QW-EQ came from 192.168.1.3
Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: Found 2 viruses
Mar 3 11:23:37 srv2 MailScanner[17017]: Filename Checks: Windows/DOS Executable (1AyZ9e-0004QW-EQ eicar.com)

Note both f-prot and clamavmodule reported both the Eicar signatures,
the previous version was broken, more or less, but that problem was
fixed (I checked for the lines related to the missing file) and
obviously works now.

>
> Ta
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Steve Freegard wrote:
> > Hi Martin,
> >
> > I don't think it matters at all - this morning I just upgraded Clam to .67
> > as I realised I'd downloaded it but not installed it (Duh!).
> >
> > I was already running the Mail::ClamAV module so to be on the safe side I
> > stopped MS just prior to the 'make install' of .67 and installed the latest
> > Mail::ClamAV via CPAN at the same time, just in case the libraries had
> > changed at all.
> >
> > Working nicely so far...
> >
> > Kind regards,
> > Steve.
> >
> >
> >>-----Original Message-----
> >>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
> >>Sent: 03 March 2004 10:31
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: ClamAV module
> >>
> >>
> >>Guys
> >>
> >>Which version of the clamAVmodule should I be using. I recall
> >>something about one of the versions not working properly with
> >>MS, but I can't see anything on the archives.
> >>
> >>(btw - running MS 4.28.2-2 and clamav 0.67)
> >>
> >>
> >>--
> >>--
> >>Martin Hepworth
> >>Snr Systems Administrator
> >>Solid State Logic
> >>Tel: +44 (0)1865 842300
> >>
> >
>

From maillists at CONACTIVE.COM Wed Mar 3 16:31:36 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:56 2006
Subject: blocked attachment message for certain file attachments
In-Reply-To: <4045F485.5060807@1SEO.net>
References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net>
Message-ID:

Nick Nelson wrote on Wed, 3 Mar 2004 10:06:45 -0500:

> Great idea.
>

You can already do that with the rules.

Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From wei at ENG.FSU.EDU Wed Mar 3 16:32:25 2004
From: wei at ENG.FSU.EDU (Wei Li)
Date: Thu Jan 12 21:22:56 2006
Subject: .doc attachment stays in the queue
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk>
Message-ID: <40460899.1030703@eng.fsu.edu>

Hi,

One of the users could not send email with a .doc attachment. It stayed
in the queue, even could not be sent manually. I tried to send a .doc
mail to myself, it does not work, too.

Any suggestion?

Thanks

root:/var/spool/mqueue> grep microscopy5937-syl.doc *
dfi23FuTI28433:Content-Type: application/msword; name="microscopy5937-syl.doc";
dfi23FuTI28433:Content-Disposition: attachment; filename="microscopy5937-syl.doc"

Mar 3 10:56:32 sendmail[28433]: [ID 801593 mail.info] i23FuTI28433: from=, size=675222, class=0 , nrcpts=2, msgid=<6.0.0.22.2.20040303105755.01e98118@>, proto=ESMTP, daemon=MTA-IPv4, relay=cmsghost1 [ ]

From kodak at FRONTIERHOMEMORTGAGE.COM Wed Mar 3 16:19:34 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk>
Message-ID: <008401c4013b$50d4d440$0501a8c0@darkside>

>> Some machine on our network has been infected by Worm.Bagel.J and
>> other variants. This is spawning a whole lot of mails with password
>> encrypted zip files which contain infected executables.
>>
>> We are using MailScanner-4.21 along with clamav-0.67-1.
>>
>> Anybody face a similar problem? Any pointers would be great.
>
>Find its IP, deny access to SMTP port via iptables.
>

Better yet, unplug it from the network until you get it cleaned.

--J(K)

From mike at TC3NET.COM Wed Mar 3 16:34:56 2004
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!!
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
Message-ID: <1078331696.3290.7.camel@mike-new2.tc3net.com>

Good Question, Does DAT 4332 fix it, my understanding was that it
handled the unzipping and so forth, and MailScanner interpreted the
response, I'm looking for confirmation, I'm running an older version of
MailScanner (4.25-14 I believe), I hate to upgrade unless it's
necessary.

Regards
MIKE

> Does DAT 4332 fix it?
>
> Phil
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Desai, Jason
> > Sent: 02 March 2004 20:56
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: McAfee PROBLEM !!!
> >
> >
> > Thanks for this info - it was very helpful! I have the same results.
> >
> > Jason
> >
> > > -----Original Message-----
> > > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > > Sent: Tuesday, March 02, 2004 2:09 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> > >
> > >
> > > Hi,
> > >
> > > We installed the extra.dat this morning and it was catching some
> > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > >
> > > Now that dat 4331 is out the same files are not detected as viruses
> > > anymore!!!
> > >
> > > I reinstalled the extra.dat to be sure they are detected.
> > >
> > > Scan with 4331:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> > > is password-protected.
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> > > is password-protected.
> > >
> > > Scan with 4331 and extra.dat:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > >
> > > Denis
> > > --
> > > Denis Beauchemin, analyst
> > > Université de Sherbrooke, S.T.I.
> > > T: 819.821.8000x2252 F: 819.821.8045
> > >
> >
>

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 16:38:05 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To:
References:
Message-ID: <404609ED.4030605@solid-state-logic.com>

Rick

yeah 0.04 hangs as well, must be file permissions somewhere as it works
fine when running in debug mode...I'll have to have a poke around..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Rick Cooper wrote:
>>-----Original Message-----
>>From: MailScanner mailing list >>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On >>Behalf Of Martin Hepworth >>Sent: Wednesday, March 03, 2004 10:50 AM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: ClamAV module >> >> >>only Mail::clamav i find at the moment is 0.06 which >>doesn't seem to >>work..just sits there after initialisting >>SophosSavi.... works on debug >>mode so I dunno why? >> >>anyone got a tar of 0.04 I can have to try that? Mail >>me direct of you >>have to save clogging the list. > > > I am using the latest 0.06 and it works fine: > ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From gercke at HNM.DE Wed Mar 3 15:00:44 2004 
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:22:56 2006
Subject: Spam: Re: # SENDMAIL_RELAY Question
In-Reply-To: 
References: 
Message-ID: <4045F31C.5040005@hnm.de>

Sorry, I'm not very familiar with sendmail config.
Where should I add this (sendmail.m4 or sendmail.cf)?
When I add this, will the machine called mailscanner relay the mails, or
must I add all domains to /etc/mail/relay-domains?

Pentland G. wrote:

> Try this...
>
> LOCAL_CONFIG
> # If email is bound to the local domain, what will do local delivery for us?
> dnl
> D{DefaultLocalDeliveryHost}YOURHOST.DOMAIN.COM
>
> LOCAL_RULE_0
> # Allocate a slot for the domain name
> R$+	$: < > $1
> # Addresses qualified with the local machine name - unqualify them
> R< > $+ < @ $j . >	$: < > $1
> # Addresses qualified with a local domain - unqualify them
> R< > $+ < @ $=w . >	$: < > $1
> # Anything else on the qualification is non-local so return and parse normally
> R< > $* @ $*	$@ $1 @ $2
> # Anything unqualified qualify with the local domain
> R< > $+	$: < $M > $1
> # Now send these local emails to the default local delivery servers
> R< $+ > $+	$#esmtp $@ ${DefaultLocalDeliveryHost} $: $2 < @ $1 . >
>
> Hope that helps.
>
> -----Original Message-----
> From: Daniel Gercke [mailto:gercke@HNM.DE]
> Sent: Wed 3/3/2004 11:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: # SENDMAIL_RELAY Question
>
>
>
> Hello,
>
> I have a problem. I'm running a mailserver with a lot of domains and
> users. Now I have set up another server with mailscanner. Now for some
> domains I want incoming mails to go through mailscanner, and
> mailscanner should relay them to the old mailserver.
> For mail coming from the world this works fine, but when a local domain on
> the mailserver sends to another local account, this mail isn't sent
> through mailscanner; this mail is delivered locally.
> Now my question:
> What would happen if I add SENDMAIL_RELAY="mailscanner" to the
> sendmail config of the mailserver? Will there be a mail loop between these
> machines?
>
>
>
>
>
> --
> This message has been scanned for viruses and other dangerous content
> and is, assuming up-to-date virus scanners, clean.
> MailScanner thanks transtec for their kind support.
>
>
>

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 15:02:14 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:56 2006
Subject: blocked attachment message for certain file attachments
Message-ID: <4045F376.7030808@trayerproducts.com>

Hello. Is it possible to prevent MailScanner from sending a "Blocked
Attachment" message to a recipient when the file attachment that was
blocked was say, a pif file? There's no reason to send a pif file
therefore I would like the users not even notified about receiving and
blocking it.

Thanks,
Rod

From sysadmins at ENHTECH.COM Wed Mar 3 15:06:32 2004
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:56 2006 Subject: Encrypted Zip files - how to block Message-ID: <6.0.2.0.0.20040303100437.027d5810@mail.enhtech.com> Hi, We are getting a bunch of encrypted zip files making it through our MailScanners. I am running 4.25-14, the last stable version with the original bounce option. Would upgrading solve this issue of these files making it through? Errol Neal From nnelson at 1seo.net Wed Mar 3 15:06:45 2004 From: nnelson at 1seo.net (Nick Nelson) Date: Thu Jan 12 21:22:56 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <4045F376.7030808@trayerproducts.com> References: <4045F376.7030808@trayerproducts.com> Message-ID: <4045F485.5060807@1SEO.net> Rodney Green wrote: > Hello. Is it possible to prevent MailScanner from sending a "Blocked > Attachment" message to a recipient when the file attachment that was > blocked was say, a pif file? There's no reason to send a pif file > therefore I would like the users not even notified about receiving and > blocking it. > > Thanks, > Rod Great idea. I would agree, the definite viruses (pif, scr, etc) should have an option to turn on/off notifications. They only cause more questions. From mike-sender-1ed4e7 at zanker.org Wed Mar 3 15:07:43 2004 
From: mike-sender-1ed4e7 at zanker.org (Mike Zanker)
Date: Thu Jan 12 21:22:56 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
Message-ID: <273898531.1078326463@jemima.zanker.org>

On 03 March 2004 13:28 +0000 MailScanner wrote:

> I will make the change outside business hours. I'm assuming that MS
> will pick it up when it next accesses a Perl routine, or does it
> require a service MailScanner reload?

If I were you I'd reboot the box. /etc/sysconfig/i18n is read by
/etc/init.d/functions which, in turn, is used by just about everything
else in /etc/init.d.

Mike.

From gdoris at rogers.com Wed Mar 3 15:20:37 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>
Message-ID: <56879.129.80.22.133.1078327237.squirrel@65.48.246.102>

> From the Fedora list. Looks like MailScanner users running on Fedora should
> hold back on the Perl 5.8.3 update.
>
> Cheers,
>
> Phil

I upgraded Perl yesterday and later noticed that MailScanner/SpamAssassin
had stopped running. I wasn't sure what had caused this. Mail was just
piling up but not lost.

I restarted the box and everything started working again. There's been no
problems since.

Gerry

From rabellino at DI.UNITO.IT Wed Mar 3 15:22:16 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:56 2006 Subject: Upgrade from an very OLD release Message-ID: <4045F828.5080700@di.unito.it> I've not understood on how to re-create the old feature "Deliver From Local Domain = no" that was used in 3.x release of mailscanner... The conf's instructions tells me to create a "ruleset" for Deliver Cleaned ... (a file .conf ?) configured (I believe) like : From: mylocaldomain no FromOrTo: default yes But Mailscanner complain about a binary option (yes or no) only (... I was away for a while ...) Thanks. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From gdoris at rogers.com Wed Mar 3 15:26:59 2004 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:56 2006 Subject: Redhat Upgrades Perl to 5.8.3-10 Message-ID: <42735.129.80.22.133.1078327619.squirrel@65.48.246.102> In the for what it's worth department... Yesterday I updated my Fedora mail server to the latest Redhat perl 5.8.3-10. Later I noticed that mail was piling up in the inqueue and not being delivered. Checking the logs I found that they were filled with messages about not being able to find SpamAssassin and MailScanner was constantly restarting. I just rebooted the box and all went back to normal. Gerry From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 15:30:42 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:56 2006 Subject: ANNOUNCE: Unstable 4.28.3 released Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk> Julian Field sighed: > >>Boy, do I need a holiday... ;-) > >I can sympathize with that. I keep having visions of a nice trout > >stream in the mountains. :) > > Give me some nice looking hills, a comfy pair of boots, some > sunshine, and a map. It's much more fun without a map! Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK From mailscanner at ecs.soton.ac.uk Wed Mar 3 16:46:25 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Speed problems Message-ID: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> I have been trying to reproduce the loss of speed running various different versions on the same mail messages in debug mode. Unsuccessfully :-( I have used versions from 4.23 onwards. All appear to run at the same speed. I am using a "reasonable" configuration with 1 RBL check and F-Prot. The only thing is I am not running SpamAssassin, as its speed is very variable and so hides the real speed of the underlying process. If you are suffering speed problems, please can you tell me what was the last fast version you used, and what was the first slow version. Did you downgrade again to fix the problem? Was it successful, and what version was again nice and fast? If you run a batch through in Debug mode does it always take the same time regardless of what version you are running? Maybe the problem only surfaces when running lots of child processes? The better I can narrow down exactly when the problem occurred, the better chance I have of finding it. It doesn't appear to be in the more robust MIME code I implemented, that doesn't make any difference. Please can you help me folks? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Wed Mar 3 17:00:41 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files References: <4046071D.7040602@trayerproducts.com> Message-ID: <40460F39.20CC6455@ihs.com> Rodney Green wrote: > > I recently enabled > "Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. > How do I send the queued message on to the intended recipient? > > Thanks, > Rod Move them both to mqueue (or your outgoing queue). Note that they will not have been checked for viruses, if they were quarantined as spam. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From bg.mahesh at INDIAINFO.COM Wed Mar 3 17:03:10 2004 
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:22:56 2006
Subject: SpamAssassin installation could not be found
Message-ID: <20040303170310.6047F3AA466@ws5-8.us4.outblaze.com>

>
> What does
> perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
> produce?

% perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
2.63

> And what about
> which perl

% whereis perl
perl: /usr/bin/perl /usr/share/man/man1/perl.1 /usr/share/man/man1/perl.1.gz
% which perl
/usr/bin/perl

> and
> /usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'

% /usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
2.63

I saw there were multiple perl versions in /usr/local/lib/perl5 and
/usr/lib/perl5/. I got rid of the Mail directory in all non-5.8.1
directories and installed SA again. Seems to work.

The email headers don't talk about SA yet. I guess I need to look hard into
the configuration file now.

-- bgm
--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:08:40 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40460F39.20CC6455@ihs.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> Message-ID: <40461118.2060108@trayerproducts.com> Thanks Dustin. By "both of them" do you mean the message and the attachment file? Rod Dustin Baer wrote: >Rodney Green wrote: > > >>I recently enabled >> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >>How do I send the queued message on to the intended recipient? >> >>Thanks, >>Rod >> >> > >Move them both to mqueue (or your outgoing queue). Note that they will >not have been checked for viruses, if they were quarantined as spam. > >Dustin >-- >Dustin Baer >Unix Administrator/Postmaster >Information Handling Services >15 Inverness Way East >Englewood, CO 80112 >303-397-2836 > > > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:06:40 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <4046071D.7040602@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303170607.03a23ab8@imap.ecs.soton.ac.uk> At 16:26 03/03/2004, you wrote: >I recently enabled >"Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >How do I send the queued message on to the intended recipient? Drop the files into /var/spool/mqueue. The next queue run will pick them up and deliver them. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:13:12 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <4045F485.5060807@1SEO.net> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> Message-ID: <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> At 15:06 03/03/2004, you wrote: >Rodney Green wrote: >>Hello. Is it possible to prevent MailScanner from sending a "Blocked >>Attachment" message to a recipient when the file attachment that was >>blocked was say, a pif file? There's no reason to send a pif file >>therefore I would like the users not even notified about receiving and >>blocking it. >> >>Thanks, >>Rod > >Great idea. I would agree, the definite viruses (pif, scr, etc) should >have an option to turn on/off notifications. They only cause more questions. You can already effectively do this with the setting Notify Senders Of Blocked Filenames Or Filetypes = no -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:11:46 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Bagel.H In-Reply-To: <008401c4013b$50d4d440$0501a8c0@darkside> References: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk> <008401c4013b$50d4d440$0501a8c0@darkside> Message-ID: <6.0.1.1.2.20040303170757.038e0500@imap.ecs.soton.ac.uk> At 16:19 03/03/2004, you wrote: > >> Some machine on our network has been infected by Worm.Bagel.J and > >> other variants. This is spawning a whole lot of mails with password > >> encrypted zip files which contain infected executables. > >> > >> We are using MailScanner-4.21 along with clamav-0.67-1. > >> > >> Anybody face a similar problem? Any pointers would be great. > > > >Find its IP, deny access to SMTP port via iptables. > > > >Better yet, unplug it from the network until you get it >cleaned. If you are using sendmail, take a look at the IPBlock code in CustomConfig.pm. You can create a configuration file which specifies how many messages per hour to accept from various hosts and networks. If a host on any of the defined networks exceeds its hourly rate, it is automatically blocked for the rest of that hour using sendmail's access database. At the end of the hour, the blocks are removed and mail can flow again, until a limit is exceeded again. It logs an entry every time a machine is blocked for exceeding its limit. So you can say that, for example, you expect at most 30 messages per hour from any internal computer, except for bigger limits (3000?) from your mail servers. It will stop you being flooded by mail from infected PCs until you get a chance to clean them. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:16:42 2004 
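Added example, not part of the thread and not the IPBlock code from CustomConfig.pm: a Python sketch of the hourly rate-limit scheme Julian Field describes in the Bagel.H reply above. The network ranges, the class and function names and the `Connect:` access-map entries are assumptions; the 30 and 3000 limits are the figures suggested in that message.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed limits in messages per hour; the first matching network wins.
LIMITS = [
    (ipaddress.ip_network("192.168.1.25/32"), 3000),  # constructed mail server address
    (ipaddress.ip_network("192.168.1.0/24"), 30),     # constructed internal LAN
]


def limit_for(ip):
    """Return the hourly limit for ip, or None if no configured network covers it."""
    addr = ipaddress.ip_address(ip)
    for network, limit in LIMITS:
        if addr in network:
            return limit
    return None


class HourlyBlocker:
    """Counts messages per host per clock hour and blocks a host once it exceeds its limit."""

    def __init__(self):
        self.hour = None
        self.counts = defaultdict(int)
        self.blocked = set()
        self.log = []

    def _roll(self, ts):
        # At the start of a new hour, counters and blocks are both cleared.
        hour = ts.replace(minute=0, second=0, microsecond=0)
        if hour != self.hour:
            self.hour = hour
            self.counts.clear()
            self.blocked.clear()

    def accept(self, ts, ip):
        """Return True if a message from ip at time ts is accepted."""
        self._roll(ts)
        if ip in self.blocked:
            return False
        limit = limit_for(ip)
        if limit is None:
            return True
        self.counts[ip] += 1
        if self.counts[ip] > limit:
            self.blocked.add(ip)
            # One log entry per block, as the message describes.
            self.log.append(f"{ts:%Y-%m-%d %H:%M:%S} blocked {ip}: over {limit} msgs/hour")
            return False
        return True

    def access_entries(self):
        """Blocks for the current hour as sendmail access-map lines (assumed layout)."""
        return [f"Connect:{ip}\tREJECT" for ip in sorted(self.blocked)]


def sample_events():
    """Constructed traffic: an infected PC floods, the mail server stays under its limit."""
    events = [(datetime(2004, 3, 3, 10, 0, s), "192.168.1.77") for s in range(35)]
    events += [(datetime(2004, 3, 3, 10, 30), "192.168.1.25")] * 100
    events += [(datetime(2004, 3, 3, 11, 5), "192.168.1.77")] * 5
    return events


def replay(events):
    """Feed time-ordered events through a blocker; return it with accept/reject counts."""
    blocker = HourlyBlocker()
    accepted, rejected = defaultdict(int), defaultdict(int)
    for ts, ip in events:
        (accepted if blocker.accept(ts, ip) else rejected)[ip] += 1
    return blocker, dict(accepted), dict(rejected)


if __name__ == "__main__":
    blocker, accepted, rejected = replay(sample_events())
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("\n".join(blocker.log))
```
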
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:56 2006
Subject: Upgrade from an very OLD release
In-Reply-To: <4045F828.5080700@di.unito.it>
References: <4045F828.5080700@di.unito.it>
Message-ID: <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk>

At 15:22 03/03/2004, you wrote:
>I've not understood on how to re-create the old feature "Deliver From
>Local Domain = no" that was used in 3.x release of
>mailscanner...
>
>The conf's instructions tells me to create a "ruleset" for Deliver Cleaned
>... (a file .conf ?) configured (I believe)
>like :
>
>From: mylocaldomain no
>FromOrTo: default yes
>
>But Mailscanner complain about a binary option (yes or no) only

Set
    Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.cleaned.rules
in MailScanner.conf.

Then in /etc/MailScanner/rules/deliver.cleaned.rules put this:
    From: yourdomain.com no
    FromOrTo: default yes
and substitute your own domain name for "yourdomain.com" in the line above.

Then reload MailScanner (service MailScanner reload) or just restart it,
and the rules will be applied.

This general-purpose ruleset system applies to virtually all configuration
options in MailScanner.conf, and so is a *lot* more flexible than the
simple system I had in version 3.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:18:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40461118.2060108@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> At 17:08 03/03/2004, you wrote: >Thanks Dustin. By "both of them" do you mean the message and the >attachment file? He means the qf and df files (if you are using sendmail) or the -D and -H files (if you are using Exim). For other MTAs there is just 1 file (not sure about Qmail). >Rod > >Dustin Baer wrote: > >>Rodney Green wrote: >> >> >>>I recently enabled >>>"Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >>>How do I send the queued message on to the intended recipient? >>> >>>Thanks, >>>Rod >>> >> >>Move them both to mqueue (or your outgoing queue). Note that they will >>not have been checked for viruses, if they were quarantined as spam. >> >>Dustin >>-- >>Dustin Baer >>Unix Administrator/Postmaster >>Information Handling Services >>15 Inverness Way East >>Englewood, CO 80112 >>303-397-2836 >> >> >> > >-- >"Please remain calm...I may be mad, but I am a professional." > >-Mad Scientist -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 17:14:34 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!! (solved)
In-Reply-To: <1078331696.3290.7.camel@mike-new2.tc3net.com>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com>
Message-ID: <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca>

Many infected password-protected zip files passed through our McAfee AV
(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since
midnight.

To block password-protected zip files in my current MS
(mailscanner-4.23-11), I did the following:

- modify /usr/lib/MailScanner/mcafee-wrapper this way:

#!/bin/bash

# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2001 Julian Field
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#

# JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH
# Modified for solaris by CJG
# Then tweaked for heron by JKF again
# Then tweaked for McAfee by JKF
# Modified (badly!) by SEP398 to work with the update script

PackageDir=$1
shift
prog=uvscan # `basename $0`
datDIR=$PackageDir

LD_LIBRARY_PATH=$PackageDir
export LD_LIBRARY_PATH

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$prog ] && exit 0
  exit 1
fi

# Capture the scanner output so it can be inspected before it is passed on
OUTPUT=$(${PackageDir}/$prog -d $datDIR "$@" 2>&1 )
RC=$?
if [[ "$OUTPUT" = "" ]]; then
  exit $RC
else
  echo "$OUTPUT"
  # Numeric test: any "password-protected" line in the output forces exit code 13
  if [[ $(echo "$OUTPUT" | grep -c "password-protected") -gt 0 ]]; then
    exit 13
  else
    exit $RC
  fi
fi

- modify /usr/lib/MailScanner/MailScanner/SweepViruses.pm this way:
  in "sub ProcessMcAfeeOutput", change
      return 0 unless $line =~ /Found/;
  for
      return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));

- stop MailScanner and restart it

- remove any extra.dat that detects some password-protected zip files.

Denis

On Wed 03/03/2004 at 11:34, Michael Baird wrote:
> Good Question, Does DAT 4332 fix it, my understanding was that it
> handled the unzipping and so forth, and MailScanner interpreted the
> response, I'm looking for confirmation, I'm running an older version of
> MailScanner (4.25-14 I believe), I hate to upgrade unless it's
> necessary.
>
> Regards
> MIKE
>
> > Does DAT 4332 fix it?
> >
> > Phil
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Desai, Jason
> > > Sent: 02 March 2004 20:56
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: McAfee PROBLEM !!!
> > >
> > >
> > > Thanks for this info - it was very helpful! I have the same results.
> > >
> > > Jason
> > >
> > > > -----Original Message-----
> > > > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > > > Sent: Tuesday, March 02, 2004 2:09 PM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> > > >
> > > >
> > > > Hi,
> > > >
> > > > We installed the extra.dat this morning and it was catching some
> > > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > > >
> > > > Now that dat 4331 is out the same files are not detected as viruses
> > > > anymore!!!
> > > >
> > > > I reinstalled the extra.dat to be sure they are detected.
> > > >
> > > > Scan with 4331:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/
> > > > WBJAMVF.SCR
> > > > is password-protected.
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Docum
> > > > ent.zip/WBJAMVF.SCR
> > > > is password-protected.
> > > >
> > > > Scan with 4331 and extra.dat:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > >
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > >
> > > > Denis
> > > > --
> > > > Denis Beauchemin, analyst
> > > > Université de Sherbrooke, S.T.I.
> > > > T: 819.821.8000x2252 F: 819.821.8045
> > > >
> > >
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:22:40 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> Message-ID: <40461460.7020602@trayerproducts.com> I'm using Postfix. Moving the file to the /var/spool/mqueue directory isn't working for me. Where would I move for Postfix? Thanks, Rod Julian Field wrote: > At 17:08 03/03/2004, you wrote: > >> Thanks Dustin. By "both of them" do you mean the message and the >> attachment file? > > > He means the qf and df files (if you are using sendmail) or the -D and -H > files (if you are using Exim). For other MTAs there is just 1 file (not > sure about Qmail). > > >> Rod >> >> Dustin Baer wrote: >> >>> Rodney Green wrote: >>> >>> >>>> I recently enabled >>>> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf >>>> file. >>>> How do I send the queued message on to the intended recipient? >>>> >>>> Thanks, >>>> Rod >>>> >>> >>> Move them both to mqueue (or your outgoing queue). Note that they will >>> not have been checked for viruses, if they were quarantined as spam. >>> >>> Dustin >>> -- >>> Dustin Baer >>> Unix Administrator/Postmaster >>> Information Handling Services >>> 15 Inverness Way East >>> Englewood, CO 80112 >>> 303-397-2836 >>> >>> >>> >> >> -- >> "Please remain calm...I may be mad, but I am a professional." >> >> -Mad Scientist > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From craig at WESTPRESS.COM Wed Mar 3 17:24:03 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting Message-ID: Where is it better to whitelist people/mail-lists/etc.? In: /etc/MailScanner/spam.assassin.prefs.conf, or in /etc/MailScanner/rules/spam.whitelist.rules Is there a line of thought as to why I might want to in one versus the other? Does MailScanner prefer one over the other? -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From mikes at HARTWELLCORP.COM Wed Mar 3 17:26:55 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D11@hart-exchange.hartwellcorp.com> I experienced *extreme* slowness of the entire system running MailScanner yesterday. A system reboot resulted in restored performance. I've not had time to try and diagnose the cause yet as it has not yet repeated. I'm using MailScanner-4.27.7-1 on a Red Hat 9 system with Spamassassin-2.63-5 and Clamav-0.67-1. I did not notice this happening with MailScanner-4.26.8-1. Julian Field wrote: > I have been trying to reproduce the loss of speed running various > different versions on the same mail messages in debug mode. > Unsuccessfully :-( > I have used versions from 4.23 onwards. All appear to run at the same > speed. I am using a "reasonable" configuration with 1 RBL check and > F-Prot. The only thing is I am not running SpamAssassin, as its speed > is very variable and so hides the real speed of the underlying > process. > > If you are suffering speed problems, please can you tell me what was > the last fast version you used, and what was the first slow version. > Did you downgrade again to fix the problem? Was it successful, and > what version was again nice and fast? > > If you run a batch through in Debug mode does it always take the same > time regardless of what version you are running? Maybe the problem > only surfaces when running lots of child processes? > > The better I can narrow down exactly when the problem occurred, the > better chance I have of finding it. It doesn't appear to be in the > more robust MIME code I implemented, that doesn't make any difference. > > Please can you help me folks? -- Michael St. Laurent Hartwell Corporation From test at NEXTMILL.NET Wed Mar 3 17:27:56 2004 
From: test at NEXTMILL.NET (Brian Lewis) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrading from 4.26.8 to latest revision? Message-ID: What is the correct procedure to safely upgrade from 4.26.8 to the latest revision? The Installation Documentation and FAQ don't seem to mention an 'upgrade' procedure. Do I still use the ./install.sh script? (or is there an upgrade.sh script somewhere??) Do I need to backup any configuration files in the /etc/MailScanner folder? Which files are commonly modified during this install that I should be concerned it? MailScanner 4.26.8 currently SpamAssassin ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs partition) 512mb TMPFS partition for clamav and mailscanner /etc/MailScanner/spam.assassin.prefs.conf modified /etc/MailScanner/filename.rules.conf modified /etc/MailScanner/MailScanner.conf modified From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 17:21:01 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:57 2006
Subject: Speed problems
In-Reply-To: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk>
Message-ID: <404613FD.2060605@solid-state-logic.com>

Julian

went from 4.24.4 to 4.28.2-2 yesterday and it's slow..running 4.28.4
right now and still slow.

yes it seems a lot faster in debug mode - perhaps this is also related to
my clamavmodule problems which also works in debug mode, but not in
forking mode (ooo err:-)

dropping back to 4.24.4 gets me a nice speedy system again, but then I
lose the passwded zip file functionality...

I've tried dropping the number of Children down from 5 to 2 and this has
made little difference...

top shows a lot more 'system' activity when running 4.28 than 4.24, dunno
why???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:

> I have been trying to reproduce the loss of speed running various different
> versions on the same mail messages in debug mode.
> Unsuccessfully :-(
> I have used versions from 4.23 onwards. All appear to run at the same
> speed. I am using a "reasonable" configuration with 1 RBL check and F-Prot.
> The only thing is I am not running SpamAssassin, as its speed is very
> variable and so hides the real speed of the underlying process.
>
> If you are suffering speed problems, please can you tell me what was the
> last fast version you used, and what was the first slow version. Did you
> downgrade again to fix the problem? Was it successful, and what version was
> again nice and fast?
>
> If you run a batch through in Debug mode does it always take the same time
> regardless of what version you are running? Maybe the problem only surfaces
> when running lots of child processes?
>
> The better I can narrow down exactly when the problem occurred, the better
> chance I have of finding it. It doesn't appear to be in the more robust
> MIME code I implemented, that doesn't make any difference.
>
> Please can you help me folks?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jase at SENSIS.COM Wed Mar 3 17:31:02 2004
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:22:57 2006 Subject: ClamAV and Password Protected Bagles Message-ID: Hello. I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and ClamAV. I have had some of the latest Bagle viruses in password protected zip files get through. I know that various virus scanners are having trouble detecting these. I had one of these emails get quarantined because the attachment name was Message.zip. When testing to see if the virus would get caught yet I found something interesting with ClamAV. If I scan the attachment itself (Message.zip) clam reports it as clean. But if I scan the queue files (from Exim) clam finds the virus! Here is the output of a scan with the queue files and attachment in the same directory:

# /opt/MailScanner/lib/clamav-wrapper .
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-H: OK
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK-00-D: Worm.Bagle.F-zippwd-3 FOUND
/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 20372
Scanned directories: 1
Scanned files: 3
Infected files: 1
Data scanned: 0.03 Mb
I/O buffer size: 131072 bytes
Time: 0.325 sec (0 m 0 s)
#

So I assume that MailScanner unpacks the attachment and just scans that. Does it make sense to allow the virus scanners to scan the queue files as well? Jason From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 17:34:53 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: BlackList / Whitelist settings in spam.assassin.prefs.conf Message-ID: Hi I have been reading the FAQ, searching the MailScanner archives and doing lot of Google'ing and can't seem get a good grip on this question. I want to have a whitelist and a blacklist using some of the lists from SpamAssassin's wiki. I am letting MailScanner do the white and blacklist work and I guess I am confused here. Can I use the blacklist from SA or would I be better off to use MS spam.assassin.prefs.conf. Also can I create a link to a blacklist and whitelist file in the spam.assassin.prefs.conf file, this would be the; whitelist_from and the blacklist_from Can I do this then? whitelist_from_path /etc/MailScanner/rules/whitelist_from.conf blacklist_from_path /etc/MailScanner/rules/blacklist_from.conf -- Thanks!! David Thurman List Only at Web Presence Group Net From rabellino at DI.UNITO.IT Wed Mar 3 17:41:02 2004 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrade from an very OLD release In-Reply-To: <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk> References: <4045F828.5080700@di.unito.it> <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk> Message-ID: <404618AE.30906@di.unito.it> Julian Field wrote: > At 15:22 03/03/2004, you wrote: > >> I've not understood on how to re-create the old feature "Deliver From >> Local Domain = no" that was used in 3.x release of >> mailscanner... >> >> The conf's instructions tells me to create a "ruleset" for Deliver >> Cleaned >> ... (a file .conf ?) configured (I believe) >> like : >> >> From: mylocaldomain no >> FromOrTo: default yes >> >> But Mailscanner complain about a binary option (yes or no) only > > > Set > Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.cleaned.rules > in MailScanner.conf. > Then in /etc/MailScanner/rules/deliver.cleaned.rules put this: 
> From: yourdomain.com no > FromOrTo: default yes > and substitute your own domain name for "yourdomain.com" in the line above. > Then reload MailScanner (service MailScanner reload) or just restart it, > and the rules will be applied. > > This general-purpose ruleset system applies to virtually all configuration > options in MailScanner.conf, and so is a *lot* more flexible than the > simple system I had in version 3. > Thanks I was missing a space before the word default causing a syntax error . -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 17:35:14 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > Many infected password-protected zip files passed through our McAfee AV > (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since > midnight. > On Wed 03/03/2004 at 11:34, Michael Baird wrote: > > Good Question, Does DAT 4332 fix it, my understanding was that it > > handled the unzipping and so forth, and MailScanner interpreted the > > response, I'm looking for confirmation, I'm running an older version of > > MailScanner (4.25-14 I believe), I hate to upgrade unless it's > > necessary. I've taken a look at the Bagle.j detected so far and none were in a zip file (all were plain pif files). So I'd say 4332 is definitely not catching any password-protected Bagle! Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:45:33 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40461460.7020602@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> <40461460.7020602@trayerproducts.com> Message-ID: <404619BD.10508@trayerproducts.com> I moved the file to /var/spool/postfix/incoming/ and that allowed it to be queued and sent. Rodney Green wrote: > I'm using Postfix. Moving the file to the /var/spool/mqueue directory > isn't working for me. Where would I move for Postfix? > > Thanks, > Rod > > Julian Field wrote: > >> At 17:08 03/03/2004, you wrote: >> >>> Thanks Dustin. By "both of them" do you mean the message and the >>> attachment file? >> >> >> >> He means the qf and df files (if you are using sendmail) or the -D >> and -H >> files (if you are using Exim). For other MTAs there is just 1 file (not >> sure about Qmail). >> >> >>> Rod >>> >>> Dustin Baer wrote: >>> >>>> Rodney Green wrote: >>>> >>>> >>>>> I recently enabled >>>>> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf >>>>> file. >>>>> How do I send the queued message on to the intended recipient? >>>>> >>>>> Thanks, >>>>> Rod >>>>> >>>> >>>> Move them both to mqueue (or your outgoing queue). Note that they >>>> will >>>> not have been checked for viruses, if they were quarantined as spam. >>>> >>>> Dustin >>>> -- >>>> Dustin Baer >>>> Unix Administrator/Postmaster >>>> Information Handling Services >>>> 15 Inverness Way East >>>> Englewood, CO 80112 >>>> 303-397-2836 >>>> >>>> >>>> >>> >>> -- >>> "Please remain calm...I may be mad, but I am a professional." 
>>> >>> -Mad Scientist >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > > -- > "Please remain calm...I may be mad, but I am a professional." > > -Mad Scientist > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:49:49 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> Message-ID: <40461ABD.5080007@trayerproducts.com> That setting will prevent MailScanner from sending Blocked Attachment messages to the recipient? I'm not talking about the sender of the blocked attachment. I'm talking about the intended recipient. Just wanted to be clear about this. Thanks, Rod Julian Field wrote: > At 15:06 03/03/2004, you wrote: > >> Rodney Green wrote: >> >>> Hello. Is it possible to prevent MailScanner from sending a "Blocked >>> Attachment" message to a recipient when the file attachment that was >>> blocked was say, a pif file? There's no reason to send a pif file >>> therefore I would like the users not even notified about receiving and >>> blocking it. >>> >>> Thanks, >>> Rod >> >> >> Great idea. I would agree, the definite viruses (pif, scr, etc) should >> have an option to turn on/off notifications. They only cause more >> questions. > > > You can already effectively do this with the setting > Notify Senders Of Blocked Filenames Or Filetypes = no > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From rabellino at DI.UNITO.IT Wed Mar 3 17:51:35 2004 
From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <40461B27.3050204@di.unito.it> Denis Beauchemin wrote: > On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > >>Many infected password-protected zip files passed through our McAfee AV >>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since >>midnight. >>On Wed 03/03/2004 at 11:34, Michael Baird wrote: >> >>>Good Question, Does DAT 4332 fix it, my understanding was that it >>>handled the unzipping and so forth, and MailScanner interpreted the >>>response, I'm looking for confirmation, I'm running an older version of >>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's >>>necessary. > > > I've taken a look at the Bagle.j detected so far and none were in a zip > file (all were plain pif files). > > So I'd say 4332 is definitely not catching any password-protected Bagle! > > Denis As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a virus encrypted in 999999 different forms ? (the password is 6 integer digits) As far as I know, the only solution is to trash any password protected zip at all, as the latest MS does; I've done today the upgrade from a 3.x release (yes was almost fine before today....) and all the Bagle was cut off my inboxes. Bye. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jrudd at UCSC.EDU Wed Mar 3 17:55:31 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems In-Reply-To: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> Message-ID: On Mar 3, 2004, at 8:46 AM, Julian Field wrote: > I have been trying to reproduce the loss of speed running various > different > versions on the same mail messages in debug mode. > Unsuccessfully :-( Didn't someone post an hour or so ago that their speed problem came from redhat's perl update, and not from mailscanner's update? Once they downgraded the speed problem went away? or something like that? (is anyone having the problem not using redhat, and if you're using redhat and having the speed problem, did you update your version of perl, via redhat instead of direct from perl, around the same time your speed problem started?) From victor at PIXELMAGICFX.COM Wed Mar 3 18:09:33 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:57 2006 Subject: Spamassassin stopped working Message-ID: <40461F5D.6050803@pixelmagicfx.com> I fed a few messages to spamassassin yesterday, and rebuilt the database. BAM, it stopped working, or works at about 20% of its former success rate. It gave me some feedback about "expired old bayes database entries" and gave a number of tokens it kept, and the number deleted. This is the first time I'd ever seen this message, and now it doesn't work. Any suggestions? I've already done a --forget on the files I learned yesterday, but it hasn't helped. Thanks Vic From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:02:01 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrading from 4.26.8 to latest revision? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303175915.03af2e98@imap.ecs.soton.ac.uk> At 17:27 03/03/2004, you wrote: >What is the correct procedure to safely upgrade from 4.26.8 to the latest >revision? The Installation Documentation and FAQ don't seem to mention >an 'upgrade' procedure. > >Do I still use the ./install.sh script? (or is there an upgrade.sh script >somewhere??) I haven't changed anything in the other RPMs so you don't need to run install.sh but it won't do any harm. You could just use rpm -Uvh mailscanner*rpm >Do I need to backup any configuration files in the /etc/MailScanner folder? >Which files are commonly modified during this install that I should be >concerned it? They are all maintained for you. After upgrading the rpm run the "upgrade_MailScanner_conf" command and it will tell you what to do. If you had just run the ./install.sh script then it would have told you to do this anyway. >MailScanner 4.26.8 currently >SpamAssassin >ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs >partition) You will need to save a copy of that, as it will be overwritten by the upgrade with the latest version of the script. >512mb TMPFS partition for clamav and mailscanner >/etc/MailScanner/spam.assassin.prefs.conf modified >/etc/MailScanner/filename.rules.conf modified >/etc/MailScanner/MailScanner.conf modified Those 3 /etc files will be maintained. But you will need to upgrade MailScanner.conf using the command above. Just run the command, it will print out instructions on what to do. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:04:41 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: BlackList / Whitelist settings in spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303180340.03d9ce68@imap.ecs.soton.ac.uk> I would advise doing them with MailScanner.conf entries "Is Definitely Spam" (used for blacklisting) and "Is Definitely Not Spam" (used for whitelisting). The whitelist is already setup for you as an example. Just do the same for the blacklist. At 17:34 03/03/2004, you wrote: >Hi > >I have been reading the FAQ, searching the MailScanner archives and doing >lot of Google'ing and can't seem get a good grip on this question. > >I want to have a whitelist and a blacklist using some of the lists from >SpamAssassin's wiki. I am letting MailScanner do the white and blacklist >work and I guess I am confused here. Can I use the blacklist from SA or >would I be better off to use MS spam.assassin.prefs.conf. > >Also can I create a link to a blacklist and whitelist file in the >spam.assassin.prefs.conf file, this would be the; > > whitelist_from and the blacklist_from > >Can I do this then? > >whitelist_from_path /etc/MailScanner/rules/whitelist_from.conf >blacklist_from_path /etc/MailScanner/rules/blacklist_from.conf >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:06:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <40461ABD.5080007@trayerproducts.com> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> <40461ABD.5080007@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303180546.03afae58@imap.ecs.soton.ac.uk> I don't think you can do more than switch off "Deliver Cleaned Messages" (though you can switch it off for some users while it being on for other users, using a ruleset). At 17:49 03/03/2004, you wrote: >That setting will prevent MailScanner from sending Blocked Attachment >messages to the recipient? I'm not talking about the sender of the >blocked attachment. I'm talking about the intended recipient. Just >wanted to be clear about this. > >Thanks, >Rod > >Julian Field wrote: > >>At 15:06 03/03/2004, you wrote: >> >>>Rodney Green wrote: >>> >>>>Hello. Is it possible to prevent MailScanner from sending a "Blocked >>>>Attachment" message to a recipient when the file attachment that was >>>>blocked was say, a pif file? There's no reason to send a pif file >>>>therefore I would like the users not even notified about receiving and >>>>blocking it. >>>> >>>>Thanks, >>>>Rod >>> >>> >>>Great idea. I would agree, the definite viruses (pif, scr, etc) should >>>have an option to turn on/off notifications. They only cause more >>>questions. >> >> >>You can already effectively do this with the setting >>Notify Senders Of Blocked Filenames Or Filetypes = no >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > >-- >"Please remain calm...I may be mad, but I am a professional." 
> >-Mad Scientist -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 18:09:27 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems In-Reply-To: References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> Message-ID: <40461F57.7030805@solid-state-logic.com> John Using FreeBSD 4.8 and perl 5.8.0 from ports, not changed Perl for ages.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 John Rudd wrote: > On Mar 3, 2004, at 8:46 AM, Julian Field wrote: > >> I have been trying to reproduce the loss of speed running various >> different >> versions on the same mail messages in debug mode. >> Unsuccessfully :-( > > > Didn't someone post an hour or so ago that their speed problem came > from redhat's perl update, and not from mailscanner's update? Once > they downgraded the speed problem went away? or something like that? > > (is anyone having the problem not using redhat, and if you're using > redhat and having the speed problem, did you update your version of > perl, via redhat instead of direct from perl, around the same time your > speed problem started?) ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jaearick at COLBY.EDU Wed Mar 3 18:24:53 2004 
From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! Message-ID: Julian, Installed 4.28.4 this morning, turned on quarantining, works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam 0.67-1, using sophossavi and clamavmodule, SA 2.63, razor). Lots of emails that generate: ERROR:: File was encrypted in syslog turn out to be infected with Worm.Bagle.F-zippwd-3 when I run the quarantined files thru clamscan. I also have not noticed any significant increase in load/slowdown on my system (a Sun V1280) because of the new code. Great work, many thanks. Jeff Earickson Colby College From mike at TC3NET.COM Wed Mar 3 18:39:49 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:57 2006 Subject: Rules to catch bounces In-Reply-To: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk> References: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk> Message-ID: <1078339189.3290.18.camel@mike-new2.tc3net.com> Ok, so this ruleset will stop the addresses with no from address from being delivered? I'm looking at it, is user@domain.com a dummy address or an address where these mails are forwarded to? I just want them deleted, so will adding the following to my deliver.rules take care of it? From: /^$/ delete Regards MIKE > At 11:03 03/03/2004, you wrote: > >Hi All, > > > >We've got a domain that is being joe jobbed and we want to setup a special > >ruleset for any mail from <> to be handled differently. I've tried the > >following and it didn't work.. > > > >From: <> delete forward > >user@domain.com > > Try 
> From: /^$/ delete forward user@domain.com > > > > > >Any advice greatly appreciated. > > > >Regards, > > > >David Hooton > > > >Pain free spam & virus protection - Mail > >Security > > > >To report SPAM forward the message to: > >spam@mailsecurity.net.au > >To report incorrectly tagged messages: > >notspam@mailsecurity.net.au > > > >291d7c03.jpg > > > > ______________________________________________________________________ > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rabollinger at COMCAST.NET Wed Mar 3 18:56:44 2004 From: rabollinger at COMCAST.NET (Richard Bollinger) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee and password-protected zip file detection in MS References: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <036c01c40151$46155b40$8b030180@elliottturbo.com> Add this change to combine stderr with stdout: --- mcafee-wrapper.FCS Sat Dec 14 05:07:56 2002 +++ mcafee-wrapper Wed Mar 3 12:48:38 2004 @@ -46,5 +46,4 @@ exit 1 fi -exec ${PackageDir}/$prog -d $datDIR "$@" - +exec ${PackageDir}/$prog -d $datDIR "$@" 2>&1 ----- Original Message ----- 
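Review bot: On the changed `exec` line, `2>&1` folds every stderr line from the scanner into the stream the caller parses, not only the password-protected notice, so the change relies on the parser discarding lines it does not recognise. The `ProcessMcAfeeOutput()` check in the original message quoted with this patch (`return 0 unless $line =~ /Found/`) skips unmatched lines, but it is worth confirming that no stderr diagnostic can contain the word "Found" and be counted as a detection. Separately, `${PackageDir}/$prog` and `$datDIR` are unquoted on both the removed and the added line, so a path containing whitespace would be word-split; quoting them in the same change would be cheap. The hunk also drops the blank line after `exec`, which is harmless but unrelated to the stated purpose.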
From: "Denis Beauchemin" To: Sent: Wednesday, March 03, 2004 9:45 AM Subject: McAfee and password-protected zip file detection in MS Hi all, I tried to modify SweepViruses.pm so it could grab McAfee's "is password-protected" string and just treat the attachment as a virus but it doesn't work... I modified ProcessMcAfeeOutput() this way: #return 0 unless $line =~ /Found/; return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/)); Any ideas why it is not kicking in? Could it be because McAfee returns a zero return code if it detects a password-protected zip file (I know this is what it does)? If so, could there be another way of achieving the same result without having to upgrade to the latest unstable version? Thanks! Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 18:58:53 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <40461B27.3050204@di.unito.it> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> <40461B27.3050204@di.unito.it> Message-ID: <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote: > Denis Beauchemin wrote: > > On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > > > >>Many infected password-protected zip files passed through our McAfee AV > >>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since > >>midnight. > >>On Wed 03/03/2004 at 11:34, Michael Baird wrote: > >> > >>>Good Question, Does DAT 4332 fix it, my understanding was that it > >>>handled the unzipping and so forth, and MailScanner interpreted the > >>>response, I'm looking for confirmation, I'm running an older version of > >>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's > >>>necessary. > > > > > > I've taken a look at the Bagle.j detected so far and none were in a zip > > file (all were plain pif files). > > > > So I'd say 4332 is definitely not catching any password-protected Bagle! > > > > Denis > As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a > virus encrypted in 999999 different forms ? (the password is 6 integer digits) Sergio, They can't unzip the file but they can compare its size and some checksum they computed on infected zip files. Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From dev at ORIONHOST.NET Wed Mar 3 18:52:58 2004 
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <40461F5D.6050803@pixelmagicfx.com> References: <40461F5D.6050803@pixelmagicfx.com> Message-ID: <4046298A.1050709@orionhost.net> I am having a real problem with random word spam receiving a spam score zero or very low, less than 3. Lots of this type of spam is getting through, while many legitimate messages get scores over 4. Some of my users are getting a hundred or more spam messages per day, about 90% of their total incoming mail. Are other people having problems with this? Any suggestions? Thanks, Cathy Cramer From spamtrap71892316634 at ANIME.NET Wed Mar 3 19:03:59 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:57 2006 Subject: No subject Message-ID: Would it be possible for Mailscanner to unzip password protected zipfiles the same way some of the virus scanners do? Eg look for the text string in the message. It would make mailscanner work with f-prot to catch W32/Bagle. -Dan From lists at STHOMAS.NET Wed Mar 3 19:03:47 2004 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <4046298A.1050709@orionhost.net>; from dev@ORIONHOST.NET on Wed, Mar 03, 2004 at 11:52:58AM -0700 References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: <20040303110347.A29084@sthomas.net> On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have said: > > I am having a real problem with random word spam receiving a spam score > zero or very low, less than 3. Lots of this type of spam is getting > through, while many legitimate messages get scores over 4. Some of my > users are getting a hundred or more spam messages per day, about 90% of > their total incoming mail. Are other people having problems with this? > Any suggestions? Are you using bayes and the DNSBLs? -- "Logic is in the eye of the logician." - Gloria Steinem From mkettler at EVI-INC.COM Wed Mar 3 19:11:58 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting In-Reply-To: References: Message-ID: <6.0.0.22.0.20040303140818.025beea8@xanadu.evi-inc.com> At 12:24 PM 3/3/2004, Craig Daters wrote: >Where is it better to whitelist people/mail-lists/etc.? In: > >/etc/MailScanner/spam.assassin.prefs.conf, or in >/etc/MailScanner/rules/spam.whitelist.rules > >Is there a line of thought as to why I might want to in one versus >the other? Does MailScanner prefer one over the other? It is SIGNIFICANTLY better to use spam.whitelist.rules. SA's whitelist features are, by definition, a hack. It's nearly always preferable to whitelist in a higher layer than spamassassin. Unless your MTA inserts a copy of the envelope recipient into the message headers, SA will not be able to effectively whitelist any CCed messages. SA doesn't get a copy of the envelope, so without hints, it doesn't know the true recipient. Also, if you use any spam lists at the MailScanner level, the whitelist will only be effective if it's in spam.whitelist.rules. From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:13:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: No subject In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303191243.03b15458@imap.ecs.soton.ac.uk> At 19:03 03/03/2004, you wrote: >Would it be possible for Mailscanner to unzip password protected zipfiles >the same way some of the virus scanners do? Eg look for the text string in >the message. > >It would make mailscanner work with f-prot to catch W32/Bagle. They aren't doing exactly that, I believe. They are simply looking for key-strings in the mail message or looking for details of the contents/size of the zip file. With the modern Zip encryption schemes, decrypting them is not trivial. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Wed Mar 3 19:28:46 2004 
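The policy discussed in the messages above (reject any zip attachment that has password-protected members, without trying to decrypt it) can be applied from the zip headers alone, because the "encrypted" flag, member names, CRC and sizes are stored in the clear. The following is an added example in Python, not MailScanner's own code; the function names and the sample message are constructed for illustration, and the sample archive only has its flag bit set rather than being really encrypted.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x0001  # general-purpose flag bit 0: member data is encrypted
SAMPLE_TEXT = b"constructed sample, not malware\n"


def encrypted_members(zip_bytes):
    """Return (name, crc32, compressed_size, size) for each encrypted member.

    Only the central directory is read, so no password is needed.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.CRC, i.compress_size, i.file_size)
                for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def scan_message(raw):
    """Map attachment filename -> encrypted members, for zip attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK\x03\x04"):  # go by content, not by name
            continue
        try:
            hits = encrypted_members(payload)
        except zipfile.BadZipFile:
            # Assumption of this example: an unparseable archive is reported
            # rather than passed as clean.
            hits = [("<unreadable archive>", 0, 0, 0)]
        if hits:
            findings[part.get_filename() or "<unnamed>"] = hits
    return findings


def make_zip(mark_encrypted):
    """Build a constructed one-member zip; optionally set the encrypted flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", SAMPLE_TEXT)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit 6 bytes into the local header and 8 bytes into the
        # central directory header.
        for pos in (data.find(b"PK\x03\x04") + 6, data.rfind(b"PK\x01\x02") + 8):
            flags, = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


def build_sample(attachment):
    """Wrap attachment bytes in a constructed MIME message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="Message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, att in (("flagged", make_zip(True)), ("plain", make_zip(False)),
                       ("truncated", make_zip(True)[:40])):
        print(label, scan_message(build_sample(att)))
```

The CRC and sizes returned for a flagged member are the kind of cleartext detail a signature on a specific infected archive could be matched against.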
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: Custom Scores In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> Message-ID: <404631EE.3060509@ucgbook.com> Sorry for answering two persons (Ugo and Pete) in one mail... >>Just installed DCC on one of my servers today and is working nicely - >>made me think that, if some messages are listed with checks like DCC or >>certain RBLs, then they must be almost %100 spam, or >>undesirable emails? RBL:s sometimes list legit servers for a while for several reasons and DCC doesn't even try to decide if a message is ham or spam, it just assumes that if really many of the same message circulate it's spam. That sounds crazy but it works really well. But you can't depend on any single one source, that's why SA adds them up. >>Has anyone heard of DCC or the best RBLs listing legit senders or >>emails? is it worth giving these a much higher score so these message >>score as High Spam and are deleted on the spot? Read above comment. Don't bump the score excessively. >>OR am i am missing the central reasons why this likes DCC only >>score 1.81 ? It scores 1.81 because you don't use Bayes, if you did you would get 2.91. Bayes helps a lot, a BAYES99 adds 5.4 points. > If that can help you, I got many DCC_CHECK score with 1.81, but also one with 2.91, like the one below: Read above comment. Look in /usr/share/spamassassin/50_scores.cf (or /usr/local/share/spamassassin/50_scores.cf), the last column is used when you have net tests and Bayes enabled. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From drew at THEMARSHALLS.CO.UK Wed Mar 3 19:28:01 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! In-Reply-To: References: Message-ID: <404631C1.7000408@themarshalls.co.uk> Jeff Earickson wrote: >Julian, > Installed 4.28.4 this morning, turned on quarantining, >works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam >0.67-1, using sophossavi and clamavmodule, SA 2.63, razor). > >Lots of emails that generate: > >ERROR:: File was encrypted > >in syslog turn out to be infected with Worm.Bagle.F-zippwd-3 >when I fun the quarantined files thru clamscan. > >I also have not noticed any significant increase in load/ >slowdown on my system (a Sun V1280) because of the new code. > >Great work, many thanks. > >Jeff Earickson >Colby College > > Julian I know you said that you weren't intending to do another stable release for several weeks but I think this change is such a major safety feature that it would be worth doing. What do you think? It would help those who only subscribe to the Freshmeat mailing list to get the new and improved version and I would think that you would be the first with a real, workable, secure solution to the password encrypted virus in a zip problem. A real coup! Just another point that made me smile today, I happened to notice that on the bottom of an automated signature from a company that pays $$$ to Messagelabs they were stating: 'This message has been scanned by Messagelabs for viruses, it should be noted that we can not scan encrypted or password protected messages'. Looks like even the mighty Messagelabs have not worked a fix yet!! Well done, a great result for MailScanner, still the best (IMHO ;-) ) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From kevins at BMRB.CO.UK Wed Mar 3 19:32:59 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> Message-ID: <1078342380.689.18.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 14:58, Julian Field wrote: > Sorry the updates are appearing so thick and fast at the moment. No need to apologise, I for one am very glad to see them! Just testing 4.28.4 - a great improvement! I've only got one (small) niggle. The all-viruses keyword seems to encompass the Zip-Pasword keyword, shouldn't All-Viruses only be viruses detected by scanners? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From garry at GLENDOWN.DE Wed Mar 3 19:38:47 2004 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:57 2006 Subject: No subject In-Reply-To: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> Message-ID: <40463447.10806@glendown.de> Mike McMullen wrote: > Could a signature or checksum be calculated that was within a certain error > bounds that said it was the virus zip? > > I understand that extra random length files could be added to throw off a > checksum but at some point in the bitstream wouldn't there be a recognizable > pattern? Apart from the unencrypted part (which, as I understand, consists only of the filename, length, and checksum) I don't think there are any ways to identify a virus - after all, if you could it would defeat the reason (or quality) of an encryption. Of those listed above, the checksum will most likely be based on the encrypted data, which means it will be different for every key used. Also, the length (if not for this virus) might be different for every mail if the virus writer should decide to modify the amount of data written. So, just about anything left is the filename, which again only depends on the creativity of the programmer ... The only other possibility would be to find the password in the accompanying message and decrypt the zip using it ... (for encrypted zips, the scanner could use every string found in the message and try to decode with it ... that would work for any virus message, as the virus only makes sense if it is sent together with the password ...) -gg From craig at WESTPRESS.COM Wed Mar 3 19:39:43 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <4046298A.1050709@orionhost.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: Cathy, you should look to 'Rules Du Jour' to add SA Rule checks that would catch a lot of that if you are not already. Then SA-Learn goes a long way towards catching things like this too once it is trained. I trained mine real quick when one of our users was receiving so much spam, that we changed his email address. I turned his old email address into a 'spam trap'. I have a script written and set up as a cron job to parse these 'spam trap' accounts daily. Likewise I have a few 'ham trap' email addresses set up to do the same, though with the exception of one, I do not auto parse these as I want to peruse them beforehand to confirm that spam is not slipping in. The spam@ourdomain.com and notspam@ourdomain.com are emails that are set up for our users to bounce messages to that make it through. 
Check out the FAQ at http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/275.html

Here is my script and crontab entry:

crontab:

05 0 * * * /usr/local/bin/my_sa_learn.sh

my_sa_learn.sh:

#!/bin/sh
# Learn each spam-trap mailbox as spam, then remove the mailbox file.
if [ -e /var/mail/spam ]; then
    /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam
    rm /var/mail/spam > /dev/null
fi
if [ -e /var/mail/jet ]; then
    /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/jet
    rm /var/mail/jet > /dev/null
fi
if [ -e /var/mail/graphics ]; then
    /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/graphics
    rm /var/mail/graphics > /dev/null
fi
# Learn the user-reported false positives as ham.
if [ -e /var/mail/notspam ]; then
    /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam
    rm /var/mail/notspam > /dev/null
fi
# Rebuild the Bayes database once all mailboxes have been learned.
/usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf

This has really helped to bring our spam problem to

-- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From ugob at CAMO-ROUTE.COM Wed Mar 3 19:39:26 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting Message-ID: <54C38A0B814C8E438EF73FC76F36292741096C@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Craig Daters [mailto:craig@WESTPRESS.COM] >Sent: 3 March, 2004 12:24 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Whitelisting > > >Where is it better to whitelist people/mail-lists/etc.? In: > >/etc/MailScanner/spam.assassin.prefs.conf, or in >/etc/MailScanner/rules/spam.whitelist.rules > >Is there a line of thought as to why I might want to in one versus >the other? Does MailScanner prefer one over the other? I think spam.whitelist.rules is better, since it probably disables DNSBL checks as well, not just SA >-- >-- > >Craig Daters (craig@westpress.com) >Systems Administrator >West Press Printing >1663 West Grant Road >Tucson, Arizona 85745-1433 > >Tel: 520-624-4939 >Fax: 520-624-2715 > >www.westpress.com > >-- > From ugob at CAMO-ROUTE.COM Wed Mar 3 19:40:43 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrading from 4.26.8 to latest revision? Message-ID: <54C38A0B814C8E438EF73FC76F36292741096D@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Brian Lewis [mailto:test@NEXTMILL.NET] >Sent: 3 March, 2004 12:28 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Upgrading from 4.26.8 to latest revision? > > >What is the correct procedure to safely upgrade from 4.26.8 to >the latest >revision? The Installation Documentation and FAQ don't seem to mention >an 'upgrade' procedure. > >Do I still use the ./install.sh script? (or is there an >upgrade.sh script >somewhere??) >Do I need to backup any configuration files in the >/etc/MailScanner folder? >Which files are commonly modified during this install that I should be >concerned it? The common upgrade procedure is using the install.sh, then run upgrade_mailscanner_conf. > >MailScanner 4.26.8 currently >SpamAssassin >ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs >partition) >512mb TMPFS partition for clamav and mailscanner >/etc/MailScanner/spam.assassin.prefs.conf modified >/etc/MailScanner/filename.rules.conf modified >/etc/MailScanner/MailScanner.conf modified > From spamtrap71892316634 at ANIME.NET Wed Mar 3 19:41:32 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:57 2006 Subject: your mail In-Reply-To: <6.0.1.1.2.20040303191243.03b15458@imap.ecs.soton.ac.uk> Message-ID: On Wed, 3 Mar 2004, Julian Field wrote: > At 19:03 03/03/2004, you wrote: > >Would it be possible for Mailscanner to unzip password protected zipfiles > >the same way some of the virus scanners do? Eg look for the text string in > >the message. > >It would make mailscanner work with f-prot to catch W32/Bagle. > They aren't doing exactly that, I believe. They are simply looking for > key-strings in the mail message or looking for details of the contents/size > of the zip file. > With the modern Zip encryption schemes, decrypting them is not trivial. Well, what techniques would be practical to add to mailscanner? Interfacing with /usr/bin/unzip (which does handle encryption)? -Dan From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:42:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! In-Reply-To: <404631C1.7000408@themarshalls.co.uk> References: <404631C1.7000408@themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040303194122.039bba58@imap.ecs.soton.ac.uk> At 19:28 03/03/2004, you wrote: >Jeff Earickson wrote: >>Julian, >> Installed 4.28.4 this morning, turned on quarantining, >>works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam >>0.67-1, using sophossavi and clamavmodule, SA 2.63, razor). >> >>Lots of emails that generate: >> >>ERROR:: File was encrypted >> >>in syslog turn out to be infected with Worm.Bagle.F-zippwd-3 >>when I fun the quarantined files thru clamscan. >> >>I also have not noticed any significant increase in load/ >>slowdown on my system (a Sun V1280) because of the new code. >> >>Great work, many thanks. >> >>Jeff Earickson >>Colby College >> >Julian > >I know you said that you weren't intending to do another stable release >for several weeks but I think this change is such a major safety feature >that it would be worth doing. What do you think? It would help those who >only subscribe to the Freshmeat mailing list to get the new and improved >version and I would think that you would be the first with a real, >workable, secure solution to the password encrypted virus in a zip >problem. A real coup! I just want to "settle" the code for a couple of days first. I don't want to do a stable release and have to replace it 24 hours later. But otherwise, great idea! >Just another point that made me smile today, I happened to notice that >on the bottom of an automated signature from a company that pays $$$ to >Messagelabs they were stating: 'This message has been scanned by >Messagelabs for viruses, it should be noted that we can not scan >encrypted or password protected messages'. Looks like even the mighty >Messagelabs have not worked a fix yet!! 
Aw, shucks :-) >Well done, a great result for MailScanner, still the best (IMHO ;-) ) Thankyou. That is much appreciated. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:44:06 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <1078342380.689.18.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> At 19:32 03/03/2004, you wrote: >On Wed, 2004-03-03 at 14:58, Julian Field wrote: > > Sorry the updates are appearing so thick and fast at the moment. > >No need to apologise, I for one am very glad to see them! > >Just testing 4.28.4 - a great improvement! I've only got one (small) >niggle. The all-viruses keyword seems to encompass the Zip-Pasword >keyword, shouldn't All-Viruses only be viruses detected by scanners? Yes, but pretty much all of them are appearing as part of undetectable viruses at the moment. Someone else suggested including them, and it seemed a good idea. I might add it as an option to the Non-Forging Viruses list. Would that solve the problem for you? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From denis at CROOMBS.ORG Wed Mar 3 19:49:38 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID: I have installed this version, but when I do a restart, I get the following:- Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386- linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386- linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386- linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5 /vendor_perl/5.6.1/i386- linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib /MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] And my mail system is broken Any clues Denis From peter at UCGBOOK.COM Wed Mar 3 19:51:49 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 In-Reply-To: References: Message-ID: <40463755.5070109@ucgbook.com> Denis Croombs wrote: > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC > contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386- As stated above and in Julians posts and on the web site, install Archive::Zip. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From sysadmin at FLEETONE.COM Wed Mar 3 19:51:41 2004 
From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] References: Message-ID: <007301c40158$f2eb4030$45a610ac@fleetone.com> > On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > For those of you who want to try to catch these with SpamAssassin, I > > think the following should work: > > > > body BAGLE_PASSWORD /password.*[0-9]{4,}/i > > describe BAGLE_PASSWORD Password.*numbers > > score BAGLE_PASSWORD 6.5 > > > > If anyone has a better suggestion, let us know! > > Has anyone found this to work? We can't upgrade as of yet to the latest MS > since we did an apt-get install :( Will know better next time :) > -- > Thanks!! > David Thurman > List Only at Web Presence Group Net I forwarded an infected mail with the bagle zip attachment and it caught it and threw it in my spam folder. The header information showed it was the BAGLE rule set that found it. Rob From sysadmin at FLEETONE.COM Wed Mar 3 19:53:20 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 References: Message-ID: <007d01c40159$2dbc9fb0$45a610ac@fleetone.com> Just a guess, but it sounds like you need to install the Perl module Archive::Zip Rob ----- Original Message ----- 
From: "Denis Croombs" To: Sent: Wednesday, March 03, 2004 1:49 PM Subject: System down ! with 4.28-4.1 > I have installed this version, but when I do a restart, I get the > following:- > > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC > contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386- > linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386- > linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386- > linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5 > /vendor_perl/5.6.1/i386- > linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib > /MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > BEGIN failed--compilation aborted > at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > Compilation failed in require at /usr/sbin/MailScanner line 52. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] > > And my mail system is broken > > Any clues > > Denis > From dustin.baer at IHS.COM Wed Mar 3 19:53:18 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] References: Message-ID: <404637AE.8E125994@ihs.com> Dave's List Addy wrote: > > On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > For those of you who want to try to catch these with SpamAssassin, I > > think the following should work: > > > > body BAGLE_PASSWORD /password.*[0-9]{4,}/i > > describe BAGLE_PASSWORD Password.*numbers > > score BAGLE_PASSWORD 6.5 > > > > If anyone has a better suggestion, let us know! > > Has anyone found this to work? We can't upgrade as of yet to the latest MS > since we did a apt-get install :( Will know better next time :) It works for me. I had to increase the score, since BAYES_00 was basically erasing the 6.5 I gave it. Dustin From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 19:54:00 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] In-Reply-To: <007301c40158$f2eb4030$45a610ac@fleetone.com> Message-ID: On 3/3/04 1:51 PM, "Rob" wrote: >>> For those of you who want to try to catch these with SpamAssassin, I >>> think the following should work: >>> >>> body BAGLE_PASSWORD /password.*[0-9]{4,}/i >>> describe BAGLE_PASSWORD Password.*numbers >>> score BAGLE_PASSWORD 6.5 >>> >>> If anyone has a better suggestion, let us know! >> >> Has anyone found this to work? We can't upgrade as of yet to the latest MS >> since we did an apt-get install :( Will know better next time :) >> -- >> Thanks!! >> David Thurman >> List Only at Web Presence Group Net > > I forwarded an infected mail with the bagle zip attachment and it caught it > and threw it in my spam folder. The header information showed it was the > BAGLE rule set that found it. Thanks!! Band-aid for now :) -- Thanks!! David Thurman List Only at Web Presence Group Net From denis at CROOMBS.ORG Wed Mar 3 19:54:51 2004 From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID: Sorry forgot to include the following data:- Redhat 7.3, Installed from RPM, with Spam Assassin 2.63 & clamav Denis Croombs From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 19:49:02 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] In-Reply-To: <4045FA58.C955B333@ihs.com> Message-ID: On 3/3/04 9:31 AM, "Dustin Baer" wrote: > For those of you who want to try to catch these with SpamAssassin, I > think the following should work: > > body BAGLE_PASSWORD /password.*[0-9]{4,}/i > describe BAGLE_PASSWORD Password.*numbers > score BAGLE_PASSWORD 6.5 > > If anyone has a better suggestion, let us know! Has anyone found this to work? We can't upgrade as of yet to the latest MS since we did an apt-get install :( Will know better next time :) -- Thanks!! David Thurman List Only at Web Presence Group Net From mlm at LOANPROCESSING.NET Wed Mar 3 19:16:33 2004 From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:57 2006 Subject: No subject References: Message-ID: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> From: "Dan Hollis" > Would it be possible for Mailscanner to unzip password protected zipfiles > the same way some of the virus scanners do? Eg look for the text string in > the message. > > It would make mailscanner work with f-prot to catch W32/Bagle. > > -Dan > Maybe this is a dumb question, but would it be possible to catch viruses in password protected zip files without unzipping them at all? Could a signature or checksum be calculated that was within a certain error bounds that said it was the virus zip? I understand that extra random length files could be added to throw off a checksum but at some point in the bitstream wouldn't there be a recognizable pattern? Mike From sysadmin at FLEETONE.COM Wed Mar 3 19:55:32 2004 
From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 References: Message-ID: <009301c40159$7c2eb750$45a610ac@fleetone.com> Depending on your version of linux, the RPM's can be found here for redhat or fedora systems: http://dag.wieers.com/packages/perl-Archive-Zip/ Rob ----- Original Message ----- From: "Denis Croombs" To: Sent: Wednesday, March 03, 2004 1:49 PM Subject: System down ! with 4.28-4.1 > I have installed this version, but when I do a restart, I get the > following:- > > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC > contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386- > linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386- > linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386- > linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5 > /vendor_perl/5.6.1/i386- > linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib > /MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > BEGIN failed--compilation aborted > at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > Compilation failed in require at /usr/sbin/MailScanner line 52. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] > > And my mail system is broken > > Any clues > > Denis > From denis at CROOMBS.ORG Wed Mar 3 20:03:13 2004 From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID: Hi >Depending on your version of linux, the RPM's can be found here for redhat >or fedora systems: >http://dag.wieers.com/packages/perl-Archive-Zip/ >Rob Thanks for that that worked 1st time Denis Croombs From denis at CROOMBS.ORG Wed Mar 3 18:23:00 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28-4.1 Message-ID: <026e01c4014c$8fb8c610$85b8fea9@Laptop> I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed OK but when I try and restart it I get the following error:- MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. Any clues ? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From denis at CROOMBS.ORG Wed Mar 3 18:55:28 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! Message-ID: <028001c40151$192f5e50$85b8fea9@Laptop> I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed OK but when I try and restart it I get the following error:- MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. Any clues ? Thanks Denis -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From marco at MUW.EDU Wed Mar 3 20:22:46 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: References: Message-ID: <1078345366.40463e96aeb70@webmail.MUW.Edu> Something I thought about this morning, since the protected-zip dilemma ignited all over this list and that is: Is it safe to assume that virus-writers are getting desperate, that they are resorting to compressing their damage AND password-protect it and send it to users? Have they exhausted all other means? Is it safe to say the tools like the great MailScanner, and the work put forth by my hero Jules, that the rope is getting tighter around their necks? Maybe these questions can help us, MailScanner community, help MailScanner be more of a proactive tool. We seem to respond to crisis, after the fact, maybe the virus-writers ARE a step ahead. How can we catch up with them and maybe be a step ahead? I am just over-worked and in need of a good night sleep, just like all of you. Marco From dbird at SGHMS.AC.UK Wed Mar 3 20:10:41 2004 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! In-Reply-To: <028001c40151$192f5e50$85b8fea9@Laptop> References: <028001c40151$192f5e50$85b8fea9@Laptop> Message-ID: <40463BC1.7070801@sghms.ac.uk> Denis Croombs wrote: >I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed >OK but when I try and restart it I get the following error:- > > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: > /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 > /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 > /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 > /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux > /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . > /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line > 46. >BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/Message.pm line 46. > Compilation failed in require at /usr/sbin/MailScanner line 52. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > > Any clues ? > > You need to install Compress::zlib and Archive:zip from www.cpan.org Dan >Thanks Denis > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >Marvin the E-Mail scanner > > > -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikes at HARTWELLCORP.COM Wed Mar 3 20:03:23 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:57 2006 Subject: Getting a *lot* of these Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D15@hart-exchange.hartwellcorp.com> Julian Field wrote: >>> What about cleaning out your incomming queue :) Thats where it >>> starts. >> >> I *am* cleaning it out. Each night I'm removing any file more than >> one day old. However, my log files are still getting bloated. > > How are these bad files being generated? I very rarely see this > problem. I would definitely advise you to investigate the cause > rather than just killing the symptom. Julian, My /var/log/maillog file now has almost 8 million lines in it. I don't have the luxury of trying to find out what is generating the files under these conditions. I've commented out the line in Sendmail.pm that makes the log entries for now. -- Michael St. Laurent Hartwell Corporation From chris at TRUDEAU.ORG Wed Mar 3 20:15:39 2004 
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:22:57 2006 Subject: No subject References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> <40463447.10806@glendown.de> Message-ID: <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> Sorry for the top post, but I found this on a Microsoft Mailing list, does this avenue provide a possible solution? I've found that the A/V software does see the file within the ZIP archive, but cannot process it because it does not recognize the extension. When the archive is password protected, the file enclosed receives a "+" character at the end of the extension (ie test.exe becomes test.exe+) Since the A/V software doesn't recognize that kind of extension, it lets it pass thru. I found that by adding the "+" character to file extensions that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file extension and perform the necessary actions on it. I know this would possibly require a change to filename routines, but is this possible using MailScanner? Just a thought. CT ----- Original Message ----- 
From: "Garry Glendown" To: Sent: Wednesday, March 03, 2004 2:38 PM > Mike McMullen wrote: > > Could a signature or checksum be calculated that was within a certain error > > bounds that said it was the virus zip? > > > > I understand that extra random length files could be added to throw off a > > checksum but at some point in the bitstream wouldn't there be a recognizable > > pattern? > > Apart from the unencrypted part (which, as I understand, consists only > of the filename, length, and checksum) I don't think there are any ways > to identify a virus - after all, if you could it would defeat the reason > (or quality) of an encryption. Of those listed above, the checksum will > most likely be based on the encrypted data, which means it will be > different for every key used. Also, the lenght (if not for this virus) > might be different for every mail if the virus writer should decide to > modify the amount of data written. So, just about anything left is the > filename, which again only depends on the creativity of the programmer ... > > The only other possibility would be to find the password in the > accompanying message and decrypt the zip using it ... (for encrypted > zips, the scanner could use every string found in the message and try to > decode with it ... that would work for any virus message, as the virus > only makes sense if it is sent together with the password ...) > > -gg From denis at CROOMBS.ORG Wed Mar 3 20:18:54 2004 
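The point made in this thread, that a password-protected zip still lists each member's filename, sizes and checksum in the clear and can therefore be flagged and filtered by filename without the password, is shown here as an added example; it is not MailScanner's code and not from any poster. The deny list, the function names and the sample archive are constructed for illustration, and ZIP64 and multi-disk archives are assumed not to occur.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"          # central-directory file header
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # fixed 46-byte part of that header
FLAG_ENCRYPTED = 0x0001           # general-purpose flag, bit 0

# Hypothetical deny list, standing in for a site's own filename rules.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cmd", ".vbs", ".bat")


def read_central_directory(data):
    """List every member from the cleartext central directory; no password needed."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip: end-of-central-directory record missing")
    members = []
    try:
        # Entry count, directory size and directory offset sit 10 bytes into the record.
        total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
        for _ in range(total):
            (sig, _vmade, _vneed, flags, method, _mtime, _mdate, crc,
             csize, usize, nlen, xlen, clen, _disk, _iattr, _eattr,
             local_offset) = struct.unpack_from(CDIR_FMT, data, pos)
            if sig != CDIR_SIG:
                raise ValueError("central directory entry has a bad signature")
            name = data[pos + 46:pos + 46 + nlen]
            if len(name) != nlen:
                raise ValueError("truncated member name")
            # Every field recorded here is stored unencrypted in the archive.
            members.append({
                "name": name.decode("cp437"),
                "encrypted": bool(flags & FLAG_ENCRYPTED),
                "method": method,
                "crc32": crc,
                "compressed_size": csize,
                "size": usize,
                "cd_pos": pos,
                "local_offset": local_offset,
            })
            pos += 46 + nlen + xlen + clen
    except struct.error as exc:
        raise ValueError("truncated zip directory") from exc
    return members


def evaluate(data):
    """Return (reason, detail) findings; an unreadable archive fails closed."""
    try:
        members = read_central_directory(data)
    except ValueError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for m in members:
        if m["encrypted"]:
            findings.append(("encrypted", m["name"]))
        if m["name"].lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(("blocked-filename", m["name"]))
    return findings


def build_constructed_sample():
    """Constructed test archive: two stored members, one then flagged as encrypted.

    Only the flag bit is set (in the local and the central header); the payload
    is not really encrypted, which is enough because the checks never read it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("document.exe", b"constructed placeholder, not a program")
    raw = bytearray(buf.getvalue())
    for m in read_central_directory(bytes(raw)):
        if m["name"] == "document.exe":
            # Flags live at offset 8 of the central header and 6 of the local header.
            for flag_pos in (m["cd_pos"] + 8, m["local_offset"] + 6):
                (flags,) = struct.unpack_from("<H", raw, flag_pos)
                struct.pack_into("<H", raw, flag_pos, flags | FLAG_ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    sample = build_constructed_sample()
    for m in read_central_directory(sample):
        state = "encrypted" if m["encrypted"] else "plain"
        print(m["name"], state, m["size"], hex(m["crc32"]))
    print(evaluate(sample))
```

The filename test needs no "+" suffix on the deny list, because the name is read straight from the directory entry and the encryption state is a separate flag.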
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! References: <028001c40151$192f5e50$85b8fea9@Laptop> <40463BC1.7070801@sghms.ac.uk> Message-ID: <02eb01c4015c$c0c261c0$85b8fea9@Laptop> >> You need to install Compress::zlib and Archive:zip from www.cpan.org > > Dan > Thanks I have now done that. Denis -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From peter at UCGBOOK.COM Wed Mar 3 20:20:36 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: <1078345366.40463e96aeb70@webmail.MUW.Edu> References: <1078345366.40463e96aeb70@webmail.MUW.Edu> Message-ID: <40463E14.5030202@ucgbook.com> Marco Obaid wrote: > Is it safe to assume that virus-writers are getting desperate, that they are > resorting to compressing their damage AND password-protect it and send it to > users? Have they exahusted all other means? I have also thought about this and I wonder what their next step is going to be. They obviously want to send their attachments as executables for maximum chance of successful infection but many filter those out even without virus scanners and even the worst client of them all, Outlook, don't execute them automatically anymore. Then they started sending their attachments inside zips who usually goes through the filters and has to be virus scanned with an updated signature to be detected. But Julian now goes inside zips and allows us to block filenames in them so that doesn't work anymore. So they have finally resorted to sending their viruses in password protected zips but now we can block them too so how are they going to go around this last obstacle? I guess the real question is, how is it possible that there still is users stupid enough to spread this? :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From brett at PROSOLUTIONSINC.COM Wed Mar 3 20:29:14 2004 
From: brett at PROSOLUTIONSINC.COM (Brett) Date: Thu Jan 12 21:22:57 2006 Subject: whitelist per user Message-ID:

ok question i set up /etc/MailScanner/spam.bydomain/whitelist/
and created user@domain.com and inside of that inserted
the 3 domains i want whitelisted and in mailscanner.conf
put
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
to
Is Definitely Not Spam = &ByDomainSpamWhiteList
and restarted mailscanner

was that all i had to do i feel like i missed something
and how do i verify mailscanner is using the file

Thanks All
Brett

From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 20:30:01 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought [SCANNED] In-Reply-To: <40463E14.5030202@ucgbook.com> Message-ID:

On 3/3/04 2:20 PM, "Peter Bonivart" wrote:
> I guess the real question is, how is it possible that there still is
> users stupid enough to spread this? :-)

I read something the other day that was a study of users and how they felt;

A. The Help Desk should be handling this.

B. They don't have time to make sure it's not a virus and should be able to open mail as they please (refer to A.) Or bother with updates. (Gotta EBay!!)

C. Nothing they can do about it so what's the fuss.

Many more but those seemed to stand out to me. This was a Novel Study I think done in the UK.
--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From maillists at CONACTIVE.COM Wed Mar 3 20:31:39 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! In-Reply-To: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: I was wondering why I couldn't find any trace or mail with one of these Bagles on our machines, not even on high-traffic domains, and checked the virus description at f-secure.com. Bagle uses it's own SMTP engine and apparently connects directly to the target SMTP server. If you use RBLs for dialup and dynamic IP ranges and a good access list which also specializes in dialup IPs most if not all Bagles will simply bounce from your MTA. No Bagle problem at all. Same for many of the other mass-mailing worms. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From kevins at BMRB.CO.UK Wed Mar 3 20:33:56 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> Message-ID: <1078346036.690.50.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 19:44, Julian Field wrote:
> >Just testing 4.28.4 - a great improvement! I've only got one (small)
> >niggle. The all-viruses keyword seems to encompass the Zip-Password
> >keyword, shouldn't All-Viruses only be viruses detected by scanners?
>
> Yes, but pretty much all of them are appearing as part of undetectable
> viruses at the moment. Someone else suggested including them, and it seemed
> a good idea. I might add it as an option to the Non-Forging Viruses list.
> Would that solve the problem for you?

Yes, I think it probably would. My issue is that I have, at times, suggested users use password protected zips for various reasons - so I would like to use a ruleset to ensure that any local senders are notified when they send a password protected zip.

I presume the Non-Forging list overrides the Silent Viruses list, so...

Silent Viruses = All-Viruses
Non-Forging Viruses = Zip-Password
Notify Senders of Viruses = /path/to/ruleset

.. would do what I want?#

A couple of points relating to reports I forgot to mention...

I'm seeing duplicate lines in the postmaster and sender notifications, like this one from a copy of putty.exe zipped as putty.zip

  Report: Executable DOS/Windows programs are dangerous in email (putty.exe)
          No programs allowed (putty.exe)
  Report: Executable DOS/Windows programs are dangerous in email (putty.exe)
          No programs allowed (putty.exe)

The recipient notification also isn't as clear as it might be (not sure if this is trivial or not). It seems to imply that there were two attachments, when in fact there was only one.

Warning: This message has had one or more attachments removed
Warning: (putty.exe, putty.zip).
Warning: Please read the "VirusWarning.txt" attachment(s) for more information.

These are little niggles only, the core functionality is exactly what we need. Thank you so much.

Kevin

BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From marco at MUW.EDU Wed Mar 3 20:51:16 2004
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: References: Message-ID: <1078347076.4046454465774@webmail.MUW.Edu> Quoting Dave's List Addy : > On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > > I guess the real question is, how is it possible that there still is > > users stupid enough to spread this? :-) > > I read something the other day that was a study of users and how they felt; > > A. The Help Desk should be handling this. > > B. They don't have time to make sure it's not a virus and should be able to > open mail as they please (refer to A.) Or bother with updates. (Gotta > EBay!!) > > C. Nothing they can do about it so what's the fuss. Add to this, that most Desktop Antivirus solutions do hijack system resources. I have caught many users turning off the Antivirus because it "slows down" their machines. I do not blame them, because I have done this myself a time or two when I was working on complex project with so many screens open. > > Many more but those seemed to stand out to me. This was a Novel Study I > think done in the UK. > -- > Thanks!! > David Thurman > List Only at Web Presence Group Net > From dev at ORIONHOST.NET Wed Mar 3 20:37:49 2004 
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <20040303110347.A29084@sthomas.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> <20040303110347.A29084@sthomas.net> Message-ID: <4046421D.3020408@orionhost.net> Thanks Steve, I've got MailScanner v 4.26.8-1. Bayes is running automatically. To say that I am *using* it may be overstating. I don't know how to train Bayes. I've read that you are supposed to feed it using sa-learn, but it is not clear to me exactly how that is done. I've been trying to figure it out from the FAQ. It doesn't help that I don't know my way around Linux very well. I changed servers recently and the old Bayes database was copied to the new server. I don't think DNSBLs are used, but I am not sure. Cathy Cramer Steve Thomas wrote: > On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have said: > >>I am having a real problem with random word spam receiving a spam score >>zero or very low, less that 3. Lots of this type of spam is getting >>through, while many legitimate messages get scores over 4. Some of my >>users are getting a hundred or more spam messages per day, about 90% of >>their total incoming mail. Are other people having problems with this? >>Any suggestions? > > > Are you using bayes and the DNSBLs? > > > -- > "Logic is in the eye of the logician." > - Gloria Steinem > From dev at ORIONHOST.NET Wed Mar 3 20:42:57 2004 
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: <40464351.9080103@orionhost.net> Thanks Craig, RulesDuJour looks like it would help. I am trying to figure out how to install that now. Thanks also for the script below. It would be great if users could bounce back their spam for processing. I also have a user who is about ready to dump their old address and get a new one because the amount of spam is so bad. Cathy Cramer Craig Daters wrote: > Cathy, you should look to 'Rules Du Jour' to add SA Rule checks that > would catch a lot of that if you are not already. Then SA-Learn goes > a long way towards catching things like this too once it it trained. > > I trained mine real quick when one of our users was receiving so much > spam, that we changed his email address. I turned his old email > address into a 'spam trap'. I have a script written and set up as a > cron job to parse these 'spam trap' accounts daily. > > Likewise I have a few 'ham trap' email addresses set up to do the > same, though with the exception of one, I do not auto parse these as > I want to puruse them beforehand to confirm that spam is not slipping > in. > > The spam@ourdomain.com and notspam@ourdomain.com are emails that are > set up for our users to bounce messages to that make it through. 
>
> Check out the FAQ at
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/275.html
>
> Here is my script and crontab entry:
>
> crontab:
>
> 05 0 * * * /usr/local/bin/my_sa_learn.sh
>
> my_sa_learn.sh:
>
> #!/bin/sh
>
> # Spam-trap mailboxes: learn as spam, then delete the mailbox.
> if [ -e /var/mail/spam ]; then
>   /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam
>   rm /var/mail/spam > /dev/null
> fi
>
> if [ -e /var/mail/jet ]; then
>   /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/jet
>   rm /var/mail/jet > /dev/null
> fi
>
> if [ -e /var/mail/graphics ]; then
>   /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/graphics
>   rm /var/mail/graphics > /dev/null
> fi
>
> # Ham mailbox: learn as non-spam, then delete the mailbox.
> if [ -e /var/mail/notspam ]; then
>   /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam
>   rm /var/mail/notspam > /dev/null
> fi
>
> # Rebuild the Bayes database after learning.
> /usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf
>
> This has really helped to bring our spam problem to
> --
> --
>
> Craig Daters (craig@westpress.com)
> Systems Administrator
> West Press Printing
> 1663 West Grant Road
> Tucson, Arizona 85745-1433
>
> Tel: 520-624-4939
> Fax: 520-624-2715
>
> www.westpress.com
>
> --
>

From jen at AH.DK Wed Mar 3 20:43:13 2004
From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28-4.1 and Deliver Disinfected Files = Message-ID: Hi I have just install 4.28-4.1 on 2 MS servers and the first MS server marked Bagle zip files as virus and Dangerous. The second MS server found the Password-protected archive and put it into quarantine BUT didn't marked as virus and Dangerous!! And put this in the maillog: "Disinfection: Rescan found only 0 viruses" the first MS server has "Deliver Disinfected Files = no" the second "Deliver Disinfected Files = yes" When I change second MS server to "Deliver Disinfected Files = no" the Password-protected archive was marked as virus and Dangerous. /Jan Elmqvist Nielsen From gdoris at rogers.com Wed Mar 3 20:43:26 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: <1078347076.4046454465774@webmail.MUW.Edu> References: <1078347076.4046454465774@webmail.MUW.Edu> Message-ID: <34368.129.80.22.133.1078346606.squirrel@65.48.246.102> > Quoting Dave's List Addy : > >> On 3/3/04 2:20 PM, "Peter Bonivart" wrote: >> >> > I guess the real question is, how is it possible that there still is >> > users stupid enough to spread this? :-) >> >> I read something the other day that was a study of users and how they >> felt; >> >> A. The Help Desk should be handling this. >> >> B. They don't have time to make sure it's not a virus and should be able >> to >> open mail as they please (refer to A.) Or bother with updates. (Gotta >> EBay!!) >> >> C. Nothing they can do about it so what's the fuss. > > Add to this, that most Desktop Antivirus solutions do hijack system > resources. > I have caught many users turning off the Antivirus because it "slows down" > their machines. I do not blame them, because I have done this myself a > time or > two when I was working on complex project with so many screens open. More importantly those scanners really mess up Microsoft games! Gerry From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:34:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: No subject In-Reply-To: <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> <40463447.10806@glendown.de> <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> Message-ID: <6.0.1.1.2.20040303203422.03b22040@imap.ecs.soton.ac.uk> At 20:15 03/03/2004, you wrote: >Sorry for the top post, but I found this on a Microsoft Mailing list, does >this avenue provide a possible solution? > > >I've found that the A/V software does see the file within the ZIP archive, >but cannot process it because it does not recognize the extension. When the >archive is password protected, the file enclosed receives a "+" character at >the end of the extension (ie test.exe becomes test.exe+) Since the A/V >software doesn't recognize that kind of extension, it lets it pass thru. > >I found that by adding the "+" character to file extensions that are blocked >(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file >extension and perform the necessary actions on it. > > >I know this would possibly require a change to filename routines, but is >this possible using MailScanner? The zip archive unpacking I do doesn't add anything to the end of the filename. >Just a thought. > >CT > > >----- Original Message ----- 
>From: "Garry Glendown" >To: >Sent: Wednesday, March 03, 2004 2:38 PM > > > > Mike McMullen wrote: > > > Could a signature or checksum be calculated that was within a certain >error > > > bounds that said it was the virus zip? > > > > > > I understand that extra random length files could be added to throw off >a > > > checksum but at some point in the bitstream wouldn't there be a >recognizable > > > pattern? > > > > Apart from the unencrypted part (which, as I understand, consists only > > of the filename, length, and checksum) I don't think there are any ways > > to identify a virus - after all, if you could it would defeat the reason > > (or quality) of an encryption. Of those listed above, the checksum will > > most likely be based on the encrypted data, which means it will be > > different for every key used. Also, the lenght (if not for this virus) > > might be different for every mail if the virus writer should decide to > > modify the amount of data written. So, just about anything left is the > > filename, which again only depends on the creativity of the programmer ... > > > > The only other possibility would be to find the password in the > > accompanying message and decrypt the zip using it ... (for encrypted > > zips, the scanner could use every string found in the message and try to > > decode with it ... that would work for any virus message, as the virus > > only makes sense if it is sent together with the password ...) > > > > -gg -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:49:27 2004 
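What a gateway can still read from a password-protected zip without the password, as discussed in the messages above (member names and lengths stay in clear, and the header carries an "encrypted" flag). This is an added example, not MailScanner's code and not from the thread: it uses Python's standard `zipfile` module, the blocked-extension list is an assumption, and the sample archives are constructed in memory by setting the flag bit on an ordinary zip.

```python
import io
import struct
import zipfile

# Hypothetical policy list for this example (not MailScanner's filename rules).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cmd", ".vbs", ".bat")

ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag word


def build_sample_zip(filename, payload, mark_encrypted):
    """Build a constructed zip in memory; optionally set the encrypted flag.

    The payload is not really encrypted. Only the header flag is set, which
    is all a scanner can look at when it does not have the password.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(filename, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header (PK\x03\x04): flag word at offset 6.
        # Central directory header (PK\x01\x02): flag word at offset 8.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + offset)
            struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
    return bytes(data)


def inspect_attachment(zip_bytes):
    """Return a verdict based on the cleartext zip directory alone."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "members": []}
    members = []
    with zf:
        for info in zf.infolist():  # reads the directory, never the data
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "blocked_name": info.filename.lower().endswith(BLOCKED_EXTENSIONS),
            })
    if any(m["encrypted"] for m in members):
        verdict = "password-protected"  # contents cannot be virus scanned
    elif any(m["blocked_name"] for m in members):
        verdict = "blocked-filename"
    else:
        verdict = "scan-contents"
    return {"verdict": verdict, "members": members}


if __name__ == "__main__":
    samples = {
        "encrypted test.exe": build_sample_zip("test.exe", b"constructed payload", True),
        "plain putty.exe": build_sample_zip("putty.exe", b"constructed payload", False),
        "plain notes.txt": build_sample_zip("notes.txt", b"constructed payload", False),
    }
    for label, blob in samples.items():
        result = inspect_attachment(blob)
        names = [m["name"] for m in result["members"]]
        print(f"{label}: {result['verdict']} {names}")
```

The member name is reported unchanged whether or not the flag is set, so a filename rule and a password-protected rule can be applied to the same directory listing.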
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: References: <40463E14.5030202@ucgbook.com> Message-ID: <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> At 20:30 03/03/2004, you wrote: >On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > I guess the real question is, how is it possible that there still is > > users stupid enough to spread this? :-) > >I read something the other day that was a study of users and how they felt; > >A. The Help Desk should be handling this. > >B. They don't have time to make sure it's not a virus and should be able to >open mail as they please (refer to A.) Or bother with updates. (Gotta >EBay!!) > >C. Nothing they can do about it so what's the fuss. > >Many more but those seemed to stand out to me. This was a Novel Study I >think done in the UK. It was done by a marketing company called TNS I believe. The best report on it I have seen is here: http://www.theregister.co.uk/content/55/35393.html It makes for alarming reading! Believe me, the users really are that stupid. They don't care. Maybe responsible computer use needs to take the same path that Health and Safety has taken. People used to ignore that because they were "too busy" or other such lame excuses. Now they don't have an option, and can be disciplined/sued if they breach H+S legislation. These lame excuses cost real businesses real money, and I think it is up to the businesses to start enforcing their rules, just like they do now with H+S rules and policies. I would certainly back company policies governing computer use, as long as they were enforced. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:40:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <1078346036.690.50.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> <1078346036.690.50.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040303203917.03b38ec0@imap.ecs.soton.ac.uk> At 20:33 03/03/2004, you wrote: >On Wed, 2004-03-03 at 19:44, Julian Field wrote: > > >Just testing 4.28.4 - a great improvement! I've only got one (small) > > >niggle. The all-viruses keyword seems to encompass the Zip-Pasword > > >keyword, shouldn't All-Viruses only be viruses detected by scanners? > > > > Yes, but pretty much all of them are appearing as part of undetectable > > viruses at the moment. Someone else suggested including them, and it seemed > > a good idea. I might add it as an option to the Non-Forging Viruses list. > > Would that solve the problem for you? > >Yes, I think it probably would. My issue is that I have, at times, >suggested users use password protected zips for various reasons - so I >would like to use a ruleset to ensure that any local senders are >notified when they send a password protected zip. Will do. >I presume the Non-Forging list overrides the Silent Viruses list, so... Correct. >Silent Viruses = All-Viruses >Non-Forging Viruses = Zip-Password >Notify Senders of Viruses = /path/to/ruleset >.. would do what I want?# > >A couple of points relating to reports I forgot to mention... 
>I'm seeing duplicate lines in the postmaster and sender notifications, >like this one from a copy of putty.exe zipped as putty.zip > > Report: Executable DOS/Windows programs are dangerous in email >(putty.exe) > No programs allowed (putty.exe) > Report: Executable DOS/Windows programs are dangerous in email >(putty.exe) > No programs allowed (putty.exe) > > >The recipient notification also isn't as clear as it might be (not sure >if this is trivial or not). It seems to imply that there were two >attachments, when in fact there was only one. > >Warning: This message has had one or more attachments removed >Warning: (putty.exe, putty.zip). >Warning: Please read the "VirusWarning.txt" attachment(s) for more >information. I agree. Not trivial to fix I think. >These are little niggles only, the core functionality is exactly what we >need. Thank you so much. My pleasure. But feel free to buy me goodies from my wishlist even so :-)))))))) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:37:34 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: whitelist per user In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303203610.03b38d78@imap.ecs.soton.ac.uk> At 20:29 03/03/2004, you wrote: >ok question i set up /etc/MailScanner/spam.bydomain/whitelist/ >and created user@domain.com and inside of that inserted >the 3 domains i want whitelisted and iin mailscanner.conf >put >Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules >to >Is Definitely Not Spam = &ByDomainSpamWhiteList >and retarted mailscanner > >was that all i had to do i feel like i missed something >and how do i verifiy mailscanner is useing the file Check in CustomConfig.pm. Add the top of the ByDomain white and blacklisting code, there are a couple of directory names defined that contain all the user@domain and domain files. Make sure that is set correctly. When you start up, it should print out the number of domains and users it has read white+blacklists for. Check that is roughly the figure you are expecting. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:52:04 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: low scoring spam In-Reply-To: <4046421D.3020408@orionhost.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> <20040303110347.A29084@sthomas.net> <4046421D.3020408@orionhost.net> Message-ID: <6.0.1.1.2.20040303204951.039c1da8@imap.ecs.soton.ac.uk> To a large extent, the Bayes database in SpamAssassin will teach itself. You don't actually need to do anything, except when it gets it wrong. Then you need to feed messages to "sa-learn". I'll leave others to explain how to use sa-learn, but there have been many discussions on this here before. But left to its own devices, SpamAssassin uses all its other rules to work out what is definitely spam and definitely non-spam, and feeds those definite messages back into the database learning code. So it trains itself. Neat huh? At 20:37 03/03/2004, you wrote: >Thanks Steve, > >I've got MailScanner v 4.26.8-1. > >Bayes is running automatically. To say that I am *using* it may be >overstating. I don't know how to train Bayes. I've read that you are >supposed to feed it using sa-learn, but it is not clear to me exactly >how that is done. I've been trying to figure it out from the FAQ. It >doesn't help that I don't know my way around Linux very well. > >I changed servers recently and the old Bayes database was copied to the >new server. > >I don't think DNSBLs are used, but I am not sure. > >Cathy Cramer > > > > >Steve Thomas wrote: > >>On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have >>said: >> >>>I am having a real problem with random word spam receiving a spam score >>>zero or very low, less that 3. Lots of this type of spam is getting >>>through, while many legitimate messages get scores over 4. Some of my >>>users are getting a hundred or more spam messages per day, about 90% of >>>their total incoming mail. Are other people having problems with this? >>>Any suggestions? 
>> >> >>Are you using bayes and the DNSBLs? >> >> >>-- >>"Logic is in the eye of the logician." >>- Gloria Steinem -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Wed Mar 3 20:47:10 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:58 2006 Subject: OT:Food for thought Message-ID: <54C38A0B814C8E438EF73FC76F362927410975@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Marco Obaid [mailto:marco@MUW.EDU]
>Sent: March 3, 2004 15:51
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Food for thought
>
>
>Quoting Dave's List Addy :
>
>> On 3/3/04 2:20 PM, "Peter Bonivart" wrote:
>>
>> > I guess the real question is, how is it possible that there still is
>> > users stupid enough to spread this? :-)
>>
>> I read something the other day that was a study of users and how they felt;
>>
>> A. The Help Desk should be handling this.
>>
>> B. They don't have time to make sure it's not a virus and should be able to
>> open mail as they please (refer to A.) Or bother with updates. (Gotta
>> EBay!!)
>>
>> C. Nothing they can do about it so what's the fuss.
>
>Add to this, that most Desktop Antivirus solutions do hijack system resources.
>I have caught many users turning off the Antivirus because it "slows down"
>their machines. I do not blame them, because I have done this myself a time or
>two when I was working on complex project with so many screens open.

Your users shouldn't be able to disable it. I used to work with McAfee a lot and by tweaking the settings for some applications, we saw tremendous results. I just disabled the "scan all files" and enabled "scan executables only" (a lot more than .exe were on the list, though... dlls, and other types). We got from 1m40s for opening a map to 40 secs. We did that only for users using this specific application. Even with a careful analysis, I couldn't find exactly what type of files I had to exclude :(.

The next day, I was recognized as a god in this department :)

>
>
>>
>> Many more but those seemed to stand out to me. This was a Novel Study I
>> think done in the UK.
>> --
>> Thanks!!
>> David Thurman >> List Only at Web Presence Group Net >> > From peter at UCGBOOK.COM Wed Mar 3 20:58:20 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: <1078347076.4046454465774@webmail.MUW.Edu> References: <1078347076.4046454465774@webmail.MUW.Edu> Message-ID: <404646EC.1000001@ucgbook.com> Marco Obaid wrote: > Add to this, that most Desktop Antivirus solutions do hijack system resources. > I have caught many users turning off the Antivirus because it "slows down" > their machines. I do not blame them, because I have done this myself a time or > two when I was working on complex project with so many screens open. The user of a workstation should not be logged on as an admin and the virus scanner should run as an admin so it can't be closed by the user. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From jrudd at UCSC.EDU Wed Mar 3 20:53:32 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:58 2006 Subject: bagle SpamAssassin rule [SCANNED] References: <404637AE.8E125994@ihs.com> Message-ID: <404645CC.8EEA7401@ucsc.edu>

Dustin Baer wrote:
>
> Dave's List Addy wrote:
> >
> > On 3/3/04 9:31 AM, "Dustin Baer" wrote:
> >
> > > For those of you who want to try to catch these with SpamAssassin, I
> > > think the following should work:
> > >
> > > body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> > > describe BAGLE_PASSWORD Password.*numbers
> > > score BAGLE_PASSWORD 6.5
> > >
> > > If anyone has a better suggestion, let us know!
> >
> > Has anyone found this to work? We can't upgrade as of yet to the latest MS
> > since we did a apt-get install :( Will know better next time :)
>
> It works for me. I had to increase the score, since BAYES_00 was
> basically erasing the 6.5 I gave it.
>
> Dustin

Note, I've also seen them just use "pass" and not "password".

From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:24:21 2004
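The BAGLE_PASSWORD rule from the message above, run over sample bodies to show what it catches, what it misses and where it fires on ordinary mail. This is an added example, not from the thread: Python's `re` stands in for SpamAssassin's Perl regex engine, the per-paragraph whitespace collapsing is a simplification of how body rules see text, `BAGLE_PASS_VARIANT` and the `-4.9` offset are hypothetical, and every sample except the first (the sentence from the Bagle message quoted on this list) is constructed.

```python
import re

REQUIRED_SCORE = 5.0  # "required 5" in the SpamCheck headers quoted on the list

# name -> (pattern, score). BAGLE_PASSWORD is the rule posted in the thread.
# BAGLE_PASS_VARIANT is hypothetical: it also accepts "pass" and limits the
# distance between the keyword and the digits to 40 characters.
RULES = {
    "BAGLE_PASSWORD": (re.compile(r"password.*[0-9]{4,}", re.I), 6.5),
    "BAGLE_PASS_VARIANT": (
        re.compile(r"\bpass(?:word)?\b.{0,40}?\b[0-9]{4,}\b", re.I), 6.5),
}

SAMPLES = {
    # Sentence from the message quoted on the list, wrapped across two lines.
    "bagle_password": "In order to read the attach you have to use the following\n"
                      "password: 38683.",
    # Constructed: the shorter keyword noted in the reply above.
    "bagle_pass": "Archive pass: 12345",
    # Constructed legitimate mail: keyword and a number far apart.
    "helpdesk": "Please change your password regularly and never share it with "
                "colleagues or write it down. Ticket 20040303 is now closed.",
    # Constructed: keyword and number in different paragraphs.
    "two_paragraphs": "Your password has been changed.\n\nOrder 123456 has shipped.",
}


def paragraphs(body):
    """Split on blank lines and collapse whitespace inside each paragraph."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", body) if p.strip()]


def rule_hits(body, rules=RULES):
    """Names of the rules that match at least one paragraph of the body."""
    paras = paragraphs(body)
    return sorted(name for name, (rx, _) in rules.items()
                  if any(rx.search(p) for p in paras))


def is_spam(body, rule_name, other_score=0.0):
    """Add one rule's score to the sum of all other rules (other_score)."""
    hit = rule_name in rule_hits(body)
    total = (RULES[rule_name][1] if hit else 0.0) + other_score
    return total >= REQUIRED_SCORE


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15s} {rule_hits(body)}")
    # A negative score from another rule can pull a 6.5 hit under the threshold.
    print(is_spam(SAMPLES["bagle_password"], "BAGLE_PASSWORD", other_score=-4.9))
```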
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: 4.28-4.1 and Deliver Disinfected Files = In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk> Fixed in the next release. I have also added the Compress::Zlib and Archive::Zip modules to the RPM distributions and to the Perl module installation docs on the website. Getting closer to a stable release... At 20:43 03/03/2004, you wrote: >Hi > >I have just install 4.28-4.1 on 2 MS servers and the first MS server >marked Bagle zip files as virus and Dangerous. >The second MS server found the Password-protected archive and put it >into quarantine BUT didn't marked as virus and Dangerous!! >And put this in the maillog: >"Disinfection: Rescan found only 0 viruses" > >the first MS server has "Deliver Disinfected Files = no" >the second "Deliver Disinfected Files = yes" > >When I change second MS server to "Deliver Disinfected Files = no" the >Password-protected archive was marked as virus and Dangerous. > >/Jan Elmqvist Nielsen -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rob at thehostmasters.com Wed Mar 3 21:17:14 2004 
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:22:58 2006 Subject: Beag.J getting through via zip files! Message-ID: <00e701c40164$e6aaff20$0d01a8c0@basement> only when its in a zip it does not get found... but yet I have found other viruses in zip just not this one as of today... what should I do I got 3 sent to me already! Any suggestions? They are not password protected, well I never tried to open them so I figure they are not... Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040303/b926d106/attachment.html From rob at thehostmasters.com Wed Mar 3 21:04:06 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:22:58 2006 Subject: A virus got through my server after 3 years?!!? References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com> Message-ID: <005801c40163$10cbd380$0d01a8c0@basement> I think a virus got through... here are the headers there is an attachemner that i have not opened... Why would this get through?? i never had a problem before... i use Macafee i am on 4333 not sure what virus it is though?? ------------------------------------ Return-Path: Received: from tipe.utoronto.ca (tst15.tst.utoronto.ca [128.100.56.15]) by localhost.localdomain (8.12.10/8.12.5) with SMTP id i23HdjsB029765 for ; Wed, 3 Mar 2004 12:39:45 -0500 Date: Wed, 03 Mar 2004 12:44:52 -0500 To: info@thehostmasters.com Subject: Warning about your e-mail account. 
From: noreply@thehostmasters.com
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------taojqrvqlobuwwcadujp"
X-MailScanner-Information: Please contact info@thehostmasters.com for more info
X-MailScanner: Found to be clean
X-UIDL: Za&"!N#S"!)2N!!1#7!!

----------taojqrvqlobuwwcadujp
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello user of Thehostmasters.com e-mail server,

Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

For details see the attached file.

In order to read the attach you have to use the following password: 38683.

The Management,
The Thehostmasters.com team http://www.thehostmasters.com

----------taojqrvqlobuwwcadujp
Content-Type: application/octet-stream; name="TextFile.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextFile.zip"

-------------------------------------------------------------------

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: "Peter Bonivart"
To:
Sent: Wednesday, March 03, 2004 3:58 PM
Subject: Re: Food for thought

> Marco Obaid wrote:
> > Add to this, that most Desktop Antivirus solutions do hijack system resources.
> > I have caught many users turning off the Antivirus because it "slows down"
> > their machines. I do not blame them, because I have done this myself a time or
> > two when I was working on complex project with so many screens open.
>
> The user of a workstation should not be logged on as an admin and the
> virus scanner should run as an admin so it can't be closed by the user.
>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
>

From dz at SIAMESERESCUE.ORG Wed Mar 3 21:27:58 2004
From: dz at SIAMESERESCUE.ORG (Darrell)
Date: Thu Jan 12 21:22:58 2006
Subject: Bagle Zip format (from nanog)
Message-ID: <200403032128.i23LRxeg018538@siameserescue.net>

Just in case this isn't common knowledge already.

Z

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jeffrey I. Schiller
Sent: Wednesday, March 03, 2004 4:13 PM
To: Brian Wilson
Cc: Dan Hollis; 'nanog@merit.edu'
Subject: Re: dealing with w32/bagle

Turns out that the ZIP file format that all of these beasties are
using is a little bit non-standard. Specifically they are all version
1.0 zip archives and the first (and only) component is not
compressed.

At MIT we are matching these two strings to recognize the infected ZIP
files while letting most (actually I have seen no false positives) if
not all "real" ZIP files. We are matching them anywhere within an
attachment (well, within the first 16K). However you really only need
to see if they are the beginning characters (this is a ZIP file
header).

What follows are the base64 encoded strings. I have put an asterisk
between the first and second character, so my own filters won't reject
this message, do remove that before using...

U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA <= Matches encrypted version.

-Jeff

From mlm at LOANPROCESSING.NET Wed Mar 3 21:15:54 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk>
Message-ID: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net>

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, March 03, 2004 12:49 PM
Subject: Re: Food for thought

> At 20:30 03/03/2004, you wrote:
> >On 3/3/04 2:20 PM, "Peter Bonivart" wrote:
> > > I guess the real question is, how is it possible that there still is
> > > users stupid enough to spread this? :-)
> >
> >I read something the other day that was a study of users and how they felt;
> >
> >A. The Help Desk should be handling this.
> >
> >B. They don't have time to make sure it's not a virus and should be able to
> >open mail as they please (refer to A.) Or bother with updates. (Gotta
> >EBay!!)
> >
> >C. Nothing they can do about it so what's the fuss.
> >
> >Many more but those seemed to stand out to me. This was a Novel Study I
> >think done in the UK.
>
> It was done by a marketing company called TNS I believe. The best report on
> it I have seen is here:
> http://www.theregister.co.uk/content/55/35393.html
> It makes for alarming reading!
>
> Believe me, the users really are that stupid. They don't care.
>
> Maybe responsible computer use needs to take the same path that Health and
> Safety has taken. People used to ignore that because they were "too busy"
> or other such lame excuses. Now they don't have an option, and can be
> disciplined/sued if they breach H+S legislation.
>
> These lame excuses cost real businesses real money, and I think it is up to
> the businesses to start enforcing their rules, just like they do now with
> H+S rules and policies. I would certainly back company policies governing
> computer use, as long as they were enforced.
> --

What it comes down to is nobody wants to take responsibility for themselves or
their actions anymore. One reason why courts are full of frivolous lawsuits.

Personally at an emotional level I feel that this whole password protected
zip viri thing is the equivalent of FedEX delivering a package containing
bullets and a gun with instructions to place bullet in gun, point barrel to
head, and pull trigger. Repeat if necessary.

Somehow FedEx would be sued for wrongful death.

Opening up a password protected zip file with the password in the same email
whether it is a known email address or not is the height of stupidity.
Especially if the email body is as funky as the ones I've seen for Bagle.

Mike

From pete at eatathome.com.au Wed Mar 3 21:12:25 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: Multi Threaded Perl
In-Reply-To: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
Message-ID: <40464A39.9040908@eatathome.com.au>

Julian Field wrote:

> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>
> At 05:46 03/03/2004, you wrote:
>
>> Hi All,
>>
>> We have one box which for some reason seems to have been hit really hard
>> by the latest version of MailScanner the strange thing about this is
>> that
>> it's the newest and most highly specified box we have.
>>
>> The only difference I can see with this box is that it's running
>> multithreaded perl 5.8.0 is there any known issues with this at all?
>>
>> The box itself is a dual processor PIV with 1Gig of Ram running RedHat
>> 9. We have the work dirs in tmpfs etc and have no problems with our
>> other
>> boxes, just this one which has gone from easily able to process 100,000
>> messages per day down to barely processing 15,000
>>
>> Any ideas would be greatly appreciated.
>>
>> Regards,
>>
>> David Hooton
>> Senior Partner
>> Platform Hosting
>> www.platformhosting.com
>>
>>
>> Pain free spam & virus protection -
>> Mail
>> Security
>>
>> To report SPAM forward the message to:
>> spam@mailsecurity.net.au
>> To report incorrectly tagged messages:
>> notspam@mailsecurity.net.au
>>
>> 28e3cd95.jpg
>>
>
> ------------------------------------------------------------------------

my file reads

LANG="C"
#LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

What should I change supported to? Just change to C?

From pete at eatathome.com.au Wed Mar 3 21:20:34 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk>
Message-ID: <40464C22.7050002@eatathome.com.au>

Julian Field wrote:

> Stuff that isn't spam.
>
> At 11:41 03/03/2004, you wrote:
>
>> err...what's "ham"?
>>
>> At 07:09 PM 3/3/2004, you wrote:
>>
>>> kfliong wrote:
>>>
>>>> Hi,
>>>>
>>>> I have this email which is not spam but have a score of 5.642 which is
>>>> high
>>>> as default of more than 5 is considered spam.
>>>>
>>>> Can I know how I can reduce the score?
>>>>
>>>> spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
>>>> DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE
>>>> 0.10,
>>>> HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A
>>>> 0.20)
>>>>
>>>> Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING
>>>> 2.30....where can i get more details on what those score means? Does
>>>> mailscanner uses a different config file for controlling spamassassin?
>>>>
>>>> thanks in advance
>>>>
>>>>
>>>> thanks
>>>>
>>> Isn't this a situation for learning as ham? I am NO expert, but if you
>>> have no other method maybe turn on archiving till you get a copy of
>>> this
>>> message, then sa-learn it as ham?:
>>
>>
>> thanks
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

Since I think Julian's comment is confirmation - this is the sort of thing that using Bayesian Learning (Bayes) with spam assassin will fix. I am not well versed enough to try and explain it, so have a search through the list archives, or google, it works plenty good with mailscanner and spam assassin.

From kevins at BMRB.CO.UK Wed Mar 3 21:19:17 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
In-Reply-To: <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk>
References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk>
Message-ID: <1078348757.691.95.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 20:49, Julian Field wrote:
> It was done by a marketing company called TNS I believe. The best report on
> it I have seen is here:
> http://www.theregister.co.uk/content/55/35393.html
> It makes for alarming reading!

It certainly does. TNS are a market research (not marketing) company - this means their research is independently conducted and meets certain standards (we are also a market research company and TNS are one of our main competitors). Knowing the professional standards they are obliged to work to concerns me more because I can't dismiss this as purely scare-mongering by a major IT firm (as I might if it was a 'Messagelabs say' type article).

A colleague and I were today talking about launching some sort of 'web-wise' campaign internally to alert users to the risks they face (I'm particularly concerned about phishing - I had a really convincing scam email 'from Barclays' yesterday). This report will really help me push for permission to do this.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevin at KEVINSPICER.CO.UK Wed Mar 3 21:05:24 2004
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
In-Reply-To: <1078345366.40463e96aeb70@webmail.MUW.Edu>
References: <1078345366.40463e96aeb70@webmail.MUW.Edu>
Message-ID: <1078347924.689.77.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 20:22, Marco Obaid wrote:
> Something I thought about this morning, since the protected-zip dilemma
> ignited all over this list and that is:
>

About a month ago a colleague and I were commenting on the virus in zip files thing and speculating how long it would be before we saw password protected zips being used (based on the principle that if you can trick a user into opening a zip and running the attachment you can get them to enter a password - after all it is there to protect them, right?). We weren't being entirely serious, so we were a little surprised when it actually happened!

So the question is where next? Despite all the viruses circulating right now (or perhaps because of them) virus detection is getting better and better, more people (especially large ISPs and corporations) are implementing mail filtering. I don't think there's a lot of mileage left in the 'virus in attachment' issue - there's really only two other ways I can think of (off the top of my head).

1) Encryption (to make messages unscannable). It would be fairly easy to target PGP users by grabbing public keys and email addresses from the key servers. But most PGP users are more sophisticated users who aren't likely to fall for unsubtle social engineering tricks. Anyway there aren't (relatively speaking) very many PGP users around, so any virus targeting this method is unlikely to reach the critical mass required for a large scale outbreak. I imagine similar problems for virus writers attempting to use other encryption technologies.

2) Virus external to message. In other words social engineer the user into clicking a hyperlink in an html message. The first time I considered this I thought that it would be difficult because a website spreading a virus would probably be quickly disabled. Of course it could attempt to infect running webservers it finds and use those. But would this be enough to gain critical mass? We have already seen viruses running their own SMTP engine, I wonder how long before we see viruses with a built in HTTP server (trivial to code if you only want to return one page). We recently implemented HTTP filters and catch a few viruses every week (mostly javascript stuff), I think effective http filtering is likely to become increasingly important.

I think there may be a sudden move back towards email as a primarily text only form of communication (as companies find themselves needing to block or strip html content in emails)

My other prediction is that there will be more convergence between virus and spam traffic. Viruses spread most effectively by fooling users into thinking they are from someone they know, whereas spam is always from complete strangers. How long before the network of spam zombies starts sending spam to contacts found on the unfortunate user's hard drive, just as the virus that turned the machine into a zombie originally spread.

It concerns me that this could lead to a major breakdown in the usefulness of email as a form of communication.

Just my thoughts, anyone care to join in?...

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040303/e547b768/attachment.bin

From lists at STHOMAS.NET Wed Mar 3 21:33:08 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:58 2006
Subject: FW: Re: dealing with w32/bagle
Message-ID: <20040303133308.A899@sthomas.net>

FYI - this is from the NANOG list. It may help some with creating filters
for the bagle beasties.

----- Forwarded message from "Jeffrey I. Schiller" -----

Date: Wed, 3 Mar 2004 16:12:55 -0500
From: "Jeffrey I. Schiller"
Subject: Re: dealing with w32/bagle

Turns out that the ZIP file format that all of these beasties are
using is a little bit non-standard. Specifically they are all version
1.0 zip archives and the first (and only) component is not
compressed.

At MIT we are matching these two strings to recognize the infected ZIP
files while letting most (actually I have seen no false positives) if
not all "real" ZIP files. We are matching them anywhere within an
attachment (well, within the first 16K). However you really only need
to see if they are the beginning characters (this is a ZIP file
header).

What follows are the base64 encoded strings. I have put an asterisk
between the first and second character, so my own filters won't reject
this message, do remove that before using...

U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA <= Matches encrypted version.

-Jeff

----- End forwarded message -----

--
"A narcissist is someone better looking than you are." - Gore Vidal

From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:38:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:58 2006
Subject: Multi Threaded Perl
In-Reply-To: <40464A39.9040908@eatathome.com.au>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk> <40464A39.9040908@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040303213743.03b861f8@imap.ecs.soton.ac.uk>

At 21:12 03/03/2004, you wrote:
>Julian Field wrote:
>
>>Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
>>That can cripple Perl.
>>
>>At 05:46 03/03/2004, you wrote:
>>
>>>Hi All,
>>>
>>>We have one box which for some reason seems to have been hit really hard
>>>by the latest version of MailScanner the strange thing about this is
>>>that
>>>it's the newest and most highly specified box we have.
>>>
>>>The only difference I can see with this box is that it's running
>>>multithreaded perl 5.8.0 is there any known issues with this at all?
>>>
>>>The box itself is a dual processor PIV with 1Gig of Ram running RedHat
>>>9. We have the work dirs in tmpfs etc and have no problems with our
>>>other
>>>boxes, just this one which has gone from easily able to process 100,000
>>>messages per day down to barely processing 15,000
>>>
>>>Any ideas would be greatly appreciated.
>>>
>>>Regards,
>>>
>>>David Hooton
>>>Senior Partner
>>>Platform Hosting
>>>www.platformhosting.com
>>>
>>>
>>>Pain free spam & virus protection -
>>>Mail
>>>Security
>>>
>>>To report SPAM forward the message to:
>>>spam@mailsecurity.net.au
>>>To report incorrectly tagged messages:
>>>notspam@mailsecurity.net.au
>>>
>>>28e3cd95.jpg
>>
>>------------------------------------------------------------------------
>
>my file reads
>LANG="C"
>#LANG="en_US.UTF-8"
>SUPPORTED="en_US.UTF-8:en_US:en"
>SYSFONT="latarcyrheb-sun16"
>
>
>What should i change supported to? Just change to C?

Change the SUPPORTED to something like
SUPPORTED="en_US:en"

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pete at eatathome.com.au Wed Mar 3 21:42:08 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
In-Reply-To: <40461F57.7030805@solid-state-logic.com>
References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> <40461F57.7030805@solid-state-logic.com>
Message-ID: <40465130.7000204@eatathome.com.au>

Martin Hepworth wrote:

> John
>
> Using FreeBSD 4.8 and perl 5.8.0 from ports, not changed Perl for ages..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> John Rudd wrote:
>
>> On Mar 3, 2004, at 8:46 AM, Julian Field wrote:
>>
>>> I have been trying to reproduce the loss of speed running various
>>> different
>>> versions on the same mail messages in debug mode.
>>> Unsuccessfully :-(
>>
>>
>>
>> Didn't someone post an hour or so ago that their speed problem came
>> from redhat's perl update, and not from mailscanner's update? Once
>> they downgraded the speed problem went away? or something like that?
>>
>> (is anyone having the problem not using redhat, and if you're using
>> redhat and having the speed problem, did you update your version of
>> perl, via redhat instead of direct from perl, around the same time your
>> speed problem started?)
>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
>
>

Using RH9 and haven't updated anything. 4.24-5 was perfect on this machine, 4.26.8-1 almost no successful scans, spamassassin would time out - I upgraded to SA 2.63, clamav.67, mailwatch.51 and mailscanner 4.26.8-1 all in one go. I reduce the child process to 2 and still the same.

My i18n file looks like - am not sure if I should change anything, I had to change the LANG to a C or I couldn't compile stuff.

LANG="C"
#LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

From mikea at MIKEA.ATH.CX Wed Mar 3 21:45:35 2004
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
In-Reply-To: <40463E14.5030202@ucgbook.com>; from peter@UCGBOOK.COM on Wed, Mar 03, 2004 at 09:20:36PM +0100
References: <1078345366.40463e96aeb70@webmail.MUW.Edu> <40463E14.5030202@ucgbook.com>
Message-ID: <20040303154535.A88296@mikea.ath.cx>

On Wed, Mar 03, 2004 at 09:20:36PM +0100, Peter Bonivart wrote:

[About various worms that require explicit user interaction to spread]

> I guess the real question is, how is it possible that there still is
> users stupid enough to spread this? :-)

Where I work, a place which I'll refer to as WeBuildHighways, about 10% of the users are Registered Professional Engineers, and the rest are quite sharp in their technical specialties -- most of which have little or nothing to do with the internals of E-mail or operating systems.

I get at least one "Should I do this" note per week from my user community about deleting the "JDBGMGR.EXE virus -- the one with the panda bear as the icon". Usually it's a forward from someone else at work who has just deleted that virus because someone outside told him/her/it to do so.

It's no wonder at all to me that the social engineering in more recent worms works so well: these people are ignorant and gullible, and if (to quote a poster in another mailing list) each of them got a note with instructions to put a sharp pencil up against an eyelid and run down the hall as fast as possible, I suspect at least a few would do just that.

This quote applies, too: "I think when people get on the Internet their common sense may be weakened if not suspended." -- Charles Harwood, regional director of the Federal Trade Commission's Seattle office.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin

From cstamas at digitus.itk.ppke.hu Wed Mar 3 21:46:25 2004
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:58 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <20040301131101.A70553@mikea.ath.cx>
References: <20040301131101.A70553@mikea.ath.cx>
Message-ID: <20040303214625.GN6156@digitus>

On 03/01, mikea wrote:
> On Mon, Mar 01, 2004 at 12:50:50PM +0100, Peter Peters wrote:
> > On Mon, 1 Mar 2004 11:29:29 +0100, you wrote:
> > ....
> # This is /home/mikea/bin/FOUND.
> # Start Input Phase on 2004.60 (2004 Mar 1) at 13:08:49 local
> Worm.Bagle.A3            1 every 1.88 hours
> Worm.Bagle.E             1 every 1.01 hours
> Worm.Bagle.F             1 every 1.88 hours
> Worm.Mydoom.F            1 every 52.59 minutes
> Worm.SCO.A               1 every 13.15 hours
> Worm.SomeFool            1 every 10.11 minutes
> Worm.SomeFool.B          1 every 56.34 minutes
> Worm.SomeFool.B-petite   1 every 19.72 minutes
> Total                    1 every 4.51 minutes
>
> Now, does anyone have a pointer to translating from ClamAV's malware
> names to, say, Norton's, so I can see how our stats compare to others?

Look at this:
http://sourceforge.net/mailarchive/forum.php?forum=clamav-virusdb

--
cstamas

From mikes at HARTWELLCORP.COM Wed Mar 3 21:51:24 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com>

Julian,

I don't know if it is relevant but I tried switching from clamav to
clamavmodule and within an hour my problems had returned. I had to switch
back after running into horrible slowness issues.

Julian Field wrote:
> I have been trying to reproduce the loss of speed running various
> different versions on the same mail messages in debug mode.
> Unsuccessfully :-(
> I have used versions from 4.23 onwards. All appear to run at the same
> speed. I am using a "reasonable" configuration with 1 RBL check and
> F-Prot. The only thing is I am not running SpamAssassin, as its speed
> is very variable and so hides the real speed of the underlying
> process.
>
> If you are suffering speed problems, please can you tell me what was
> the last fast version you used, and what was the first slow version.
> Did you downgrade again to fix the problem? Was it successful, and
> what version was again nice and fast?
>
> If you run a batch through in Debug mode does it always take the same
> time regardless of what version you are running? Maybe the problem
> only surfaces when running lots of child processes?
>
> The better I can narrow down exactly when the problem occurred, the
> better chance I have of finding it. It doesn't appear to be in the
> more robust MIME code I implemented, that doesn't make any difference.
>
> Please can you help me folks?

--
Michael St. Laurent
Hartwell Corporation

From rob at thehostmasters.com Wed Mar 3 21:50:48 2004
From: rob at thehostmasters.com (Rob Charles)
Date: Thu Jan 12 21:22:58 2006
Subject: Bagle Zip format (from nanog)
References: <200403032128.i23LRxeg018538@siameserescue.net>
Message-ID: <01f401c40169$96e35050$0d01a8c0@basement>

So can someone help me out and show me how I would create this filter as to
catch a password encrypted zip file and not a regular zip file... I am not
too keen on filters... thanks....

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: "Darrell"
To:
Sent: Wednesday, March 03, 2004 4:27 PM
Subject: Bagle Zip format (from nanog)

> Just in case this isn't common knowledge already.
>
> Z
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
> Of Jeffrey I. Schiller
> Sent: Wednesday, March 03, 2004 4:13 PM
> To: Brian Wilson
> Cc: Dan Hollis; 'nanog@merit.edu'
> Subject: Re: dealing with w32/bagle
>
> Turns out that the ZIP file format that all of these beasties are
> using is a little bit non-standard. Specifically they are all version
> 1.0 zip archives and the first (and only) component is not
> compressed.
>
> At MIT we are matching these two strings to recognize the infected ZIP
> files while letting most (actually I have seen no false positives) if
> not all "real" ZIP files. We are matching them anywhere within an
> attachment (well, within the first 16K). However you really only need
> to see if they are the beginning characters (this is a ZIP file
> header).
>
> What follows are the base64 encoded strings. I have put an asterisk
> between the first and second character, so my own filters won't reject
> this message, do remove that before using...
>
> U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
> U*EsDBAoAAQAAA <= Matches encrypted version.
>
> -Jeff
>

From hermit921 at YAHOO.COM Wed Mar 3 21:46:26 2004
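
[Added example, not part of the original thread and not MIT's or MailScanner's filter code: the two base64 prefixes in the NANOG message quoted above are the start of a ZIP local file header with version-needed 1.0, the flag word (bit 0 = encrypted) and method 0 (stored). The Python below decodes the start of a base64 attachment body and checks those fields directly; the function names and the sample archives are constructed for illustration.]

```python
import base64
import binascii
import io
import struct
import zipfile

# The two prefixes from the message, with the author's asterisk removed.
PLAIN_PREFIX = "U*EsDBAoAAAAAA".replace("*", "")
ENCRYPTED_PREFIX = "U*EsDBAoAAQAAA".replace("*", "")

# ZIP local file header, 30 bytes little-endian: signature, version needed,
# flags, method, mod time, mod date, CRC-32, compressed size,
# uncompressed size, name length, extra-field length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
B64_CHARS_NEEDED = 40  # 40 base64 characters decode to exactly 30 bytes


def parse_local_header(b64_body):
    """Parse the ZIP local file header at the start of a base64 MIME body.

    Returns a dict of the fields the prefixes pin down, or None when the
    body is too short, is not valid base64, or does not start with a ZIP header.
    """
    compact = "".join(b64_body.split())[:B64_CHARS_NEEDED]  # drop line breaks
    if len(compact) < B64_CHARS_NEEDED:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != LOCAL_HEADER.size:  # padding inside the first 40 characters
        return None
    sig, version, flags, method = LOCAL_HEADER.unpack(raw)[:4]
    if sig != b"PK\x03\x04":
        return None
    return {"version_needed": version, "encrypted": bool(flags & 1), "method": method}


def classify(b64_body):
    """Label an attachment body using the header fields described in the message."""
    header = parse_local_header(b64_body)
    if header is None:
        return "not-zip"
    if header["version_needed"] == 10 and header["method"] == 0:
        return "v1.0-stored-encrypted" if header["encrypted"] else "v1.0-stored-plain"
    return "other-zip"


def prefix_match(b64_body):
    """The plain string test from the message, anchored at the start of the body."""
    compact = "".join(b64_body.split())
    return compact.startswith((PLAIN_PREFIX, ENCRYPTED_PREFIX))


def constructed_header(version, flags, method, name=b"a.txt"):
    """Constructed sample: a bare local header plus file name, no payload."""
    return LOCAL_HEADER.pack(b"PK\x03\x04", version, flags, method,
                             0, 0, 0, 0, 0, len(name), 0) + name


def ordinary_zip():
    """Constructed sample: a normal deflated archive (version needed 2.0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "hello " * 50)
    return buf.getvalue()


def mime_b64(data):
    """Base64 with line breaks, as it appears inside a MIME part."""
    return base64.encodebytes(data).decode("ascii")


if __name__ == "__main__":
    samples = {
        "v1.0 stored": mime_b64(constructed_header(10, 0, 0)),
        "v1.0 stored, encrypted": mime_b64(constructed_header(10, 1, 0)),
        "ordinary deflated zip": mime_b64(ordinary_zip()),
        "plain text": "This is not an archive at all, just some text in the body.",
    }
    for label, body in samples.items():
        print(f"{label:24} {classify(body):24} prefix_match={prefix_match(body)}")
```

[The field check and the prefix test agree on these samples. Any archive written as version 1.0 with a stored first member matches either test, so this flags a format, not a specific virus.]
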
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
In-Reply-To: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net>
References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net>
Message-ID: <6.0.0.22.2.20040303133616.01c05b78@pop.mail.yahoo.com>

At 01:15 PM 3/3/2004, Mike McMullen wrote:
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Wednesday, March 03, 2004 12:49 PM
>Subject: Re: Food for thought
>
>
> > At 20:30 03/03/2004, you wrote:
> > >On 3/3/04 2:20 PM, "Peter Bonivart" wrote:
> > > > I guess the real question is, how is it possible that there still is
> > > > users stupid enough to spread this? :-)
> > >
> > >I read something the other day that was a study of users and how they
> felt;
> > >
> > >A. The Help Desk should be handling this.
> > >
> > >B. They don't have time to make sure it's not a virus and should be
> able to
> > >open mail as they please (refer to A.) Or bother with updates. (Gotta
> EBay!!)
> > >
> > >C. Nothing they can do about it so what's the fuss.
> > >
> > >Many more but those seemed to stand out to me. This was a Novel Study I
> > >think done in the UK.
> >
> > It was done by a marketing company called TNS I believe. The best report on
> > it I have seen is here:
> > http://www.theregister.co.uk/content/55/35393.html
> > It makes for alarming reading!
> >
> > Believe me, the users really are that stupid. They don't care.
> >
> > Maybe responsible computer use needs to take the same path that Health and
> > Safety has taken. People used to ignore that because they were "too busy"
> > or other such lame excuses. Now they don't have an option, and can be
> > disciplined/sued if they breach H+S legislation.
> >
> > These lame excuses cost real businesses real money, and I think it is up to
> > the businesses to start enforcing their rules, just like they do now with
> > H+S rules and policies. I would certainly back company policies governing
> > computer use, as long as they were enforced.
> > --
>
>What it comes down to is nobody wants to take responsibility for themselves or
>their actions anymore. One reason why courts are full of frivolous lawsuits.
>
>Personally at an emotional level I feel that this whole password protected
>zip viri thing is the equivalent of FedEX delivering a package containing
>bullets and a gun with instructions to place bullet in gun, point barrel to
>head, and pull trigger. Repeat if necessary.
>
>Somehow FedEx would be sued for wrongful death.
>
>Opening up a password protected zip file with the password in the same email
>whether it is a known email address or not is the height of stupidity.
>Especially if the email body is as funky as the ones I've seen for Bagle.
>
>Mike

More like a grenade wrapped in plain brown paper with the pin sticking out. You can't see it is a grenade, but you can still pull the pin. Grenades tend to have more collateral damage than guns.

hermit921

From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:56:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040303215601.03b58360@imap.ecs.soton.ac.uk>

What does your /etc/sysconfig/i18n file contain?

At 21:51 03/03/2004, you wrote:
>Julian,
>
>I don't know if it is relevant but I tried switching from clamav to
>clamavmodule and within an hour my problems had returned. I had to switch
>back after running into horrible slowness issues.
>
>Julian Field wrote:
> > I have been trying to reproduce the loss of speed running various
> > different versions on the same mail messages in debug mode.
> > Unsuccessfully :-(
> > I have used versions from 4.23 onwards. All appear to run at the same
> > speed. I am using a "reasonable" configuration with 1 RBL check and
> > F-Prot. The only thing is I am not running SpamAssassin, as its speed
> > is very variable and so hides the real speed of the underlying
> > process.
> >
> > If you are suffering speed problems, please can you tell me what was
> > the last fast version you used, and what was the first slow version.
> > Did you downgrade again to fix the problem? Was it successful, and
> > what version was again nice and fast?
> >
> > If you run a batch through in Debug mode does it always take the same
> > time regardless of what version you are running? Maybe the problem
> > only surfaces when running lots of child processes?
> >
> > The better I can narrow down exactly when the problem occurred, the
> > better chance I have of finding it. It doesn't appear to be in the
> > more robust MIME code I implemented, that doesn't make any difference.
> >
> > Please can you help me folks?
> >
>
>--
>Michael St. Laurent
>Hartwell Corporation

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lindsay at pa.net Wed Mar 3 22:10:20 2004
From: lindsay at PA.NET (Lindsay Snider) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: References: Message-ID: <404657CC.9000802@pa.net> amavisd was patched to fix all of this mess by making the original email available in the 'parts' directory. If mailscanner dropped the original email in to be scanned, the virus scanner may be able to do the hard work. -lindsay Desai, Jason wrote: > Hello. > > I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and > ClamAV. I have had some of the latest Bagle viruses in password protected > zip files get through. I know that various virus scanners are having > trouble detecting these. I had one of these emails get quarantined because > the attachment name was Message.zip. When testing to see if the virus would > get caught yet I found something interesting with ClamAV. > > If I scan the attachment itself (Message.zip) clam reports it as clean. But > if I scan the queue files (from Exim) clam finds the virus! Here is the > output of a scan with the queue files and attachment in the same directory: > > # /opt/MailScanner/lib/clamav-wrapper . > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- > 00-H: OK > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- > 00-D: Worm.Bagle.F-zippwd-3 FOUND > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: > OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 20372 > Scanned directories: 1 > Scanned files: 3 > Infected files: 1 > Data scanned: 0.03 Mb > I/O buffer size: 131072 bytes > Time: 0.325 sec (0 m 0 s) > # > > So I assume that MailScanner unpacks the attachment and just scans that. > Does it make sense to allow the virus scanners to scan the queue files as > well? > > Jason From kevins at BMRB.CO.UK Wed Mar 3 22:14:29 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <404657CC.9000802@pa.net> References: <404657CC.9000802@pa.net> Message-ID: <1078352069.690.118.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: > amavisd was patched to fix all of this mess by making the original email > available in the 'parts' directory. If mailscanner dropped the original > email in to be scanned, the virus scanner may be able to do the hard work. > -lindsay > On the other hand the virus scanner will attempt to unpack the parts too. I use three virus scanners so that means the original email would get unpacked 4 times. We're already unzipping things 4 times now! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Mar 3 21:32:59 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:58 2006
Subject: {Blocked Attachment} A virus got through my server after 3 years?!!?
In-Reply-To: <005801c40163$10cbd380$0d01a8c0@basement>
References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com> <005801c40163$10cbd380$0d01a8c0@basement>
Message-ID: <1078349579.691.98.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 21:04, Rob Charles wrote:
> Warning: Alert from BMRB Systems
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
>

Didn't get through mine!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Wed Mar 3 22:14:55 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <404657CC.9000802@pa.net> References: <404657CC.9000802@pa.net> Message-ID: <6.0.1.1.2.20040303221408.03943488@imap.ecs.soton.ac.uk> At 22:10 03/03/2004, you wrote: >amavisd was patched to fix all of this mess by making the original email >available in the 'parts' directory. If mailscanner dropped the original >email in to be scanned, the virus scanner may be able to do the hard work. I could have done this too. But it relies on the AV companies to be up to date, which is a problem at the moment. I feel more lines of defence are needed. And as they should already know if they have done their research, they would have discovered that this only works for some of the commercial virus scanners. My method works for all of them. For example Sophos cannot find them until they are opened on the desktop. Their web pages openly admit it. A lot of MailScanner users have Sophos as their main (or lone) scanner, I have to come up with a solution that works for all of them, not just the ones using particular scanners. >-lindsay > >Desai, Jason wrote: >>Hello. >>I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and >>ClamAV. I have had some of the latest Bagle viruses in password protected >>zip files get through. I know that various virus scanners are having >>trouble detecting these. I had one of these emails get quarantined because >>the attachment name was Message.zip. When testing to see if the virus would >>get caught yet I found something interesting with ClamAV. >>If I scan the attachment itself (Message.zip) clam reports it as clean. But >>if I scan the queue files (from Exim) clam finds the virus! Here is the >>output of a scan with the queue files and attachment in the same directory: >># /opt/MailScanner/lib/clamav-wrapper . 
>>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- >>00-H: OK >>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- >>00-D: Worm.Bagle.F-zippwd-3 FOUND >>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: >>OK >>----------- SCAN SUMMARY ----------- >>Known viruses: 20372 >>Scanned directories: 1 >>Scanned files: 3 >>Infected files: 1 >>Data scanned: 0.03 Mb >>I/O buffer size: 131072 bytes >>Time: 0.325 sec (0 m 0 s) >># >>So I assume that MailScanner unpacks the attachment and just scans that. >>Does it make sense to allow the virus scanners to scan the queue files as >>well? >>Jason -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From vosburgh at DALSEMI.COM Wed Mar 3 22:22:53 2004 
From: vosburgh at DALSEMI.COM (David Vosburgh)
Date: Thu Jan 12 21:22:58 2006
Subject: bagle SpamAssassin rule [SCANNED]
References:
Message-ID: <40465ABD.9050209@dalsemi.com>

Dave's List Addy wrote:

>On 3/3/04 9:31 AM, "Dustin Baer" wrote:
>
>>For those of you who want to try to catch these with SpamAssassin, I
>>think the following should work:
>>
>>body BAGLE_PASSWORD /password.*[0-9]{4,}/i
>>describe BAGLE_PASSWORD Password.*numbers
>>score BAGLE_PASSWORD 6.5
>>
>>If anyone has a better suggestion, let us know!
>
>Has anyone found this to work? We can't upgrade as of yet to the latest MS
>since we did an apt-get install :( Will know better next time :)
>

I tried it briefly but was getting more false positives than legitimate
hits. The problem seemed to be primarily caused by phone numbers
(specifically, the last four digits) included in the sender's signature
coming after "password". That ".*" is pretty aggressive ;-).

>--
>Thanks!!
>David Thurman
>List Only at Web Presence Group Net

--
Dave Vosburgh

From mikes at HARTWELLCORP.COM Wed Mar 3 22:31:19 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D20@hart-exchange.hartwellcorp.com>

Urmmmm... at the moment it contains

LANG="en_US"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"

After I made the recommended change earlier today. Unfortunately, I don't remember if I made that change before or after. If it will help troubleshoot I'll try switching back to clamavmodule again.

Julian Field wrote:
> What does your /etc/sysconfig/i18n file contain?
>
> At 21:51 03/03/2004, you wrote:
>> Julian,
>>
>> I don't know if it is relevant but I tried switching from clamav to
>> clamavmodule and within an hour my problems had returned. I had to
>> switch back after running into horrible slowness issues.

--
Michael St. Laurent
Hartwell Corporation

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 22:30:25 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:58 2006
Subject: bagle SpamAssassin rule [SCANNED]
In-Reply-To: <40465ABD.9050209@dalsemi.com>
References: <40465ABD.9050209@dalsemi.com>
Message-ID: <1078353024.13811.379.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/03/2004 at 17:22, David Vosburgh wrote:
> Dave's List Addy wrote:
>
> >On 3/3/04 9:31 AM, "Dustin Baer" wrote:
> >
> >>For those of you who want to try to catch these with SpamAssassin, I
> >>think the following should work:
> >>
> >>body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> >>describe BAGLE_PASSWORD Password.*numbers
> >>score BAGLE_PASSWORD 6.5
> >>
> >>If anyone has a better suggestion, let us know!
> >
> >Has anyone found this to work? We can't upgrade as of yet to the latest MS
> >since we did an apt-get install :( Will know better next time :)
> >
> I tried it briefly but was getting more false positives than legitimate
> hits. The problem seemed to be primarily caused by phone numbers
> (specifically, the last four digits) included in the sender's signature
> coming after "password". That ".*" is pretty aggressive ;-).

Agreed. That's why I have the following:

describe UDES_VIRUS01 Bagle virus
full UDES_VIRUS01 /^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}/i
score UDES_VIRUS01 100

describe UDES_VIRUS02 Bagle virus
full UDES_VIRUS02 /^Attached\s+file.*protected\s+with.* Password\s+is\s+\d{5}\./i
score UDES_VIRUS02 100

describe UDES_VIRUS03 Bagle virus
full UDES_VIRUS03 /^For\s+security\s+purposes.*password\s+protected\.\s+Password\s+is\s+\"\d{5}\"\./i
score UDES_VIRUS03 100

describe UDES_VIRUS04 Bagle virus
full UDES_VIRUS04 /^In\s+order\s+to\s+read.*following\s+password:\s+\d{5}\./i
score UDES_VIRUS04 100

describe UDES_VIRUS05 Bagle virus
full UDES_VIRUS05 /^\d{5}\s+--\s+archive\s+password/i
score UDES_VIRUS05 100

describe UDES_VIRUS06 Bagle virus
full UDES_VIRUS06 /^\.\.btw,\s+\"\d{5}\"\s+is\s+a\s+password\s+for\s+archive/i
score UDES_VIRUS06 100

I've created them from the messages I received and quarantined. So far, my SA rules didn't register anything 8-)

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From lindsay at PA.NET Wed Mar 3 22:32:54 2004
From: lindsay at PA.NET (Lindsay Snider) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <1078352069.690.118.camel@bach.kevinspicer.co.uk> References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> Message-ID: <40465D16.6030506@pa.net> Kevin Spicer wrote: > On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: > >>amavisd was patched to fix all of this mess by making the original email >>available in the 'parts' directory. If mailscanner dropped the original >>email in to be scanned, the virus scanner may be able to do the hard work. >>-lindsay >> > > On the other hand the virus scanner will attempt to unpack the parts > too. I use three virus scanners so that means the original email would > get unpacked 4 times. If some virus scanners can see viruses by seeing the message as a whole rather then in parts, it would be nice to come up with something to let them try. Maybe it could be an option setting in MailScanner.conf to include or not include the original message when virus scanning. > > We're already unzipping things 4 times now! Do you happen to use /dev/shm? If not, it may make the email explosions less painful. -lindsay > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. From Matthew.Day at BUCKINGHAM.AC.UK Wed Mar 3 22:43:25 2004 
From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day)
Date: Thu Jan 12 21:22:59 2006
Subject: bagle SpamAssassin rule [SCANNED]
Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D57BCA@GILA>

Dustin Baer wrote:
> It works for me. I had to increase the score, since BAYES_00 was
> basically erasing the 6.5 I gave it.

David Vosburgh wrote:
>I tried it briefly but was getting more false positives than legitimate
>hits. The problem seemed to be primarily caused by phone numbers
>(specifically, the last four digits) included in the sender's signature
>coming after "password". That ".*" is pretty aggressive ;-).

Taking these on board, the following seems to be working for us:

body BAGLE_PASSWORD /pass.{0,15}[0-9]{4,}/i
describe BAGLE_PASSWORD Looks like Bagle virus
score BAGLE_PASSWORD 11

Matthew Day
University of Buckingham

From mailscanner at ecs.soton.ac.uk Wed Mar 3 22:50:30 2004
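The three generations of Bagle password rules posted in this thread, run side by side over constructed message bodies. This is an added example, not code from any poster or from SpamAssassin. It assumes every pattern is applied per blank-line-separated paragraph with whitespace collapsed, which simplifies how SpamAssassin feeds body and full rules; the sample texts and labels are constructed.

```python
import re

# Patterns copied from the thread; Perl /.../i becomes re.IGNORECASE.
RULESETS = {
    "loose": [r'password.*[0-9]{4,}'],      # first BAGLE_PASSWORD rule
    "bounded": [r'pass.{0,15}[0-9]{4,}'],   # later BAGLE_PASSWORD rule
    "anchored": [                           # UDES_VIRUS01 .. UDES_VIRUS06
        r'^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}',
        r'^Attached\s+file.*protected\s+with.* Password\s+is\s+\d{5}\.',
        r'^For\s+security\s+purposes.*password\s+protected\.'
        r'\s+Password\s+is\s+\"\d{5}\"\.',
        r'^In\s+order\s+to\s+read.*following\s+password:\s+\d{5}\.',
        r'^\d{5}\s+--\s+archive\s+password',
        r'^\.\.btw,\s+\"\d{5}\"\s+is\s+a\s+password\s+for\s+archive',
    ],
}

# Constructed bodies (not real traffic). True marks text shaped like the
# password lines the anchored rules describe; False marks ordinary mail.
SAMPLES = {
    "worm_colon": (True, 'Dear user,\n\nPassword: 48213\n\nSee the attachment.'),
    "worm_attached": (True, 'Attached file is protected with the password '
                            'for security reasons. Password is 15904.'),
    "worm_security": (True, 'Hello,\n\nFor security purposes the attached file '
                            'is password protected. Password is "70419".'),
    "worm_in_order": (True, 'In order to read the attach you have to use the '
                            'following password: 33907.'),
    "worm_digits_first": (True, 'Hi,\n\n61522 -- archive password\n\nBye'),
    "worm_btw": (True, '..btw, "90217" is a password for archive'),
    "ham_signature_phone": (False, 'Your password has been reset, please log in '
                                   'and change it.\nRegards, Pat (helpdesk) '
                                   'tel 555-0142'),
    "ham_door_passcode": (False, 'Reminder: the new door passcode is 4471 '
                                 'from Monday.'),
    "ham_plain": (False, 'Lunch on Friday at 12? No passwords involved.'),
}


def paragraphs(body):
    """Split on blank lines and collapse whitespace inside each paragraph."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", body) if p.strip()]


def fires(patterns, body):
    """True if any pattern matches any paragraph of the body."""
    return any(re.search(pattern, para, re.IGNORECASE)
               for para in paragraphs(body)
               for pattern in patterns)


def evaluate():
    """Return, per rule set, which samples were caught, missed or wrongly hit."""
    report = {}
    for name, patterns in RULESETS.items():
        caught, missed, false_positives = [], [], []
        for label, (is_worm, body) in SAMPLES.items():
            hit = fires(patterns, body)
            if is_worm:
                (caught if hit else missed).append(label)
            elif hit:
                false_positives.append(label)
        report[name] = {"caught": caught, "missed": missed,
                        "false_positives": false_positives}
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name)
        for key, labels in result.items():
            print("  %-16s %s" % (key, ", ".join(labels) or "-"))
```

On these samples both BAGLE_PASSWORD variants miss the wordings where the digits come before the word "password", and each flags one harmless message; the anchored set flags none of the ordinary mail.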
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:59 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <40465D16.6030506@pa.net> References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> <40465D16.6030506@pa.net> Message-ID: <6.0.1.1.2.20040303224850.03a09bc0@imap.ecs.soton.ac.uk> At 22:32 03/03/2004, you wrote: >Kevin Spicer wrote: >>On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: >> >>>amavisd was patched to fix all of this mess by making the original email >>>available in the 'parts' directory. If mailscanner dropped the original >>>email in to be scanned, the virus scanner may be able to do the hard work. >>>-lindsay >> >>On the other hand the virus scanner will attempt to unpack the parts >>too. I use three virus scanners so that means the original email would >>get unpacked 4 times. > > >If some virus scanners can see viruses by seeing the message as a whole >rather then in parts, it would be nice to come up with something to let >them try. Maybe it could be an option setting in MailScanner.conf to >include or not include the original message when virus scanning. That will involve yet more I/O, but I'll definitely consider it. >>We're already unzipping things 4 times now! > >Do you happen to use /dev/shm? If not, it may make the email explosions >less painful. Most people already use tmpfs or BSD softupdates. Using /dev/shm itself is not necessary, it's tmpfs you are trying to get. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From marco at MUW.EDU Wed Mar 3 22:37:46 2004 
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:22:59 2006
Subject: Food for thought
In-Reply-To: <404646EC.1000001@ucgbook.com>
References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com>
Message-ID: <1078353466.40465e3aaeb73@webmail.MUW.Edu>

I agree to some extent that the key to defeating virus-writers lies within the hands of our users. However, some of the techniques used can trick even the most technically savvy of us. For example, my boss got his computer infected with spyware from one site that he visited. The site displayed an ad that looked just like a Windows message (I had to really stare at it for a while).

Users do not breathe and eat this stuff like we do. If they knew what we know, they would certainly be a bit more cautious. We all make mistakes, but it seems that computer mistakes nowadays are very costly. Therefore, I do *not* trust users and I want to have defenses in place because users will make mistakes and will open an attachment that they shouldn't.

Kevin Spicer pointed out great points on some predictions of future viruses. I think it is wise to consider such scenarios and prepare for them rather than upgrade MailScanner, go about our business, and wait till another crisis occurs. I am considering Kevin's approach to Web filtering. Spyware *is* emerging to be one of the major threats. Who knows, maybe one day MailScanner will evolve to become a filter for not only SMTP traffic but also for HTTP traffic.

Marco

From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 23:00:18 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy)
Date: Thu Jan 12 21:22:59 2006
Subject: Food for thought [SCANNED]
In-Reply-To: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net>
Message-ID:

On 3/3/04 3:15 PM, "Mike McMullen" wrote:

> Somehow FedEx would be sued for wrongful death.

Sadly you are right. Even if the news and police told people about the "Bad" FedEX package, someone in the juror system would side with the fool. Ack! I watch way too much Law & Order :)

--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From kevins at BMRB.CO.UK Wed Mar 3 23:01:52 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:59 2006
Subject: ClamAV and Password Protected Bagles
In-Reply-To: <40465D16.6030506@pa.net>
References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> <40465D16.6030506@pa.net>
Message-ID: <1078354913.690.123.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 22:32, Lindsay Snider wrote:
> >
> > We're already unzipping things 4 times now!
>
> Do you happen to use /dev/shm? If not, it may make the email explosions
> less painful.

Yes, if you mean tmpfs. It's as much the CPU and the I/O I'm worried about since unzipping requires a fair bit of both. My machine is reaching its safe limit (copes okay day to day but got a bit behind with the first MyDoom explosion). I need to spend some time giving it a little TLC, tweak the kernel - that sort of thing.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From pete at eatathome.com.au Wed Mar 3 23:07:35 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:59 2006
Subject: DOS attacked :(
Message-ID: <40466537.5020603@eatathome.com.au>

What should I do to rectify or prevent this? Nothing, leave it to MS?

Load average is stuck on 7 and almost nothing is working on this machine, even ssh commands have a 10sec delay.

Will deleting the offending email be the entire solution?

Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from adl0133.systems.sa.gov.au[143.216.236.20]
Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=, relay=none, delay=0, status=deferred (deferred transport)
Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for clamav
Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need updating
Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: Host not found
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still being delivered
Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 15 of 20

From steve.swaney at FSL.COM Wed Mar 3 23:39:21 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:22:59 2006
Subject: DOS attacked :(
In-Reply-To: <40466537.5020603@eatathome.com.au>
Message-ID: <20040303233922.24C6B21C29A@mail.fsl.com>

I'm top posting so this won't get lost. This was written by one of our clients to handle a really severe Joe-job. His name shall be revealed if he lets me, but I don't know if he wants the credit for breaking RFC 1123 (this certainly does). This deletes any incoming email that has a return address of "<>".

BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the left hand side from the right hand side rules and comments. They have been lost in the email transmission. You'll know if you've missed a tab because sendmail will croak when you try and start it.

I can't verify that this works but he insisted it saved his axx. He was so upset by the attack he stayed up for 30 hours straight and learned to write sendmail.cf files from scratch. No small feat.

Possibly some sendmail guru who's not battling the bagel will be kind enough to put the hack into a sendmail.mc format.

------------------ snip -----------------------------
######################################################################
######################################################################
#####
##### REWRITING RULES
#####
######################################################################
######################################################################
#Added by XXX to handle joe job on 020404

HSubject: $>Check_Subject1
D{MPat}Returned
SCheck_Subject1
R${MPat} $* $#discard


######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1

SBasic_check_mail
# check for deferred delivery mode
R$* $: < $&{deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

# authenticated?
R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+ $#$2
R$* $| $* $: $1

#modified by XXX to handle joe job on 020404 Note: org line above
#R<> $@ we MUST accept <> (RFC 1123)
R<> $@ $#discard we MUST accept <> (RFC 1123)
R$+ $: $1
R<$+> $: <@> <$1>
R$+ $: <@> <$1>
R$* $: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* > $: < $3 >
R$* $| $* $: $2
# handle case of @localhost on address
------------------ snip -----------------------------

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Pete > Sent: Wednesday, March 03, 2004 6:08 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: DOS attacked :( > > What should i do to rectify or prevent this? Nothing leave it to MS? > > Load avergae is stuck on 7 and almost nothing is wworking on this > machine, even ssh commands have a 10sec delay. > > Will deleting the offending email be the entire solution? > > > Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, > size=3477, nrcpt=1 (queue active) > Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from > adl0133.systems.sa.gov.au[143.216.236.20] > Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: > to=, relay=none, delay=0, status=deferred > (deferred transport) > Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed > Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for > clamav > Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 12 of 20 > Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner > clamavmodule timed out! > Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner > clamavmodule timed out! > Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of > Service attack is in message A086133CDD > Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need > updating > Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of > Service attack detected! 
> Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 13 of 20 > Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: > hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: > Host not found > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still > being delivered > Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 14 of 20 > Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 15 of 20 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From pete at eatathome.com.au Thu Mar 4 00:05:21 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:59 2006 Subject: DOS attacked :( In-Reply-To: <20040303233922.24C6B21C29A@mail.fsl.com> References: <20040303233922.24C6B21C29A@mail.fsl.com> Message-ID: <404672C1.4010508@eatathome.com.au> Stephen Swaney wrote: >I'm top posting so this won't get lost. This was written by one of our >clients to handle a really severe Joe-job. His name shall be revealed if he >let's me, but I don't know if he wants the credit for breaking RFC 1123 >(this certainly does). This deletes any incoming email that has a return >address of "<>". > >BE CAREFUL WITH THE TABS. Don't cut 'n paste this tabs must separate the >Left hand side from the right hand side rules and comments. The have been >lost in the email transmission. You' know if you've missed a tab because >sendmail will croak when you try and start it. > >I can't verify that this works but he insisted it saved his axx. He was so >upset by the attack he stayed up for 30 hours straight and learned to write >sendmail.cf files from scratch. No Small feat. > >Possible some sendmail guru whose not battling the bagel will be kind enough >to put the hack into a sendmail.mc format. 
>
>------------------ snip -----------------------------
>######################################################################
>######################################################################
>#####
>##### REWRITING RULES
>#####
>######################################################################
>######################################################################
>#Added by XXX to handle joe job on 020404
>
>HSubject: $>Check_Subject1
>D{MPat}Returned
>SCheck_Subject1
>R${MPat} $* $#discard
>
>
>######################################################################
>### check_mail -- check SMTP `MAIL FROM:' command argument
>######################################################################
>
>SLocal_check_mail
>Scheck_mail
>R$* $: $1 $| $>"Local_check_mail" $1
>R$* $| $#$* $#$2
>R$* $| $* $@ $>"Basic_check_mail" $1
>
>SBasic_check_mail
># check for deferred delivery mode
>R$* $: < $&{deliveryMode} > $1
>R< d > $* $@ deferred
>R< $* > $* $: $2
>
># authenticated?
>R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
>R$* $| $#$+ $#$2
>R$* $| $* $: $1
>
>#modified by XXX to handle joe job on 020404 Note: org line above
>#R<> $@ we MUST accept <> (RFC 1123)
>R<> $@ $#discard we MUST accept <> (RFC 1123)
>R$+ $: $1
>R<$+> $: <@> <$1>
>R$+ $: <@> <$1>
>R$* $: $&{daemon_flags} $| $1
>R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
>R$* u $* $| <@> < $* > $: < $3 >
>R$* $| $* $: $2
># handle case of @localhost on address
>------------------ snip -----------------------------
>
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney@FSL.com
>
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 6:08 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: DOS attacked :(
>>
>>What should I do to rectify or prevent this? Nothing, leave it to MS?
>>
>>Load average is stuck on 7 and almost nothing is working on this
>>machine, even ssh commands have a 10sec delay.
>>
>>Will deleting the offending email be the entire solution?
>>
>>
>>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>,
>>size=3477, nrcpt=1 (queue active)
>>Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from
>>adl0133.systems.sa.gov.au[143.216.236.20]
>>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27:
>>to=, relay=none, delay=0, status=deferred
>>(deferred transport)
>>Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
>>Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for
>>clamav
>>Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 12 of 20
>>Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner
>>clamavmodule timed out!
>>Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner
>>clamavmodule timed out!
>>Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of
>>Service attack is in message A086133CDD
>>Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need
>>updating
>>Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of
>>Service attack detected!
>>Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 13 of 20
>>Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
>>hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
>>Host not found
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
>>being delivered
>>Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 14 of 20
>>Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 15 of 20
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>
>>Fortress Systems Ltd.
>>www.fsl.com
>>
>>
>>
>
>
>
>--
>This message has been scanned for viruses and
>dangerous content by Fortress Secure Mail Gateway
>and was found to be clean.
>
>Fortress Systems Ltd. - http://www.fsl.com
>
>
>
>
>
>

Sorry, I wasn't clear enough - this is a postfix 2.016 - working perfectly until this morning, even after upgrade yesterday and added DCC and pyzor, although pyzor never worked and I didn't get a chance to look at it yet.

I have tried changing the accelerated scanning mode to 40 (I assume this means when the queue is 40+ deep it will accelerate the scanning mode?)

Can someone tell me how to use postfix to display the amount of messages in the queue from command line, or any other useful postfix commands? I did mailq -v but this displays nothing.

The latest change I made was to clamavmodule from regular clamav, tried changing it back but no luck.

Attached is my debug, nothing seems really obviously broken?

Attached also is a log sample, complete, from immediately after a service MailScanner restart.

It's getting worse and all I see is 100+ messages in the queue, changed the batch mode to only do 10 at once but still all I get in the maillog is

Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was killed, consecutive failure 8 of 20

Thanks in advance for ANY help I can get on this, it's a big problem and it's getting worse by the minute :(

-------------- next part --------------
debug: running in taint mode? no debug: ignore: test message to precompile patterns and load modules debug: using "/usr/share/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file debug: Score set 1 chosen. debug: Initialising learner debug: is Net::DNS::Resolver available? yes debug: trying (3) microsoft.com... debug: looking up MX for 'microsoft.com' debug: MX for 'microsoft.com' exists? 1 debug: MX lookup of microsoft.com succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 
1 debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=1.27 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=1.27 debug: running uri tests; score so far=1.27 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=1.27 debug: Razor2 is not available debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin debug: executable for pyzor was found at /usr/bin/pyzor debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=35931 Fuz1=235142 Fuz2=235801 debug: leaving helper-app run mode debug: all '*To' addrs: debug: RBL: success for 1 of 1 queries debug: running meta tests; score so far=1.27 debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME debug: received-header: parsed as [ ip=203.55.179.230 rdns=chedns02.simplot.com.au helo=chedns.simnetad.simplot.com.au by=mail01.mteliza.com.au ident= ] debug: received-header: 'from' 203.55.179.230 is near to first 'by' debug: received-header: relay 203.55.179.230 trusted? yes debug: is Net::DNS::Resolver available? 
yes debug: all '*From' addrs: rohan.hughes@simplot.com.au debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0.285 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.286 debug: running uri tests; score so far=0.286 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.286 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1 debug: leaving helper-app run mode debug: all '*To' addrs: KKaddatz@mteliza.com.au debug: DNS MX records found: 2 debug: RBL: success for 1 of 1 queries debug: running meta tests; score so far=0.286 debug: is spam? score=0.286 required=5 tests=HTML_MESSAGE,NO_REAL_NAME debug: received-header: parsed as [ ip=138.217.224.22 rdns=CPE-138-217-224-22.wa.bigpond.net.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 138.217.224.22 trusted? no debug: is Net::DNS::Resolver available? 
yes debug: all '*From' addrs: ben.martin@wanews.com.au debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0.285 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.285 debug: running uri tests; score so far=0.285 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.285 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 debug: leaving helper-app run mode debug: all '*To' addrs: emp@mteliza.com.au debug: DNS MX records found: 2 debug: forged-HELO: from=bigpond.net.au helo=mteliza.com.au by=mteliza.com.au debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'bigpond.net.au' debug: RBL: success for 9 of 9 queries debug: running meta tests; score so far=6.241 debug: is spam? score=6.241 required=5 tests=MSGID_FROM_MTA_SHORT,NO_REAL_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS debug: received-header: parsed as [ ip=144.136.10.124 rdns=CPE-144-136-10-124.vic.bigpond.net.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 144.136.10.124 trusted? no debug: is Net::DNS::Resolver available? 
yes debug: all '*From' addrs: sales@rarreg.com debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0.285 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.285 debug: running uri tests; score so far=0.285 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.285 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=13 Fuz2=217 debug: leaving helper-app run mode debug: all '*To' addrs: jjennings@mteliza.com.au debug: DNS MX records found: 1 debug: forged-HELO: from=bigpond.net.au helo=mteliza.com.au by=mteliza.com.au debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'bigpond.net.au' debug: RBL: success for 9 of 9 queries debug: running meta tests; score so far=6.241 debug: is spam? score=8.225 required=5 tests=MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS debug: received-header: parsed as [ ip=210.86.15.147 rdns=mta204-rme.xtra.co.nz helo=mta204-rme.xtra.co.nz by=mail01.mteliza.com.au ident= ] debug: received-header: parsed as [ ip=210.86.15.141 rdns=mta1-rme.xtra.co.nz helo= by=mta204-rme.xtra.co.nz ident= ] debug: received-header: parsed as [ ip=219.89.124.118 rdns=worthyxp05 helo= by=mta1-rme.xtra.co.nz ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 210.86.15.147 trusted? 
no debug: received-header: relay 210.86.15.141 trusted? no debug: received-header: relay 219.89.124.118 trusted? no debug: is Net::DNS::Resolver available? yes debug: all '*From' addrs: worthynz@xtra.co.nz debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.7 debug: running uri tests; score so far=0.7 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.7 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=3 Fuz1=3 Fuz2=3 debug: leaving helper-app run mode debug: all '*To' addrs: JScott@mteliza.com.au debug: DNS MX records found: 1 debug: forged-HELO: from=xtra.co.nz helo=xtra.co.nz by=mteliza.com.au debug: forged-HELO: from=xtra.co.nz helo= by=xtra.co.nz debug: forged-HELO: from=worthyxp05 helo= by=xtra.co.nz debug: RBL: success for 25 of 25 queries debug: running meta tests; score so far=0.7 debug: is spam? score=0.961 required=5 tests=HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,HTML_TAG_EXISTS_TBODY,LINES_OF_YELLING,LINES_OF_YELLING_2,UPPERCASE_25_50 debug: received-header: parsed as [ ip=210.193.192.21 rdns=mail.archergroup.com.au helo=melex01.archergroup.com.au by=mail01.mteliza.com.au ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 210.193.192.21 trusted? 
no debug: is Net::DNS::Resolver available? yes debug: all '*From' addrs: mmorgan@archergroup.com.au debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.171 debug: running uri tests; score so far=0.171 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.171 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1 debug: leaving helper-app run mode debug: all '*To' addrs: gcocks@mteliza.com.au debug: DNS MX records found: 2 debug: forged-HELO: from=archergroup.com.au helo=archergroup.com.au by=mteliza.com.au debug: RBL: success for 9 of 9 queries debug: running meta tests; score so far=0.171 debug: is spam? score=0.171 required=5 tests=EXCUSE_16 debug: is Net::DNS::Resolver available? yes debug: looking up PTR record for '209.182.98.114' debug: PTR for '209.182.98.114': 'la-209-182-98-114' debug: received-header: parsed as [ ip=209.182.98.114 rdns=la-209-182-98-114 helo=mail.symlog.com by=mail01.mteliza.com.au ident= ] debug: received-header: parsed as [ ip=24.94.11.195 rdns=bob helo= by=mail.symlog.com ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 209.182.98.114 trusted? no debug: received-header: relay 24.94.11.195 trusted? 
no debug: all '*From' addrs: bob@symlog.com debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.575 debug: running uri tests; score so far=0.575 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.575 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1 debug: leaving helper-app run mode debug: all '*To' addrs: KMorley@mteliza.com.au CSykes@mteliza.com.au debug: DNS MX records found: 1 debug: forged-HELO: from=la-209-182-98-114 helo=symlog.com by=mteliza.com.au debug: forged-HELO: from=bob helo= by=symlog.com debug: RBL: success for 17 of 17 queries debug: running meta tests; score so far=0.675 debug: is spam? score=0.675 required=5 tests=HTML_40_50,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,RCVD_IN_SORBS debug: received-header: parsed as [ ip=211.29.105.109 rdns=winax12-109.dialup.optusnet.com.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 211.29.105.109 trusted? no debug: is Net::DNS::Resolver available? 
yes debug: all '*From' addrs: jbdgwvi6825023@aol.com debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=3.94 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=3.94 debug: running uri tests; score so far=3.94 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=3.94 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 debug: leaving helper-app run mode debug: all '*To' addrs: 3dfrobinson@mteliza.com.au debug: DNS MX records found: 4 debug: forged-HELO: from=optusnet.com.au helo=mteliza.com.au by=mteliza.com.au debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'optusnet.com.au' debug: RBL: success for 9 of 9 queries debug: running meta tests; score so far=9.896 debug: is spam? 
score=11.88 required=5 tests=ADDR_NUMS_AT_BIGSITE,FROM_ENDS_IN_NUMS,FROM_WEBMAIL_END_NUMS6,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS debug: received-header: parsed as [ ip=137.157.8.253 rdns=tachyon.gw.ansto.gov.au helo=tachyon.gw.ansto.gov.au by=mail01.mteliza.com.au ident= ] debug: received-header: parsed as [ ip=137.157.13.219 rdns=hadron.ansto.gov.au helo= by=tachyon.gw.ansto.gov.au ident= ] debug: received-header: parsed as [ ip=137.157.58.208 rdns=paradise.ansto.gov.au helo=paradise.ansto.gov.au by=hadron.ansto.gov.au ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 137.157.8.253 trusted? no debug: received-header: relay 137.157.13.219 trusted? no debug: received-header: relay 137.157.58.208 trusted? no debug: is Net::DNS::Resolver available? yes debug: all '*From' addrs: hhx@ansto.gov.au debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0 debug: running uri tests; score so far=0 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. 
debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1 debug: leaving helper-app run mode debug: all '*To' addrs: JGuillot@mteliza.com.au debug: DNS MX records found: 2 debug: forged-HELO: from=ansto.gov.au helo=ansto.gov.au by=mteliza.com.au debug: forged-HELO: from=ansto.gov.au helo= by=ansto.gov.au debug: forged-HELO: from=ansto.gov.au helo=ansto.gov.au by=ansto.gov.au debug: RBL: success for 25 of 25 queries debug: running meta tests; score so far=0 debug: is spam? score=0 required=5 tests= debug: is Net::DNS::Resolver available? yes debug: looking up PTR record for '199.40.206.2' debug: PTR for '199.40.206.2': '' debug: received-header: parsed as [ ip=199.40.206.2 rdns=199.40.206.2 helo=gateway5a.dhl.com by=mail01.mteliza.com.au ident= ] debug: received-header: ignoring localhost handover debug: IP is reserved, not looking up PTR debug: received-header: parsed as [ ip=10.192.8.73 rdns=10.192.8.73 helo=viruswall by=atlas.syd-co.au.dhl.com ident= ] debug: IP is reserved, not looking up PTR debug: received-header: parsed as [ ip=10.192.23.88 rdns=10.192.23.88 helo=Unknown by=viruswall ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 199.40.206.2 trusted? no debug: received-header: relay 10.192.8.73 trusted? no debug: received-header: relay 10.192.23.88 trusted? 
no debug: all '*From' addrs: michelle.dagamapinto@dhl.com debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=2.155 debug: running uri tests; score so far=2.155 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=2.155 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1 debug: leaving helper-app run mode debug: all '*To' addrs: cdagamap@mteliza.com.au mariebeatrice@rediffmail.com frank_calderone@cathaypacific.com gina@acpworldwide.com.au michael.da.gama.pinto@au.pwcglobal.com monishamendes@aol.com paulita_dgp@hotmail.com Audrey_Pinto@mcgraw-hill.com debug: DNS MX records found: 4 debug: forged-HELO: from=199.40.206.2 helo=dhl.com by=mteliza.com.au debug: forged-HELO: mismatch on HELO: 'dhl.com' != '199.40.206.2' debug: forged-HELO: from=10.192.8.73 helo=viruswall by=dhl.com debug: forged-HELO: mismatch on from: '199.40.206.2' != 'dhl.com' debug: RBL: success for 9 of 9 queries debug: running meta tests; score so far=2.155 debug: is spam? score=2.318 required=5 tests=EXCUSE_16,HTML_50_60,HTML_MESSAGE,J_CHICKENPOX_12,J_CHICKENPOX_36,J_CHICKENPOX_56,MIME_BOUND_NEXTPART debug: received-header: parsed as [ ip=144.140.71.11 rdns=gizmo01ps.bigpond.com helo=gizmo01ps.bigpond.com by=mail01.mteliza.com.au ident= ] debug: is Net::DNS::Resolver available? 
yes debug: looking up PTR record for '144.135.25.78' debug: PTR for '144.135.25.78': 'psmam04.bigpond.com' debug: received-header: parsed as [ ip=144.135.25.78 rdns=psmam04.bigpond.com helo=psmam04.bigpond.com by=gizmo01ps.bigpond.com ident= ] debug: looking up PTR record for '138.217.40.190' debug: PTR for '138.217.40.190': 'CPE-138-217-40-190.vic.bigpond.net.au' debug: received-header: parsed as [ ip=138.217.40.190 rdns=CPE-138-217-40-190.vic.bigpond.net.au helo=cpe-138-217-40-190.vic.bigpond.net.au by=psmam04.bigpond.com!MAM ident= ] debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21 debug: received-header: relay 144.140.71.11 trusted? no debug: received-header: relay 144.135.25.78 trusted? no debug: received-header: relay 138.217.40.190 trusted? no debug: all '*From' addrs: jlassoc@bigpond.com debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=0.575 debug: running uri tests; score so far=0.575 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0.575 debug: Razor2 is not available debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mode debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor' debug: leaving helper-app run mode debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'" debug: DCCifd is not available: no r/w dccifd socket found. 
debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=3 Fuz1=3 Fuz2=3 debug: leaving helper-app run mode debug: all '*To' addrs: FRobinson@mteliza.com.au TMandler@mteliza.com.au debug: DNS MX records found: 1 debug: forged-HELO: from=bigpond.com helo=bigpond.com by=mteliza.com.au debug: forged-HELO: from=bigpond.com helo=bigpond.com by=bigpond.com debug: RBL: success for 25 of 25 queries debug: running meta tests; score so far=0.675 debug: is spam? score=0.675 required=5 tests=HTML_40_50,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,RCVD_IN_SORBS Stopping now as you are debugging me. -------------- next part -------------- Mar 4 11:09:36 mail01 postfix/smtpd[4624]: disconnect from strangecosmos.com[209.50.251.60] Mar 4 11:09:37 mail01 MailScanner[4657]: MailScanner E-Mail Virus Scanner version 4.27.7 starting... Mar 4 11:09:38 mail01 MailScanner[4657]: Config: calling custom init function MailWatchLogging Mar 4 11:09:39 mail01 MailScanner[4657]: Initialising database connection Mar 4 11:09:39 mail01 MailScanner[4657]: Finished initialising database connection Mar 4 11:09:41 mail01 MailScanner[4622]: Using locktype = flock Mar 4 11:09:43 mail01 MailScanner[4622]: New Batch: Found 119 messages waiting Mar 4 11:09:43 mail01 MailScanner[4622]: New Batch: Scanning 10 messages, 740375 bytes Mar 4 11:09:43 mail01 MailScanner[4622]: Spam Checks: Starting Mar 4 11:09:47 mail01 MailScanner[4670]: MailScanner E-Mail Virus Scanner version 4.27.7 starting... 
Mar 4 11:09:48 mail01 MailScanner[4670]: Config: calling custom init function MailWatchLogging Mar 4 11:09:49 mail01 MailScanner[4670]: Initialising database connection Mar 4 11:09:49 mail01 MailScanner[4670]: Finished initialising database connection Mar 4 11:09:54 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:09:54 mail01 postfix/smtpd[4624]: 3E96633E13: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:09:57 mail01 MailScanner[4641]: Using locktype = flock Mar 4 11:09:56 mail01 postfix/cleanup[4626]: 3E96633E13: message-id=<20040304000954.3E96633E13@mail01.mteliza.com.au> Mar 4 11:09:57 mail01 MailScanner[4641]: New Batch: Found 119 messages waiting Mar 4 11:09:57 mail01 MailScanner[4641]: New Batch: Scanning 10 messages, 119970 bytes Mar 4 11:09:57 mail01 MailScanner[4641]: Spam Checks: Starting Mar 4 11:09:57 mail01 postfix/qmgr[4497]: 3E96633E13: from=, size=1019, nrcpt=1 (queue active) Mar 4 11:09:57 mail01 postfix/qmgr[4497]: 3E96633E13: to=, relay=none, delay=3, status=deferred (deferred transport) Mar 4 11:09:58 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:04 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:05 mail01 postfix/smtpd[4624]: 0420833E11: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:13 mail01 postfix/cleanup[4626]: 0420833E11: message-id=<20040304001005.0420833E11@mail01.mteliza.com.au> Mar 4 11:10:13 mail01 postfix/smtpd[4701]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:13 mail01 postfix/smtpd[4701]: 8508933E10: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:13 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:14 mail01 postfix/qmgr[4497]: 0420833E11: from=, size=1003, nrcpt=1 (queue active) Mar 4 11:10:16 
mail01 postfix/qmgr[4497]: 0420833E11: to=<10@mteliza.com.au>, relay=none, delay=10, status=deferred (deferred transport) Mar 4 11:10:19 mail01 postfix/cleanup[4626]: 8508933E10: message-id=<20040304001013.8508933E10@mail01.mteliza.com.au> Mar 4 11:10:21 mail01 postfix/qmgr[4497]: 8508933E10: from=, size=1016, nrcpt=1 (queue active) Mar 4 11:10:21 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:21 mail01 postfix/qmgr[4497]: 8508933E10: to=, relay=none, delay=8, status=deferred (deferred transport) Mar 4 11:10:29 mail01 MailScanner[4657]: Using locktype = flock Mar 4 11:10:29 mail01 postfix/smtpd[4624]: connect from CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32] Mar 4 11:10:30 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 4 11:10:31 mail01 postfix/smtpd[4624]: 6D13C33E12: client=CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32] Mar 4 11:10:34 mail01 MailScanner[4657]: New Batch: Found 122 messages waiting Mar 4 11:10:34 mail01 MailScanner[4657]: New Batch: Scanning 10 messages, 206807 bytes Mar 4 11:10:34 mail01 MailScanner[4657]: Spam Checks: Starting Mar 4 11:10:37 mail01 MailScanner[4641]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 4 11:10:40 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 4 11:10:42 mail01 postfix/cleanup[4626]: 6D13C33E12: message-id=<20040304001031.6D13C33E12@mail01.mteliza.com.au> Mar 4 11:10:42 mail01 postfix/qmgr[4497]: 6D13C33E12: from=, size=1011, nrcpt=1 (queue active) Mar 4 11:10:42 mail01 postfix/qmgr[4497]: 6D13C33E12: to=, relay=none, delay=11, status=deferred (deferred transport) Mar 4 11:10:43 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 4 11:10:44 mail01 postfix/smtpd[4624]: disconnect from CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32] Mar 4 11:10:54 mail01 postfix/smtpd[4701]: 
connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:54 mail01 postfix/smtpd[4701]: 8A80533E17: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:58 mail01 MailScanner[4670]: Using locktype = flock Mar 4 11:10:58 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:58 mail01 MailScanner[4670]: New Batch: Found 123 messages waiting Mar 4 11:10:58 mail01 MailScanner[4670]: New Batch: Scanning 10 messages, 81945 bytes Mar 4 11:10:59 mail01 MailScanner[4670]: Spam Checks: Starting Mar 4 11:10:59 mail01 postfix/cleanup[4626]: 8A80533E17: message-id=<20040304001054.8A80533E17@mail01.mteliza.com.au> Mar 4 11:10:59 mail01 postfix/smtpd[4624]: 2C5A533E18: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:59 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:10:59 mail01 postfix/qmgr[4497]: 8A80533E17: from=, size=1015, nrcpt=1 (queue active) Mar 4 11:10:59 mail01 postfix/qmgr[4497]: 8A80533E17: to=, relay=none, delay=5, status=deferred (deferred transport) Mar 4 11:11:06 mail01 postfix/smtpd[4701]: warning: 200.232.207.120: hostname 200-232-207-120.dsl.telesp.net.br verification failed: Host not found Mar 4 11:11:06 mail01 postfix/smtpd[4701]: connect from unknown[200.232.207.120] Mar 4 11:11:08 mail01 postfix/smtpd[4853]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:08 mail01 postfix/smtpd[4701]: D381A33E19: client=unknown[200.232.207.120] Mar 4 11:11:09 mail01 postfix/smtpd[4853]: 46C5733E1B: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:09 mail01 postfix/cleanup[4626]: 2C5A533E18: message-id=<20040304001059.2C5A533E18@mail01.mteliza.com.au> Mar 4 11:11:10 mail01 postfix/qmgr[4497]: 2C5A533E18: from=<20728@c4m01.postdirect.com>, size=1013, nrcpt=1 (queue active) Mar 4 11:11:10 mail01 postfix/qmgr[4497]: 2C5A533E18: to=, relay=none, 
delay=11, status=deferred (deferred transport) Mar 4 11:11:11 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:12 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:13 mail01 postfix/smtpd[4624]: 117BB33E16: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:13 mail01 postfix/cleanup[4836]: D381A33E19: message-id= Mar 4 11:11:14 mail01 postfix/qmgr[4497]: D381A33E19: from=, size=5600, nrcpt=1 (queue active) Mar 4 11:11:14 mail01 MailScanner[4657]: Message 3E96633E13 from 150.101.123.85 (m_tannahill@bigpond.com) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:14 mail01 postfix/qmgr[4497]: D381A33E19: to=, relay=none, delay=6, status=deferred (deferred transport) Mar 4 11:11:15 mail01 postfix/cleanup[4858]: 46C5733E1B: message-id=<20040304001109.46C5733E1B@mail01.mteliza.com.au> Mar 4 11:11:16 mail01 postfix/smtpd[4701]: disconnect from unknown[200.232.207.120] Mar 4 11:11:16 mail01 postfix/qmgr[4497]: 46C5733E1B: from=, size=1009, nrcpt=1 (queue active) Mar 4 11:11:16 mail01 postfix/smtpd[4853]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:16 mail01 postfix/qmgr[4497]: 46C5733E1B: to=, relay=none, delay=7, status=deferred (deferred transport) Mar 4 11:11:17 mail01 postfix/smtpd[4701]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:17 mail01 postfix/smtpd[4701]: 6983133E1C: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:19 mail01 postfix/cleanup[4626]: 117BB33E16: message-id=<20040304001113.117BB33E16@mail01.mteliza.com.au> Mar 4 11:11:19 mail01 MailScanner[4657]: Message 8508933E10 from 150.101.123.85 (fremdgp@ozemail.com.au) to mteliza.com.au is spam, SpamAssassin (score=8.225, 
required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:19 mail01 postfix/qmgr[4497]: 117BB33E16: from=, size=1025, nrcpt=1 (queue active) Mar 4 11:11:19 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:19 mail01 postfix/qmgr[4497]: 117BB33E16: to=, relay=none, delay=6, status=deferred (deferred transport) Mar 4 11:11:21 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:22 mail01 postfix/smtpd[4853]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:22 mail01 postfix/smtpd[4853]: 6D0A233E1E: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:22 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:25 mail01 postfix/cleanup[4858]: 6D0A233E1E: message-id=<20040304001122.6D0A233E1E@mail01.mteliza.com.au> Mar 4 11:11:28 mail01 postfix/cleanup[4836]: 6983133E1C: message-id=<20040304001117.6983133E1C@mail01.mteliza.com.au> Mar 4 11:11:29 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6D0A233E1E: from=<317@au.eyi.com>, size=1025, nrcpt=1 (queue active) Mar 4 11:11:29 mail01 postfix/smtpd[4853]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6D0A233E1E: to=, relay=none, delay=7, status=deferred (deferred transport) Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6983133E1C: from=, size=1031, nrcpt=1 (queue active) Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6983133E1C: to=, relay=none, delay=12, status=deferred (deferred transport) Mar 4 11:11:30 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:31 mail01 MailScanner[4657]: Message 93A4F33D14 from 67.83.169.199 
(ssadler_zo@draware.dk) to mteliza.com.au is spam, SpamAssassin (score=8.248, required 5, HTML_30_40 0.81, HTML_MESSAGE 0.00, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10) Mar 4 11:11:36 mail01 MailScanner[4641]: Message 5021C33DFB from 150.101.123.85 (barbara_carr@t-online.de) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:36 mail01 postfix/smtpd[4624]: warning: 209.216.97.71: hostname smtp216.tam10.com verification failed: Host not found Mar 4 11:11:36 mail01 postfix/smtpd[4624]: connect from unknown[209.216.97.71] Mar 4 11:11:37 mail01 postfix/smtpd[4624]: 2521A33E1A: client=unknown[209.216.97.71] Mar 4 11:11:37 mail01 MailScanner[4670]: Message 962ED33E0E from 150.101.123.85 (566@syd02.aimnsw.com.au) to mteliza.com.au is spam, SpamAssassin (score=12.932, required 5, FROM_ALL_NUMS 1.16, FROM_ENDS_IN_NUMS 0.87, FROM_STARTS_WITH_NUMS 1.57, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_DNS_FOR_FROM 1.10, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:39 mail01 postfix/cleanup[4626]: 2521A33E1A: message-id=<20040304001137.2521A33E1A@mail01.mteliza.com.au> Mar 4 11:11:40 mail01 postfix/qmgr[4497]: 2521A33E1A: from=, size=4273, nrcpt=1 (queue active) Mar 4 11:11:40 mail01 postfix/qmgr[4497]: 2521A33E1A: to=, relay=none, delay=3, status=deferred (deferred transport) Mar 4 11:11:40 mail01 postfix/smtpd[4624]: disconnect from unknown[209.216.97.71] Mar 4 11:11:44 mail01 postfix/smtpd[4701]: connect from level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:44 mail01 postfix/smtpd[4701]: D3BD033E1D: client=level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:46 mail01 postfix/cleanup[4858]: 
D3BD033E1D: message-id=<20040304001144.D3BD033E1D@mail01.mteliza.com.au> Mar 4 11:11:46 mail01 postfix/qmgr[4497]: D3BD033E1D: from=, size=1024, nrcpt=1 (queue active) Mar 4 11:11:46 mail01 postfix/smtpd[4701]: disconnect from level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:46 mail01 postfix/qmgr[4497]: D3BD033E1D: to=, relay=none, delay=2, status=deferred (deferred transport) Mar 4 11:11:54 mail01 MailScanner[4641]: Message 54EF233CEC from 202.126.109.6 (lawriedrew@optusnet.com.au) to mteliza.com.au is spam, SpamAssassin (score=5.579, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83) Mar 4 11:11:58 mail01 postfix/smtpd[4853]: connect from unknown[203.55.54.254] Mar 4 11:11:58 mail01 postfix/smtpd[4853]: 8441733E1F: client=unknown[203.55.54.254] Mar 4 11:11:58 mail01 postfix/cleanup[4836]: 8441733E1F: message-id=<200403040000.i24006UC000752@HylaFAX> Mar 4 11:12:00 mail01 postfix/qmgr[4497]: 8441733E1F: from=, size=129573, nrcpt=1 (queue active) Mar 4 11:12:00 mail01 postfix/smtpd[4853]: disconnect from unknown[203.55.54.254] Mar 4 11:12:00 mail01 postfix/qmgr[4497]: 8441733E1F: to=, relay=none, delay=2, status=deferred (deferred transport) Mar 4 11:12:05 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:06 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:10 mail01 MailScanner[4670]: Message 90E8D33D05 from 144.137.47.17 (3@mta08ps.p) to mteliza.com.au is spam, SpamAssassin (score=10.489, required 5, FROM_ALL_NUMS 1.16, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_DNS_FOR_FROM 1.10, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:12:11 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:47 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 
4 11:12:48 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 4 11:12:50 mail01 MailScanner[4657]: Message 97DD833D3D from 202.53.34.134 (chiltons@netspace.net.au) to mteliza.com.au is spam, SpamAssassin (score=5.579, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83) Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Checks: Found 4 spam messages Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 3E96633E13 actions are store Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 8508933E10 actions are store Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 93A4F33D14 actions are store Mar 4 11:12:50 mail01 MailScanner[4670]: Message 6D13C33E12 from 144.137.52.32 (blossompalmiter@velnet.com) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:12:51 mail01 MailScanner[4657]: Spam Actions: message 97DD833D3D actions are store Mar 4 11:12:52 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 From kevins at BMRB.CO.UK Thu Mar 4 00:32:27 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:59 2006
Subject: DOS attacked :(
In-Reply-To: <404672C1.4010508@eatathome.com.au>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au>
Message-ID: <1078360347.11239.146.camel@bach.kevinspicer.co.uk>

Is update_virus_scanners running? If for some reason a scanner update hangs MailScanner will stop processing mail. If this is the case please post which scanner is the problem so that timeout code can be added to its wrapper script.

Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't working properly.

Maybe turn SA off for a while to catch up? Or just turn off all SA's network checks.

Maybe the bayes database is causing a problem, try turning off bayes (turn off the bayes auto rebuild in MailScanner too if your version has it).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mark at TIPPINGMAR.COM Thu Mar 4 00:36:29 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:23:00 2006 Subject: DOS attacked :( In-Reply-To: <404672C1.4010508@eatathome.com.au> References: <20040303233922.24C6B21C29A@mail.fsl.com> Message-ID: <4046098D.24598.6AD4D29@localhost> On 4 Mar 2004 at 11:05, Pete wrote: > Stephen Swaney wrote: > > >I'm top posting so this won't get lost. This was written by one of our > >clients to handle a really severe Joe-job. His name shall be revealed if he > >let's me, but I don't know if he wants the credit for breaking RFC 1123 > >(this certainly does). This deletes any incoming email that has a return > >address of "<>". > > > >BE CAREFUL WITH THE TABS. Don't cut 'n paste this tabs must separate the > >Left hand side from the right hand side rules and comments. The have been > >lost in the email transmission. You' know if you've missed a tab because > >sendmail will croak when you try and start it. > > > >I can't verify that this works but he insisted it saved his axx. He was so > >upset by the attack he stayed up for 30 hours straight and learned to write > >sendmail.cf files from scratch. No Small feat. > > > >Possible some sendmail guru whose not battling the bagel will be kind enough > >to put the hack into a sendmail.mc format. 
> > > >------------------ snip ----------------------------- > >###################################################################### > >###################################################################### > >##### > >##### REWRITING RULES > >##### > >###################################################################### > >###################################################################### > >#Added by XXX to handle joe job on 020404 > > > >HSubject: $>Check_Subject1 > >D{MPat}Returned > >SCheck_Subject1 > >R${MPat} $* $#discard > > > > > >###################################################################### > >### check_mail -- check SMTP `MAIL FROM:' command argument > >###################################################################### > > > >SLocal_check_mail > >Scheck_mail > >R$* $: $1 $| $>"Local_check_mail" $1 > >R$* $| $#$* $#$2 > >R$* $| $* $@ $>"Basic_check_mail" $1 > > > >SBasic_check_mail > ># check for deferred delivery mode > >R$* $: < $&{deliveryMode} > $1 > >R< d > $* $@ deferred > >R< $* > $* $: $2 > > > ># authenticated? > >R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL > >R$* $| $#$+ $#$2 > >R$* $| $* $: $1 > > > >#modified by XXX to handle joe job on 020404 Note: org line above > >#R<> $@ we MUST accept <> (RFC 1123) > >R<> $@ $#discard we MUST accept <> (RFC 1123) > >R$+ $: $1 > >R<$+> $: <@> <$1> > >R$+ $: <@> <$1> > >R$* $: $&{daemon_flags} $| $1 > >R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 > > >R$* u $* $| <@> < $* > $: < $3 > > >R$* $| $* $: $2 > ># handle case of @localhost on address > >------------------ snip ----------------------------- > > > > > >Steve > > > >Stephen Swaney > >President > >Fortress Systems Ltd. > >Steve.Swaney@FSL.com > > > > > > > > > >>-----Original Message----- 
> >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >>Behalf Of Pete > >>Sent: Wednesday, March 03, 2004 6:08 PM > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: DOS attacked :( > >> > >>What should i do to rectify or prevent this? Nothing leave it to MS? > >> > >>Load avergae is stuck on 7 and almost nothing is wworking on this > >>machine, even ssh commands have a 10sec delay. > >> > >>Will deleting the offending email be the entire solution? > >> > >> > >>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, > >>size=3477, nrcpt=1 (queue active) > >>Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from > >>adl0133.systems.sa.gov.au[143.216.236.20] > >>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: > >>to=, relay=none, delay=0, status=deferred > >>(deferred transport) > >>Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed > >>Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for > >>clamav > >>Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and > >>was killed, consecutive failure 12 of 20 > >>Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner > >>clamavmodule timed out! > >>Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner > >>clamavmodule timed out! > >>Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of > >>Service attack is in message A086133CDD > >>Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need > >>updating > >>Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of > >>Service attack detected! 
> >>Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and > >>was killed, consecutive failure 13 of 20 > >>Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: > >>hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: > >>Host not found > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still > >>being delivered > >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still > >>being delivered > >>Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and > >>was killed, consecutive failure 14 of 20 > >>Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and > >>was killed, consecutive failure 15 of 20 > >> > >>-- > >>This message has been scanned for viruses and > >>dangerous content by MailScanner, and is > >>believed to be clean. > >> > >>Fortress Systems Ltd. > >>www.fsl.com > >> > >> > >> > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by Fortress Secure Mail Gateway > >and was found to be clean. 
> >
> >Fortress Systems Ltd. - http://www.fsl.com
> >
>
> Sorry, I wasn't clear enough - this is a postfix 2.016 - working
> perfectly until this morning, even after upgrade yesterday and added DCC
> and pyzor, although pyzor never worked and I didn't get a chance to look
> at it yet. I have tried changing the accelerated scanning mode to 40 (I
> assume this means when the queue is 40+ deep it will accelerate the
> scanning mode?
>
> Can someone tell me how to use postfix to display the amount of
> messages in the queue from command line, or any other useful postfix
> commands? I did mailq -v but this displays nothing.
>
> The latest change I made was to clamavmodule from regular clamav, tried
> changing it back but no luck. Attached is my debug, nothing seems really
> obviously broken?
>
> Attached also is a log sample, complete, from immediately after a service
> MailScanner restart
>
> It's getting worse and all I see is 100+ messages in the queue, changed
> the batch mode to only do 10 at once but still all I get in the maillog is
> Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was
> killed, consecutive failure 8 of 20
>
> thanks in advance for ANY help I can get on this, it's a big problem and
> it's getting worse by the minute :(
>

Your problem is the SpamAssassin timeouts. You could disable SpamAssassin in your MailScanner.conf until your machine catches up, or you could debug the timeouts. Here is a suggested method from a recent posting by Julian Field:

Kill all the MailScanner processes (some of them will take several seconds to die, let them get on with it).
Edit /etc/MailScanner/MailScanner.conf.
Set Debug = yes
Set Debug SpamAssassin = yes
Wait until you have a few messages collected in /var/spool/mqueue.in.
Then run "check_MailScanner".
It should spew output about SpamAssassin, during which it will hopefully pause, waiting for something to happen. The output when it pauses should hopefully give you some clue about why it is timing out. It will run 1 batch of messages and then quit.

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From pete at eatathome.com.au Thu Mar 4 01:09:37 2004
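Added example, not part of the original messages or of MailScanner itself: a small Python pass over syslog lines that tracks the "consecutive failure N of M" counter per MailScanner child and the "messages waiting" backlog, the two symptoms this thread is chasing. The sample log is constructed in the format quoted in the thread, and the 50% warning ratio and backlog floor of 100 are assumed thresholds.

```python
import re

# Constructed sample, modelled on the MailScanner/postfix syslog lines quoted
# in this thread. PIDs, counters and queue IDs below are made up.
SAMPLE_LOG = """\
Mar  4 11:09:57 mail01 MailScanner[4641]: New Batch: Found 119 messages waiting
Mar  4 11:10:30 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 11 of 20
Mar  4 11:10:34 mail01 MailScanner[4657]: New Batch: Found 122 messages waiting
Mar  4 11:10:37 mail01 MailScanner[4641]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar  4 11:10:58 mail01 MailScanner[4670]: New Batch: Found 123 messages waiting
Mar  4 11:11:14 mail01 postfix/qmgr[4497]: 0000000001: from=<>, size=1019, nrcpt=1 (queue active)
Mar  4 11:11:21 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar  4 11:11:50 mail01 MailScanner[4657]: Spam Checks: Found 4 spam messages
Mar  4 11:12:05 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
Mar  4 11:12:10 mail01 MailScanner[4641]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
this line is not syslog and must be skipped
"""

# "Mon D HH:MM:SS host process[pid]: message"; \s+ tolerates both the
# two-space day padding of real syslog and the single space seen above.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^\s\[:]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(
    r"SpamAssassin timed out and was killed, consecutive failure (\d+) of (\d+)"
)
BATCH_RE = re.compile(r"New Batch: Found (\d+) messages waiting")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not syslog."""
    match = SYSLOG_RE.match(line.strip())
    return match.groupdict() if match else None


def summarize(log_text):
    """Return (per-child timeout stats keyed by PID, backlog sizes in log order)."""
    children = {}
    backlog = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "MailScanner":
            continue  # ignore postfix and malformed lines
        hit = TIMEOUT_RE.search(rec["msg"])
        if hit:
            count, limit = int(hit.group(1)), int(hit.group(2))
            child = children.setdefault(
                rec["pid"], {"timeouts": 0, "worst": 0, "limit": limit, "last_seen": ""}
            )
            child["timeouts"] += 1
            # The counter restarts after a successful run, so keep the peak.
            child["worst"] = max(child["worst"], count)
            child["limit"] = limit
            child["last_seen"] = rec["ts"]
            continue
        hit = BATCH_RE.search(rec["msg"])
        if hit:
            backlog.append(int(hit.group(1)))
    return children, backlog


def findings(log_text, warn_ratio=0.5, backlog_floor=100):
    """Flag children whose streak passed warn_ratio of the limit, and a growing queue."""
    children, backlog = summarize(log_text)
    out = []
    for pid in sorted(children, key=int):
        child = children[pid]
        if child["limit"] and child["worst"] / child["limit"] >= warn_ratio:
            out.append(("sa-timeout-streak", pid, child["worst"], child["limit"]))
    if len(backlog) >= 2 and backlog[-1] >= backlog_floor and backlog[-1] > backlog[0]:
        out.append(("queue-growing", backlog[0], backlog[-1]))
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_LOG):
        print(item)
```

Run against a real maillog, the per-PID view separates one stuck child from a host-wide problem such as failing network checks, where every child shows a rising streak.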
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:00 2006
Subject: DOS attacked :(
In-Reply-To: <1078360347.11239.146.camel@bach.kevinspicer.co.uk>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au> <1078360347.11239.146.camel@bach.kevinspicer.co.uk>
Message-ID: <404681D1.2040902@eatathome.com.au>

Kevin Spicer wrote:

>Is update_virus_scanners running? If for some reason a scanner update
>hangs MailScanner will stop processing mail. If this is the case please
>post which scanner is the problem so that timeout code can be added to
>its wrapper script.
>
>Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't
>working properly.
>
>Maybe turn SA off for a while to catch up? Or just turn off all SA's
>network checks.
>
>Maybe the bayes database is causing a problem, try turning off bayes
>(turn off the bayes auto rebuild in MailScanner too if your version has
>it).
>

First thing I did was turn off bayes.
Yes virus update scanner is running, although I did see some deferred for 600secs messages, but recently I did see it had updated. I have only updated to clamavmodule this morning, previously was just clamav.
I have already added Use_pyzor 0 since I couldn't get it to work (is it a matter of install and then restart MS?)

I turned did skip rbls and this made a huge difference in reducing the queue size. I have now turned them back on.

I have the latest stable release, and now I have turned off auto rebuild too.

Seems like the queue gets reduced, then something becomes broken again and then queue grows and this repeats - have had never had a message stuck before, not even one - today there were 120, this went down to 40 when I made the changes suggested above, then sa timeouts and back up 100.

I don't really want to turn off SA, I want to stop spam. So I will persevere for the rest of the day trying to get this working again.
Thanks for your help.

From rich at MAIL.WVNET.EDU Thu Mar 4 01:35:41 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:23:00 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu> <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>
Message-ID: <404687ED.7020904@mail.wvnet.edu>

Julian Field wrote:

> At 13:49 03/03/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> Download as usual from www.mailscanner.info.
>>>
>>> Please report any problems!
>>
>>
>> Ok, something is still not right. I have...
>>
>> Allow Password-Protected Archives = no
>>
>> and
>>
>> Maximum Archive Depth = 0 (I also tried -1)
>>
>> When Maximum Archive Depth is set to -1 or 0 it will deliver a password
>> protected zip file even though I have Allow Password-Protected Archives
>> set to "no". If I have Maximum Archive Depth set to 3 then the
>> protected zip is not delivered as expected but internal zip checking is
>> done which is what I want to disable. I hope I'm not misinterpreting
>> how this should work.
>
>
> You can't currently check the contents of the zip files without unpacking
> them. Unpacking them causes the other checks to be run on their members.
>
> So now I have changed it:
> setting the options as you have given it above will now just test the
> first level of zip files to see if their members are encrypted at all. It won't
> actually extract them. Because it doesn't extract them it can't do any
> more levels of nesting.
>
> BTW "All-Viruses" now includes "Zip-Password" in the silent viruses
> list.
>

I tested it this afternoon and moved it into production a little while ago. Everything is working great. Regular zip files are allowed again and the password protected zips are now banned. The complaints have stopped... life is good.

You did it again Julian. Your contributions are outstanding.
K-12, Higher-Ed, and state government in WVa all get enormous benefit from what you do. Thank you. -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From raymond at PROLOCATION.NET Thu Mar 4 01:57:46 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:00 2006 Subject: Clamlib fixed ? Message-ID: Hi! Revision history for Perl extension Mail::ClamAV. 0.06 Thu Feb 12 08:11:38 AM 2004 - added INC for include paths, LIBS does not work for includes - updated README 0.06 Thu Feb 12 08:04:27 AM 2004 - added back accidentally removed code which removes the require code from ClamAV.pm. Reported by Julian Field Bye, Raymond. From pete at eatathome.com.au Thu Mar 4 02:05:24 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:00 2006 Subject: Clamlib fixed ? In-Reply-To: References: Message-ID: <40468EE4.8060705@eatathome.com.au> Raymond Dijkxhoorn wrote: >Hi! > >Revision history for Perl extension Mail::ClamAV. > >0.06 Thu Feb 12 08:11:38 AM 2004 > - added INC for include paths, LIBS does not work for includes > - updated README > >0.06 Thu Feb 12 08:04:27 AM 2004 > - added back accidentally removed code which removes the require > code from ClamAV.pm. > Reported by Julian Field > >Bye, >Raymond. > > >. > > > Does this mean we should be doing an install Mail::ClamAV in cpan to update this? I installed 5 hours ago, up to date enough? From steve.swaney at FSL.COM Thu Mar 4 02:11:54 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:23:00 2006 Subject: DOS attacked :( In-Reply-To: <404681D1.2040902@eatathome.com.au> Message-ID: <20040304021154.488EF21C29A@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 8:10 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
> Kevin Spicer wrote:
>
> >Is update_virus_scanners running? If for some reason a scanner update
> >hangs MailScanner will stop processing mail. If this is the case please
> >post which scanner is the problem so that timeout code can be added to
> >its wrapper script.
> >
> >Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't
> >working properly.
> >
> >Maybe turn SA off for a while to catch up? Or just turn off all SA's
> >network checks.
> >
> >Maybe the bayes database is causing a problem, try turning off bayes
> >(turn off the bayes auto rebuild in MailScanner too if your version has
> >it).
> >
>
> First thing I did was turn off bayes.
> Yes virus update scanner is running, although I did see some deferred for
> 600secs messages,

This is normal with the latest versions of MailScanner. Julian added a delay
so we wouldn't all hit the ClamAV servers at the top of the hour. You might
want to change the delay in your update_virus_scanners so we don't all hit
the servers at 600 seconds after the hour.

> but recently I did see it had updated. I have only
> updated to clamavmodule this morning, previously was just clamav.
> I have already added Use_pyzor 0 since I couldn't get it to work (is it a
> matter of install and then restart MS?)

From your earlier post:

debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file
'/usr/bin/pyzor'

There is something wrong with your Pyzor installation. You can't open
/usr/bin/Pyzor. Leave

use_pyzor 0

Set in your spam.assassin.prefs.conf until you get this sorted out.

> I turned did skip rbls and this made a huge difference in reducing the
> queue size. I have now turned them back on.

This is telling you something. When you turn off SpamAssassin network
checks, things improve. When you turn them on things get worse. You are
having a problem running network checks. Try running:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

and see if you can see or feel any delays.

Also from your debug output:
debug: Razor2 is not available

leave use_razor2 0

off until you get this sorted out. Often this is caused by not following the
Install instructions, i.e. running

razor-admin -create
razor-admin -register

After the install. Go to the razor web site and read the installation
documents.

> I have the latest stable release, and now I have turned off auto
> rebuild too.

From looking at your debug output you're not trying to use Bayes at this
point.

> Seems like the queue gets reduced, then something becomes broken again
> and then queue grows and this repeats - have had never had a message
> stuck before, not even one - today there were 120, this went down to 40
> when I made the changes suggested above, then sa timeouts and back up 100.

They are not stuck, they're just delayed. We have some ISP customers whose
incoming queues fluctuate from 2 to 700 messages waiting depending on the time
of day and spam loads.

> I don't really want to turn off SA, I want to stop spam. So I will
> persevere for the rest of the day trying to get this working again.
> Thanks for your help.
>

You'll still stop spam with the network checks off - just not as much.
SpamAssassin weighs scores differently if network checks are off so it's not
as bad as it seems.

And finally

1. What versions of MailScanner and SpamAssassin were you running before the upgrade?
2. What hardware - processor, disks and memory are you using?
3. What is your daily email volume?

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.

Fortress Systems Ltd.
- http://www.fsl.com From raymond at PROLOCATION.NET Thu Mar 4 02:29:26 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:00 2006 Subject: Clamlib fixed ? In-Reply-To: <40468EE4.8060705@eatathome.com.au> Message-ID: Hi! > >0.06 Thu Feb 12 08:11:38 AM 2004 > > - added INC for include paths, LIBS does not work for includes > > - updated README > > > >0.06 Thu Feb 12 08:04:27 AM 2004 > > - added back accidentally removed code which removes the require > > code from ClamAV.pm. > > Reported by Julian Field > Does this mean we should be doing an install Mail::ClamAV in cpan to > update this? > > I installed 5 hours ago, up to date enough? You most likely have that version running now. Its working it seems :) Mar 4 03:28:24 vmx10 MailScanner[3921]: INFECTED:: Worm.SomeFool.Gen-1:: ./i242SGsl003912/your_picture.pif Mar 4 03:28:24 vmx10 MailScanner[3921]: Virus Scanning: ClamAV Module found 1 infections Mar 4 03:28:24 vmx10 MailScanner[3805]: Virus and Content Scanning: Starting Mar 4 03:28:24 vmx10 MailScanner[3921]: /var/spool/MailScanner/incoming/3921/i242SGsl003912/your_picture.pif Infection: W32/Netsky.D@mm Bye, Raymond. From pete at eatathome.com.au Thu Mar 4 02:32:42 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:00 2006 Subject: DOS attacked :( In-Reply-To: <20040304021154.488EF21C29A@mail.fsl.com> References: <20040304021154.488EF21C29A@mail.fsl.com> Message-ID: <4046954A.8010000@eatathome.com.au> Stephen Swaney wrote: >>-----Original Message----- 
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 8:10 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Kevin Spicer wrote:
>>
>>>Is update_virus_scanners running? If for some reason a scanner update
>>>hangs MailScanner will stop processing mail. If this is the case please
>>>post which scanner is the problem so that timeout code can be added to
>>>its wrapper script.
>>>
>>>Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't
>>>working properly.
>>>
>>>Maybe turn SA off for a while to catch up? Or just turn off all SA's
>>>network checks.
>>>
>>>Maybe the bayes database is causing a problem, try turning off bayes
>>>(turn off the bayes auto rebuild in MailScanner too if your version has
>>>it).
>>>
>>First thing i did was turn off bayes.
>>Yes virus update scanner is running, although i did see some deferred for
>>600secs messages,
>>
>
>This is normal with the latest versions of MailScanner. Julian added a delay
>so we wouldn't all hit the ClamAV servers at the top of the hour. You might
>want to change the delay in your update_virus_scanners so we don't all hit
>the servers at 600 seconds after the hour.
>

Will change that now. Thanks.

>>but recently i did see it had updated. I have only
>>updated to clamavmodule this morning, previously was just clamav.
>>I have already added Use_pyzor 0 since i couldn't get it to work (is it a
>>matter of install and then restart MS?)
>>
>
>From your earlier post:
>
>debug: Pyzor is available: /usr/bin/pyzor
>debug: entering helper-app run mode
>debug: Pyzor: got response: /usr/bin/python2: can't open file
>'/usr/bin/pyzor'
>
>There is something wrong with your Pyzor installation. You can't open
>/usr/bin/Pyzor. Leave
>
>use_pyzor 0
>
>Set in your spam.assassin.prefs.conf until you get this sorted out.
>

Yep, have left this on since i first tried to install pyzor, that output
appears in the debug anyway, i haven't tried to install razor2 yet as i
stopped installing stuff when i didn't get pyzor doing, dcc was working
fine, but disabled it when these troubles started and will leave it off for
the time being. All 3 entries exist in spam.assassin.prefs.conf use_pyzor
0, razor and dcc.

>>I turned did skip rbls and this made a huge difference in reducing the
>>queue size. I have now turned them back on.
>>
>
>This is telling you something. When you turn off SpamAssassin network
>checks, things improve. When you turn them on things get worse. You are
>having a problem running network checks. Try running:
>
>spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>
>and see if you can see or feel any delays.
>
>Also from your debug output:
>debug: Razor2 is not available
>
>leave use_razor2 0
>
>off until you get this sorted out. Often this is caused by not following the
>Install instructions, i.e. running
>
>razor-admin -create
>razor-admin -register
>
>After the install. Go to the razor web site and read the installation
>documents.
>
>>I have the latest stable release, and now i have turned off auto
>>rebuild too.
>>
>
>From looking at your debug output you're not trying to use Bayes at this
>point.
>
>>Seems like the queue gets reduced, then something becomes broken again
>>and then queue grows and this repeats - have had never had a message
>>stuck before, not even one - today there were 120, this went down to 40
>>when i made the changes suggested above, then sa timeouts and back up 100.
>>
>
>They are not stuck, they're just delayed. We have some ISP customers whose
>incoming queues fluctuate from 2 to 700 messages waiting depending on the time
>of day and spam loads.
>

I mentioned this because prior to upgrading i never ever had any
messages delayed in the queue, now i have a 100 all the time.
>>I don't really want to turn off SA, I want to stop spam. So i will
>>persevere for the rest of the day trying to get this working again.
>>Thanks for your help.
>>
>
>You'll still stop spam with the network checks off - just not as much.
>SpamAssassin weighs scores differently if network checks are off so it's not
>as bad as it seems.
>
>And finally
>
>1. What versions of MailScanner and SpamAssassin were you running before the
>upgrade
>2. What hardware - processor, disks and memory are you using?
>3. What is your daily email volume?
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney@FSL.com
>

RH9, untouched or upgraded since original installation.
I started with MS4.24-5, postfix 2.16, sa2.60, clamav .60, mailwatch 3.b
upgraded to
MS 4.27.7, postfix is unchanged and untouched, sa 2.63 (from source),
clamav .67, mailwatch .4>.51

It's a dual P200 (that's two hundred) NEC server, many GB of spare HDD
space and 512mb RAM. This machine ran perfectly with the original
versions i installed. We get around 2000 messages per day on this machine.

I have been hassling for better hardware now that i have proven this
works (the plan was to prove it work without spending any cash) but
company has merged and now boss won't approve new hardware, he advises if
i need new hardware, must use a P2 400 PC, which i am not willing to try
with. With this low mail volume i rarely see anymore than %50 CPU usage
on either cpu.

I was just thinking Julian says to use perl SA, but i had already
installed from source originally so thought it was best to upgrade this
way, could this be the killer, i need to remove and install with cpan?
Or install from cpan and leave the source install alone?

>--
>This message has been scanned for viruses and
>dangerous content by Fortress Secure Mail Gateway
>and was found to be clean.
>
>Fortress Systems Ltd. - http://www.fsl.com
>

wow - thanks for taking the time to help me, much appreciated.
From list at souil.com Thu Mar 4 03:09:03 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:23:00 2006
Subject: Spamassassin (RPM) install path
In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
Message-ID: <2004341193.688863@bensil>

Dear All,

My Spamassassin installed as the RPM and also as the perl
module (Mail::SpamAssassin). So how should i fill the
"SpamAssassin Install Prefix" in the MailScanner.conf ?

From ugob at CAMO-ROUTE.COM Thu Mar 4 03:11:09 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:00 2006
Subject: Spamassassin (RPM) install path
Message-ID: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Ben [mailto:list@souil.com]
>Sent: 3 March, 2004 22:09
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Spamassassin (RPM) install path
>
>
>Dear All,
>
>My Spamassassin installed as the RPM and also as the perl
>module(Mail::SpamAssassin). So how should i fill the
>"SpamAssassin Install Prefix" in the MailScanner.conf ?

Just remove the rpm. Test in debug. Reinstall from cpan or source if
necessary.

>

From rcooper at DWFORD.COM Thu Mar 4 03:31:06 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <4046954A.8010000@eatathome.com.au>
Message-ID:

Sorry to top post, but

Are you sure that Net::CIDR is installed ( I think that
requirement came after your original install version), and are
you using a local caching name server? Slow downs in the network
test arena are many times caused by resolver problems.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 9:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Stephen Swaney wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >>Behalf Of Pete > >>Sent: Wednesday, March 03, 2004 8:10 PM > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: Re: DOS attacked :( > >> > >>Kevin Spicer wrote: > >> > >> > >> > >>>Is update_virus_scanners running? If for some > reason a scanner update > >>>hangs MailScanner will stop processing mail. If > this is the case please > >>>post which scanner is the problem so that timeout > code can be added to > >>>its wrapper script. > >>> > >>>Is Spamassasin trying to use pyzor? Make sure its > not if it isn't > >>>working properly. > >>> > >>>Maybe turn SA off for a while to catch up? Or just > turn off all SA's > >>>network checks. > >>> > >>>Maybe the bayes database is causing a problem, try > turning off bayes > >>>(turn off the bayes auto rebuild in MailScanner too > if your version has > >>>it). > >>> > >>> > >>> > >>First thing i did was turn off bayes. > >>Yes virus update scaner is running, although i did > see some deferred for > >>600secs messages, > >> > >> > > > >This is normal with the latest versions of > MailScanner. Julian added a delay > >so we wouldn't all hit the ClamAV servers at the top > of the hour. You might > >want to change the delay in your > update_virus_scanners so we don't all hit > >the servers at 600 seconds after the hour. > > > > > Will change that now. Thanks. > > >>but recently i did see it had updated. I have only > >>updated tpo clamavmodule this morning, previously > was just clamav. > >>I have already added Use_pyzor 0 since i couldnt get > it to work (is it a > >>matter of install and then restart MS?) > >> > >> > > > >Form your earlier post: > > > >debug: Pyzor is available: /usr/bin/pyzor > >debug: entering helper-app run mode > >debug: Pyzor: got response: /usr/bin/python2: can't open file > >'/usr/bin/pyzor' > > > >There is something wrong with your Pyzor > installation. You can't open > >/usr/bin/Pyzor. 
Leave > > > >use_pyzor 0 > > > >Set in your spam.assassin.prefs.conf until you get > this sorted out. > > > > > Yep, have left this on since i first tried to install > pyzor, that output > appears in the debug anyway, i havent tried to install > razor2 yet as i > stopp installed stuff when i didnt get pyzor doing, > dcc weas working > fine, but disabled it when these troubles started and > will off for the > time being. All 3 entries exist in > spa,.assassin.prefs.conf usepzyor > 0, razor and dcc. > > >>I turned did skip rbls and this made a huge > difference in reducing the > >>queue size. I have now turned them back on. > >> > >> > > > >This is telling you something. When you turn off > SpamAssassin network > >checks, things improve. When you turn them on things > get worse. You are > >having a problem running network checks. Try running: > > > >spamassassin -D -p > /etc/MailScanner/spam.assassin.prefs.conf --lint > > > >and see if you can see or feel any delays. > > > >Also from your debug output: > >debug: Razor2 is not available > > > >leave use_razor2 0 > > > >off until you get this sorted out. Often this is > caused by not following the > >Install instructions, i.e. running > > > >razor-admin -create > >razor-admin -register > > > >After the install. Go to the razor web site and read > the installation > >documents. > > > > > > > >>I have the leatest stable release, and now i have > turned off auto > >>rebuild too. > >> > >> > > > >>From looking at your debug output you're not trying > to use Bayes at this > >point. > > > > > > > >>Seems like the queue gets reduced, then something > becomes broken again > >>and then queue grows and this repeats - have had > never had a message > >>stuck before, not even one - today there were 120, > this went down to 40 > >>when i made the changes suggested above, then sa > timeouts and back up 100. > >> > >> > > > >They are not stuck, they're just delayed. 
We have > some ISP customer's whose > >incoming queues fluctuate for 2 to 700 message > waiting depending on the time > >of day and spam loads. > > > > > I mentioned this because prior to upgrading i never > ever had any > messages delayed in the queue, now i have a 100 all the time. > > >>I don't really want to turn off SA, I want to stop > spam. SO i will > >>persevere for the rest of the day trying to get this > workiing again. > >>Thanks for your help. > >> > >> > >> > > > >You'll still stop spam with the network checks off - > just not as much. > >SpamAssassin weighs scores differently if network > checks are off so it's not > >as bad as it seems. > > > >And finally > > > >1. What versions of MailScanner and SpamAssassin were > you running before the > >upgrade > >2. What hardware - processor, disks and memory are you using? > >3. What is your daily email volume? > > > >Steve > > > >Stephen Swaney > >President > >Fortress Systems Ltd. > >Steve.Swaney@FSL.com > > > > > > > > > RH9, untouched or upgraded since original installation. > I started with MS4.24-5, postfix 2.16, sa2.60, clamav > .60, mailwatch 3.b > upgraded to > MS 4.27.7, postfix is unchanged and untouched, sa 2.63 > (from source), > clamav .67, mailwatch .4>.51 > > Its a dual P200 (thats two hundred)NEC server, many GB > os spare HDD > space and 512mb RAM. This machine ran perfectly with > the original > versions i installed. We get around 2000 messages per > day on this machine. > > I have been hassling for better hardware now that i > have proven this > works (the plan was to prove it work without spending > any cash) but > company has merged and now boss wont approve new > hardware, he advises if > i need new hardware, must use a P2 400 PC, which i am > not willing to try > with. With this low mail volume i rarely see anymore > than %50 CPU usage > on either cpu. 
> > I was just thinking Julian says to use perl SA, but i > had already > installed from source originally so thought it was > best to upgrade this > way, could this be the killer, i need to remove and > install with cpan? > Or install from cpan and leave the source install alone? > > >-- > >This message has been scanned for viruses and > >dangerous content by Fortress Secure Mail Gateway > >and was found to be clean. > > > >Fortress Systems Ltd. - http://www.fsl.com > > > > > > > > > > > > > wow - thanks for taking the time to help me, much appreciated. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 4 03:33:17 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:23:01 2006
Subject: Stupid answer from McAfee...
Message-ID: <4046A37D.6090400@USherbrooke.ca>

Hello all,

Our security officer contacted McAfee to let them know about our
detection problems with password-protected zip files. Here is their answer:

The reason this is happening is because the archive file when sent is
encrypted as a password protected file. In order for the desktop/server
products to detect these viruses the end-user would need to launch the
.ZIP, manually enter in the password and at that point when the EXE is
written to the local disk a detection would occur. The Perimeter
products and Stinger scan at a top level in which these detections are
taking place because of a generic detection from the signature of the
archive itself. The command line scanner is not able to open the file
without first providing the password.

In other words, they say it is a technical problem that prevents their
command-line utility from detecting password-protected zip files, but they
also say that their small cleaning program (Stinger) and their email
scanning software are able to detect them!

Looks like they want to restrict this capability to some of their
products... a very bad decision!!!

Denis

From pete at eatathome.com.au Thu Mar 4 04:29:05 2004
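Denis's message above, and the "block only encrypted zip files" request elsewhere in this digest, both turn on what a mail gateway can learn from a password-protected zip without the password. The following is an added example, not part of the original posts and not MailScanner's or McAfee's code: it reads the ZIP central directory, where traditional ZIP encryption leaves the per-entry encryption flag and the file names in clear, and returns a gateway verdict. The function names, the verdict strings and the in-memory sample (flag bit set by hand, payload not really encrypted) are assumptions; ZIP64 and archives with an encrypted central directory are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
FLAG_ENCRYPTED = 0x0001    # general purpose bit 0: entry data is encrypted
FLAG_UTF8_NAME = 0x0800    # general purpose bit 11: file name is UTF-8


def read_eocd(data):
    """Return (entry_count, central_directory_offset) from the EOCD record."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record: not a ZIP file")
    fields = struct.unpack_from("<4sHHHHIIH", data, pos)
    return fields[4], fields[6]


def list_entries(data):
    """Return [(name, is_encrypted)] using only cleartext archive metadata."""
    total, pos = read_eocd(data)
    entries = []
    for _ in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        flags, name_len, extra_len, comment_len = f[3], f[10], f[11], f[12]
        raw_name = bytes(data[pos + 46:pos + 46 + name_len])
        codec = "utf-8" if flags & FLAG_UTF8_NAME else "cp437"
        entries.append((raw_name.decode(codec, "replace"),
                        bool(flags & FLAG_ENCRYPTED)))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def gateway_verdict(data):
    """Hypothetical policy: block archives holding any encrypted entry."""
    entries = list_entries(data)
    locked = [name for name, encrypted in entries if encrypted]
    if locked:
        return "block-encrypted", locked
    return "scan-contents", [name for name, _ in entries]


def build_constructed_sample(mark_first_encrypted=True):
    """Constructed sample: a two-entry archive built in memory.

    Python's zipfile cannot write encrypted archives, so the encryption
    flag of the first entry is set by hand in both of its headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("your_picture.pif", b"constructed placeholder bytes")
        zf.writestr("readme.txt", b"plain entry")
    raw = bytearray(buf.getvalue())
    if mark_first_encrypted:
        _total, cd_offset = read_eocd(raw)
        raw[6] |= FLAG_ENCRYPTED              # local file header, flags at +6
        raw[cd_offset + 8] |= FLAG_ENCRYPTED  # central header, flags at +8
    return bytes(raw)


if __name__ == "__main__":
    print(gateway_verdict(build_constructed_sample()))
    print(gateway_verdict(build_constructed_sample(mark_first_encrypted=False)))
```

The entry name stays readable even when the entry is flagged as encrypted, so filename rules can still be applied to such an archive.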
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <4046B091.3010900@eatathome.com.au>

Rick Cooper wrote:

>Sorry to top post, but
>
>Are you sure that Net::CIDR is installed ( I think that
>requirement came after your original install version), and are
>you using a local caching name server? Slow downs in the network
>test arena are many time caused by resolver problems.
>

Have not got internal DNS, all external, and net::cidr is
installed/updated with rpm mailscanner installation. But this got me
thinking, i tried to ping all the servers listed in spam.lists.conf and
i cannot resolve any, me think it is not good. Although i can ping
almost any other domain name i can think of, but not any of the spamlist
ones. I can ping the dcc#.dcc-servers.net found when doing cdcc info.

CPAN shell doesn't work cos it cannot resolve the perl sites.

I have changed nothing regarding DNS or networks. I assume this is the
cause/symptom of my problems? Having spamassassin off is a nightmare and
we are getting heaps of spam.

From mhewryk at SYMCOR.COM Thu Mar 4 05:29:31 2004
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:23:01 2006
Subject: Need a help to understand viruses.to.delete.rules
Message-ID:

Hi,

I probably don't understand what the 'Silent Viruses' option is supposed to
do. My goal is to make the MailScanner stop sending people
(recipients) the notification about the infected emails. To achieve that I
listed all possible viruses under 'Silent Viruses' option in the
MailScanner.conf file.

Silent Viruses = HTML-IFrame All-Viruses Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Netsky Bagle MyDoom

Is the above correct or should I make a list similarly to: Netsky.b
Netsky.c Netsky.d Netsky.f etc... I can see some people list all the
possibilities of viruses' names. /?/

My solution to list all names under 'Silent Viruses' option doesn't work,
people get notified and all viruses are logged in the maillog file.

Should I try with the rules file? What is the difference between listing
the viruses' names under the MailScanner.conf file and the rules file? This
is my second option which I have not tested yet.

Silent Viruses = /etc/MailScanner/rules/viruses.to.delete.rules

Virus: Netsky no
Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
Virus: SCO no
Virus: Dumaru no
Virus: Holar no
Virus: Klez no
Virus: Mimail no
Virus: Swen no
Virus: Valla no
Virus: Bugbear no
Virus: default yes

Thanks,
Magda

From josh at iconz.org Thu Mar 4 05:55:21 2004
From: josh at iconz.org (Josh)
Date: Thu Jan 12 21:23:01 2006
Subject: trouble starting mailscanner
Message-ID: <20040304055524.EB30E6A65A@mail.netspace.net.au>

Hi I'm new to the list,

Having a bit of trouble with the following

Starting MailScanner...
Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.

Line 46 in Message.pm is:
use Archive::Zip qw( :ERROR_CODES );

Line 52 in Mailscanner is:
use MailScanner::Message;

I couldn't find anything in the FAQ about configuring the
/usr/sbin/Mailscanner file or the
/usr/lib/Mailscanner/Mailscanner/Message.pm file.

I am using redhat 7.3 current version of Mailscanner and Sophos

Sorry if this is newbie stuff but this is my first look at mailscanner
and I need to get up and running asap, any help guys?

e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au

thanks in advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/7c3a35ba/attachment.html

From james at grayonline.id.au Thu Mar 4 06:01:32 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:23:01 2006
Subject: ANN: Custom SpamAssassin Rules
Message-ID: <200403041701.15024.james@grayonline.id.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I've done a major over-haul of the custom rules to remove hundreds of
redundant Perl regex matches. Like why the hell was I using ".*\/?\.?" or
"\.?.*" when ".*" would match EXACTLY the same text?

Anyway, if you've used my rules before you may want to grab the latest
version I uploaded a few minutes ago - they made a measurable improvement
in my mail gateway's performance over the previous rule sets :)

http://files.grayonline.id.au/

Any feedback is welcome.

Cheers,

James
- --
Fortune cookies says:
The whole intent of Perl 5's module system was to encourage the growth
of Perl culture rather than the Perl core.
-- Larry Wall in <199705101952.MAA00756@wall.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFARsY8wBHpdJO7b9ERAoSGAJsGdycUv4nLk2BDcAECoCkdbr53bQCfUltR
D+mKIJtxhRzw5fpK6432q58=
=DI3q
-----END PGP SIGNATURE-----

From josh at ICONZ.ORG Thu Mar 4 05:55:21 2004
From: josh at ICONZ.ORG (Josh)
Date: Thu Jan 12 21:23:01 2006
Subject: trouble starting mailscanner
Message-ID: <20040304055524.EB30E6A65A@mail.netspace.net.au>

Hi I'm new to the list,

Having a bit of trouble with the following

Starting MailScanner...
Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.

Line 46 in Message.pm is:
use Archive::Zip qw( :ERROR_CODES );

Line 52 in Mailscanner is:
use MailScanner::Message;

I couldn't find anything in the FAQ about configuring the
/usr/sbin/Mailscanner file or the
/usr/lib/Mailscanner/Mailscanner/Message.pm file.

I am using redhat 7.3 current version of Mailscanner and Sophos

Sorry if this is newbie stuff but this is my first look at mailscanner
and I need to get up and running asap, any help guys?

e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au

thanks in advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/7c3a35ba/attachment-0001.html

From SJCJonker at SJC.NL Thu Mar 4 06:26:16 2004
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:23:01 2006
Subject: trouble starting mailscanner
In-Reply-To: <20040304055524.EB30E6A65A@mail.netspace.net.au>
References: <20040304055524.EB30E6A65A@mail.netspace.net.au>
Message-ID: <4046CC08.7000809@SJC.nl>

Josh,

As mentioned in several places the newest version of mailscanner
requires Archive::Zip cpan module and its dependencies.

Josh said the following on 04-03-04 06:55:
> Hi I'm new to the list,
>
> Having a bit of trouble with the following
>
> Starting MailScanner...
>
> Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner
> /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1
> /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1
> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.6.1/i386-linux
> /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
> /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm
> line 46.
>
> BEGIN failed--compilation aborted at
>
> /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>
> Compilation failed in require at /usr/sbin/MailScanner line 52.
>
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>
> Line 46 in Message.pm is:
>
> use Archive::Zip qw( :ERROR_CODES );
>
> Line 52 in Mailscanner is:
>
> use MailScanner::Message;
>
> I couldn't find anything in the FAQ about configuring the
> /usr/sbin/Mailscanner file or the
> /usr/lib/Mailscanner/Mailscanner/Message.pm file.
>
> I am using redhat 7.3 current version of Mailscanner and Sophos
>
> Sorry if this is newbie stuff but this is my first look at mailscanner
> and I need to get up and running asap, any help guys?
>
> e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au
>
> thanks in advance,
>

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

From christo at IT4AFRICA.CO.ZA Thu Mar 4 07:18:43 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
Message-ID: <009801c401b8$ee7b3a40$660210ac@christoxp>

When I try to install the latest release of MS I must install
Archive::Zip first.

OK here is the problem. I'm running RH9. I do the following.
perl -MCPAN -e shell
install Archive::Zip

And I get the following errors

Removing previously used /root/.cpan/build/Archive-Zip-1.09

CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Archive::Zip
Makefile:88: *** missing separator. Stop.
/usr/bin/make -- NOT OK
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible

I checked to see where my pod2man is and it is there
which pod2man
/usr/bin/pod2man

I need to urgently upgrade to be able to block only encrypted zip files
for we get lots of zip files from customers.

Any help appreciated

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/052f029c/attachment.html

From P.G.M.Peters at utwente.nl Thu Mar 4 07:26:13 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:23:01 2006
Subject: 4.28-4.1
In-Reply-To: <026e01c4014c$8fb8c610$85b8fea9@Laptop>
References: <026e01c4014c$8fb8c610$85b8fea9@Laptop>
Message-ID:

On Wed, 3 Mar 2004 18:23:00 -0000, you wrote:

>I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed
>OK but when I try and restart it I get the following error:-
>
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains:

You need to install Archive::Zip from CPAN.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From cslyon at NETSVCS.COM Thu Mar 4 07:33:15 2004
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
Message-ID:

Give this a try:

LANG=C perl -MCPAN -e shell
install Archive::Zip

That should work if you are using RH9 with the default LANG,
en_US.UTF-8.

-----Original Message-----
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
Sent: Wednesday, March 03, 2004 11:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Unable to install latest release

When I try to install the latest release of MS I must install
Archive::Zip first.

OK here is the problem. I'm running RH9. I do the following.
perl -MCPAN -e shell
install Archive::Zip

And I get the following errors

Removing previously used /root/.cpan/build/Archive-Zip-1.09

CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Archive::Zip
Makefile:88: *** missing separator. Stop.
/usr/bin/make -- NOT OK
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible

I checked to see where my pod2man is and it is there
which pod2man
/usr/bin/pod2man
I need to urgently upgrade to be able to block only encrypted zip files
for we get lots of zip files from customers.

Any help appreciated

From christo at IT4AFRICA.CO.ZA Thu Mar 4 07:39:14 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release {Virus Scanned}
In-Reply-To:
Message-ID: <00a201c401bb$cb1f3a30$660210ac@christoxp>

Thanx That sorted the problem. How would I fix the LANG=C thing.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon
> Sent: 04 March 2004 09:33 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Unable to install latest release {Virus Scanned}
>
>
> Give this a try:
>
> LANG=C perl -MCPAN -e shell
> install Archive::Zip
>
> That should work if you are using RH9 with the defaults LANG,
> en_US.UTF-8.
>
>
> -----Original Message-----
> From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> Sent: Wednesday, March 03, 2004 11:19 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Unable to install latest release
>
> When I try to install the latest release of MS I must install
> Archive::Zip first.
>
> OK here is the problem. I'm running RH9. I do the following.
> perl -MCPAN -e shell install Archive::Zip
>
> And I get the following errors
>
> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>
> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>
> Checking if your kit is complete...
> Looks good
>
> Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you
> execute 'make'
>
> Writing Makefile for Archive::Zip
> Makefile:88: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
> I checked to see where my pod2man is and it is there
> which pod2man
> /usr/bin/pod2man
> I need to urgently upgrade to be able to block only encrypted
> zip files for we get lots of zip files from customers.
>
> Any help appreciated
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks IT For Africa for their support.
>

From P.G.M.Peters at utwente.nl Thu Mar 4 07:37:36 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:23:01 2006
Subject: bagle SpamAssassin rule [SCANNED]
In-Reply-To: <40465ABD.9050209@dalsemi.com>
References: <40465ABD.9050209@dalsemi.com>
Message-ID: <24nd40pvv7a2d9mjbdhhrql2u3fdhm21em@4ax.com>

On Wed, 3 Mar 2004 16:22:53 -0600, you wrote:

>I tried it briefly but was getting more false positives than legitimate
>hits. The problem seemed to be primarily caused by phone numbers
>(specifically, the last four digits) included in the senders signature
>coming after "password". That ".*" is pretty aggressive ;-).

I have had some false positives from security mailing lists where people
discussed this thing. And they of course included samples of the
messages.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From leduc at CTS.COM Thu Mar 4 07:34:10 2004
From: leduc at CTS.COM (Gene & Mary LeDuc)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
In-Reply-To: <009801c401b8$ee7b3a40$660210ac@christoxp>
References: <009801c401b8$ee7b3a40$660210ac@christoxp>
Message-ID: <4046DBF2.4010409@cts.com>

I ran into the same problem on RH 8 this afternoon. In
/etc/sysconfig/i18n find the LANG= line:
LANG="en_US.UTF-8"
and remove the '.UTF-8':
LANG="en_US"
and that should do it (apparently the ".UTF-8" breaks things). Don't
even think about asking me why, I don't have a clue. Someone else on
this list probably knows and may even tell us.

Regards,
Gene

Christo Bezuidenhout wrote:
> When I try to install the latest release of MS I must install
> Archive::Zip first.
>
> OK here is the problem. I'm running RH9. I do the following.
> perl -MCPAN -e shell
> install Archive::Zip
>
> And I get the following errors
>
> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>
> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>
> Checking if your kit is complete...
> Looks good
>
> Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'
>
> Writing Makefile for Archive::Zip
> Makefile:88: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
> I checked to see where my pod2man is and it is there
> which pod2man
> /usr/bin/pod2man
> I need to urgently upgrade to be able to block only encrypted zip files
> for we get lots of zip files from customers.
>
> Any help appreciated

From cslyon at NETSVCS.COM Thu Mar 4 07:55:24 2004
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release {Virus Scanned}
Message-ID:

> -----Original Message-----
> From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> Sent: Wednesday, March 03, 2004 11:39 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Unable to install latest release {Virus Scanned}
>
> Thanx That sorted the problem. How would I fix the LANG=C thing.

You were able to install without any problems?

How to fix it: Check out this FAQ.
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/121.html

I don't know that you want to do it system wide or not! That is your call
because I don't know your setup or what is running on the machine, nor do I
care :)

You can google.com/linux "LANG=C on RH9" for information on how to fix it.

> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon
> > Sent: 04 March 2004 09:33 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Unable to install latest release {Virus Scanned}
> >
> >
> > Give this a try:
> >
> > LANG=C perl -MCPAN -e shell
> > install Archive::Zip
> >
> > That should work if you are using RH9 with the defaults LANG,
> > en_US.UTF-8.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> > Sent: Wednesday, March 03, 2004 11:19 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Unable to install latest release
> >
> > When I try to install the latest release of MS I must install
> > Archive::Zip first.
> >
> > OK here is the problem. I'm running RH9. I do the following.
> > perl -MCPAN -e shell install Archive::Zip
> >
> > And I get the following errors
> >
> > Removing previously used /root/.cpan/build/Archive-Zip-1.09
> >
> >   CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
> >
> > Checking if your kit is complete...
> > Looks good
> >
> > Warning: I could not locate your pod2man program. Please make sure,
> >          your pod2man program is in your PATH before you
> > execute 'make'
> >
> > Writing Makefile for Archive::Zip
> > Makefile:88: *** missing separator.  Stop.
> >   /usr/bin/make  -- NOT OK
> > Running make test
> >   Can't test without successful make
> > Running make install
> >   make had returned bad status, install seems impossible
> >
> > I checked to see where my pod2man is and it is there
> > which pod2man
> > /usr/bin/pod2man
> > I need to urgently upgrade to be able to block only encrypted
> > zip files for we get lots of zip files from customers.
> >
> > Any help appreciated
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > Mailscanner thanks IT For Africa for their support.
> >
> >

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:00:24 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:23:01 2006 Subject: 4.28-4.1 and speed issues.. In-Reply-To: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk> Message-ID: <4046F028.409@solid-state-logic.com> Julian Good Morning. Ok installed Compress::Zlib and speed 'seems' to be better - will let you know after more than 3 minutes of running! Still no luck getting clamavmodule to work though, only seems to work on debug mode and not live...will investigate further after coffee... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > Fixed in the next release. > I have also added the Compress::Zlib and Archive::Zip modules to the RPM > distributions and to the Perl module installation docs on the website. > Getting closer to a stable release... > > At 20:43 03/03/2004, you wrote: > >> Hi >> >> I have just install 4.28-4.1 on 2 MS servers and the first MS server >> marked Bagle zip files as virus and Dangerous. >> The second MS server found the Password-protected archive and put it >> into quarantine BUT didn't marked as virus and Dangerous!! >> And put this in the maillog: >> "Disinfection: Rescan found only 0 viruses" >> >> the first MS server has "Deliver Disinfected Files = no" >> the second "Deliver Disinfected Files = yes" >> >> When I change second MS server to "Deliver Disinfected Files = no" the >> Password-protected archive was marked as virus and Dangerous. 
>> >> /Jan Elmqvist Nielsen > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:08:13 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
In-Reply-To: <4046DBF2.4010409@cts.com>
References: <009801c401b8$ee7b3a40$660210ac@christoxp> <4046DBF2.4010409@cts.com>
Message-ID: <4046F1FD.7060305@solid-state-logic.com>

I'll have a look where this is set in FreeBSD stable, see if it makes
any difference to clamavmodule - doesn't seem to be set on my shell
environment....

Had problems with my Mandrake desktop on this for Mozilla 1.6 and
acrobat reader. ended up popping in little LANG=.... in the scripts
themselves so I didn't break anything else.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Gene & Mary LeDuc wrote:

> I ran into the same problem on RH 8 this afternoon.
>
> In /etc/sysconfig/i18n find the LANG= line:
> LANG="en_US.UTF-8"
> and remove the '.UTF-8':
> LANG="en_US"
>
> and that should do it (apparently the ".UTF-8" breaks things). Don't
> even think about asking me why, I don't have a clue. Someone else on
> this list probably knows and may even tell us.
>
> Regards,
> Gene
>
> Christo Bezuidenhout wrote:
>
>> When I try to install the latest release of MS I must install
>> Archive::Zip first.
>>
>> OK here is the problem. I'm running RH9. I do the following.
>> perl -MCPAN -e shell
>> install Archive::Zip
>>
>> And I get the following errors
>>
>> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>>
>> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>>
>> Checking if your kit is complete...
>> Looks good
>>
>> Warning: I could not locate your pod2man program. Please make sure,
>> your pod2man program is in your PATH before you execute 'make'
>>
>> Writing Makefile for Archive::Zip
>> Makefile:88: *** missing separator. Stop.
>> /usr/bin/make -- NOT OK
>> Running make test
>> Can't test without successful make
>> Running make install
>> make had returned bad status, install seems impossible
>>
>> I checked to see where my pod2man is and it is there
>> which pod2man
>> /usr/bin/pod2man
>> I need to urgently upgrade to be able to block only encrypted zip files
>> for we get lots of zip files from customers.
>>
>> Any help appreciated

From rabellino at DI.UNITO.IT Thu Mar 4 09:04:38 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:23:01 2006
Subject: McAfee PROBLEM !!! (solved)
In-Reply-To: <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> <40461B27.3050204@di.unito.it> <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <4046F126.8070007@di.unito.it>

Denis Beauchemin wrote:

> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote:
>
>>Denis Beauchemin wrote:
>>
>>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote:
>>>
>>>
>>>>Many infected password-protected zip files passed through our McAfee AV
>>>>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since
>>>>midnight.
>>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote:
>>>>
>>>>
>>>>>Good Question, Does DAT 4332 fix it, my understanding was that it
>>>>>handled the unzipping and so forth, and MailScanner interpreted the
>>>>>response, I'm looking for confirmation, I'm running an older version of
>>>>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's
>>>>>necessary.
>>>
>>>
>>>I've taken a look at the Bagle.j detected so far and none were in a zip
>>>file (all were plain pif files).
>>>
>>>So I'd say 4332 is definitely not catching any password-protected Bagle!
>>>
>>>Denis
>>
>>As Bagle encrypt the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a
>>virus encrypted in 999999 different forms ? (the password is 6 integer digits)
>
>
> Sergio,
>
> They can't unzip the file but they can compare its size and some
> checksum they computed on infected zip files.
>

But if the file is encrypted, the checksums and lengths change as the key
used changes, also the filename used inside the zip could be changed randomly
(if Bagle does not do this now, the next variant will....) so the complexity
remains unchanged, a different zip file for every key used....

The only solution is to ban the zip encrypted files.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From raymond at PROLOCATION.NET Thu Mar 4 09:17:23 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:01 2006
Subject: 4.28-4.1 and speed issues..
In-Reply-To: <4046F028.409@solid-state-logic.com>
Message-ID:

Hi!

> Still no luck getting clamavmodule to work though, only seems to work on
> debug mode and not live...will investigate further after coffee...

Did you upgrade to the latest perl module version like i posted last night ?
Switched back to clamlib on all my boxes, works fine.

Bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:26:30 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:01 2006
Subject: Clamavmodule (was 4.28-4.1 and speed issues..)
In-Reply-To:
References:
Message-ID: <4046F646.2030108@solid-state-logic.com>

Raymond

yeah - installed 0.06 from CPAN, just seems to hang somewhere
initialising the thing - ie straight after the Savi message and my virus
scanners are 'sophossavi clamavmodule' in that order.

running ClamAV 0.67 as well so I'm sure where to look right now..

odd that it runs fine in debug mode, and a lot quicker too, just makes me
wonder if the problems aren't related???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Raymond Dijkxhoorn wrote:

> Hi!
>
>
>>Still no luck getting clamavmodule to work though, only seems to work on
>>debug mode and not live...will investigate further after coffee...
>
>
> Did you upgrade to the latest perl module version like i posted last night ?
> Switched back to clamlib on all my boxes, works fine.
>
> Bye,
> Raymond

From john at TRADOC.FR Thu Mar 4 09:30:10 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:23:01 2006
Subject: Report text for password protected archive
Message-ID: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr>

Just upgraded to 4.28.4, and minutes later a Bagle shows up.

> Subject: E-mail account disabling warning.
> Report: Message contained password-protected archive

How about prefixing the report text with "MailScanner:", for consistency
with other virus reports - and to show that MS itself is the bees'
knees!

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From Peter.Bates at LSHTM.AC.UK Thu Mar 4 09:12:40 2004
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:23:01 2006
Subject: Quick fix for encrypted zip problem?
Message-ID:

Hello all...

I know this is a rather *hot* topic for discussion at the moment, but I was
just glancing at part of MailScanner, or rather SweepViruses.pm

SweepViruses.pm: if ($line =~ /\s\sNot scanned \(encrypted\)/ ||

... obviously it's an evil hack, but seeing as my system (either Sophos with
SAVI or something else) is reporting these zip files as 'encrypted', is there
any way the check above can be changed quickly to assume that such a file
*is* infected?

... oh, and thanks to 'shrek-m' on the list for a solution using a ruleset
and filename rules, but my users still weren't happy... ho-hum.

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From kfliong at WOFS.COM Thu Mar 4 10:09:46 2004
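The check that Sergio Rabellino's "ban the encrypted zip files" and Peter Bates's question both come down to, as an added example that is not part of the thread and not MailScanner's own code. A ZIP entry's encryption marker is bit 0 of its general-purpose flag, stored unencrypted in both the local and the central header, so an archive can be flagged without the password; the function names and the sample archive are constructed for this illustration.

```python
import io
import zipfile
import struct

ENCRYPTED_BIT = 0x0001                         # general-purpose flag bit 0: entry is encrypted
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of a ZIP local file header

# The two report strings quoted in this thread.
REPORT_UNREADABLE = "Message contained archive which could not be read"
REPORT_PROTECTED = "Message contained password-protected archive"


def encrypted_members(data):
    """Return names of entries whose central OR local header sets the encryption bit."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # reads the central directory only
        for info in zf.infolist():
            start = info.header_offset
            raw = data[start:start + LOCAL_HEADER.size]
            if len(raw) < LOCAL_HEADER.size:
                raise zipfile.BadZipFile("truncated local header")
            signature, _version, local_flags = LOCAL_HEADER.unpack(raw)[:3]
            if signature != b"PK\x03\x04":
                raise zipfile.BadZipFile("bad local header signature")
            # The two header copies can disagree; believe whichever says "encrypted".
            if (info.flag_bits | local_flags) & ENCRYPTED_BIT:
                flagged.append(info.filename)
    return flagged


def classify_attachment(data):
    """Return a report string, or None if the archive can be scanned normally."""
    try:
        flagged = encrypted_members(data)
    except (zipfile.BadZipFile, NotImplementedError, ValueError, OSError):
        return REPORT_UNREADABLE
    return REPORT_PROTECTED if flagged else None


def build_sample(mark_local=False, mark_central=False):
    """Constructed sample: a one-entry stored ZIP of harmless text, with the
    encryption bit optionally set in the local and/or central header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"constructed sample, plain text only")
    raw = bytearray(buf.getvalue())
    # Flag field sits at offset 6 in the local header and offset 8 in the central one.
    for signature, flag_offset, wanted in (
        (b"PK\x03\x04", 6, mark_local),
        (b"PK\x01\x02", 8, mark_central),
    ):
        if wanted:
            raw[raw.index(signature) + flag_offset] |= ENCRYPTED_BIT
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "plain": build_sample(),
        "flag in central directory": build_sample(mark_central=True),
        "flag in local header only": build_sample(mark_local=True),
        "truncated": build_sample()[:40],
    }
    for label, blob in samples.items():
        print(f"{label:28} -> {classify_attachment(blob)}")
```

Checking the local header as well as the central directory matters because a scanner that reads only one copy can be shown a clean flag there while the other copy marks the entry as encrypted.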
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:23:01 2006
Subject: changing spamassassin points configuration
Message-ID: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>

So in other word, I just have to let the user stop getting some mails
(even though some might be important) while waiting for SA to learn that the
sender is not sending spams?

At 05:20 AM 3/4/2004, you wrote:
>Julian Field wrote:
>
>>Stuff that isn't spam.
>>
>>At 11:41 03/03/2004, you wrote:
>>
>>>err...what's "ham"?
>>>
>>>At 07:09 PM 3/3/2004, you wrote:
>>>
>>>>kfliong wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I have this email which is not spam but have a score of 5.642 which is
>>>>>high
>>>>>as default of more than 5 is considered spam.
>>>>>
>>>>>Can I know how I can reduce the score?
>>>>>
>>>>>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
>>>>>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE
>>>>>0.10,
>>>>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A
>>>>>0.20)
>>>>>
>>>>>Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING
>>>>>2.30....where can i get more details on what those score means? Does
>>>>>mailscanner uses a different config file for controlling spamassassin?
>>>>>
>>>>>thanks in advance
>>>>>
>>>>>
>>>>>thanks
>>>>Isn't this a situation for learning as ham? I am NO expert, but if you
>>>>have no other method maybe turn on archiving till you get a copy of
>>>>this
>>>>message, then sa-learn it as ham?:
>>>
>>>
>>>thanks
>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>Since i think Julian's comment is confirmation - this is the sort of
>thing that using Bayesian Learning (Bayes) with spam assassin will fix.
>
>I am not well versed enough to try and explain it, so have a search
>through the list archives, or google, its works plenty good with
>mailscanner and spam assassin.
thanks From rggarcia at IMGAME.NET Thu Mar 4 10:18:07 2004 From: rggarcia at IMGAME.NET (Rosaldo Garcia) Date: Thu Jan 12 21:23:01 2006 Subject: redhat advance server + postfix + mailscanner Message-ID: Hello, Why is it when i try to put an # on ( smtp inet n - y - - smtpd ) under /etc/postfix/master.cf, i get this error The TCP/IP connection was unexpectedly terminated by the server. (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number 0x800ccc0f I successfully installed MailScanner and my postfix runs without error message when i put the # back. Here is the links for all the instructions ive just followed http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml Any help is much appreciated. - Ross From Matthew.Day at BUCKINGHAM.AC.UK Thu Mar 4 10:24:13 2004 From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day) Date: Thu Jan 12 21:23:01 2006 Subject: Stupid answer from McAfee... Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D57BCF@GILA> > In other words, they say it is a technical problem that > prevents their command-line utility to detect > password-protected zip files, but they also say that their > small cleaning program (Stinger) and their email scanning > software are able to detect them! This ties in with what we're seeing; GroupShield for Exchange spots the virus but Virus Scan for Linux doesn't. IMHO McAfee are shooting themselves in the foot here, they've just given us another reason to switch when the license comes up for renewal. As if the pop-up ads on their virus info pages weren't reason enough - when you're in the midst of a virus outbreak you don't want to have to fight through popups to get at the info you need. Matthew Day University of Buckingham From danielk at AVALONPUB.COM Thu Mar 4 10:25:22 2004 
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:23:01 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>
References: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>
Message-ID: <40470412.5080101@avalonpub.com>

kfliong wrote:

> So in other word, I just have to let the user stop getting some mails
> (even though some might be important) while waiting for SA to learn
> that the
> sender is not sending spams?
>

If you have a copy of the email you can teach it to SA by using the
command "sa-learn". See "man sa-learn" or the list archives for more info.

In summary, have a copy of the mail as either a single file with the headers
and body or a bunch of them in a mbox style mailbox and run the command (as
the same user that MS runs as):

sa-learn --ham filename

Daniel

From dot at DOTAT.AT Thu Mar 4 10:26:02 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:23:01 2006
Subject: Stupid answer from McAfee...
In-Reply-To:
Message-ID:

Denis Beauchemin wrote:
>
>In other words, they say it is a technical problem that prevents their
>command-line utility to detect password-protected zip files, but they
>also say that their small cleaning program (Stinger) and their email
>scanning software are able to detect them!

The extra.dat files from the webimmune site enable the command-line
scanner to identify them too.

>Looks like they want to restrict this capability to some of their
>products... a very bad decision!!!

Aaargh.

Tony.
--
f.a.n.finch http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTH 4 OR 5 GRADUALLY DECREASING 1 OR 2 AND
BECOMING VARIABLE. RAIN FOR A TIME. GOOD DECREASING MODERATE IN RAIN. SLIGHT
TO MODERATE BUILDING MODERATE, LATER DECAYING SLIGHT.

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:35:51 2004
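Reading the SpamCheck header from kfliong's question above, as an added example that is not part of the thread or of MailScanner: it parses the value into per-rule points, ranks them, and recomputes the total with one rule left out, here BAYES_90, the rule that the sa-learn advice is meant to influence. Function names are illustrative, the sample value is copied from the message with its line wrapping removed, and the "score at or above required means spam" comparison is an assumption of the example.

```python
import re

# Header value copied from the message above (line wrapping removed).
SAMPLE = (
    "spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, "
    "DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, "
    "HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)"
)

_HEADER = re.compile(r"^(?P<verdict>[^,]+),\s*SpamAssassin\s*\((?P<fields>.*)\)$")
_RULE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<points>-?\d+(?:\.\d+)?)$")


def parse_spamcheck(value):
    """Parse a 'spam, SpamAssassin (score=..., required ..., RULE pts, ...)' value."""
    text = " ".join(value.split())            # undo header folding and extra spaces
    match = _HEADER.match(text)
    if not match:
        raise ValueError("not a SpamAssassin SpamCheck value")
    report = {"verdict": match["verdict"].strip(), "score": None,
              "required": None, "rules": {}}
    for field in (f.strip() for f in match["fields"].split(",")):
        if field.startswith("score="):
            report["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            report["required"] = float(field.split()[1])
        else:
            rule = _RULE.match(field)
            if not rule:
                raise ValueError("unrecognised field: %r" % field)
            report["rules"][rule["name"]] = float(rule["points"])
    if report["score"] is None or report["required"] is None:
        raise ValueError("score or required threshold missing")
    return report


def top_contributors(report, count=3):
    """Rules sorted by points, highest first."""
    ranked = sorted(report["rules"].items(), key=lambda item: item[1], reverse=True)
    return ranked[:count]


def score_without(report, rule_name):
    """Total score if one rule had not fired."""
    return round(report["score"] - report["rules"][rule_name], 3)


def still_spam_without(report, rule_name):
    # Assumption of this example: a message is spam when score >= required.
    return score_without(report, rule_name) >= report["required"]


if __name__ == "__main__":
    parsed = parse_spamcheck(SAMPLE)
    for name, points in top_contributors(parsed):
        print(f"{name:22} {points:5.2f}")
    print("without BAYES_90:", score_without(parsed, "BAYES_90"),
          "still spam:", still_spam_without(parsed, "BAYES_90"))
```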
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:01 2006 Subject: Report text for password protected archive In-Reply-To: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr> References: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr> Message-ID: <6.0.1.1.2.20040304103527.03bdde20@imap.ecs.soton.ac.uk> At 09:30 04/03/2004, you wrote: >Just upgraded to 4.28.4, and minutes later a Bagle shows up. > > > Subject: E-mail account disabling warning. > > Report: Message contained password-protected archive > >How about prefixing the report text with "MailScanner:", for consistency >with other virus reports - and to show that MS itself is the bees' >knees! Good idea. I have moved the report strings into languages.conf so they can be translated too. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:39:02 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:01 2006 Subject: Calling all translators Message-ID: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Hi folks! It's translation time again. I would like you all to translate these strings into your language of choice. They are used when unreadable or protected archives and zip files are found. Message contained archive which could not be read Message contained password-protected archive Many thanks. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:08:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Need a help to understand viruses.to.delete.rules
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040304100734.03b3e078@imap.ecs.soton.ac.uk>

At 05:29 04/03/2004, you wrote:
>Hi,
>I probably don't understand what the 'Silent Viruses' option supposed to do.
>
>My goal is to make the MailScanner to stop sending people (recipients) the
>notification about the infected emails. To achieve that I listed all
>possible viruses under 'Silent Viruses' option in the MailScanner.conf file.
>
>Silent Viruses = HTML-IFrame All-Viruses Klez Yaha-E Bugbear Braid-A
>WinEvar Palyh Sobig Fizzer Netsky Bagle MyDoom

That would work for those named viruses.

>Is the above correct or I should make a list similarly to: Netsky.b Netsky.c
>Netsky.d Netsky.f etc... I can see some people list all the possibilities
>of viruses' names. /?/

You don't need to. Just set
Silent Viruses = All-Viruses
and it will stop notifications for any of them, assuming you have a recent
enough version of MailScanner. Check the comments above the Silent Viruses
setting, it should mention this.

>My solution to list all names under 'Silent Viruses' option doesn't work,
>people gets notified and all viruses are logged in the maillog file.
>
>
>Should I try with the rules file? What is the difference between listing
>the viruses' names under the MailScanner.conf file and the rules file?
>
>This is my second option which I have not tested yet.
>Silent Viruses = /etc/MailScanner/rules/viruses.to.delete.rules
>
>Virus: Netsky no
>Virus: Bagle no
>Virus: MyDoom no
>Virus: NoVarg no
>Virus: SCO no
>Virus: Dumaru no
>Virus: Holar no
>Virus: Klez no
>Virus: Mimail no
>Virus: Swen no
>Virus: Valla no
>Virus: Bugbear no
>Virus: default yes
>
>
>Thanks,
>Magda

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:05:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <20040304021154.488EF21C29A@mail.fsl.com>
References: <404681D1.2040902@eatathome.com.au> <20040304021154.488EF21C29A@mail.fsl.com>
Message-ID: <6.0.1.1.2.20040304100442.03dfad08@imap.ecs.soton.ac.uk>

At 02:11 04/03/2004, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Pete
> > Sent: Wednesday, March 03, 2004 8:10 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: DOS attacked :(
> >
> > Kevin Spicer wrote:
> >
> > >Is update_virus_scanners running? If for some reason a scanner update
> > >hangs MailScanner will stop processing mail. If this is the case please
> > >post which scanner is the problem so that timeout code can be added to
> > >its wrapper script.
> > >
> > >Is SpamAssassin trying to use pyzor? Make sure its not if it isn't
> > >working properly.
> > >
> > >Maybe turn SA off for a while to catch up? Or just turn off all SA's
> > >network checks.
> > >
> > >Maybe the bayes database is causing a problem, try turning off bayes
> > >(turn off the bayes auto rebuild in MailScanner too if your version has
> > >it).
> > >
> > >
> >
> > First thing i did was turn off bayes.
> > Yes virus update scanner is running, although i did see some deferred for
> > 600secs messages,
>
>This is normal with the latest versions of MailScanner. Julian added a delay
>so we wouldn't all hit the ClamAV servers at the top of the hour. You might
>want to change the delay in your update_virus_scanners so we don't all hit
>the servers at 600 seconds after the hour.

It delays the cron job by a random amount up to 600 seconds, not just 600
seconds every time. If you check the syslog message you will find it says
this:
"Delaying cron job up to 600 seconds"

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:06:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Spamassassin (RPM) install path
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20040304100603.04026860@imap.ecs.soton.ac.uk>

At 03:11 04/03/2004, you wrote:
> >-----Original Message-----
> >From: Ben [mailto:list@souil.com]
> >Sent: 3 March, 2004 22:09
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Spamassassin (RPM) install path
> >
> >
> >Dear All,
> >
> >My Spamassassin installed as the RPM and also as the perl
> >module(Mail::SpamAssassin). So how should i fill the
> >"SpamAssassin Install Prefix" in the MailScanner.conf ?

Leave it blank.

>Just remove the rpm. Test in debug. Reinstall from cpan or source if
>necessary.
>
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 10:43:17 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:01 2006 Subject: Report text for password protected archive Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B12@pascal.priv.bmrb.co.uk> Julian Field wrote: > Good idea. I have moved the report strings into > languages.conf so they can > be translated too. Quick point, before this makes it into 'stable' I had to edit the reports to remove references to ~ change the name or put in a zip to avoid this constraint. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From pete at eatathome.com.au Thu Mar 4 11:05:06 2004 
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <404672C1.4010508@eatathome.com.au>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au>
Message-ID: <40470D62.1090700@eatathome.com.au>

Pete wrote:

> Stephen Swaney wrote:
>
>> I'm top posting so this won't get lost. This was written by one of our
>> clients to handle a really severe Joe-job. His name shall be revealed
>> if he
>> lets me, but I don't know if he wants the credit for breaking RFC 1123
>> (this certainly does). This deletes any incoming email that has a return
>> address of "<>".
>>
>> BE CAREFUL WITH THE TABS. Don't cut 'n paste this tabs must separate the
>> Left hand side from the right hand side rules and comments. They have
>> been
>> lost in the email transmission. You'll know if you've missed a tab because
>> sendmail will croak when you try and start it.
>>
>> I can't verify that this works but he insisted it saved his axx. He
>> was so
>> upset by the attack he stayed up for 30 hours straight and learned to
>> write
>> sendmail.cf files from scratch. No Small feat.
>>
>> Possibly some sendmail guru who's not battling the bagel will be kind
>> enough
>> to put the hack into a sendmail.mc format.
>>
>> ------------------ snip -----------------------------
>> ######################################################################
>> ######################################################################
>> #####
>> ##### REWRITING RULES
>> #####
>> ######################################################################
>> ######################################################################
>> #Added by XXX to handle joe job on 020404
>>
>> HSubject: $>Check_Subject1
>> D{MPat}Returned
>> SCheck_Subject1
>> R${MPat} $* $#discard
>>
>>
>> ######################################################################
>> ### check_mail -- check SMTP `MAIL FROM:' command argument
>> ######################################################################
>>
>> SLocal_check_mail
>> Scheck_mail
>> R$* $: $1 $| $>"Local_check_mail" $1
>> R$* $| $#$* $#$2
>> R$* $| $* $@ $>"Basic_check_mail" $1
>>
>> SBasic_check_mail
>> # check for deferred delivery mode
>> R$* $: < $&{deliveryMode} > $1
>> R< d > $* $@ deferred
>> R< $* > $* $: $2
>>
>> # authenticated?
>> R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
>> R$* $| $#$+ $#$2
>> R$* $| $* $: $1
>>
>> #modified by XXX to handle joe job on 020404 Note: org line above
>> #R<> $@ we MUST accept <> (RFC 1123)
>> R<> $@ $#discard we MUST accept <> (RFC 1123)
>> R$+ $: $1
>> R<$+> $: <@> <$1>
>> R$+ $: <@> <$1>
>> R$* $: $&{daemon_flags} $| $1
>> R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
>> R$* u $* $| <@> < $* > $: < $3 >
>> R$* $| $* $: $2
>> # handle case of @localhost on address
>> ------------------ snip -----------------------------
>>
>>
>> Steve
>>
>> Stephen Swaney
>> President
>> Fortress Systems Ltd.
>> Steve.Swaney@FSL.com
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>> Behalf Of Pete
>>> Sent: Wednesday, March 03, 2004 6:08 PM
>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>> Subject: DOS attacked :(
>>>
>>> What should i do to rectify or prevent this? Nothing leave it to MS?
>>>
>>> Load average is stuck on 7 and almost nothing is working on this
>>> machine, even ssh commands have a 10sec delay.
>>>
>>> Will deleting the offending email be the entire solution?
>>>
>>>
>>> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
>>> Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from adl0133.systems.sa.gov.au[143.216.236.20]
>>> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=, relay=none, delay=0, status=deferred (deferred transport)
>>> Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
>>> Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for clamav
>>> Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
>>> Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
>>> Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
>>> Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
>>> Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need updating
>>> Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
>>> Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and >>> was killed, consecutive failure 13 of 20 >>> Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: >>> hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: >>> Host not found >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still >>> being delivered >>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still >>> being delivered >>> Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and >>> was killed, consecutive failure 14 of 20 >>> Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and >>> was killed, consecutive failure 15 of 20 >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> Fortress Systems Ltd. >>> www.fsl.com >>> >>> >>> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by Fortress Secure Mail Gateway >> and was found to be clean. 
>> >> Fortress Systems Ltd. - http://www.fsl.com >> >> >> >> >> >> > Sorry, I wasn't clear enough - this is a postfix 2.016 - working > perfectly until this morning, even after upgrade yesterday and added DCC > and pyzor, although pyzor never worked and I didn't get a chance to look > at it yet. I have tried changing the accelerated scanning mode to 40 (I > assume this means when the queue is 40+ deep it will accelerate the > scanning mode?) > > Can someone tell me how to use postfix to display the amount of > messages in the queue from command line, or any other useful postfix > commands? I did mailq -v but this displays nothing. > > The latest change I made was to clamavmodule from regular clamav, tried > changing it back but no luck. Attached is my debug, nothing seems really > obviously broken? > > Attached also is a log sample, complete, from immediately after a service > MailScanner restart > > It's getting worse and all I see is 100+ messages in the queue, changed > the batch mode to only do 10 at once but still all I get in the > maillog is > Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was > killed, consecutive failure 8 of 20 > > Thanks in advance for ANY help I can get on this, it's a big problem and > it's getting worse by the minute :( > I am convinced this isn't entirely a spamassassin problem. Have had SA switched off for 6+ hours now and still see messages having to be requeued (this happens when they are too old I believe?) and the queue building up to 10, at least it's not 100, but it's a slow time of day here (evening). Anyone got any suggestions on this problem, it doesn't appear as though it's going away by itself as I absolutely cannot have spamassassin running or no messages are ever scanned. Is it possible/necessary to uninstall the SA source install and install from cpan, would this help? If not, how do I downgrade? 
I would like to go back to my original versions that worked, its a long weekend end here after tomorrow and i cant leave it for 3 days not scanning any spam. :( Appreciate any suggestions or pointers to get this resolved, am really getting desperate. From miguelk at konsultex.com.br Thu Mar 4 11:07:45 2004 From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Thu Jan 12 21:23:02 2006 Subject: Calling all translators In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Message-ID: <20040304110341.M98332@konsultex.com.br> Julian; Portuguese = A menssagem contem um anexo comprimido que não pode ser lido. A menssagem contem um anexo comprimido protegido com senha. Spanish = El mensaje contiene un anexo comprimido que no se puede leer. El mensaje contiene un anexo comprimido protegido con clave. Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message ----------- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thu, 4 Mar 2004 10:39:02 +0000 Subject: Calling all translators > Hi folks! > > It's translation time again. I would like you all to translate these > strings into your language of choice. They are used when unreadable or > protected archives and zip files are found. > > Message contained archive which could not be read > > Message contained password-protected archive > > Many thanks. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Esta mensagem foi verificada pelo sistema de antivírus e > acredita-se estar livre de perigo. ------- End of Original Message ------- -- Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo. From P.G.M.Peters at utwente.nl Thu Mar 4 11:13:25 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:23:02 2006 Subject: Calling all translators (dutch) In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Message-ID: On Thu, 4 Mar 2004 10:39:02 +0000, you wrote: >It's translation time again. I would like you all to translate these >strings into your language of choice. They are used when unreadable or >protected archives and zip files are found. > > Message contained archive which could not be read Het bericht bevat een archief dat niet gelezen kan worden. > Message contained password-protected archive Het bericht bevat een archief dat met een wachtwoord is beveiligd. Julian, I saw a couple of new report-files which aren't translated yet to all languages. Need them too? -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From pete at eatathome.com.au Thu Mar 4 11:26:08 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:02 2006 Subject: DOS attacked :( In-Reply-To: References: Message-ID: <40471250.1080407@eatathome.com.au> So you're sure that's all I have to do, no messing about and trying to learn bind? If I have to learn to drive Bind I am not going to bother, but if it's a matter of just starting it up, am happy to try, even will try right now. Other thing I wanted to know was whether an upgrade to 4.28.8-4 would be the shot? Or stick with latest stable? >Sorry, I thought you said you installed from source. > >Have you thought about enabling named (/etc/init.d/named start) >on your box, the default would be just a caching name server but >it would resolve from root servers without using the external DNS >servers as the default and set your /etc/resolv.conf to something >like > >options ndots:1 >nameserver 127.0.0.1 >nameserver current.ns.1.address >nameserver current.ns2.address >multi on > >then /etc/init.d/network restart > >You may well see a noticeable improvement with RBLS and such that >require a lot of DNS lookups. If it helps just add/enable with >chkconfig > > > > > > From wkuiters at FREE.FR Thu Mar 4 11:25:28 2004 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:23:02 2006 Subject: Calling all translators In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Message-ID: <20040304112528.GB2055@bragann> On Thu, Mar 04, 2004 at 10:39:02AM +0000, Julian Field wrote: > Hi folks! > > It's translation time again. I would like you all to translate these > strings into your language of choice. They are used when unreadable or > protected archives and zip files are found. > > Message contained archive which could not be read (Dutch) "Bericht bevatte een bestand wat niet gelezen kon worden" > Message contained password-protected archive (Dutch) "Bericht bevatte een met wachtwoord beschermd bestand" > > Many thanks. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From rcooper at DWFORD.COM Thu Mar 4 11:26:25 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:02 2006 Subject: DOS attacked :( In-Reply-To: <4046B091.3010900@eatathome.com.au> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Pete > Sent: Wednesday, March 03, 2004 11:29 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: DOS attacked :( > > > Rick Cooper wrote: > > >Sorry to top post, but > > > >Are you sure that Net::CIDR is installed (I think that > >requirement came after your original install version), and are > >you using a local caching name server? Slow downs in the network > >test arena are many times caused by resolver problems. > > > > > > > > > Have not got internal DNS, all external, and net::cidr is > installed/updated with rpm mailscanner installation. > > But this got me thinking, I tried to ping all the servers listed in > spam.lists.conf and I cannot resolve any, methinks it's not good. > Although I can ping almost any other domain name I can think of, but not > any of the spamlist ones. I can ping the dcc#.dcc-servers.net found when > doing cdcc info. > > CPAN shell doesn't work cos it cannot resolve the perl sites. > > I have changed nothing regarding DNS or networks. I assume this is the > cause/symptom of my problems? > > Having spamassassin off is a nightmare and we are getting heaps of spam. > > -- Run Makes you wonder if your ISP changed name servers on you, or you have a firewall problem. Change /etc/resolv.conf

options ndots:1
nameserver 127.0.0.1
nameserver put current ns1 address here
nameserver put current ns2 address here
multi on

then /etc/init.d/named start then /etc/init.d/network restart and try your test again. If your resolver isn't working you will have *very* slow network tests as you will be waiting for each outbound to time out. With a caching name server running you will see improvements in many things with your mail service. Rick From pete at eatathome.com.au Thu Mar 4 11:30:11 2004 
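Rick Cooper's reply above turns on one point: if the resolver cannot answer, every blocklist lookup waits out its full timeout, and the waits add up. The following is an added example, not part of any message in this thread, that measures this per zone. It assumes spam.lists.conf holds "name zone." pairs and uses the conventional DNSBL test record 127.0.0.2; the zone names, the 192.0.2.53 address and fake_resolver are constructed so the check runs offline.

```python
"""Added example: confirm blocklist zones resolve before blaming the scanner."""
import socket
import threading
import time

# Constructed sample in the "name  zone." layout assumed for spam.lists.conf.
SAMPLE_SPAM_LISTS = """\
# name            DNS zone
example-rbl-a     rbl-a.example.
example-rbl-b     rbl-b.example.
example-rbl-c     rbl-c.example.
"""

# Constructed resolv.conf with the local caching server listed first.
SAMPLE_RESOLV_CONF = """\
options ndots:1
nameserver 127.0.0.1
nameserver 192.0.2.53
"""


def parse_spam_lists(text):
    """Return (name, zone) pairs, skipping blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1].rstrip(".")))
    return entries


def nameservers(resolv_conf_text):
    """Return nameserver addresses in the order the resolver tries them."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def probe(zone, resolver=socket.gethostbyname, timeout=3.0):
    """Look up the 127.0.0.2 test record in `zone` under a hard deadline."""
    qname = "2.0.0.127." + zone + "."   # octets reversed, fully qualified
    outcome = {}

    def worker():
        try:
            outcome["answer"] = resolver(qname)
        except OSError as exc:          # socket.gaierror is an OSError
            outcome["error"] = str(exc)

    # Daemon thread: a hung lookup cannot keep the program alive.
    thread = threading.Thread(target=worker, daemon=True)
    started = time.monotonic()
    thread.start()
    thread.join(timeout)
    elapsed = time.monotonic() - started
    if thread.is_alive():
        return "timeout", elapsed
    if "error" in outcome:
        return "unresolved", elapsed
    return "ok", elapsed


def check_zones(entries, resolver=socket.gethostbyname, timeout=3.0):
    """Probe each zone in turn; return per-list status and total wait."""
    report, total = {}, 0.0
    for name, zone in entries:
        status, elapsed = probe(zone, resolver, timeout)
        report[name] = status
        total += elapsed
    return report, total


def fake_resolver(qname):
    """Constructed stand-in for DNS: one answer, one failure, one hang."""
    if "rbl-a" in qname:
        return "127.0.0.2"
    if "rbl-b" in qname:
        raise socket.gaierror("Name or service not known")
    time.sleep(0.5)
    return "127.0.0.2"


if __name__ == "__main__":
    servers = nameservers(SAMPLE_RESOLV_CONF)
    print("resolver order:", servers)
    if servers[:1] != ["127.0.0.1"]:
        print("warning: local caching name server is not tried first")
    report, total = check_zones(parse_spam_lists(SAMPLE_SPAM_LISTS),
                                fake_resolver, timeout=0.2)
    for name, status in report.items():
        print(f"{name:15s} {status}")
    print(f"serial wait for one message: {total:.2f}s")
```

Pass the contents of the real files and drop the resolver argument to test against live DNS; a run where most zones report "timeout" points at the resolver, not at SpamAssassin.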
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:02 2006 Subject: Unable to install latest release In-Reply-To: <4046F1FD.7060305@solid-state-logic.com> References: <009801c401b8$ee7b3a40$660210ac@christoxp> <4046DBF2.4010409@cts.com> <4046F1FD.7060305@solid-state-logic.com> Message-ID: <40471343.2000703@eatathome.com.au> Martin Hepworth wrote: > I'll have a look where this is set in FreeBSD stable, see if it makes > any difference to clamavmodule - doesn't seem to be set on my shell > environment.... > > Had problems with my Mandrake desktop on this for Mozilla 1.6 and > acrobat reader. Ended up popping in little LANG=.... in the scripts > themselves so I didn't break anything else. > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Gene & Mary LeDuc wrote: > >> I ran into the same problem on RH 8 this afternoon. >> >> In /etc/sysconfig/i18n find the LANG= line: >> LANG="en_US.UTF-8" >> and remove the '.UTF-8': >> LANG="en_US" >> >> and that should do it (apparently the ".UTF-8" breaks things). Don't >> even think about asking me why, I don't have a clue. Someone else on >> this list probably knows and may even tell us. >> >> Regards, >> Gene >> >> Christo Bezuidenhout wrote: >> >>> When I try to install the latest release of MS I must install >>> Archive::Zip first. >>> >>> OK here is the problem. I'm running RH9. I do the following. >>> perl -MCPAN -e shell >>> install Archive::Zip >>> >>> And I get the following errors >>> >>> Removing previously used /root/.cpan/build/Archive-Zip-1.09 >>> >>> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz >>> >>> Checking if your kit is complete... >>> Looks good >>> >>> Warning: I could not locate your pod2man program. Please make sure, >>> your pod2man program is in your PATH before you execute 'make' >>> >>> Writing Makefile for Archive::Zip >>> Makefile:88: *** missing separator. Stop. 
>>> /usr/bin/make -- NOT OK >>> Running make test >>> Can't test without successful make >>> Running make install >>> make had returned bad status, install seems impossible >>> >>> I checked to see where my pod2man is and it is there >>> which pod2man >>> /usr/bin/pod2man >>> I need to urgently upgrade to be able to block only encrypted zip files >>> for we get lots of zip files from customers. >>> >>> Any help appreciated >> > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > > Unless I set LANG=C I can't compile loads of stuff on RH9, so now it's the first thing I do, and now I learnt from a perl God (Julian) that it's also important to remove the utf stuff, who knows why... The below works fine for me now, others have said LANG=en_US is good, but I don't know the difference, in regards to effect on the workings of perl or MS.

LANG="C"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"
~

From rcooper at DWFORD.COM Thu Mar 4 11:33:42 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:02 2006 Subject: trouble starting mailscanner In-Reply-To: <20040304055524.EB30E6A65A@mail.netspace.net.au> Message-ID: -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Josh Sent: Thursday, March 04, 2004 12:55 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: trouble starting mailscanner Hi I'm new to the list, Having a bit of trouble with the following Starting MailScanner... Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. Line 46 in Message.pm is: use Archive::Zip qv( :ERROR_CODES ); Line 52 in Mailscanner is: Use Mailscanner: :Message; I couldn't find anything in the FAQ about configuring the /usr/sbin/Mailscanner file or the /usr/lib/Mailscanner/Mailscanner/Message.pm file. I am using redhat 7.3 current version of Mailscanner and Sophos Sorry if this is newbie stuff but this is my first look at mailscanner and I need to get up and running asap, any help guys.? 
e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au thanks in advance, [Rick Cooper] I believe running (one line no wrap):

cpan -i Parse::RecDescent Inline::MakeMaker Net::CIDR IO::Stringy MIME::Base64 M/MA/MARKOV/MailTools-1.60.tar.gz File::Spec HTML::Tagset HTML::Parser MIME::Tools File::Temp DB_File Convert::TNEF Mail::ClamAV Archive::Zip

Will get you about everything you need to get MailScanner running but you really should use the patched version of MIME::Tools from the MailScanner site http://www.sng.ecs.soton.ac.uk/mailscanner/files/modules/MIME-tools-5.411-patched.tar.gz and this assumes you have cpan installed (can't imagine why it wouldn't be) Rick -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/5b40d5bf/attachment.html From lists at DVD-GOETSCH.DE Thu Mar 4 11:43:20 2004 From: lists at DVD-GOETSCH.DE (sebastian ruchti) Date: Thu Jan 12 21:23:02 2006 Subject: Calling all translators In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Message-ID: German= Die Nachricht enthielt ein Archiv, das nicht gelesen werden konnte Die Nachricht enthielt ein Passwort geschütztes Archiv resp.: Die Nachricht enthielt ein Passwort geschuetztes Archiv .sebastian > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, March 04, 2004 11:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Calling all translators > > > Hi folks! > > It's translation time again. I would like you all to translate these > strings into your language of choice. They are used when unreadable or > protected archives and zip files are found. > > Message contained archive which could not be read > > Message contained password-protected archive > > Many thanks. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rcooper at dwford.com Thu Mar 4 11:49:53 2004 From: rcooper at dwford.com (Rick Cooper) Date: Thu Jan 12 21:23:02 2006 Subject: DOS attacked :( In-Reply-To: <40471250.1080407@eatathome.com.au> Message-ID: > -----Original Message----- 
> From: Pete [mailto:pete@eatathome.com.au] > Sent: Thursday, March 04, 2004 6:26 AM > To: Rick Cooper; Julian Field; MailScanner mailing list > Subject: Re: DOS attacked :( > > > So you're sure that's all I have to do, no messing > about and trying to learn bind? If I have to learn to > drive Bind I am not going to bother, but if it's a > matter of just starting it up, am happy to try, even > will try right now. > > Other thing I wanted to know was whether an upgrade to > 4.28.8-4 would be the shot? Or stick with latest stable? I would sort out your network problems before you go one more step, MailScanner has nothing to do with this if you cannot even manually ping a RBL host by name. It's been a while since I used a bone stock redhat configuration and I have never bothered with RH.9 but I am sure the bone stock named config is only a caching server so it allows updates from none, listens on 127.0.0.1 only and allows access from 127.0.0.1 only. No need to do anything clever, just resolve for the localhost only. Just do the items I described earlier and redo your manual rbl tests. If you can ping by name then try your MS tests again, I think you will be amazed. But once you get things sorted out don't forget to chkconfig --add named and chkconfig named on. If you cannot resolve a host name nothing is going to work properly, I can't imagine how you are sending the mail? Have you looked at your outbound queue? > > > > >Sorry, I thought you said you installed from source. 
> > > >Have you thought about enabling named > (/etc/init.d/named start) > >on your box, the default would be just a caching name > server but > >it would resolve from root servers without using the > external DNS > >servers as the default and set your /etc/resolv.conf > to something > >like > > > >options ndots:1 > >nameserver 127.0.0.1 > >nameserver current.ns.1.address > >nameserver current.ns2.address > >multi on > > > >then /etc/init.d/network restart > > > >You may well see a noticeable improvement with RBLS > and such that > >require a lot of DNS lookups. If it helps just add/enable with > >chkconfig > > > > > > > > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From rcooper at DWFORD.COM Thu Mar 4 11:49:53 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:02 2006 Subject: DOS attacked :( In-Reply-To: <40471250.1080407@eatathome.com.au> Message-ID: > -----Original Message----- 
> From: Pete [mailto:pete@eatathome.com.au] > Sent: Thursday, March 04, 2004 6:26 AM > To: Rick Cooper; Julian Field; MailScanner mailing list > Subject: Re: DOS attacked :( > > > So you're sure thats all i have to do, no messing > about and trying to learn bind? If i have to learn to > drive Bind i am not going to bother, but its its a > matter of just starting it up, am happy to try, even > will try right now. > > Other thing i wanted to know was whether an upgrade to > 4.28.8-4 would be the shot? Or stick with latest stable? I would sort out your network problems before you go one more step, MailScanner has nothing to do with this if you cannot even manully ping a RBL host by name. It's been awhile since I used a bone stock redhat configuration and I have never bothered with RH.9 but I am sure the bone stock named config is only a caching server so it alows updates from none, listens on 127.0.0.1 only and allows access from 127.0.0.1 only. No need to do anything clever just resolve for the localhost only. Just do the items I described earlier and redo your manual rbl tests. If you can ping by name then try your MS tests again, I think you will be amazed. But once you get things sorted out don't forget to chkconfig --add named and chkconfig named on If you cannot resolve a host name nothing is going to work properly, I can't image how you are sending the mail? Have you looked at your outbound queue? > > > > >Sorry, I thought you said you installed from source. 
> >
> >Have you thought about enabling named
> (/etc/init.d/named start)
> >on your box, the default would be just a caching name
> server but
> >it would resolve from root servers without using the
> external DNS
> >servers as the default and set your /etc/resolv.conf
> to something
> >like
> >
> >options ndots:1
> >nameserver 127.0.0.1
> >nameserver current.ns.1.address
> >nameserver current.ns2.address
> >multi on
> >
> >then /etc/init.d/network restart
> >
> >You may well see a noticeable improvement with RBLS
> and such that
> >require a lot of DNS lookups. If it helps just add/enable with
> >chkconfig
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From max.gaspari at MERCATONEUNO.IT Thu Mar 4 11:55:01 2004
From: max.gaspari at MERCATONEUNO.IT (Massimo Gaspari)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
Message-ID: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it>

English :

"Message contained archive which could not be read"
"Message contained password-protected archive"

Italian:

"Il messaggio contiene un archivio che non può essere letto" or "Il
messaggio contiene un archivio che non è stato possibile aprire"
"Il messaggio contiene un archivio protetto da password"


Bye
-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 04, 2004 11:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Calling all translators


Hi folks!

It's translation time again. I would like you all to translate these
strings into your language of choice. They are used when unreadable or
protected archives and zip files are found.

        Message contained archive which could not be read

        Message contained password-protected archive

Many thanks.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been checked by our "Protection System".
Nevertheless, avoid opening attachments unless strictly necessary!
They could compromise the correct operation of your workstation.

Area.NET Mercatone UNO
--

From pete at eatathome.com.au Thu Mar 4 11:56:20 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <40471964.2040504@eatathome.com.au>

Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 11:29 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>
>>Rick Cooper wrote:
>>
>>>Sorry to top post, but
>>>
>>>Are you sure that Net::CIDR is installed ( I think that
>>>requirement came after your original install version), and are
>>>you using a local caching name server? Slow downs in
>>the network
>>>test arena are many time caused by resolver problems.
>>>
>>Have not got internal DNS, all external, and net::cidr is
>>installed/updated with rpm mailscanner installation.
>>
>>But this got me thinking, i tried to ping all the
>>servers listed in
>>spam.lists.conf and i cannot resolve any, me think its
>>is not good.
>>Although i can ping almost any other domain name i can
>>think of, but not
>>any of the spamlist ones. I can ping the
>>dcc#.dcc-servers.net found when
>>doing cdcc info.
>>
>>CPAN shell doesnt work cos it cannot resolve the perl sites.
>>
>>I have changed nothing regarding DNS or networks. I
>>assume this is the
>>cause/symptom of my problems?
>>
>>Having spamassassin off is a nightmare and we are
>>getting heaps of spam.
>>
>>--
>>
>
>Run
>Makes you wonder if your ISP changed name servers on you, or you
>have a firewall problem.
>
>Change /etc/resolv.conf
>options ndots:1
>nameserver 127.0.0.1
>nameserver put current ns1 address here
>nameserver put current ns2 address here
>multi on
>
>then /etc/init.d/named start
>then /etc/init.d/network restart
>
>and try your test again. If your resolver isn't working you will
>have *very* slow network tests as you will be waiting for each
>outbound to timeout.. with a caching name server running you will
>see improvements in many things with your mail service.
>
>Rick
>

Thanks.

Enabled the named and changed the resolv and restart, turned on
spamassassin and sent through some bagles and netskys and all was good,
they were detected and processed properly. (while writing this i
noticed quite a few bagles-gen2 getting detected)

Maybe a combination of the DOS attack message in the maillog (does this
mean zip of death?), slow as network connection and therefore big
hassles with RBLs, sa or ms runs MUCH slower than previous versions,
probably due to all the extra message handling needed to combat these
new nasties?

Although just looking through the stats now, we dont have anywhere near
(hundreds of times less) virus stats as when mydoom was going hard, and
we dont anymore email volume in total than usual; and we detected half
as spam as we did yesterday (cos SA was off almost all day?), so i guess
it was something to do with some of these nasties we havent previously seen?

Boss has given permission to buy a cheapo 2nd hand old fashioned server,
so hopefully will be able to double the specs on this and have some more
luck with that...

From rcooper at DWFORD.COM Thu Mar 4 11:58:10 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: Report text for password protected archive
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B12@pascal.priv.bmrb.co.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Spicer, Kevin
> Sent: Thursday, March 04, 2004 5:43 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Report text for password protected archive
>
>
> Julian Field wrote:
> > Good idea. I have moved the report strings into
> > languages.conf so they can
> > be translated too.
>
> Quick point, before this makes it into 'stable'
>
> I had to edit the reports to remove references to ~
> change the name or put in a zip to avoid this constraint.

I just changed it to:

archive it in a zip file. If it's already in .zip form then it
has been named the same as a .zip file used by a virus/worm or
it has been password protected. Our system does not allow
password protected .zip files as they cannot be scanned for
viruses or content. If this is the case you should change the
name of the .zip file or remove the password protection whichever
the case may be.

>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _______________________________________________________
> __________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please
> contact the
> sender and delete this message immediately.
> Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From drew at THEMARSHALLS.CO.UK Thu Mar 4 12:00:55 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References: <40471250.1080407@eatathome.com.au>
Message-ID: <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>

Rick Cooper said:
>> -----Original Message-----
>> From: Pete [mailto:pete@eatathome.com.au]
>> Sent: Thursday, March 04, 2004 6:26 AM
>> To: Rick Cooper; Julian Field; MailScanner mailing list
>> Subject: Re: DOS attacked :(
>>
>>
>> So you're sure thats all i have to do, no messing
>> about and trying to learn bind? If i have to learn to
>> drive Bind i am not going to bother, but its its a
>> matter of just starting it up, am happy to try, even
>> will try right now.
>>
>> Other thing i wanted to know was whether an upgrade to
>> 4.28.8-4 would be the shot? Or stick with latest stable?
>
> I would sort out your network problems before you go one more
> step, MailScanner has nothing to do with this if you cannot even
> manually ping a RBL host by name.
>
> It's been awhile since I used a bone stock redhat configuration
> and I have never bothered with RH.9 but I am sure the bone stock
> named config is only a caching server so it allows updates from
> none, listens on 127.0.0.1 only and allows access from 127.0.0.1
> only. No need to do anything clever just resolve for the
> localhost only.

This will also stop Postfix if you are using any of its UCE features.
Assuming you get some form of DNS running again, I would start just one
Postfix process - the out going one (Postfix not postfix.in) as $ postfix
-c /etc/postfix start and watch your logs, you should see any 'out going'
(Scanned) queued mail be delivered, then start MailScanner and get MS to
clear its queue, then re-start the postfix.in to allow more incoming. Keep
an eye on the log files and the mail queue ($ mailq). That at least will
tell you where the hold up occurs (If any where).

>
> Just do the items I described earlier and redo your manual rbl
> tests. If you can ping by name then try your MS tests again, I
> think you will be amazed. But once you get things sorted out
> don't forget to chkconfig --add named and chkconfig named on
>
> If you cannot resolve a host name nothing is going to work
> properly, I can't imagine how you are sending the mail? Have you
> looked at your outbound queue?
>
>>
>> >Sorry, I thought you said you installed from source.
>> >
>> >Have you thought about enabling named
>> (/etc/init.d/named start)
>> >on your box, the default would be just a caching name
>> server but
>> >it would resolve from root servers without using the
>> external DNS
>> >servers as the default and set your /etc/resolv.conf
>> to something
>> >like
>> >
>> >options ndots:1
>> >nameserver 127.0.0.1
>> >nameserver current.ns.1.address
>> >nameserver current.ns2.address
>> >multi on
>> >
>> >then /etc/init.d/network restart
>> >
>> >You may well see a noticeable improvement with RBLS
>> and such that
>> >require a lot of DNS lookups. If it helps just add/enable with
>> >chkconfig
>> >
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mailscanner at ecs.soton.ac.uk Thu Mar 4 12:02:39 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercato neuno.it>
References: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it>
Message-ID: <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk>

At 11:55 04/03/2004, you wrote:
>English :
>
>"Message contained archive which could not be read"
>"Message contained password-protected archive"
>
>Italian:
>
>"Il messaggio contiene un archivio che non può essere letto" or "Il
>messaggio contiene un archivio che non è stato possibile aprire"

Which? Giving me 2 options, neither of which I can understand (never
studied Italian) doesn't help me :-)

>"Il messaggio contiene un archivio protetto da password"
>
>
>Bye
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, March 04, 2004 11:39 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Calling all translators
>
>
>Hi folks!
>
>It's translation time again. I would like you all to translate these
>strings into your language of choice. They are used when unreadable or
>protected archives and zip files are found.
>
>        Message contained archive which could not be read
>
>        Message contained password-protected archive
>
>Many thanks.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>This message has been checked by our "Protection System".
>Nevertheless, avoid opening attachments unless strictly necessary!
>They could compromise the correct operation of your workstation.
>
>Area.NET Mercatone UNO
>--

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rcooper at DWFORD.COM Thu Mar 4 12:18:25 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <40471964.2040504@eatathome.com.au>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Thursday, March 04, 2004 6:56 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Rick Cooper wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list
> >>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 11:29 PM
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: Re: DOS attacked :(
> >>
> >>
> >>Rick Cooper wrote:
> >>
> >>>Sorry to top post, but
> >>>
> >>>Are you sure that Net::CIDR is installed ( I think that
> >>>requirement came after your original install
> version), and are
> >>>you using a local caching name server? Slow downs in
> >>the network
> >>>test arena are many time caused by resolver problems.
> >>>
> >>Have not got internal DNS, all external, and net::cidr is
> >>installed/updated with rpm mailscanner installation.
> >>
> >>But this got me thinking, i tried to ping all the
> >>servers listed in
> >>spam.lists.conf and i cannot resolve any, me think its
> >>is not good.
> >>Although i can ping almost any other domain name i can
> >>think of, but not
> >>any of the spamlist ones. I can ping the
> >>dcc#.dcc-servers.net found when
> >>doing cdcc info.
> >>
> >>CPAN shell doesnt work cos it cannot resolve the perl sites.
> >>
> >>I have changed nothing regarding DNS or networks. I
> >>assume this is the
> >>cause/symptom of my problems?
> >>
> >>Having spamassassin off is a nightmare and we are
> >>getting heaps of spam.
> >>
> >>--
> >>
> >
> >Run
> >Makes you wonder if your ISP changed name servers on
> you, or you
> >have a firewall problem.
> >
> >Change /etc/resolv.conf
> >options ndots:1
> >nameserver 127.0.0.1
> >nameserver put current ns1 address here
> >nameserver put current ns2 address here
> >multi on
> >
> >then /etc/init.d/named start
> >then /etc/init.d/network restart
> >
> >and try your test again. If your resolver isn't
> working you will
> >have *very* slow network tests as you will be waiting for each
> >outbound to timeout.. with a caching name server
> running you will
> >see improvements in many things with your mail service.
> >
> >Rick
> >
>
> Thanks.
>
> Enabled the named and changed the resolv and restart, turned on
> spamassassin and sent through some bagles and netskys
> and all was good,
> they were detected and processed properly. (while
> writing this i
> noticed quite a few bagles-gen2 getting detected)
>
> Maybe a combination of the DOS attack message in the
> maillog (does this
> mean zip of death?), slow as network connection and
> therefore big
> hassles with RBLs, sa or ms runs MUCH slower than
> previous versions,
> probably due to all the extra message handling needed
> to combat these
> new nasties?
>
> Although just looking through the stats now, we dont
> have anywhere near
> (hundreds of times less) virus stats as when mydoom
> was going hard, and
> we dont anymore email volume in total than usual; and
> we detected half
> as spam as we did yesterday (cos SA was off almost all
> day?), so i guess
> it was something to do with some of these nasties we
> havent previously seen?

You're welcome.. I think the DOS stuff you were seeing had to do
with the network problems not ZipOfDeath problems. I assume you
have SA back up and running, but I don't think I would say 100%
solved as you still don't know why your ISP's name servers
disappeared. Also, make sure you did the chkconfig things or the
next reboot and your DNS goes away.

You're not on a dynamic IP are you? I have seen this type of thing
happen when a host on a dynamic IP (like cable) sets their IP
static and the ISP does some network reconfigurations and
suddenly the name servers don't work, network slows down because
they are supposed to be on a different gateway (even though the
current gw works), etc... That name server thing would make me
nervous even if I don't use their name servers.

Good luck.

>
> Boss has given permission to buy a cheapo 2nd hand old
> fashioned server,
> so hopefully will be able to double the specs on this
> and have some more
> luck with that...

Ebay... there is always Ebay :->

From pete at eatathome.com.au Thu Mar 4 12:27:20 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>
References: <40471250.1080407@eatathome.com.au> <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>
Message-ID: <404720A8.7000104@eatathome.com.au>

Drew Marshall wrote:

>Rick Cooper said:
>
>>>-----Original Message-----
>>>From: Pete [mailto:pete@eatathome.com.au]
>>>Sent: Thursday, March 04, 2004 6:26 AM
>>>To: Rick Cooper; Julian Field; MailScanner mailing list
>>>Subject: Re: DOS attacked :(
>>>
>>>
>>>So you're sure thats all i have to do, no messing
>>>about and trying to learn bind? If i have to learn to
>>>drive Bind i am not going to bother, but its its a
>>>matter of just starting it up, am happy to try, even
>>>will try right now.
>>>
>>>Other thing i wanted to know was whether an upgrade to
>>>4.28.8-4 would be the shot? Or stick with latest stable?
>>>
>>I would sort out your network problems before you go one more
>>step, MailScanner has nothing to do with this if you cannot even
>>manually ping a RBL host by name.
>>
>>It's been awhile since I used a bone stock redhat configuration
>>and I have never bothered with RH.9 but I am sure the bone stock
>>named config is only a caching server so it allows updates from
>>none, listens on 127.0.0.1 only and allows access from 127.0.0.1
>>only. No need to do anything clever just resolve for the
>>localhost only.
>>
>
>This will also stop Postfix if you are using any of its UCE features.
>Assuming you get some form of DNS running again, I would start just one
>Postfix process - the out going one (Postfix not postfix.in) as $ postfix
>-c /etc/postfix start and watch your logs, you should see any 'out going'
>(Scanned) queued mail be delivered, then start MailScanner and get MS to
>clear its queue, then re-start the postfix.in to allow more incoming. Keep
>an eye on the log files and the mail queue ($ mailq). That at least will
>tell you where the hold up occurs (If any where).
>
>>Just do the items I described earlier and redo your manual rbl
>>tests. If you can ping by name then try your MS tests again, I
>>think you will be amazed. But once you get things sorted out
>>don't forget to chkconfig --add named and chkconfig named on
>>
>>If you cannot resolve a host name nothing is going to work
>>properly, I can't imagine how you are sending the mail? Have you
>>looked at your outbound queue?
>>
>>>
>>>>Sorry, I thought you said you installed from source.
>>>>
>>>>Have you thought about enabling named
>>>(/etc/init.d/named start)
>>>>on your box, the default would be just a caching name
>>>server but
>>>>it would resolve from root servers without using the
>>>external DNS
>>>>servers as the default and set your /etc/resolv.conf
>>>to something
>>>>like
>>>>
>>>>options ndots:1
>>>>nameserver 127.0.0.1
>>>>nameserver current.ns.1.address
>>>>nameserver current.ns2.address
>>>>multi on
>>>>
>>>>then /etc/init.d/network restart
>>>>
>>>>You may well see a noticeable improvement with RBLS
>>>and such that
>>>>require a lot of DNS lookups. If it helps just add/enable with
>>>>chkconfig
>>>>

This is getting really weird, i tried with both caching nameserver on
and off and have tried with 6 or more different external DNS that seem
to work ok when using on my XP machine. I get same result in the MS
debug, although from the MS machine i can ping any amount of domain
names, ones i have never tried to access before now and they work fine,
but the RBLs always fail.

Have attached the log while debugging and the output of the debug.

-------------- next part --------------
[root@mail01 root]# taillog 0
Mar 4 23:24:10 mail01 MailScanner[26092]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar 4 23:24:10 mail01 MailScanner[26092]: Config: calling custom init function MailWatchLogging
Mar 4 23:24:10 mail01 MailScanner[26092]: Initialising database connection
Mar 4 23:24:10 mail01 MailScanner[26092]: Finished initialising database connection
Mar 4 23:25:05 mail01 MailScanner[26092]: lock.pl sees Config LockType = flock
Mar 4 23:25:05 mail01 MailScanner[26092]: lock.pl sees have_module = 0
Mar 4 23:25:06 mail01 MailScanner[26092]: Using locktype = flock
Mar 4 23:25:07 mail01 MailScanner[26092]: New Batch: Found 6 messages waiting
Mar 4 23:25:07 mail01 MailScanner[26092]: New Batch: Scanning 1 messages, 38361 bytes
Mar 4 23:25:07 mail01 MailScanner[26092]: Spam Checks: Starting
Mar 4 23:25:46 mail01 MailScanner[26092]: SpamAssassin returned 0
Mar 4 23:25:47 mail01 MailScanner[26092]: Created attachment dirs for 1 messages
Mar 4 23:25:47 mail01 MailScanner[26092]: Virus and Content Scanning: Starting
Mar 4 23:25:47 mail01 MailScanner[26092]: Commencing scanning by clamav...
Mar 4 23:25:53 mail01 MailScanner[26092]: /var/spool/MailScanner/incoming/26092/./8546833984/pic_regid.zip: Worm.SomeFool.Gen-1 FOUND
Mar 4 23:25:53 mail01 MailScanner[26092]: Completed scanning by clamav
Mar 4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: ClamAV found 1 infections
Mar 4 23:25:53 mail01 MailScanner[26092]: Infected message 8546833984 came from 69.50.209.211
Mar 4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: Found 1 viruses
Mar 4 23:25:53 mail01 MailScanner[26092]: Saved entire message to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar 4 23:25:53 mail01 MailScanner[26092]: Saved infected "pic_regid.zip" to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar 4 23:25:54 mail01 MailScanner[26092]: Requeue: 8546833984 to 081C0C1B7
Mar 4 23:25:54 mail01 MailScanner[26092]: About to deliver 1 messages
-------------- next part --------------
Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: Score set 1 chosen.
debug: Initialising learner
debug: is Net::DNS::Resolver available? yes
debug: trying (3) amazon.com...
debug: looking up MX for 'amazon.com'
debug: MX for 'amazon.com' exists? 1
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs:
debug: RBL: success for 0 of 1 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME
debug: received-header: parsed as [ ip=69.50.209.211 rdns=nsurl.us helo=server.nsurl.us by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=203.217.40.138 rdns=m040-138.nv.iinet.net.au helo=eatathome.com.au by=server.nsurl.us ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 69.50.209.211 trusted? no
debug: received-header: relay 203.217.40.138 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: pete@eatathome.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0.077
debug: running uri tests; score so far=0.077
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.077
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs: prussell@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=nsurl.us helo=server.nsurl.us by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'server.nsurl.us' != 'nsurl.us'
debug: forged-HELO: from=iinet.net.au helo=eatathome.com.au by=server.nsurl.us
debug: forged-HELO: mismatch on HELO: 'eatathome.com.au' != 'iinet.net.au'
debug: forged-HELO: mismatch on from: 'nsurl.us' != 'server.nsurl.us'
debug: RBL: success for 0 of 17 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for njabl-notfirsthop,njabl after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for sorbs after 40 seconds
debug: RBL: timeout for sorbs,sorbs-notfirsthop after 40 seconds
debug: RBL: timeout for njabl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for bsp-untrusted after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for bsp-firsttrusted after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: running meta tests; score so far=0.077
debug: is spam? score=0.077 required=5 tests=TW_YP

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 12:46:26 2004
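[Added example, not part of any list message and not MailScanner or SpamAssassin code: a Python reading of the maillog and SpamAssassin debug output posted in the message above. It measures how long the spam check ran, tallies the RBL timeouts, and builds the name a DNSBL client actually looks up (reversed IPv4 octets plus the zone, with 127.0.0.2 as the conventional DNSBL test address) so a zone can be checked with a lookup tool rather than ping. The function names and the result labels are this example's own.]

```python
import ipaddress
import re
from datetime import datetime

# Log lines copied from the message above (the year 2004 comes from its date).
MAILLOG = """\
Mar 4 23:25:07 mail01 MailScanner[26092]: Spam Checks: Starting
Mar 4 23:25:46 mail01 MailScanner[26092]: SpamAssassin returned 0
Mar 4 23:25:47 mail01 MailScanner[26092]: Virus and Content Scanning: Starting
"""
SA_DEBUG = """\
debug: is DNS available? 1
debug: RBL: success for 0 of 1 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: success for 0 of 17 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for njabl-notfirsthop,njabl after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for sorbs after 40 seconds
debug: RBL: timeout for sorbs,sorbs-notfirsthop after 40 seconds
debug: RBL: timeout for njabl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for bsp-untrusted after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for bsp-firsttrusted after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
"""

SYSLOG = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
RBL_DONE = re.compile(r"RBL: success for (\d+) of (\d+) queries")
RBL_TIMEOUT = re.compile(r"RBL: timeout for (\S+) after (\d+) seconds")


def spam_check_seconds(maillog, year=2004):
    """Seconds each MailScanner child spent between 'Spam Checks: Starting'
    and 'SpamAssassin returned', keyed by process id."""
    started, spent = {}, {}
    for line in maillog.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        month, day, clock, pid, text = m.groups()
        when = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        if text.startswith("Spam Checks: Starting"):
            started[pid] = when
        elif text.startswith("SpamAssassin returned") and pid in started:
            elapsed = int((when - started.pop(pid)).total_seconds())
            spent.setdefault(pid, []).append(elapsed)
    return spent


def rbl_summary(debug_text):
    """Totals from SpamAssassin's 'RBL:' debug lines, summed over all messages."""
    answered = asked = timeouts = 0
    limit = None
    rules = set()
    for line in debug_text.splitlines():
        done = RBL_DONE.search(line)
        late = RBL_TIMEOUT.search(line)
        if done:
            answered += int(done.group(1))
            asked += int(done.group(2))
        elif late:
            timeouts += 1
            rules.update(late.group(1).split(","))
            limit = int(late.group(2))
    return {"answered": answered, "asked": asked, "timeouts": timeouts,
            "rules": sorted(rules), "limit": limit}


def diagnose(maillog, debug_text, slack=2):
    """'resolver-suspect' when no RBL query was answered and a spam check ran
    (within `slack` seconds) to the RBL timeout; 'some-lists-slow' when there
    were timeouts but not that pattern; otherwise 'ok'."""
    rbl = rbl_summary(debug_text)
    runs = [s for per_pid in spam_check_seconds(maillog).values() for s in per_pid]
    stalled = rbl["limit"] is not None and any(s >= rbl["limit"] - slack for s in runs)
    if rbl["asked"] and rbl["answered"] == 0 and stalled:
        return "resolver-suspect"
    return "some-lists-slow" if rbl["timeouts"] else "ok"


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


if __name__ == "__main__":
    print(spam_check_seconds(MAILLOG))
    print(rbl_summary(SA_DEBUG))
    print(diagnose(MAILLOG, SA_DEBUG))
    print(dnsbl_query_name("127.0.0.2", "bl.spamcop.net"))
```

[The name printed last is what to hand to a lookup tool such as host or dig when testing a blocklist zone through the local resolver.]
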
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5CC@jessica.herefordshire.gov.uk>

Pete wrote:
> Not on dyn IP, sa ISNT working with RBLs, this appears to be the cause
> of all my woes, although i am not really sure, but it seems
> that way. I
> have posted already with my logs, but i notice i can ping spamcop.net
> but NOT bl.spamcop.net as it appears in spam.lists.conf, this is the
> same from XP machine, so assume its meant to be this way - but none the
> less all the rbls fail every time when run by SA.

Are you running the latest version of Net::DNS ?

  perl -MCPAN -e 'install Net::DNS'

will install it.

Also, on the subject of DNS, the IP address of one of the DNS root servers
changed on January 29th. The definitive source of the list is
ftp://ftp.rs.internic.net/domain/named.root. On some boxes it will be
called named.cache or named.ca.

Phil

P.S. Net::DNS v0.45 and later is said to be twice as fast as earlier
versions in handling DNS packets, so it is worthwhile upgrading it.

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From max.gaspari at MERCATONEUNO.IT Thu Mar 4 12:50:03 2004
From: max.gaspari at MERCATONEUNO.IT (Massimo Gaspari)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
Message-ID: <17747180E2329145AB61BC6AA3FDEAC943A260@MUS-SRV-020.mercatoneuno.it>

"Message contained archive which could not be read" = "Il messaggio contiene un archivio che non può essere letto"

Is better .. Sorry :-)

Bye

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 04, 2004 1:03 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Calling all translators

At 11:55 04/03/2004, you wrote:
>English :
>
>"Message contained archive which could not be read"
>"Message contained password-protected archive"
>
>Italian:
>
>"Il messaggio contiene un archivio che non può essere letto" or "Il
>messaggio contiene un archivio che non è stato possibile aprire"

Which? Giving me 2 options, neither of which I can understand (never
studied Italian) doesn't help me :-)

From bg.mahesh at INDIAINFO.COM Thu Mar 4 13:04:29 2004
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:23:02 2006
Subject: Emails in mqueue.in not being processed
Message-ID: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>

hi

I installed MailScanner+ClamAV+SpamAssassin on a RedHat Linux machine and
it seemed to work fine [the test emails were delivered without any problem].

I installed the same on our production Mailserver (RedHat Linux). All
incoming emails are in /var/spool/mqueue.in and have been there for a long
time [30 minutes]. So far they haven't been delivered to the local user.

Earlier I had SA running on this machine, I have deleted /etc/procmailrc
now. Also, spamd is not running as before.

The following entries in MailScanner.conf were changed by me,

Virus Scanners = clamavmodule
Use SpamAssassin = yes
Always Include SpamAssassin Report = yes
High Scoring Spam Actions = delete
Log Speed = yes
Log Spam = yes
SpamAssassin Local Rules Dir = /etc/mail/spamassassin
Delivery Method = queue

I looked into /var/log/maillog /var/log/messages, I don't see any error
messages. What could I be doing wrong?

Also, what should be the permissions/ownership of /var/spool/clientmqueue

regards,
--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/
--
______________________________________________
IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
Check out our value-added Premium features, such as an extra 20MB for mail
storage, POP3, e-mail forwarding, and ads-free mailboxes!

Powered by Outblaze

From drew at THEMARSHALLS.CO.UK Thu Mar 4 13:18:01 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:02 2006
Subject: Update virus scanner script
Message-ID: <2632.194.70.180.170.1078406281.squirrel@net.themarshalls.co.uk>

All

It looks like I have managed to get myself a little confused. It seems
like Julian's update virus scanner script automatically runs as some form
of automated 'cron' job. I assumed that I needed to run it from cron, so
now have my av scanners updating extremely regularly (No excuse for not
being up to date :-) but a little over the top!) If I remove it from cron,
do I need to execute it as a boot script or will just starting MS do that
for me?

Sorry, I'm sure I could find out if I understood Perl (But hey, I struggle
with regex!).

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 13:26:21 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:02 2006
Subject: Update virus scanner script
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk>

Drew Marshall wrote:
> All
>
> It looks like I have managed to get myself a little confused. It seems
> like Julian's update virus scanner script automatically runs as some
> form of automated 'cron' job. I assumed that I needed to run it from
> cron, so now have my av scanners updating extremely regularly (No
> excuse for not being up todate :-) but a little over the top!) If I
> remove it from cron, do I need to execute it as a boot script or will
> just starting MS do that for me?
>

On an rpm distribution it just drops a file into /etc/cron.hourly. There
should be a run-parts line in /etc/crontab which checks the cron.hourly
directory hourly and runs the files within.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From pete at eatathome.com.au Thu Mar 4 13:28:48 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <20040304131259.456E821C29C@mail.fsl.com>
References: <20040304131259.456E821C29C@mail.fsl.com>
Message-ID: <40472F10.7010805@eatathome.com.au>

Stephen Swaney wrote:

>Pete,
>
>After reading through all of the emails a few questions:
>
>Did you install SpamAssassin from the rpm?
>Are you trying to ping RBL servers to test DNS?
>Have you changed any settings in /etc/sysconfig/i18n
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney@FSL.com
>

Mate, thanks for taking the time to read through it all, I know I post a lot.

I did not, nor have I ever installed SA from the RPM on this machine - I did this during MS pilot stage and soon found it doesn't work, ever since I have used the source. Never installed from CPAN, cos I had already installed from source and didn't know what the effect would be.

I have tried to ping the RBLs listed in spam.lists.conf - if I ping bl.spamcop.net it doesn't work, ping spamcop.net and it works, I figured this is meant to be this way as I have tried on my machine and on online tracerts etc that certainly wouldn't be using same DNS as me. I can ping plenty of other stuff, stuff that I haven't, nor would the server have attempted to resolve before, HEAPS of domains I tried.

I have only changed the Supported line, I did that yesterday? (the other day) as advised by Julian. I just reversed it and rebooted, it didn't help.

LANG="C"
SUPPORTED="en_US:en"
#LANG="en_US.UTF-8"
#SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

From p.g.b.kruit at PL.HANZE.NL Thu Mar 4 13:18:34 2004
From: p.g.b.kruit at PL.HANZE.NL (Peter Kruit)
Date: Thu Jan 12 21:23:02 2006
Subject: First MailScanner child freezes
Message-ID: <003601c401eb$3285ac20$19ce2191@helo.hanze.nl>

Hello,

I'm currently testing MailScanner with Spamassassin for later implementation on our production servers. To test MailScanner with a high volume of e-mail, I copied the mqueue directory from one of our production servers which contained about 8000 e-mails. At first everything looked fine and all e-mail was processed. When I looked closer, however, I found out that MailScanner left 30 e-mails in the mqueue.in directory and left the same amount (with corresponding IDs) in the incoming directory of one of the children.

Further investigation showed that I had one child more running than I should have (in MailScanner.conf I set Max Children to 5, normal would be to see 6 (1 parent + 5 children), but I had 7). After giving the parent process a TERM signal, this one child didn't die. The logfile told me the following:

Mar 2 19:39:43 xx MailScanner[8100]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 2 19:39:47 xx MailScanner[8100]: Message i22AcqG11276 from 127.0.0.1 (mailer-daemon) to listmanager.smallcapmarketwatch.com is not spam, SpamAssassin (timed out)
Mar 2 19:39:57 xx MailScanner[8100]: RBL Check timed out and was killed, consecutive failure 1 of 7

This was the last logging for this process. All other RBL and Spamassassin tests worked fine.

In another test the same thing happened. The logfile entries:

Mar 3 16:46:20 xx MailScanner[12779]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 3 16:46:21 xx MailScanner[12779]: Message i22FQc0T011912 from 145.222.138.19 (nrc-html-return-nbs@nrc.nl) to xx is not spam, SpamAssassin (timed out)
Mar 3 16:46:31 xx MailScanner[12779]: RBL Check timed out and was killed, consecutive failure 1 of 7

In both tests 7770 e-mails were processed, except the 30 from the child that froze.
Debug showed the following:

Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/opt/perl/share/spamassassin" for default rules dir
debug: using "/etc/spamassassin" for site rules dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 182 ham(s) in Bayes DB < 200
debug: bayes: 20797 untie-ing
debug: bayes: 20797 untie-ing db_toks
debug: bayes: 20797 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 182 ham(s) in Bayes DB < 200
debug: bayes: 20797 untie-ing
debug: bayes: 20797 untie-ing db_toks
debug: bayes: 20797 untie-ing db_seen
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: Razor2 is not available
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
debug: DCC is not available: no executable dccproc found.
debug: Pyzor is not available: pyzor not found
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: all '*To' addrs:
debug: is Net::DNS::Resolver available? yes
debug: trying (3) yahoo.de...
debug: looking up MX for 'yahoo.de'
debug: MX for 'google.de' exists? 1
debug: MX lookup of google.de succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
<..>

The last few lines were:

debug: is Net::DNS::Resolver available? yes
debug: DNS MX records found: 0
debug: DNS MX records found: 0

After this, MailScanner froze.

I was wondering if this is due to the fact that I copied the mqueue from another server. All the tests I did delivering e-mail via the MTA processed without any problems.

Thanks,
Peter Kruit

From pete at eatathome.com.au Thu Mar 4 12:32:43 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <404721EB.6010503@eatathome.com.au>

Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Pete
>>Sent: Thursday, March 04, 2004 6:56 AM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Rick Cooper wrote:
>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list >>>>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On >>>>Behalf Of Pete >>>>Sent: Wednesday, March 03, 2004 11:29 PM >>>>To: MAILSCANNER@JISCMAIL.AC.UK >>>>Subject: Re: DOS attacked :( >>>> >>>> >>>>Rick Cooper wrote: >>>> >>>> >>>> >>>> >>>> >>>>>Sorry to top post, but >>>>> >>>>>Are you sure that Net::CIDR is installed ( I think that >>>>>requirement came after your original install >>>>> >>>>> >>version), and are >> >> >>>>>you using a local caching name server? Slow downs in >>>>> >>>>> >>>>> >>>>> >>>>the network >>>> >>>> >>>> >>>> >>>>>test arena are many time caused by resolver problems. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>Have not got internal DNS, all external, and net::cidr is >>>>installed/updated with rpm mailscanner installation. >>>> >>>>But this got me thinking, i tried to ping all the >>>>servers listed in >>>>spam.lists.conf and i cannot resolve any, me think its >>>>is not good. >>>>Although i can ping almost any other domain name i can >>>>think of, but not >>>>any of the spamlist ones. I can ping the >>>>dcc#.dcc-servers.net found when >>>>doing cdcc info. >>>> >>>>CPAN shell doesnt work cos it cannot resolve the perl sites. >>>> >>>>I have changed nothing regarding DNS or networks. I >>>>assume this is the >>>>cause/symptom of my problems? >>>> >>>>Having spamassassin off is a nightmare and we are >>>>getting heaps of spam. >>>> >>>>-- >>>> >>>> >>>> >>>> >>>Run >>>Makes you wonder if your ISP changed name servers on >>> >>> >>you, or you >> >> >>>have a firewall problem. >>> >>>Change /etc/resolv.conf >>>options ndots:1 >>>nameserver 127.0.0.1 >>>nameserver put current ns1 address here >>>nameserver put current ns2 address here >>>multi on >>> >>>then /etc/init.d/named start >>>then /etc/init.d/network restart >>> >>>and try your test again. If your resolver isn't >>> >>> >>working you will >> >> >>>have *very* slow network tests as you will be waiting for each >>>outbound to timeout.. 
with a caching name server >>> >>> >>running you will >> >> >>>see improvements in many things with your mail service. >>> >>>Rick >>> >>> >>> >>> >>> >>Thanks. >> >>Enabled the named and changed the resolv and restart, turned on >>spamassassin and sent through some bagles and netskys >>and all was good, >>they were detected and and processed properly. (while >>writing this i >>noticed quite a few bagles-gen2 getting detected) >> >>Maybe a combination of the DOS attack message in the >>maillog (does this >>mean zip of death?), slow as network connection and >>therefore big >>hassles with RBLs, sa or ms runs MUCH slower than >>previous versions, >>probably due to all the extra message handling needed >>to combat these >>new nasties? >> >> Although just looking through the stats now, we dont >>have anywhere near >>(hundreds of times less) virus stats as when mydoom >>was going hard, and >>we dont anymore email volume in total than usual; and >>we detected half >>as spam as we did yeterdya (cos SA was off almost all >>day?), so i guess >>it was something to do with some of these nasties we >>havent previously seen? >> >> > >Your welcome.. I think the DOS stuff you were seeing had to do >with >the network problems not ZipOfDeath problems. I assume you have >SA >backup and running, but I don't think I would say 100% solved as >you still don't know why your ISP's name servers disappeared. >Also, >make sure you did the chkconfig things or the next reboot and >your >DNS goes away. Your not on a dynamic IP are you? I have seen this >type >of thing happen when a host on a dynamic IP (like cable) sets >their >IP static and the ISP does some network reconfigurations and >suddenly >the name servers don't work, network slows down because they are >supposed to be on a different gateway (even though the current gw >works), >etc... That name server thing would make me nervous even if I >don't use >their name servers. > >Good luck. 
>
>>Boss has given permission to buy a cheapo 2nd hand old
>>fashioned server,
>>so hopefully will be able to double the specs on this
>>and have some more
>>luck with that...
>>
>
>Ebay... there is always Ebay :->
>

Not on dyn IP, sa ISN'T working with RBLs, this appears to be the cause of all my woes, although I am not really sure, but it seems that way. I have posted already with my logs, but I notice I can ping spamcop.net but NOT bl.spamcop.net as it appears in spam.lists.conf, this is the same from XP machine, so assume it's meant to be this way - but nonetheless all the RBLs fail every time when run by SA.

From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:28:10 2004
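Both of Pete's messages above test the blocklists by pinging the zone name from spam.lists.conf. As an added example (not part of the thread, and not MailScanner or SpamAssassin code): a DNSBL client looks up the reversed address under the zone, and RFC 5782 reserves 127.0.0.2 as a test entry that a working list returns and 127.0.0.1 as one it must not return, so the sketch below checks those two names instead. The status strings, the injectable `resolve` parameter and the zone `dnsbl.example` used in testing are assumptions of this example.

```python
"""DNSBL reachability check: added example, not MailScanner or SpamAssassin code."""
import ipaddress
import socket
import sys
import time

DNSBL_REPLY_NET = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 reply range


def dnsbl_query_name(ip, zone):
    """Return the DNS name a DNSBL client looks up for `ip` in `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # 192.0.2.99 -> 99.2.0.192.<zone>
        labels = reversed(str(addr).split("."))
    else:
        # IPv6: all 32 hex nibbles, reversed, one label each
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def system_resolve(name):
    """A-record lookup via the host resolver; None on NXDOMAIN, timeout or error."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_zone(zone, resolve=system_resolve):
    """Classify a zone by its two RFC 5782 test entries.

    ok                 127.0.0.2 is listed and 127.0.0.1 is not
    lists-everything   both are listed (wildcarded or dead zone)
    rewritten-answers  an answer falls outside 127.0.0.0/8, so something
                       between here and the list is rewriting replies
    no-answer          the 127.0.0.2 test entry did not resolve
    """
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))    # must be listed
    control = resolve(dnsbl_query_name("127.0.0.1", zone))   # must not be listed
    answers = [a for a in (listed, control) if a is not None]
    if any(ipaddress.ip_address(a) not in DNSBL_REPLY_NET for a in answers):
        return "rewritten-answers"
    if listed and control:
        return "lists-everything"
    if listed:
        return "ok"
    return "no-answer"


def main(zones):
    """Check each zone named on the command line and print status and elapsed time."""
    for zone in zones:
        start = time.monotonic()
        status = check_zone(zone)
        print(f"{zone:30} {status:18} {time.monotonic() - start:.1f}s")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A `no-answer` that also takes many seconds points at the resolver or a firewall rather than at the list itself.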
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:02 2006
Subject: Emails in mqueue.in not being processed
In-Reply-To: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>
References: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040304132716.03ae2d18@imap.ecs.soton.ac.uk>

At 13:04 04/03/2004, you wrote:
>hi
>
>I installed Mailscanner+ClamAV+SpamAssassin on a RedHat Linux machine and
>it seemed
>to work fine [the test emails were delivered without any problem].
>
>I installed the same on our production Mailserver (RedHat Linux). All
>incoming emails
>are in /var/spool/mqueue.in and have been there for a long time [30 minutes].
>So far they haven't been delivered to the local user.
>
>Earlier I had SA running on this machine, I have deleted /etc/procmailrc
>now. Also,
>spamd is not running as before.

MailScanner doesn't use spamd, it does it faster than that.

>The following entries in MailScanner.conf were changed by me,
>
> Virus Scanners = clamavmodule
> Use SpamAssassin = yes
> Always Include SpamAssassin Report = yes
> High Scoring Spam Actions = delete
> Log Speed = yes
> Log Spam = yes
> SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> Delivery Method = queue
>
>I looked into /var/log/maillog /var/log/messages, I don't see any error
>messages.
>What could I be doing wrong?

Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner". That will probably tell you what is wrong.

>Also, what should be the permissions/ownership of /var/spool/clientmqueue
>
>regards,
>
>
>--
>B.G. Mahesh
>bg.mahesh@indiainfo.com
>http://www.indiainfo.com/
>
>--
>______________________________________________
>IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
>Check out our value-added Premium features, such as an extra 20MB for mail
>storage, POP3, e-mail forwarding, and ads-free mailboxes!
> >Powered by Outblaze -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From maillists at CONACTIVE.COM Thu Mar 4 13:31:32 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:02 2006 Subject: Calling all translators In-Reply-To: <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk> References: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it> <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk> Message-ID: Julian Field wrote on Thu, 4 Mar 2004 12:02:39 +0000: > >"Il messaggio contiene un archivio che non può essere letto" or "Il > >messaggio contiene un archivio che non è stato possibile aprire" > > Which? Giving me 2 options, neither of which I can understand (never > studied Italian) doesn't help me :-) > It's the difference between "could not be read" and "was impossible to open", so I'd use the first one ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From jaearick at COLBY.EDU Thu Mar 4 13:42:26 2004 From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:23:02 2006 Subject: 4.28.x = more spam? Message-ID: Julian, This may be coincidence, but I've noticed a big uptick in spam to my personal mailbox since going to 4.28.x (4 now). I've done a "spamassassin -D --lint" and looked at the output; nothing unusual there. What would the equivalent by-hand SA command be for what MS does internally? Is "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, or would there be more arguments? This deserves an entry in the FAQ. Jeff Earickson Colby College From drew at THEMARSHALLS.CO.UK Thu Mar 4 13:45:20 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:23:02 2006 Subject: Update virus scanner script In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk> Message-ID: <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.co.uk> Spicer, Kevin said: > Drew Marshall wrote: >> All >> >> It looks like I have managed to get myself a little confused. It seems >> like Julian's update virus scanner script automatically runs as some >> form of automated 'cron' job. I assumed that I needed to run it from >> cron, so now have my av scanners updating extremely regularly (No >> excuse for not being up todate :-) but a little over the top!) If I >> remove it from cron, do I need to execute it as a boot script or will >> just starting MS do that for me? >> > On an rpm distribution it just drops a file into /etc/cron.hourly. There > should be a run-parts line in /etc/crontab which checks the cron.hourly > directory hourly and runs the files within. > It's not a problem getting it to run from cron but I set it to run at 39 minutes passed the hour and in the logs it shows that it runs then and at the top of each hour (Not as per cron, I haven't updated to the latest release yet, it's not in the BSD ports yet). I assumed that this was brought about by the script auto running following the cron job running initially. > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. 
BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From pete at eatathome.com.au Thu Mar 4 13:48:48 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:03 2006
Subject: 4.28.x = more spam?
In-Reply-To:
References:
Message-ID: <404733C0.7070503@eatathome.com.au>

Jeff Earickson wrote:

>Julian,
> This may be coincidence, but I've noticed a big uptick
>in spam to my personal mailbox since going to 4.28.x (4 now).
>I've done a "spamassassin -D --lint" and looked at the output;
>nothing unusual there. What would the equivalent by-hand
>SA command be for what MS does internally? Is
>"spamassassin -p /etc/mail/spamassassin -D --lint" equivalent,
>or would there be more arguments? This deserves an entry in
>the FAQ.
>
>Jeff Earickson
>Colby College
>
>
>.
>

spamassassin -D --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf --lint

You can possibly do it other ways, but this is what I have picked up reading the list.

Pete

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 13:48:19 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:03 2006
Subject: 4.28.x = more spam?
In-Reply-To:
References:
Message-ID: <404733A3.30306@solid-state-logic.com>

Jeff

spamassassin -D -C /path/to/spam.assassin.prefs.conf --lint

the spam.assassin.prefs.conf should be in the same directory as the MailScanner.conf

Worth checking the Bayes permissions so the DB is still readable by the user mentioned in MailScanner.conf.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jeff Earickson wrote:
> Julian,
> This may be coincidence, but I've noticed a big uptick
> in spam to my personal mailbox since going to 4.28.x (4 now).
> I've done a "spamassassin -D --lint" and looked at the output;
> nothing unusual there. What would the equivalent by-hand
> SA command be for what MS does internally? Is
> "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent,
> or would there be more arguments? This deserves an entry in
> the FAQ.
>
> Jeff Earickson
> Colby College

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From jase at SENSIS.COM Thu Mar 4 13:54:17 2004
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV and Password Protected Bagles Message-ID: > >If some virus scanners can see viruses by seeing the message as a whole > >rather then in parts, it would be nice to come up with something to let > >them try. Maybe it could be an option setting in MailScanner.conf to > >include or not include the original message when virus scanning. > > That will involve yet more I/O, but I'll definitely consider it. Could you please make this an option? You can keep it disabled by default. For those of us using McAfee, which seems like it won't be able to detect these, we could at least add ClamAV which will catch them if it scans the queue file. Thanks for your consideration. Jason From dean.plant at ROKE.CO.UK Thu Mar 4 13:53:18 2004 
From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:23:03 2006 Subject: Guess what.... 4.28.4 Message-ID: Julian Field wrote: > Sorry the updates are appearing so thick and fast at the moment. > I wish everything was rather quieter than it is right now. But you > folks need protection against the latest nasties, so I haven't much > option. > > I have corrected the problem with this morning's code where it wasn't > correctly handling messages that contained both a password-protected > zip and an unprotected zip. > > I have also added a check so that if you set the max nesting depth to > 0 but still ban password-protected zip files, then the attachments > are checked for password-protected zips without the other rules being > enforced on the contents of the zip files. It will only check the > first level of nesting though, as it obviously can't check a zip file > it has been asked not to unpack or create in the first place. Having upgraded to 4.28.4 password-protected zips are now blocked correctly but I am having a few problems as we also receive genuine files of this type. I have Silent Viruses = All-Viruses Non-Forging Viruses = Zip-Password But users are not notified of inbound password protected zips. With other blocked file types users are notified correctly. I also am unable to release any quarantined password protected zips from Mailwatch as it is marked as a virus and not a blocked file. Have I understood the Non-Forging setting correctly? Thanks Dean Plant -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 13:55:37 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:03 2006 Subject: Guess what.... 4.28.4 Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> Plant, Dean wrote: > I have > Silent Viruses = All-Viruses > Non-Forging Viruses = Zip-Password > > But users are not notified of inbound password protected zips. With > other blocked file types users are notified correctly. > > I also am unable to release any quarantined password protected zips > from Mailwatch as it is marked as a virus and not a blocked file. > > Have I understood the Non-Forging setting correctly? > That is what Julian suggested he might do for the next/ a future release however that is not the behaviour yet BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 13:57:39 2004 From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner Message-ID: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI> All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/1fde2869/attachment.html From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 14:03:46 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D2@jessica.herefordshire.gov.uk> The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK. Best on what platform? The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe Sent: 04 March 2004 13:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Best Antivirus Scanner All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/10c4d604/attachment.html From sysadmin at FLEETONE.COM Thu Mar 4 14:05:47 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner References: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI> Message-ID: <089601c401f1$caa7fed0$45a610ac@fleetone.com> IMHO, f-prot. Their updates seems as fast as anyone else out there, and their prices were cheaper then most of the others when we looked into them. Rob 
From: Harnish, Joe To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, March 04, 2004 7:57 AM Subject: Best Antivirus Scanner All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/3f93de0e/attachment.html From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:46:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: 4.28.x = more spam? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040304134446.03d5f6e8@imap.ecs.soton.ac.uk> As far as I am aware, I haven't changed any of the spam code recently, except for 1 minor change to what happens if SpamAssassin times out 20 times in a row. At 13:42 04/03/2004, you wrote: >Julian, > This may be coincidence, but I've noticed a big uptick >in spam to my personal mailbox since going to 4.28.x (4 now). >I've done a "spamassassin -D --lint" and looked at the output; >nothing unusual there. What would the equivalent by-hand >SA command be for what MS does internally? Is >"spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, >or would there be more arguments? Not sure, I never use the command-line script myself. But you need to tell SA about your spam.assassin.prefs.conf file (which looks rather like a user_prefs file). > This deserves an entry in >the FAQ. > >Jeff Earickson >Colby College -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:05:19 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb. co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> Message-ID: <6.0.1.1.2.20040304140303.072b1aa0@imap.ecs.soton.ac.uk> At 13:55 04/03/2004, you wrote: >Plant, Dean wrote: > > I have > > Silent Viruses = All-Viruses > > Non-Forging Viruses = Zip-Password > > > > But users are not notified of inbound password protected zips. With > > other blocked file types users are notified correctly. > > > > I also am unable to release any quarantined password protected zips > > from Mailwatch as it is marked as a virus and not a blocked file. I guess it really should be a blocked file rather than a virus, you are right. I'll change that. > > > > Have I understood the Non-Forging setting correctly? > > >That is what Julian suggested he might do for the next/ a future release >however that is not the behaviour yet > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:47:58 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Update virus scanner script In-Reply-To: <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.c o.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk> <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040304134634.0415b578@imap.ecs.soton.ac.uk> At 13:45 04/03/2004, you wrote: >Spicer, Kevin said: > > Drew Marshall wrote: > >> All > >> > >> It looks like I have managed to get myself a little confused. It seems > >> like Julian's update virus scanner script automatically runs as some > >> form of automated 'cron' job. I assumed that I needed to run it from > >> cron, so now have my av scanners updating extremely regularly (No > >> excuse for not being up todate :-) but a little over the top!) If I > >> remove it from cron, do I need to execute it as a boot script or will > >> just starting MS do that for me? > >> > > On an rpm distribution it just drops a file into /etc/cron.hourly. There > > should be a run-parts line in /etc/crontab which checks the cron.hourly > > directory hourly and runs the files within. > > >It's not a problem getting it to run from cron but I set it to run at 39 >minutes passed the hour and in the logs it shows that it runs then and at >the top of each hour (Not as per cron, I haven't updated to the latest >release yet, it's not in the BSD ports yet). I assumed that this was >brought about by the script auto running following the cron job running >initially. My RPM distributions just put the script in /etc/cron.hourly so that the root crontab runs it once per hour. I can only assume that BSD might have a similar setup, and you also have put it in your root crontab as well. It doesn't "auto run", I'm not quite sure what you mean by that. 
> > > > > > > > BMRB International > > http://www.bmrb.co.uk > > +44 (0)20 8566 5000 > > _________________________________________________________________ > > This message (and any attachment) is intended only for the > > recipient and may contain confidential and/or privileged > > material. If you have received this in error, please contact the > > sender and delete this message immediately. Disclosure, copying > > or other action taken in respect of this email or in > > reliance on it is prohibited. BMRB International Limited > > accepts no liability in relation to any personal emails, or > > content of any email which does not directly relate to our > > business. > > > > >-- >In line with our policy, this message has >been scanned for viruses and dangerous >content by MailScanner, and is believed to be clean. >www.themarshalls.co.uk/policy -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:02:20 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: References: Message-ID: <6.0.1.1.2.20040304135816.03bb26f8@imap.ecs.soton.ac.uk> At 13:54 04/03/2004, you wrote: > > >If some virus scanners can see viruses by seeing the message as a whole > > >rather then in parts, it would be nice to come up with something to let > > >them try. Maybe it could be an option setting in MailScanner.conf to > > >include or not include the original message when virus scanning. > > > > That will involve yet more I/O, but I'll definitely consider it. > >Could you please make this an option? It's not as trivial to implement as it sounds, as MailScanner scans many messages at once and needs to be able to spot the difference between the message text and any similarly-named attachment. Whatever I decide to call the raw message text, someone will write a virus which contains a harmless attachment called the same thing to try to defeat me. I wonder how (or even if) the Amavis guys have solved this problem? I intend to do a stable release tomorrow and it certainly won't be in that. Too late to start implementing new features now. But I will think about ways of overcoming the problems, something will come to mind. Be warned it will make MailScanner go slower as more I/O will have to be done on the entire message. > You can keep it disabled by default. >For those of us using McAfee, which seems like it won't be able to detect >these, we could at least add ClamAV which will catch them if it scans the >queue file. Thanks for your consideration. > >Jason -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rob at thehostmasters.com Thu Mar 4 14:09:14 2004 
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D2@jessica.herefordshire.gov.uk> Message-ID: <038e01c401f2$46d8e730$0d01a8c0@basement> I am installing ClamAV to work with MacAfee, but how do I tell Mailscanner to use it also? And which should I run first? Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- From: Randal, Phil To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, March 04, 2004 9:03 AM Subject: Re: Best Antivirus Scanner The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK. Best on what platform? The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe Sent: 04 March 2004 13:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Best Antivirus Scanner All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/d44d0cf2/attachment.html From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 14:08:42 2004 
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner Message-ID: <221C759285B78647AEE6181FD6AF36A70A07531A@BAMBI> Best on Fedora/RedHat Linux. I am adding ClamAV and keeping McAfee (because it is free with our contract) but I got approval to buy another commercial product to add to our solution. Thanks for the link to the dailydat. Joe _____ From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Randal, Phil Sent: Thursday, March 04, 2004 9:04 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Best Antivirus Scanner The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK. Best on what platform? The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe Sent: 04 March 2004 13:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Best Antivirus Scanner All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/a3346f19/attachment.html From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 14:11:40 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:23:03 2006 Subject: Now that we scan for executables in .zip files.... Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk> One of our (savvy) users emailed me to say: >Im trying to send an email with zipped and renamed exe files Mailscanner intercepted and did say unto us: "Consider renaming the files or putting them into a "zip" file to avoid this constraint." The files were, of course, in a zip file. So, what do we need to do to that error message so that recipients of the reject message don't get completely confused? Suggestions? Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK From mdlaney at MOREHOUSE.EDU Thu Mar 4 14:13:00 2004 
From: mdlaney at MOREHOUSE.EDU (Matt Laney) Date: Thu Jan 12 21:23:03 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> Message-ID: <20040304141300.GA15664@morehouse.edu> Spicer, Kevin responded to Plant, Dean... > > [DP] But users are not notified of inbound password protected zips. With > > other blocked file types users are notified correctly. > > > > I also am unable to release any quarantined password protected zips > > from Mailwatch as it is marked as a virus and not a blocked file. > > > > Have I understood the Non-Forging setting correctly? > > [KS] That is what Julian suggested he might do for the next/ a future > release however that is not the behaviour yet I haven't tried this, but might the desired behaviour be approximated by using filetype checking to pick out ZIP files of version 1.0 (see previous discussion about MIT, etc.)? My file command (version 4.07) shows the following on one bad and one OK ZIP: Text.zip: Zip archive data, at least v1.0 to extract fine.zip: Zip archive data, at least v2.0 to extract (The first one's the Bagle virus.) A quick scan through the magic file shows that the ZIP line is the only place "v1.0" appears as an isolated word. Could one make a filetype entry like this deny " v1.0 " No v1.0 ZIP archives, possible Bagle ditto in filetype.rules.conf and use filetype checking to get these? It doesn't sound efficient, but might it work? I'm not sure what else might use v1.0 ZIP archives, but the MIT guys seem to think that not much does. -Matt -- Matt Laney, mdlaney@morehouse.edu Director of Network Services Morehouse College; Atlanta, GA, USA From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 14:14:38 2004 
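Added example, not code from this thread or from MailScanner: the "at least v1.0 to extract" text that `file` prints comes from the "version needed" field of the first ZIP local file header, and the same header carries a general-purpose flag whose bit 0 marks an encrypted member. The sketch below compares a rule keyed on the version field (the one proposed above) with a rule keyed on the encryption bit. The sample archives are constructed with patched header fields, and all function names are hypothetical.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
ENCRYPTED = 0x0001           # general-purpose flag bit 0: member is encrypted


def build_sample(version, encrypted):
    """Constructed test archive with patched header fields.

    Only the 'version needed' and flag fields are rewritten; the payload is
    never actually encrypted, which is enough for header-based checks.
    """
    buf = io.BytesIO()
    info = zipfile.ZipInfo("readme.txt", date_time=(2004, 3, 4, 14, 13, 0))
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(info, b"constructed sample payload")
    data = bytearray(buf.getvalue())
    central = data.find(CENTRAL_SIG)
    # 'version needed' and the flags sit side by side: at offset 4 in the
    # local header and at offset 6 in the central directory header.
    for off in (4, central + 6):
        _, flags = struct.unpack_from("<HH", data, off)
        if encrypted:
            flags |= ENCRYPTED
        struct.pack_into("<HH", data, off, version, flags)
    return bytes(data)


def file_style_view(data):
    """Fields of the first local header, which is what `file` reports on."""
    if len(data) < 30 or data[:4] != LOCAL_SIG:
        raise ValueError("no ZIP local file header at offset 0")
    version, flags = struct.unpack_from("<HH", data, 4)
    spec = version & 0xFF  # low byte: spec version times ten (10 -> 1.0)
    return {"version_needed": f"{spec // 10}.{spec % 10}",
            "encrypted": bool(flags & ENCRYPTED)}


def encrypted_members(data):
    """Every member whose central-directory flags mark it as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist()
                if zi.flag_bits & ENCRYPTED]


def verdicts(data):
    """Decision of each rule for one archive."""
    view = file_style_view(data)
    return {
        "v1.0 rule": "deny" if view["version_needed"] == "1.0" else "allow",
        "encrypted rule": "deny" if encrypted_members(data) else "allow",
    }


# Constructed samples covering the four combinations of the two fields.
SAMPLES = {
    "v1.0, encrypted": build_sample(10, True),
    "v2.0, plain": build_sample(20, False),
    "v2.0, encrypted": build_sample(20, True),
    "v1.0, plain": build_sample(10, False),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:18} {verdicts(blob)}")
```

The two rules disagree on the last two samples: the version rule passes an encrypted archive whose creator wrote 2.0 into the header, and it blocks an unencrypted archive that happens to declare 1.0.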
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV and Password Protected Bagles Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B1D@pascal.priv.bmrb.co.uk> Julian Field wrote: >> Could you please make this an option? > > It's not as trivial to implement as it sounds, as MailScanner scans > many messages at once and needs to be able to spot the difference > between the message text and any similarly-named attachment. Whatever > I decide to call the raw message text, someone will write a virus > which contains a harmless attachment called the same thing to try to > defeat me. I wonder how (or even if) the Amavis guys have solved this > problem? How about .txt - that should be fairly difficult to predict. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 14:19:48 2004 From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe) Date: Thu Jan 12 21:23:03 2006 Subject: Best Antivirus Scanner Message-ID: <221C759285B78647AEE6181FD6AF36A70A07531E@BAMBI> I believe you just put the av tools in a list in your config file and they run in order like: Virus Scanners = clamav mcafee I am planning on running clam first so I can see which ones aren't being picked up by Mcafee to send them to clamav so they can get updated. Joe _____ 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Charles Sent: Thursday, March 04, 2004 9:09 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Best Antivirus Scanner I am installing ClamAV to work with MacAfee, but how do I tell Mailscanner to use it also? And which should I run first? Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- From: Randal, Phil To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, March 04, 2004 9:03 AM Subject: Re: Best Antivirus Scanner The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK. Best on what platform? The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe Sent: 04 March 2004 13:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Best Antivirus Scanner All, With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. Thanks Joe -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/530c0997/attachment.html From gdoris at rogers.com Thu Mar 4 14:20:25 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:23:03 2006 Subject: changing spamassassin points configuration In-Reply-To: <40470412.5080101@avalonpub.com> References: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2> <40470412.5080101@avalonpub.com> Message-ID: <55073.129.80.22.143.1078410025.squirrel@65.48.246.102> > kfliong wrote: > >> So in other word, I just have to let the user stop getting some mails >> (eventhough some might be important) while waiting for SA to learn >> that the >> sender is not sending spams? >> > If you have a copy of the email you can teach it to SA by using the > command "sa-learn". See "man sa-learn" or the list archives for more > info. In summary, have a copy of the mail as either a single file with > the headers and body or a bunch of them in a mbox style mailbox and run > the command (as the same user that MS runs as): > sa-learn --ham filename > > Daniel Also, you can download a file of spam from the SpamAssassin site and use it to train your bayes database. I did this originally as I have a low volume server and it was taking forever to get bayes trained. It's not the best way as you're teaching bayes from someone else's spam, but I figured spammers are an equal opportunity group and send their stuff to everyone! Once it's up and running it automagically trains itself on your specific spam from there on. Gerry From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:25:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Now that we scan for executables in .zip files.... In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040304142511.076aa488@imap.ecs.soton.ac.uk> At 14:11 04/03/2004, you wrote: >One of our (savvy) users emailed me to say: > > >I'm trying to send an email with zipped and renamed exe files > >Mailscanner intercepted and did say unto us: > >"Consider renaming the files or putting them into a "zip" file to avoid >this constraint." > >The files were, of course, in a zip file. > >So, what do we need to do to that error message so that recipients of the >reject message don't get completely confused? > >Suggestions? How about you edit the report file if you don't like what it currently says? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:27:19 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <20040304141300.GA15664@morehouse.edu> References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> <20040304141300.GA15664@morehouse.edu> Message-ID: <6.0.1.1.2.20040304142558.076aa1f8@imap.ecs.soton.ac.uk> At 14:13 04/03/2004, you wrote: >Spicer, Kevin responded to Plant, Dean... > > > > [DP] But users are not notified of inbound password protected zips. With > > > other blocked file types users are notified correctly. > > > > > > I also am unable to release any quarantined password protected zips > > > from Mailwatch as it is marked as a virus and not a blocked file. > > > > > > Have I understood the Non-Forging setting correctly? > > > > [KS] That is what Julian suggested he might do for the next/ a future > > release however that is not the behaviour yet > >I haven't tried this, but might the desired behaviour be approximated >by using filetype checking to pick out ZIP files of version 1.0 (see >previous discussion about MIT, etc.)? My file command (version 4.07) >shows the following on one bad and one OK ZIP: > > Text.zip: Zip archive data, at least v1.0 to extract > fine.zip: Zip archive data, at least v2.0 to extract > >(The first one's the Bagle virus.) > >A quick scan through the magic file shows that the ZIP line is the only >place "v1.0" appears as an isolated word. That won't work once the virus writers go up to version 2 which they will as soon as they are being defeated by people testing only for version 1. >Could one make a filetype entry like this > > deny " v1.0 " No v1.0 ZIP archives, possible Bagle ditto > >in filetype.rules.conf and use filetype checking to get these? It doesn't >sound efficient, but might it work? It might work for now, but not for very long. Remember you are trying to hit a moving target. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From maillists at CONACTIVE.COM Thu Mar 4 14:31:35 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:03 2006 Subject: DOS attacked :( In-Reply-To: <404721EB.6010503@eatathome.com.au> References: <404721EB.6010503@eatathome.com.au> Message-ID: Pete wrote on Thu, 4 Mar 2004 23:32:43 +1100: > Rick Cooper wrote: > >>Rick Cooper wrote: >>>>Rick Cooper wrote: Pete, is there a good reason why you quote and quote and quote and quote and quote? It makes your messages almost unreadable. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From maillists at CONACTIVE.COM Thu Mar 4 14:31:35 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:03 2006 Subject: Calling all translators In-Reply-To: References: Message-ID: Sebastian ruchti wrote on Thu, 4 Mar 2004 12:43:20 +0100: > Die Nachricht enthielt ein Archiv, das nicht gelesen werden konnte > Die Nachricht enthielt ein Passwort geschütztes Archiv > Julian, I'm wondering about the definition of "archive". Do most English-speaking users understand what an "archive" is meant to be? At least for the German version "Archiv" I doubt this is the case. Wouldn't it be better to talk about "compressed files", "compressed archive files" or "compressed files (archives)" or "archive (compressed file)", or so? Taking this into account I'd translate to German: Die Nachricht enthielt eine komprimierte Datei (Archiv), die nicht geöffnet werden konnte. Die Nachricht enthielt eine durch ein Paßwort geschützte, komprimierte Datei (Archiv). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 14:30:44 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:23:03 2006 Subject: Now that we scan for executables in .zip files.... Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D4@jessica.herefordshire.gov.uk> I was just lost for words, Julian, it's been one of those weeks :-) Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 04 March 2004 14:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Now that we scan for executables in .zip files.... > > > At 14:11 04/03/2004, you wrote: > >One of our (savvy) users emailed me to say: > > > > >Im trying to send an email with zipped and renamed exe files > > > >Mailscanner intercepted and did say unto us: > > > >"Consider renaming the files or putting them into a "zip" > file to avoid > >this constraint." > > > >The files were, of course, in a zip file. > > > >So, what do we need to do to that error message so that > recipients of the > >reject message don't get completely confused? > > > >Suggestions? > > How about you edit the report file if you don't like what it > currently says? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:34:14 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Now that we scan for executables in .zip files.... In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D4@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D4@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20040304143326.07271038@imap.ecs.soton.ac.uk> Sounds like you are having a bit of a week like mine then. I'll be glad when 4.28.5 stable is out of the door. This weekend is going to involve a lot of sleep! :-) At 14:30 04/03/2004, you wrote: >I was just lost for words, Julian, it's been one of those weeks :-) > >Cheers, > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 04 March 2004 14:26 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Now that we scan for executables in .zip files.... > > > > > > At 14:11 04/03/2004, you wrote: > > >One of our (savvy) users emailed me to say: > > > > > > >Im trying to send an email with zipped and renamed exe files > > > > > >Mailscanner intercepted and did say unto us: > > > > > >"Consider renaming the files or putting them into a "zip" > > file to avoid > > >this constraint." > > > > > >The files were, of course, in a zip file. > > > > > >So, what do we need to do to that error message so that > > recipients of the > > >reject message don't get completely confused? > > > > > >Suggestions? > > > > How about you edit the report file if you don't like what it > > currently says? > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 4 14:48:04 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:23:03 2006 Subject: Calling all translators (French) In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk> Message-ID: <1078411684.22219.5.camel@dbeauchemin.sti.usherbrooke.ca> On Thu 04/03/2004 at 05:39, Julian Field wrote: > Message contained archive which could not be read Le message contenait un fichier zip qui n'a pu être lu > Message contained password-protected archive Le message contenait un fichier zip protégé par un mot de passe Is it OK to translate archive by "zip file"? If not, then use these: Le message contenait un fichier archive qui n'a pu être lu Le message contenait un fichier archive protégé par un mot de passe Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From David.While at UCE.AC.UK Thu Mar 4 14:53:18 2004 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV Message-ID: <107DE25EC0216C45AEF670016024245F7022@exchangea.staff.uce.ac.uk> Just had an email report of a virus from ClamAv detected as Worm.Bagle.Gen-zippwd which presumably is Clam detecting a password protected zip file containing Bagle ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/25d1e199/attachment.html From rgreen at TRAYERPRODUCTS.COM Thu Mar 4 14:53:49 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV/MailScanner-4.23-11 Message-ID: <404742FD.6050600@trayerproducts.com> Should ClamAV work with MailScanner-4.23-11 ? I haven't been able to get it working. I installed ClamAV, the latest version. I'm attempting to use the perl module version of it so I installed Parse::RecDescent, Inline, and Mail::ClamAV. I set the 'Virus Scanners = clamavmodule' in the configuration file and restarted. I sent a test zip file that has the NetSky virus and it got through. Any ideas? Thanks, Rod From nejc.skoberne at guest.arnes.si Thu Mar 4 14:58:02 2004 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:23:03 2006 Subject: Notify recipients = no? Message-ID: <1055379503.20040304155802@guest.arnes.si> Hi list, Is there any way to turn off sending any virii reports to recipients? Thanks. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From mailscanner at ecs.soton.ac.uk Thu Mar 4 15:04:51 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Notify recipients = no? In-Reply-To: <1055379503.20040304155802@guest.arnes.si> References: <1055379503.20040304155802@guest.arnes.si> Message-ID: <6.0.1.1.2.20040304150442.076b36d0@imap.ecs.soton.ac.uk> At 14:58 04/03/2004, you wrote: >Hi list, > >Is there any way to turn off sending any virii reports to recipients? Deliver Cleaned Messages = no >Thanks. > >-- >Nejc Skoberne >Grajska 5 >SI-5220 Tolmin >E-mail: nejc.skoberne@guest.arnes.si -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Thu Mar 4 15:12:05 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:23:03 2006 Subject: DOS attacked :( Message-ID: <54C38A0B814C8E438EF73FC76F36292741097C@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Rick Cooper [mailto:rcooper@DWFORD.COM] >Sent: March 4, 2004 06:50 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: DOS attacked :( > > >> -----Original Message----- 
>> From: Pete [mailto:pete@eatathome.com.au] >> Sent: Thursday, March 04, 2004 6:26 AM >> To: Rick Cooper; Julian Field; MailScanner mailing list >> Subject: Re: DOS attacked :( >> >> >> So you're sure that's all I have to do, no messing >> about and trying to learn bind? If I have to learn to >> drive Bind I am not going to bother, but if it's a >> matter of just starting it up, am happy to try, even >> will try right now. >> >> Other thing I wanted to know was whether an upgrade to >> 4.28.8-4 would be the shot? Or stick with latest stable? > >I would sort out your network problems before you go one more >step, MailScanner has nothing to do with this if you cannot even >manually ping a RBL host by name. > >It's been awhile since I used a bone stock redhat configuration >and I have never bothered with RH.9 but I am sure the bone stock >named config is only a caching server so it allows updates from >none, listens on 127.0.0.1 only and allows access from 127.0.0.1 >only. No need to do anything clever just resolve for the >localhost only. In fact it is the package named "caching-nameserver" > >Just do the items I described earlier and redo your manual rbl >tests. If you can ping by name then try your MS tests again, I >think you will be amazed. But once you get things sorted out >don't forget to chkconfig --add named and chkconfig named on > >If you cannot resolve a host name nothing is going to work >properly, I can't imagine how you are sending the mail? Have you >looked at your outbound queue? > >> >> >> >> >Sorry, I thought you said you installed from source. 
>> > >> >Have you thought about enabling named >> (/etc/init.d/named start) >> >on your box, the default would be just a caching name >> server but >> >it would resolve from root servers without using the >> external DNS >> >servers as the default and set your /etc/resolv.conf >> to something >> >like >> > >> >options ndots:1 >> >nameserver 127.0.0.1 >> >nameserver current.ns.1.address >> >nameserver current.ns2.address >> >multi on >> > >> >then /etc/init.d/network restart >> > >> >You may well see a noticeable improvement with RBLS >> and such that >> >require a lot of DNS lookups. If it helps just add/enable with >> >chkconfig >> > >> > >> > >> > >> > >> > >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> > From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 15:15:34 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D5@jessica.herefordshire.gov.uk> Worm.Bagle.Gen-zippwd Clam AV Module 04/03/04 14:05:44 1 W32/Bagle.h!pwdzip McAfee 04/03/04 14:05:44 1 Detected by both ClamAV and McAfee's daily dats. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of David While Sent: 04 March 2004 14:53 To: MAILSCANNER@JISCMAIL.AC.UK Subject: ClamAV Just had an email report of a virus from ClamAv detected as Worm.Bagle.Gen-zippwd which presumably is Clam detecting a password protected zip file containing Bagle ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/8a848a81/attachment.html From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Mar 4 15:08:02 2004 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:23:03 2006 Subject: W32/Bagle-Zip Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB6069@eqmail1.efni.vpn> Looks like Sophos is now matching against the passworded zips for the Bagle strains: http://www.sophos.com/virusinfo/analyses/w32baglezip.html -Joshua From rob at thehostmasters.com Thu Mar 4 15:23:19 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV References: <107DE25EC0216C45AEF670016024245F7022@exchangea.staff.uce.ac.uk> Message-ID: <041801c401fc$a033eb40$0d01a8c0@basement> Very nice! I just added ClamAV to mailscanner to work with Mcafee... and I got this. I am happy now.... :) >Report: ClamAV: Attach.zip contains Worm.Bagle.Gen-zippwd Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- 
From: David While To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, March 04, 2004 9:53 AM Subject: ClamAV Just had an email report of a virus from ClamAv detected as Worm.Bagle.Gen-zippwd which presumably is Clam detecting a password protected zip file containing Bagle ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/63e98f49/attachment.html From drew at THEMARSHALLS.CO.UK Thu Mar 4 15:22:26 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <6.0.1.1.2.20040304135816.03bb26f8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040304135816.03bb26f8@imap.ecs.soton.ac.uk> Message-ID: <28860.194.70.180.170.1078413746.squirrel@net.themarshalls.co.uk> Julian Field said: > At 13:54 04/03/2004, you wrote: >> > >If some virus scanners can see viruses by seeing the message as a >> whole >> > >rather then in parts, it would be nice to come up with something to >> let >> > >them try. Maybe it could be an option setting in MailScanner.conf to >> > >include or not include the original message when virus scanning. >> > >> > That will involve yet more I/O, but I'll definitely consider it. >> >>Could you please make this an option? > > It's not as trivial to implement as it sounds, as MailScanner scans many > messages at once and needs to be able to spot the difference between the > message text and any similarly-named attachment. Whatever I decide to call > the raw message text, someone will write a virus which contains a harmless > attachment called the same thing to try to defeat me. I wonder how (or > even > if) the Amavis guys have solved this problem? > > I intend to do a stable release tomorrow and it certainly won't be in > that. > Too late to start implementing new features now. But I will think about > ways of overcoming the problems, something will come to mind. Be warned it > will make MailScanner go slower as more I/O will have to be done on the > entire message. But not I guess for those of us using an MTA that only uses a single file, like Postfix. > >> You can keep it disabled by default. >>For those of us using McAfee, which seems like it won't be able to detect >>these, we could at least add ClamAV which will catch them if it scans the >>queue file. Thanks for your consideration. 
>> >>Jason > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at ecs.soton.ac.uk Thu Mar 4 15:27:42 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <28860.194.70.180.170.1078413746.squirrel@net.themarshalls. co.uk> References: <6.0.1.1.2.20040304135816.03bb26f8@imap.ecs.soton.ac.uk> <28860.194.70.180.170.1078413746.squirrel@net.themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040304152716.07712190@imap.ecs.soton.ac.uk> At 15:22 04/03/2004, you wrote: >Julian Field said: > > At 13:54 04/03/2004, you wrote: > >> > >If some virus scanners can see viruses by seeing the message as a > >> whole > >> > >rather then in parts, it would be nice to come up with something to > >> let > >> > >them try. Maybe it could be an option setting in MailScanner.conf to > >> > >include or not include the original message when virus scanning. > >> > > >> > That will involve yet more I/O, but I'll definitely consider it. > >> > >>Could you please make this an option? > > > > It's not as trivial to implement as it sounds, as MailScanner scans many > > messages at once and needs to be able to spot the difference between the > > message text and any similarly-named attachment. Whatever I decide to call > > the raw message text, someone will write a virus which contains a harmless > > attachment called the same thing to try to defeat me. I wonder how (or > > even > > if) the Amavis guys have solved this problem? > > > > I intend to do a stable release tomorrow and it certainly won't be in > > that. > > Too late to start implementing new features now. But I will think about > > ways of overcoming the problems, something will come to mind. Be warned it > > will make MailScanner go slower as more I/O will have to be done on the > > entire message. > >But not I guess for those of us using an MTA that only uses a single file, >like Postfix. It still has to be copied, regardless of the number of files per message used by the MTA. 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lists at DVD-GOETSCH.DE Thu Mar 4 15:18:48 2004
From: lists at DVD-GOETSCH.DE (sebastian ruchti)
Date: Thu Jan 12 21:23:03 2006
Subject: Calling all translators
In-Reply-To:
Message-ID:

Agreed concerning the "compressed file (archive)" issue.

.sebastian

P.S.: Is it "Passwort" or "Paßwort"??

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Kai Schaetzl
> Sent: Thursday, March 04, 2004 3:32 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Calling all translators
>
>
> Sebastian ruchti wrote on Thu, 4 Mar 2004 12:43:20 +0100:
>
> > Die Nachricht enthielt ein Archiv, das nicht gelesen werden konnte
> > Die Nachricht enthielt ein Passwort geschütztes Archiv
> >
>
> Julian, I'm wondering about the definition of "archive". Do most
> English-speaking users understand what an "archive" is meant to be? At
> least for the German version "Archiv" I doubt this is the case. Wouldn't
> it be better to talk about "compressed files", "compressed archive files"
> or "compressed files (archives)" or "archive (compressed file)", or so?
>
> Taking this into account I'd translate to German:
>
> Die Nachricht enthielt eine komprimierte Datei (Archiv), die nicht
> geöffnet werden konnte.
>
> Die Nachricht enthielt eine durch ein Paßwort geschützte, komprimierte
> Datei (Archiv).
>
>
> Kai
>
> --
>
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
> IE-Center: http://ie5.de & http://msie.winware.org

From ugob at CAMO-ROUTE.COM Thu Mar 4 15:41:51 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
Message-ID: <54C38A0B814C8E438EF73FC76F36292741097D@mtlnt501fs.CAMOROUTE.COM>

-----Original Message-----
From: Harnish, Joe [mailto:jharnish@CI.GRAND-RAPIDS.MI.US]
Sent: March 4, 2004 09:20
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Best Antivirus Scanner

I believe you just put the av tools in a list in your config file and they run in order like:

Virus Scanners = clamav mcafee

Exact

I am planning on running clam first so I can see which ones aren't being picked up by Mcafee to send them to clamav so they can get updated.

The order doesn't matter. All messages are scanned by all anti-virus.

Joe

From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Charles
Sent: Thursday, March 04, 2004 9:09 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Best Antivirus Scanner

I am installing ClamAV to work with MacAfee, but how do I tell Mailscanner to use it also? And which should I run first?

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: Randal, Phil
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, March 04, 2004 9:03 AM
Subject: Re: Best Antivirus Scanner

The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK.

Best on what platform?

The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like.

I'd recommend ClamAV plus a commercial scanner.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe
Sent: 04 March 2004 13:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks

Joe

From m.sapsed at BANGOR.AC.UK Thu Mar 4 15:40:03 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:23:03 2006
Subject: Calling all translators (Welsh)
Message-ID: <40474DD3.20009@bangor.ac.uk>

Julian Field wrote:
> Hi folks!
>
> It's translation time again. I would like you all to translate these
> strings into your language of choice. They are used when unreadable or
> protected archives and zip files are found.
>
> Message contained archive which could not be read
>
> Message contained password-protected archive

Neges yn cynnwys archif na ellid ei darllen

Neges yn cynnwys archif wedi’i diogelu â chyfrinair

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From chris at FRACTALWEB.COM Thu Mar 4 15:59:22 2004
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:23:03 2006
Subject: Notify recipients = no?
In-Reply-To: <1055379503.20040304155802@guest.arnes.si>
References: <1055379503.20040304155802@guest.arnes.si>
Message-ID: <4047525A.8060600@fractalweb.com>

Hi Nejc,

The plural of "virus" is "viruses" not "virii".

http://www.perl.com/language/misc/virus.html

Cheers,
Chris

Nejc Skoberne wrote:

>Hi list,
>
>Is there any way to turn off sending any virii reports to recipients?
>
>Thanks.
>
>--
>Nejc Skoberne
>Grajska 5
>SI-5220 Tolmin
>E-mail: nejc.skoberne@guest.arnes.si
>
>
>

From tomb at HAMSHACK.INFO Thu Mar 4 16:32:08 2004
From: tomb at HAMSHACK.INFO (hamshack.info)
Date: Thu Jan 12 21:23:03 2006
Subject: bayes?
Message-ID:

I'm looking for a url and doc to download bayes for my rh 9 box.

Thanks
Tom

From ryan at MARINOCRANE.COM Thu Mar 4 16:47:39 2004
From: ryan at MARINOCRANE.COM (Ryan Pitt)
Date: Thu Jan 12 21:23:03 2006
Subject: W32/Bagle-Zip
In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB6069@eqmail1.efni.vpn>
References: <75FEDC422E2309419A9303E7B18F206E04DB6069@eqmail1.efni.vpn>
Message-ID: <40475DAB.1080508@marinocrane.com>

Hirsh, Joshua wrote:

>Looks like Sophos is now matching against the passworded zip's for the Bagle
>strains:
>
>http://www.sophos.com/virusinfo/analyses/w32baglezip.html
>
>-Joshua
>

This baglezip ide was downloaded automatically, so I temporarily *allowed* .zip files to pass through MailScanner and sent a copy of Bagle-K through and Sophos still does not detect it.

I'm not sure exactly what this definition is supposed to do that's different.

Still waiting for the next stable release of MailScanner to be released before I upgrade. I have gone back to *denying* all .zip files for the time being.

-Ryan Pitt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From danw at NORCOMCABLE.CA Thu Mar 4 16:46:13 2004
From: danw at NORCOMCABLE.CA (Dan Williamson)
Date: Thu Jan 12 21:23:03 2006
Subject: W32/Bagle-Zip
In-Reply-To: <40475DAB.1080508@marinocrane.com>
Message-ID: <200403041646.i24GkDLi031216@lynx.norcomcable.ca>

ClamAV is getting them. I had .60 installed, it wasn't catching them, however after upgrading to .67 it is now catching them. I would suggest adding a second virus scanner if you can.

regards,
-dan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Pitt
Sent: March 4, 2004 10:48 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: W32/Bagle-Zip

Hirsh, Joshua wrote:

>Looks like Sophos is now matching against the passworded zip's for the
>Bagle
>strains:
>
>http://www.sophos.com/virusinfo/analyses/w32baglezip.html
>
>-Joshua
>

This baglezip ide was downloaded automatically, so I temporarily *allowed* .zip files to pass through MailScanner and sent a copy of Bagle-K through and Sophos still does not detect it.

I'm not sure exactly what this definition is supposed to do that's different.

Still waiting for the next stable release of MailScanner to be released before I upgrade. I have gone back to *denying* all .zip files for the time being.

-Ryan Pitt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ugob at CAMO-ROUTE.COM Thu Mar 4 16:49:28 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:03 2006
Subject: bayes?
Message-ID: <54C38A0B814C8E438EF73FC76F36292741097E@mtlnt501fs.CAMOROUTE.COM>

it is included with spamassassin

>-----Original Message-----
>From: hamshack.info [mailto:tomb@HAMSHACK.INFO]
>Sent: March 4, 2004 11:32
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: bayes?
>
>
>I'm looking for a url and doc to download bayes for my rh 9 box.
>
>Thanks
>Tom
>

From rcooper at DWFORD.COM Thu Mar 4 16:50:57 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:03 2006
Subject: Spam Forwarding
Message-ID:

I forward spam and high scoring spam to a special mail box to be checked for possible fps and then fed to bayes. Yesterday I started archiving mail to a special folder to use to automate the ham side of bayes learning. I was looking through what was in the ham folder from the first night and every high scoring spam was in there? I saw only one normal spam but every single high scoring spam was archived.

Is this the proper behavior? I have both spam actions set to delete aspecialbox@ourdomain.com

and Archive Mail = anotherbox@ourdomain.com

I can get around it by having the script that does the learning check the headers and remove the spam if I have to but I was hoping that only good mail would get archived.

Rick Cooper

From mike-sender-1ed4e7 at zanker.org Thu Mar 4 16:39:49 2004
From: mike-sender-1ed4e7 at zanker.org (Mike Zanker)
Date: Thu Jan 12 21:23:03 2006
Subject: DOS attacked :(
In-Reply-To:
References: <404721EB.6010503@eatathome.com.au>
Message-ID: <365824781.1078418389@jemima.zanker.org>

On 04 March 2004 15:31 +0100 Kai Schaetzl wrote:

> Pete, is there a good reason why you quote and quote and quote and
> quote and quote? It makes your messages almost unreadable.

Thanks - I'm not the only one who gets irritated by inconsiderate excessive quoting, then. Why are lists populated by alleged e-mail administrators always the worst for e-mail netiquette? The SpamAssassin list is as bad if not worse.

Mike.

From rgreen at TRAYERPRODUCTS.COM Thu Mar 4 16:42:47 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:23:03 2006 Subject: ClamAV/MailScanner-4.23-11 In-Reply-To: <404742FD.6050600@trayerproducts.com> References: <404742FD.6050600@trayerproducts.com> Message-ID: <40475C87.4020604@trayerproducts.com> I installed the latest stable version of MailScanner and got clamav to work. I was apprehensive to update MS because I didn't know what to expect from the process. Didn't want to have any problems with a live server. Rodney Green wrote: > Should ClamAV work with MailScanner-4.23-11 ? I haven't been able to > get it working. I installed ClamAV, the latest version. I'm attempting > to use the perl module version of it so I installed Parse::RecDescent, > Inline, and Mail::ClamAV. I set the 'Virus Scanners = clamavmodule' in > the configuration file and restarted. I sent a test zip file that has > the NetSky virus and it got through. Any ideas? > > Thanks, > Rod > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From craig at WESTPRESS.COM Thu Mar 4 17:26:08 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:23:03 2006 Subject: bayes? In-Reply-To: References: Message-ID: >I'm looking for a url and doc to download bayes for my rh 9 box. Hey Tom, I too am using RH9 and I learned that you cannot use the standard RH9 rpm for SA if you want to use bayes. RH's rpm does not include SA-Learn (bayes). I had to download the current RPM's from the SA site (http://au.spamassassin.org), this included three RPM's; perl-Mail-SpamAssassin-2.63, SA itself - spamassasson-2.63, and SA tools (which includes SA-Learn) - spamassassin-tools-2.63. You will have to remove RH's SA RPM before you install these, but then you should be all set. Craig D. -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From gercke at HNM.DE Thu Mar 4 17:26:12 2004 
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:23:03 2006
Subject: Bayes
Message-ID: <404766B4.3060702@hnm.de>

Hi all,

I have a script that every 4 hours catches mail from two accounts, splits them and then learns as spam / ham...

Once per day I rebuild my bayes engine with sa-learn --rebuild.

Now when I go to the console and type: spamassassin -D --lint

there are in the lines of Bayes ...

bayes: not available for scanning, only 67 spam(s) in Bayes DB < 200

But yesterday there were over 600 spams in. And this morning there are 68 spams in.

Any idea?

Daniel

--
This message has been checked for viruses and other dangerous content and is clean, provided the virus scanners are up to date.
MailScanner thanks transtec for their kind support.

From mailscanner at ecs.soton.ac.uk Thu Mar 4 17:35:14 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:03 2006 Subject: Spam Forwarding In-Reply-To: References: Message-ID: <6.0.1.1.2.20040304173444.038f30c0@imap.ecs.soton.ac.uk> At 16:50 04/03/2004, you wrote: >I forward spam and high scoring spam to a special mail box to be >checked for possible fps and then fed to bayes. Yesterday I >started archiving mail to a special folder to use to automate the >ham side of bayes learning. I was looking through what was in the >ham folder from the first night and ever high scoring spam was in >there? I saw only one normal spam but every single high scoring >spam was archived. > >Is this the proper behavior? I have both spam actions set to >delete aspecialbox@ourdomain.com > >and Archive Mail = anotherbox@ourdomain.com > >I can get around it by having the script that does the learning >check the headers and remove the spam If I have to but I was >hoping that only good mail would get archived. > > Rick Cooper It's a mail archive, it isn't a non-spam archive. You should use "non-spam actions" for doing that. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 17:41:48 2004 
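The header check Rick Cooper mentions in the Spam Forwarding thread above, as an added example (not code from the thread or from MailScanner): it copies out of an archive mbox only the messages whose MailScanner SpamCheck header says "not spam". The header prefix `X-example` and the file names are assumptions; a missing or repeated header, or a "not spam" verdict whose score is at or above the required value, is treated as unverified and never used for training.

```python
"""Keep only messages this site's MailScanner marked "not spam" before ham training."""
import mailbox
import os
import re
import tempfile

# Assumption: the site's MailScanner header prefix is "X-example"; put your own here.
SPAMCHECK_HEADER = "X-example-MailScanner-SpamCheck"
SCORE_RE = re.compile(r"score=(-?[\d.]+),\s*required\s+(-?[\d.]+)")


def classify(msg, header=SPAMCHECK_HEADER):
    """Return 'ham', 'spam' or 'unverified' for one archived message."""
    values = msg.get_all(header) or []
    if len(values) != 1:
        # Missing: not scanned under this header name (list mail often carries
        # other sites' MailScanner headers). Repeated: ambiguous. Train on neither.
        return "unverified"
    value = " ".join(values[0].split()).lower()  # unfold wrapped header lines
    if value.startswith("not spam"):
        verdict = "ham"
    elif value.startswith("spam"):
        verdict = "spam"
    else:
        return "unverified"
    m = SCORE_RE.search(value)
    if verdict == "ham" and m and float(m.group(1)) >= float(m.group(2)):
        return "unverified"  # verdict and score disagree; leave for a human
    return verdict


def ham_only(archive_path, out_path, header=SPAMCHECK_HEADER):
    """Copy messages classified 'ham' to out_path; return counts per class."""
    counts = {"ham": 0, "spam": 0, "unverified": 0}
    src = mailbox.mbox(archive_path, create=False)
    dst = mailbox.mbox(out_path)
    try:
        for msg in src:
            kind = classify(msg, header)
            counts[kind] += 1
            if kind == "ham":
                dst.add(msg)
        dst.flush()
    finally:
        src.close()
        dst.close()
    return counts


# Constructed sample archive (addresses, subjects and scores are made up).
SAMPLE_MBOX = """\
From a@example.org Thu Mar  4 10:00:00 2004
From: a@example.org
Subject: meeting notes
X-example-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.3,
    required 5, HTML_MESSAGE 0.00)

Notes attached.

From b@example.net Thu Mar  4 10:01:00 2004
From: b@example.net
Subject: cheap pills
X-example-MailScanner-SpamCheck: spam, SpamAssassin (score=24.001, required 5)

Buy now.

From c@example.com Thu Mar  4 10:02:00 2004
From: c@example.com
Subject: list digest
X-other.example-MailScanner-SpamCheck: not spam

Scanned somewhere else only.

From d@example.org Thu Mar  4 10:03:00 2004
From: d@example.org
Subject: partner newsletter
X-example-MailScanner-SpamCheck: not spam, SpamAssassin (score=24.001, required 5)

Marked clean despite the score.

"""


def demo():
    """Run the filter over the constructed sample; return (counts, ham subjects)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "archive.mbox")
        ham = os.path.join(tmp, "ham.mbox")
        with open(archive, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        counts = ham_only(archive, ham)
        box = mailbox.mbox(ham, create=False)
        try:
            subjects = [m["Subject"] for m in box]
        finally:
            box.close()
        return counts, subjects
```

The resulting ham mbox is what would be handed to `sa-learn`; the unverified pile is for manual review.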
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:23:03 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <20040304173801.A476421AF4D@ws5-6.us4.outblaze.com> References: <20040304173801.A476421AF4D@ws5-6.us4.outblaze.com> Message-ID: <40476A5C.80904@solid-state-logic.com> Having similar issues with clamavmodule at the moment, try using clamav on the -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 BG Mahesh wrote: >>>The following entries in MailScanner.conf were changed by me, >>> >>> Virus Scanners = clamavmodule >>> Use SpamAssassin = yes >>> Always Include SpamAssassin Report = yes >>> High Scoring Spam Actions = delete >>> Log Speed = yes >>> Log Spam = yes >>> SpamAssassin Local Rules Dir = /etc/mail/spamassassin >>> Delivery Method = queue >>> >>>I looked into /var/log/maillog /var/log/messages, I don't see any error >>>messages. >>>What could I be doing wrong? >> >>Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner". >>That will probably tell you what is wrong. >> > > > The only line which I find could be a problem is: > > debug: DCCifd is not available: no r/w dccifd socket found. > > The detailed debug message is here...I don't find anything wrong here. Not sure why emails in mqueue.in are not being processed :-( > > debug: DCCifd is not available: no r/w dccifd socket found. > debug: all '*From' addrs: raboas2004@netscape.net > debug: all '*To' addrs: g.jalapathi@hyd.indiainfo.com films.feedback@team.indiainfo.com > debug: DNS MX records found: 4 > debug: forged-HELO: from=speed.planet.nl helo=netscape520.com by=indiainfo.com > debug: forged-HELO: mismatch on HELO: 'netscape520.com' != 'speed.planet.nl' > debug: running meta tests; score so far=6.14 > debug: auto-learn? ham=0.1, spam=12, body-hits=1.908, head-hits=4.232 > debug: auto-learn: currently using scoreset 1. no need to recompute. > debug: auto-learn? 
no: inside auto-learn thresholds > debug: is spam? score=7.703 required=5 tests=FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MIME_BOUND_MANY_HEX,NIGERIAN_BODY1,SUBJ_ALL_CAPS,UNCLAIMED_MONEY > debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_toks > debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_seen > debug: bayes: found bayes db version 2 > debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200 > debug: bayes: 21316 untie-ing > debug: bayes: 21316 untie-ing db_toks > debug: bayes: 21316 untie-ing db_seen > debug: received-header: parsed as [ ip=209.66.67.196 rdns=m6.lagnernow.com helo=m6.lagnernow.com by=blr.indiainfo.com ident= ] > debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237 > debug: received-header: relay 209.66.67.196 trusted? no > debug: running header regexp tests; score so far=0 > debug: running body-text per-line regexp tests; score so far=0 > debug: running raw-body-text per-line regexp tests; score so far=4.608 > debug: running uri tests; score so far=4.608 > debug: uri tests: Done uriRE > debug: running full-text regexp tests; score so far=4.608 > debug: DCCifd is not available: no r/w dccifd socket found. > debug: all '*From' addrs: Lagnernow@the.lagnernow.com > debug: all '*To' addrs: j.chan@team.indiainfo.com > debug: is Net::DNS::Resolver available? yes > debug: DNS MX records found: 1 > debug: forged-HELO: from=lagnernow.com helo=lagnernow.com by=indiainfo.com > debug: running meta tests; score so far=7.918 > debug: auto-learn? ham=0.1, spam=12, body-hits=4.608, head-hits=3.31 > debug: auto-learn: currently using scoreset 1. no need to recompute. > debug: auto-learn? no: inside auto-learn thresholds > debug: is spam? 
score=7.918 required=5 tests=BANG_GUARANTEE,CLICK_BELOW,COMPLETELY_FREE,GUARANTEED_100_PERCENT,HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_TITLE_UNTITLED,HTML_WEB_BUGS,MSGID_FROM_MTA_SHORT > debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_toks > debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_seen > debug: bayes: found bayes db version 2 > debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200 > debug: bayes: 21318 untie-ing > debug: bayes: 21318 untie-ing db_toks > debug: bayes: 21318 untie-ing db_seen > debug: received-header: parsed as [ ip=209.196.53.79 rdns=raza-web3-admin-o.custom.dellhost.com helo=razweb3.razacomm.com by=blr.indiainfo.com ident= ] > debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237 > debug: received-header: relay 209.196.53.79 trusted? no > debug: running header regexp tests; score so far=0 > debug: running body-text per-line regexp tests; score so far=0 > debug: running raw-body-text per-line regexp tests; score so far=0 > debug: running uri tests; score so far=0 > debug: uri tests: Done uriRE > debug: running full-text regexp tests; score so far=0 > debug: DCCifd is not available: no r/w dccifd socket found. > debug: all '*From' addrs: mina@razacomm.com > debug: all '*To' addrs: srinath.iyer@team.indiainfo.com > debug: is Net::DNS::Resolver available? yes > debug: DNS MX records found: 1 > debug: forged-HELO: from=dellhost.com helo=razacomm.com by=indiainfo.com > debug: forged-HELO: mismatch on HELO: 'razacomm.com' != 'dellhost.com' > debug: running meta tests; score so far=0 > debug: auto-learn? ham=0.1, spam=12, body-hits=0, head-hits=0 > debug: auto-learn: currently using scoreset 1. no need to recompute. > debug: auto-learn? 
yes, ham (0 < 0.1) > debug: Learning Ham > debug: uri tests: Done uriRE > debug: lock: 21318 created /root/.spamassassin/bayes.lock.blr.indiainfo.com.21318 > debug: lock: 21318 trying to get lock on /root/.spamassassin/bayes with 0 retries > debug: lock: 21318 link to /root/.spamassassin/bayes.lock: link ok > debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_toks > debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_seen > debug: bayes: found bayes db version 2 > debug: tokenize: header tokens for *p = "" > debug: tokenize: header tokens for *m = " 200403041204 AA329056476 razweb3 razacomm com " > debug: tokenize: header tokens for Mime-Version = "1.0" > debug: tokenize: header tokens for *c = "/plain; charset=us-ascii" > debug: tokenize: header tokens for *F = "U*mina D*razacomm.com D*com" > debug: tokenize: header tokens for *R = "U*mina D*razacomm.com D*com" > debug: tokenize: header tokens for To = "U*srinath.iyer D*team.indiainfo.com D*indiainfo.com D*com" > debug: tokenize: header tokens for *x = "" > debug: tokenize: header tokens for *r = " razweb3.razacomm.com (raza-web3-admin-o.custom.dellhost.com [209.196.53]) by blr.indiainfo.com (8.12.10/8.12.10) ; " > debug: bayes: Learned '200403041204.AA329056476@razweb3.razacomm.com' > debug: bayes: 21318 untie-ing > debug: bayes: 21318 untie-ing db_toks > debug: bayes: 21318 untie-ing db_seen > debug: bayes: files locked, now unlocking lock > debug: unlock: 21318 unlink /root/.spamassassin/bayes.lock > debug: bayes: 21318 untie-ing > debug: is spam? score=0 required=5 tests= > Stopping now as you are debugging me. > > > > -- > B.G. Mahesh > bg.mahesh@indiainfo.com > http://www.indiainfo.com/ > > -- > ______________________________________________ > IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com > Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes! 
>
> Powered by Outblaze

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From vboulytchev at COINFOTECH.COM Thu Mar 4 17:49:33 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:03 2006
Subject: Upgrading Mailscanner
Message-ID:

Ladies and Gents,

I see that MailScanner is installed, via rpm -qa | grep mailscanner. The RPM that is in the system is mailscanner-4.24-5.

Certainly I am weary of just running your install.sh scripts. All I want to do is upgrade to the new version... What is the default step of doing so..... I see the noarch rpm included, however I would like to hear from you.

THANKS!

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

From m.sapsed at BANGOR.AC.UK Thu Mar 4 17:59:55 2004
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:23:03 2006 Subject: W32/Bagle-Zip References: <75FEDC422E2309419A9303E7B18F206E04DB6069@eqmail1.efni.vpn> <40475DAB.1080508@marinocrane.com> Message-ID: <40476E9B.8000008@bangor.ac.uk> Ryan Pitt wrote: > Hirsh, Joshua wrote: >> Looks like Sophos is now matching against the passworded zip's for the >> Bagle >> strains: >> >> http://www.sophos.com/virusinfo/analyses/w32baglezip.html > > This baglezip ide was downloaded automatically, so I temporarily > *allowed* .zip files to pass through MailScanner and sent a copy of > Bagle-K through and Sophos still does not detect it. > I'm not sure exactly what this definition is supposed to do thats > different. This is certainly catching a number of messages for us. I understand that this matches the encrypted zip files for Bagles H-K as opposed to the decrypted contents. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From dpowell at LSSI.NET Thu Mar 4 18:00:19 2004 From: dpowell at LSSI.NET (Darrin) Date: Thu Jan 12 21:23:03 2006 Subject: Win32/Bagle.gen.zip Message-ID: <1078423219.26485.351.camel@powell> Does anyone know where I can find the Win32/Bagle.gen.zip "k" virus, to test with? Thanks -- Darrin Powell LSSi Corp (919) 466-6803 www.lssi.net/~dpowell From nathan at TCPNETWORKS.NET Thu Mar 4 18:05:22 2004 
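What the W32/Bagle-Zip and translation threads above are distinguishing, as an added example (not MailScanner's or any scanner's own code): a zip whose members have the encryption flag set is reported as password-protected, and one that cannot be parsed or fails its CRC check as unreadable. The report strings are the two quoted from Julian Field's translation request; the sample archives are constructed inline (the "protected" one only has the flag bit set), and the size limits are assumptions.

```python
"""Sort a zip attachment into: ok, password-protected, or unreadable."""
import io
import struct
import zipfile
import zlib

UNREADABLE = "Message contained archive which could not be read"
PROTECTED = "Message contained password-protected archive"
ENCRYPTED_BIT = 0x0001  # bit 0 of the general-purpose flags in each ZIP header


def classify_zip(data, max_members=1000, max_total=50 * 1024 * 1024):
    """Return (status, detail) with status 'ok', 'protected' or 'unreadable'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            if len(members) > max_members or sum(m.file_size for m in members) > max_total:
                return "unreadable", "archive exceeds scan limits"
            locked = [m.filename for m in members if m.flag_bits & ENCRYPTED_BIT]
            if locked:
                # Names are visible, contents are not: a scanner cannot look inside.
                return "protected", locked
            bad = zf.testzip()  # reads every member and checks its CRC-32
            if bad is not None:
                return "unreadable", "CRC mismatch in " + bad
            return "ok", [m.filename for m in members]
    except (zipfile.BadZipFile, zipfile.LargeZipFile, NotImplementedError,
            RuntimeError, EOFError, zlib.error) as exc:
        return "unreadable", str(exc)


def report_for(data):
    """Map a classification to the report string, or None for a scannable zip."""
    status, _ = classify_zip(data)
    return {"protected": PROTECTED, "unreadable": UNREADABLE}.get(status)


def make_zip(members):
    """Build an uncompressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def set_encrypted_flag(data):
    """Constructed sample only: set bit 0 in every local and central header."""
    buf = bytearray(data)
    # Flags sit 6 bytes into a local header and 8 bytes into a central one.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | ENCRYPTED_BIT)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


# Constructed samples: harmless text, no real attachment involved.
PLAIN = make_zip({"report.txt": b"quarterly figures"})
FLAGGED = set_encrypted_flag(PLAIN)
TRUNCATED = PLAIN[: len(PLAIN) // 2]                  # end-of-archive record lost
CORRUPT = PLAIN.replace(b"quarterly", b"quarterlx", 1)  # stored data no longer matches CRC

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("flagged", FLAGGED),
                        ("truncated", TRUNCATED), ("corrupt", CORRUPT)):
        print(label, classify_zip(blob), report_for(blob))
```

The flag check says only that the contents are hidden from the scanner, not that they are malicious, which is why the threads pair it with either blocking such archives or a signature on the encrypted file itself.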
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:23:04 2006 Subject: eTrust - Lagging Virus Definitions Message-ID: Just a heads up for eTrust users... While this is indicative of other AntiVirus vendors recently, they finally got around to releasing definitions for W32/Beagle.J and variants). These things were blowing right past my system. I finally blocked zip files altogether until I've had a chance to upgrade to the latest release. Maybe my expectations are too high, but this is inexcusable. I saw the first virus of this type enter my system on Mon 03/01/04. It took Computer Associates just about four days to release definitions that would detect it. A sorry state of affairs. ==== This is to notify you of the results of your submission, issue number 298013. With regards to the file "Mandy.zip" submitted by you on 04 Mar 18:21:00 (Australian Eastern Standard Time), we have added cure instructions for Win32/Bagle.ZIP.Worm to the signature files for the InoculateIT engine. The PkWare Zip Archive file "Mandy.zip" has been determined to be malicious. The file has been identified as ZIP.Bagle worm. Aliases reported by other AV products are listed here: (Win32/Bagle.gen.zip) (W32/Bagle.h!pwdzip) (W32.Beagle.F@mm) CA antivirus products address this malware as follows: ------------------------------------------------------ eTrust Antivirus 6.x/v7 (Vet Engine) Engine Update version Last Update 11.4.0 11.4.8187 04 Mar eTrust Antivirus 6.x/v7 (InoculateIT Engine) Engine Update version Last Update 23.64.0 23.64.29 05 Mar Inoculan/InoculateIT 4.x Engine Update version Last Update 46.0* 46.29* 05 Mar * Limited ability to cure infections, i.e. cleaning Windows registry. CA will be dropping support for this product, please read http://support.ca.com/techbases/ilnt/ino_drop.html This automated scanning service "Virtue" complements our regular technical support service. It is not a replacement for it. 
If the automatic responses you receive are incomplete or irrelevant to your query, a technician will contact you. If you have further queries, please submit them with reference number 298013 in "Plain Text" email format to virus@ca.com. Users of Microsoft Outlook/Outlook Express can configure the outgoing email format in the Tools|Options...|Send|Mail Sending Format... menu. To improve your security we recommend sending email in "Plain Text" format only. . If you would like to comment on the quality of this automated service, please send email to virtue.feedback@ca.com. eTrust Global Antivirus Research Team Computer Associates
From michele at BLACKNIGHTSOLUTIONS.COM Thu Mar 4 18:06:31 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:23:04 2006 Subject: Win32/Bagle.gen.zip In-Reply-To: <1078423219.26485.351.camel@powell> Message-ID: If you ask nicely we can all send you samples :))) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Darrin > Sent: 04 March 2004 18:00 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Win32/Bagle.gen.zip > > > Does anyone know where I can find the Win32/Bagle.gen.zip "k" virus, to > test with? > > > > > Thanks > -- > Darrin Powell > LSSi Corp > (919) 466-6803 > www.lssi.net/~dpowell > -- Email scanned by Blacknight for viruses and dangerous content. Visit http://www.blacknight.ie for more information From sysadmin at FLEETONE.COM Thu Mar 4 18:08:00 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:23:04 2006 Subject: eTrust - Lagging Virus Definitions References: Message-ID: <0a9301c40213$a16065e0$45a610ac@fleetone.com> We moved away from CA long ago for the reasons you just ran into. They always seemed to be at least 1 step behind everyone else. Rob ----- Original Message -----
From: "Nathan Johanson" To: Sent: Thursday, March 04, 2004 12:05 PM Subject: eTrust - Lagging Virus Definitions Just a heads up for eTrust users... While this is indicative of other AntiVirus vendors recently, they finally got around to releasing definitions for W32/Beagle.J and variants). These things were blowing right past my system. I finally blocked zip files altogether until I've had a chance to upgrade to the latest release. Maybe my expectations are too high, but this is inexcusable. I saw the first virus of this type enter my system on Mon 03/01/04. It took Computer Associates just about four days to release definitions that would detect it. A sorry state of affairs. ==== This is to notify you of the results of your submission, issue number 298013. With regards to the file "Mandy.zip" submitted by you on 04 Mar 18:21:00 (Australian Eastern Standard Time), we have added cure instructions for Win32/Bagle.ZIP.Worm to the signature files for the InoculateIT engine. The PkWare Zip Archive file "Mandy.zip" has been determined to be malicious. The file has been identified as ZIP.Bagle worm. Aliases reported by other AV products are listed here: (Win32/Bagle.gen.zip) (W32/Bagle.h!pwdzip) (W32.Beagle.F@mm) CA antivirus products address this malware as follows: ------------------------------------------------------ eTrust Antivirus 6.x/v7 (Vet Engine) Engine Update version Last Update 11.4.0 11.4.8187 04 Mar eTrust Antivirus 6.x/v7 (InoculateIT Engine) Engine Update version Last Update 23.64.0 23.64.29 05 Mar Inoculan/InoculateIT 4.x Engine Update version Last Update 46.0* 46.29* 05 Mar * Limited ability to cure infections, i.e. cleaning Windows registry. CA will be dropping support for this product, please read http://support.ca.com/techbases/ilnt/ino_drop.html This automated scanning service "Virtue" complements our regular technical support service. It is not a replacement for it. 
If the automatic responses you receive are incomplete or irrelevant to your query, a technician will contact you. If you have further queries, please submit them with reference number 298013 in "Plain Text" email format to virus@ca.com. Users of Microsoft Outlook/Outlook Express can configure the outgoing email format in the Tools|Options...|Send|Mail Sending Format... menu. To improve your security we recommend sending email in "Plain Text" format only. . If you would like to comment on the quality of this automated service, please send email to virtue.feedback@ca.com. eTrust Global Antivirus Research Team Computer Associates
From dustin.baer at IHS.COM Thu Mar 4 18:08:14 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:23:04 2006 Subject: bagle SpamAssassin rule [SCANNED] References: <40465ABD.9050209@dalsemi.com> Message-ID: <4047708E.CF5494B7@ihs.com> David Vosburgh wrote: > > Dave's List Addy wrote: > > >On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > > > > > >>For those of you who want to try to catch these with SpamAssassin, I > >>think the following should work: > >> > >>body BAGLE_PASSWORD /password.*[0-9]{4,}/i > >>describe BAGLE_PASSWORD Password.*numbers > >>score BAGLE_PASSWORD 6.5 > >> > >>If anyone has a better suggestion, let us know! > >> > >> > > > >Has anyone found this to work? We can't upgrade as of yet to the latest MS > >since we did a apt-get install :( Will know better next time :) > > > I tried it briefly but was getting more false positives than legitimate > hits. The problem seemed to be primarily caused by phone numbers > (specifically, the last four digits) included in the senders signature > coming after "password". That ".*" is pretty aggressive ;-). Yeah, it SUCKS! I removed it this morning. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From victor at PIXELMAGICFX.COM Thu Mar 4 18:33:55 2004 
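The false positive reported in the "bagle SpamAssassin rule" message above, reproduced as an added example (not code from the thread or from SpamAssassin). Python's re module stands in for SpamAssassin's Perl regex engine, the message bodies are constructed and flattened to one line each, and the bounded variant with its 30-character gap is an assumption of this example.

```python
import re

# The rule as posted in the thread: "password", anything, then 4+ digits.
POSTED = re.compile(r"password.*[0-9]{4,}", re.IGNORECASE)

# Assumed tightening (hypothetical, not from the thread): no digit may sit
# between "password" and the number, and the gap is capped at MAX_GAP
# characters, so a phone number further down the message is out of reach.
MAX_GAP = 30
BOUNDED = re.compile(
    r"password\b[^0-9]{0,%d}\b[0-9]{4,}\b" % MAX_GAP, re.IGNORECASE
)

# Constructed message bodies: (label, is_lure, text).
SAMPLES = [
    ("zip-lure", True,
     "Please see the attached file for details. Password: 48213"),
    ("lure-long-gap", True,
     "The password for the archive is 70551."),
    ("helpdesk", False,
     "I reset your password as requested, please change it after you "
     "log in. -- Pat Example, Helpdesk, Example Corp, 303-555-0142"),
    ("signature-only", False,
     "Password reminder emails are disabled. Tel. +353 (0)59 5550100"),
    ("no-keyword", False,
     "Order 2004031 has shipped."),
]


def score(rule):
    """Return (lures caught, labels of clean messages the rule hit)."""
    caught, false_positives = 0, []
    for label, is_lure, text in SAMPLES:
        if rule.search(text):
            if is_lure:
                caught += 1
            else:
                false_positives.append(label)
    return caught, false_positives


def matched_text(rule, label):
    """Return the exact span a rule matched in one sample, or None."""
    for name, _is_lure, text in SAMPLES:
        if name == label:
            hit = rule.search(text)
            return hit.group(0) if hit else None
    raise KeyError(label)


if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("bounded", BOUNDED)):
        caught, fps = score(rule)
        print("%-8s lures caught=%d false positives=%s" % (name, caught, fps))
    # Shows how far ".*" ran: from "password" to the end of the signature.
    print(repr(matched_text(POSTED, "helpdesk")))
```

The bounded pattern still fires when a clean message puts a number of four or more digits straight after "password", so it narrows the false-positive problem without removing it.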
From: victor at PIXELMAGICFX.COM (Victor DiMichina)
Date: Thu Jan 12 21:23:04 2006
Subject: best place to add arguments
Message-ID: <40477693.5030300@pixelmagicfx.com>

With Panda and F-secure, a Bagel virus got through as a zip file. Panda catches it no problem as long as the -CMP switch is active. Where in MailScanner can I add the switch to do this? I opened the panda-wrapper perl script, and think I know of ONE place at the end of the $commando line, but it seems like there is a better place to put arguments.

Thanks
Vic

From denis at CROOMBS.ORG Thu Mar 4 18:28:35 2004
From: denis at CROOMBS.ORG (Denis Croombs)
Date: Thu Jan 12 21:23:04 2006
Subject: Latest BETA and Redhat 9.0
Message-ID: <010901c40216$8255be90$85b8fea9@Laptop>

Are there any problems with the latest beta and Redhat 9.0 (upgrade from 4.7x)
If so please advise how to install without a problem.

Thanks
Denis

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Marvin the E-Mail scanner

From peter at UCGBOOK.COM Thu Mar 4 18:31:10 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:23:04 2006
Subject: Calling all translators (Swedish)
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID: <404775EE.1050902@ucgbook.com>

Julian Field wrote:
> Message contained archive which could not be read

Meddelandet innehöll ett arkiv som inte kunde läsas

> Message contained password-protected archive

Meddelandet innehöll ett lösenordsskyddat arkiv

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From jscott at INFOCONEX.COM Thu Mar 4 18:33:05 2004
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:23:04 2006
Subject: W32/Bagle-Zip
References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca>
Message-ID: <026901c40217$2233f3f0$0269a8c0@home>

I just upgraded my Clamav from .60 to .67 and I see in the logs it is being detected now. However it appears that mailscanner is ignoring it and delivering the message anyway?

Mar 4 10:22:44 ruth MailScanner[11534]: /home/spool/MailScanner/incoming/11534/./KAA11543/TextFile.zip: Worm.Bagle.Gen-zippwd FOUND
Mar 4 10:22:44 ruth MailScanner[11534]: Virus Scanning: ClamAV found 1 infections
Mar 4 10:22:44 ruth MailScanner[11534]: Virus Scanning: Found 1 viruses
Mar 4 10:22:45 ruth MailScanner[11534]: Uninfected: Delivered 1 messages

I sent the test message and it came right through with no problems. I have mailscanner setup to not deliver disinfected messages. So I should have gotten an attachment indicating it had been removed. No such luck. I am temporarily blocking ZIP files till I can find a fix.

I am running F-PROT and CLAMAV. F-Prot is not detecting at all.

Jim

----- Original Message -----
From: "Dan Williamson"
To:
Sent: Thursday, March 04, 2004 8:46 AM
Subject: Re: W32/Bagle-Zip

> ClamAV is getting them.
> I had .60 installed, it wasn't catching them, however after upgrading to .67 it is now catching them.
>
> I would suggest adding a second virus scanner if you can.
>
> regards,
> -dan
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Pitt
> Sent: March 4, 2004 10:48 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: W32/Bagle-Zip
>
> Hirsh, Joshua wrote:
>
> >Looks like Sophos is now matching against the passworded zip's for the Bagle strains:
> >
> >http://www.sophos.com/virusinfo/analyses/w32baglezip.html
> >
> >-Joshua
>
> This baglezip ide was downloaded automatically, so I temporarily *allowed* .zip files to pass through MailScanner and sent a copy of Bagle-K through and Sophos still does not detect it.
> I'm not sure exactly what this definition is supposed to do that's different.
> Still waiting for the next stable release of MailScanner to be released before I upgrade.
> I have gone back to *denying* all .zip files for the time being.
>
> -Ryan Pitt
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>

From mailscanner at ecs.soton.ac.uk Thu Mar 4 18:33:45 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:04 2006
Subject: Upgrading Mailscanner
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040304183234.03956720@imap.ecs.soton.ac.uk>

Just run the install.sh script again. Read the instructions at the end carefully and run "upgrade_MailScanner_conf". It will print instructions on how to use it. Just type the commands it tells you to.

At 17:49 04/03/2004, you wrote:
>
>Ladies and Gents,
> I see that MailScanner is installed , via rpm -qa | grep mailscanner. The RPM that is in the system is mailscanner-4.24-5. Certainly I am weary of just running your install.sh scripts. All I want to do is upgrade to the new version... What is the default step of doing so..... I see the noarch rpm included, however I would like to hear from you.
>
>THANKS!
>
>Vasiliy Boulytchev
>Colorado Information Technologies, Inc.
>http://www.coinfotech.com

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 18:36:43 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: best place to add arguments In-Reply-To: <40477693.5030300@pixelmagicfx.com> References: <40477693.5030300@pixelmagicfx.com> Message-ID: <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> What does the -CMP switch do? There is a big table at the top of SweepViruses.pm which defines all the command line options passed to every scanner's -wrapper script. It's pretty obvious where to add it if you decide that is what is needed. If you can tell me exactly what -CMP does, I will consider adding it to future versions. At 18:33 04/03/2004, you wrote: >With Panda and F-secure, a Bagel virus got through as a zip file. >Panda catches it no problem as long as the -CMP switch is active. >Where in MailScanner can I add the switch to do this? I opened the >panda-wrapper perl script, and think I know of ONE place at the end of >the $commando line, but it seems like there is a better place to put >arguments. > >Thanks >Vic -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 18:37:10 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: Latest BETA and Redhat 9.0 In-Reply-To: <010901c40216$8255be90$85b8fea9@Laptop> References: <010901c40216$8255be90$85b8fea9@Laptop> Message-ID: <6.0.1.1.2.20040304183650.03b61c20@imap.ecs.soton.ac.uk> I am about to release a stable version so you might want to wait for that. At 18:28 04/03/2004, you wrote: >Are there any problems with the latest beta and Redhat 9.0 (upgrade from >4.7x) >If so please advise how to install without a problem. > >Thanks > >Denis > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >Marvin the E-Mail scanner -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 18:39:42 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:04 2006
Subject: W32/Bagle-Zip
In-Reply-To: <026901c40217$2233f3f0$0269a8c0@home>
References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca> <026901c40217$2233f3f0$0269a8c0@home>
Message-ID: <6.0.1.1.2.20040304183838.0399db28@imap.ecs.soton.ac.uk>

You almost certainly have your "Incoming Work Directory" set wrong. The path set in there must be the absolute path to the directory, not a path that follows any links. Yours should be set to
/home/spool/MailScanner/incoming
and I expect you have something like
/var/spool/MailScanner/incoming.

At 18:33 04/03/2004, you wrote:
>I just upgraded my Clamav from .60 to .67 and I see in the logs it is being detected now. However it appears that mailscanner is ignoring it and delivering the message anyway?
>
>Mar 4 10:22:44 ruth MailScanner[11534]: /home/spool/MailScanner/incoming/11534/./KAA11543/TextFile.zip: Worm.Bagle.Gen-zippwd FOUND
>Mar 4 10:22:44 ruth MailScanner[11534]: Virus Scanning: ClamAV found 1 infections
>Mar 4 10:22:44 ruth MailScanner[11534]: Virus Scanning: Found 1 viruses
>Mar 4 10:22:45 ruth MailScanner[11534]: Uninfected: Delivered 1 messages
>
>I sent the test message and it came right through with no problems. I have mailscanner setup to not deliver disinfected messages. So I should have gotten an attachment indicating it had been removed. No such luck. I am temporarily blocking ZIP files till I can find a fix.
>
>I am running F-PROT and CLAMAV. F-Prot is not detecting at all.
>
>Jim
>
>----- Original Message -----
>From: "Dan Williamson"
>To:
>Sent: Thursday, March 04, 2004 8:46 AM
>Subject: Re: W32/Bagle-Zip
>
> > ClamAV is getting them.
> > I had .60 installed, it wasn't catching them, however after upgrading to .67 it is now catching them.
> >
> > I would suggest adding a second virus scanner if you can.
> >
> > regards,
> > -dan
> >
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Pitt
> > Sent: March 4, 2004 10:48 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: W32/Bagle-Zip
> >
> > Hirsh, Joshua wrote:
> >
> > >Looks like Sophos is now matching against the passworded zip's for the Bagle strains:
> > >
> > >http://www.sophos.com/virusinfo/analyses/w32baglezip.html
> > >
> > >-Joshua
> >
> > This baglezip ide was downloaded automatically, so I temporarily *allowed* .zip files to pass through MailScanner and sent a copy of Bagle-K through and Sophos still does not detect it.
> > I'm not sure exactly what this definition is supposed to do that's different.
> > Still waiting for the next stable release of MailScanner to be released before I upgrade.
> > I have gone back to *denying* all .zip files for the time being.
> >
> > -Ryan Pitt
> >
> > --
> > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gdoris at rogers.com Thu Mar 4 18:44:03 2004
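The "Incoming Work Directory" diagnosis from the W32/Bagle-Zip reply above, turned into a check. This is an added example, not part of MailScanner: it reads the setting from MailScanner.conf text, compares it with the symlink-resolved path, and lists scanner reports whose path falls outside the configured directory. The log line is the one posted in the thread; the /var/spool value is the setting guessed at in the reply, and the function names are hypothetical.

```python
import os
import re

# Scanner report line as it appears in the MailScanner log quoted in the thread.
SAMPLE_LOG = [
    "Mar 4 10:22:44 ruth MailScanner[11534]: "
    "/home/spool/MailScanner/incoming/11534/./KAA11543/TextFile.zip: "
    "Worm.Bagle.Gen-zippwd FOUND",
    "Mar 4 10:22:44 ruth MailScanner[11534]: Virus Scanning: Found 1 viruses",
]

# The value the reply expected to find in the configuration (a guess there too).
SUSPECT_CONF = "Incoming Work Directory = /var/spool/MailScanner/incoming\n"

SETTING_RE = re.compile(r"Incoming\s+Work\s+Directory\s*=\s*(\S.*)$", re.I)
FOUND_RE = re.compile(r"MailScanner\[\d+\]:\s+(/\S+):\s+(\S+) FOUND")


def configured_work_dir(conf_text):
    """Return the 'Incoming Work Directory' value, or None if it is not set."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        hit = SETTING_RE.match(line)
        if hit:
            return hit.group(1).strip()
    return None


def audit_work_dir(conf_text):
    """Compare the configured path with the path after resolving symlinks."""
    configured = configured_work_dir(conf_text)
    if configured is None:
        raise ValueError("Incoming Work Directory is not set")
    resolved = os.path.realpath(configured)
    absolute = os.path.isabs(configured)
    return {
        "configured": configured,
        "resolved": resolved,
        "absolute": absolute,
        # ok only when the setting is already the link-free absolute path
        "ok": absolute and os.path.normpath(configured) == resolved,
    }


def reported_outside_work_dir(log_lines, configured):
    """Return (path, name) for scanner hits not under the configured dir."""
    base = os.path.normpath(configured) + os.sep
    outside = []
    for line in log_lines:
        hit = FOUND_RE.search(line)
        if not hit:
            continue
        path = os.path.normpath(hit.group(1))   # removes the "/./" segment
        if not path.startswith(base):
            outside.append((path, hit.group(2)))
    return outside


if __name__ == "__main__":
    result = audit_work_dir(SUSPECT_CONF)
    print("configured:", result["configured"])
    print("resolved:  ", result["resolved"])
    print("ok:        ", result["ok"])
    for path, name in reported_outside_work_dir(SAMPLE_LOG, result["configured"]):
        print("report outside work dir:", name, path)
```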
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:23:04 2006
Subject: bayes?
In-Reply-To:
References:
Message-ID: <47144.129.80.22.143.1078425843.squirrel@65.48.246.102>

>>I'm looking for a url and doc to download bayes for my rh 9 box.
>
> Hey Tom,
>
> I too am using RH9 and I learned that you cannot use the standard RH9 rpm for SA if you want to use bayes. RH's rpm does not include SA-Learn (bayes). I had to download the current RPM's from the SA site (http://au.spamassassin.org), this included three RPM's; perl-Mail-SpamAssassin-2.63, SA itself - spamassassin-2.63, and SA tools (which includes SA-Learn) - spamassassin-tools-2.63.
>
> You will have to remove RH's SA RPM before you install these, but then you should be all set.
>
> Craig D.

The experience of many on this list is that the SA rpm's do not always play well with MailScanner. You are much better off installing from the tarball or CPAN. You may get away with it but others have had problems.

Gerry

From victor at PIXELMAGICFX.COM Thu Mar 4 18:56:28 2004
From: victor at PIXELMAGICFX.COM (Victor DiMichina)
Date: Thu Jan 12 21:23:04 2006
Subject: best place to add arguments
References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk>
Message-ID: <40477BDC.1080709@pixelmagicfx.com>

Thanks, Julian! Below are all of the switches for pavcl. While the unoptioned pavcl will miss the new zipped bagel, the -CMP option catches it no problem.

Vic

Possible parameters:
 -NBR  Does not allow interrupting the program with Ctrl-C
 -CLV  Remove the viruses found.
 -DEL  Delete infected files.
 -REN  Rename infected files.
 -SAV  Saves the parameters to a file for its use the next time it is run
 -NSB  Do not scan nested subdirectories.
 -HEU  Activate heuristic detection method.
 -CMP  Search for viruses into compressed files.
 -NSO  Deactivate sounds.
 -NOR  Do not generate a result file.
 -AEX  Scan all files, independently of their extension.
 -AUT  Scan without user intervention.
 -MBR  Scan boot sectors
 -TSR  Run in resident mode
 -ULR  Finish resident mode
 -ESP  Change to SPANISH language.
 -ENG  Change to ENGLISH language.
 -HELP Show this help screens

From mailscanner at ecs.soton.ac.uk Thu Mar 4 18:50:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:04 2006
Subject: best place to add arguments
In-Reply-To: <40477BDC.1080709@pixelmagicfx.com>
References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> <40477BDC.1080709@pixelmagicfx.com>
Message-ID: <6.0.1.1.2.20040304184928.03b62d90@imap.ecs.soton.ac.uk>

The -CMP option is already passed to the panda-wrapper script. The current settings are this:

    CommonOptions => '-AEX -CMP -AUT -NSO -ESP',
    DisinfectOptions => '-CLV',
    ScanOptions => '-HEU',

At 18:56 04/03/2004, you wrote:
>Thanks, Julian! Below are all of the switches for pavcl. While the unoptioned pavcl will miss the new zipped bagel, the -CMP option catches it no problem.
>
>Vic
>
>Possible parameters:
> -NBR  Does not allow interrupting the program with Ctrl-C
> -CLV  Remove the viruses found.
> -DEL  Delete infected files.
> -REN  Rename infected files.
> -SAV  Saves the parameters to a file for its use the next time it is run
> -NSB  Do not scan nested subdirectories.
> -HEU  Activate heuristic detection method.
> -CMP  Search for viruses into compressed files.
> -NSO  Deactivate sounds.
> -NOR  Do not generate a result file.
> -AEX  Scan all files, independently of their extension.
> -AUT  Scan without user intervention.
> -MBR  Scan boot sectors
> -TSR  Run in resident mode
> -ULR  Finish resident mode
> -ESP  Change to SPANISH language.
> -ENG  Change to ENGLISH language.
> -HELP Show this help screens

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From victor at PIXELMAGICFX.COM Thu Mar 4 19:04:29 2004
From: victor at PIXELMAGICFX.COM (Victor DiMichina)
Date: Thu Jan 12 21:23:04 2006
Subject: best place to add arguments
References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk>
Message-ID: <40477DBD.2050206@pixelmagicfx.com>

Julian Field wrote:
>
> What does the -CMP switch do?
> There is a big table at the top of SweepViruses.pm which defines all the command line options passed to every scanner's -wrapper script. It's pretty obvious where to add it if you decide that is what is needed.
>
> If you can tell me exactly what -CMP does, I will consider adding it to future versions.

Actually, it was already there under the "CommonOptions" field. :(
For some reason it didn't catch the viruses, but when I ran it in command line mode over the Accounts directory, it caught them all. Perhaps I should put it in the "ScanOptions" field or build it directly into the panda wrapper script.

Vic

From mailscanner at ecs.soton.ac.uk Thu Mar 4 19:01:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:04 2006
Subject: best place to add arguments
In-Reply-To: <40477DBD.2050206@pixelmagicfx.com>
References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> <40477DBD.2050206@pixelmagicfx.com>
Message-ID: <6.0.1.1.2.20040304190116.03b5f8c8@imap.ecs.soton.ac.uk>

At 19:04 04/03/2004, you wrote:
>Julian Field wrote:
>
>>
>>What does the -CMP switch do?
>>There is a big table at the top of SweepViruses.pm which defines all the command line options passed to every scanner's -wrapper script. It's pretty obvious where to add it if you decide that is what is needed.
>>
>>If you can tell me exactly what -CMP does, I will consider adding it to future versions.
>
>Actually, it was already there under the "CommonOptions" field. :(
>For some reason it didn't catch the viruses, but when I ran it in command line mode over the Accounts directory, it caught them all. Perhaps I should put it in the "ScanOptions" field or build it directly into the panda wrapper script.

Beware that panda-wrapper is written in Spanish :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rgreen at TRAYERPRODUCTS.COM Thu Mar 4 18:59:20 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:23:04 2006
Subject: F-Prot
Message-ID: <40477C88.1050401@trayerproducts.com>

Hello. Which version of F-Prot are people using with MailScanner? Are you using the version specified for Linux mail servers or are you using the Linux workstation version?

Thanks,
Rod

From mailscanner at ecs.soton.ac.uk Thu Mar 4 19:06:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: F-Prot In-Reply-To: <40477C88.1050401@trayerproducts.com> References: <40477C88.1050401@trayerproducts.com> Message-ID: <6.0.1.1.2.20040304190521.02c38b70@imap.ecs.soton.ac.uk> It's just the command-line scanner that you need. Their licence is amazingly vague and doesn't define what a file server or a mail server are. Technically, any of the versions will work. But to keep the company afloat you might want to buy one of the more expensive versions. At 18:59 04/03/2004, you wrote: >Hello. Which version of F-Prot are people using with MailScanner? Are >you using the version specified for Linux mail servers or are you using >the Linux workstation version? > >Thanks, >Rod -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jscott at INFOCONEX.COM Thu Mar 4 19:10:54 2004 From: jscott at INFOCONEX.COM (Jim Scott) Date: Thu Jan 12 21:23:04 2006 Subject: W32/Bagle-Zip References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca> <026901c40217$2233f3f0$0269a8c0@home> <6.0.1.1.2.20040304183838.0399db28@imap.ecs.soton.ac.uk> Message-ID: <034801c4021c$6ab7b260$0269a8c0@home> > You almost certainly have your "Incoming Work Directory" set wrong. The > path set in there must be the absolute path to the directory, not a path > that follows any links. Yours should be set to > /home/spool/MailScanner/incoming > and I expect you have something like > /var/spool/MailScanner/incoming. > Thank You. That was exactly what the problem was. I put in place your suggestion and now the virus is being properly removed. Thanks Julian. Jim From jscott at INFOCONEX.COM Thu Mar 4 19:13:42 2004 
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:23:04 2006
Subject: Upgrading mailscanner
Message-ID: <036501c4021c$cec9d490$0269a8c0@home>

What is the best way to upgrade mailscanner from a previous version that was installed using the tar version? Don't want to have to reconfigure all my reports, config etc...

Jim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/8ea944f7/attachment.html

From maillists at CONACTIVE.COM Thu Mar 4 19:31:59 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:23:04 2006
Subject: Calling all translators
In-Reply-To:
References:
Message-ID:

Sebastian ruchti wrote on Thu, 4 Mar 2004 16:18:48 +0100:

> P.S.: Is it "Passwort" or "Paßwort"??
>

Oh, didn't even recognize that I changed that. According to the Duden
http://www.xipolis.net/1dc7075c3edfbc08bedf5ea993f3e6ecd/suche/trefferliste.php?suchbegriff[AND]=Pa%DFwort&suchbegriff[OR]=&suchbegriff[NOT]=&modus=title&level=125&treffer_pro_seite=10&suche=duden&werke[]=felix
yours with the "ss" is probably the more correct one for "new" German Syntax.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From newslists at PESSIMISTS.NET Thu Mar 4 19:39:35 2004
From: newslists at PESSIMISTS.NET (Andy Sutton) Date: Thu Jan 12 21:23:04 2006 Subject: F-Prot In-Reply-To: <40477C88.1050401@trayerproducts.com> References: <40477C88.1050401@trayerproducts.com> Message-ID: <1078429175.3963.28.camel@andy.pessimists.net> On Thu, 2004-03-04 at 13:59, Rodney Green wrote: > Hello. Which version of F-Prot are people using with MailScanner? Are > you using the version specified for Linux mail servers or are you using > the Linux workstation version? > > Thanks, > Rod This is my "conversation with F-Prot on this very issue about a month ago: I am thinking of using the command line scanner of your antivirus product with the program Mailscanner (www.mailscanner.info). What is your license policy for this, as your product will only be scanning files and not interacting with the mail process? F-Prot's response: Dear Andy. Thank you for your mail and your interest in our software. In this case you would require a Mail Server license. A File Server license is suitable for file sharing (e.g., Samba), application, print, web and FTP servers, i.e., computers that provide network services other than mail services. However, if the computer provides mail services, e.g. is an in-coming or out-going mail server, then a Mail Server license would be required. A Mail Server license is suitable for mail servers, for either in-coming or out-going mail, protecting the users against e-mail viruses and worms. The Mail Server version is licensed per user. We refer to a user as each physical user that F-Prot Antivirus will protect in one way or another against virus transmission via e-mail. The license fee applies to users across different domains. 
For price information on F-Prot Antivirus for Linux/F-Prot Antivirus for BSD please access the following links or contact us again for a price quote: http://www.f-prot.com/products/prices/price_unix_ms.html I have included a part of our end user license agreement here below that refers to the scope of each Linux/BSD license type: 1.3. F-Prot Antivirus for Linux/BSD Mail Servers version: License applies only to mail servers, mail relays and mail gateways, i.e., computers that provide mail services to a network, for either in-coming or out-going e-mail. 1.4. F-Prot Antivirus for Linux/BSD File Servers version: License applies only to file, print and application servers, i.e., computers that provide network services other than mail services. 1.5. F-Prot Antivirus for Linux/BSD Workstations version: License applies only to one single workstation and any files stored locally. If the workstation provides network services then a File Server or Mail Server license is required. Please do not hesitate to contact us if you need any further information. Best regards, Kristin Hardardottir F-Prot Antivirus Sales Department sales@f-prot.com http://www.f-prot.com Tel: +354-540-7400 Fax: +354-540-7401 Frisk Software International Postholf 7180 IS-127 Reykjavik Iceland Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From victor at PIXELMAGICFX.COM Thu Mar 4 19:51:44 2004 
From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:23:04 2006 Subject: best place to add arguments References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> <40477DBD.2050206@pixelmagicfx.com> <6.0.1.1.2.20040304190116.03b5f8c8@imap.ecs.soton.ac.uk> Message-ID: <404788D0.5060708@pixelmagicfx.com> Julian Field wrote: > > Beware that panda-wrapper is written in Spanish :-) > -- Yeah, I remembered that. :) The line I modified was the "my $comando" line:

sub busca_virus {
    my $archivo = $_[0];
    my $comando = "$pavcl '$archivo' @ARGV -CMP -AUT -HEU -CLV -NSO -AEX 2>&1 ";
#   print TEMP $comando."\n\n";

Vic From rgreen at TRAYERPRODUCTS.COM Thu Mar 4 19:45:26 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:23:04 2006 Subject: F-Prot In-Reply-To: <1078429175.3963.28.camel@andy.pessimists.net> References: <40477C88.1050401@trayerproducts.com> <1078429175.3963.28.camel@andy.pessimists.net> Message-ID: <40478756.9040202@trayerproducts.com> I hate how software companies charge per user for an application that only runs on the server. Andy Sutton wrote: >On Thu, 2004-03-04 at 13:59, Rodney Green wrote: > > >>Hello. Which version of F-Prot are people using with MailScanner? Are >>you using the version specified for Linux mail servers or are you using >>the Linux workstation version? >> >>Thanks, >>Rod >> >> > >This is my "conversation with F-Prot on this very issue about a month >ago: > >I am thinking of using the command line scanner of your antivirus >product with the program Mailscanner (www.mailscanner.info). What is >your license policy for this, as your product will only be scanning >files and not interacting with the mail process? > >F-Prot's response: > >Dear Andy. > >Thank you for your mail and your interest in our software. > >In this case you would require a Mail Server license. > >A File Server license is suitable for file sharing (e.g., Samba), >application, print, web and FTP servers, i.e., computers that provide >network services other than mail services. However, if the computer >provides mail services, e.g. is an in-coming or out-going mail server, >then a Mail Server license would be required. > >A Mail Server license is suitable for mail servers, for either in-coming >or out-going mail, protecting the users against e-mail viruses and >worms. The Mail Server version is licensed per user. We refer to a user >as each physical user that F-Prot Antivirus will protect in one way or >another against virus transmission via e-mail. The license fee applies >to users across different domains. 
> >For price information on F-Prot Antivirus for Linux/F-Prot Antivirus for >BSD please access the following links or contact us again for a price >quote: > >http://www.f-prot.com/products/prices/price_unix_ms.html > >I have included a part of our end user license agreement here below that >refers to the scope of each Linux/BSD license type: > >1.3. F-Prot Antivirus for Linux/BSD Mail Servers version: License >applies only to mail servers, mail relays and mail gateways, i.e., >computers that provide mail services to a network, for either >in-coming or out-going e-mail. > >1.4. F-Prot Antivirus for Linux/BSD File Servers version: License >applies only to file, print and application servers, i.e., computers >that provide network services other than mail services. > >1.5. F-Prot Antivirus for Linux/BSD Workstations version: License >applies only to one single workstation and any files stored >locally. If the workstation provides network services then a File >Server or Mail Server license is required. > >Please do not hesitate to contact us if you need any further >information. > >Best regards, >Kristin Hardardottir >F-Prot Antivirus Sales Department > >sales@f-prot.com >http://www.f-prot.com >Tel: +354-540-7400 >Fax: +354-540-7401 > >Frisk Software International >Postholf 7180 >IS-127 Reykjavik >Iceland > >Andy > >"I figure if I survive this thing... I can just about do anything I >want. If I don't survive, I don't have to pay taxes anymore. So it's a >win-win situation." Brian Walker, Project RUSH - X Prize Competitor > > > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From newslists at PESSIMISTS.NET Thu Mar 4 19:59:26 2004 
From: newslists at PESSIMISTS.NET (Andy Sutton) Date: Thu Jan 12 21:23:04 2006 Subject: F-Prot In-Reply-To: <40478756.9040202@trayerproducts.com> References: <40477C88.1050401@trayerproducts.com> <1078429175.3963.28.camel@andy.pessimists.net> <40478756.9040202@trayerproducts.com> Message-ID: <1078430365.3963.35.camel@andy.pessimists.net> On Thu, 2004-03-04 at 14:45, Rodney Green wrote: > I hate how software companies charge per user for an application that > only runs on the server. > What I love is that every UNIX compatible system I've ever worked on was also a mail server to some degree. Therefore according to their license position, the only box out there that should be running the file server license is windows. Pure foolishness. Andy "I figure if I survive this thing... I can just about do anything I want. If I don't survive, I don't have to pay taxes anymore. So it's a win-win situation." Brian Walker, Project RUSH - X Prize Competitor From cslyon at NETSVCS.COM Thu Mar 4 20:10:16 2004 From: cslyon at NETSVCS.COM (Christopher Lyon) Date: Thu Jan 12 21:23:04 2006 Subject: Emails in mqueue.in not being processed Message-ID: > -----Original Message----- 
> From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] > Sent: Thursday, March 04, 2004 9:42 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Emails in mqueue.in not being processed > > Having similar issues with clamavmodule at the moment, try using clamav > on the You might want to check to see if you have the Mail-ClamAV module installed. Run this: perl -e "use Mail::ClamAV;" If you get an error, you need to install it. If you don't get anything, you are good. Also, try doing a ps aux to see if MailScanner is running. > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > BG Mahesh wrote: > >>>The following entries in MailScanner.conf were changed by me, > >>> > >>> Virus Scanners = clamavmodule > >>> Use SpamAssassin = yes > >>> Always Include SpamAssassin Report = yes > >>> High Scoring Spam Actions = delete > >>> Log Speed = yes > >>> Log Spam = yes > >>> SpamAssassin Local Rules Dir = /etc/mail/spamassassin > >>> Delivery Method = queue > >>> > >>>I looked into /var/log/maillog /var/log/messages, I don't see any error > >>>messages. > >>>What could I be doing wrong? > >> > >>Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner". > >>That will probably tell you what is wrong. > >> > > > > > > The only line which I find could be a problem is: > > > > debug: DCCifd is not available: no r/w dccifd socket found. > > > > The detailed debug message is here...I don't find anything wrong here. > Not sure why emails in mqueue.in are not being processed :-( > > > > debug: DCCifd is not available: no r/w dccifd socket found. 
> > debug: all '*From' addrs: raboas2004@netscape.net > > debug: all '*To' addrs: g.jalapathi@hyd.indiainfo.com > films.feedback@team.indiainfo.com > > debug: DNS MX records found: 4 > > debug: forged-HELO: from=speed.planet.nl helo=netscape520.com > by=indiainfo.com > > debug: forged-HELO: mismatch on HELO: 'netscape520.com' != > 'speed.planet.nl' > > debug: running meta tests; score so far=6.14 > > debug: auto-learn? ham=0.1, spam=12, body-hits=1.908, head-hits=4.232 > > debug: auto-learn: currently using scoreset 1. no need to recompute. > > debug: auto-learn? no: inside auto-learn thresholds > > debug: is spam? score=7.703 required=5 > tests=FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MIME_BOUND_MANY_HEX,NIGERIAN_BO DY > 1,SUBJ_ALL_CAPS,UNCLAIMED_MONEY > > debug: bayes: 21316 tie-ing to DB file R/O > /root/.spamassassin/bayes_toks > > debug: bayes: 21316 tie-ing to DB file R/O > /root/.spamassassin/bayes_seen > > debug: bayes: found bayes db version 2 > > debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < > 200 > > debug: bayes: 21316 untie-ing > > debug: bayes: 21316 untie-ing db_toks > > debug: bayes: 21316 untie-ing db_seen > > debug: received-header: parsed as [ ip=209.66.67.196 > rdns=m6.lagnernow.com helo=m6.lagnernow.com by=blr.indiainfo.com ident= ] > > debug: received-header: 'by' blr.indiainfo.com has public IP > 203.200.50.237 > > debug: received-header: relay 209.66.67.196 trusted? no > > debug: running header regexp tests; score so far=0 > > debug: running body-text per-line regexp tests; score so far=0 > > debug: running raw-body-text per-line regexp tests; score so far=4.608 > > debug: running uri tests; score so far=4.608 > > debug: uri tests: Done uriRE > > debug: running full-text regexp tests; score so far=4.608 > > debug: DCCifd is not available: no r/w dccifd socket found. > > debug: all '*From' addrs: Lagnernow@the.lagnernow.com > > debug: all '*To' addrs: j.chan@team.indiainfo.com > > debug: is Net::DNS::Resolver available? 
yes > > debug: DNS MX records found: 1 > > debug: forged-HELO: from=lagnernow.com helo=lagnernow.com > by=indiainfo.com > > debug: running meta tests; score so far=7.918 > > debug: auto-learn? ham=0.1, spam=12, body-hits=4.608, head-hits=3.31 > > debug: auto-learn: currently using scoreset 1. no need to recompute. > > debug: auto-learn? no: inside auto-learn thresholds > > debug: is spam? score=7.918 required=5 > tests=BANG_GUARANTEE,CLICK_BELOW,COMPLETELY_FREE,GUARANTEED_100_PERCENT, HT > ML_50_60,HTML_FONTCOLOR_BLUE,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_TITL E_ > UNTITLED,HTML_WEB_BUGS,MSGID_FROM_MTA_SHORT > > debug: bayes: 21318 tie-ing to DB file R/O > /root/.spamassassin/bayes_toks > > debug: bayes: 21318 tie-ing to DB file R/O > /root/.spamassassin/bayes_seen > > debug: bayes: found bayes db version 2 > > debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < > 200 > > debug: bayes: 21318 untie-ing > > debug: bayes: 21318 untie-ing db_toks > > debug: bayes: 21318 untie-ing db_seen > > debug: received-header: parsed as [ ip=209.196.53.79 rdns=raza-web3- > admin-o.custom.dellhost.com helo=razweb3.razacomm.com by=blr.indiainfo.com > ident= ] > > debug: received-header: 'by' blr.indiainfo.com has public IP > 203.200.50.237 > > debug: received-header: relay 209.196.53.79 trusted? no > > debug: running header regexp tests; score so far=0 > > debug: running body-text per-line regexp tests; score so far=0 > > debug: running raw-body-text per-line regexp tests; score so far=0 > > debug: running uri tests; score so far=0 > > debug: uri tests: Done uriRE > > debug: running full-text regexp tests; score so far=0 > > debug: DCCifd is not available: no r/w dccifd socket found. > > debug: all '*From' addrs: mina@razacomm.com > > debug: all '*To' addrs: srinath.iyer@team.indiainfo.com > > debug: is Net::DNS::Resolver available? 
yes > > debug: DNS MX records found: 1 > > debug: forged-HELO: from=dellhost.com helo=razacomm.com by=indiainfo.com > > debug: forged-HELO: mismatch on HELO: 'razacomm.com' != 'dellhost.com' > > debug: running meta tests; score so far=0 > > debug: auto-learn? ham=0.1, spam=12, body-hits=0, head-hits=0 > > debug: auto-learn: currently using scoreset 1. no need to recompute. > > debug: auto-learn? yes, ham (0 < 0.1) > > debug: Learning Ham > > debug: uri tests: Done uriRE > > debug: lock: 21318 created > /root/.spamassassin/bayes.lock.blr.indiainfo.com.21318 > > debug: lock: 21318 trying to get lock on /root/.spamassassin/bayes with > 0 retries > > debug: lock: 21318 link to /root/.spamassassin/bayes.lock: link ok > > debug: bayes: 21318 tie-ing to DB file R/W > /root/.spamassassin/bayes_toks > > debug: bayes: 21318 tie-ing to DB file R/W > /root/.spamassassin/bayes_seen > > debug: bayes: found bayes db version 2 > > debug: tokenize: header tokens for *p = "" > > debug: tokenize: header tokens for *m = " 200403041204 AA329056476 > razweb3 razacomm com " > > debug: tokenize: header tokens for Mime-Version = "1.0" > > debug: tokenize: header tokens for *c = "/plain; charset=us-ascii" > > debug: tokenize: header tokens for *F = "U*mina D*razacomm.com D*com" > > debug: tokenize: header tokens for *R = "U*mina D*razacomm.com D*com" > > debug: tokenize: header tokens for To = "U*srinath.iyer > D*team.indiainfo.com D*indiainfo.com D*com" > > debug: tokenize: header tokens for *x = "" > > debug: tokenize: header tokens for *r = " razweb3.razacomm.com (raza- > web3-admin-o.custom.dellhost.com [209.196.53]) by blr.indiainfo.com > (8.12.10/8.12.10) ; " > > debug: bayes: Learned '200403041204.AA329056476@razweb3.razacomm.com' > > debug: bayes: 21318 untie-ing > > debug: bayes: 21318 untie-ing db_toks > > debug: bayes: 21318 untie-ing db_seen > > debug: bayes: files locked, now unlocking lock > > debug: unlock: 21318 unlink /root/.spamassassin/bayes.lock > > debug: bayes: 21318 
untie-ing > > debug: is spam? score=0 required=5 tests= > > Stopping now as you are debugging me. > > > > > > > > -- > > B.G. Mahesh > > bg.mahesh@indiainfo.com > > http://www.indiainfo.com/ > > > > -- > > ______________________________________________ > > IndiaInfo Mail - the free e-mail service with a difference! > www.indiainfo.com > > Check out our value-added Premium features, such as an extra 20MB for > mail storage, POP3, e-mail forwarding, and ads-free mailboxes! > > > > Powered by Outblaze > > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** From cparker at SWATGEAR.COM Thu Mar 4 20:36:46 2004 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B8704@ati-ex-01.ati.local> Martin Sapsed on Thursday, March 04, 2004 7:40 AM said: > > Message contained archive which could not be read > > > > Message contained password-protected archive > > Neges yn cynnwys archif na ellid ei darllen > > Neges yn cynnwys archif wedi'i diogelu â chyfrinair excuse my ignorance.. but welsh? that's from wales right? but i thought they spoke english there? From cparker at SWATGEAR.COM Thu Mar 4 20:39:26 2004
From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> Chris W. Parker <> on Thursday, March 04, 2004 12:37 PM said: > Martin Sapsed > on Thursday, March 04, 2004 7:40 AM said: > >> > Message contained archive which could not be read > >> > Message contained password-protected archive >> >> Neges yn cynnwys archif na ellid ei darllen >> >> Neges yn cynnwys archif wedi'i diogelu â chyfrinair > > excuse my ignorance.. but welsh? that's from wales right? but i > thought they spoke english there? whoops.. i meant to not send that email.. but now that i have. let me continue it... and how does wales and england and all those countries fit into the united kingdom? is blair the head of the united kingdom or just england? chris. From dpowell at LSSI.NET Thu Mar 4 20:44:27 2004 From: dpowell at LSSI.NET (Darrin) Date: Thu Jan 12 21:23:04 2006 Subject: sweep options Message-ID: <1078433067.26485.371.camel@powell> What options does MailScanner use when running sweep? I am trying to verify that we are protected from the Bagle virus and I get the following error when running sweep

[root@www:/var/spool/MailScanner/quarantine/20040304/i24HvEX08731]# /usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -loopback *
SWEEP virus detection utility
Version 3.79, March 2004 [Linux/Intel]
Includes detection for 88247 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com

System time 03:41:52 PM, System date 04 March 2004
Command line qualifiers are: -sc -f -all -rec -archive -loopback

Full Sweeping

Password protected file Readme.zip/xvyeuqpex.exe

2 files swept in 6 seconds.
1 error was encountered.
No viruses were discovered.
1 encrypted file was not checked.
End of Sweep.

Thanks in advance -- Darrin Powell LSSi Corp (919) 466-6803 www.lssi.net/~dpowell From mkbowman at neo.rr.com Thu Mar 4 20:47:09 2004
From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) References: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> Message-ID: <000c01c40229$dfd83620$8266a8c0@MKBOWMAN2> Welsh is a form of Gaelic still spoken in Wales but English is their first language. I think only a few hundred can't speak English in North Wales. Yeah Blair is the PM for the UK and not a very good one at that. ----- Original Message ----- From: "Chris W. Parker" To: Sent: Thursday, March 04, 2004 3:39 PM Subject: Re: Calling all translators (Welsh) > Chris W. Parker <> > on Thursday, March 04, 2004 12:37 PM said: > > > Martin Sapsed > > on Thursday, March 04, 2004 7:40 AM said: > > > >> > Message contained archive which could not be read > > >> > Message contained password-protected archive > >> > >> Neges yn cynnwys archif na ellid ei darllen > >> > >> Neges yn cynnwys archif wedi'i diogelu â chyfrinair > > > > excuse my ignorance.. but welsh? that's from wales right? but i > > thought they spoke english there? > > whoops.. i meant to not send that email.. but now that i have. let me continue it... > > and how does wales and england and all those countries fit into the united kingdom? is blair the head of the united kingdom or just england? > > > > chris. > From mailscanner at ecs.soton.ac.uk Thu Mar 4 20:37:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: best place to add arguments In-Reply-To: <404788D0.5060708@pixelmagicfx.com> References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> <40477DBD.2050206@pixelmagicfx.com> <6.0.1.1.2.20040304190116.03b5f8c8@imap.ecs.soton.ac.uk> <404788D0.5060708@pixelmagicfx.com> Message-ID: <6.0.1.1.2.20040304203706.03b40a18@imap.ecs.soton.ac.uk> I have made the change to the distribution as it can't do any harm and apparently helped you. At 19:51 04/03/2004, you wrote: >Julian Field wrote: > >> >>Beware that panda-wrapper is written in Spanish :-) >>-- > >Yeah, I remembered that. :) > >The line I modified was the "my $commando" line: > >sub busca_virus { > > my $archivo = $_[0]; > > my $comando = "$pavcl '$archivo' @ARGV -CMP -AUT -HEU -CLV -NSO -AEX >2>&1 "; ># print TEMP $comando."\n\n"; > >Vic -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 20:33:29 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: Upgrading mailscanner In-Reply-To: <036501c4021c$cec9d490$0269a8c0@home> References: <036501c4021c$cec9d490$0269a8c0@home> Message-ID: <6.0.1.1.2.20040304203017.039b4430@imap.ecs.soton.ac.uk> At 19:13 04/03/2004, you wrote: >What is the best way to upgrade mailscanner from a previous version that >was installed using the tar version? > >Don't want to have to reconfigure all my reports, config etc... Install the new version in a directory that is numbered with the version, eg. /opt/MailScanner-4.27-14 or whatever. Copy over all your old reports to the new one, with the exception of languages.conf which you will have to diff the old one against the new one. Use upgrade_MailScanner_conf to upgrade the MailScanner.conf file. Copy over most of the rest of the files. Sorry it is such a manual job. :-( I need to do some work on this when I get a chance. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 20:53:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: sweep options In-Reply-To: <1078433067.26485.371.camel@powell> References: <1078433067.26485.371.camel@powell> Message-ID: <6.0.1.1.2.20040304205205.0394c910@imap.ecs.soton.ac.uk> At 20:44 04/03/2004, you wrote:
>What options does MailScanner use when running sweep?

CommonOptions => '-sc -f -all -rec -ss -archive -loopback ' .
                 '--no-follow-symlinks --no-reset-atime -TNEF',
DisinfectOptions => '-di',
ScanOptions => '',

> I am trying to
>verify that we are protected from the Bagle virus and I get the
>following error when running sweep

Please ensure you install Sophos using my Sophos.install script as instructed in the docs, and not Sophos's own installation script.

>[root@www:/var/spool/MailScanner/quarantine/20040304/i24HvEX08731]#
>/usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -loopback
>*
>SWEEP virus detection utility
>Version 3.79, March 2004 [Linux/Intel]
>Includes detection for 88247 viruses, trojans and worms
>Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
>
>System time 03:41:52 PM, System date 04 March 2004
>Command line qualifiers are: -sc -f -all -rec -archive -loopback
>
>Full Sweeping
>
>Password protected file Readme.zip/xvyeuqpex.exe
>
>2 files swept in 6 seconds.
>1 error was encountered.
>No viruses were discovered.
>1 encrypted file was not checked.
>End of Sweep.

-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 4 20:51:20 2004
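The sweep run in the thread above ends with "1 encrypted file was not checked", which is the case behind the two report strings being translated elsewhere on this page. The following is an added example, not part of the original messages and not MailScanner's or Sophos's code: it shows how a gateway can tell, without the password, that a ZIP member is encrypted (general-purpose flag bit 0) or that an archive cannot be read. The function names, the depth and size limits, and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
import zlib

ENCRYPTED = 0x0001            # general-purpose flag bit 0 of a ZIP entry header
MAX_DEPTH = 3                 # assumption: nesting levels worth unpacking
MAX_NESTED_BYTES = 10 << 20   # assumption: do not unpack nested archives over 10 MiB


def inspect_archive(data, prefix="", depth=0):
    """Return (encrypted, unreadable): member paths a scanner could not look inside."""
    encrypted, unreadable = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return encrypted, [prefix.rstrip("/") or "<archive>"]
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & ENCRYPTED:
                # Only ciphertext is available, so this member was never scanned.
                encrypted.append(path)
            elif info.filename.lower().endswith(".zip"):
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    unreadable.append(path)   # refused to unpack, so not scanned
                    continue
                try:
                    inner = zf.read(info)
                except (zipfile.BadZipFile, zlib.error,
                        NotImplementedError, RuntimeError):
                    unreadable.append(path)
                    continue
                enc, bad = inspect_archive(inner, path + "/", depth + 1)
                encrypted += enc
                unreadable += bad
    return encrypted, unreadable


def verdict(data):
    """Map the findings to the report strings quoted on this page, or None."""
    encrypted, unreadable = inspect_archive(data)
    if encrypted:
        return "Message contained password-protected archive"
    if unreadable:
        return "Message contained archive which could not be read"
    return None


def make_zip(members):
    """Build a small stored (uncompressed) ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed sample only: set flag bit 0 in every local and central header.

    zipfile cannot write encrypted members; the flag is all the check above reads.
    Member data in the samples contains no ZIP signatures, so the search is safe.
    """
    out = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= ENCRYPTED
            pos = out.find(signature, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    # Constructed input shaped like the quarantined attachment in the thread.
    locked = mark_encrypted(make_zip({"xvyeuqpex.exe": b"constructed placeholder"}))
    outer = make_zip({"Readme.zip": locked, "notes.txt": b"hello"})
    print(inspect_archive(outer), verdict(outer))
```

A "No viruses were discovered" line next to an encrypted-member finding means the member was skipped, not cleared, so the two results should be reported separately.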
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local > References: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> Message-ID: <6.0.1.1.2.20040304204341.03b96cb8@imap.ecs.soton.ac.uk> At 20:39 04/03/2004, you wrote: >Chris W. Parker <> > on Thursday, March 04, 2004 12:37 PM said: > > > Martin Sapsed > > on Thursday, March 04, 2004 7:40 AM said: > > > >> > Message contained archive which could not be read > > >> > Message contained password-protected archive > >> > >> Neges yn cynnwys archif na ellid ei darllen > >> > >> Neges yn cynnwys archif wedi'i diogelu â chyfrinair > > > > excuse my ignorance.. but welsh? that's from wales right? but i > > thought they spoke english there? > >whoops.. i meant to not send that email.. but now that i have. let me >continue it... > >and how does wales and england and all those countries fit into the united >kingdom? is blair the head of the united kingdom or just england? Tony Blair is the Prime Minister (political head of the government). The Queen is the monarch. The United Kingdom is made up of England, Wales, Scotland and Northern Ireland. Welsh, having come close to dying out in the past, is experiencing a strong revival and is now taught in most schools in Wales. As an example, all road signs in Wales are either in both English and Welsh, or just Welsh. The Scottish and the Irish traditionally spoke Gaelic (2 different versions) though this has now largely died out except on the more remote islands. I walked into a pub on the Outer Hebrides off the NW coast of Scotland a few years ago and everyone in the pub turned round to see me walk in and switched to Gaelic half way through their sentences. Great welcome that was :-( Other languages used to be spoken as well, such as Cornish in Cornwall, a county in the SW of England, though that has pretty much died out now.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From brett at PROSOLUTIONSINC.COM Thu Mar 4 20:53:10 2004 From: brett at PROSOLUTIONSINC.COM (Brett) Date: Thu Jan 12 21:23:04 2006 Subject: disable spam check for a single domain Message-ID: is there a way to disable a spam check for a single domain while still having it do AV check I am currently doing a whitelist per user per domain from CustomConfig.pm Thanks All Brett From mailscanner at ecs.soton.ac.uk Thu Mar 4 21:01:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: disable spam check for a single domain In-Reply-To: References: Message-ID: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk> At 20:53 04/03/2004, you wrote: >is there a way to disable a spam check for a single domain >while still having it do AV check I am currently doing a whitelist >per user per domain from CustomConfig.pm Use a ruleset. In MailScanner.conf set

Spam Checks = /etc/MailScanner/rules/spam.check.rules

In spam.check.rules put this

To: domain.com no
FromOrTo: default yes

where domain.com should be substituted for the domain that doesn't want spam checks. See /etc/MailScanner/rules/* for more info. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Thu Mar 4 20:58:12 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) In-Reply-To: <000c01c40229$dfd83620$8266a8c0@MKBOWMAN2> References: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> <000c01c40229$dfd83620$8266a8c0@MKBOWMAN2> Message-ID: <1078433896.16713.13.camel@bach.kevinspicer.co.uk> On Thu, 2004-03-04 at 20:47, Matthew K Bowman wrote: > Welsh is a form of Gaelic still spoken in Wales but English is their first > language. I think only a few hundred can't speak English in North Wales. > You're now wondering why we need a Welsh translation if there's only a couple of hundred people who don't speak English? The answer is fairly simple - regulations! Government bodies etc. are required to be able to communicate with Welsh speakers in Welsh. If you visit Wales you'll find that all the road signs are dual language too. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin_Miller at CI.JUNEAU.AK.US Thu Mar 4 21:04:40 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:23:04 2006 Subject: Best Antivirus Scanner Message-ID: <08146035CA49D6119A36009027AC822A0549E3D4@CITY-EXCH-NTS> -----Original Message----- >With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why. I'm running clam and f-prot on one box, clam and f-secure on another. I bought f-prot when it was just $300. A month later they went to the per user licensing scheme so shopped around for a different vendor. I ended up going to f-secure because they cut me a deal, letting me license per server, rather than per user. Guess they figured they could make a sale for a smaller amount or they could watch me buy from someone else. One thing I like about f-secure is they use both the f-prot and the Kaspersky engines/databases for scanning, thus I get two for the price of one. Might see if they'll dicker w/you too... ...Kevin From kevins at BMRB.CO.UK Thu Mar 4 21:05:05 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) In-Reply-To: <6.0.1.1.2.20040304204341.03b96cb8@imap.ecs.soton.ac.uk> References: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> <6.0.1.1.2.20040304204341.03b96cb8@imap.ecs.soton.ac.uk> Message-ID: <1078434305.16687.20.camel@bach.kevinspicer.co.uk> On Thu, 2004-03-04 at 20:51, Julian Field wrote: > Tony Blair is the Prime Minister (political head of the government). The > Queen is the monarch. The United Kingdom is made up of England, Wales, > Scotland and Northern Ireland. Interestingly the union flag (aka union jack) is a combination of the flags of St George (representing England), St Andrew (for Scotland) and St. Patrick (for Ireland). Wales isn't represented in the flag as it was already a principality of England at the time of the union between England and Scotland (James II If I remember correctly) > Other languages used to be spoken as well, such as Cornish in Cornwall, a > county in the SW of England, though that has pretty much died out now. I remember reading a while ago that Cornish has been undergoing something of a revival of late. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From brett at PROSOLUTIONSINC.COM Thu Mar 4 21:05:49 2004 
From: brett at PROSOLUTIONSINC.COM (Brett) Date: Thu Jan 12 21:23:04 2006 Subject: disable spam check for a single domain In-Reply-To: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk> Message-ID: Awesome it's a Big Help thanks again Julian!!!! Brett -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Thursday, March 04, 2004 4:01 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: disable spam check for a single domain At 20:53 04/03/2004, you wrote: >is there a way to disable a spam check for a single domain >while still having it do AV check I am currently doing a whitelist >per user per domain from CustomConfig.pm Use a ruleset. In MailScanner.conf set

Spam Checks = /etc/MailScanner/rules/spam.check.rules

In spam.check.rules put this

To: domain.com no
FromOrTo: default yes

where domain.com should be substituted for the domain that doesn't want spam checks. See /etc/MailScanner/rules/* for more info. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shawkris at HOTMAIL.COM Thu Mar 4 21:08:56 2004 From: shawkris at HOTMAIL.COM (Kristian Shaw) Date: Thu Jan 12 21:23:04 2006 Subject: MCP and Spam actions Message-ID: Hi, I've currently got a problem with MCP on my server - it seems to drop messages with a certain combination of MCP and Spam settings. My spam actions are:

To: default attachment deliver

and my MCP actions are:

MCP Actions = forward xxx@xxx.co.uk
High Scoring MCP Actions = forward xxx@xxx.co.uk

It seems to be that when a message is both MCP *and* spam the message goes into a black hole. However, messages that are either MCP or Spam are delivered as expected with the actions above. Any suggestions? Kris. From jaearick at COLBY.EDU Thu Mar 4 21:37:21 2004
From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:23:04 2006 Subject: how to kill base64 emails? Message-ID: Gang, I've noticed lately that a lot of spam is base64 encoded, and I've also noticed: X-MIME-Autoconverted: from base64 to 8bit... in my mail headers lately (4.28 era). What is this about? This may relates to my howl about an uptick in spam with 4.28 that I had this morning. Maybe due to recent changes in the MIME code? Is there a quick way in MailScanner to mark base64 encoded messages as spam? Is this a bright idea to do, if I can? Jeff Earickson Colby College From victor at PIXELMAGICFX.COM Thu Mar 4 21:49:49 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:23:04 2006 Subject: best place to add arguments References: <40477693.5030300@pixelmagicfx.com> <6.0.1.1.2.20040304183527.03a3fe78@imap.ecs.soton.ac.uk> <40477DBD.2050206@pixelmagicfx.com> <6.0.1.1.2.20040304190116.03b5f8c8@imap.ecs.soton.ac.uk> <404788D0.5060708@pixelmagicfx.com> <6.0.1.1.2.20040304203706.03b40a18@imap.ecs.soton.ac.uk> Message-ID: <4047A47D.8090002@pixelmagicfx.com> Julian Field wrote: > > I have made the change to the distribution as it can't do any harm and > apparently helped you. I'm not exactly sure it helped. My perl programming is not advanced at all, and I'm not sure if the syntaxt there is proper. :/ Vic From g.pentland at SOTON.AC.UK Thu Mar 4 21:46:27 2004 
From: g.pentland at SOTON.AC.UK (Pentland G.) Date: Thu Jan 12 21:23:04 2006 Subject: Spam: Re: # SENDMAIL_RELAY Question Message-ID: This is M4... when you do the make it will add this (slightly altered) into the cf. You shouldn't ever modify the cf file by hand. What this will do is force the box with this code to send all mail that *would* be selected as local (and use the local delivery agent) the to host you specify. It also does some address rewriting. If you're not familiar with this kind of stuff then I suggest you read the o'reilly book on sendmail. Before you make this live ensure you have thoroughly tested it and it does do what you expect and want. Sendmail -bt (and optionally some other flags) puts sendmail into test mode. /parse user@domain.com will run that address through the rules and it'll tell you what it will do. Hope that helps. -----Original Message----- 
From: Daniel Gercke [mailto:gercke@HNM.DE]
Sent: 03 March 2004 15:01
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spam: Re: # SENDMAIL_RELAY Question

Sorry i'm not very familiar with sendmail config.
Where should i add this (sendmail.m4 or sendmail.cf)
When i add this, will the machine called mailscanner relay the mails or must i add all domains to /etc/mail/relay-domains ?

Pentland G. wrote:
> Try this...
>
> LOCAL_CONFIG
> # If email is bound to the local domain, what will do local delivery for us?
> dnl
> D{DefaultLocalDeliveryHost}YOURHOST.DOMAIN.COM
>
> LOCAL_RULE_0
> # Allocate a slot for the domain name
> R$+ $: < > $1
> # Addresses qualified with the local machine name - unqualify them
> R< > $+ < @ $j . > $: < > $1
> # Addresses qualified with a local domain - unqualify them
> R< > $+ < @ $=w . > $: < > $1
> # Anything else on the qualification is non-local so return and parse normally
> R< > $* @ $* $@ $1 @ $2
> # Anything unqualified qualify with the local domain
> R< > $+ $: < $M > $1
> # Now send these local emails to the default local delivery servers
> R< $+ > $+ $#esmtp $@ ${DefaultLocalDeliveryHost} $: $2 < @ $1 . >
>
> Hope that helps.
>
> -----Original Message-----
> From: Daniel Gercke [mailto:gercke@HNM.DE]
> Sent: Wed 3/3/2004 11:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: # SENDMAIL_RELAY Question
>
> Hello,
>
> i have a problem. i'm running a mailserver with a lot of domains and
> users. now i have setup another server with mailscanner. now for some
> domains i want incoming mails will go through mailscanner and
> mailscanner should relay this to the old mailserver.
> for mail coming for world this works fine. but when a local domain from
> mailserver sends to another local account this mail wouldn't send
> through mailscanner this mail will locally delivered.
> Now my question:
> What would happen if i add SENDMAIL_RELAY="mailscanner" to
> sendmailconfig of mailserver ? Will there be a mailloop between these
> machines?
>
> --
> This message has been scanned for viruses and other dangerous content
> and is - assuming up-to-date virus scanners - clean.
> MailScanner thanks transtec for their kind support.
>
From mailscanner at ecs.soton.ac.uk Thu Mar 4 21:49:34 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:04 2006 Subject: how to kill base64 emails? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040304214845.03bb0028@imap.ecs.soton.ac.uk> At 21:37 04/03/2004, you wrote: >Gang, > I've noticed lately that a lot of spam is base64 encoded, >and I've also noticed: > >X-MIME-Autoconverted: from base64 to 8bit... > >in my mail headers lately (4.28 era). What is this about? >This may relates to my howl about an uptick in spam with 4.28 >that I had this morning. Maybe due to recent changes in >the MIME code? I haven't changed anything related to this. The base64 to 8bit conversion is done by your MTA. >Is there a quick way in MailScanner to mark base64 encoded >messages as spam? Is this a bright idea to do, if I can? Attachments are base64 encoded, so this isn't such a great idea :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From cparker at SWATGEAR.COM Thu Mar 4 21:53:22 2004 
From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:23:04 2006 Subject: Calling all translators (Welsh) Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE44791D@ati-ex-01.ati.local> Julian Field on Thursday, March 04, 2004 12:51 PM said: > Tony Blair is the Prime Minister (political head of the government). > The Queen is the monarch. The United Kingdom is made up of England, > Wales, Scotland and Northern Ireland. [snip] > Other languages used to be spoken as well, such as Cornish in > Cornwall, a county in the SW of England, though that has pretty much > died out now. wow. this is all very interesting. i'm somewhat of an expert on the uk... actually wait.. that's not true at all, i just made that up. :) i've been to england once (i enjoyed it very much btw) and while there i went to ireland also. although i don't quite remember where....... nice place too. my girlfriend lived there (england, birmingham) for about 9 months as a student. she loved it and would like to go back and live there. she's a big fan of public transportation for some reason. myself on the other hand, i enjoy cars very much. so do cornish, welsh, and the two gaelic languages all sound very different or are they like the difference between portugeuse and spanish (which i understand to be similar...). chris. From mailscanner at ETILIZEPAK.COM Fri Mar 5 03:37:14 2004 From: mailscanner at ETILIZEPAK.COM (Mail Scanner Mailinglist user) Date: Thu Jan 12 21:23:04 2006 Subject: To allow HTML, Forms in emails Message-ID: <20040305033023.M45774@etilizepak.com> Hi all, I am running MailScanner version 4.23-11. I am using the default configuration with the clamav antivirus. I want to allow the HTML Messages or HTML Forms in my emails, what should I comment in the configuration file to achieve this. Sincerely, shasan From JEN at AH.DK Fri Mar 5 08:38:41 2004 
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:23:04 2006
Subject: Svar: Calling all translators - DANISH
Message-ID:

Post meddelsen indeholdt en pakket fil, der ikke kunne læses
Post meddelsen indeholdt en pakket fil, der er beskyttet af password

>>> mailscanner@ECS.SOTON.AC.UK 04-03-2004 11:39:02 >>>
Hi folks!

It's translation time again. I would like you all to translate these strings into your language of choice. They are used when unreadable or protected archives and zip files are found.

Message contained archive which could not be read
Message contained password-protected archive

Many thanks.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From bg.mahesh at INDIAINFO.COM Thu Mar 4 17:38:00 2004
From: bg.mahesh at INDIAINFO.COM (BG Mahesh) Date: Thu Jan 12 21:23:04 2006 Subject: Emails in mqueue.in not being processed Message-ID: <20040304173801.A476421AF4D@ws5-6.us4.outblaze.com> > > >The following entries in MailScanner.conf were changed by me, > > > > Virus Scanners = clamavmodule > > Use SpamAssassin = yes > > Always Include SpamAssassin Report = yes > > High Scoring Spam Actions = delete > > Log Speed = yes > > Log Spam = yes > > SpamAssassin Local Rules Dir = /etc/mail/spamassassin > > Delivery Method = queue > > > >I looked into /var/log/maillog /var/log/messages, I don't see any error > >messages. > >What could I be doing wrong? > > Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner". > That will probably tell you what is wrong. > The only line which I find could be a problem is: debug: DCCifd is not available: no r/w dccifd socket found. The detailed debug message is here...I don't find anything wrong here. Not sure why emails in mqueue.in are not being processed :-( debug: DCCifd is not available: no r/w dccifd socket found. debug: all '*From' addrs: raboas2004@netscape.net debug: all '*To' addrs: g.jalapathi@hyd.indiainfo.com films.feedback@team.indiainfo.com debug: DNS MX records found: 4 debug: forged-HELO: from=speed.planet.nl helo=netscape520.com by=indiainfo.com debug: forged-HELO: mismatch on HELO: 'netscape520.com' != 'speed.planet.nl' debug: running meta tests; score so far=6.14 debug: auto-learn? ham=0.1, spam=12, body-hits=1.908, head-hits=4.232 debug: auto-learn: currently using scoreset 1. no need to recompute. debug: auto-learn? no: inside auto-learn thresholds debug: is spam? 
score=7.703 required=5 tests=FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MIME_BOUND_MANY_HEX,NIGERIAN_BODY1,SUBJ_ALL_CAPS,UNCLAIMED_MONEY debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_toks debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 2 debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200 debug: bayes: 21316 untie-ing debug: bayes: 21316 untie-ing db_toks debug: bayes: 21316 untie-ing db_seen debug: received-header: parsed as [ ip=209.66.67.196 rdns=m6.lagnernow.com helo=m6.lagnernow.com by=blr.indiainfo.com ident= ] debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237 debug: received-header: relay 209.66.67.196 trusted? no debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: running raw-body-text per-line regexp tests; score so far=4.608 debug: running uri tests; score so far=4.608 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=4.608 debug: DCCifd is not available: no r/w dccifd socket found. debug: all '*From' addrs: Lagnernow@the.lagnernow.com debug: all '*To' addrs: j.chan@team.indiainfo.com debug: is Net::DNS::Resolver available? yes debug: DNS MX records found: 1 debug: forged-HELO: from=lagnernow.com helo=lagnernow.com by=indiainfo.com debug: running meta tests; score so far=7.918 debug: auto-learn? ham=0.1, spam=12, body-hits=4.608, head-hits=3.31 debug: auto-learn: currently using scoreset 1. no need to recompute. debug: auto-learn? no: inside auto-learn thresholds debug: is spam? 
score=7.918 required=5 tests=BANG_GUARANTEE,CLICK_BELOW,COMPLETELY_FREE,GUARANTEED_100_PERCENT,HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_TITLE_UNTITLED,HTML_WEB_BUGS,MSGID_FROM_MTA_SHORT debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_toks debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 2 debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200 debug: bayes: 21318 untie-ing debug: bayes: 21318 untie-ing db_toks debug: bayes: 21318 untie-ing db_seen debug: received-header: parsed as [ ip=209.196.53.79 rdns=raza-web3-admin-o.custom.dellhost.com helo=razweb3.razacomm.com by=blr.indiainfo.com ident= ] debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237 debug: received-header: relay 209.196.53.79 trusted? no debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=0 debug: running raw-body-text per-line regexp tests; score so far=0 debug: running uri tests; score so far=0 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=0 debug: DCCifd is not available: no r/w dccifd socket found. debug: all '*From' addrs: mina@razacomm.com debug: all '*To' addrs: srinath.iyer@team.indiainfo.com debug: is Net::DNS::Resolver available? yes debug: DNS MX records found: 1 debug: forged-HELO: from=dellhost.com helo=razacomm.com by=indiainfo.com debug: forged-HELO: mismatch on HELO: 'razacomm.com' != 'dellhost.com' debug: running meta tests; score so far=0 debug: auto-learn? ham=0.1, spam=12, body-hits=0, head-hits=0 debug: auto-learn: currently using scoreset 1. no need to recompute. debug: auto-learn? 
yes, ham (0 < 0.1) debug: Learning Ham debug: uri tests: Done uriRE debug: lock: 21318 created /root/.spamassassin/bayes.lock.blr.indiainfo.com.21318 debug: lock: 21318 trying to get lock on /root/.spamassassin/bayes with 0 retries debug: lock: 21318 link to /root/.spamassassin/bayes.lock: link ok debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_toks debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 2 debug: tokenize: header tokens for *p = "" debug: tokenize: header tokens for *m = " 200403041204 AA329056476 razweb3 razacomm com " debug: tokenize: header tokens for Mime-Version = "1.0" debug: tokenize: header tokens for *c = "/plain; charset=us-ascii" debug: tokenize: header tokens for *F = "U*mina D*razacomm.com D*com" debug: tokenize: header tokens for *R = "U*mina D*razacomm.com D*com" debug: tokenize: header tokens for To = "U*srinath.iyer D*team.indiainfo.com D*indiainfo.com D*com" debug: tokenize: header tokens for *x = "" debug: tokenize: header tokens for *r = " razweb3.razacomm.com (raza-web3-admin-o.custom.dellhost.com [209.196.53]) by blr.indiainfo.com (8.12.10/8.12.10) ; " debug: bayes: Learned '200403041204.AA329056476@razweb3.razacomm.com' debug: bayes: 21318 untie-ing debug: bayes: 21318 untie-ing db_toks debug: bayes: 21318 untie-ing db_seen debug: bayes: files locked, now unlocking lock debug: unlock: 21318 unlink /root/.spamassassin/bayes.lock debug: bayes: 21318 untie-ing debug: is spam? score=0 required=5 tests= Stopping now as you are debugging me. -- B.G. Mahesh bg.mahesh@indiainfo.com http://www.indiainfo.com/ -- ______________________________________________ IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes! Powered by Outblaze From kevins at BMRB.CO.UK Thu Mar 4 22:27:17 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:05 2006 Subject: Calling all translators (Welsh) In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE44791D@ati-ex-01.ati.local> References: <001BD19C96E6E64E8750D72C2EA0ECEE44791D@ati-ex-01.ati.local> Message-ID: <1078439237.16687.30.camel@bach.kevinspicer.co.uk> On Thu, 2004-03-04 at 21:53, Chris W. Parker wrote: > so do cornish, welsh, and the two gaelic languages all sound very > different or are they like the difference between portugeuse and spanish > (which i understand to be similar...). > Cornish is quite closely related to Welsh which in turn is more distantly related to Scots and Irish Gaelic. Welsh is also related to Breton (spoken in West Brittany (part of France)). These are all celtic languages. But I'm sounding like an expert when really all I am is a sysadmin whose fiancee is from Wales (hence visits sometimes) and spends too much time on Google! Interesting as this is I suggest we stop now since we have gone well off-topic! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From rzewnickie at RFA.ORG Thu Mar 4 22:45:54 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:23:05 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <6.0.1.1.2.20040303170607.03a23ab8@imap.ecs.soton.ac.uk> References: <4046071D.7040602@trayerproducts.com> <6.0.1.1.2.20040303170607.03a23ab8@imap.ecs.soton.ac.uk> Message-ID: <20040304224553.GD9707@rfa.org> with postfix you can also use postdrop. postdrop < path_to_queuefile On a split mta postfix/postfix.in setup this will send the message via the outgoing postfix bypassing mailscanner. -Eric Rz. On Wed, Mar 03, 2004 at 05:06:40PM +0000, Julian Field wrote: > At 16:26 03/03/2004, you wrote: > >I recently enabled > >"Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. > >How do I send the queued message on to the intended recipient? > > Drop the files into /var/spool/mqueue. The next queue run will pick them up > and deliver them. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mikes at HARTWELLCORP.COM Thu Mar 4 23:00:53 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:23:05 2006 Subject: Upgrading Mailscanner Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D32@hart-exchange.hartwellcorp.com> Boulytchev, Vasiliy wrote: > Ladies and Gents, > I see that MailScanner is installed , via rpm -qa | grep > mailscanner. The RPM that is in the system is mailscanner-4.24-5. > Certainly I am weary of just running your install.sh scripts. All I > want to do is upgrade to the new version... What is the default step > of doing so..... I see the noarch rpm included, nowever I would like > to hear from you. Why are you "weary" of it... it's one of the best I've ever seen for Unix. It checks to make sure all your Perl modules are in order before upgrading the RPM for you. Once the install is complete you can run the "upgrade_MailScanner_conf" script to finish everything off by upgrading your configuration file. -- Michael St. Laurent Hartwell Corporation From jrudd at UCSC.EDU Thu Mar 4 23:03:01 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:23:05 2006 Subject: Symlinks or no Symlinks (was: Re: W32/Bagle-Zip) References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca> <026901c40217$2233f3f0$0269a8c0@home> <6.0.1.1.2.20040304183838.0399db28@imap.ecs.soton.ac.uk> Message-ID: <4047B5A5.4CE3E99C@ucsc.edu> Julian Field wrote: > > You almost certainly have your "Incoming Work Directory" set wrong. The > path set in there must be the absolute path to the directory, not a path > that follows any links. Yours should be set to > /home/spool/MailScanner/incoming > and I expect you have something like > /var/spool/MailScanner/incoming. > I see you say that every so often, and I wonder what the deal is on this one. For one, I use symlinks to my MailScanner work area because I have to (due to some local configuration issues), and yet I have no problems with doing so. I don't see any leaks, errors, etc. MailScanner seems to actually function fine with that situation. So, why must it be the absolute path? What is it that you think will break/happen if it's not the absolute path? And, since it's perl, and perl can break open symlinks to see where they go, why not have some routine find the real path if it's that important, allowing the runtime environment to be absolute while also allowing the system administration model to be flexible? (actually, since it's a directory, you don't even need to use that symlink property, you can just run an external script that chdir's to that directory, spits out where it really is, and then have mailscanner use that output as its incoming directory location) (and, are there likely to be problems that I'm just not seeing in my results? invisible gotchas and such? it really seems like "it works even though Julian says it wont", which DOES make me wonder about future support for it, but for now it works) From mikes at HARTWELLCORP.COM Thu Mar 4 23:18:48 2004 
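The chdir-based resolution John Rudd describes in the message above, written out as an added example that is not MailScanner's own code: it reads a `Key = value` setting from a configuration file, changes into the directory and reports whether the configured path is already the physical one. The function names and the temporary fixture (which mirrors the /var/spool versus /home/spool case from the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a directory setting in a MailScanner.conf-style
# file is written as the physical path or reaches it through a symlink.

# conf_value FILE KEY -> prints the value of the first "KEY = value" line.
# (Reading the first occurrence is a choice made by this example.)
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)        # trim both sides
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# physical_dir DIR -> prints DIR with every symlink resolved, by changing
# into it in a subshell and asking for the physical working directory.
physical_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# check_workdir FILE [KEY]
#   prints the physical path and returns
#   0: configured path is already the physical path
#   1: configured path passes through at least one symlink
#   2: setting missing, or directory not accessible
check_workdir() {
    key="${2:-Incoming Work Directory}"
    configured=$(conf_value "$1" "$key")
    [ -n "$configured" ] || return 2
    real=$(physical_dir "$configured") || return 2
    printf '%s\n' "$real"
    # Strip a trailing slash so "/a/b/" and "/a/b" compare equal.
    [ "${configured%/}" = "$real" ] && return 0
    return 1
}

# make_fixture -> builds a constructed layout and prints its root:
#   ROOT/home/spool/MailScanner/incoming   real directory
#   ROOT/var/spool -> ROOT/home/spool      symlink
#   ROOT/linked.conf, ROOT/direct.conf     one setting each
make_fixture() {
    root=$(physical_dir "$(mktemp -d)") || return 1
    mkdir -p "$root/home/spool/MailScanner/incoming" "$root/var"
    ln -s "$root/home/spool" "$root/var/spool"
    printf 'Incoming Work Directory = %s\n' \
        "$root/var/spool/MailScanner/incoming" > "$root/linked.conf"
    printf 'Incoming Work Directory = %s\n' \
        "$root/home/spool/MailScanner/incoming" > "$root/direct.conf"
    printf '%s\n' "$root"
}

# Demonstration on the constructed fixture.
fixture=$(make_fixture)
for conf in linked direct; do
    rc=0
    real=$(check_workdir "$fixture/$conf.conf") || rc=$?
    echo "$conf.conf: status=$rc physical=$real"
done
rm -rf "$fixture"
```

On a real host, `check_workdir /etc/MailScanner/MailScanner.conf` prints the path to put in the configuration file when the status is 1.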
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:23:05 2006
Subject: Emails in mqueue.in not being processed
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D34@hart-exchange.hartwellcorp.com>

Christopher Lyon wrote:
> You might want to check to see if you have the Mail-ClamAV module
> installed.
>
> Run this: perl -e "use Mail::ClamAV;"
>
> If you get an error, you need to install it. If you don't get
> anything, you are good.

Hmmm... *I* don't have Mail::ClamAV installed. I'm on a Red Hat 9 system. Should I be installing an RPM for it?
--
Michael St. Laurent
Hartwell Corporation
From raymond at PROLOCATION.NET Thu Mar 4 23:21:15 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:05 2006
Subject: Emails in mqueue.in not being processed
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D34@hart-exchange.hartwellcorp.com>
Message-ID:

Hi!

> > Run this: perl -e "use Mail::ClamAV;"
> >
> > If you get an error, you need to install it. If you don't get
> > anything, you are good.
>
> Hmmm... *I* don't have Mail::ClamAV installed. I'm on a Red Hat 9 system.
> Should I be installing an RPM for it?

perl -MCPAN -e shell
install Mail::ClamAV

This is mentioned more than once, please look in the archives and F.A.Q. also.

Bye,
Raymond.
From mikes at HARTWELLCORP.COM Thu Mar 4 23:23:33 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:23:05 2006
Subject: Still not sure I understand proper use of Bayes
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D35@hart-exchange.hartwellcorp.com>

Okay, the Bayes engine here is still not doing anything because even though I've got 230 spam messages for it to process, it complains that it has less than 200 *ham* messages.

I've only been moving things into the "ham" folder that were incorrectly marked as spam. Is there something I'm not understanding about how this is supposed to work?
--
Michael St. Laurent
Hartwell Corporation
From ugob at CAMO-ROUTE.COM Thu Mar 4 23:32:27 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:05 2006
Subject: Still not sure I understand proper use of Bayes
Message-ID: <54C38A0B814C8E438EF73FC76F36292741097F@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
>Sent: March 4, 2004 18:24
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Still not sure I understand proper use of Bayes
>
>
>Okay, the Bayes engine here is still not doing anything
>because even though
>I've got 230 spam messages for it to process, it complains
>that it has less
>than 200 *ham* messages.

This means that it hasn't seen 200 non-spam messages yet. Is your installation recent?

>
>I've only been moving things into the "ham" folder that were
>incorrectly
>marked as spam.

What folder? Is there something I'm not understanding
>about how this is
>supposed to work?
>
>--
>Michael St. Laurent
>Hartwell Corporation
>
From mikes at HARTWELLCORP.COM Thu Mar 4 23:50:25 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:23:05 2006 Subject: Still not sure I understand proper use of Bayes Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D38@hart-exchange.hartwellcorp.com> >> Okay, the Bayes engine here is still not doing anything because even >> though I've got 230 spam messages for it to process, it complains >> that it has less than 200 *ham* messages. > > This means that it hasn't seen 200 non-spam messages yet. It your > installation recent? I installed about three weeks ago. >> I've only been moving things into the "ham" folder that were >> incorrectly marked as spam. > > What folder? Sorry, I forgot to explain that. I created two folders on our IMAP server. One called "Spam" and one called "NotSpam". Each night I've got a process that downloads the messages in those folders and submits them to sa-learn. -- Michael St. Laurent Hartwell Corporation From jrudd at UCSC.EDU Thu Mar 4 23:50:31 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:23:05 2006 Subject: Still not sure I understand proper use of Bayes References: <91A5926EFF44D3118B1200104B7276EB02C56D35@hart-exchange.hartwellcorp.com> Message-ID: <4047C0C7.D0463F6E@ucsc.edu> "Michael St. Laurent" wrote: > > I've only been moving things into the "ham" folder that were incorrectly > marked as spam. Is there something I'm not understanding about how this is > supposed to work? > Ham is not just "things that were marked as spam but shouldn't have been". Ham is "all things that are not spam". When you're doing on-going adjustments (correcting mistakes), just sending it your new "false positives" (as you indicated) is ok. But for the initial training, what you really ought to do is find a folder of yours, from various sources, on various subjects, that are all messages you consider to be "definitely not spam". Submit those messages as ham. The more the better (though, I think SA has a functional maximum before it starts to forget earlier submissions, but I'm not sure if that's based upon age of submissions or number of sumissions). From rggarcia at IMGAME.NET Fri Mar 5 00:18:11 2004 
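For the initial-training advice in John Rudd's message above, an added example (not from the thread and not SpamAssassin's own code) that reads `sa-learn --dump magic` output, compares the learned spam and ham counts with the 200-message minimum quoted in this thread, and checks whether a folder of known-good mail in mbox format would close the ham gap. The dump lines, the counts and the mbox are constructed samples in the layout this example assumes for that command, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is the Bayes database usable yet, and would a ham folder help?
# On a real host:  sa-learn --dump magic > magic.txt

# bayes_counts: reads dump text on stdin, prints "NSPAM NHAM"; exit 2 if absent.
bayes_counts() {
    awk '
        $NF == "nspam" { s = $3; have_s = 1 }
        $NF == "nham"  { h = $3; have_h = 1 }
        END { if (!have_s || !have_h) exit 2; print s, h }'
}

# mbox_count FILE: number of messages, counted as "From " separator lines
# that start the file or follow a blank line. Messages sa-learn has already
# seen are skipped when learning, so this is an upper bound on new ham.
mbox_count() {
    awk 'BEGIN { blank = 1; n = 0 }
         /^From / && blank { n++ }
         { blank = ($0 == "") }
         END { print n }' "$1"
}

# bayes_plan DUMPFILE HAM_MBOX [MIN]
#   prints one summary line and returns
#   0: both counts already reach MIN
#   1: only ham is short and the folder holds enough messages to cover it
#   2: still short after learning the folder
#   3: input could not be read
bayes_plan() {
    min="${3:-200}"
    counts=$(bayes_counts < "$1") || return 3
    nspam=${counts% *}
    nham=${counts#* }
    avail=$(mbox_count "$2") || return 3
    need_spam=0
    need_ham=0
    [ "$nspam" -lt "$min" ] && need_spam=$((min - nspam))
    [ "$nham" -lt "$min" ] && need_ham=$((min - nham))
    printf 'nspam=%s nham=%s need_spam=%s need_ham=%s ham_folder=%s\n' \
        "$nspam" "$nham" "$need_spam" "$need_ham" "$avail"
    if [ "$need_spam" -eq 0 ] && [ "$need_ham" -eq 0 ]; then return 0; fi
    if [ "$need_spam" -eq 0 ] && [ "$avail" -ge "$need_ham" ]; then return 1; fi
    return 2
}

# make_samples DIR: writes the constructed inputs used below.
make_samples() {
    cat > "$1/magic.txt" <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0        230          0  non-token data: nspam
0.000          0         57          0  non-token data: nham
0.000          0      41872          0  non-token data: ntokens
EOF
    cat > "$1/notspam.mbox" <<'EOF'
From alice@example.org Thu Mar  4 09:00:00 2004
Subject: minutes

Attached as promised.
From here on this is body text, not a separator.

From bob@example.org Thu Mar  4 10:00:00 2004
Subject: lunch

See you at noon.

From carol@example.org Thu Mar  4 11:00:00 2004
Subject: backup report

All jobs finished.
EOF
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
rc=0
bayes_plan "$tmp/magic.txt" "$tmp/notspam.mbox" || rc=$?
echo "status=$rc"
rm -rf "$tmp"
```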
From: rggarcia at IMGAME.NET (Rosaldo Garcia) Date: Thu Jan 12 21:23:05 2006 Subject: fatal: the Postfix mail system is already running Message-ID: Im totally lost in here could somebody help me ? I have running postfix and ived just installed Mailscanner with the procedure on this links http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml, how come when i executed this command : Start the incoming Postfix postfix -c /etc/postfix.in start Start the outgoing Postfix postfix -c /etc/postfix start Start MailScanner check_MailScanner I have this error logs " Mar 5 08:21:51 mail postfix/postfix-script: fatal: the Postfix mail system is already running" it seems that "postfix -c /etc/postfix start" already run with the previous command? Any help is much appreciated. -Ross From rcooper at DWFORD.COM Fri Mar 5 01:03:36 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:05 2006 Subject: Spam Forwarding In-Reply-To: <6.0.1.1.2.20040304173444.038f30c0@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, March 04, 2004 12:35 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spam Forwarding > > > At 16:50 04/03/2004, you wrote: > >I forward spam and high scoring spam to a special > mail box to be > >checked for possible fps and then fed to bayes. Yesterday I > >started archiving mail to a special folder to use to > automate the > >ham side of bayes learning. I was looking through > what was in the > >ham folder from the first night and ever high scoring > spam was in > >there? I saw only one normal spam but every single > high scoring > >spam was archived. > > > >Is this the proper behavior? I have both spam actions set to > >delete aspecialbox@ourdomain.com > > > >and Archive Mail = anotherbox@ourdomain.com > > > >I can get around it by having the script that does > the learning > >check the headers and remove the spam If I have to but I was > >hoping that only good mail would get archived. > > > > Rick Cooper > > It's a mail archive, it isn't a non-spam archive. You > should use "non-spam > actions" for doing that. > -- IaMsOwETADIT! You know, I thought forward was *not* one of the non spam actions... Ack! Sorry. From ugob at CAMO-ROUTE.COM Fri Mar 5 01:22:31 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:05 2006
Subject: Still not sure I understand proper use of Bayes
Message-ID: <54C38A0B814C8E438EF73FC76F362927410980@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Michael St. Laurent [mailto:mikes@HARTWELLCORP.COM]
>Sent: March 4, 2004 18:50
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Still not sure I understand proper use of Bayes
>
>
>>> Okay, the Bayes engine here is still not doing anything because even
>>> though I've got 230 spam messages for it to process, it complains
>>> that it has less than 200 *ham* messages.
>>
>> This means that it hasn't seen 200 non-spam messages yet. Is your
>> installation recent?
>
>I installed about three weeks ago.
>
>>> I've only been moving things into the "ham" folder that were
>>> incorrectly marked as spam.
>>
>> What folder?
>
>Sorry, I forgot to explain that. I created two folders on our
>IMAP server.
>One called "Spam" and one called "NotSpam". Each night I've
>got a process
>that downloads the messages in those folders and submits them
>to sa-learn.
>

Ok, but do you think your system should have seen more than 200 non-spam messages already?

>--
>Michael St. Laurent
>Hartwell Corporation
>
From gib at TMISNET.COM Fri Mar 5 01:12:37 2004
From: gib at TMISNET.COM (Gib Gilbertson Jr.) Date: Thu Jan 12 21:23:05 2006 Subject: Best Antivirus Scanner In-Reply-To: <089601c401f1$caa7fed0$45a610ac@fleetone.com> References: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI> <089601c401f1$caa7fed0$45a610ac@fleetone.com> Message-ID: <6.0.1.1.2.20040305110502.02b98370@mail.tmisnet.com> Hi. Looking at f-prot for BSD, which version is neede for MailScanner? Work station, file server, or Mailserver version? Thanks gib At 08:05 AM 3/4/2004 -0600, you wrote: >"urn:schemas-microsoft-com:office:office" xmlns:w = >"urn:schemas-microsoft-com:office:word"> > >IMHO, f-prot. Their updates seems as fast as anyone else out there, and >their prices were cheaper then most of the others when we looked into them. > > > >Rob > > >From: Harnish, Joe >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Thursday, March 04, 2004 7:57 AM >Subject: Best Antivirus Scanner > >All, > > > >With recent issues with McAfee Antivirus, was wondering what AV tool you >think is the best and why. > > > >Thanks > > > >Joe Gib Gilbertson Jr. Tierramiga Info Systems 619-287-8647 Support http://www.tmisnet.com San Diego's "Friendly ISP" From pete at eatathome.com.au Fri Mar 5 01:26:57 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:05 2006 Subject: Win32/Bagle.gen.zip In-Reply-To: <1078423219.26485.351.camel@powell> References: <1078423219.26485.351.camel@powell> Message-ID: <4047D761.3060705@eatathome.com.au> Darrin wrote: >Does anyone know where I can find the Win32/Bagle.gen.zip "k" virus, to >test with? > > > > >Thanks >-- >Darrin Powell >LSSi Corp >(919) 466-6803 >www.lssi.net/~dpowell > > > > > send me an email and i will reply with it, i dont want to send an unsolicited virus. From pete at eatathome.com.au Fri Mar 5 01:44:02 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:05 2006 Subject: DOS Attack :( Resolved Message-ID: <4047DB62.5080809@eatathome.com.au> Thanks you KINDLY to those who took the time to read my many posts, that i now realize were poorly formatted and made it difficult for the kind souls of this list to assist me. My apologies, and thanks. The problem, as suggested by more than one person was our firewall. Our firewall is a watchguard firebox that is managed by our IT guy in another campus, he is no networking guru, he made a change and for reasons he cannot explain, my mailservers acquired buggered up DNS access. I had checked with him 3 times yesterday to get him to double check that i had DNS access, he assured me i did. This morning i asked him to make a rule to allow any in/out traffic to mail servers while i tested and they instantly began working, he fixed from there. Still even after 'rectification' RBLs fail intermittently, but mail does get processed, but very slowly. He has explicitly given access to these server to the following ports, anything we have we dont need to run MS and SA, or anything extra we should have turned on?. (i plan to turn on dcc, pyzor and razor2 after this mess is sorted) Outbound tcp 7 udp 6277 udp 24441 tcp 2703 tcp 53 udp 53 tcp 25 + inbound tcp 80 + inbound tcp 445 udp 445 From pete at eatathome.com.au Fri Mar 5 02:37:10 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:05 2006 Subject: fatal: the Postfix mail system is already running In-Reply-To: References: Message-ID: <4047E7D6.5040603@eatathome.com.au> Rosaldo Garcia wrote: >I'm totally lost in here could somebody help me ? I have running postfix and >I've just installed Mailscanner with the procedure on this link >http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml, how come >when i executed this command : > Start the incoming Postfix > postfix -c /etc/postfix.in start > Start the outgoing Postfix > postfix -c /etc/postfix start > Start MailScanner > check_MailScanner > >I have this error logs " Mar 5 08:21:51 mail postfix/postfix-script: fatal: >the Postfix mail system is already running" > >it seems that "postfix -c /etc/postfix start" already run with the previous >command? > > >Any help is much appreciated. > > >-Ross > > > > Which OS are you running? If it's Red Hat simply do #service MailScanner start|restart|reload|stop From stefanzman at yahoo.com Fri Mar 5 02:53:21 2004
From: stefanzman at yahoo.com (Stefan Zauchenberger) Date: Thu Jan 12 21:23:05 2006 Subject: F-Prot In-Reply-To: <6.0.1.1.2.20040304190521.02c38b70@imap.ecs.soton.ac.uk> Message-ID: <20040305025321.40322.qmail@web41313.mail.yahoo.com> This is an excellent point. While it is possible to use workstation versions with MailScanner, giving LINUX-centric AV vendors less than $50 for each server does not bode well for their longevity in an ultra-competitive environment. We need a few of them to hang around... --- Julian Field wrote: > It's just the command-line scanner that you need. > Their licence is > amazingly vague and doesn't define what a file > server or a mail server are. > Technically, any of the versions will work. But to > keep the company afloat > you might want to buy one of the more expensive > versions. > > At 18:59 04/03/2004, you wrote: > >Hello. Which version of F-Prot are people using > with MailScanner? Are > >you using the version specified for Linux mail > servers or are you using > >the Linux workstation version? > > > >Thanks, > >Rod > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their > support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 > 5947 1415 B654 __________________________________ Do you Yahoo!? Yahoo! Search - Find what you’re looking for faster http://search.yahoo.com From stefanzman at yahoo.com Fri Mar 5 02:56:56 2004 
From: stefanzman at yahoo.com (Stefan Zauchenberger) Date: Thu Jan 12 21:23:05 2006 Subject: eTrust - Lagging Virus Definitions In-Reply-To: Message-ID: <20040305025656.37789.qmail@web41314.mail.yahoo.com> Have a look at this article: http://itmanagement.earthweb.com/columns/executive_tech/article.php/3316511 --- Nathan Johanson wrote: > Just a heads up for eTrust users... While this is > indicative of other > AntiVirus vendors recently, they finally got around > to releasing > definitions for W32/Beagle.J and variants). These > things were blowing > right past my system. I finally blocked zip files > altogether until I've > had a chance to upgrade to the latest release. > > Maybe my expectations are too high, but this is > inexcusable. I saw the > first virus of this type enter my system on Mon > 03/01/04. It took > Computer Associates just about four days to release > definitions that > would detect it. A sorry state of affairs. > > ==== > > > This is to notify you of the results of your > submission, issue number > 298013. > > With regards to the file "Mandy.zip" submitted by > you on 04 Mar > 18:21:00 (Australian Eastern Standard Time), we have > added cure > instructions for Win32/Bagle.ZIP.Worm to the > signature files for the > InoculateIT engine. > > The PkWare Zip Archive file "Mandy.zip" has been > determined to be > malicious. The file has been identified as ZIP.Bagle > worm. 
> > Aliases reported by other AV products are listed > here: > (Win32/Bagle.gen.zip) (W32/Bagle.h!pwdzip) > (W32.Beagle.F@mm) > > CA antivirus products address this malware as > follows: > ------------------------------------------------------ > > eTrust Antivirus 6.x/v7 (Vet Engine) > Engine Update version Last > Update > 11.4.0 11.4.8187 04 > Mar > > eTrust Antivirus 6.x/v7 (InoculateIT Engine) > Engine Update version Last > Update > 23.64.0 23.64.29 05 > Mar > > Inoculan/InoculateIT 4.x > Engine Update version Last > Update > 46.0* 46.29* 05 > Mar > * Limited ability to cure infections, i.e. > cleaning Windows > registry. CA will be dropping support for this > product, please read > > http://support.ca.com/techbases/ilnt/ino_drop.html > > > This automated scanning service "Virtue" complements > our regular > technical support service. It is not a replacement > for it. If the > automatic responses you receive are incomplete or > irrelevant to your > query, a technician will contact you. If you have > further queries, > please submit them with reference number 298013 in > "Plain Text" email > format to virus@ca.com. > Users of Microsoft Outlook/Outlook Express can > configure the outgoing > email format in the > Tools|Options...|Send|Mail Sending Format... > menu. To improve your security we recommend sending > email in "Plain > Text" format only. . > > If you would like to comment on the quality of this > automated service, > please send email to virtue.feedback@ca.com. > > eTrust Global Antivirus Research Team > Computer Associates > === message truncated === From stefanzman at yahoo.com Fri Mar 5 03:06:25 2004 From: stefanzman at yahoo.com (Stefan Zauchenberger) Date: Thu Jan 12 21:23:05 2006 Subject: Best Antivirus Scanner In-Reply-To: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI> Message-ID: <20040305030625.69308.qmail@web41303.mail.yahoo.com> Kaspersky works well and provides fast updates. They did well with the password-protected zips: http://www.kaspersky.com/news.html?id=146100010 Pretty smart folks... --- "Harnish, Joe" wrote: > All, > > > > With recent issues with McAfee Antivirus, was > wondering what AV tool you > think is the best and why. > > > > Thanks > > > > Joe > > From bg.mahesh at INDIAINFO.COM Fri Mar 5 03:42:05 2004 From: bg.mahesh at INDIAINFO.COM (BG Mahesh) Date: Thu Jan 12 21:23:05 2006 Subject: Emails in mqueue.in not being processed Message-ID: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> ----- Original Message -----
From: Raymond Dijkxhoorn > > perl -MCPAN -e shell > install Mail::ClamAV > > This is mentioned more than once, please look in the archives and F.A.Q. > also. In my case I do have Mail::ClamAV % perlmodver Mail::ClamAV Mail::ClamAV : 0.06 How come the emails in mqueue.in are not being processed :-( -- B.G. Mahesh bg.mahesh@indiainfo.com http://www.indiainfo.com/ -- ______________________________________________ IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes! Powered by Outblaze From list at souil.com Fri Mar 5 04:07:55 2004
From: list at souil.com (Ben) Date: Thu Jan 12 21:23:05 2006 Subject: No subject Message-ID: <20043512755.857363@bensil> Dear Julian, But i am previously use the Windows MDAEMON mail server with internal integrated spamassassin engine. Two things that i don't see in MS are: 1. spam score can be placed in the subject. 2. spam rules description can be placed beside the rules name in the mail headers. For the first point, people with lots of spams can easily filter out some high score that are not yet qualified for the settings in the mail gateway. For the 2nd point, my customers want to be more clear about how the rules are running and sometimes can make more suggestions for tuning the spamassassin. Since i am running with many different domains and different users. They all want different settings. How is this 2 possibility to be added to MS ? That would be great! Example: ---------------- Subject: ***SPAM*** Score/Req: 09.73/05.00 lackluster carroll X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) X-Spam-Report: * 1.5 MORTGAGE_PITCH BODY: Looks like mortgage pitch * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain * 3.0 SUSPICIOUS_RECIPS Similar addresses in recipient list * 4.3 SORTED_RECIPS Recipient list is sorted by address X-Spam-Status: Yes, hits=9.7 required=5.0 tests=BIZ_TLD,HTML_MESSAGE, MIME_HTML_ONLY,MORTGAGE_PITCH,SORTED_RECIPS,SUSPICIOUS_RECIPS autolearn=no version=2.63 X-Spam-Level: ********* X-Spam-Processed: xxxxxxxxxxnet, Fri, 05 Mar 2004 12:05:32 +0800 ------------------------------------------- >Date: Thu, 1 May 2003 16:53:52 +0100 >Sender: MailScanner mailing list
From: Julian Field >Not sure if this has been addressed before, but I was wondering is it >possible to put the spamassassin score in the subject line of tagged >e-mail? > >e.g. > >{SPAM? email score=4.1}... >No it isn't I'm afraid. But the "SpamScore" header lets you indicate the >spam score in a way that can be filtered automatically by email applications From pete at eatathome.com.au Fri Mar 5 04:22:48 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:05 2006 Subject: Upgrading Mailscanner In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D32@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56D32@hart-exchange.hartwellcorp.com> Message-ID: <40480098.6030501@eatathome.com.au> Michael St. Laurent wrote: >Boulytchev, Vasiliy wrote: > > >>Ladies and Gents, >> I see that MailScanner is installed , via rpm -qa | grep >>mailscanner. The RPM that is in the system is mailscanner-4.24-5. >>Certainly I am weary of just running your install.sh scripts. All I >>want to do is upgrade to the new version... What is the default step >>of doing so..... I see the noarch rpm included, however I would like >>to hear from you. >> >> > >Why are you "weary" of it... it's one of the best I've ever seen for Unix. >It checks to make sure all your Perl modules are in order before upgrading >the RPM for you. Once the install is complete you can run the >"upgrade_MailScanner_conf" script to finish everything off by upgrading your >configuration file. > >-- >Michael St. Laurent >Hartwell Corporation > > > > > It's as simple as they say, i did it from the same version as you and it worked fine. Further down the list i notice Julian says a new version is due out 'soon' which could mean within days, may be worth waiting for that one? From list at souil.com Fri Mar 5 04:42:58 2004
From: list at souil.com (Ben) Date: Thu Jan 12 21:23:05 2006 Subject: W32/Bagle-Zip, sophos cannot update ? In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB6069@eqmail1.efni.vpn> Message-ID: <200435124258.247970@bensil> But i don't see the Mailscanner update my sophos. Sophos Information Product version : 3.78 Engine version : 2.18 Released : 02 February 2004 Total viruses (with IDEs) : 87557 The latest IDE detects: 03 March 2004, 10:25:29 mydoom-g.ide IDE Loaded I am using sophossavi clamavmodule but in the maillog, i only see the MS update the clam, not the sophos in auto-update. Anything i can check or test? On Thu, 4 Mar 2004 10:08:02 -0500, Hirsh, Joshua wrote: >Looks like Sophos is now matching against the passworded zip's for >the Bagle strains: > >http://www.sophos.com/virusinfo/analyses/w32baglezip.html > > >-Joshua From list at souil.com Fri Mar 5 04:50:17 2004 From: list at souil.com (Ben) Date: Thu Jan 12 21:23:05 2006 Subject: sweep options In-Reply-To: <6.0.1.1.2.20040304205205.0394c910@imap.ecs.soton.ac.uk> Message-ID: <200435125017.939929@bensil> On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote: > >> I am trying to >> verify that we are protected from the Bagle virus and I get the >> following error when running sweep >> > > Please ensure you install Sophos using my Sophos.install script as > instructed in the docs, and not Sophos's own installation script. > You mean this doc? http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml From ugob at CAMO-ROUTE.COM Fri Mar 5 04:52:08 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:23:05 2006 Subject: To allow HTML, Forms in emails Message-ID: <54C38A0B814C8E438EF73FC76F362927410981@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Mail Scanner Mailinglist user [mailto:mailscanner@ETILIZEPAK.COM] >Sent: March 4, 2004 22:37 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: To allow HTML, Forms in emails > > >Hi all, > >I am running MailScanner version 4.23-11. I am using the >default configuration >with the clamav antivirus. I want to allow the HTML Messages >or HTML Forms in >my emails, what should I comment in the configuration file to >achieve this. > Search for "Allow" in MailScanner.conf and put yes to whatever you like. >Sincerely, > >shasan > From linux at MOSTERT.NOM.ZA Fri Mar 5 06:03:31 2004 From: linux at MOSTERT.NOM.ZA (Mozzi) Date: Thu Jan 12 21:23:05 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> References: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> Message-ID: <200403050803.31802.linux@mostert.nom.za> I seem to have the same problem. I just disabled clamav and I am just using f-prot currently and still it seems as though my messages aren't getting processed : ------------------------------------------------------- New Batch: Found 3124 messages waiting Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 messages, 16145460 bytes New Batch: Found 3152 messages waiting Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 messages, 14979600 bytes ------------------------------------------------------- And it just becomes more and more. I run Red-Hat 7.3 MailScanner 4.27.7-1 ClamAV version 0.67-1 F-PROT ANTIVIRUS Program version: 4.3.5 Engine version: 3.14.8 I tried installing the clamav perl module but I get errors Mozzi On Friday 05 March 2004 05:42, BG Mahesh wrote: > ----- Original Message -----
> From: Raymond Dijkxhoorn > > > perl -MCPAN -e shell > > install Mail::ClamAV > > > > This is mentioned more than once, please look in the archives and F.A.Q. > > also. > > In my case I do have Mail::ClamAV > > % perlmodver Mail::ClamAV > Mail::ClamAV : 0.06 > > How come the emails in mqueue.in are not being processed :-( > > > -- > B.G. Mahesh > bg.mahesh@indiainfo.com > http://www.indiainfo.com/ > > > ************************************************************ > Scanned by @lantic IS Virus Control Service > This message was scanned for viruses and dangerous content. > @lantic Internet Services (Pty) Ltd. - http://www.lantic.net > eScan for Windows-based PCs - http://www.escan.co.za > > If you have received a message marked in the subject line > as [SPAM] please note that according to our MailScanner, > this message has all the attributes of Unsolicited > Commercial Email (UCE). If the message has however been > marked incorrectly, please send a query to abuse@lantic.net > ************************************************************ From linux at MOSTERT.NOM.ZA Fri Mar 5 06:22:33 2004 From: linux at MOSTERT.NOM.ZA (Mozzi) Date: Thu Jan 12 21:23:05 2006 Subject: Help needed Message-ID: <200403050822.33039.linux@mostert.nom.za> Hi all I am in a spot of trouble here if anyone can help please contact me on msn stefaans@lantic.net Mozzi From yg at EWAN.COM.ER Fri Mar 5 06:39:08 2004
From: yg at EWAN.COM.ER (Yohannes Gebrehiwet) Date: Thu Jan 12 21:23:05 2006 Subject: QMAIL Support In-Reply-To: <200403050803.31802.linux@mostert.nom.za> References: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> <200403050803.31802.linux@mostert.nom.za> Message-ID: <6.0.1.1.0.20040305093638.01ef3660@mail.eol.com.er> Dear All, The change logs for sometime now (since 4.27.x) have been talking about QMAIL Support. Does this mean MailScanner will work with the QMAIL MTA? If so, has anybody tried it? And where do we get the qmail_queue.zip file that is mentioned in the change logs? Any help would be much appreciated. Regards, Yohannes Gebrehiwet, Operations Director, Ewan Technology Solutions Inc., Saba Building, 2nd Floor, Warsay Street, Asmara, ERITREA. Tel: +291 1 183040 Fax: +291 1 183042 From kevins at BMRB.CO.UK Fri Mar 5 07:45:18 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:05 2006 Subject: Calling all translators (Welsh) In-Reply-To: <216000312.1078429302@[192.168.1.103]> References: <216000312.1078429302@[192.168.1.103]> Message-ID: <1078472718.16713.36.camel@bach.kevinspicer.co.uk> On Fri, 2004-03-05 at 00:41, Brett Rabideau wrote: >I'm coming into the middle of this conversation, You certainly are - this was just an extension of Julians thread asking for translations of two strings to various languages. Martin Sapsed had already replied with the translation, but that led to a question about Welsh vs. English. No-one needs anything translated (well, except Julian, but he got his), we were just chatting (in a completely off-topic way!) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Fri Mar 5 07:54:42 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:05 2006 Subject: sweep options In-Reply-To: <200435125017.939929@bensil> References: <200435125017.939929@bensil> Message-ID: <1078473283.16687.40.camel@bach.kevinspicer.co.uk> On Fri, 2004-03-05 at 04:50, Ben wrote: > On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote: > > Please ensure you install Sophos using my Sophos.install script as > > instructed in the docs, and not Sophos's own installation script. > > > > You mean this doc? > > http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml No, that's to install the SAVI module (which is well worth it - but you still need a Sophos installation). Completely uninstall Sophos (by removing the files etc. it drops in) Unzip/untar the sophos package run Sophos.install as root (this should be in your PATH) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From raymond at PROLOCATION.NET Fri Mar 5 07:58:08 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:05 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> Message-ID: Hi! > > perl -MCPAN -e shell > > install Mail::ClamAV > > > > This is mentioned more than once, please look in the archives and F.A.Q. > > also. > > > In my case I do have Mail::ClamAV > > % perlmodver Mail::ClamAV > Mail::ClamAV : 0.06 > > How come the emails in mqueue.in are not being processed :-( You also have the normal Clam package installed, besides the Mail::ClamAV stuff ? Without logs or anything this is just a shot in the dark, you have to provide a little more info. Bye, Raymond. From raymond at PROLOCATION.NET Fri Mar 5 08:03:10 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:05 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <200403050803.31802.linux@mostert.nom.za> Message-ID: Hi! > I seem to have the same problem. > I just disabled clamav and I am just using f-prot currently and still it seems > as though my messages aren't getting processed : > > ------------------------------------------------------- > New Batch: Found 3124 messages waiting > Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 > messages, 16145460 bytes > New Batch: Found 3152 messages waiting > Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 > messages, 14979600 bytes > ------------------------------------------------------- You might consider cutting down your batch size to 30 or 50, that will help you i think also... Bye, Raymond. From kevins at BMRB.CO.UK Fri Mar 5 08:05:03 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:05 2006 Subject: Calling all translators (Welsh) In-Reply-To: <1078472718.16713.36.camel@bach.kevinspicer.co.uk> References: <216000312.1078429302@[192.168.1.103]> <1078472718.16713.36.camel@bach.kevinspicer.co.uk> Message-ID: <1078473904.16687.48.camel@bach.kevinspicer.co.uk> Sorry, that message should have been off-list. I snipped most of the message I was replying to, so please don't take it out of context. Apologies to Brett. On Fri, 2004-03-05 at 07:45, Kevin Spicer wrote: > On Fri, 2004-03-05 at 00:41, Brett Rabideau wrote: > >I'm coming into the middle of this conversation, BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From david at PLATFORMHOSTING.COM Fri Mar 5 08:06:15 2004 From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:23:05 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <200403050803.31802.linux@mostert.nom.za> Message-ID: <200403050806.i2586FY28130@mx1.mailsecurity.net.au> > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Mozzi > Sent: Friday, 5 March 2004 5:04 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Emails in mqueue.in not being processed > > I seem to have the same problem. > I just disabled clamav and I am just using f-prot currently and still it > seems > as though my messages aren't getting processed : > > ------------------------------------------------------- > New Batch: Found 3124 messages waiting > Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 > messages, 16145460 bytes > New Batch: Found 3152 messages waiting > Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 > messages, 14979600 bytes > ------------------------------------------------------- > > And it just becomes more and more. > I run Red-Hat 7.3 > MailScanner 4.27.7-1 > ClamAV version 0.67-1 > F-PROT ANTIVIRUS > Program version: 4.3.5 > Engine version: 3.14.8 What is the hardware spec of your box? That is a heck of a large batch size. Dave ======================================================================== Pain free spam & virus protection by: www.mailsecurity.net.au Forward undetected SPAM to: spam@mailsecurity.net.au ======================================================================== From Q.G.Campbell at NEWCASTLE.AC.UK Fri Mar 5 08:25:26 2004 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:23:05 2006 Subject: Apparent MessageLabs disclaimer Message-ID: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk> >-----Original Message----- 
>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] >Sent: 03 March 2004 19:28 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: 4.28.4, works great! > > [snip] >Just another point that made me smile today, I happened to notice that >on the bottom of an automated signature from a company that pays $$$ to >Messagelabs they were stating: 'This message has been scanned by >Messagelabs for viruses, it should be noted that we can not scan >encrypted or password protected messages'. Looks like even the mighty >Messagelabs have not worked a fix yet!! > Drew I have been looking on the MessageLab site for confirmation of this but can find no acknowledgment from them that they are unable to deal with password-protected/encrypted archives in attachments. Can you provide further information and a copy of the disclaimer you received? Thanks Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From list at souil.com Fri Mar 5 08:31:14 2004 
From: list at souil.com (Ben) Date: Thu Jan 12 21:23:05 2006 Subject: sweep options In-Reply-To: <1078473283.16687.40.camel@bach.kevinspicer.co.uk> Message-ID: <200435163114.859109@bensil> On Fri, 5 Mar 2004 07:54:42 +0000, Kevin Spicer wrote: >On Fri, 2004-03-05 at 04:50, Ben wrote: >>On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote: >>>Please ensure you install Sophos using my Sophos.install script >>>as instructed in the docs, and not Sophos's own installation >>>script. >>You mean this doc? >>http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml >Completely uninstall Sophos (by removing the files etc. it drops >in) Unzip/untar the sophos package >run Sophos.install as root (this should be in your PATH) But Julian said "my Sophos.install script".... From Kevin.Spicer at BMRB.CO.UK Fri Mar 5 08:34:37 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:05 2006 Subject: sweep options Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B21@pascal.priv.bmrb.co.uk> Ben wrote: > On Fri, 5 Mar 2004 07:54:42 +0000, Kevin Spicer wrote: > >> On Fri, 2004-03-05 at 04:50, Ben wrote: >>> On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote: >>>> Please ensure you install Sophos using my Sophos.install script >>>> as instructed in the docs, and not Sophos's own installation >>>> script. >>> You mean this doc? >>> http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml >> Completely uninstall Sophos (by removing the files etc. it drops >> in) Unzip/untar the sophos package >> run Sophos.install as root (this should be in your PATH) > > But Julian said "my Sophos.install script".... Yes, but his Sophos.install script is installed when you install his MailScanner script etc. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From stefaans at POP.CO.ZA Fri Mar 5 08:47:18 2004
From: stefaans at POP.CO.ZA (Stefaans Mostert) Date: Thu Jan 12 21:23:05 2006 Subject: Processing mail Message-ID: <200403050847.i258lI01030187@newpop.posix.co.za> Hi all I subscribed again from another mail address so I can actually get my mail ;-) I will repost a message I sent earlier that I really need an answer on so please bear with me and accept my apologies in advance, I know it is considered bad netiquette I just disabled clamav and I am just using f-prot currently and still it seems as though my messages aren't getting processed : ------------------------------------------------------- New Batch: Found 3124 messages waiting Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 messages, 16145460 bytes New Batch: Found 3152 messages waiting Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 messages, 14979600 bytes ------------------------------------------------------- And it just becomes more and more. I run Red-Hat 7.3 MailScanner 4.27.7-1 ClamAV version 0.67-1 F-PROT ANTIVIRUS Program version: 4.3.5 Engine version: 3.14.8 I tried installing the clamav perl module but I get errors Since sending the original mail the queue has grown: Mar 5 10:45:26 ais-mail01 MailScanner[24881]: New Batch: Found 24900 messages waiting See my problem ? If I get a temp licence for kaspersky will it process faster? Any other ideas? Stefaans From raymond at PROLOCATION.NET Fri Mar 5 09:00:19 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:05 2006
Subject: Processing mail
In-Reply-To: <200403050847.i258lI01030187@newpop.posix.co.za>
Message-ID:

Hi!

> I will repost a message I sent earlier that I really need an answer on so
> please bear with me and accept my apologies in advance, I know it is
> considered bad netiquette
>
> I just disabled clamav and I am just using f-prot currently and still it
> seems
> as though my messages aren't getting processed :
>
> -------------------------------------------------------
> New Batch: Found 3124 messages waiting
> Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250
> messages, 16145460 bytes
> New Batch: Found 3152 messages waiting
> Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250
> messages, 14979600 bytes
> -------------------------------------------------------

First make your batch size smaller.
You can mail me private for some hands also.

Bye,
Raymond.

From JLM939 at HOTMAIL.COM Fri Mar 5 09:09:59 2004
From: JLM939 at HOTMAIL.COM (Justin)
Date: Thu Jan 12 21:23:05 2006
Subject: Upgrading Mailscanner
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D32@hart-exchange.hartwellcorp.com>
Message-ID:

> Boulytchev, Vasiliy wrote:
>> Ladies and Gents,
>> I see that MailScanner is installed, via rpm -qa | grep
>> mailscanner. The RPM that is in the system is mailscanner-4.24-5.
>> Certainly I am weary of just running your install.sh scripts. All I
>> want to do is upgrade to the new version... What is the default step
>> of doing so..... I see the noarch rpm included, however I would like
>> to hear from you.
>
> Why are you "weary" of it... it's one of the best I've ever seen for Unix.
> It checks to make sure all your Perl modules are in order before upgrading
> the RPM for you. Once the install is complete you can run the
> "upgrade_MailScanner_conf" script to finish everything off by upgrading your
> configuration file.

Cut the guy a break. I'm pretty sure he meant "wary" and not "weary." And
he is right to be wary of such things, particularly if it's not precisely
clear what the install script is going to do. It may be fine to just blindly
run it in MailScanner's case, but not always so with every install.sh script
you come across. He was probably just trying to be prudent.

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:08:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: sweep options
In-Reply-To: <200435125017.939929@bensil>
References: <6.0.1.1.2.20040304205205.0394c910@imap.ecs.soton.ac.uk> <200435125017.939929@bensil>
Message-ID: <6.0.1.1.2.20040305090712.03f80030@imap.ecs.soton.ac.uk>

At 04:50 05/03/2004, you wrote:
>On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote:
>
> >
> >> I am trying to
> >> verify that we are protected from the Bagle virus and I get the
> >> following error when running sweep
> >>
> >
> > Please ensure you install Sophos using my Sophos.install script as
> > instructed in the docs, and not Sophos's own installation script.
> >
>
>You mean this doc?
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml

No, that is for installing the Sophos SAVI module.
I meant the section from, for example, the "Installing using the Linux RPM
package" page which clearly says this:

Sophos

The second job is to install the Sophos anti-virus package. Assuming you
have this on CD, or have downloaded it from Sophos' web site, login as root
if you haven't already done so and change into the directory in which you
have a copy of it. This should either contain a file called
"linux.intel.libc6.tar.Z" or a directory "sav-install". Run the command

/usr/sbin/Sophos.install

and Sophos will be installed in /usr/local/Sophos for you. It will also
attempt to update your copy of Sophos to use all the latest virus identity
(.IDE) files from the Sophos web site.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 08:53:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: To allow HTML, Forms in emails
In-Reply-To: <20040305033023.M45774@etilizepak.com>
References: <20040305033023.M45774@etilizepak.com>
Message-ID: <6.0.1.1.2.20040305085317.036d1e50@imap.ecs.soton.ac.uk>

Please read the docs in MailScanner.conf. There is an "Allow Form Tags"
setting which you could have found simply by searching the file for "form".

At 03:37 05/03/2004, you wrote:
>Hi all,
>
>I am running MailScanner version 4.23-11. I am using the default configuration
>with the clamav antivirus. I want to allow the HTML Messages or HTML Forms in
>my emails, what should I comment in the configuration file to achieve this.
>
>Sincerely,
>
>shasan

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 08:57:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: Symlinks or no Symlinks (was: Re: W32/Bagle-Zip)
In-Reply-To: <4047B5A5.4CE3E99C@ucsc.edu>
References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca> <026901c40217$2233f3f0$0269a8c0@home> <6.0.1.1.2.20040304183838.0399db28@imap.ecs.soton.ac.uk> <4047B5A5.4CE3E99C@ucsc.edu>
Message-ID: <6.0.1.1.2.20040305085535.03dd3468@imap.ecs.soton.ac.uk>

At 23:03 04/03/2004, you wrote:
>Julian Field wrote:
> >
> > You almost certainly have your "Incoming Work Directory" set wrong. The
> > path set in there must be the absolute path to the directory, not a path
> > that follows any links. Yours should be set to
> > /home/spool/MailScanner/incoming
> > and I expect you have something like
> > /var/spool/MailScanner/incoming.
> >
>
>I see you say that every so often, and I wonder what the deal is on this
>one.
>
>For one, I use symlinks to my MailScanner work area because I have to
>(due to some local configuration issues), and yet I have no problems
>with doing so. I don't see any leaks, errors, etc. MailScanner seems
>to actually function fine with that situation.
>
>
>So, why must it be the absolute path? What is it that you think will
>break/happen if it's not the absolute path? And, since it's perl, and
>perl can break open symlinks to see where they go, why not have some
>routine find the real path if it's that important, allowing the runtime
>environment to be absolute while also allowing the system administration
>model to be flexible?

The output of some virus scanners (notably McAfee for an example) contains
the full path to the files it scanned, not just the relative path from
where you are doing the scan. The path they generate often includes the real
full path not just what the shell considers to be the current directory. So
to match it in the output, MailScanner has to know the absolute path it is
looking for.
>(and, are there likely to be problems that I'm just not seeing in my
>results? invisible gotchas and such? it really seems like "it works
>even though Julian says it won't", which DOES make me wonder about future
>support for it, but for now it works)

It matters for some virus scanners and not others.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:06:10 2004
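[Added example, not part of the original thread and not MailScanner's own code.] The sketch below illustrates the point made in the "Symlinks or no Symlinks" reply above: a scanner report that prints the resolved path cannot be matched against a work directory configured through a symlink. The report line format, the message ID and the verdict text are constructed for illustration; the two directory names are the ones quoted in the thread, recreated under a temporary directory.

```python
import os
import shutil
import tempfile

MSG_ID = "i25AbCd012345"  # constructed queue ID, for illustration only


def check_work_dir(configured):
    """Return (ok, real_path).

    ok is True only when `configured` is already the absolute path with
    every symlink resolved, i.e. the form a scanner reporting real paths
    would print.
    """
    real_path = os.path.realpath(configured)
    ok = os.path.isabs(configured) and os.path.normpath(configured) == real_path
    return ok, real_path


def attribute_reports(report_lines, work_dir):
    """Attribute '<path>: <verdict>' report lines to messages.

    A path under work_dir is split into (message_id, filename, verdict).
    Anything that does not start with work_dir is returned as unmatched,
    which is how an infection report can go unattributed.
    """
    prefix = os.path.normpath(work_dir) + os.sep
    matched, unmatched = [], []
    for line in report_lines:
        path, sep, verdict = line.partition(": ")
        if sep and path.startswith(prefix):
            msg_id, _, filename = path[len(prefix):].partition(os.sep)
            matched.append((msg_id, filename, verdict))
        else:
            unmatched.append(line)
    return matched, unmatched


def demo():
    """Build home/spool (real) and var/spool (symlink) in a temp dir and
    compare matching against both spellings of the work directory."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="ms-demo-"))
    try:
        real_dir = os.path.join(base, "home", "spool", "MailScanner", "incoming")
        os.makedirs(os.path.join(real_dir, MSG_ID))
        os.makedirs(os.path.join(base, "var"))
        os.symlink(os.path.join(base, "home", "spool"),
                   os.path.join(base, "var", "spool"))
        linked_dir = os.path.join(base, "var", "spool", "MailScanner", "incoming")

        # Constructed report line: the scanner prints the resolved path.
        report = [os.path.join(real_dir, MSG_ID, "price.zip")
                  + ": Found the CONSTRUCTED-TEST virus"]

        return {
            "real_dir": real_dir,
            "linked_check": check_work_dir(linked_dir),
            "real_check": check_work_dir(real_dir),
            "linked_match": attribute_reports(report, linked_dir),
            "real_match": attribute_reports(report, real_dir),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Running check_work_dir() against the value configured for "Incoming Work Directory" shows whether it would need replacing with the resolved path.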
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: No subject
In-Reply-To: <20043512755.857363@bensil>
References: <20043512755.857363@bensil>
Message-ID: <6.0.1.1.2.20040305090254.03fb5218@imap.ecs.soton.ac.uk>

At 04:07 05/03/2004, you wrote:
>Dear Julian,
>
>But i am previously use the Windows MDAEMON mail server with internal
>integrated spamassassin engine. Two things that i don't see in MS are:
>1. spam score can be placed in the subject.

Yes it can. From MailScanner.conf:

# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# The exact string "_SCORE_" will be replaced by the numeric
# SpamAssassin score.
# This can also be the filename of a ruleset.
Spam Subject Text = {Spam? _SCORE_}

>2. spam rules description can be placed beside the rules name in the mail
>headers.

Most people don't want this amount of detail (or the loss of speed that
results from modifying every message body), so I chose to only include the
rule names and scores, and not the long descriptions.

>For the first point, people with lots of spams can easily filter out some
>high score that are not yet qualified for the settings in the mail gateway.
>
>For the 2nd point, my customers want to be more clear about how the rules
>are running and sometimes can make more suggestions for tuning the
>spamassassin. Since i am running with many different domains and different
>users. They all want different settings.

You can specify different settings for any arbitrary groups of domains or
users as you choose. See the docs about rulesets.

>How is this 2 possibility to be added to MS ? That would be great!
>
>Example:
>----------------
>Subject: ***SPAM*** Score/Req: 09.73/05.00 lackluster carroll
>
>X-Spam-Flag: YES
>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)
>X-Spam-Report:
> * 1.5 MORTGAGE_PITCH BODY: Looks like mortgage pitch
> * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain
> * 3.0 SUSPICIOUS_RECIPS Similar addresses in recipient list
> * 4.3 SORTED_RECIPS Recipient list is sorted by address
>X-Spam-Status: Yes, hits=9.7 required=5.0 tests=BIZ_TLD,HTML_MESSAGE,
> MIME_HTML_ONLY,MORTGAGE_PITCH,SORTED_RECIPS,SUSPICIOUS_RECIPS
> autolearn=no version=2.63
>X-Spam-Level: *********
>X-Spam-Processed: xxxxxxxxxxnet, Fri, 05 Mar 2004 12:05:32 +0800
>
>-------------------------------------------
>
>
>
>
>Date: Thu, 1 May 2003 16:53:52 +0100
> >Sender: MailScanner mailing list
> >From: Julian Field
> >Not sure if this has been addressed before, but I was wondering is it
> >possible to put the spamassassin score in the subject line of tagged
> >e-mail?
> >
> >e.g.
> >
> >{SPAM? email score=4.1}...
>
> >No it isn't I'm afraid. But the "SpamScore" header lets you indicate the
> >spam score in a way that can be filtered automatically by email applications

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:09:47 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: QMAIL Support
In-Reply-To: <6.0.1.1.0.20040305093638.01ef3660@mail.eol.com.er>
References: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> <200403050803.31802.linux@mostert.nom.za> <6.0.1.1.0.20040305093638.01ef3660@mail.eol.com.er>
Message-ID: <6.0.1.1.2.20040305090926.03f7fb10@imap.ecs.soton.ac.uk>

At 06:39 05/03/2004, you wrote:
>Dear All,
>
>The change logs for sometime now (since 4.27.x) have been talking about
>QMAIL Support. Does this mean MailScanner will work with the QMAIL
>MTA?

Yes.

> If so, has anybody tried it?

Yes.

> And where do we get the qmail_queue.zip
>file that is mentioned in the change logs?

Contact the folks at opencomputing.sourceforge.net.

>Any help would be much appreciated.
>
>Regards,
>
>Yohannes Gebrehiwet,
>Operations Director,
>Ewan Technology Solutions Inc.,
>Saba Building, 2nd Floor,
>Warsay Street,
>Asmara, ERITREA.
>Tel: +291 1 183040
>Fax: +291 1 183042

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:00:03 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:05 2006
Subject: Best Antivirus Scanner
In-Reply-To: <6.0.1.1.2.20040305110502.02b98370@mail.tmisnet.com>
References: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI> <089601c401f1$caa7fed0$45a610ac@fleetone.com> <6.0.1.1.2.20040305110502.02b98370@mail.tmisnet.com>
Message-ID: <6.0.1.1.2.20040305085916.03fb5738@imap.ecs.soton.ac.uk>

Technically, any of them.
According to their sales people (and they might have improved the wording
of their licence too) the Mailserver version.

At 01:12 05/03/2004, you wrote:
>Hi.
>
>Looking at f-prot for BSD, which version is needed for MailScanner? Work
>station, file server, or Mailserver version?
>
>Thanks
>
>gib
>
>
>
>At 08:05 AM 3/4/2004 -0600, you wrote:
>>IMHO, f-prot. Their updates seems as fast as anyone else out there, and
>>their prices were cheaper than most of the others when we looked into them.
>>
>>
>>
>>Rob
>>
>>
>>From: Harnish, Joe
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Sent: Thursday, March 04, 2004 7:57 AM
>>Subject: Best Antivirus Scanner
>>
>>All,
>>
>>
>>
>>With recent issues with McAfee Antivirus, was wondering what AV tool you
>>think is the best and why.
>>
>>
>>
>>Thanks
>>
>>
>>
>>Joe
>
>
> Gib Gilbertson Jr.
> Tierramiga Info Systems
> 619-287-8647 Support
> http://www.tmisnet.com
> San Diego's "Friendly ISP"

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Fri Mar 5 09:14:07 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:05 2006
Subject: Apparent MessageLabs disclaimer
In-Reply-To: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk>
Message-ID: <404844DF.5080602@solid-state-logic.com>

Quentin

Given that they use most, if not all of the commercial scanners it
doesn't surprise me. Probably just covering themselves as they can't
guarantee to scan this stuff.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Quentin Campbell wrote:
>>-----Original Message-----
>>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
>>Sent: 03 March 2004 19:28
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: 4.28.4, works great!
>>
>>
>
> [snip]
>
>>Just another point that made me smile today, I happened to notice that
>>on the bottom of an automated signature from a company that pays $$$ to
>>Messagelabs they were stating: 'This message has been scanned by
>>Messagelabs for viruses, it should be noted that we can not scan
>>encrypted or password protected messages'. Looks like even the mighty
>>Messagelabs have not worked a fix yet!!
>>
>
>
> Drew
>
> I have been looking on the MessageLab site for confirmation of this but
> can find no acknowledgment from them that they are unable to deal with
> password-protected/encrypted archives in attachments.
>
> Can you provide further information and a copy of the disclaimer you
> received?
>
> Thanks
>
> Quentin
> ---
> PHONE: +44 191 222 8209 Information Systems and Services (ISS),
> University of Newcastle,
> Newcastle upon Tyne,
> FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
> ------------------------------------------------------------------------
> "Any opinion expressed above is mine. The University can get its own."
>

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From martinh at SOLID-STATE-LOGIC.COM Fri Mar 5 09:15:18 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:06 2006
Subject: Emails in mqueue.in not being processed
In-Reply-To:
References:
Message-ID: <40484526.2070405@solid-state-logic.com>

Chris

works fine when I run in debug mode, but not in 'real' mode....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Christopher Lyon wrote:
>>-----Original Message-----
>>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
>>Sent: Thursday, March 04, 2004 9:42 AM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Emails in mqueue.in not being processed
>>
>>Having similar issues with clamavmodule at the moment, try using clamav
>>on the
>
>
> You might want to check to see if you have the Mail-ClamAV module
> installed.
>
> Run this: perl -e "use Mail::ClamAV;"
>
> If you get an error, you need to install it. If you don't get anything,
> you are good.
>
> Also, try doing a ps aux to see if MailScanner is running.
>
>
>
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>>BG Mahesh wrote:
>>
>>>>>The following entries in MailScanner.conf were changed by me,
>>>>>
>>>>>Virus Scanners = clamavmodule
>>>>>Use SpamAssassin = yes
>>>>>Always Include SpamAssassin Report = yes
>>>>>High Scoring Spam Actions = delete
>>>>>Log Speed = yes
>>>>>Log Spam = yes
>>>>>SpamAssassin Local Rules Dir = /etc/mail/spamassassin
>>>>>Delivery Method = queue
>>>>>
>>>>>I looked into /var/log/maillog /var/log/messages, I don't see any error
>>>>>messages.
>>>>>What could I be doing wrong?
>>>>
>>>>Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner".
>>>>That will probably tell you what is wrong.
>>>>
>>>
>>>
>>>The only line which I find could be a problem is:
>>>
>>>debug: DCCifd is not available: no r/w dccifd socket found.
>>>
>>>The detailed debug message is here...I don't find anything wrong here.
>>>Not sure why emails in mqueue.in are not being processed :-(
>>
>>>debug: DCCifd is not available: no r/w dccifd socket found.
>>>debug: all '*From' addrs: raboas2004@netscape.net
>>>debug: all '*To' addrs: g.jalapathi@hyd.indiainfo.com films.feedback@team.indiainfo.com
>>>debug: DNS MX records found: 4
>>>debug: forged-HELO: from=speed.planet.nl helo=netscape520.com by=indiainfo.com
>>>debug: forged-HELO: mismatch on HELO: 'netscape520.com' != 'speed.planet.nl'
>>>debug: running meta tests; score so far=6.14
>>>debug: auto-learn? ham=0.1, spam=12, body-hits=1.908, head-hits=4.232
>>>debug: auto-learn: currently using scoreset 1. no need to recompute.
>>>debug: auto-learn? no: inside auto-learn thresholds
>>>debug: is spam? score=7.703 required=5 tests=FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MIME_BOUND_MANY_HEX,NIGERIAN_BODY1,SUBJ_ALL_CAPS,UNCLAIMED_MONEY
>>>debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
>>>debug: bayes: 21316 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
>>>debug: bayes: found bayes db version 2
>>>debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200
>>>debug: bayes: 21316 untie-ing
>>>debug: bayes: 21316 untie-ing db_toks
>>>debug: bayes: 21316 untie-ing db_seen
>>>debug: received-header: parsed as [ ip=209.66.67.196 rdns=m6.lagnernow.com helo=m6.lagnernow.com by=blr.indiainfo.com ident= ]
>>>debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237
>>>debug: received-header: relay 209.66.67.196 trusted? no
>>>debug: running header regexp tests; score so far=0
>>>debug: running body-text per-line regexp tests; score so far=0
>>>debug: running raw-body-text per-line regexp tests; score so far=4.608
>>>debug: running uri tests; score so far=4.608
>>>debug: uri tests: Done uriRE
>>>debug: running full-text regexp tests; score so far=4.608
>>>debug: DCCifd is not available: no r/w dccifd socket found.
>>>debug: all '*From' addrs: Lagnernow@the.lagnernow.com
>>>debug: all '*To' addrs: j.chan@team.indiainfo.com
>>>debug: is Net::DNS::Resolver available? yes
>>>debug: DNS MX records found: 1
>>>debug: forged-HELO: from=lagnernow.com helo=lagnernow.com by=indiainfo.com
>>>debug: running meta tests; score so far=7.918
>>>debug: auto-learn? ham=0.1, spam=12, body-hits=4.608, head-hits=3.31
>>>debug: auto-learn: currently using scoreset 1. no need to recompute.
>>>debug: auto-learn? no: inside auto-learn thresholds
>>>debug: is spam? score=7.918 required=5 tests=BANG_GUARANTEE,CLICK_BELOW,COMPLETELY_FREE,GUARANTEED_100_PERCENT,HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_LINK_CLICK_HERE,HTML_MESSAGE,HTML_TITLE_UNTITLED,HTML_WEB_BUGS,MSGID_FROM_MTA_SHORT
>>>debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
>>>debug: bayes: 21318 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
>>>debug: bayes: found bayes db version 2
>>>debug: bayes: Not available for scanning, only 2 spam(s) in Bayes DB < 200
>>>debug: bayes: 21318 untie-ing
>>>debug: bayes: 21318 untie-ing db_toks
>>>debug: bayes: 21318 untie-ing db_seen
>>>debug: received-header: parsed as [ ip=209.196.53.79 rdns=raza-web3-admin-o.custom.dellhost.com helo=razweb3.razacomm.com by=blr.indiainfo.com ident= ]
>>>debug: received-header: 'by' blr.indiainfo.com has public IP 203.200.50.237
>>>debug: received-header: relay 209.196.53.79 trusted? no
>>>debug: running header regexp tests; score so far=0
>>>debug: running body-text per-line regexp tests; score so far=0
>>>debug: running raw-body-text per-line regexp tests; score so far=0
>>>debug: running uri tests; score so far=0
>>>debug: uri tests: Done uriRE
>>>debug: running full-text regexp tests; score so far=0
>>>debug: DCCifd is not available: no r/w dccifd socket found.
>>>debug: all '*From' addrs: mina@razacomm.com
>>>debug: all '*To' addrs: srinath.iyer@team.indiainfo.com
>>>debug: is Net::DNS::Resolver available? yes
>>>debug: DNS MX records found: 1
>>>debug: forged-HELO: from=dellhost.com helo=razacomm.com by=indiainfo.com
>>>debug: forged-HELO: mismatch on HELO: 'razacomm.com' != 'dellhost.com'
>>>debug: running meta tests; score so far=0
>>>debug: auto-learn? ham=0.1, spam=12, body-hits=0, head-hits=0
>>>debug: auto-learn: currently using scoreset 1. no need to recompute.
>>>debug: auto-learn? yes, ham (0 < 0.1)
>>>debug: Learning Ham
>>>debug: uri tests: Done uriRE
>>>debug: lock: 21318 created /root/.spamassassin/bayes.lock.blr.indiainfo.com.21318
>>>debug: lock: 21318 trying to get lock on /root/.spamassassin/bayes with 0 retries
>>>debug: lock: 21318 link to /root/.spamassassin/bayes.lock: link ok
>>>debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_toks
>>>debug: bayes: 21318 tie-ing to DB file R/W /root/.spamassassin/bayes_seen
>>>debug: bayes: found bayes db version 2
>>>debug: tokenize: header tokens for *p = ""
>>>debug: tokenize: header tokens for *m = " 200403041204 AA329056476 razweb3 razacomm com "
>>>debug: tokenize: header tokens for Mime-Version = "1.0"
>>>debug: tokenize: header tokens for *c = "/plain; charset=us-ascii"
>>>debug: tokenize: header tokens for *F = "U*mina D*razacomm.com D*com"
>>>debug: tokenize: header tokens for *R = "U*mina D*razacomm.com D*com"
>>>debug: tokenize: header tokens for To = "U*srinath.iyer D*team.indiainfo.com D*indiainfo.com D*com"
>>>debug: tokenize: header tokens for *x = ""
>>>debug: tokenize: header tokens for *r = " razweb3.razacomm.com (raza-web3-admin-o.custom.dellhost.com [209.196.53]) by blr.indiainfo.com (8.12.10/8.12.10) ; "
>>>debug: bayes: Learned '200403041204.AA329056476@razweb3.razacomm.com'
>>>debug: bayes: 21318 untie-ing
>>>debug: bayes: 21318 untie-ing db_toks
>>>debug: bayes: 21318 untie-ing db_seen
>>>debug: bayes: files locked, now unlocking lock
>>>debug: unlock: 21318 unlink /root/.spamassassin/bayes.lock
>>>debug: bayes: 21318 untie-ing
>>>debug: is spam? score=0 required=5 tests=
>>>Stopping now as you are debugging me.
>>>
>>>
>>>
>>>--
>>>B.G. Mahesh
>>>bg.mahesh@indiainfo.com
>>>http://www.indiainfo.com/
>>>
>>>--
>>>______________________________________________
>>>IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
>>>Check out our value-added Premium features, such as an extra 20MB for
>>>mail storage, POP3, e-mail forwarding, and ads-free mailboxes!
>>
>>>Powered by Outblaze
>>
>>
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept
>>for the presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:24:17 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: sweep options
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B21@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B21@pascal.priv.bmrb.co.uk>
Message-ID: <6.0.1.1.2.20040305092304.03fa4688@imap.ecs.soton.ac.uk>

At 08:34 05/03/2004, you wrote:
>Ben wrote:
> > On Fri, 5 Mar 2004 07:54:42 +0000, Kevin Spicer wrote:
> >
> >> On Fri, 2004-03-05 at 04:50, Ben wrote:
> >>> On Thu, 4 Mar 2004 20:53:21 +0000, Julian Field wrote:
> >>>> Please ensure you install Sophos using my Sophos.install script
> >>>> as instructed in the docs, and not Sophos's own installation
> >>>> script.
> >>> You mean this doc?
> >>> http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml
> >> Completely uninstall Sophos (by removing the files etc. it drops
> >> in) Unzip/untar the sophos package
> >> run Sophos.install as root (this should be in your PATH)
> >
> > But Julian said "my Sophos.install script"....
>
>Yes, but his Sophos.install script is installed when you install his
>MailScanner script etc.

The Sophos.install script should now have a darned good go at uncompressing
the Sophos distribution before un-taring it. It tries to run uncompress
then gunzip then /usr/local/bin/gunzip on it. Only if they all fail will
you have to uncompress it yourself.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 09:25:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: Apparent MessageLabs disclaimer
In-Reply-To: <404844DF.5080602@solid-state-logic.com>
References: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk> <404844DF.5080602@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040305092437.03fb5d38@imap.ecs.soton.ac.uk>

They use McAfee, one other commercial one which changes every now and then,
and their own in-house "Skeptic" scanner. And all their spam detection is
based around SpamAssassin.

At 09:14 05/03/2004, you wrote:
>Quentin
>
>Given that they use most, if not all of the commercial scanners it
>doesn't surprise me. Probably just covering themselves as they can't
>guarantee to scan this stuff.
>
>
>--
>Martin Hepworth
>Snr Systems Administrator
>Solid State Logic
>Tel: +44 (0)1865 842300
>
>
>Quentin Campbell wrote:
>>>-----Original Message-----
>>>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
>>>Sent: 03 March 2004 19:28
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: 4.28.4, works great!
>>
>>[snip]
>>
>>>Just another point that made me smile today, I happened to notice that
>>>on the bottom of an automated signature from a company that pays $$$ to
>>>Messagelabs they were stating: 'This message has been scanned by
>>>Messagelabs for viruses, it should be noted that we can not scan
>>>encrypted or password protected messages'. Looks like even the mighty
>>>Messagelabs have not worked a fix yet!!
>>
>>
>>Drew
>>
>>I have been looking on the MessageLab site for confirmation of this but
>>can find no acknowledgment from them that they are unable to deal with
>>password-protected/encrypted archives in attachments.
>>
>>Can you provide further information and a copy of the disclaimer you
>>received?
>>
>>Thanks
>>
>>Quentin
>>---
>>PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>> University of Newcastle,
>> Newcastle upon Tyne,
>>FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>>------------------------------------------------------------------------
>>"Any opinion expressed above is mine. The University can get its own."
>
>**********************************************************************
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote confirms that this email message has been swept
>for the presence of computer viruses and is believed to be clean.
>
>**********************************************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From JLM939 at HOTMAIL.COM Fri Mar 5 09:40:10 2004
From: JLM939 at HOTMAIL.COM (Justin)
Date: Thu Jan 12 21:23:06 2006
Subject: Calling all translators (Japanese)
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID:

> It's translation time again. I would like you all to translate these
> strings into your language of choice. They are used when unreadable or
> protected archives and zip files are found.
>
> Message contained archive which could not be read

圧縮した添付ファイルは読めませんでした。

> Message contained password-protected archive

圧縮した添付ファイルは暗号化されています。

Hope this helps. :)

Justin

From drew at THEMARSHALLS.CO.UK Fri Mar 5 09:43:29 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:06 2006
Subject: Apparent MessageLabs disclaimer
In-Reply-To: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk>
References: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk>
Message-ID: <14682.194.70.180.170.1078479809.squirrel@net.themarshalls.co.uk>

-- Quentin Campbell said:
>>-----Original Message-----
>>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
>>Sent: 03 March 2004 19:28
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: 4.28.4, works great!
>>
>>
> [snip]
>>Just another point that made me smile today, I happened to notice that
>>on the bottom of an automated signature from a company that pays $$$ to
>>Messagelabs they were stating: 'This message has been scanned by
>>Messagelabs for viruses, it should be noted that we can not scan
>>encrypted or password protected messages'. Looks like even the mighty
>>Messagelabs have not worked a fix yet!!
>>
>
> Drew
>
> I have been looking on the MessageLab site for confirmation of this but
> can find no acknowledgment from them that they are unable to deal with
> password-protected/encrypted archives in attachments.
>
> Can you provide further information and a copy of the disclaimer you
> received?
>
> Thanks
>
> Quentin

Quentin

Please see attached. I'm afraid it was given to me by my MD in printed
format, which I have scanned, well actually via my fax to email gateway,
as the scanner's just died :-( , and attached the disclaimer (Sorry the
rest of the message was quite sensitive!).

The message was sent via BT using the BT's 'partnership' agreement with
Messagelabs (Just means that the customer pays twice, once for Messagelabs
and once for BT's margin!)

Hope this helps

Drew

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

www.themarshalls.co.uk/policy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: B0035262.TIF
Type: application/octet-stream
Size: 15627 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040305/ae0c51aa/B0035262.obj

From dee at ASYOUNEED.COM Fri Mar 5 09:46:53 2004
From: dee at ASYOUNEED.COM (Dee Lowndes) Date: Thu Jan 12 21:23:06 2006 Subject: Porn ruleset In-Reply-To: <6.0.1.1.2.20040305092437.03fb5d38@imap.ecs.soton.ac.uk> Message-ID: <000b01c40296$ca3027c0$0201a8c0@lappy> Hi all, I am getting some porn spam coming through anyone got a good ruleset for this? Dee From martinh at SOLID-STATE-LOGIC.COM Fri Mar 5 09:50:42 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:23:06 2006 Subject: Processing mail In-Reply-To: <200403050847.i258lI01030187@newpop.posix.co.za> References: <200403050847.i258lI01030187@newpop.posix.co.za> Message-ID: <40484D72.1030209@solid-state-logic.com> Stefaans reduce the batch size down to 20 - 250 is very very big... what errors do you get on installing the Mail::Clamav perl module? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Stefaans Mostert wrote: > Hi all > > I subscribed again from another mail address so I can actually get my mail > ;-) > I will repost a message I sent earlier that I really need an answer on so > please bear with me and accept my apologies in advance, I know it is > considered bad netiquette > > I just disabled clamav and I am just using f-prot currently and still it > seems > as though my messages aren't getting processed : > > ------------------------------------------------------- > New Batch: Found 3124 messages waiting > Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 > messages, 16145460 bytes > New Batch: Found 3152 messages waiting > Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 > messages, 14979600 bytes > ------------------------------------------------------- > > And it just becomes more and more. > I run Red-Hat 7.3 > MailScanner 4.27.7-1 > ClamAV version 0.67-1 > F-PROT ANTIVIRUS > Program version: 4.3.5 > Engine version: 3.14.8 > > I tried installing the clamav perl module but I get errors > Since sending the original mail the queue has grown: > Mar 5 10:45:26 ais-mail01 MailScanner[24881]: New Batch: Found 24900 > messages waiting > > See my problem ? > > If I get a temp licence for kaspersky will it process faster? Any other > ideas? 
> > > Stefaans ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From drew at THEMARSHALLS.CO.UK Fri Mar 5 09:51:24 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:23:06 2006 Subject: Apparent MessageLabs disclaimer In-Reply-To: <404844DF.5080602@solid-state-logic.com> References: <74BC2BBF06470148911E64E2B48FE139A39D62@pinewood.ncl.ac.uk> <404844DF.5080602@solid-state-logic.com> Message-ID: <15239.194.70.180.170.1078480284.squirrel@net.themarshalls.co.uk> I've attached a copy for the records. It was actually processed via BT's partnership with Messagelabs as can be seen. Sorry it is a graphic but I was passed the message in printed form by one of my directors (Who doesn't quite live in a paperless society!). Sorry I had to obscure the rest, as it was quite sensitive ;-) and yes, my scanner has broken so it's from my fax to email server. Drew Martin Hepworth said: > Quentin > > Given that they use most, if not all of the commercial scanners it > doesn't surprise me. Probably just covering themselves as they can't > guarantee to scan this stuff. > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Quentin Campbell wrote: >>>-----Original Message----- 
>>>From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK] >>>Sent: 03 March 2004 19:28 >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Re: 4.28.4, works great! >>> >>> >> >> [snip] >> >>>Just another point that made me smile today, I happened to notice that >>>on the bottom of an automated signature from a company that pays $$$ to >>>Messagelabs they were stating: 'This message has been scanned by >>>Messagelabs for viruses, it should be noted that we can not scan >>>encrypted or password protected messages'. Looks like even the mighty >>>Messagelabs have not worked a fix yet!! >>> >> >> >> Drew >> >> I have been looking on the MessageLab site for confirmation of this but >> can find no acknowledgment from them that they are unable to deal with >> password-protected/encrypted archives in attachments. >> >> Can you provide further information and a copy of the disclaimer you >> received? >> >> Thanks >> >> Quentin >> --- >> PHONE: +44 191 222 8209 Information Systems and Services (ISS), >> University of Newcastle, >> Newcastle upon Tyne, >> FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >> ------------------------------------------------------------------------ >> "Any opinion expressed above is mine. The University can get its own." >> > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy -------------- next part -------------- A non-text attachment was scrubbed... Name: B0035262.TIF Type: application/octet-stream Size: 15627 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040305/3994c4ba/B0035262.obj From m.sapsed at BANGOR.AC.UK Fri Mar 5 09:59:21 2004 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:23:06 2006 Subject: Calling all translators (Welsh) References: <001BD19C96E6E64E8750D72C2EA0ECEE2B8705@ati-ex-01.ati.local> <000c01c40229$dfd83620$8266a8c0@MKBOWMAN2> <1078433896.16713.13.camel@bach.kevinspicer.co.uk> Message-ID: <40484F79.4030002@bangor.ac.uk> Didn't I get a surprise this morning finding that my translations had sparked a thread!!! Sorry I'm a bit late joining in but I usually get a life in the evenings! ;-) Kevin Spicer wrote: > On Thu, 2004-03-04 at 20:47, Matthew K Bowman wrote: > >>Welsh is a form of Gaelic still spoken in Wales but English is their first >>language. Sorry - you're wrong there. There is a substantial proportion of the population of Gwynedd for whom Welsh is their first language, and while most can get by in English, they much prefer to use Welsh. > I think only a few hundred can't speak English in North Wales. I'm not sure of the numbers. I certainly recall being shown around a house we were interested in buying by the lady of the house who had considerable difficulty remembering the English for various aspects of the house - cooker was one I think. > You're now wondering why we need a Welsh translation if there's only a > couple of hundred people don't speak English? The answer is fairly > simple - regulations! Government bodies etc. are required to be able to > communicate with Welsh speakers in Welsh. If you visit Wales you'll > find that all the road signs are dual language too. The University of Wales, Bangor in North West Wales (where I work) has an official bilingual policy. All official documents must be produced in both languages. Hence, when we adopted MailScanner we produced bilingual versions of all the reports etc - they're in the cy+en folder if you're interested. Students at the University have the right to submit assignments in English or Welsh as they choose and a number of the courses are taught using the Welsh language. 
The majority of schools in Gwynedd (the county occupying the North west corner of Wales) operate primarily in Welsh. The local council is also fully bilingual as is the Anglican church. Even mighty Microsoft are producing Welsh language packs for Windows XP and Office 2003 in response to the growing availability of Welsh in Open source packages. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Fri Mar 5 10:04:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: ANNOUNCE: Stable 4.28.5 released Message-ID: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> Well, the problems have settled down, and most of the AV vendors can now spot the password-protected zip files, though it has taken them some considerable time to do so. However, the next time around this is all going to be a problem again. So here is the stable release that will detect and block password-protected zip files for you. It also unpacks them (down to a configurable maximum nesting depth) and allows you to run filename and file content checks on the files in the archive, so the old "put it in a zip and it won't be checked" is no longer true. Also, renaming executables won't get round it either, if you are using the file content checking abilities. Download it as usual from www.mailscanner.info. Note for people upgrading: ===================== you will need to run the "./install.sh" script as 2 new Perl modules need to be installed (Compress::Zlib and Archive::Zip for those interested in such things). The full Changelog is here: * New Features and Improvements * - It will now unpack zip archives up to the nesting depth set by the "Maximum Zip Archive Depth" setting so that virus scanning and filename checking can be done on files within zip archives. NOTE: This has not been very well tested yet, I hope to do something rather better in future. NOTE: You will need to install the "Archive::Zip" Perl module yourself before this version will run. - It will now detect password-protected zip files, which is controlled by the option "Allow Password-Protected Archives". The default is to block them. - Have now rewritten most of the password-protected zip handling code. There is a new keyword allowed in the Silent-Viruses list which is "Zip-Password". This will stop password-protected zip files being notified to the senders. Please add this to your Silent Viruses list. 
Now should only remove the infected part of the message and leave the rest intact when it sees a zip file it doesn't like. - Setting the maximum archive nesting depth to 0 while banning password- protected zip files will result in the attachments being checked to ensure they are not password-protected, while not enforcing any other file rules on the contents. - Improved the MIME decoder speed a little bit. - The keyword "Zip-Password" can be added to the list of Non-Forging Viruses so that it over-rides the "All-Viruses" setting in the list of Silent Viruses. - The Compress::Zlib and Archive::Zip Perl modules are now installed as part of the RPM distributions. - Reports about password-protected archives and unreadable archives can now be customised and translated. - More logging added to ClamAV autoupdate script. - Timeout protection added to Symantec CSS autoupdate script. - Sophos.install script now has a much better try at uncompressing the .Z archive you download from Sophos. * Fixes * - Fixed problems with messages containing both password-protected zip files and unprotected zip files. - Won't reject .tar.gz and .tgz files it can't unpack. - Password-protected zip files can no longer be "disinfected", just "cleaned". - Password-protected zip files now tagged as dangerous content and not a virus. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 10:09:45 2004 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:23:06 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200403051009.i25A9j45025303@seer.ecs.soton.ac.uk> New Guestbook-Entry from John MailScaner rulezzzzzzzzzz))))))))))))) From mailscanner at SMITS.CO.UK Fri Mar 5 10:52:54 2004 
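An added example, not MailScanner's own code (which is Perl and uses Archive::Zip): a Python sketch of the checks the 4.28.5 announcement above describes, reading the ZIP "encrypted" flag on each entry and unpacking nested zips down to a maximum depth. The function names, the suffix list, the size cap and the "nesting exceeds maximum depth" finding are assumptions made for this example; the sample archives are constructed in memory.

```python
import io
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001                      # general-purpose flag bit 0: entry is encrypted
MAX_MEMBER_BYTES = 10 * 1024 * 1024          # assumption: never inflate members larger than this
BANNED_SUFFIXES = (".exe", ".pif", ".scr")   # constructed stand-in for filename rules


def scan_zip(data, max_depth=2, allow_password=False, level=1, path="attachment.zip"):
    """Return (member path, reason) findings for one zip attachment.

    max_depth=0 only checks the attachment itself for password protection;
    otherwise filename rules apply and nested zips are opened while
    level < max_depth.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "archive could not be read")]
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            if encrypted and not allow_password:
                findings.append((member, "password-protected archive"))
            if max_depth == 0:
                continue                      # password check only, no file rules
            # Member names are stored in clear even when the data is encrypted.
            if info.filename.lower().endswith(BANNED_SUFFIXES):
                findings.append((member, "banned filename"))
            if encrypted or info.is_dir():
                continue                      # ciphertext or directory: nothing to unpack
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "member too large to unpack"))
                continue
            try:
                body = zf.read(info)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError, zlib.error):
                findings.append((member, "archive could not be read"))
                continue
            if zipfile.is_zipfile(io.BytesIO(body)):
                if level >= max_depth:
                    findings.append((member, "nesting exceeds maximum depth"))
                else:
                    findings.extend(
                        scan_zip(body, max_depth, allow_password, level + 1, member))
    return findings


def make_sample_zip(members, encrypted=False):
    """Build a constructed sample zip from {name: bytes}.

    With encrypted=True the encrypted flag is set in every local and central
    header; the data is not really enciphered, which is enough for a scanner
    that only inspects headers. Use plain bodies with this option.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits at offset 6 in a local header, offset 8 in a central one.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + offset] |= ENCRYPTED_FLAG
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    locked = make_sample_zip({"details.txt": b"x" * 16}, encrypted=True)
    nested = make_sample_zip({"inner.zip": locked, "notes.txt": b"ok"})
    for depth in (0, 1, 2):
        print(depth, scan_zip(nested, max_depth=depth))
```
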
From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:23:06 2006 Subject: McAfee PROBLEM !!! (solved) Message-ID: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip. This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now. Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file' since the only point in sending an encrypted file and its key in the same message is to bypass automated scanning. Bart... -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rabellino Sergio Posted At: 04 March 2004 09:05 Posted To: MailScanner Conversation: McAfee PROBLEM !!! (solved) Subject: Re: McAfee PROBLEM !!! (solved) Denis Beauchemin wrote: > On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote: > >>Denis Beauchemin wrote: >> >>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: >>> >>> >>>>Many infected password-protected zip files passed through our McAfee >>>>AV (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since >>>>midnight. >>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote: >>>> >>>> >>>>>Good Question, Does DAT 4332 fix it, my understanding was that it >>>>>handled the unzipping and so forth, and MailScanner interpreted the >>>>>response, I'm looking for confirmation, I'm running an older >>>>>version of MailScanner (4.25-14 I believe), I hate to upgrade >>>>>unless it's necessary. >>> >>> >>>I've taken a look at the Bagle.j detected so far and none were in a >>>zip file (all were plain pif files). >>> >>>So I'd say 4332 is definitely not catching any password-protected Bagle! >>> >>>Denis >> >>As Bagle encrypts the virus itself in the zip with a random password, >>how can McAfee (or any other antivirus) catch a virus encrypted in >>999999 different forms ? (the password is 6 integer digits) > > > Sergio, > > They can't unzip the file but they can compare its size and some > checksum they computed on infected zip files. > But if the file is encrypted, the checksums and lengths change as the key used changes, also the filename used inside the zip could be changed randomly (if Bagle does not do this now, the next variant will....) so the complexity remains unchanged, a different zip file for every key used.... The only solution is to ban the encrypted zip files. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. 
+39-011751603 From shrek-m at GMX.DE Fri Mar 5 11:01:34 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> Message-ID: <40485E0E.8080101@gmx.de> Julian Field wrote: > [...] NOTE: You will need to install the "Archive::Zip" Perl module > yourself > before this version will run. > [...] > - The Compress::Zlib and Archive::Zip Perl modules are now installed > as part > of the RPM distributions. is it possible to provide a working archive::zip ? ( yes i know, i could install via # perl -MCPAN -e shell "install Archive::Zip" ) # cat /etc/fedora-release ; rhn-applet-tui Fedora Core release 1 (Yarrow) Ignoring No package updates are needed. # ./install.sh error while compilation archive::zip always reproducible # rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm [........] inux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/src/redhat/BUILD/Archive-Zip-1.09/blib/lib/Archive/Zip.pm line 24. BEGIN failed--compilation aborted at /usr/src/redhat/BUILD/Archive-Zip-1.09/blib/lib/Archive/Zip.pm line 24. Compilation failed in require at t/testUpdate.t line 11. BEGIN failed--compilation aborted at t/testUpdate.t line 11. 
t/testUpdate........dubious Test returned status 2 (wstat 512, 0x200) FAILED--5 test scripts could be run, alas--no output ever seen make: *** [test_dynamic] Error 2 Fehler: Bad exit status from /var/tmp/rpm-tmp.91618 (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.91618 (%build) # service MailScanner start Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi /usr/lib/MailScanner/5.8.3 [...] /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] -- shrek-m From mike-sender-1ed4e7 at zanker.org Fri Mar 5 10:52:12 2004 From: mike-sender-1ed4e7 at zanker.org (Mike Zanker) Date: Thu Jan 12 21:23:06 2006 Subject: Porn ruleset In-Reply-To: <000b01c40296$ca3027c0$0201a8c0@lappy> References: <000b01c40296$ca3027c0$0201a8c0@lappy> Message-ID: <853276921.1078483932@mallard.open.ac.uk> On 05 March 2004 09:46 +0000 Dee Lowndes wrote: > I am getting some porn spam coming through anyone got a good > ruleset for this? Please don't start a new thread by replying to someone else's message - it breaks threading for those MUAs which support it. This is not a MailScanner issue - you should direct such queries to the SpamAssassin users mailing list. Mike. From rabellino at DI.UNITO.IT Fri Mar 5 11:09:14 2004 
From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:23:06 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> References: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> Message-ID: <40485FDA.9080104@di.unito.it> MailScanner wrote: > MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip. > I didn't know this, obviously the heuristics used in the password search can be overridden by a quoting of the password (as an example...) > This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now. > Or simply return an error if the zip could not be scanned inside ? > Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file' since the only point in sending an encrypted file and its key in the same message is to bypass automated scanning. > > Bart... Sure. you're right! > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rabellino Sergio > Posted At: 04 March 2004 09:05 > Posted To: MailScanner > Conversation: McAfee PROBLEM !!! (solved) > Subject: Re: McAfee PROBLEM !!! (solved) > > > Denis Beauchemin wrote: > >>On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote: >> >> >>>Denis Beauchemin wrote: >>> >>> >>>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: >>>> >>>> >>>> >>>>>Many infected password-protected zip files passed through our McAfee >>>>>AV (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since >>>>>midnight. >>>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote: >>>>> >>>>> >>>>> >>>>>>Good Question, Does DAT 4332 fix it, my understanding was that it >>>>>>handled the unzipping and so forth, and MailScanner interpreted the >>>>>>response, I'm looking for confirmation, I'm running an older >>>>>>version of MailScanner (4.25-14 I believe), I hate to upgrade >>>>>>unless it's necessary. >>>> >>>> >>>>I've taken a look at the Bagle.j detected so far and none were in a >>>>zip file (all were plain pif files). >>>> >>>>So I'd say 4332 is definitely not catching any password-protected Bagle! >>>> >>>>Denis >>> >>>As Bagle encrypts the virus itself in the zip with a random password, >>>how can McAfee (or any other antivirus) catch a virus encrypted in >>>999999 different forms ? (the password is 6 integer digits) >> >> >>Sergio, >> >>They can't unzip the file but they can compare its size and some >>checksum they computed on infected zip files. >> > > But if the file is encrypted, the checksums and lengths change as the key used changes, also the filename used inside the zip could be changed randomly (if Bagle does not do this now, the next variant will....) so the complexity remains unchanged, a different zip file for every key used.... > > The only solution is to ban the encrypted zip files. > -- > Dott. 
Sergio Rabellino > > Technical Staff > Department of Computer Science > University of Torino (Italy) > > http://www.di.unito.it/~rabser > Tel. +39-0116706701 > Fax. +39-011751603 > -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From eja at URBAKKEN.DK Fri Mar 5 10:53:14 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:06 2006 Subject: MailScanner-4.28.5-1 Message-ID: Hi. I just did set up the MailScanner-4.28.5-1, but it would not run ok according to the messages below: # service MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] >From root@urbakken.dk Fri Mar 5 11:04:10 2004 Return-Path: Delivered-To: admin@urbakken.dk Received: by gateway.urbakken.dk (Postfix, from userid 0) id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) 
From: root@urbakken.dk (Cron Daemon) To: admin@urbakken.dk Subject: Cron run-parts /etc/cron.hourly X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) /etc/cron.hourly/check_MailScanner: Starting MailScanner... Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5. 8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_per l/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Messa ge.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. -- Med venlig hilsen - Best regards Erik Jakobsen - eja@urbakken.dk From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:13:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <40485E0E.8080101@gmx.de> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> Message-ID: <6.0.1.1.2.20040305111346.03b5e968@imap.ecs.soton.ac.uk> What does your /etc/sysconfig/i18n file say? At 11:01 05/03/2004, you wrote: >Julian Field wrote: > >>[...] NOTE: You will need to install the "Archive::Zip" Perl module >>yourself >> before this version will run. >>[...] >>- The Compress::Zlib and Archive::Zip Perl modules are now installed >>as part >> of the RPM distributions. > > >is it possible to provide a working archive::zip ? >( yes i know, i could install via ># perl -MCPAN -e shell "install Archive::Zip" ) > > ># cat /etc/fedora-release ; rhn-applet-tui >Fedora Core release 1 (Yarrow) >Ignoring >No package updates are needed. > > > ># ./install.sh >error while compilation archive::zip > >always reproducible > > ># rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm >[........] >inux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 >/usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 >/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at >/usr/src/redhat/BUILD/Archive-Zip-1.09/blib/lib/Archive/Zip.pm line 24. >BEGIN failed--compilation aborted at >/usr/src/redhat/BUILD/Archive-Zip-1.09/blib/lib/Archive/Zip.pm line 24. >Compilation failed in require at t/testUpdate.t line 11. >BEGIN failed--compilation aborted at t/testUpdate.t line 11. 
>t/testUpdate........dubious > Test returned status 2 (wstat 512, 0x200) >FAILED--5 test scripts could be run, alas--no output ever seen >make: *** [test_dynamic] Error 2 >Fehler: Bad exit status from /var/tmp/rpm-tmp.91618 (%build) > > >RPM build errors: > Bad exit status from /var/tmp/rpm-tmp.91618 (%build) > > > > ># service MailScanner start >Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC >contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi >/usr/lib/MailScanner/5.8.3 >[...] >/usr/lib/MailScanner/5.8.3/i386-linux-thread-multi >/usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi >/usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 >/usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at >/usr/lib/MailScanner/MailScanner/Message.pm line 46. >BEGIN failed--compilation aborted at >/usr/lib/MailScanner/MailScanner/Message.pm line 46. >Compilation failed in require at /usr/sbin/MailScanner line 52. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] > > > > > >-- >shrek-m -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:17:15 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: References: Message-ID: <6.0.1.1.2.20040305111704.03b5baa0@imap.ecs.soton.ac.uk> Did you run the install.sh script? At 10:53 05/03/2004, you wrote: >Hi. > >I just did set up the MailScanner-4.28.5-1, but it would not run ok >according to the messages below: > > ># service MailScanner start >Starting MailScanner daemons: > incoming postfix: [ OK ] > outgoing postfix: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC >contains: /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >/usr/lib/MailScanner) >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >BEGIN failed--compilation aborted >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >Compilation failed in require at /usr/sbin/MailScanner line 52. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] > > > >From root@urbakken.dk Fri Mar 5 11:04:10 2004 >Return-Path: >Delivered-To: admin@urbakken.dk >Received: by gateway.urbakken.dk (Postfix, from userid 0) > id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) 
>From: root@urbakken.dk (Cron Daemon) >To: admin@urbakken.dk >Subject: Cron run-parts /etc/cron.hourly >X-Cron-Env: >X-Cron-Env: >X-Cron-Env: >X-Cron-Env: >X-Cron-Env: >Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> >Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) > >/etc/cron.hourly/check_MailScanner: > >Starting MailScanner... >Can't locate Archive/Zip.pm in @INC (@INC >contains: /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5. >8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 >/usr/lib/perl5/site_perl >/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/vendor_per >l/5.8.0 /usr/lib/perl5/vendor_perl >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >/usr/lib/MailScanner) >at /usr/lib/MailScanner/MailScanner/Messa >ge.pm line 46. >BEGIN failed--compilation aborted >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >Compilation failed in require at /usr/sbin/MailScanner line 52. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > > > >-- >Med venlig hilsen - Best regards >Erik Jakobsen - eja@urbakken.dk -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Fri Mar 5 11:15:34 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <40485E0E.8080101@gmx.de> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> Message-ID: <40486156.7060206@gmx.de> shrek-m@gmx.de wrote: > # service MailScanner start > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC > contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 > [...] > /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at > /usr/lib/MailScanner/MailScanner/Message.pm line 46. > BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/Message.pm line 46. > Compilation failed in require at /usr/sbin/MailScanner line 52. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] with mailscanner 4.27.7-1 all is ok # cd /path/to/oldMailscanner/ # rpm -Uvh --oldpackage mailscanner-4.27.7-1.noarch.rpm # mv MailScanner.conf-4.27.7-1-vorupdate MailScanner.conf # service MailScanner start Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: [ OK ] # service MailScanner status Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] -- shrek-m From prandal at HEREFORDSHIRE.GOV.UK Fri Mar 5 11:17:30 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:06 2006
Subject: Upgrading mailscanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D8@jessica.herefordshire.gov.uk>

> Install the new version in a directory that is numbered with
> the version,
> eg. /opt/MailScanner-4.27-14 or whatever. Copy over all your
> old reports to
> the new one, with the exception of languages.conf which you
> will have to
> diff the old one against the new one.
>
> Use upgrade_MailScanner_conf to upgrade the MailScanner.conf
> file. Copy
> over most of the rest of the files.
>
> Sorry it is such a manual job. :-(
> I need to do some work on this when I get a chance.
> --
> Julian Field

Julian,

MailScanner is one of the easiest bits of software to upgrade.

upgrade_mailscanner_conf kindly tells us which files may need manual attention.

When I upgraded to 4.28.5 from 4.28.4 the following files needed manual attention

/etc/MailScanner/reports/en/languages.conf
/usr/lib/MailScanner/MailScanner/CustomConfig.pm

A quick invocation of "diff" finds what's changed and makes the update easy.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:19:23 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
In-Reply-To: <40486156.7060206@gmx.de>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de>
Message-ID: <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk>

Did you run the ./install.sh like the installation guides tell you to?

At 11:15 05/03/2004, you wrote:
>shrek-m@gmx.de wrote:
>
>># service MailScanner start
>>Starting MailScanner daemons:
>> incoming sendmail: [ OK ]
>> outgoing sendmail: [ OK ]
>> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
>>contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi
>>/usr/lib/MailScanner/5.8.3
>>[...]
>>/usr/lib/MailScanner/5.8.3/i386-linux-thread-multi
>>/usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi
>>/usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1
>>/usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at
>>/usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>BEGIN failed--compilation aborted at
>>/usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>Compilation failed in require at /usr/sbin/MailScanner line 52.
>>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>> [ OK ]
>
>
>with mailscanner 4.27.7-1 all is ok
>
># cd /path/to/oldMailscanner/
># rpm -Uvh --oldpackage mailscanner-4.27.7-1.noarch.rpm
># mv MailScanner.conf-4.27.7-1-vorupdate MailScanner.conf
>
># service MailScanner start
>Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: [ OK ]
>
># service MailScanner status
>Checking MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
>
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Fri Mar 5 11:24:20 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
Message-ID:

On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field wrote:

>Did you run the install.sh script?

Yes I did.

>At 10:53 05/03/2004, you wrote:
>>Hi.
>>
>>I just did set up the MailScanner-4.28.5-1, but it would not run ok
>>according to the messages below:
>>
>>
>># service MailScanner start
>>Starting MailScanner daemons:
>> incoming postfix: [ OK ]
>> outgoing postfix: [ OK ]
>> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
>>contains: /usr/lib/MailScanner
>>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
>>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
>>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
>>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
>>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
>>/usr/lib/MailScanner)
>>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>BEGIN failed--compilation aborted
>>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>Compilation failed in require at /usr/sbin/MailScanner line 52.
>>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>> [ OK ]
>>
>>
>> >From root@urbakken.dk Fri Mar 5 11:04:10 2004
>>Return-Path:
>>Delivered-To: admin@urbakken.dk
>>Received: by gateway.urbakken.dk (Postfix, from userid 0)
>> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST)
>>From: root@urbakken.dk (Cron Daemon) >>To: admin@urbakken.dk >>Subject: Cron run-parts /etc/cron.hourly >>X-Cron-Env: >>X-Cron-Env: >>X-Cron-Env: >>X-Cron-Env: >>X-Cron-Env: >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) >> >>/etc/cron.hourly/check_MailScanner: >> >>Starting MailScanner... >>Can't locate Archive/Zip.pm in @INC (@INC >>contains: /usr/lib/MailScanner >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >>/usr/lib/perl5/site_perl/5. >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 >>/usr/lib/perl5/site_perl >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >>/usr/lib/perl5/vendor_per >>l/5.8.0 /usr/lib/perl5/vendor_perl >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >>/usr/lib/MailScanner) >>at /usr/lib/MailScanner/MailScanner/Messa >>ge.pm line 46. >>BEGIN failed--compilation aborted >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >>Compilation failed in require at /usr/sbin/MailScanner line 52. >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. >> >> >> >>-- >>Med venlig hilsen - Best regards >>Erik Jakobsen - eja@urbakken.dk > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:25:36 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040305112345.03b5e820@imap.ecs.soton.ac.uk>

At 11:24 05/03/2004, you wrote:
>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field
> wrote:
>
> >Did you run the install.sh script?
>
>Yes I did.

In which case what happened with it tried to build and install Archive::Zip?
And what does this say:
find /usr/lib/perl5 -type f -name Zip.pm -print
and
rpm -q perl-Archive-Zip
and
rpm -ql perl-Archive-Zip

> >At 10:53 05/03/2004, you wrote:
> >>Hi.
> >>
> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok
> >>according to the messages below:
> >>
> >>
> >># service MailScanner start
> >>Starting MailScanner daemons:
> >> incoming postfix: [ OK ]
> >> outgoing postfix: [ OK ]
> >> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
> >>contains: /usr/lib/MailScanner
> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
> >>/usr/lib/MailScanner)
> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> >>BEGIN failed--compilation aborted
> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> >>Compilation failed in require at /usr/sbin/MailScanner line 52.
> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
> >> [ OK ]
> >>
> >>
> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004
> >>Return-Path:
> >>Delivered-To: admin@urbakken.dk
> >>Received: by gateway.urbakken.dk (Postfix, from userid 0)
> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST)
> >>From: root@urbakken.dk (Cron Daemon) > >>To: admin@urbakken.dk > >>Subject: Cron run-parts /etc/cron.hourly > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> > >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) > >> > >>/etc/cron.hourly/check_MailScanner: > >> > >>Starting MailScanner... > >>Can't locate Archive/Zip.pm in @INC (@INC > >>contains: /usr/lib/MailScanner > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > >>/usr/lib/perl5/site_perl/5. > >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 > >>/usr/lib/perl5/site_perl > >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > >>/usr/lib/perl5/vendor_per > >>l/5.8.0 /usr/lib/perl5/vendor_perl > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > >>/usr/lib/MailScanner) > >>at /usr/lib/MailScanner/MailScanner/Messa > >>ge.pm line 46. > >>BEGIN failed--compilation aborted > >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > >>Compilation failed in require at /usr/sbin/MailScanner line 52. > >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > >> > >> > >> > >>-- > >>Med venlig hilsen - Best regards > >>Erik Jakobsen - eja@urbakken.dk > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martin.norberg at SKEKRAFT.SE Fri Mar 5 11:24:36 2004 
From: martin.norberg at SKEKRAFT.SE (Martin Norberg)
Date: Thu Jan 12 21:23:06 2006
Subject: BayesStore
Message-ID: <57807C70FEEBD211AD0F0008C728BDB202D6EC06@epost1.skekraft.se>

I would like a hint from anyone about what i'm doing wrong.
When i run mailscanner in debug mode i get the following error message.

# Failed to run BAYES_20 SpamAssassin test, skipping:
# (No write permission to sdbm file at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm line
# 933.

Best regards / Martin

----
MailScanner at Skellefteå Kraft has checked whether the message contains viruses or other harmful content.

From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:42:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: BayesStore
In-Reply-To: <57807C70FEEBD211AD0F0008C728BDB202D6EC06@epost1.skekraft.se>
References: <57807C70FEEBD211AD0F0008C728BDB202D6EC06@epost1.skekraft.se>
Message-ID: <6.0.1.1.2.20040305114151.03b61548@imap.ecs.soton.ac.uk>

At 11:24 05/03/2004, you wrote:
>I would like a hint from anyone about what i'm doing wrong.
>When i run mailscanner in debug mode i get the following error message.
>
># Failed to run BAYES_20 SpamAssassin test, skipping:
># (No write permission to sdbm file at
>/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm line #
>933.

Are you running MailScanner as something other than root (you probably are if you are using Exim or Postfix). You need to ensure that user can write to the bayes database files.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Fri Mar 5 11:46:31 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
Message-ID:

On Fri, 5 Mar 2004 11:25:36 +0000, Julian Field wrote:

>At 11:24 05/03/2004, you wrote:
>>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field
>> wrote:
>>
>> >Did you run the install.sh script?
>>
>>Yes I did.
>
>In which case what happened with it tried to build and install Archive::Zip?

I am not quite sure what you mean Julian. I am not sure when
it installed the Archive::Zip.

>And what does this say:
>find /usr/lib/perl5 -type f -name Zip.pm -print

It said nothing.

>and
>rpm -q perl-Archive-Zip

# rpm -q perl-Archive-Zip
package perl-Archive-Zip is not installed

>and
>rpm -ql perl-Archive-Zip
>

# rpm -ql perl-Archive-Zip
package perl-Archive-Zip is not installed

>
>> >At 10:53 05/03/2004, you wrote:
>> >>Hi.
>> >>
>> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok
>> >>according to the messages below:
>> >>
>> >>
>> >># service MailScanner start
>> >>Starting MailScanner daemons:
>> >> incoming postfix: [ OK ]
>> >> outgoing postfix: [ OK ]
>> >> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
>> >>contains: /usr/lib/MailScanner
>> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
>> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
>> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
>> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
>> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
>> >>/usr/lib/MailScanner)
>> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>> >>BEGIN failed--compilation aborted
>> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>> >>Compilation failed in require at /usr/sbin/MailScanner line 52.
>> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>> >> [ OK ] >> >> >> >> >> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004 >> >>Return-Path: >> >>Delivered-To: admin@urbakken.dk >> >>Received: by gateway.urbakken.dk (Postfix, from userid 0) >> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) >> >>From: root@urbakken.dk (Cron Daemon) >> >>To: admin@urbakken.dk >> >>Subject: Cron run-parts /etc/cron.hourly >> >>X-Cron-Env: >> >>X-Cron-Env: >> >>X-Cron-Env: >> >>X-Cron-Env: >> >>X-Cron-Env: >> >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> >> >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) >> >> >> >>/etc/cron.hourly/check_MailScanner: >> >> >> >>Starting MailScanner... >> >>Can't locate Archive/Zip.pm in @INC (@INC >> >>contains: /usr/lib/MailScanner >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >> >>/usr/lib/perl5/site_perl/5. >> >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 >> >>/usr/lib/perl5/site_perl >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >> >>/usr/lib/perl5/vendor_per >> >>l/5.8.0 /usr/lib/perl5/vendor_perl >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >> >>/usr/lib/MailScanner) >> >>at /usr/lib/MailScanner/MailScanner/Messa >> >>ge.pm line 46. >> >>BEGIN failed--compilation aborted >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >> >>Compilation failed in require at /usr/sbin/MailScanner line 52. >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. >> >> >> >> >> >> >> >>-- >> >>Med venlig hilsen - Best regards >> >>Erik Jakobsen - eja@urbakken.dk >> > >> >-- >> >Julian Field >> >www.MailScanner.info >> >MailScanner thanks transtec Computers for their support >> > >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rvitoria at ci.ucp.pt Fri Mar 5 11:39:46 2004 
From: rvitoria at ci.ucp.pt (Rui Vitória)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
In-Reply-To: <6.0.1.1.2.20040305112345.03b5e820@imap.ecs.soton.ac.uk>
Message-ID: <200403051142.i25BgH200639@fagote.ci.ucp.pt>

I've same problem.

But I see two errors in installation.

Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-1.noarch.rpm.
Maybe it did not build correctly?

Missing file /usr/src/redhat/RPMS/noarch/perl-Compress-Zlib-1.33-1.noarch.rpm.
Maybe it did not build correctly?

What can I do?

Rui

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Friday, 5 March 2004 11:26
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner-4.28.5-1

At 11:24 05/03/2004, you wrote:
>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field
> wrote:
>
> >Did you run the install.sh script?
>
>Yes I did.

In which case what happened with it tried to build and install Archive::Zip?
And what does this say:
find /usr/lib/perl5 -type f -name Zip.pm -print
and
rpm -q perl-Archive-Zip
and
rpm -ql perl-Archive-Zip

> >At 10:53 05/03/2004, you wrote:
> >>Hi.
> >>
> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok
> >>according to the messages below:
> >>
> >>
> >># service MailScanner start
> >>Starting MailScanner daemons:
> >> incoming postfix: [ OK ]
> >> outgoing postfix: [ OK ]
> >> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
> >>contains: /usr/lib/MailScanner
> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
> >>/usr/lib/MailScanner)
> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> >>BEGIN failed--compilation aborted
> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> >>Compilation failed in require at /usr/sbin/MailScanner line 52.
> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
> >> [ OK ]
> >>
> >>
> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004
> >>Return-Path:
> >>Delivered-To: admin@urbakken.dk
> >>Received: by gateway.urbakken.dk (Postfix, from userid 0)
> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST)
> >>From: root@urbakken.dk (Cron Daemon) > >>To: admin@urbakken.dk > >>Subject: Cron run-parts /etc/cron.hourly > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>X-Cron-Env: > >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> > >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) > >> > >>/etc/cron.hourly/check_MailScanner: > >> > >>Starting MailScanner... > >>Can't locate Archive/Zip.pm in @INC (@INC > >>contains: /usr/lib/MailScanner > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > >>/usr/lib/perl5/site_perl/5. > >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 > >>/usr/lib/perl5/site_perl > >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > >>/usr/lib/perl5/vendor_per > >>l/5.8.0 /usr/lib/perl5/vendor_perl > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > >>/usr/lib/MailScanner) > >>at /usr/lib/MailScanner/MailScanner/Messa > >>ge.pm line 46. > >>BEGIN failed--compilation aborted > >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > >>Compilation failed in require at /usr/sbin/MailScanner line 52. > >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > >> > >> > >> > >>-- > >>Med venlig hilsen - Best regards > >>Erik Jakobsen - eja@urbakken.dk > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:48:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
In-Reply-To: <200403051142.i25BgH200639@fagote.ci.ucp.pt>
References: <6.0.1.1.2.20040305112345.03b5e820@imap.ecs.soton.ac.uk> <200403051142.i25BgH200639@fagote.ci.ucp.pt>
Message-ID: <6.0.1.1.2.20040305114720.03946e90@imap.ecs.soton.ac.uk>

At 11:39 05/03/2004, you wrote:
>I've same problem.
>
>But I see two errors in installation.
>
>Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-1.noarch.rpm.
>Maybe it did not build correctly?

Can you send me all the output of install.sh so I can see what is happening?
./install.sh >/tmp/install.output 2>&1
should do it.
Obviously something is failing in the build of this RPM and I need to find out what, quickly.

>Missing file
>/usr/src/redhat/RPMS/noarch/perl-Compress-Zlib-1.33-1.noarch.rpm.
>Maybe it did not build correctly?
>
>
>What can I do?
>
>Rui
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: sexta-feira, 5 de Mar?o de 2004 11:26 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner-4.28.5-1 > >At 11:24 05/03/2004, you wrote: > >On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field > > wrote: > > > > >Did you run the install.sh script? > > > >Yes I did. > >In which case what happened with it tried to build and install Archive::Zip? >And what does this say: >find /usr/lib/perl5 -type f -name Zip.pm -print >and >rpm -q perl-Archive-Zip >and >rpm -ql perl-Archive-Zip > > > > > >At 10:53 05/03/2004, you wrote: > > >>Hi. > > >> > > >>I just did set up the MailScanner-4.28.5-1, but it would not run ok > > >>according to the messages below: > > >> > > >> > > >># service MailScanner start > > >>Starting MailScanner daemons: > > >> incoming postfix: [ OK ] > > >> outgoing postfix: [ OK ] > > >> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC > > >>contains: /usr/lib/MailScanner > > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > > >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > > >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > > >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > > >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > > >>/usr/lib/MailScanner) > > >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > > >>BEGIN failed--compilation aborted > > >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > > >>Compilation failed in require at /usr/sbin/MailScanner line 52. > > >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > > >> [ OK ] > > >> > > >> > > >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004 > > >>Return-Path: > > >>Delivered-To: admin@urbakken.dk > > >>Received: by gateway.urbakken.dk (Postfix, from userid 0) > > >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) 
> > >>From: root@urbakken.dk (Cron Daemon) > > >>To: admin@urbakken.dk > > >>Subject: Cron run-parts /etc/cron.hourly > > >>X-Cron-Env: > > >>X-Cron-Env: > > >>X-Cron-Env: > > >>X-Cron-Env: > > >>X-Cron-Env: > > >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> > > >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) > > >> > > >>/etc/cron.hourly/check_MailScanner: > > >> > > >>Starting MailScanner... > > >>Can't locate Archive/Zip.pm in @INC (@INC > > >>contains: /usr/lib/MailScanner > > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > > >>/usr/lib/perl5/site_perl/5. > > >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 > > >>/usr/lib/perl5/site_perl > > >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > > >>/usr/lib/perl5/vendor_per > > >>l/5.8.0 /usr/lib/perl5/vendor_perl > > >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > > >>/usr/lib/MailScanner) > > >>at /usr/lib/MailScanner/MailScanner/Messa > > >>ge.pm line 46. > > >>BEGIN failed--compilation aborted > > >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > > >>Compilation failed in require at /usr/sbin/MailScanner line 52. > > >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > > >> > > >> > > >> > > >>-- > > >>Med venlig hilsen - Best regards > > >>Erik Jakobsen - eja@urbakken.dk > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >MailScanner thanks transtec Computers for their support > > > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 11:51:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040305114855.03b5fe60@imap.ecs.soton.ac.uk>

Okay, in that case
rpm -Uvh perl-Compress-Zlib*src.rpm
rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* > /tmp/rpmbuildoutput 2>&1
and send me all the output from that rpmbuild command which should be in /tmp/rpmbuildoutput.

At 11:46 05/03/2004, you wrote:
>On Fri, 5 Mar 2004 11:25:36 +0000, Julian Field
> wrote:
>
> >At 11:24 05/03/2004, you wrote:
> >>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field
> >> wrote:
> >>
> >> >Did you run the install.sh script?
> >>
> >>Yes I did.
> >
> >In which case what happened with it tried to build and install
>Archive::Zip?
>
>I am not quite sure what you mean Julian. I am not sure when
>it installed the Archive::Zip.
>
> >And what does this say:
> >find /usr/lib/perl5 -type f -name Zip.pm -print
>
>It said nothing.
>
> >and
> >rpm -q perl-Archive-Zip
>
># rpm -q perl-Archive-Zip
>package perl-Archive-Zip is not installed
>
> >and
> >rpm -ql perl-Archive-Zip
> >
># rpm -ql perl-Archive-Zip
>package perl-Archive-Zip is not installed
>
> >
> >> >At 10:53 05/03/2004, you wrote:
> >> >>Hi.
> >> >> > >> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok > >> >>according to the messages below: > >> >> > >> >> > >> >># service MailScanner start > >> >>Starting MailScanner daemons: > >> >> incoming postfix: [ OK ] > >> >> outgoing postfix: [ OK ] > >> >> MailScanner: Can't locate Archive/Zip.pm in @INC >(@INC > >> >>contains: /usr/lib/MailScanner > >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > >> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > >> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > >> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > >> >>/usr/lib/MailScanner) > >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > >> >>BEGIN failed--compilation aborted > >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > >> >>Compilation failed in require at /usr/sbin/MailScanner line 52. > >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > >> >> [ OK ] > >> >> > >> >> > >> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004 > >> >>Return-Path: > >> >>Delivered-To: admin@urbakken.dk > >> >>Received: by gateway.urbakken.dk (Postfix, from userid 0) > >> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) 
> >> >>From: root@urbakken.dk (Cron Daemon) > >> >>To: admin@urbakken.dk > >> >>Subject: Cron run-parts /etc/cron.hourly > >> >>X-Cron-Env: > >> >>X-Cron-Env: > >> >>X-Cron-Env: > >> >>X-Cron-Env: > >> >>X-Cron-Env: > >> >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> > >> >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) > >> >> > >> >>/etc/cron.hourly/check_MailScanner: > >> >> > >> >>Starting MailScanner... > >> >>Can't locate Archive/Zip.pm in @INC (@INC > >> >>contains: /usr/lib/MailScanner > >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > >> >>/usr/lib/perl5/site_perl/5. > >> >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 > >> >>/usr/lib/perl5/site_perl > >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > >> >>/usr/lib/perl5/vendor_per > >> >>l/5.8.0 /usr/lib/perl5/vendor_perl > >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > >> >>/usr/lib/MailScanner) > >> >>at /usr/lib/MailScanner/MailScanner/Messa > >> >>ge.pm line 46. > >> >>BEGIN failed--compilation aborted > >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. > >> >>Compilation failed in require at /usr/sbin/MailScanner line 52. > >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > >> >> > >> >> > >> >> > >> >>-- > >> >>Med venlig hilsen - Best regards > >> >>Erik Jakobsen - eja@urbakken.dk > >> > > >> >-- > >> >Julian Field > >> >www.MailScanner.info > >> >MailScanner thanks transtec Computers for their support > >> > > >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Fri Mar 5 12:00:34 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:23:06 2006
Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
In-Reply-To: <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk>
Message-ID: <40486BE2.6000006@gmx.de>

Julian Field wrote:

> Did you run the ./install.sh like the installation guides tell you to?

yes.

i18n changed to
# cat /etc/sysconfig/i18n
##LANG="de_DE.UTF-8"
##SUPPORTED="de_DE.UTF-8:de_DE:de"
#LANG="de_DE"
#SUPPORTED="de_DE:de"
LANG="C"
SUPPORTED="C"
SYSFONT="latarcyrheb-sun16"

and reboot!
no luck :-(

it seems that perl-Compress-Zlib was not installed via install.sh
perl-Archiv-Zip requires perl-Compress-Zip

# rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm
[...]
Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-debuginfo-1.33-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.48726
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd Compress-Zlib-1.33
+ rm -rf /var/tmp/perl-Compress-Zlib-1.33-1-root
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.48726
+ umask 022
+ cd /usr/src/redhat/BUILD
+ rm -rf Compress-Zlib-1.33
+ exit 0

# rpm -qa | grep -i compress
# rpm -qa | grep -i zlib
zlib-devel-1.2.0.7-2
zlib-1.2.0.7-2

# rpm -ivh /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
Preparing... ########################################### [100%]
1:perl-Compress-Zlib ########################################### [100%]
# rpm -qa | grep -i compress
perl-Compress-Zlib-1.33-1

# rpm -qa | grep -i compress

# rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-debuginfo-1.09-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.83163
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd Archive-Zip-1.09
+ rm -rf /var/tmp/perl-Archive-Zip-1.09-1-root
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.83163
+ umask 022
+ cd /usr/src/redhat/BUILD
+ rm -rf Archive-Zip-1.09
+ exit 0

# rpm -qa | grep -i archiv
# rpm -ivh /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
Preparing... ########################################### [100%]
1:perl-Archive-Zip ########################################### [100%]
# rpm -qa | grep -i archiv
perl-Archive-Zip-1.09-1

./install.sh
is running once again
wait a few minute for the result :-)

--
shrek-m

From mailscanner at ecs.soton.ac.uk Fri Mar 5 12:27:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
In-Reply-To: <40486BE2.6000006@gmx.de>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk> <40486BE2.6000006@gmx.de>
Message-ID: <6.0.1.1.2.20040305122431.039dc800@imap.ecs.soton.ac.uk>

Edit the install.sh script and change these lines
Compress::Zlib Compress-Zlib 1.33 1 noarch
Archive::Zip Archive-Zip 1.09 1 noarch
to these lines
Compress::Zlib Compress-Zlib 1.33 1 i386
Archive::Zip Archive-Zip 1.09 1 i386

I am just about to release -2 which should solve this problem properly.

At 12:00 05/03/2004, you wrote:
>Julian Field wrote:
>
>>Did you run the ./install.sh like the installation guides tell you to?
>
>
>yes.
>
>i18n changed to
># cat /etc/sysconfig/i18n ##LANG="de_DE.UTF-8"
>##SUPPORTED="de_DE.UTF-8:de_DE:de"
>#LANG="de_DE"
>#SUPPORTED="de_DE:de"
>LANG="C"
>SUPPORTED="C"
>SYSFONT="latarcyrheb-sun16"
>
>and reboot!
>no luck :-(
>
>
>it seems that perl-Compress-Zlib was not installed via install.sh
>perl-Archiv-Zip requires perl-Compress-Zip
>
>
>
># rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm
>[...]
>Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
>Wrote:
>/usr/src/redhat/RPMS/i386/perl-Compress-Zlib-debuginfo-1.33-1.i386.rpm
>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.48726
>+ umask 022
>+ cd /usr/src/redhat/BUILD
>+ cd Compress-Zlib-1.33
>+ rm -rf /var/tmp/perl-Compress-Zlib-1.33-1-root
>+ exit 0
>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.48726
>+ umask 022
>+ cd /usr/src/redhat/BUILD
>+ rm -rf Compress-Zlib-1.33
>+ exit 0
>
>
># rpm -qa | grep -i compress
># rpm -qa | grep -i zlib
>zlib-devel-1.2.0.7-2
>zlib-1.2.0.7-2
>
># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
>Preparing... ###########################################
>[100%]
> 1:perl-Compress-Zlib ###########################################
>[100%]
># rpm -qa | grep -i compress
>perl-Compress-Zlib-1.33-1
>
>
># rpm -qa | grep -i compress
>
># rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm
>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-debuginfo-1.09-1.i386.rpm
>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.83163
>+ umask 022
>+ cd /usr/src/redhat/BUILD
>+ cd Archive-Zip-1.09
>+ rm -rf /var/tmp/perl-Archive-Zip-1.09-1-root
>+ exit 0
>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.83163
>+ umask 022
>+ cd /usr/src/redhat/BUILD
>+ rm -rf Archive-Zip-1.09
>+ exit 0
>
>
># rpm -qa | grep -i archiv
># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
>Preparing... ###########################################
>[100%]
> 1:perl-Archive-Zip ###########################################
>[100%]
># rpm -qa | grep -i archiv
>perl-Archive-Zip-1.09-1
>
>
>
>./install.sh
>is running once again
>wait a few minute for the result :-)
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martin.norberg at SKEKRAFT.SE Fri Mar 5 12:45:51 2004
From: martin.norberg at SKEKRAFT.SE (Martin Norberg)
Date: Thu Jan 12 21:23:06 2006
Subject: BayesStore
Message-ID: <57807C70FEEBD211AD0F0008C728BDB202D6EC0B@epost1.skekraft.se>

I can't find the problem.
Postfix is the owner of the folder /var/spool/MailScanner/spamassassin and the bayes* files in it.

Best regards / Martin

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 5 March 2004 12:43
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: BayesStore
>
> At 11:24 05/03/2004, you wrote:
> >I would like a hint from anyone about what I'm doing wrong.
> >When I run MailScanner in debug mode I get the following error message.
> >
> ># Failed to run BAYES_20 SpamAssassin test, skipping:
> ># (No write permission to sdbm file at
> >/usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm
> >line # 933.
>
> Are you running MailScanner as something other than root (you
> probably are if you are using Exim or Postfix). You need to
> ensure that user can write to the bayes database files.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ----
> MailScanner at Skellefteå Kraft has checked the message for
> viruses or other harmful content.
>
>

----
MailScanner at Skellefteå Kraft has checked the message for viruses or other harmful content.

From mailscanner at ecs.soton.ac.uk Fri Mar 5 12:52:11 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <6.0.1.1.2.20040305122431.039dc800@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk> <40486BE2.6000006@gmx.de> <6.0.1.1.2.20040305122431.039dc800@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040305125152.03f17340@imap.ecs.soton.ac.uk> Have just released 4.28.5-2 to fix this problem. Minor build error, nothing too major :-) At 12:27 05/03/2004, you wrote: >Edit the install.sh script and change these lines >Compress::Zlib Compress-Zlib 1.33 1 noarch >Archive::Zip Archive-Zip 1.09 1 noarch >to these lines >Compress::Zlib Compress-Zlib 1.33 1 i386 >Archive::Zip Archive-Zip 1.09 1 i386 > >I am just about to release -2 which should solve this problem properly. > >At 12:00 05/03/2004, you wrote: >>Julian Field wrote: >> >>>Did you run the ./install.sh like the installation guides tell you to? >> >> >>yes. >> >>i18n changed to >># cat /etc/sysconfig/i18n ##LANG="de_DE.UTF-8" >>##SUPPORTED="de_DE.UTF-8:de_DE:de" >>#LANG="de_DE" >>#SUPPORTED="de_DE:de" >>LANG="C" >>SUPPORTED="C" >>SYSFONT="latarcyrheb-sun16" >> >>and reboot! >>no luck :-( >> >> >>it seems that perl-Compress-Zlib was not installed via install.sh >>perl-Archiv-Zip requires perl-Compress-Zip >> >> >> >># rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm >>[...] 
>>Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm >>Wrote: >>/usr/src/redhat/RPMS/i386/perl-Compress-Zlib-debuginfo-1.33-1.i386.rpm >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.48726 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ cd Compress-Zlib-1.33 >>+ rm -rf /var/tmp/perl-Compress-Zlib-1.33-1-root >>+ exit 0 >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.48726 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ rm -rf Compress-Zlib-1.33 >>+ exit 0 >> >> >># rpm -qa | grep -i compress >># rpm -qa | grep -i zlib >>zlib-devel-1.2.0.7-2 >>zlib-1.2.0.7-2 >> >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm >>Preparing... ########################################### >>[100%] >> 1:perl-Compress-Zlib ########################################### >>[100%] >># rpm -qa | grep -i compress >>perl-Compress-Zlib-1.33-1 >> >> >># rpm -qa | grep -i compress >> >># rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-debuginfo-1.09-1.i386.rpm >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.83163 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ cd Archive-Zip-1.09 >>+ rm -rf /var/tmp/perl-Archive-Zip-1.09-1-root >>+ exit 0 >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.83163 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ rm -rf Archive-Zip-1.09 >>+ exit 0 >> >> >># rpm -qa | grep -i archiv >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm >>Preparing... 
###########################################
>>[100%]
>> 1:perl-Archive-Zip ###########################################
>>[100%]
>># rpm -qa | grep -i archiv
>>perl-Archive-Zip-1.09-1
>>
>>
>>
>>./install.sh
>>is running once again
>>wait a few minute for the result :-)
>>
>>--
>>shrek-m
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From drew at THEMARSHALLS.CO.UK Fri Mar 5 12:59:00 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:06 2006
Subject: BayesStore
In-Reply-To: <57807C70FEEBD211AD0F0008C728BDB202D6EC0B@epost1.skekraft.se>
References: <57807C70FEEBD211AD0F0008C728BDB202D6EC0B@epost1.skekraft.se>
Message-ID: <25143.194.70.180.170.1078491540.squirrel@net.themarshalls.co.uk>

Martin Norberg said:
> I can't find the problem.
> Postfix is the owner of the folder /var/spool/MailScanner/spamassassin and the
> bayes* files in it.
>

Who is MailScanner running as? What are the permissions of the *contents*
of /var/spool/MailScanner/spamassassin?

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

www.themarshalls.co.uk/policy

From redjar at REDJAR.ORG Fri Mar 5 13:10:58 2004
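The check Drew asks for in the BayesStore message above, written out as an added example (not part of the thread, and not MailScanner or SpamAssassin code). It evaluates plain Unix mode bits for the account MailScanner runs as; the function names and the sample directory built by `make_sample_dir` are constructed for illustration, and ACLs or SELinux are not considered.

```python
import os
import pwd
import stat
import tempfile


def _allowed(st, uid, gids, user_bit, group_bit, other_bit):
    """Classic Unix mode-bit check: owner, then group, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _describe(st):
    return "mode %04o uid %d gid %d" % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def ids_for_user(name):
    """Look up uid and group ids of a real account, e.g. ids_for_user('postfix')."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))


def audit_bayes_dir(path, uid, gids, prefix="bayes"):
    """Return (name, details) for everything the given user cannot write.

    The directory itself is reported as "." because it must be writable and
    searchable if new files are to be created beside the database.
    """
    problems = []
    dst = os.stat(path)
    can_w = _allowed(dst, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    can_x = _allowed(dst, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (can_w and can_x):
        problems.append((".", _describe(dst)))
    for name in sorted(os.listdir(path)):
        if not name.startswith(prefix):
            continue
        st = os.stat(os.path.join(path, name))
        if not _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
            problems.append((name, _describe(st)))
    return problems


def make_sample_dir(root):
    """Constructed sample: a directory and bayes files writable by their owner only."""
    d = os.path.join(root, "spamassassin")
    os.mkdir(d)
    for name, mode in (("bayes_seen", 0o644), ("bayes_toks", 0o600)):
        p = os.path.join(d, name)
        with open(p, "wb"):
            pass
        os.chmod(p, mode)
    os.chmod(d, 0o755)
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        sample = make_sample_dir(root)
        owner = os.stat(sample).st_uid
        # A second, hypothetical account that is neither the owner nor in the group.
        for name, details in audit_bayes_dir(sample, owner + 12345, set()):
            print("not writable:", name, details)
```

On a real system, pass the result of `ids_for_user()` for the account MailScanner runs as, together with the spamassassin directory named in the thread.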
From: redjar at REDJAR.ORG (Jared) Date: Thu Jan 12 21:23:06 2006 Subject: F-Prot Response Message-ID: <8B1C61C0-6EA6-11D8-905F-000393DB639A@redjar.org> This list moves so fast, that I'm not sure if someone already posted this, but I just got a response from frisk/f-prot in regards to dealing with password protected zip files. Here it is: ---------------------------------- Hello and thank you for your mail. Later today we will release a new version of all F-Prot Antivirus products for UNIX based platforms. These newest versions are our response to the multiple outbreaks of recent days and provide improved scanning of encrypted executables and password protected ZIP archives. The improved scanning technique provided in these versions allows F-Prot Antivirus to better detect potentially damaging executables hidden in these archives and flag them as such. In addition, scanning of all archives, whether password protected or not, is now a default setting in these versions. This setting can be changed by users and network administrators. More information on modifying these settings can be found in the F-Prot Antivirus for UNIX man pages (f-prot.1 and f-protd). These changes may result in a small number of false positives if legitimate executables of a certain length are sent within password protected ZIP archives. However, we recommend that users of F-Prot Antivirus for Linux, BSD, Solaris SPARC, Solaris x86, AIX on IBM pSeries and Linux on IBM zSeries systems update their programs to these newest versions as soon as it is released. Best regards, Kolbrun Valbergsdottir F-Prot Antivirus Tech Support ---------------------------------- From shrek-m at GMX.DE Fri Mar 5 13:12:26 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <6.0.1.1.2.20040305125152.03f17340@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk> <40486BE2.6000006@gmx.de> <6.0.1.1.2.20040305122431.039dc800@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040305125152.03f17340@imap.ecs.soton.ac.uk> Message-ID: <40487CBA.4030105@gmx.de> Julian Field wrote: > Have just released 4.28.5-2 to fix this problem. > Minor build error, nothing too major :-) > > At 12:27 05/03/2004, you wrote: > >> Edit the install.sh script and change these lines >> Compress::Zlib Compress-Zlib 1.33 1 noarch >> Archive::Zip Archive-Zip 1.09 1 noarch >> to these lines >> Compress::Zlib Compress-Zlib 1.33 1 i386 >> Archive::Zip Archive-Zip 1.09 1 i386 >> >> I am just about to release -2 which should solve this problem properly. > i can see it now too:-) >>> # rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm >>> [...] >>> Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm >>> [...]# rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm >>> Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm >> can happen, thanks :-) -- shrek-m From lists at DVD-GOETSCH.DE Fri Mar 5 13:15:41 2004 From: lists at DVD-GOETSCH.DE (sebastian ruchti) Date: Thu Jan 12 21:23:06 2006 Subject: Stable 4.28.5 won't start postfix In-Reply-To: Message-ID: sorry, my fault - I didn't check /etc/sysconfig/MailScanner, but thought the MTA setting would be taken from /etc/MailScanner/MailScanner.conf .sebastian > -----Original Message----- 
> From: sebastian ruchti [mailto:lists@dvd-goetsch.de] > Sent: Friday, March 05, 2004 2:13 PM > To: MailScanner mailing list > Subject: Stable 4.28.5 won't start postfix > > > Just installed the latest stable release and now I'm > experienceing the following problems on SuSe 8.2 / postfix. > > Although the MTA is set to postfix, the start script > (rcMailScanner start) is trying to start sendmail, which it > obviously can't start - therefore the mailsystem can't get up. > > Any ideas, what I could have done from or if there was a bug that > made its way in there concerning postfix?! > > .sebastian From lists at DVD-GOETSCH.DE Fri Mar 5 13:12:33 2004 From: lists at DVD-GOETSCH.DE (sebastian ruchti) Date: Thu Jan 12 21:23:06 2006 Subject: Stable 4.28.5 won't start postfix In-Reply-To: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> Message-ID: Just installed the latest stable release and now I'm experienceing the following problems on SuSe 8.2 / postfix. Although the MTA is set to postfix, the start script (rcMailScanner start) is trying to start sendmail, which it obviously can't start - therefore the mailsystem can't get up. Any ideas, what I could have done from or if there was a bug that made its way in there concerning postfix?! .sebastian From dean.plant at ROKE.CO.UK Fri Mar 5 13:27:31 2004 
From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:23:06 2006 Subject: F-prot update Message-ID: I guess the f-prot update will mean more changes to MailScanner Output of scan: Virus scanning report - 5 March 2004 @ 13:24 F-PROT ANTIVIRUS Program version: 4.4.0 Engine version: 3.14.10 VIRUS SIGNATURE FILES SIGN.DEF created 4 March 2004 SIGN2.DEF created 4 March 2004 MACRO.DEF created 1 March 2004 Search: ./Letter.zip ./message Action: Report only Files: "Dumb" scan of all files Switches: -ARCHIVE -PACKED -SERVER /var/spool/MailScanner/quarantine/20040305/i25Cn7ID025173/Letter.zip->lkqwqx j.scr could be a security risk /var/spool/MailScanner/quarantine/20040305/i25Cn7ID025173/message->lkqwqxj.s cr could be a security risk Results of virus scanning: Files: 2 MBRs: 0 Boot sectors: 0 Objects scanned: 3 Infected: 0 Suspicious: 2 Disinfected: 0 Deleted: 0 Renamed: 0 Time: 0:00 -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From rvitoria at ci.ucp.pt Fri Mar 5 13:34:56 2004 
From: rvitoria at ci.ucp.pt (=?iso-8859-1?Q?Rui_Vit=F3ria?=) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <6.0.1.1.2.20040305125152.03f17340@imap.ecs.soton.ac.uk> Message-ID: <200403051337.i25DbRK10270@fagote.ci.ucp.pt> Julian it's normal the installation skipped this test in module "perl-Compress-Zlib" PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/01version.........ok t/02zlib............ok t/03examples........ok t/04encoding........skipped: Encode is not available t/05gzsetp..........ok t/06gzdopen.........ok All tests successful, 1 test skipped. Rui -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: sexta-feira, 5 de Mar?o de 2004 12:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) Have just released 4.28.5-2 to fix this problem. Minor build error, nothing too major :-) At 12:27 05/03/2004, you wrote: >Edit the install.sh script and change these lines >Compress::Zlib Compress-Zlib 1.33 1 noarch >Archive::Zip Archive-Zip 1.09 1 noarch >to these lines >Compress::Zlib Compress-Zlib 1.33 1 i386 >Archive::Zip Archive-Zip 1.09 1 i386 > >I am just about to release -2 which should solve this problem properly. > >At 12:00 05/03/2004, you wrote: >>Julian Field wrote: >> >>>Did you run the ./install.sh like the installation guides tell you to? >> >> >>yes. >> >>i18n changed to >># cat /etc/sysconfig/i18n ##LANG="de_DE.UTF-8" >>##SUPPORTED="de_DE.UTF-8:de_DE:de" >>#LANG="de_DE" >>#SUPPORTED="de_DE:de" >>LANG="C" >>SUPPORTED="C" >>SYSFONT="latarcyrheb-sun16" >> >>and reboot! >>no luck :-( >> >> >>it seems that perl-Compress-Zlib was not installed via install.sh >>perl-Archiv-Zip requires perl-Compress-Zip >> >> >> >># rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm >>[...] >>Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm >>Wrote: >>/usr/src/redhat/RPMS/i386/perl-Compress-Zlib-debuginfo-1.33-1.i386.rpm >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.48726 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ cd Compress-Zlib-1.33 >>+ rm -rf /var/tmp/perl-Compress-Zlib-1.33-1-root >>+ exit 0 >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.48726 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ rm -rf Compress-Zlib-1.33 >>+ exit 0 >> >> >># rpm -qa | grep -i compress >># rpm -qa | grep -i zlib >>zlib-devel-1.2.0.7-2 >>zlib-1.2.0.7-2 >> >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm >>Preparing... 
########################################### >>[100%] >> 1:perl-Compress-Zlib ########################################### >>[100%] >># rpm -qa | grep -i compress >>perl-Compress-Zlib-1.33-1 >> >> >># rpm -qa | grep -i compress >> >># rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-debuginfo-1.09-1.i386.rpm >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.83163 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ cd Archive-Zip-1.09 >>+ rm -rf /var/tmp/perl-Archive-Zip-1.09-1-root >>+ exit 0 >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.83163 >>+ umask 022 >>+ cd /usr/src/redhat/BUILD >>+ rm -rf Archive-Zip-1.09 >>+ exit 0 >> >> >># rpm -qa | grep -i archiv >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm >>Preparing... ########################################### >>[100%] >> 1:perl-Archive-Zip ########################################### >>[100%] >># rpm -qa | grep -i archiv >>perl-Archive-Zip-1.09-1 >> >> >> >>./install.sh >>is running once again >>wait a few minute for the result :-) >> >>-- >>shrek-m > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From eja at URBAKKEN.DK Fri Mar 5 12:29:02 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:06 2006 Subject: MailScanner-4.28.5-1 Message-ID: On Fri, 5 Mar 2004 11:51:21 +0000, Julian Field wrote: >Okay, in that case > >rpm -Uvh perl-Compress-Zlib*src.rpm >rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* > >/tmp/rpmbuildoutput 2>&1 >and send me all the output from that rpmbuild command which should be in >/tmp/rpmbuildoutput. Here's the very minor outputs: # find /usr/lib/perl5 -type f -name Zip.pm -print # rpm -q perl-Archive-Zip package perl-Archive-Zip is not installed # rpm -ql perl-Archive-Zip package perl-Archive-Zip is not installed # cd .. # cd .. # rpm -Uvh perl-Compress-Zlib*src.rpm error: File not found by glob: perl-Compress-Zlib*src.rpm ]# rpm -Uvh perl-Compress-Zlib*src.rpm error: File not found by glob: perl-Compress-Zlib*src.rpm # rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* > -bash: syntax error near unexpected token `newline' # rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* /tmp/rpmbuildoutput 2>&1 error: failed to stat /usr/src/redhat/SPECS/perl-Compress-Zlib*: No such file or directory # cd /tmp/ tmp]# ls -l total 92 srw-rw-rw- 1 nobody nobody 0 Mar 5 11:57 alertd.socket -rw-r--r-- 1 clamav clamav 13615 Mar 5 13:11 ClamAV.update.log drwx------ 2 root root 4096 Mar 5 11:53 mc-root
>At 11:46 05/03/2004, you wrote: >>On Fri, 5 Mar 2004 11:25:36 +0000, Julian Field >> wrote: >> >> >At 11:24 05/03/2004, you wrote: >> >>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field >> >> wrote: >> >> >> >> >Did you run the install.sh script? >> >> >> >>Yes I did. >> > >> >In which case what happened with it tried to build and install >>Archive::Zip? >> >>I am not quite sure what you mean Julian. I am not sure when >>it installed the Archive::Zip. >> >> >And what does this say: >> >find /usr/lib/perl5 -type f -name Zip.pm -print >> >>It said nothing. >> >> >and >> >rpm -q perl-Archive-Zip >> >># rpm -q perl-Archive-Zip >>package perl-Archive-Zip is not installed >> >> >and >> >rpm -ql perl-Archive-Zip >> > >># rpm -ql perl-Archive-Zip >>package perl-Archive-Zip is not installed >> >> > >> >> >At 10:53 05/03/2004, you wrote: >> >> >>Hi. 
>> >> >> >> >> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok >> >> >>according to the messages below: >> >> >> >> >> >> >> >> >># service MailScanner start >> >> >>Starting MailScanner daemons: >> >> >> incoming postfix: [ OK ] >> >> >> outgoing postfix: [ OK ] >> >> >> MailScanner: Can't locate Archive/Zip.pm in @INC >>(@INC >> >> >>contains: /usr/lib/MailScanner >> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >> >> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >> >> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >> >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >> >> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >> >> >>/usr/lib/MailScanner) >> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >> >> >>BEGIN failed--compilation aborted >> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >> >> >>Compilation failed in require at /usr/sbin/MailScanner line 52. >> >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. >> >> >> [ OK ] >> >> >> >> >> >> >> >> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004 >> >> >>Return-Path: >> >> >>Delivered-To: admin@urbakken.dk >> >> >>Received: by gateway.urbakken.dk (Postfix, from userid 0) >> >> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST) 
>> >> >>From: root@urbakken.dk (Cron Daemon) >> >> >>To: admin@urbakken.dk >> >> >>Subject: Cron run-parts /etc/cron.hourly >> >> >>X-Cron-Env: >> >> >>X-Cron-Env: >> >> >>X-Cron-Env: >> >> >>X-Cron-Env: >> >> >>X-Cron-Env: >> >> >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk> >> >> >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST) >> >> >> >> >> >>/etc/cron.hourly/check_MailScanner: >> >> >> >> >> >>Starting MailScanner... >> >> >>Can't locate Archive/Zip.pm in @INC (@INC >> >> >>contains: /usr/lib/MailScanner >> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >> >> >>/usr/lib/perl5/site_perl/5. >> >> >>8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 >> >> >>/usr/lib/perl5/site_perl >> >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >> >> >>/usr/lib/perl5/vendor_per >> >> >>l/5.8.0 /usr/lib/perl5/vendor_perl >> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >> >> >>/usr/lib/MailScanner) >> >> >>at /usr/lib/MailScanner/MailScanner/Messa >> >> >>ge.pm line 46. >> >> >>BEGIN failed--compilation aborted >> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >> >> >>Compilation failed in require at /usr/sbin/MailScanner line 52. >> >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. 
>> >> >> >> >> >> >> >> >> >> >> >>-- >> >> >>Med venlig hilsen - Best regards >> >> >>Erik Jakobsen - eja@urbakken.dk >> >> > >> >> >-- >> >> >Julian Field >> >> >www.MailScanner.info >> >> >MailScanner thanks transtec Computers for their support >> >> > >> >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > >> >-- >> >Julian Field >> >www.MailScanner.info >> >MailScanner thanks transtec Computers for their support >> > >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lists at MASONC.COM Fri Mar 5 12:34:31 2004 From: lists at MASONC.COM (Chris Mason) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <40486BE2.6000006@gmx.de> Message-ID: <001101c402ae$3555b170$0600a8c0@poseiden> I tried to compile in Redhat 9 box: My i18n is LANG="en_US" SUPPORTED="en_US.UTF-8:en_US:en" SYSFONT="latarcyrheb-sun16" ./install.sh ... BEGIN failed--compilation aborted at /usr/src/redhat/BUILD/Archive-Zip-1.09/blib/lib/Archive/Zip.pm line 24. ... Chris Mason masonc@masonc.com Box 340, The Valley, Anguilla, British West Indies Tel. (264) 497-5670 - Cell: (264) 235-5670 Fax: (264) 497-8463 - US Fax (815)301-9759 Yahoo IM: netconcepts_anguilla@yahoo.com From shrek-m at GMX.DE Fri Mar 5 12:35:23 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:23:06 2006
Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
In-Reply-To: <40486BE2.6000006@gmx.de>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk> <40486BE2.6000006@gmx.de>
Message-ID: <4048740B.4000604@gmx.de>

shrek-m@gmx.de wrote:

> Julian Field wrote:
>
>> Did you run the ./install.sh like the installation guides tell you to?
>

all is ok now and my i18n is back to

# cat /etc/sysconfig/i18n
LANG="de_DE.UTF-8"
SUPPORTED="de_DE.UTF-8:de_DE:de"
#LANG="de_DE"
#SUPPORTED="de_DE:de"
#LANG="C"
#SUPPORTED="C"
SYSFONT="latarcyrheb-sun16

and reboot.

mailscanner 4.28.5-1 is working.

what happened?
./install.sh
was not able to install perl_Compress-Zlib before perl_Archive-Zip ?

why?
i18n utf-8 ?
resolution ?
in ./install.sh LANG=C ?

building the packages and installing manually perl-Compress-Zlib and
perl-Archive-Zip was ok,
LANG=C in i18n.

my fault, i had not tried ./install.sh after modifying i18n :-(


--
shrek-m

From mailscanner at ecs.soton.ac.uk Fri Mar 5 13:44:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: F-prot update In-Reply-To: References: Message-ID: <6.0.1.1.2.20040305134258.03f17e10@imap.ecs.soton.ac.uk> At 13:27 05/03/2004, you wrote: >I guess the f-prot update will mean more changes to MailScanner I'm not going to rush out a new release for that, as MailScanner now performs filename checks on the contents of Zip files anyway, even if they are password-protected. So it doesn't really give you very much extra value when used within MailScanner. >Output of scan: > >Virus scanning report - 5 March 2004 @ 13:24 > >F-PROT ANTIVIRUS >Program version: 4.4.0 >Engine version: 3.14.10 > >VIRUS SIGNATURE FILES >SIGN.DEF created 4 March 2004 >SIGN2.DEF created 4 March 2004 >MACRO.DEF created 1 March 2004 > >Search: ./Letter.zip ./message >Action: Report only >Files: "Dumb" scan of all files >Switches: -ARCHIVE -PACKED -SERVER > >/var/spool/MailScanner/quarantine/20040305/i25Cn7ID025173/Letter.zip->lkqwqx >j.scr could be a security risk >/var/spool/MailScanner/quarantine/20040305/i25Cn7ID025173/message->lkqwqxj.s >cr could be a security risk > >Results of virus scanning: > >Files: 2 >MBRs: 0 >Boot sectors: 0 >Objects scanned: 3 >Infected: 0 >Suspicious: 2 >Disinfected: 0 >Deleted: 0 >Renamed: 0 > >Time: 0:00 > >-- >Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, >Berkshire. RG12 8FZ > >The information contained in this e-mail and any attachments is >confidential to >Roke Manor Research Ltd and must not be passed to any third party without >permission. This communication is for information only and shall not create or >change any contractual relationship. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 13:41:28 2004 
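Julian's point in the F-prot update reply above, that filename checks still work on password-protected Zip files, holds because classic Zip password protection encrypts member data but leaves member names readable in the archive directory. The sketch below is an added example, not MailScanner code and not part of the thread; the extension list, the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

# Extensions this example treats as executable. The list is an assumption
# for illustration, not MailScanner's filename rules.
RISKY_EXTENSIONS = (".scr", ".pif", ".exe", ".com", ".bat", ".cmd")

ENCRYPTED_FLAG = 0x0001      # general purpose bit 0: member is password-protected
LOCAL_SIG = b"PK\x03\x04"    # local file header, flag word at offset 6
CENTRAL_SIG = b"PK\x01\x02"  # central directory header, flag word at offset 8


def _set_flag(data, offset):
    (flags,) = struct.unpack_from("<H", data, offset)
    struct.pack_into("<H", data, offset, flags | ENCRYPTED_FLAG)


def build_sample_zip(name, payload, encrypted):
    """Build a one-member Zip in memory (constructed sample data).

    With encrypted=True the "encrypted" flag is set in both headers, which is
    how a password-protected member is marked. The payload is not really
    encrypted; only the header flag matters for a filename check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        _set_flag(data, data.index(LOCAL_SIG) + 6)
        _set_flag(data, data.index(CENTRAL_SIG) + 8)
    return bytes(data)


def check_zip_filenames(data):
    """List every member with its name, encryption flag and risk verdict.

    Names come from the central directory, so no password is needed. They are
    hidden only when the archive uses central directory encryption (flag bit
    13), which classic password protection does not.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info)          # content scan: fails without the password
                readable = True
            except RuntimeError:
                readable = False
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "risky": info.filename.lower().endswith(RISKY_EXTENSIONS),
                "content_readable": readable,
            })
    return findings


if __name__ == "__main__":
    sample = build_sample_zip("document.scr", b"constructed sample payload", True)
    for finding in check_zip_filenames(sample):
        print(finding)
```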
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:06 2006 Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released) In-Reply-To: <200403051337.i25DbRK10270@fagote.ci.ucp.pt> References: <6.0.1.1.2.20040305125152.03f17340@imap.ecs.soton.ac.uk> <200403051337.i25DbRK10270@fagote.ci.ucp.pt> Message-ID: <6.0.1.1.2.20040305134102.039554e8@imap.ecs.soton.ac.uk> At 13:34 05/03/2004, you wrote: >Julian it's normal the installation skipped this test in module >"perl-Compress-Zlib" > > >PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" >"test_harness(0, 'blib/lib', 'blib/arch')" t/*.t >t/01version.........ok >t/02zlib............ok >t/03examples........ok >t/04encoding........skipped: Encode is not available Yes, perfectly normal, don't worry. It's some code the author hasn't got around to writing yet. >t/05gzsetp..........ok >t/06gzdopen.........ok >All tests successful, 1 test skipped. > >Rui > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: sexta-feira, 5 de Março de 2004 12:52
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
>
>Have just released 4.28.5-2 to fix this problem.
>Minor build error, nothing too major :-)
>
>At 12:27 05/03/2004, you wrote:
> >Edit the install.sh script and change these lines
> >Compress::Zlib Compress-Zlib 1.33 1 noarch
> >Archive::Zip Archive-Zip 1.09 1 noarch
> >to these lines
> >Compress::Zlib Compress-Zlib 1.33 1 i386
> >Archive::Zip Archive-Zip 1.09 1 i386
> >
> >I am just about to release -2 which should solve this problem properly.
> >
> >At 12:00 05/03/2004, you wrote:
> >>Julian Field wrote:
> >>
> >>>Did you run the ./install.sh like the installation guides tell you to?
> >>
> >>
> >>yes.
> >>
> >>i18n changed to
> >># cat /etc/sysconfig/i18n
> >>##LANG="de_DE.UTF-8"
> >>##SUPPORTED="de_DE.UTF-8:de_DE:de"
> >>#LANG="de_DE"
> >>#SUPPORTED="de_DE:de"
> >>LANG="C"
> >>SUPPORTED="C"
> >>SYSFONT="latarcyrheb-sun16"
> >>
> >>and reboot!
> >>no luck :-(
> >>
> >>
> >>it seems that perl-Compress-Zlib was not installed via install.sh
> >>perl-Archiv-Zip requires perl-Compress-Zip
> >>
> >>
> >>
> >># rpmbuild --rebuild perl-Compress-Zlib-1.33-1.src.rpm
> >>[...]
> >>Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
> >>Wrote: /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-debuginfo-1.33-1.i386.rpm
> >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.48726
> >>+ umask 022
> >>+ cd /usr/src/redhat/BUILD
> >>+ cd Compress-Zlib-1.33
> >>+ rm -rf /var/tmp/perl-Compress-Zlib-1.33-1-root
> >>+ exit 0
> >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.48726
> >>+ umask 022
> >>+ cd /usr/src/redhat/BUILD
> >>+ rm -rf Compress-Zlib-1.33
> >>+ exit 0
> >>
> >>
> >># rpm -qa | grep -i compress
> >># rpm -qa | grep -i zlib
> >>zlib-devel-1.2.0.7-2
> >>zlib-1.2.0.7-2
> >>
> >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.33-1.i386.rpm
> >>Preparing... ########################################### [100%]
> >> 1:perl-Compress-Zlib ########################################### [100%]
> >># rpm -qa | grep -i compress
> >>perl-Compress-Zlib-1.33-1
> >>
> >>
> >># rpm -qa | grep -i compress
> >>
> >># rpmbuild --rebuild perl-Archive-Zip-1.09-1.src.rpm
> >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
> >>Wrote: /usr/src/redhat/RPMS/i386/perl-Archive-Zip-debuginfo-1.09-1.i386.rpm
> >>Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.83163
> >>+ umask 022
> >>+ cd /usr/src/redhat/BUILD
> >>+ cd Archive-Zip-1.09
> >>+ rm -rf /var/tmp/perl-Archive-Zip-1.09-1-root
> >>+ exit 0
> >>Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.83163
> >>+ umask 022
> >>+ cd /usr/src/redhat/BUILD
> >>+ rm -rf Archive-Zip-1.09
> >>+ exit 0
> >>
> >>
> >># rpm -qa | grep -i archiv
> >># rpm -ivh /usr/src/redhat/RPMS/i386/perl-Archive-Zip-1.09-1.i386.rpm
> >>Preparing... ########################################### [100%]
> >> 1:perl-Archive-Zip ########################################### [100%]
> >># rpm -qa | grep -i archiv
> >>perl-Archive-Zip-1.09-1
> >>
> >>
> >>
> >>./install.sh
> >>is running once again
> >>wait a few minute for the result :-)
> >>
> >>--
> >>shrek-m
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 13:54:48 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:06 2006
Subject: archive::zip error while compilation (was Re: ANNOUNCE: Stable 4.28.5 released)
In-Reply-To: <4048740B.4000604@gmx.de>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <40485E0E.8080101@gmx.de> <40486156.7060206@gmx.de> <6.0.1.1.2.20040305111908.03afe670@imap.ecs.soton.ac.uk> <40486BE2.6000006@gmx.de> <4048740B.4000604@gmx.de>
Message-ID: <6.0.1.1.2.20040305135403.0362d6e0@imap.ecs.soton.ac.uk>

I mucked up the packaging slightly in 4.28.5-1. It was building an i386 RPM
when it should have built a noarch RPM.
All sorted out with 4.28.5-2.

At 12:35 05/03/2004, you wrote:
>shrek-m@gmx.de wrote:
>
>>Julian Field wrote:
>>
>>>Did you run the ./install.sh like the installation guides tell you to?
>
>all is ok now and my i18n is back to
>
># cat /etc/sysconfig/i18n
>LANG="de_DE.UTF-8"
>SUPPORTED="de_DE.UTF-8:de_DE:de"
>#LANG="de_DE"
>#SUPPORTED="de_DE:de"
>#LANG="C"
>#SUPPORTED="C"
>SYSFONT="latarcyrheb-sun16
>
>and reboot.
>
>mailscanner 4.28.5-1 is working.
>
>what happened?
>./install.sh
>was not able to install perl_Compress-Zlib before perl_Archive-Zip ?
>
>why?
>i18n utf-8 ?
>resolution ?
>in ./install.sh LANG=C ?
>
>building the packages and installing manually perl-Compress-Zlib and
>perl-Archive-Zip was ok,
>LANG=C in i18n.
>
>my fault, i had not tried ./install.sh after modifying i18n :-(
>
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Fri Mar 5 14:16:08 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:06 2006
Subject: MailScanner-4.28.5-1
Message-ID:

On Fri, 5 Mar 2004 12:29:02 +0000, Erik Jakobsen wrote:

Maybe a bit more correct:

# rpm -Uvh perl-Compress-Zlib*src.rpm
error: File not found by glob: perl-Compress-Zlib*src.rpm
# rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* /tmp/rpmbuildoutput 2>&1
error: failed to stat /usr/src/redhat/SPECS/perl-Compress-Zlib*: No such file or directory
# less /tmp/rpmbuildoutput
/tmp/rpmbuildoutput: No such file or directory

>On Fri, 5 Mar 2004 11:51:21 +0000, Julian Field wrote:
>
>>Okay, in that case
>>
>>rpm -Uvh perl-Compress-Zlib*src.rpm
>>rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* > /tmp/rpmbuildoutput 2>&1
>>and send me all the output from that rpmbuild command which should be in
>>/tmp/rpmbuildoutput.
>
>Here's the very minor outputs:
>
># find /usr/lib/perl5 -type f -name Zip.pm -print
># rpm -q perl-Archive-Zip
>package perl-Archive-Zip is not installed
># rpm -ql perl-Archive-Zip
>package perl-Archive-Zip is not installed
># cd ..
># cd ..
># rpm -Uvh perl-Compress-Zlib*src.rpm
>error: File not found by glob: perl-Compress-Zlib*src.rpm
>]# rpm -Uvh perl-Compress-Zlib*src.rpm
>error: File not found by glob: perl-Compress-Zlib*src.rpm
># rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* >
>-bash: syntax error near unexpected token `newline'
># rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* /tmp/rpmbuildoutput 2>&1
>error: failed to stat /usr/src/redhat/SPECS/perl-Compress-Zlib*: No such file or directory
># cd /tmp/
> tmp]# ls -l
>total 92
>srw-rw-rw- 1 nobody nobody 0 Mar 5 11:57 alertd.socket
>-rw-r--r-- 1 clamav clamav 13615 Mar 5 13:11 ClamAV.update.log
>drwx------ 2 root root 4096 Mar 5 11:53 mc-root
>
>
>
>
>>At 11:46 05/03/2004, you wrote:
>>>On Fri, 5 Mar 2004 11:25:36 +0000, Julian Field wrote:
>>>
>>> >At 11:24 05/03/2004, you wrote:
>>> >>On Fri, 5 Mar 2004 11:17:15 +0000, Julian Field wrote:
>>> >>
>>> >> >Did you run the install.sh script?
>>> >>
>>> >>Yes I did.
>>> >
>>> >In which case what happened with it tried to build and install Archive::Zip?
>>>
>>>I am not quite sure what you mean Julian. I am not sure when
>>>it installed the Archive::Zip.
>>>
>>> >And what does this say:
>>> >find /usr/lib/perl5 -type f -name Zip.pm -print
>>>
>>>It said nothing.
>>>
>>> >and
>>> >rpm -q perl-Archive-Zip
>>>
>>># rpm -q perl-Archive-Zip
>>>package perl-Archive-Zip is not installed
>>>
>>> >and
>>> >rpm -ql perl-Archive-Zip
>>> >
>>># rpm -ql perl-Archive-Zip
>>>package perl-Archive-Zip is not installed
>>>
>>> >
>>> >> >At 10:53 05/03/2004, you wrote:
>>> >> >>Hi.
>>> >> >>
>>> >> >>I just did set up the MailScanner-4.28.5-1, but it would not run ok
>>> >> >>according to the messages below:
>>> >> >>
>>> >> >>
>>> >> >># service MailScanner start
>>> >> >>Starting MailScanner daemons:
>>> >> >> incoming postfix: [ OK ]
>>> >> >> outgoing postfix: [ OK ]
>>> >> >> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
>>> >> >>contains: /usr/lib/MailScanner
>>> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
>>> >> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
>>> >> >>/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
>>> >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>>> >> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
>>> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
>>> >> >>/usr/lib/MailScanner)
>>> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>> >> >>BEGIN failed--compilation aborted
>>> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>> >> >>Compilation failed in require at /usr/sbin/MailScanner line 52.
>>> >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>>> >> >> [ OK ]
>>> >> >>
>>> >> >>
>>> >> >> >From root@urbakken.dk Fri Mar 5 11:04:10 2004
>>> >> >>Return-Path:
>>> >> >>Delivered-To: admin@urbakken.dk
>>> >> >>Received: by gateway.urbakken.dk (Postfix, from userid 0)
>>> >> >> id AE78D23F35; Fri, 5 Mar 2004 05:04:10 -0500 (EST)
>>> >> >>From: root@urbakken.dk (Cron Daemon)
>>> >> >>To: admin@urbakken.dk
>>> >> >>Subject: Cron run-parts /etc/cron.hourly
>>> >> >>X-Cron-Env:
>>> >> >>X-Cron-Env:
>>> >> >>X-Cron-Env:
>>> >> >>X-Cron-Env:
>>> >> >>X-Cron-Env:
>>> >> >>Message-Id: <20040305100410.AE78D23F35@gateway.urbakken.dk>
>>> >> >>Date: Fri, 5 Mar 2004 05:04:10 -0500 (EST)
>>> >> >>
>>> >> >>/etc/cron.hourly/check_MailScanner:
>>> >> >>
>>> >> >>Starting MailScanner...
>>> >> >>Can't locate Archive/Zip.pm in @INC (@INC
>>> >> >>contains: /usr/lib/MailScanner
>>> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
>>> >> >>/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0
>>> >> >>/usr/lib/perl5/site_perl
>>> >> >>/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>>> >> >>/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
>>> >> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .
>>> >> >>/usr/lib/MailScanner)
>>> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>> >> >>BEGIN failed--compilation aborted
>>> >> >>at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
>>> >> >>Compilation failed in require at /usr/sbin/MailScanner line 52.
>>> >> >>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>--
>>> >> >>Med venlig hilsen - Best regards
>>> >> >>Erik Jakobsen - eja@urbakken.dk
>>> >> >
>>> >> >--
>>> >> >Julian Field
>>> >> >www.MailScanner.info
>>> >> >MailScanner thanks transtec Computers for their support
>>> >> >
>>> >> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> >
>>> >--
>>> >Julian Field
>>> >www.MailScanner.info
>>> >MailScanner thanks transtec Computers for their support
>>> >
>>> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 14:18:59 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner-4.28.5-1
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040305141852.04196188@imap.ecs.soton.ac.uk>

All fixed in 4.28.5-2.

At 14:16 05/03/2004, you wrote:
>On Fri, 5 Mar 2004 12:29:02 +0000, Erik Jakobsen wrote:
>
>Maybe a bit more correct:
>
># rpm -Uvh perl-Compress-Zlib*src.rpm
>error: File not found by glob: perl-Compress-Zlib*src.rpm
># rpmbuild -ba /usr/src/redhat/SPECS/perl-Compress-Zlib* /tmp/rpmbuildoutput 2>&1
>error: failed to stat /usr/src/redhat/SPECS/perl-Compress-Zlib*: No such file or directory
># less /tmp/rpmbuildoutput
>/tmp/rpmbuildoutput: No such file or directory

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From eja at URBAKKEN.DK Fri Mar 5 14:25:36 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner-4.28.5-1
Message-ID:

On Fri, 5 Mar 2004 14:18:59 +0000, Julian Field wrote:

>All fixed in 4.28.5-2.

Fine Jules, and thank you.

From mkbowman at neo.rr.com Fri Mar 5 14:49:20 2004
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:23:07 2006
Subject: Bizarre Install Problem
Message-ID: <000701c402c1$0dc62690$8266a8c0@MKBOWMAN2>

Hello,

I was able to update to 4.28.5-2 on one Redhat 9 box. I then copied the
rpm.tar to another Redhat 9 box and having run install.sh it gives

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.46484 (%build)
Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm.
Maybe it did not build correctly?

Any ideas as to the cause and how to fix?

Thank you

Matthew K Bowman
Systems Administrator
Universal Digital Communications

From eja at URBAKKEN.DK Fri Mar 5 14:52:45 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner-4.28.5-1
Message-ID:

# rpm -q mailscanner
mailscanner-4.28.5-2

From scs at uwb.edu.pl Fri Mar 5 14:18:53 2004
From: scs at uwb.edu.pl (Grzegorz Staleńczyk)
Date: Thu Jan 12 21:23:07 2006
Subject: ClamAV + MS + Solaris=problem!!!!
Message-ID: <206073382.20040305151853@uwb.edu.pl>

Hey There!

I've got a problem with viruses in e-mail attachments! When I scan file.zip
by hand, clamscan finds the virus, but an e-mail with this infected file in an
attachment can go through (IT IS NOT STOPPED!)

It's running on Solaris 8, Clam AntiVirus Scanner 0.67, MailScanner 4.26.8

----------log---------------------------------------
[dask@mail ~]$/usr/local/bin/clamscan freaky.zip
freaky.zip: Worm.SomeFool.B.2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 20366
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 10.594 sec (0 m 10 s)

Mar 3 14:53:55 mail MailScanner[11494]: /export/home2/mail/incoming/11494/./i23Dps113333/portmoney.zip: Worm.SomeFool.B FOUND
Mar 3 14:53:56 mail MailScanner[11494]: Virus Scanning: ClamAV found 1 infections
Mar 3 14:53:56 mail MailScanner[11494]: Virus Scanning: Found 1 viruses
Mar 3 14:53:59 mail MailScanner[11494]: Filetype Checks: Allowing i23Dps113333 portmoney.zip
Mar 3 14:54:00 mail MailScanner[11494]: Virus Scanning completed at 934 bytes per second
Mar 3 14:54:01 mail MailScanner[11517]: Virus Scanning completed at 86 bytes per second

Next I installed MailScanner + ClamAV + Sendmail, the same versions, on my
second mail server to test it (Linux Slackware), and

Mar 3 20:52:59 dask-xp MailScanner[16052]: Saved entire message to /var/spool/quarantine/20040303/i23Jqixu016730
Mar 3 20:52:59 dask-xp MailScanner[16052]: Saved infected "freaky.zip" to /var/spool/quarantine/20040303/i23Jqixu016730
Mar 3 20:52:59 dask-xp MailScanner[16052]: Cleaned: Delivered 1 cleaned messages
^^^^^^^^^

On my first mail server (Solaris) with the same versions of Clam and MS it was:

Mar 3 21:35:18 mail MailScanner[21453]: New Batch: Scanning 1 messages, 75503 bytes
Mar 3 21:35:19 mail MailScanner[21453]: MCP Checks completed at 75503 bytes per second
Mar 3 21:35:19 mail MailScanner[21453]: Spam Checks: Starting
Mar 3 21:35:28 mail MailScanner[21453]: Spam Checks completed at 8389 bytes per second
Mar 3 21:35:29 mail MailScanner[21453]: Virus and Content Scanning: Starting
Mar 3 21:37:05 mail MailScanner [21453]: /export/home2/mail/incoming/21453/./i23KTFD21834/freaky.zip: Worm.SomeFool.Gen-2 FOUND
Mar 3 21:37:08 mail MailScanner[21453]: Virus Scanning: ClamAV found 1 infections
Mar 3 21:37:08 mail MailScanner[21453]: Virus Scanning: Found 1 viruses
Mar 3 21:37:10 mail MailScanner[21453]: Filename Checks: Allowing i23KTFD21834msg-21453-3.txt
Mar 3 21:37:10 mail MailScanner[21453]: Filename Checks: Allowing i23KTFD21834freaky.zip
^^^^^^^^
Mar 3 21:37:11 mail MailScanner[21453]: Filetype Checks: Allowing i23KTFD21834msg-21453-3.txt
Mar 3 21:37:11 mail MailScanner[21453]: Filetype Checks: Allowing i23KTFD21834freaky.zip
Mar 3 21:37:12 mail MailScanner[21453]: Virus Scanning completed at 75 bytes per second

Why is that? Why does the server "dask-xp - Linux" stop mail with the
attachment "freaky.zip", and the "mail - Solaris" server does not stop it?
Configurations are the same!

Thanks for your help

--
Regards. Have a nice day.
____________________________________________________________________________
Grzesiek scss@poczta.of.pl or scs@uwb.edu.pl

From eja at URBAKKEN.DK Fri Mar 5 14:43:33 2004
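The comparison made by eye in the post above (one host logs a quarantine after a detection, the other logs the detection and nothing else) can be run over a whole log. This is an added example, not part of the original post and not MailScanner code; the sample lines are constructed from the log formats quoted in the post, and treating "Saved infected", "Saved entire message" and "Cleaned: Delivered" as evidence of handling is an assumption.

```python
import re

# "<Mon> <day> <hh:mm:ss> <host> MailScanner[<pid>]: <message>". The optional
# space before "[" tolerates the "MailScanner [21453]" variant seen in the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"MailScanner\s*\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"Virus Scanning: Found (\d+) viruses")
DETECT_RE = re.compile(r"^(?P<path>\S+):\s+(?P<sig>\S+)\s+FOUND$")
# Assumption: these messages, taken from the Linux host's log in the post,
# count as proof that an infected message was quarantined or cleaned.
ACTION_MARKERS = ("Saved infected", "Saved entire message", "Cleaned: Delivered")

# Constructed sample, modelled on the two hosts' logs quoted in the post.
SAMPLE_LOG = """\
Mar 3 20:52:50 dask-xp MailScanner[16052]: New Batch: Scanning 1 messages, 75503 bytes
Mar 3 20:52:58 dask-xp MailScanner[16052]: Virus Scanning: Found 1 viruses
Mar 3 20:52:59 dask-xp MailScanner[16052]: Saved infected "freaky.zip" to /var/spool/quarantine/20040303/i23Jqixu016730
Mar 3 20:52:59 dask-xp MailScanner[16052]: Cleaned: Delivered 1 cleaned messages
Mar 3 21:35:18 mail MailScanner[21453]: New Batch: Scanning 1 messages, 75503 bytes
Mar 3 21:37:05 mail MailScanner [21453]: /export/home2/mail/incoming/21453/./i23KTFD21834/freaky.zip: Worm.SomeFool.Gen-2 FOUND
Mar 3 21:37:08 mail MailScanner[21453]: Virus Scanning: Found 1 viruses
Mar 3 21:37:10 mail MailScanner[21453]: Filename Checks: Allowing i23KTFD21834freaky.zip
Mar 3 21:37:12 mail MailScanner[21453]: Virus Scanning completed at 75 bytes per second
Mar 3 21:40:00 mail MailScanner[21453]: New Batch: Scanning 1 messages, 1200 bytes
Mar 3 21:40:02 mail MailScanner[21453]: Virus Scanning completed at 600 bytes per second
"""


def _new_batch(host, pid, ts):
    return {"host": host, "pid": pid, "started": ts, "found": 0,
            "detections": [], "actions": [], "complete": False}


def audit(lines):
    """Return batches that logged a detection but no quarantine/clean action.

    A batch is everything one (host, pid) worker logs between two
    "New Batch:" lines, so the check does not depend on the order in which
    detection and disposition messages appear inside the batch.
    """
    open_batches = {}   # (host, pid) -> batch still being assembled
    closed = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # not a MailScanner syslog line
        key = (m["host"], m["pid"])
        msg = m["msg"]
        if msg.startswith("New Batch:") and key in open_batches:
            done = open_batches.pop(key)
            done["complete"] = True     # we saw where the batch ended
            closed.append(done)
        batch = open_batches.setdefault(key, _new_batch(m["host"], m["pid"], m["ts"]))
        found = FOUND_RE.search(msg)
        if found:
            batch["found"] += int(found.group(1))
        hit = DETECT_RE.match(msg)
        if hit:
            batch["detections"].append((hit["path"], hit["sig"]))
        if any(marker in msg for marker in ACTION_MARKERS):
            batch["actions"].append(msg)
    # Batches still open at end of input may be truncated: complete stays False.
    closed.extend(open_batches.values())
    return [b for b in closed
            if (b["found"] or b["detections"]) and not b["actions"]]


def report(batches):
    """Format one alert line per suspicious batch."""
    out = []
    for b in batches:
        names = ", ".join(f"{path} ({sig})" for path, sig in b["detections"]) or "n/a"
        state = "complete" if b["complete"] else "possibly truncated"
        out.append(f"{b['host']} pid {b['pid']} batch from {b['started']} "
                   f"[{state}]: {b['found']} virus(es) reported, "
                   f"no quarantine/clean action logged; detections: {names}")
    return out


if __name__ == "__main__":
    for line in report(audit(SAMPLE_LOG.splitlines())):
        print(line)
```

A batch reported as "possibly truncated" ended at the end of the input rather than at the next "New Batch:" line, so its disposition messages may simply be missing from the excerpt.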
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 Message-ID: On Fri, 5 Mar 2004 14:18:59 +0000, Julian Field wrote: >All fixed in 4.28.5-2. Sorry, but something is still not working :-): Warning: I could not locate your pod2man program. Please make sure, your pod2man program is in your PATH before you execute 'make' Writing Makefile for Archive::Zip + make 'OPTIMIZE=-O2 -g -march=i386 -mcpu=i686' Makefile:87: *** missing separator. Stop. error: Bad exit status from /var/tmp/rpm-tmp.45804 (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.45804 (%build) Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm. Maybe it did not build correctly? Installing tnef decoder Preparing... ########################################### [100%] package tnef-1.1.4-sizelimit1 is already installed Now to install MailScanner itself. Preparing... ########################################### [100%] 1:mailscanner ########################################### [100%] error reading information on service sendmail: No such file or directory To activate MailScanner run the following commands: service sendmail stop chkconfig sendmail off chkconfig --level 2345 MailScanner on service MailScanner start To upgrade your MailScanner.conf file automatically, run upgrade_MailScanner_conf [root@gateway MailScanner-4.28.5-2]# cd /etc/MailScanner/ [root@gateway MailScanner]# upgrade_MailScanner_conf Usage: RPM === If you are using the RPM distributions then try this: cd /etc/MailScanner upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new mv MailScanner.conf MailScanner.old mv MailScanner.new MailScanner.conf TAR === If you are using the tar distribution so that the old version is in /opt/MailScanner and the new one is in /opt/MailScanner.new then: cd /opt/MailScanner.new/etc ../bin/upgrade_MailScanner_conf /opt/MailScanner/etc/MailScanner.conf /opt/MailScanner.new/etc/MailScanner.conf > 
MailScanner.new mv MailScanner.conf MailScanner.old mv MailScanner.new MailScanner.conf NOTE ==== To keep your old comments in your original file, add "--keep-comments" to the command line. Note that this will mean you don't get to find out any extra new values you might be able to use in existing "improved" configuration options. [root@gateway MailScanner]# upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new Summary ------- Read 190 settings from old MailScanner.conf Used 190 settings from old MailScanner.conf Used 0 default settings from new MailScanner.conf.rpmnew Notes ----- I would advise you to check on any parameters which are different between the default new conf file and the conf file you just created, so that you find any parameters whose default values have changed. If you ran this with a command like this upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new then you should do diff MailScanner.conf.rpmnew MailScanner.new and check for any differences in values you have not changed yourself. 
Once you have checked that MailScanner.new contains what you want, you can then save your old one and move the new one into place, using commands like these: mv -f MailScanner.conf MailScanner.old mv -f MailScanner.new MailScanner.conf [root@gateway MailScanner]# mv -f MailScanner.conf MailScanner.old [root@gateway MailScanner]# mv -f MailScanner.new MailScanner.conf [root@gateway MailScanner]# service MailScanner restart Shutting down MailScanner daemons: MailScanner: [FAILED] incoming postfix: [ OK ] outgoing postfix: [ OK ] Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] [root@gateway MailScanner]# service MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . 
/usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] From mailscanner at ecs.soton.ac.uk Fri Mar 5 14:55:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner-4.28.5-1
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040305145430.041b0b28@imap.ecs.soton.ac.uk>

That is usually caused by the /etc/sysconfig/i18n file.
Remove any mention of UTF8 from there and try it again.

At 14:43 05/03/2004, you wrote:
>On Fri, 5 Mar 2004 14:18:59 +0000, Julian Field
> wrote:
>
> >All fixed in 4.28.5-2.
>
>Sorry, but something is still not working :-):
>
>Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'
>
>Writing Makefile for Archive::Zip
>+ make 'OPTIMIZE=-O2 -g -march=i386 -mcpu=i686'
>Makefile:87: *** missing separator. Stop.
>error: Bad exit status from /var/tmp/rpm-tmp.45804 (%build)
>
>
>RPM build errors:
> Bad exit status from /var/tmp/rpm-tmp.45804 (%build)
>
>
>
>Missing
>file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm.
>Maybe it did not build correctly?
>
>
>Installing tnef decoder
>
>Preparing...
########################################### >[100%] > 1:mailscanner ########################################### >[100%] >error reading information on service sendmail: No such file or directory > >To activate MailScanner run the following commands: > >service sendmail stop >chkconfig sendmail off >chkconfig --level 2345 MailScanner on >service MailScanner start > >To upgrade your MailScanner.conf file automatically, run > upgrade_MailScanner_conf >[root@gateway MailScanner-4.28.5-2]# cd /etc/MailScanner/ >[root@gateway MailScanner]# upgrade_MailScanner_conf >Usage: > >RPM >=== >If you are using the RPM distributions then try this: > >cd /etc/MailScanner >upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > >MailScanner.new >mv MailScanner.conf MailScanner.old >mv MailScanner.new MailScanner.conf > >TAR >=== >If you are using the tar distribution so that the old version is in >/opt/MailScanner and the new one is in /opt/MailScanner.new then: > >cd /opt/MailScanner.new/etc >../bin/upgrade_MailScanner_conf /opt/MailScanner/etc/MailScanner.conf >/opt/MailScanner.new/etc/MailScanner.conf > > MailScanner.new >mv MailScanner.conf MailScanner.old >mv MailScanner.new MailScanner.conf > >NOTE >==== >To keep your old comments in your original file, add "--keep-comments" >to the command line. Note that this will mean you don't get to find >out any extra new values you might be able to use in existing "improved" >configuration options. > >[root@gateway MailScanner]# upgrade_MailScanner_conf MailScanner.conf >MailScanner.conf.rpmnew > MailScanner.new > >Summary >------- >Read 190 settings from old MailScanner.conf >Used 190 settings from old MailScanner.conf >Used 0 default settings from new MailScanner.conf.rpmnew > >Notes >----- >I would advise you to check on any parameters which are different between >the default new conf file and the conf file you just created, so that you >find any parameters whose default values have changed. 
>If you ran this with a command like this > upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > >MailScanner.new >then you should do > diff MailScanner.conf.rpmnew MailScanner.new >and check for any differences in values you have not changed yourself. > > >Once you have checked that MailScanner.new contains what >you want, you can then save your old one and move the new >one into place, using commands like these: > mv -f MailScanner.conf MailScanner.old > mv -f MailScanner.new MailScanner.conf >[root@gateway MailScanner]# mv -f MailScanner.conf MailScanner.old >[root@gateway MailScanner]# mv -f MailScanner.new MailScanner.conf >[root@gateway MailScanner]# service MailScanner restart >Shutting down MailScanner daemons: > MailScanner: [FAILED] > incoming postfix: [ OK ] > outgoing postfix: [ OK ] >Starting MailScanner daemons: > incoming postfix: [ OK ] > outgoing postfix: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC >contains: /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >/usr/lib/MailScanner) >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >BEGIN failed--compilation aborted >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >Compilation failed in require at /usr/sbin/MailScanner line 52. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. 
> [ OK ] >[root@gateway MailScanner]# service MailScanner start >Starting MailScanner daemons: > incoming postfix: [ OK ] > outgoing postfix: [ OK ] > MailScanner: Can't locate Archive/Zip.pm in @INC (@INC >contains: /usr/lib/MailScanner >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl >/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi >/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl >/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . >/usr/lib/MailScanner) >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >BEGIN failed--compilation aborted >at /usr/lib/MailScanner/MailScanner/Message.pm line 46. >Compilation failed in require at /usr/sbin/MailScanner line 52. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > [ OK ] -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From john at TRADOC.FR Fri Mar 5 11:53:38 2004 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:23:07 2006 Subject: ANNOUNCE: Stable 4.28.5 released In-Reply-To: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> Message-ID: On Fri, 5 Mar 2004 10:04:31 +0000, Julian Field wrote: > Note for people upgrading: > ===================== > you will need to run the "./install.sh" script as 2 new Perl modules need > to be installed (Compress::Zlib and Archive::Zip for those interested in > such things). What's the best course of action if we've already installed these from CPAN (e.g. for 4.28.4)? Just let the install.sh do its stuff, or uninstall from CPAN first? John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From dean.plant at ROKE.CO.UK Fri Mar 5 11:58:15 2004 
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:23:07 2006
Subject: ANNOUNCE: Stable 4.28.5 released
Message-ID:

John Wilcock wrote:
> On Fri, 5 Mar 2004 10:04:31 +0000, Julian Field wrote:
>> Note for people upgrading:
>> =====================
>> you will need to run the "./install.sh" script as 2 new Perl modules
>> need to be installed (Compress::Zlib and Archive::Zip for those
>> interested in such things).
>
> What's the best course of action if we've already installed these from
> CPAN (e.g. for 4.28.4)? Just let the install.sh do its stuff, or
> uninstall from CPAN first?
>
> John.

I had already installed the perl modules when upgrading to 4.28.4
./install.sh with 4.28.5 worked fine for me.

Dean

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ
The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From Denis.Beauchemin at USHERBROOKE.CA Fri Mar 5 15:00:09 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:23:07 2006
Subject: MS 4.28.5
Message-ID: <1078498809.22219.38.camel@dbeauchemin.sti.usherbrooke.ca>

Julian,

I'm not sure about the following:

# Another word that can be put in this list is the special keyword
# Zip-Password : inserting this will cause senders to be warned about
# password-protected zip files, when they are not allowed.
# This will over-ride the All-Viruses setting in the list
# of "Silent Viruses" above.
#
Non-Forging Viruses = O97M/ W97M/

If I put Zip-Password in there, does that mean that all senders of password-protected zip files (including virus infected emails) will be notified about this? If so I don't think it is a good idea to use the Zip-Password here...

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From listonly at WEBPRESENCEGROUP.NET Fri Mar 5 15:01:29 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy)
Date: Thu Jan 12 21:23:07 2006
Subject: Spam: Re: # SENDMAIL_RELAY Question [SCANNED]
In-Reply-To:
Message-ID:

On 3/4/04 3:46 PM, "Pentland G." wrote:

> What this will do is force the box with this code to send all mail that
> *would* be selected as local (and use the local delivery agent) to the host
> you specify.
>
> It also does some address rewriting.
>
> If you're not familiar with this kind of stuff then I suggest you read the
> O'Reilly book on sendmail.

Also installing webmin can be a great help if you are a little timid about writing to some files. We use it a lot to run certain things in sendmail, knowing by just looking we are not hurting or changing anything until we are sure, plus I always felt a GUI interface, be it like webmin or Golive for the web, you still learn the code and workings as long as you look at the source once you have completed the GUI stuff. Eventually you leave the GUI behind.

Training Wheels for Geeks :)

Just my 2 ¢

--
Thanks!!
David Thurman
List Only at Web Presence Group Net

From mkbowman at neo.rr.com Fri Mar 5 15:14:39 2004
From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:23:07 2006 Subject: Bizarre Install Problem References: <000701c402c1$0dc62690$8266a8c0@MKBOWMAN2> <6.0.1.1.2.20040305145721.04023ba0@imap.ecs.soton.ac.uk> Message-ID: <000701c402c4$971cd030$8266a8c0@MKBOWMAN2> Julian, I am 100% positive I downloaded 5-2 as it works on one server and not the other. I even used scp to copy the source rpm's over from the working version. Further errors: perl -MCPAN -e shell "install Archive::Zip" Can't locate CPAN.pm in @INC (@INC contains: /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .). BEGIN failed--compilation aborted. Hmm I don't have a CPAN.pm on this machine - ideas on how to resolve that? Thank you ----- Original Message ----- From: "Julian Field" To: "Matthew K Bowman" Sent: Friday, March 05, 2004 9:58 AM Subject: Re: Bizarre Install Problem > At 14:49 05/03/2004, you wrote: > >Hello, > > > >I was able to update to 4.28.5-2 on one Redhat 9 box. I then copied the > >rpm.tar to another Redhat 9 box and having run install.sh it gives > > > >RPM build errors: > > Bad exit status from /var/tmp/rpm-tmp.46484 (%build) > > > >Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm. > >Maybe it did not build correctly? > > > >Any ideas as to the cause and how to fix? > > That output error is a sign that it is 4.28.5-1 and not -2. > Recheck what you did. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From eja at URBAKKEN.DK Fri Mar 5 15:18:26 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 Message-ID: On Fri, 5 Mar 2004 14:55:14 +0000, Julian Field wrote: >That is usually cause by the /etc/sysconfig/i18n file. >Remove any mention of UTF8 from there and try it again. The content of the i18n file is now: SYSFONT="latarcyrheb-sun16 Unfortunately it did not helped much. Checking if your kit is complete... Looks good Warning: I could not locate your pod2man program. Please make sure, your pod2man program is in your PATH before you execute 'make' Writing Makefile for Archive::Zip + make 'OPTIMIZE=-O2 -g -march=i386 -mcpu=i686' Makefile:87: *** missing separator. Stop. error: Bad exit status from /var/tmp/rpm-tmp.95589 (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.95589 (%build) Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm. Maybe it did not build correctly? Installing tnef decoder Preparing... ########################################### [100%] package tnef-1.1.4-sizelimit1 is already installed Now to install MailScanner itself. Preparing... ########################################### [100%] package mailscanner-4.28.5-2 is already installed [root@gateway MailScanner-4.28.5-2]# service MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. 
Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. [ OK ] [root@gateway MailScanner-4.28.5-2]# cd /etc/MailScanner/ [root@gateway MailScanner]# upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new Summary ------- Read 190 settings from old MailScanner.conf Used 190 settings from old MailScanner.conf Used 0 default settings from new MailScanner.conf.rpmnew Notes ----- I would advise you to check on any parameters which are different between the default new conf file and the conf file you just created, so that you find any parameters whose default values have changed. If you ran this with a command like this upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new then you should do diff MailScanner.conf.rpmnew MailScanner.new and check for any differences in values you have not changed yourself. Once you have checked that MailScanner.new contains what you want, you can then save your old one and move the new one into place, using commands like these: mv -f MailScanner.conf MailScanner.old mv -f MailScanner.new MailScanner.conf [root@gateway MailScanner]# mv -f MailScanner.conf MailScanner.old [root@gateway MailScanner]# mv -f MailScanner.new MailScanner.con [root@gateway MailScanner]# service MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. 
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
[ OK ]

>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

/Erik

From jrudd at UCSC.EDU Fri Mar 5 15:30:30 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:23:07 2006
Subject: ANNOUNCE: Stable 4.28.5 released
In-Reply-To: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk>
Message-ID: <08EC33F0-6EBA-11D8-B24D-003065F939FE@ucsc.edu>

On Mar 5, 2004, at 2:04 AM, Julian Field wrote:
> so the old "put it in a zip and it won't be
> checked" is no longer true.

Same for tar files and other supported archive formats?

From tomb at hamshack.info Fri Mar 5 15:33:24 2004
From: tomb at hamshack.info (hamshack.info)
Date: Thu Jan 12 21:23:07 2006
Subject: bayes?
Message-ID:

Thanks for all your help. I installed from rpm's. It looks ok; if I have problems I will build from source.

Thanks again
Tom

From mkbowman at neo.rr.com Fri Mar 5 15:33:30 2004
From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:23:07 2006 Subject: Bizarre Install Problem References: <000701c402c1$0dc62690$8266a8c0@MKBOWMAN2> <6.0.1.1.2.20040305145721.04023ba0@imap.ecs.soton.ac.uk> Message-ID: <000301c402c7$362af970$8266a8c0@MKBOWMAN2> /me not having a successful day now I get this: cpan> install Archive::Zip Running install for module Archive::Zip Running make for N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz CPAN: Digest::MD5 loaded ok CPAN: Compress::Zlib loaded ok Checksum for /root/.cpan/sources/authors/id/N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz ok Scanning cache /root/.cpan/build for sizes Archive-Zip-1.09/ Archive-Zip-1.09/t/ Archive-Zip-1.09/t/testex.t Archive-Zip-1.09/t/testUpdate.t Archive-Zip-1.09/t/testMemberRead.t Archive-Zip-1.09/t/testTree.t Archive-Zip-1.09/t/test.t Archive-Zip-1.09/t/common.pl Archive-Zip-1.09/Changes Archive-Zip-1.09/examples/ Archive-Zip-1.09/examples/mfh.pl Archive-Zip-1.09/examples/updateZip.pl Archive-Zip-1.09/examples/unzipAll.pl Archive-Zip-1.09/examples/extract.pl Archive-Zip-1.09/examples/readScalar.pl Archive-Zip-1.09/examples/copy.pl Archive-Zip-1.09/examples/zip.pl Archive-Zip-1.09/examples/zipGrep.pl Archive-Zip-1.09/examples/calcSizes.pl Archive-Zip-1.09/examples/ziprecent.pl Archive-Zip-1.09/examples/zipcheck.pl Archive-Zip-1.09/examples/updateTree.pl Archive-Zip-1.09/examples/writeScalar.pl Archive-Zip-1.09/examples/selfex.pl Archive-Zip-1.09/examples/zipinfo.pl Archive-Zip-1.09/examples/ziptest.pl Archive-Zip-1.09/examples/mailZip.pl Archive-Zip-1.09/examples/writeScalar2.pl Archive-Zip-1.09/docs/ Archive-Zip-1.09/docs/Archive-Zip.pdf Archive-Zip-1.09/docs/appnote.iz Archive-Zip-1.09/docs/Appnote.txt Archive-Zip-1.09/docs/ideas.txt Archive-Zip-1.09/docs/Archive-Zip.ps Archive-Zip-1.09/MANIFEST Archive-Zip-1.09/TODO Archive-Zip-1.09/crc32 Archive-Zip-1.09/META.yml Archive-Zip-1.09/lib/ Archive-Zip-1.09/lib/Archive/ Archive-Zip-1.09/lib/Archive/Zip/ 
Archive-Zip-1.09/lib/Archive/Zip/BufferedFileHandle.pm Archive-Zip-1.09/lib/Archive/Zip/MockFileHandle.pm Archive-Zip-1.09/lib/Archive/Zip/MemberRead.pm Archive-Zip-1.09/lib/Archive/Zip/Tree.pm Archive-Zip-1.09/lib/Archive/Zip/FAQ.pod Archive-Zip-1.09/lib/Archive/Zip.pod Archive-Zip-1.09/lib/Archive/Zip.pm Archive-Zip-1.09/INSTALL Archive-Zip-1.09/Makefile.PL Archive-Zip-1.09/README Removing previously used /root/.cpan/build/Archive-Zip-1.09 CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz Checking if your kit is complete... Looks good Warning: I could not locate your pod2man program. Please make sure, your pod2man program is in your PATH before you execute 'make' Writing Makefile for Archive::Zip Makefile:88: *** missing separator. Stop. /usr/bin/make -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible ----- Original Message ----- From: "Julian Field" To: "Matthew K Bowman" Sent: Friday, March 05, 2004 9:58 AM Subject: Re: Bizarre Install Problem > At 14:49 05/03/2004, you wrote: > >Hello, > > > >I was able to update to 4.28.5-2 on one Redhat 9 box. I then copied the > >rpm.tar to another Redhat 9 box and having run install.sh it gives > > > >RPM build errors: > > Bad exit status from /var/tmp/rpm-tmp.46484 (%build) > > > >Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.09-2.noarch.rpm. > >Maybe it did not build correctly? > > > >Any ideas as to the cause and how to fix? > > That output error is a sign that it is 4.28.5-1 and not -2. > Recheck what you did. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From martin.norberg at SKEKRAFT.SE Fri Mar 5 15:44:22 2004 
From: martin.norberg at SKEKRAFT.SE (Martin Norberg)
Date: Thu Jan 12 21:23:07 2006
Subject: SV: BayesStore
Message-ID: <57807C70FEEBD211AD0F0008C728BDB202D6EC1E@epost1.skekraft.se>

The permissions are as follows.

drwxrwxrwx 2 postfix postfix       4096 Mar 5 16:38 ./
drwxrwxrwx 5 root    root          4096 Sep 2 2003 ../
-rw-rw-rw- 1 postfix postfix 3430245886 Mar 5 16:42 bayes_journal
-rw-rw-rw- 1 postfix postfix    1908887 Dec 7 20:52 bayes_seen
-rw-rw-rw- 1 postfix postfix       4096 Mar 5 16:27 bayes_seen.dir
-rw-rw-rw- 1 postfix postfix    8226816 Mar 5 16:38 bayes_seen.pag
-rw-rw-rw- 1 postfix postfix   22810640 Dec 7 20:52 bayes_toks
-rw-rw-rw- 1 postfix postfix       4096 Mar 5 16:36 bayes_toks.dir
-rw-rw-rw- 1 postfix postfix   33481728 Mar 5 16:38 bayes_toks.pag

/ Martin

> -----Original message-----
> From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
> Sent: 5 March 2004 13:59
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: BayesStore
>
> Martin Norberg said:
> > I can't find the problem.
> > Postfix is owner to the folder /var/spool/MailScanner/spamassassin and
> > the bayes* files in it.
> >
> Who is MailScanner running as?
> What are the permissions of the *contents* of
> /var/spool/MailScanner/spamassassin?
>
> Drew
>
>
> --
> In line with our policy, this message has been scanned for
> viruses and dangerous content by MailScanner, and is believed
> to be clean.
> www.themarshalls.co.uk/policy
>
> ----
> MailScanner at Skellefteå Kraft has checked whether the message
> contains viruses or other harmful content.
>

----
MailScanner at Skellefteå Kraft has checked whether the message contains viruses or other harmful content.

From shrek-m at GMX.DE Fri Mar 5 15:46:15 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: References: Message-ID: <4048A0C7.7050301@gmx.de> Erik Jakobsen wrote: >Warning: I could not locate your pod2man program. Please make sure, > your pod2man program is in your PATH before you execute 'make' > > # echo $PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin # which pod2man /usr/bin/pod2man # rpm -qf `which pod2man` perl-5.8.3-10 -- shrek-m From mkbowman at neo.rr.com Fri Mar 5 15:45:37 2004 From: mkbowman at neo.rr.com (Matthew K Bowman) Date: Thu Jan 12 21:23:07 2006 Subject: Perl - CPAN Error - need help Message-ID: <000701c402c8$eac0b8b0$8266a8c0@MKBOWMAN2> Redhat 9 Perl 5.8.0 [root@mrburns downloads]# perl -MCPAN -e shell "install Archive::Zip" Undefined value assigned to typeglob at (eval 13) line 15, line 11. Warning [/etc/inputrc line 11]: Invalid variable `mark-symlinked-directories' cpan shell -- CPAN exploration and modules installation (v1.61) ReadLine support enabled This is after reinstalling the Perl and CPAN rpms. I can't upgrade or start the original MailScanner at the moment. Any help would be appreciated. Thank you From eja at URBAKKEN.DK Fri Mar 5 15:53:47 2004 
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 Message-ID: On Fri, 5 Mar 2004 16:46:15 +0100, shrek-m@gmx.de wrote: >Erik Jakobsen wrote: Thanks for your reply. My results are further down the lines. >>Warning: I could not locate your pod2man program. Please make sure, >> your pod2man program is in your PATH before you execute 'make' >> >> > > ># echo $PATH >/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin > ># which pod2man >/usr/bin/pod2man > ># rpm -qf `which pod2man` >perl-5.8.3-10 > >-- >shrek-m # echo $PATH /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin # which pod2man /usr/bin/pod2man # rpm -qf `which pod2man` perl-5.8.0-88.3 From steve.swaney at FSL.COM Fri Mar 5 15:54:42 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: Message-ID: <20040305155442.6B50921C2AA@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Erik Jakobsen > Sent: Friday, March 05, 2004 10:18 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-4.28.5-1 > > On Fri, 5 Mar 2004 14:55:14 +0000, Julian Field > wrote: > > >That is usually cause by the /etc/sysconfig/i18n file. > >Remove any mention of UTF8 from there and try it again. > > The content of the i18n file is now: > > SYSFONT="latarcyrheb-sun16 > The content of the i18n file should be: LANG="en_US" SUPPORTED="en_US:en" SYSFONT="lat0-sun16" SYSFONTACM="iso01" > Unfortunately it did not helped much. This will help. Also do: export LANG="en_US" In the shell before trying to use CPAN Steve -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From eja at URBAKKEN.DK Fri Mar 5 16:13:10 2004 From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 Message-ID: On Fri, 5 Mar 2004 10:54:42 -0500, Stephen Swaney wrote: >> -----Original Message----- 
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>> Behalf Of Erik Jakobsen
>> Sent: Friday, March 05, 2004 10:18 AM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: MailScanner-4.28.5-1
>>
>> On Fri, 5 Mar 2004 14:55:14 +0000, Julian Field
>> wrote:
>>
>> >That is usually cause by the /etc/sysconfig/i18n file.
>> >Remove any mention of UTF8 from there and try it again.
>>
>> The content of the i18n file is now:
>>
>> SYSFONT="latarcyrheb-sun16
>>

Hi Steve, and thanks for your help.

>The content of the i18n file should be:
>
>LANG="en_US"
>SUPPORTED="en_US:en"
>SYSFONT="lat0-sun16"
>SYSFONTACM="iso01"

It has been done now.

>> Unfortunately it did not helped much.
>
>This will help.

Ok fine.

>Also do:
>
> export LANG="en_US"
>
>In the shell before trying to use CPAN

Do you mean:

# export LANG="en_US"

From the prompt?

>Steve
>
>
>
>
>--
>This message has been scanned for viruses and
>dangerous content by Fortress Secure Mail Gateway
>and was found to be clean.
>
>Fortress Systems Ltd. - http://www.fsl.com

Erik

From apostolus at BLUEYONDER.CO.UK Fri Mar 5 15:47:49 2004
From: apostolus at BLUEYONDER.CO.UK (apostolus)
Date: Thu Jan 12 21:23:07 2006
Subject: {scanned by martin dominic} mailscanner 4.14-9
Message-ID:

Hi there

I've been running SuSE 7.2 happily now for a couple of years with mailscanner 4.14-9 doing everything I need it to do with f-prot virus checking and spamassassin chipping in too..

I've read some posts that intimate I would need to upgrade my OS before upgrading Mailscanner.

If this is true, what would be the primary benefits for so doing..

many thanks
apost

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Mailscanner thanks Transtec Computers for their support.

From redjar at REDJAR.ORG Fri Mar 5 16:18:26 2004
From: redjar at REDJAR.ORG (Jared) Date: Thu Jan 12 21:23:07 2006 Subject: 4.28-5 woody deb package? Message-ID: I was curious whether anyone was planning on creating a woody/stable deb package for Mailscanner 4.28-5. I've been using the Spamassassin and Mailscanner backports from inutility.net. I contacted the maintainer of those unofficial packages yesterday to see if he had any plans of creating new packages, but I have not heard from him. Thanks, -jared From steve.swaney at FSL.COM Fri Mar 5 16:17:18 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: Message-ID: <20040305161718.D7BC121C2A9@mail.fsl.com> > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Erik Jakobsen > Sent: Friday, March 05, 2004 11:13 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-4.28.5-1 > >The content of the i18n file should be: > > > >LANG="en_US" > >SUPPORTED="en_US:en" > >SYSFONT="lat0-sun16" > >SYSFONTACM="iso01" > > It has been done now. > > >> Unfortunately it did not helped much. > > > >This will help. > > Ok fine. > > >Also do: > > > > export LANG="en_US" Yes Steve Steve Swaney Fortress Systems Ltd. -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From Denis.Beauchemin at USHERBROOKE.CA Fri Mar 5 16:17:50 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:23:07 2006
Subject: 4.28.5-2 and zip files
Message-ID: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca>

Hi Julian,

I am testing the latest and greatest and found the following in my
maillog after sending myself a password-protected zip file:
Cannot match against destination IP address when resolving configuration
option "allowpasszips"

Is this a normal message or did I make a mistake somewhere?

I have:
Allow Password-Protected Archives = %rules-dir%/pwd.archives.rules

and pwd.archives.rules contains (x.y are really numbers in my file):
FromOrTo: 132.210.x.y yes
FromOrTo: Default no

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From ka at PACIFIC.NET Fri Mar 5 16:23:58 2004
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet))
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner Log Spam = yes not logging SA spam scoring.
Message-ID: <4048A99E.5040006@pacific.net>

Somewhere between upgrading to 4.27.6-1 and downgrading back to MailScanner-4.26.5 due to performance issues, I've lost logging of spam from MailScanner. "Log Spam = yes" seems to be broken on one server. We have 2 MS boxes, both with identical MailScanner.conf files, OS (redhat 7.3) and syslog.conf settings. One is logging spam, but one isn't. SA/MS are both working fine.

Anyone seen logging of spam break like this before? Any clues where to start?

Thanks,
Ken A
Pacific.Net

From mkbowman at neo.rr.com Fri Mar 5 16:24:21 2004
From: mkbowman at neo.rr.com (Matthew K Bowman)
Date: Thu Jan 12 21:23:07 2006
Subject: Perl - CPAN Error - need help
References: <20040305154732.M84605@tnonc.com>
Message-ID: <000301c402ce$53efcec0$8266a8c0@MKBOWMAN2>

Er, it's looking for Zlib 1.4 :(

----- Original Message -----
From: "Mike Osborne" To: Sent: Friday, March 05, 2004 11:51 AM Subject: Perl - CPAN Error - need help > You could download it manually and install the module. I also needed > Compress::Zlib for Archive::Zip to work. I checked the dependencies at > search.cpan.org and saw it was needed and I did not have it. > > Archive::Zip download > http://search.cpan.org/~nedkonz/Archive-Zip-1.09/ > > Compress::Zlib download > http://search.cpan.org/~pmqs/Compress-Zlib-1.33/ > > > Archive::zip page with dependencies at bottom of page > http://search.cpan.org/~nedkonz/Archive-Zip-1.09/lib/Archive/Zip.pod > > > I hope this helps. > > Mike Osborne > IS Director > From jburzenski at AMERICANHM.COM Fri Mar 5 16:34:41 2004 
From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:23:07 2006 Subject: Upgrade Oddity Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> Hello All, I recently upgraded from MS 4.22-5 to 4.26.8-1. I have very similar to default configuration and accepted the defaults for all of the new options available. I have noticed (via mailscanner-mrtg graphs) a significant load increase coming in drastic spikes during the day. The intervals aren't that regular but they do appear to be almost hourly. Typicaly the load value will hover between 0 and 1. But, now, during the day I can see it create a peak over the course of 40 minutes to an hour that hits consistently around 5. The only significant process I am running hourly is mailscanner-mrtg (version 0.05). I am running 2 dns load balanced servers, both dual 2.4g xeons with 2.5GB memory processing somewhere around 100K messages per day each. Here are my stats for cpu/mem right off msmrtg. BOX 1 Max CPU Utilization: 30.0 percent Average CPU Utilization: 6.0 percent Current CPU Utilization: 11.0 percent Max memory including cache: 2552.0 Megabytes Average memory including cache: 2452.0 Megabytes Current memory including cache: 2529.0 Megabytes Max memory excluding cache: 932.0 Megabytes Average memory excluding cache: 853.0 Megabytes Current memory excluding cache: 894.0 Megabytes BOX 2 Max CPU Utilization: 35.0 percent Average CPU Utilization: 5.0 percent Current CPU Utilization: 19.0 percent Max memory including cache: 2563.0 Megabytes Average memory including cache: 2454.0 Megabytes Current memory including cache: 2489.0 Megabytes Max memory excluding cache: 891.0 Megabytes Average memory excluding cache: 784.0 Megabytes Current memory excluding cache: 779.0 Megabytes Does anyone have any ideas as to what might be causing the load average spikes? 
I am not suffereing from performance issues but I was hoping to be able to scale these boxes a little further and this limits my options a bit. Thanks in advance. Jason -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040305/49b213fb/attachment.html From mailscanner at ecs.soton.ac.uk Fri Mar 5 15:22:51 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:07 2006 Subject: MS 4.28.5 In-Reply-To: <1078498809.22219.38.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078498809.22219.38.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <6.0.1.1.2.20040305152231.03629a38@imap.ecs.soton.ac.uk> At 15:00 05/03/2004, you wrote: >Julian, > >I'm not sure about the following: > ># Another word that can be put in this list is the special keyword ># Zip-Password : inserting this will cause senders to be warned about ># password-protected zip files, when they are not allowed. ># This will over-ride the All-Viruses setting in the list ># of "Silent Viruses" above. ># >Non-Forging Viruses = O97M/ W97M/ > >If I put Zip-Password in there, does that mean that all senders of >password-protected zip files (including virus infected emails) will be >notified about this? Yes. >If so I don't think it is a good idea to use the Zip-Password here... So don't put it in then :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 16:24:59 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:07 2006
Subject: 4.28.5-2 and zip files
In-Reply-To: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca>
References: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk>

At 16:17 05/03/2004, you wrote:
>Hi Julian,
>
>I am testing the latest and greatest and found the following in my
>maillog after sending myself a password-protected zip file:
>Cannot match against destination IP address when resolving configuration
>option "allowpasszips"
>
>Is this a normal message or did I make a mistake somewhere?
>
>I have:
>Allow Password-Protected Archives = %rules-dir%/pwd.archives.rules
>
>and pwd.archives.rules contains (x.y are really numbers in my file):
>FromOrTo: 132.210.x.y yes

You can't match a "To" address that is an IP number as you don't know the
destination IP address until after you have delivered the message. You can
only use "From" with IP addresses.

>FromOrTo: Default no
>
>Thanks again!
>
>Denis
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Mar 5 16:17:52 2004
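
[Added example, not part of the original thread and not MailScanner project code: a small ruleset linter for the point made in the reply above, that an IP-address pattern can only ever match the sender side. It assumes whitespace-separated "Direction: pattern value" rule lines as quoted in the thread; the function names and the sample rules other than the two quoted ones are constructed for illustration.]

```python
"""Flag MailScanner ruleset lines that put an IP pattern on the recipient side."""
import re
from dataclasses import dataclass

# Constructed sample: the two rules quoted in the thread (the "x.y" placeholder
# is kept exactly as posted) plus constructed rules covering the other cases.
SAMPLE_RULESET = """\
# pwd.archives.rules
FromOrTo: 132.210.x.y yes
From: 192.168. yes
To: 10.1.2.3 yes
To: *@example.org yes
FromOrTo: Default no
"""

# Directions that involve the recipient ("To") side of a message.
RECIPIENT_SIDE = {"to:", "fromorto:", "fromandto:"}

# Dotted numeric address or prefix (e.g. 10.1.2.3 or 192.168.). The letters
# x and y are accepted as octets only so the thread's redacted rule is caught.
OCTET = r"(?:\d{1,3}|[xy])"
IP_PATTERN = re.compile(rf"^\d{{1,3}}\.(?:{OCTET}(?:\.{OCTET}){{0,2}}\.?)?$")


@dataclass
class Finding:
    lineno: int
    direction: str
    pattern: str
    advice: str


def lint_ruleset(text):
    """Return a Finding for every recipient-side rule keyed on an IP pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        # Walk adjacent token pairs so a line carrying more than one
        # direction/pattern pair is checked for each of them.
        for tok, pattern in zip(tokens, tokens[1:]):
            direction = tok.lower()
            if direction not in RECIPIENT_SIDE or not IP_PATTERN.match(pattern):
                continue
            if direction == "fromorto:":
                advice = "use From: (only the sender half can match an IP)"
            else:
                advice = ("the To side cannot be matched on an IP; "
                          "key the rule on the recipient address or domain")
            findings.append(Finding(lineno, tok, pattern, advice))
    return findings


def narrow_fromorto(text):
    """Rewrite 'FromOrTo: <ip>' rules to 'From: <ip>', leaving the rest as is."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        if (len(tokens) >= 2 and tokens[0].lower() == "fromorto:"
                and IP_PATTERN.match(tokens[1])):
            line = re.sub(r"^(\s*)\S+", r"\1From:", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE_RULESET):
        print(f"line {f.lineno}: {f.direction} {f.pattern} -> {f.advice}")
    print(narrow_fromorto(SAMPLE_RULESET), end="")
```
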
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:07 2006 Subject: ANNOUNCE: Stable 4.28.5 released In-Reply-To: <08EC33F0-6EBA-11D8-B24D-003065F939FE@ucsc.edu> References: <6.0.1.1.2.20040305095455.03facd88@imap.ecs.soton.ac.uk> <08EC33F0-6EBA-11D8-B24D-003065F939FE@ucsc.edu> Message-ID: <6.0.1.1.2.20040305161739.03afaf58@imap.ecs.soton.ac.uk> At 15:30 05/03/2004, you wrote: >On Mar 5, 2004, at 2:04 AM, Julian Field wrote: > >>so the old "put it in a zip and it won't be >>checked" is no longer true. > >Same for tar files and other supported archive formats? No. Bung it in a tar file and it should be fine. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Mar 5 16:18:56 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:07 2006
Subject: SV: BayesStore
In-Reply-To: <57807C70FEEBD211AD0F0008C728BDB202D6EC1E@epost1.skekraft.se>
References: <57807C70FEEBD211AD0F0008C728BDB202D6EC1E@epost1.skekraft.se>
Message-ID: <6.0.1.1.2.20040305161848.03af9520@imap.ecs.soton.ac.uk>

Delete the .dir and .pag files.

At 15:44 05/03/2004, you wrote:
>The permissions are as follows.
>
>drwxrwxrwx 2 postfix postfix       4096 Mar 5 16:38 ./
>drwxrwxrwx 5 root    root          4096 Sep 2 2003 ../
>-rw-rw-rw- 1 postfix postfix 3430245886 Mar 5 16:42 bayes_journal
>-rw-rw-rw- 1 postfix postfix    1908887 Dec 7 20:52 bayes_seen
>-rw-rw-rw- 1 postfix postfix       4096 Mar 5 16:27 bayes_seen.dir
>-rw-rw-rw- 1 postfix postfix    8226816 Mar 5 16:38 bayes_seen.pag
>-rw-rw-rw- 1 postfix postfix   22810640 Dec 7 20:52 bayes_toks
>-rw-rw-rw- 1 postfix postfix       4096 Mar 5 16:36 bayes_toks.dir
>-rw-rw-rw- 1 postfix postfix   33481728 Mar 5 16:38 bayes_toks.pag
>
>/ Martin
>
> > -----Original message-----
> > From: Drew Marshall [mailto:drew@THEMARSHALLS.CO.UK]
> > Sent: 5 March 2004 13:59
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: BayesStore
> >
> > Martin Norberg said:
> > > I can't find the problem.
> > > Postfix is owner to the folder /var/spool/MailScanner/spamassassin and
> > > the bayes* files in it.
> > >
> > Who is MailScanner running as?
> > What are the permissions of the *contents* of
> > /var/spool/MailScanner/spamassassin?
> >
> > Drew
> >
> >
> > --
> > In line with our policy, this message has been scanned for
> > viruses and dangerous content by MailScanner, and is believed
> > to be clean.
> > www.themarshalls.co.uk/policy
> >
> > ----
> > MailScanner at Skellefteå Kraft has checked whether the message
> > contains viruses or other harmful content.
> >
>
>
>----
>MailScanner at Skellefteå Kraft has checked whether the message
>contains viruses or other harmful content.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rcooper at DWFORD.COM Fri Mar 5 16:53:16 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: <4048A0C7.7050301@gmx.de> Message-ID: > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of shrek-m@gmx.de > Sent: Friday, March 05, 2004 10:46 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-4.28.5-1 > > > Erik Jakobsen wrote: > > >Warning: I could not locate your pod2man program. > Please make sure, > > your pod2man program is in your PATH before > you execute 'make' > > > > > This is a known issue with RH9 run the following command before installing unset LANG I believe setting LANG to "C" is supposed to work as well > > # echo $PATH > /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/u > sr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/b > in:/root/bin > > # which pod2man > /usr/bin/pod2man > > # rpm -qf `which pod2man` > perl-5.8.3-10 > > -- > shrek-m > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From michele at BLACKNIGHTSOLUTIONS.COM Fri Mar 5 16:45:05 2004 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:23:07 2006 Subject: Happy Birthday to SPAM! Message-ID: http://news.netcraft.com/archives/2004/03/05/spams_tenth_birthday_today.html Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland -- Email scanned by Blacknight for viruses and dangerous content. Visit http://www.blacknight.ie for more information From Kevin.Spicer at BMRB.CO.UK Fri Mar 5 16:45:52 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:07 2006
Subject: Upgrade Oddity
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B2E@pascal.priv.bmrb.co.uk>

Jason Burzenski wrote:
> The only
> significant process I am running hourly is mailscanner-mrtg (version
> 0.05).

You definitely should upgrade that if you are having load troubles. MailScanner-MRTG v5 is much more inefficient than more recent versions (versions prior to 0.06 parse the entire mail log three times every 5 minutes - recent versions pick up where the last run left off, and only parse it once).

Kevin (maintainer MailScanner-MRTG)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From lfarkas at BPPIAC.HU Fri Mar 5 17:13:32 2004
From: lfarkas at BPPIAC.HU (Farkas Levente)
Date: Thu Jan 12 21:23:07 2006
Subject: why mailscanner is better?
Message-ID: <4048B53C.2000307@bppiac.hu>

hi,
what is the difference between I use Kaspersky and SpamAssassin on our mail gateway and if I use mailscanner?
would it be better for me?
thanks in advance.

--
Levente "Si vis pacem para bellum!"

From eja at URBAKKEN.DK Fri Mar 5 17:29:41 2004
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:23:07 2006
Subject: MailScanner-4.28.5-1
Message-ID:

On Fri, 5 Mar 2004 11:53:16 -0500, Rick Cooper wrote:

>> -----Original Message-----
>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of shrek-m@gmx.de >> Sent: Friday, March 05, 2004 10:46 AM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: MailScanner-4.28.5-1 >> >> >> Erik Jakobsen wrote: >> >> >Warning: I could not locate your pod2man program. >> Please make sure, >> > your pod2man program is in your PATH before >> you execute 'make' >> > >> > >> > >This is a known issue with RH9 run the following command before >installing > unset LANG >I believe setting LANG to "C" is supposed to work as well Well that I just got aware of now when you write it, but maybe these errors are due to this ?. Mar 5 18:27:44 gateway ipop3d[30630]: pop3 service init from 192.168.1.168 Mar 5 18:27:44 gateway ipop3d[30630]: Login user=eja host=[192.168.1.168] nmsgs=0/0 Mar 5 18:27:44 gateway ipop3d[30631]: pop3 service init from 192.168.1.168 Mar 5 18:27:44 gateway ipop3d[30630]: Logout user=eja host=[192.168.1.168] nmsgs=0 ndele=0 Mar 5 18:27:44 gateway ipop3d[30631]: Login user=erik host=[192.168.1.168] nmsgs=0/0 Mar 5 18:27:44 gateway ipop3d[30631]: Logout user=erik host=[192.168.1.168] nmsgs=0 ndele=0 Mar 5 18:27:46 gateway MailScanner[30632]: MailScanner E-Mail Virus Scanner version 4.28.5 starting... Mar 5 18:27:46 gateway MailScanner[30632]: Could not read directory /var/spool/mqueue Mar 5 18:27:46 gateway MailScanner[30632]: Error in configuration file line 104, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) Mar 5 18:27:56 gateway MailScanner[30633]: MailScanner E-Mail Virus Scanner version 4.28.5 starting... Mar 5 18:27:56 gateway MailScanner[30633]: Could not read directory /var/spool/mqueue Mar 5 18:27:56 gateway MailScanner[30633]: Error in configuration file line 104, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) Mar 5 18:28:06 gateway MailScanner[30634]: MailScanner E-Mail Virus Scanner version 4.28.5 starting... 
Mar 5 18:28:06 gateway MailScanner[30634]: Could not read directory /var/spool/mqueue Mar 5 18:28:06 gateway MailScanner[30634]: Error in configuration file line 104, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) Mar 5 18:28:16 gateway MailScanner[30635]: MailScanner E-Mail Virus Scanner version 4.28.5 starting... Mar 5 18:28:16 gateway MailScanner[30635]: Could not read directory /var/spool/mqueue Mar 5 18:28:16 gateway MailScanner[30635]: Error in configuration file line 104, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) Mar 5 18:28:26 gateway MailScanner[30636]: MailScanner E-Mail Virus Scanner version 4.28.5 starting... Mar 5 18:28:26 gateway MailScanner[30636]: Could not read directory /var/spool/mqueue Mar 5 18:28:26 gateway MailScanner[30636]: Error in configuration file line 104, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable) I do not understand the above, as MailScanner has worked here since long time. What could be the reason ?. /Erik >> >> # echo $PATH >> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/u >> sr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/b >> in:/root/bin >> >> # which pod2man >> /usr/bin/pod2man >> >> # rpm -qf `which pod2man` >> perl-5.8.3-10 >> >> -- >> shrek-m >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> From steve.swaney at FSL.COM Fri Mar 5 17:38:53 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner-4.28.5-1 In-Reply-To: Message-ID: <20040305173853.ABF5821C14E@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Erik Jakobsen > Sent: Friday, March 05, 2004 12:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner-4.28.5-1 > > On Fri, 5 Mar 2004 11:53:16 -0500, Rick Cooper wrote: > > >> -----Original Message----- > >> From: MailScanner mailing list > >> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >> Behalf Of shrek-m@gmx.de > >> Sent: Friday, March 05, 2004 10:46 AM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: MailScanner-4.28.5-1 > >> > >> > >> Erik Jakobsen wrote: > >> > >> >Warning: I could not locate your pod2man program. > >> Please make sure, > >> > your pod2man program is in your PATH before > >> you execute 'make' > >> > > >> > > >> > > > >This is a known issue with RH9 run the following command before > >installing > > unset LANG > >I believe setting LANG to "C" is supposed to work as well > > Well that I just got aware of now when you write it, but maybe these > errors are due to this ?. > > Mar 5 18:28:16 gateway MailScanner[30635]: MailScanner E-Mail Virus > Scanner version 4.28.5 starting... > Mar 5 18:28:16 gateway MailScanner[30635]: Could not read > directory /var/spool/mqueue > Mar 5 18:28:16 gateway MailScanner[30635]: Error in configuration file > line 104, directory /var/spool/mqueue for outqueuedir does not exist (or > is not readable) This is telling you that the directory /var/spool/mqueue does not exist or is not readable by the effective user ID of your email program :) Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From ka at PACIFIC.NET Fri Mar 5 17:49:45 2004 
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:23:07 2006 Subject: Upgrade Oddity In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> References: <9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> Message-ID: <4048BDB9.8060203@pacific.net> We process about 3x the amount of mail on a similar machine, and are unable to run 4.26.8-1. Changes in Message.pm, particularly in it's expansion of message parts make it slower than previous versions. It's much better at detecting viruses hidden in poorly formed mime parts, so it's a problem I'm hoping for a solution to as well. You should be able to run 4.26.5 okay though, and that's a worthwhile upgrade too! Ken A Pacific.Net Jason Burzenski wrote: > Hello All, > > I recently upgraded from MS 4.22-5 to 4.26.8-1. I have very similar to > default configuration and accepted the defaults for all of the new options > available. > > I have noticed (via mailscanner-mrtg graphs) a significant load increase > coming in drastic spikes during the day. The intervals aren't that regular > but they do appear to be almost hourly. Typicaly the load value will hover > between 0 and 1. But, now, during the day I can see it create a peak over > the course of 40 minutes to an hour that hits consistently around 5. The > only significant process I am running hourly is mailscanner-mrtg (version > 0.05). > > I am running 2 dns load balanced servers, both dual 2.4g xeons with 2.5GB > memory processing somewhere around 100K messages per day each. Here are my > stats for cpu/mem right off msmrtg. 
> > BOX 1 > > Max CPU Utilization: 30.0 percent Average CPU Utilization: 6.0 > percent Current CPU Utilization: 11.0 percent > Max memory including cache: 2552.0 Megabytes Average memory > including cache: 2452.0 Megabytes Current memory including cache: > 2529.0 Megabytes > Max memory excluding cache: 932.0 Megabytes Average memory > excluding cache: 853.0 Megabytes Current memory excluding cache: > 894.0 Megabytes > > BOX 2 > > Max CPU Utilization: 35.0 percent Average CPU Utilization: 5.0 > percent Current CPU Utilization: 19.0 percent > Max memory including cache: 2563.0 Megabytes Average memory > including cache: 2454.0 Megabytes Current memory including cache: > 2489.0 Megabytes > Max memory excluding cache: 891.0 Megabytes Average memory > excluding cache: 784.0 Megabytes Current memory excluding cache: > 779.0 Megabytes > > Does anyone have any ideas as to what might be causing the load average > spikes? I am not suffereing from performance issues but I was hoping to be > able to scale these boxes a little further and this limits my options a bit. > > > Thanks in advance. > > Jason > From victor at PIXELMAGICFX.COM Fri Mar 5 18:08:39 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:23:07 2006 Subject: BAGELS! Message-ID: <4048C227.1040101@pixelmagicfx.com> F-secure is currently not stopping the moreinfo.zip file containing the W32bagel virus. It can't do this with command line or in MailScanner. Panda, while it is capbale of stopping the virus in command line, doesn't actually work in MailScanner. Does anyone actually have Panda working with Mailscanner that can give me some advice? I can't find any logs that state how mailscanner works or doesn't work with Panda. thanks Vic . From victor at PIXELMAGICFX.COM Fri Mar 5 18:20:56 2004 
From: victor at PIXELMAGICFX.COM (Victor DiMichina)
Date: Thu Jan 12 21:23:07 2006
Subject: BAGELS!
References: <4048C227.1040101@pixelmagicfx.com>
Message-ID: <4048C508.5050201@pixelmagicfx.com>

Currently, I'm running 4.24.5 on a Red Hat 8.0 system. I know 4.28 has options to block password protected zip files, however, I'm trying to make the virus scanners do their job. If I can't get around that, I'll likely just upgrade.

Vic

Victor DiMichina wrote:

> F-secure is currently not stopping the moreinfo.zip file containing the
> W32bagel virus. It can't do this with command line or in MailScanner.
> Panda, while it is capable of stopping the virus in command line,
> doesn't actually work in MailScanner. Does anyone actually have Panda
> working with Mailscanner that can give me some advice? I can't find any
> logs that state how mailscanner works or doesn't work with Panda.
>
> thanks
> Vic
> .

From miguelk at KONSULTEX.COM.BR Fri Mar 5 18:16:19 2004
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:23:07 2006
Subject: why mailscanner is better?
References: <4048B53C.2000307@bppiac.hu>
Message-ID: <4048C3F3.9050207@konsultex.com.br>

Farkas;

One benefit I particularly like is that on top of Kaspersky I can put other virus scanners, especially Clam.

Miguel

Farkas Levente wrote:

> hi,
> what is the difference between I use Kaspersky and SpamAssassin on our
> mail gateway and if I use mailscanner?
> would it be better for me?
> thanks in advance.
>
> --
> Levente "Si vis pacem para bellum!"
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From Denis.Beauchemin at USHERBROOKE.CA Fri Mar 5 18:17:24 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:23:07 2006 Subject: 4.28.5-2 and zip files In-Reply-To: <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk> References: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk> Message-ID: <1078510644.22219.82.camel@dbeauchemin.sti.usherbrooke.ca> On Fri 05/03/2004 at 11:24, Julian Field wrote: > At 16:17 05/03/2004, you wrote: > >Hi Julian, > > > >I am testing the latest and greatest and found the following in my > >maillog after sending myself a password-protected zip file: > >Cannot match against destination IP address when resolving configuration > >option "allowpasszips" > > > >Is this a normal message or did I make a mistake somewhere? > > > >I have: > >Allow Password-Protected Archives = %rules-dir%/pwd.archives.rules > > > >and pwd.archives.rules contains (x.y are really numbers in my file): > >FromOrTo: 132.210.x.y yes > > You can't match a "To" address that is an IP number as you don't know the > destination IP address until after you have delivered the message. You can > only use "From" with IP addresses. I keep forgetting about this... Thanks. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From Denis.Beauchemin at USHERBROOKE.CA Fri Mar 5 18:32:24 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:23:07 2006 Subject: Small problems with 4.28.5-2 Message-ID: <1078511544.22219.93.camel@dbeauchemin.sti.usherbrooke.ca> Julian, I have been testing this release a bit more and I found the following problems: - it doesn't sign the message if a filename check kicks in (I discovered this using a zip file but it does the same with a plain exe); maybe this is a design decision? - on the inline sig subject: I can't put accented characters in there because I can't trust the message charset to display them OK (I think the only solution would be to put the sig in an attachment) - the whole zip file is quarantined if it contains an offending file name; I thought you just removed the offending part from the zip file... That's it for now. Nothing to prevent me from going in production though. Thanks! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From jrudd at UCSC.EDU Fri Mar 5 18:34:45 2004
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:23:07 2006 Subject: 4.28.5-2 and zip files In-Reply-To: <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk> References: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk> Message-ID: On Mar 5, 2004, at 8:24 AM, Julian Field wrote: >> >> FromOrTo: 132.210.x.y yes > > You can't match a "To" address that is an IP number as you don't know > the destination IP address until after you have delivered the message. > You can only use "From" with IP addresses. > As a point of clarification (I've had this question for a while, and just seems to fit now), when you match from on an IP address, it's not actually related to the From address (as in, a DNS lookup of the email address), it's the MTA's relay (the $_ in sendmail-ese) right? Which leads me to another question: does mailscanner lose anything if the $_ only has the IP address and not the hostname? From jrudd at UCSC.EDU Fri Mar 5 18:37:38 2004 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:23:07 2006 Subject: Upgrade Oddity In-Reply-To: <4048BDB9.8060203@pacific.net> References: <9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> <4048BDB9.8060203@pacific.net> Message-ID: <2D63C1DA-6ED4-11D8-B24D-003065F939FE@ucsc.edu> On Mar 5, 2004, at 9:49 AM, Ken Anderson (Pacific Internet) wrote: > We process about 3x the amount of mail on a similar machine, and are > unable to run 4.26.8-1. Changes in Message.pm, particularly in its > expansion of message parts make it slower than previous versions. It's > much better at detecting viruses hidden in poorly formed mime parts, so > it's a problem I'm hoping for a solution to as well. Does it help if you set the maximum archive depth to 0, or are you not talking about expansion of archives, but expansion of something else? From Denis.Beauchemin at USHERBROOKE.CA Fri Mar 5 18:38:44 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:23:07 2006 Subject: Small problems with 4.28.5-2 In-Reply-To: <1078511544.22219.93.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078511544.22219.93.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1078511924.22219.99.camel@dbeauchemin.sti.usherbrooke.ca> I forgot to mention that when sender.filename.report.txt is being used for zip file warnings it has a double diagnostic: Résultats de l'antivirus: MailScanner: Les fichiers ?.EXE? sont trop souvent infectés par des virus (kawa-rappel.exe) Analyse: MailScanner: Les fichiers ?.EXE? sont trop souvent infectés par des virus (kawa-rappel.exe) The file contains: Résultats de l'antivirus: $report I only see a single line if there is no zip file involved. Denis PS: "Analyse" is my translation for "Report". On Fri 05/03/2004 at 13:32, Denis Beauchemin wrote: > Julian, > > I have been testing this release a bit more and I found the following > problems: > > - it doesn't sign the message if a filename check kicks in (I discovered > this using a zip file but it does the same with a plain exe); maybe this > is a design decision? > > - on the inline sig subject: I can't put accented characters in there > because I can't trust the message charset to display them OK (I think > the only solution would be to put the sig in an attachment) > > - the whole zip file is quarantined if it contains an offending file > name; I thought you just removed the offending part from the zip file... > > That's it for now. Nothing to prevent me from going in production > though. > > Thanks! > > Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From campbell at CNPAPERS.COM Fri Mar 5 19:01:57 2004
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:23:07 2006 Subject: Blacklist entry question Message-ID: <004501c402e4$551735c0$4c01a8c0@cnpapers.net> I find that the blacklist (spam.blacklist.rules) is one of the most effective solutions for efficiency using MailScanner. I have two small questions about the blacklist and its entries. Since I don't get any SA scores from blacklisted entries, can I assume that this (blacklisting) is one of the first things performed by MS, and that by using it, it eliminates email faster. I get mail from xxx1.yyy, xxx2.yyy and xxx3.yyy. I want to blacklist it. Do I need to add 3 entries, or can I use something like xxx[1-3].yyy? Thanks so much for this beautiful piece of software and any time anyone can supply to this question. Steve Campbell campbell@cnpapers.com Charleston Newspapers From ka at PACIFIC.NET Fri Mar 5 19:06:57 2004 
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:23:07 2006 Subject: splitting messages/duplicate messages - was Re: Upgrade Oddity - Message-ID: <4048CFD1.9060106@pacific.net> References: <9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> <4048BDB9.8060203@pacific.net> <2D63C1DA-6ED4-11D8-B24D-003065F939FE@ucsc.edu> In-Reply-To: <2D63C1DA-6ED4-11D8-B24D-003065F939FE@ucsc.edu> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.38 I was referring to the explosion of message parts, not archives. I'd like to see a setting for max part explosion too, or something like that, though I'm not sure exactly how all the code in Message.pm works, so it's a bit unclear to me if that's possible or a good idea. Our problem is compounded by the fact that we split recipients in sendmail, so if a message comes in with 10 recipients, it's split into 10 messages. If it also contains 5 poorly formed mime parts, MailScanner 4.26.7+ will split it up again. So we end up passing 5 parts of 1 message to SpamAssassin 10 times = 50x. :-( It would be nice if there was a way for SA to checksum a message, store its SA score and apply that score to subsequent duplicate copies that pass through SA within a limited amount of time. This would help with dictionary attacks too. Anyone working on such a thing? Does it make sense? Thanks, Ken A. Pacific.Net John Rudd wrote: > On Mar 5, 2004, at 9:49 AM, Ken Anderson (Pacific Internet) wrote: > >> We process about 3x the amount of mail on a similar machine, and are >> unable to run 4.26.8-1. Changes in Message.pm, particularly in its >> expansion of message parts make it slower than previous versions. It's >> much better at detecting viruses hidden in poorly formed mime parts, so >> it's a problem I'm hoping for a solution to as well.
> > > Does it help if you set the maximum archive depth to 0, or are you not > talking about expansion of archives, but expansion of something else? > > From spamtrap71892316634 at ANIME.NET Fri Mar 5 19:12:47 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:07 2006 Subject: F-prot update In-Reply-To: <6.0.1.1.2.20040305134258.03f17e10@imap.ecs.soton.ac.uk> Message-ID: On Fri, 5 Mar 2004, Julian Field wrote: > At 13:27 05/03/2004, you wrote: > >I guess the f-prot update will mean more changes to MailScanner > I'm not going to rush out a new release for that, as MailScanner now > performs filename checks on the contents of Zip files anyway, even if they > are password-protected. > So it doesn't really give you very much extra value when used within > MailScanner. f-prot doesn't actually unzip the file and check it, it just adds new heuristics for filename size and extension. It would be nice if mailscanner could deal with password protected archives by extracting the password from the mail body... -Dan From ihuff at MAILGATE.PETERLI.COM Fri Mar 5 19:30:24 2004
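Ken Anderson's suggestion earlier in this thread (checksum a message, store its SA score, and apply that score to duplicate copies seen within a limited time) can be sketched as follows. This is an added example, not MailScanner or SpamAssassin code: `body_digest`, `ScoreCache` and the stand-in scorer are hypothetical names, the sample messages are constructed, and it assumes the score does not depend on per-recipient headers or per-user settings.

```python
import hashlib
import time


def body_digest(raw_message: bytes) -> str:
    """SHA-256 of the message body with line endings normalised.

    Headers are left out on purpose: when the MTA splits recipients, each
    copy gets different envelope-related headers but the same body. A
    cryptographic hash is used rather than a weak checksum so that a sender
    cannot craft a collision to inherit another message's low score.
    """
    text = raw_message.replace(b"\r\n", b"\n")
    _headers, sep, body = text.partition(b"\n\n")
    if not sep:            # no header/body separator: hash everything
        body = text
    return hashlib.sha256(body).hexdigest()


class ScoreCache:
    """Reuse a spam score for identical bodies seen within ttl_seconds."""

    def __init__(self, scorer, ttl_seconds=600.0, max_entries=10000,
                 clock=time.monotonic):
        self._scorer = scorer          # callable: raw bytes -> float score
        self._ttl = ttl_seconds
        self._max = max_entries
        self._clock = clock
        self._entries = {}             # digest -> (expires_at, score)
        self.hits = 0
        self.misses = 0

    def score(self, raw_message: bytes) -> float:
        now = self._clock()
        key = body_digest(raw_message)
        entry = self._entries.get(key)
        if entry is not None and entry[0] > now:
            self.hits += 1
            return entry[1]
        self.misses += 1
        value = self._scorer(raw_message)   # the expensive call
        self._entries.pop(key, None)        # re-insert so order = age
        self._entries[key] = (now + self._ttl, value)
        self._evict(now)
        return value

    def _evict(self, now):
        """Drop expired entries, then the oldest ones above max_entries."""
        for key in [k for k, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[key]
        while len(self._entries) > self._max:
            del self._entries[next(iter(self._entries))]


def demo():
    """One body delivered as 10 per-recipient copies (constructed sample)."""
    calls = []

    def fake_spamassassin(raw):         # hypothetical stand-in for SA
        calls.append(raw)
        return 24.0 if b"viagra" in raw.lower() else 0.5

    cache = ScoreCache(fake_spamassassin, ttl_seconds=600)
    body = b"Cheap VIAGRA, no prescription needed\n"
    scores = []
    for n in range(10):
        raw = b"To: user%d@example.com\nSubject: hi\n\n" % n + body
        scores.append(cache.score(raw))
    return len(calls), cache.hits, scores


if __name__ == "__main__":
    n_calls, hits, scores = demo()
    print("scorer calls:", n_calls, "cache hits:", hits, "scores:", scores)
```

The short time limit matters for correctness as well as memory: a cached score is a snapshot of the rules, Bayes data and network tests at scoring time.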
From: ihuff at MAILGATE.PETERLI.COM (Isaac Huff) Date: Thu Jan 12 21:23:07 2006 Subject: notification feature suggestion Message-ID: <20040305193024.GA16036@mailgate.peterli.com> Hi, In dealing with the current virus outbreak, I've been thinking about a feature that I really miss from my old days with Amavis-ng. I currently have MailScanner sending notices to the system administrator (Send Notices = yes) every time it finds a virus, which is helpful in my case. What I miss from Amavis is that the notification doesn't say what actually happened to the message - e.g. "QUARANTINED and NOT DELIVERED", or "DELIVERED TO xxxxx@example.com", or "DELETED", or "CLEANED and DELIVERED", etc. With the many possibilities for rulesets affecting what happens to a message, it can be confusing to see "file.exe contains worm.something" but not know whether the message was delivered, not delivered, quarantined, attachment file.exe removed, etc. In other words - what MailScanner did to the message. Currently there's no way that I know of to get this information. Am I missing something, or could this feature be added? Thanks. From gercke at HNM.DE Fri Mar 5 19:49:12 2004 From: gercke at HNM.DE (Daniel Gercke) Date: Thu Jan 12 21:23:07 2006 Subject: MCP Problem Message-ID: <4048D9B8.2090209@hnm.de> Hello, I have installed MCP Checker. The checker works fine, but it didn't mark any message as spam or make any changes to the Subject and so on. Need help. How can I mark these messages in the subject? Thank you all. Here is one forwarded message, so that you can see MCP is working: -------- Original Message -------- 
From: - Fri Mar 05 20:33:21 2004 X-UIDL: 3fd6d57a000039da X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Received: from mailgate5.cinetic.de (mailgate5.cinetic.de [217.72.192.165]) by hnm.de (8.11.6/8.11.6) with ESMTP id i25JSsM02376 for ; Fri, 5 Mar 2004 20:28:54 +0100 Received: from web.de (fmomail02.dlan.cinetic.de [172.20.1.46]) by mailgate5.cinetic.de (8.11.6p2/8.11.2/SuSE Linux 8.11.0-0.4) with SMTP id i25JSoQ17250 for gercke@hnm.de; Fri, 5 Mar 2004 20:28:50 +0100 Date: Fri, 5 Mar 2004 20:28:50 +0100 Message-Id: <200403051928.i25JSoQ17250@mailgate5.cinetic.de> MIME-Version: 1.0 From: Daniel Gercke To: gercke@hnm.de Subject: Vigara Precedence: fm-user Organization: http://freemail.web.de/ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-HNM-MailScanner-Information: Um mehr Informationen zu erhalten kontaktieren Sie hostmaster@hnm.de X-HNM-MailScanner: Found to be clean X-MailScanner-MCPCheck: MCP, MCP-Checker (Wertung=7.495, benoetigt 1, BODY_VIAGRA_TYPO 7.50) X-HNM-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=4.7, benoetigt 5, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 2.24, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10, RCVD_IN_BL_SPAMCOP_NET 2.25) X-HNM-MailScanner-SpamScore: ssss X-MailScanner-From: ****** Status: -- Diese Nachricht wurde auf Viren und andere gefaerliche Inhalte untersucht und ist - aktuelle Virenscanner vorausgesetzt - sauber. MailScanner dankt transtec fur die freundliche Unterstutzung. From hermit921 at YAHOO.COM Fri Mar 5 19:56:42 2004 
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:23:07 2006 Subject: Log spam = yes In-Reply-To: <4043B35B.3E1D45AC@ucsc.edu> References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> <4043B35B.3E1D45AC@ucsc.edu> Message-ID: <6.0.0.22.2.20040305115417.01ef9968@pop.mail.yahoo.com> I am thinking about turning on spam logging (Log Spam = yes) but I am curious about two things. 1. How much load does this actually add to the system? 2. How many lines per message does this add, and what do the added lines look like? hermit921 From peter at UCGBOOK.COM Fri Mar 5 20:30:24 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:07 2006 Subject: Blacklist entry question In-Reply-To: <004501c402e4$551735c0$4c01a8c0@cnpapers.net> References: <004501c402e4$551735c0$4c01a8c0@cnpapers.net> Message-ID: <4048E360.1050301@ucgbook.com> Stephe Campbell wrote: > Since I don't get any SA scores from blacklisted entries, can I assume that > this (blacklisting) is one of the first things performed by MS, and that by > using it, it eliminates email faster. If you have "log spam = yes" then it has to go through SA even if it's white- or blacklisted so you will not gain any speed then. > I get mail from xxx1.yyy, xxx2.yyy and xxx3.yyy. I want to blacklist it. Do > I need to add 3 entries, or can I use something like xxx[1-3].yyy? I think this will work: From: /xxx[123]\.yyy/ yes -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Fri Mar 5 20:36:18 2004
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:07 2006 Subject: Log spam = yes In-Reply-To: <6.0.0.22.2.20040305115417.01ef9968@pop.mail.yahoo.com> References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> <4043B35B.3E1D45AC@ucsc.edu> <6.0.0.22.2.20040305115417.01ef9968@pop.mail.yahoo.com> Message-ID: <4048E4C2.2010302@ucgbook.com> hermit921 wrote: > I am thinking about turning on spam logging (Log Spam = yes) but I am > curious about two things. > > 1. How much load does this actually adds to the system? Not much. A normal message running through MS generates at least ten lines of log, adding one more is not gonna kill your system. SA itself is very resource intensive (CPU and net especially) so if your system can handle that it shouldn't have any problems adding a little more IO. > 2. How many lines per message does this add, and what do the added lines > look like? One per message, looks like this: Mar 5 21:25:30 kleenex MailScanner[25285]: Message i25KPP7u027731 from xxx.xxx.xxx.xxx (rate_drop_alert@optionalhelp.com) to xxx.xxx is spam, SpamAssassin (score=8.705, required 4, BAYES_99 5.40, HTML_60_70 0.11, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, HTML_TITLE_EMPTY 0.12, HTTP_WITH_EMAIL_IN_URL 0.20, MANY_EXCLAMATIONS 0.83, MIME_HTML_NO_CHARSET 0.56, RCVD_IN_SBL 1.11) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From stahl at soest.hawaii.edu Fri Mar 5 21:21:05 2004 
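The `Log Spam = yes` syslog line Peter Bonivart quotes above can be parsed into structured fields for reporting on which rules drive spam verdicts. This is an added example, not part of MailScanner: the line layout is inferred only from that one quoted line, the function and class names are hypothetical, and the detail parser is positional so that it also reads the localized form (`Wertung=..., benoetigt ...`) shown in a header earlier in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Layout inferred from the one syslog line quoted in the thread (assumption):
#   ... MailScanner[pid]: Message <id> from <relay> (<sender>) to <domain>
#   is spam, SpamAssassin (score=S, required R, RULE n.nn, ...)
LINE_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Message (?P<msgid>\S+) "
    r"from (?P<relay>\S+) \((?P<sender>[^)]*)\) to (?P<to>\S+) "
    r"is spam, SpamAssassin \((?P<detail>[^)]*)\)"
)


@dataclass
class SpamHit:
    msgid: str
    relay: str
    sender: str
    to: str
    score: float
    required: float
    rules: dict

    def margin(self):
        """How far above the threshold the message scored."""
        return self.score - self.required

    def rules_account_for_score(self, tolerance=0.05):
        """Rule scores are printed rounded, so compare with a tolerance."""
        return abs(sum(self.rules.values()) - self.score) <= tolerance


def parse_detail(detail):
    """Parse 'score=S, required R, RULE n.nn, ...' by position, not label."""
    parts = [p.strip() for p in detail.split(",") if p.strip()]
    try:
        if "=" not in parts[0]:
            raise ValueError("first field has no '='")
        score = float(parts[0].split("=", 1)[1])
        required = float(parts[1].rsplit(None, 1)[1])
        rules = {}
        for item in parts[2:]:
            name, value = item.rsplit(None, 1)
            rules[name] = float(value)
    except (IndexError, ValueError) as exc:
        raise ValueError("unexpected SpamAssassin detail: %r" % detail) from exc
    return score, required, rules


def parse_log_line(line):
    """Return a SpamHit for a spam log line, or None for any other line."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    try:
        score, required, rules = parse_detail(match.group("detail"))
    except ValueError:
        return None
    return SpamHit(match.group("msgid"), match.group("relay"),
                   match.group("sender"), match.group("to"),
                   score, required, rules)


def rule_totals(hits):
    """Total score contributed by each rule, largest first."""
    totals = Counter()
    for hit in hits:
        for name, value in hit.rules.items():
            totals[name] += value
    return totals.most_common()


# Both sample lines are taken from messages in this thread, unwrapped.
SPAM_LINE = (
    "Mar 5 21:25:30 kleenex MailScanner[25285]: Message i25KPP7u027731 "
    "from xxx.xxx.xxx.xxx (rate_drop_alert@optionalhelp.com) to xxx.xxx "
    "is spam, SpamAssassin (score=8.705, required 4, BAYES_99 5.40, "
    "HTML_60_70 0.11, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10, "
    "HTML_TITLE_EMPTY 0.12, HTTP_WITH_EMAIL_IN_URL 0.20, "
    "MANY_EXCLAMATIONS 0.83, MIME_HTML_NO_CHARSET 0.56, RCVD_IN_SBL 1.11)"
)
BATCH_LINE = ("Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: "
              "Scanning 250 messages, 16145460 bytes")

if __name__ == "__main__":
    hits = [h for h in map(parse_log_line, (SPAM_LINE, BATCH_LINE)) if h]
    for hit in hits:
        print(hit.msgid, hit.sender, hit.score, "margin %.3f" % hit.margin())
    print(rule_totals(hits)[:3])
```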
From: stahl at soest.hawaii.edu (No Name) Date: Thu Jan 12 21:23:07 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 Message-ID: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> Hi everyone, I have MailScanner 4.26-1 running on 4 mail servers. All servers are Sun Workstations with 3 of them running Solaris 8 and the main server running Solaris 9. I wanted to upgrade to MailScanner 4.28.5-2 that was released in the last day but before doing that I decided to upgrade my Spamassassin. I was running SpamAssassin 2.61 on the Solaris 9 machine with perl 5.6.1 and upgraded this morning to 2.63. I downloaded the tar file and did the make and make install from there Now... 1) spamd is running (I don't know why) It never ran before entries from the syslog say.. Mar 5 08:00:52 leka spamd[29851]: server started on port 48373/tcp (running version 2.63) Mar 5 08:00:53 leka spamd[29851]: connection from localhost [127.0.0.1] at port 62945 Mar 5 08:00:53 leka spamd[29862]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 08:00:53 leka spamd[29862]: processing message <78w08.t365th3y6x7h@yahoo.com> for root:60001. Mar 5 08:00:53 leka spamd[29862]: identified spam (16.3/5.0) for root:60001 in 0.3 seconds, 1617 bytes. Mar 5 08:00:53 leka spamd[29851]: server killed by SIGTERM, shutting down Mar 5 08:01:01 leka spamd[29866]: server started on port 48373/tcp (running version 2.63) Mar 5 08:01:02 leka spamd[29866]: connection from localhost [127.0.0.1] at port 62949 Mar 5 08:01:02 leka spamd[29874]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 08:01:02 leka spamd[29874]: checking message <9PS291LhupY> for root:60001. Mar 5 08:01:02 leka spamd[29866]: server killed by SIGTERM, shutting down Mar 5 08:01:02 leka spamd[29874]: identified spam (14.2/5.0) for root:60001 in 0.2 seconds, 1544 bytes. 
Mar 5 08:01:03 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused Mar 5 08:01:04 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused Mar 5 08:01:05 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Mar 5 08:01:06 leka spamc[29878]: [ID 473657 mail.error] connection attempt to spamd aborted after 3 retries Mar 5 08:01:13 leka spamd[29890]: server started on port 48373/tcp (running version 2.63) Mar 5 08:01:13 leka spamd[29890]: connection from localhost [127.0.0.1] at port 62956 Mar 5 08:01:13 leka spamd[29900]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. ...etc,etc,etc. 2) I have no bayes databases that I can find anywhere 3) I found in the install log that the rules were installed in /usr/perl5/5.6.1/share/spamassassin So I edited the MailScanner.conf file and changed the location to that, stopped and restarted MailScanner and now it doesn't look like spamd/spamc are running. Did I go wrong in the make of Spamassassin? Can I uninstall it? I don't know how to uninstall a perl module. Don't want to upgrade to the new MailScanner until I know this is working. I haven't had any problems in the past. Aloha, Sharon *=============================================================* | UH/SOEST-Research Computer Fac vox: (808) 956-2616 | | 1680 East West Rd- POST820 email: stahl@soest.hawaii.edu | | Honolulu, Hi 96822 fax: (808) 956-5154 | *=============================================================* From jrudd at UCSC.EDU Fri Mar 5 21:17:16 2004
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:23:07 2006 Subject: Symlinks or no Symlinks (was: Re: W32/Bagle-Zip) References: <200403041646.i24GkDLi031216@lynx.norcomcable.ca> <026901c40217$2233f3f0$0269a8c0@home> <6.0.1.1.2.20040304183838.0399db28@imap.ecs.soton.ac.uk> <4047B5A5.4CE3E99C@ucsc.edu> <6.0.1.1.2.20040305085535.03dd3468@imap.ecs.soton.ac.uk> Message-ID: <4048EE5C.4823192F@ucsc.edu> Julian Field wrote: > > At 23:03 04/03/2004, you wrote: > > > >So, why must it be the absolute path? What is it that you think will > >break/happen if it's not the absolute path? > > The output of some virus scanners (notably McAfee for an example) Ah, so the fact that we use sophos here is probably the reason symlinks aren't a problem for us. Good to know. Thanks, John From maillists at CONACTIVE.COM Fri Mar 5 21:31:45 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:07 2006 Subject: MCP Problem In-Reply-To: <4048D9B8.2090209@hnm.de> References: <4048D9B8.2090209@hnm.de> Message-ID: Daniel Gercke wrote on Fri, 5 Mar 2004 20:49:12 +0100: > I have installed MCP Checker. These Checker works fine, but didn't mark > any message as Spam or will made any changes to Subject or so on. > I can't help you with the main problem, but why do you want to spamcheck twice? It looks like you put some spam checking rules of your own for the MCP check instead of doing this all in one SA sweep. As always I strongly urge to read the SA documentation and go to the SA mailing list and unleash its full capabilities before you try to reinvent the wheel a second time with MS and ask here :-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From JLM939 at HOTMAIL.COM Fri Mar 5 22:08:25 2004
From: JLM939 at HOTMAIL.COM (Justin) Date: Thu Jan 12 21:23:07 2006 Subject: Calling all translators (Japanese, UTF-8) Message-ID: Okay, last time. Forgot to force UTF-8 on the last one. Sorry! ======= > It's translation time again. I would like you all to translate these > strings into your language of choice. They are used when unreadable or > protected archives and zip files are found. > > Message contained archive which could not be read ?????????????????????? > Message contained password-protected archive ??????????????????????? The charset encoding used in the previous message I sent appears to have been mangled in transit. Using UTF-8 this time. Also tweaked the text itself a bit. Replace previous strings with this version. Justin From chris at FRACTALWEB.COM Fri Mar 5 22:13:15 2004 
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:23:08 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> References: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> Message-ID: <4048FB7B.10308@fractalweb.com> Bart, This is a very interesting idea. I'm not sure how much extra overhead this would cause for MailScanner though. It's almost like you'd have to spawn a separate process to attempt to decrypt the zip...and somehow pass all the words to try. I'll follow this thread to see what other ideas people come up with. Cheers, Chris MailScanner wrote: >MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip. > >This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now. > >Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file' since the only point in sending a encrypted file and its key in the same message is to bypass automated scanning. > >Bart... > > From JLM939 at HOTMAIL.COM Fri Mar 5 22:06:50 2004 
From: JLM939 at HOTMAIL.COM (Justin) Date: Thu Jan 12 21:23:08 2006 Subject: Calling all translators (Japanese, UTF-8) Message-ID: > It's translation time again. I would like you all to translate these > strings into your language of choice. They are used when unreadable or > protected archives and zip files are found. > > Message contained archive which could not be read メッセージの添付ファイルは開けませんでした。 > Message contained password-protected archive メッセージの添付ファイルは暗号化されています。 The charset encoding used in the previous message I sent appears to have been mangled in transit. Using UTF-8 this time. Also tweaked the text itself a bit. Replace previous strings with this version. Justin From mikes at HARTWELLCORP.COM Fri Mar 5 23:19:59 2004 From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:23:08 2006 Subject: Upgrading Mailscanner Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D46@hart-exchange.hartwellcorp.com> Justin wrote: > Cut the guy a break. I'm pretty sure he meant "wary" and not "weary." I guess I should have put smileys around my message. I certainly didn't mean for it to sound as if I were busting his chops or anything. ;-) -- Michael St. Laurent Hartwell Corporation From linux at MOSTERT.NOM.ZA Fri Mar 5 05:53:12 2004
From: linux at MOSTERT.NOM.ZA (Mozzi) Date: Thu Jan 12 21:23:08 2006 Subject: Emails in mqueue.in not being processed In-Reply-To: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> References: <20040305034205.37EDF4160BD@ws5-2.us4.outblaze.com> Message-ID: <200403050753.12250.linux@mostert.nom.za> I seem to have the same problem. I just disabled clamav and I am just using f-prot currently and still it seems as though my messages aren't getting processed : ------------------------------------------------------- New Batch: Found 3124 messages waiting Mar 5 07:48:34 ais-mail01 MailScanner[9482]: New Batch: Scanning 250 messages, 16145460 bytes New Batch: Found 3152 messages waiting Mar 5 07:48:45 ais-mail01 MailScanner[9805]: New Batch: Scanning 250 messages, 14979600 bytes ------------------------------------------------------- And it just becomes more and more. I run Red-Hat 7.3 MailScanner 4.27.7-1 ClamAV version 0.67-1 F-PROT ANTIVIRUS Program version: 4.3.5 Engine version: 3.14.8 I tried installing the clamv perl module but I get errors Mozzi On Friday 05 March 2004 05:42, BG Mahesh wrote: > ----- Original Message ----- 
> From: Raymond Dijkxhoorn > > > Perl -MCPAN -e shell > > install Mail::ClamAV > > > > This is mentioned more then once, please look in the archives and F.A.Q. > > also. > > In my case I do have Mail::ClamAV > > % perlmodver Mail::ClamAV > Mail::ClamAV : 0.06 > > How come the emails in mqueue.in are not being processed :-( > > > -- > B.G. Mahesh > bg.mahesh@indiainfo.com > http://www.indiainfo.com/ > > -- > ______________________________________________ > IndiaInfo Mail - the free e-mail service with a difference! > www.indiainfo.com Check out our value-added Premium features, such as an > extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free > mailboxes! > > Powered by Outblaze > > > ************************************************************ > Scanned by @lantic IS Virus Control Service > This message was scanned for viruses and dangerous content. > @lantic Internet Services (Pty) Ltd. - http://www.lantic.net > eScan for Windows-based PCs - http://www.escan.co.za > > If you have received a message marked in the subject line > as [SPAM] please note that according to our MailScanner, > this message has all the attributes of Unsolicited > Commercial Email (UCE). If the message has however been > marked incorrectly, please send a query to abuse@lantic.net > ************************************************************ From jwilliams at COURTESYMORTGAGE.COM Sat Mar 6 00:06:03 2004
From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:23:08 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <6.0.0.22.0.20040227101006.030114d8@xanadu.evi-inc.com> References: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> Message-ID: <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> Hello everyone, I appreciate the replies. I'm trying to make a decision now on what I want to use. >Drawbacks: > Mailscanner - double queuing means extra disk IO. Unable to do >SMTP rejects. > > Mimedefang - Scans mail as-it-comes, so inbound rate limited by >scan rate. Hmm. Interesting. Whereas I really don't see any problem, I see a matter of personal preference. >Both tools are quite versatile and flexible and most things that one can do >the other can do just as well. > >Mimedefang's configuration is literally done with a fragment of perl code. >This means you're limited pretty much only by your perl coding ability. I understand that. If someone is not well versed in Perl, you could be 'lacking' in your ability to take full advantage of MIMEDefang. On the other hand, it could be incentive to learn Perl better. :) >MailScanner's configuration is limited to the options in the >MailScanner.conf. This makes the syntax much simpler, particularly if you >don't already know perl. There's methods of making most options into "rule >lists" of various sorts, but it's not quite as flexible as writing in perl >code. I installed Mailscanner and found all of the files that you can edit. There are indeed a lot of options. Options are good. >I've never heard of anyone using either MailScanner or Mimedefang have any >stability/reliability problems except misconfiguration or under-powered >servers. 
Not to say it hasn't happened, but it's never been anything that >caused enough commotion to catch my eye. That is understandable. Most problems are probably user end problems. The decision comes down to what I want to do. I'm going to use a Mail gateway for our company that will sit on our DMZ. It will scan all incoming mail for viruses and spam and take action accordingly. Would this pose any problems? For instance, is there any way I can set up Mailscanner to have a list of valid users to receive email for in attempts to block out some of the spam crud? How well does MS work as a mail gateway? Any known problems? What about the outgoing mail part? I appreciate it. Jason From ugob at CAMO-ROUTE.COM Sat Mar 6 00:30:52 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:23:08 2006 Subject: Small problems with 4.28.5-2 Message-ID: <54C38A0B814C8E438EF73FC76F362927410983@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA] >Sent: 5 March 2004 13:39 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Small problems with 4.28.5-2 > > >I forgot to mention that when sender.filename.report.txt is being used >for zip file warnings it has a double diagnostic: > Résultats de l'antivirus: > MailScanner: Les fichiers ?.EXE? sont trop souvent infectés >par des virus (kawa-rappel.exe) > Analyse: MailScanner: Les fichiers ?.EXE? sont trop souvent >infectés par des virus (kawa-rappel.exe) > >The file contains: > Résultats de l'antivirus: > $report > >I only see a single line if there is no zip file involved. > >Denis >PS: "Analyse" is my translation for "Report". Are you sure that you don't have one line that says that it is a .exe extension (filename rule) and the other that says that it is an executable file (filetype rule), and that you have the same text for the? A sample of what I received gives that: Report: ClamAV: naked1.zip contains Worm.SomeFool.Gen-1 ClamAV: naked1.scr contains Worm.SomeFool.Gen-1 MailScanner: Windows Screensavers are often used to hide viruses (naked1.scr) No programs allowed (naked1.scr) From peter at UCGBOOK.COM Sat Mar 6 00:31:22 2004
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:08 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> References: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> Message-ID: <40491BDA.7010205@ucgbook.com> Jason Williams wrote: > I'm going to use a Mail gateway for our company that will sit on our DMZ. > It will scan all incoming mail for viruses and spam and take action > accordingly. This is what most of us use MS for. ;-) > Would this pose any problems? For instance, is there any way I can set up > Mailscanner to have a list of valid users to receive email for in attempts > to block out some of the spam crud? That's really the task of your MTA. I know Sendmail supports LDAP lookups but I think there's beta code for something similar in MS also. Some people on this list extract all addresses from Exchange and export it to a file Sendmail can check. There's all kinds of setups but you should start more basic and build on it. > How well does MS work as a mail gateway? Any known problems? What about the > outgoing mail part? I don't use MS as a gateway, I have it between my DMZ gateways and the Exchange battery but most here run MS on their gateways. It's really the MTA that is the gateway, MS doesn't care where it is placed and it doesn't touch the config of your MTA. I would recommend setting up a test system and send mail from it to a Yahoo account. That way you can test all settings and stuff. That's what I did. 
--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From hywel at BURRIS.ORG.UK Sat Mar 6 00:42:47 2004
From: hywel at BURRIS.ORG.UK (Hywel Burris)
Date: Thu Jan 12 21:23:08 2006
Subject: No subject
In-Reply-To: <6.0.1.1.2.20040305090254.03fb5218@imap.ecs.soton.ac.uk>
Message-ID: <200403060042.i260gn9a019728@mail.burris.org.uk>

I am in discussions with alt-n at the moment as they are letting bounced viruses in to us, being the spoofed recipient! Mdaemon is a good product as a MTA but it's nowhere near the quality of MailScanner for virus / spam detection...I am hoping to swap to mailscanner soon as I have been using it for a smaller organisation for a year now.

Julian any idea when the commercial product may be available?...I am asking this as I can see it being a sticking point with the company I am working for :(

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: 05 March 2004 09:06
To: MAILSCANNER@JISCMAIL.AC.UK
Subject:

At 04:07 05/03/2004, you wrote:
>Dear Julian,
>
>But i am previously use the Windows MDAEMON mail server with internal
>integrated spamassassin engine. Two things that i don't see in MS are:
>1. spam score can be placed in the subject.

Yes it can. From MailScanner.conf:

# This is the text to add to the start of the subject if the
# "Spam Modify Subject" option is set.
# The exact string "_SCORE_" will be replaced by the numeric
# SpamAssassin score.
# This can also be the filename of a ruleset.
Spam Subject Text = {Spam? _SCORE_}

>2. spam rules description can be placed beside the rules name in the mail
>headers.

Most people don't want this amount of detail (or the loss of speed that results from modifying every message body), so I chose to only include the rule names and scores, and not the long descriptions.

>For the first point, people with lots of spams can easily filter out some
>high score that are not yet qualified for the settings in the mail gateway.
>
>For the 2nd point, my customers want to be more clear about how the rules
>are running and sometimes can make more suggestions for tuning the
>spamassassin. Since i am running with many different domains and different
>users. They all want different settings.

You can specify different settings for any arbitrary groups of domains or users as you choose. See the docs about rulesets.

>How is this 2 possibility to be added to MS ? That would be great!
> >Example: >---------------- >Subject: ***SPAM*** Score/Req: 09.73/05.00 lackluster carroll > >X-Spam-Flag: YES >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) >X-Spam-Report: > * 1.5 MORTGAGE_PITCH BODY: Looks like mortgage pitch > * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > * 0.0 HTML_MESSAGE BODY: HTML included in message > * 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain > * 3.0 SUSPICIOUS_RECIPS Similar addresses in recipient list > * 4.3 SORTED_RECIPS Recipient list is sorted by address >X-Spam-Status: Yes, hits=9.7 required=5.0 tests=BIZ_TLD,HTML_MESSAGE, > MIME_HTML_ONLY,MORTGAGE_PITCH,SORTED_RECIPS,SUSPICIOUS_RECIPS > autolearn=no version=2.63 >X-Spam-Level: ********* >X-Spam-Processed: xxxxxxxxxxnet, Fri, 05 Mar 2004 12:05:32 +0800 > >------------------------------------------- > > > > >Date: Thu, 1 May 2003 16:53:52 +0100 > >Sender: MailScanner mailing list > >From: Julian Field > >Not sure if this has been addressed before, but I was wondering is it > >possible to put the spamassassin score in the subject line of tagged > >e-mail? > > > >e.g. > > > >{SPAM? email score=4.1}... > > >No it isn't I'm afraid. But the "SpamScore" header lets you indicate the > >spam score in a way that can be filtered automatically by email applications -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Sat Mar 6 00:45:59 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:08 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 In-Reply-To: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> Message-ID: <40491F47.7060001@eatathome.com.au> No Name wrote: >Hi everyone, > I have MailScanner 4.26-1 running on 4 mail servers. All servers > are Sun Workstations with 3 of them running Solaris 8 and the main > server running Solaris 9. > > I wanted to upgrade to MailScanner 4.28.5-2 that was released in > the last day but before doing that I decided to upgrade my Spamassassin. > > I was running SpamAssassin 2.61 on the Solaris 9 machine > with perl 5.6.1 and upgraded this morning to 2.63. > I downloaded the tar file and did the make and make install from > there > > Now... > 1) spamd is running (I don't know why) It never ran before > entries from the syslog say.. > >Mar 5 08:00:52 leka spamd[29851]: server started on port 48373/tcp (running >version 2.63) >Mar 5 08:00:53 leka spamd[29851]: connection from localhost [127.0.0.1] at port >62945 >Mar 5 08:00:53 leka spamd[29862]: Still running as root: user not specified >with -u, not found, or set to root. Fall back to nobody. >Mar 5 08:00:53 leka spamd[29862]: processing message ><78w08.t365th3y6x7h@yahoo.com> for root:60001. >Mar 5 08:00:53 leka spamd[29862]: identified spam (16.3/5.0) for root:60001 in >0.3 seconds, 1617 bytes. >Mar 5 08:00:53 leka spamd[29851]: server killed by SIGTERM, shutting down >Mar 5 08:01:01 leka spamd[29866]: server started on port 48373/tcp (running >version 2.63) >Mar 5 08:01:02 leka spamd[29866]: connection from localhost [127.0.0.1] at port >62949 >Mar 5 08:01:02 leka spamd[29874]: Still running as root: user not specified >with -u, not found, or set to root. Fall back to nobody. >Mar 5 08:01:02 leka spamd[29874]: checking message <9PS291LhupY> for >root:60001. 
>Mar 5 08:01:02 leka spamd[29866]: server killed by SIGTERM, shutting down >Mar 5 08:01:02 leka spamd[29874]: identified spam (14.2/5.0) for root:60001 in >0.2 seconds, 1544 bytes. >Mar 5 08:01:03 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused >Mar 5 08:01:04 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused >Mar 5 08:01:05 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused >Mar 5 08:01:06 leka spamc[29878]: [ID 473657 mail.error] connection attempt to >spamd aborted after 3 retries >Mar 5 08:01:13 leka spamd[29890]: server started on port 48373/tcp (running >version 2.63) >Mar 5 08:01:13 leka spamd[29890]: connection from localhost [127.0.0.1] at port >62956 >Mar 5 08:01:13 leka spamd[29900]: Still running as root: user not specified >with -u, not found, or set to root. Fall back to nobody. >...etc,etc,etc. > > > 2) I have no bayes databases that I can find anywhere > 3) I found in the install log that the rules were installed > in /usr/perl5/5.6.1/share/spamassassin > So I editted the MailScanner.conf file and changed the > location to that, stopped and restarted MailScanner and > now it doesn't look like spamd/spamc are running. > > Did I go wrong in the make of Spamassassin? Can I uninstall it? > I don't know how to uninstall a perl module. > Don't want to upgrade to the new MailScanner until I know this is > working. I haven't had any problems in the past. 
> >Aloha, Sharon > >*=============================================================* >| UH/SOEST-Research Computer Fac vox: (808) 956-2616 | >| 1680 East West Rd- POST820 email: stahl@soest.hawaii.edu | >| Honolulu, Hi 96822 fax: (808) 956-5154 | >*=============================================================* > > > > > I recently upgraded from 2.6 to 2.63 and i noticed (after reading this) that spamd is running too - i had 2.6 running, downloaded the source for 2.63 did perl Makefile/PL, make, make install - thats it. I have RH9 [root@mail01 root]# perl -V Summary of my perl5 (revision 5.0 version 8 subversion 0) root 7456 0.0 0.0 23600 4 ? S Mar05 0:12 /usr/bin/perl -T -w ../spamd/spamd -x -D -p 48373 -C log/test_rules_copy --siteconfigpath log/localrules.tmp -L -m1 root 16404 0.0 0.1 1496 452 pts/0 S 11:47 0:00 grep -i spam Since i have had a battle keeping this machine scanning mail lately, i will wait to hear from more people before i make any changes - but should this process be running? Is there something i should disable? [root@mail01 root]# cat /var/log/maillog | grep -i spamd Mar 5 01:40:27 mail01 spamc[6955]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused Mar 5 01:40:28 mail01 spamc[6955]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused Mar 5 01:40:29 mail01 spamc[6955]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Mar 5 01:40:30 mail01 spamc[6955]: connection attempt to spamd aborted after 3 retries Mar 5 01:40:51 mail01 spamd[6990]: server started on port 48373/tcp (running version 2.63) Mar 5 01:40:53 mail01 spamd[6990]: connection from localhost.localdomain [127.0.0.1] at port 32797 Mar 5 01:40:53 mail01 spamd[7168]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:40:54 mail01 spamd[7168]: processing message <78w08.t365th3y6x7h@yahoo.com> for root:99. 
Mar 5 01:40:54 mail01 spamd[7168]: identified spam (16.3/5.0) for root:99 in 0.9 seconds, 1617 bytes. Mar 5 01:40:54 mail01 spamd[6990]: server killed by SIGTERM, shutting down Mar 5 01:41:09 mail01 spamd[7177]: server started on port 48373/tcp (running version 2.63) Mar 5 01:41:11 mail01 spamd[7177]: connection from localhost.localdomain [127.0.0.1] at port 32798 Mar 5 01:41:11 mail01 spamd[7208]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:41:12 mail01 spamd[7208]: checking message <9PS291LhupY> for root:99. Mar 5 01:41:12 mail01 spamd[7208]: identified spam (14.2/5.0) for root:99 in 1.0 seconds, 1544 bytes. Mar 5 01:41:13 mail01 spamd[7177]: server killed by SIGTERM, shutting down Mar 5 01:41:14 mail01 spamc[7210]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused Mar 5 01:41:15 mail01 spamc[7210]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused Mar 5 01:41:16 mail01 spamc[7210]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Mar 5 01:41:17 mail01 spamc[7210]: connection attempt to spamd aborted after 3 retries Mar 5 01:41:32 mail01 spamd[7213]: server started on port 48373/tcp (running version 2.63) Mar 5 01:41:33 mail01 spamd[7213]: connection from localhost.localdomain [127.0.0.1] at port 32802 Mar 5 01:41:34 mail01 spamd[7222]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:41:34 mail01 spamd[7222]: checking message <9PS291LhupY> for root:99. Mar 5 01:41:34 mail01 spamd[7222]: identified spam (14.2/5.0) for root:99 in 0.8 seconds, 1544 bytes. 
Mar 5 01:41:34 mail01 spamd[7213]: server killed by SIGTERM, shutting down Mar 5 01:41:35 mail01 spamc[7250]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused Mar 5 01:41:36 mail01 spamc[7250]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused Mar 5 01:41:37 mail01 spamc[7250]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Mar 5 01:41:38 mail01 spamc[7250]: connection attempt to spamd aborted after 3 retries Mar 5 01:41:52 mail01 spamd[7272]: server started on port 48373/tcp (running version 2.63) Mar 5 01:41:54 mail01 spamd[7272]: connection from localhost.localdomain [127.0.0.1] at port 32806 Mar 5 01:41:54 mail01 spamd[7349]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:41:55 mail01 spamd[7349]: processing message <9PS291LhupY> for root:99. Mar 5 01:41:55 mail01 spamd[7349]: identified spam (14.2/5.0) for root:99 in 0.9 seconds, 1544 bytes. Mar 5 01:41:55 mail01 spamd[7272]: server killed by SIGTERM, shutting down Mar 5 01:42:10 mail01 spamd[7361]: server started on port 48373/tcp (running version 2.63) Mar 5 01:42:13 mail01 spamd[7361]: connection from localhost.localdomain [127.0.0.1] at port 32807 Mar 5 01:42:13 mail01 spamd[7401]: Using default config for testuser: log/virtualconfig/testuser/user_prefs Mar 5 01:42:13 mail01 spamd[7401]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:42:13 mail01 spamd[7401]: processing message <78w08.t365th3y6x7h@yahoo.com> for testuser:99. Mar 5 01:42:14 mail01 spamd[7401]: identified spam (17.3/5.0) for testuser:99 in 1.3 seconds, 1588 bytes. 
Mar 5 01:42:14 mail01 spamd[7361]: server killed by SIGTERM, shutting down Mar 5 01:42:28 mail01 spamd[7413]: server started on port 48373/tcp (running version 2.63) Mar 5 01:42:32 mail01 spamd[7413]: server hit by SIGHUP, restarting Mar 5 01:42:45 mail01 spamd[7413]: server started on port 48373/tcp (running version 2.63) Mar 5 01:42:45 mail01 spamd[7413]: connection from localhost.localdomain [127.0.0.1] at port 32808 Mar 5 01:42:45 mail01 spamd[7453]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody. Mar 5 01:42:45 mail01 spamd[7453]: processing message for root:99. Mar 5 01:42:45 mail01 spamd[7453]: identified spam (1000.0/5.0) for root:99 in 0.6 seconds, 387 bytes. Mar 5 01:42:46 mail01 spamd[7413]: server killed by SIGTERM, shutting down Mar 5 01:43:00 mail01 spamd[7456]: server started on port 48373/tcp (running version 2.63) From ugob at CAMO-ROUTE.COM Sat Mar 6 00:47:13 2004 
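One way to summarise spamd/spamc syslog excerpts like the ones quoted in the two posts above, as an added example that is not code from either poster or from SpamAssassin: it pairs each "server started" line with its SIGTERM, measures how long each server listened, and counts the spamc "Connection refused" lines that fall while no server was up. The function name `summarise`, the sample excerpt (constructed in the format of the quoted logs) and the year (syslog lines carry none) are assumptions.

```python
import re
from datetime import datetime

# Matches both syslog layouts quoted in the thread: the Linux form and the
# Solaris form, which adds an "[ID nnnnnn facility.level]" tag before the text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>spamd|spamc)\[(?P<pid>\d+)\]:\s+(?:\[ID \d+ \S+\]\s+)?(?P<msg>.*)$"
)
STARTED_RE = re.compile(r"server started on port (\d+)/tcp")
SCORE_RE = re.compile(r"identified spam \(([\d.]+)/[\d.]+\)")

# Constructed sample: a short excerpt in the format of the logs quoted above.
SAMPLE_LOG = """\
Mar 5 01:40:27 mail01 spamc[6955]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Mar 5 01:40:30 mail01 spamc[6955]: connection attempt to spamd aborted after 3 retries
Mar 5 01:40:51 mail01 spamd[6990]: server started on port 48373/tcp (running version 2.63)
Mar 5 01:40:53 mail01 spamd[7168]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody.
Mar 5 01:40:54 mail01 spamd[7168]: identified spam (16.3/5.0) for root:99 in 0.9 seconds, 1617 bytes.
Mar 5 01:40:54 mail01 spamd[6990]: server killed by SIGTERM, shutting down
Mar 5 01:41:09 mail01 spamd[7177]: server started on port 48373/tcp (running version 2.63)
Mar 5 01:41:13 mail01 spamd[7177]: server killed by SIGTERM, shutting down
Mar 5 01:41:14 mail01 spamc[7210]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Mar 5 01:43:00 mail01 spamd[7456]: server started on port 48373/tcp (running version 2.63)
Mar 5 08:01:03 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
"""


def summarise(lines, year=2004):
    """Return spamd server lifetimes and where spamc failures fall.

    syslog timestamps carry no year, so `year` is an assumption of the caller.
    """
    running = {}  # (host, pid) -> (port, start time) for servers now listening
    out = {"runs": [], "refused_while_down": 0, "refused_while_up": 0,
           "root_warnings": 0, "scores": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a spamd/spamc line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key, msg = (m["host"], m["pid"]), m["msg"]
        if m["prog"] == "spamc":
            if "Connection refused" in msg:
                # Was any spamd server on the same host listening at this point?
                up = any(host == m["host"] for host, _ in running)
                out["refused_while_up" if up else "refused_while_down"] += 1
            continue
        started = STARTED_RE.search(msg)
        if started:
            # A SIGHUP restart logs "server started" again under the same PID;
            # setdefault keeps the first start time in that case.
            running.setdefault(key, (int(started.group(1)), when))
        elif "server killed by SIGTERM" in msg and key in running:
            port, start = running.pop(key)
            out["runs"].append({"host": key[0], "pid": int(key[1]), "port": port,
                                "seconds": (when - start).total_seconds()})
        elif msg.startswith("Still running as root"):
            out["root_warnings"] += 1
        else:
            score = SCORE_RE.search(msg)
            if score:
                out["scores"].append(float(score.group(1)))
    # Servers never seen to stop are reported with seconds=None.
    for (host, pid), (port, _) in running.items():
        out["runs"].append({"host": host, "pid": int(pid), "port": port,
                            "seconds": None})
    return out


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for run in report["runs"]:
        print(run)
    print({k: v for k, v in report.items() if k != "runs"})
```

On the sample, both completed servers listened for only a few seconds and every refused connection falls in a gap with no server up, while one server (PID 7456) is left running.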
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:08 2006
Subject: Few general questions regarding MailScanner
Message-ID: <54C38A0B814C8E438EF73FC76F362927410984@mtlnt501fs.CAMOROUTE.COM>

>
>I'm going to use a Mail gateway for our company that will sit
>on our DMZ.
>It will scan all incoming mail for viruses and spam and take action
>accordingly.
>Would this pose any problems? For instance, is there any way I
>can set up
>Mailscanner to have a list of valid users to receive email for
>in attempts
>to block out some of the spam crud?

What do you mean, a kind of honeypot? A whitelist? A blacklist? I think it can do what you need. And if you have a great suggestion, Julian usually implements it in a timely fashion. For example, because of the new viruses, he changed the code to make MailScanner go into zip files and block password-protected zip files. This is in the new version, and, of course, configurable.

Personally, in my sendmail's access file, I refuse mail for sales@mydomain. This way, it doesn't even get to mailscanner. (Of course, sales@mydomain is not a valid address where I work, we don't sell anything.)

>
>How well does MS work as a mail gateway?

Very well. I think most of us use it as a gateway. At first, I was just looking to prevent access to my exchange machine from the internet. I got virus filtering and spam control at the same time!

>Any known problems?

There are some problems, but Julian always solves them really, really quickly. I think MailScanner is very reliable for everyone here. We all got a few config problems at the beginning, but once you understand the program's working and config options, it is a piece of cake. Of course, following what is happening on this mailing list helps you prevent situations like "ah, I needed that for the new version?". But as I said, bugs are fixed very quickly. The only thing is to make sure you have proper hardware to support it.
But, a dual xeon server can filter 1.5 million messages per day, it is not expensive. I un-retired an old PII-233 server to run MailScanner.

>What about the
>outgoing mail part?

No more problems there. Usually fewer problems, in fact, since we usually use rules that do less filtering for outgoing messages (filename, filetype, spam whitelist).

>
>I appreciate it.

hth

>
>Jason
>

Ugo

From ugob at CAMO-ROUTE.COM Sat Mar 6 00:50:15 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:08 2006
Subject: No subject
Message-ID: <54C38A0B814C8E438EF73FC76F362927410985@mtlnt501fs.CAMOROUTE.COM>

>-----Message d'origine-----
>De : Hywel Burris [mailto:hywel@BURRIS.ORG.UK]
>Envoyé : 5 mars, 2004 19:43
>À : MAILSCANNER@JISCMAIL.AC.UK
>Objet :
>
>
>I am in discussions with alt-n at the moment as they are
>letting bounced
>viruses in to us, being the spoofed recipient! Mdaemon is a
>good product as
>a MTA but it's nowhere near the quality of MailScanner for virus / spam
>detection...I am hoping to swap to mailscanner soon as I have
>been using it
>for a smaller organisation for a year now.
>
>Julian any idea when the commercial product may be
>available?...I am asking
>this I can see it being a sticking point with the company I am
>working for
>:(

See fortress systems: www.fsl.com

They sell professional support for MailScanner. The president is on this list as well.

>
>-----Original Message-----
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: 05 March 2004 09:06 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: > >At 04:07 05/03/2004, you wrote: >>Dear Julian, >> >>But i am previously use the Windows MDAEMON mail server with internal >>integrated spamassassin engine. Two things that i don't see in MS are: >>1. spam sore can be placed in the subject. > >Yes it can. From MailScanner.conf: ># This is the text to add to the start of the subject if the ># "Spam Modify Subject" option is set. ># The exact string "_SCORE_" will be replaced by the numeric ># SpamAssassin score. ># This can also be the filename of a ruleset. >Spam Subject Text = {Spam? _SCORE_} > >>2. spam rules description can be placed beside the rules name >in the mail >>headers. > >Most people don't want this amount of detail (or the loss of speed that >results from modifying every message body), so I chose to only >include the >rule names and scores, and not the long descriptions. > >>For the first point, people with lots of spams can easily >filter out some >>high score that are not yet qualified for the settings in the >mail gateway. >> >>For the 2nd point, my customers want to be more clear about >how the rules >>are running and sometimes can make more suggestions for tuning the >>spamassassin. Since i am running with many different domains >and different >>users. They all want different settings. > >You can specify different settings for any arbitrary groups of >domains or >users as you choose. See the docs about rulesets. > > >>How is this 2 possibility to be added to MS ? That would be great! 
>> >>Example: >>---------------- >>Subject: ***SPAM*** Score/Req: 09.73/05.00 lackluster carroll >> >>X-Spam-Flag: YES >>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) >>X-Spam-Report: >> * 1.5 MORTGAGE_PITCH BODY: Looks like mortgage pitch >> * 0.1 MIME_HTML_ONLY BODY: Message only has >text/html MIME parts >> * 0.0 HTML_MESSAGE BODY: HTML included in message >> * 0.8 BIZ_TLD URI: Contains a URL in the BIZ >top-level domain >> * 3.0 SUSPICIOUS_RECIPS Similar addresses in recipient list >> * 4.3 SORTED_RECIPS Recipient list is sorted by address >>X-Spam-Status: Yes, hits=9.7 required=5.0 tests=BIZ_TLD,HTML_MESSAGE, >> MIME_HTML_ONLY,MORTGAGE_PITCH,SORTED_RECIPS,SUSPICIOUS_RECIPS >> autolearn=no version=2.63 >>X-Spam-Level: ********* >>X-Spam-Processed: xxxxxxxxxxnet, Fri, 05 Mar 2004 12:05:32 +0800 >> >>------------------------------------------- >> >> >> >> >Date: Thu, 1 May 2003 16:53:52 +0100 >> >Sender: MailScanner mailing list >> >From: Julian Field >> >Not sure if this has been addressed before, but I was >wondering is it >> >possible to put the spamassassin score in the subject line of tagged >> >e-mail? >> > >> >e.g. >> > >> >{SPAM? email score=4.1}... >> >> >No it isn't I'm afraid. But the "SpamScore" header lets you >indicate the >> >spam score in a way that can be filtered automatically by email >applications > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mikes at HARTWELLCORP.COM Sat Mar 6 00:57:45 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:23:08 2006
Subject: perl error when installing Mail::ClamAV
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D47@hart-exchange.hartwellcorp.com>

When I try to use CPAN to install the Mail:ClamAV module I am getting the following error:

Can't locate Inline/MakeMaker.pm in @INC

I tried using the Update-MakeMaker script but to no avail.

--
Michael St. Laurent
Hartwell Corporation

From pete at eatathome.com.au Sat Mar 6 01:12:42 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:08 2006
Subject: perl error when installing Mail::ClamAV
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D47@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D47@hart-exchange.hartwellcorp.com>
Message-ID: <4049258A.5020202@eatathome.com.au>

Michael St. Laurent wrote:

>When I try to use CPAN to install the Mail:ClamAV module I am getting the
>following error:
>
>Can't locate Inline/MakeMaker.pm in @INC
>
>I tried using the Update-MakeMaker script but to no avail.
>
>--
>Michael St. Laurent
>Hartwell Corporation
>

Have you tried installing via cpan?

#perl -MCPAN -e shell
cpan>install Inline::MakeMaker

From danielk at AVALONPUB.COM Sat Mar 6 01:50:36 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:23:08 2006
Subject: Maximum Archive Depth documentation (don't set it to -1)
Message-ID: <40492E6C.7090501@avalonpub.com>

I followed the "conversation" between Julian and Richard Lynch regarding not allowing password protected zips, but also not checking zips with the filename rules (the setup I'm aiming for). It was mentioned that setting the Maximum Archive Depth to 0 or -1 would disable the filename checks, but still block password protected zips. Ummm, don't set it to -1. That caused all mail to be rejected as dangerous content (and set off a nasty loop because of the admin notification emails also getting rejected). 0 seems to work as designed.

Perhaps the comments in MailScanner.conf could be updated to reflect this configuration option so that people know what to do.

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
# To disable this feature set this to 0.
Maximum Archive Depth = 0

Daniel

From rich at MAIL.WVNET.EDU Sat Mar 6 02:19:08 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:23:08 2006 Subject: Maximum Archive Depth documentation (don't set it to -1) In-Reply-To: <40492E6C.7090501@avalonpub.com> References: <40492E6C.7090501@avalonpub.com> Message-ID: <4049351C.7090404@mail.wvnet.edu> Daniel Kleinsinger wrote: > I followed the "conversation" between Julian and Richard Lynch regarding > not allowing password protected zips, but also not checking zips with > the filename rules (the setup I'm aiming for). It was mentioned that > setting the Maximum Archive Depth to 0 or -1 would disable the filename > checks, but still block password protected zips. Ummm, don't set it to > -1. That caused all mail to be rejected as dangerous content (and set > off a nasty loop because of the admin notification emails also getting > rejected). 0 seems to work as designed. > > Perhaps the comments in MailScanner.conf could be updated to reflect > this configuration option so that people know what to do. > # The maximum depth to which zip archives will be unpacked, to allow for > # checking filenames and filetypes within zip archives. > # To disable this feature set this to 0. > Maximum Archive Depth = 0 > > Daniel FWIW, in a followup Julian did specifically state to set the option to 0 to disable internal file checks not -1. Quoting Julian... >I have also added a check so that if you set the max nesting depth to 0 but >still ban password-protected zip files, then the attachments are checked >for password-protected zips without the other rules being enforced on the >contents of the zip files. It will only check the first level of nesting >though, as it obviously can't check a zip file it has been asked not to >unpack or create in the first place. The comment you suggest wouldn't hurt though. -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From Denis.Beauchemin at USHERBROOKE.CA Sat Mar 6 04:14:25 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:23:08 2006
Subject: Small problems with 4.28.5-2
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410983@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410983@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <40495021.9040905@USherbrooke.ca>

Ugo Bellavance wrote:

>>-----Message d'origine-----
>>De : Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
>>Envoyé : 5 mars, 2004 13:39
>>À : MAILSCANNER@JISCMAIL.AC.UK
>>Objet : Re: Small problems with 4.28.5-2
>>
>>
>>I forgot to mention that when sender.filename.report.txt is being used
>>for zip file warnings it has a double diagnostic:
>>    Résultats de l'antivirus:
>>    MailScanner: Les fichiers «.EXE» sont trop souvent infectés
>>par des virus (kawa-rappel.exe)
>>    Analyse: MailScanner: Les fichiers «.EXE» sont trop souvent
>>infectés par des virus (kawa-rappel.exe)
>>
>>The file contains:
>>    Résultats de l'antivirus:
>>    $report
>>
>>I only see a single line if there is no zip file involved.
>>
>>Denis
>>PS: "Analyse" is my translation for "Report".
>>
>>
>
>
>Are you sure that you don't have one line that says that it is a .exe extension (filename rule) and the other that says that it is an executable file (filetype rule), and that you have the same text for the?
>
>A sample of what I received gives that:
>
>    Report: ClamAV: naked1.zip contains Worm.SomeFool.Gen-1
>            ClamAV: naked1.scr contains Worm.SomeFool.Gen-1
>            MailScanner: Windows Screensavers are often used to hide viruses (naked1.scr)
>            No programs allowed (naked1.scr)
>
>
>

Ugo,

No, I don't use filetype tests... just filename ones.

Denis

From pete at eatathome.com.au Sat Mar 6 05:24:48 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:08 2006
Subject: MailScanner 4.26-1/ SpamAssassin2.63
In-Reply-To: <40491F47.7060001@eatathome.com.au>
References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> <40491F47.7060001@eatathome.com.au>
Message-ID: <404960A0.8080308@eatathome.com.au>

I guess then it's just a matter of removing the spamassassin script in /etc/init.d/ and the K30spamassassin in /etc/rc3.d ?

>
>
>

From apostolus at BLUEYONDER.CO.UK Sat Mar 6 08:40:44 2004
From: apostolus at BLUEYONDER.CO.UK (No Name)
Date: Thu Jan 12 21:23:08 2006
Subject: mailscanner 4.14-9 UPGRADE ASSISTANCE PLEASE
Message-ID: <200403060840.i268ei010176@server.martindominic.com>

> Hi there
>
> I've been running SuSE 7.2 happily now for a couple of years with
> mailscanner 4.14-9 doing everything i need it to do with f-prot virus
> checking and spamassassin chipping in too.. I've read some posts that
> intimate I would need to upgrade my OS before upgrading Mailscanner. If
> this
> is true, what would be the primary benefits for so doing..
>
> many thanks
> apost
>
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
> Mailscanner thanks Transtec Computers for their support.

From pete at eatathome.com.au Sat Mar 6 09:27:06 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:08 2006
Subject: mailscanner 4.14-9 UPGRADE ASSISTANCE PLEASE
In-Reply-To: <200403060840.i268ei010176@server.martindominic.com>
References: <200403060840.i268ei010176@server.martindominic.com>
Message-ID: <4049996A.3010400@eatathome.com.au>

No Name wrote:

>>Hi there
>>
>>I've been running SuSE 7.2 happily now for a couple of years with
>>mailscanner 4.14-9 doing everything i need it to do with f-prot virus
>>checking and spamassassin chipping in too.. I've read some posts that
>>intimate I would need to upgrade my OS before upgrading Mailscanner. If
>>this
>>is true, what would be the primary benefits for so doing..
>>
>>many thanks
>>apost
>>
>>
>>--
>>This message has been scanned for viruses and dangerous
>>content by MailScanner, and is believed to be clean.
>>Mailscanner thanks Transtec Computers for their support.
>>

Doesn't MS upgrade the components it uses? Maybe the MTA and perl version being important as well? Be careful if your current volumes/setup is already at the processing limits for your hardware, upgrading to latest release MAY max your machine out.

From lele at PROFIM.FLORIDA.IT Sat Mar 6 09:45:46 2004
From: lele at PROFIM.FLORIDA.IT (Emanuele Salvador) Date: Thu Jan 12 21:23:08 2006 Subject: F-secure-wrapper not working Message-ID: <0B92E136-6F53-11D8-ABE4-003065B74B5E@profim.florida.it> I recently upgraded MS to 4.28.5-2 and I'm running F-Secure 4.15, along with McAfee. It seems that f-secure-wrapper is not working since I cannot see the tags "Report: F-Secure: " on infected messages. Running the wrapper from command line gives a /bin/fsav: No such file or directory. The old wrapper, from cmd line, gives the version of fsav. When run from MS, it gives: Either you've found a bug in MailScanner's F-Secure output parser, or F-Secure output format has changed! Any help or suggestion greatly appreciated. Thanks, Emanuele Salvador "The stars are matter, we're matter. But it doesn't matter." - Don Van Vliet - From mailscanner at ecs.soton.ac.uk Sat Mar 6 09:46:40 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: Small problems with 4.28.5-2 In-Reply-To: <1078511544.22219.93.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078511544.22219.93.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <6.0.1.1.2.20040306094427.03ad0008@imap.ecs.soton.ac.uk> At 18:32 05/03/2004, you wrote: >Julian, > >I have been testing this release a bit more and I found the following >problems: > >- it doesn't sign the message if a filename check kicks in (I discovered >this using a zip file but it does the same with a plain exe); maybe this >is a design decision? Behaviour by design. The option is called "Sign Clean Messages" and won't sign messages which have been modified by MailScanner. You don't want to send out a "This message is known to be clean" on the bottom of a message which contained a virus. >- on the inline sig subject: I can't put accented characters in there >because I can't trust the message charset to display them OK (I think >the only solution would be to put the sig in an attachment) You should be able to put all the encoding strings into the subject. You can't put them in the subject unless you correctly encode them. >- the whole zip file is quarantined if it contains an offending file >name; I thought you just removed the offending part from the zip file... No, I don't modify the zip file. That is seriously hard work and not worth the effort. >That's it for now. Nothing to prevent me from going in production >though. Good! :) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Sat Mar 6 10:37:03 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:08 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> References: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> Message-ID: <1078569426.2329.8.camel@bach.kevinspicer.co.uk> On Sat, 2004-03-06 at 00:06, Jason Williams wrote: > Would this pose any problems? For instance, is there any way I can set up > Mailscanner to have a list of valid users to receive email for in attempts > to block out some of the spam crud? Yes, there's a number of ways - for one see my FAQ entry http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/270.html (It relates to exchange, but the sendmail part and general principles could easily be adapted for other setups.) > How well does MS work as a mail gateway? Very well indeed > Any known problems? If you understand and accept the limitation of the two queue approach vs milter then pretty much all problems are fixed by Julian almost as soon as they are reported. The responsiveness of the developer is one of MailScanner's strongest points. > What about the > outgoing mail part? MailScanner doesn't really distinguish between incoming and outgoing mail (it's just mail passing through), if you want to make a distinction then you use the powerful rulesets feature to achieve it. I initially thought this was a problem (when we moved from MS 3 to MS 4) but with hindsight I realise just how much more powerful the new approach is. 
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at MANGO.ZW Sat Mar 6 11:33:15 2004 
From: mailscanner at MANGO.ZW (Jim Holland) Date: Thu Jan 12 21:23:08 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> Message-ID: Hi On Fri, 5 Mar 2004, Jason Williams wrote: > >Drawbacks: > > Mailscanner - double queuing means extra disk IO. Unable to do > >SMTP rejects. I thought that this was going to be a major drawback, as we have previously been using a dnsbl that blocked at the SMTP level and I liked the fact that it meant the spammers were told we were a no-go area. However the effect of that was not to make them go away, but just to try harder - they would try sending the same message from numerous different servers. So the disadvantage in wasting bandwidth by accepting spam is partially overcome by the advantage that the spammers don't make numerous attempts to send the same message in order to try to force it through. The fact that spam is quarantined also offers the benefit that a more aggressive level of blocking can be used knowing that the recipients can still ask for mail to be released if genuine mail has been blocked. This does assume that there is a system of notification to users - we do this with a single daily compilation of blocked messages. Finally - there is nothing to stop you continuing to block at the SMTP level using the facilities of your MTA (eg the access file if you use sendmail). Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:08:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: splitting messages/duplicate messages - was Re: Upgrade Oddity - In-Reply-To: <4048CFD1.9060106@pacific.net> References: <4048CFD1.9060106@pacific.net> Message-ID: <6.0.1.1.2.20040306110750.03d4c330@imap.ecs.soton.ac.uk> Some good ideas in there... At 19:06 05/03/2004, you wrote: >References: ><9BDD6D4AD0795C46974D7D46C17883B809FC3C13@ahm_exchange2.americanhm.com> ><4048BDB9.8060203@pacific.net> <2D63C1DA-6ED4-11D8-B24D-003065F939FE@ucsc.edu> >In-Reply-To: <2D63C1DA-6ED4-11D8-B24D-003065F939FE@ucsc.edu> >Content-Type: text/plain; charset=us-ascii; format=flowed >Content-Transfer-Encoding: 7bit >X-Scanned-By: MIMEDefang 2.38 > > >I was referring to the explosion of message parts, not archives. > >I'd like to see a setting for max part explosion too, or something like >that, though I'm not sure exactly how all the code in Message.pm works, >so it's a bit unclear to me if that's possible or a good idea. > >Our problem is compounded by the fact that we split recipients in >sendmail, so if a message comes in with 10 recipients, it's split into >10 messages. If it also contains 5 poorly formed mime parts, MailScanner >4.26.7+ will split it up again. So we end up passing 5 parts of 1 >message to SpamAssassin 10 times = 50x. :-( > >It would be nice if there was a way for SA to checksum a message, store >it's SA score and apply that score to subsequent duplicate copies that >pass through SA within a limited amount of time. This would help with >dictionary attacks too. > >Anyone working on such a thing? >Does it make sense? >Thanks, > >Ken A. >Pacific.Net > > >John Rudd wrote: > > > On Mar 5, 2004, at 9:49 AM, Ken Anderson (Pacific Internet) wrote: > > > >> We process about 3x the amount of mail on a similar machine, and are > >> unable to run 4.26.8-1. Changes in Message.pm, particularly in it's > >> expansion of message parts make it slower than previous versions. 
It's > >> much better at detecting viruses hidden in poorly formed mime parts, so > >> it's a problem I'm hoping for a solution to as well. > > > > > > Does it help if you set the maximum archive depth to 0, or are you not > > talking about expansion of archives, but expansion of something else? > > > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:31:29 2004 
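Ken's suggestion in the message above (checksum a message, keep its SpamAssassin score, and reuse it for duplicate copies seen within a limited time) can be sketched as follows. This is an added example in Python, not MailScanner or SpamAssassin code; the scorer is a stand-in function, and the addresses, message bodies and TTL are constructed for the demonstration.

```python
import hashlib
import re
import time

_HEADER_END = re.compile(rb"\r?\n\r?\n")


def body_digest(raw_message: bytes) -> str:
    """Digest of the body only: per-recipient copies differ in their headers."""
    parts = _HEADER_END.split(raw_message, maxsplit=1)
    body = parts[1] if len(parts) == 2 else raw_message
    return hashlib.sha256(body.replace(b"\r\n", b"\n")).hexdigest()


class ScoreCache:
    """Remember one spam score per body digest for ttl_seconds.

    Trade-off (assumption of this sketch): only byte-identical bodies hit the
    cache, and any rule that depends on headers or on the recipient is
    evaluated for the first copy only.
    """

    def __init__(self, scorer, ttl_seconds=300.0, max_entries=10000,
                 clock=time.monotonic):
        self._scorer = scorer
        self._ttl = ttl_seconds
        self._max = max_entries
        self._clock = clock
        self._entries = {}  # digest -> (stored_at, score), oldest first
        self.hits = 0
        self.misses = 0

    def _evict(self, now):
        # Drop expired entries, then the oldest ones if the cache is full.
        expired = [k for k, (t, _) in self._entries.items()
                   if now - t >= self._ttl]
        for key in expired:
            del self._entries[key]
        while len(self._entries) >= self._max:
            del self._entries[next(iter(self._entries))]

    def score(self, raw_message: bytes) -> float:
        key = body_digest(raw_message)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[0] < self._ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        value = self._scorer(raw_message)
        self._entries.pop(key, None)
        self._evict(now)
        self._entries[key] = (now, value)
        return value


class FakeClock:
    """Manually advanced clock so the demo does not have to sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def make_copy(recipient: str, body: bytes) -> bytes:
    # Constructed sample: one copy per recipient, as produced by MTA splitting.
    return (b"From: sender@example.com\r\nTo: " + recipient.encode()
            + b"\r\nSubject: constructed sample\r\n\r\n" + body)


def run_demo():
    calls = []

    def slow_scorer(raw):  # stand-in for an expensive SpamAssassin run
        calls.append(1)
        return 24.0 if b"pills" in raw else 0.5

    clock = FakeClock()
    cache = ScoreCache(slow_scorer, ttl_seconds=300, clock=clock)
    body = b"Cheap pills, constructed sample body.\r\n"
    scores = [cache.score(make_copy("user%d@example.org" % i, body))
              for i in range(10)]
    after_split = len(calls)            # ten copies, one scorer run
    cache.score(make_copy("user0@example.org", body + b"x"))
    after_variant = len(calls)          # a changed body is scored again
    clock.now = 301.0
    cache.score(make_copy("user0@example.org", body))
    after_expiry = len(calls)           # the entry has aged out
    return scores, after_split, after_variant, after_expiry, cache.hits


if __name__ == "__main__":
    print(run_demo())
```
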
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: Maximum Archive Depth documentation (don't set it to -1) In-Reply-To: <40492E6C.7090501@avalonpub.com> References: <40492E6C.7090501@avalonpub.com> Message-ID: <6.0.1.1.2.20040306113118.039f33c8@imap.ecs.soton.ac.uk> Added for the next release. Thanks for that. At 01:50 06/03/2004, you wrote: >I followed the "conversation" between Julian and Richard Lynch regarding >not allowing password protected zips, but also not checking zips with >the filename rules (the setup I'm aiming for). It was mentioned that >setting the Maximum Archive Depth to 0 or -1 would disable the filename >checks, but still block password protected zips. Ummm, don't set it to >-1. That caused all mail to be rejected as dangerous content (and set >off a nasty loop because of the admin notification emails also getting >rejected). 0 seems to work as designed. > >Perhaps the comments in MailScanner.conf could be updated to reflect >this configuration option so that people know what to do. ># The maximum depth to which zip archives will be unpacked, to allow for ># checking filenames and filetypes within zip archives. ># To disable this feature set this to 0. >Maximum Archive Depth = 0 > >Daniel -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:16:27 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: Calling all translators (Japanese, UTF-8) In-Reply-To: References: Message-ID: <6.0.1.1.2.20040306111546.03aea950@imap.ecs.soton.ac.uk> Is there a chance you could translate all the report files and languages.conf into Japanese for me please? Always keen to support more languages! Thanks. At 22:08 05/03/2004, you wrote: >Okay, last time. Forgot to force UTF-8 on the last one. Sorry! > >======= > > > It's translation time again. I would like you all to translate these > > strings into your language of choice. They are used when unreadable or > > protected archives and zip files are found. > > > > Message contained archive which could not be read > >?????????????????????????????????????????????????????????????????? > > > Message contained password-protected archive > >????????????????????????????????????????????????????????????????????? > >The charset encoding used in the previous message I sent appears to have >been mangled in transit. Using UTF-8 this time. Also tweaked the text itself >a bit. Replace previous strings with this version. > >Justin -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:25:32 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: No subject In-Reply-To: <200403060042.i260gn9a019728@mail.burris.org.uk> References: <6.0.1.1.2.20040305090254.03fb5218@imap.ecs.soton.ac.uk> <200403060042.i260gn9a019728@mail.burris.org.uk> Message-ID: <6.0.1.1.2.20040306112456.039f5398@imap.ecs.soton.ac.uk> At 00:42 06/03/2004, you wrote: >I am in discussions with alt-n at the moment as they are letting bounced >viruses in to us, being the spoofed recipient! Mdaemon is a good product as >a MTA but its no where near the quality of MailScanner for virus / spam >detection...I am hoping to swap to mailscanner soon as I have been using it >for a smaller organisation for a year now. > >Julian any idea when the commercial product may be available?... Within the next month or so. Contact Steve.Swaney@fsl.com for more information. >I am asking >this I can see it being a sticking point with the company I am working for >:( > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: 05 March 2004 09:06 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: > >At 04:07 05/03/2004, you wrote: > >Dear Julian, > > > >But i am previously use the Windows MDAEMON mail server with internal > >integrated spamassassin engine. Two things that i don't see in MS are: > >1. spam score can be placed in the subject. > >Yes it can. From MailScanner.conf: ># This is the text to add to the start of the subject if the ># "Spam Modify Subject" option is set. ># The exact string "_SCORE_" will be replaced by the numeric ># SpamAssassin score. ># This can also be the filename of a ruleset. >Spam Subject Text = {Spam? _SCORE_} > > >2. spam rules description can be placed beside the rules name in the mail > >headers. > >Most people don't want this amount of detail (or the loss of speed that >results from modifying every message body), so I chose to only include the >rule names and scores, and not the long descriptions. > > >For the first point, people with lots of spams can easily filter out some > >high score that are not yet qualified for the settings in the mail gateway. > > > >For the 2nd point, my customers want to be more clear about how the rules > >are running and sometimes can make more suggestions for tuning the > >spamassassin. Since i am running with many different domains and different > >users. They all want different settings. > >You can specify different settings for any arbitrary groups of domains or >users as you choose. See the docs about rulesets. > > > >How is this 2 possibility to be added to MS ? That would be great! 
> > > >Example: > >---------------- > >Subject: ***SPAM*** Score/Req: 09.73/05.00 lackluster carroll > > > >X-Spam-Flag: YES > >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) > >X-Spam-Report: > > * 1.5 MORTGAGE_PITCH BODY: Looks like mortgage pitch > > * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > > * 0.0 HTML_MESSAGE BODY: HTML included in message > > * 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain > > * 3.0 SUSPICIOUS_RECIPS Similar addresses in recipient list > > * 4.3 SORTED_RECIPS Recipient list is sorted by address > >X-Spam-Status: Yes, hits=9.7 required=5.0 tests=BIZ_TLD,HTML_MESSAGE, > > MIME_HTML_ONLY,MORTGAGE_PITCH,SORTED_RECIPS,SUSPICIOUS_RECIPS > > autolearn=no version=2.63 > >X-Spam-Level: ********* > >X-Spam-Processed: xxxxxxxxxxnet, Fri, 05 Mar 2004 12:05:32 +0800 > > > >------------------------------------------- > > > > > > > > >Date: Thu, 1 May 2003 16:53:52 +0100 > > >Sender: MailScanner mailing list > > >From: Julian Field > > >Not sure if this has been addressed before, but I was wondering is it > > >possible to put the spamassassin score in the subject line of tagged > > >e-mail? > > > > > >e.g. > > > > > >{SPAM? email score=4.1}... > > > > >No it isn't I'm afraid. But the "SpamScore" header lets you indicate the > > >spam score in a way that can be filtered automatically by email >applications > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:28:12 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 In-Reply-To: <40491F47.7060001@eatathome.com.au> References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> <40491F47.7060001@eatathome.com.au> Message-ID: <6.0.1.1.2.20040306112608.03b1ddf0@imap.ecs.soton.ac.uk> MailScanner doesn't use spamd at all, it does it faster than that. However, it looks like something in your mail setup is calling spamc. You need to find and stop that first. Grep all your sendmail and procmail files for "spamc" and stop it being called. Then kill off spamd and stop it from being restarted when your system boots. At 00:45 06/03/2004, you wrote: >No Name wrote: > >>Hi everyone, >> I have MailScanner 4.26-1 running on 4 mail servers. All servers >> are Sun Workstations with 3 of them running Solaris 8 and the main >> server running Solaris 9. >> >> I wanted to upgrade to MailScanner 4.28.5-2 that was released in >> the last day but before doing that I decided to upgrade my Spamassassin. >> >> I was running SpamAssassin 2.61 on the Solaris 9 machine >> with perl 5.6.1 and upgraded this morning to 2.63. >> I downloaded the tar file and did the make and make install from >> there >> >> Now... >> 1) spamd is running (I don't know why) It never ran before >> entries from the syslog say.. >> >>Mar 5 08:00:52 leka spamd[29851]: server started on port 48373/tcp (running >>version 2.63) >>Mar 5 08:00:53 leka spamd[29851]: connection from localhost [127.0.0.1] >>at port >>62945 >>Mar 5 08:00:53 leka spamd[29862]: Still running as root: user not specified >>with -u, not found, or set to root. Fall back to nobody. >>Mar 5 08:00:53 leka spamd[29862]: processing message >><78w08.t365th3y6x7h@yahoo.com> for root:60001. >>Mar 5 08:00:53 leka spamd[29862]: identified spam (16.3/5.0) for >>root:60001 in >>0.3 seconds, 1617 bytes. 
>>Mar 5 08:00:53 leka spamd[29851]: server killed by SIGTERM, shutting down >>Mar 5 08:01:01 leka spamd[29866]: server started on port 48373/tcp (running >>version 2.63) >>Mar 5 08:01:02 leka spamd[29866]: connection from localhost [127.0.0.1] >>at port >>62949 >>Mar 5 08:01:02 leka spamd[29874]: Still running as root: user not specified >>with -u, not found, or set to root. Fall back to nobody. >>Mar 5 08:01:02 leka spamd[29874]: checking message <9PS291LhupY> for >>root:60001. >>Mar 5 08:01:02 leka spamd[29866]: server killed by SIGTERM, shutting down >>Mar 5 08:01:02 leka spamd[29874]: identified spam (14.2/5.0) for >>root:60001 in >>0.2 seconds, 1544 bytes. >>Mar 5 08:01:03 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >>spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused >>Mar 5 08:01:04 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >>spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused >>Mar 5 08:01:05 leka spamc[29878]: [ID 990649 mail.error] connect(AF_INET) to >>spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused >>Mar 5 08:01:06 leka spamc[29878]: [ID 473657 mail.error] connection >>attempt to >>spamd aborted after 3 retries >>Mar 5 08:01:13 leka spamd[29890]: server started on port 48373/tcp (running >>version 2.63) >>Mar 5 08:01:13 leka spamd[29890]: connection from localhost [127.0.0.1] >>at port >>62956 >>Mar 5 08:01:13 leka spamd[29900]: Still running as root: user not specified >>with -u, not found, or set to root. Fall back to nobody. >>...etc,etc,etc. >> >> >> 2) I have no bayes databases that I can find anywhere >> 3) I found in the install log that the rules were installed >> in /usr/perl5/5.6.1/share/spamassassin >> So I editted the MailScanner.conf file and changed the >> location to that, stopped and restarted MailScanner and >> now it doesn't look like spamd/spamc are running. >> >>Did I go wrong in the make of Spamassassin? Can I uninstall it? 
>>I don't know how to uninstall a perl module. >>Don't want to upgrade to the new MailScanner until I know this is >>working. I haven't had any problems in the past. >> >>Aloha, Sharon >> >>*=============================================================* >>| UH/SOEST-Research Computer Fac vox: (808) 956-2616 | >>| 1680 East West Rd- POST820 email: stahl@soest.hawaii.edu | >>| Honolulu, Hi 96822 fax: (808) 956-5154 | >>*=============================================================* >> >> >> >> >I recently upgraded from 2.6 to 2.63 and i noticed (after reading this) >that spamd is running too - i had 2.6 running, downloaded the source for >2.63 did perl Makefile/PL, make, make install - thats it. I have RH9 >[root@mail01 root]# perl -V >Summary of my perl5 (revision 5.0 version 8 subversion 0) > >root 7456 0.0 0.0 23600 4 ? S Mar05 0:12 >/usr/bin/perl -T -w ../spamd/spamd -x -D -p 48373 -C log/test_rules_copy >--siteconfigpath log/localrules.tmp -L -m1 >root 16404 0.0 0.1 1496 452 pts/0 S 11:47 0:00 grep -i spam > >Since i have had a battle keeping this machine scanning mail lately, i >will wait to hear from more people before i make any changes - but >should this process be running? Is there something i should disable? 
> >[root@mail01 root]# cat /var/log/maillog | grep -i spamd 
>Mar 5 01:42:46 mail01 spamd[7413]: server killed by SIGTERM, shutting down >Mar 5 01:43:00 mail01 spamd[7456]: server started on port 48373/tcp >(running version 2.63) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:06:58 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: Blacklist entry question In-Reply-To: <004501c402e4$551735c0$4c01a8c0@cnpapers.net> References: <004501c402e4$551735c0$4c01a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20040306110549.03d0bf80@imap.ecs.soton.ac.uk> At 19:01 05/03/2004, you wrote: >I find that the blacklist (spam.blacklist.rules) is one of the most >effective solutions for efficiency using MailScanner. I have two small >questions about the blacklist and its entries. > >Since I don't get any SA scores from blacklisted entries, can I assume that >this (blacklisting) is one of the first things performed by MS, and that by >using it, it eliminates email faster. It will stop it running any of the "Spam List" or SpamAssassin checks, unless you have told it to always include the spamassassin report. >I get mail from xxx1.yyy, xxx2.yyy and xxx3.yyy. I want to blacklist it. Do >I need to add 3 entries, or can I use something like xxx[1-3].yyy? Probably better to do /xxx[1-3]\.yyy/ >Thanks so much for this beautiful piece of software Glad you like it! > and any time anyone can >supply to this question. > >Steve Campbell >campbell@cnpapers.com >Charleston Newspapers -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:09:10 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: F-prot update In-Reply-To: References: <6.0.1.1.2.20040305134258.03f17e10@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040306110818.03d0b920@imap.ecs.soton.ac.uk> At 19:12 05/03/2004, you wrote: >On Fri, 5 Mar 2004, Julian Field wrote: > > At 13:27 05/03/2004, you wrote: > > >I guess the f-prot update will mean more changes to MailScanner > > I'm not going to rush out a new release for that, as MailScanner now > > performs filename checks on the contents of Zip files anyway, even if they > > are password-protected. > > So it doesn't really give you very much extra value when used within > > MailScanner. > >f-prot doesnt actually unzip the file and check it, it just adds new >heuristics for filename size and extension. > >It would be nice if mailscanner could deal with password protected >archives by extracting the password from the mail body... That's a natural language parsing problem, which is incredibly difficult to do with any reliability. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:18:20 2004 
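Filename checks still work on password-protected zips, as Julian says above, because a standard zip encrypts member data while the member names stay readable in the central directory. The following is an added example in Python, not MailScanner's own code; the deny patterns and the sample archive are constructed, and the sample is only flagged as encrypted (its data is not really encrypted), which is enough for a check that reads metadata only.

```python
import io
import re
import struct
import zipfile

# Constructed deny patterns for illustration; not MailScanner's shipped rules.
DENY_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"\.exe$", r"\.scr$", r"\.pif$")]

ENCRYPTED_BIT = 0x0001  # general-purpose flag bit 0: member data is encrypted


def inspect_zip(data: bytes) -> dict:
    """Classify a zip attachment from its central directory alone.

    No member is decompressed or decrypted, so the result is the same
    whether or not a password would be needed to read the contents.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
    except zipfile.BadZipFile:
        # Corresponds to "Message contained archive which could not be read".
        return {"unreadable": True, "password_protected": False,
                "denied_names": []}
    return {
        "unreadable": False,
        # Corresponds to "Message contained password-protected archive".
        "password_protected": any(m.flag_bits & ENCRYPTED_BIT for m in members),
        "denied_names": [m.filename for m in members
                         if any(p.search(m.filename) for p in DENY_PATTERNS)],
    }


def make_sample(password_protected: bool) -> bytes:
    """Build a constructed two-member zip in memory.

    Python's zipfile cannot write encrypted members, so for the protected
    variant the encryption flag is set by hand in each central-directory
    header. The member data itself stays as stored.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("readme.txt", b"constructed sample text")
        archive.writestr("invoice.exe", b"constructed bytes, not a program")
    data = bytearray(buf.getvalue())
    if password_protected:
        # End-of-central-directory record: entry count at +10, offset at +16.
        eocd = data.rfind(b"PK\x05\x06")
        total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
        for _ in range(total):
            flags, = struct.unpack_from("<H", data, pos + 8)
            struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED_BIT)
            name_len, extra_len, comment_len = struct.unpack_from(
                "<HHH", data, pos + 28)
            pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain", make_sample(False)),
                        ("protected", make_sample(True)),
                        ("garbage", b"this is not a zip archive")):
        print(label, inspect_zip(blob))
```
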
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <4048FB7B.10308@fractalweb.com> References: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> <4048FB7B.10308@fractalweb.com> Message-ID: <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk> And then the virus writers counter it by adding "For extra security, I typed the password backwards". And then you have to try every word backwards as well. It's an arms race you can't possibly win, so there's no point fighting the battle. At 22:13 05/03/2004, you wrote: >Bart, > >This is a very interesting idea. I'm not sure how much extra overhead >this would cause for MailScanner though. It's almost like you'd have to >spawn a separate process to attempt to decrypt the zip...and somehow >pass all the words to try. > >I'll follow this thread to see what other ideas people come up with. > >Cheers, >Chris > >MailScanner wrote: > >>MS could check the body of the message and try all words within ten words >>of 'password' to unlock the encrypted zip file, plus all phrases in the >>filename of the attachment. E.g. phrases like 'The password for this zip >>file is abracadabra' or 'use abracadabra when prompted for a password' >>will allow it to crack the zip. >> >>This would expose the cleartext virus code which may still change, but AV >>software has been able to deal with morphing viruses for a while now. >> >>Even if the contents of the zip were benign, we could still >>block/quarantine the message as 'uselessly encrypted zip file' since the >>only point in sending a encrypted file and its key in the same message is >>to bypass automated scanning. >> >>Bart... >> -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:05:08 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: 4.28.5-2 and zip files In-Reply-To: References: <1078503470.22219.53.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20040305162413.039b4de0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040306110448.03a55478@imap.ecs.soton.ac.uk> At 18:34 05/03/2004, you wrote: >On Mar 5, 2004, at 8:24 AM, Julian Field wrote: >>> >>>FromOrTo: 132.210.x.y yes >> >>You can't match a "To" address that is an IP number as you don't know >>the destination IP address until after you have delivered the message. >>You can only use "From" with IP addresses. > >As a point of clarification (I've had this question for a while, and >just seems to fit now), when you match from on an IP address, it's not >actually related to the From address (as in, a DNS lookup of the email >address), it's the MTA's relay (the $_ in sendmail-ese) right? Correct. >Which leads me to another question: does mailscanner lose anything if >the $_ only has the IP address and not the hostname? No. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:24:25 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: Few general questions regarding MailScanner In-Reply-To: <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com > References: <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com > <5.2.1.1.0.20040225163716.02cda248@pop.courtesymortgage.com> <5.2.1.1.0.20040226134556.00a94c58@pop.courtesymortgage.com> <5.2.1.1.0.20040305155441.02b911d8@pop.courtesymortgage.com> Message-ID: <6.0.1.1.2.20040306112001.039c48f8@imap.ecs.soton.ac.uk> At 00:06 06/03/2004, you wrote: >Hello everyone, > >I appreciate the replies. I'm trying to make a decision now on what I want >to use. > >>Drawbacks: >> Mailscanner - double queuing means extra disk IO. Not true. With sendmail and Exim the message body files are moved between the queues using hard links and are not actually copied at all. No extra disk IO. >>Both tools are quite versatile and flexible and most things that one can do >>the other can do just as well. >> >>Mimedefang's configuration is literally done with a fragment of perl code. >>This means you're limited pretty much only by your perl coding ability. > >I understand that. If someone is not well versed in Perl, you could be >'lacking' in your ability to take full advantage of MIMEDefang. On the >other hand, it could be incentive to learn Perl better. :) In MailScanner, you only have to resort to writing any code if the ruleset system cannot already do exactly what you need. And hardly anyone has found a need to do this. >>MailScanner's configuration is limited to the options in the >>MailScanner.conf. This makes the syntax much simpler, particularly if you >>don't already know perl. There's methods of making most options into "rule >>lists" of various sorts, but it's not quite as flexible as writing in perl >>code. > >I installed Mailscanner and found all of the files that you can edit. 
There >are indeed a lot of options. Options are good. But you can arbitrarily complex rulesets for each option. And if a ruleset can't do what you want, you can just write a simple little "Custom Function" in Perl to calculate the value of the option for each message. So that's not actually true either. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:32:20 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 In-Reply-To: <404960A0.8080308@eatathome.com.au> References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> <40491F47.7060001@eatathome.com.au> <404960A0.8080308@eatathome.com.au> Message-ID: <6.0.1.1.2.20040306113151.03a11e80@imap.ecs.soton.ac.uk> At 05:24 06/03/2004, you wrote: >I guess then its just a matter of removing the spamassassin script in >/etc/init.d/ and the K30spamassassin in /etc/rc3.d ? Yes, but make sure you have nothing calling spamc. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:11:30 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: notification feature suggestion In-Reply-To: <20040305193024.GA16036@mailgate.peterli.com> References: <20040305193024.GA16036@mailgate.peterli.com> Message-ID: <6.0.1.1.2.20040306110949.0398d8a0@imap.ecs.soton.ac.uk> I'll have a think about that next week. No promises. After last week I am trying to take it easy this weekend and not do too much. Fell asleep half-way through eating dinner last night, woke up with a mouthful of food. Get the feeling my brain is trying to tell me something :-) At 19:30 05/03/2004, you wrote: >Hi, > >In dealing with the current virus outbreak, I've been thinking about a >feature that I really miss from my old days with Amavis-ng. I currently >have MailScanner sending notices to the system administrator > (Send Notices = yes) >every time it finds a virus, which is helpful in my case. >What I miss from Amavis is that the notification doesn't say what >actually happened to the message - e.g. "QUARANTINED and NOT DELIVERED", >or "DELIVERED TO xxxxx@example.com", or "DELETED", or "CLEANED and >DELIVERED", etc. > >With the many possibilities for rulesets affecting what happens to a >message, it can be confusing to see "file.exe contains worm.something" >but not know whether the message was delivered, not delivered, quarantined, >attachment file.exe removed, etc. In other words - what MailScanner did >to the message. Currently there's no way that I know of to get this >information. Am I missing something, or could this feature be added? > >Thanks. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:35:45 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: F-secure-wrapper not working In-Reply-To: <0B92E136-6F53-11D8-ABE4-003065B74B5E@profim.florida.it> References: <0B92E136-6F53-11D8-ABE4-003065B74B5E@profim.florida.it> Message-ID: <6.0.1.1.2.20040306113327.03d48f78@imap.ecs.soton.ac.uk> The first command-line parameter to the -wrapper script is the installation directory of the virus scanner. Take a look in /etc/MailScanner/virus.scanners.conf and ensure it says the correct path for your installation of F-Secure. I would suspect that is what is wrong. Also make sure that there isn't an f-secure-wrapper.rpmnew as that will need to be renamed over the top of your current f-secure-wrapper file (in /usr/MailScanner/lib). This is all described at the top of the downloads page on the MailScanner web site. At 09:45 06/03/2004, you wrote: >I recently upgraded MS to 4.28.5-2 and I'm running F-Secure 4.15, along >with McAfee. >It seems that f-secure-wrapper is not working since I cannot see the >tags "Report: F-Secure: " on infected messages. >Running the wrapper from command line gives a /bin/fsav: No such file or >directory. >The old wrapper, from cmd line, gives the version of fsav. When run from >MS, it gives: Either you've found a bug in MailScanner's F-Secure output >parser, or F-Secure output format has changed! > >Any help or suggestion greatly appreciated. > >Thanks, >Emanuele Salvador > >"The stars are matter, we're matter. But it doesn't matter." > >- Don Van Vliet - > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 11:13:01 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: MCP Problem In-Reply-To: <4048D9B8.2090209@hnm.de> References: <4048D9B8.2090209@hnm.de> Message-ID: <6.0.1.1.2.20040306111220.03af3ae0@imap.ecs.soton.ac.uk> At 19:49 05/03/2004, you wrote: >Hello, > >i have installed MCP Checker. These Checker works fine, but didn?t mark >any message as Spam or will made any changes to Subject or so on. > >Need Help. How can i mark these messages in the subject? What are your MCP settings? MCP isn't designed to do minor things like tag the Subject: line, it's intended to do things like block the message entirely. >Thank you all. > > >Here is one forwared Message, that you can see MCP is working: > >-------- Original-Nachricht -------- >From: - Fri Mar 05 20:33:21 2004 >X-UIDL: 3fd6d57a000039da >X-Mozilla-Status: 0001 >X-Mozilla-Status2: 00000000 >Return-Path: >Received: from mailgate5.cinetic.de (mailgate5.cinetic.de >[217.72.192.165]) by hnm.de (8.11.6/8.11.6) with ESMTP id i25JSsM02376 >for ; Fri, 5 Mar 2004 20:28:54 +0100 >Received: from web.de (fmomail02.dlan.cinetic.de [172.20.1.46]) by >mailgate5.cinetic.de (8.11.6p2/8.11.2/SuSE Linux 8.11.0-0.4) with SMTP >id i25JSoQ17250 for gercke@hnm.de; Fri, 5 Mar 2004 20:28:50 +0100 >Date: Fri, 5 Mar 2004 20:28:50 +0100 >Message-Id: <200403051928.i25JSoQ17250@mailgate5.cinetic.de> >MIME-Version: 1.0 
>From: Daniel Gercke >To: gercke@hnm.de >Subject: Vigara >Precedence: fm-user >Organization: http://freemail.web.de/ >Content-Type: text/html; charset="iso-8859-1" >Content-Transfer-Encoding: 7bit >X-HNM-MailScanner-Information: Um mehr Informationen zu erhalten >kontaktieren Sie hostmaster@hnm.de >X-HNM-MailScanner: Found to be clean >X-MailScanner-MCPCheck: MCP, MCP-Checker (Wertung=7.495, benoetigt 1, >BODY_VIAGRA_TYPO 7.50) >X-HNM-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=4.7, >benoetigt 5, HTML_70_80 0.10, HTML_IMAGE_ONLY_02 2.24, HTML_MESSAGE >0.00, MIME_HTML_ONLY 0.10, RCVD_IN_BL_SPAMCOP_NET 2.25) >X-HNM-MailScanner-SpamScore: ssss >X-MailScanner-From: ****** >Status: > > > >-- >Diese Nachricht wurde auf Viren und andere gefaerliche Inhalte untersucht >und ist - aktuelle Virenscanner vorausgesetzt - sauber. >MailScanner dankt transtec fur die freundliche Unterstutzung. > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From spamtrap71892316634 at ANIME.NET Sat Mar 6 11:43:03 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:08 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk> Message-ID: On Sat, 6 Mar 2004, Julian Field wrote: > And then the virus writers counter it by adding "For extra security, I > typed the password backwards". And then you have to try every word > backwards as well. It's an arms race you can't possibly win, so there's > no point fighting the battle. Youve just argued mailscanner into oblivion then, because mailscanner is just an arms race too. -Dan From spamtrap71892316634 at ANIME.NET Sat Mar 6 11:44:39 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:08 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk> Message-ID: On Sat, 6 Mar 2004, Julian Field wrote: > And then the virus writers counter it by adding "For extra security, I > typed the password backwards". And then you have to try every word > backwards as well. It's an arms race you can't possibly win, so there's no > point fighting the battle. I guess this means we shouldnt even bother trying to spamfilter either, since we will never win. -Dan From spamtrap71892316634 at ANIME.NET Sat Mar 6 11:48:23 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:08 2006 Subject: F-prot update In-Reply-To: <6.0.1.1.2.20040306110818.03d0b920@imap.ecs.soton.ac.uk> Message-ID: On Sat, 6 Mar 2004, Julian Field wrote: > At 19:12 05/03/2004, you wrote: > >On Fri, 5 Mar 2004, Julian Field wrote: > > > At 13:27 05/03/2004, you wrote: > > > >I guess the f-prot update will mean more changes to MailScanner > > > I'm not going to rush out a new release for that, as MailScanner now > > > performs filename checks on the contents of Zip files anyway, even if they > > > are password-protected. > > > So it doesn't really give you very much extra value when used within > > > MailScanner. > >f-prot doesnt actually unzip the file and check it, it just adds new > >heuristics for filename size and extension. > >It would be nice if mailscanner could deal with password protected > >archives by extracting the password from the mail body... > That's a natural language parsing problem, which is incredibly difficult to > do with any reliability. Except that all the known viruses so far use known static phrases. Theres a limit to how much phrases could be 'randomized' before they become incomprehensible to the intended target. Parsing static phrases for passwords would be useful right now, and for the short term future. Various virus filtering software does it already (mailscanner alas is one that does not). No, it isnt perfect forever but that doesnt make it completely useless or even impractical. -Dan From mailscanner at ecs.soton.ac.uk Sat Mar 6 12:15:24 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: F-prot update In-Reply-To: References: <6.0.1.1.2.20040306110818.03d0b920@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040306121408.0395ee80@imap.ecs.soton.ac.uk> At 11:48 06/03/2004, you wrote: >On Sat, 6 Mar 2004, Julian Field wrote: > > At 19:12 05/03/2004, you wrote: > > >On Fri, 5 Mar 2004, Julian Field wrote: > > > > At 13:27 05/03/2004, you wrote: > > > > >I guess the f-prot update will mean more changes to MailScanner > > > > I'm not going to rush out a new release for that, as MailScanner now > > > > performs filename checks on the contents of Zip files anyway, even > if they > > > > are password-protected. > > > > So it doesn't really give you very much extra value when used within > > > > MailScanner. > > >f-prot doesnt actually unzip the file and check it, it just adds new > > >heuristics for filename size and extension. > > >It would be nice if mailscanner could deal with password protected > > >archives by extracting the password from the mail body... > > That's a natural language parsing problem, which is incredibly difficult to > > do with any reliability. > >Except that all the known viruses so far use known static phrases. Theres >a limit to how much phrases could be 'randomized' before they become >incomprehensible to the intended target. > >Parsing static phrases for passwords would be useful right now, and for >the short term future. Various virus filtering software does it already >(mailscanner alas is one that does not). No, it isnt perfect forever but >that doesnt make it completely useless or even impractical. The problem is that the virus writers can produced a hundred different strings every day. You have to start using an engine like SpamAssassin to try to find them, wherever you can have hundreds of rules and give each word a probability of being the password. Big problem. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Mar 6 12:13:57 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:08 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: References: <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040306121344.03a867e8@imap.ecs.soton.ac.uk> At 11:43 06/03/2004, you wrote: >On Sat, 6 Mar 2004, Julian Field wrote: > > And then the virus writers counter it by adding "For extra security, I > > typed the password backwards". And then you have to try every word > > backwards as well. It's an arms race you can't possibly win, so there's > > no point fighting the battle. > >Youve just argued mailscanner into oblivion then, because mailscanner is >just an arms race too. Indeed. Nothing is forever. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shrek-m at GMX.DE Sat Mar 6 12:19:23 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:23:08 2006
Subject: McAfee PROBLEM !!! (solved)
In-Reply-To: <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk>
References: <58696C94787F16468267F3509F115030983E@hermes.clumpton.homeip.net> <4048FB7B.10308@fractalweb.com> <6.0.1.1.2.20040306111718.03a7ec48@imap.ecs.soton.ac.uk>
Message-ID: <4049C1CB.2010809@gmx.de>

Julian Field wrote:
> And then the virus writers counter it by adding "For extra security, I
> typed the password backwards". And then you have to try every word
> backwards as well. It's an arms race you can't possibly win, so
> there's no
> point fighting the battle.

or:
- type the password in one word: p a s s w o r d
- take the first character of each line:
  pub
  all
  support
  support
  word
  order
  remember
  delete
- increasing the mail with garbage
- ...

--
shrek-m

From rcooper at DWFORD.COM Sat Mar 6 12:26:40 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:08 2006
Subject: F-prot update
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dan Hollis > Sent: Saturday, March 06, 2004 6:48 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: F-prot update > > > On Sat, 6 Mar 2004, Julian Field wrote: > > At 19:12 05/03/2004, you wrote: > > >On Fri, 5 Mar 2004, Julian Field wrote: > > > > At 13:27 05/03/2004, you wrote: > > > > >I guess the f-prot update will mean more > changes to MailScanner > > > > I'm not going to rush out a new release for > that, as MailScanner now > > > > performs filename checks on the contents of Zip > files anyway, even if they > > > > are password-protected. > > > > So it doesn't really give you very much extra > value when used within > > > > MailScanner. > > >f-prot doesnt actually unzip the file and check it, > it just adds new > > >heuristics for filename size and extension. > > >It would be nice if mailscanner could deal with > password protected > > >archives by extracting the password from the mail body... > > That's a natural language parsing problem, which is > incredibly difficult to > > do with any reliability. > > Except that all the known viruses so far use known > static phrases. Theres > a limit to how much phrases could be 'randomized' > before they become > incomprehensible to the intended target. > > Parsing static phrases for passwords would be useful > right now, and for > the short term future. Various virus filtering > software does it already > (mailscanner alas is one that does not). No, it isnt > perfect forever but > that doesnt make it completely useless or even impractical. > It would take about a day for the virus authors to start embedding small .gif or .jpg inlines that are random sized with random passwords in random places with random nulls and padding. It would be difficult even for SA to catch something like that because the image/text ratio would be small, no static strings and a common element in ham. What then? ban all inline images? 
Then there is the old trick of having a readme type file in the archive that is not password protected and contains the password information so you have to look for that too. Not to mention resource usage. I feel for the ISPs who do not have control of their user policies (like no password protected zips) but there is a limit to how much MailScanner should try to do. Look at the problems some larger sites are having with resources since Julian made the mime parsing more robust, and now you have MS trying to find figure out how a virus author is trying to obfuscate a password. It's a question of how much is too much. MS is not the only player in the virus/spam game. I actually have seen little in terms of viruses because they are generally not very rfc compliant so they are stopped in the smtp session. When Netsky, Bagle, and MyDoom came around I saw/see little of the actual virus in my logs what I saw a huge increase in helo rejects because the host name was not FQDN ( a lot of names like SAM, or Bill, or SERVER), or no Message-Id, etc. The MTA can stop a lot of both spam and viruses if you just work on your access lists a bit (which is a very easy thing with exim's acls). Most of the viruses that actually make it past the RFC checks come from MTAs bouncing the full message back to the innocent user from whence they *think* it came. Julian is right on this. My 2 cents From pete at eatathome.com.au Sat Mar 6 12:28:21 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:08 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 In-Reply-To: <6.0.1.1.2.20040306113151.03a11e80@imap.ecs.soton.ac.uk> References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> <40491F47.7060001@eatathome.com.au> <404960A0.8080308@eatathome.com.au> <6.0.1.1.2.20040306113151.03a11e80@imap.ecs.soton.ac.uk> Message-ID: <4049C3E5.9070601@eatathome.com.au> Julian Field wrote: > At 05:24 06/03/2004, you wrote: > >> I guess then its just a matter of removing the spamassassin script in >> /etc/init.d/ and the K30spamassassin in /etc/rc3.d ? > > > Yes, but make sure you have nothing calling spamc. Thanks, was nice to work something out for self for once :) Will this be something that will come often for others non guru users? Or is it tested for during MS installation, but i may have installed SA after i installed MS? Is it possible this would cause loads of problems if its running? From spamtrap71892316634 at ANIME.NET Sat Mar 6 13:01:48 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:08 2006 Subject: F-prot update In-Reply-To: <6.0.1.1.2.20040306121408.0395ee80@imap.ecs.soton.ac.uk> Message-ID: On Sat, 6 Mar 2004, Julian Field wrote: > The problem is that the virus writers can produced a hundred different > strings every day. You have to start using an engine like SpamAssassin to > try to find them, wherever you can have hundreds of rules and give each > word a probability of being the password. Big problem. You can't get them all, so why bother getting any? An awfully fatalistic approach to filtering abuse. If everyone took this attitude toward filtering, there wouldnt be any spamassassin or mcafee or kapersky or clamav. Rather than being preoccupied with what hypothetical "might happen" tomorrow and giving up immediately before even starting -- why not focus on what we _can_ catch, right now, today, this very instant, that would generate positive results stemming the _current_ avalanche of abuse? Or am I the only one who sees benefits in effort to mitigate _current_ abuse? -Dan From peter at UCGBOOK.COM Sat Mar 6 13:02:12 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:08 2006 Subject: F-prot update In-Reply-To: References: Message-ID: <4049CBD4.3000108@ucgbook.com> Dan Hollis wrote: > Except that all the known viruses so far use known static phrases. Theres > a limit to how much phrases could be 'randomized' before they become > incomprehensible to the intended target. > > Parsing static phrases for passwords would be useful right now, and for > the short term future. Various virus filtering software does it already > (mailscanner alas is one that does not). No, it isnt perfect forever but > that doesnt make it completely useless or even impractical. Mail systems should keep mail flowing. Stopping to try to crack passwords would impair mail flow a lot. MailScanner shouldn't keep trying hard with anything that is meant to obstruct mail flow, it should just make quick decisions whether it's good or bad mail and get on with it. It's fine if it can quarantine this type of mail. Then you can run a cracker on the quarantined files trying to parse them for passwords and enter them, if you find the correct one you can reenter it in the queue. Judging from all the request about quarantined password protected zip I have received (0/zero) I wouldn't bother writing such a script since I can easily handle the load manually. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From spamtrap71892316634 at ANIME.NET Sat Mar 6 13:10:59 2004 
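An added example, not code from MailScanner or from anyone in this thread: it shows why filename checks still work on a password-protected zip (member names and the encryption flag sit in the cleartext central directory) and how the quarantine decisions discussed above could be made without trying any password. The deny-list, the verdict names and the sample archives are constructed assumptions.

```python
import io
import re
import zipfile

# Constructed deny-list for illustration; not MailScanner's own filename rules.
BANNED_NAME = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)
PASSWORD_HINT = re.compile(r"\bpass(word|phrase)?\b", re.IGNORECASE)
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general purpose flag: member is encrypted


def inspect_zip(data):
    """Return (all member names, encrypted member names) without a password.

    Names and flag bits are read from the zip central directory. Ordinary
    zip encryption protects member data only, so this listing is readable.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    return names, encrypted


def triage(body, attachment):
    """Return (verdict, reason) for one zip attachment and the message body."""
    try:
        names, encrypted = inspect_zip(attachment)
    except zipfile.BadZipFile:
        return ("quarantine", "unreadable zip")
    banned = [n for n in names if BANNED_NAME.search(n)]
    if banned:
        # Filename policy applies whether or not the member is encrypted.
        return ("block", "banned filename: " + ", ".join(banned))
    if encrypted and PASSWORD_HINT.search(body):
        # The "key sent with the lock" case raised earlier in the thread.
        return ("quarantine", "encrypted zip with password hint in body")
    if encrypted:
        return ("quarantine", "encrypted zip, contents not scanned")
    return ("pass", "no encrypted members, names acceptable")


def build_sample(members, mark_encrypted=False):
    """Build a constructed zip in memory for the demonstration.

    With mark_encrypted, the encryption flag is set in every central
    directory record to stand in for a password-protected archive; the
    payload itself is not encrypted, which is enough for metadata checks.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        pos = raw.find(b"PK\x01\x02")  # central directory record signature
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED_FLAG  # low byte of the flags field
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    payload = b"constructed sample bytes"
    cases = [
        ("The password for this zip file is abracadabra",
         build_sample({"details.txt.exe": payload}, mark_encrypted=True)),
        ("use abracadabra when prompted for a password",
         build_sample({"notes.txt": payload}, mark_encrypted=True)),
        ("see attached", build_sample({"notes.txt": payload})),
        ("see attached", b"not a zip"),
    ]
    for body, attachment in cases:
        print(triage(body, attachment))
```
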
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: <4049CBD4.3000108@ucgbook.com> Message-ID: On Sat, 6 Mar 2004, Peter Bonivart wrote: > Judging from all the request about quarantined password protected zip I > have received (0/zero) I wouldn't bother writing such a script since I > can easily handle the load manually. Situation is slightly different at ISP with 100,000 customers. -Dan From garry at GLENDOWN.DE Sat Mar 6 13:18:52 2004 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: References: Message-ID: <4049CFBC.2020404@glendown.de> Dan Hollis wrote: > On Sat, 6 Mar 2004, Peter Bonivart wrote: > >>Judging from all the request about quarantined password protected zip I >>have received (0/zero) I wouldn't bother writing such a script since I >>can easily handle the load manually. > > > Situation is slightly different at ISP with 100,000 customers. I posted a script a while back, PHP, for downloading any quarantined attachments ... small, no hassle for the admin, though of course the customers will need to make sure they know what they are doing when downloading the files ... -gg From spamtrap71892316634 at ANIME.NET Sat Mar 6 12:54:05 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: Message-ID: On Sat, 6 Mar 2004, Rick Cooper wrote: > virus in my logs what I saw a huge increase in helo rejects > because the host name was not FQDN such rejection are RFC violation. > ( a lot of names like SAM, or > Bill, or SERVER), or no Message-Id, etc. The MTA can stop a lot > of both spam and viruses if you just work on your access lists a your MTA is non RFC compliant in this case. -Dan From peter at UCGBOOK.COM Sat Mar 6 13:28:35 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: References: Message-ID: <4049D203.7060100@ucgbook.com> Dan Hollis wrote: > On Sat, 6 Mar 2004, Peter Bonivart wrote: > >>Mail systems should keep mail flowing. Stopping to try to crack >>passwords would impair mail flow a lot. > > More than say, the heuristics and checks done by virus scanners on files? > Or calls to spamassassin? Yes, of course because there's no telling when/if it finishes. >>MailScanner shouldn't keep trying hard with anything that is meant to >>obstruct mail flow, it should just make quick decisions whether it's >>good or bad mail and get on with it. > > Is a callout to a virus scanner and/or spamassassin "quick decision" > compared to trying 1 or 2 passwords on an encrypted zipfile? 1 or 2? People have already explained to you just a few of the variations that easily could be deployed. If you think that parsing for "Password: 12345" is enough you're really naive. > I really think you overstate the case of testing passwords on encrypted > zipfiles. I think you don't understand the basic concept of modularized design where each part does one task really well. As I suggested earlier, you can add the functionality you want, but it's not the job of MS. You just want it to be because it's convenient for you and you have no clue implementing a solution yourself. I'm out of this now. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From spamtrap71892316634 at ANIME.NET Sat Mar 6 13:15:36 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: <4049CBD4.3000108@ucgbook.com> Message-ID: On Sat, 6 Mar 2004, Peter Bonivart wrote: > Mail systems should keep mail flowing. Stopping to try to crack > passwords would impair mail flow a lot. More than say, the heuristics and checks done by virus scanners on files? Or calls to spamassassin? > MailScanner shouldn't keep trying hard with anything that is meant to > obstruct mail flow, it should just make quick decisions whether it's > good or bad mail and get on with it. Is a callout to a virus scanner and/or spamassassin "quick decision" compared to trying 1 or 2 passwords on an encrypted zipfile? I really think you overstate the case of testing passwords on encrypted zipfiles. -Dan From maillists at CONACTIVE.COM Sat Mar 6 13:31:32 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: References: Message-ID: Rick Cooper wrote on Sat, 6 Mar 2004 07:26:40 -0500: > It's a question of how much is too much. MS is not the only > player in the virus/spam game. I actually have seen little in > terms of viruses because they are generally not very rfc > compliant so they are stopped in the smtp session. When Netsky, > Bagle, and MyDoom came around I saw/see little of the actual > virus in my logs what I saw a huge increase in helo rejects > because the host name was not FQDN ( a lot of names like SAM, or > Bill, or SERVER), or no Message-Id, etc. The MTA can stop a lot > of both spam and viruses if you just work on your access lists a > bit (which is a very easy thing with exim's acls). > Indeed, with a little help from RBLs at MTA level, your own access list specializing in dialup/dynamic ranges and HELO checking you reject almost all worms (and a lot of spam as well) already at MTA level. At the moment we need to process only about 10-40% of the mail we get (depending on how active some mailing lists are :-) because all the rest is bounced. Almost no viruses seen. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From rcooper at DWFORD.COM Sat Mar 6 13:47:45 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dan Hollis > Sent: Saturday, March 06, 2004 7:54 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: F-prot update > > > On Sat, 6 Mar 2004, Rick Cooper wrote: > > virus in my logs what I saw a huge increase in helo rejects > > because the host name was not FQDN > > such rejection are RFC violation. > > > ( a lot of names like SAM, or > > Bill, or SERVER), or no Message-Id, etc. The MTA can > stop a lot > > of both spam and viruses if you just work on your > access lists a > > your MTA is non RFC compliant in this case. > I realize rfcs state that you should not reject based on bogus (e)helo arguments, however they also state if you do not have a meaningful (fqdn) name you should use and address literal. I accept address literals I do not accept ehlo bill. I also have a program that uses exim's run expansion that will automatically add (for a dynamically defined time period) the connecting host to our iptables firewall rules. This of course means that host cannot send to postmaster, or from <> and that also breaks rfcs. As I said earlier I feel for ISPs because neither of these situations would be correct for them. Our corporate servers make every effort to be outbound compliant but inbound is based on our policies and when it comes to inbound connections in many cases I read SHOULD as MUST. When I add a host to the firewall because they (e)helo'd as a machine within one of our domains and they are not or they used our mail server's address as their ip literal or they have just attempted to deliver a virus I am breaking rfcs for sure but no MTA that was used for genuine mail purposes would do these things (when I add hosts sending a virus to the firewall I exclude bounces) but I have not, as of yet, found a case where I was rejecting a valid mail. 
For instance, before adding the deny for FQDN I used a warn so I could look at what was being delivered by hosts that did not use FQDN or ip literal and the vast majority ended up dropped at the virus scanning stage, and what was left ended up spam. Outbound I follow the rfcs and inbound I expect the same, even if it means breaking an rfc that ignorantly requires you accept a mail connection from a host that is either badly configured or outright non-compliant. Heck, how many people reject mail if the host is listed in a DUL? The ip literal portion of rfc2821 specifically states this applies to hosts with dynamic ip addresses or addresses without PTR records. That would implicitly imply that mail from hosts with dynamic ip addresses is certainly allowed and it is local policy that dictates they are dropped, which is fine by me even though I don't use DUL blocking myself. BTW: when I do reject based on something like (e)helo the reject message states the reason so the admin is aware of why and it can be corrected. Rick From mailscanner at ecs.soton.ac.uk Sat Mar 6 14:46:42 2004
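The inbound HELO policy Rick Cooper describes in the message above, sketched in Perl as an added example; it is not his exim configuration and not code from this thread. The domains, addresses and sessions are constructed placeholders, and printable, check_helo and smtp_reply are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed site data (documentation names and addresses, not from the thread).
my %SITE = (
    domains => [ 'example.com', 'example.net' ],
    mta_ips => { '192.0.2.10' => 1, '192.0.2.11' => 1 },
);

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
my $LABEL = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
my $FQDN  = qr/^(?:$LABEL\.)+[A-Za-z]{2,63}\.?$/;
my $IPV4  = qr/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/;

# The HELO argument is attacker-controlled: make it safe to log or echo back.
sub printable {
    my ($text) = @_;
    $text =~ s/[^\x21-\x7e]/?/g;
    return substr($text, 0, 64);
}

# Classify a HELO/EHLO argument from the host at $peer.
# Returns (verdict, reason); verdict is 'accept', 'reject' or 'block', where
# 'block' marks the cases the message treats as grounds for a firewall entry.
sub check_helo {
    my ($helo, $peer, $site) = @_;
    $helo = '' unless defined $helo;
    my $peer_is_ours = $site->{mta_ips}{$peer};

    # IPv4 address literal, e.g. [198.51.100.9]
    if ($helo =~ /^\[$IPV4\]$/) {
        my @octets = ($1, $2, $3, $4);
        return ('reject', 'address literal has an octet above 255')
            if grep { $_ > 255 } @octets;
        my $literal = join '.', map { $_ + 0 } @octets;
        return ('block', "HELO claims our own address [$literal]")
            if $site->{mta_ips}{$literal} && !$peer_is_ours;
        return ('accept', 'address literal');
    }
    # IPv6 literals are accepted on syntax only in this example.
    return ('accept', 'IPv6 address literal')
        if $helo =~ /^\[IPv6:[0-9A-Fa-f:.]+\]$/;

    return ('reject', 'bare IP address, use an address literal in brackets')
        if $helo =~ /^$IPV4$/;
    return ('reject', 'HELO name "' . printable($helo) . '" is not fully qualified')
        unless $helo =~ $FQDN;

    # A fully qualified name inside one of our domains, from a host that is
    # not one of our own mail servers.
    (my $name = lc $helo) =~ s/\.$//;
    for my $domain (@{ $site->{domains} }) {
        return ('block', "HELO claims a host in our domain $domain")
            if ($name eq $domain || $name =~ /\.\Q$domain\E$/) && !$peer_is_ours;
    }
    return ('accept', 'fully qualified name');
}

# SMTP reply for a verdict. In 'warn' mode nothing is refused and the verdict
# is only logged, so a rule can be observed before it is switched to 'deny'.
# The refusal text carries the reason so the remote admin can correct it.
sub smtp_reply {
    my ($verdict, $reason, $mode) = @_;
    return '250 OK' if $verdict eq 'accept' || $mode eq 'warn';
    return "550 HELO rejected: $reason";
}

# Constructed sessions: [peer address, HELO argument].
my @sessions = (
    [ '198.51.100.7',  'SERVER' ],
    [ '198.51.100.8',  'bill' ],
    [ '198.51.100.9',  '[198.51.100.9]' ],
    [ '198.51.100.10', 'mail.example.org' ],
    [ '198.51.100.11', 'mx1.example.com' ],
    [ '198.51.100.12', '[192.0.2.10]' ],
    [ '192.0.2.10',    'mx1.example.com' ],
    [ '198.51.100.13', '203.0.113.5' ],
);

for my $mode ('warn', 'deny') {
    print "mode=$mode\n";
    for my $session (@sessions) {
        my ($peer, $helo) = @$session;
        my ($verdict, $reason) = check_helo($helo, $peer, \%SITE);
        printf "  %-14s %-18s %-7s %s (%s)\n", $peer, $helo, $verdict,
            smtp_reply($verdict, $reason, $mode), $reason;
    }
}
```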
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:09 2006 Subject: MailScanner 4.26-1/ SpamAssassin2.63 In-Reply-To: <4049C3E5.9070601@eatathome.com.au> References: <200403052121.i25LL5Sh016532@leka.soest.hawaii.edu> <40491F47.7060001@eatathome.com.au> <404960A0.8080308@eatathome.com.au> <6.0.1.1.2.20040306113151.03a11e80@imap.ecs.soton.ac.uk> <4049C3E5.9070601@eatathome.com.au> Message-ID: <6.0.1.1.2.20040306144541.0395e508@imap.ecs.soton.ac.uk> At 12:28 06/03/2004, you wrote: >Julian Field wrote: > >>At 05:24 06/03/2004, you wrote: >> >>>I guess then its just a matter of removing the spamassassin script in >>>/etc/init.d/ and the K30spamassassin in /etc/rc3.d ? >> >> >>Yes, but make sure you have nothing calling spamc. > >Thanks, was nice to work something out for self for once :) >Will this be something that will come often for others non guru users? >Or is it tested for during MS installation, but i may have installed SA >after i installed MS? >Is it possible this would cause loads of problems if its running? Running spamd when you don't need to wastes a bit of swap but shouldn't waste anything else. It's not important as it should just sit there forever waiting for a connection, during which it is not doing anything. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rich at MAIL.WVNET.EDU Sat Mar 6 15:25:09 2004 
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: References: Message-ID: <4049ED55.6060107@mail.wvnet.edu> Dan Hollis wrote: >On Sat, 6 Mar 2004, Julian Field wrote: > > >>The problem is that the virus writers can produce a hundred different >>strings every day. You have to start using an engine like SpamAssassin to >>try to find them, wherever you can have hundreds of rules and give each >>word a probability of being the password. Big problem. >> >> > >You can't get them all, so why bother getting any? > >An awfully fatalistic approach to filtering abuse. If everyone took this >attitude toward filtering, there wouldn't be any spamassassin or mcafee or >kaspersky or clamav. > >Rather than being preoccupied with what hypothetical "might happen" tomorrow >and giving up immediately before even starting -- why not focus on what we >_can_ catch, right now, today, this very instant, that would generate >positive results stemming the _current_ avalanche of abuse? > >Or am I the only one who sees benefits in effort to mitigate _current_ >abuse? > >-Dan > > It comes down to anticipated returns on investment. You think it's worth it, others (including myself) do not. We've put a permanent ban on password protected zip files here because their integrity cannot be assured -- that's not going to change. There are better ways of transmitting sensitive data. Playing games with sifting for passwords is a losing proposition and not worth the time or effort. Admittedly, it's a judgment call and one that you'll not likely find 100% agreement on but I, for one, agree with it. The argument -- why bother doing any virus scanning or spam filtering at all -- is unreasonable and over the top. The issue remains, is what you're specifically suggesting worth doing? My personal conclusion is no. -- Richard E.
Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From mailscanner at ecs.soton.ac.uk Sat Mar 6 16:02:43 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:09 2006 Subject: Download rate Message-ID: <6.0.1.1.2.20040306160036.03f7dea0@imap.ecs.soton.ac.uk> 4.28.5-2 seems to be shifting pretty fast. When I went home yesterday, it had averaged 1 download every 18 seconds all day. Quite a rate! Let us all hope (and pray as applicable) for a slightly quieter time next week. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From evertjan at VANRAMSELAAR.NL Sat Mar 6 16:06:54 2004 
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:23:09 2006 Subject: Download rate In-Reply-To: <6.0.1.1.2.20040306160036.03f7dea0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040306160036.03f7dea0@imap.ecs.soton.ac.uk> Message-ID: <4049F71E.9070506@vanramselaar.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field shared the following on 06-03-04 17:02: | 4.28.5-2 seems to be shifting pretty fast. When I went home yesterday, it | had averaged 1 download every 18 seconds all day. Quite a rate! Guilty as charged! I was one of those downloaders. :o) Installing it went smoothly. Great job again Julian! Although you are entitled to get some welldeserved rest, I sure hope you will keep up the good work! - -- ~ Evert Jan van Ramselaar ~ Van Ramselaar Info Tech Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key. Key fingerprint = 4F2A 56C4 F9C3 FA36 3ED8 DEC8 B50C D425 1202 DA95 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFASfcetQzUJRIC2pURAu5uAJ4v/88PfsDMW5ljRAEg2IU1HHT0HACfZ2qa X2a6AwdNO8Ly7Ul3JpP76TM= =ZAKU -----END PGP SIGNATURE----- From rcooper at DWFORD.COM Sat Mar 6 16:14:25 2004 
From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:09 2006 Subject: Just a thought Message-ID: Julian, In reference to that "escape any regex characters" thing I submitted that you added in the last release, it occurred to me that while that may be more efficient than multiple =~ lines it still has to be compiled for each line in the report you are reading and, given the speed concerns already present, it would be much faster if it were changed to:

s/([\(\)\[\]\.\?\*\+\^"'@<>:])/\\$1/go;

or better yet add:

my $ea = qr/([\(\)\[\]\.\?\*\+\^"'@<>:])/;

above the while( defined($line (or add it as global to be used in both places) and change the expression to:

s/$ea/\\$1/g;

Might look into compiling other static expressions used in looping functions to get a speed increase, and perhaps compiling globally available expressions to be used in recursive functions or for expressions that are repeated over and over within various places in the various modules. Just a thought as it looks like a lot of the mime stuff uses static regular expressions within looping structures and that should drop the overhead of compiling the expression through every iteration (if you are looking for some tweaks). -- Rick Cooper From mailscanner at ecs.soton.ac.uk Sat Mar 6 16:54:22 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:09 2006 Subject: Just a thought In-Reply-To: References: Message-ID: <6.0.1.1.2.20040306165327.03c440f8@imap.ecs.soton.ac.uk> I thought it only made a difference for regexps that include variables. I had hoped that regexps including only static texts would only be compiled once. Anything in the Perl docs to back either of our views? At 16:14 06/03/2004, you wrote: >Julian, > >In reference to that "escape any regex characters" thing I >submitted that you added in the last release, it occurred to me >that while that may be more efficient that multiple =~ lines it >still has to be compiled for each line in the report you are >reading and, given the speed concerns already present, it would >be much faster if it were changed to: > >s/([\(\)\[\]\.\?\*\+\^"'@<>:])/\\$1/go; > > or better yet add: >my $ea = qr/([\(\)\[\]\.\?\*\+\^"'@<>:])/; > >above the while( defined($line (or add it as global to be used in >both places) > >and change the expression to: >s/$ea/\\$1/g; > >Might look into compiling other static expressions used in >looping functions to get a speed increase, and perhaps compiling >globally available expressions to be used in recursive functions >or for expressions that are repeated over and over within various >places in the various modules.. Just a thought as it looks like a >lot of the mime stuff use static regular expressions within >looping structures and that should drop the overhead of compiling >the expression through every iteration (if you are looking for >some tweaks). > >-- >Rick Cooper -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sat Mar 6 17:03:21 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: <6.0.1.1.2.20040306110818.03d0b920@imap.ecs.soton.ac.uk> Message-ID: Hi! > >f-prot doesn't actually unzip the file and check it, it just adds new > >heuristics for filename size and extension. > > > >It would be nice if mailscanner could deal with password protected > >archives by extracting the password from the mail body... > > That's a natural language parsing problem, which is incredibly difficult to > do with any reliability. And besides that, there will be the same crap around as with spam. Stuff like P4ssword, p@ssword, I can see them coming up already :) Bye, Raymond. From raymond at PROLOCATION.NET Sat Mar 6 17:09:36 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: Message-ID: Hi! > > The problem is that the virus writers can produce a hundred different > > strings every day. You have to start using an engine like SpamAssassin to > > try to find them, wherever you can have hundreds of rules and give each > > word a probability of being the password. Big problem. > > You can't get them all, so why bother getting any? > > Rather than being preoccupied with what hypothetical "might happen" tomorrow > and giving up immediately before even starting -- why not focus on what we > _can_ catch, right now, today, this very instant, that would generate > positive results stemming the _current_ avalanche of abuse? > > Or am I the only one who sees benefits in effort to mitigate _current_ > > abuse? If you feel like writing this, go ahead, it would be easier to do this inside SpamAssassin if you ask me. Bye, Raymond. From kevins at BMRB.CO.UK Sat Mar 6 17:29:43 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:09 2006 Subject: Just a thought In-Reply-To: <6.0.1.1.2.20040306165327.03c440f8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040306165327.03c440f8@imap.ecs.soton.ac.uk> Message-ID: <1078594189.13951.8.camel@bach.kevinspicer.co.uk> On Sat, 2004-03-06 at 16:54, Julian Field wrote: > I thought it only made a difference for regexps that include variables. I > had hoped that regexps including only static texts would only be compiled > once. Anything in the Perl docs to back either of our views? > According to 'Programming Perl' the /o modifier prevents recompilation of the regular expression when it contains an interpolated variable (ref. p.148). So you are correct. There is a great section on optimisation techniques in that book. With its help I was able to optimise a program I wrote (which is responsible for mirroring certain types of files between a local disk and a remote ftp server) from taking a few minutes to taking a few seconds (this is probably a reflection on the poor quality of my original code as much as anything else!). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From rcooper at DWFORD.COM Sat Mar 6 17:54:53 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:09 2006 Subject: Just a thought In-Reply-To: <6.0.1.1.2.20040306165327.03c440f8@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Saturday, March 06, 2004 11:54 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Just a thought > > > I thought it only made a difference for regexps that > include variables. I > had hoped that regexps including only static texts > would only be compiled > once. Anything in the Perl docs to back either of our views? I will look into it, it's been years since perl was a primary language for me and rusty is a kind term. I was thinking you don't want to precompile expressions with var reference where the value may change because the change will be ignored, perhaps I inferred it would be good for static expressions. > > At 16:14 06/03/2004, you wrote: > >Julian, > > > >In reference to that "escape any regex characters" thing I > >submitted that you added in the last release, it > occurred to me > >that while that may be more efficient than multiple > =~ lines it > >still has to be compiled for each line in the report you are > >reading and, given the speed concerns already > present, it would > >be much faster if it were changed to: > > > >s/([\(\)\[\]\.\?\*\+\^"'@<>:])/\\$1/go; > > > > or better yet add: > >my $ea = qr/([\(\)\[\]\.\?\*\+\^"'@<>:])/; > > > >above the while( defined($line (or add it as global > to be used in > >both places) > > > >and change the expression to: > >s/$ea/\\$1/g; > > > >Might look into compiling other static expressions used in > >looping functions to get a speed increase, and > perhaps compiling > >globally available expressions to be used in > recursive functions > >or for expressions that are repeated over and over > within various > >places in the various modules.. Just a thought as it > looks like a > >lot of the mime stuff use static regular expressions within > >looping structures and that should drop the overhead > of compiling > >the expression through every iteration (if you are looking for > >some tweaks).
> > > >-- > >Rick Cooper > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From kevins at BMRB.CO.UK Sat Mar 6 18:39:34 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:09 2006 Subject: Just a thought In-Reply-To: References: Message-ID: <1078598374.13949.22.camel@bach.kevinspicer.co.uk> On Sat, 2004-03-06 at 17:54, Rick Cooper wrote: > I was thinking you > don't want to precompile expressions with var reference where > the value may change because the change will be ignored, > perhaps I inferred it would be good for static expressions. > It's also interesting to look at the qr/ method of precompiling regexes where the variable interpolation may change but the resulting regex is needed more than once. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at SMITS.CO.UK Sat Mar 6 20:11:00 2004
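An added Perl example for the "Just a thought" thread above, not code from MailScanner or from any poster: it reuses the qr// character class quoted in the thread, compares it with Perl's built-in quotemeta on constructed report lines, and shows how /o freezes an interpolated pattern. The report lines, filenames and sub names are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The character class from the thread, compiled once with qr// and reused.
my $ea = qr/([\(\)\[\]\.\?\*\+\^"'@<>:])/;

# Escape text the way the thread proposes: a backslash before each listed
# character. The class does not list | \ { } or $.
sub escape_listed {
    my ($text) = @_;
    $text =~ s/$ea/\\$1/g;
    return $text;
}

# Constructed scanner report lines, keyed by filename.
my @report = (
    'invoice(1).zip: infected',
    'invoice1.zip: clean',
    'x|report.zip: infected',
    'xmas-card.scr: clean',
);

# Build a pattern from each filename three ways and list what it matches.
for my $name ('invoice(1).zip', 'x|report.zip') {
    my %pattern = (
        raw       => $name,                 # metacharacters left active
        listed    => escape_listed($name),  # the thread's character class
        quotemeta => quotemeta($name),      # every non-word character escaped
    );
    print "filename: $name\n";
    for my $how (qw(raw listed quotemeta)) {
        my $p  = $pattern{$how};
        my $re = qr/^$p:/;                  # compiled once, reused below
        my @hits = grep { $_ =~ $re } @report;
        printf "  %-9s %-22s matches: %s\n", $how, $p,
            @hits ? join(' | ', map { "[$_]" } @hits) : 'nothing';
    }
}

# A pattern with no variables in it is compiled when the program is compiled.
# /o concerns interpolated patterns: the pattern is built from the value seen
# on first use and later values are ignored.
sub has_word_o {
    my ($word, $text) = @_;
    return $text =~ /\b\Q$word\E\b/o ? 1 : 0;
}

# qr// compiles one pattern per value; each compiled pattern can then be
# reused across a loop without being rebuilt.
sub word_matcher {
    my ($word) = @_;
    my $re = qr/\b\Q$word\E\b/;
    return sub { return $_[0] =~ $re ? 1 : 0 };
}

my $line = 'Bagle variant found in attachment';   # constructed
for my $word ('Netsky', 'Bagle') {
    my $matcher = word_matcher($word);
    printf "%-7s  /o: %d  qr//: %d\n", $word,
        has_word_o($word, $line), $matcher->($line);
}
```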
From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:23:09 2006 Subject: McAfee PROBLEM !!! (solved) Message-ID: <58696C94787F16468267F3509F115030983F@hermes.clumpton.homeip.net> Zip attachments only make up 0.3% of our mail traffic by message count. Spending a bit more time on them would not significantly increase the overhead. Some filters may have higher percentages to chew through obviously, but in the tradition of MS's excellent tweakability, this would be an option, not mandatory. Bart... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Yuzik Posted At: 05 March 2004 22:13 Posted To: MailScanner Conversation: McAfee PROBLEM !!! (solved) Subject: Re: McAfee PROBLEM !!! (solved) Bart, This is a very interesting idea. I'm not sure how much extra overhead this would cause for MailScanner though. It's almost like you'd have to spawn a separate process to attempt to decrypt the zip...and somehow pass all the words to try. I'll follow this thread to see what other ideas people come up with. Cheers, Chris MailScanner wrote: >MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip. > >This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now. > >Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file' since the only point in sending an encrypted file and its key in the same message is to bypass automated scanning. > >Bart... > > From fadotek at ONEBOX.COM Sat Mar 6 20:22:45 2004
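An added Perl example (not MailScanner code and not any poster's program) of the check that both the blanket ban on password-protected zips and the 'uselessly encrypted zip file' rule in this discussion depend on: reading the ZIP central directory to see whether an attachment is encrypted, and whether the body of the same message mentions a password. The sample archives are header-only constructions, and zip_entries, sample_zip and zip_policy are hypothetical names; Zip64 and multi-disk archives are not handled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# List the entries of a ZIP archive held in memory, with the encryption flag
# (bit 0 of the general purpose flags in each central directory record).
# Returns a list of [name, encrypted] pairs and dies on a malformed archive.
sub zip_entries {
    my ($zip) = @_;
    # The end-of-central-directory record starts at the last "PK\5\6".
    my $eocd = rindex($zip, "PK\x05\x06");
    die "no end-of-central-directory record\n"
        if $eocd < 0 || length($zip) - $eocd < 22;
    my (undef, undef, undef, undef, $count, $cd_size, $cd_off) =
        unpack 'V v v v v V V', substr($zip, $eocd, 20);
    die "central directory outside the file\n" if $cd_off + $cd_size > $eocd;

    my ($pos, @entries) = ($cd_off);
    for (1 .. $count) {
        die "truncated central directory\n" if $pos + 46 > $eocd;
        # signature, two versions, flags, method, time, date, crc, two sizes,
        # then the name, extra field and comment lengths
        my ($sig, undef, undef, $flags, undef, undef, undef, undef, undef,
            undef, $nlen, $elen, $clen) =
            unpack 'V v v v v v v V V V v v v', substr($zip, $pos, 34);
        die "bad central directory signature\n" unless $sig == 0x02014b50;
        die "entry name runs past the directory\n" if $pos + 46 + $nlen > $eocd;
        push @entries, [ substr($zip, $pos + 46, $nlen), $flags & 1 ? 1 : 0 ];
        $pos += 46 + $nlen + $elen + $clen;
    }
    return @entries;
}

# Build a one-entry archive for the demonstration (constructed sample: the CRC
# and data are dummies, only the structure the parser reads is real).
sub sample_zip {
    my ($name, $flags) = @_;
    my $data  = 'XXXXXXXX';
    my $local = pack('V v v v v v V V V v v', 0x04034b50, 20, $flags, 0, 0, 0,
                     0, length($data), length($data), length($name), 0)
              . $name . $data;
    my $cd = pack('V v v v v v v V V V v v v v v V V', 0x02014b50, 20, 20,
                  $flags, 0, 0, 0, 0, length($data), length($data),
                  length($name), 0, 0, 0, 0, 0, 0) . $name;
    my $end = pack('V v v v v V V v', 0x06054b50, 0, 0, 1, 1, length($cd),
                   length($local), 0);
    return $local . $cd . $end;
}

# Decide what to do with one message. An encrypted entry cannot be scanned;
# when the body also mentions a password, the reason says so.
sub zip_policy {
    my ($body, $zip) = @_;
    my @entries = eval { zip_entries($zip) };
    if ($@) {
        chomp(my $err = $@);
        return ('quarantine', "unreadable archive: $err");
    }
    # Entry names come from the sender: strip anything unsafe to log.
    my @locked = map { (my $n = $_->[0]) =~ s/[^\x20-\x7e]/?/g; $n }
                 grep { $_->[1] } @entries;
    return ('scan', 'no encrypted entries') unless @locked;
    my $names = join ', ', @locked;
    return ('quarantine', "encrypted ($names), password mentioned in the body")
        if $body =~ /\bpass(?:word|phrase|code)?\b/i;
    return ('quarantine', "encrypted ($names), cannot be scanned");
}

# Constructed messages: [body text, attachment bytes].
my @mail = (
    [ 'Quarterly figures attached.', sample_zip('figures.xls', 0) ],
    [ 'The password for this zip file is abracadabra', sample_zip('doc.exe', 1) ],
    [ 'See attachment.', sample_zip('doc.scr', 1) ],
    [ 'See attachment.', 'PK not really a zip' ],
);
for my $message (@mail) {
    my ($verdict, $why) = zip_policy(@$message);
    print "$verdict: $why\n";
}
```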
From: fadotek at ONEBOX.COM (Fadotek Solutions, LLC) Date: Thu Jan 12 21:23:09 2006 Subject: Remove Infected and Deliver Mail Message-ID: Hi all, Can someone point me to the combination of options that will deliver an infected email without the attachment? I thought the following should have worked but it didn't, it's delivering only the notice to the sysadmin. These are the options that I thought would do the trick:
Deliver Disinfected Files = no
Quarantine Infections = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes
Deliver Cleaned Messages = yes
Thanks, -Jeff From maillists at CONACTIVE.COM Sat Mar 6 21:31:34 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: References: Message-ID: Dan Hollis wrote on Sat, 6 Mar 2004 04:54:05 -0800: > such rejections are RFC violations. so what? if your mailer complies to RFC and uses a correct EHLO, the mailer has no problem to deliver, if the virus doesn't comply to RFC I can't help it. > > > ( a lot of names like SAM, or > > Bill, or SERVER), or no Message-Id, etc. The MTA can stop a lot > > of both spam and viruses if you just work on your access lists a > > your MTA is non RFC compliant in this case. > how does using an access list violate an RFC? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From pete at eatathome.com.au Sat Mar 6 21:57:11 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:09 2006 Subject: Download rate In-Reply-To: <4049F71E.9070506@vanramselaar.nl> References: <6.0.1.1.2.20040306160036.03f7dea0@imap.ecs.soton.ac.uk> <4049F71E.9070506@vanramselaar.nl> Message-ID: <404A4937.7010600@eatathome.com.au> > Guilty as charged! I was one of those downloaders. :o) > Installing it went smoothly. Great job again Julian! > > Although you are entitled to get some well-deserved rest, I sure hope you > will keep up the good work! Have to agree with the above, entirely. Be nice if those who are running could post with a description on how it's running for them? I haven't upgraded yet but plan to on Tuesday. Specifically interested in how others feel about the speed of this release Vs 4.27 thanks Pete From spamtrap71892316634 at ANIME.NET Sat Mar 6 22:15:47 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: Message-ID: On Sat, 6 Mar 2004, Raymond Dijkxhoorn wrote: > > Or am I the only one who sees benefits in effort to mitigate _current_ > > abuse? > If you feel like writing this, go ahead, it would be easier to do this > inside SpamAssassin if you ask me. I've already got an external perl program doing this, it extracts the password from body of the mails with a simple regex. It works for all known variants of bagle right now. I just need to integrate it into MS now. Since my patch will never be integrated into MS, and I don't like the idea of playing catch-up with every new MS release, I can only request that Julian provide a modular way to plug scanning extension modules into MS. -Dan From jaearick at COLBY.EDU Sat Mar 6 22:21:49 2004
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:23:09 2006 Subject: Download rate In-Reply-To: <404A4937.7010600@eatathome.com.au> References: <6.0.1.1.2.20040306160036.03f7dea0@imap.ecs.soton.ac.uk> <4049F71E.9070506@vanramselaar.nl> <404A4937.7010600@eatathome.com.au> Message-ID: Pete, Sheesh, who had time to run 4.27? I ran 4.26.8 until last Monday, then that day I installed 4.27.7 (ran two hours), 4.28.1 (maybe an hour), then 4.82.2 before the end of the day. I upgraded throughout last week, ending up with 4.28.5 (stable) by Friday morning. I have noticed no difference between the 4.28 series and 4.26.8 in terms of performance, no slowdowns or other problems. My setup: Solaris 9 (V1280), SA 2.63, perl 5.8.2, razor 2.36, sophos 3.79 (sophosavi), clam 0.76 (clammodule). As for my howl to the list last week about more spam with 4.28, I discovered on Friday that I had goofed up my "Spam List" declarations in a couple of versions of 4.28 relative to what I had in 4.26. Once I fixed that, the spam in my mailbox vanished again. Life is good, thanks to Julian. Jeff Earickson Colby College On Sun, 7 Mar 2004, Pete wrote: > Date: Sun, 7 Mar 2004 08:57:11 +1100 > From: Pete > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Download rate > > > Guilty as charged! I was one of those downloaders. :o) > > Installing it went smoothly. Great job again Julian! > > > > Although you are entitled to get some well-deserved rest, I sure hope you > > will keep up the good work! > > Have to agree with the above, entirely. > > Be nice if those who are running could post with a description on how > it's running for them? I haven't upgraded yet but plan to on Tuesday. > Specifically interested in how others feel about the speed of this > release Vs 4.27 > > thanks > Pete > From spamtrap71892316634 at ANIME.NET Sat Mar 6 22:24:10 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:23:09 2006 Subject: F-prot update In-Reply-To: <4049D203.7060100@ucgbook.com> Message-ID: On Sat, 6 Mar 2004, Peter Bonivart wrote: > You just want it to be because it's convenient for you and you have no > clue implementing a solution yourself. I've already implemented an external perl program to do this. It was really quite simple with perl regex. It scans mails and extracts the password from all known bagle variants. Just need to integrate into MS now. It would be easier if MS had modular design to allow plugins, otherwise I'll be playing catch-up with each new version :-( -Dan From faq at mailscanner.info Sun Mar 7 00:28:01 2004 From: faq at mailscanner.info (faq@mailscanner.info) Date: Thu Jan 12 21:23:09 2006 Subject: Faq-O-Matic Error Log Message-ID: <200403070028.i270S1fa003571@seer.ecs.soton.ac.uk> Errors from MailScanner Faq-O-Matic (v. 2.717): 2004-03-02-05-41-40 2.717 error editPart 9946 <(noID)> Either someone has changed the answer or category you were editing since you received the editing form, or you submitted the same form twice.

Please [Return to the FAQ] and start again to make sure no changes are lost. Sorry for the inconvenience.

(Sequence number in form: 5; in item: 7) From pete at eatathome.com.au Sat Mar 6 22:54:44 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner Message-ID: <404A56B4.5060402@eatathome.com.au> I think I have successfully lobbied for a 'new' replacement server for MailScanner at work. We originally installed to prove it would work and reused ancient hardware we had lying around, 2xp200 NEC server; the newer releases of MS have meant this machine no longer cuts it, even for our 3k messages per day. So, we buy second hand compaq proliant servers from a local vendor, with original 3 yr compaq onsite warranty. Additionally I am lobbying to re-route our new parent company's mail via our mail scanner, so our volume may double/triple. They currently have NO protection, just 2 exchange 2000 servers in the DMZ with NAV; needless to say they have many days of no email at all. For 6k - 9k emails per day, running Clamav and etrust would something like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either suse or red hat 9 (my FreeBSD skills are not sufficient for this yet) be enough horsepower? Alternately our vendor has a single ML310 P2.8 /1GB Ram and scsi. Will MailScanner benefit more from dual CPU or faster CPU considering the load I described above? Or would I be better off spending more on RAM? 1 GB seems like plenty of RAM to me, but then again I haven't processed 9k emails before, and some of you have, so hopefully someone could advise on which hardware will benefit MS more? Additionally we may have access to an additional scanner license - would I be better off running 3 x virus scanners, clam, etrust and sophos/f-prot, or just run 2, clam and sophos/f-prot, especially considering my hardware limitations? Is there a massive difference in hardware requirement between processing 6k or 9k emails per day?
thanks in advance to anyone who can offer suggestions From marco at MUW.EDU Sat Mar 6 23:36:30 2004 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner Message-ID: <1078616190.404a607e6f3ba@webmail.MUW.Edu> Quoting Pete : > For 6k - 9k emails per day, running Clamav and etrust would something > like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either > suse or red hat 9 (my FreeBSD skills are not sufficient for this yet) be > enough horsepower? You should be fine for that load. 6k - 9k messages is a light load. I would get more RAM if I were you. It is cheap and DOES make a difference. > Alternately our vendor has a single ML310 P2.8 /1GB > Ram and scsi. Will MailScanner benefit more from dual CPU or faster CPU > considering the load I described above? Or would I be better off spending > more on RAM? 1 GB seems like plenty of RAM to me, but then again I > haven't processed 9k emails before, and some of you have, so hopefully > someone could advise on which hardware will benefit MS more? Get more RAM, if you can !!! > Additionally we may have access to an additional scanner license - would > I be better off running 3 x virus scanners, clam, etrust and > sophos/f-prot, or just run 2, clam and sophos/f-prot, especially > considering my hardware limitations? With 3 scanners, you are entering the paranoia stage :) Clam AV and another commercial scanner should be fine. Don't forget that MailScanner is a scanner as well ... > Is there a massive difference in hardware requirement between processing > 6k or 9k emails per day? Are you considering turning on SpamAssassin and RBL checks?
Good luck Marco From rich at MAIL.WVNET.EDU Sat Mar 6 23:47:01 2004 From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <1078616190.404a607e6f3ba@webmail.MUW.Edu> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> Message-ID: <404A62F5.1090807@mail.wvnet.edu> Marco Obaid wrote: >With 3 scanners, you are entering the paranoia stage :) >Clam AV and another commrecial scanner should be fine. >Don't forget that MailScanner is a scanner as well ... > > > This brings up something I've been wondering about. I'm currently running three scanners. It was my impression that the overhead was mostly in the decoding phase so adding additional scanners didn't really cost that much. Is that correct or am I mistaken? -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From pete at eatathome.com.au Sat Mar 6 23:50:24 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404A62F5.1090807@mail.wvnet.edu> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <404A62F5.1090807@mail.wvnet.edu> Message-ID: <404A63C0.50205@eatathome.com.au> Richard Lynch wrote: > Marco Obaid wrote: > >> With 3 scanners, you are entering the paranoia stage :) >> Clam AV and another commrecial scanner should be fine. >> Don't forget that MailScanner is a scanner as well ... >> >> >> > This brings up something I've been wondering about. I'm currently > running three scanners. It was my impression that the overhead was > mostly in the decoding phase so adding additional scanners didn't really > cost that much. Is that correct or am I mistaken? > > -- > Richard E. Lynch > Systems Programming Manager > West Virginia Network (WVNET) > 837 Chestnut Ridge Road > Morgantown, WV 26505 > (304) 293-5192 x243 > > > which 3? 
Do you ever have any live virus instance beyond mailscanner ? Which 1 or 2 did you use before adding the third, did it appear to make a large difference in either performance, or detection rates? From mike at TC3NET.COM Sat Mar 6 23:45:06 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <1078616190.404a607e6f3ba@webmail.MUW.Edu> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> Message-ID: <1078616706.2857.39.camel@localhost.localdomain> I do 150,000 per day on my blades with a NFS mailstore, mqueue.in is on tmpfs, virus and spam checks, razor2, dcc, rbl checks enabled in spamassassin. Each of my mx's are p3-1200's/1GB Ram, they all run radius on them as well, and I have some screwy procmail rules for spamassassin that add to the load, which I could migrate to MailScanner (once I figure out how to get it to read spamassassin prefs properly). They handle this load fine, so I think a P3/800 w/scsi drive would be almost dead idle with a 3000 message per day load. Regards MIKE > Quoting Pete : > > > For 6k - 9k emails per day, running Clamav and etrust would something > > like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either > > suse or red hat 9 (my FreeBSd skills are not sufficient for this yet) be > > enough horsepower? > > You should be fine for that load. 6k - 9k messags is a light load. > I would get more RAM if I were you. It is cheap and DOES make a difference. > > Alternately our vendor has a single Ml310 P2.8 /1GB > > Ram and scsi. will mailScanner benefit more from dual CPU or faster CPU > > considering the load i described above? Or would I be better off spend > > more on RAM? 1 GB seems like plenty of RAM to me, but then again i > > havent processed 9k emails before, and some of you have, so hopefully > > some one could advised on which hardware will benefit MS more? > > Get more RAM, if you can !!! 
> > > Additionally we may have access to an additional scanner license - would > > i be better off running 3 x virus scanners, clam, etrust and > > sophos/f-prot, or just run 2, clam and sophos/f-prot, especially > > considering my hardware limitations? > > With 3 scanners, you are entering the paranoia stage :) > Clam AV and another commrecial scanner should be fine. > Don't forget that MailScanner is a scanner as well ... > > > Is there a massive difference in hardware requirement between processing > > 6k or 9k emails per day? > > Are you considering turning on SpamAssassin and RBL checks? > > > Good luck > Marco > From rich at MAIL.WVNET.EDU Sun Mar 7 00:11:45 2004 From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404A63C0.50205@eatathome.com.au> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <404A62F5.1090807@mail.wvnet.edu> <404A63C0.50205@eatathome.com.au> Message-ID: <404A68C1.4030501@mail.wvnet.edu> Pete wrote: > Richard Lynch wrote: > >> This brings up something I've been wondering about. I'm currently >> running three scanners. It was my impression that the overhead was >> mostly in the decoding phase so adding additional scanners didn't really >> cost that much. Is that correct or am I mistaken? >> >> > which 3? Do you ever have any live virus instance beyond mailscanner ? > Which 1 or 2 did you use before adding the third, did it appear to make > a large difference in either performance, or detection rates? F-Prot, Mcafee, and ClamAV. The last one added was Mcafee. It turned out that we already had a site license for it so there was no additional outlay in cash, at least until the contract expires. I didn't really notice any degradation but there may have been. We process a good bit more mail now than we were at the time I added it. Generally, Mcafee never caught anything that the others missed. 
Sometimes F-prot was first with the updates and other times ClamAV was first. I'm certainly going to keep running those two. When the rash of protected zip viruses began Mcafee was catching some of them while the others weren't catching any of them. That's all been addressed now that Julian has added protected zip file rejection support. Given that, at one time or another, one of the three has caught something that the others did not I'm thinking maybe I need all three. On the other hand, the load on my boxes continues to go up and if it's real expensive in terms of performance I may decide to drop Mcafee. -- Richard E. Lynch Systems Programming Manager West Virginia Network (WVNET) 837 Chestnut Ridge Road Morgantown, WV 26505 (304) 293-5192 x243 From pete at eatathome.com.au Sun Mar 7 00:37:15 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <1078616706.2857.39.camel@localhost.localdomain> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <1078616706.2857.39.camel@localhost.localdomain> Message-ID: <404A6EBB.1030105@eatathome.com.au> Another question; Considering our small mail volume, how to do put a price on the savings for the company? Not in the cost of users processing spam themsevles, but in the sense that if we were to buy the next best thing, that was a commercial product with 'support', whats sort of cost savings are we talking about? Is a well configured and smoothly running open source MS/SA machine comparable to 10k or 100K commercial products? I just need to add it to my advice on the product we are supplying to management - i can find costs of products on the net, but i am not sure which product to compare MS to? Having asked that, i have yet to use a commercial product that is supported by the actual Author, on the same scale as open Source MS ... 
From peter at UCGBOOK.COM Sun Mar 7 00:37:44 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404A56B4.5060402@eatathome.com.au> References: <404A56B4.5060402@eatathome.com.au> Message-ID: <404A6ED8.1070707@ucgbook.com> Pete wrote: > For 6k - 9k emails per day, running Clamav and etrust would something > like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either > suse or red hat 9 (my FreeBSd skills are not sufficient for this yet) be > enough horsepower? Alternately our vendor has a single Ml310 P2.8 /1GB > Ram and scsi. will mailScanner benefit more from dual CPU or faster CPU > considering the load i described above? Or would I be better off spend > more on RAM? 1 GB seems like plenty of RAM to me, but then again i > havent processed 9k emails before, and some of you have, so hopefully > some one could advised on which hardware will benefit MS more? I think the 2.8 would be faster (assuming the rest of the system is the same) since the clock speed difference is too much between these two systems, if it was closer I would go with the dual CPU. For your volume, 1 GB RAM will be enough. Unused RAM will not benefit you at all. Count around 30 MB per MS child and you will see that you will have plenty left for mounting the incoming work directory as a RAM drive. > Additionally we may have access to an additional scanner license - would > i be better off running 3 x virus scanners, clam, etrust and > sophos/f-prot, or just run 2, clam and sophos/f-prot, especially > considering my hardware limitations? In my experience, SA seems to use the system harder than the virus scanners, it's very CPU and net intensive. I only run one scanner (have more layers of protection later) but since the unpacking is done only once I can't imagine you losing that much adding a third scanner so if you can afford it, go for it. 
> Is there a massive difference in hardware requirement between processing > 6k or 9k emails per day? I think both those number would be considered low. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From ugob at CAMO-ROUTE.COM Sun Mar 7 01:44:56 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:23:09 2006 Subject: Download rate Message-ID: <54C38A0B814C8E438EF73FC76F362927410987@mtlnt501fs.CAMOROUTE.COM> >-----Message d'origine----- >De : Pete [mailto:pete@eatathome.com.au] >Envoy? : 6 mars, 2004 16:57 >? : MAILSCANNER@JISCMAIL.AC.UK >Objet : Re: Download rate > > >> Guilty as charged! I was one of those downloaders. :o) >> Installing it went smoothly. Great job again Julian! >> >> Although you are entitled to get some welldeserved rest, I >sure hope you >> will keep up the good work! > >Have to agree with the above, entirely. > >Be nice if those who are running could post with a description on how >its running for them? I havent upgraded yet but plan to on Tuesday. >Specifically interested in how other feel about the speed of this >release Vs 4.27 I upgraded to 4.28.5-2 from 4.26.8-1 yesterday. I love the option to get into zip files to check filenames/types. I decided to block password-protected zips as well. No problems at all yet, but it is the weekend and my overall volume is low. But the performance-related graphs look the same. I'm running it on fedora Core-1, SA 2.36, DCC, Razor, Pyzor and ClamAV. MailWatch, mailscanner-mrtg and Vispan for reporting/management. I also run Symantec on Exchange. It dectected one W32.Beagle@mm!zip on 3/4/2004 8:43 PM, after having slipped through mailscanner and clamAV on the 3/2/2004 8:52 PM According to Symantec, W32.Beagle@mm!zip is a generic detection for password-protected zip file containing an executable of the Beagle family. 
Anyone knows when clamAV began detecting this virus? Just curious.

The only other virus that came through since sept. 2003 is one W32.Netsky.C@mm.

>
>thanks
>Pete
>

From res at AUSICS.NET Sun Mar 7 03:13:01 2004
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:23:09 2006
Subject: Perl - CPAN Error - need help
In-Reply-To: <000701c402c8$eac0b8b0$8266a8c0@MKBOWMAN2>
References: <000701c402c8$eac0b8b0$8266a8c0@MKBOWMAN2>
Message-ID:

Hi,

On Fri, 5 Mar 2004, Matthew K Bowman wrote:

> Redhat 9
> Perl 5.8.0
>
> [root@mrburns downloads]# perl -MCPAN -e shell "install Archive::Zip"
> Undefined value assigned to typeglob at (eval 13) line 15, line 11.
> Warning [/etc/inputrc line 11]:
> Invalid variable `mark-symlinked-directories'
>
> cpan shell -- CPAN exploration and modules installation (v1.61)
> ReadLine support enabled

had the same problem

if u do it manually
perl -MCPAN -e shell
then at prompt enter
install Archive::Zip

it work, well at least here it did :)

>
> This is after reinstalling the Perl and CPAN rpms.
>
> I can't upgrade or start the original MailScanner at the moment. Any help
> would be appreciated.
>
> Thank you
>

--
Regards,
Res

From bamcomp at YAHOO.COM Sun Mar 7 04:08:51 2004
From: bamcomp at YAHOO.COM (Brett Moss)
Date: Thu Jan 12 21:23:09 2006
Subject: 4.28.5-2 and the zip of death
Message-ID: <20040307040851.81416.qmail@web13801.mail.yahoo.com>

hello,

i am curious about the default setting in 4.28.5-2 for
Maximum Archive Depth = 3

i tested the new version with the zip of death and the message took about 7 minutes to process while a message with Worm.Bagle.Gen-zippwd took a few seconds.

the machine runs a
p3 500 and 320M RAM
redhat 8
clamav and mcafee

do many zip files contain a virus a few layers down? am i safe to lower this 3 to 1 or 2? i'm a bit concerned about bringing a server to its knees with a coordinated zip of death mail attack. am i worried about nothing?

thanks,
brett

From solace at GUILDSOLUTIONS.COM Sun Mar 7 04:17:50 2004
From: solace at GUILDSOLUTIONS.COM (Matt)
Date: Thu Jan 12 21:23:09 2006
Subject: Ensim Pro 2.5 & virutal accounts
In-Reply-To: <20040307040851.81416.qmail@web13801.mail.yahoo.com>
References: <20040307040851.81416.qmail@web13801.mail.yahoo.com>
Message-ID: <404AA26E.20005@guildsolutions.com>

How would one go about disabling mailscanner (virus and spam) for a specific domain?
Thanks

From pete at eatathome.com.au Sun Mar 7 04:45:47 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:09 2006
Subject: Ensim Pro 2.5 & virutal accounts
In-Reply-To: <404AA26E.20005@guildsolutions.com>
References: <20040307040851.81416.qmail@web13801.mail.yahoo.com> <404AA26E.20005@guildsolutions.com>
Message-ID: <404AA8FB.1060709@eatathome.com.au>

Matt wrote:

> How would one go about disabling mailscanner (virus and spam) for a
> specific domain?
> Thanks
>

Create a file called something like
/etc/MailScanner/rules/spam.rules

make its contents something like

From: Domain1 no
From: Domain2 no
FromOrTo: default yes

In /etc/MailScanner/MailScanner.conf change the line
Spam Checks = yes
to
Spam Checks = /etc/MailScanner/rules/spam.rules

then do (assuming you use Red Hat), if not do whatever you do to restart/reload the mailscanner service.
#service MailScanner reload

From pete at eatathome.com.au Sun Mar 7 04:48:03 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:09 2006
Subject: Ensim Pro 2.5 & virutal accounts
In-Reply-To: <404AA8FB.1060709@eatathome.com.au>
References: <20040307040851.81416.qmail@web13801.mail.yahoo.com> <404AA26E.20005@guildsolutions.com> <404AA8FB.1060709@eatathome.com.au>
Message-ID: <404AA983.9080107@eatathome.com.au>

Pete wrote:

> Matt wrote:
>
>> How would one go about disabling mailscanner (virus and spam) for a
>> specific domain?
>> Thanks
>>
> Create a file called something like
> /etc/MailScanner/rules/spam.rules
>
> make its contents something like
>
> From: Domain1 no
> From: Domain2 no
> FromOrTo: default yes
>
> In /etc/MailScanner/MailScanner.conf change the line
> Spam Checks = yes
> to
> Spam Checks = /etc/MailScanner/rules/spam.rules
>
> then do (assuming you use Red Hat), if not do whatever you do to
> restart/reload the mailscanner service.
> #service MailScanner reload
>

Actually, i dont think this method will disable virus scanning, just spam - but if you wish to disable both why not point the MX for the domain direct to its SMTP gateway? Not much point in mailscanner receiving this if you want to turn off all scanning? Is there?

From pete at eatathome.com.au Sun Mar 7 04:59:03 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:09 2006
Subject: Download rate
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410988@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410988@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <404AAC17.5090508@eatathome.com.au>

>Bleeding edge? To what I understand, it is not as much bleeding edge than what would have been RH 9.1 or RH 10.
>
>I started using mailscanner on rh9, on a test server. It was a pentium Pro 200, 64 MB RAM, so when I finally got a better machine (PII 233), i decided to install fedora to avoid the upgrade. RH 9's support ends in april. I'd rather have a machine with more recent packages (less tested) than not being able to patch security holes easily.
>
>(Some people run MailScanner on Red Hat 7.3) http://lwn.net/Articles/62875/
>http://www.redhat.com/software/rhelorfedora/
>

This was my way of thinking too, which is why i asked after being advised against it.

>IIRC, fedora's support is supposed to be (reasonably) unlimited (for security fixes).
>
>
>Production machine,
>23:20:10 up 22 days, 6:28, 2 users, load average: 0.46, 0.40, 0.45
>
>Up since install. Very stable. I don't have a high volume though (200 messages/day).
>
>The only glitch since I use mailscanner was last week's Redhat perl rpm upgrade. But I know it affected RH9 as well.
>
>Some other people use fedora on servers with significant volume.
>

Perl upgrade? I dont use any up2date type services, bit scared of upgrade occurring automatically that break things. I only upgrade components when i specifically find i have a need to - which is probably bad practise, so official support/patch frequency hasnt, so far, been a very important factor for us.

>New users? I only cover the 3 domains of our company. Mailscanner is only a gateway, no local accounts. It forwards mail to my Exchange server.
>
>Hope this helps.
>
>Ugo
>

we too have 3 domains and our machine is only a gateway, forwarding to Domino.

thanks for your response and opinions.

Pete

From RAGAN_DAVIS at COLSTATE.EDU Sun Mar 7 05:54:53 2004
From: RAGAN_DAVIS at COLSTATE.EDU (Mack)
Date: Thu Jan 12 21:23:09 2006
Subject: mailscanner entries in sendmail logs too long?
Message-ID: <404A72DC.17569.EDCD11@localhost>

Hi,

First, I'd like to offer major kudos to Julian for outstanding work!! I can't speak highly enough on how well MailScanner performs.

My problem: I just discovered that occasionally the mailscanner entry in my sendmail logs seems to be incomplete. It seems to happen when the spamassassin report is really long. Here's an example (I replaced IP's, email addresses and domains with bogus values):

Complete log entry:

Mar 1 00:59:17 mailhost MailScanner[8501]: Message i215x5GP000623 from some.ip.some.where (someone@somedomain.com) to mydomain.com is spam, spamcop.net, spamhaus.org, SpamAssassin (score=4.738, required 4.2, CLICK_BELOW 0.00, HTML_LINK_PUSH_HERE 0.50, HTML_MESSAGE 0.00, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_SBL 1.27, RCVD_IN_SORBS 0.10, SUBJ_DOLLARS 0.62)

Incomplete log entry:

Mar 1 00:59:18 mailhost MailScanner[9064]: Message i215x3GP000622 from some.ip.some.where (someone@somedomain.com) to mydomain.com is spam, spamcop.net, njabl, SpamAssassin (score=42.668, required 4.2, BANG_EXERCISE 1.22, BANG_GUARANTEE 1.10, CLICK_BELOW_CAPS 0.57, DATE_SPAMWARE_Y2K 4.40, DCC_CHECK 1.81, FORGED_MUA_OUTLOOK 1.58, FORGED_OUTLOOK_HTML 1.10, FORGED_OUTLOOK_TAGS 1.10, FORGED_RCVD_NET_HELO 3.02, GUARANTEED_STUFF 1.17, HTML_60_70 0.10, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.10, HTML_FONT_INVISIBLE 0.45, HTML_MESSAGE 0.00, HTML_SHOUTING4 0.31, HTML_TABLE_THICK_BORD 0.70, IMPOTENCE 4.24, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.15, MONEY_BACK 4.30, PENIS_ENLARGE 1.10, PENIS_ENLARGE2 0.59, PYZOR_CHECK 0.32, RAZOR2_CF_RANGE_51_100 1.55, RAZOR2_CHECK 0.90, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_RELAY 1.31, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10, RCVD_IN_SORBS_MISC 1.10, SOME_BREAKTHROUGH 0.60

Notice....no ending paren on the incomplete log entry.

I just upgraded to the beta version that included the password-protected archive checker (version 4.28.4-1) on 3/4/04. I did not notice this before, but then again I wasn't looking. I will sift thru some older logs and see if this behavior was present before the upgrade. Nevertheless, has anyone noticed this before? Is there something I can do to fix it?

Thanks!
mack

--
This message has been scanned for viruses and dangerous content by the CSU Email Gateway, and is believed to be clean.

From garry at GLENDOWN.DE Sun Mar 7 06:39:58 2004
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:23:09 2006
Subject: Server Spec for MailScanner
In-Reply-To: <1078616190.404a607e6f3ba@webmail.MUW.Edu>
References: <1078616190.404a607e6f3ba@webmail.MUW.Edu>
Message-ID: <404AC3BE.9060102@glendown.de>

Marco Obaid wrote:
> Quoting Pete :
>
>
>>For 6k - 9k emails per day, running Clamav and etrust would something
>>like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either
>>suse or red hat 9 (my FreeBSd skills are not sufficient for this yet) be
>>enough horsepower?
>
>
> You should be fine for that load. 6k - 9k messages is a light load.
> I would get more RAM if I were you. It is cheap and DOES make a difference.
>
> Alternately our vendor has a single Ml310 P2.8 /1GB

We are at the moment running a single Celeron 2.2GHz SuSE w/512MB RAM and 2x IDE drive with software RAID1 ... machine is usually in the range of .1-.2 load average ... running the current MailScanner w/ F-Prot and ClamAV ... (adding Clam added somewhere around .05-.1 to the load average). Currently, the machine is running spam&AV tests for something like 20-30k emails on weekdays ...

-gg

From pete at eatathome.com.au Sun Mar 7 07:19:21 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:09 2006
Subject: Server Spec for MailScanner
In-Reply-To: <404AC3BE.9060102@glendown.de>
References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <404AC3BE.9060102@glendown.de>
Message-ID: <404ACCF9.7050805@eatathome.com.au>

>
> We are at the moment running a single Celeron 2.2GHz SuSE w/512MB RAM
> and 2x IDE drive with software RAID1 ...
machine is usually in the range > of .1-.2 load average ... running the current MailScanner w/ F-Prot and > ClamAV ... (adding Clam added somewhere around .05-.1 to the load > average). Currently, the machine is running spam&AV tests for something > like 20-30k emails on weekdays ... > > -gg > Thanks this is very usefull info. with that kinda of load, things like MyDoom or some of the other recentl nasties had little impact on performance, mail was still scanned and routed in a timely manner? I think from searching the archive and reading here that i will go with the single faster CPU option, with loads of RAM. From garry at GLENDOWN.DE Sun Mar 7 07:31:20 2004 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404ACCF9.7050805@eatathome.com.au> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <404AC3BE.9060102@glendown.de> <404ACCF9.7050805@eatathome.com.au> Message-ID: <404ACFC8.60108@glendown.de> Pete wrote: >> >> We are at the moment running a single Celeron 2.2GHz SuSE w/512MB RAM >> and 2x IDE drive with software RAID1 ... machine is usually in the range >> of .1-.2 load average ... running the current MailScanner w/ F-Prot and >> ClamAV ... (adding Clam added somewhere around .05-.1 to the load >> average). Currently, the machine is running spam&AV tests for something >> like 20-30k emails on weekdays ... >> >> -gg >> > Thanks this is very usefull info. > > with that kinda of load, things like MyDoom or some of the other recentl > nasties had little impact on performance, mail was still scanned and > routed in a timely manner? CPU utilization has been pushed near the 50% mark during the Netsky etc. floods the last couple days - still, no noticable delays in the actual delivery - no build-up in the number of in-queue files, no problems with the outgoing files ... Btw, we're usually putting a total of 500+MB of mails through the server per day ... 
-gg

From pz at CHRIST-NET.SK Sun Mar 7 08:09:32 2004
From: pz at CHRIST-NET.SK (pz)
Date: Thu Jan 12 21:23:09 2006
Subject: Spam rules does not work with postfix
In-Reply-To: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk>
Message-ID:

Hello,

i m using Postfix and latest mailscanner, but scanning rules (for spam check or spam assassin check) does not work.

Mail was sent to address pz@virtdomain.sk

rules:
To: virtdomain.sk no
To: mail.server.sk no
FromOrTo: default yes

NOT Accept, all mails to pz@virtdomain.sk are scanned

Here is list from header of my email.

X-Original-To: pz@virtdomain.sk
Delivered-To: pz@mail.server.sk
X-Mailscanner-To: pz@mail.server.sk, pz@rcc.sk

Maybe will be better, when mailscanner accept X-Original-To address as To: address.

Peter

From pz at CHRIST-NET.SK Sun Mar 7 08:15:53 2004
From: pz at CHRIST-NET.SK (pz)
Date: Thu Jan 12 21:23:09 2006
Subject: Spam rules does not work with postfix (corrected)
In-Reply-To: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304205947.039b2240@imap.ecs.soton.ac.uk>
Message-ID:

Hello,

i m using Postfix and latest mailscanner, but scanning rules (for spam check or spam assassin check) does not work.

Mail was sent to address pz@virtdomain.sk

rules:
To: virtdomain.sk no
To: mail.server.sk no
FromOrTo: default yes

NOT Accept, all mails to pz@virtdomain.sk are scanned

Here is list from header of my email.

X-Original-To: pz@virtdomain.sk
Delivered-To: pz@mail.server.sk
X-Mailscanner-To: pz@mail.server.sk, pz@virtdomain.sk

Maybe will be better, when mailscanner accept X-Original-To address as To: address.
Peter From kevins at BMRB.CO.UK Sun Mar 7 11:19:31 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404A56B4.5060402@eatathome.com.au> References: <404A56B4.5060402@eatathome.com.au> Message-ID: <1078658371.13951.58.camel@bach.kevinspicer.co.uk> On Sat, 2004-03-06 at 22:54, Pete wrote: > For 6k - 9k emails per day, running Clamav and etrust would something > like a Proliant ML370 2 x P3 800/1GB RAM and scsi HDD running either > suse or red hat 9 (my FreeBSd skills are not sufficient for this yet) be > enough horsepower? Alternately our vendor has a single Ml310 P2.8 /1GB > Ram and scsi. will mailScanner benefit more from dual CPU or faster CPU > considering the load i described above? Or would I be better off spend > more on RAM? 1 GB seems like plenty of RAM to me, but then again i > havent processed 9k emails before, and some of you have, so hopefully > some one could advised on which hardware will benefit MS more? > > Additionally we may have access to an additional scanner license - would > i be better off running 3 x virus scanners, clam, etrust and > sophos/f-prot, or just run 2, clam and sophos/f-prot, especially > considering my hardware limitations? In terms of scanners the more the merrier! The machine you have specified above won't even break a sweat with this kind of load, and would probably cope ok with double the load (thats important since at the height of the recent MyDoom outbreak my mail load nearly doubled - I imagine others had a similar experience) For reference the 6k-9k load is pretty much what I do, my setup is as follows.. Software: MailScanner (latest beta - haven't upgraded to latest stable yet) - work directory in tmpfs, using both filename and filetype rules SpamAssassin (latest) DCC Pyzor Razor Caching-Nameserver (just added) MailScanner-MRTG (guess that won't surprise anyone!) MailStats sendmail (using LDAP Routing feature [without LDAP!] 
to reject invalid recipients) 3 Scanners , SophosSAVI, ClamAV, Symantec Carrierscan Hardware: Compaq BL10e blade server (800MHz processor, 1G ram, 40G mini IDE hard drive, 100M ethernet [incoming over 2M E1] This copes well (although at the height of the MyDoom outbreak it was getting a little behind - since then I've added CarrierScan which would make it worse and the LDAP routing which would have really helped by getting rid of a lot of the invalid mail). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Sun Mar 7 11:22:46 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:09 2006 Subject: Server Spec for MailScanner In-Reply-To: <404A62F5.1090807@mail.wvnet.edu> References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <404A62F5.1090807@mail.wvnet.edu> Message-ID: <1078658566.13949.62.camel@bach.kevinspicer.co.uk> On Sat, 2004-03-06 at 23:47, Richard Lynch wrote: > This brings up something I've been wondering about. I'm currently > running three scanners. It was my impression that the overhead was > mostly in the decoding phase so adding additional scanners didn't really > cost that much. Is that correct or am I mistaken? > I think that depends on the scanner to some extent. I just added Symantec Carrierscan (we have a site license so I thought why not!) and couldn't notice any change to the load / CPU. Presumably theres an I/O implication. 
but that doesn't seem to be causing me any problems. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From garry at GLENDOWN.DE Sun Mar 7 11:28:25 2004 From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:23:09 2006 Subject: Multiple scanner - why call more than one? In-Reply-To: <1078658371.13951.58.camel@bach.kevinspicer.co.uk> References: <404A56B4.5060402@eatathome.com.au> <1078658371.13951.58.camel@bach.kevinspicer.co.uk> Message-ID: <404B0759.2080202@glendown.de> I was just wondering - with multiple virus scanners installed and used, what's the point in calling the second one once a file is already identified as a virus? -gg From kevins at BMRB.CO.UK Sun Mar 7 11:30:28 2004 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:23:09 2006 Subject: mailscanner entries in sendmail logs too long? In-Reply-To: <404A72DC.17569.EDCD11@localhost> References: <404A72DC.17569.EDCD11@localhost> Message-ID: <1078659028.13949.65.camel@bach.kevinspicer.co.uk> On Sun, 2004-03-07 at 05:54, Mack wrote: > My problem: I just discovered that occasionally the mailscanner entry in my > sendmail logs seems to be incomplete. It seems to happen when the spamassassin > report is really long. There is a maximum size for syslog packets of 1024 bytes, that is why you are seeing this behaviour. 
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Sun Mar 7 11:36:36 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:10 2006 Subject: Multiple scanner - why call more than one? In-Reply-To: <404B0759.2080202@glendown.de> References: <404A56B4.5060402@eatathome.com.au> <1078658371.13951.58.camel@bach.kevinspicer.co.uk> <404B0759.2080202@glendown.de> Message-ID: <6.0.1.1.2.20040307113341.03aaa2d0@imap.ecs.soton.ac.uk> At 11:28 07/03/2004, you wrote: >I was just wondering - with multiple virus scanners installed and used, >what's the point in calling the second one once a file is already >identified as a virus? The virus scanning is done in batches, so many messages are scanned at once when the system is under load. The speed difference between scanning, say, 20 and 21 message attachments is almost nil. So it would only make sense to skip the 2nd scanner if every attachment in every message in the batch was detected as a virus by the 1st scanner. Which is very unlikely. So, in summary, it wouldn't make a noticeable difference to the speed. 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kevins at BMRB.CO.UK Sun Mar 7 11:36:11 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:23:10 2006
Subject: Multiple scanner - why call more than one?
In-Reply-To: <404B0759.2080202@glendown.de>
References: <404A56B4.5060402@eatathome.com.au> <1078658371.13951.58.camel@bach.kevinspicer.co.uk> <404B0759.2080202@glendown.de>
Message-ID: <1078659371.13951.69.camel@bach.kevinspicer.co.uk>

On Sun, 2004-03-07 at 11:28, Garry Glendown wrote:
> I was just wondering - with multiple virus scanners installed and used,
> what's the point in calling the second one once a file is already
> identified as a virus?

Because all messages (and files from them) in a batch are scanned together. By the time you've excluded the ones you've already picked up and called the scanner on individual files rather than the batch you've lost the performance gains several times over. Also it's nice to see which scanners did or didn't catch the virus.

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
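
The 1024-byte syslog limit mentioned in the reply above about incomplete sendmail log entries can be checked for mechanically. The following is an added example, not code from the thread or from MailScanner: it flags log lines whose SpamAssassin report was cut off and shows how much of the score is no longer explained by the rules that survived. The log lines are constructed, and the "Message ... is spam" layout, host names and message ids are assumptions; the report format follows the X-MailScanner-SpamCheck header quoted earlier on this page.

```python
import re

SYSLOG_MAX = 1024  # maximum syslog packet size quoted in the thread, in bytes

# One "RULE_NAME 1.23" item of the report, as in the SpamCheck header.
RULE_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*) (-?\d+\.\d+)")
NUM_RE = re.compile(r"-?\d+(?:\.\d+)?")
MSGID_RE = re.compile(r"Message (\S+) ")  # assumed log layout, see build_line()
MARKER = "SpamAssassin ("


def parse_report(line):
    """Parse the SpamAssassin report in one log line.

    Returns None when the line carries no report. Otherwise returns a dict in
    which 'complete' is False when the closing parenthesis never arrived.
    """
    start = line.find(MARKER)
    if start < 0:
        return None
    body = line[start + len(MARKER):].rstrip()
    complete = body.endswith(")")
    if complete:
        body = body[:-1]
    items = [part.strip() for part in body.split(",") if part.strip()]
    cut = None
    if not complete and items:
        # The final item may have lost part of its name or score: set it aside.
        cut = items.pop()
    score = required = None
    rules = {}
    for item in items:
        rule = RULE_RE.fullmatch(item)
        if item.startswith("score=") and NUM_RE.fullmatch(item[6:]):
            score = float(item[6:])
        elif item.startswith("required ") and NUM_RE.fullmatch(item[9:]):
            required = float(item[9:])
        elif rule:
            rules[rule.group(1)] = float(rule.group(2))
    unaccounted = None
    if score is not None:
        # Part of the total score that the surviving rules do not explain.
        unaccounted = round(score - sum(rules.values()), 3)
    return {"complete": complete, "score": score, "required": required,
            "rules": rules, "cut_item": cut, "unaccounted": unaccounted}


def audit(lines):
    """Return one finding per log line whose report was truncated."""
    findings = []
    for line in lines:
        report = parse_report(line)
        if report is None or report["complete"]:
            continue
        msg = MSGID_RE.search(line)
        findings.append({"message": msg.group(1) if msg else None,
                         "score": report["score"],
                         "rules_kept": len(report["rules"]),
                         "unaccounted": report["unaccounted"]})
    return findings


def build_line(msg_id, score, rules):
    """Build a constructed log line and cut it at SYSLOG_MAX bytes."""
    report = ", ".join(f"{name} {value:.2f}" for name, value in rules)
    text = (f"Mar  7 05:54:01 mailhost MailScanner[1234]: Message {msg_id} "
            f"from 192.0.2.10 (sender@example.com) to example.org is spam, "
            f"SpamAssassin (score={score}, required 5, {report})")
    return text.encode("ascii")[:SYSLOG_MAX].decode("ascii")


# Rule names and scores taken from the header quoted on this page.
PAGE_RULES = [("HTML_MESSAGE", 0.00), ("RM_bw_VIAGRA", 3.00),
              ("RM_sl_ForeignChar", 3.00), ("RM_swm_DrugsVo2", 18.00)]
# Constructed filler rules push the highest-scoring rule past the limit.
LONG_RULES = ([(f"CONSTRUCTED_RULE_{i:02d}", 0.10) for i in range(60)]
              + PAGE_RULES[3:])

SAMPLE_LINES = [
    build_line("CONSTRUCTED0001", 24.001, PAGE_RULES),
    build_line("CONSTRUCTED0002", 24.0, LONG_RULES),
    "Mar  7 05:54:02 mailhost MailScanner[1234]: Virus and Content Scanning: Starting",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```

The check relies on the report's structure rather than on the stored line length, because the receiving syslog daemon rewrites the header before the line reaches disk.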

From peter at UCGBOOK.COM Sun Mar 7 11:37:19 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
In-Reply-To: <404A6EBB.1030105@eatathome.com.au>
References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <1078616706.2857.39.camel@localhost.localdomain> <404A6EBB.1030105@eatathome.com.au>
Message-ID: <404B096F.5010700@ucgbook.com>

Pete wrote:
> Considering our small mail volume, how to do put a price on the savings
> for the company? Not in the cost of users processing spam themselves,
> but in the sense that if we were to buy the next best thing, that was a
> commercial product with 'support', whats sort of cost savings are we
> talking about? Is a well configured and smoothly running open source
> MS/SA machine comparable to 10k or 100K commercial products? I just
> need to add it to my advice on the product we are supplying to
> management - i can find costs of products on the net, but i am not sure
> which product to compare MS to?

Here are a couple:

http://www.barracudanetworks.com/
http://www.gfi.com/

Barracuda is SpamAssassin based and has a nice GUI, it's not expensive either but except for SA they are shy about what technology they use. When it comes to GFI, you will need both MailEssentials and MailSecurity to cover what MS+SA+Clam does for free.

Both sites have prices online.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From gib at TMISNET.COM Sun Mar 7 11:52:21 2004
From: gib at TMISNET.COM (Gib Gilbertson Jr.)
Date: Thu Jan 12 21:23:10 2006
Subject: Mailstats
In-Reply-To: <6.0.1.1.2.20040307113341.03aaa2d0@imap.ecs.soton.ac.uk>
References: <404A56B4.5060402@eatathome.com.au> <1078658371.13951.58.camel@bach.kevinspicer.co.uk> <404B0759.2080202@glendown.de> <6.0.1.1.2.20040307113341.03aaa2d0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040307215035.02b94978@mail.tmisnet.com>

Hi.

Does anyone have a handy script that will give daily stats from sendmail logs? Checked through the mailing list and found a couple but they don't seem to give any output when run against sendmail's maillog.

Thanks
gib

Gib Gilbertson Jr.
Tierramiga Info Systems
619-287-8647 Support
http://www.tmisnet.com
San Diego's "Friendly ISP"

From pete at eatathome.com.au Sun Mar 7 13:11:11 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
In-Reply-To: <404B096F.5010700@ucgbook.com>
References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <1078616706.2857.39.camel@localhost.localdomain> <404A6EBB.1030105@eatathome.com.au> <404B096F.5010700@ucgbook.com>
Message-ID: <404B1F6F.70506@eatathome.com.au>

>
> Here are a couple:
>
> http://www.barracudanetworks.com/
> http://www.gfi.com/
>
> Barracuda is SpamAssassin based and has a nice GUI, it's not expensive
> either but except for SA they are shy about what technology they use.
> When it comes to GFI, you will need both MailEssentials and MailSecurity
> to cover what MS+SA+Clam does for free.
>
> Both sites have prices online.
>

Ta for those tips - have you heard of a product called CA? That is specifically for mail filtering spam and viruses? I looked on www.ca.com and they don't seem to have a product like this?

The IT manager from the company that now owns us spoke of it when i offered him mailscanner - he said he was buying this really expensive filter software/support package called CA - i wanted to check it out, in the hope it didn't have as many features as MS, so i could 'sell' them our MS solution.

From ugob at CAMO-ROUTE.COM Sun Mar 7 13:19:10 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
Message-ID: <54C38A0B814C8E438EF73FC76F36292741098B@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Pete [mailto:pete@eatathome.com.au]
>Sent: March 7, 2004 08:11
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Server Spec for MailScanner
>
>
>>
>> Here are a couple:
>>
>> http://www.barracudanetworks.com/
>> http://www.gfi.com/

http://www.postini.com/ 's product once got a very good review. I suggest you read the review, you'll get other names.

http://www.nwfusion.com/reviews/2003/0915spam.html

>>
>> Barracuda is SpamAssassin based and has a nice GUI, it's not expensive
>> either but except for SA they are shy about what technology they use.
>> When it comes to GFI, you will need both MailEssentials and MailSecurity
>> to cover what MS+SA+Clam does for free.
>>
>> Both sites have prices online.
>>
>Ta for those tips - have you heard of a product called CA? That is
>specifically for mail filtering spam and viruses? I looked on www.ca.com
>and they don't seem to have a product like this?
>
>The IT manager from the company that now owns us spoke of it when i
>offered him mailscanner - he said he was buying this really expensive
>filter software/support package called CA - i wanted to check it out, in
>the hope it didn't have as many features as MS, so i could 'sell' them
>our MS solution.
>

From pete at eatathome.com.au Sun Mar 7 13:22:33 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410989@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410989@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <404B2219.4070707@eatathome.com.au>

Ugo Bellavance wrote:

>
>I think http://www.postini.com/ 's product had very good reviews.
>
>
>

I know it's only pure gadget factor but the world stat thing on that site is great, would be nice if MS had some form of sending the daily stats back to 'someone's' DB server and displayed something like that...

also the spam cost calculator at http://www.barracudanetworks.com/spam_calc.php is good for the exercise i am doing, saving 40k US per year conservatively, according to that :)

From peter at UCGBOOK.COM Sun Mar 7 13:42:10 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
In-Reply-To: <404B2219.4070707@eatathome.com.au>
References: <54C38A0B814C8E438EF73FC76F362927410989@mtlnt501fs.CAMOROUTE.COM> <404B2219.4070707@eatathome.com.au>
Message-ID: <404B26B2.8060200@ucgbook.com>

Pete wrote:
> also the spam cost calculator at
> http://www.barracudanetworks.com/spam_calc.php is good for the exercise
> i am doing, saving 40k US per year conservatively, according to that :)

More heavy duty ones if you like statistics and scare tactics, now it's getting harder to get an actual price though: ;-)

http://www.brightmail.com/
http://www.messagelabs.com/

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From peter at UCGBOOK.COM Sun Mar 7 13:43:12 2004
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:23:10 2006
Subject: Server Spec for MailScanner
In-Reply-To: <404B1F6F.70506@eatathome.com.au>
References: <1078616190.404a607e6f3ba@webmail.MUW.Edu> <1078616706.2857.39.camel@localhost.localdomain> <404A6EBB.1030105@eatathome.com.au> <404B096F.5010700@ucgbook.com> <404B1F6F.70506@eatathome.com.au>
Message-ID: <404B26F0.2050704@ucgbook.com>

Pete wrote:
> Ta for those tips - have you heard of a product called CA? That is
> specifically for mail filtering spam and viruses? I looked on www.ca.com
> and they don't seem to have a product like this?

CA has a product called eTrust Secure Content Manager, maybe that's what he's referring to..? Seems to be Windows only though, which means nice frontend and no backend.

> The IT manager from the company that now owns us spoke of it when i
> offered him mailscanner - he said he was buying this really expensive
> filter software/support package called CA - i wanted to check it out, in
> the hope it didn't have as many features as MS, so i could 'sell' them
> our MS solution.

Get the PowerPoint that sold him (when it's managers it's always PowerPoint) and check it out. Usually it's a mix of bold exaggerations, lies and slandering of the competition. A tip for you - if they compare themselves to another product, then that's the one you want to check out no matter what they say about it. ;-)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

From brose at MED.WAYNE.EDU Sun Mar 7 15:51:40 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:23:10 2006
Subject: Mailscanner 4.28.5-2 and Unscanneabled Zips
Message-ID:

I think the Bagle/Beagle virus also has a bug in that it sends broken zip files not just password protected ones. I've seen some unscannable zips. Can MailScanner next revision apply the same rule to broken zips that it does for password protected ones?

-=Bobby

From mailscanner at ecs.soton.ac.uk Sun Mar 7 16:04:35 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:10 2006
Subject: Mailscanner 4.28.5-2 and Unscanneabled Zips
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040307160420.03c4fe28@imap.ecs.soton.ac.uk>

At 15:51 07/03/2004, you wrote:
>I think the Bagle/Beagle virus also has a bug in that it sends broken
>zip files not just password protected ones. I've seen some unscannable
>zips.
>Can MailScanner next revision apply the same rule to broken zips
>that it does for password protected ones?

But broken zips are harmless, so why stop them?
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Sun Mar 7 16:17:37 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:23:10 2006
Subject: Mailscanner 4.28.5-2 and Unscanneabled Zips
In-Reply-To: <6.0.1.1.2.20040307160420.03c4fe28@imap.ecs.soton.ac.uk>
Message-ID:

If they are harmless it seems like a waste of resources stopping them, unless I am missing something....

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 07 March 2004 16:05
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Mailscanner 4.28.5-2 and Unscanneabled Zips
>
>
> At 15:51 07/03/2004, you wrote:
> >I think the Bagle/Beagle virus also has a bug in that it sends broken
> >zip files not just password protected ones. I've seen some unscannable
> >zips. Can MailScanner next revision apply the same rule to broken zips
> >that it does for password protected ones?
>
> But broken zips are harmless, so why stop them?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Email scanned by Blacknight for viruses and dangerous content.
Visit http://www.blacknight.ie for more information

From mailscanner at ecs.soton.ac.uk Sun Mar 7 16:41:18 2004
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:23:10 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200403071641.i27GfIqk008165@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Chris Schanzle

I'm fairly new to running mailscanner, but I have coworkers that have been using it for years and they think you give - by far - the best support of any open-source project to date (and we use a bunch of 'em).

Make no doubt - you, Julian, are making big impact on the world. What could be better than to help millions of people?

I hope someday your software becomes obsolete (in that we don't have the massive spam and virus issues we have today).

THANK YOU!
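
For the broken-zip thread above (the request to treat unscannable zips like password-protected ones, and the replies), this added example shows how a gateway can tell an intact, a password-protected and a broken archive apart before any policy is applied. It is not MailScanner code and was not posted in the thread: it uses Python's zipfile module rather than MailScanner's own Perl code, and the size cap, function names and in-memory sample archives are constructed assumptions.

```python
import io
import struct
import zipfile
import zlib

MAX_UNPACKED = 10 * 1024 * 1024  # assumed per-archive cap on expanded bytes

# Exceptions the standard library can raise while reading a damaged archive.
BROKEN_ERRORS = (zipfile.BadZipFile, zlib.error, EOFError, struct.error,
                 NotImplementedError, ValueError, OSError)


def classify_zip(data, max_unpacked=MAX_UNPACKED):
    """Return 'ok', 'encrypted', 'broken' or 'too-large' for an attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
            # Bit 0 of the general-purpose flags marks a protected member.
            if any(m.flag_bits & 0x1 for m in members):
                return "encrypted"
            budget = max_unpacked
            for member in members:
                with archive.open(member) as handle:
                    # Read in chunks so a false size field cannot exhaust
                    # memory; zipfile raises BadZipFile on a CRC mismatch
                    # once the end of the member is reached.
                    while True:
                        chunk = handle.read(65536)
                        if not chunk:
                            break
                        budget -= len(chunk)
                        if budget < 0:
                            return "too-large"
    except BROKEN_ERRORS:
        return "broken"
    return "ok"


def make_samples():
    """Build constructed sample archives in memory (no real mail involved)."""
    payload = b"constructed sample attachment body"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("report.txt", payload)
    good = buf.getvalue()

    # Cutting the file in half loses the directory stored at its end.
    truncated = good[: len(good) // 2]

    # Flipping one stored byte leaves the directory intact but breaks the CRC.
    damaged = bytearray(good)
    damaged[good.index(payload)] ^= 0xFF

    # Set only the "encrypted" flag bit in the central directory entry to
    # imitate a password-protected member; the data itself is unchanged.
    flagged = bytearray(good)
    central = good.rindex(b"PK\x01\x02")
    flagged[central + 8] |= 0x01

    return {"good": good, "truncated": truncated,
            "damaged": bytes(damaged), "flagged": bytes(flagged)}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, "->", classify_zip(blob))
```

Keeping "broken" and "encrypted" as separate verdicts lets a site apply the same rule to both or treat them differently, which is the choice the thread is arguing about.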

From shawkris at HOTMAIL.COM Sun Mar 7 16:43:37 2004
From: shawkris at HOTMAIL.COM (Kristian Shaw)
Date: Thu Jan 12 21:23:10 2006
Subject: MCP and Spam actions
Message-ID:

Hi,

I've done a bit more investigation on this problem (with version 4.28.5-2) in debug mode and found this appears in the log when a message is *both* spam and MCP:

Mar 7 16:15:17 mailscanner MailScanner[3722]: Spam Actions: message i27GF70K003708 actions are attachment
Mar 7 16:15:17 mailscanner MailScanner[3722]: Created attachment dirs for 0 messages

It seems that the 'deliver' part of the action is missing.
If I change spam.actions.rules to just

FromOrTo: default deliver

I just see the following in the log:

Mar 7 16:26:05 mailscanner MailScanner[4050]: Spam Actions: message i27GNwB2003994 actions are

i.e. No actions at all. This is probably the reason messages go into a black hole. Any suggestions?

Kris.

From postmaster at mail.autopartswebsolutions.net Sun Mar 7 17:57:15 2004
From: postmaster at mail.autopartswebsolutions.net (MailScanner)
Date: Thu Jan 12 21:23:10 2006
Subject: Unsolicited commercial email rejected
Message-ID: <200403071757.i27HvFq20982@mail.autopartswebsolutions.net>

Our UCE (spam) detectors have been triggered by a message you sent:-
To: sales@autosportvolkswagenparts.com
Subject: hi
Date: Sun Mar 7 12:57:15 2004

This message has been rejected. The detector that triggered is SpamAssassin. The content of your message indicates that it is probably spam e-mail, which is why it has been rejected.

We do not accept unsolicited commercial (spam) e-mail and actively work to stop it. If you are sending spam and continue to do so, your Internet Service Provider may be contacted and requested to close your account.

If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Mar 7 17:35:36 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:10 2006
Subject: MCP and Spam actions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040307173509.03d82de0@imap.ecs.soton.ac.uk>

At 16:43 07/03/2004, you wrote:
>Hi,
>
>I've done a bit more investigation on this problem (with version 4.28.5-2)
>in debug mode and found this appears in the log when a message is *both*
>spam and MCP:
>
>Mar 7 16:15:17 mailscanner MailScanner[3722]: Spam Actions: message
>i27GF70K003708 actions are attachment

If you want it to deliver, you have to ask it to. Use "attachment deliver".

>Mar 7 16:15:17 mailscanner MailScanner[3722]: Created attachment dirs for
>0 messages
>
>It seems that the 'deliver' part of the action is missing.
>If I change spam.actions.rules to just
>
>FromOrTo: default deliver
>
>I just see the following in the log:
>
>Mar 7 16:26:05 mailscanner MailScanner[4050]: Spam Actions: message
>i27GNwB2003994 actions are
>
>i.e. No actions at all. This is probably the reason messages go into a
>black hole. Any suggestions?
>
>Kris.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From kevin1a at VARLOG.NET Sun Mar 7 17:41:49 2004
From: kevin1a at VARLOG.NET (Kevin Brouelette)
Date: Thu Jan 12 21:23:10 2006
Subject: Mail server vs. mail relay
Message-ID: <1078681309.11626.52.camel@athlon.kblan.com>

Hello

I'm running Mailscanner on a slackware linux servers and need some guidance.

I have a mail server that the users get their mail from [IMAP] and it runs mailscanner which controls sendmail, ClamAV and SpamAssassin. Works great.

My problem is on a different server with the same setup that is used as a mail-relay only to clean email and relay it to an Exchange server.

Since I use sendmails 'mailertable' feature to relay the mail, Mailscanner calls ClamAV and calls sendmail but doesn't call Spamassassin for some reason. Without changing any of the setup I created a local user on that server and it works fine. Something changes the way mail is handled when the server is used as a mail-relay that I don't quite understand.

I decided to use sendmail-milter for now. Now Mailscanner calls sendmail which [calls spamassassin via libmilter] and Mailscanner still calls ClamAV.

This results in the mail getting tagged for spam in the headers just fine but it's not easily managed to have whitelists/blacklists etc.

Should I be able to make this work without using libmilter so I can control everything with just mailscanners config file??

Any help is appreciated.
TIA

Kevin Brouelette

From brose at MED.WAYNE.EDU Sun Mar 7 17:50:33 2004
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:23:10 2006
Subject: Mailscanner 4.28.5-2 and Unscanneabled Zips
Message-ID:

Support calls and emails asking about them would be one reason and the second reason would be to prevent it from becoming a form of DOS attack. It's just a suggestion. I'd think it just be another Compress::Zip error code and it's take less resources to stop them than actually delivering them. I have Symantec for Exchange running on our mailbox servers and it's taking care of the problem but I'm certain not everyone out there has the same setup that I do with MS watching the borders and Symantec watching internal mail.

-=B

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michele Neylon :: Blacknight Solutions
Sent: Sunday, March 07, 2004 11:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner 4.28.5-2 and Unscanneabled Zips

If they are harmless it seems like a waste of resources stopping them, unless I am missing something....

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: 07 March 2004 16:05
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Mailscanner 4.28.5-2 and Unscanneabled Zips
>
>
> At 15:51 07/03/2004, you wrote:
> >I think the Bagle/Beagle virus also has a bug in that it sends
> >broken zip files not just password protected ones. I've seen some
> >unscannable zips. Can MailScanner next revision apply the same rule
> >to broken zips that it does for password protected ones?
>
> But broken zips are harmless, so why stop them?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz MailScanner
> thanks transtec Computers for their support PGP footprint: EE81 D763
> 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Email scanned by Blacknight for viruses and dangerous content.
Visit http://www.blacknight.ie for more information

From ugob at CAMO-ROUTE.COM Sun Mar 7 17:52:17 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:10 2006
Subject: Mail server vs. mail relay
Message-ID: <54C38A0B814C8E438EF73FC76F36292741098D@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Kevin Brouelette [mailto:kevin1a@VARLOG.NET]
>Sent: March 7, 2004 12:42
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Mail server vs.
>mail relay
>
>
>Hello
>
>I'm running Mailscanner on a slackware linux servers and need some
>guidance.
>
>I have a mail server that the users get their mail from
>[IMAP] and it runs mailscanner which controls sendmail, ClamAV and
>SpamAssassin. Works great.
>
>My problem is on a different server with the same setup
>that is used as a mail-relay only to clean email and relay
>it to an Exchange server.
>
>Since I use sendmails 'mailertable' feature to relay the mail,
>Mailscanner calls ClamAV and calls sendmail but doesn't call
> Spamassassin for some reason.
>Without changing any of the setup I created a local user on that
>server and it works fine. Something changes the way mail is handled
> when the server is used as a mail-relay that I don't quite understand.
>
>I decided to use sendmail-milter for now. Now Mailscanner calls sendmail
> which [calls spamassassin via libmilter] and Mailscanner still calls
>ClamAV.
>
>This results in the mail getting tagged for spam in the headers just
>fine but it's not easily managed to have whitelists/blacklists etc.
>
>Should I be able to make this work without using libmilter so I can
> control everything with just mailscanners config file??

Yes you should. I have the same setup, MailScanner in front of an Exchange server. Virus scanning and SpamAssassin work perfectly.

You should make sure you don't have a ruleset that disables spam checks or that you didn't whitelist the world by mistake.

Ugo

>
>Any help is appreciated.
>TIA
>
>Kevin Brouelette
>

From kevin1a at VARLOG.NET Sun Mar 7 18:10:59 2004
From: kevin1a at VARLOG.NET (Kevin Brouelette)
Date: Thu Jan 12 21:23:10 2006
Subject: Mail server vs.
mail relay
In-Reply-To: <54C38A0B814C8E438EF73FC76F36292741098D@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F36292741098D@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <1078683059.4792.3.camel@athlon.kblan.com>

On Sun, 2004-03-07 at 09:52, Ugo Bellavance wrote:
> >-----Original Message-----
> >From: Kevin Brouelette [mailto:kevin1a@VARLOG.NET]
> >Sent: March 7, 2004 12:42
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Mail server vs. mail relay
> >
> >
> >Hello
> >
> >I'm running Mailscanner on a slackware linux servers and need some
> >guidance.
> >
> >I have a mail server that the users get their mail from
> >[IMAP] and it runs mailscanner which controls sendmail, ClamAV and
> >SpamAssassin. Works great.
> >
> >My problem is on a different server with the same setup
> >that is used as a mail-relay only to clean email and relay
> >it to an Exchange server.
> >
> >Since I use sendmails 'mailertable' feature to relay the mail,
> >Mailscanner calls ClamAV and calls sendmail but doesn't call
> > Spamassassin for some reason.
> >Without changing any of the setup I created a local user on that
> >server and it works fine. Something changes the way mail is handled
> > when the server is used as a mail-relay that I don't quite understand.
> >
> >I decided to use sendmail-milter for now. Now Mailscanner calls sendmail
> > which [calls spamassassin via libmilter] and Mailscanner still calls
> >ClamAV.
> >
> >This results in the mail getting tagged for spam in the headers just
> >fine but it's not easily managed to have whitelists/blacklists etc.
> >
> >Should I be able to make this work without using libmilter so I can
> > control everything with just mailscanners config file??
>
> Yes you should. I have the same setup, MailScanner in front of an Exchange server. Virus scanning and SpamAssassin work perfectly.
>
> You should make sure you don't have a ruleset that disables spam checks or that you didn't whitelist the world by mistake.
>
> Ugo

Hello

I haven't setup anything special. It's near default conf file with just changes to enable clamav and spamassassin.

Care to share your mailscanner.conf ?
I'll post mine.

Thanks Ugo

Kevin
--

-------------- next part --------------
# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
#       please put their *real* location in here, not a path that
#       includes any links. You may get some very strange error
#       messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
#       A lot of the settings can take a ruleset as well as just simple
#       values. These rulesets are files containing rules which are applied
#       to the current message to calculate the value of the configuration
#       option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
#       As well as rulesets, you can now include your own functions in
#       here. Look at the directory containing Config.pm and you will find
#       CustomConfig.pm. In here, you can add your own "value" function and
#       an Initvalue function to set up any global state you need such as
#       database connections. Then for a setting below, you can put:
#               Configuration Option = &ValueFunction
#       where "ValueFunction" is the name of the function you have
#       written in CustomConfig.pm.
#

#
# Definition of variables which are substituted into definitions below
#

# Set the directory containing all the reports in the required language
%report-dir% = /opt/MailScanner/etc/reports/en

# Configuration directory containing this file
%etc-dir% = /opt/MailScanner/etc

# Rulesets directory containing your ".rules" files
%rules-dir% = /opt/MailScanner/etc/rules

# Enter a short identifying name for your organisation below, this is
# used to make the X-MailScanner headers unique for your organisation.
# Multiple servers within one site should use an identical value here
# to avoid adding multiple redundant headers where mail has passed
# through several servers within your organisation.
%org-name% = yoursite

#
# System settings
# ---------------
#

# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
# If you are running on a small system with limited RAM, you should
# note that each child takes just over 20MB.
#
# As a rough guide, try 5 children per CPU. But read the notes above.
Max Children = 5

# User to run as (not normally used for sendmail)
#Run As User = mail
#Run As User = postfix
Run As User =

# Group to run as (not normally used for sendmail)
#Run As Group = mail
#Run As Group = postfix
Run As Group =

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 5

# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
#    Example: /var/spool/mqueue.in
# 2.
#    A wildcard giving directory names
#    Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
#    which can in turn contain wildcards.
#    Example: /opt/MailScanner/etc/mqueue.in.list.conf
#
Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /opt/MailScanner/var/MailScanner.pid

# To avoid resource leaks, re-start periodically
Restart Every = 14400

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = sendmail

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/lib/sendmail

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/lib/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/lib/sendmail

#
# Processing Incoming Mail
# ------------------------
#

# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

# If more messages are found in the queue than this, then switch to an
# "accelerated" mode of processing messages. This will cause it to stop
# scanning messages in strict date order, but in the order it finds them
# in the queue. If your queue is bigger than this size a lot of the time,
# then some messages could be greatly delayed. So treat this option as
# "in emergency only".
Max Normal Queue Size = 5000

# The maximum number of attachments allowed in a message before it is
# considered to be an error. Some email systems, if bouncing a message
# between 2 addresses repeatedly, add information about each bounce as
# an attachment, creating a message with thousands of attachments in just
# a few minutes. This can slow down or even stop MailScanner as it uses
# all available memory to unpack these thousands of attachments.
# This can also be the filename of a ruleset.
Maximum Attachments Per Message = 200

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
# This can also be the filename of a ruleset.
TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = #/usr/bin/file

# The maximum length of time the "file" command is allowed to run for 1
# batch of messages (in seconds)
File Timeout = 20

# The maximum size, in bytes, of any message including the headers.
# If this is set to zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = 0 # # Virus Scanning and Vulnerability Testing # ---------------------------------------- # # Do you want to scan email for viruses? # A few people don't have a virus scanner licence and so want to disable # all the virus scanning. # NOTE: This switch actually switches on/off all processing of the email # messages. If you just want to switch off actual virus scanning, # then set "Virus Scanners = none" instead. # # If you want to be able to switch scanning on/off for different users or # different domains, set this to the filename of a ruleset. # This can also be the filename of a ruleset. Virus Scanning = yes # Which Virus Scanning package to use: # sophos from www.sophos.com, or # sophossavi (also from www.sophos.com, using the SAVI perl module), or # mcafee from www.mcafee.com, or # command from www.command.co.uk, or # kaspersky-4.5 from www.kaspersky.com, or # kaspersky from www.kaspersky.com, or # kavdaemonclient from www.kaspersky.com, or # etrust from http://www3.ca.com/Solutions/Product.asp?ID=156, or # inoculate from www.cai.com/products/inoculateit.htm, or # inoculan from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z, or # nod32 from www.nod32.com, or # nod32-1.99 from www.nod32.com, or # f-secure from www.f-secure.com, or # f-prot from www.f-prot.com, or # panda from www.pandasoftware.com, or # rav from www.ravantivirus.com, or # antivir from www.antivir.de, or # clamav from clamav.elektrapro.com, or # trend from www.trendmicro.com, or # none (no virus scanning at all) # # Note for McAfee users: do not use any symlinks with McAfee at all. It is # very strange but may not detect all viruses when # started from a symlink or scanning a directory path # including symlinks. # # Note: If you want to use multiple virus scanners, then this should be a # space-separated list of virus scanners. 
For example: # Virus Scanners = sophos f-prot mcafee # # Note: Make sure that you check that the base installation directory in the # 3rd column of virus.scanners.conf matches the location you have # installed each of your virus scanners. The supplied # virus.scanners.conf file assumes the default installation locations # recommended by each of the virus scanner installation guides. # Virus Scanners = clamav # The maximum length of time the commercial virus scanner is allowed to run # for 1 batch of messages (in seconds). Virus Scanner Timeout = 300 # Should I attempt to disinfect infected attachments and then deliver # the clean ones. "Disinfection" involves removing viruses from files # (such as removing macro viruses from documents). "Cleaning" is the # replacement of infected attachments with "VirusWarning.txt" text # attachments. # Less than 1% of viruses in the wild can be successfully disinfected, # as macro viruses are now a rare occurrence. So the default has been # changed to "no" as it gives a significant performance improvement. # # This can also be the filename of a ruleset. Deliver Disinfected Files = no # Strings listed here will be searched for in the output of the virus scanners. # It is used to list which viruses should be handled differently from other # viruses. If a virus name is given here, then # 1) The sender will not be warned that he sent it # 2) No attempt at true disinfection will take place # (but it will still be "cleaned" by removing the nasty attachments # from the message) # 3) The recipient will not receive the message, # unless the "Still Deliver Silent Viruses" option is set # Other words that can be put in this list are the 3 special keywords # HTML-IFrame : inserting this will stop senders being warned about # HTML Iframe tags, when they are not allowed. # HTML-Codebase : inserting this will stop senders being warned about # HTML Object Codebase tags, when they are not allowed. 
# HTML-Form : inserting this will stop senders being warned about # HTML Form tags, when they are not allowed. # All-Viruses : inserting this will stop senders being warned about # any virus, while still allowing you to warn senders # about HTML-based attacks. # # The default of "All-Viruses" means that no senders of viruses will be # notified (as the sender address is always forged these days anyway), # but anyone who sends a message that is blocked for other reasons will # still be notified. # # This can also be the filename of a ruleset. Silent Viruses = HTML-IFrame All-Viruses # Still deliver (after cleaning) messages that contained viruses listed # in the above option ("Silent Viruses") to the recipient? # Setting this to "yes" is good because it shows management that MailScanner # is protecting them, but it is bad because they have to filter/delete all # the incoming virus warnings. # This can also be the filename of a ruleset. Still Deliver Silent Viruses = yes # Should encrypted messages be blocked? # This is useful if you are wary about your users sending encrypted # messages to your competition. # This can be a ruleset so you can block encrypted message to certain domains. Block Encrypted Messages = no # Should unencrypted messages be blocked? # This could be used to ensure all your users send messages outside your # company encrypted to avoid snooping of mail to your business partners. # This can be a ruleset so you can just check mail to certain users/domains. Block Unencrypted Messages = no # # Options specific to Sophos Anti-Virus # ------------------------------------- # # Anything on the next line that appears in brackets at the end of a line # of output from Sophos will cause the error/infection to be ignored. # Use of this option is dangerous, and should only be used if you are having # trouble with lots of corrupt PDF files, for example. 
# If you need to specify more than 1 string to find in the error message, # then put each string in quotes and separate them with a comma. # For example: #Allowed Sophos Error Messages = "corrupt", "format not supported" Allowed Sophos Error Messages = # The directory (or a link to it) containing all the Sophos *.ide files. # This is only used by the "sophossavi" virus scanner, and is irrelevant # for all other scanners. Sophos IDE Dir = /usr/local/Sophos/ide # The directory (or a link to it) containing all the Sophos *.so libraries. # This is only used by the "sophossavi" virus scanner, and is irrelevant # for all other scanners. Sophos Lib Dir = /usr/local/Sophos/lib # SophosSAVI only: monitor each of these files for changes in size to # detect when a Sophos update has happened. The date of the Sophos Lib Dir # is also monitored. # This is only used by the "sophossavi" virus scanner, not the "sophos" # scanner setting. Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip # # Removing/Logging dangerous or potentially offensive content # ----------------------------------------------------------- # # Do you want to allow partial messages, which only contain a fraction of # the attachments, not the whole thing? There is absolutely no way to # scan these "partial messages" properly for viruses, as MailScanner never # sees all of the attachment at the same time. Enabling this option can # allow viruses through. You have been warned. # This can also be the filename of a ruleset so you can, for example, allow # them in outgoing mail but not in incoming mail. Allow Partial Messages = no # Do you want to allow messages whose body is stored somewhere else on the # internet, which is downloaded separately by the user's email package? # There is no way to guarantee that the file fetched by the user's email # package is free from viruses, as MailScanner never sees it. 
# This feature is dangerous as it can allow viruses to be fetched from # other Internet sites by a user's email package. The user would just # think it was a normal email attachment and would have been scanned by # MailScanner. # It is only currently supported by Netscape 6 anyway, and the only people # who it are the IETF. So I would strongly advise leaving this switched off. # This can also be the filename of a ruleset. Allow External Message Bodies = no # Do you want to allow --xxxx name="accounts.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="myphoto.zip" ################################################################# This is really strange, cause on www.clamav.net a search within the Signature datebase found Dumaru.Y ?!?! Michael From linux at LEUTE.SERVER.DE Thu Mar 25 15:35:13 2004 From: linux at LEUTE.SERVER.DE (Muenz, Michael) Date: Thu Jan 12 21:23:57 2006 Subject: Dumaru again Message-ID: <005801c4127e$c3faf680$85421851@hq> Hi, On my Spamscanner machine I got a copy of that Dumaru worm. With SCP i copied it to the machine where F-Prot and MailScanner runs and did a manual check with F-Prot: Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 3 Infected: 1 Suspicious: 0 Disinfected: 0 Deleted: 0 Renamed: 0 --- But MailScanner hasn't detect it. I got a rule in MailScanner for Virus Scan: FromOrTo: @mydomain.de yes FromOrTo: default no The infected mail was sent to: MyDomain.de Could it be that writing of rules is case sensitive ? - Michael From David.While at UCE.AC.UK Thu Mar 25 15:36:53 2004 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:23:57 2006 Subject: OT: Vispan 1.2 Message-ID: <107DE25EC0216C45AEF670016024245F703C@exchangea.staff.uce.ac.uk> I have had several report of this not working so I am currently looking at the code to try and identify what has gone wrong!. 
----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Alan Sent: 25 March 2004 15:10 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: OT: Vispan 1.2 I reported this directly to David last week when I saw it (plus a few other bugs) in version 1.1 He has me email him some logs, and he then reported that the logs helped him fix the bug in version 1.2 Well, as you saw, the virus counter and graph are still not working in version 1.2 I emailed him about this, but he has not yet responded. -Alan From fredd at CI.ASPEN.CO.US Thu Mar 25 15:27:36 2004 From: fredd at CI.ASPEN.CO.US (Fred Dick) Date: Thu Jan 12 21:23:57 2006 Subject: unsubscribe Message-ID: An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040325/16faaedf/attachment.html From t.d.lee at DURHAM.AC.UK Thu Mar 25 15:43:13 2004 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:23:57 2006 Subject: 4.29.5: Convert::BinHex bites In-Reply-To: References: <200403240000.i2O006M3003506@gaia.elec.ucl.ac.be> Message-ID: On Thu, 25 Mar 2004, Jeff Earickson wrote: > Please post your fix or a patch for this... > > Jeff Earickson > Colby College Also I would encourage contacting the author of Convert::BinHex so that he/she can fix the problem at source. Then not only do MS users benefit, but so do other (non-MS) users of the module. 
> > On Wed, 24 Mar 2004, Pascal Maes wrote: > > > Date: Wed, 24 Mar 2004 08:22:33 +0100 > > From: Pascal Maes > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: 4.29.5: Convert::BinHex bites > > > > >Date: Tue, 23 Mar 2004 12:55:17 -0500 > > >From: Jeff Earickson > > >Subject: 4.29.5: Convert::BinHex bites > > > > > >Julian, > > > > > > I am very dubious about Convert-BinHex-1.119. The README > > >says Alpha code, and the "make test" step fails miserably on > > >Solaris 9, perl 5.8.3: > > > > > >> gmake test > > >PERL_DL_NONLAZY=1 /usr/local/bin/perl "-MExtUtils::Command::MM" "-e" > > >"test_harness(0, 'blib/lib', 'blib/arch')" t/*.t > > >t/comp2bin....Can't locate package Exporter for @Checker::ISA at > > >t/comp2bin.t line 3. > > >Undefined subroutine &main::check called at t/comp2bin.t line 75. > > >t/comp2bin....dubious > > > Test returned status 255 (wstat 65280, 0xff00) > > >DIED. FAILED tests 1-9 > > > Failed 9/9 tests, 0.00% okay > > >Failed Test Stat Wstat Total Fail Failed List of Failed > > >------------------------------------------------------------------------------- > > >t/comp2bin.t 255 65280 9 18 200.00% 1-9 > > >Failed 1/1 test scripts, 0.00% okay. 9/9 subtests failed, 0.00% okay. > > > > > > I have modified the file t/comp2bin.t to include the "Checker" part in it > > and then I get : > > > > gaia:/<3>build/Convert-BinHex-1.119> make test > > PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" > > "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t > > t/comp2bin....ok > > All tests successful. > > Files=1, Tests=9, 1 wallclock secs ( 0.34 cusr + 0.11 csys = 0.45 CPU) > > `test' is up to date. > > > > Solaris 9, perl 5.8.2 > > > > -- > > -- Pascal -- > > -- > > > > -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. 
: From mailscanner at LAYLINE.DE Thu Mar 25 15:48:00 2004 From: mailscanner at LAYLINE.DE (Stephan Ilaender) Date: Thu Jan 12 21:23:57 2006 Subject: Problem identifying DumaRu Virus In-Reply-To: <001401c4127c$fa2e00a0$85421851@hq> References: <20040325134602.28a99211@aurora> <001401c4127c$fa2e00a0$85421851@hq> Message-ID: <20040325164800.5618d639@aurora> am 25.03.2004 schrieb Muenz, Michael zum Thema ## Re: Problem identifying DumaRu Virus ## > Hi > > > I'm seeing a strange Problem when identifying the Worm Worm.Dumaru.Y. > > If I send the infamous "myphoto.zip" as an attachment I get this warning > > [amongst other scanner alarms] from clamav: > > My problem is, that Clamav AND F-Prot doesn't detect Dumaru.Y and Z ! > maybe your libclamav is buggy - try using --disable-archive: file /tmp/Mtw3afm /tmp/Mtw3afm: Zip archive data, at least v1.0 to extract clamscan /tmp/Mtw3afm: /tmp/Mtw3afm: Zip module failure. clamscan --disable-archive /tmp/Mtw3afm /tmp/Mtw3afm: Worm.Dumaru.Y FOUND I am using --disable-archive in my wrapper-scripts: /etc/MailScanner/wrapper/clamav-wrapper /usr /tmp/Mtw3afm /tmp/Mtw3afm: Worm.Dumaru.Y FOUND However, MailScanner cannot detect this Virus when it's hiting my server from the wild - an in the quarantine dirs I only find base64 .txt files (decode them with metamail an clamscan will detect). If I run the clamav-wrapper on the files in the quarantine dir nothing is detected. regards, Stephan > ################################################################# > From: "Elene" > To: > Subject: Important information for you. Read it immediately ! 
> MIME-Version: 1.0 > Content-Type: multipart/mixed;boundary="xxxx" > Message-Id: <20040325144225.5295C581CE@XXX> > Date: Thu, 25 Mar 2004 15:42:25 +0100 (CET) > X-Virus-Status: Found to be clean > X-Spam-Status: Yes, hits=14.1 tag1=3.0 tag2=5.6 kill=5.6 tests=BAYES_99, > DCC_CHECK, HTML_FONTCOLOR_UNKNOWN, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, > HTML_RELAYING_FRAME, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY, > MIME_MISSING_BOUNDARY, MY_DSL, UPPERCASE_25_50 > X-Spam-Level: ************** > > --xxxx > Content-Type: text/html; > Content-Transfer-Encoding: 7bit > >

> Hi !
> Here is my photo, that you asked for yesterday.
> --xxxx > > name="accounts.zip" > Content-Transfer-Encoding: base64 > Content-Disposition: attachment; > filename="myphoto.zip" > > ################################################################# > > This is really strange, cause on www.clamav.net a search within the > Signature datebase found Dumaru.Y ?!?! > > Michael > > From mailscanner at ecs.soton.ac.uk Thu Mar 25 15:27:06 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:57 2006 Subject: ANNOUNCE: Beta version 4.29.6 released Message-ID: <6.0.1.1.2.20040325152023.0391ba48@imap.ecs.soton.ac.uk> I have just released 4.29.6. This is mostly to ensure that you all have the latest code, so that anyone with outstanding problems can try out this version to see if I have resolved the issue. The new additions to this release are: - Simplified logging of invalid message files. - Improved error messages relating to Custom Functions directory. - Rewrote Bayes database rebuilder to be able to capture its error messages. - Zip archives detection improved to work by content rather than filename. So the list looks pretty short, but there is always the possibility I have fixed bugs and forgotten to put them in the ChangeLog :-) Download as usual from www.mailscanner.info. Upgrading note: ============ Anyone upgrading from earlier than 4.29.4 will either need to run the "./install.sh" again or install the Convert::BinHex module. Note that if you install this module and are not using my RPM distributions of MailScanner, you will find the "make test" stage fails on most systems. The module does work, however, so install it anyway. If using CPAN you can "force install Convert::BinHex". If installing from source, just ignore the output of "make test" and do "make install". 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From linux at LEUTE.SERVER.DE Thu Mar 25 15:54:05 2004 From: linux at LEUTE.SERVER.DE (Muenz, Michael) Date: Thu Jan 12 21:23:57 2006 Subject: Problem identifying DumaRu Virus References: <20040325134602.28a99211@aurora><001401c4127c$fa2e00a0$85421851@hq> <20040325164800.5618d639@aurora> Message-ID: <001d01c41281$66eb6300$85421851@hq> Hi > maybe your libclamav is buggy - try using --disable-archive: nope, it's definitively a problem with MailScanner: clamscan --mbox test.mbx ----------- SCAN SUMMARY ----------- Known viruses: 20700 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.02 MB I/O buffer size: 131072 bytes Time: 0.563 sec (0 m 0 s) pns:~# clamscan --mbox test.test test.mbx: Worm.Dumaru.Y FOUND The same with F-Prot. But MailScanner doesn't detect it. - Michael From vboulytchev at COINFOTECH.COM Thu Mar 25 16:05:58 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:57 2006 Subject: Server Crash Message-ID: Ladies and Gents, Hopefully everyone can participate on this discussion. One of our production servers keeps crashing on a random basis. We have eliminated the possibility of a hardware malfunction by moving the drives to an identical machine. We are positive that the software is compatible with this Dell Poweredge 2650. Current software configuration: mandrake 9.2 kernel v. 2.4.22-28mdkenterprise CommuniGate version 4.1.8 perl-5.8.1-0.RC4.3mdk glibc v. 2.3.2 MailScanner v. 4.28.6-1 cgp2ms and ms2cgp are of the older version. I still need to upgrade them. SpamAssassin v. 2.63 The most annoying thing, is that nothing is logged. Any input is appreciated! Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 4357 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040325/94f71c6b/smime.bin From admin at mailscanner.info Thu Mar 25 16:15:16 2004 From: admin at mailscanner.info (admin@mailscanner.info) Date: Thu Jan 12 21:23:57 2006 Subject: swatch_service_subject_ahttp Message-ID: <200403251615.i2PGFG026767@mailscanner.biz> swatch_service_body_ahttp From mailscanner at ecs.soton.ac.uk Thu Mar 25 16:18:09 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:57 2006 Subject: Server Crash In-Reply-To: References: Message-ID: <6.0.1.1.2.20040325161742.0799e318@imap.ecs.soton.ac.uk> At 16:05 25/03/2004, you wrote: > >Ladies and Gents, > Hopefully everyone can participate on this discussion. One of our >production servers keeps crashing on a random basis. "It crashes" is hardly a fault report. Please explain exactly what happens. > We have eliminated the >possibility of a hardware malfunction by moving the drives to an identical >machine. We are positive that the software is compatible with this Dell >Poweredge 2650. > Current software configuration: > > mandrake 9.2 > kernel v. 2.4.22-28mdkenterprise > CommuniGate version 4.1.8 > perl-5.8.1-0.RC4.3mdk > glibc v. 2.3.2 > MailScanner v. 4.28.6-1 > cgp2ms and ms2cgp are of the older version. I still need to >upgrade them. > SpamAssassin v. 2.63 > > The most annoying thing, is that nothing is logged. > >Any input is appreciated! > >Vasiliy Boulytchev >Colorado Information Technologies, Inc. 
>http://www.coinfotech.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Mar 25 15:53:48 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:58 2006 Subject: Mail not being delivered In-Reply-To: References: <4061b2d3499085ee0b4eb57491162b56@mk> Message-ID: <6.0.1.1.2.20040325155257.07a352b0@imap.ecs.soton.ac.uk> At 15:22 25/03/2004, you wrote: > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Ren? Berber > > Sent: Friday, March 19, 2004 9:02 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Mail not being delivered > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > Any messages in the log? (either syslog or messages, I don't know which on > > BSD) you should see both the sendmail and MS messages for any given e-mail > > received or sent. > >I haven't found anything unusual in the logs. I also checked the >configurations as you suggested and they are ok. I enabled debug in >MailScanner.conf and this is what I got: > > >Starting MailScanner... >In Debugging mode, not forking... >Segmentation fault > >At first I thought it was the spamassassin so I changed the "Use >Spamassassin to 'no'" but I still got a segmentation fault. > >Any ideas? You are hitting a bug in Perl. Upgrade your Perl to something more recent, then re-install MailScanner and all its requirements from scratch. > > > > Check your MailScanner.conf, specially the "Outgoing Queue Dir", any > > special ruleset? Check if sendmail's configuration was changed (or > > whatever mail server postfix, exim you're using). > > > > Post any questions. Regards. > > - -- > > Ren? 
Berber > > GnuPG ID : 0x5E2D25FE > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.3 (GNU/Linux) > > Comment: Using the GPG bundle for GNUMail.app > > > > iD8DBQFAW0PCgStEDF4tJf4RAr5WAJ4pXOUaxgD/EvkafDiKwJ+4GTnzmwCdEYdJ > > C88bsNkhgH0HkxDKsMzAxMo= > > =rYLr > > -----END PGP SIGNATURE----- > >Thanks for all your help. > >Regards, > >Annabel Maseko -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at LAYLINE.DE Thu Mar 25 16:27:38 2004 From: mailscanner at LAYLINE.DE (Stephan Ilaender) Date: Thu Jan 12 21:23:58 2006 Subject: Dumaru again In-Reply-To: <005801c4127e$c3faf680$85421851@hq> References: <005801c4127e$c3faf680$85421851@hq> Message-ID: <20040325172738.747b1418@aurora> I have the same problem *without* a rule - Problem is, clamav and f-prot both can detect DumaRu Virus. But it's not detected when ist passes through MailScanner. So it's probably not a matter of case sensitive rules. regards, Stephan am 25.03.2004 schrieb Muenz, Michael zum Thema ## Dumaru again ## > Hi, > > On my Spamscanner machine I got a copy of that Dumaru worm. > With SCP i copied it to the machine where F-Prot and MailScanner > runs and did a manual check with F-Prot: > Results of virus scanning: > > Files: 1 > MBRs: 0 > Boot sectors: 0 > Objects scanned: 3 > Infected: 1 > Suspicious: 0 > Disinfected: 0 > Deleted: 0 > Renamed: 0 > > --- > > But MailScanner hasn't detect it. > I got a rule in MailScanner for Virus Scan: > FromOrTo: @mydomain.de yes > FromOrTo: default no > > The infected mail was sent to: > MyDomain.de > Could it be that writing of rules is case sensitive ? 
> > - Michael > > From cstone at HMS.COM Thu Mar 25 16:15:58 2004 From: cstone at HMS.COM (Chris Stone) Date: Thu Jan 12 21:23:58 2006 Subject: Dumaru again In-Reply-To: <005801c4127e$c3faf680$85421851@hq> Message-ID: <200403251619.i2PGJTxe027261@kili.jiscmail.ac.uk> Try changing in your rules file FromOrTo: @mydomain.de yes to: FromOrTo: *@mydomain.de yes -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Muenz, Michael Sent: Thursday, March 25, 2004 8:35 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Dumaru again Hi, On my Spamscanner machine I got a copy of that Dumaru worm. With SCP i copied it to the machine where F-Prot and MailScanner runs and did a manual check with F-Prot: Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 3 Infected: 1 Suspicious: 0 Disinfected: 0 Deleted: 0 Renamed: 0 --- But MailScanner hasn't detect it. I got a rule in MailScanner for Virus Scan: FromOrTo: @mydomain.de yes FromOrTo: default no The infected mail was sent to: MyDomain.de Could it be that writing of rules is case sensitive ? - Michael From vboulytchev at COINFOTECH.COM Thu Mar 25 16:33:11 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash Message-ID: Well, server locks. No console/HD activity. Sorry about the vague explanation. THANKS! Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Thursday, March 25, 2004 9:18 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Server Crash At 16:05 25/03/2004, you wrote: > >Ladies and Gents, > Hopefully everyone can participate on this discussion. One of >our production servers keeps crashing on a random basis. "It crashes" is hardly a fault report. Please explain exactly what happens. 
> We have eliminated the >possibility of a hardware malfunction by moving the drives to an >identical machine. We are positive that the software is compatible >with this Dell Poweredge 2650. > Current software configuration: > > mandrake 9.2 > kernel v. 2.4.22-28mdkenterprise > CommuniGate version 4.1.8 > perl-5.8.1-0.RC4.3mdk > glibc v. 2.3.2 > MailScanner v. 4.28.6-1 > cgp2ms and ms2cgp are of the older version. I still >need to upgrade them. > SpamAssassin v. 2.63 > > The most annoying thing, is that nothing is logged. > >Any input is appreciated! > >Vasiliy Boulytchev >Colorado Information Technologies, Inc. >http://www.coinfotech.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4357 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040325/b3ebae33/smime.bin From linux at LEUTE.SERVER.DE Thu Mar 25 16:34:17 2004 From: linux at LEUTE.SERVER.DE (Muenz, Michael) Date: Thu Jan 12 21:23:58 2006 Subject: Dumaru again References: <200403251619.i2PGJTxe027261@kili.jiscmail.ac.uk> Message-ID: <00da01c41287$047fdd30$85421851@hq> Hi, > Try changing in your rules file > > FromOrTo: @mydomain.de yes > > to: > > FromOrTo: *@mydomain.de yes I don't think this will work, cause MailScanner detects every kind of Netsky etc. also Dumaru.A, but not Y and Z I found in the header: ########################### name="accounts.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="myphoto.zip" ########################### The file names are not the same. And in Changelog of new Beta: - Zip archives detection improved to work by content rather than filename. Perhaps new beta will fix it ?!? I don't want to upgrade cause it's a production server. 
@Stephan: could you test it ? @Julian: Am I right with that ? - Michael From vboulytchev at COINFOTECH.COM Thu Mar 25 16:34:06 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash Message-ID: NO! Nothing on console/syslog :( Ho Hard Drive activity either. NICs are still going wild. Not able to communicate with the server period. Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin Sent: Thursday, March 25, 2004 9:13 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Server Crash Boulytchev, Vasiliy wrote: > Ladies and Gents, > Hopefully everyone can participate on this discussion. One of our > production servers keeps crashing on a random basis. Could you clarify what you mean by 'crashes'. Completely unresponsive? anything on the console? syslog? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 4357 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040325/c4c70847/smime.bin From ka at PACIFIC.NET Thu Mar 25 16:35:31 2004 From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet)) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash In-Reply-To: References: Message-ID: <40630A53.4000301@pacific.net> We run 2 2650s with MailScanner (scsi disks/hardware raid 1) On a couple of occassions over the last year we've seen 1 of them die with disk i/o errors on the console - nothing is logged. The machine recovers after a hard reboot, fsck says it's happy and it's back online again. Not good.. I suspect the disk or adaptec card is having some trouble keeping up with the i/o, but it's very random. Ken A Pacific.Net Boulytchev, Vasiliy wrote: > > Ladies and Gents, > Hopefully everyone can participate on this discussion. One of our > production servers keeps crashing on a random basis. We have eliminated the > possibility of a hardware malfunction by moving the drives to an identical > machine. We are positive that the software is compatible with this Dell > Poweredge 2650. > Current software configuration: > > mandrake 9.2 > kernel v. 2.4.22-28mdkenterprise > CommuniGate version 4.1.8 > perl-5.8.1-0.RC4.3mdk > glibc v. 2.3.2 > MailScanner v. 4.28.6-1 > cgp2ms and ms2cgp are of the older version. I still need to > upgrade them. > SpamAssassin v. 2.63 > > The most annoying thing, is that nothing is logged. > > Any input is appreciated! > > Vasiliy Boulytchev > Colorado Information Technologies, Inc. > http://www.coinfotech.com From cstone at HMS.COM Thu Mar 25 16:40:32 2004 From: cstone at HMS.COM (Chris Stone) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash In-Reply-To: Message-ID: Had a similar problem this morning for the first time on a new server that has been running for a couple weeks now without issue. Console screen clean, syslog shows nothing. 
But checking the log entry timestamps at 00:41 this morning it all died. Could ping the server but that's it. Telnetting to port 25 did make a connection, but no banner from sendmail.

Chris Stone
High Mountain Software
www.hms.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Boulytchev, Vasiliy
Sent: Thursday, March 25, 2004 9:34 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

NO! Nothing on console/syslog :(

No Hard Drive activity either. NICs are still going wild. Not able to communicate with the server period.

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com
From Kevin.Spicer at BMRB.CO.UK Thu Mar 25 16:13:28 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649BEA@pascal.priv.bmrb.co.uk>

Boulytchev, Vasiliy wrote:
> Ladies and Gents,
> Hopefully everyone can participate on this discussion. One of our
> production servers keeps crashing on a random basis.

Could you clarify what you mean by 'crashes'. Completely unresponsive? anything on the console? syslog?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From chris at TRUDEAU.ORG Thu Mar 25 16:12:55 2004
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:23:58 2006
Subject: Sequence VIrus/SPAM
References: <20040325134602.28a99211@aurora> <001401c4127c$fa2e00a0$85421851@hq> <20040325164800.5618d639@aurora>
Message-ID: <0b1d01c41284$1591db80$b41a000a@ATLCPW13671>

I know this discussion has been had in the past. I have been somewhat out of the loop relative to the message list, but my searches are finding nothing.

When Sobig came out, the thread indicated that the cost (resources) to virus scan every message was too costly, when SPAM scanning could eliminate a good portion of these before even requiring the Virus Scan.

Was this design issue ever re-visited?
I'm just curious because with users that have a store rule with no deliver action are being required to review their SPAM quarantine within MailWatch, release it just to find it quarantined due to virus infection.

THX
CT

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 25 16:16:24 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:58 2006
Subject: Sequence VIrus/SPAM
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C643@jessica.herefordshire.gov.uk>

I wrote a FAQ item about it:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/277.html

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Chris Trudeau
> Sent: 25 March 2004 16:13
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sequence VIrus/SPAM
>
>
> I know this discussion has been had in the past. I have been somewhat out
> of the loop relative to the message list, but my searches are finding
> nothing.
>
> When Sobig came out, the thread indicated that the cost (resources) to virus
> scan every message was too costly, when SPAM scanning could eliminate a good
> portion of these before even requiring the Virus Scan.
>
> Was this design issue ever re-visited? I'm just curious because with users
> that have a store rule with no deliver action are being required to review
> their SPAM quarantine within MailWatch, release it just to find it
> quarantined due to virus infection.
>
> THX
> CT
>

From vboulytchev at COINFOTECH.COM Thu Mar 25 16:51:38 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

Aha! I'm not the only one :)))

What OS are you running?

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Stone
Sent: Thursday, March 25, 2004 9:41 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Had a similar problem this morning for the first time on a new server that has been running for a couple weeks now without issue. Console screen clean, syslog shows nothing. But checking the log entry timestamps at 00:41 this morning it all died. Could ping the server but that's it. Telnetting to port 25 did make a connection, but no banner from sendmail.

Chris Stone
High Mountain Software
www.hms.com

From vboulytchev at COINFOTECH.COM Thu Mar 25 16:52:39 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

HMMMMM, we have moved the drives to the same box = same problem.......... Are we thinking kernel version is just not compiled right for that adaptec raid controller?

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ken Anderson (Pacific Internet)
Sent: Thursday, March 25, 2004 9:36 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

We run 2 2650s with MailScanner (scsi disks/hardware raid 1)
On a couple of occasions over the last year we've seen 1 of them die with disk i/o errors on the console - nothing is logged. The machine recovers after a hard reboot, fsck says it's happy and it's back online again. Not good..

I suspect the disk or adaptec card is having some trouble keeping up with the i/o, but it's very random.

Ken A
Pacific.Net

Boulytchev, Vasiliy wrote:
>
> Ladies and Gents,
> Hopefully everyone can participate on this discussion. One of
> our production servers keeps crashing on a random basis. We have
> eliminated the possibility of a hardware malfunction by moving the
> drives to an identical machine. We are positive that the software is
> compatible with this Dell Poweredge 2650.
> Current software configuration:
>
> mandrake 9.2
> kernel v. 2.4.22-28mdkenterprise
> CommuniGate version 4.1.8
> perl-5.8.1-0.RC4.3mdk
> glibc v. 2.3.2
> MailScanner v. 4.28.6-1
> cgp2ms and ms2cgp are of the older version. I still
> need to upgrade them.
> SpamAssassin v. 2.63
>
> The most annoying thing, is that nothing is logged.
>
> Any input is appreciated!
>
> Vasiliy Boulytchev
> Colorado Information Technologies, Inc.
> http://www.coinfotech.com

From rabellino at DI.UNITO.IT Thu Mar 25 16:53:32 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:23:58 2006
Subject: Dumaru again
In-Reply-To: <00da01c41287$047fdd30$85421851@hq>
References: <200403251619.i2PGJTxe027261@kili.jiscmail.ac.uk> <00da01c41287$047fdd30$85421851@hq>
Message-ID: <40630E8C.1080301@di.unito.it>

Muenz, Michael wrote:
> Hi,
>
>
>>Try changing in your rules file
>>
>>FromOrTo: @mydomain.de yes
>>
>>to:
>>
>>FromOrTo: *@mydomain.de yes
>
>
> I don't think this will work, cause MailScanner detects
> every kind of Netsky etc. also Dumaru.A, but not Y and Z
>

The following e-mail messages were found to have viruses in them:

Sender: address@yandex.ru
... omissis
Subject: Important information for you. Read it immediately !
MessageID: i2PFXZrj011919
Report: Found dangerous IFrame tag in HTML message
Report: /i2PFXZrj011919/msg-23618-394.txt/myphoto.zip Found the W32/Dumaru.y@MM virus !!!
Report: /i2PFXZrj011919/myphoto.zip Found the W32/Dumaru.y@MM virus !!!
Report: /i2PFXZrj011919/myphoto.jpg .exe Found the W32/Dumaru.y@MM virus !!! Executable DOS/Windows programs are dangerous in email (myphoto.jpg .exe)

Full headers are:
...
omissis

Mailscanner (4.29.5) with mcafee detects correctly Dumaru.y as you can see .... Probably it's your AV the problem.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From cstone at HMS.COM Thu Mar 25 16:54:12 2004
From: cstone at HMS.COM (Chris Stone)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
In-Reply-To:
Message-ID:

That one is running RedHat 9 - 2.4.20-30.9 smp kernel. What are you running?

Have sendmail, MailScanner, MySQL and Apache running on the box. Apache is for the MailWatch interface and gets very little use (me only really), and MySQL only for the MailWatch hooks. So, other than that little bit, sendmail and MailScanner are really the only things doing anything on the box - which does have a pretty steady flow of messages, but not huge amounts - running about 5000/day at present.

Chris Stone
High Mountain Software
www.hms.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Boulytchev, Vasiliy
Sent: Thursday, March 25, 2004 9:52 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Aha! I'm not the only one :)))

What OS are you running?

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

From jase at SENSIS.COM Thu Mar 25 17:01:48 2004
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:23:58 2006
Subject: DCC Errors
Message-ID:

I've just upgraded to MailScanner 4.28.6 yesterday, and now I am seeing these entries in my logs:

Mar 25 11:57:16 mail dccproc[11638]: DCC dcc.dcc-servers.net: ERROR /var/dcc/dcc_db changed from 0x7f18e000 to 0x7fffffff

I don't think it's related to the MailScanner upgrade though - is anyone else seeing this?

Jason

From cstone at HMS.COM Thu Mar 25 17:00:12 2004
From: cstone at HMS.COM (Chris Stone)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash (OT?)
In-Reply-To:
Message-ID:

Something else I just noticed is that mailscanner-mrtg is confused. Wasn't getting any stats since the reboot this morning and ran from command line and got:

[root@smtp1 scripts]# /usr/local/mrtg-2/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg
Rateup ERROR: /usr/local/mrtg-2/bin/rateup found that mail's log file time of 1080232808 was greater than now (1080231213)
ERROR: Let's not do the time warp, again. Logfile unchanged.
Rateup ERROR: /usr/local/mrtg-2/bin/rateup found that mailbytes's log file time of 1080232808 was greater than now (1080231214)
ERROR: Let's not do the time warp, again. Logfile unchanged.
Rateup ERROR: /usr/local/mrtg-2/bin/rateup found that spam's log file time of 1080232809 was greater than now (1080231214)
ERROR: Let's not do the time warp, again. Logfile unchanged.
....

But that date/time on the system is fine - synced with atomic clock......

Chris Stone
High Mountain Software
www.hms.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Boulytchev, Vasiliy
Sent: Thursday, March 25, 2004 9:52 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Aha! I'm not the only one :)))

What OS are you running?

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

From vboulytchev at COINFOTECH.COM Thu Mar 25 17:03:47 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

This server is doing MASSIVE loads of mail. This server is really being worked by spam and virus filtering, and just large loads of email. I am thinking it's more of a kernel/raid controller driver issue......... That's my thought. Maybe the enterprise kernel I am running, was not compiled with the right driver......... That just makes more sense, because people are reporting problems with MD 9.2, and saying that redhat is fine.

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Stone
Sent: Thursday, March 25, 2004 9:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

That one is running RedHat 9 - 2.4.20-30.9 smp kernel. What are you running?

Have sendmail, MailScanner, MySQL and Apache running on the box. Apache is for the MailWatch interface and gets very little use (me only really), and MySQL only for the MailWatch hooks.
So, other than that little bit, sendmail and MailScanner are really the only things doing anything on the box - which does have a pretty steady flow of messages, but not huge amounts - running about 5000/day at present.

Chris Stone
High Mountain Software
www.hms.com

From vboulytchev at COINFOTECH.COM Thu Mar 25 17:04:29 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:58 2006
Subject: DCC Errors
Message-ID:

Definitely seeing this..... After getting the server crashing issue fixed, I will look into that.

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Desai, Jason
Sent: Thursday, March 25, 2004 10:02 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: DCC Errors

I've just upgraded to MailScanner 4.28.6 yesterday, and now I am seeing these entries in my logs:

Mar 25 11:57:16 mail dccproc[11638]: DCC dcc.dcc-servers.net: ERROR /var/dcc/dcc_db changed from 0x7f18e000 to 0x7fffffff

I don't think it's related to the MailScanner upgrade though - is anyone else seeing this?

Jason

From dean.plant at ROKE.CO.UK Thu Mar 25 17:09:17 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

Boulytchev, Vasiliy wrote:
> Ladies and Gents,
> Hopefully everyone can participate on this discussion. One of our
> production servers keeps crashing on a random basis. We have
> eliminated the possibility of a hardware malfunction by moving the
> drives to an identical machine. We are positive that the software is
> compatible with this Dell Poweredge 2650.
> Current software configuration:

There were well reported problems with Red Hat & Dell 2650's running in dual processor mode. I would run with a single cpu and see if the problem persists. Not sure if it is the same problem but it's worth a try.

See http://forums.us.dell.com/supportforums/board?board.id=pes_linux

There's lots of info about lockups on 2650's.

Dean

--
Visit our website at www.roke.co.uk

Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire.
RG12 8FZ

The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From vboulytchev at COINFOTECH.COM Thu Mar 25 17:14:11 2004
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

Unfortunately we are only running a single CPU box.........

Vasiliy Boulytchev
Colorado Information Technologies, Inc.
http://www.coinfotech.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Plant, Dean
Sent: Thursday, March 25, 2004 10:09 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Boulytchev, Vasiliy wrote:
> Ladies and Gents,
> Hopefully everyone can participate on this discussion. One of
> our production servers keeps crashing on a random basis. We have
> eliminated the possibility of a hardware malfunction by moving the
> drives to an identical machine. We are positive that the software is
> compatible with this Dell Poweredge 2650.
> Current software configuration:

There were well reported problems with Red Hat & Dell 2650's running in dual processor mode. I would run with a single cpu and see if the problem persists. Not sure if it is the same problem but it's worth a try.

See http://forums.us.dell.com/supportforums/board?board.id=pes_linux

There's lots of info about lockups on 2650's.

Dean
From cstone at HMS.COM Thu Mar 25 17:12:41 2004
From: cstone at HMS.COM (Chris Stone)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
In-Reply-To:
Message-ID: <200403251716.i2PHGFY8024581@fili.jiscmail.ac.uk>

Interesting - I am running on a dual processor 2650 and had not had any problems till now. Before making this a MailScanner machine, it was a shared Apache web server with about 100 domains on it running RedHat 7.3 with smp kernel.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Plant, Dean
Sent: Thursday, March 25, 2004 10:09 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Boulytchev, Vasiliy wrote:
> Ladies and Gents,
> Hopefully everyone can participate on this discussion. One of our
> production servers keeps crashing on a random basis. We have
> eliminated the possibility of a hardware malfunction by moving the
> drives to an identical machine. We are positive that the software is
> compatible with this Dell Poweredge 2650.
> Current software configuration:

There were well reported problems with Red Hat & Dell 2650's running in dual processor mode. I would run with a single cpu and see if the problem persists. Not sure if it is the same problem but it's worth a try.

See http://forums.us.dell.com/supportforums/board?board.id=pes_linux

There's lots of info about lockups on 2650's.

Dean

From dean.plant at ROKE.CO.UK Thu Mar 25 17:23:59 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID:

Chris Stone wrote:
> Interesting - I am running on a dual processor 2650 and had not had
> any problems till now. Before making this a MailScanner machine, it
> was a shared Apache web server with about 100 domains on it running
> RedHat 7.3 with smp kernel.
>

I have had lots of problems with Red Hat 7.3/8 SMP locking up in the past but with a fully patched machine and running with noapic in the boot loader, it now runs with no problems.

Dean

From quinting at HSD.CA Thu Mar 25 17:22:12 2004
From: quinting at HSD.CA (Quintin Giesbrecht)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID: <495B774E2F64F1408E6741B61445C8589E8BDB@mail.exchange.hsd15.ca>

I am getting duplicate messages from this list...can someone tell me how to make it stop :)

Thanks

-----Original Message-----
From: Plant, Dean [mailto:dean.plant@ROKE.CO.UK]
Sent: March 25, 2004 11:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server Crash

Chris Stone wrote:
> Interesting - I am running on a dual processor 2650 and had not had
> any problems till now. Before making this a MailScanner machine, it
> was a shared Apache web server with about 100 domains on it running
> RedHat 7.3 with smp kernel.
>

I have had lots of problems with Red Hat 7.3/8 SMP locking up in the past but with a fully patched machine and running with noapic in the boot loader, it now runs with no problems.

Dean

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 25 17:12:53 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C644@jessica.herefordshire.gov.uk>

There have been several issues with the aacraid drivers.

You might want to look at the archives of Dell's Linux on PowerEdge list:

http://lists.us.dell.com/mailman/listinfo/linux-poweredge

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Boulytchev, Vasiliy
> Sent: 25 March 2004 17:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Server Crash
>
>
> This server is doing MASSIVE loads of mail. This server is really being
> worked by spam and virus filtering, and just large loads of email. I am
> thinking it's more of a kernel/raid controller driver issue......... That's
> my thought. Maybe the enterprise kernel I am running, was not compiled with
> the right driver......... That just makes more sense, because people are
> reporting problems with MD 9.2, and saying that redhat is fine.
>
>
> Vasiliy Boulytchev
> Colorado Information Technologies, Inc.
> http://www.coinfotech.com > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Chris Stone > Sent: Thursday, March 25, 2004 9:54 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > That one is running RedHat 9 - 2.4.20-30.9 smp kernel. What > are you running? > > Have sendmail, MailScanner, MySQL and Apache running on the > box. Apache is > for the MailWatch interface and gets very little use (me only > really), and > MySQL only for the MailWatch hooks. So, other than that > little bit, sendmail > and MailScanner are really the only things doing anything on > the box - which > does have a pretty steady flow of messages, but not huge > amounts - running > about 5000/day at present. > > > Chris Stone > High Mountain Software > www.hms.com > > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Boulytchev, Vasiliy > Sent: Thursday, March 25, 2004 9:52 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > Aha! Im not the only one :))) > > What OS are you running? > > > Vasiliy Boulytchev > Colorado Information Technologies, Inc. > http://www.coinfotech.com > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Chris Stone > Sent: Thursday, March 25, 2004 9:41 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > > Had a similar problem this morning for the first time on a > new server that > has been running for a couple weeks now without issue. > Console screen clean, > syslog shows nothing. But checking the log entry timestamps > at 00:41 this > morning it all died. Could ping the server but that's it. > Telneting to port > 25 did make a connection, but no banner from sendmail. 
> > > Chris Stone > High Mountain Software > www.hms.com > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Boulytchev, Vasiliy > Sent: Thursday, March 25, 2004 9:34 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > NO! Nothing on console/syslog :( > > Ho Hard Drive activity either. NICs are still going wild. > Not able to > communicate with the server period. > > > Vasiliy Boulytchev > Colorado Information Technologies, Inc. > http://www.coinfotech.com > > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Spicer, Kevin > Sent: Thursday, March 25, 2004 9:13 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > > Boulytchev, Vasiliy wrote: > > Ladies and Gents, > > Hopefully everyone can participate on this discussion. One of > our > > production servers keeps crashing on a random basis. > > Could you clarify what you mean by 'crashes'. Completely > unresponsive? > anything on the console? syslog? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may > contain confidential and/or privileged material. If you have > received this > in error, please contact the sender and delete this message > immediately. > Disclosure, copying or other action taken in respect of this > email or in > reliance on it is prohibited. BMRB International Limited accepts no > liability in relation to any personal emails, or content of > any email which > does not directly relate to our business. 
>
From vboulytchev at COINFOTECH.COM Thu Mar 25 17:52:01 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash Message-ID: UPDATE::::: Just installed the SMP-p3 kernel from mandrake, latest one, will see if this fixes it. Will also post to dells email list. THANKS GUYS!!!!!!!!!!!!!!!!!!!!!!! Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com
From lists at STHOMAS.NET Thu Mar 25 17:56:20 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash In-Reply-To: ; from cstone@HMS.COM on Thu, Mar 25, 2004 at 09:40:32AM -0700 References: Message-ID: <20040325095619.A19400@sthomas.net> I had two servers lock on me over the weekend. Nothing in the logs to indicate what the problem was. Couldn't login from the console, could ping but no network services responded. Had to hard-boot to get them running again. The only services/software that both of these machines run and that are open to the world are apache and bind. They both run mail, but one's using exim/mailscanner and the other's just using sendmail as the backup mx. I did a pretty thorough search for rootkits and such (my tripwire dbs are horribly out of date, I'm afraid) and didn't find any evidence of an intrusion on either machine. Since no other machines on our network were hosed, I chalked it up to a new apache or bind DOS attack and started hoping that a fix would be out soon. -- "I have read your book and much like it." - Moses Hadas (1900-1966)
From vboulytchev at COINFOTECH.COM Thu Mar 25 17:58:17 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash Message-ID: What hardware/OS are you running? Vasiliy Boulytchev Colorado Information Technologies, Inc.
http://www.coinfotech.com
From lists at STHOMAS.NET Thu Mar 25 18:14:34 2004 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash In-Reply-To: ; from vboulytchev@COINFOTECH.COM on Thu, Mar 25, 2004 at 10:58:17AM -0700 References: Message-ID: <20040325101434.B19400@sthomas.net> On Thu, Mar 25, 2004 at 10:58:17AM -0700, Boulytchev, Vasiliy is rumored to have said: > > What hardware/OS are you running?
machine 1 (primary dns, primary mx, http [for webmail,mrtg]): Generic P-III 850 512M RAM Adaptec 78902 (rev 0) attached to external RAID5 array RHL 7.3 kernel 2.4.20-18.7
machine 2 (2ndary dns, backup mx, http): IBM dual p-pro 200 128M RAM Adaptec AHA-2940U/UW/D RHL 7.3 kernel 2.4.20-27.7smp
-- "It is better to have a permanent income than to be fascinating." - Oscar Wilde (1854-1900)
From jwilliams at COURTESYMORTGAGE.COM Thu Mar 25 18:28:50 2004 From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:23:58 2006 Subject: Trouble getting bayes DB to be recognized/work Message-ID: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com>
Hello everyone. I'm rolling out a new MS Mail gateway server for one of our branch offices here and I've run into a small problem. Note: FreeBSD 4.9 MailScanner 4.28-6 I've done all the initial configurations and everything is working well. I installed spamassassin via the port and then went to test it using the --lint option. Here is what happens:
mailmg# spamassassin -D -p /usr/local/etc/MailScanner/spam.assassin.prefs.conf --lint
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: using a test message to lint rules
debug: using "/usr/local/share/spamassassin" for default rules dir
debug: using "/usr/local/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/usr/local/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: bayes: no dbs present, cannot scan: /var/spool/spamassassin/bayes_toks
debug: Score set 1 chosen.
debug: Initialising learner
debug: bayes: no dbs present, cannot scan: /var/spool/spamassassin/bayes_toks
Can't scan the directory and I'm not sure why that is. I've setup the directory correctly, from what I can tell:
mailmg# ls -lad /var/spool/spamassassin/
drwxr-xr-x 2 root daemon 512 Mar 25 10:21 /var/spool/spamassassin/
Anyone seen this before and know what the problem is?
The last two times I've setup similar servers, I have not run into this problem. I appreciate the help Jas
From raymond at PROLOCATION.NET Thu Mar 25 18:45:21 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash In-Reply-To: Message-ID: Hi! > Well, server locks. No console/HD activity. Sorry about the vague > explanation. This is an OS or hardware issue, you might want to check RAM for example. Bye, Raymond.
From raymond at PROLOCATION.NET Thu Mar 25 18:47:13 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:58 2006 Subject: Dumaru again In-Reply-To: <00da01c41287$047fdd30$85421851@hq> Message-ID: Hi! > I don't think this will work, cause MailScanner detects > every kind of Netsky etc. also Dumaru.A, but not Y and Z > Perhaps new beta will fix it ?!? > I don't want to upgrade cause it's a production server. Uhm: Today's logs:
500 (first @ 00:07:58, last = 19:24:59) W32/Dumaru.Y@mm
509 (first @ 00:01:08, last = 19:24:02) W32/Dumaru.Z@mm
Even the Dumaru.AA is now popping up:
252 (first @ 04:14:29, last = 19:28:53) W32/Dumaru.AA@mm
Bye, Raymond.
From Jamesp at MUSICREPORTS.COM Thu Mar 25 19:12:34 2004 From: Jamesp at MUSICREPORTS.COM (James D. Parra) Date: Thu Jan 12 21:23:58 2006 Subject: redirecting email from a specific address Message-ID: <9EC6A5A6B11DA843A551CC9AD9323FAC727C22@exchange.musicreports.com> Hello, Is there a way to redirect all e-mail coming from a particular address, for example "oneperson@onedomain.com", regardless of its intended recipients and send it to another specific address? Could this be done through MailScanner or sendmail? Thank you in advance.
James
From peter at UCGBOOK.COM Thu Mar 25 19:16:02 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:58 2006 Subject: Trouble getting bayes DB to be recognized/work In-Reply-To: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com> References: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com> Message-ID: <40632FF2.3030003@ucgbook.com> Jason Williams wrote:
> debug: bayes: no dbs present, cannot scan:
> /var/spool/spamassassin/bayes_toks
Do you have that file? If the server is brand new there's no bayes files there yet. Run a mail through it and it should create the files. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25
From mspieth at NEOD.NET Thu Mar 25 19:18:46 2004 From: mspieth at NEOD.NET (Mark Spieth) Date: Thu Jan 12 21:23:58 2006 Subject: redirecting email from a specific address Message-ID: Yes first in your Mailscanner.conf file put:
Archive Mail = %rules-dir%/forward.rule
Then in your forward.rule file put
From: User@domain.com user2@domain.com
Replace user@domain.com with the incoming email address and the user2@domain.com with the email address the email should be forwarded to. Mark Spieth - Director of Internet Services Northeast Ohio Digital Inc. http://www.neod.net mspieth@neod.net 330-830-6551 CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the sender. The information contained in the attached materials is privileged and/or confidential and is intended only for the use of the above-named individual(s) or entity(ies). If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking of any action in reliance on the contents of the attached information is strictly prohibited.
If you have received this transmission in error, please discard the information immediately
From vboulytchev at COINFOTECH.COM Thu Mar 25 19:26:54 2004 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:23:58 2006 Subject: Server Crash Message-ID: THANKS GUYS!!!!!!! I just had to ask you, since I am using your software. I am convinced its OS/hardware related... Kernel vs raid controller most likely :( Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com
From peter at UCGBOOK.COM Thu Mar 25 19:51:24 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:23:58 2006 Subject: Illegal chars in subject causes missed tagging? Message-ID: <4063383C.6040201@ucgbook.com> I noticed today that I received spam that wasn't tagged and looked at the headers.
As you can see it is spam and it has two subject headers, one is tagged and one is not. Outlook shows the last one, the one without the tag. SA triggered the SUBJ_ILLEGAL_CHARS test, could it be that the subject starts with a "-" that causes it to be doubled?
Subject: {Spam?} - Vi har s?lt Kulan till Adecco
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=DD-MS-6e270ebbc2d52966675f
From: "xxxxxxxxxxx.com"
Subject: - Vi har s?lt Kulan till Adecco
X-LiO-MailScanner-SpamCheck: spam, SpamAssassin (score=4.052, required 4, BAYES_00 -2.00, HTML_FONTCOLOR_RED 0.10, HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, MIME_MISSING_BOUNDARY 1.84, SUBJ_ILLEGAL_CHARS 3.91)
^^^^^^^^^^^^^^^^^^^^^^^
I cut out a couple of lines but the lines between the two subject headers are intact except for me scrambling the from contents. Any ideas? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25
From tc at SHENANDOAH.K12.IN.US Thu Mar 25 20:21:38 2004 From: tc at SHENANDOAH.K12.IN.US (technical coordinator) Date: Thu Jan 12 21:23:58 2006 Subject: Failed Upgrade Message-ID: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D3@exchange.shenandoah.k12.in.us> Julian, I tried to upgrade my system two weeks ago and I got this error when I did check_MailScanner. Now I tried to install the newest version and it failed again the same way. I have since gone back to version 4-25 and it seems to work. What am I missing? I built this on redhat 9 as a new install as a test and it worked. Why can't I get it to work on redhat 8.0?
Thanks Dale an't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/li b/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_p erl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/ site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl 5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-t hread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner /MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
From Jamesp at MUSICREPORTS.COM Thu Mar 25 20:22:46 2004 From: Jamesp at MUSICREPORTS.COM (James D. Parra) Date: Thu Jan 12 21:23:58 2006 Subject: redirecting email from a specific address Message-ID: <9EC6A5A6B11DA843A551CC9AD9323FAC727C24@exchange.musicreports.com> Thank you Mark. Did exactly as you wrote, however the e-mail is cc'd to the forwarding recipient, with both the original recipient and the forwarding recipient receiving the e-mail. What can I do to have only the forwarding recipient receive the e-mail and no one else? Again, thank you. James
From rpoe at PLATTESHERIFF.ORG Thu Mar 25 20:23:55 2004 From: rpoe at PLATTESHERIFF.ORG (Rob Poe) Date: Thu Jan 12 21:23:58 2006 Subject: Failed Upgrade Message-ID: Did Archive::Zip not get installed correctly?
From alex at nkpanama.com Thu Mar 25 20:24:09 2004 From: alex at nkpanama.com (Alex Neuman) Date: Thu Jan 12 21:23:58 2006 Subject: Failed Upgrade In-Reply-To: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D3@exchange.shenandoah.k12.in.us> Message-ID: You need to update your perl modules, most probably. Follow the instructions at http://www.sng.ecs.soton.ac.uk/mailscanner/install/perl.shtml and you should be OK, specially when you install Archive::Zip - the one that seems to be breaking. Good luck, Alex
From raymond at PROLOCATION.NET Thu Mar 25 20:28:19 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:23:58 2006 Subject: Failed Upgrade In-Reply-To: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D3@exchange.shenandoah.k12.in.us> Message-ID: Hi! > an't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/li > b/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_p > erl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/ > site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl > 5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-t > hread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner > /MailScanner/Message.pm line 46. Search the archives, this is mentioned a zillion times the last weeks. (Quick tip: install Archive::Zip live the log tells!) Bye, Raymond.
From tc at SHENANDOAH.K12.IN.US Thu Mar 25 20:29:08 2004 From: tc at SHENANDOAH.K12.IN.US (technical coordinator) Date: Thu Jan 12 21:23:58 2006 Subject: Failed Upgrade Message-ID: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D4@exchange.shenandoah.k12.in.us> How could I tell if it was installed properly.
Nothing errored during install
I will upgrade perl modules again. I thought I caught that.
I'm on perl version 5.8

-----Original Message-----
From: Rob Poe [mailto:rpoe@plattesheriff.org]
Sent: Thu 3/25/2004 3:23 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: Failed Upgrade

Did Archive::Zip not get installed correctly?

>>> tc@SHENANDOAH.K12.IN.US 3/25/2004 2:21:38 PM >>>
Julian,

I tried to upgrade my system two weeks ago and I got this error when I did check_MailScanner. Now I tried to install the newest version and it failed again the same way. I have since went back to version 4-25 and it seems to work. What am I missing? I built this on redhat 9 as a new install as a test and it work. Why can't I get it to work on redhat 8.0.

Thanks

Dale

an't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/li
b/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_p
erl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/
site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl
5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-t
hread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/lib/MailScanner
/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.

From Kevin_Miller at CI.JUNEAU.AK.US Thu Mar 25 20:31:39 2004
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:23:58 2006
Subject: redirecting email from a specific address
Message-ID: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS>

I've never done it, but look into the aliases file in sendmail (man aliases). That might do the trick...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

>-----Original Message-----
>From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
>Sent: Thursday, March 25, 2004 11:23 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: redirecting email from a specific address
>
>
>Thank you Mark.
>
>Did exactly as you wrote, however the e-mail is cc'd to the forwarding
>recipient, with both the original recipient and the forwarding
>recipient
>receiving the e-mail. What can I do to have only the
>forwarding recipient
>receive the e-mail and no one else?
>
>Again, thank you.
>
>James
>
>
>-----Original Message-----
>From: Mark Spieth [mailto:mspieth@NEOD.NET]
>Sent: Thursday, March 25, 2004 11:19 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: redirecting email from a specific address
>
>
>Yes first in your Mailscanner.conf file put:
>
>Archive Mail = %rules-dir%/forward.rule
>
>Then in your forward.rule file put From: User@domain.com
>user2@domain.com
>
>Replace user@domain.com with the incoming email address and the
>user2@domain.com with the email address the email should be forwarded
>to.
>
>Mark Spieth - Director of Internet Services
>
>Northeast Ohio Digital Inc.
>
>http://www.neod.net
>
>mspieth@neod.net
>
>330-830-6551
>
>
>
>CONFIDENTIALITY NOTICE: The materials attached hereto are confidential
>and the property of the sender. The information contained in the
>attached materials is privileged and/or confidential and is intended
>only for the use of the above-named individual(s) or
>entity(ies). If you
>are not the intended recipient, be advised that any unauthorized
>disclosure, copying, distribution or the taking of any action in
>reliance on the contents of the attached information is strictly
>prohibited. If you have received this transmission in error, please
>discard the information immediately
>
>
>-----Original Message-----
>From: James D.
Parra [mailto:Jamesp@MUSICREPORTS.COM]
>Sent: Thursday, March 25, 2004 2:13 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: redirecting email from a specific address
>
>Hello,
>
>Is there a way to redirect all e-mail coming from a particular address,
>for
>example "oneperson@onedomain.com", regardless of its intended
>recipients
>and
>send it to another specific address? Could this be done through
>MailScanner
>or sendmail?
>
>Thank you in advance.
>
>James
>

From rberber at LEGOSOFT.COM.MX Thu Mar 25 20:42:29 2004
From: rberber at LEGOSOFT.COM.MX (=?iso-8859-1?q?Ren=E9_Berber?=)
Date: Thu Jan 12 21:23:58 2006
Subject: Mail not being delivered
In-Reply-To:
Message-ID: <5e445062d62a32da24013cb891cbda4d@mk>

On 2004-03-25 09:22:15 -0600 Annabel Maseko wrote:
[snip]
> I haven't found anything unusual in the logs. I also checked the
> configurations as you suggested and they are ok. I enabled debug in
> MailScanner.conf and this is what I got:
>
>
> Starting MailScanner...
> In Debugging mode, not forking...
> Segmentation fault
>
> At first I thought it was the spamassassin so I changed the "Use
> Spamassassin to 'no'" but I still got a segmentation fault.
>
> Any ideas?

Could be that a change in some library broke your perl installation.

Try to run "perl -V", does it show the details or just doesn't run?

If perl seems to work, and make sure MailScanner is using it (in Solaris 8 I have an old perl that came with the OS and a new one), try adding -w to the beginning of the MailScanner script.

If perl doesn't work, use "ldd `which perl`" (those are acute accent marks, the left to right accent), this should show which library is not found.

Keep us posted.
--
René
Berber
GnuPG ID : 0x5E2D25FE

From mailscanner at ecs.soton.ac.uk Thu Mar 25 21:00:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:58 2006
Subject: redirecting email from a specific address
In-Reply-To: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS>
Message-ID: <6.0.1.1.2.20040325205924.03c87e90@imap.ecs.soton.ac.uk>

Use Non-Spam Actions with a ruleset to forward all their mail to a different address.
However, redirecting their mail with an MTA alias might be easier...

> >-----Original Message-----
> >From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
> >Sent: Thursday, March 25, 2004 11:23 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: redirecting email from a specific address
> >
> >
> >Thank you Mark.
> >
> >Did exactly as you wrote, however the e-mail is cc'd to the forwarding
> >recipient, with both the original recipient and the forwarding
> >recipient
> >receiving the e-mail. What can I do to have only the
> >forwarding recipient
> >receive the e-mail and no one else?
> >
> >Again, thank you.
> >
> >James
> >
> >
> >-----Original Message-----
> >From: Mark Spieth [mailto:mspieth@NEOD.NET]
> >Sent: Thursday, March 25, 2004 11:19 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: redirecting email from a specific address
> >
> >
> >Yes first in your Mailscanner.conf file put:
> >
> >Archive Mail = %rules-dir%/forward.rule
> >
> >Then in your forward.rule file put From: User@domain.com
> >user2@domain.com
> >
> >Replace user@domain.com with the incoming email address and the
> >user2@domain.com with the email address the email should be forwarded
> >to.
> >
> >Mark Spieth - Director of Internet Services
> >
> >Northeast Ohio Digital Inc.
> >
> >http://www.neod.net
> >
> >mspieth@neod.net
> >
> >330-830-6551
> >
> >
> >
> >CONFIDENTIALITY NOTICE: The materials attached hereto are confidential
> >and the property of the sender.
The information contained in the
> >attached materials is privileged and/or confidential and is intended
> >only for the use of the above-named individual(s) or
> >entity(ies). If you
> >are not the intended recipient, be advised that any unauthorized
> >disclosure, copying, distribution or the taking of any action in
> >reliance on the contents of the attached information is strictly
> >prohibited. If you have received this transmission in error, please
> >discard the information immediately
> >
> >
> >-----Original Message-----
> >From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
> >Sent: Thursday, March 25, 2004 2:13 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: redirecting email from a specific address
> >
> >Hello,
> >
> >Is there a way to redirect all e-mail coming from a particular address,
> >for
> >example "oneperson@onedomain.com", regardless of its intended
> >recipients
> >and
> >send it to another specific address? Could this be done through
> >MailScanner
> >or sendmail?
> >
> >Thank you in advance.
> >
> >James
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ELKNET.NET Thu Mar 25 20:11:35 2004
From: mailscanner at ELKNET.NET (Alan)
Date: Thu Jan 12 21:23:58 2006
Subject: OT: Vispan 1.2
Message-ID:

Thanks David!

BTW, don't know if this helps or not, but the Message Delay graph is blank also...

From wdwrn at FRIENDLYCITY.NET Thu Mar 25 21:16:06 2004
From: wdwrn at FRIENDLYCITY.NET (Walter D. Wyndroski)
Date: Thu Jan 12 21:23:58 2006
Subject: Server Crash
References:
Message-ID: <002401c412ae$62d0d840$0201a8c0@jabbacom.net>

I'm presuming you are using sendmail. If I overlooked which MTA you are using, please forgive.

What is the size of your sendmail queues? I run a Fedora Mailserver (recently upgraded from RH9) with over 3000 accounts.
My server handles fairly large loads as well. I was having the same problem where my server would completely lock up with nothing on the console or in syslog. It would ping but nothing else. I run MailScanner, Sendmail, Procmail, and TMDA (an open-source challenge-response anti-spam system, http://www.tmda.net ).

In my case, I found that my sendmail outbound queue had grown to over 100,000 messages waiting to be delivered b/c TMDA was sending a challenge email to thousands of accounts that didn't exist mostly b/c of viruses and worms. I had to set up multiple outbound sendmail queues which fixed my problem. Before the rolling queues, my load was 27+ with lock ups. Now it remains around 0.63.

Hope that helps.

Walt Wyndroski

----- Original Message -----
From: "Boulytchev, Vasiliy"
To:
Sent: Thursday, March 25, 2004 12:03 PM
Subject: Re: Server Crash

> This server is doing MASSIVE loads of mail. This server is really being
> worked by spam and virus filtering, and just large loads of email. I am
> thinking its more of a kernel/raid controller driver issue......... That's
> my thought. Maybe the enterprise kernel I am running, was not compiled with
> the right driver......... That just makes more sense, because people are
> reporting problems with MD 9.2, and saying that redhat is fine.
>
>
> Vasiliy Boulytchev
> Colorado Information Technologies, Inc.
> http://www.coinfotech.com
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Chris Stone
> Sent: Thursday, March 25, 2004 9:54 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Server Crash
>
> That one is running RedHat 9 - 2.4.20-30.9 smp kernel. What are you running?
>
> Have sendmail, MailScanner, MySQL and Apache running on the box. Apache is
> for the MailWatch interface and gets very little use (me only really), and
> MySQL only for the MailWatch hooks.
So, other than that little bit, sendmail
> and MailScanner are really the only things doing anything on the box - which
> does have a pretty steady flow of messages, but not huge amounts - running
> about 5000/day at present.
>
>
> Chris Stone
> High Mountain Software
> www.hms.com
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Boulytchev, Vasiliy
> Sent: Thursday, March 25, 2004 9:52 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Server Crash
>
> Aha! I'm not the only one :)))
>
> What OS are you running?
>
>
> Vasiliy Boulytchev
> Colorado Information Technologies, Inc.
> http://www.coinfotech.com
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Chris Stone
> Sent: Thursday, March 25, 2004 9:41 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Server Crash
>
>
> Had a similar problem this morning for the first time on a new server that
> has been running for a couple weeks now without issue. Console screen clean,
> syslog shows nothing. But checking the log entry timestamps at 00:41 this
> morning it all died. Could ping the server but that's it. Telneting to port
> 25 did make a connection, but no banner from sendmail.
>
>
> Chris Stone
> High Mountain Software
> www.hms.com
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Boulytchev, Vasiliy
> Sent: Thursday, March 25, 2004 9:34 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Server Crash
>
> NO! Nothing on console/syslog :(
>
> No Hard Drive activity either. NICs are still going wild. Not able to
> communicate with the server period.
>
>
> Vasiliy Boulytchev
> Colorado Information Technologies, Inc.
> http://www.coinfotech.com > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Spicer, Kevin > Sent: Thursday, March 25, 2004 9:13 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Server Crash > > > Boulytchev, Vasiliy wrote: > > Ladies and Gents, > > Hopefully everyone can participate on this discussion. One of > our > > production servers keeps crashing on a random basis. > > Could you clarify what you mean by 'crashes'. Completely unresponsive? > anything on the console? syslog? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the recipient and may > contain confidential and/or privileged material. If you have received this > in error, please contact the sender and delete this message immediately. > Disclosure, copying or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited accepts no > liability in relation to any personal emails, or content of any email which > does not directly relate to our business. > From Jamesp at MUSICREPORTS.COM Thu Mar 25 21:20:52 2004 From: Jamesp at MUSICREPORTS.COM (James D. Parra) Date: Thu Jan 12 21:23:59 2006 Subject: redirecting email from a specific address Message-ID: <9EC6A5A6B11DA843A551CC9AD9323FAC727C25@exchange.musicreports.com> Looking at sendmail via Webmin and I am not sure how to set the alias to redirect external e-mail from an address to another. Could you point me to where I could find that? Thank you, James -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 25, 2004 1:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: redirecting email from a specific address Use Non-Spam Actions with a ruleset to forward all their mail to a different address. 
However, redirecting their mail with an MTA alias might be easier...

> >-----Original Message-----
> >From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
> >Sent: Thursday, March 25, 2004 11:23 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: redirecting email from a specific address
> >
> >
> >Thank you Mark.
> >
> >Did exactly as you wrote, however the e-mail is cc'd to the forwarding
> >recipient, with both the original recipient and the forwarding
> >recipient
> >receiving the e-mail. What can I do to have only the
> >forwarding recipient
> >receive the e-mail and no one else?
> >
> >Again, thank you.
> >
> >James
> >
> >
> >-----Original Message-----
> >From: Mark Spieth [mailto:mspieth@NEOD.NET]
> >Sent: Thursday, March 25, 2004 11:19 AM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: redirecting email from a specific address
> >
> >
> >Yes first in your Mailscanner.conf file put:
> >
> >Archive Mail = %rules-dir%/forward.rule
> >
> >Then in your forward.rule file put From: User@domain.com
> >user2@domain.com
> >
> >Replace user@domain.com with the incoming email address and the
> >user2@domain.com with the email address the email should be forwarded
> >to.
> >
> >Mark Spieth - Director of Internet Services
> >
> >Northeast Ohio Digital Inc.
> >
> >http://www.neod.net
> >
> >mspieth@neod.net
> >
> >330-830-6551
> >
> >
> >
> >CONFIDENTIALITY NOTICE: The materials attached hereto are confidential
> >and the property of the sender. The information contained in the
> >attached materials is privileged and/or confidential and is intended
> >only for the use of the above-named individual(s) or
> >entity(ies). If you
> >are not the intended recipient, be advised that any unauthorized
> >disclosure, copying, distribution or the taking of any action in
> >reliance on the contents of the attached information is strictly
> >prohibited.
If you have received this transmission in error, please
> >discard the information immediately
> >
> >
> >-----Original Message-----
> >From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
> >Sent: Thursday, March 25, 2004 2:13 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: redirecting email from a specific address
> >
> >Hello,
> >
> >Is there a way to redirect all e-mail coming from a particular address,
> >for
> >example "oneperson@onedomain.com", regardless of its intended
> >recipients
> >and
> >send it to another specific address? Could this be done through
> >MailScanner
> >or sendmail?
> >
> >Thank you in advance.
> >
> >James
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Thu Mar 25 21:21:42 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:59 2006
Subject: redirecting email from a specific address
Message-ID: <54C38A0B814C8E438EF73FC76F362927410AD1@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: James D. Parra [mailto:Jamesp@MUSICREPORTS.COM]
> Sent: 25 March, 2004 16:21
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: redirecting email from a specific address
>
>
> Looking at sendmail via Webmin and I am not sure how to set
> the alias to
> redirect external e-mail from an address to another. Could
> you point me to
> where I could find that?

I suggest you go directly edit the /etc/aliases file. It is sufficiently commented.

Ugo

>
> Thank you,
>
> James
>
>

From wdwrn at FRIENDLYCITY.NET Thu Mar 25 21:25:08 2004
From: wdwrn at FRIENDLYCITY.NET (Walter D.
Wyndroski)
Date: Thu Jan 12 21:23:59 2006
Subject: Feature Request
References: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS> <6.0.1.1.2.20040325205924.03c87e90@imap.ecs.soton.ac.uk>
Message-ID: <004901c412af$a5aef560$0201a8c0@jabbacom.net>

Julian,
Is it possible for MailScanner to track how many emails have been sent
from a particular client over a specified time period? If so, some method of
clamping or notification would be needed. As spam-bots and trojans become
more advanced, I am afraid they will query the machines which they have
infected for its outbound smtp server instead of the worm/virus
creating/using its own smtp server.

What do you think?

Walt Wyndroski

From pete at eatathome.com.au Thu Mar 25 21:38:23 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:59 2006
Subject: Failed Upgrade
In-Reply-To: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D4@exchange.shenandoah.k12.in.us>
References: <2D42D2DC1BFD744C8047D6BB197FB4CD3744D4@exchange.shenandoah.k12.in.us>
Message-ID: <4063514F.1020701@eatathome.com.au>

>
> What am I missing?
>

A web browser?

Just a tip - but the first thing I would do when I come across something like this, is to copy key parts of the error into google and see what comes up, I have 2 or 3 windows going and very quickly, you get some clue as to what's missing, or where you can find your fix - start using this type of method and you will save yourself HOURS waiting for response of lists and boards.

HTH
Pete

>I built this on redhat 9 as a new install as a
> test and it work. Why can't I get it to work on redhat 8.0.
> > Thanks > > Dale > > an't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner > /usr/li > b/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 > /usr/lib/perl5/site_p > erl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/ > site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl > 5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > /usr/lib/perl5/5.8.0/i386-linux-t > hread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at > /usr/lib/MailScanner > /MailScanner/Message.pm line 46. > BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/Message.pm > line 46. > Compilation failed in require at /usr/sbin/MailScanner line 52. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. > > > > From mailscanner at ecs.soton.ac.uk Thu Mar 25 21:47:34 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:23:59 2006 Subject: Feature Request In-Reply-To: <004901c412af$a5aef560$0201a8c0@jabbacom.net> References: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS> <6.0.1.1.2.20040325205924.03c87e90@imap.ecs.soton.ac.uk> <004901c412af$a5aef560$0201a8c0@jabbacom.net> Message-ID: <6.0.1.1.2.20040325214535.04072cd0@imap.ecs.soton.ac.uk> At 21:25 25/03/2004, you wrote: >Julian, > Is it possible for MailScanner to track how many emails have been sent >from a particular client over a specified time period? If so, some method of >clamping or notification would be needed. As spam-bots and trojans become >more advanced, I am afraid they will query the machines wich they have >infected for its outbound smtp server instead of the worm/virus >creating/using it's own smtp server. > >What do you think? Look in CustomConfig.pm for IPBlock and you will find all the rate-limiting code. It's all there, just needs switching on. Have a good read of the comments at the start of the IPBlock code. 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From wdwrn at FRIENDLYCITY.NET Thu Mar 25 21:53:13 2004
From: wdwrn at FRIENDLYCITY.NET (Walter D. Wyndroski)
Date: Thu Jan 12 21:23:59 2006
Subject: Feature Request
References: <08146035CA49D6119A36009027AC822A0549E486@CITY-EXCH-NTS> <6.0.1.1.2.20040325205924.03c87e90@imap.ecs.soton.ac.uk> <004901c412af$a5aef560$0201a8c0@jabbacom.net> <6.0.1.1.2.20040325214535.04072cd0@imap.ecs.soton.ac.uk>
Message-ID: <006001c412b3$92619090$0201a8c0@jabbacom.net>

Okay, thanks! I didn't realize you already had that in there.

Walt Wyndroski

----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, March 25, 2004 4:47 PM
Subject: Re: Feature Request

> At 21:25 25/03/2004, you wrote:
> >Julian,
> > Is it possible for MailScanner to track how many emails have been sent
> >from a particular client over a specified time period? If so, some method of
> >clamping or notification would be needed. As spam-bots and trojans become
> >more advanced, I am afraid they will query the machines which they have
> >infected for its outbound smtp server instead of the worm/virus
> >creating/using its own smtp server.
> >
> >What do you think?
>
> Look in CustomConfig.pm for IPBlock and you will find all the rate-limiting
> code. It's all there, just needs switching on. Have a good read of the
> comments at the start of the IPBlock code.
> -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From jwilliams at COURTESYMORTGAGE.COM Thu Mar 25 21:45:13 2004 From: jwilliams at COURTESYMORTGAGE.COM (Jason Williams) Date: Thu Jan 12 21:23:59 2006 Subject: Trouble getting bayes DB to be recognized/work In-Reply-To: <40632FF2.3030003@ucgbook.com> References: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com> <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com> Message-ID: <5.2.1.1.0.20040325134448.00ae0830@pop.courtesymortgage.com> >Do you have that file? If the server is brand new there's no bayes files >there yet. Run a mail through it and it should create the files. That did the trick. Ran some email through it and it fixed itself. Thanks for the help. Jas From mark at TIPPINGMAR.COM Thu Mar 25 21:45:46 2004 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:23:59 2006 Subject: Encrypted, delivered anyway In-Reply-To: <6.0.1.1.2.20040323115055.0727e008@imap.ecs.soton.ac.uk> Message-ID: <4062E28A.16275.43190F6@localhost> One of my users sent a password protected excel file to another one of my users. It was delivered even though Sophos complained about it. The log entries follow: Mar 24 13:51:59 gingham sendmail[22190]: i2OLpxP22190: from=, size=23029, class=0, nrcpts=1, msgid=<4061927E.9361.123071B@localhost>, proto=ESMTP, daemon=MTA, relay=Ath2100-1.tippingmar.com [192.168.254.53] Mar 24 13:52:06 gingham MailScanner[20574]: New Batch: Scanning 1 messages, 23484 bytes Mar 24 13:52:06 gingham MailScanner[20574]: Spam Checks: Starting Mar 24 13:52:06 gingham MailScanner[20574]: Virus and Content Scanning: Starting Mar 24 13:52:06 gingham MailScanner[20574]: ERROR:: File was encrypted (530):: . 
/i2OLpxP22190/secret.xls
Mar 24 13:52:07 gingham MailScanner[20574]: Virus Scanning: SophosSAVI found 1 infections
Mar 24 13:52:07 gingham MailScanner[20574]: Virus Scanning: Found 1 viruses
Mar 24 13:52:07 gingham MailScanner[20574]: Uninfected: Delivered 1 messages
Mar 24 13:52:07 gingham sendmail[22197]: i2OLpxP22190: to=, ctladdr= (517/517), delay=00:00:08, xdelay=00:00:00, mailer=local, pri=143029, dsn=2.0.0, stat=Sent

So I'm wondering, now that we are protected against password-protected zip files, do we have to start worrying about password-protected Office files? After all, there could be a macro virus in that document.

On a related note, see my post from Mar 23 entitled "Corrupted, delivered anyway." Is this just a problem with the SAVI method of running sophos?

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From rzewnickie at RFA.ORG Thu Mar 25 22:43:43 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:23:59 2006
Subject: Quarantine only non viruses
Message-ID: <20040325224343.GL30857@rfa.org>

I have:
Quarantine Infections = %rules-dir%/infections.quarantine.rules

with:
# infections.quarantine.rules
Virus: mydoom no
Virus: netsky no
Virus: default yes

A while ago I asked about how to only quarantine non-viruses and Julian suggested this:
Virus: /./ no
Virus: default yes
http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0401&L=mailscanner&D=0&I=-1&P=206444

I tried that today, but it also turns off quarantining files blocked only by filename rules. Since I sometimes might need to release such messages to users I'm trying to come up with some way around this.

I want to only quarantine stuff that hits the filename checks or the HTML checks (or other non-virus checks I haven't thought of). This would save disk space. I never need to send on a mail containing a virus.
It would also protect against accidentally postdrop'ing a virus when trying to release an HTML newsletter or some such mail to a user.

Thanks in advance for any ideas.

-Eric Rz.

From mailscanner at LAYLINE.DE Fri Mar 26 08:15:59 2004
From: mailscanner at LAYLINE.DE (Stephan Ilaender)
Date: Thu Jan 12 21:23:59 2006
Subject: Dumaru again
In-Reply-To: <003201c41307$d127c5c0$85421851@hq>
References: <003201c41307$d127c5c0$85421851@hq>
Message-ID: <20040326091559.37f2e2e9@aurora>

On 26.03.2004 Muenz, Michael wrote on the topic
## Re: Dumaru again ##

> Hi,
>
> > Uhm:
> >
> > Todays logs:
> >
> > 500 (first @ 00:07:58, last = 19:24:59) W32/Dumaru.Y@mm
> > 509 (first @ 00:01:08, last = 19:24:02) W32/Dumaru.Z@mm
> >
> > Even the Dumaru.AA is now popping up:
> >
> > 252 (first @ 04:14:29, last = 19:28:53) W32/Dumaru.AA@mm
>
> whats your "Archive-Zip" Version ?
> I'm running Debian Woody with Archive-Zip 1.09.
> F-Prot is detecting them. It must be a misconfig in MailScanner
> or a problem with some perl mod's
>
>

running on debian testing, libarchive-zip-perl is 1.05-1 ... however, everything
works fine if I just attach the myphoto.zip (it's decoded correctly) - maybe a
mime related issue?

regards,
Stephan

From ugob at CAMO-ROUTE.COM Fri Mar 26 05:08:43 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:59 2006
Subject: What causes this hit?
Message-ID: <54C38A0B814C8E438EF73FC76F362927410AD5@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>Sent: 25 March, 2004 23:13
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: What causes this hit?
>
>
>Allow IFrame Tags = yes
>Log IFrame Tags = yes
>Allow Form Tags = yes
>Convert Dangerous HTML To Text = no
>Convert HTML To Text = no
>
>I believe these to be the relevant settings from my
>MailScanner.conf Did I
>miss something?/

Maybe it is because of your "Log IFrame Tags" = yes?

What happened to this message, finally?
Ugo

>
>Mike
>
>
>> -----Original Message-----
>> From: MailScanner mailing list
>> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
>> Sent: Thursday, March 25, 2004 8:29 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: What causes this hit?
>>
>> >-----Original Message-----
>> >From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: 25 March, 2004
>> >20:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: What causes this hit?
>> >
>> >
>> >Report: MailScanner: Found a script in HTML message
>> >
>>
>> Your HTML settings in MailScanner.conf?
>>
>> >Mike
>> >
>> >

From mailscanner at LAYLINE.DE Fri Mar 26 07:16:21 2004
From: mailscanner at LAYLINE.DE (Stephan Ilaender)
Date: Thu Jan 12 21:23:59 2006
Subject: Dumaru again
In-Reply-To:
References: <00da01c41287$047fdd30$85421851@hq>
Message-ID: <20040326081621.280f5f77@aurora>

On 25.03.2004 Raymond Dijkxhoorn wrote on the topic
## Re: Dumaru again ##

> Hi!
>
> > I don't think this will work, cause MailScanner detects
> > every kind of Netsky etc. also Dumaru.A, but not Y and Z
>
> > Perhaps new beta will fix it ?!?
> > I don't want to upgrade cause it's a production server.
>
> Uhm:
>
> Todays logs:
>
> 500 (first @ 00:07:58, last = 19:24:59) W32/Dumaru.Y@mm
> 509 (first @ 00:01:08, last = 19:24:02) W32/Dumaru.Z@mm
>
> Even the Dumaru.AA is now popping up:
>
> 252 (first @ 04:14:29, last = 19:28:53) W32/Dumaru.AA@mm
>
> Bye,
> Raymond.
>
>

my question would still be: What could I possibly be doing wrong, when clamav and the clamav-wrapper are able to detect Dumaru.Y (when working on myphoto.zip directly) but not when it's passed through Mailscanner - whatever Mailscanner parses the myphoto.zip attachment to - the clamav-wrapper will not detect it as a virus (at least in my setup / I use --disable-archive because libclamav has a few false positives otherwise).

The Virus itself however is of course spotted by my other scanner (AntiVir), so yes, the virus is detected. But not by clamav invoked by Mailscanner.
This is not a "not detected" issue but an issue with clamav and Mailscanner. clamav detects Dumaru, so does Mailscanner - but Mailscanner is configured to run with clamav and antivir and only antivir hits. If I attach just the myphoto.zip to a mail clamav AND antivir hit. If the Virus comes in from the wild ONLY antivir hits ... strange problem, I know. It's probably a matter of how the Virus is attached in the real viral message ... anyone any ideas on this? What could I possibly be doing wrong?

regards,
Stephan

From pete at eatathome.com.au Fri Mar 26 04:46:52 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:59 2006
Subject: What causes this hit?
In-Reply-To: <200403260409.i2Q49nJU027304@avwall.bladeware.com>
References: <200403260409.i2Q49nJU027304@avwall.bladeware.com>
Message-ID: <4063B5BC.8020709@eatathome.com.au>

Mike Kercher wrote:

>Allow IFrame Tags = yes
>Log IFrame Tags = yes
>Allow Form Tags = yes
>Convert Dangerous HTML To Text = no
>Convert HTML To Text = no
>
>I believe these to be the relevant settings from my MailScanner.conf Did I
>miss something?/
>
>Mike
>
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
>>Sent: Thursday, March 25, 2004 8:29 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: What causes this hit?
>>
>>
>>
>>>-----Original Message-----
>>>From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: 25 March, 2004
>>>20:58 To: MAILSCANNER@JISCMAIL.AC.UK Subject: What causes this hit?
>>>
>>>
>>>Report: MailScanner: Found a script in HTML message
>>>
>>>
>>>
>>Your HTML settings in MailScanner.conf?
>>
>>
>>
>>>Mike
>>>
>>>
>>>
>
>
>
>
>

But didn't that rules used to say Found Iframe Exploit or something?
I have been trying to work out how to let one of these through just now, just to release one from quarantine to a user - grrr

I followed this eventually, which kinda works, in that it releases a copy but also runs another captured copy through mailwatch - weird.

From mike at CAMAROSS.NET Fri Mar 26 06:44:29 2004
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:23:59 2006
Subject: What causes this hit?
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410AD5@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200403260641.i2Q6fGJU004590@avwall.bladeware.com>

I get a virus notification. I have just turned the Iframe logging off. I'll have to watch and see if I get any more like this.

Thanks!

Mike

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> Sent: Thursday, March 25, 2004 11:09 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: What causes this hit?
>
> >-----Original Message-----
> >From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> >Sent: 25 March, 2004 23:13
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: What causes this hit?
> >
> >
> >Allow IFrame Tags = yes
> >Log IFrame Tags = yes
> >Allow Form Tags = yes
> >Convert Dangerous HTML To Text = no
> >Convert HTML To Text = no
> >
> >I believe these to be the relevant settings from my MailScanner.conf
> >Did I miss something?/
>
> Maybe it is because of your "Log IFrame Tags" = yes?
>
> What happened to this message, finally?
>
> Ugo
>
> >
> >Mike
> >
> >
> >> -----Original Message-----
> >> From: MailScanner mailing list
> >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
> >> Sent: Thursday, March 25, 2004 8:29 PM
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Re: What causes this hit?
> >>
> >> >-----Original Message-----
> >> >From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> >> >Sent: 25 March, 2004 20:58
> >> >To: MAILSCANNER@JISCMAIL.AC.UK
> >> >Subject: What causes this hit?
> >> > > >> > > >> >Report: MailScanner: Found a script in HTML message > >> > > >> > >> Your HTML settings in MailScanner.conf? > >> > >> >Mike > >> > > >> > > > From linux at LEUTE.SERVER.DE Fri Mar 26 08:25:52 2004 From: linux at LEUTE.SERVER.DE (Muenz, Michael) Date: Thu Jan 12 21:23:59 2006 Subject: Dumaru again References: <003201c41307$d127c5c0$85421851@hq> <20040326091559.37f2e2e9@aurora> Message-ID: <011a01c4130b$f376be70$85421851@hq> > running on debian testing, libarchive-zip-perl is 1.05-1 ... however, everything > works fine if I just attach the myphoto.zip (it's decoded correctly) - maybe a > mime related issue? I haven't installed the patched version of MIME-tools. Now it's installed and Archive-Zip updated to 1.10. Perhaps this will fix it. If not I'll install newest beta. From P.G.M.Peters at utwente.nl Fri Mar 26 08:14:47 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:23:59 2006 Subject: Commercial Product In-Reply-To: <6.0.1.1.2.20040325095016.03fa2650@imap.ecs.soton.ac.uk> References: <538690D1C378D2118F1E00104B36893A0111E383@zeus> <6.0.1.1.2.20040325095016.03fa2650@imap.ecs.soton.ac.uk> Message-ID: On Thu, 25 Mar 2004 09:51:51 +0000, you wrote: >>Excellent response Andy! Think I'll file this away for the next time my >>bosses want to buy a toaster, or McAfee anti-spam for the desktops. > >McAfee anti-spam *is* SpamAssassin. But without the extra rule files you can download from everywhere. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at utwente.nl Fri Mar 26 08:08:38 2004 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:23:59 2006 Subject: Questions... 
In-Reply-To: <6.0.1.1.2.20040324183836.03caada8@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0020199C8@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0020199C8@pascal.priv.bmrb. co.uk> <6.0.1.1.2.20040324183836.03caada8@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 24 Mar 2004 18:39:15 +0000, you wrote:

>>Anyway my point is that zip files could be spotted by looking at the first
>>4 or 5 bytes of the file.
>
>This is now done and will be in the next release. So renaming ".zip" to
>"_zip" and tricks like that will no longer work.

So my advice to send password protected zip-files (for the people needing to) with a different extension will help me to a couple of new phone calls :-(

And I am still not ready with finding a solution for tgz files. Somehow the current version (4.29.3-1) seems to think tgz (and tar.gz) files are zips. But after unpacking something (f-prot?) can't handle the result and thinks it is too insecure to forward to the recipient.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From martinh at SOLID-STATE-LOGIC.COM Fri Mar 26 08:57:25 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:59 2006
Subject: Trouble getting bayes DB to be recognized/work
In-Reply-To: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com>
References: <5.2.1.1.0.20040325102245.00b15d18@pop.courtesymortgage.com>
Message-ID: <4063F075.5060004@solid-state-logic.com>

Jason

the bayes DB file will be created once it's seen the first email that triggers learning (auto or manual). The Bayes engine won't kick in till it's seen at least 200 each of spam and ham, so if you can get 200 examples of each and manually train it to give it a good kick start.
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jason Williams wrote:
> Hello everyone.
>
> I'm rolling out a new MS Mail gateway server for one of our branch offices
> here and I've run into a small problem.
> Note: FreeBSD 4.9
> MailScanner 4.28-6
>
> I've done all the initial configurations and everything is working well. I
> installed spamassassin via the port and then went to test it using the
> --lint option.
>
> Here is what happens:
>
> mailmg# spamassassin -D -p
> /usr/local/etc/MailScanner/spam.assassin.prefs.conf --lint
> debug: Score set 0 chosen.
> debug: running in taint mode? no
> debug: ignore: using a test message to lint rules
> debug: using "/usr/local/share/spamassassin" for default rules dir
> debug: using "/usr/local/etc/mail/spamassassin" for site rules dir
> debug: using "/root/.spamassassin" for user state dir
> debug: using "/usr/local/etc/MailScanner/spam.assassin.prefs.conf" for user
> prefs file
> debug: bayes: no dbs present, cannot scan:
> /var/spool/spamassassin/bayes_toks
> debug: Score set 1 chosen.
> debug: Initialising learner
> debug: bayes: no dbs present, cannot scan:
> /var/spool/spamassassin/bayes_toks
>
> Can't scan the directory and I'm not sure why that is. I've setup the
> directory correctly, from what I can tell:
>
> mailmg# ls -lad /var/spool/spamassassin/
> drwxr-xr-x 2 root daemon 512 Mar 25 10:21 /var/spool/spamassassin/
>
> Anyone seen this before and know what the problem is?
> The last two times I've setup similar servers, I have not run into this
> problem.
>
> I appreciate the help
>
> Jas

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.
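The content check discussed in Peter Peters' "Questions..." message earlier in the thread (recognising a zip by its first bytes instead of its extension, and keeping tgz apart from zip), as an added example that is not MailScanner's code. All function names and the EXPECTED policy table are assumptions, the samples are constructed in memory, and it goes slightly further by also reading the zip encryption flag, since password-protected zips are the case raised there.

```python
import gzip
import io
import struct
import tarfile
import zipfile
import zlib

ZIP_LOCAL = b"PK\x03\x04"   # local file header: first bytes of a non-empty zip
ZIP_EMPTY = b"PK\x05\x06"   # end-of-central-directory: an empty zip
GZIP_MAGIC = b"\x1f\x8b"
USTAR_OFFSET = 257          # "ustar" sits here in a tar header block

# Extension -> content type a filter would expect (assumed policy table).
EXPECTED = {".zip": "zip", ".tgz": "tar.gz", ".tar.gz": "tar.gz",
            ".gz": "gzip", ".tar": "tar"}


def sniff(data):
    """Classify attachment bytes by content, ignoring the filename."""
    if data.startswith((ZIP_LOCAL, ZIP_EMPTY)):
        return "zip"
    if data.startswith(GZIP_MAGIC):
        # A .tgz is gzip on the outside; decompress one block to look for tar.
        try:
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(512)
        except (OSError, EOFError, zlib.error):
            return "gzip"
        if inner[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar":
            return "tar.gz"
        return "gzip"
    if data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar":
        return "tar"
    return "unknown"


def first_entry_encrypted(data):
    """True if the first zip local header has general-purpose flag bit 0 set."""
    if not data.startswith(ZIP_LOCAL) or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def check_attachment(filename, data):
    """Compare what the name claims with what the bytes are."""
    kind = sniff(data)
    name = filename.lower()
    claimed = next((k for ext, k in EXPECTED.items() if name.endswith(ext)),
                   None)
    return {
        "kind": kind,
        "claimed": claimed,
        # An archive whose name does not admit to being that archive.
        "disguised": kind != "unknown" and claimed != kind,
        "encrypted": kind == "zip" and first_entry_encrypted(data),
    }


def sample_zip():
    """Constructed sample: a one-member zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hello.txt", "constructed sample")
    return buf.getvalue()


def sample_tgz():
    """Constructed sample: a one-member tar, gzip-compressed."""
    raw = io.BytesIO()
    payload = b"constructed sample"
    with tarfile.open(fileobj=raw, mode="w",
                      format=tarfile.USTAR_FORMAT) as t:
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        t.addfile(info, io.BytesIO(payload))
    return gzip.compress(raw.getvalue())


def mark_encrypted(zip_bytes):
    """Constructed sample: set the encryption flag in the first local header."""
    patched = bytearray(zip_bytes)
    patched[6] |= 0x01
    return bytes(patched)


if __name__ == "__main__":
    for fname, blob in [("myphoto.zip", sample_zip()),
                        ("myphoto_zip", sample_zip()),
                        ("backup.tgz", sample_tgz()),
                        ("secret.dat", mark_encrypted(sample_zip()))]:
        print(fname, check_attachment(fname, blob))
```
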
From xcelent at WOL.NET.PK Fri Mar 26 08:55:40 2004 From: xcelent at WOL.NET.PK (xcelent) Date: Thu Jan 12 21:23:59 2006 Subject: Slient Virus In-Reply-To: <011a01c4130b$f376be70$85421851@hq> References: <003201c41307$d127c5c0$85421851@hq> <20040326091559.37f2e2e9@aurora> <011a01c4130b$f376be70$85421851@hq> Message-ID: <200403261355400996.0081F430@smtp.khi.wol.net.pk> does any1 have Slient viruses rulesset file ??? xecl From pete at eatathome.com.au Fri Mar 26 04:05:32 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:23:59 2006 Subject: Which FreeBSD version for MS? Message-ID: <4063AC0C.1000906@eatathome.com.au> I am about to run with BSD on my new server - p4 2.8/1536mb ram /scsi for our 1500 emails per day, :) I cant get linux installed and have wasted a half day trying. Which FreeBSD version is going to work best? I can easily get 5.2.1 installed ion this machine, 5.0 has some issues and i dont have a copy of 4.9 right now. Is 5.2.1 far too new to be running on the mail gateway ? PS: anyone got any experience with Linux or FreeBSD on Compaq, specifically ML310 ? 9 Care to message me off list so i can ask some OT questions? From Kevin.Spicer at BMRB.CO.UK Fri Mar 26 08:59:01 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:59 2006 Subject: Dumaru again Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649BF2@pascal.priv.bmrb.co.uk> Stephan Ilaender wrote: > am 25.03.2004 schrieb Raymond Dijkxhoorn zum Thema > ## Re: Dumaru again ## > >> Hi! >> >>> I don't think this will work, cause MailScanner detects >>> every kind of Netsky etc. also Dumaru.A, but not Y and Z >> >>> Perhaps new beta will fix it ?!? >>> I don't want to upgrade cause it's a production server. 
>>
>> Uhm:
>>
>> Todays logs:
>>
>> 500 (first @ 00:07:58, last = 19:24:59) W32/Dumaru.Y@mm
>> 509 (first @ 00:01:08, last = 19:24:02) W32/Dumaru.Z@mm
>>
>> Even the Dumaru.AA is now popping up:
>>
>> 252 (first @ 04:14:29, last = 19:28:53) W32/Dumaru.AA@mm
>>
>> Bye,
>> Raymond.
>>
>>
>
> my question would still be: What could I possibly be doing wrong,
> when clamav and the clamav-wrapper are able to detect Dumaru.Y (when
> working on myphoto.zip directly) but not when it's passed through
> Mailscanner - whatever Mailscanner parses the myphoto.zip attachment
> to - the clamav-wrapper will not detect it as a virus (at least in my
> setup / I use --disable-archive because libclamav has a few false
> positives otherwise).

If you are using disable-archive then clam won't look inside archives. Your other scanner is detecting it either because a) it is configured to unpack archives b) Its signatures are based on the zip file, rather than its contents. I suggest you turn disable-archive off, and when you get a false positive submit it to the clamav folks (through their web site) in order to get the signature corrected. They are usually very good at correcting these kind of things.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
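Kevin Spicer's point above, as an added example that is neither ClamAV nor MailScanner code: a signature written against file contents does not match the compressed container, so the scanner has to unpack members, and anything it could not open should be reported instead of being passed as clean. SIGNATURE is a constructed marker (not a real malware pattern), the limits are assumed values, and all names are hypothetical.

```python
import io
import zipfile
import zlib

# Constructed stand-in for a scanner signature; not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_DEPTH = 3                 # assumed limit on nested archives
MAX_MEMBER_BYTES = 1 << 20    # assumed cap on bytes read per member

# Constructed member content: compressible filler around the marker.
PAYLOAD = b"constructed filler line\n" * 40 + SIGNATURE + b"\n"


def container_only_scan(data):
    """What a scanner sees when it never looks inside the archive."""
    return SIGNATURE in data


def scan_archive(data, name, depth=0):
    """Return (hits, unscanned) for one attachment.

    hits: paths whose bytes contain SIGNATURE.
    unscanned: (path, reason) for content that could not be inspected.
    """
    hits, unscanned = [], []
    if SIGNATURE in data:
        hits.append(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits, unscanned
    if depth >= MAX_DEPTH:
        unscanned.append((name, "nested too deep"))
        return hits, unscanned
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        unscanned.append((name, "corrupt archive"))
        return hits, unscanned
    with archive:
        for info in archive.infolist():
            path = name + "/" + info.filename
            try:
                # Read one byte past the cap so oversized members are
                # detected even if the header understates their size.
                with archive.open(info) as member:
                    body = member.read(MAX_MEMBER_BYTES + 1)
            except (zipfile.BadZipFile, zlib.error, RuntimeError,
                    NotImplementedError):
                unscanned.append((path, "unreadable"))
                continue
            if len(body) > MAX_MEMBER_BYTES:
                unscanned.append((path, "too large"))
                continue
            sub_hits, sub_unscanned = scan_archive(body, path, depth + 1)
            hits.extend(sub_hits)
            unscanned.extend(sub_unscanned)
    return hits, unscanned


def verdict(data, name):
    """Infected on any hit; quarantine when something went unscanned."""
    hits, unscanned = scan_archive(data, name)
    if hits:
        return "infected"
    if unscanned:
        return "quarantine"
    return "clean"


def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a constructed zip in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as z:
        for member_name, body in members.items():
            z.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    deflated = make_zip({"doc.txt": PAYLOAD})
    print("container only:", container_only_scan(deflated))
    print("unpacked:", scan_archive(deflated, "myphoto.zip"))
    nested = make_zip({"inner.zip": deflated})
    print("nested:", scan_archive(nested, "mail.zip"))
```
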
From linux at LEUTE.SERVER.DE Fri Mar 26 07:56:16 2004 From: linux at LEUTE.SERVER.DE (Muenz, Michael) Date: Thu Jan 12 21:23:59 2006 Subject: Dumaru again References: Message-ID: <003201c41307$d127c5c0$85421851@hq> Hi, > Uhm: > > Todays logs: > > 500 (first @ 00:07:58, last = 19:24:59) W32/Dumaru.Y@mm > 509 (first @ 00:01:08, last = 19:24:02) W32/Dumaru.Z@mm > > Even the Dumaru.AA is now popping up: > > 252 (first @ 04:14:29, last = 19:28:53) W32/Dumaru.AA@mm whats your "Archive-Zip" Version ? I'm running Debian Woody with Archive-Zip 1.09. F-Prot is detecting them. It must be a misconfig in MailScanner or a problem with some perl mod's From brian at kimnbrian.com Fri Mar 26 02:50:05 2004 From: brian at kimnbrian.com (Brian Fistler) Date: Thu Jan 12 21:23:59 2006 Subject: MailScanner & new postfix release In-Reply-To: <6.0.1.1.2.20040325094928.03fa28e0@imap.ecs.soton.ac.uk> References: <1080164878.6ijivzodjcao@mail.kimnbrian.com> <6.0.1.1.2.20040325094928.03fa28e0@imap.ecs.soton.ac.uk> Message-ID: <1080269405.2188.3.camel@brian-mdk.kimnbrian.com> On Thu, 2004-03-25 at 03:49, Julian Field wrote: > I worked on some Postfix fixes a few days ago. It's possible I haven't > published them yet. > This should solve new Postfix compatibility problems. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 4.29.6-1 release is still doing the same thing... Brian From mike at CAMAROSS.NET Fri Mar 26 01:57:49 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:23:59 2006 Subject: What causes this hit? 
Message-ID: <200403260154.i2Q1sZJU017018@avwall.bladeware.com>

Report: MailScanner: Found a script in HTML message

Mike

From linux at LEUTE.SERVER.DE Fri Mar 26 09:27:27 2004
From: linux at LEUTE.SERVER.DE (Muenz, Michael)
Date: Thu Jan 12 21:23:59 2006
Subject: Dumaru-Y MIME failure
References: <5C0296D26910694BB9A9BBFC577E7AB001649BF2@pascal.priv.bmrb.co.uk>
Message-ID: <013e01c41314$8e0d0c70$85421851@hq>

Hi List,

this is hopefully my last post. I found an article in this list:

http://mharc.lists.openservices.ca/archives/html/mailscanner/2004-02/msg01288.html

James Corell had the same problem and Julian posted a patched version of Message.pm. Is the patch already applied to 4.28.6-1 ? If not this should solve the prob ...

Michael

From martinh at SOLID-STATE-LOGIC.COM Fri Mar 26 08:55:31 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:59 2006
Subject: Which FreeBSD version for MS?
In-Reply-To: <4063AC0C.1000906@eatathome.com.au>
References: <4063AC0C.1000906@eatathome.com.au>
Message-ID: <4063F003.70201@solid-state-logic.com>

Pete

5.2.1 should be ok...been running at a few weeks with no hiccups on a test machine that will eventually become our new email server..

Currently running MailScanner on fbsd 4.8 myself, but only cos at the time the 5.x tree was a little too young for my liking even if it run quite a bit faster on the same hardware..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Pete wrote:
> I am about to run with BSD on my new server - p4 2.8/1536mb ram /scsi
> for our 1500 emails per day, :)
>
> I can't get linux installed and have wasted a half day trying.
>
> Which FreeBSD version is going to work best? I can easily get 5.2.1
> installed on this machine, 5.0 has some issues and i don't have a copy
> of 4.9 right now.
>
> Is 5.2.1 far too new to be running on the mail gateway ?
>
>
> PS: anyone got any experience with Linux or FreeBSD on Compaq,
> specifically ML310 ?
9 Care to message me off list so i can ask some OT > questions -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mike at CAMAROSS.NET Fri Mar 26 04:13:03 2004 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:23:59 2006 Subject: What causes this hit? In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410AD2@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200403260409.i2Q49nJU027304@avwall.bladeware.com> Allow IFrame Tags = yes Log IFrame Tags = yes Allow Form Tags = yes Convert Dangerous HTML To Text = no Convert HTML To Text = no I believe these to be the relevant settings from my MailScanner.conf Did I miss something?/ Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance > Sent: Thursday, March 25, 2004 8:29 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: What causes this hit? > > >-----Message d'origine----- > >De : Mike Kercher [mailto:mike@CAMAROSS.NET] Envoy? : 25 mars, 2004 > >20:58 ? : MAILSCANNER@JISCMAIL.AC.UK Objet : What causes this hit? > > > > > >Report: MailScanner: Found a script in HTML message > > > > Your HTML settings in MailScanner.conf? > > >Mike > > > From mailscanner at LAYLINE.DE Fri Mar 26 09:57:14 2004 From: mailscanner at LAYLINE.DE (Stephan Ilaender) Date: Thu Jan 12 21:23:59 2006 Subject: Dumaru again In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649BF2@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649BF2@pascal.priv.bmrb.co.uk> Message-ID: <20040326105714.3613246d@aurora> am 26.03.2004 schrieb Spicer, Kevin zum Thema ## Re: Dumaru again ## > If you are using disable-archive then clam won't look inside archives. Your > other scanner is detecting it either because a) it is configured to unpack > archives b) Its signatures are based on the zip file, rather than its > contents. 
I suggest you turn disable-archive off, and when you get a false > positive submit it to the clamav folks (through their web site) in order to > get the signature corrected. They are usually very good at correcting these > kind of things. > just a quick clarification here: --no-archive Disable archive support built in libclamav. this means internal support for zip is disabled - an archive will still be unpacked and scanned using the command line tools provided by the OS. As an example: file /tmp/Mtw3afm /tmp/Mtw3afm: Zip archive data, at least v1.0 to extract clamscan --no-archive /tmp/Mtw3afm /tmp/Mtw3afm: Worm.Dumaru.Y FOUND I think the clam team should probably rename this option to something like --no-builtin-archive-support or whatever. You can read more on this issue here: http://www.mail-archive.com/clamav-users@lists.sourceforge.net/msg02969.html I quote: "The way to get results of scanning of all files in a zip file is disabling built-in archive support in libclamav (--disable-archive) and enabling scanning with external unzip program (--unzip[=FULLPATH])." // note that --disable-archive has been renamed to --no-archive again, as I said - if I attach the myphoto.zip Dumaru *IS* detected ... regards, Stephan From drew at THEMARSHALLS.CO.UK Fri Mar 26 09:53:45 2004 From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:23:59 2006 Subject: Which FreeBSD version for MS? In-Reply-To: <4063AC0C.1000906@eatathome.com.au> References: <4063AC0C.1000906@eatathome.com.au> Message-ID: <43453.194.70.180.170.1080294825.squirrel@net.themarshalls.co.uk> Pete said: > I am about to run with BSD on my new server - p4 2.8/1536mb ram /scsi > for our 1500 emails per day, :) > > I cant get linux installed and have wasted a half day trying. > > Which FreeBSD version is going to work best? I can easily get 5.2.1 > installed ion this machine, 5.0 has some issues and i dont have a copy > of 4.9 right now. > > Is 5.2.1 far too new to be running on the mail gateway ? 
I wouldn't have said so. My server runs on 5.2.1 without problems. > > > PS: anyone got any experience with Linux or FreeBSD on Compaq, > specifically ML310 ? 9 Care to message me off list so i can ask some OT > questions? > Sorry, no :-( -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From annabel at ZAMNET.ZM Fri Mar 26 07:08:53 2004 From: annabel at ZAMNET.ZM (Annabel Maseko) Date: Thu Jan 12 21:23:59 2006 Subject: Mail not being delivered In-Reply-To: <6.0.1.1.2.20040325155257.07a352b0@imap.ecs.soton.ac.uk> Message-ID: Hi, > You are hitting a bug in Perl. Upgrade your Perl to something more recent, > then re-install MailScanner and all its requirements from scratch. > Ok. Will try that. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Thanks for your help. Annabel. From Kevin.Spicer at BMRB.CO.UK Fri Mar 26 10:08:09 2004 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:23:59 2006 Subject: Dumaru again Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0020199CA@pascal.priv.bmrb.co.uk> Stephan Ilaender wrote: > am 26.03.2004 schrieb Spicer, Kevin zum Thema > just a quick clarification here: > > --no-archive > Disable archive support built in libclamav. > > this means internal support for zip is disabled - an archive will > still be unpacked and scanned using the command line tools provided > by the OS. As an example: Right, but if the external unpacker doesn't work, you aren't going to spot it. There is a good reason why the external unpacker might fail... When running as root clamav drops privileges to another user (usually user clamav, group clamav). Because MailScanner runs as root (with sendmail anyway) this can prevent external unpackers from working (as it tends to use /root/tmp for temp files). 
Julian kindly included my adapted clamav-wrapper in recent releases which addresses this issue. To make sure everything will work make sure you have the most recent wrapper script and follow the instructions in the comments in it (you need to change a couple of settings in MailScanner.conf). Kevin BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From annabel at ZAMNET.ZM Fri Mar 26 07:09:32 2004 From: annabel at ZAMNET.ZM (Annabel Maseko) Date: Thu Jan 12 21:23:59 2006 Subject: Mail not being delivered In-Reply-To: <5e445062d62a32da24013cb891cbda4d@mk> Message-ID: Hi, Sorry. This is a long one. > [snip] > Could be that a change in some library broke your perl installation. > > Try to run "perl -V", does it show the details or just doesn't run? > perl -V shows the details > If perl seems to work, and make sure MailScanner is using it (in Solaris 8 > I have an old perl that came with the OS and a new one), try adding -w to > the beginning of the MailScanner script. > This is what I get when I add -w to the beginning of the MailScanner script Starting MailScanner... Useless use of hash elem in void context at /usr/local/lib/MailScanner/MailScanner/Config.pm line 731. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1724. Unquoted string "hostname" may clash with future reserved word at /usr/local/lib /MailScanner/MailScanner/CustomConfig.pm line 299. 
"my" variable $LimitsH masks earlier declaration in same scope at /usr/local/lib /MailScanner/MailScanner/CustomConfig.pm line 760. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 786. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 802. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/MCPMessage.pm line 522. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 665. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 765. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 2762. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 2969. "my" variable $type masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 3168. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 3272. Subroutine add_part redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 3724. Subroutine extract redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 3752. Useless use of string in void context at /usr/local/lib/MailScanner/MailScanner/MCP.pm line 244. Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 280. (Maybe you meant system() when you said exec()?) Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 839. (Maybe you meant system() when you said exec()?) In Debugging mode, not forking... Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2300, chunk 169. 
Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 190. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 191. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 192. Exiting subroutine via next at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1946, chunk 1. Exiting subroutine via next at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1946, chunk 2. Exiting subroutine via next at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1946, chunk 3. Exiting subroutine via next at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1946, chunk 4. Exiting subroutine via next at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1946, chunk 5. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 6. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 7. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 8. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 9. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 10. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 11. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 12. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 13. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 14. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 15. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 1922, chunk 16. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2300, chunk 308. 
Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2300, chunk 315. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 337. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 338. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2517, chunk 339. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/WorkArea.pm line 88. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/WorkArea.pm line 97. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Quarantine.pm line 88. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/Quarantine.pm line 97. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/RBLs.pm line 129, chunk 32. Use of uninitialized value at /usr/local/lib/MailScanner/MailScanner/RBLs.pm line 129, chunk 32. Segmentation fault > If perl doesn't work, use "ldd `which perl`" (those are acute accent marks, > the left to right accent), this should show which library is not found. > # ldd `which perl` /usr/bin/perl: libperl.so.3 => /usr/lib/libperl.so.3 (0x28068000) libm.so.2 => /usr/lib/libm.so.2 (0x28100000) libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2811b000) libmd.so.2 => /usr/lib/libmd.so.2 (0x28134000) libc.so.4 => /usr/lib/libc.so.4 (0x2813d000) libutil.so.3 => /usr/lib/libutil.so.3 (0x281d6000) > Keep us posted. > -- > Ren? Berber Thank for your help. Annabel From ugob at CAMO-ROUTE.COM Fri Mar 26 02:28:52 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:23:59 2006 Subject: What causes this hit? Message-ID: <54C38A0B814C8E438EF73FC76F362927410AD2@mtlnt501fs.CAMOROUTE.COM> >-----Message d'origine----- >De : Mike Kercher [mailto:mike@CAMAROSS.NET] >Envoy? : 25 mars, 2004 20:58 >? : MAILSCANNER@JISCMAIL.AC.UK >Objet : What causes this hit? 
>
>
>Report: MailScanner: Found a script in HTML message
>

Your HTML settings in MailScanner.conf?

>Mike
>

From postmaster at mail.unima.mg Fri Mar 26 10:19:00 2004
From: postmaster at mail.unima.mg (GNOSYS Antivirus MailScanner)
Date: Thu Jan 12 21:23:59 2006
Subject: ALERT: a virus was detected in your email
Message-ID: <200403261019.i2QAJ0ap025358@mail.unima.mg>

Our antivirus gateway detected a virus in the email you just sent:

To: qualite.besalampy@unima.mg
Subject: moin
Date: Fri Mar 26 13:19:00 2004

Infected attachments will not be forwarded to the recipient. This email is to warn you that your workstation is probably infected and that it would be advisable to have it checked.

Antivirus results:
Sophos: >>> Virus 'W32/Netsky-C' found in file mydate.exe
MailScanner: Executable DOS/Windows programs are dangerous in email (mydate.exe)

Contact postmaster for more information.

--
Gnosys MailScanner

From mailscanner at LAYLINE.DE Fri Mar 26 10:22:15 2004
From: mailscanner at LAYLINE.DE (Stephan Ilaender)
Date: Thu Jan 12 21:23:59 2006
Subject: Dumaru again
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0020199CA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0020199CA@pascal.priv.bmrb.co.uk>
Message-ID: <20040326112215.504379df@aurora>

On 26.03.2004 Spicer, Kevin wrote on the subject
## RE: Dumaru again ##

> Stephan Ilaender wrote:
> > On 26.03.2004 Spicer, Kevin wrote on the subject
> > just a quick clarification here:
> >
> > --no-archive
> > Disable archive support built in libclamav.
> >
> > this means internal support for zip is disabled - an archive will
> > still be unpacked and scanned using the command line tools provided
> > by the OS. As an example:
>
> Right, but if the external unpacker doesn't work, you aren't going to spot it.
> There is a good reason why the external unpacker might fail...
> > When running as root clamav drops privileges to another user (usually user > clamav, group clamav). Because MailScanner runs as root (with sendmail > anyway) this can prevent external unpackers from working (as it tends to use > /root/tmp for temp files). Julian kindly included my adapted clamav-wrapper > in recent releases which addresses this issue. To make sure everything will > work make sure you have the most recent wrapper script and follow the > instructions in the comments in it (you need to change a couple of settings in > MailScanner.conf). > right, i will have a go with the newest wrapper - but as stated before: simply attaching the virus does ring mailscanners bells - so it's not really a privilege matter. regards, Stephan From Kevin at MICA.NET Fri Mar 26 00:19:57 2004 From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:23:59 2006 Subject: Content-Check whitelist? Message-ID: <8B699873CEBA3543926B467E768082320344F8@sol.hq.mica.net> I would like to completely whitelist a couple email addresses that I have. What I mean by "completely whitelist" is that I'd like MailScanner to not do any checks on email sent to these addresses, just pass it through. The reason I want to do this is I have a spam and ham learning address set up for people to send emails to the bayesian learner. Problem is, sometimes MailScanner finds a form in one of the attached messages, and then notifies the user of the dangerous content. I want to disable all mailscanner checks for these 2 addresses... I put them in the spam.whitelist rule file, but I'm still getting content messages back from MailScanner it seems: Our email content filters have been triggered by a message you sent:- To: notreallyspam@pluto.mica.net Subject: Date: Thu Mar 25 19:14:59 2004 This message has been rejected. 
The filters said this:

Found a form in HTML message
Report: Found a form in HTML message
Report: Found a form in HTML message
Report: Found a form in HTML message
Report: Found a form in HTML message
Report: Found a form in HTML message
.

How can I make MailScanner ignore my 2 learning addresses?

Thx!

k

From jrudd at UCSC.EDU Fri Mar 26 00:05:24 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:23:59 2006
Subject: Feature Request (new header)
Message-ID: <406373C4.9B9595FD@ucsc.edu>

X-%org-name%-MailScanner-Filenames:

which will be populated with the filenames of any attachments (including the ones put there by mailscanner) contained within the message. This will allow users to do their own "filename rules" in procmail (or whichever filtering mechanism they use).

Similarly, a

X-%org-name%-MailScanner-Filetypes:

might be useful.

John

From jrudd at UCSC.EDU Fri Mar 26 00:11:35 2004
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:24:00 2006
Subject: Feature Request (security issue)
Message-ID: <40637537.A6820596@ucsc.edu>

http://www.greymagic.com/security/advisories/gm005-mc/

This may already be covered by the new "html tags" feature, but I'm hoping that we can address this issue of blocking the tag (since I'm not allowed to address it by blocking Outlook).

(I think there's also an issue about the tag having stuff in it)

Is _all_ of this covered by the new html tags feature, and if not, this seems like an important issue to address.

From ka at PACIFIC.NET Thu Mar 25 23:42:36 2004
From: ka at PACIFIC.NET (Ken Anderson (Pacific Internet))
Date: Thu Jan 12 21:24:00 2006
Subject: redirecting email from a specific address
In-Reply-To: <9EC6A5A6B11DA843A551CC9AD9323FAC727C22@exchange.musicreports.com>
References: <9EC6A5A6B11DA843A551CC9AD9323FAC727C22@exchange.musicreports.com>
Message-ID: <40636E6C.5010702@pacific.net>

Sendmail aliases only match recipients, not senders, so you'll need to use MailScanner.

Ken
Pacific.Net

James D. Parra wrote:
> Hello,
>
> Is there a way to redirect all e-mail coming from a particular address, for
> example "oneperson@onedomain.com", regardless of its intended recipients and
> send it to another specific address? Could this be done through MailScanner
> or sendmail?
>
> Thank you in advance.
>
> James
>
>

From ugob at CAMO-ROUTE.COM Fri Mar 26 04:59:41 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:24:00 2006
Subject: What causes this hit?
Message-ID: <54C38A0B814C8E438EF73FC76F362927410AD3@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Pete [mailto:pete@eatathome.com.au]
>Sent: 25 March, 2004 23:47
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: What causes this hit?
>
>Mike Kercher wrote:
>
>>Allow IFrame Tags = yes
>>Log IFrame Tags = yes
>>Allow Form Tags = yes
>>Convert Dangerous HTML To Text = no
>>Convert HTML To Text = no
>>
>>I believe these to be the relevant settings from my MailScanner.conf Did I miss something?
>>
>>Mike
>>
>>>-----Original Message-----
>>>From: MailScanner mailing list
>>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ugo Bellavance
>>>Sent: Thursday, March 25, 2004 8:29 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: What causes this hit?
>>>
>>>>-----Original Message-----
>>>>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>>>>Sent: 25 March, 2004 20:58
>>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>>Subject: What causes this hit?
>>>>
>>>>Report: MailScanner: Found a script in HTML message
>>>>
>>>Your HTML settings in MailScanner.conf?
>>>
>>>>Mike
>>>>
>>
>But didn't that rule used to say Found Iframe Exploit or something?
>
>I have been trying to work out how to let one of these through just now, just to release one from quarantine to a user - grrr
>I followed this eventually, which kinda works, in that it releases a copy but also runs another captured copy through mailwatch - weird.
Pretty hard to deal with, since it is considered like a virus I think. Maybe better off using command-line to release it instead of MailWatch, since Mailwatch (I think) doesn't allow virus release.

>

From martyn at invictawiz.com Fri Mar 26 11:04:50 2004
From: martyn at invictawiz.com (InvictaWiz Customer Support)
Date: Thu Jan 12 21:24:00 2006
Subject: Which FreeBSD version for MS?
In-Reply-To: <4063AC0C.1000906@eatathome.com.au>
Message-ID:

Does the word Overkill mean much to you..... :)

For a production server, you should definitely be using 4.9, all versions of 5 are still recommended for testing only. I believe that some additions to 5-current are not guaranteed to make it into 5-stable so you may have problems upgrading later.

On our primary MS we use the source version, but I have installed the FreeBSD port on others for other people. Use either, they are both fine.

Martyn

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Pete
Sent: 26 March 2004 04:06
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: [MAILSCANNER] Which FreeBSD version for MS?

I am about to run with BSD on my new server - p4 2.8/1536mb ram /scsi for our 1500 emails per day, :) I can't get linux installed and have wasted a half day trying.

Which FreeBSD version is going to work best? I can easily get 5.2.1 installed on this machine, 5.0 has some issues and i don't have a copy of 4.9 right now. Is 5.2.1 far too new to be running on the mail gateway ?

PS: anyone got any experience with Linux or FreeBSD on Compaq, specifically ML310 ? 9 Care to message me off list so i can ask some OT questions?

-----------------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From chris at trudeau.org Thu Mar 25 23:57:49 2004
From: chris at trudeau.org (Chris Trudeau)
Date: Thu Jan 12 21:24:00 2006
Subject: Sequence VIrus/SPAM
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C643@jessica.herefordshire.gov.uk>
Message-ID: <1ba001c412c4$fb3bb260$23c8a8c0@serv>

Exactly what I needed. This does the trick...and the cool thing is in MailWatch, now users can see that it's VIRUS BEFORE releasing it.

CT

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Randal, Phil
Sent: Thursday, March 25, 2004 11:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sequence VIrus/SPAM

I wrote a FAQ item about it:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/277.html

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Trudeau
> Sent: 25 March 2004 16:13
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Sequence VIrus/SPAM
>
> I know this discussion has been had in the past. I have been somewhat out of the loop relative to the message list, but my searches are finding nothing.
>
> When Sobig came out, the thread indicated that the cost (resources) to virus scan every message was too costly, when SPAM scanning could eliminate a good portion of these before even requiring the Virus Scan.
>
> Was this design issue ever re-visited? I'm just curious because with users that have a store rule with no deliver action are being required to review their SPAM quarantine within MailWatch, release it just to find it quarantined due to virus infection.
>
> THX
> CT
>

From Kevin.Spicer at BMRB.CO.UK Fri Mar 26 11:07:57 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:24:00 2006
Subject: Microsoft Outlook Meeting Requests & Email Footer
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649BFB@pascal.priv.bmrb.co.uk>

> David Hooton wrote:
>
>> Hi All,
>>
>> We have a customer who is going nuts because when MailScanner inserts
>> the email footer it breaks Outlook Meeting Requests. Does anyone
>> have a workaround other than removing the footer?

David, if you're still looking for a solution to this I have a CustomConfig function that should help, please let me know if you'd like a copy.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Fri Mar 26 11:03:53 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:24:00 2006
Subject: What causes this hit?
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410AD2@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410AD2@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20040326110312.06abe4d8@imap.ecs.soton.ac.uk>

At 02:28 26/03/2004, you wrote:
> >-----Original Message-----
> >From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> >Sent: 25 March, 2004 20:58
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: What causes this hit?
> >
> >
> >Report: MailScanner: Found a script in HTML message
>
>

Your MailScanner.conf is older than your running version of MailScanner. There is a switch
# Do you want to allow