From list at souil.com Mon Mar 1 04:09:51 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:22:48 2006
Subject: Found to be clean?
In-Reply-To: <40413673.5000302@themarshalls.co.uk>
Message-ID: <20043112951.982958@bensil>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/1479c4aa/attachment.html

From michele at BLACKNIGHTSOLUTIONS.COM Mon Mar 1 04:38:22 2004
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:22:48 2006
Subject: Found to be clean?
In-Reply-To: <20043112951.982958@bensil>
Message-ID:

"Found to be clean" means it's not a virus.

Your email generated the following header for me (lines of gunk cut):

X-Camelot.Blacknight.ie-MailScanner: Found to be clean
- your email message is neither a virus nor a banned file type
X-Camelot.Blacknight.ie-MailScanner-SpamCheck: not spam
- it's not spam

If you compare to your own, you'll see that it is being tagged:

X--MailScanner: Found to be clean
- not a virus
X--MailScanner-SpamCheck: spam, SpamAssassin (score=24.001,
- clearly marked as spam
required 5, HTML_MESSAGE 0.00, RM_bw_VIAGRA 3.00, RM_sl_ForeignChar 3.00, RM_swm_DrugsVo2 18.00)

(By the way - HTML format emails are not nice on mailing lists)

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ben
Sent: 01 March 2004 04:10
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: [MAILSCANNER] Found to be clean?

Dear All,

Why am I still getting the "Found to be clean" msg when the score is over the required?

X--MailScanner-Information: Please contact the ISP for more information
X--MailScanner: Found to be clean
X--MailScanner-SpamCheck: spam, SpamAssassin (score=24.001, required 5, HTML_MESSAGE 0.00, RM_bw_VIAGRA 3.00, RM_sl_ForeignChar 3.00, RM_swm_DrugsVo2 18.00)
X--MailScanner-SpamScore: 24

From iain at LMP.CO.UK Mon Mar 1 06:30:46 2004
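Michele's answer to Ben above comes down to one point: MailScanner writes the virus verdict and the spam verdict into two different headers, and only the SpamCheck header carries the SpamAssassin score and threshold. The parser below is an added example, not MailScanner's own code and not code posted by anyone in this thread. The two message samples are constructed from the header values quoted above; the clean sample assumes the site name "Camelot.Blacknight.ie" in the header prefix, and the spam sample keeps the double hyphen from Ben's paste, where the site name was stripped out.

```python
import re
from email import message_from_string

# Constructed samples built from the headers quoted in this thread.
# MailScanner names its headers X-<site name>-MailScanner[-...]; Ben's
# paste has the site name stripped, hence the double hyphen.
SPAM_SAMPLE = """\
X--MailScanner-Information: Please contact the ISP for more information
X--MailScanner: Found to be clean
X--MailScanner-SpamCheck: spam, SpamAssassin (score=24.001, required 5,
\tHTML_MESSAGE 0.00, RM_bw_VIAGRA 3.00, RM_sl_ForeignChar 3.00,
\tRM_swm_DrugsVo2 18.00)
X--MailScanner-SpamScore: 24
Subject: constructed sample

body
"""

CLEAN_SAMPLE = """\
X-Camelot.Blacknight.ie-MailScanner: Found to be clean
X-Camelot.Blacknight.ie-MailScanner-SpamCheck: not spam
Subject: constructed sample

body
"""

# Header names: "X-" + site name + "-MailScanner" (virus verdict) or
# "-MailScanner-SpamCheck" (spam verdict). Header names are case-insensitive.
VIRUS_HDR = re.compile(r"x-.*-mailscanner", re.I)
SPAM_HDR = re.compile(r"x-.*-mailscanner-spamcheck", re.I)
SCORE_RE = re.compile(r"\(score=(-?[\d.]+),\s*required\s+(-?[\d.]+)(.*)\)")
RULE_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\s+(-?[\d.]+)")


def parse_spamcheck(value):
    """Split a MailScanner SpamCheck header into verdict, score, threshold and rule hits."""
    value = " ".join(value.split())  # unfold continuation lines
    verdict = "spam" if value.lower().startswith("spam") else "not spam"
    score = required = None
    rules = {}
    m = SCORE_RE.search(value)
    if m:
        score, required = float(m.group(1)), float(m.group(2))
        rules = {name: float(pts) for name, pts in RULE_RE.findall(m.group(3))}
    return {"verdict": verdict, "score": score, "required": required, "rules": rules}


def classify(raw_message):
    """Report the virus verdict and the spam verdict separately; they are independent."""
    msg = message_from_string(raw_message)
    virus_status, spam = None, None
    for name, value in msg.items():
        if SPAM_HDR.fullmatch(name):
            spam = parse_spamcheck(value)
        elif VIRUS_HDR.fullmatch(name):
            virus_status = " ".join(value.split())
    return {
        "virus_status": virus_status,
        "spam": spam,
        "is_spam": spam is not None and spam["verdict"] == "spam",
    }


if __name__ == "__main__":
    for label, raw in (("ben", SPAM_SAMPLE), ("blacknight", CLEAN_SAMPLE)):
        print(label, classify(raw))
```

Run against Ben's headers this reports virus_status "Found to be clean" and is_spam True at the same time, which is exactly the combination he was asking about: the two verdicts never contradict each other because they describe different checks. Anything that acts on these headers downstream (a Sieve rule, a procmail recipe, a mail client filter) should look at the SpamCheck header for spam and at the bare MailScanner header for the virus result, never at one for the other.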
From: iain at LMP.CO.UK (Iain McWilliams)
Date: Thu Jan 12 21:22:48 2006
Subject: Broken message id cause spam to be ignored?
Message-ID: <11918B7348E7F047B84803317DDDBD3002E88E@tom3.LMP.LOCAL>

Hi,

Running MailScanner with Postfix and SpamAssassin, everything working well but some spam appears to be slipping through the net. The strange thing is they all have the same broken message id. Could the spammers have found a loophole?

Iain

Microsoft Mail Internet Headers Version 2.0
Received: from mailgate.lmp.co.uk ([192.168.2.5]) by lmp.co.uk with Microsoft SMTPSVC(6.0.3790.0); Sun, 29 Feb 2004 11:38:39 +0000
Received: by mailgate.lmp.co.uk (Postfix) id 5A3DD2C39F; Sun, 29 Feb 2004 11:39:13 +0000 (GMT)
Delivered-To: iain@lmp.co.uk
Received: from m156.net81-67-249.noos.fr (m156.net81-67-249.noos.fr [81.67.249.156]) by mailgate.lmp.co.uk (Postfix) with SMTP id B70232C39F for ; Sun, 29 Feb 2004 11:39:10 +0000 (GMT)
Received: from 120.27.83.222 by 81.67.249.156; Sun, 29 Feb 2004 14:41:34 +0300
Message-ID:

References: <11918B7348E7F047B84803317DDDBD3002E88E@tom3.LMP.LOCAL>
Message-ID: <4042DE9D.5060704@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Iain McWilliams wrote:
| Hi,
|
| Running MailScanner with Postfix and SpamAssassin, everything working well but some spam appears to be slipping through the net. The strange thing is they all have the same broken message id. Could the spammers have found a loophole?
|

Just on a sidenote, but why does your MTA accept messages that have an obviously broken Message-ID?
Or is that not so obvious?
- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQt6dPMoaMn4kKR4RA87KAJ9nOIUUv6JZK9GssfX3g/WFV1aEkwCcC0mC
oTWk6su1CiV12BYMAO2FnyQ=
=DIcg
-----END PGP SIGNATURE-----

From iain at LMP.CO.UK Mon Mar 1 07:23:56 2004
From: iain at LMP.CO.UK (Iain McWilliams)
Date: Thu Jan 12 21:22:48 2006
Subject: Broken message id cause spam to be ignored?
Message-ID: <11918B7348E7F047B84803317DDDBD3002E88F@tom3.LMP.LOCAL>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Höhn
> Sent: 01 March 2004 06:56
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Broken message id cause spam to be ignored?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Iain McWilliams wrote:
> | Hi,
> |
> | Running MailScanner with Postfix and SpamAssassin, everything working well but some spam appears to be slipping through the net. The strange thing is they all have the same broken message id. Could the spammers have found a loophole?
> |
>
> Just on a sidenote, but why does your MTA accept messages that have an obviously broken Message-ID?
> Or is that not so obvious?

No idea, I imagine it's trying to be helpful! :-)

Regards,

Iain

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 1 08:47:05 2004
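David's side note in the exchange above (why does the MTA accept an obviously broken Message-ID at all?) is easy to turn into a check. The code below is an added example, not code from Iain, David or the MailScanner project. It does two things on constructed sample messages: flags a single message whose Message-ID is missing, empty, duplicated or not of the form <id-left@id-right>, and, across a batch of messages, counts Message-ID values that recur, since a value that is supposed to be globally unique turning up on message after message is the spam-run fingerprint Iain describes. The msg-id grammar is a deliberately simplified version of RFC 2822, and the sample headers are made up for the example.

```python
import re
from collections import Counter
from email import message_from_string

# Simplified RFC 2822 msg-id: "<" id-left "@" id-right ">" with no
# whitespace or angle brackets inside. Enough to catch empty and mangled
# values like the one in the thread; it is not the full grammar.
MSGID_RE = re.compile(r"^<[^\s<>@]+@[^\s<>@]+>$")


def check_message_id(raw_message):
    """Return findings for one message: 'missing', 'empty', 'duplicate', 'malformed'."""
    ids = message_from_string(raw_message).get_all("Message-ID") or []
    findings = []
    if not ids:
        findings.append("missing")
    if len(ids) > 1:
        findings.append("duplicate")
    for value in ids:
        value = value.strip()
        if not value:
            findings.append("empty")
        elif not MSGID_RE.match(value):
            findings.append("malformed")
    return findings


def repeated_message_ids(raw_messages):
    """Message-IDs are supposed to be globally unique. Return {msgid: count}
    for every value (including the empty value) seen on two or more messages."""
    counts = Counter()
    for raw in raw_messages:
        for value in message_from_string(raw).get_all("Message-ID") or []:
            counts[value.strip()] += 1
    return {mid: n for mid, n in counts.items() if n > 1}


# Constructed samples (headers only; the bodies are irrelevant to the check).
GOOD = "From: a@example.net\nMessage-ID: <20040301.1@mail.example.net>\n\nx\n"
EMPTY = "From: b@example.net\nMessage-ID:\nSubject: s\n\nx\n"
NO_ID = "From: c@example.net\nSubject: s\n\nx\n"
DUP = ("From: d@example.net\nMessage-ID: <1@mail.example.net>\n"
       "Message-ID: <2@mail.example.net>\n\nx\n")
BAD = "From: e@example.net\nMessage-ID: 1234567890\n\nx\n"


if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("empty", EMPTY), ("none", NO_ID),
                       ("dup", DUP), ("bad", BAD)):
        print(label, check_message_id(raw))
    print(repeated_message_ids([EMPTY, EMPTY, GOOD, BAD]))
```

Since Iain's gateway is Postfix, the cheaper place to enforce the "empty Message-ID" case is before MailScanner ever sees the message, with a header_checks entry along the lines of /^Message-ID:[ \t]*$/ REJECT empty Message-ID (an illustrative entry, not taken from the thread). Rejecting a message that merely lacks the header is more aggressive, since RFC 2822 only says it should be present, so that case is better left to scoring than to an outright reject.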
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:48 2006
Subject: New Feature Request: Delayed Attachment Delivery
Message-ID:

Hi,

> In the meantime, why not install some more virus scanners? We only use clamav on the mail filters and this has worked perfectly lately against mydoom and friends, then on each mail server we run another brand of AV scanner, one of them always picks it up.

This will not help. One of my customers has just been hit with NetSky.C even though we have clamav and two commercial scanners up and running. The few hours between detection and signature updates was enough... :-(

Regards,
JP

From mailscanner at ecs.soton.ac.uk Mon Mar 1 08:49:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <40425104.1010004@gmx.de>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de>
Message-ID: <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>

At 20:52 29/02/2004, you wrote:
>Kevin Spicer wrote:
>
>>There's been some discussion on the clamav list recently about the frequency of clients pulling database updates from their servers. The most notable point was that several of the clam developers urged users to schedule their cron jobs at a random minute past the hour to try and get a better distribution of load on the servers. I guess similar problems also afflict users of commercial scanners.
>>
>>Several things struck me.
>>1) Many (most?) MailScanner users use cron.hourly to schedule updates, therefore we, as a community, are probably responsible for a substantially increased load at one point every hour.
>>2) Everyone updating at the same time increases the possibility of individual updates failing due to bandwidth/server issues
>>3) Any problems with the virus database introduced immediately before the point we all update are likely to affect all of us before they get fixed
>>4) We all have the same window of opportunity in our update cycles during which a new virus could propagate very quickly, at least if we all updated at different times we may stand a better chance of slowing the rate of spread.
>>
>>I therefore propose that update_virus_scanners be moved from /etc/cron.hourly to a file in /etc/cron.d and that the minute at which it is scheduled in that file be generated either at random or be the same as the minute at which the file was installed. Obviously this would involve generating the file as part of the install process.
>
>could it be possible to set this in update_virus_scanners with a random value
>i hope that this would not stop other scripts in cron.hourly.
>
>
># vi /usr/sbin/update_virus_scanners
>
>#!/bin/bash
>
>sleep 300
>
>SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
>[...]
>
>
>
>or
># crontab -e -umailscanner-user

This is the new cron job. Delays by up to 30 minutes if you change the "0" to "1800". I will leave the delay at 0 by default for now, to see if this causes any problems or complaints. I might change the default to 1800 in a future release.

#!/bin/bash

# Insert a random delay up to this value, to spread virus updates round
# the clock. 1800 seconds = 30 minutes.
# Set this to 0 to disable it.
DELAY=0

[ -x /usr/sbin/update_virus_scanners ] || exit 0
if [ "x$DELAY" = "x0" ]; then
  :
else
  logger -p mail.info -t update.virus.scanners Delaying cron job up to $DELAY seconds
  perl -e "sleep int(rand($DELAY));"
fi
exec /usr/sbin/update_virus_scanners
exit 0

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 09:07:39 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:48 2006
Subject: SA 3.0 heads up..
Message-ID: <4042FD5B.2040908@solid-state-logic.com>

All

I guess Julian has already seen this message on the SA-talk list, but the SA APIs are changing for version 3.0.

If someone could put something on the web page about this it would be useful when SA 3.0 actually pops out... ie if you're using SpamAssassin V3.0 or later you'll need to have version x.y.z of MailScanner, or something similar...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at ecs.soton.ac.uk Mon Mar 1 09:19:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de> <6.0.1.1.2.20040301083807.03e560a0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040301091745.073f8920@imap.ecs.soton.ac.uk>

At 08:49 01/03/2004, you wrote:
>At 20:52 29/02/2004, you wrote:
>>Kevin Spicer wrote:
>>
>>>There's been some discussion on the clamav list recently about the frequency of clients pulling database updates from their servers. The most notable point was that several of the clam developers urged users to schedule their cron jobs at a random minute past the hour to try and get a better distribution of load on the servers. I guess similar problems also afflict users of commercial scanners.
>>>
>>>Several things struck me.
>>>1) Many (most?) MailScanner users use cron.hourly to schedule updates, therefore we, as a community, are probably responsible for a substantially increased load at one point every hour.
>>>2) Everyone updating at the same time increases the possibility of individual updates failing due to bandwidth/server issues
>>>3) Any problems with the virus database introduced immediately before the point we all update are likely to affect all of us before they get fixed
>>>4) We all have the same window of opportunity in our update cycles during which a new virus could propagate very quickly, at least if we all updated at different times we may stand a better chance of slowing the rate of spread.
>>>
>>>I therefore propose that update_virus_scanners be moved from /etc/cron.hourly to a file in /etc/cron.d and that the minute at which it is scheduled in that file be generated either at random or be the same as the minute at which the file was installed. Obviously this would involve generating the file as part of the install process.
>>
>>could it be possible to set this in update_virus_scanners with a random value
>>i hope that this would not stop other scripts in cron.hourly.
>>
>>
>># vi /usr/sbin/update_virus_scanners
>>
>>#!/bin/bash
>>
>>sleep 300
>>
>>SCANNERSCONF=/etc/MailScanner/virus.scanners.conf
>>[...]
>>
>>
>>
>>or
>># crontab -e -umailscanner-user
>
>This is the new cron job. Delays by up to 30 minutes if you change the "0" to "1800". I will leave the delay at 0 by default for now, to see if this causes any problems or complaints. I might change the default to 1800 in a future release.

2nd thoughts. I am going to make the random delay 10 minutes for now as I still want people to basically get updates every hour.

>#!/bin/bash
>
># Insert a random delay up to this value, to spread virus updates round
># the clock. 1800 seconds = 30 minutes.
># Set this to 0 to disable it.
>DELAY=0
>
>[ -x /usr/sbin/update_virus_scanners ] || exit 0
>if [ "x$DELAY" = "x0" ]; then
>  :
>else
>  logger -p mail.info -t update.virus.scanners Delaying cron job up to $DELAY seconds
>  perl -e "sleep int(rand($DELAY));"
>fi
>exec /usr/sbin/update_virus_scanners
>exit 0
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 09:31:05 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> 2nd thoughts. I am going to make the random delay 10 minutes for now as I still want people to basically get updates every hour.
>

I wonder whether just pulling the 'inode modification time' (ls -lc) of update_virus_scanners and using the minutes & seconds from that to create a delay would be acceptable. That way the update would be every hour, but at the same (semi-random) time every hour. I _think_ the inode modification time is the time of install, as opposed to the modification time (which would be the same for everyone who hadn't altered the file)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From P.G.M.Peters at utwente.nl Mon Mar 1 09:14:13 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:48 2006
Subject: Virus update times
In-Reply-To: <40425104.1010004@gmx.de>
References: <1078085680.19298.19.camel@bach.kevinspicer.co.uk> <40425104.1010004@gmx.de>
Message-ID:

On Sun, 29 Feb 2004 21:52:20 +0100, you wrote:
>Kevin Spicer wrote:
>
>>Several things struck me.
>>1) Many (most?) MailScanner users use cron.hourly to schedule updates, therefore we, as a community, are probably responsible for a substantially increased load at one point every hour.
>
>could it be possible to set this in update_virus_scanners with a random value
>i hope that this would not stop other scripts in cron.hourly.
>
>
># vi /usr/sbin/update_virus_scanners
>
>#!/bin/bash
>
>sleep 300

I have seen some crontab scripts used for updating stuff having a random value as the parameter of sleep. Making it even random every time it runs.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Mon Mar 1 10:02:25 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:48 2006
Subject: install problem 2nd try
In-Reply-To: <000001c3ff73$69148420$0c00a8c0@instalari>
References: <000001c3ff73$69148420$0c00a8c0@instalari>
Message-ID: <6.0.1.1.2.20040301100126.0730fd80@imap.ecs.soton.ac.uk>

Install Net::CIDR from CPAN and then try it again:

perl -MCPAN -e 'install Net::CIDR'

At 12:09 28/02/2004, you wrote:
>Hi,
>
>I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.2 Linux. During the installation script I get errors like: Net/CIDR........needs perl-base>=5.800. I have perl-base-5.8.1-RC4.3mdk.
>
> MailScanner: Can't locate Net/CIDR.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
>BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Config.pm line 34.
>Compilation failed in require at /usr/sbin/MailScanner line 42.
>BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 42.
> [ OK ]
>
>It is clear. The Net/CIDR.. does not install because I have perl-base<5.800. But I have perl-base-5.8.1-RC4.3mdk!
>
>
>should I install an older version of MailScanner?
>
>pls Help me
>
>Thanks

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:01:06 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: install problem 2nd try
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AD9@pascal.priv.bmrb.co.uk>

Daniel Kostyal wrote:
> Hi,
>
> I am trying to install MailScanner-4.26.8-1 on my Mandrake 9.2 Linux. During the installation script I get errors like: Net/CIDR........needs perl-base>=5.800. I have perl-base-5.8.1-RC4.3mdk.
>

You need to do

./install.sh nodeps

Mandrake and RedHat named their perl rpms differently - but a default install of perl on Mandrake provides all the necessary modules.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:05:31 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>

See this
http://www.sophos.co.uk/virusinfo/analyses/w32baglef.html

This virus is spreading rapidly, we've seen it overnight (although not in its password protected form - but we had no way of spotting that so it may have got through). I'm now blocking zip files (making me not very popular this morning!).

Time to start a discussion about ways to block password protected zip files?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From dh at UPTIME.AT Mon Mar 1 10:09:33 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID: <40430BDD.8050700@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Spicer, Kevin wrote:
|
| Time to start a discussion about ways to block password protected zip files?
|

Does the user have to enter a password? Is the password written down inside the mail? Is it a random string?

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQwvcPMoaMn4kKR4RAwmkAKCVenGrC2izY0YqvNjiFoiICFirBACfRI0h
lfwuApbYQH8pQJsXt/WdM18=
=tal+
-----END PGP SIGNATURE-----

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 10:15:00 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>

[third hand answers borrowed from a discussion on the clam list]

David Höhn wrote:
> Does the user have to enter a password?

Yes

> is the password written down inside the Mail?

Yes, uses a social engineering trick to get them to enter it

> Is it a random string?
>

Seems to be a random number from the two examples quoted so far

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From dh at UPTIME.AT Mon Mar 1 10:22:00 2004
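Kevin's question above (how to block password-protected zip files at the gateway) has a concrete answer in the zip format itself: every member carries a general-purpose bit flag, and bit 0 of that flag says the member is encrypted. The gateway cannot open such a member, so the only sane policy is to treat "contains a member I cannot inspect" as a block. The code below is an added example, not MailScanner's own code and not anything posted in this thread. It reads the flag two ways, once from the central directory via the standard library and once by walking the local file headers directly, because an attacker who wants to confuse a scanner can damage or omit the central directory. The fixtures are constructed: a plain zip built with the standard library, and a copy with the encrypted bit set in the headers but nothing actually encrypted, which is enough to show what a scanner sees.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory entry signature
ENCRYPTED = 0x0001             # bit 0 of the general-purpose bit flag


def encrypted_members(data):
    """Names of members flagged 'encrypted', read from the central directory.
    This is the cheap check; it needs a usable central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []  # no usable central directory; rely on scan_local_headers


def scan_local_headers(data):
    """Walk the local file headers directly, without trusting the central
    directory. Returns [(member name, encrypted?), ...] in file order."""
    found = []
    pos = data.find(LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        # Local header: sig, version, flags, method, mtime, mdate, crc,
        # compressed size, uncompressed size, name length, extra length.
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(
            "<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        found.append((name, bool(flags & ENCRYPTED)))
        # Skip the member data; if csize is 0 (data descriptor in use) this
        # simply searches forward for the next signature.
        pos = data.find(LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return found


def should_block(data):
    """Gateway policy: block when any member cannot be inspected."""
    return any(enc for _, enc in scan_local_headers(data)) or bool(encrypted_members(data))


# --- constructed fixtures; no real malware involved ---

def make_plain_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def flag_as_encrypted(data):
    """Set the 'encrypted' bit in every local and central header. The payload
    is left as-is; this only reproduces the header bit a scanner would see
    in a password-protected archive."""
    out = bytearray(data)
    for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = out.find(sig)
        while pos >= 0:
            flags = struct.unpack_from("<H", out, pos + off)[0] | ENCRYPTED
            struct.pack_into("<H", out, pos + off, flags)
            pos = out.find(sig, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    plain = make_plain_zip("document.exe", b"constructed sample, not a virus\n")
    locked = flag_as_encrypted(plain)
    print("plain  ->", scan_local_headers(plain), should_block(plain))
    print("locked ->", scan_local_headers(locked), should_block(locked))
```

Two caveats worth keeping in mind when putting this in front of a mail stream. The flag is set by the archiver, so a hand-crafted archive can carry encrypted data with the bit cleared; that case shows up as a member that fails to decompress, which the gateway should treat the same way as a flagged member. And because the worm puts the password in the mail body for the user to type in, nothing the gateway can do short of blocking the archive prevents the user from opening it, which is why the policy has to be "block", not "scan harder".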
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
Message-ID: <40430EC8.2080204@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Spicer, Kevin wrote:
| [third hand answers borrowed from a discussion on the clam list]
| David Höhn wrote:
|
| Yes, uses a social engineering trick to get them to enter it
|

In this case I think it is not a program's duty to protect the users but the security officers'. Which means they should be warned. I know that does not do the trick in all cases but a software solution doesn't either.

|
|>Is it a random string?
|>
|
|
| Seems to be a random number from the two examples quoted so far
|

Is it something that could be handled fairly easily by MCP? If so, I think that is the way to go

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQw7HPMoaMn4kKR4RA7mTAJ9Wto+Hnny/CsqU50Nwe2SdHeTuOgCgipgZ
FoPXQqiSrXrgR4quni5NMpY=
=tjz2
-----END PGP SIGNATURE-----

From shrek-m at GMX.DE Mon Mar 1 10:23:53 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID: <40430F39.6090005@gmx.de>

Spicer, Kevin wrote:
>See this
>http://www.sophos.co.uk/virusinfo/analyses/w32baglef.html
>

From: Sophos Alert System
Date: Mon, 01 Mar 2004 04:40:10 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-G
http://www.sophos.co.uk/virusinfo/analyses/w32bagleg.html

From: Sophos Alert System
Date: Mon, 01 Mar 2004 00:34:32 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-F

From: Sophos Alert System
Date: Sat, 28 Feb 2004 22:56:47 +0000 (GMT)
Subject: Sophos Anti-Virus IDE alert: W32/Bagle-D

...

--
shrek-m

From raymond at PROLOCATION.NET Mon Mar 1 10:25:37 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: install problem 2nd try
In-Reply-To: <000001c3ff73$69148420$0c00a8c0@instalari>
Message-ID:

Hi!

> It is clear. The Net/CIDR.. does not install because I have perl-base<5.800. But I have perl-base-5.8.1-RC4.3mdk!
>
> should I install an older version of MailScanner?

Can't you install that module via CPAN?

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Mar 1 10:27:45 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk>
Message-ID:

Hi!

> This virus is spreading rapidly, we've seen it overnight (although not in its password protected form - but we had no way of spotting that so it may have got through).

Also in non protected zips... It's in our top10 of today:

4747 W32/Netsky.B@mm
1275 W32/Swen.A@mm
 404 W32/Sober.C@mm
 337 W32/Mydoom.A@mm
 200 W32/Netsky.C@mm
 126 W32/Bugbear.B@mm
  96 W32/Bagle.F@mm
  57 W32/Bagle.E@mm
  49 W32/Mydoom.E@mm
  19 W32/Mimail.J@mm

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Mar 1 10:29:29 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To:
Message-ID:

Hi!

> It's in our top10 of today:
>
> 4747 W32/Netsky.B@mm
> 1275 W32/Swen.A@mm
>  404 W32/Sober.C@mm
>  337 W32/Mydoom.A@mm
>  200 W32/Netsky.C@mm
>  126 W32/Bugbear.B@mm
>   96 W32/Bagle.F@mm
>   57 W32/Bagle.E@mm
>   49 W32/Mydoom.E@mm
>   19 W32/Mimail.J@mm

The G one also just came in twice:

2 W32/Bagle.G@mm

Bye,
Raymond.

From list at souil.com Mon Mar 1 10:32:19 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:22:49 2006
Subject: Get some spams to test the new installation
Message-ID: <200431183219.526111@bensil>

Dear All,

How could I get some more spams and hams to test the accuracy of my new installation of the MS? I have to make sure it works well before applying it to my server with about 100 domains on it.

From dh at UPTIME.AT Mon Mar 1 10:38:38 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: Get some spams to test the new installation
In-Reply-To: <200431183219.526111@bensil>
References: <200431183219.526111@bensil>
Message-ID: <404312AE.6020808@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ben wrote:
| Dear All,
|
| How could I get some more spams and hams to test the accuracy of my new installation of the MS?
| I have to make sure it works well before applying it to my server with about 100 domains on it.

In short, you do not. The accuracy of SpamAssassin, its Bayes DB and your setup very much depends on the kind of mail flow you have, and that will differ from domain to domain, or if you see your installation as a whole, it will differ on the 100 domains from what you could actually ever test. The first few weeks of a new installation will surely be a matter of fine tuning things to your needs; the large amount of general spam will be caught at once anyway.

- -d
- --
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQxKtPMoaMn4kKR4RAyTpAJ4sa7I/mkpd3EPBHEiQZhjb0pJzwACZAU0d
IHtz3nq+NlIOWYwxhQl69/Q=
=RsXG
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Mon Mar 1 11:43:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Stable 4.27.7 released Message-ID: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> Morning all, I have just released MailScanner 4.27.7. This is a stable release. The big question, as usual, is "should I upgrade?" The biggest change for this release is a couple of improvements to the robustness of the MIME decoder, which finds attachments hidden in messages. These improvements are quite important, but they do cause MailScanner to run more slowly than it did. I am sorry but there is nothing I can do about that, I have worked hard to minimise the impact on speed. So if your MailScanner server is running at full speed just to keep up, then you should compare the merits of better attachment extraction against the possible impact on your hardware. Keep the previous version kicking around so you can downgrade again if necessary. If you want to install it with Qmail, then at the moment the best method is to look at http://opencomputing.sourceforge.net/. The ChangeLog for this version is here: * New Features and Improvements * - Made the MIME parser much more robust to find messages hidden in messages. - Also made it more robust against parsing errors by the virus scanners. - Improved robust MIME decoding speed slightly. - Added "Non-Forging Viruses" list which works the opposite way around to the "Silent Viruses" list. If a virus report contains any words in this list, then the silent status is over-ridden by this. The net result is that you can put All-Viruses in the silent viruses list, so that by default no warnings are sent to senders. But put markers for joke programs or macro viruses in this list and the senders will still be warned about them, as they are known not to forge the From address. - Added options to add new headers containing the envelope sender and/or envelope recipients addresses. The names of the headers are, of course, configurable. 
- Added "Enable Spam Bounce" ruleset for selectively switching on permission to bounce spam for your most important customers. - When lots of consecutive SpamAssassin timeouts occur, all network tests are now stopped, not just RBL checks. - Improved Linux init.d scripts so that postfix and postfix.in settings are used throughout the init.d script. - Much improved clamav-wrapper, courtesy of Kevin Spicer. - Improved logging output from Trend autoupdater. - Improved logging output from Trend parser. - Added comment about absolute path to Incoming Work Dir config option. - Added old and new queue ids for Postfix to make for easy message tracking. - Removed 2 confusing harmless log entries in Postfix queue discovery. - Brazilian Portuguese reports are now all translated. - Improved Welsh translation of recipient spam and mcp reports. - Replaced original Catalan reports with new ones, with correct directory name. - Added $subject to Subject: line in sample recipient.spam.report.txt to show it can be used. Should ideally get all other languages translated. - Added support for Qmail. You will need the contents of qmail/qmail-queue.zip. - Added support for Symantec CarrierScan virus scanner (css). - Improved Symantec scanning support, courtesy of Kevin Spicer. - Added support for F-Secure 4.52. - Added Exim d2mbox to distribution. - Added optional random delay to update_virus_scanners cron job so as not to overload virus update servers once per hour. * Fixes * - Fixed bug in "Rebuild Bayes Every" feature on Solaris. - Exim bug with empty Subject headers being corrupted fixed. - Fixed bug in directory reading in new MIME parser code. - Exim multiple ACLs now supported for SPF compatibility. - Corrected all signature separators to "-- " instead of "--". - Worked around Perl bug in inclusion of @ in report files. - Fixed silent/noisy detection code when noisy list is empty. - Changed default MTA to sendmail in SuSE /etc/sysconfig/MailScanner. 
- Fixed bug in minimum number of stars!=0 not always generating X-Spam-Score header.
- Fixed small bug in Exim d2mbox script for very long headers.
- Outstanding: Quarantining warning message bug - cannot reproduce on any OS.

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From P.G.M.Peters at utwente.nl Mon Mar 1 11:50:50 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:49 2006
Subject: HEADS UP - viruses in password protected zip files

On Mon, 1 Mar 2004 11:29:29 +0100, you wrote:

> Hi!
>
>> It's in our top10 of today:
>>
>> 4747 W32/Netsky.B@mm
>> 1275 W32/Swen.A@mm
>> 404 W32/Sober.C@mm
>> 337 W32/Mydoom.A@mm
>> 200 W32/Netsky.C@mm
>> 126 W32/Bugbear.B@mm
>> 96 W32/Bagle.F@mm
>> 57 W32/Bagle.E@mm
>> 49 W32/Mydoom.E@mm
>> 19 W32/Mimail.J@mm
>
> The G one also just came in twice:
>
> 2 W32/Bagle.G@mm

We got
12 removed 12 W32/Bagle.E@mm
1 removed 10 W32/Bagle.F@mm
8 W32/Bagle.C@mm
4 removed 4 W32/Bagle.D@mm
9 removed 1 W32/Bagle.G@mm

-- 
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From christo at IT4AFRICA.CO.ZA Mon Mar 1 11:50:46 2004
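The "Silent Viruses" / "Non-Forging Viruses" precedence that Julian's 4.27.7 announcement above describes, written out as an added example; this is not MailScanner's own code. The list names and the All-Viruses wildcard come from the announcement, while the matching rule (case-insensitive substring match on the scanner's report line) and the sample list contents are assumptions made for the illustration. The point it demonstrates is the backscatter trade-off: worms forge the From: address, so a "sender" warning goes to an innocent third party unless the malware family is known to keep the real sender.

```python
# Added example (not MailScanner code): models the sender-warning decision
# described for the "Silent Viruses" and new "Non-Forging Viruses" lists.
# The list names and the "All-Viruses" wildcard come from the announcement;
# the matching rule (case-insensitive substring match on the scanner's
# report line) is an assumption made for this illustration.

def report_matches(report, markers):
    """True if any marker word from a list occurs in the virus report line."""
    text = report.lower()
    return any(marker.lower() in text for marker in markers)


def should_warn_sender(report, silent_viruses, non_forging_viruses):
    """Decide whether to warn the apparent sender of an infected message.

    Mass-mailing worms forge the From: address, so a warning to the
    "sender" is backscatter to an innocent third party; the silent list
    suppresses it.  The non-forging list wins over the silent list: it
    names malware known to keep the real sender (joke programs, macro
    viruses), where a warning still reaches the right person.
    """
    if report_matches(report, non_forging_viruses):
        return True                      # explicit override
    if "All-Viruses" in silent_viruses:  # wildcard: silence everything else
        return False
    return not report_matches(report, silent_viruses)


def warn_decisions(reports, silent_viruses, non_forging_viruses):
    """Map each scanner report line to its decision, for a batch of output."""
    return {r: should_warn_sender(r, silent_viruses, non_forging_viruses)
            for r in reports}


# Constructed sample: the first two report lines are the ones quoted in the
# posts on this page, the third and the list contents are illustrative
# (prefixes in the style of Sophos names, assumed here).
SILENT = ["All-Viruses"]
NON_FORGING = ["Joke/", "WM97/", "XM97/"]
SAMPLE_REPORTS = [
    "ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite",
    "SophosSAVI: document_word.pif was infected by W32/Netsky-D",
    "SophosSAVI: budget.doc was infected by WM97/Melissa-A",
]

if __name__ == "__main__":
    for line, warn in warn_decisions(SAMPLE_REPORTS, SILENT, NON_FORGING).items():
        print("warn sender" if warn else "stay silent", "<-", line)
```

With All-Viruses in the silent list, both worm reports stay silent and only the macro-virus report produces a sender warning; without the wildcard the silent list is consulted term by term, so a worm not named in it would be reported to its (probably forged) sender.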
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked.
Message-ID: <00fd01c3ff83$6f171c10$660210ac@christoxp>

I changed my setting in the filetype.rules.conf to deny archive files. I have restarted MailScanner but still archives are delivered.

I'm running RH9, latest stable MailScanner and SA.

Kind Regards,

Christo Bezuidenhout
E-Commerce Manager
IT for Africa
Email: Christo@it4africa.co.za
Web: http://www.ag-industries.com
Switchboard: +27 12 665 9900
Fax: +27 12 665 9911
Address: Lunar Place, 1 Eddington Crescent, Highveld Techno Park, Centurion

From steve.freegard at LBSLTD.CO.UK Mon Mar 1 11:51:46 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
Message-ID: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>

Hi List,

I've just noticed that Clam is catching these:

ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite

but Sophos isn't picking them up at all.

Is anyone else seeing these?? - looks like another example of the Clam guys beating Sophos with their definitions...

Regards,
Steve.

-- 
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From dh at UPTIME.AT Mon Mar 1 11:53:53 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: ANNOUNCE: Stable 4.27.7 released
In-Reply-To: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk>
Message-ID: <40432451.607@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:
| - Corrected all signature separators to "-- " instead of "--".

I assume you did this because you are not sending your messages as "format=flowed" and never plan to do so? Because "-- " would be incorrect then, as per our discussion :)

- -d

- -- 
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQyRQPMoaMn4kKR4RAxRrAJ0TkZfxMf4eXU/MWlaQXRtOHYr9AQCeKku9
NYbqkDnJbfEf33mkXPxFSfs=
=jqzT
-----END PGP SIGNATURE-----

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 11:55:46 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AE2@pascal.priv.bmrb.co.uk>

> Hi List,
>
> I've just noticed that Clam is catching these:
>
> ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite
>
> but Sophos isn't picking them up at all.
>
> Is anyone else seeing these?? - looks like another example of
> the Clam guys beating Sophos with their definitions...

Yes, we're seeing lots of them - being caught by Clam, missed by Sophos and Symantec.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 11:57:03 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>
Message-ID: <4043250F.6000800@solid-state-logic.com>

Steve

seen about 5 of these today - better let Sophos know I guess..

and yes, Sophos do seem to be slightly more tardy than usual recently.. cf. mydoom.A as well. Perhaps that nice new building they've got is slowing the process down somehow..

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Steve Freegard wrote:
> [...]

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From dh at UPTIME.AT Mon Mar 1 11:58:25 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773F04@neelix.lbsltd.co.uk>
Message-ID: <40432561.2060403@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Steve Freegard wrote:
| Hi List,
|
| I've just noticed that Clam is catching these:
|
| ClamAV Module: document.pif was infected: Worm.SomeFool.B-petite
|

Yes, just had the same behaviour, 3 of them in a row even, and Sophos not yelling.

- -d

- -- 
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQyVhPMoaMn4kKR4RAxZLAJ4xQv04ls5Rh7Bb+XRo2f+w3RCVUwCeNaPu
LF654iS9wcV3diFAajgolu8=
=DVuH
-----END PGP SIGNATURE-----

From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 11:56:43 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C58B@jessica.herefordshire.gov.uk>

McAfee detects it as W32/Netsky.c@MM.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Steve Freegard
> Sent: 01 March 2004 11:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Viruses picked up by Clam and not Sophos
>
> [...]

From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 11:59:33 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked.
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>

Christo Bezuidenhout wrote:
> I changed my setting in the filetype.rules.conf to deny archive
> files. I have restarted mailscanner but still archives are delivered.
>
> I'm running RH9 latest stable Mailscanner and SA

Are you actually using the filetype rules - I think they are off by default.

I've just blocked .zip in filename rules.

P.S. Please don't post in HTML

P.P.S. If you really must post in HTML, please drop the animated signature - Thanks

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From dh at UPTIME.AT Mon Mar 1 12:05:40 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked.
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>
Message-ID: <40432714.6000806@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Spicer, Kevin wrote:
|
| BMRB International
| http://www.bmrb.co.uk
| +44 (0)20 8566 5000
| _________________________________________________________________
| This message (and any attachment) is intended only for the
| recipient and may contain confidential and/or privileged
| material. If you have received this in error, please contact the
| sender and delete this message immediately. Disclosure, copying
| or other action taken in respect of this email or in
| reliance on it is prohibited. BMRB International Limited
| accepts no liability in relation to any personal emails, or
| content of any email which does not directly relate to our
| business.

Could you please drop this legally completely nonsensical and, in Europe, completely useless signature then :)

PS: I am just kidding, so please take this with a grain of salt and simply laugh about it :)

- -- 
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQycUPMoaMn4kKR4RAxs8AJ4rhJ9hBGQeYAzjue07eilDX0evFQCgk9yM
b5+Pcxo1TTublcxwbWtazxQ=
=q7n0
-----END PGP SIGNATURE-----

From steve.freegard at LBSLTD.CO.UK Mon Mar 1 12:10:30 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:49 2006
Subject: Viruses picked up by Clam and not Sophos
Message-ID: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk>

Thanks for all the replies...

It looks like Sophos released an IDE for Netsky-D during the last hour, which was just picked up by update_virus_scanners, as it now seems to be catching this:

SophosSAVI: document_word.pif was infected by W32/Netsky-D
ClamAV Module: document_word.pif was infected: Worm.SomeFool.B-petite

Cheers,
Steve.

> -----Original Message-----
> From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK]
> Sent: 01 March 2004 11:57
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Viruses picked up by Clam and not Sophos
>
> [...]

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 12:13:54 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
Message-ID: <40432902.8020101@solid-state-logic.com>

All

looks they've got it finally!!!

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-------------- next part --------------
An embedded message was scrubbed...
From: Sophos Alert System
Subject: Sophos Anti-Virus IDE alert: W32/Netsky-D
Date: Mon, 01 Mar 2004 11:51:01 +0000 (GMT)
Size: 2842
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/fc733e44/Netsky-D.mht

From steve.freegard at LBSLTD.CO.UK Mon Mar 1 12:22:40 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
Message-ID: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk>

Hi Martin,

This is pretty poor really, isn't it - I've actually just changed my MailWatch set-up to use Clam as the primary scanner for reporting and I've added 'Worm' to silent viruses as there isn't an easy way to achieve this with Sophos (unlike McAfee with the @MM suffix).

If things don't improve soon, McAfee will have a new customer when our contract with Sophos expires...

Kind regards,
Steve.

> -----Original Message-----
> From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
> Sent: 01 March 2004 12:14
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
>
> [...]

From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 12:27:56 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773F08@neelix.lbsltd.co.uk>
Message-ID: <40432C4C.8050107@solid-state-logic.com>

Steve

I note that it only seems to be slow at certain times. I wonder if one of the shifts is slow or not as strong as the others... Some of the guys on my LUG are Sophos guys - I'll try and dig some dirt :-)

So when did McAfee have the update out? They used to be pretty slow in the past themselves....

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Steve Freegard wrote:
> [...]

From christo at IT4AFRICA.CO.ZA Mon Mar 1 12:29:30 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:49 2006
Subject: Trying to get zip files blocked. {Virus Scanned}
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AE3@pascal.priv.bmrb.co.uk>
Message-ID: <010e01c3ff88$d94097b0$660210ac@christoxp>

Yes, we are using the filetype rules with great effect. It works fine for all other attachments.

Sorry for the animated sig.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
> Sent: 01 March 2004 02:00 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Trying to get zip files blocked. {Virus Scanned}
>
> [...]
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks IT For Africa for their support.

From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 12:32:50 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C58C@jessica.herefordshire.gov.uk>

Our McAfee patterns updated at 02:02 GMT this morning, so they came out some time after 01:00 GMT.

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Martin Hepworth
> Sent: 01 March 2004 12:28
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
>
> [...]

From garry at GLENDOWN.DE Mon Mar 1 12:36:36 2004
From: garry at GLENDOWN.DE (Garry Glendown)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk>
Message-ID: <40432E54.7060600@glendown.de>

Steve Freegard wrote:
> Hi Martin,
>
> This is pretty poor really isn't it - I've actually just changed my
> MailWatch set-up to use Clam as the primary scanner for reporting and I've
> added 'Worm' to silent viruses as there isn't an easy way to achieve this
> with Sophos (unlike McAfee with the @MM suffix).
>
> If things don't improve soon, McAfee will have a new customer when our
> contract with Sophos expires...

We've had pretty good experiences with F-Prot ... usually had the first virus in the logfiles well before any announcement of the virus appeared on any geek news services.

-gg

From sysadmin at FLEETONE.COM Mon Mar 1 12:38:21 2004
From: sysadmin at FLEETONE.COM (Rob)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADC@pascal.priv.bmrb.co.uk> <40432E54.7060600@glendown.de>
Message-ID: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com>

----- Original Message -----
From: "Garry Glendown"
Sent: Monday, March 01, 2004 6:36 AM
Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]

> Steve Freegard wrote:
> > [...]
>
> We've had pretty good experiences with F-Prot ... usually had the first
> virus in the logfiles well before any announcement of the virus appeared
> on any geek news services
>
> -gg

I second that for F-Prot. We use it here at work and I use it at home. They send out their updates fast.

Rob

From pb at WANTECH.SE Mon Mar 1 12:31:01 2004
From: pb at WANTECH.SE (Patrik Bäckström)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
Message-ID: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>

Hello.

I've searched the list archives and browsed the FAQ(s) but I can't find anything that would solve my problem.

We use MailScanner for several customers/domains (currently version 4.25-14) and we would like to gather statistics per customer on how many mails scanned (that I can get from postfix), how many rejected and why and so on.

Currently, it only tells us that something has been blocked and why, but not from or, more important, to whom the mail was sent.

Is there some configuration option I've missed or is there any other way to make MailScanner log this kind of information?

/pb

-- 
Patrik Bäckström - pb@wantech.se
Wantech AB - http://www.wantech.se
Askims Verkstads väg 4 - 436 34 Askim
Dir: 031-748 49 11 - Mob: 070-378 49 11
Vxl: 031-748 49 00 - Fax: 031-748 49 19

From christo at IT4AFRICA.CO.ZA Mon Mar 1 12:43:19 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] {Virus Scanned}
In-Reply-To: <40432902.8020101@solid-state-logic.com>
Message-ID: <011501c3ff8a$c6937c70$660210ac@christoxp>

F-Secure still working on the virus update.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> Sent: 01 March 2004 02:14 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
> {Virus Scanned}
>
> [...]

From dh at UPTIME.AT Mon Mar 1 12:56:06 2004
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
References: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
Message-ID: <404332E6.7090304@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Patrik Bäckström wrote:
|
| Is there some configuration option I've missed or is there any other way to
| make MailScanner log this kind of information?
|
| /pb
|

have a look at mailwatch.sf.net

- -- 
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAQzLlPMoaMn4kKR4RAwyQAJwIUCOv5xRpXG8onSuPdkjOrwTLwgCfcqeP
/bHhhy6GJVuSnvRgH6ELKb4=
=jX8j
-----END PGP SIGNATURE-----

From david at PLATFORMHOSTING.COM Mon Mar 1 12:59:27 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:49 2006
Subject: More details in the logs
In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se>
Message-ID: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Patrik Bäckström
> Sent: Monday, 1 March 2004 11:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: More details in the logs
>
> We use MailScanner for several customers/domains (currently version 4.25-14)
> and we would like to gather statistics per customer on how many mails
> scanned (that I can get from postfix), how many rejected and why and so on.
>
> Currently, it only tells us that something has been blocked and why, but
> not from or, more important, to whom the mail was sent.

http://mailwatch.sf.net/

Will allow you to set up per domain/user etc. stats for users, very useful tool indeed.

Dave

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From spamtrap71892316634 at ANIME.NET Mon Mar 1 13:16:04 2004
From: spamtrap71892316634 at ANIME.NET (Dan Hollis)
Date: Thu Jan 12 21:22:49 2006
Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D]
In-Reply-To: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com>

On Mon, 1 Mar 2004, Rob wrote:
> > Steve Freegard wrote:
> > We've had pretty good experiences with F-Prot ... usually had the first
> > virus in the logfiles well before any announcement of the virus appeared
> > on any geek news services
> I second that for f-prot. We use it here at work and I use it at home.
> They send out their updates fast.

Thirded for F-Prot. I use it on win32 as well as linux. Integrates nicely with MailScanner. They are always current. Two thumbs up.

-Dan

From mailscanner at MANGO.ZW Mon Mar 1 13:24:58 2004
From: mailscanner at MANGO.ZW (Jim Holland) Date: Thu Jan 12 21:22:49 2006 Subject: More details in the logs In-Reply-To: <012701c3ff89$0e735df0$0c96a8c0@internal.wantech.se> Message-ID: Hi On Mon, 1 Mar 2004, Patrik Bäckström wrote: > We use MailScanner for several customers/domains (currently version > 4.25-14) and we would like to gather statistics per customer on how > many mails scanned (that i can get from postfix), how many rejected > and why and so on. > > Currently, it only tells us that something has been blocked and why, > but not from or, more important, to whom the mail was sent. I think this is an important requirement. Unlike with worms, it is not possible to be 100% certain that a particular message is spam. I would like to use a very aggressive spam blocklist - eg dnsbl.net.au. However if spam is quarantined without a notice to either sender or recipient it is quite possible that genuine mail will be lost. The use of the "notify" option is not really an option, as I would not like to receive a separate notification for each of the 150 spam messages per day that people normally try to send me. Before using MailScanner we could simply analyse the sendmail maillog file for details of recipients whose mail had been blocked. Sadly, I now see that in a significant number of cases where spam is blocked there is no longer a sendmail entry indicating who it was going to be delivered to (see more details appended), and the MailScanner Spam Actions entry does not indicate the recipient either. What we are doing now is to run a nightly script that analyses the headers of all quarantined spam for recipients, and also checks the maillog file for recipients that might be listed there for the same quarantined messages. We then send a summary to our users that lists details of all quarantined mail. I think the concept of a daily archival notice is a good compromise between sending no notices at all and sending a separate notice for each message.
Another way of handling this issue would be to write the MailScanner notification messages to a separate log file instead of delivering them to the recipients. That log file could then be analysed separately. However there is currently no option for sending the notifications anywhere other than to the recipient. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service

Logging of blocked spam

Normally the sendmail maillog file will have the following entries:

sendmail from= line with details of sender
sendmail to= line indicating recipient, stat=queued
MailScanner RBL checks: details of why message is blocked
MailScanner Message line, eg:
Message i21D03F24046 from 213.120.110.92 (manmeet@liquidstorms.com) to mango.zw is spam, spamhaus-XBL
MailScanner Spam Actions . . . actions are store

For reasons I don't understand, the second (or more, if there are multiple recipients) sendmail line is not always present, so there is no consistent log info about the recipient(s). If the MailScanner Message line could include the details of the recipients in it then it would be possible to meet the requirements of Patrik for statistics, and also use it for purposes of user notifications. A more advanced option might be for MailScanner to provide a proper daily archival notification facility rather than the current per message notification which is really unworkable given the huge volume of spam. From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 13:35:08 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: References: Message-ID: <40433C0C.8090108@solid-state-logic.com> Ok I get the message... Anyone got any indication of price in the UK? Either that or I'll just contact a reseller.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Dan Hollis wrote: > On Mon, 1 Mar 2004, Rob wrote: > >>>Steve Freegard wrote: >>>We've had pretty good experiences with F-Prot ... usually had the first >>>virus in the logfiles well before any announcement of the virus appeared >>>on any geek news services >> >>I second that for f-prot. We use it here at work and I use it at home. >>They send out their updates fast. > > > thirded for f-prot. > > i use it on win32 as well as linux. integrates nicely with mailscanner. > they are always current. > > two thumbs up. > > -Dan ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Mon Mar 1 13:39:19 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <40433C0C.8090108@solid-state-logic.com> References: <40433C0C.8090108@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> I bought it straight off their website. Price is in US$. At 13:35 01/03/2004, you wrote: >Ok I get the message... > >Anyone got any indication of price in the UK? > >Either that or I'll just contact a reseller.. > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > > >Dan Hollis wrote: >>On Mon, 1 Mar 2004, Rob wrote: >> >>>>Steve Freegard wrote: >>>>We've had pretty good experiences with F-Prot ... usually had the first >>>>virus in the logfiles well before any announcement of the virus appeared >>>>on any geek news services >>> >>>I second that for f-prot. We use it here at work and I use it at home. >>>They send out their updates fast. >> >> >>thirded for f-prot. >> >>i use it on win32 as well as linux. integrates nicely with mailscanner. >>they are always current. >> >>two thumbs up. >> >>-Dan > >********************************************************************** > >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the system manager. > >This footnote confirms that this email message has been swept >for the presence of computer viruses and is believed to be clean. > >********************************************************************** -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From john at TRADOC.FR Mon Mar 1 13:55:25 2004 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: References: <040e01c3ff8a$14e94ef0$45a610ac@fleetone.com> Message-ID: <70g640dfebn2cjqrpqalekafjr71i9rdig@tradoc.fr> On Mon, 1 Mar 2004 05:16:04 -0800, Dan Hollis wrote: > thirded for f-prot. In general I'd agree with you, though today for Somefool.B / Netsky.D they were about 12 hours behind clamav. John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 13:56:03 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> References: <40433C0C.8090108@solid-state-logic.com> <6.0.1.1.2.20040301133839.03ce5e30@imap.ecs.soton.ac.uk> Message-ID: <404340F3.1050909@solid-state-logic.com> OK, so why should I buy a Mailserver when the Fileserver version is over 100 euro cheaper - what's the difference as far as they are concerned? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > I bought it straight off their website. Price is in US$. > > At 13:35 01/03/2004, you wrote: > >> Ok I get the message... >> >> Anyone got any indication of price in the UK? >> >> Either that or I'll just contact a reseller.. >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> Dan Hollis wrote: >> >>> On Mon, 1 Mar 2004, Rob wrote: >>> >>>>> Steve Freegard wrote: >>>>> We've had pretty good experiences with F-Prot ... usually had the >>>>> first >>>>> virus in the logfiles well before any announcement of the virus >>>>> appeared >>>>> on any geek news services >>>> >>>> >>>> I second that for f-prot. We use it here at work and I use it at home. >>>> They send out their updates fast. >>> >>> >>> >>> thirded for f-prot. >>> >>> i use it on win32 as well as linux. integrates nicely with mailscanner. >>> they are always current. >>> >>> two thumbs up. >>> >>> -Dan >> >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager.
>> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chris at TRUDEAU.ORG Mon Mar 1 13:57:36 2004 From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:22:49 2006 Subject: Trying to get zip files blocked. {Virus Scanned} References: <010e01c3ff88$d94097b0$660210ac@christoxp> Message-ID: <020e01c3ff95$270bf190$4d19000a@ATLCPW13671> Just tossing this out there...seemed to resolve my undetectable errors... Make sure you're using TAB instead of "spaces" in the config file :) that gets me every time! CT ----- Original Message ----- From: "Christo Bezuidenhout" To: Sent: Monday, March 01, 2004 7:29 AM Subject: Re: Trying to get zip files blocked. {Virus Scanned} > Yes we are using the filetype rules with great effect. It works fine for > all other attachments. Sorry for the Animated Sig. > > > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > > Sent: 01 March 2004 02:00 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > > > Christo Bezuidenhout wrote: > > > I changed my setting in the filetype.rules.conf to deny > > archive files. > > > I have restarted mailscanner but still archives are delivered. > > > > > > I'm running RH9 latest stable Mailscanner and SA > > > > > > > Are you actually using the filetype rules - I think they are > > off by default. > > > > I've just blocked .zip in filename rules > > > > P.S. Please don't post in HTML > > > > P.P.S If your really must post in html please drop the > > animated signature - Thanks > > > > > > > > BMRB International > > http://www.bmrb.co.uk > > +44 (0)20 8566 5000 > > _________________________________________________________________ > > This message (and any attachment) is intended only for the > > recipient and may contain confidential and/or privileged > > material. If you have received this in error, please contact the > > sender and delete this message immediately. Disclosure, copying > > or other action taken in respect of this email or in > > reliance on it is prohibited. BMRB International Limited > > accepts no liability in relation to any personal emails, or > > content of any email which does not directly relate to our > > business. > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > Mailscanner thanks IT For Africa for their support. > > > > From christo at IT4AFRICA.CO.ZA Mon Mar 1 14:34:28 2004 
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout) Date: Thu Jan 12 21:22:49 2006 Subject: Trying to get zip files blocked. {Virus Scanned} In-Reply-To: <020e01c3ff95$270bf190$4d19000a@ATLCPW13671> Message-ID: <011f01c3ff9a$4dce7b90$660210ac@christoxp> Found my problem. Copied the line from one file to other and it added a space between deny and archive. Thanx > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Chris Trudeau > Sent: 01 March 2004 03:58 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > Just tossing this out there...seemed to resolve my > undetectable errors... > > Make sure you're using TAB instead of "spaces" in the config file :) > > that get's me everytime! > > CT > > ----- Original Message ----- > From: "Christo Bezuidenhout" > To: > Sent: Monday, March 01, 2004 7:29 AM > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > Yes we are using the filetype rules with great affect. It > works fine > > for all other attachments. Sorry for the Animated Sig. > > > > > -----Original Message----- 
> > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] > > > On Behalf Of Spicer, Kevin > > > Sent: 01 March 2004 02:00 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Trying to get zip files blocked. {Virus Scanned} > > > > > > > > > Christo Bezuidenhout wrote: > > > > I changed my setting in the filetype.rules.conf to deny > > > archive files. > > > > I have restarted mailscanner but still archives are delivered. > > > > > > > > I'm running RH9 latest stable Mailscanner and SA > > > > > > > > > > Are you actually using the filetype rules - I think they > are off by > > > default. > > > > > > I've just blocked .zip in filename rules > > > > > > P.S. Please don't post in HTML > > > > > > P.P.S If your really must post in html please drop the animated > > > signature - Thanks > > > > > > > > > > > > BMRB International > > > http://www.bmrb.co.uk > > > +44 (0)20 8566 5000 > > > _________________________________________________________________ > > > This message (and any attachment) is intended only for > the recipient > > > and may contain confidential and/or privileged material. If you > > > have received this in error, please contact the sender and delete > > > this message immediately. Disclosure, copying or other > action taken > > > in respect of this email or in reliance on it is > prohibited. BMRB > > > International Limited accepts no liability in relation to any > > > personal emails, or content of any email which does not directly > > > relate to our business. > > > > > > -- > > > This message has been scanned for viruses and > > > dangerous content by MailScanner, and is > > > believed to be clean. > > > Mailscanner thanks IT For Africa for their support. > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 1 14:43:52 2004 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Stable 4.27.7 released Message-ID: Hi Julian, the reports/cat directory is empty... Is this on purpose? If not could you fix the tar distribution please? Regards, JP From rcooper at DWFORD.COM Mon Mar 1 14:54:08 2004 
From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:49 2006 Subject: More details in the logs In-Reply-To: Message-ID: I have patched Message.pm to provide all the "To:" information as well as the subject in the logs. It would produce output such as:

Mar 1 08:26:35 west MailScanner[17879]: Message 1AxnR4-0006Rt-5n from 66.148.140.2 (sender@domain.com) to ourdomain.com is spam, SpamAssassin (score=5.978, required 5, BODY_8BITS 1.50, HTML_70_80 1.50, HTML_COMMENT_SAVED_URL 0.82, HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_FACE_BAD 0.20, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.26, HTML_TAG_BALANCE_TABLE 0.20, J_CHICKENPOX_110 0.30, J_CHICKENPOX_210 0.30, J_CHICKENPOX_33 0.30, b_OBFU_QnoU 0.50 Report Len is 323) :someone@ourdomain.com;someoneelse@ourdomain.com : FWNew ESP contact details.

The spam report is truncated to 500 chars if over 500 (I have seen chickenpox/tripwire combos produce lines over 1000) and the original length is shown at the end of the report (ex: Len is/truncated from 323), and the "To" and Subject info is separated by colons with the multiple recipients being separated by semi-colons. I have a script that parses the output above into an HTML email in table form so it makes for easy reading. The line is:

date time host MailScanner log tag message I remote host (sender_domain) "to domain" spam tag SpamAssassin report TO(s) and subject

If you want to try the patch (applies cleanly to vers from at least 4.23-5 through 4.27-7) I have attached it. I did the patch because I can generally look at the to, subject and report and tell if it's really spam or a false positive without bothering to look at the actual message text. The patch includes full comments so if someone sees a cleaner way to do it please feel free to change it. Rick > -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jim Holland > Sent: Monday, March 01, 2004 8:25 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: More details in the logs > > > Hi > > On Mon, 1 Mar 2004, Patrik Bäckström wrote: > > > We use MailScanner for several customers/domains > (currently version > > 4.25-14) and we would like to gather statistics per > customer on how > > many mails scanned (that i can get from postfix), > how many rejected > > and why and so on. > > > > Currently, it only tells us that something has been > blocked and why, > > but not from or, more important, to whom the mail was sent. > > I think this is an important requirement. Unlike with > worms, it is not > possible to be 100% certain that a particular message > is spam. I would > like to use a very aggressive spam blocklist - eg > dnsbl.net.au. However if > spam is quarantined without a notice to either sender > or recipient it is > quite possible that genuine mail will be lost. The > use of the "notify" > option is not really an option, as I would not like to > receive a separate > notification for each of the 150 spam messages per day > that people > normally try to send me. Before using MailScanner we > could simply analyse > the sendmail maillog file for details of recipients > whose mail had been > blocked. Sadly, I now see that in a significant > number of cases where > spam is blocked there is no longer a sendmail entry > indicating who it was > going to be delivered to (see more details appended), > and the MailScanner > Spam Actions entry does not indicate the recipient either. > > What we are doing now is to run a nightly script that > analyses the headers > of all quarantined spam for recipients, and also > checks the maillog file > for recipients that might be listed there for the same > quarantined > messages. We then send a summary to our users that > lists details of all > quarantined mail.
I think the concept of a daily > archival notice is a > good compromise between sending no notices at all and > sending a separate > notice for each message. > > Another way of handling this issue would be to write > the MailScanner > notification messages to a separate log file instead > of delivering them to > the recipients. That log file could then be analysed > separately. However > there is currently no option for sending the > notifications anywhere other > than to the recipient. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > Logging of blocked spam > > Normally the sendmail maillog file will have the > following entries: > > sendmail from= line with details of sender > sendmail to= line indicating recipient, stat=queued > MailScanner RBL checks: details of why message > is blocked > MailScanner Message line, eg: > Message i21D03F24046 from 213.120.110.92 > (manmeet@liquidstorms.com) to mango.zw > is spam, spamhaus-XBL > MailScanner Spam Actions . . . actions are store > > For reasons I don't understand, the second (or more, > if there are multiple > recipients) sendmail line is not always present, so > there is no consistent > log info about the recipient(s). If the MailScanner > Message line could > include the details of the recipients in it then it > would be possible to > meet the requirements of Patrik for statistics, and > also use it for > purposes of user notifications. > > A more advanced option might be for MailScanner to > provide a proper daily > archival notification facility rather than the current > per message > notification which is really unworkable given the huge > volume of spam. > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Message.patch Type: application/octet-stream Size: 2313 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/ca56addc/Message.obj From mailscanner at ecs.soton.ac.uk Mon Mar 1 15:26:12 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Stable 4.27.7 released In-Reply-To: References: Message-ID: <6.0.1.1.2.20040301150702.072e33e0@imap.ecs.soton.ac.uk> At 14:43 01/03/2004, you wrote: >Hi Julian, > >the reports/cat directory is empty... Is this on purpose? If not could you >fix the tar distribution please? But there should be a reports/ca directory which contains the Catalan reports. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 15:37:18 2004 
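Jim Holland's nightly analysis and Rick Cooper's patched log line both come down to parsing the MailScanner "Message ... is spam" line for recipients and rolling it up per user. The following Python is an added example, not code from the list, from Rick's patch or from MailScanner itself; it assumes the recipient/subject suffix has the shape Rick showed (" :rcpt;rcpt : subject"), and every log line, host, id and address in it is constructed.

```python
"""Parse MailScanner "Message ... is spam" syslog lines into a per-recipient digest.
Added example for this thread; the " :rcpt1;rcpt2 : subject" suffix follows the
shape of Rick Cooper's patched line, while an unpatched line has no suffix."""
import re
from collections import Counter, defaultdict

# Core of the MailScanner spam line; .search() lets the syslog prefix vary.
SPAM_LINE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) "
    r"to (?P<domain>\S+) is spam, (?P<rest>.*)$"
)
# Suffix added by the patch: " :rcpt;rcpt : subject" (subject may contain colons).
ADDR = r"[^\s:;]+@[^\s:;]+"
SUFFIX = re.compile(
    rf"^(?P<report>.*?)\s+:(?P<rcpts>{ADDR}(?:;{ADDR})*)\s+:\s*(?P<subject>.*)$"
)
SCORE = re.compile(r"score=(?P<score>\d+(?:\.\d+)?), required (?P<required>\d+(?:\.\d+)?)")


def parse_spam_line(line):
    """Return a dict for an 'is spam' line, or None for any other log line."""
    m = SPAM_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["recipients"], rec["subject"] = [], None
    s = SUFFIX.match(rest)
    if s:  # patched format: split off recipients and subject
        rest = s.group("report")
        rec["recipients"] = s.group("rcpts").split(";")
        rec["subject"] = s.group("subject").strip()
    rec["report"] = rest.strip()
    sc = SCORE.search(rec["report"])  # absent for RBL-only verdicts
    rec["score"] = float(sc.group("score")) if sc else None
    rec["required"] = float(sc.group("required")) if sc else None
    return rec


def summarize(lines):
    """Count blocked spam per recipient and per domain over log lines.

    A line without a recipient list (unpatched MailScanner) is counted under
    its 'to' domain only and flagged as recipient-unknown: that is the gap
    Jim Holland describes, and the figure you cannot report per user.
    """
    per_recipient, per_domain, unknown = Counter(), Counter(), Counter()
    digest = defaultdict(list)  # recipient -> [(id, sender, subject, score)]
    for line in lines:
        rec = parse_spam_line(line)
        if rec is None:
            continue
        per_domain[rec["domain"]] += 1
        if not rec["recipients"]:
            unknown[rec["domain"]] += 1
            continue
        for rcpt in rec["recipients"]:
            per_recipient[rcpt] += 1
            digest[rcpt].append((rec["id"], rec["sender"], rec["subject"], rec["score"]))
    return {"per_recipient": per_recipient, "per_domain": per_domain,
            "unknown_recipient": unknown, "digest": dict(digest)}


def render_digest(summary, recipient):
    """Plain-text body for one user's daily notice of quarantined mail."""
    rows = summary["digest"].get(recipient, [])
    out = [f"{len(rows)} message(s) quarantined as spam for {recipient}:"]
    for msg_id, sender, subject, score in rows:
        score_txt = "" if score is None else f" (score {score})"
        out.append(f"  {msg_id}  from {sender}{score_txt}: {subject}")
    return "\n".join(out)


# Constructed sample log lines: ids, hosts and addresses are made up.
SAMPLE_LOG = [
    "Mar  1 08:26:35 west MailScanner[17879]: Message 1AxnR4-0006Rt-5n from 192.0.2.10 "
    "(sender@example.net) to example.com is spam, SpamAssassin (score=5.978, required 5, "
    "HTML_MESSAGE 0.00, BODY_8BITS 1.50 Report Len is 323) "
    ":alice@example.com;bob@example.com : FW: New contact details",
    "Mar  1 08:27:01 west MailScanner[17879]: Message 1AxnR5-0006Ru-7q from 192.0.2.11 "
    "(other@example.net) to example.com is spam, SpamAssassin (score=24.001, required 5, "
    "HTML_MESSAGE 0.00) :alice@example.com : Re: your account",
    # Unpatched line from an RBL verdict: no recipients, no SpamAssassin score.
    "Mar  1 08:28:12 west MailScanner[17880]: Message i21D03F24046 from 192.0.2.12 "
    "(x@example.org) to example.org is spam, spamhaus-XBL",
    "Mar  1 08:28:13 west MailScanner[17880]: Message 1AxnR6-0006Rv-9z from 192.0.2.13 "
    "(ok@example.net) to example.com is not spam, SpamAssassin (score=0.1, required 5)",
    "Mar  1 08:28:14 west MailScanner[17880]: Spam Actions: message 1AxnR5-0006Ru-7q actions are store",
]


def sample_summary():
    """Run the parser over the constructed sample."""
    return summarize(SAMPLE_LOG)
```

`render_digest(sample_summary(), "alice@example.com")` gives the text of one user's daily notice; the `unknown_recipient` counter is the number of blocked messages the log alone cannot attribute to a user.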
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: ANNOUNCE: Unstable 4.28.1 released Message-ID: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Some code to help you with the current outbreak of viruses hiding inside zip files. It will scan zip archives down to a max nesting depth set in MailScanner.conf like this:

Maximum Zip Archive Depth = 3

So now you can employ filename and file content checks on files hidden in zip files. If the zip file is password-protected, then zero-length versions of each of its members will be created, so you can still do filename checks. Finding a bad file inside a zip file results in the entire message being marked as bad, not just the zip file. I intend to fix that later. You must install the Perl module Archive::Zip first, before trying to run this version. It will not run without it, and none of the installation scripts will install it for you. I suggest something like this:

perl -MCPAN -e shell
install Archive::Zip

It has a few dependencies, which is why I haven't had a chance to package it all up for you. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mkipness at GENIANT.COM Mon Mar 1 15:55:07 2004
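To show what the nesting limit in the announcement buys you, here is an added Python example; it is not MailScanner's code (which is Perl on top of Archive::Zip) but the same idea in the standard library: walk zips inside zips down to a depth with the meaning of "Maximum Zip Archive Depth", report password-protected members as zero-length names so filename rules can still fire, and stop opening archives once the limit is reached. The nested archive it inspects, the member names and the size cap are all constructed for the example.

```python
"""Walk nested zip archives to a maximum depth and list members for filename rules.
Added example for the 4.28.1 announcement; not MailScanner's own code."""
import io
import zipfile

MAX_ZIP_DEPTH = 3                    # same meaning as 'Maximum Zip Archive Depth = 3'
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # constructed cap: refuse to inflate huge members


def list_members(data, max_depth=MAX_ZIP_DEPTH, depth=1, prefix=""):
    """Return [(path, size, note)] for every member reachable within max_depth.

    path - 'outer.zip/inner.zip/file' style name of the member
    size - bytes actually read; 0 for encrypted members (zero-length placeholder,
           as 4.28.1 does, so filename checks still apply)
    note - '' plain file, 'archive' a zip that was opened, 'depth-limit' a zip left
           unopened because max_depth was reached, 'encrypted', or 'too-large'
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.filename.endswith("/"):
                continue                      # directory entry, nothing to check
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                found.append((path, 0, "encrypted"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                found.append((path, info.file_size, "too-large"))
                continue
            content = zf.read(info)
            is_zip = zipfile.is_zipfile(io.BytesIO(content))
            if is_zip and depth < max_depth:
                found.append((path, len(content), "archive"))
                found.extend(list_members(content, max_depth, depth + 1, path + "/"))
            elif is_zip:
                found.append((path, len(content), "depth-limit"))
            else:
                found.append((path, len(content), ""))
    return found


def blocked_names(members, banned_suffixes=(".pif", ".scr")):
    """Filename-rule style check over the walked member list."""
    return [p for p, _, _ in members if p.lower().endswith(banned_suffixes)]


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed four-level archive: outer > level2.zip > level3.zip > level4.zip.

    The .pif name sits at the third level, so a depth of 3 still reaches it,
    while level4.zip is recorded but not opened.
    """
    level4 = make_zip({"deep.txt": b"nothing to see"})
    level3 = make_zip({"level4.zip": level4, "document_word.pif": b"not a real executable"})
    level2 = make_zip({"level3.zip": level3, "readme.txt": b"hello"})
    return make_zip({"level2.zip": level2})
```

Raising `max_depth` to 4 on the same sample reaches `deep.txt`; the depth cap is what keeps a deliberately deep archive from costing unbounded work per message.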
From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running:

SpamAssassin 2.63
ORDB-RBL
spamhaus.org
spamcop.net
dsbl.org
abuseat.org
blitzed.org
Razor2

I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/9e84ab59/attachment.html From jflowers at EZO.NET Mon Mar 1 15:29:44 2004
From: jflowers at EZO.NET (Jim Flowers) Date: Thu Jan 12 21:22:49 2006 Subject: bayes_toks corrupted Message-ID: <20040301150713.M70986@ezo.net> I'm not sure which feature you are referencing. I see these main choices:

1. Run MailScanner 'out of the box' with:

MailScanner.conf
----------------
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no

spam.assassin.prefs.conf
------------------------
# bayes_auto_expire 0

2. Run MailScanner with rebuild/expire scheduled by MailScanner

MailScanner.conf
----------------
Rebuild Bayes Every = 14400 # every 4 hours
Wait During Bayes Rebuild = no # or yes

spam.assassin.prefs.conf
------------------------
bayes_auto_expire 0

3. Run MailScanner with rebuild/expire scheduled by crontab

MailScanner.conf
----------------
Rebuild Bayes Every = 0 # don't do it?
Wait During Bayes Rebuild = no # doesn't matter

spam.assassin.prefs.conf
------------------------
bayes_auto_expire 0 # don't do it?

/etc/crontab
------------
when-stuff sa-learn --force-expire # includes rebuild

In case 1, do I understand expire/rebuild is run after each scan? In case 2, expire/rebuild is run every 4 hours (or as configured). In case 3, expire/rebuild is run once per day via crontab. I have to admit to being confused about the different combinations. Is the above correct and which (or what) combination do you use? -- Jim Flowers From wkuiters at FREE.FR Mon Mar 1 13:28:46 2004
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:22:49 2006 Subject: Viruses picked up by Clam and not Sophos In-Reply-To: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773F05@neelix.lbsltd.co.uk> Message-ID: <20040301132846.GA1624@bragann> On Mon, Mar 01, 2004 at 12:10:30PM -0000, Steve Freegard wrote: > Thanks for all the replies... > > It looks like Sophos released an IDE for Netsky-D during the last hour which > was just picked up by update_virus_scanners, as it now seems to be catching > this: > > SophosSAVI: document_word.pif was infected by W32/Netsky-D > ClamAV Module: document_word.pif was infected: Worm.SomeFool.B-petite Yep. ClamAV caught 12 of these here before Sophos released the Netsky-D ide. From sysadmin at FLEETONE.COM Mon Mar 1 13:43:35 2004 From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:49 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] References: <40433C0C.8090108@solid-state-logic.com> Message-ID: <045501c3ff93$319f1350$45a610ac@fleetone.com> According to the f-prot site, it would be €239.51 for it. Rob ----- Original Message -----
From: "Martin Hepworth" To: Sent: Monday, March 01, 2004 7:35 AM Subject: Re: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] > Ok I get the message... > > Anyone got any indication of price in the UK? > > Either that or I'll just contact a reseller.. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Dan Hollis wrote: > > On Mon, 1 Mar 2004, Rob wrote: > > > >>>Steve Freegard wrote: > >>>We've had pretty good experiences with F-Prot ... usually had the first > >>>virus in the logfiles well before any announcement of the virus appeared > >>>on any geek news services > >> > >>I second that for f-prot. We use it here at work and I use it at home. > >>They send out their updates fast. > > > > > > thirded for f-prot. > > > > i use it on win32 as well as linux. integrates nicely with mailscanner. > > they are always current. > > > > two thumbs up. > > > > -Dan > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** From mailscanner at ecs.soton.ac.uk Mon Mar 1 16:01:11 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040301160004.076bdd78@imap.ecs.soton.ac.uk> At 15:55 01/03/2004, you wrote: >Hi All, > >I've been running MailScanner for a while for a few clients. I just signed >on a new client that was using SpamKiller by Mcafee I believe. The main >reason for the service is for queueing their mail when their Exchange >server goes down which it has been every weekend due to scheduled power >outages. However, they are still relying on the Spam and Virus filtration. > >The problem is that they decided to turn off SpamKiller the other day, and >started getting spam that they assumed MailScanner would stop. Bottom line >is that when SpamKiller is enabled, they get close to no spam at all. Some >of the samples that they sent me are the very basic couple of lines type >of spam that gets a very low score. Here is what I have running: > >SpamAssassin 2.63 >ORDB-RBL >spamhaus.org >spamcop.net >dsbl.org >abuseat.org >blitzed.org >Razor2 > >I'm not doing Bayes at the moment as it seems to be a real hassle doing >the training. > >So my question is what can I do to improve the whole system? What tweaks? >Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Make sure you have Net::DNS installed. Use the xbl as well as the sbl from spamhaus. What is your Required SpamAssassin Score? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From m.sapsed at BANGOR.AC.UK Mon Mar 1 16:10:29 2004 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:49 2006 Subject: A few questions I can't find in archive... References: <403FB59E.7040500@1SEO.net> Message-ID: <40436075.8060002@bangor.ac.uk> Nick Nelson wrote: > In that case, and with the talk of SATA drives possibly not doing as > well, I'll probably just skip back to Dual Xeons with SCSI drives. The > cost is less on the Dual Xeons as well, which is a good thing of course. Did anyone else see the stuff which suggested that cheap SATA and IDE drives weren't designed for 24/7 server use but SCSI stuff is? Something in some Hitachi or IBM warranty stuff I think it was. Any thoughts on this? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From nnelson at 1SEO.NET Mon Mar 1 16:14:09 2004 From: nnelson at 1SEO.NET (Nick Nelson) Date: Thu Jan 12 21:22:49 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40435E7A.5090005@solid-state-logic.com> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> Message-ID: <40436151.3000208@1SEO.net> Martin Hepworth wrote: > Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, > yes bayes really does make that much difference! I'd really suggest you > spend some time to give it the initial 200 instances of spam and ham... If you are using the machine as only a gateway (mail only passes through, never is stored on the server.) What's the best way to train it? I saw a post on the list of a script so that you could just forward spam to a certain address and it'll train it, is that the best way? I'd definitely like to use bayes however not sure of best way since no mail will stay on this server. nick -- Nick Nelson www.easyservermanagement.com We Make Server Management Easy! From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 16:17:19 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40436151.3000208@1SEO.net> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> <40436151.3000208@1SEO.net> Message-ID: <4043620F.7090906@solid-state-logic.com> Nick I use a imap share folder, then a script (which I've posted several times on this list) to pick up the new spam and ham. and yes my machine is also a mailgateway.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Nick Nelson wrote: > Martin Hepworth wrote: > >> Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, >> yes bayes really does make that much difference! I'd really suggest you >> spend some time to give it the initial 200 instances of spam and ham... > > > > If you are using the machine as only a gateway (mail only passes > through, never is stored on the server.) > > What's the best way to train it? I saw a post on the list of a script so > that you could just forward spam to a certain address and it'll train > it, is that the best way? I'd definitely like to use bayes however not > sure of best way since no mail will stay on this server. > > nick > > > -- > Nick Nelson > www.easyservermanagement.com > We Make Server Management Easy! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mkettler at EVI-INC.COM Mon Mar 1 16:24:34 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <6.0.0.22.0.20040301111051.028184e8@xanadu.evi-inc.com> At 10:55 AM 3/1/2004, Max Kipness wrote: >So my question is what can I do to improve the whole system? What tweaks? >Will DCC help out a lot? DCC helps quite a bit. It's slightly lower hitrate than razor in the GA tests the sa-dev team runs, but it's also less prone to service outages and timeouts due to excessive load on the checksum database servers. If you are high-volume (>100k messages/day) you can even save bandwidth by setting up a local DCC server and subscribe to the floods of server updates. >Are there any better RBLs? Tweaks to SpamAssassin? Bayes is a big help to sa, and training doesn't have to be so bad... Personally, I do it by having spamtraps and "nonspamtraps" that I feed to SA using a short shell script (I could even cron-job it, and have the cronjob email me a list of message subjects to make sure nothing got mis-placed) The spamtraps are addresses that get nothing but spam. Some are system accounts that shouldn't be used by anyone but have accounts and thus mail service on many Linux distros (ie: gopher@example.com, where example.com doesn't run a gopher service). Others are addresses I've seeded in message bodies while posting to mailing lists. For example on a sysadmin list I might discuss having an internal script which emails my pager at mkettler_sensor1@evi-inc.com whenever my server gets a http request for some oddball web page. Obviously I'd never post the real address I use, so I make up a plausible example and hope that spambots skimming archives pick it up. The "nonspamtraps" are accounts I purposefully set up, and have subscribed to reputable mailing lists that my users subscribe to. 
General news feeds, Industry newsletters, etc. For me, this works pretty well.. However, I have a userbase which all work for one company, thus have one primary market, making choice of nonspam newsletters pretty easy. It may or may not work for you, but it's a suggestion for a "reduced hassle" bayes training system. If things get bad and bayes can't help you, you might want to look at some of the add-on rulesets developed by some of the more avid SpamAssassin users. http://wiki.spamassassin.org/w/CustomRulesets (Disclaimer: I developed one of the add-on sets, so I am biased here.) From ugob at CAMO-ROUTE.COM Mon Mar 1 16:22:12 2004 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:50 2006 Subject: A few questions I can't find in archive... Message-ID: <54C38A0B814C8E438EF73FC76F36292741094C@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] >Sent: 1 March 2004 11:10 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: A few questions I can't find in archive... > > >Nick Nelson wrote: >> In that case, and with the talk of SATA drives possibly not doing as >> well, I'll probably just skip back to Dual Xeons with SCSI >drives. The >> cost is less on the Dual Xeons as well, which is a good >thing of course. > >Did anyone else see the stuff which suggested that cheap SATA and IDE >drives weren't designed for 24/7 server use but SCSI stuff is? >Something >in some Hitachi or IBM warranty stuff I think it was. Yes, it was from IBM (at the time they were not with Hitachi yet). For sure, I'd go with IDE drives with 3 or 5 year warranty. One could also have a look at the MTBF data of the drives. > >Any thoughts on this? > >Cheers, > >Martin > >-- >Martin Sapsed >Information Services "Who do you say I am?" >University of Wales, Bangor Jesus of Nazareth > From steve.freegard at LBSLTD.CO.UK Mon Mar 1 16:28:04 2004 
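The "spamtrap / nonspamtrap" feeding routine Matt Kettler describes two messages up, written out as an added example (editor's code, not Matt's script and not part of MailScanner or SpamAssassin). The trap mailbox paths in TRAPS are assumed for illustration; what the code does is walk each trap mbox, emit one sa-learn invocation per non-empty mailbox with the right --spam/--ham flag, and collect the subject list that a cron job would mail to the admin so a mis-filed message is spotted before it trains the wrong class. The sample mailboxes in demo() are constructed inline so it runs without a real mail spool.

```python
import mailbox
import os
import subprocess
import tempfile

# Hypothetical trap layout, in the spirit of the message above: each spam
# mailbox belongs to an address that should never get legitimate mail
# (an unused system account, an address seeded in list archives); each
# ham mailbox is subscribed to reputable newsletters. Paths are assumptions.
TRAPS = {
    "spam": ["/var/mail/gopher", "/var/mail/sensor1"],
    "ham": ["/var/mail/newsfeeds"],
}


def collect(mbox_path):
    """Return (Message-ID, Subject) for every message in an mbox file."""
    box = mailbox.mbox(mbox_path)
    try:
        return [((msg.get("Message-ID") or "").strip() or None,
                 (msg.get("Subject") or "(no subject)").strip())
                for msg in box]
    finally:
        box.close()


def plan_training(traps):
    """Build the sa-learn commands and the audit list.

    One `sa-learn --spam|--ham --mbox <path>` per trap that actually has
    mail; empty or missing traps are skipped. The audit lines
    (class, mailbox, subject) are what you mail yourself after the run."""
    commands, audit = [], []
    for kind, paths in traps.items():
        flag = "--spam" if kind == "spam" else "--ham"
        for path in paths:
            if not os.path.exists(path):
                continue
            msgs = collect(path)
            if not msgs:
                continue
            commands.append(["sa-learn", flag, "--mbox", path])
            audit.extend(f"{kind}\t{os.path.basename(path)}\t{subj}"
                         for _, subj in msgs)
    return commands, audit


def run_training(traps, execute=False):
    """Plan, and optionally execute, the training run. Default is dry-run."""
    commands, audit = plan_training(traps)
    if execute:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands, audit


def write_sample_mbox(directory, name, messages):
    """Write a constructed mbox of (from, subject, body) tuples."""
    path = os.path.join(directory, name)
    box = mailbox.mbox(path)
    for sender, subject, body in messages:
        box.add(f"From: {sender}\nTo: trap@example.com\n"
                f"Subject: {subject}\n\n{body}\n")
    box.flush()
    box.close()
    return path


def demo():
    """Run the planner over constructed sample traps in a temp directory.
    Returns ((flag, mailbox) per command, audit lines)."""
    with tempfile.TemporaryDirectory() as d:
        traps = {
            "spam": [
                write_sample_mbox(d, "gopher",
                                  [("promo@example.net", "Cheap meds", "buy now")]),
                write_sample_mbox(d, "sensor1", []),  # empty trap: skipped
            ],
            "ham": [
                write_sample_mbox(d, "newsfeeds",
                                  [("list@example.org", "Weekly digest", "news")]),
            ],
        }
        commands, audit = plan_training(traps)
        return [(c[1], os.path.basename(c[3])) for c in commands], audit


if __name__ == "__main__":
    cmds, lines = demo()
    print(cmds)
    print("\n".join(lines))
```

Run it from cron with execute=True only after the dry-run audit has looked sane for a while; a newsletter that starts forwarding "jokes" into a ham trap will poison Bayes just as surely as a spamtrap that a colleague starts using.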
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller Message-ID: <67D9E7698329D411936E00508B6590B902773F0A@neelix.lbsltd.co.uk> Hi Max, I thought I might have been dreaming this so I double-checked it out on Google: SpamKiller uses the SpamAssassin engine, see http://www.google.com/url?sa=U &start=9&q=http://www.asapsoftware.com/mcafee/spamkiller.htm&e=7627 I'd suggest getting them to do a scan of the local disks of the server looking for 'bayes*' files - if they exist you'll be able to copy them to the MailScanner box, and hey presto! - a pre-trained bayes database. Hope this helps. Kind regards, Steve. -----Original Message----- 
From: Max Kipness [mailto:mkipness@GENIANT.COM] Sent: 01 March 2004 15:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner vs. SpamKiller Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running: SpamAssassin 2.63 ORDB-RBL spamhaus.org spamcop.net dsbl.org abuseat.org blitzed.org Razor2 I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/6a371966/attachment.html From maillists at CONACTIVE.COM Mon Mar 1 16:31:35 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:50 2006 Subject: bayes_toks corrupted In-Reply-To: <20040301150713.M70986@ezo.net> References: <20040301150713.M70986@ezo.net> Message-ID: Jim Flowers wrote on Mon, 1 Mar 2004 10:29:44 -0500: > In case 1, do I understand expire/rebuild is run after each scan? > No. SA will determine if it is necessary to run an expire based on a token limit (which you can configure) and do it while you are scanning. If you are a very large site this could happen several times a day and slow down processing. The other two options are for avoiding this. Running it once per day during low volume hours should be most effective. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From rcooper at DWFORD.COM Mon Mar 1 16:46:49 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Monday, March 01, 2004 10:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: Unstable 4.28.1 released > > > Some code to help you with the current outbreak of > viruses hiding inside > zip files. > > It will scan zip archives down to a max nesting depth set in > MailScanner.conf like this: > Maximum Zip Archive Depth = 3 > > So now you can employ filename and file content checks > on files hidden in > zip files. If the zip file is password-protected, then > zero-length versions > of each of its members will be created, so you can > still do filename checks. > > Finding a bad file inside a zip file results in the > entire message being > marked as bad, not just the zip file. I intend to fix > that later. When you work on that, would it be possible to designate separate files for the file name and type rules? For instance archive.filename.rules.conf and I could have an entry like:
deny (?:Picture|caroline|Katrina|kleopatra|Caitie|Mary-Anne|Lisa|Bad girl,Julie|Aline|Anna|Barbi|Katrina|Juli|Mary|Mandy|Sara|rebecca|Jammie,kate|Audra|stacy|Rena|Kelley|Tammy|myfotos|Gallery|It_I|Photoalbum,Photomontage)\.(?:pif|exe|scr)$ Zipped Worm Bagle-G Detected Zipped Worm Bagle-G Detected
allow \.exe$
Basically allow for a different policy for files inside archives than is enforced for raw files. > > You must install the Perl module Archive::Zip first, > before trying to run > this version. It will not run without it, and none of > the installation > scripts will install it for you. I suggest something like this: > perl -MCPAN -e shell > install Archive::Zip > It has a few dependencies, which is why I haven't had > a chance to package > it all up for you. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From mkipness at GENIANT.COM Mon Mar 1 16:46:03 2004 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller Message-ID: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.net> > Make sure you have Net::DNS installed. Use the xbl as well as the sbl from > spamhaus. > What is your Required SpamAssassin Score? I will install Net::DNS. For this domain it's 7. I will probably move it down, but some of the spam they forward to me has a score of 1 - 3. Thanks, Max From Kevin.Spicer at BMRB.CO.UK Mon Mar 1 16:55:11 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AEBB@pascal.priv.bmrb.co.uk> Julian Field wrote: > Some code to help you with the current outbreak of viruses hiding > inside zip files. > > It will scan zip archives down to a max nesting depth set in > MailScanner.conf like this: Maximum Zip Archive Depth = 3 > This looks very promising, I've just had a read of the code as I'm not in a position to do an install right now. If I'm reading it correctly it identifies archives by extension (right now this is a good thing for me, as it provides a way of deliberately getting a zip through). Two questions... This uses the same filename and filetype rules as the rest of the message, which could be problematic (for example I might wish to ban pif/scr/bat files but allow zipped exe files through) - I imagine doing anything about that might be a right PITA. Slightly less difficult I hope, is it possible to have the option to mark a file for deletion if it contains an element that cannot be unpacked (e.g. specifically a password protected file). Right now that would be very useful indeed. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jaearick at COLBY.EDU Mon Mar 1 16:57:17 2004 
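An added example (editor's code, not the Archive::Zip code in MailScanner 4.28.1 and not Rick Cooper's or Kevin Spicer's configuration) of the two ideas in this thread: a walker that descends nested zips only to a configured depth, the behaviour "Maximum Zip Archive Depth" controls, and an allow/deny regex list that applies to archive members only, the separate policy for files inside archives that Rick and Kevin ask for. The ARCHIVE_RULES tuples and the sample archives are constructed assumptions; the real filename.rules.conf is tab-separated and parsed by MailScanner, not by this code. As in the announcement, an encrypted member cannot be unpacked, so only its name is checked, and archives are recognised by extension, which is the limitation Kevin notes.

```python
import io
import re
import zipfile

# Hypothetical "archive.filename.rules.conf" as (action, regex, report text).
# First match wins, as in MailScanner's filename rules; default is allow.
# Rick's worm-name rule comes first so it beats the blanket allow for .exe.
ARCHIVE_RULES = [
    ("deny", r"(?i)^(?:Picture|Gallery|Photoalbum)\.(?:pif|exe|scr)$",
     "Zipped Worm Bagle-G Detected"),
    ("allow", r"(?i)\.exe$", "zipped executable permitted by local policy"),
    ("deny", r"(?i)\.(?:pif|scr|bat)$", "dangerous file type inside archive"),
]


def match_rules(basename, rules):
    """Return (action, text) of the first rule whose regex matches."""
    for action, pattern, text in rules:
        if re.search(pattern, basename):
            return action, text
    return "allow", "no rule matched"


def scan_zip(data, rules, max_depth, depth=1, prefix=""):
    """Check member names of a zip (bytes), recursing into nested zips.

    Stops descending once depth exceeds max_depth. Encrypted members
    (general-purpose flag bit 0) cannot be read, so their names are
    checked but they are never opened, mirroring the zero-length
    placeholder approach described in the 4.28.1 announcement."""
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            basename = info.filename.rsplit("/", 1)[-1]
            encrypted = bool(info.flag_bits & 0x1)
            action, text = match_rules(basename, rules)
            findings.append({"path": path, "depth": depth, "action": action,
                             "reason": text, "encrypted": encrypted})
            # Archive detection is by extension only, like the 4.28.1 code.
            if not encrypted and basename.lower().endswith(".zip"):
                findings.extend(scan_zip(zf.read(info), rules, max_depth,
                                         depth + 1, path + "/"))
    return findings


def denied(findings):
    """The members that would mark the whole message as bad."""
    return [f for f in findings if f["action"] == "deny"]


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a worm-style name three levels down, a permitted
# .exe two levels down, and a harmless text file at the top.
INNER = make_zip({"Picture.pif": b"MZ..."})
MIDDLE = make_zip({"setup.exe": b"MZ...", "photos.zip": INNER})
OUTER = make_zip({"readme.txt": b"hello", "attach.zip": MIDDLE})


if __name__ == "__main__":
    for depth_limit in (1, 3):
        print(f"Maximum Zip Archive Depth = {depth_limit}")
        for f in scan_zip(OUTER, ARCHIVE_RULES, max_depth=depth_limit):
            print("  ", f["depth"], f["action"], f["path"], f["reason"])
```

With a depth limit of 1 the nested Picture.pif is never seen, which is exactly why the limit matters for the Bagle-style samples: a worm wrapped two zips deep walks past a depth-1 scanner with a clean report.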
From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:50 2006 Subject: bigevil, backhair... STILL confused Message-ID: Gang, Back in late December there was discussion on the list about installing and having SA find local rule sets like bigevil.cf, etc. Bobby Rose offered the following hack to SA.pm to get extra rulesets to be found: Before $settings{dont_copy_prefs} = 1; # Removes need for home directory $prefs = MailScanner::Config::Value('spamassassinprefsfile'); After $settings{dont_copy_prefs} = 1; # Removes need for home directory $settings{site_rules_filename} = "/etc/mail/spamassassin"; $prefs = MailScanner::Config::Value('spamassassinprefsfile'); In private emails with Julian, he warned against this hack. I've also discovered in the list archives that (maybe) the setting "SpamAssassin Site Rules Dir" is supposed to handle this. Well, I have "SpamAssassin Site Rules Dir" defined as /etc/mail/spamassassin. In there I have local.cf as a symlink to /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, the bigevil/backhair/antidrug rules never get touched ("ls -lu") or used. Is there some other MailScanner.conf setting I have missed? Does this work for other people??? Setup: Solaris 9, MS 4.28.1, SA 2.63. Jeff Earickson Colby College From jaearick at COLBY.EDU Mon Mar 1 16:59:36 2004 From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: Julian, Is there any syslog evidence of the "Maximum Zip Archive Depth" that we can look for? I've got 4.28.1 running on my system just fine, wondering what to look for... Jeff Earickson Colby College From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 17:02:51 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:50 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <40436CBB.304@solid-state-logic.com> Jeff make sure the .cf files are readable by the MailScanner user you defined in MailScanner.conf.. should pick them up, does on my system.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Jeff Earickson wrote: > Gang, > > Back in late December there was discussion on the list about > installing and having SA find local rule sets like bigevil.cf, etc. > Bobby Rose offered the following hack to SA.pm to get extra > rulesets to be found: > > Before > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > After > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $settings{site_rules_filename} = "/etc/mail/spamassassin"; > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > > In private emails with Julian, he warned against this hack. I've > also discovered in the list archives that (maybe) the setting > "SpamAssassin Site Rules Dir" is supposed to handle this. > > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. > > Jeff Earickson > Colby College
From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 17:06:04 2004 From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths Message-ID: We have MailScanner running great here, using Clam but we want to test F-Prot to see if we want an additional VS to catch all these bad email viruses (sp) In looking at the notices send to us to make sure we are getting viruses caught I only see Clam running the scan; Report: ClamAV: application.pif contains Worm.SomeFool.B-petite MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (application.pif) We did the .deb install of F-Prot from their site and it seems that everything is in /usr/local/f-prot and in looking at the f-prot wrapper and autoupdate in MS the paths all want /usr/lib/f-prot :( Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings in f-prot wrapper and autoupdate? Which is the better path to take, not the easiest:)) One other thing (If I should post a separate message I can, whack me on the head) Still trying to get this whole SA and Bayes and custom rules figured out, any good pointers would be great too, we are using BigEvil, Backhair and James Grey's rules in /etc/mail/spamasassin/ I am to assume that MailScanner will know to pickup theses additional rules here? But the above is more of a concern. TIA -- Thanks!! David Thurman List Only at Web Presence Group Net From pete at eatathome.com.au Mon Mar 1 21:01:52 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <4043620F.7090906@solid-state-logic.com> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40435E7A.5090005@solid-state-logic.com> <40436151.3000208@1SEO.net> <4043620F.7090906@solid-state-logic.com> Message-ID: <4043A4C0.9010007@eatathome.com.au> Martin Hepworth wrote: > Nick > > I use a imap share folder, then a script (which I've posted several > times on this list) to pick up the new spam and ham. > > and yes my machine is also a mailgateway.. > -- > > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Nick Nelson wrote: > >> Martin Hepworth wrote: >> >>> Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, >>> yes bayes really does make that much difference! I'd really suggest you >>> spend some time to give it the initial 200 instances of spam and ham... >> >> >> >> >> If you are using the machine as only a gateway (mail only passes >> through, never is stored on the server.) >> >> What's the best way to train it? I saw a post on the list of a script so >> that you could just forward spam to a certain address and it'll train >> it, is that the best way? I'd definitely like to use bayes however not >> sure of best way since no mail will stay on this server. >> >> nick >> >> >> -- >> Nick Nelson >> www.easyservermanagement.com >> We Make Server Management Easy! > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. 
> > ********************************************************************** > > > We aren't going to manually train either, it just doesn't fit the culture here - asking staff to copy emails to spam folders, it's too hard for them. So I turned on autolearn for bayes, and will start with deleting and rebuilding the bayes DB once a month, I believe it was about 3 months last time before it was poisoned beyond use - combine with RulesDuJour and you're set, will stop a LOT of spam. From pete at eatathome.com.au Mon Mar 1 21:06:04 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller [SCANNED] In-Reply-To: References: Message-ID: <4043A5BC.2010806@eatathome.com.au> Dave's List Addy wrote: >On 3/1/04 10:58 AM, "Julian Field" wrote: > > > >>If Net::DNS is not installed, that would make a huge difference to your >>spam-spotting success rate. SpamAssassin would not be checking any of the >>RBL's, you would only get MailScanner RBL checking (which doesn't rely on >>Net::DNS). >> >> > >So using the above method or perl mod, should we turn RBL off in MS and on >in SA then? > >Sorry for sounding dumb, the SA part of all this is the more confusing >thing, MS seems to be for the most part straight forward. >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net > > > > > See the faq on www.mailscanner.info there is some important reading in there and in the list archives before you ask that question. From mailscanner at ecs.soton.ac.uk Mon Mar 1 16:58:36 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.ne t> References: <399D85F2BB50BC4295F78EAE203D5C222181D0@dalsxc01.geniant.net> Message-ID: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk> At 16:46 01/03/2004, you wrote: > > Make sure you have Net::DNS installed. Use the xbl as well as the sbl >from > > spamhaus. > > What is your Required SpamAssassin Score? > >I will install Net::DNS. If Net::DNS is not installed, that would make a huge difference to your spam-spotting success rate. SpamAssassin would not be checking any of the RBL's, you would only get MailScanner RBL checking (which doesn't rely on Net::DNS). >For this domain it's 7. I will probably move it down, but some of the >spam they forward to me has a score of 1 - 3. You should find that greatly improves with Net::DNS. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 17:11:09 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths In-Reply-To: References: Message-ID: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> At 17:06 01/03/2004, you wrote: >We have MailScanner running great here, using Clam but we want to test >F-Prot to see if we want an additional VS to catch all these bad email >viruses (sp) > >In looking at the notices send to us to make sure we are getting viruses >caught I only see Clam running the scan; > > Report: ClamAV: application.pif contains Worm.SomeFool.B-petite > MailScanner: Shortcuts to MS-Dos programs are very dangerous in >email (application.pif) > >We did the .deb install of F-Prot from their site and it seems that >everything is in /usr/local/f-prot and in looking at the f-prot wrapper and >autoupdate in MS the paths all want /usr/lib/f-prot :( The non-Debian versions of MailScanner all expect /usr/local/f-prot to be the installation directory by default. You will need to change the path in /etc/MailScanner/virus.scanners.conf or wherever the Debian guys have put that file. Don't alter the scripts at all. >Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings >in f-prot wrapper and autoupdate? Which is the better path to take, not the >easiest:)) Neither. Use the virus.scanners.conf file. This is exactly why it is there. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 17:03:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040301165913.03da0f60@imap.ecs.soton.ac.uk> At 16:59 01/03/2004, you wrote: >Julian, > > Is there any syslog evidence of the "Maximum Zip Archive Depth" >that we can look for? I've got 4.28.1 running on my system just >fine, wondering what to look for... No sorry, it just gets written as a report in the message. No syslog-ing yet. To do this properly, I need to re-architect a chunk of MailScanner so that each attachment file has a proper "parent file". I've never implemented this properly before, as it wasn't needed. For now the current version you have will have to do, it's going to take me a little while to have the time to write it all "properly" as it affects all the TNEF-handling code as well. As for the separate filename.rules.conf and filetype.rules.conf for inside archives as well as one for outside archives, I think a lot of less experienced admins will get confused about this. I would rather solve it in a way that is rather easier to understand and use, or not solve it at all. You need to remember that a lot of MailScanner admins are not very experienced. One of the reasons they chose MailScanner over the competition was that it was easy to use and get going. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Mon Mar 1 16:01:28 2004 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C598@jessica.herefordshire.gov.uk> No Bayes? Therein lies your problem, or part of it. Without Bayes you'll need lots of additional rules to trap stuff. spamhaus has two RBLs these days, use both or the combined one. Add in the backhair, bigevil, evilnumbers, popcorn, etc. Check the CustomRules entry in Spamassassin's Wiki. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Max Kipness Sent: 01 March 2004 15:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner vs. SpamKiller Hi All, I've been running MailScanner for a while for a few clients. I just signed on a new client that was using SpamKiller by Mcafee I believe. The main reason for the service is for queueing their mail when their Exchange server goes down which it has been every weekend due to scheduled power outages. However, they are still relying on the Spam and Virus filtration. The problem is that they decided to turn off SpamKiller the other day, and started getting spam that they assumed MailScanner would stop. Bottom line is that when SpamKiller is enabled, they get close to no spam at all. Some of the samples that they sent me are the very basic couple of lines type of spam that gets a very low score. Here is what I have running: SpamAssassin 2.63 ORDB-RBL spamhaus.org spamcop.net dsbl.org abuseat.org blitzed.org Razor2 I'm not doing Bayes at the moment as it seems to be a real hassle doing the training. So my question is what can I do to improve the whole system? What tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to SpamAssassin? Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/44dbc42d/attachment.html From martinh at SOLID-STATE-LOGIC.COM Mon Mar 1 16:02:02 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:50 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <40435E7A.5090005@solid-state-logic.com> Max last week several people (including myself) posted what extra rules we run for SA.. have a look in the archives. Without Bayes I'm getting about 95% hit rate, with bayes about 99.5%, yes bayes really does make that much difference! I'd really suggest you spend some time to give it the initial 200 instances of spam and ham... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Max Kipness wrote: > Hi All, > > > > I've been running MailScanner for a while for a few clients. I just > signed on a new client that was using SpamKiller by Mcafee I believe. > The main reason for the service is for queueing their mail when their > Exchange server goes down which it has been every weekend due to > scheduled power outages. However, they are still relying on the Spam and > Virus filtration. > > > > The problem is that they decided to turn off SpamKiller the other day, > and started getting spam that they assumed MailScanner would stop. > Bottom line is that when SpamKiller is enabled, they get close to no > spam at all. Some of the samples that they sent me are the very basic > couple of lines type of spam that gets a very low score. Here is what I > have running: > > > > SpamAssassin 2.63 > > ORDB-RBL > > spamhaus.org > > spamcop.net > > dsbl.org > > abuseat.org > > blitzed.org > > Razor2 > > > > I'm not doing Bayes at the moment as it seems to be a real hassle doing > the training. > > > > So my question is what can I do to improve the whole system? What > tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to > SpamAssassin? 
> > > > Thanks, > > Max > From dustin.baer at IHS.COM Mon Mar 1 17:17:05 2004 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Stable 4.27.7 released References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> Message-ID: <40437011.660C81E6@ihs.com> <<< No Message Collected >>> From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 17:20:14 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:50 2006 Subject: F-Prot - Debian - MailScanner paths [SCANNED] In-Reply-To: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 11:11 AM, "Julian Field" wrote: >> We did the .deb install of F-Prot from their site and it seems that >> everything is in /usr/local/f-prot and in looking at the f-prot wrapper and >> autoupdate in MS the paths all want /usr/lib/f-prot :( > > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be > the installation directory by default. > You will need to change the path in /etc/MailScanner/virus.scanners.conf or > wherever the Debian guys have put that file. Don't alter the scripts at all. > >> Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings >> in f-prot wrapper and autoupdate? Which is the better path to take, not the >> easiest:)) > > Neither. Use the virus.scanners.conf file. This is exactly why it is there. Thanks Julian, we will comply :)) -- Thanks!! David Thurman List Only at Web Presence Group Net From dustin.baer at IHS.COM Mon Mar 1 17:19:10 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Stable 4.27.7 released References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> <40437011.660C81E6@ihs.com> Message-ID: <4043708E.642C0511@ihs.com> Dustin Baer wrote: > > Julian Field wrote: > > > > > - Added options to add new headers containing the envelope sender and/or > > envelope recipients addresses. The names of the headers are, of course, > > configurable. > > Is there a reason that these headers (X-MailScanner-To:, > X-MailScanner-From:) don't include %org-name%? WHOOPS! Accidentally clicked send. Obviously, this can be changed to "X-%org-name%-MailScanner-From:", but I wanted to make sure there wasn't a good reason not to add %org-name%. Thanks Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From t.d.lee at DURHAM.AC.UK Mon Mar 1 17:26:39 2004 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:22:50 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: On Mon, 1 Mar 2004, Julian Field wrote: > [...] > You must install the Perl module Archive::Zip first, before trying to run > this version. It will not run without it, and none of the installation > scripts will install it for you. I suggest something like this: > perl -MCPAN -e shell > install Archive::Zip > It has a few dependencies, which is why I haven't had a chance to package > it all up for you. Thanks. While you are looking at this "convenience" packaging aspect for Redhat, could you also look at the things I sent you a couple of weeks ago for similar convenience packaging for other OSes and distribution types, please? (This was so that "install.sh", so useful on Redhat for installing the perl pre-requisites, can potentially also work on any other OS.) Thanks. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From raymond at PROLOCATION.NET Mon Mar 1 17:39:47 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: Message-ID: Hi! > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. Yes, works like a charm for me. Bye, Raymond. From cparker at SWATGEAR.COM Mon Mar 1 17:33:05 2004 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Peter Peters on Monday, March 01, 2004 3:51 AM said: >>> Its in our top10 of today: >>> >>> 4747 W32/Netsky.B@mm >>> 1275 W32/Swen.A@mm >>> 404 W32/Sober.C@mm >>> 337 W32/Mydoom.A@mm >>> 200 W32/Netsky.C@mm >>> 126 W32/Bugbear.B@mm >>> 96 W32/Bagle.F@mm >>> 57 W32/Bagle.E@mm >>> 49 W32/Mydoom.E@mm >>> 19 W32/Mimail.J@mm >> >> The G one also just came in twice: >> >> 2 W32/Bagle.G@mm > > We got > 12 removed > 12 W32/Bagle.E@mm > 1 removed > 10 W32/Bagle.F@mm > 8 W32/Bagle.C@mm > 4 removed > 4 W32/Bagle.D@mm > 9 removed > 1 W32/Bagle.G@mm peter/raymond, what is it that you are using to create those reports? chris. From dustin.baer at IHS.COM Mon Mar 1 17:49:48 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files References: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Message-ID: <404377BC.49FC7130@ihs.com> "Chris W. Parker" wrote: > > Peter Peters > on Monday, March 01, 2004 3:51 AM said: > > >>> It's in our top10 of today: > >>> > >>> 4747 W32/Netsky.B@mm > >>> 1275 W32/Swen.A@mm > >>> 404 W32/Sober.C@mm > >>> 337 W32/Mydoom.A@mm > >>> 200 W32/Netsky.C@mm > >>> 126 W32/Bugbear.B@mm > >>> 96 W32/Bagle.F@mm > >>> 57 W32/Bagle.E@mm > >>> 49 W32/Mydoom.E@mm > >>> 19 W32/Mimail.J@mm > > peter/raymond, > > what is it that you are using to create those reports? > > chris. I am not peter or raymond, but... grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed "s/found.*//" | sort | uniq -c | sort -n -r Dustin From raymond at PROLOCATION.NET Mon Mar 1 17:55:10 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B86DD@ati-ex-01.ati.local> Message-ID: Hi! > > We got > > 12 removed > > 12 W32/Bagle.E@mm > > 1 removed > > 10 W32/Bagle.F@mm > > 8 W32/Bagle.C@mm > > 4 removed > > 4 W32/Bagle.D@mm > > 9 removed > > 1 W32/Bagle.G@mm > > peter/raymond, > > what is it that you are using to create those reports? We are using some custom scripts ourselves. They are integrated with our whole backend system so we for example block local virus senders, like Julian does with his patch, but then centralized for all our mailscanner boxes. Bye, Raymond. From raymond at PROLOCATION.NET Mon Mar 1 17:58:15 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <404377BC.49FC7130@ihs.com> Message-ID: Hi! > > >>> It's in our top10 of today: > > >>> > > >>> 4747 W32/Netsky.B@mm > > >>> 1275 W32/Swen.A@mm > > >>> 404 W32/Sober.C@mm > > >>> 337 W32/Mydoom.A@mm > > >>> 200 W32/Netsky.C@mm > > >>> 126 W32/Bugbear.B@mm > > >>> 96 W32/Bagle.F@mm > > >>> 57 W32/Bagle.E@mm > > >>> 49 W32/Mydoom.E@mm > > >>> 19 W32/Mimail.J@mm > I am not peter or raymond, but... > > grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed > "s/found.*//" | sort | uniq -c | sort -n -r You might want to do this a little smarter :) We for example parse around 1.5 GB logfiles, your disk won't be happy if you grep those all over from the start again and again :) We update every 5 minutes now and have around 5-6 seconds parsing time on that :) Bye, Raymond. From dot at DOTAT.AT Mon Mar 1 17:52:02 2004 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:51 2006 Subject: ANNOUNCE: Unstable 4.28.1 released In-Reply-To: References: <6.0.1.1.2.20040301153221.03c1f028@imap.ecs.soton.ac.uk> Message-ID: I like this new ability to check files inside zips. In order for it to be useful here, I would need to be able to distinguish password-protected zips from cleartext zips (so I can let my users use the former to get past my filter when they need to), and I'd like to be able to e.g. only splat the zip file if its only content is an executable file (requiring a custom config function for this is OK). Tony. -- f.a.n.finch http://dotat.at/ FAIR ISLE: WESTERLY BACKING SOUTHERLY 4 OR 5, OCCASIONALLY 6. OCCASIONAL RAIN. MODERATE OR GOOD. From peter at UCGBOOK.COM Mon Mar 1 18:07:16 2004 
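Dustin's one-liner above re-reads the whole syslog on every run, and Raymond's point is that on a 1.5 GB log that full re-read is what hurts. The script below is an added example, not code from the thread or from MailScanner: it does the same sed/sort/uniq count, but remembers the byte offset it reached in a small state file, so a cron run every few minutes only reads the lines appended since the previous run, and starts over from the top when the log has been rotated (file smaller than the saved offset). The log lines it is fed are constructed to match the "Virus '...' found" pattern Dustin greps for; the state-file path and the MailScanner log format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count virus names in a MailScanner
# syslog incrementally, keeping a byte offset between runs so that each
# run only reads the lines appended since the previous one.

# Write a few constructed sample log lines (same "Virus '...' found"
# pattern that the grep in the thread matches) into the file named by $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 13:00:01 mx1 MailScanner[4711]: Virus 'W32/Netsky.B@mm' found in file ./i2B1D0Q7/message.zip
Mar  1 13:00:02 mx1 MailScanner[4711]: Spam Checks: Found 3 spam messages
Mar  1 13:00:05 mx1 MailScanner[4712]: Virus 'W32/Bagle.F@mm' found in file ./i2B1D0Q8/doc.zip
Mar  1 13:01:09 mx1 MailScanner[4711]: Virus 'W32/Netsky.B@mm' found in file ./i2B1D0R1/photo.pif
EOF
}

# count_viruses LOG STATEFILE
# Prints "count name" lines, most frequent first, for the part of LOG
# appended since the byte offset saved in STATEFILE, then saves the new
# offset.  A log that is smaller than the saved offset has been rotated,
# so it is read from the start again.
count_viruses() {
    log=$1
    state=$2
    start=0
    if [ -f "$state" ]; then
        start=$(tr -d ' ' < "$state")
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$start" ]; then
        start=0
    fi
    # tail -c +N starts at byte N (1-based), so this skips $start bytes.
    tail -c +"$((start + 1))" "$log" \
        | sed -n "s/.*Virus '\([^']*\)' found.*/\1/p" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
    echo "$size" > "$state"
}

# Stand-alone use, e.g. from cron every five minutes (paths are assumptions):
#   sh count_viruses.sh /var/log/maillog /var/run/viruscount.offset
if [ $# -ge 1 ]; then
    count_viruses "$1" "${2:-/var/run/viruscount.offset}"
fi
```

Each run prints only the viruses seen since the last run, so a reporting script that wants running totals adds the per-run counts into its own database rather than recounting the log; keep the state file on the same host as the log, since the offset is only meaningful for that one file.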
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bayes_toks corrupted In-Reply-To: <20040301150713.M70986@ezo.net> References: <20040301150713.M70986@ezo.net> Message-ID: <40437BD4.80804@ucgbook.com> Jim Flowers wrote: > In case 1, do I understand expire/rebuild is run after each scan? No, SA determines when it should/can do it, it's partly configurable but it doesn't work well at all. > In case 2, expire/rebuild is run every 4 hours (or as configured). Yes. > In case 3, expire/rebuild is run once per day via crontab. Yes, or more often if you want, use crontab as usual to schedule it. I run it at night when I have little traffic. I recommend not redirecting output so you can see what's going on in your root mail, you can redirect later when you feel confident that it's OK. > I have to admit to being confused about the different combinations. Is the > above correct and which (or what) combination do you use? Nice summary you did, it's correct. I use #3 since I don't have 4.26 (which introduced #2). You can use #2 or #3 but don't trust #1 to do the job. I have had no Bayes trouble for almost 2 months now. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From sevans at FOUNDATION.SDSU.EDU Mon Mar 1 18:07:11 2004 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:22:51 2006 Subject: ANNOUNCE: Unstable 4.28.1 released Message-ID: <3A411846CD3C0D4CB3D8704F937353705891BD@be-00.foundation.sdsu.edu> Some of the new viruses send a password protected zip file, with the password in the body of the message, so this would probably be a bad idea. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tony Finch Sent: Monday, March 01, 2004 9:52 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Unstable 4.28.1 released I like this new ability to check files inside zips. In order for it to be useful here, I would need to be able to distinguish password-protected zips from cleartext zips (so I can let my users use the former to get past my filter when they need to), and I'd like to be able to e.g. only splat the zip file if its only contents is an executable file (requiring a custom config function for this is OK). Tony. -- f.a.n.finch http://dotat.at/ FAIR ISLE: WESTERLY BACKING SOUTHERLY 4 OR 5, OCCASIONALLY 6. OCCASIONAL RAIN. MODERATE OR GOOD. From Janssen at RZ.UNI-FRANKFURT.DE Mon Mar 1 18:10:16 2004 
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen) Date: Thu Jan 12 21:22:51 2006 Subject: Virus update times In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk> Message-ID: On Mon, 1 Mar 2004, Spicer, Kevin wrote: > Julian Field wrote: > > > 2nd thoughts. I am going to make the random delay 10 minutes for now > > as I still want people to basically get updates every hour. > > > I wonder whether just pulling the 'inode modification time' (ls -lc) > of update_virus_scanners and using the minutes & seconds from that to > create a delay would be acceptable. That way the update would be > every hour, but at the same (semi-random) time every hour. This way you also know when protection came in without examining the logs (given that you know the hour by notifications or a dramatic increase of found viruses ;-). But I don't like to use the ctime. When you happen to have more than one mailscanner server, you will have different update times between servers, which might make things complicated to track. I would use the domainname to create a semi-random number and the machines update at the same time within this domain. Unfortunately, I don't know how to do it in perl. Shell could be: NUMERICAL_VALUE=`domainname | md5sum | \ od --address-radix=n --read-bytes 4 --format d4` DELAY=$(( NUMERICAL_VALUE % 3600 )) but this has too many assumptions on installed programs (domainname is too much of an assumption). Can someone suggest how to compute the domainname with perl and turn it into a relatively random number then do "% 3600" and sleep about? Michael From m.sapsed at BANGOR.AC.UK Mon Mar 1 18:16:17 2004 
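Michael's idea is to hash the DNS domain into a fixed offset within the hour, so that all MailScanner boxes in one domain fetch updates at the same minute while different domains spread out. The script below is an added example, not code from the thread or from MailScanner's update_virus_scanners: it derives the domain from the host's fully qualified name and reduces a POSIX cksum CRC modulo 3600, which avoids the domainname, md5sum and od dependencies Michael was unhappy about and, because the CRC is unsigned, never yields a negative delay (his od --format d4 reads a signed value). The use of `hostname` in the stand-alone section is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): derive a per-domain update delay
# from the host's DNS domain, so every MailScanner box in one domain
# updates at the same (but domain-specific) offset within the hour.
# Only POSIX tools (cksum, cut, printf) are used.

# fqdn_domain FQDN
# Prints everything after the first label, e.g. mx1.example.com -> example.com.
# A bare hostname with no dots is printed unchanged.
fqdn_domain() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# domain_delay DOMAIN [MODULUS]
# Hashes DOMAIN with the POSIX cksum CRC and reduces it modulo MODULUS
# (default 3600 seconds), giving a stable pseudo-random delay in
# 0..MODULUS-1.  The CRC is unsigned, so the result is never negative.
domain_delay() {
    modulus=${2:-3600}
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % modulus ))
}

# Stand-alone use: sleep for the domain's offset before fetching updates.
# (hostname is assumed to print the fully qualified name.)
if [ "${1-}" = "--sleep" ]; then
    delay=$(domain_delay "$(fqdn_domain "$(hostname)")")
    echo "sleeping $delay seconds before updating"
    sleep "$delay"
fi
```

The same computation in Perl, for a MailScanner-side implementation, is `unpack('N', md5($domain)) % 3600` with `Digest::MD5 qw(md5)`, which reads the first four bytes of the digest as an unsigned 32-bit integer. The one thing this scheme does not protect against is two unrelated domains hashing to offsets a few seconds apart; since the delay only spreads load on the vendor's update server, that collision is harmless.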
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:22:51 2006 Subject: Has Sophos got slower again? Message-ID: <40437DF1.4060000@bangor.ac.uk> Hi folks, My EM Library has installed Sophos 3.79 for me on my test (Debian stable, MailScanner-4.26-4, Sophos linux.intel.libc6.glibc.2.2) box and I've noticed it being a bit sluggish today. As this box only handles my e-mail (I say only, but that's still quite a bit) it got me wondering. I tried just starting sweep on a tiny file and it took maybe 15 seconds. I tried the older version (3.78d) and it was maybe 6 seconds. Is anyone else with 3.79 seeing this slowdown? Maybe I should look at sophossavi again....? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From jaearick at COLBY.EDU Mon Mar 1 18:17:38 2004 From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:51 2006 Subject: backhair, confused... SOLVED In-Reply-To: References: Message-ID: Gang, Discovered the problem after a good lunch and more staring at debug output. I had for settings: SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Default Rules Dir = and got debug output of: debug: using "/opt/perl5/share/spamassassin" for default rules dir debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir Wrong! My perl is installed in /opt/perl5, dunno where these paths came from. Changed the two blank config settings above to "/etc/mail/spamassassin" and the debug output changed to: debug: using "/etc/mail/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir and now backhair/bigevil/antidrug are being used by SA. Problem solved, but I don't know why MS was picking up my perl install path for blank rules directories. Jeff Earickson Colby College On Mon, 1 Mar 2004, Jeff Earickson wrote: > Date: Mon, 1 Mar 2004 11:57:17 -0500 
> From: Jeff Earickson > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: bigevil, backhair... STILL confused > > Gang, > > Back in late December there was discussion on the list about > installing and having SA find local rule sets like bigevil.cf, etc. > Bobby Rose offered the following hack to SA.pm to get extra > rulesets to be found: > > Before > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > After > $settings{dont_copy_prefs} = 1; # Removes need for home directory > $settings{site_rules_filename} = "/etc/mail/spamassassin"; > $prefs = MailScanner::Config::Value('spamassassinprefsfile'); > > In private emails with Julian, he warned against this hack. I've > also discovered in the list archives that (maybe) the setting > "SpamAssassin Site Rules Dir" is supposed to handle this. > > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. > > Jeff Earickson > Colby College > From peter at UCGBOOK.COM Mon Mar 1 18:18:16 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> Message-ID: <40437E68.7020507@ucgbook.com> Max Kipness wrote: > I'm not doing Bayes at the moment as it seems to be a real hassle doing > the training. I don't know for other sites but I don't bother with training. I use the default autolearn feature (<0.1 ham, >12 spam) and it works great. If you have Exchange on the inside it's not easy to get a correct mail to learn from. > So my question is what can I do to improve the whole system? What > tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to > SpamAssassin? Definitely turn on Bayes, it will help a lot even without additional training. Also use DCC, it's a really good design. It's easy to install, fast and stable. Here are my top SA traps: SpamAssassin 369,153 ...HTML_MESSAGE 290,859 ...BAYES_99 285,210 ...RCVD_IN_BL_SPAMCOP_NET 255,030 ...DCC_CHECK 232,846 Out of a total of 369,153 messages identified as spam Bayes was 99% sure that 285,210 were spam, that's 5.4 points right there. The best RBL for me, as you can see, is spamcop and right after that follows the DCC checks. HTML_MESSAGE is a low scoring test that doesn't affect the total much. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From raymond at PROLOCATION.NET Mon Mar 1 18:19:57 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40437E68.7020507@ucgbook.com> Message-ID: Hi! > SpamAssassin 369,153 > ...HTML_MESSAGE 290,859 > ...BAYES_99 285,210 > ...RCVD_IN_BL_SPAMCOP_NET 255,030 > ...DCC_CHECK 232,846 > > Out of a total of 369,153 messages identified as spam Bayes was 99% sure > that 285,210 were spam, that's 5.4 points right there. The best RBL for > me, as you can see, is spamcop and right after that follows the DCC > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total > much. Do you also run with DSBL ? If not, may I suggest you give it a try ? From today: 56397 DSBL 51884 spamcop.net 44260 SBL+XBL 38351 SORBS-DNSBL 31593 NJABL 22035 RFC-IGNORANT-ABUSE 21560 RFC-IGNORANT-POSTMASTER 7370 RFC-IGNORANT-DSN 5783 RFC-IGNORANT-WHOIS 1595 RFC-IGNORANT-BOGUSMX 821 CBL 743 SORBS-DUL Total hits on RBL lists: 282392 Bye, Raymond. From peter at UCGBOOK.COM Mon Mar 1 18:25:16 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <4043800C.7000106@ucgbook.com> Jeff Earickson wrote: > Well, I have "SpamAssassin Site Rules Dir" defined as > /etc/mail/spamassassin. In there I have local.cf as a symlink to > /opt/MailScanner/etc/spam.assassin.prefs.conf, plus the files > bigevil.cf, backhair.cf, and antidrug.cf. Without Rose's hack, > the bigevil/backhair/antidrug rules never get touched ("ls -lu") > or used. Is there some other MailScanner.conf setting I have missed? > Does this work for other people??? Setup: Solaris 9, MS 4.28.1, > SA 2.63. I have BigEvil and AntiDrug in /etc/mail/spamassassin and they work just fine. If you run "spamassassin -D", does it say that it uses /etc/mail/spamassassin as site rules dir? It should be near the top of the output. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From mkettler at EVI-INC.COM Mon Mar 1 18:37:35 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: References: Message-ID: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> At 11:57 AM 3/1/2004, Jeff Earickson wrote: >Well, I have "SpamAssassin Site Rules Dir" defined as >/etc/mail/spamassassin. In there I have local.cf as a symlink to >/opt/MailScanner/etc/spam.assassin.prefs.conf, 1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ? In general that's a bad idea. If nothing else, you're forcing SA to double-parse that file when mailscanner initializes. If you really want the contents of your spam.assassin.prefs.conf to apply globally, copy it to local.cf and put a blank spam.assassin.prefs.conf in /opt/MailScanner. There's no good reason for both files to have SA config data in them. 2) Have you run spamassassin --lint against your files? Slight typos can cause SA to get irritable and spit out whole files at a time without parsing them. From leduc at CTS.COM Mon Mar 1 18:39:26 2004 
From: leduc at CTS.COM (Gene LeDuc) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> Message-ID: <200403011039.26528.leduc@cts.com> Hi Kevin, My company has always blocked passworded zips. If the gateway can't unzip the file, it gets blocked. It's a brain-dead gateway, so I won't embarrass myself (by association) by saying what it is. On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote: > This virus is spreading rapidly, we've seen it overnight (although not in > its password protected form - but we had no way of spotting that so it may > have got through). > > I'm now blocking zip files (making me not very popular this morning!). > > Time to start a discussion about ways to block password protected zip > files? From kodak at FRONTIERHOMEMORTGAGE.COM Mon Mar 1 18:39:37 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:51 2006 Subject: Has Sophos got slower again? In-Reply-To: <40437DF1.4060000@bangor.ac.uk> Message-ID: <014f01c3ffbc$8ca08350$0501a8c0@darkside> > >My EM Library has installed Sophos 3.79 for me on my test (Debian >stable, MailScanner-4.26-4, Sophos linux.intel.libc6.glibc.2.2) box and >I've noticed it being a bit sluggish today. As this box only handles my >e-mail (I say only, but that's still quite a bit) it got me >wondering. I >tried just starting sweep on a tiny file and it took maybe 15 >seconds. I >tried the older version (3.78d) and it was maybe 6 seconds. Is anyone >else with 3.79 seeing this slowdown? > >Maybe I should look at sophossavi again....? I haven't had any issues with Sophos recently. I am using sophossavi, though. You should think about doing the same, I can't think of a reason not to. 15 seconds is a long time for one file, even with sweep. What's the load on your box when you're running it? You've got a bottleneck somewhere, and since you mentioned you're not running savi... that's probably it. HTH, --J(K) From peter at UCGBOOK.COM Mon Mar 1 18:41:50 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: Feature suggestion: quarantine password protected zip messages Message-ID: <404383EE.5030508@ucgbook.com> I would like to have a switch so I could choose to quarantine messages that contain unscannable attachments. A report should be sent out to the recipient with the usual from/to/subject/date that is usually enough to determine that it's nothing they asked for so they don't ask me to release it from quarantine. But if they do, I can check inside the message for the password and scan it manually before I do so. It seems to be a trend to send viruses through password protected zips now and I think this would help. What do you think? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From peter at UCGBOOK.COM Mon Mar 1 18:46:09 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:51 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> References: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> Message-ID: <404384F1.7040701@ucgbook.com> Matt Kettler wrote: > 1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ? > > In general that's a bad idea. If nothing else, you're forcing SA to > double-parse that file when mailscanner initializes. Would this double-parsing be invoked every time a message is scanned by MS/SA or only at the start of a new MS child? -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 18:52:02 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:51 2006 Subject: F-Prot - Debian - MailScanner paths [SCANNED] In-Reply-To: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 11:11 AM, "Julian Field" wrote: > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be > the installation directory by default. > You will need to change the path in /etc/MailScanner/virus.scanners.conf or > wherever the Debian guys have put that file. Don't alter the scripts at all. Okay we have modified the virus.scanners.conf Old f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/lib/f-prot New f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/local/f-prot Looks like that was the cure :)) But on the /etc/MailScanner/autoupdate/f-prot-autoupdate We have use Sys::Syslog; use IO::File; # Stop syslogd from needing external access (or -r) eval { Sys::Syslog::setlogsock('unix'); }; $PackageDir = "/usr/lib/f-prot"; And # N.B. TempDir DIRECTORY WILL BE CLEARED so # you *really* don't want to share it with # anything else. $TempDir = "/var/tmp/f-prot"; $DefDir = "/var/lib/f-prot"; Will the autoupdate know to tap into /usr/local/f-prot? Those looked hard-coded. -- Thanks!! David Thurman List Only at Web Presence Group Net From listonly at WEBPRESENCEGROUP.NET Mon Mar 1 19:10:12 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller [SCANNED] In-Reply-To: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk> Message-ID: On 3/1/04 10:58 AM, "Julian Field" wrote: > > If Net::DNS is not installed, that would make a huge difference to your > spam-spotting success rate. SpamAssassin would not be checking any of the > RBL's, you would only get MailScanner RBL checking (which doesn't rely on > Net::DNS). So using the above method or perl mod, should we turn RBL off in MS and on in SA then? Sorry for sounding dumb, the SA part of all this is the more confusing thing, MS seems to be for the most part straight forward. -- Thanks!! David Thurman List Only at Web Presence Group Net From mikea at MIKEA.ATH.CX Mon Mar 1 19:11:01 2004 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:22:51 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: ; from P.G.M.Peters@utwente.nl on Mon, Mar 01, 2004 at 12:50:50PM +0100 References: Message-ID: <20040301131101.A70553@mikea.ath.cx> On Mon, Mar 01, 2004 at 12:50:50PM +0100, Peter Peters wrote: > On Mon, 1 Mar 2004 11:29:29 +0100, you wrote: > > >Hi! > > > >> Its in our top10 of today: > >> > >> 4747 W32/Netsky.B@mm > >> 1275 W32/Swen.A@mm > >> 404 W32/Sober.C@mm > >> 337 W32/Mydoom.A@mm > >> 200 W32/Netsky.C@mm > >> 126 W32/Bugbear.B@mm > >> 96 W32/Bagle.F@mm > >> 57 W32/Bagle.E@mm > >> 49 W32/Mydoom.E@mm > >> 19 W32/Mimail.J@mm > > > >The G one also just came in twice: > > > >2 W32/Bagle.G@mm > > We got > 12 removed > 12 W32/Bagle.E@mm > 1 removed > 10 W32/Bagle.F@mm > 8 W32/Bagle.C@mm > 4 removed > 4 W32/Bagle.D@mm > 9 removed > 1 W32/Bagle.G@mm Here at WeBuildHighways, it's a lot like this: $ FOUNDnow # This is /home/mikea/bin/FOUND. # Start Input Phase on 2004.60 (2004 Mar 1) at 13:08:49 local Worm.Bagle.A3 1 every 1.88 hours Worm.Bagle.E 1 every 1.01 hours Worm.Bagle.F 1 every 1.88 hours Worm.Mydoom.F 1 every 52.59 minutes Worm.SCO.A 1 every 13.15 hours Worm.SomeFool 1 every 10.11 minutes Worm.SomeFool.B 1 every 56.34 minutes Worm.SomeFool.B-petite 1 every 19.72 minutes Total 1 every 4.51 minutes Now, does anyone have a pointer to translating from ClamAV's malware names to, say, Norton's, so I can see how our stats compare to others? -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From gdoris at rogers.com Mon Mar 1 19:21:27 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <40437E68.7020507@ucgbook.com> References: <399D85F2BB50BC4295F78EAE203D5C222181CF@dalsxc01.geniant.net> <40437E68.7020507@ucgbook.com> Message-ID: <48210.129.80.22.143.1078168887.squirrel@65.48.246.102> > Max Kipness wrote: >> I'm not doing Bayes at the moment as it seems to be a real hassle doing >> the training. > > I don't know for other sites but I don't bother with training. I use the > default autolearn feature (<0.1 ham, >12 spam) and it works great. If > you have Exchange on the inside it's not easy to get a correct mail to > learn from. > >> So my question is what can I do to improve the whole system? What >> tweaks? Will DCC help out a lot? Are there any better RBLs? Tweaks to >> SpamAssassin? > > Definitely turn on Bayes, it will help a lot even without additional > training. Also use DCC, it's a really good design. It's easy to install, > fast and stable. > > Here are my top SA traps: > > SpamAssassin 369,153 > ...HTML_MESSAGE 290,859 > ...BAYES_99 285,210 > ...RCVD_IN_BL_SPAMCOP_NET 255,030 > ...DCC_CHECK 232,846 > > Out of a total of 369,153 messages identified as spam Bayes was 99% sure > that 285,210 were spam, that's 5.4 points right there. The best RBL for > me, as you can see, is spamcop and right after that follows the DCC > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total > much. > > -- > /Peter Bonivart I have also found Spamcop to be pretty accurate for the mail I receive. As such, I've bumped the spam score for it up a little from the default. Gerry From raymond at PROLOCATION.NET Mon Mar 1 19:45:44 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:51 2006 Subject: MailScanner vs. SpamKiller In-Reply-To: <48210.129.80.22.143.1078168887.squirrel@65.48.246.102> Message-ID: Hi! > > SpamAssassin 369,153 > > ...HTML_MESSAGE 290,859 > > ...BAYES_99 285,210 > > ...RCVD_IN_BL_SPAMCOP_NET 255,030 > > ...DCC_CHECK 232,846 > > > > Out of a total of 369,153 messages identified as spam Bayes was 99% sure > > that 285,210 were spam, that's 5.4 points right there. The best RBL for > > me, as you can see, is spamcop and right after that follows the DCC > > checks. HTML_MESSAGE is a low scoring test that doesn't affect the total > > much. > > > > -- > > /Peter Bonivart > > I have also found Spamcop to be pretty accurate for the mail I receive. > As such, I've bumped the spam score for it up a little from the default. And you can enable some more RBL checks :) # # Extra DNSBL checks: # # AHBL RBL checks header RCVD_IN_AHBL eval:check_rbl_txt('ahbl', 'dnsbl.ahbl.org.') describe RCVD_IN_AHBL Received via a relay in dnsbl.ahbl.org tflags RCVD_IN_AHBL net score RCVD_IN_AHBL 0 1.271 0 2.0 # RSL RBL checks header RCVD_IN_RSL eval:check_rbl_txt('rsl', 'relays.visi.com.') describe RCVD_IN_RSL Received via a relay in relays.visi.com. tflags RCVD_IN_RSL net score RCVD_IN_RSL 0 1.271 0 1.6 # CBL RBL checks header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org.') describe RCVD_IN_CBL Received via a relay in cbl.abuseat.org. tflags RCVD_IN_CBL net score RCVD_IN_CBL 0 1.271 0 1.6 # ORDB RBL checks header RCVD_IN_ORDB eval:check_rbl_txt('ordb', 'relays.ordb.org.') describe RCVD_IN_ORDB Received via a relay in relays.ordb.org. tflags RCVD_IN_ORDB net score RCVD_IN_ORDB 0 1.271 0 1.0 score RCVD_IN_DSBL 0 1.271 0 1.6 Plus I raised the DSBL score a little. Bye, Raymond. From gdoris at rogers.com Mon Mar 1 19:54:19 2004 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:51 2006 Subject: backhair, confused... SOLVED In-Reply-To: References: Message-ID: <49777.129.80.22.143.1078170859.squirrel@65.48.246.102> > Gang, > Discovered the problem after a good lunch and more staring at > debug output. I had for settings: > > SpamAssassin Site Rules Dir = /etc/mail/spamassassin > SpamAssassin Local Rules Dir = > SpamAssassin Default Rules Dir = > > and got debug output of: > > debug: using "/opt/perl5/share/spamassassin" for default rules dir > debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir > > Wrong! My perl is installed in /opt/perl5, dunno where these paths > came from. Changed the two blank config settings above to > "/etc/mail/spamassassin" and the debug output changed to: > > debug: using "/etc/mail/spamassassin" for default rules dir > debug: using "/etc/mail/spamassassin" for site rules dir > > and now backhair/bigevil/antidrug are being used by SA. Problem > solved, but I don't know why MS was picking up my perl install path > for blank rules directories. > > Jeff Earickson > Colby College If you're not already using the "rules_du_jour" script I highly recommend it. The various rules change regularly as well as the script. Running it as a cron job will ensure you're always current. Gerry From maillists at CONACTIVE.COM Mon Mar 1 20:31:35 2004 
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:51 2006 Subject: backhair, confused... SOLVED In-Reply-To: References: Message-ID: Jeff Earickson wrote on Mon, 1 Mar 2004 13:17:38 -0500: > debug: using "/opt/perl5/share/spamassassin" for default rules dir > debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir > > Wrong! My perl is installed in /opt/perl5, dunno where these paths > came from. Changed the two blank config settings above to > "/etc/mail/spamassassin" and the debug output changed to: > This is wrong again. Default Rules Dir should point to the SA default rules dir which is /usr/share/spamassassin on most platforms. I don't know what Local Rules Dir should be, maybe the dir (not the path) within each user's homedir. Compare that: SpamAssassin Site Rules Dir = /etc/mail/spamassassin debug: using "/opt/perl5/etc/mail/spamassassin" for site rules dir See the difference? Either there is a small bug in MS which adds instead of replaces the Site Rules Dir or there is another problem. If you have a correctly installed SA this line should do it alone: SpamAssassin Prefs File = /etc/mail/spamassassin/local.cf (note: no Rules Dir whatsoever stuff!) if /etc/mail/spamassassin/ is the Site Rules Dir (can be found out by running spamassassin --lint). Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From shrek-m at GMX.DE Mon Mar 1 20:44:39 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:51 2006 Subject: [Fwd: Sophos Anti-Virus IDE alert: W32/Netsky-D] In-Reply-To: <40432902.8020101@solid-state-logic.com> References: <40432902.8020101@solid-state-logic.com> Message-ID: <4043A0B7.3060400@gmx.de> Martin Hepworth wrote: > looks they've got it finally!!! ohhh, they are awake and back in the game? 
From: Sophos Alert System Date: Mon, 01 Mar 2004 11:51:01 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Netsky-D From: Sophos Alert System Date: Mon, 01 Mar 2004 17:25:14 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Netsky-E From: Sophos Alert System Date: Mon, 01 Mar 2004 17:59:27 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Bagle-H From: Sophos Alert System Date: Mon, 01 Mar 2004 19:57:05 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Bagle-H -- shrek-m From pete at eatathome.com.au Mon Mar 1 20:48:55 2004 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:51 2006 Subject: More details in the logs In-Reply-To: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au> References: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au> Message-ID: <4043A1B7.2090100@eatathome.com.au> David Hooton wrote: >>-----Original Message----- 
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Patrik Bäckström >>Sent: Monday, 1 March 2004 11:31 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: More details in the logs >> >>We use MailScanner for several customers/domains (currently version 4.25- >>14) >>and we would like to gather statistics per customer on how many mails >>scanned (that i can get from postfix), how many rejected and why and so >>on. >> >>Currently, it only tells us that something has been blocked and why, but >>not >>from or, more important, to who the mail was sent. > >http://mailwatch.sf.net/ > >Will allow you to setup per domain/user etc etc stats for users, very useful >tool indeed. > >Dave > > >======================================================================== > Pain free spam & virus protection by: www.mailsecurity.net.au > Forward undetected SPAM to: spam@mailsecurity.net.au >======================================================================== If you want a text only version you could get and run the pflogsum.pl script from sourceforge too - simple perl script that greps the maillog and produces a nice report each night and emails it to me.. sample.. 
Postfix log summaries for Feb 26

Grand Totals
------------
messages

    223   received
    113   delivered
      0   forwarded
    187   deferred  (190  deferrals)
      0   bounced
     17   rejected (13%)
      0   reject warnings
      0   held
      0   discarded (0%)

  4389k  bytes received
  3657k  bytes delivered
    156   senders
    132   sending hosts/domains
     74   recipients
      3   recipient hosts/domains


Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100           5          0          5          0          0
    0100-0200           4          0          3          0          1
    0200-0300           5          1          5          0          0
    0300-0400           2          1          0          0          0
    0400-0500           5          4          2          0          0
    0500-0600           2          0          2          0          0
    0600-0700           3          0          2          0          1

Host/Domain Summary: Message Delivery
 sent cnt  bytes   defers   avg dly max dly host/domain
 -------- -------  -------  ------- ------- -----------
      102   3539k      181    5.5 m  21.2 m  primary.com.au
        8  116487        9    7.6 m  16.4 m  students.primary.com.au
        3    3614        0    0.3 s   1.0 s  mail02.primary.com.au

Host/Domain Summary: Messages Received
 msg cnt   bytes   host/domain
 -------- -------  -----------
        9  417475  enewsletters.f2network.com.au
        9  205721  yahoo.com.au
        7   43904  yahoo.com
        4    537k  mannatech.com.au
        4  123015  national.com.au
        4   32121  sesahs.nsw.gov.au
        4   29103  mail02.primary.com.au
        4   13800  lyris.isworld.org

From JLimmer at CURAGEN.COM Mon Mar 1 21:35:05 2004 
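The per-domain breakdown that the pflogsumm report above does not give (which mail was rejected, for which customer, and why) can be pulled from the same maillog. The script below is an added example, not code from the thread, from pflogsumm or from MailScanner: it parses Postfix smtpd "NOQUEUE: reject" lines, keys each reject by recipient domain, and attributes it to the DNSBL zone named in the reject text or to the SMTP code otherwise. The log excerpt is constructed; the reject lines follow Postfix's standard format but the hosts, addresses and timestamps are invented. It only sees what the MTA rejected at SMTP time; MailScanner's own block decisions are logged separately (tagged "MailScanner" in the same file) in a different format and are not parsed here.

```python
"""Added example: per-recipient-domain reject statistics from Postfix maillog lines."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log. Reject lines use the standard smtpd NOQUEUE format.
SAMPLE_LOG = """\
Mar  1 00:12:03 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using cbl.abuseat.org; from=<spam@example.net> to=<alice@customer-a.example> proto=ESMTP helo=<mail.example.net>
Mar  1 00:15:44 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.8 <bogus@invalid.example>: Sender address rejected: Domain not found; from=<bogus@invalid.example> to=<bob@customer-b.example> proto=ESMTP helo=<x>
Mar  1 00:20:01 mx1 postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using relays.ordb.org; from=<a@b.example> to=<carol@customer-a.example> proto=SMTP helo=<y>
Mar  1 00:21:09 mx1 postfix/smtpd[4130]: connect from unknown[192.0.2.12]
Mar  1 00:25:17 mx1 MailScanner[4210]: New Batch: Scanning 3 messages, 12345 bytes
"""

# Client, SMTP reply code, enhanced status, free-text reason, envelope sender/recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text: str) -> List[Dict[str, str]]:
    """One record per rejected RCPT command; every other line is ignored."""
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # The DNSBL that caused the reject, if the reason names one.
        bl = re.search(r"blocked using (\S+)", rec["reason"])
        rec["dnsbl"] = bl.group(1).rstrip(";") if bl else ""
        # Per-customer key: the recipient's domain, case-folded.
        rec["rcpt_domain"] = rec["rcpt"].rpartition("@")[2].lower()
        records.append(rec)
    return records


def rejects_per_domain(log_text: str) -> Dict[str, Dict[str, int]]:
    """Counts per recipient domain, keyed by DNSBL zone or by 'code dsn'."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for rec in parse_rejects(log_text):
        reason_key = rec["dnsbl"] or f"{rec['code']} {rec['dsn']}"
        stats[rec["rcpt_domain"]][reason_key] += 1
    return {dom: dict(reasons) for dom, reasons in stats.items()}


def report(log_text: str) -> str:
    """Render the counts as a plain-text report in the style of pflogsumm."""
    out = ["Rejects per recipient domain", "----------------------------"]
    for dom, reasons in sorted(rejects_per_domain(log_text).items()):
        out.append(f"{sum(reasons.values()):5d}  {dom}")
        for reason, n in sorted(reasons.items()):
            out.append(f"{n:5d}    {reason}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the real file with `report(open("/var/log/maillog").read())` from a nightly cron job; the recipient domain is taken from the envelope `to=<...>`, which is what the customer mapping needs, rather than from any header the sender controls.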
From: JLimmer at CURAGEN.COM (Limmer, Jim) Date: Thu Jan 12 21:22:51 2006 Subject: Justification for mailscanner. Message-ID: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> My company has budgeted a good amount of money for a spam/virus filtering email gateway, similar to what I can accomplish with mailscanner. We've tested a few commercial products, none to our satisfaction. While we are meeting with their sales staff I typically jot down each application they are using. It's amazing the amount of money some of these vendors are charging for what is 99% open source software. Typically these boxes are running redhat, postfix, sa, razor... the list goes on. The only proprietary software I see on these boxes are their web gui front ends, which are typically attractive, but IMHO - useless. Anyway, the question was put to me today - how can you justify wanting to spend valuable man hours building and configuring our own system based on open source, when we've already budgeted enough money to cover a commercial solution? While the simple answers are the ones that make sense to us technological people 1> open source is good. 2> personal satisfaction of putting your own system together 3> It's just darn cool & techno-geeky. Unfortunately, those answers aren't going to satisfy the higher ups. Anyone seen any good articles, or have any comment that may help me put together a good answer to this? Thanks, -Jim -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040301/f19bfa95/attachment.html From steve.swaney at FSL.COM Mon Mar 1 21:54:01 2004 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:51 2006 Subject: Justification for mailscanner. In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <20040301215603.9ED4721C141@mail.fsl.com> ________________________________________ 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Limmer, Jim Sent: Monday, March 01, 2004 4:35 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Justification for mailscanner. My company has budgeted a good amount of money for a spam/virus filtering email gateway, similar to what I can accomplish with mailscanner. We've tested a few commercial products, none to our satisfaction. While we are meeting with their sales staff I typically jot down each application they are using. It's amazing the amount of money some of these vendors are charging for what is 99% open source software. Typically these boxes are running redhat, postfix, sa, razor the list goes on. The only proprietary software I see on these boxes are their web gui front ends, which are typically attractive, but IMHO - useless. Anyway, the question was put to me today - how can you justify wanting to spend valuable man hours building and configuring our own system based on open source, when we've already budgeted enough money to cover a commercial solution? While the simple answers are the ones that make sense to us technological people 1> open source is good. 2> personal satisfaction of putting your own system together 3> It's just darn cool & techno-geeky. I believe; 1. It's the best solution at any price. 2. It provides more features than any other commercial application. 3. It's updated much more frequently than the commercial solutions. This is very important in accurately detecting spam. It's a race between the spammers and SpamAssassin and the ruleset writers. 4. It can use multiple virus scanners of your choice at the same time. This was very important today where a lot of folks got burned by a single virus scanner (thank you ClamAV!). Your virus scanners are updated hourly. I'm sure you'll get a few other responses :) Steve Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com Unfortunately, those answers aren't going to satisfy the higher ups. 
Anyone seen any good articles, or have any comment that may help me put together a good answer to this? Thanks, -Jim -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From dparter at CS.WISC.EDU Mon Mar 1 21:49:56 2004 From: dparter at CS.WISC.EDU (David Parter) Date: Thu Jan 12 21:22:51 2006 Subject: Justification for mailscanner. In-Reply-To: Message from "Limmer, Jim" of "Mon, 01 Mar 2004 16:35:05 EST." <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <200403012149.PAA12186@yfandes.cs.wisc.edu> > Anyway, the question was put to me today - how can you justify wanting > to spend valuable man hours building and configuring our own system > based on open source, when we've already budgeted enough money to cover > a commercial solution? > > While the simple answers are the ones that make sense to us > technological people > > 1> open source is good. > 2> personal satisfaction of putting your own system together > 3> It's just darn cool & techo-geeky. > > Unfortunatley, those answers arent going to satisfy the higher ups. > > Anyone seen any good articles, or have any comment that may help me put > together a good answer to this? how about: The amount of time we will have to spend learning and maintaining the "commercial" system is very close to the amount of time we would spend putting it together ourselves, with the added bonus that it will more closely meet our needs, and we can be more flexible and responsive to changing conditions and requirements. --david From dparter at CS.WISC.EDU Mon Mar 1 21:52:54 2004 
From: dparter at CS.WISC.EDU (David Parter) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner (part 2) In-Reply-To: Message from "Limmer, Jim" of "Mon, 01 Mar 2004 16:35:05 EST." <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <200403012152.PAA12232@yfandes.cs.wisc.edu> > Anyway, the question was put to me today - how can you justify wanting > to spend valuable man hours building and configuring our own system > based on open source, when we've already budgeted enough money to cover > a commercial solution? I forgot an important point: e-mail is so important to this organization, I'm more comfortable with in-house expertise to support it. Virus scanning is only part of a larger system of mail delivery and transport, which we already maintain. It is critical that we are able to support and maintain each component ... --david From jmckee at RESODYN.COM Mon Mar 1 21:53:35 2004 From: jmckee at RESODYN.COM (John McKee) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner problems Message-ID: <1078178015.2258.72.camel@localhost.localdomain> Good afternoon, I've recently installed MailScanner for the sole purpose of blocking attachments. I am not interested in Spam blocking or antivirus scanning (via MailScanner) at this time. My problem is that although the types are specified, .txt, .bat,. pif, etc. they are all being allowed through. I haven't been able to locate a log file specifically for MailScanner. I have watched traffic through /var/spool/maillog and messages on var/spool/messages; but nothing is making itself apparent. MailScanner does appear to be running, determined through various restarts via 'service MailScanner restart". Fedora Core 1. Sendmail 8.12.10. I have scanned the help files, google, etc. Where else can I look? I'm willing to post various log files, confs, etc if someone can help me out. Thanks, John McKee From kodak at FRONTIERHOMEMORTGAGE.COM Mon Mar 1 22:07:53 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <018a01c3ffd9$a4f80690$0501a8c0@darkside> Pocket the money and just tell them you've installed a commercial solution. :) Or, more seriously, buy "MailScanner Enterprise" from Steve and Julian's company. --J(K) From jrudd at UCSC.EDU Mon Mar 1 22:04:11 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <4043B35B.3E1D45AC@ucsc.edu> > "Limmer, Jim" wrote: > > My company has budgeted a good amount of money for a spam/virus > filtering email gateway, similar to what I can accomplish with > mailscanner. We've tested a few commercial products, none to our > satisfaction. While we are meeting with their sales staff I typically > jot down each application they are using. It's amazing the amount of > money some of these vendors are charging for what is 99% open source > software. Typically these boxes are running redhat, postfix, sa, > razor... the list goes on. The only proprietary software I see on > these boxes are their web gui front ends, which are typically > attractive, but IMHO - useless. > > Anyway, the question was put to me today - how can you justify wanting > to spend valuable man hours building and configuring our own system > based on open source, when we've already budgeted enough money to > cover a commercial solution? > > While the simple answers are the ones that make sense to us > technological people > > 1> open source is good. > 2> personal satisfaction of putting your own system together > 3> It's just darn cool & techno-geeky. > 1) With the open source solution, you likely will have exactly the system you need instead of something that is dictated to you by the commercial vendor (this is especially true with the 2nd item I'm about to mention, but even without that, you are always able to tailor the code to your needs, where with non-open solutions you are often prevented from going down that path). 2) MailScanner's developer is very attentive to the needs of his user community, is up front about what features he will or won't add, and has even changed his mind through discussion with his users about features. 
I have yet to meet a commercial vendor that does any of those things. 3) By using Open Source software, you're not locked into the whims or economic ups and downs of a commercial vendor. If the developer decides to change directions, abandon the project, etc. you're basically in the cold with the non-open source solution. With open source, you and the community can pick up where the developer left off. 4) With the specifics you've mentioned, they're basically charging you money for a pretty (and useless) gui as a front end to tools you can otherwise get for free. I would counter with the question "how can you justify paying for their product when the same or better is free?" 5) With Mailscanner specifically, you're not locked into specific platforms (both on the hardware and software fronts). If, for whatever reason, your IT staff decides that it is time to change platforms, you can do so without significant changes in your service offering. These days, it's harder and harder to find vendors that support identical software on multiple platforms. Don't let vendors dictate your hardware, OS, and MTA choices to you. From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 1 22:17:06 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner problems In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> Message-ID: <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca> On Mon 01/03/2004 at 16:53, John McKee wrote: > Good afternoon, > > > I've recently installed MailScanner for the sole purpose of blocking > attachments. I am not interested in Spam blocking or antivirus scanning > (via MailScanner) at this time. > > My problem is that although the types are specified, .txt, .bat,. pif, > etc. they are all being allowed through. > > I haven't been able to locate a log file specifically for > MailScanner. I have watched traffic through /var/spool/maillog and > messages on var/spool/messages; but nothing is making itself apparent. > MailScanner does appear to be running, determined through various > restarts via 'service MailScanner restart". > > Fedora Core 1. Sendmail 8.12.10. > > I have scanned the help files, google, etc. Where else can I look? > I'm willing to post various log files, confs, etc if someone can help me > out. > > Thanks, > John McKee John, You probably have sendmail running alongside MailScanner. Do "service sendmail stop" and "chkconfig sendmail off", make sure no sendmail is still running and then restart MailScanner. Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From kevins at BMRB.CO.UK Mon Mar 1 22:22:11 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner problems In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> Message-ID: <1078179731.428.21.camel@bach.kevinspicer.co.uk> On Mon, 2004-03-01 at 21:53, John McKee wrote: > I've recently installed MailScanner for the sole purpose of blocking > attachments. I am not interested in Spam blocking or antivirus scanning > (via MailScanner) at this time. > > My problem is that although the types are specified, .txt, .bat,. pif, > etc. they are all being allowed through. > I have scanned the help files, google, etc. Where else can I look? > I'm willing to post various log files, confs, etc if someone can help me > out. > May I hazard a guess that perhaps you have set Virus Scanning = no in MailScanner.conf? Because filename and filetype rules are considered part of the virus scanning process this will turn these checks off. Try setting Virus Scanning = yes Virus Scanners = none BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:18:39 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner problems In-Reply-To: <1078178015.2258.72.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> Message-ID: <6.0.1.1.2.20040301221524.04403e58@imap.ecs.soton.ac.uk> At 21:53 01/03/2004, you wrote: >Good afternoon, > > > I've recently installed MailScanner for the sole purpose of blocking >attachments. I am not interested in Spam blocking or antivirus scanning >(via MailScanner) at this time. > > My problem is that although the types are specified, .txt, .bat,. pif, >etc. they are all being allowed through. > > I haven't been able to locate a log file specifically for >MailScanner. I have watched traffic through /var/spool/maillog and >messages on var/spool/messages; but nothing is making itself apparent. >MailScanner does appear to be running, determined through various >restarts via 'service MailScanner restart". MailScanner logs into /var/log/maillog via your normal syslog service. Its log entries are all marked with "MailScanner". You should set "Virus Checking = yes" and "Virus Scanners = none" to get the effect you want. The "Virus Checking" option controls the filename and filetype checking as well as the actual virus scanning, for historical reasons. > Fedora Core 1. Sendmail 8.12.10. I have run it myself on this exact configuration, so I know it works just fine. Did you install it by running the "./install.sh" script as instructed? > I have scanned the help files, google, etc. Where else can I look? >I'm willing to post various log files, confs, etc if someone can help me >out. > >Thanks, >John McKee -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 21:55:14 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: ANNOUNCE: Stable 4.27.7 released In-Reply-To: <4043708E.642C0511@ihs.com> References: <6.0.1.1.2.20040301112301.07342c80@imap.ecs.soton.ac.uk> <40437011.660C81E6@ihs.com> <4043708E.642C0511@ihs.com> Message-ID: <6.0.1.1.2.20040301215346.02d92ec8@imap.ecs.soton.ac.uk> At 17:19 01/03/2004, you wrote: >Dustin Baer wrote: > > > > Julian Field wrote: > > > > > > > > - Added options to add new headers containing the envelope sender and/or > > > envelope recipients addresses. The names of the headers are, of > course, > > > configurable. > > > > Is there a reason that these headers (X-MailScanner-To:, > > X-MailScanner-From:) don't include %org-name%? > >WHOOPS! Accidentally clicked send. > >Obviously, this can be changed to "X-%org-name%-MailScanner-From:", but >I wanted to make sure there wasn't a good reason not to add %org-name%. I did it to minimise the information leakage caused when people Bcc people, which these headers cause to be shown in the message headers. Headers added by later MailScanners will override those placed by earlier ones, which will reduce the Envelope-To to just those in your domain, -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:07:58 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner vs. SpamKiller [SCANNED] In-Reply-To: References: <6.0.1.1.2.20040301165724.03a21a58@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040301220603.04346008@imap.ecs.soton.ac.uk> At 19:10 01/03/2004, you wrote: >On 3/1/04 10:58 AM, "Julian Field" wrote: > > > > > If Net::DNS is not installed, that would make a huge difference to your > > spam-spotting success rate. SpamAssassin would not be checking any of the > > RBL's, you would only get MailScanner RBL checking (which doesn't rely on > > Net::DNS). > >So using the above method or perl mod, should we turn RBL off in MS and on >in SA then? There are pros and cons for using the RBLs in any of 1) MTA 2) MailScanner 3) SpamAssassin This has been discussed here before. You definitely want at least (3). Use (1) if you want to reject connections at SMTP time. Use (2) if you want membership of any RBL to cause a message to be considered as spam. Certainly reasonable with the SBL and XBL blacklists from spamhaus.org (there is 1 list that combines both of them). >Sorry for sounding dumb, the SA part of all this is the more confusing >thing, MS seems to be for the most part straight forward. >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:05:32 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: F-Prot - Debian - MailScanner paths [SCANNED] In-Reply-To: References: <6.0.1.1.2.20040301170929.03cecc68@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040301220455.0433bbe0@imap.ecs.soton.ac.uk> The f-prot-autoupdate should (unless the Debian packagers have played with it) take the installation directory on the command line, just like the f-prot-wrapper does. At 18:52 01/03/2004, you wrote: >On 3/1/04 11:11 AM, "Julian Field" wrote: > > > The non-Debian versions of MailScanner all expect /usr/local/f-prot to be > > the installation directory by default. > > You will need to change the path in /etc/MailScanner/virus.scanners.conf or > > wherever the Debian guys have put that file. Don't alter the scripts at > all. > >Okay we have modified the virus.scanners.conf > >Old >f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/lib/f-prot >New >f-prot /etc/MailScanner/wrapper/f-prot-wrapper /usr/local/f-prot > >Looks like that was the cure :)) > >But on the /etc/MailScanner/autoupdate/f-prot-autoupdate > >We have > >use Sys::Syslog; >use IO::File; ># Stop syslogd from needing external access (or -r) >eval { Sys::Syslog::setlogsock('unix'); }; > >$PackageDir = "/usr/lib/f-prot"; > > >And > > ># N.B. TempDir DIRECTORY WILL BE CLEARED so ># you *really* don't want to share it with ># anything else. >$TempDir = "/var/tmp/f-prot"; >$DefDir = "/var/lib/f-prot"; > > >Will the autoupdate know to tap into /usr/local/f-prot Those looked >hard-coded? > >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Mar 1 22:04:02 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:52 2006 Subject: bigevil, backhair... STILL confused In-Reply-To: <404384F1.7040701@ucgbook.com> References: <6.0.0.22.0.20040301125037.024c8e68@xanadu.evi-inc.com> <404384F1.7040701@ucgbook.com> Message-ID: <6.0.1.1.2.20040301220252.04383e18@imap.ecs.soton.ac.uk> At 18:46 01/03/2004, you wrote: >Matt Kettler wrote: >>1) Why do you have local.cf symlinked to your spam.assassin.prefs.conf ? >> >>In general that's a bad idea. If nothing else, you're forcing SA to >>double-parse that file when mailscanner initializes. > >Would this double-parsing be invoked every time a message is scanned by >MS/SA or only at the start of a new MS child? Only at the start of a new MS child, so it's no big deal. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jmckee at RESODYN.COM Mon Mar 1 22:23:02 2004 
From: jmckee at RESODYN.COM (John McKee) Date: Thu Jan 12 21:22:52 2006 Subject: MailScanner problems In-Reply-To: <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179426.13811.226.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1078179782.2258.77.camel@localhost.localdomain> Denis, Thanks for the reply. I tried what you suggested and it didn't work apparently. Can I try something else, check a log file for that last command set? It did throw this on the Mailscanner restart "incoming sendmail: head: /var/run/sm-client.pid: No such file or directory" Thanks, John McKee On Mon, 2004-03-01 at 15:17, Denis Beauchemin wrote: > On Mon 01/03/2004 at 16:53, John McKee wrote: > > Good afternoon, > > > > > > I've recently installed MailScanner for the sole purpose of blocking > > attachments. I am not interested in Spam blocking or antivirus scanning > > (via MailScanner) at this time. > > > > My problem is that although the types are specified, .txt, .bat,. pif, > > etc. they are all being allowed through. > > > > I haven't been able to locate a log file specifically for > > MailScanner. I have watched traffic through /var/spool/maillog and > > messages on var/spool/messages; but nothing is making itself apparent. > > MailScanner does appear to be running, determined through various > > restarts via 'service MailScanner restart". > > > > Fedora Core 1. Sendmail 8.12.10. > > > > I have scanned the help files, google, etc. Where else can I look? > > I'm willing to post various log files, confs, etc if someone can help me > > out. > > > > Thanks, > > John McKee > > John, > > You probably have sendmail running alongside MailScanner. Do "service > sendmail stop" and "chkconfig sendmail off", make sure no sendmail is > still running and then restart MailScanner. > > Denis From jmckee at RESODYN.COM Mon Mar 1 22:26:46 2004 
From: jmckee at RESODYN.COM (John McKee) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078179731.428.21.camel@bach.kevinspicer.co.uk> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk> Message-ID: <1078180005.2258.79.camel@localhost.localdomain> Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "Resodyn Corp-Attachment-Warning.txt" attachment(s) for more information. This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "the entire message" is on the list of unacceptable attachments for this site and has been replaced by this warning message. Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the original attachment. At Mon Mar 1 15:22:28 2004 the virus scanner said: MailScanner: (msg-10413-745.txt) -- Postmaster MailScanner thanks transtec Computers for their support From mikea at MIKEA.ATH.CX Mon Mar 1 22:29:38 2004 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. In-Reply-To: <20040301215603.9ED4721C141@mail.fsl.com>; from steve.swaney@FSL.COM on Mon, Mar 01, 2004 at 04:54:01PM -0500 References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> <20040301215603.9ED4721C141@mail.fsl.com> Message-ID: <20040301162938.A71816@mikea.ath.cx> On Mon, Mar 01, 2004 at 04:54:01PM -0500, Stephen Swaney wrote: > ________________________________________ 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Limmer, Jim
> Sent: Monday, March 01, 2004 4:35 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Justification for mailscanner.
>
>
> My company has budgeted a good amount of money for a spam/virus filtering
> email gateway, similar to what I can accomplish with mailscanner. We've
> tested a few commercial products, none to our satisfaction. While we are
> meeting with their sales staff I typically jot down each application they
> are using. It's amazing the amount of money some of these vendors are
> charging for what is 99% open source software. Typically these boxes are
> running redhat, postfix, sa, razor the list goes on. The only proprietary
> software I see on these boxes are their web gui front ends, which are
> typically attractive, but IMHO - useless.
> Anyway, the question was put to me today - how can you justify wanting to
> spend valuable man hours building and configuring our own system based on
> open source, when we've already budgeted enough money to cover a commercial
> solution?
> While the simple answers are the ones that make sense to us technological
> people
> 1> open source is good.
> 2> personal satisfaction of putting your own system together
> 3> It's just darn cool & techo-geeky.
>
> I believe;
>
> 1. It's the best solution at any price.
>
> 2. It provides more features than any other commercial application.
>
> 3. It's updated much more frequently than the commercial solutions. This is
> very important in accurately detecting spam. It's a race between the
> spammers and SpamAssassin and the ruleset writers.
>
> 4. It can use multiple virus scanners of your choice at the same time. This
> was very important today where a lot of folks got burned by a single virus
> scanner (thank you ClamAV!). Your virus scanners are updated hourly.
>
> I'm sure you'll get a few other responses :)

I'll add to Steve's observations my own: The price was right.
The bosses here at WeBuildHighways would have devoted one full-time equivalent to this function in any event, whether the solution was free or commercial, because we were being swamped. The proposed solution would have required a Sun or RS/6K box, and (I'm told) products that would have cost upward of US$30K/year in license fees, as well as that same FTE. My solution has been MailScanner, SpamAssassin, and ClamAV, all on top of FreeBSD. Every bit and byte of it has been free, as have the PeeCees, which were rescued from our to-surplus pile. The only costs have been for power and my salary, both of which would have been costs in any event. I have far better control, don't have to worry about contract and license expiration, and have at least as good support here and in the SpamAssassin-Talk list as I've ever had from any contract vendor. Ditto for FreeBSD and ClamAV. If they _insist_ on commercial support, it's available for FreeBSD and (IIRC) for MailScanner, and ISTR it may be available for SpamAssassin as well. They don't have to use ClamAV; they can pay for something else that's not-quite-as-good. This stuff Just Works, and my bosses at all levels have expressed complete satisfaction with the open-source solution. If you've got money in the budget for a commercial solution, use some of it to license the commercial AV scanners. See if the remainder can be used for getting you more-and-better hardware. Show your bosses that you're _saving_ money, and what you're spending is being spent wisely. I'd turn the question around: when there's a good, free solution to the problem, how can they justify paying for a commercial solution? That's like going into a restaurant and buying a meal when it's raining soup! -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From mikes at HARTWELLCORP.COM Mon Mar 1 22:32:09 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com> Kevin Spicer wrote: [snip] > I therefore propose that update_virus_scanners be moved from > /etc/cron.hourly to a file in /etc/cron.d and that the minute at which > it is scheduled in that file be generated either at random or be the > same as the minute at which the file was installed. Obviously this > would involve generating the file as part of the install process. But it's not an issue if you are running freshclam in daemon mode, is it? -- Michael St. Laurent Hartwell Corporation From kevins at BMRB.CO.UK Mon Mar 1 22:32:15 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180005.2258.79.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk> <1078180005.2258.79.camel@localhost.localdomain> Message-ID: <1078180335.32607.24.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 22:26, John McKee wrote:
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).

Looks like you have a botched regular expression in your filename.rules.conf. Suggest you restore the original.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From lindsay at PA.NET Mon Mar 1 22:35:38 2004
From: lindsay at PA.NET (Lindsay Snider) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. In-Reply-To: <018a01c3ffd9$a4f80690$0501a8c0@darkside> References: <018a01c3ffd9$a4f80690$0501a8c0@darkside> Message-ID: <4043BABA.5080607@pa.net>

Jason Balicki wrote:
> Pocket the money and just tell them you've installed a commercial
> solution. :)
>
> Or , more seriously, buy "MailScanner Enterprise" from Steve and
> Julian's company.

I'd love to see you take the money and send it to Julian for all of his efforts.

-lindsay

>
> --J(K)

From kevins at BMRB.CO.UK Mon Mar 1 22:35:20 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CF9@hart-exchange.hartwellcorp.com> Message-ID: <1078180520.32607.27.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 22:32, Michael St. Laurent wrote:
> Kevin Spicer wrote:
> [snip]
> > I therefore propose that update_virus_scanners be moved from
> > /etc/cron.hourly to a file in /etc/cron.d and that the minute at which
> > it is scheduled in that file be generated either at random or be the
> > same as the minute at which the file was installed. Obviously this
> > would involve generating the file as part of the install process.
>
> But it's not an issue if you are running freshclam in daemon mode, is it?
>

Probably not, but most MailScanner users won't be, they'll be using upgrade_virus_scanners. This is the best solution since it stops scanning whilst updating so there's no risk of using a corrupted or partial database.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Mon Mar 1 22:37:58 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180335.32607.24.camel@bach.kevinspicer.co.uk> Message-ID:

Hi!

> > Warning: This message has had one or more attachments removed
> > Warning: (the entire message).
>
> Looks like you have a botched regular expression in your
> filename.rules.conf. Suggest you restore the original.

It seems he got it working now hihi :)

Bye,
Raymond.

From mikes at HARTWELLCORP.COM Mon Mar 1 22:48:15 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com>

Raymond Dijkxhoorn wrote:
>> This virus is spreading rapidly, we've seen it overnight (although
>> not in its password protected form - but we had no way of spotting
>> that so it may have got through).
>
> Also in non protected zips...
>
> It's in our top10 of today:
>
> 4747 W32/Netsky.B@mm
> 1275 W32/Swen.A@mm
> 404 W32/Sober.C@mm
> 337 W32/Mydoom.A@mm
> 200 W32/Netsky.C@mm
> 126 W32/Bugbear.B@mm
> 96 W32/Bagle.F@mm
> 57 W32/Bagle.E@mm
> 49 W32/Mydoom.E@mm
> 19 W32/Mimail.J@mm

Ohhh, you have a top 10 virus summary report script? Would you mind sharing that? I'd love to send that out to management each morning.

--
Michael St. Laurent
Hartwell Corporation

From mikes at HARTWELLCORP.COM Mon Mar 1 22:50:06 2004
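Raymond's script is not posted in the thread, so the following is an added example and not his code: a small top-N summary built from virus report lines of the shape MailScanner puts in its notifications ("ClamAV: application.pif contains Worm.SomeFool.B-petite", a line that appears in David Thurman's message later in this archive). The sample report lines are constructed; how you collect them on your own gateway (syslog, quarantine notes, a MailScanner log) is left to you.

```python
# Added example, not the script asked about above. Parses
# "<scanner>: <attachment> contains <virus name>" report lines and ranks the
# virus names by count. SAMPLE_REPORTS is constructed for this example.
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# The attachment name may contain spaces, so it is matched lazily up to the
# last " contains "; the virus name is the final whitespace-free token.
REPORT_RE = re.compile(
    r"^(?P<scanner>[^:]+):\s+(?P<file>.+?)\s+contains\s+(?P<virus>\S+)\s*$")


def parse_report(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (scanner, attachment, virus) or None for lines that are not
    virus reports (e.g. MailScanner's own filename warnings)."""
    m = REPORT_RE.match(line.strip())
    return (m["scanner"], m["file"], m["virus"]) if m else None


def top_viruses(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Most frequent virus names, highest count first; ties keep the order in
    which the names were first seen (Counter.most_common behaviour)."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_report(line)
        if parsed:
            counts[parsed[2]] += 1
    return counts.most_common(n)


def format_summary(ranked: List[Tuple[str, int]]) -> str:
    """Right-aligned count followed by the name, one per line, like the
    top-10 list quoted above."""
    width = max((len(str(count)) for _, count in ranked), default=1)
    return "\n".join(f"{count:>{width}} {name}" for name, count in ranked)


# Constructed sample: six detections plus one MailScanner filename warning,
# which is not a virus report and must be ignored by the parser.
SAMPLE_REPORTS = [
    "ClamAV: application.pif contains Worm.SomeFool.B-petite",
    "ClamAV: message.zip contains Worm.SomeFool.B-petite",
    "ClamAV: document.zip contains Worm.Bagle.F",
    "ClamAV: price list.pif contains Worm.SomeFool.B-petite",
    "ClamAV: readme.exe contains Worm.Bagle.F",
    "ClamAV: photo.scr contains Worm.Mydoom.A",
    "MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (application.pif)",
]

if __name__ == "__main__":
    print(format_summary(top_viruses(SAMPLE_REPORTS)))
```

Feed it the report lines for one day and mail the output; the parser deliberately drops anything without a "contains" clause, so MailScanner's own filename warnings do not inflate the counts.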
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com> Kevin Spicer wrote: > Probably not, but most MailScanner users won't be, they'll be using > upgrade_virus_scanners. This is the best solution since it stops > scanning whilst updating so theres no risk of using a corrupted or > partial database. Mmmm, yes, I see that in /etc/cron.hourly. That means that I'm doing double duty :-( I should turn off the freshclam daemon then? -- Michael St. Laurent Hartwell Corporation From kevins at BMRB.CO.UK Mon Mar 1 22:59:50 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: Virus update times In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB02C56CFD@hart-exchange.hartwellcorp.com> Message-ID: <1078181990.7996.29.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 22:50, Michael St. Laurent wrote:
> Kevin Spicer wrote:
> > Probably not, but most MailScanner users won't be, they'll be using
> > upgrade_virus_scanners. This is the best solution since it stops
> > scanning whilst updating so theres no risk of using a corrupted or
> > partial database.
>
> Mmmm, yes, I see that in /etc/cron.hourly. That means that I'm doing double
> duty :-( I should turn off the freshclam daemon then?
>

Yes, I think the clam folks would probably prefer if you did ;)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From rich at MAIL.WVNET.EDU Mon Mar 1 23:11:40 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <200403011039.26528.leduc@cts.com> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> Message-ID: <4043C32C.5050204@mail.wvnet.edu>

Gene LeDuc wrote:
>Hi Kevin,
>
>My company has always blocked passworded zips. If the gateway can't unzip the
>file, it gets blocked. It's a brain-dead gateway, so I won't embarrass
>myself (by association) by saying what it is.
>
>On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote:
>
>>This virus is spreading rapidly, we've seen it overnight (although not in
>>its password protected form - but we had no way of spotting that so it may
>>have got through).
>>
>>I'm now blocking zip files (making me not very popular this morning!).
>>
>>Time to start a discussion about ways to block password protected zip
>>files?
>>
>>

Kevin, Did you find a way to block only password protected zips? We've seen a couple of hundred Bagle.F and Bagle.H incidents today. An update from McAfee started catching Bagle.F but not Bagle.H yet. For now I'm blocking all zips. I'd like to just block the password protected ones but haven't figured out a way to do it. I suspect McAfee uses a simplistic approach to detecting this. I won't go into why I think this for security reasons. I do think we're rapidly heading towards permanently restricted password protected zips. If the content of any type of file can't be validated then we'll have to restrict it. So, any idea how to do this?

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From kk at KEEPMEDIA.COM Mon Mar 1 23:02:43 2004
From: kk at KEEPMEDIA.COM (Kristine Kimm) Date: Thu Jan 12 21:22:52 2006 Subject: deny allow rules Message-ID:

Hello,

Perhaps this question has already been answered - I have been unable to yet find an answer in the archives.

Is it possible to deny all .zip files but allow a .zip with a specified name? I tried the following in filename.rules.conf:

    allow   ^test\.zip$   -   -
    deny    \.zip$        -   -

But the deny always seems to be applied. Is there a way to set an override for an allow? I thought order in the file might have an impact but deny always was applied regardless of which statement came first.

Thanks in advance for assistance with this question.

-KK

From doko at CS.TU-BERLIN.DE Mon Mar 1 23:12:26 2004
From: doko at CS.TU-BERLIN.DE (Matthias Klose) Date: Thu Jan 12 21:22:52 2006 Subject: F-Prot - Debian - MailScanner paths In-Reply-To: References: Message-ID: <16451.50010.999979.307502@gargle.gargle.HOWL>

installing the f-prot-installer package should be fine.

Dave's List Addy writes:
> We have MailScanner running great here, using Clam but we want to test
> F-Prot to see if we want an additional VS to catch all these bad email
> viruses (sp)
>
> In looking at the notices sent to us to make sure we are getting viruses
> caught I only see Clam running the scan;
>
> Report: ClamAV: application.pif contains Worm.SomeFool.B-petite
> MailScanner: Shortcuts to MS-Dos programs are very dangerous in
> email (application.pif)
>
> We did the .deb install of F-Prot from their site and it seems that
> everything is in /usr/local/f-prot and in looking at the f-prot wrapper and
> autoupdate in MS the paths all want /usr/lib/f-prot :(
>
> Should we ln -s /usr/lib/f-prot /usr/local/f-prot or change the MS settings
> in f-prot wrapper and autoupdate? Which is the better path to take, not the
> easiest:))
>
> One other thing (If I should post a separate message I can, whack me on the
> head)
>
> Still trying to get this whole SA and Bayes and custom rules figured out,
> any good pointers would be great too, we are using BigEvil, Backhair and
> James Grey's rules in /etc/mail/spamasassin/ I am to assume that MailScanner
> will know to pickup these additional rules here? But the above is more of a
> concern.
>
> TIA
> --
> Thanks!!
> David Thurman
> List Only at Web Presence Group Net

From shrek-m at GMX.DE Mon Mar 1 23:18:40 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:52 2006 Subject: {Filename?} Re: MailScanner problems In-Reply-To: <1078180005.2258.79.camel@localhost.localdomain> References: <1078178015.2258.72.camel@localhost.localdomain> <1078179731.428.21.camel@bach.kevinspicer.co.uk> <1078180005.2258.79.camel@localhost.localdomain> Message-ID: <4043C4D0.1080504@gmx.de>

John McKee wrote:
>Warning: This message has had one or more attachments removed
>Warning: (the entire message).
>Warning: Please read the "Resodyn Corp-Attachment-Warning.txt" attachment(s) for more information.
>
>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail attachment "the entire message"
>is on the list of unacceptable attachments for this site and has been
>replaced by this warning message.
>
>Due to limitations placed on us by the Regulation of Investigatory Powers
>Act 2000, we were unable to keep a copy of the original attachment.
>
>At Mon Mar 1 15:22:28 2004 the virus scanner said:
> MailScanner: (msg-10413-745.txt)
>
>

AFAIR you have to allow txt and html, afterwards deny .

--
shrek-m

From kevins at BMRB.CO.UK Mon Mar 1 23:25:25 2004
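Both the "deny all .zip but allow test.zip" question and the "allow txt and html, then deny" reply above turn on the same point: the order of the rules. The following is an added example, not MailScanner's own code, that evaluates rules of the filename.rules.conf shape under the assumptions that rules are tried in file order, the first regex that matches decides, regexes are matched case-insensitively, and a file that matches nothing is allowed. The three rule sets are constructed; the first reproduces the question's two lines, the second swaps them, and the third is the "allow the known types, then deny the rest" shape from the reply.

```python
# Added example (not MailScanner's code): first-match evaluation of
# filename.rules.conf-style rules. Assumed layout: one rule per line, fields
# separated by tabs (allow|deny, regex, log text, user report text), "-" for
# "no text"; whitespace-separated lines, as in the question above, are also
# accepted. The rule sets below are constructed.
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str              # "allow" or "deny"
    pattern: "re.Pattern"    # compiled regex, searched against the filename
    log_text: str            # what the gateway would log
    report_text: str         # what the recipient would be told


class Decision(NamedTuple):
    action: str
    log_text: str
    report_text: str
    rule_index: Optional[int]   # None when no rule matched and the default applied


def parse_rules(text: str) -> List[Rule]:
    """Parse rules in file order; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line) if "\t" in line else line.split(None, 3)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <regex> <log> <report>'")
        fields += ["-"] * (4 - len(fields))          # missing text fields mean "-"
        action, regex, log_text, report_text = fields[:4]
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE),
                          log_text, report_text))
    return rules


def decide(rules: List[Rule], filename: str, default: str = "allow") -> Decision:
    """The first rule whose regex matches wins; later rules are never consulted,
    so an 'allow' placed after a broader 'deny' can never take effect."""
    for index, rule in enumerate(rules):
        if rule.pattern.search(filename):
            return Decision(rule.action, rule.log_text, rule.report_text, index)
    return Decision(default, "-", "-", None)


# Constructed rule sets (tab-separated, as a real filename.rules.conf is).
ALLOW_FIRST = "\n".join([
    "allow\t^test\\.zip$\t-\t-",
    "deny\t\\.zip$\tZip archive blocked\tZip archives are not accepted here",
])
DENY_FIRST = "\n".join(ALLOW_FIRST.splitlines()[::-1])
TEXT_THEN_DENY_ALL = "\n".join([
    "allow\t\\.txt$\t-\t-",
    "allow\t\\.html?$\t-\t-",
    "deny\t.\tUnlisted attachment type\tOnly .txt and .html attachments are accepted",
])

if __name__ == "__main__":
    for label, text in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST),
                        ("txt/html then deny all", TEXT_THEN_DENY_ALL)):
        rules = parse_rules(text)
        for fn in ("test.zip", "TEST.ZIP", "other.zip", "notes.txt", "setup.exe"):
            print(f"{label:23} {fn:10} -> {decide(rules, fn).action}")
```

With the specific allow ahead of the general deny, test.zip passes and every other .zip is refused; with the lines swapped the deny matches first and the allow is dead. The catch-all "deny ." in the third set only works because the allow lines precede it, which is the shape the reply describes.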
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:52 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: <4043C32C.5050204@mail.wvnet.edu> References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu> Message-ID: <1078183526.7996.35.camel@bach.kevinspicer.co.uk>

On Mon, 2004-03-01 at 23:11, Richard Lynch wrote:
> Kevin, Did you find a way to block only password protected zips?

No, I got as far as trying to persuade Julian that this would be a good feature to add to the zip file recursion code in the latest beta. I'm blocking all zips for now too. I don't think there's any 'security' implications in discussing McAfee's workaround (maybe you looked security up in a Microsoft dictionary). It's a common sense approach, but doubtless one that will be defeated by future viruses

> We've
> seen a couple of hundred Bagle.F and Bagle.H incidents today. An update
> from Mcafee started catching Bagle.F but not Bagle.H yet. For now I'm
> blocking all zips. I'd like to just block the password protected ones
> but haven't figured out a way to do it. I suspect Mcafee uses a
> simplistic approach to detecting this. I won't go into why I think this
> for security reasons. I do think were rapidly heading towards
> permanently restricted password protected zips. If the content of any
> type of file can't be validated then we'll have to restricted it. So,
> any idea how to do this?
>
> --
> Richard E. Lynch
> Systems Programming Manager
> West Virginia Network (WVNET)
> 837 Chestnut Ridge Road
> Morgantown, WV 26505
> (304) 293-5192 x243

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mikes at HARTWELLCORP.COM Mon Mar 1 23:32:11 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:52 2006 Subject: Defunct MailScanner procs Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.hartwellcorp.com>

I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct MailScanner processes on my system. I don't know if they existed before the upgrade or not as I didn't really go looking for them. Does this indicate a problem?

--
Michael St. Laurent
Hartwell Corporation

From brent.addis at ROAMAD.COM Mon Mar 1 23:50:04 2004
From: brent.addis at ROAMAD.COM (Brent Addis) Date: Thu Jan 12 21:22:52 2006 Subject: AVG Message-ID: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>

Hey

A couple of weeks ago I queried the possibility of MailScanner supporting AVG, I was just wondering if anything had been done on this at all? Management want some sort of solution using AVG, and it would be most cool if MailScanner could do it.

thanks :)

--
Brent Addis
Systems Administrator

From miguelk at konsultex.com.br Tue Mar 2 01:14:01 2004
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Thu Jan 12 21:22:52 2006 Subject: Justification for mailscanner. In-Reply-To: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> References: <5A1D8FAF546576439E5E0BEE5E4E772A01C2B019@ENTERPRISEA.CURAGEN.COM> Message-ID: <20040302010054.M33911@konsultex.com.br>

Jim;

I'm sure others have replied along these lines to your question but I'll add to this because I want to reinforce the message. The reason I use open source (Mail Scanner) and the reason we recommend it and install/configure it for others is:

1) You can use the amount you already budgeted for other good uses like solid hardware and more profits (or better salaries). Better hardware, usually, reduces costs and leads to more profits because of the reduced maintenance and all around problems. So it is in my experience.

2) Having control over your infrastructure is extremely important; you must know what is running on your infrastructure and how to correct problems.

3) Being able to tweak the code in an emergency is priceless.

4) Implementing MailScanner/Clam is in my opinion as easy as any other solution (perhaps even easier).

5) All the effort you put into tweaking the configuration is knowledge invested into the people in the company, making the knowledge base of the company more valuable.

Of course you have to remember that this applies to the mail server only. If you count Clam it applies to a samba file server too. But for a complete system you need protection for Windows servers and workstations. That's where the traditional vendors come in. So if you have a company with a Unix/Linux mail server and Linux/samba file and print servers you just need to spend a little (or a lot) for the Windows (and Mac) PCs.

Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

---------- Original Message -----------
From: "Limmer, Jim" To: MAILSCANNER@JISCMAIL.AC.UK Sent: Mon, 1 Mar 2004 16:35:05 -0500 Subject: Justification for mailscanner.
> My company has budgeted a good amount of money for a spam/virus
> filtering email gateway, similar to what I can accomplish with
> mailscanner. We've tested a few commercial products, none to our
> satisfaction. While we are meeting with their sales staff I typically
> jot down each application they are using. It's amazing the amount of
> money some of these vendors are charging for what is 99% open source
> software. Typically these boxes are running redhat, postfix, sa,
> razor... the list goes on. The only proprietary software I see on these
> boxes are their web gui front ends, which are typically attractive, but
> IMHO - useless.
>
> Anyway, the question was put to me today - how can you justify wanting
> to spend valuable man hours building and configuring our own system
> based on open source, when we've already budgeted enough money to cover
> a commercial solution?
>
> While the simple answers are the ones that make sense to us
> technological people
>
> 1> open source is good.
> 2> personal satisfaction of putting your own system together
> 3> It's just darn cool & techo-geeky.
>
> Unfortunately, those answers aren't going to satisfy the higher ups.
>
> Anyone seen any good articles, or have any comment that may help me put
> together a good answer to this?
>
> Thanks,
>
> -Jim
>
> --
> This message has been checked by the antivirus system and
> is believed to be free of danger.
------- End of Original Message -------

--
This message has been checked by the antivirus system and is believed to be free of danger.

From schristen at RESOTECH.COM Tue Mar 2 03:46:39 2004
From: schristen at RESOTECH.COM (Stephan Christen) Date: Thu Jan 12 21:22:52 2006 Subject: Messages stuck in queue with Qmail Message-ID: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com>

I struggle now for some time to get my qmail installation working correctly. I know it's quite a long post and therefore even more I appreciate any hint or suggestion somebody can give me. Thank you!

I'm not sure if this is an issue with MailScanner or QMail, but because it happens where both interface I post on this mailing list.

Having a new server with plesk 7.0 management software installed I've wanted to improve my basic qmail server by using MailScanner. The basic qmail server installed by plesk was working perfectly, I was able to send and receive email. On the openprotect side I've found a promising package of opensource tools (MailScanner, SpamAssassin and Clam AV) with support for qmail (still beta they say). In order to support qmail they provide a new qmail-queue binary which basically reroutes all traffic to a newly created 'queue.in' directory.

From matt at FILEHOLDER.NET Tue Mar 2 03:43:32 2004
From: matt at FILEHOLDER.NET (Matt) Date: Thu Jan 12 21:22:52 2006 Subject: SMTP vs. POP3 Scanning Message-ID: <001701c40008$89026370$6500a8c0@matthewmpqowmc>

When a new virus comes out it could be hours before a signature is available for the virus scanner and in that time it could slip into many mailboxes. When it does get in the virus scanner database it does nothing for the mail already in mailboxes. Many users only check their email once a day if that. Would it not be an added benefit to scan at the POP3 phase as well as SMTP?

Just a thought and sorry if this has been covered before. I have got emails from a user before that had his virus scanner catch viruses mine missed. I tell all users they should still keep their virus scanners up to date. But as well as ClamAV + MS has worked for us many don't.

Matt

From list at souil.com Tue Mar 2 03:44:55 2004
From: list at souil.com (Ben) Date: Thu Jan 12 21:22:52 2006 Subject: Get some spams to test the new installation In-Reply-To: <404312AE.6020808@uptime.at> Message-ID: <200432114455.395777@bensil>

Dear David,

That's true, it's not easy to check the accuracy for 100 domains. But at least, before making it to production, I need to further test it in depth and have some ideas on the MS in mind. I have made myself the first one to use the MS, but only a few are caught, about 5% are caught. Yesterday I grepped some more rules on the net and put them in the spamassassin config and it's now much better, about 50% caught. So, more msgs and tests are needed to make it more accurate and I am still testing methods to forward mail to the SA to learn.

Anyway thanks for your info. :>

On Mon, 1 Mar 2004 11:38:38 +0100, David Höhn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
> Ben wrote:
>
>
> | Dear All,
> |
> | How could I get some more spams and hams to test the accuracy of
> my new installation of the MS?
> | I have to make sure it works well before applying it to my server
> with about 100 domains on it.
>
> In short, you do not.
>
> The accuracy of Spamassassin its bayes DB and your set up very much
> depends on the kind of Mail Flow you have and that will differ from
> domain to domain or if you see your installation as a whole, it
> will differ on the 100 domain than what you could actually ever
> test.
>
> The first few weeks of a new Installation will surely be a matter
> of fine tuning things to your needs, the large amount of general
> spam will be caught at once anyways
>
> - -d
>
>
> - --
> nee amata wo mitsukete soshite midoto wasrezu
> ~     domma mi mumega itakutemo soba mi iru mo
> ~                        zutto...zutto...zutto
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>
> iD8DBQFAQxKtPMoaMn4kKR4RAyTpAJ4sa7I/mkpd3EPBHEiQZhjb0pJzwACZAU0d
> IHtz3nq+NlIOWYwxhQl69/Q= =RsXG -----END PGP SIGNATURE-----

From ugob at CAMO-ROUTE.COM Tue Mar 2 03:45:42 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:52 2006 Subject: SMTP vs. POP3 Scanning Message-ID: <54C38A0B814C8E438EF73FC76F362927410951@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Matt [mailto:matt@FILEHOLDER.NET]
>Sent: 1 March 2004 22:44
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: SMTP vs. POP3 Scanning
>
>
>When a new virus comes out it could be hours before a
>signature is available
>for the virus scanner and in that time it could slip into many
>mailboxes.
>When it does get in the virus scanner database it does nothing
>for the mail
>already in mailboxes. Many users only check there email once
>a day if that.
>Would it not be an added benefit to scan at the POP3 phase as
>well as SMTP?
>
>Just a thought and sorry if this has been covered before. I
>have got emails
>from a user before that had his virus scanner catch viruses
>mine missed. I
>tell all users they should still keep there virus scanners up
>to date. But
>as well as ClamAV + MS has worked for us many don't.
>

MailScanner's role stops after the delivery of the message, independently of the way it is retrieved. I think you should do a search on anti-virus with the name of your pop3 server (qpopper?), on google or sourceforge.

Hth

Ugo

>Matt
>

From vinayakm at THEARGONCOMPANY.COM Tue Mar 2 05:14:47 2004
From: vinayakm at THEARGONCOMPANY.COM (Vinayakam Murugan) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age Message-ID: <200403021044.47005.vinayakm@theargoncompany.com> Hi We are using Mailscanner along with Sendmail 8.12 There are a lot of entries in our log which states that Mailscanner dying of old age. Is this a symptom of a deeper problem or a problem by itself? :-) -- Warm Regards ~~~~~~~~~~~~~~~~~~~~~~~ Vinayakam Murugan Tel: 91-22 - 2288 2163 Ext 121 Help Desk: 91-22 - 2288 2774 Fax Number: 91-22 - 2288 2812 http://www.TheArgonCompany.com Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com Linux. The Choice of the GNU generation From james at grayonline.id.au Tue Mar 2 05:39:03 2004 From: james at grayonline.id.au (James Gray) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age In-Reply-To: <200403021044.47005.vinayakm@theargoncompany.com> References: <200403021044.47005.vinayakm@theargoncompany.com> Message-ID: <200403021639.04562.james@grayonline.id.au> On Tue, 2 Mar 2004 04:14 pm, Vinayakam Murugan wrote: > Hi > > We are using Mailscanner along with Sendmail 8.12 > > There are a lot of entries in our log which states that Mailscanner dying > of old age. Is this a symptom of a deeper problem or a problem by itself? > :-) > > > -- > Warm Regards > ~~~~~~~~~~~~~~~~~~~~~~~ > Vinayakam Murugan This is normal behaviour for MailScanner. In MailScanner.conf you'll find an option like this "Restart Every = 14400". As the name suggests this will cause the child to restart after 14400 seconds (4 hours). By doing this, MailScanner works around resource leak and DoS type problems. Julian can explain it much better than I can :) James -- Fortune cookies says: BOFH excuse #303: fractal radiation jamming the backbone From help at opencompt.com Tue Mar 2 05:56:38 2004 
From: help at opencompt.com (Opencomputing Team) Date: Thu Jan 12 21:22:52 2006 Subject: Messages stuck in queue with Qmail In-Reply-To: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com> References: <391A6F65F4C26D468BF61DE634D5A5DC06C6DC@REDWOOD-00.resotech.com> Message-ID: <40442216.9030102@opencompt.com>

Dear Stephan Christen,

> There are no message hung in the "queue.in" directory.

Once messages have got into the real /var/qmail/queue, it is all up to qmail-send to deliver. The part until getting the queue files into /var/qmail/queue is handled by MailScanner.

It would help if you send me the results of the below, preferably off the list:

stop MailScanner or openprotect
send a mail.
get the corresponding /var/qmail/queue.in/intd/xxxxxxx and /var/qmail/queue.in/mess/yy/xxxxxxx where yy = xxxxxxx % conf-split
now stop qmail and start MailScanner or openprotect and get the corresponding /var/qmail/queue/intd/zzzzzzz and /var/qmail/queue/mess/aa/zzzzzzz again, where aa = zzzzzzz % conf-split and zzzzzzz is a random number.

cheers,
Ganesh, KM.

--
Opencomputing Team | Ph/Fax: +91 (0) 44 52166646
Opencomputing Technologies | http://opencompt.com
Server Side E-Mail Protection.

From raymond at PROLOCATION.NET Tue Mar 2 07:49:46 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:52 2006 Subject: Mailscanner dying of old age In-Reply-To: <200403021044.47005.vinayakm@theargoncompany.com> Message-ID:

Hi!

> We are using Mailscanner along with Sendmail 8.12
>
> There are a lot of entries in our log which states that Mailscanner dying of
> old age. Is this a symptom of a deeper problem or a problem by itself? :-)

Never noticed this config setting?

    # To avoid resource leaks, re-start periodically
    Restart Every = 3600

That's what it is.

Bye,
Raymond.

From P.G.M.Peters at utwente.nl Tue Mar 2 08:40:06 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:52 2006
Subject: Virus update times
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AEB6@pascal.priv.bmrb.co.uk>
Message-ID:

On Mon, 1 Mar 2004 19:10:16 +0100, you wrote:
>I would use the domainname to create a semi-random number and the
>machines update at the same time within this domain. Unfortunately, I
>don't know how to do it in perl. Shell could be:
>
># u4 (unsigned) keeps the value non-negative, so the modulo below is never negative
>NUMERICAL_VALUE=`domainname | md5sum | \
> od --address-radix=n --read-bytes 4 --format u4`
>DELAY=$(( NUMERICAL_VALUE % 3600 ))
>
>but this has too many assumptions on installed programs (domainname is too
>much of an assumption).

What about using org-name from MailScanner.conf?
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 2 09:07:33 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: FreeBSD port mailscanner-devel 4.28.1 released
Message-ID:

For all of you who do not want to wait for the port to be submitted...

Regards,
Jan-Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-devel.tgz
Type: application/x-compressed
Size: 9365 bytes
Desc: mailscanner-devel.tgz
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040302/8194f718/mailscanner-devel.bin
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:28:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
Message-ID: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>

This version can now detect and block password-protected zip files.

By default it will block all of them, but you can of course use a ruleset to govern the behaviour of the new option
Allow Password-Protected Archives

Download as usual from www.mailscanner.info.

I wonder what next mysteries and hacks they will throw at me today :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:29:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:52 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <4043C32C.5050204@mail.wvnet.edu>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu>
Message-ID: <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk>

At 23:11 01/03/2004, you wrote:
>Gene LeDuc wrote:
>
>>Hi Kevin,
>>
>>My company has always blocked passworded zips. If the gateway can't
>>unzip the file, it gets blocked. It's a brain-dead gateway, so I won't
>>embarrass myself (by association) by saying what it is.
>>
>>On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote:
>>
>>>This virus is spreading rapidly, we've seen it overnight (although not in
>>>its password protected form - but we had no way of spotting that so it may
>>>have got through).
>>>
>>>I'm now blocking zip files (making me not very popular this morning!).
>>>
>>>Time to start a discussion about ways to block password protected zip
>>>files?
>>>
>Kevin, Did you find a way to block only password protected zips? We've
>seen a couple of hundred Bagle.F and Bagle.H incidents today. An update
>from McAfee started catching Bagle.F but not Bagle.H yet. For now I'm
>blocking all zips. I'd like to just block the password protected ones
>but haven't figured out a way to do it. I suspect McAfee uses a
>simplistic approach to detecting this. I won't go into why I think this
>for security reasons. I do think we're rapidly heading towards
>permanently restricting password protected zips. If the content of any
>type of file can't be validated then we'll have to restrict it. So,
>any idea how to do this?

See 4.28.2.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 2 09:42:15 2004
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
Message-ID:

Will this work for ZIPs only or for RAR etc. as well? Any more perl modules needed?

Do you have a text for the manpage already? :-)

Regards,
JP

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, March 02, 2004 10:29 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ANNOUNCE: Unstable 4.28.2 released
>
> This version can now detect and block password-protected zip files.
>
> By default it will block all of them, but you can of course
> use a ruleset to govern the behaviour of the new option
> Allow Password-Protected Archives
>
> Download as usual from www.mailscanner.info.
From P.G.M.Peters at utwente.nl Tue Mar 2 09:48:51 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:52 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56CFC@hart-exchange.hartwellcorp.com>
Message-ID:

On Mon, 1 Mar 2004 14:48:15 -0800, you wrote:
>Ohhh, you have a top 10 virus summary report script? Would you mind sharing
>that? I'd love to send that out to management each morning.

I have a very rudimentary script that needs a lot of optimizing. But I run it only once a month when I am writing an abuse report for management. I start the script when I start writing the report. When I need the figures the script is ready.

See http://home.student.utwente.nl/p.g.m.peters/MailScanner/report
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
From prandal at HEREFORDSHIRE.GOV.UK Tue Mar 2 09:56:43 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:52 2006
Subject: Justification for mailscanner.
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C59B@jessica.herefordshire.gov.uk>

Free upgrades for ever.

Free technical support, second to none.

Full access to the source, so you can customise it to your own needs, if ever you should want to.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Limmer, Jim
Sent: 01 March 2004 21:35
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Justification for mailscanner.

My company has budgeted a good amount of money for a spam/virus filtering email gateway, similar to what I can accomplish with mailscanner. We've tested a few commercial products, none to our satisfaction. While we are meeting with their sales staff I typically jot down each application they are using. It's amazing the amount of money some of these vendors are charging for what is 99% open source software. Typically these boxes are running redhat, postfix, sa, razor... the list goes on. The only proprietary software I see on these boxes are their web gui front ends, which are typically attractive, but IMHO - useless.

Anyway, the question was put to me today - how can you justify wanting to spend valuable man hours building and configuring our own system based on open source, when we've already budgeted enough money to cover a commercial solution?

While the simple answers are the ones that make sense to us technological people
1> open source is good.
2> personal satisfaction of putting your own system together
3> It's just darn cool & techo-geeky.

Unfortunately, those answers aren't going to satisfy the higher ups. Anyone seen any good articles, or have any comment that may help me put together a good answer to this?

Thanks,
-Jim
From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 09:38:51 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:52 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AF4@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> This version can now detect and block password-protected zip files.
>
> By default it will block all of them, but you can of course use a
> ruleset to govern the behaviour of the new option
> Allow Password-Protected Archives
>
> Download as usual from www.mailscanner.info.

Julian, you never cease to amaze me! Thanks very much, I'll be trying this out this evening.

> I wonder what next mysteries and hacks they will throw at me today :-)

I'm sure we can think of something....

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:41:50 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: Defunct MailScanner procs
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D00@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040302094101.081967e0@imap.ecs.soton.ac.uk>

Check your mail log. You probably have a syntax error somewhere, your log will tell you where.

Or else you might have upgraded from a version that didn't need Net::CIDR and forgotten to read the docs and install that first?

At 23:32 01/03/2004, you wrote:
>I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct MailScanner
>processes on my system. I don't know if they existed before the upgrade or
>not as I didn't really go looking for them.
>
>Does this indicate a problem?
>
>--
>Michael St. Laurent
>Hartwell Corporation
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:40:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: deny allow rules
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040302093927.038e11c0@imap.ecs.soton.ac.uk>

At 23:02 01/03/2004, you wrote:
>Hello,
>Perhaps this question has already been answered - I have been unable to yet
>find an answer in the archives.
>
>Is it possible to deny all .zip files but allow a .zip with a specified
>name?
>
>I tried the following in filename.rules.conf:
>allow ^test\.zip$ - -
>deny \.zip$ - -
>
>But the deny always seems to be applied. Is there a way to set an override
>for an allow?
>
>I thought order in the file might have an impact but deny always was
>applied regardless of which statement came first.

It does indeed check the rules in the order they are given in the file.

Check to ensure you have separated the "fields" on each of those 2 lines with tabs and not just spaces. It is the one place in MailScanner where you have to use tabs, as each of the output strings will normally contain spaces, so MailScanner can't work out where to split up the line.

>Thanks in advance for assistance with this question.
>
>-KK
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:42:07 2004
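A first-match evaluator for filename.rules.conf lines, added here as an illustration of the two points in Julian's reply above (rules are applied in file order, fields must be tab-separated); it is not MailScanner's own parser. The four-field layout (action, regex, log text, user report text) follows the lines in the question; treating "-" as empty text, case-insensitive matching, and allowing a file that matches no rule are assumptions.

```python
import re

# Constructed sample of filename.rules.conf content (not a file from the
# list). The first two rules are the ones from the question, written with
# real tab characters between the fields; the third uses spaces only, which
# is the mistake Julian's reply points at.
SAMPLE_RULES = (
    "# action<TAB>regex<TAB>log text<TAB>user report text\n"
    "allow\t^test\\.zip$\t-\t-\n"
    "deny\t\\.zip$\tZip archive blocked\tZip files are not accepted here\n"
    "deny \\.exe$ - -\n"
)


def parse_rules(text):
    """Split rules into (action, compiled regex, log text, user text).

    Fields must be tab-separated: the log and user texts are free text that
    normally contains spaces, so a space cannot be the delimiter. Lines that
    do not split into at least an action and a regex are reported as errors.
    Treating '-' as 'no text' and case-insensitive matching are assumptions.
    """
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2 or fields[0] not in ("allow", "deny"):
            errors.append((lineno, "fields are not tab-separated: " + line))
            continue
        action, pattern = fields[0], fields[1].strip()
        log_text = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
        user_text = fields[3] if len(fields) > 3 and fields[3] != "-" else ""
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules, errors


def check_filename(rules, filename):
    """Apply the rules in file order; the first regex that matches decides.

    Returns (action, log_text). A file matching no rule is allowed here, an
    assumption standing in for the catch-all rule a real file usually ends with.
    """
    for action, regex, log_text, _user_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", ""


if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_RULES)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for name in ("test.zip", "report.zip", "notes.txt"):
        print(name, "->", check_filename(rules, name))
```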
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: AVG
In-Reply-To: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>
References: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com>
Message-ID: <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk>

Sorry, haven't had time.

At 23:50 01/03/2004, you wrote:
>Hey
>
>A couple of weeks ago I queried the possibility of MailScanner supporting
>AVG, I was just wondering if anything had been done on this at all?
>Management want some sort of solution using AVG, and it would be most
>cool if MailScanner could do it.
>thanks :)
>
>--
>Brent Addis
>Systems Administrator
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From mailscanner at ecs.soton.ac.uk Tue Mar 2 09:56:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040302095435.08195388@imap.ecs.soton.ac.uk>

At 09:42 02/03/2004, you wrote:
>Will this work for ZIPs only or for RAR etc. as well? Any more perl
>modules needed?

Only zips I'm afraid.

>Do you have a text for the manpage already? :-)

Just after "Block Unencrypted Messages" there is now

# Should archives which contain any password-protected files be allowed?
# Leaving this set to "no" is a good way of protecting against all the
# protected zip files used by viruses at the moment.
# This can also be the filename of a ruleset.
Allow Password-Protected Archives = no

Just after "Maximum Attachment Size" there is now

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
Maximum Archive Depth = 3

>Regards,
> JP
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From slwatts at WINCKWORTHS.CO.UK Tue Mar 2 10:50:59 2004
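An added illustration of the two 4.28.2 options Julian describes in the thread above, "Allow Password-Protected Archives" and "Maximum Archive Depth"; this is example code, not MailScanner's implementation. It builds small zip files in memory, reports members whose general-purpose flag bit 0 marks them as password-protected without opening them, and stops unpacking nested zips at a configured depth. That the outer archive counts as depth 1, and that a protected member anywhere within that depth blocks the message, are assumptions.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the local and central headers


def build_zip(members):
    """Construct a minimal stored (method 0) zip in memory.

    members: list of (name, data, encrypted). For an 'encrypted' member only
    the flag bit is set and a 12-byte dummy crypt header is prepended; the
    data is not really encrypted, which is enough for a gateway check that
    never opens such members. Constructed for this example only.
    """
    out = io.BytesIO()
    central = []
    for name, data, encrypted in members:
        flags = ENCRYPTED_FLAG if encrypted else 0
        payload = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        name_b = name.encode("ascii")
        offset = out.tell()
        # local file header: sig, version, flags, method, time, date (1980-01-01),
        # crc, compressed size, uncompressed size, name length, extra length
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                              crc, len(payload), len(data), len(name_b), 0))
        out.write(name_b + payload)
        # central directory entry for the same member
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                   0, 0, 0x21, crc, len(payload), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    # end of central directory record
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members),
                          len(members), len(cd), cd_offset, 0))
    return out.getvalue()


def scan_archive(blob, max_depth, depth=1, prefix=""):
    """Walk a zip and its nested zips, returning (member path, finding) pairs.

    Members flagged as password-protected are reported without being opened.
    Nested zips are unpacked only while depth < max_depth; the outer archive
    counting as depth 1 is an assumption about how the option counts levels.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append((path, "password-protected member"))
            elif info.filename.lower().endswith(".zip"):
                if depth < max_depth:
                    findings.extend(scan_archive(zf.read(info), max_depth,
                                                 depth + 1, path + "/"))
                else:
                    findings.append((path, "nested archive not unpacked (depth limit)"))
    return findings


def archive_allowed(blob, allow_password_protected=False, max_depth=3):
    """Decision in the spirit of 'Allow Password-Protected Archives = no' with
    'Maximum Archive Depth = 3': block when any member within max_depth levels
    is password-protected, unless protected archives are explicitly allowed."""
    if allow_password_protected:
        return True
    return not any(finding == "password-protected member"
                   for _path, finding in scan_archive(blob, max_depth))


# Constructed sample: an outer zip carrying a text file and a nested zip whose
# only member is marked password-protected.
INNER_ZIP = build_zip([("update.exe", b"MZ constructed sample body", True)])
OUTER_ZIP = build_zip([("readme.txt", b"see attached archive", False),
                       ("inner.zip", INNER_ZIP, False)])

if __name__ == "__main__":
    print(scan_archive(OUTER_ZIP, max_depth=3))
    print(scan_archive(OUTER_ZIP, max_depth=1))
    print("allowed:", archive_allowed(OUTER_ZIP))
```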
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:22:53 2006
Subject: Justification for mailscanner.
Message-ID:

Well, in the case of mailscanner there is no real reason to pay through the nose for any other product (IMHO!), unless of course you do not like the way mailscanner works for some reason.

Main reasons for choosing open source in addition to those below:

No lock-in contracts
No forced upgrade
Large support community

The only reason I can see for choosing a commercial product is if you need maintenance contracts - I am sure Julian or perhaps others here would be more than happy to provide such commercial support.

As far as man hours setting up and administering Mailscanner go - if you have linux skills already then it's no more effort than installing a commercial product. If you do not have linux skills then it will take some time to get used to and I would advise you do spend some of that money reserved for this project to get an expert to install it for you.

Perhaps you need to persuade the 'higher ups' that more money does not always equate to more quality. It also helps if you give them the balanced picture for each solution, i.e. factor in man hours for implementation, projected administration and maintenance and training. Open source is by no means free.

From personal experience working with both Mailscanner and one of the main commercial mailsweeping (hint) products I would choose Mailscanner every time - even though it has no built in graphical interface it has been easier to administer and just doesn't go wrong (unless I have done something stupid).

Hope this helps in your decision making....

Sam

P.S. What really sold it to me was when our Mailscanner server blew up (almost literally). It took a whole 30 minutes to set up another server. 20 minutes of that was installing SuSE!

--------------
Winckworth Sherwood Solicitors and Parliamentary Agents
DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR
Telephone 020 7593 5000 Fax 020 7593 5099
From pete at eatathome.com.au Tue Mar 2 11:23:25 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:53 2006
Subject: Justification for mailscanner.
In-Reply-To:
References:
Message-ID: <40446EAD.8090900@eatathome.com.au>

Hasn't someone already given the answer? MailScanner the product is almost no cost (shouldn't use the word free), but the developer HIMSELF offers a PRO support package - what else do you want? A Developer/Author of the product giving you direct support?

Why not use this type of argument to actually get your company to spend what I assume is going to be a small slice of the budget on the MailScanner commercial support version?

There really is nothing they can complain about this way?
From pete at eatathome.com.au Tue Mar 2 11:35:29 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:53 2006
Subject: Justification for mailscanner.
In-Reply-To: <40446EAD.8090900@eatathome.com.au>
References: <40446EAD.8090900@eatathome.com.au>
Message-ID: <40447181.4060708@eatathome.com.au>

Pete wrote:
> Hasn't someone already given the answer? MailScanner the product is
> almost no cost (shouldn't use the word free), but the developer HIMSELF
> offers a PRO support package - what else do you want?

I was going to ask some of you who have to face the original poster's situation of trying to convince the purse strings not to part with money (this probably makes them suss to start with) and go for a no cost solution but requiring more effort - what sort of comments have you had from your IT managers?

Mine proudly announced in a meeting last month that Linux will finally 'arrive' as a serious server solution this year, while looking at me expecting some accompanying comments, and me looking at him like he has just walked down the gangway from his recently landed space ship... Only recently, with so much published material in so many publications, has he been unable to keep to his original arguments for BANNING linux at work, like it's insecure, immature, unsupported etc etc. This guy still enforces the use of an NT4 network and users having 3 or 4 user accounts for services running on the domain, "we don't need directory services" he says... Anyway, we work for a Luddite, so it's interesting to hear what others are up against while trying to implement awesome products like mailscanner...
From pete at eatathome.com.au Tue Mar 2 11:37:25 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:53 2006
Subject: Justification for mailscanner (part 2)
In-Reply-To: <200403012152.PAA12232@yfandes.cs.wisc.edu>
References: <200403012152.PAA12232@yfandes.cs.wisc.edu>
Message-ID: <404471F5.5090402@eatathome.com.au>

David Parter wrote:
>>Anyway, the question was put to me today - how can you justify wanting
>>to spend valuable man hours building and configuring our own system
>>based on open source, when we've already budgeted enough money to cover
>>a commercial solution?
>
>I forgot an important point:
>
> e-mail is so important to this organization, I'm more comfortable with
> in-house expertise to support it. Virus scanning is only part of a
> larger system of mail delivery and transport, which we already
> maintain. It is critical that we are able to support and maintain
> each component ...
>
> --david

Then redundancy would be important - and mailscanner can easily be incorporated, by various methods, to make sure that IF it should fail, it won't stop mail, or mail could be scanned by a 2nd server on lesser hardware while you repair the first, or hold all mail, whatever; no need to make mail delivery dependent on MS being up?
From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 10:37:43 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:53 2006
Subject: SMTP vs. POP3 Scanning
In-Reply-To: <001701c40008$89026370$6500a8c0@matthewmpqowmc>
References: <001701c40008$89026370$6500a8c0@matthewmpqowmc>
Message-ID: <404463F7.5000800@solid-state-logic.com>

Yes I always install a virus scanner on the desktop. Viruses travel not just by email, but IRC, ICQ, html downloads. Securing the incoming email is just part of the solution, not the whole.

Mind you, given the lax way most of the commercial scanners updated for the Netsky-D variant it wouldn't have helped me much anyhow...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Matt wrote:
> When a new virus comes out it could be hours before a signature is available
> for the virus scanner and in that time it could slip into many mailboxes.
> When it does get in the virus scanner database it does nothing for the mail
> already in mailboxes. Many users only check their email once a day if that.
> Would it not be an added benefit to scan at the POP3 phase as well as SMTP?
>
> Just a thought and sorry if this has been covered before. I have got emails
> from a user before that had his virus scanner catch viruses mine missed. I
> tell all users they should still keep their virus scanners up to date. But
> as well as ClamAV + MS has worked for us many don't.
>
> Matt
From rcooper at DWFORD.COM Tue Mar 2 12:45:10 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:53 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID:

Installed 4.28.2 and when I restarted MailScanner the log showed:

Mar 2 07:27:56 srv2 MailScanner[26019]: Syntax error(s) in configuration file:
Mar 2 07:27:56 srv2 MailScanner[26019]: Unrecognised keyword "maximumarchivedepth" at line 294
Mar 2 07:27:56 srv2 MailScanner[26019]: Aborting due to syntax errors in /opt/MailScanner/etc/MailScanner.conf.

I looked in ConfigDefs.pl and noticed:

maxzipdepth = maximumziparchivedepth

So I changed "Maximum Archive Depth =" to "Max Zip Depth =". Was there something in the docs, or changelog or perhaps the list, I missed on this?

Also, if I change the above to 0 will that disable filename/type checking inside the archives? I am not sure I want to do that just yet, although I just LOVE the reject password protected archive option. I have to generate rules that will allow the normal periodic updates that sales receives from a couple of vendors that zip the exe (since we don't allow exes).

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
> Sent: Tuesday, March 02, 2004 4:29 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ANNOUNCE: Unstable 4.28.2 released
>
> This version can now detect and block password-protected zip files.
From rich at MAIL.WVNET.EDU Tue Mar 2 13:27:40 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:53 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649ADA@pascal.priv.bmrb.co.uk> <200403011039.26528.leduc@cts.com> <4043C32C.5050204@mail.wvnet.edu> <6.0.1.1.2.20040302092910.038f0d48@imap.ecs.soton.ac.uk>
Message-ID: <40448BCC.9090606@mail.wvnet.edu>

Julian Field wrote:
> At 23:11 01/03/2004, you wrote:
>> Kevin, Did you find a way to block only password protected zips? [...]
>> I'd like to just block the password protected ones
>> but haven't figured out a way to do it. [...] So,
>> any idea how to do this?
>
> See 4.28.2.

I know I've said it before but I'll say it again.

You are the most responsive developer I've encountered. Honestly! I've dealt with all the major vendors at one time or another and nothing comes close.

Thank you.
--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243
From craig at WESTPRESS.COM Tue Mar 2 13:31:29 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:53 2006
Subject: Justification for mailscanner.
In-Reply-To:
References:
Message-ID:

You've already seen what everyone else has said. I am new to MailScanner, and I find myself wondering how I was getting by without it. I have seen some of the commercial solutions out there. In fact, we were considering purchasing the commercial mail server solution that SmoothWall is soon to unveil (we use their 'Corporate Server' firewall) to see if it would be any better at stopping spam, but since stumbling across MailScanner, I don't think so.

Being new to MailScanner, I don't feel as though my words carry much weight, but I would suggest MailScanner, and even suggest that you look to http://www.mailscanner.biz for the professional venue of MailScanner to keep your administrative folks happy.

As far as a GUI goes, might I suggest taking a look at Steve Freegard's project, MailWatch. You can find it at http://mailwatch.sourceforge.net and it has proven its worth and in my opinion makes MailScanner whole (not that it was lacking before mind you.) It certainly has proven invaluable with the reports and graphs, etc.

That's my two cents worth,

Kind regards,
Craig D.
--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--
From newcomer at DICKINSON.EDU Tue Mar 2 13:25:46 2004
From: newcomer at DICKINSON.EDU (Don Newcomer) Date: Thu Jan 12 21:22:53 2006 Subject: opt-in Message-ID: We're using MailScanner 4.26.8 and we're in the process of testing SpamAssassin 2.63. The plan is to adopt it site-wide but I like the idea of allowing users to "opt-in" to having their mail scanned for spam. I set up a ruleset that's applied to the config parameters "Spam Checks" and "Use SpamAssassin". It's working fine in testing but I've run into a few problems. This ruleset is based on "to" addresses that determines whether spam checking is done. Unfortunately, as you all know, we get lots of e-mail with forged headers that, based on the header information, shouldn't even appear in your mailbox. This makes using this ruleset for opt-in a little ineffective. Does anyone have any suggestions as to how to either (a) work around this problem or (b) a better way to allow opt-in? Thanks in advance. ================================================================================ Don Newcomer Dickinson College Senior Manager, Systems P.O. Box 1773 newcomer@dickinson.edu Carlisle, PA 17013 Phone: (717) 245-1256 FAX: (717) 245-1690 From raymond at PROLOCATION.NET Tue Mar 2 14:09:36 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:53 2006 Subject: opt-in In-Reply-To: Message-ID: Hi! > spam checking is done. Unfortunately, as you all know, we get lots of > e-mail with forged headers that, based on the header information, shouldn't > even appear in your mailbox. This makes using this ruleset for opt-in a > little ineffective. > > Does anyone have any suggestions as to how to either (a) work around this > problem or (b) a better way to allow opt-in? Thanks in advance. Just do the splitting at the MTA level if you use sendmail, then you also avoid a to: and a cc: problem: if one user (the to: one) sets spam check on and the other (the cc: one) doesn't, you are toast now :) You have to split each message and process them separately. Else it's just one message, and if it's tagged it's tagged. Bye, Raymond. From prandal at HEREFORDSHIRE.GOV.UK Tue Mar 2 14:14:44 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:53 2006 Subject: opt-in Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5A3@jessica.herefordshire.gov.uk> I hate to say this, but why don't you give up and not allow opt-in? And what if users say "we'll have spam, but block all objectionable content"? What if corporate policies require you to prevent certain material from reaching mailboxes? I guess they don't, but maybe they should. Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Don Newcomer > Sent: 02 March 2004 13:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: opt-in > > > We're using MailScanner 4.26.8 and we're in the process of testing > SpamAssassin 2.63. The plan is to adopt it site-wide but I > like the idea > of allowing users to "opt-in" to having their mail scanned > for spam. I set > up a ruleset that's applied to the config parameters "Spam > Checks" and "Use > SpamAssassin". It's working fine in testing but I've run into a few > problems. This ruleset is based on "to" addresses that > determines whether > spam checking is done. Unfortunately, as you all know, we get lots of > e-mail with forged headers that, based on the header > information, shouldn't > even appear in your mailbox. This makes using this ruleset > for opt-in a > little ineffective. > > Does anyone have any suggestions as to how to either (a) work > around this > problem or (b) a better way to allow opt-in? Thanks in advance. > > ============================================================== > ================== > Don Newcomer > Dickinson College > Senior Manager, Systems P.O. Box 1773 > newcomer@dickinson.edu > Carlisle, PA 17013 > > Phone: (717) 245-1256 > > FAX: (717) 245-1690 > From drew at THEMARSHALLS.CO.UK Tue Mar 2 14:24:04 2004 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:53 2006 Subject: Clam AV Message-ID: <14409.194.70.180.170.1078237444.squirrel@net.themarshalls.co.uk> All Following the excitement of the last few days/weeks, speed of definition update is king. Now I currently use F-Prot and Antivir. Both work well, F-Prot probably better than Antivir as it was able to better scan the broken MIME-formatted mail that came from those nice mailserver bounces which included the infected message. I also don't use the MS update scripts, preferring my own cron jobs spaced at different hourly times so that if MS is called while an update is happening the other scanner will still work, and to attempt to ensure that one scanner should catch updates no matter which half of the hour they are posted. I nearly got caught with the Netsky.D when several went through 3 minutes before both scanners updated (Good old MS blocked the files as they were .pif executables, so the user was protected). Cutting to the chase (Sorry it's been longer-winded than I anticipated) should I also run Clam (Which was updated quite quickly yesterday, no promise that it will be in the future but...) or is 3 AV products overkill? The box it's on is not that big so will Clam use huge amounts of system to run? If not 3 which 2? So many questions I know but I would appreciate your thoughts. Thanks Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From sysadmins at ENHTECH.COM Tue Mar 2 14:30:43 2004 From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:53 2006 Subject: Default rules remove .wav files. Message-ID: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com> Hi - Just wanted to inquire with the experts :) The default file attachment rules remove .wav files. Just curious as to why. Errol Neal From john at TRADOC.FR Tue Mar 2 14:31:49 2004
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:22:53 2006 Subject: Bayes rebuild never completes Message-ID: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> I've realised that since updating to 4.26.8 and setting Rebuild Bayes Every = 86400, my Bayes db has never been expired. Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes database rebuild preparing" then "SpamAssassin Bayes database rebuild starting", but never get as far as the "SpamAssassin Bayes database rebuild completed" that I see in the code. Any ideas what I'm doing wrong? This is on redhat 9, with postfix 2.0.16, if it makes any difference. John. -- -- Over 2400 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 14:31:21 2004 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:53 2006 Subject: Clam AV Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk> Drew Marshall wrote: > I also don't > use the MS update scripts, preferring my own cron jobs spaced at > different hourly times so that if MS is called while an update is > happening the other scanner will still work and to attempt to ensure > that one scanner should catch updates no matter which half of the > hour they are posted. The MailScanner update script (update_virus_scanners) creates a lock file which makes MailScanner wait for the scanner updates to complete before continuing with scanning; this should be safer than your method. > should I also run Clam (Which was updated quite quickly > yesterday, no promise that it will be in the future but...) or is 3 AV > products over kill. I now use Sophos, Clam and Symantec - Having seen the variance in update times the more the merrier is my angle. > The box it's on is not that big so will Clam use > huge amounts of system to run? Not huge (nothing like the load of SpamAssassin). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 15:04:12 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> Message-ID: <4044A26C.5060103@solid-state-logic.com> Julian initial tests using the tar version on FreeBSD look good. However I note that ClamAV just blocked a password-protected zip Bagle that MS did nothing about. I've got the default Allow Password-Protected Archives = no set, and installed the perl zip module so I'm not sure what happened there.. looking at that message, the zip file is part of a mailing list digest form, rather than a list individual-message style..... PS - way to go Clam, they've beaten the commercial scanners again being the first (?) to scan inside password-protected zip files... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > This version can now detect and block password-protected zip files. > > By default it will block all of them, but you can of course use a ruleset > to govern the behaviour of the new option > Allow Password-Protected Archives > > Download as usual from www.mailscanner.info. > > I wonder what next mysteries and hacks they will throw at me today :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
********************************************************************** From brose at MED.WAYNE.EDU Tue Mar 2 15:15:43 2004 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: What should MailScanner say in the logs for this? Mar 2 10:01:32 eeyore MailScanner[15039]: New Batch: Scanning 3 messages, 79390 bytes Mar 2 10:01:32 eeyore MailScanner[15039]: MCP Checks completed at 79390 bytes per second Mar 2 10:01:32 eeyore MailScanner[15039]: Spam Checks: Starting Mar 2 10:02:19 eeyore MailScanner[15039]: Spam Checks completed at 1689 bytes per second Mar 2 10:02:55 eeyore MailScanner[15039]: Password-protected archive in i22F0v6R016094 Mar 2 10:02:55 eeyore MailScanner[15039]: Virus and Content Scanning: Starting Mar 2 10:02:55 eeyore MailScanner[15039]: ERROR:: File was encrypted (530):: ./i22F0v6R016094/ctr2055.zip Mar 2 10:03:00 eeyore MailScanner[15039]: Virus Scanning: SophosSAVI found 1 infections Mar 2 10:03:01 eeyore MailScanner[15039]: Virus Scanning completed at 1890 bytes per second Mar 2 10:03:02 eeyore MailScanner[15039]: Uninfected: Delivered 3 messages Mar 2 10:03:02 eeyore MailScanner[15039]: Virus Processing completed at 79390 bytes per second Mar 2 10:03:02 eeyore MailScanner[15039]: Disinfection completed at 79390 bytes per second Mar 2 10:03:02 eeyore MailScanner[15039]: Batch completed at 882 bytes per second (79390 / 90) This looks like it let it thru. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Tuesday, March 02, 2004 4:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Unstable 4.28.2 released This version can now detect and block password-protected zip files. By default it will block all of them, but you can of course use a ruleset to govern the behaviour of the new option Allow Password-Protected Archives Download as usual from www.mailscanner.info. I wonder what next mysteries and hacks they will throw at me today :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin.Spicer at BMRB.CO.UK Tue Mar 2 15:18:43 2004 
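The check Bobby makes by eye in the log above (a "Password-protected archive in <id>" line, then "Uninfected: Delivered 3 messages" for a batch of 3, so nothing was held back) can be automated. The script below is an added example; it is not code from the post or from MailScanner. It relies only on the line shapes visible in the quoted log, groups lines into batches per MailScanner worker PID, and flags a batch that delivered as many messages as it scanned while one of them carried a password-protected archive. The second batch in the sample is constructed to show the negative case; the correlation rule itself is this example's, not a check MailScanner performs.

```python
"""Flag MailScanner batches that delivered a message containing a
password-protected archive.

Added example; not part of the post above and not MailScanner code. Only the
log line shapes visible in the post are relied on: "New Batch: Scanning N
messages", "Password-protected archive in <id>", the scanner error
"File was encrypted (...):: ./<id>/<file>", "Uninfected: Delivered N messages"
and "Batch completed". Everything else MailScanner logs is ignored.
"""
import re
from dataclasses import dataclass, field

RE_PREFIX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) MailScanner\[(\d+)\]: (.*)$")
RE_NEW_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
RE_PW_ARCHIVE = re.compile(r"Password-protected archive in (\S+)")
RE_ENCRYPTED = re.compile(r"File was encrypted \(\d+\):: \./([^/]+)/(\S+)")
RE_DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")
RE_BATCH_END = re.compile(r"Batch completed")


@dataclass
class Batch:
    pid: str
    started: str
    scanned: int
    delivered: int = 0
    password_protected: dict = field(default_factory=dict)  # queue id -> [files]


def parse_batches(lines):
    """Group MailScanner log lines into finished batches, tracked per worker PID."""
    open_batches, finished = {}, []
    for line in lines:
        m = RE_PREFIX.match(line.strip())
        if not m:
            continue                      # not a MailScanner line
        stamp, _host, pid, msg = m.groups()
        if (nb := RE_NEW_BATCH.search(msg)):
            open_batches[pid] = Batch(pid, stamp, int(nb.group(1)))
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue                      # batch whose start we did not see
        if (pw := RE_PW_ARCHIVE.search(msg)):
            batch.password_protected.setdefault(pw.group(1), [])
        elif (enc := RE_ENCRYPTED.search(msg)):
            batch.password_protected.setdefault(enc.group(1), []).append(enc.group(2))
        elif (d := RE_DELIVERED.search(msg)):
            batch.delivered = int(d.group(1))
        elif RE_BATCH_END.search(msg):
            finished.append(open_batches.pop(pid))
    return finished


def delivered_despite_password(batches):
    """(pid, queue id, [files]) for each password-protected message in a batch
    whose 'Uninfected: Delivered' count equals the number of messages scanned,
    i.e. a batch in which nothing was held back."""
    hits = []
    for b in batches:
        if b.password_protected and b.delivered == b.scanned:
            for qid, files in sorted(b.password_protected.items()):
                hits.append((b.pid, qid, files))
    return hits


# Sample input. The first batch is the log quoted in the post above; the
# second batch (PID 15040, queue id i22F50000AAAAA) is constructed to show the
# negative case: one of two messages was delivered, so the password-protected
# one was held back and is not flagged.
SAMPLE_LOG = """\
Mar  2 10:01:32 eeyore MailScanner[15039]: New Batch: Scanning 3 messages, 79390 bytes
Mar  2 10:01:32 eeyore MailScanner[15039]: MCP Checks completed at 79390 bytes per second
Mar  2 10:01:32 eeyore MailScanner[15039]: Spam Checks: Starting
Mar  2 10:02:19 eeyore MailScanner[15039]: Spam Checks completed at 1689 bytes per second
Mar  2 10:02:55 eeyore MailScanner[15039]: Password-protected archive in i22F0v6R016094
Mar  2 10:02:55 eeyore MailScanner[15039]: Virus and Content Scanning: Starting
Mar  2 10:02:55 eeyore MailScanner[15039]: ERROR:: File was encrypted (530):: ./i22F0v6R016094/ctr2055.zip
Mar  2 10:03:00 eeyore MailScanner[15039]: Virus Scanning: SophosSAVI found 1 infections
Mar  2 10:03:01 eeyore MailScanner[15039]: Virus Scanning completed at 1890 bytes per second
Mar  2 10:03:02 eeyore MailScanner[15039]: Uninfected: Delivered 3 messages
Mar  2 10:03:02 eeyore MailScanner[15039]: Virus Processing completed at 79390 bytes per second
Mar  2 10:03:02 eeyore MailScanner[15039]: Disinfection completed at 79390 bytes per second
Mar  2 10:03:02 eeyore MailScanner[15039]: Batch completed at 882 bytes per second (79390 / 90)
Mar  2 10:05:00 eeyore MailScanner[15040]: New Batch: Scanning 2 messages, 12345 bytes
Mar  2 10:05:01 eeyore MailScanner[15040]: Password-protected archive in i22F50000AAAAA
Mar  2 10:05:02 eeyore MailScanner[15040]: Uninfected: Delivered 1 messages
Mar  2 10:05:02 eeyore MailScanner[15040]: Batch completed at 100 bytes per second (12345 / 2)
"""

if __name__ == "__main__":
    for pid, qid, files in delivered_despite_password(parse_batches(SAMPLE_LOG.splitlines())):
        print(f"worker {pid}: {qid} was delivered with password-protected archive(s) {files}")
```

Run against a real maillog with `parse_batches(open("/var/log/maillog"))`; the batch-size comparison is deliberately conservative, so a batch in which one message was held back and a different password-protected one was delivered would not be flagged by this check alone.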
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> Martin Hepworth wrote: > Julian > > initial tests using the tar version on FreeBSD look good. > > However I note that ClamAV just blocked a password-protected zip Bagle > that MS did nothing about. > According to the clam list clam doesn't scan inside password protected archives, however they have added a signature that detects the encrypted zip file. Are you sure that this particular instance of Bagle was password protected (not all copies are) - did you save a copy? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From wei at ENG.FSU.EDU Tue Mar 2 15:19:15 2004
From: wei at ENG.FSU.EDU (Wei Li) Date: Thu Jan 12 21:22:53 2006 Subject: .zip file passes through the filter In-Reply-To: <4044A26C.5060103@solid-state-logic.com> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com> Message-ID: <4044A5F3.2010306@eng.fsu.edu> Hi, all, We met a .zip virus in our system and have to block all encrypted .zip files. I modified filename.rules.conf in /opt/MailScanner/etc as #allow \.zip$ - - deny \.zip$ and in filetype.rules.conf I denied: deny archive - - deny self-extract No self-extracting archives No self-extracting archives allowed But the infected .zip file still could pass through the filter. We are using the latest McAfee data file. Any suggestion? Thanks a lot Wei From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 15:22:53 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001649AFB@pascal.priv.bmrb.co.uk> Message-ID: <4044A6CD.30805@solid-state-logic.com> Kevin yes and yes... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Spicer, Kevin wrote: > Martin Hepworth wrote: > >>Julian >> >>initial tests using the tar version on FreeBSD look good. >> >>However I note that ClamAV just blocked a password-protected zip Bagle >>that MS did nothing about. >> > > According to the clam list clam doesn't scan inside password protected archives, however they have added a signature that detects the encrypted zip file. > Are you sure that this particular instance of Bagle was password protected (not all copies are) - did you save a copy? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000
From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:34:15 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Bayes rebuild never completes In-Reply-To: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> Message-ID: <6.0.1.1.2.20040302153357.09e7a150@imap.ecs.soton.ac.uk> I have seen this too. When I get a chance, I will take a look at it. At 14:31 02/03/2004, you wrote: >I've realised that since updating to 4.26.8 and setting Rebuild Bayes >Every = 86400, my Bayes db has never been expired. > >Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes >database rebuild preparing" then "SpamAssassin Bayes database rebuild >starting", but never get as far as the "SpamAssassin Bayes database >rebuild completed" that I see in the code. > >Any ideas what I'm doing wrong? This is on redhat 9, with postfix >2.0.16, if it makes any difference. > >John. > >-- >-- Over 2400 webcams from ski resorts around the world - www.snoweye.com >-- Translate your technical documents and web pages - www.tradoc.fr -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:33:44 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Default rules remove .wav files. In-Reply-To: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com> References: <6.0.2.0.0.20040302092929.027d2308@mail.enhtech.com> Message-ID: <6.0.1.1.2.20040302153248.09eed528@imap.ecs.soton.ac.uk> At 14:30 02/03/2004, you wrote: >Hi - > >Just wanted to inquire with the experts :) >The default file attachment rules remove .wav files. Just curious as to why. Just to remove big audio files, I thought some people might find it useful when I wrote the example ruleset. I don't know of any exploits that have been done using wav files. Feel free to remove the rule if you don't want it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 15:27:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: ANNOUNCE: Unstable 4.28.2 released In-Reply-To: References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk> I fixed this in 4.28.2-2. Sorry about that one. At 12:45 02/03/2004, you wrote: >Installed 4.28.2 and when I restarted MailScanner log showed: >Mar 2 07:27:56 srv2 MailScanner[26019]: Syntax error(s) in >configuration file: >Mar 2 07:27:56 srv2 MailScanner[26019]: Unrecognised keyword >"maximumarchivedepth" at line 294 >Mar 2 07:27:56 srv2 MailScanner[26019]: Aborting due to syntax >errors in /opt/MailScanner/etc/MailScanner.conf. > >I looked in ConfigDefs.pl and noticed: >maxzipdepth = maximumziparchivedepth > >So "I changed Maximum Archive Depth =" To "Max Zip Depth =" > >Was there something in the docs, or changelog or perhaps the >list, I missed on this? In MailScanner.conf you should have put Maximum Zip Archive Depth = >Also, If I change the above to 0 will that disable filename/type >checking inside the archives? I think so, yes. If 0 doesn't disable it, then -1 certainly will. > I am not sure I want to do that >just yet, although I just LOVE the reject password protected >archive option I have to generate rules that will allow the >normal periodic updates that sales receives from a couple vendors >that zip the exe (since we don't allow exes) > > > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Tuesday, March 02, 2004 4:29 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: ANNOUNCE: Unstable 4.28.2 released > > > > > > This version can now detect and block > > password-protected zip files. > > > > By default it will block all of them, but you can of > > course use a ruleset > > to govern the behaviour of the new option > > Allow Password-Protected Archives > > > > Download as usual from www.mailscanner.info. > > > > I wonder what next mysteries and hacks they will throw > > at me today :-) > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > > 1415 B654 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From davidnalley at BRYANRAMEY.COM Tue Mar 2 15:46:07 2004 
From: davidnalley at BRYANRAMEY.COM (David Nalley) Date: Thu Jan 12 21:22:53 2006 Subject: Clam-AV/MailScanner Configuration Message-ID: <23CF5E8FD4EA414184A3AF27AEE7630618973D@bdr1.bryanramey.com> I seem to be having a problem with my current configuration. I have a relatively large percentage of virus laden emails which get past ClamAV but are trapped by SA as spam. Running clamscan on the quarantined spam clearly reveals them. I figure I must have something incorrectly configured. While I have worked through the documentation, the only thing that immediately jumps to mind is the following section from MailScanner.conf Btw, I am using MS 4.25, ClamAV 0.65, and SA 2.63 Max Unscanned Bytes Per Scan = 100000000 Max Unsafe Bytes Per Scan = 50000000 Max Unscanned Messages Per Scan = 0 Max Unsafe Messages Per Scan = 30 Thanks in advance, David Nalley From rcooper at DWFORD.COM Tue Mar 2 15:34:07 2004 
From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:53 2006 Subject: Problems with 4.28-2 Message-ID: Ok, I ran some test messages with 4.28-7 and when I sent a zip with a password or bad filename the log showed: Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0 Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 messages, 988519 bytes Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin returned 0 Mar 2 09:00:48 srv2 MailScanner[29720]: Created attachment dirs for 1 messages Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content Scanning: Starting Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by f-prot... Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by f-prot Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by clamavmodule... Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by clamavmodule Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: Windows/DOS Executable (1AyARd-0007mi-Kk 0) Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by /usr/bin/file Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No executables (1AyARd-0007mi-Kk 0) Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 problems This would repeat over and over with the same e-mail until I killed MailScanner. I put it in debug and got: Debug: In Debugging mode, not forking... Unmatched ( in regex; marked by <-- HERE in m/the sender of these problems anymore ( <-- HERE since we cannot tell legitimate senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line 1913, line 18. So I looked in the report and saw it was puking on a sentence enclosed in (). I looked at Message.pm line 1913 and noted: $line =~ s/"/\\"/g; # Escape any " characters $line =~ s/@/\\@/g; # Escape any @ characters So I removed the ( and ) and it puked on a sentence that was enclosed by **. 
I did some other checks and it puked on any regex reserved character and didn't like words surrounded by quotes like "To" (it did not puke on them but it complained about them). So I commented out the two lines above and added: $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters and everything worked fine again. I found I could not escape the "$" because it blew the eval() below this section. I have used the same reports for months and have never had this happen before. Did something change here? I'm confused as to whether this problem has to do with something on this end, as I have not seen other comments about the "Maximum Archive Depth", or this problem, on the list. Although I guess unless your virus.deleted or filename.deleted reports contained the same characters [()* or .*] you wouldn't notice.. come to think about it I recently added the text that was enclosed parenthetically. Might be something to look at Julian. -- Rick Cooper From raymond at PROLOCATION.NET Tue Mar 2 16:01:24 2004 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:53 2006 Subject: Clam-AV/MailScanner Configuration In-Reply-To: <23CF5E8FD4EA414184A3AF27AEE7630618973D@bdr1.bryanramey.com> Message-ID: Hi! > but are trapped by SA as spam. Running clamscan on the quarantined spam > clearly reveals them. I figure I must have something incorrectly > configured. While I have worked through the documentation, the only > thing that immediately jumps to mind is the following section from > MailScanner.conf > Btw, I am using MS 4.25, ClamAV 0.65, and SA 2.63 > > Max Unscanned Bytes Per Scan = 100000000 > Max Unsafe Bytes Per Scan = 50000000 > Max Unscanned Messages Per Scan = 0 > Max Unsafe Messages Per Scan = 30 As you could read, the MIME stuff was changed recently; that might be your problem. I would suggest first upgrading to the latest stable version and then looking again. Bye, Raymond. From dnsadmin at 1BIGTHINK.COM Tue Mar 2 16:09:37 2004
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:22:53 2006 Subject: .zip file passes through the filter In-Reply-To: <4044A5F3.2010306@eng.fsu.edu> References: <4044A26C.5060103@solid-state-logic.com> <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com> Message-ID: <5.2.1.1.0.20040302110852.0905c8a0@mail.1bigthink.com> At 10:19 AM 3/2/2004 -0500, you wrote: >Hi, all, > >We met a .zip virus in our system and have to block all encrypted .zip >files. I modified filename.rules.conf in /opt/MailScanner/etc as > >#allow \.zip$ - - >deny \.zip$ Wei, It appears you missed the two TAB characters and the dashes in your deny line above. >and in filetype.rules.conf I denied: >deny archive - - >deny self-extract No self-extracting archives No self-extracting >archives allowed > >But the infected .zip file still could pass through the filter. We are >using the latest mcfee data file. > >Any suggestion? > >Thanks a lot > >Wei From nnelson at 1seo.net Tue Mar 2 16:17:32 2004 From: nnelson at 1seo.net (Nick Nelson) Date: Thu Jan 12 21:22:53 2006 Subject: FreeBSD 5.x Message-ID: <4044B39C.2070900@1SEO.net> Hey folks. Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) on FreeBSD? Anything I should take into consideration before starting the install? Will I lose a lot of performance going with something such as Fedora? RHES isn't an option unfortunately. Thanks.. From mailscanner at ecs.soton.ac.uk Tue Mar 2 16:11:58 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: .zip file passes through the filter In-Reply-To: <4044A5F3.2010306@eng.fsu.edu> References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <4044A26C.5060103@solid-state-logic.com> <4044A5F3.2010306@eng.fsu.edu> Message-ID: <6.0.1.1.2.20040302161038.03f990f0@imap.ecs.soton.ac.uk> At 15:19 02/03/2004, you wrote: >Hi, all, > >We met a .zip virus in our system and have to block all encrypted .zip >files. I modified filename.rules.conf in /opt/MailScanner/etc as > >#allow \.zip$ - - >deny \.zip$ That will generate a syntax error in your maillog. There should be 2 text entries after the \.zip$ which are the log text and the user text of the warnings it should generate. Also, my comment below about tab separation applies here too. >and in filetype.rules.conf I denied: >deny archive - - >deny self-extract No self-extracting archives No self-extracting >archives allowed Are you sure those lines have the fields separated by tab characters? It clearly says at the top of the file that they need to be tab-separated. >But the infected .zip file still could pass through the filter. We are >using the latest mcfee data file. > >Any suggestion? > >Thanks a lot > >Wei -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Mar 2 16:09:03 2004 
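Both replies to Wei above come down to the same two syntax points: the fields of filename.rules.conf and filetype.rules.conf must be separated by TAB characters, and every rule needs all four fields (action, pattern, log text, user text), with "-" where there is no text. The script below is an added example, not MailScanner's own code and not a substitute for the syntax check MailScanner does itself; it lints a rules file for exactly those two mistakes and then dry-runs the parsed rules against a few attachment names. It assumes, as labelled in the code, first-match-wins ordering, case-insensitive matching, and that a name matching no rule is allowed; the rules text and file names it uses are constructed here (the two broken lines are Wei's, as posted).

```python
"""Lint and dry-run a MailScanner-style filename.rules.conf.

Added example; this is not MailScanner's own code and does not read its
configuration. Assumptions, taken from the thread and labelled here:
  * one rule per line, fields separated by TAB characters (not spaces);
  * four fields: action, regular expression, log text, user report text;
  * actions are allow, deny or deny+delete;
  * a '-' in a text field means "no text";
  * the first matching rule wins, matching is case-insensitive, and a
    filename that matches no rule is allowed.
"""
import re
from dataclasses import dataclass

ACTIONS = {"allow", "deny", "deny+delete"}


@dataclass
class Rule:
    action: str
    pattern: re.Pattern
    log_text: str
    user_text: str
    lineno: int


def parse_rules(text):
    """Parse rules text; return (rules, errors), errors being (lineno, message)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                      # blank lines and comments
        fields = line.split("\t")
        if len(fields) < 4:
            hint = ""
            if "\t" not in line and len(line.split()) >= 4:
                hint = " (the fields are space-separated; they must be TAB-separated)"
            errors.append((lineno, f"expected 4 tab-separated fields, found {len(fields)}{hint}"))
            continue
        action, regex, log_text, user_text = (f.strip() for f in fields[:4])
        if action not in ACTIONS:
            errors.append((lineno, f"unknown action {action!r}"))
            continue
        try:
            pattern = re.compile(regex, re.IGNORECASE)
        except re.error as exc:
            errors.append((lineno, f"bad regular expression {regex!r}: {exc}"))
            continue
        rules.append(Rule(action, pattern, log_text, user_text, lineno))
    return rules, errors


def decide(rules, filename):
    """(action, rule line number) of the first matching rule, or ('allow', None)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.lineno
    return "allow", None


def lint(text):
    """Human-readable lint report for a rules file body."""
    rules, errors = parse_rules(text)
    return [f"line {n}: {msg}" for n, msg in errors] or [f"OK: {len(rules)} rules"]


# Constructed input: the lines posted in the thread (typed with spaces, so
# the linter rejects them) and a corrected, TAB-separated equivalent.
POSTED = "#allow \\.zip$ - -\ndeny \\.zip$\ndeny archive - -\n"
CORRECTED = (
    "deny\t\\.zip$\tZip archive blocked at the gateway\t"
    "Zip attachments are not accepted at the moment\n"
    "deny\t\\.(exe|pif|scr)$\tWindows executable\tNo programs allowed\n"
    "allow\t.*\t-\t-\n"
)

if __name__ == "__main__":
    print("\n".join(lint(POSTED)))
    rules, _ = parse_rules(CORRECTED)
    for name in ("ctr2055.zip", "update.EXE", "photo.jpg"):
        print(name, "->", decide(rules, name))
```

To lint a live file, pass `open("/opt/MailScanner/etc/filename.rules.conf").read()` to `lint()`; the dry run is useful for checking rule order before a restart, since an early `allow` swallows every later `deny` for the names it matches.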
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:53 2006 Subject: Problems with 4.28-2 In-Reply-To: References: Message-ID: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk> Many thanks for letting me know about that one, and for writing the fix for me. It turns up 1 other time in Message.pm as well (look for "Escape any " and you will find it). Fixed for the next release. At 15:34 02/03/2004, you wrote: >Ok, I ran some test messages with 4.28-7 and when I sent a zip >with a password or bad filename the log showed: > >Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, >ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0 >Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 >messages, 988519 bytes >Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting >Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin returned 0 >Mar 2 09:00:48 srv2 MailScanner[29720]: Created attachment dirs >for 1 messages >Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content >Scanning: Starting >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by >f-prot... >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by >f-prot >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by >clamavmodule... >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by >clamavmodule >Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: >Windows/DOS Executable (1AyARd-0007mi-Kk 0) >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by >/usr/bin/file >Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No >executables (1AyARd-0007mi-Kk 0) >Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 >problems > >This would repeat over and over with the same e-mail until I >killed MailScanner. I put it in debug and got: > >Debug: >In Debugging mode, not forking... 
>Unmatched ( in regex; marked by <-- HERE in m/the sender of these >problems anymore ( <-- HERE since we cannot tell legitimate >senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line >1913, line 18. > >So I looked in the report and saw it was puking on a sentence >enclosed in (). I looked at Message.pm line 1913 and noted: > > $line =~ s/"/\\"/g; # Escape any " characters > $line =~ s/@/\\@/g; # Escape any @ characters > >So I removed the ( and ) and it puked on a sentence that was >enclosed by **. I did some other checks and it puked on any regex >reserved character and didn't like words surrounded by quotes >like "To" (it did not puke on them but it complained about them) >. So I commented out the two lines above and added: > >$line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex >characters > >and everything worked fine again. I found I could not escape the >"$" because it blew the eval() below this section. I have used >the same reports for months and have never had this happen >before. Did something change here? I'm confused as to if this >problem has to do with something on this end as I have not seen >other comments about the "Maximum Archive Depth", or this >problem, on the list. Although I guess unless your virus.deleted >or filename.deleted reports contained the same characters [()* or >.*] you wouldn't notice.. come to think about it I recently add >the text that was enclosed parenthetically. Might be something to >look at Julian. > > >-- >Rick Cooper -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From bg.mahesh at INDIAINFO.COM Tue Mar 2 16:59:43 2004 
From: bg.mahesh at INDIAINFO.COM (B.G. Mahesh) Date: Thu Jan 12 21:22:53 2006 Subject: SpamAssassin+sendmail config questions Message-ID:

hi

I have been using SpamAssassin so far on Linux with sendmail+procmail. I decided to use ClamAV and MailScanner today. I have a few basic questions,

1. I had created /etc/procmailrc for SpamAssassin. Do I leave it "as is"?

2. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml I see that I have to create,

   /var/spool/MailScanner/incoming
   /var/spool/MailScanner/quarantine

What should be the permissions of these directories? Should they be the same as mqueue.in as mentioned on http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml ?

3. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml I see the instructions for modifying sendmail commands. In my /etc/init.d/sendmail I have,

   daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \
          $([ -n "$QUEUE" ] && echo -q$QUEUE)
   RETVAL=$?

What should the above lines change to?

regards,
B.G. Mahesh

From marco at MUW.EDU Tue Mar 2 17:12:22 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> Message-ID: <1078247542.4044c0766a59a@webmail.MUW.Edu>

I can confirm that Bagle-I worm did make it through our MS gateways. I am running both Sophos and Command AV (up-to-date) and both let it slip through. We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it helps. Meanwhile, I have blocked zip files temporarily.

Quoting Derek Winkler :
> For Bagle-H Sophos included this note:
>
> "W32/Bagle-H sends itself as a password protected ZIP file that is not detected by this identity. However, when unzipped by the user the worm will be detected by Sophos Anti-Virus at the user's desktop."
>
> May be true of Bagle-I since it also uses password protected ZIP files as well, although they didn't specifically say.
>

From sconway at WLNET.COM Tue Mar 2 17:25:07 2004 
From: sconway at WLNET.COM (Stephen Conway) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078247542.4044c0766a59a@webmail.MUW.Edu> Message-ID: <200403021724.i22HOqk27186@zuga.wlnet.com>

Good day:

Correct me if I am wrong, but if the zip is password protected, how would the end user open it w/o a password? So should I be worried if some get through? We have clients with slow Satellite connections, so it is difficult for them to upgrade their virus defs, so we are their only line of defense. Is there a way for Sophos to scan password protected zip files?

Thanks,

SC

-----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid Sent: Tuesday, March 02, 2004 12:12 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: bagle-i worm I can confirm that Bagle-I worm did make it through our MS gateways. I am running both Sophos and Command AV (up-to-date) and both let it slip through. We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it helps. Meanwhile, I have blocked zip files temporarily. Quoting Derek Winkler : > For Bagle-H Sophos included this note: > > "W32/Bagle-H sends itself as a password protected ZIP file that is not > detected by this identity. However, when unzipped by the user the worm will > be detected by Sophos Anti-Virus at the user's desktop." > > May be true of Bagle-I since it also uses password protected ZIP files as > well, although they didn't specifically say. > From cconn at ABACOM.COM Tue Mar 2 17:28:02 2004 From: cconn at ABACOM.COM (Chris Conn) Date: Thu Jan 12 21:22:53 2006 Subject: Header problem, part 2 Message-ID: <4044C422.1080908@abacom.com> Hello, Just to add to my previous EMAIL, I find that pretty much every message I check that contains attachments has this header: MIME_MISSING_BOUNDARY 1.84 in the spamassassin score. Could this be related? Thanks in advance, Chris From marco at MUW.EDU Tue Mar 2 17:47:22 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com> References: <200403021724.i22HOqk27186@zuga.wlnet.com> Message-ID: <1078249642.4044c8aa87a59@webmail.MUW.Edu>

The worm DOES provide the user with the password :)
Some of our users, as little techie as they are, managed to extract and execute the zip file ...

Sophos, in my case, has been able to intercept Bagle A through F. For some reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March release and will upgrade MS to latest-stable. Then I will test if Bagle.I will make it through this time before I re-allow zip attachments on my site.

Quoting Stephen Conway :
> Good day:
>
> Correct me if I am wrong, but if the zip is password protected, how would the end user open it w/o a password? So should I be worried if some get through? We have clients with slow Satellite connections, so it is difficult for them to upgrade their virus defs, so we are their only line of defense. Is there a way for Sophos to scan password protected zip files?
>
> Thanks,
>
> SC
>

From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 17:38:43 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078249642.4044c8aa87a59@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <4044C6A3.6080103@solid-state-logic.com>

Won't help. ClamAV does spot this stuff though..

Also Julian's latest 4.28.2-2 doesn't catch it either (even though it should!). I guess he's got real work on at the moment, or scratching his head as to why it didn't work :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Marco Obaid wrote:
> The worm DOES provide the user with the password :)
> Some of our users, as little techie as they are, managed to extract and execute the zip file ...
>
> Sophos, in my case, has been able to intercept Bagle A through F. For some reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March release and will upgrade MS to latest-stable. Then I will test if Bagle.I will make it through this time before I re-allow zip attachments on my site.
>
> Quoting Stephen Conway :
>
>>Good day:
>>
>>Correct me if I am wrong, but if the zip is password protected, how would the end user open it w/o a password? So should I be worried if some get through? We have clients with slow Satellite connections, so it is difficult for them to upgrade their virus defs, so we are their only line of defense. Is there a way for Sophos to scan password protected zip files?
>>
>>Thanks,
>>
>>SC
>>

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From Newcombe at MORDOR.CLAYTON.EDU Tue Mar 2 17:43:24 2004 From: Newcombe at MORDOR.CLAYTON.EDU (Dan Newcombe) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <1078249642.4044c8aa87a59@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: On Tue, 2 Mar 2004, Marco Obaid wrote: > Sophos, in my case, has been able to intercept Bagel A through F. For some > reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the March > relesse and will Upgrade MS to latest-stable. Then I will test if Bagle.I will > make it through this time before I re-allow zip attachments on my site. Is Sophos supposed to be able to identify the password-protected zip file or just the virus that's in the file itself? I would guess that the password is different from file to file making a signature very difficult. Just can't win - instead of setting up an ftp server for once-in-a-blue-moon files needed from off site, we asked people to just send a pw-protected ZIP file, and now those are on the evil list. Ah...microsoft security. From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 17:33:01 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:53 2006 Subject: bagle-i worm In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com> References: <200403021724.i22HOqk27186@zuga.wlnet.com> Message-ID: <4044C54D.5020904@solid-state-logic.com>

Stephen

the password is sent as part of the email something like.

hi here's the password you need: ahfhfghftgyghjg

then the user unzips the attachment, types in the password as given and splat they're hosed..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Stephen Conway wrote:
> Good day:
>
> Correct me if I am wrong, but if the zip is password protected, how would the end user open it w/o a password? So should I be worried if some get through? We have clients with slow Satellite connections, so it is difficult for them to upgrade their virus defs, so we are their only line of defense. Is there a way for Sophos to scan password protected zip files?
>
> Thanks,
>
> SC
>
>
> -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Marco Obaid > Sent: Tuesday, March 02, 2004 12:12 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bagle-i worm > > I can confirm that Bagle-I worm did make it through our MS gateways. I am > running both Sophos and Command AV (up-to-date) and both let it slip > through. > We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it > helps. Meanwhile, I have blocked zip files temporarily. > > > Quoting Derek Winkler : > > >>For Bagle-H Sophos included this note: >> >>"W32/Bagle-H sends itself as a password protected ZIP file that is not >>detected by this identity. However, when unzipped by the user the worm > > will > >>be detected by Sophos Anti-Virus at the user's desktop." >> >>May be true of Bagle-I since it also uses password protected ZIP files as >>well, although they didn't specifically say. >> ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From stefanzman at yahoo.com Tue Mar 2 17:55:18 2004 
From: stefanzman at yahoo.com (Stefan Zauchenberger) Date: Thu Jan 12 21:22:53 2006 Subject: Clam AV In-Reply-To: <14409.194.70.180.170.1078237444.squirrel@net.themarshalls.co.uk> Message-ID: <20040302175518.35156.qmail@web41310.mail.yahoo.com>

If you want a commercial AV product that provides fast response for updates, the current leader in this category is Kaspersky. Check out the following article: http://itmanagement.earthweb.com/columns/executive_tech/article.php/3316511

Also, we have numerous installations of MailScanner with KAV. Let me know if you have any questions.

--- Drew Marshall wrote:
> All
>
> Following the excitement of the last few days/weeks, speed of definition update is king. Now I currently use F-Prot and Antivir. Both work well, F-Prot probably better than Antivir as it was able to better scan the broken MIME formatted mail that came from those nice mailserver bounces which included the infected message. I also don't use the MS update scripts, preferring my own cron jobs spaced at different hourly times so that if MS is called while an update is happening the other scanner will still work, and to attempt to ensure that one scanner should catch updates no matter which half of the hour they are posted. I nearly got caught with the Netsky.D when several went through 3 minutes before both scanners updated (Good old MS blocked the files as they were .pif executables, so the user was protected).
>
> Cutting to the chase (Sorry it's been longer winded than I anticipated) should I also run Clam (Which was updated quite quickly yesterday, no promise that it will be in the future but...) or is 3 AV products overkill? The box it's on is not that big so will Clam use huge amounts of system to run? If not 3, which 2?
>
> So many questions I know but I would appreciate your thoughts.
>
> Thanks
>
> Drew
>
> --
> In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
> www.themarshalls.co.uk/policy

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you're looking for faster
http://search.yahoo.com

From gercke at HNM.DE Tue Mar 2 17:50:06 2004 
From: gercke at HNM.DE (Daniel Gercke) Date: Thu Jan 12 21:22:53 2006 Subject: Bayes filter engine {auf Viren geprüft} Message-ID: <4044C94E.1080004@hnm.de>

I've read the article under: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/98.html

Now my question: does "people can just redirect wrongly-classified messages to one of the addresses" mean that people can forward this mail in their mail program to one of these addresses? Because I don't want the Bayes engine to think these forwarders are the sender of the spam...

Question two: how can I define that messages marked as "High Score" will be learned automatically by the Bayes engine?

--
This message has been checked for viruses and other dangerous content and, provided the virus scanners are current, is clean. MailScanner thanks transtec for their kind support.

From raymond at PROLOCATION.NET Tue Mar 2 18:05:24 2004 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring In-Reply-To: Message-ID:

Hi!

> Has anyone out there modified the MailScanner-MRTG package to work with
> Cricket instead of MRTG?
>
> Or is anyone doing monitoring with Cricket?

We have set up monitoring around RRD, I guess that's what you mean?

Bye,
Raymond.

From Newcombe at MORDOR.CLAYTON.EDU Tue Mar 2 18:03:09 2004 
From: Newcombe at MORDOR.CLAYTON.EDU (Dan Newcombe) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring Message-ID:

Has anyone out there modified the MailScanner-MRTG package to work with Cricket instead of MRTG?

Or is anyone doing monitoring with Cricket?

From marco at MUW.EDU Tue Mar 2 18:26:19 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <1078251979.4044d1cbd836d@webmail.MUW.Edu>

Quoting Dan Newcombe :

> Is Sophos supposed to be able to identify the password-protected zip file
> or just the virus that's in the file itself?

I believe that it attempts to scan the entire file;

MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: W32/Bagle.E@mm
MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle-E:: ./i226Mcwt003303/eaaead.zip

> Just can't win - instead of setting up an ftp server for
> once-in-a-blue-moon files needed from off site, we asked people to just
> send a pw-protected ZIP file, and now those are on the evil list.

Can't you just temporarily white list their server's IP address to skip the virus checks? I would not attempt to whitelist their domain since these worms are skilled at spoofing the sender's address.

Marco

From support at EPAXSYS.NET Tue Mar 2 18:27:24 2004 
From: support at EPAXSYS.NET (Support ePaxsys/FRWS) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <1078251979.4044d1cbd836d@webmail.MUW.Edu> References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> Message-ID: <5.1.0.14.2.20040302111930.025b0080@mail.frws.com>

Hey folks

Would not an addition to the filename.rules.conf rules to adjust for allowed size ranges also help in this situation? If the Virus.ZIP file was say under 100k (and maybe check for PW protection if possible) they could be blocked instead of blocking ALL Zips. Sure it's an interim fix as the Virus writers would just make them bigger or do something different - but it would give us all another weapon to use to slow this stuff down and not stop legitimate mail (our goal after all!) while the AV writers come up with a solution. Thoughts?

We are blocking Zips under 200k with the word 'password:' in them using procmail right now, and it is effective. Not elegant, not perfect, but it's a decent interim solution.

Jerome

At 12:26 PM 3/2/04 -0600, Marco Obaid wrote:
>Quoting Dan Newcombe :
>
> > Is Sophos supposed to be able to identify the password-protected zip file
> > or just the virus that's in the file itself?
>
>I believe that it attempts to scan the entire file;
>
>MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: W32/Bagle.E@mm
>MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle-E:: ./i226Mcwt003303/eaaead.zip
>
> > Just can't win - instead of setting up an ftp server for
> > once-in-a-blue-moon files needed from off site, we asked people to just
> > send a pw-protected ZIP file, and now those are on the evil list.
>
>Can't you just temporarily white list their server's IP address to skip the virus checks? I would not attempt to whitelist their domain since these worms are skilled at spoofing the sender's address.
>
>
>Marco

ePaxsys/FRWS Technical Staff
ePaxsys, Inc. 
http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help From dot at DOTAT.AT Tue Mar 2 18:11:06 2004 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:22:54 2006 Subject: Header problem, part 2 Message-ID:

I've written an auxiliary script to go with uvscan-update that finds, fetches and installs extra.dat files from NAI. This should give you some useful additional protection from new viruses.

Included below are my current uvscan-update and uvscan-extra scripts.

Tony.
--
f.a.n.finch  http://dotat.at/
BERWICK ON TWEED TO WHITBY: WEST BACKING SOUTH 4 OR 5, DECREASING 3 AT TIMES. FAIR. GOOD. SLIGHT.

------------------------------------------------------------------------
#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.42 2004/03/02 18:03:11 fanf2 Exp $

# $PREFIX is the directory where the uvscan binary is (NOT a symlink to
# the binary), which is where it looks for its dat files. You may run
# uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
# and it will still look for the dat files here. If uvscan's library
# dependencies can be found in a standard place (e.g. /usr/local/lib)
# then you don't need a wrapper script to set LD_LIBRARY_PATH before
# running it.
#
# The dat files are installed in a subdirectory of $DATDIR named
# according to their version number, with symlinks from $PREFIX into
# the subdirectory via a current link. The current link is updated
# without locking on the assumption that this is sufficiently unlikely
# to cause a problem.

# defaults
OPTS=""
PREFIX=/opt/uvscan
FTPDIR=http://download.nai.com/products/datfiles/4.x/nai

# handle the command line
usage () {
	echo "usage: $0 [-defrtv] [prefix]"
	echo "  -d      delete old files"
	echo "  -e      get extra.dat"
	echo "  -f      force update"
	echo "  -r      show README"
	echo "  -t      timestamp output"
	echo "  -v      verbose"
	echo "  prefix  uvscan installation directory"
	exit 1
}
case $# in
0|1|2)	: ok ;;
*)	usage ;;
esac
for arg in "$@"
do
	case $arg in
	-*)	OPTS=$arg ;;
	/*)	PREFIX=$arg ;;
	*)	usage ;;
	esac
done
# every letter listed in usage must be accepted here (e included)
case $OPTS in
*[!-defrtv]*)	usage
esac
option () {
	case $OPTS in
	-*$1*)	eval $2=yes ;;
	*)	eval $2=no ;;
	esac
}
option d DELETE
option e EXTRA
option f FORCE
option r README
option t TIME
option v VERBOSE
case $FORCE in
yes)	VERBOSE=yes
esac

# look for binaries and libraries in plausible places
PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin
# this is only necessary for broken setups
LD_LIBRARY_PATH=$PREFIX
export PATH LD_LIBRARY_PATH

# where this script finds things
DATDIR=$PREFIX/datfiles
SUBDIR=datfiles/current
LINK=$PREFIX/$SUBDIR

# wrapper functions for echo etc.
timestamp () {
	case $TIME in
	yes)	date "+%Y-%m-%d %H:%M:%S "
	esac
}
say () {
	case $VERBOSE in
	yes)	echo "`timestamp`$*"
	esac
}
run () {
	say "> $*"
	"$@"
}

say Starting $0
say DELETE=$DELETE
say FORCE=$FORCE
say README=$README
say TIME=$TIME
say VERBOSE=$VERBOSE
say PREFIX=$PREFIX

if [ ! -h $LINK ]
then
	INIT=yes
	VERBOSE=yes
	say Initial setup of $0
	run mkdir -p $DATDIR
fi
run cd $DATDIR

# version number pattern
MATCH="[0-9][0-9][0-9][0-9]"

# work out latest dat version
CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err"
say "> $CMD"
if eval "$CMD"
then
	VERSION=`cat update.ini | sed "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"`
else
	cat update.err
	VERSION=UNKNOWN
fi
run rm -f update.*

badversion () {
	VERBOSE=yes
	say "Failed to get McAfee datfile update from $FTPDIR"
	say "FTP version number \"$VERSION\" $*"
	run exit 1
}

# check the format of the version number
case $VERSION in
$MATCH)	: ok ;;
*)	badversion does not match "$MATCH" ;;
esac

# already got it?
if [ -d $VERSION ]
then
	case $FORCE in
	yes)	say Forced removal of $VERSION
		run rm -rf $VERSION
		;;
	*)	say Already have $VERSION
		case $EXTRA in
		yes)	say Checking for extra.dat file
			if [ ! -f $DATDIR/$VERSION/extra.dat ]
			then
				run uvscan-extra $PREFIX
			fi
		esac
		run exit 0
		;;
	esac
fi

# work out installed dat version
PREVIOUS=`(ls -d $MATCH 2>/dev/null || echo 0000) | tail -1`

# check new version is actually newer
if [ $PREVIOUS -gt $VERSION ]
then
	badversion older than installed $PREVIOUS
fi
VERBOSE=yes
say Installed dat file is $PREVIOUS
say Latest dat file is $VERSION

# protect against failure
fail () {
	trap EXIT
	echo "$OUT"
	say Fetch or test failed -- removing bad McAfee data files
	run cd $DATDIR
	run rm -rf $VERSION
	run exit 1
}
trap fail EXIT

# fetch and extract dat files
TARFILE=dat-$VERSION.tar
run mkdir $VERSION
run cd $VERSION
run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE

# verify the contents
CMD="uvscan --version --dat ."
say "> $CMD"
OUT=`$CMD 2>&1`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
	fail
esac

# protection not needed now
trap '' EXIT
echo "$OUT"
say Update OK

# show information on this update?
case $README in
yes)	run sed 's/[[:cntrl:]]//g
		1,/^====================/d
		/^====================/,/^NEW VIRUSES DETECTED/d
		/^UNDERSTANDING VIRUS NAMES/,$d
		s/^/# /;/@MM/s/$/ <--/' readme.txt
esac

# remove some crap
run rm -f *.diz *.exe *.ini *.lst *.tar *.txt

# do remaining part of initial setup
case $INIT in
yes)	for file in *.dat extra.dat
	do
		run rm -f $PREFIX/$file
		run ln -s $SUBDIR/$file $PREFIX/$file
	done
esac

# update the current version link
run rm -f $LINK
run ln -s $VERSION $LINK

# maybe delete old dat files
case $DELETE in
yes)	run cd $DATDIR
	run rm -rf $PREVIOUS
esac

say Completed OK
run exit 0

# done
------------------------------------------------------------------------
#!/usr/bin/perl -Tw
#
# Try to obtain McAfee extra.dat file.
#
# $Cambridge: hermes/build/bin/uvscan-extra,v 1.3 2004/03/02 17:34:12 fanf2 Exp $

use strict;
use POSIX;
use LWP::UserAgent;
use HTTP::Status;

# taint safety
undef %ENV;

# external requirements
my $UNZIP = '/usr/local/bin/unzip';
my $VIL = 'http://vil.nai.com/vil';
my $VILNEW = "$VIL/newly-discovered-viruses.asp";

# uvscan directories and files
my $PREFIX = @ARGV ? $ARGV[0] : '/opt/uvscan';
my $UVSCAN = "$PREFIX/uvscan";
my $DATDIR = "$PREFIX/datfiles";
my $SUBDIR = "datfiles/current";
my $LINK = "$PREFIX/$SUBDIR";

# find active dat directory
my $CURDAT = do {
	my $link = readlink $LINK
	    or die "readlink $LINK: $!\n";
	$link =~ /^([0-9]{4})$/
	    or die "readlink $LINK: $link is not four digits\n";
	$1;
};
my $CURDIR = "$DATDIR/$CURDAT";
my $EXTRADAT = "$CURDIR/extra.dat";

# HTTP things
my $ua = LWP::UserAgent->new;
sub get ($) {
	my $url = shift;
	my $r = $ua->get($url);
	if ($r->code != RC_OK) {
		my $e = $r->status_line;
		die "GET $url: $e\n"
	}
	return $r->content;
}

# extract list of new viruses
# (the HTML tags inside this pattern were lost when the message was archived)
my @v;
my $vilnew = get $VILNEW;
while ($vilnew !~ m|^]*>\s* ]*>\s* ([^<]+) # name
	\s* \s* \s* ]*>\s* ]*>\s* ([0-9]{2})/([0-9]{2})/([0-9]{4})\s* # date
	\s* \s* ]*>\s* ]*>\s* ]*>\s* [^<]* # risk 1
	\s* \s* \s* ]*>\s* ]*>\s* ]*>\s* [^<]* # risk 2
	\s* \s* \s* ]*>\s* ]*>\s* ]*>\s* ([0-9]+)\s* # datnum
	\s* \s* \s* \s* ]*>\s* ||sx) {
	push @v, {
		url => $1,
		name => $2,
		date => "$5-$3-$4",
		datnum => $6
	};
}
undef $vilnew;

# find out which ones have useful extra.dat files
my $extraurl;
for my $v (@v) {
	next unless $v->{datnum} > $CURDAT;
	$v->{page} = get "$VIL/$v->{url}";
	if ($v->{page} =~ m|EXTRA.DAT|) {
		if (defined $extraurl) {
			warn "ignoring additional extra.dat $1\n"
			    unless $extraurl eq $1;
		} else {
			$extraurl = $1;
		}
	}
}
exit unless defined $extraurl;

warn "fetching $extraurl\n";
my $zipdata = get $extraurl;
my $zipname = "$DATDIR/extra.zip";
my $datname = "$DATDIR/extra.dat";

if (not defined eval {
	chdir "$DATDIR"
	    or die "chdir $DATDIR: $!\n";
	# note the zip file is used to prevent concurrent running
	# so it is removed last
	sysopen ZIPFILE, $zipname, O_RDWR|O_CREAT|O_EXCL
	    or die "open $zipname: $!\n";
	syswrite ZIPFILE, $zipdata
	    or die "write $zipname: $!\n";
	close ZIPFILE
	    or die "close $zipname: $!\n";
	system $UNZIP, $zipname, 'extra.dat', '-d', $DATDIR
	    and die "$UNZIP $zipname to $datname failed\n";
	system $UVSCAN, '--extra', $datname, '--version'
	    and die "$UVSCAN failed\n";
	rename $datname, $EXTRADAT
	    or die "rename $datname to $EXTRADAT: $!";
	unlink $zipname
	    or die "remove $zipname: $!";
	print "Extra dat file installed OK.\n";
	exit 0;
}) {
	warn $@;
	unlink $datname
	    or warn "remove $datname: $!\n";
	unlink $zipname
	    or warn "remove $zipname: $!\n";
	exit 1;
}
------------------------------------------------------------------------

From kevins at BMRB.CO.UK Tue Mar 2 18:40:30 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring In-Reply-To: References: Message-ID: <1078252839.15141.3.camel@bach.kevinspicer.co.uk>

On Tue, 2004-03-02 at 18:03, Dan Newcombe wrote:
> Has anyone out there modified the MailScanner-MRTG package to work with
> Cricket instead of MRTG?

I have a (long term) semi-plan to migrate MailScanner-MRTG to use rrd tool eventually. You should be able to use the main mailscanner-mrtg script to supply data to pretty much anything you like. Just remember that it must be called at 5 minute intervals.

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From sconway at WLNET.COM Tue Mar 2 18:45:52 2004 
From: sconway at WLNET.COM (Stephen Conway) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <5.1.0.14.2.20040302111930.025b0080@mail.frws.com> Message-ID: <200403021845.i22Ijck13074@zuga.wlnet.com> Good day: Does Sophos latest ide catch these, even if pw protected? Or should we upgrade sophos engine itself? Thanks, SC -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Support ePaxsys/FRWS Sent: Tuesday, March 02, 2004 1:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: bagle-i worm Hey folks Would not an addition to the filename.rules.conf rules to adjust for allowed size ranges also help in this situation? If the Virus.ZIP file was say under 100k (and maybe check for PW protection if possible) they could be blocked instead of blocking ALL Zips. Sure its an interim fix as the Virus writers would just make them bigger or do something different - but it would give us all another weapon to use to slow this stuff down and not stop legitimate mail (our goal after all!) while the AV writers come up with a solution. Thoughts? We are blocking Zips under 200k with the word 'password:' in them using procmail right now, and it is effective. Not elegant, not perfect, but its a decent interim solution. Jerome At 12:26 PM 3/2/04 -0600, Marco Obaid wrote: >Quoting Dan Newcombe : > > > Is Sophos supposed to be able to identify the password-protected zip file > > or just the virus that's in the file itself? > >I believe that it attempts to scan the entire file; > >MailScanner[16356]: ./i226Mcwt003303/eaaead.zip->dijhtpnq.exe Infection: >W32/Bagle.E@mm >MailScanner[16356]: INFECTED:: W32/Bagle-E W32/Bagle- >E:: ./i226Mcwt003303/eaaead.zip > > > Just can't win - instead of setting up an ftp server for > > once-in-a-blue-moon files needed from off site, we asked people to just > > send a pw-protected ZIP file, and now those are on the evil list. > >Can't you just temporarily white list their server's IP address to skip the >the virus checks? I would not attempt to whitelist their domain since these >worms are skilled at spoofing the sender's address. > > >Marco ePaxsys/FRWS Technical Staff ePaxsys, Inc. http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 18:50:19 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <200403021845.i22Ijck13074@zuga.wlnet.com> Message-ID: <00d201c40087$35804440$0501a8c0@darkside>

>
>Does Sophos latest ide catch these, even if pw protected? Or should we
>upgrade sophos engine itself?
>
>Thanks,
>

If you want to send a copy to me I can let you know. I've got the latest Sophos (3.79) with up to date IDE's. I don't see any bagle-i in my logs, so that may or may not be a bad sign. I'm at a relatively low volume site.

--J(K)

From shrek-m at GMX.DE Tue Mar 2 18:49:35 2004 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:54 2006 Subject: Cricket for monitoring In-Reply-To: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> Message-ID: <4044D73F.5070806@gmx.de>

Kevin Spicer wrote:
>On Tue, 2004-03-02 at 18:03, Dan Newcombe wrote:
>
>>Has anyone out there modified the MailScanner-MRTG package to work with
>>Cricket instead of MRTG?
>>

hi kevin,

Operating Systems
The following OS's have been reported to work with the current or previous releases:
 * Red Hat 9 (RPM)
 * ...

you can add

$ cat /etc/fedora-release
Fedora Core release 1 (Yarrow)
# rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm
$ lynx localhost/mailscanner-mrtg

works

--
shrek-m

From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:20:00 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:54 2006 Subject: bagle-i worm In-Reply-To: <200403021724.i22HOqk27186@zuga.wlnet.com> References: <1078247542.4044c0766a59a@webmail.MUW.Edu> <200403021724.i22HOqk27186@zuga.wlnet.com> Message-ID: <6.0.1.1.2.20040302191910.03a33608@imap.ecs.soton.ac.uk> Short answer is "no there isn't". Upgrade to the latest beta release of MailScanner and you will be protected against password-encrypted zip files, which is about the only way to stop this at the gateway. At 17:25 02/03/2004, you wrote: >Good day: > >Correct me if I am wrong, but if the zip is password protected, how would >the end user open it w/o a password? So should I be worried if some get >through? We have clients with slow Satellite connections, so it is >difficult for them to upgrade their virus defs, so we are there only line of >defense. Is there a way for Sophos to scan password protected zip files? > >Thanks, > >SC > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Marco Obaid
>Sent: Tuesday, March 02, 2004 12:12 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: bagle-i worm
>
>I can confirm that Bagle-I worm did make it through our MS gateways. I am
>running both Sophos and Command AV (up-to-date) and both let it slip
>through.
>We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it
>helps. Meanwhile, I have blocked zip files temporarily.
>
>
>Quoting Derek Winkler :
>
> > For Bagle-H Sophos included this note:
> >
> > "W32/Bagle-H sends itself as a password protected ZIP file that is not
> > detected by this identity. However, when unzipped by the user the worm
>will
> > be detected by Sophos Anti-Virus at the user's desktop."
> >
> > May be true of Bagle-I since it also uses password protected ZIP files as
> > well, although they didn't specifically say.
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:18:30 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:54 2006
Subject: SpamAssassin+sendmail config questions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040302191547.03a31b38@imap.ecs.soton.ac.uk>

At 16:59 02/03/2004, you wrote:
>hi
>
>I have been using SpamAssassin so far for Linux with sendmail+procmail.
>
>I decided to use ClamAV and Mailscanner today. I have a few basic questions,
>
>1. I had created /etc/procmailrc for SpamAssassin. Do I leave it "as is" ?

You can remove all the SpamAssassin stuff from this. MailScanner calls
SpamAssassin directly, which is quicker than using the spamc/spamd route
that is commonly used via procmail.

>2. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml
>I see that I have to create,
>
> /var/spool/MailScanner/incoming
> /var/spool/MailScanner/quarantine
>
>What should be the permissions of these directories?
>Should they be the same as mqueue.in as mentioned on
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml ?

They need to be writable by the user you are running MailScanner as.
Probably root.

>3. On http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml
>I see the instructions for modifying sendmail commands. In my
>/etc/init.d/sendmail I have,
>
> daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \
> $([ -n "$QUEUE" ] && echo -q$QUEUE)
> RETVAL=$?
>
>What should the above lines change to?

This makes it look like you are running RedHat Linux. If you are running
RedHat or other rpm-based Linux distribution, you should be using the
RPM-based distribution of MailScanner and just install it that way. Much
easier. There are installation guides for the RPM-based distributions on
the MailScanner website.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 19:21:07 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To: <4044C6A3.6080103@solid-state-logic.com>
References: <200403021724.i22HOqk27186@zuga.wlnet.com> <1078249642.4044c8aa87a59@webmail.MUW.Edu> <4044C6A3.6080103@solid-state-logic.com>
Message-ID: <6.0.1.1.2.20040302192042.039354f8@imap.ecs.soton.ac.uk>

Please can you put an example somewhere I can get it with a web browser?

At 17:38 02/03/2004, you wrote:
>Won't help
>
>ClamAV does spot this stuff though..
>
>Also Julian's latest 4.28.2-2 doesn't catch it either (even though it
>should!). I guess he's got real work on at the moment, or scratching his
>head as to why it didn't work :-)
>
>
>--
>Martin Hepworth
>Snr Systems Administrator
>Solid State Logic
>Tel: +44 (0)1865 842300
>
>
>Marco Obaid wrote:
>>The worm DOES provide the user with the password :)
>>Some of our users, as little techie as they are, managed to extract and
>>execute the zip file ...
>>
>>Sophos, in my case, has been able to intercept Bagle A through F. For some
>>reason, it failed to do so for the Bagle.I. I am upgrading Sophos to the
>>March release and will upgrade MS to latest-stable. Then I will test if
>>Bagle.I will make it through this time before I re-allow zip attachments
>>on my site.
>>
>>Quoting Stephen Conway :
>>
>>>Good day:
>>>
>>>Correct me if I am wrong, but if the zip is password protected, how would
>>>the end user open it w/o a password? So should I be worried if some get
>>>through? We have clients with slow Satellite connections, so it is
>>>difficult for them to upgrade their virus defs, so we are their only line of
>>>defense. Is there a way for Sophos to scan password protected zip files?
>>>
>>>Thanks,
>>>
>>>SC
>
>**********************************************************************
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed.
>If you have received this email in error please notify
>the system manager.
>
>This footnote confirms that this email message has been swept
>for the presence of computer viruses and is believed to be clean.
>
>**********************************************************************

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hzhu at wesleyan.edu Tue Mar 2 16:35:37 2004
From: hzhu at wesleyan.edu (Hong Zhu)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk>
Message-ID:

Hi, we use sophos and latest bagle-i IDE was downloaded onto our mail
server this morning, however we don't think mailscanner catches them as
many have passed through... any idea?

thanks,
Hong

From sconway at WLNET.COM Tue Mar 2 19:43:07 2004
From: sconway at WLNET.COM (Stephen Conway)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To: <00d201c40087$35804440$0501a8c0@darkside>
Message-ID: <200403021942.i22Jgq618927@zuga.wlnet.com>

Good Day:

We are using 3.78 as attached, we are not using mailscanner for our
filtering engine at the present, although we are planning on installing
soon. Our current filter process we have a lot of custom rules, i.e. if
from user@a.com cc to user@b.com, or archive to /somedir/usera ..., Etc.
Can mailscanner do these types of things? Also, we need a log of all
messages sent through mailscanner with all details including size of
message, does mailscanners logs have this?

Also, we are interested to know how well does mailscanner perform under
heavy loads, as we tend to send / receive messages in large batches, causing
our existing filter processes to raise load averages and memory usage.

Thanks,

SC

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki
Sent: Tuesday, March 02, 2004 1:50 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: bagle-i worm

>
>Does Sophos latest ide catch these, even if pw protected? Or should we
>upgrade sophos engine itself?
>
>Thanks,
>

If you want to send a copy to me I can let you know. I've got the latest
Sophos (3.79) with up to date IDE's. I don't see any bagle-i in my logs,
so that may or may not be a bad sign. I'm at a relatively low volume site.

--J(K)

-------------- next part --------------
SWEEP virus detection utility
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com

System time 14:35:35, System date 02 March 2004

Product version : 3.78
Engine version : 2.18
User interface version : 2.07.046
Platform : Linux/Intel
Released : 02 February 2004
Total viruses (with IDEs) : 87555

Information on additional data files:

Data file name : /usr/local/sav/agobo-aw.ide
Data file type : IDE
Data file date : 01 December 2003, 06:56:13
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotaa.ide
Data file type : IDE
Data file date : 22 October 2003, 11:33:58
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotab.ide
Data file type : IDE
Data file date : 15 October 2003, 11:29:16
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotac.ide
Data file type : IDE
Data file date : 24 October 2003, 05:54:09
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotaf.ide
Data file type : IDE
Data file date : 27 October 2003, 11:18:08
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotag.ide
Data file type : IDE
Data file date : 02 December 2003, 04:33:30
Data file status : Loaded but out of date

Data file name : /usr/local/sav/agobotas.ide
Data file type : IDE
Data file date : 27 November 2003, 07:29:57
Data file status : Loaded but out of date

Data file name :
/usr/local/sav/agobotbd.ide Data file type : IDE Data file date : 08 December 2003, 11:32:52 Data file status : Loaded Data file name : /usr/local/sav/agobotbm.ide Data file type : IDE Data file date : 15 December 2003, 10:22:50 Data file status : Loaded Data file name : /usr/local/sav/agobotbt.ide Data file type : IDE Data file date : 30 December 2003, 06:31:52 Data file status : Loaded Data file name : /usr/local/sav/antkldam.ide Data file type : IDE Data file date : 30 December 2003, 07:38:17 Data file status : Loaded Data file name : /usr/local/sav/aozo-a.ide Data file type : IDE Data file date : 09 January 2004, 06:27:32 Data file status : Loaded Data file name : /usr/local/sav/bagle-a.ide Data file type : IDE Data file date : 18 January 2004, 20:56:53 Data file status : Loaded Data file name : /usr/local/sav/bdsinita.ide Data file type : IDE Data file date : 10 November 2003, 11:42:43 Data file status : Loaded but out of date Data file name : /usr/local/sav/bodiru-a.ide Data file type : IDE Data file date : 22 December 2003, 10:18:21 Data file status : Loaded Data file name : /usr/local/sav/corfloc.ide Data file type : IDE Data file date : 21 October 2003, 11:45:27 Data file status : Loaded but out of date Data file name : /usr/local/sav/dafly-b.ide Data file type : IDE Data file date : 21 October 2003, 05:31:52 Data file status : Loaded but out of date Data file name : /usr/local/sav/divix-a.ide Data file type : IDE Data file date : 16 January 2004, 12:26:49 Data file status : Loaded Data file name : /usr/local/sav/dloaderf.ide Data file type : IDE Data file date : 11 December 2003, 06:50:36 Data file status : Loaded Data file name : /usr/local/sav/dloaderk.ide Data file type : IDE Data file date : 06 January 2004, 05:37:59 Data file status : Loaded Data file name : /usr/local/sav/dloaderl.ide Data file type : IDE Data file date : 09 January 2004, 09:25:25 Data file status : Loaded Data file name : /usr/local/sav/donk-d.ide Data file type : IDE Data file 
date : 14 October 2003, 20:53:03 Data file status : Loaded but out of date Data file name : /usr/local/sav/donk-e.ide Data file type : IDE Data file date : 17 October 2003, 05:01:20 Data file status : Loaded but out of date Data file name : /usr/local/sav/dumaru-k.ide Data file type : IDE Data file date : 26 January 2004, 12:15:05 Data file status : Loaded Data file name : /usr/local/sav/dumaru-y.ide Data file type : IDE Data file date : 24 January 2004, 14:24:22 Data file status : Loaded Data file name : /usr/local/sav/eyeveg-b.ide Data file type : IDE Data file date : 29 January 2004, 08:11:20 Data file status : Loaded Data file name : /usr/local/sav/flea-a.ide Data file type : IDE Data file date : 23 October 2003, 06:15:08 Data file status : Loaded but out of date Data file name : /usr/local/sav/flea-b.ide Data file type : IDE Data file date : 20 November 2003, 11:21:57 Data file status : Loaded but out of date Data file name : /usr/local/sav/flopcopy.ide Data file type : IDE Data file date : 23 January 2004, 08:06:39 Data file status : Loaded Data file name : /usr/local/sav/gaggle-b.ide Data file type : IDE Data file date : 20 January 2004, 12:00:42 Data file status : Loaded Data file name : /usr/local/sav/hacdef84.ide Data file type : IDE Data file date : 26 November 2003, 11:36:01 Data file status : Loaded but out of date Data file name : /usr/local/sav/holar-i.ide Data file type : IDE Data file date : 29 October 2003, 07:04:19 Data file status : Loaded but out of date Data file name : /usr/local/sav/inmotcda.ide Data file type : IDE Data file date : 10 October 2003, 02:51:51 Data file status : Loaded but out of date Data file name : /usr/local/sav/inor-c.ide Data file type : IDE Data file date : 28 January 2004, 07:16:33 Data file status : Loaded Data file name : /usr/local/sav/inorb.ide Data file type : IDE Data file date : 14 January 2004, 05:43:00 Data file status : Loaded Data file name : /usr/local/sav/ircbot-p.ide Data file type : IDE Data file date : 
20 October 2003, 21:15:13 Data file status : Loaded but out of date Data file name : /usr/local/sav/litmusas.ide Data file type : IDE Data file date : 25 November 2003, 09:47:50 Data file status : Loaded but out of date Data file name : /usr/local/sav/marq-a.ide Data file type : IDE Data file date : 27 October 2003, 10:03:38 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimail-l.ide Data file type : IDE Data file date : 01 December 2003, 23:27:46 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimail-m.ide Data file type : IDE Data file date : 31 December 2003, 06:48:05 Data file status : Loaded Data file name : /usr/local/sav/mimail-n.ide Data file type : IDE Data file date : 08 January 2004, 07:37:17 Data file status : Loaded Data file name : /usr/local/sav/mimail-q.ide Data file type : IDE Data file date : 26 January 2004, 13:52:26 Data file status : Loaded Data file name : /usr/local/sav/mimail-s.ide Data file type : IDE Data file date : 28 January 2004, 22:08:36 Data file status : Loaded Data file name : /usr/local/sav/mimailc.ide Data file type : IDE Data file date : 31 October 2003, 08:12:17 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimaile.ide Data file type : IDE Data file date : 01 November 2003, 19:56:49 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimailf.ide Data file type : IDE Data file date : 02 November 2003, 21:14:53 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimailh.ide Data file type : IDE Data file date : 03 November 2003, 10:47:49 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimaili.ide Data file type : IDE Data file date : 14 November 2003, 01:40:01 Data file status : Loaded but out of date Data file name : /usr/local/sav/mimailj.ide Data file type : IDE Data file date : 17 November 2003, 18:57:12 Data file status : Loaded but out of date Data file name : 
/usr/local/sav/mimailk.ide Data file type : IDE Data file date : 21 November 2003, 13:55:03 Data file status : Loaded but out of date Data file name : /usr/local/sav/mmdloada.ide Data file type : IDE Data file date : 15 January 2004, 09:43:40 Data file status : Loaded Data file name : /usr/local/sav/muly-a.ide Data file type : IDE Data file date : 12 November 2003, 10:13:25 Data file status : Loaded but out of date Data file name : /usr/local/sav/mydoom-a.ide Data file type : IDE Data file date : 26 January 2004, 19:32:05 Data file status : Loaded Data file name : /usr/local/sav/mydoom-b.ide Data file type : IDE Data file date : 30 January 2004, 10:41:30 Data file status : Loaded Data file name : /usr/local/sav/opaser-s.ide Data file type : IDE Data file date : 24 December 2003, 06:18:47 Data file status : Loaded Data file name : /usr/local/sav/opaservr.ide Data file type : IDE Data file date : 21 October 2003, 06:20:42 Data file status : Loaded but out of date Data file name : /usr/local/sav/opaservv.ide Data file type : IDE Data file date : 17 November 2003, 00:45:44 Data file status : Loaded but out of date Data file name : /usr/local/sav/proxin-a.ide Data file type : IDE Data file date : 20 January 2004, 05:36:23 Data file status : Loaded Data file name : /usr/local/sav/randex-i.ide Data file type : IDE Data file date : 17 October 2003, 09:50:45 Data file status : Loaded but out of date Data file name : /usr/local/sav/randex-q.ide Data file type : IDE Data file date : 23 October 2003, 10:59:33 Data file status : Loaded but out of date Data file name : /usr/local/sav/randex-y.ide Data file type : IDE Data file date : 12 January 2004, 06:43:48 Data file status : Loaded Data file name : /usr/local/sav/randonab.ide Data file type : IDE Data file date : 05 January 2004, 07:27:06 Data file status : Loaded Data file name : /usr/local/sav/rirc-a.ide Data file type : IDE Data file date : 15 January 2004, 05:24:33 Data file status : Loaded Data file name : 
/usr/local/sav/scold-a.ide Data file type : IDE Data file date : 11 December 2003, 06:19:01 Data file status : Loaded Data file name : /usr/local/sav/sdbot-dc.ide Data file type : IDE Data file date : 26 January 2004, 09:37:25 Data file status : Loaded Data file name : /usr/local/sav/sdbot-i.ide Data file type : IDE Data file date : 28 November 2003, 05:50:10 Data file status : Loaded but out of date Data file name : /usr/local/sav/sdbot-l.ide Data file type : IDE Data file date : 04 December 2003, 11:35:03 Data file status : Loaded Data file name : /usr/local/sav/sober-a.ide Data file type : IDE Data file date : 27 October 2003, 00:44:28 Data file status : Loaded but out of date Data file name : /usr/local/sav/sober-b.ide Data file type : IDE Data file date : 18 December 2003, 10:55:43 Data file status : Loaded Data file name : /usr/local/sav/sober-c.ide Data file type : IDE Data file date : 21 December 2003, 08:32:46 Data file status : Loaded Data file name : /usr/local/sav/soberenc.ide Data file type : IDE Data file date : 30 October 2003, 06:33:17 Data file status : Loaded but out of date Data file name : /usr/local/sav/spybot-r.ide Data file type : IDE Data file date : 14 October 2003, 10:06:39 Data file status : Loaded but out of date Data file name : /usr/local/sav/spybot-v.ide Data file type : IDE Data file date : 07 November 2003, 06:13:31 Data file status : Loaded but out of date Data file name : /usr/local/sav/spybot-w.ide Data file type : IDE Data file date : 06 November 2003, 05:02:54 Data file status : Loaded but out of date Data file name : /usr/local/sav/start-bg.ide Data file type : IDE Data file date : 05 January 2004, 10:04:53 Data file status : Loaded Data file name : /usr/local/sav/stawin-a.ide Data file type : IDE Data file date : 28 January 2004, 02:06:53 Data file status : Loaded Data file name : /usr/local/sav/suzer-b.ide Data file type : IDE Data file date : 31 December 2003, 05:15:59 Data file status : Loaded Data file name : 
/usr/local/sav/sysbug-a.ide Data file type : IDE Data file date : 25 November 2003, 03:01:14 Data file status : Loaded but out of date Data file name : /usr/local/sav/tofger-a.ide Data file type : IDE Data file date : 19 November 2003, 11:46:00 Data file status : Loaded but out of date Data file name : /usr/local/sav/tofger-l.ide Data file type : IDE Data file date : 23 December 2003, 05:57:07 Data file status : Loaded Data file name : /usr/local/sav/uproot-a.ide Data file type : IDE Data file date : 02 January 2004, 05:54:44 Data file status : Loaded Data file name : /usr/local/sav/weasyw-a.ide Data file type : IDE Data file date : 16 January 2004, 11:34:55 Data file status : Loaded Data file name : /usr/local/sav/webberc.ide Data file type : IDE Data file date : 11 November 2003, 10:38:44 Data file status : Loaded but out of date Data file name : /usr/local/sav/yaha-x.ide Data file type : IDE Data file date : 05 November 2003, 11:02:27 Data file status : Loaded but out of date Data file name : /usr/local/sav/Yaha-y.ide Data file type : IDE Data file date : 10 December 2003, 10:24:10 Data file status : Loaded Data file name : /usr/local/sav/zana-a.ide Data file type : IDE Data file date : 09 December 2003, 10:05:23 Data file status : Loaded Data file name : /usr/local/sav/doomj-a.ide Data file type : IDE Data file date : 09 February 2004, 14:39:28 Data file status : Loaded Data file name : /usr/local/sav/doomj-b.ide Data file type : IDE Data file date : 11 February 2004, 12:27:15 Data file status : Loaded Data file name : /usr/local/sav/deadha-a.ide Data file type : IDE Data file date : 10 February 2004, 12:54:10 Data file status : Loaded Data file name : /usr/local/sav/wukill-b.ide Data file type : IDE Data file date : 10 February 2004, 04:48:21 Data file status : Loaded Data file name : /usr/local/sav/myss-c.ide Data file type : IDE Data file date : 09 February 2004, 11:33:43 Data file status : Loaded Data file name : /usr/local/sav/sdbot-fm.ide Data file type : 
IDE Data file date : 06 February 2004, 10:25:52 Data file status : Loaded Data file name : /usr/local/sav/agobotcp.ide Data file type : IDE Data file date : 06 February 2004, 08:36:19 Data file status : Loaded Data file name : /usr/local/sav/mimail-t.ide Data file type : IDE Data file date : 05 February 2004, 12:08:27 Data file status : Loaded Data file name : /usr/local/sav/holar-j.ide Data file type : IDE Data file date : 05 February 2004, 10:12:35 Data file status : Loaded Data file name : /usr/local/sav/agobotcs.ide Data file type : IDE Data file date : 04 February 2004, 05:50:40 Data file status : Loaded Data file name : /usr/local/sav/agobot-p.ide Data file type : IDE Data file date : 03 February 2004, 05:19:29 Data file status : Loaded Data file name : /usr/local/sav/sdbot-w.ide Data file type : IDE Data file date : 02 February 2004, 10:48:30 Data file status : Loaded Data file name : /usr/local/sav/nachi-b.ide Data file type : IDE Data file date : 11 February 2004, 22:53:39 Data file status : Loaded Data file name : /usr/local/sav/mydoom-e.ide Data file type : IDE Data file date : 15 February 2004, 23:14:28 Data file status : Loaded Data file name : /usr/local/sav/pinbol-a.ide Data file type : IDE Data file date : 13 February 2004, 07:21:43 Data file status : Loaded Data file name : /usr/local/sav/doomhu-a.ide Data file type : IDE Data file date : 13 February 2004, 00:36:53 Data file status : Loaded Data file name : /usr/local/sav/netsky-b.ide Data file type : IDE Data file date : 19 February 2004, 10:49:20 Data file status : Loaded Data file name : /usr/local/sav/tanx-a.ide Data file type : IDE Data file date : 17 February 2004, 07:51:25 Data file status : Loaded Data file name : /usr/local/sav/agobotcw.ide Data file type : IDE Data file date : 17 February 2004, 07:16:09 Data file status : Loaded Data file name : /usr/local/sav/deadh-b.ide Data file type : IDE Data file date : 16 February 2004, 10:57:55 Data file status : Loaded Data file name : 
/usr/local/sav/ddossm-b.ide Data file type : IDE Data file date : 19 February 2004, 07:02:25 Data file status : Loaded Data file name : /usr/local/sav/mydoom-f.ide Data file type : IDE Data file date : 20 February 2004, 12:17:03 Data file status : Loaded Data file name : /usr/local/sav/keyhosta.ide Data file type : IDE Data file date : 19 February 2004, 12:22:13 Data file status : Loaded Data file name : /usr/local/sav/bizex-a.ide Data file type : IDE Data file date : 24 February 2004, 17:44:31 Data file status : Loaded Data file name : /usr/local/sav/netsky-c.ide Data file type : IDE Data file date : 26 February 2004, 15:29:07 Data file status : Loaded Data file name : /usr/local/sav/narhem-a.ide Data file type : IDE Data file date : 26 February 2004, 04:39:25 Data file status : Loaded Data file name : /usr/local/sav/agobotfe.ide Data file type : IDE Data file date : 27 February 2004, 07:15:03 Data file status : Loaded Data file name : /usr/local/sav/nachi-d.ide Data file type : IDE Data file date : 27 February 2004, 11:49:41 Data file status : Loaded Data file name : /usr/local/sav/bagle-c.ide Data file type : IDE Data file date : 28 February 2004, 03:05:24 Data file status : Loaded Data file name : /usr/local/sav/maddis-a.ide Data file type : IDE Data file date : 27 February 2004, 22:18:02 Data file status : Loaded Data file name : /usr/local/sav/bagled.ide Data file type : IDE Data file date : 28 February 2004, 17:46:06 Data file status : Loaded Data file name : /usr/local/sav/bagle-f.ide Data file type : IDE Data file date : 29 February 2004, 19:26:23 Data file status : Loaded Data file name : /usr/local/sav/bagle-g.ide Data file type : IDE Data file date : 29 February 2004, 23:34:01 Data file status : Loaded Data file name : /usr/local/sav/netsky-d.ide Data file type : IDE Data file date : 02 March 2004, 07:57:01 Data file status : Loaded Data file name : /usr/local/sav/bagle-h.ide Data file type : IDE Data file date : 01 March 2004, 14:48:51 Data file status 
: Loaded

Data file name : /usr/local/sav/netsky-e.ide
Data file type : IDE
Data file date : 01 March 2004, 12:18:26
Data file status : Loaded

Data file name : /usr/local/sav/bagle-i.ide
Data file type : IDE
Data file date : 02 March 2004, 06:32:18
Data file status : Loaded

From kevins at BMRB.CO.UK Tue Mar 2 20:01:52 2004
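The SWEEP report attached above is the kind of thing Raymond asks Hong to check: is the bagle-i IDE actually loaded on the box, and which IDEs does sweep consider out of date? The following is an added example (not code from the thread or from Sophos) that parses that report format mechanically; the sample is a trimmed copy of the report above with only two of its "Data file" records, and the date format string is assumed from the report's own layout.

```python
import os
from datetime import datetime

# Constructed sample: a trimmed copy of the SWEEP report quoted in the
# thread above (header lines plus two "Data file" records), not a live scan.
SAMPLE_REPORT = """\
SWEEP virus detection utility
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
System time 14:35:35, System date 02 March 2004
Product version : 3.78
Engine version : 2.18
Total viruses (with IDEs) : 87555
Information on additional data files:
Data file name : /usr/local/sav/agobo-aw.ide
Data file type : IDE
Data file date : 01 December 2003, 06:56:13
Data file status : Loaded but out of date
Data file name : /usr/local/sav/bagle-i.ide
Data file type : IDE
Data file date : 02 March 2004, 06:32:18
Data file status : Loaded
"""

# Assumed from the report's own layout, e.g. "02 March 2004, 06:32:18".
DATE_FMT = "%d %B %Y, %H:%M:%S"


def parse_sweep(text: str) -> dict:
    """Parse the report into the engine summary plus one record per IDE."""
    report = {"product": None, "engine": None, "ides": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Product version":
            report["product"] = value
        elif key == "Engine version":
            report["engine"] = value
        elif key == "Data file name":
            # Each record starts with the file name; keep the short IDE name too.
            current = {"path": value,
                       "name": os.path.basename(value).removesuffix(".ide")}
            report["ides"].append(current)
        elif current is not None and key == "Data file type":
            current["type"] = value
        elif current is not None and key == "Data file date":
            current["date"] = datetime.strptime(value, DATE_FMT)
        elif current is not None and key == "Data file status":
            current["status"] = value
    return report


def ide_loaded(report: dict, name: str) -> bool:
    """True when an IDE with this short name (e.g. 'bagle-i') is loaded,
    whether or not sweep also flags it as out of date."""
    return any(i["name"] == name and i.get("status", "").startswith("Loaded")
               for i in report["ides"])


def out_of_date(report: dict) -> list[str]:
    """Short names of IDEs sweep reports as 'Loaded but out of date'."""
    return [i["name"] for i in report["ides"] if "out of date" in i.get("status", "")]


def newest_ide(report: dict) -> tuple[str, datetime]:
    """The most recently dated IDE, a quick sanity check that updates arrive."""
    latest = max(report["ides"], key=lambda i: i["date"])
    return latest["name"], latest["date"]


if __name__ == "__main__":
    r = parse_sweep(SAMPLE_REPORT)
    print("product", r["product"], "engine", r["engine"])
    print("bagle-i loaded:", ide_loaded(r, "bagle-i"))
    print("out of date:", out_of_date(r))
    print("newest IDE:", newest_ide(r))
```

On a real box you would feed it the output of the sweep invocation shown in the attachment; the "out of date" status is reported verbatim from sweep, the parser does not try to interpret what that status means.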
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:54 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID: <1078257713.15140.35.camel@bach.kevinspicer.co.uk>

On Tue, 2004-03-02 at 09:28, Julian Field wrote:
> This version can now detect and block password-protected zip files.
>
> By default it will block all of them, but you can of course use a ruleset
> to govern the behaviour of the new option
> Allow Password-Protected Archives
>
> Download as usual from www.mailscanner.info.
>

I've just installed and tested this - it seems to work as advertised. I
appreciate the difficulty with removing individual archives, but just
wanted to report one issue which is a side effect of removing all parts.

When sending a pgp signed message the mime structure ends up wrong (you
have a multipart/signed message without a signed part) which on
Evolution at least results in a blank message (I'd guess this is MUA
specific to some extent as the warning text is in the source, just isn't
rendered due to the mime issues). Not particularly important to me, but
just thought I'd mention it.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From raymond at PROLOCATION.NET Tue Mar 2 16:39:30 2004
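Julian's reply earlier in the thread ("upgrade to the latest beta ... protected against password-encrypted zip files") and the announcement quoted above both rest on one check: a ZIP entry that needs a password has bit 0 of its general purpose flag set. The following is an added example of that check, written for this thread and not MailScanner's own code. It reads the flag from both the central directory and each entry's local header, so the two views cannot disagree silently, and wraps it in a verdict function whose allow_encrypted parameter stands in for the per-sender/recipient ruleset the announcement mentions (the option name and ruleset semantics are MailScanner's; the function and its names are this example's). The sample archives are constructed in memory; because Python's zipfile cannot write encrypted archives, the "encrypted" sample is made by setting the flag bit in an ordinary archive's headers.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP general purpose bit flag (PKWARE APPNOTE 4.4.4) is set
# when an entry is encrypted, i.e. the archive needs a password to extract.
ENCRYPTED_FLAG = 0x0001
LOCAL_SIG, LOCAL_FLAG_OFF = b"PK\x03\x04", 6      # local file header
CENTRAL_SIG, CENTRAL_FLAG_OFF = b"PK\x01\x02", 8  # central directory header


def encrypted_members(data: bytes) -> list[str]:
    """Names of entries flagged encrypted in the central directory (what
    zipfile reports) or in their own local file header. Raises
    zipfile.BadZipFile when the bytes are not a ZIP archive at all."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            central = info.flag_bits & ENCRYPTED_FLAG
            local = 0
            off = info.header_offset
            if data[off:off + 4] == LOCAL_SIG:
                local = struct.unpack_from("<H", data, off + LOCAL_FLAG_OFF)[0] & ENCRYPTED_FLAG
            if central or local:
                flagged.append(info.filename)
    return flagged


def attachment_verdict(data: bytes, allow_encrypted: bool = False) -> str:
    """Gateway decision for one attachment body. allow_encrypted plays the
    role of the per-address policy; the default blocks, as the announced
    release does by default."""
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        return "not-a-zip"  # leave it to the other checks (AV, filename rules)
    if names and not allow_encrypted:
        return "block"
    return "pass"


def build_sample(encrypted: bool, patch_central: bool = True,
                 patch_local: bool = True) -> bytes:
    """Constructed sample archive with one stored text entry. The encrypted
    variant only sets the flag bit in the chosen headers; the entry bytes
    stay plain text, which is enough to exercise the detector."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.txt", "constructed sample payload, not a real attachment\n")
    buf = bytearray(mem.getvalue())
    if not encrypted:
        return bytes(buf)
    targets = []
    if patch_local:
        targets.append((LOCAL_SIG, LOCAL_FLAG_OFF))
    if patch_central:
        targets.append((CENTRAL_SIG, CENTRAL_FLAG_OFF))
    for sig, flag_off in targets:
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
            struct.pack_into("<H", buf, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("encrypted", build_sample(True))):
        print(label, attachment_verdict(sample), encrypted_members(sample))
    print("garbage", attachment_verdict(b"not an archive"))
```

The flag tells you only that extraction needs a password, not what is inside, which is exactly why the announcement blocks such archives outright rather than trying to scan them.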
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To:
Message-ID:

Hi!

> we use sophos and latest bagle-i IDE was downloaded
> onto our mail server this morning, however we don't
> think mailscanner catch them as many have passed through...

Can you verify locally on the box that Sophos _IS_ detecting there? Also,
be sure you are running the latest version, the changes on the MIME parts
can help...

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:11:41 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To: <200403021942.i22Jgq618927@zuga.wlnet.com>
References: <00d201c40087$35804440$0501a8c0@darkside> <200403021942.i22Jgq618927@zuga.wlnet.com>
Message-ID: <6.0.1.1.2.20040302201048.03a28b18@imap.ecs.soton.ac.uk>

At 19:43 02/03/2004, you wrote:
>Good Day:
>
>We are using 3.78 as attached, we are not using mailscanner for our
>filtering engine at the present, although we are planning on installing
>soon. Our current filter process we have a lot of custom rules, i.e. if
>from user@a.com cc to user@b.com, or archive to /somedir/usera ..., Etc.
>Can mailscanner do these types of things?

Yes.

> Also, we need a log of all
>messages sent through mailscanner with all details including size of
>message, does mailscanners logs have this?

What isn't provided by MailScanner logs is provided by MailWatch. Google
will find it for you.

>Also, we are interested to know how well does mailscanner perform under
>heavy loads, as we tend to send / receive messages in large batches, causing
>our existing filter processes to raise load averages and memory usage.

It is designed to handle large loads, and shouldn't be a problem.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:18:28 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:54 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <1078257713.15140.35.camel@bach.kevinspicer.co.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk>
Message-ID: <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk>

At 20:01 02/03/2004, you wrote:
>On Tue, 2004-03-02 at 09:28, Julian Field wrote:
> > This version can now detect and block password-protected zip files.
> >
> > By default it will block all of them, but you can of course use a ruleset
> > to govern the behaviour of the new option
> > Allow Password-Protected Archives
> >
> > Download as usual from www.mailscanner.info.
> >
>
>I've just installed and tested this - it seems to work as advertised. I
>appreciate the difficulty with removing individual archives, but just
>wanted to report one issue which is a side effect of removing all parts.
>
>When sending a pgp signed message the mime structure ends up wrong (you
>have a multipart/signed message without a signed part) which on
>Evolution at least results in a blank message (I'd guess this is MUA
>specific to some extent as the warning text is in the source, just isn't
>rendered due to the mime issues). Not particularly important to me, but
>just thought I'd mention it.

Thanks for that report. I intend to rewrite most or all of this code
properly at some point soon, when I get time. It's going to be a good
weekend job as I need some uninterrupted hours, which doesn't happen at
work at the moment. The TNEF handling code will have to be rewritten as well.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From hzhu at wesleyan.edu Tue Mar 2 16:43:17 2004
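Kevin's report above describes a structural failure: once the signed body of a PGP/MIME message is removed, what is left is a multipart/signed container whose children no longer form the [body, signature] pair RFC 3156 requires, so a strict MUA shows nothing. The following is an added example, not MailScanner's code and not the rewrite Julian refers to, that reproduces the failure on a constructed message and shows one repair a gateway can apply after removal: demote the damaged multipart/signed to multipart/mixed and drop the now-orphaned signature part. The message, its placeholder archive and its placeholder signature bytes are all constructed; is_blocked is a stand-in for whatever rule triggered the removal.

```python
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the gateway's warning text.
WARNING_TEXT = "Warning: an attachment was removed by the gateway.\n"
PROBLEM = "multipart/signed without a [body, signature] pair"


def build_signed_message() -> Message:
    """Constructed sample in the RFC 3156 PGP/MIME layout:
    multipart/signed -> [multipart/mixed (text + zip), application/pgp-signature].
    The archive and signature bytes are placeholders, not real data."""
    signed_body = MIMEMultipart("mixed")
    signed_body.attach(MIMEText("Please see the attached archive.\n"))
    archive = MIMEApplication(b"PK\x03\x04placeholder, not a real archive", "zip")
    archive.add_header("Content-Disposition", "attachment", filename="report.zip")
    signed_body.attach(archive)
    signature = MIMEApplication(
        b"-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n",
        "pgp-signature")
    msg = MIMEMultipart("signed", protocol="application/pgp-signature",
                        micalg="pgp-sha256")
    msg["Subject"] = "constructed sample"
    msg.attach(signed_body)
    msg.attach(signature)
    return msg


def is_blocked(part: Message) -> bool:
    """Stand-in for the gateway's rule (filename rules, encrypted-zip check, ...)."""
    return (part.get_filename() or "").lower().endswith(".zip")


def contains_blocked(part: Message) -> bool:
    return any(is_blocked(p) for p in part.walk())


def remove_blocked(msg: Message) -> Message:
    """Remove every child that contains a blocked attachment, at each multipart
    level, and append a warning. On a signed message this takes out the whole
    signed body, which is the side effect reported in the thread."""
    containers = [p for p in msg.walk() if p.is_multipart()]  # snapshot before mutating
    for container in containers:
        children = container.get_payload()
        kept = [p for p in children if not contains_blocked(p)]
        if len(kept) != len(children):
            kept.append(MIMEText(WARNING_TEXT))
            container.set_payload(kept)
    return msg


def structure_problems(msg: Message) -> list[str]:
    """Report multipart/signed containers that no longer hold exactly a body
    followed by a signature part of the declared protocol type."""
    problems = []
    for part in msg.walk():
        if part.get_content_type() != "multipart/signed":
            continue
        parts = part.get_payload()
        if len(parts) != 2 or parts[1].get_content_type() != part.get_param("protocol"):
            problems.append(PROBLEM)
    return problems


def repair_signed(msg: Message) -> Message:
    """Demote a damaged multipart/signed to multipart/mixed and drop the orphaned
    signature: it can no longer verify anything, and the plain container lets
    the warning text render in any MUA."""
    for part in [p for p in msg.walk() if p.get_content_type() == "multipart/signed"]:
        protocol = part.get_param("protocol")
        parts = part.get_payload()
        if len(parts) == 2 and parts[1].get_content_type() == protocol:
            continue  # still intact, leave the signature alone
        part.set_payload([p for p in parts if p.get_content_type() != protocol])
        part.set_type("multipart/mixed")
        part.del_param("protocol")
        part.del_param("micalg")
    return msg


if __name__ == "__main__":
    naive = remove_blocked(build_signed_message())
    print("after removal:", naive.get_content_type(), structure_problems(naive))
    fixed = repair_signed(remove_blocked(build_signed_message()))
    print("after repair: ", fixed.get_content_type(), structure_problems(fixed))
```

The repair deliberately loses the signature rather than leaving a signed container that cannot verify; a message whose signed body was never touched passes structure_problems unchanged and is not demoted.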
From: hzhu at wesleyan.edu (Hong Zhu)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To:
Message-ID:

yes, "netsky-d" was downloaded later than "bagle-i" and I can see
mailscanner has been catching "netsky-d" however not "bagle-i"...

Data file name : /usr/local/Sophos/ide/netsky-d.ide
Data file type : IDE
Data file date : 02 March 2004, 07:57:01
Data file status : Loaded

Data file name : /usr/local/Sophos/ide/bagle-i.ide
Data file type : IDE
Data file date : 02 March 2004, 06:32:18
Data file status : Loaded

thanks,
Hong

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@jiscmail.ac.uk]On
> Behalf Of Raymond Dijkxhoorn
> Sent: Tuesday, March 02, 2004 11:40 AM
> To: MAILSCANNER@jiscmail.ac.uk
> Subject: Re: bagle-i worm
>
>
> Hi!
>
> > we use sophos and latest bagle-i IDE was downloaded
> > onto our mail server this morning, however we don't
> > think mailscanner catch them as many have passed through...
>
> Can you verify locally on the box that Sophos _IS_ detecting there? Also,
> be sure you are running the latest version, the changes on the MIME parts
> can help...
>
> Bye,
> Raymond.
>

From drew at THEMARSHALLS.CO.UK Tue Mar 2 16:42:09 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:54 2006
Subject: FreeBSD 5.x
Message-ID: <25163.194.70.180.170.1078245729.squirrel@net.themarshalls.co.uk>

Nick Nelson said:
> Hey folks.
>
> Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc) on FreeBSD?

Not that I have found. I'm running 5.2.1 without problems.

> Anything I should take into consideration before starting
> the install?
>

Not really. I always install from ports but otherwise...

> Will I lose a lot of performance going with something such as Fedora?
> RHES isn't an option unfortunately.
>
> Thanks..
>

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From maillists at CONACTIVE.COM Tue Mar 2 20:31:37 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:54 2006
Subject: Bayes rebuild never completes
In-Reply-To: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr>
References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr>
Message-ID:

John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100:

> Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes
> database rebuild preparing" then "SpamAssassin Bayes database rebuild
> starting", but never get as far as the "SpamAssassin Bayes database
> rebuild completed" that I see in the code.
>

try a manual expire and see if it gets thru, it's possible that your Bayes
db is corrupted and the Expire never completes.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From rcooper at DWFORD.COM Tue Mar 2 17:20:31 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:54 2006
Subject: Problems with 4.28-2
In-Reply-To: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Tuesday, March 02, 2004 11:09 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Problems with 4.28-2
>
>
> Many thanks for letting me know about that one, and
> for writing the fix for
> me. It turns up 1 other time in Message.pm as well
> (look for "Escape any "
> and you will find it).
> Fixed for the next release.
>

You're very welcome and thank you. Next item, are you aware that
the messages sent upon detecting a bad file name or protected zip
are blank and the warnings:

Warning: This message has had one or more attachments removed
Warning: (the entire message).
Warning: Please read the "SystemWarning.txt" attachment(s) for
more information.

are in the warning attachment instead?

> At 15:34 02/03/2004, you wrote:
> >Ok, I ran some test messages with 4.28-7 and when I sent a zip
> >with a password or bad filename the log showed:
> >
> >Mar 2 08:58:52 srv2 pop3d: LOGOUT, user=sbox, ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0
> >Mar 2 09:00:43 srv2 MailScanner[29720]: New Batch: Scanning 1 messages, 988519 bytes
> >Mar 2 09:00:43 srv2 MailScanner[29720]: Spam Checks: Starting
> >Mar 2 09:00:46 srv2 MailScanner[29720]: SpamAssassin returned 0
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Created attachment dirs for 1 messages
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Virus and Content Scanning: Starting
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by f-prot...
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by f-prot
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Commencing scanning by clamavmodule...
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed scanning by clamavmodule
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Filename Checks: Windows/DOS Executable (1AyARd-0007mi-Kk 0)
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Completed checking by /usr/bin/file
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Filetype Checks: No executables (1AyARd-0007mi-Kk 0)
> >Mar 2 09:00:48 srv2 MailScanner[29720]: Other Checks: Found 2 problems
> >
> >This would repeat over and over with the same e-mail until I
> >killed MailScanner. I put it in debug and got:
> >
> >Debug:
> >In Debugging mode, not forking...
> >Unmatched ( in regex; marked by <-- HERE in m/the sender of these
> >problems anymore ( <-- HERE since we cannot tell legitimate
> >senders/ at /opt/MailScanner/lib/MailScanner/Message.pm line 1913, line 18.
> >
> >So I looked in the report and saw it was puking on a sentence
> >enclosed in (). I looked at Message.pm line 1913 and noted:
> >
> >  $line =~ s/"/\\"/g; # Escape any " characters
> >  $line =~ s/@/\\@/g; # Escape any @ characters
> >
> >So I removed the ( and ) and it puked on a sentence that was
> >enclosed by **. I did some other checks and it puked on any regex
> >reserved character and didn't like words surrounded by quotes
> >like "To" (it did not puke on them but it complained about them).
> >So I commented out the two lines above and added:
> >
> >  $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters
> >
> >and everything worked fine again. I found I could not escape the
> >"$" because it blew the eval() below this section. I have used
> >the same reports for months and have never had this happen
> >before. Did something change here? I'm confused as to if this
> >problem has to do with something on this end as I have not seen
> >other comments about the "Maximum Archive Depth", or this
> >problem, on the list.
> >Although I guess unless your virus.deleted
> >or filename.deleted reports contained the same characters [()* or
> >.*] you wouldn't notice.. come to think about it I recently added
> >the text that was enclosed parenthetically. Might be something to
> >look at Julian.
> >
> >--
> >Rick Cooper
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From mikes at HARTWELLCORP.COM Tue Mar 2 20:33:45 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:54 2006
Subject: Defunct MailScanner procs
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0A@hart-exchange.hartwellcorp.com>

Found it. Thanks. ;-D

Julian Field wrote:
> Check your mail log. You probably have a syntax error somewhere, your
> log will tell you where.
> Or else you might have upgraded from a version that didn't need
> Net::CIDR and forgotten to read the docs and install that first?
>
> At 23:32 01/03/2004, you wrote:
>> I've just upgraded to ver. 4.27.7-1 and I'm seeing defunct
>> MailScanner processes on my system. I don't know if they existed
>> before the upgrade or not as I didn't really go looking for them.
>>
>> Does this indicate a problem?

--
Michael St. Laurent
Hartwell Corporation

From mailscanner at ecs.soton.ac.uk Tue Mar 2 20:48:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:54 2006
Subject: Problems with 4.28-2
In-Reply-To:
References: <6.0.1.1.2.20040302160819.03f0c370@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20040302204747.03a2be90@imap.ecs.soton.ac.uk>

At 17:20 02/03/2004, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: Tuesday, March 02, 2004 11:09 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Problems with 4.28-2
> >
> >
> > Many thanks for letting me know about that one, and
> > for writing the fix for
> > me. It turns up 1 other time in Message.pm as well
> > (look for "Escape any "
> > and you will find it).
> > Fixed for the next release.
> >
>
>You're very welcome and thank you. Next item, are you aware that
>the messages sent upon detecting a bad file name or protected zip
>are blank and the warnings:
>
>Warning: This message has had one or more attachments removed
>Warning: (the entire message).
>Warning: Please read the "SystemWarning.txt" attachment(s) for
>more information.
>
>Are in the warning attachment instead?

If it finds a protected zip file it knocks out the entire message, not
just the zip file. Known issue.

> > At 15:34 02/03/2004, you wrote:
> > >Ok, I ran some test messages with 4.28-7 and when I sent a zip
> > >with a password or bad filename the log showed:
> > >[snip]
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jase at SENSIS.COM Tue Mar 2 20:56:01 2004
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:22:54 2006
Subject: McAfee PROBLEM !!!
Message-ID:

Thanks for this info - it was very helpful! I have the same results.

Jason

> -----Original Message-----
> From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> Sent: Tuesday, March 02, 2004 2:09 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] McAfee PROBLEM !!!
>
>
> Hi,
>
> We installed the extra.dat this morning and it was catching some
> W32/Bagle.gen!pwdzip (ED) with dat 4330.
>
> Now that dat 4331 is out the same files are not detected as viruses
> anymore!!!
>
> I reinstalled the extra.dat to be sure they are detected.
>
> Scan with 4331:
> # uvscan --mime --mailbox --secure *
> /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> is password-protected.
> /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> is password-protected.
>
> Scan with 4331 and extra.dat:
> # uvscan --mime --mailbox --secure *
> /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> Found the W32/Bagle.gen!pwdzip (ED) virus !!!
>
> Denis
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>

From raymond at PROLOCATION.NET Tue Mar 2 17:59:04 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:54 2006
Subject: Header problem, part 2
In-Reply-To: <4044C422.1080908@abacom.com>
Message-ID:

Hi!

> Just to add to my previous EMAIL, I find that pretty much every message
> I check that contains attachments has this header:
>
> MIME_MISSING_BOUNDARY 1.84
>
> in the spamassassin score.
>
> Could this be related?

That's why I suggested upgrading MailScanner, there have been changes to
the MIME stuff.

Bye,
Raymond.

From mikes at HARTWELLCORP.COM Tue Mar 2 21:13:04 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:54 2006
Subject: Getting a *lot* of these
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0C@hart-exchange.hartwellcorp.com>

I'm seeing a *lot* of messages such as the following in the /var/log/maillog file:

Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf queue file for message i1PATTK9011213

Is there a way to configure MailScanner to do something about these instead
of complaining about them incessantly? My log files are getting *Huge*!

--
Michael St. Laurent
Hartwell Corporation

From martinh at SOLID-STATE-LOGIC.COM Tue Mar 2 16:35:59 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:54 2006
Subject: FreeBSD 5.x
In-Reply-To: <4044B39C.2070900@1SEO.net>
References: <4044B39C.2070900@1SEO.net>
Message-ID: <4044B7EF.2080905@solid-state-logic.com>

Nick

Running FreeBSD 4.8 on a Celeron 600/512MB RAM with sophossavi/clamav/sa
(with Bayes and a whole bunch of extra rules and RBLs)/MailWatch/MySQL/Apache
and Exim as the MTA. I'm also running softupdates on all the filesystems (a
single IDE hard disk). Using a RAM disk (i.e. a Linux-style tmpfs) instead of
a softupdate-ed file system made negligible performance improvements (1-2%).

I get around 1200 messages an hour out of the thing, when it's going full
tilt. I average around 9000 messages a day no problems. BTW > 80% of my
traffic is spam/viruses.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Nick Nelson wrote:
> Hey folks.
>
> Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc)
> on FreeBSD? Anything I should take into consideration before starting
> the install?
>
> Will I lose a lot of performance going with something such as Fedora?
> RHES isn't an option unfortunately.
>
> Thanks..

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept for
the presence of computer viruses and is believed to be clean.
**********************************************************************

From kevins at BMRB.CO.UK Tue Mar 2 21:06:06 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:54 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk>
Message-ID: <1078261566.15141.60.camel@bach.kevinspicer.co.uk>

On Tue, 2004-03-02 at 20:18, Julian Field wrote:
> At 20:01 02/03/2004, you wrote:
> >On Tue, 2004-03-02 at 09:28, Julian Field wrote:
> > > This version can now detect and block password-protected zip files.
> > >
> > > By default it will block all of them, but you can of course use a ruleset
> > > to govern the behaviour of the new option
> > > Allow Password-Protected Archives
> > >
> > > Download as usual from www.mailscanner.info.
> > >

One more thing to report...

When the message contains a blocked file type within a zipfile the sender,
recipient and postmaster get notified. (Okay)

When the message contains an encrypted zip the recipient gets a warning,
but neither sender nor postmaster get alerted. (Not Okay).

Presumably this would vary according to the various Notify and Notices
options, but personally I would like to see the same behaviour in both
cases (since this is a policy decision not an actual found virus). For
reference I'm running with all notifications on except notify senders of
viruses.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited.
BMRB International Limited accepts no liability in relation to any
personal emails, or content of any email which does not directly
relate to our business.

From raymond at PROLOCATION.NET Tue Mar 2 21:14:33 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:54 2006
Subject: Getting a *lot* of these
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D0C@hart-exchange.hartwellcorp.com>
Message-ID:

Hi!

> Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf queue file
> for message i1PATTK9011213
>
> Is there a way to configure MailScanner to do something about these instead
> of complaining about them incessantly? My log files are getting *Huge*!

What about cleaning out your incoming queue :) That's where it starts.

Bye,
Raymond.

From pete at eatathome.com.au Tue Mar 2 21:32:20 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:54 2006
Subject: Clam AV
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649AFA@pascal.priv.bmrb.co.uk>
Message-ID: <4044FD64.90308@eatathome.com.au>

Spicer, Kevin wrote:
>Drew Marshall wrote:
>
>>I also don't
>>use the MS update scripts, preferring my own cron jobs spaced at
>>different hourly times so that if MS is called while an update is
>>happening the other scanner will still work and to attempt to ensure
>>that one scanner should catch updates no matter which half of the
>>hour they are posted.
>
>The mailscanner update script (update_virus_scanners) creates a lock file
>which makes MailScanner wait for the scanner updates to complete before
>continuing with scanning, this should be safer than your method.
>
>>should I also run Clam (Which was updated quite quickly
>>yesterday, no promise that it will be in the future but...) or is 3 AV
>>products overkill.
>
>I now use Sophos, Clam and Symantec - Having seen the variance in update
>times the more the merrier is my angle.
>
>>The box it's on is not that big so will Clam use
>>huge amounts of system to run?
>
>Not huge (nothing like the load of Spamassassin).

We have 3 layers of AV.
Firstly the firewall does a lot of filetype filtering, then:

1 = ClamAV on MailScanners
2 = SAV on Domino MailGateway
3 = NAV on Domino home servers
4 = eTrust on Workstations
5 = We're using NAV on File servers - but are switching to 'haven't decided yet' shortly.

Note - we find NAV almost completely worthless, especially compared to
eTrust, which is fairly good, but none were within 12 hours (and over 24 on
one occasion) of ClamAV in providing updates for the last 3 or 4 large
outbreaks. I would think ClamAV is essential on the MailScanner machine.

From drew at THEMARSHALLS.CO.UK Tue Mar 2 21:33:35 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:54 2006
Subject: Svar: Re: bagle-i worm
In-Reply-To:
References:
Message-ID: <4044FDAF.3030102@themarshalls.co.uk>

Jan Elmqvist Nielsen wrote:
>Hi
>
>I have seen 1.
>Kaspersky:
>/var/spool/MailScanner/incoming/23295/i22K6AC28320/AttachedDocument.zip/ycfgeutj.scr
>infected: I-Worm.Bagle.h
>
>In the mail it says this:
>You have won!!!
>password -- 01251
>
>I am also running f-prot, it doesn't catch it.

F-Prot haven't officially recognised it (Or not according to their website)
so there isn't a definition yet. I've just installed Clam also, anyone know
how to check if that's got it covered yet?

>I don't know how kaspersky detects it in the password protected zip file.
>But it does :-)
>Last kaspersky update from 19.01
>
>/Jan Elmqvist Nielsen
>
>>>> marco@MUW.EDU 02-03-04 18:12 >>>
>I can confirm that Bagle-I worm did make it through our MS gateways. I am
>running both Sophos and Command AV (up-to-date) and both let it slip
>through.
>We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it
>helps. Meanwhile, I have blocked zip files temporarily.
>
>Quoting Derek Winkler :
>
>>For Bagle-H Sophos included this note:
>>
>>"W32/Bagle-H sends itself as a password protected ZIP file that is not
>>detected by this identity. However, when unzipped by the user the worm will
>>be detected by Sophos Anti-Virus at the user's desktop."
>>
>>May be true of Bagle-I since it also uses password protected ZIP files as
>>well, although they didn't specifically say.
From jen at AH.DK Tue Mar 2 21:30:04 2004
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:22:54 2006
Subject: Svar: Re: bagle-i worm
Message-ID:

Hi

I have seen 1.
Kaspersky:
/var/spool/MailScanner/incoming/23295/i22K6AC28320/AttachedDocument.zip/ycfgeutj.scr
infected: I-Worm.Bagle.h

In the mail it says this:
You have won!!!
password -- 01251

I am also running f-prot, it doesn't catch it.

I don't know how kaspersky detects it in the password protected zip file.
But it does :-)
Last kaspersky update from 19.01

/Jan Elmqvist Nielsen

>>> marco@MUW.EDU 02-03-04 18:12 >>>
I can confirm that Bagle-I worm did make it through our MS gateways. I am
running both Sophos and Command AV (up-to-date) and both let it slip
through. We are running MS 4.26.8-1 and will upgrade to the latest one
soon, if it helps. Meanwhile, I have blocked zip files temporarily.

Quoting Derek Winkler :

> For Bagle-H Sophos included this note:
>
> "W32/Bagle-H sends itself as a password protected ZIP file that is not
> detected by this identity. However, when unzipped by the user the worm will
> be detected by Sophos Anti-Virus at the user's desktop."
>
> May be true of Bagle-I since it also uses password protected ZIP files as
> well, although they didn't specifically say.
>

From raymond at PROLOCATION.NET Tue Mar 2 16:45:09 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
In-Reply-To:
Message-ID:

Hi!

> yes, "netsky-d" was downloaded later than "bagle-i"
> and I can see mailscanner has been catching "netsky-d"
> however not "bagle-i"...
>
> Data file name : /usr/local/Sophos/ide/netsky-d.ide
> Data file type : IDE
> Data file date : 02 March 2004, 07:57:01
> Data file status : Loaded
>
> Data file name : /usr/local/Sophos/ide/bagle-i.ide
> Data file type : IDE
> Data file date : 02 March 2004, 06:32:18
> Data file status : Loaded

I do not care much about the files being there, test it on some files
yourself. It might be a variant that your scanner is not picking up for
example.

Bye,
Raymond.

From ugob at CAMO-ROUTE.COM Wed Mar 3 07:57:59 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:22:54 2006
Subject: Custom Scores
Message-ID: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Pete [mailto:pete@eatathome.com.au]
>Sent: 3 March 2004 01:26
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Custom Scores
>
>
>Just installed DCC on one of my servers today and it is working nicely -
>made me think that, if some messages are listed with checks like DCC or
>certain RBLs, then they must be almost 100% spam, or
>undesirable emails?
>
>Has anyone heard of DCC or the best RBLs listing legit senders or
>emails? Is it worth giving these a much higher score so these messages
>score as High Spam and are deleted on the spot?
>
>Or am I missing the central reasons why things like DCC only
>score 1.81?
>

If that can help you, I got many DCC_CHECK scores with 1.81, but also one
with 2.91, like the one below:

(required 6, autolearn=spam, DCC_CHECK 2.91, HTML_50_60 0.10,
HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10,
MIME_HEADER_CTYPE_ONLY 2.23, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
MSGID_FROM_MTA_SHORT 3.03, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10,
RAZOR2_CHECK 1.05, X_LIBRARY 1.58)

Maybe it is a setting that is variable... maybe ask on the DCC list...

hth

Ugo

From vermaas at JMDEJONG.NL Wed Mar 3 09:22:22 2004
From: vermaas at JMDEJONG.NL (Peter Vermaas)
Date: Thu Jan 12 21:22:54 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <1078261566.15141.60.camel@bach.kevinspicer.co.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> <1078261566.15141.60.camel@bach.kevinspicer.co.uk>
Message-ID: <4045A3CE.10304@jmdejong.nl>

Kevin Spicer wrote:
> When the message contains an encrypted zip the recipient gets a warning,
> but neither sender nor postmaster get alerted. (Not Okay).
>

Also the message doesn't seem to be quarantined, although the recipient
gets a message which says it is quarantined.

From dwinkler at ALGORITHMICS.COM Tue Mar 2 16:46:25 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:54 2006
Subject: bagle-i worm
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com>

For Bagle-H Sophos included this note:

"W32/Bagle-H sends itself as a password protected ZIP file that is not
detected by this identity. However, when unzipped by the user the worm will
be detected by Sophos Anti-Virus at the user's desktop."

May be true of Bagle-I since it also uses password protected ZIP files as
well, although they didn't specifically say.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Hong Zhu
> Sent: Tuesday, March 02, 2004 11:36 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: bagle-i worm
>
>
> Hi,
>
> we use sophos and latest bagle-i IDE was downloaded
> onto our mail server this morning, however we don't
> think mailscanner catch them as many have passed through...
>
> any idea?
>
> thanks,
> Hong
>

From pete at eatathome.com.au Tue Mar 2 21:56:21 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:54 2006
Subject: Which Version should I run?
Message-ID: <40450305.1070207@eatathome.com.au>

I am in the process of upgrading to the latest stable release, but reading
the list I am now not sure if I should be running the latest beta to protect
against these latest password protected zip viruses? I don't really care
about content scanning them, just if it's a virus then trap the message;
will the latest stable and ClamAV stop these for me? I don't really want to
run beta if I can avoid it.

From shrek-m at GMX.DE Tue Mar 2 21:57:31 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:54 2006
Subject: Cricket for monitoring
In-Reply-To: <1078254550.15141.5.camel@bach.kevinspicer.co.uk>
References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> <4044D73F.5070806@gmx.de> <1078254550.15141.5.camel@bach.kevinspicer.co.uk>
Message-ID: <4045034B.2050100@gmx.de>

Kevin Spicer wrote:
>On Tue, 2004-03-02 at 18:49, shrek-m@gmx.de wrote:
>
>>you can add
>>
>>$ cat /etc/fedora-release
>>Fedora Core release 1 (Yarrow)
>>
>># rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm
>>
>>$ lynx localhost/mailscanner-mrtg
>>
>>works
>
>Thanks. Bet the graphs don't look too good through lynx ;)

in comparison with mozilla, no :-)

$ lynx localhost/mailscanner-mrtg

MailScanner MRTG Index Page (p1 of 4)
REFRESH(300 sec): http://localhost/mailscanner-mrtg/

MailScanner-MRTG

Mail Relayed Daily Graph
Mail Relayed Daily Graph
Spam Identified Daily Graph
Spam Identified Daily Graph
Virii & Blocked Content Daily Graph
Virii Caught Daily Graph
MTA Processes Daily Graph
MTA Processes Daily Graph
Copies Of MailScanner Daily Graph
Copies Of MailScanner Daily Graph
MBytes of Mail Transferred Daily Graph

-- Leertaste für nächste Seite --
Pfeile: Auf/Ab: andere Seite im Text. Rechts: Verweis folgen; Links: zurück.H)il

--
shrek-m

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 21:58:08 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:54 2006
Subject: Svar: Re: bagle-i worm
In-Reply-To: <4044FDAF.3030102@themarshalls.co.uk>
Message-ID: <010101c400a1$729be310$0501a8c0@darkside>

>I've just installed Clam also, anyone know how to check if that's got it
>covered yet?

grep -i bagle /path/to/share/clamav/viruses.* | cut -f 1 -d " "

viruses.db:Worm.Bagle.A
viruses.db2:Worm.Bagle.A2
viruses.db2:Worm.Bagle.A2-unp
viruses.db2:Worm.Bagle.A3
viruses.db2:Worm.Bagle.A3-unp
viruses.db2:Worm.Bagle.E
viruses.db2:Worm.Bagle.F
viruses.db2:Worm.Bagle.F-zippwd
viruses.db2:Worm.Bagle.H
viruses.db2:Worm.Bagle.F-zippwd-2
viruses.db2:Worm.Bagle.I
viruses.db2:Worm.Bagle.A2-dll

HTH,

--J(K)

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Mar 2 22:12:49 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:54 2006
Subject: Svar: Re: bagle-i worm
In-Reply-To: <4045054F.4010102@gmx.de>
Message-ID: <010801c400a3$7ff13540$0501a8c0@darkside>

>sigtool / ClamAV version 0.67

Ok, so I'm a little behind the times. :)

--J(K)

From shrek-m at GMX.DE Tue Mar 2 22:06:07 2004
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:22:54 2006
Subject: Svar: Re: bagle-i worm
In-Reply-To: <010101c400a1$729be310$0501a8c0@darkside>
References: <010101c400a1$729be310$0501a8c0@darkside>
Message-ID: <4045054F.4010102@gmx.de>

Jason Balicki wrote:
>> I've just installed Clam also, any one know how to check if that's got it
>> covered yet?
>
> grep -i bagle /path/to/share/clamav/viruses.* | cut -f 1 -d " "
>
> viruses.db:Worm.Bagle.A
> viruses.db2:Worm.Bagle.A2
> viruses.db2:Worm.Bagle.A2-unp
> viruses.db2:Worm.Bagle.A3
> viruses.db2:Worm.Bagle.A3-unp
> viruses.db2:Worm.Bagle.E
> viruses.db2:Worm.Bagle.F
> viruses.db2:Worm.Bagle.F-zippwd
> viruses.db2:Worm.Bagle.H
> viruses.db2:Worm.Bagle.F-zippwd-2
> viruses.db2:Worm.Bagle.I
> viruses.db2:Worm.Bagle.A2-dll

# file /usr/local/share/clamav/*
/usr/local/share/clamav/daily.cvd: data
/usr/local/share/clamav/main.cvd:  data

# sigtool --version; sigtool --list | grep -i bagle
sigtool / ClamAV version 0.67
Worm.Bagle.A
Worm.Bagle.A2
Worm.Bagle.A2-unp
Worm.Bagle.A3
Worm.Bagle.A3-unp
Worm.Bagle.E
Worm.Bagle.F
Worm.Bagle.F-zippwd
Worm.Bagle.H
Worm.Bagle.F-zippwd-2
Worm.Bagle.I
Worm.Bagle.A2-dll

--
shrek-m

From mikes at HARTWELLCORP.COM Tue Mar 2 22:18:10 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent)
Date: Thu Jan 12 21:22:54 2006
Subject: Getting a *lot* of these
Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com>

Raymond Dijkxhoorn wrote:
>> Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf
>> queue file for message i1PATTK9011213
>>
>> Is there a way to configure MailScanner to do something about these
>> instead of complaining about them incessantly? My log files are
>> getting *Huge*!
>
> What about cleaning out your incoming queue :) That's where it starts.

I *am* cleaning it out. Each night I'm removing any file more than one day old. However, my log files are still getting bloated.

--
Michael St. Laurent
Hartwell Corporation

From jamesb at LUDCASTLE.CO.UK Tue Mar 2 23:06:39 2004
From: jamesb at LUDCASTLE.CO.UK (James Beale)
Date: Thu Jan 12 21:22:54 2006
Subject: Virus infected attachment removal
Message-ID:

Hi

Firstly, apologies. I'm feeling a little sheepish that I can't work this out for myself!

I'm using Mailscanner with Command Software's virus scanner. Mail is being picked up via Fetchmail. I am testing with the Eicar test virus, and using Openwebmail as my client.

Mailscanner correctly identifies that the incoming mail has a virus, and deposits {VIRUS?} in the subject field. What I can't seem to do is get the attachment either disinfected or removed from the message. Eicar is not in any activated "allowed" list or other.

I have messed around with the following, and currently have them set to:

Deliver To Recipients = yes
Deliver From Local Domains = yes
Action = delete
Deliver Disinfected Files = yes

Not for the first time I feel I'm missing something obvious...

Thanks very much.

James.

From cconn at ABACOM.COM Tue Mar 2 17:09:51 2004
From: cconn at ABACOM.COM (Chris Conn)
Date: Thu Jan 12 21:22:54 2006
Subject: Cannot read header
Message-ID: <4044BFDF.7010509@abacom.com>

Hello,

What can these messages represent? I have this occasionally when customers send attachments with messages:

Mar 2 06:36:59 MailScanner[18007]: Cannot parse /var/spool/MailScanner/incoming/18007/i22Bav6Q016452.header and ,
Mar 2 06:48:35 MailScanner[18123]: Cannot parse /var/spool/MailScanner/incoming/18123/i22BmW6Q018078.header and ,
Mar 2 06:52:50 MailScanner[17930]: Cannot parse /var/spool/MailScanner/incoming/17930/i22Bqj6Q018717.header and ,
Mar 2 08:00:54 MailScanner[23072]: Cannot parse /var/spool/MailScanner/incoming/23072/i22D0h6R031169.header and ,
Mar 2 08:33:23 MailScanner[23190]: Cannot parse /var/spool/MailScanner/incoming/23190/i22DXG6Q006004.header and ,
Mar 2 11:13:17 MailScanner[23025]: Cannot parse /var/spool/MailScanner/incoming/23025/i22GD7rx016954.header and ,
Mar 2 11:43:37 MailScanner[17798]: Cannot parse /var/spool/MailScanner/incoming/17798/i22GhVrx026313.header and ,
Mar 2 11:46:55 MailScanner[18487]: Cannot parse /var/spool/MailScanner/incoming/18487/i22Gimrx026692.header and ,

The messages are delivered with the virus warning and no attachments. Attachment sizes vary from small to large.

I am running MailScanner-4.25-14 on RH9, and the /var/spool/MailScanner/incoming/ is on a tmpfs directory in case that matters.

Thanks in advance,

Chris

From rzewnickie at RFA.ORG Tue Mar 2 17:51:35 2004
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki)
Date: Thu Jan 12 21:22:54 2006
Subject: More details in the logs
In-Reply-To: <4043A1B7.2090100@eatathome.com.au>
References: <200403011259.i21CxEY16172@mx1.mailsecurity.net.au> <4043A1B7.2090100@eatathome.com.au>
Message-ID: <20040302175135.GC7683@rfa.org>

On Tue, Mar 02, 2004 at 07:48:55AM +1100, Pete wrote:
> If you want a text only version you could get and run the pflogsum.pl
> script from sourceforge too - simple perl script that greps the maillog
> and produces a nice report each night and emails it to me..

Where do you get this? I can't seem to find it on sf anywhere .... Is the version here the official, most recent version?

http://jimsun.linxnet.com/postfix_contrib.html

-Eric Rz.

From isp-list at TULSACONNECT.COM Wed Mar 3 00:43:59 2004
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:22:54 2006
Subject: FreeBSD 5.x
In-Reply-To: <4044B39C.2070900@1SEO.net>
Message-ID: <5.1.1.6.2.20040302183909.06d76b00@pop3.tulsaconnect.com>

At 11:17 AM 3/2/2004 -0500, you wrote:
> Hey folks.
>
> Are there any issues with running MailScanner+ClamAV+SpamAssassin (etc)
> on FreeBSD? Anything I should take into consideration before starting
> the install?
>
> Will I lose a lot of performance going with something such as Fedora?
> RHES isn't an option unfortunately.
>
> Thanks..

We run 3 FreeBSD boxes, two are 4.9 and one is still 4.8. Two of them are 2x2.8G Xeon w/1GB RAM and 36GB U320 SCSI drive, the other is a 2xP3-1.6G w/1GB RAM and 18GB SCSI.

We run SA+Bayes+backhair/popcorn/evillist/others+SBL+XBL+spamcop.net with exim 4.x using MySQL as the back-end for relay list validation. softupdates is turned on, and noatime is set on each filesystem in /etc/fstab. /etc/sysctl.conf has several tweaks for high volume stuff.

We process about 720,000 messages a day with this configuration. We are adding a 4th machine this week as the machines are starting to lag behind during very busy times of the day.

---------------------------------------
Mike Bacher / mike@sparklogic.com
SparkLogic Development / ISP Consulting
Use OptiGold ISP? Check out OptiSkin!
http://www.sparklogic.com/optiskin/
---------------------------------------

From pete at eatathome.com.au Wed Mar 3 01:05:17 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:54 2006
Subject: Domino/Exchange MailScanner users
Message-ID: <40452F4D.4060009@eatathome.com.au>

I know this has been covered before, but we are a Domino shop with MailScanners running in front of our email borders. All non-spam email is relayed to Domino servers.

It is not possible in this environment to ask users to forward mail to spam/non-spam addresses, or copy them to spam/non-spam folders etc; they just won't do it.

Is it practical for me to archive some non-spam email each day and some spam email, then run sa-learn over it with Julian's bash scripts?

Is this how people who don't have the spam/non-spam boxes gather non-spam for bayes? I keep trying to use auto learn but I don't think it works very well and is very quickly poisoned and giving negative scores to spam.

Not using bayes means too many newsgroup/newsletter emails are trapped as spam; being an academic facility I, like mailscanner, consider most of the emails these people get to be spam, but they don't. So I need to put some effort into getting bayes working, but without any user input.

1. Is the above worthwhile pursuing? Or does bayes really need users to input spam/non-spam?
2. If I archive non-spam and feed it into bayes, I would need to have a good look at it first - is there a way to apply filters to mailwatch so that mailwatch will display say only Spam, or only High Spam, or only emails that were archived, or only Non Spam?

With this filtering I could then check the mail each day easily and release the legit stuff and then run the scripts on the mail remaining.

Thanks in advance for ANY suggestions.

Pete

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 2 19:09:09 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:54 2006
Subject: McAfee PROBLEM !!!
Message-ID: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

We installed the extra.dat this morning and it was catching some W32/Bagle.gen!pwdzip (ED) with dat 4330. Now that dat 4331 is out the same files are not detected as viruses anymore!!! I reinstalled the extra.dat to be sure they are detected.

Scan with 4331:

# uvscan --mime --mailbox --secure *
/quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR is password-protected.
/quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR is password-protected.

Scan with 4331 and extra.dat:

# uvscan --mime --mailbox --secure *
/quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!!
/quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!!

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From kevins at BMRB.CO.UK Tue Mar 2 19:09:10 2004
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:55 2006
Subject: Cricket for monitoring
In-Reply-To: <4044D73F.5070806@gmx.de>
References: <1078252839.15141.3.camel@bach.kevinspicer.co.uk> <4044D73F.5070806@gmx.de>
Message-ID: <1078254550.15141.5.camel@bach.kevinspicer.co.uk>

On Tue, 2004-03-02 at 18:49, shrek-m@gmx.de wrote:
> you can add
>
> $ cat /etc/fedora-release
> Fedora Core release 1 (Yarrow)
>
> # rpm -ivh mailscanner-mrtg-0.08.01-1.noarch.rpm
>
> $ lynx localhost/mailscanner-mrtg
>
> works

Thanks. Bet the graphs don't look too good through lynx ;)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From drew at THEMARSHALLS.CO.UK Wed Mar 3 01:41:47 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:22:55 2006
Subject: bagle-i worm
In-Reply-To: <1078247542.4044c0766a59a@webmail.MUW.Edu>
References: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B26D@tormail2.algorithmics.com> <1078247542.4044c0766a59a@webmail.MUW.Edu>
Message-ID: <404537DB.5070509@themarshalls.co.uk>

Now I'm hoping that I've hacked the best answer I can for this. Postfix can do header & body filtering so I've set up a load of discard rules based on the Bagle-i subject lines (Just hope I've got them all :-) )

Something of a moral dilemma in so much as the options really are discard, which deletes the message having given the sending server a 250 response (Breaks an RFC or two!) or reject, but I just don't like the idea of sending the virus-laden message back to some poor innocent party.

Now just have to sit back and wait...

Drew

Marco Obaid wrote:
> I can confirm that Bagle-I worm did make it through our MS gateways. I am
> running both Sophos and Command AV (up-to-date) and both let it slip through.
> We are running MS 4.26.8-1 and will upgrade to the latest one soon, if it
> helps. Meanwhile, I have blocked zip files temporarily.
>
>
> Quoting Derek Winkler :
>
>> For Bagle-H Sophos included this note:
>>
>> "W32/Bagle-H sends itself as a password protected ZIP file that is not
>> detected by this identity. However, when unzipped by the user the worm will
>> be detected by Sophos Anti-Virus at the user's desktop."
>>
>> May be true of Bagle-I since it also uses password protected ZIP files as
>> well, although they didn't specifically say.

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From rich at MAIL.WVNET.EDU Wed Mar 3 02:05:10 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk>
Message-ID: <40453D56.70507@mail.wvnet.edu>

Julian Field wrote:
> At 12:45 02/03/2004, you wrote:
>
>> Also, If I change the above to 0 will that disable filename/type
>> checking inside the archives?
>
> I think so, yes. If 0 doesn't disable it, then -1 certainly will.

I tried setting Maximum Archive Depth = 0 (as well as -1) and the internal zip file checking was not disabled. The results were that all files including simple text messages received the warning...

> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
>
> This is a message from the WVNET MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------------
> The original e-mail attachment "the entire message"
> was scanned by our antivirus software and determined to be
> infected. It has been replaced by this warning message.
>
> At Tue Mar 2 16:39:24 2004 the virus scanner said:
>    Files hidden in very deeply nested archive

I understand that this is beta code -- I just wanted to report it. Ideally, we would like to disallow password protected zip files as well as disable the filename/type checking of normal zip files.

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From pete at eatathome.com.au Wed Mar 3 02:19:26 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: Svar: Re: bagle-i worm
In-Reply-To: <010801c400a3$7ff13540$0501a8c0@darkside>
References: <010801c400a3$7ff13540$0501a8c0@darkside>
Message-ID: <404540AE.4090600@eatathome.com.au>

Jason Balicki wrote:
>> sigtool / ClamAV version 0.67
>
> Ok, so I'm a little behind the times. :)
>
> --J(K)

For Red Hat users, if you're hopeless at remembering all those parameters, create a function command so you can execute it super easily; it even tab-completes like all other commands:

# function virus_search()
>> {
>>   # print the engine version, then every signature name matching the argument
>>   sigtool --version; sigtool --list | grep -i "$1"
>> }
#

Then simply do

# virus_search VIRUSNAME

BTW thanks for the tip, very useful.

From pete at eatathome.com.au Wed Mar 3 02:46:58 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: Domino/Exchange MailScanner users
In-Reply-To: <40452F4D.4060009@eatathome.com.au>
References: <40452F4D.4060009@eatathome.com.au>
Message-ID: <40454722.40103@eatathome.com.au>

Pete wrote:
> I know this has been covered before, but we are a Domino shop with
> MailScanners running in front of our email borders. All non spam email
> is relayed to Domino servers.
>
> It is not possible in this environment to ask users to forward mail to
> spam/non spam addresses, or copy them to spam/non spam folders etc they
> just wont do it.
>
> Is it practical for me to archive some non spam email each day and some
> spam email then run sa-learn over it with Julian's bash scripts?
>
> Is this how people who dont have the spam/non spam boxes gather non spam
> for bayes? I keep trying to use autio learn but i dont think it work
> very well and is very quickly poisened and giving negative scores to
> spam.
>
> Not using bayes means too many newsgroup/newsletter emails are trapped
> as spam, being an academic facility i, like mailscanner, consider most
> of the emails these people get is spam, but they dont. So i need to put
> some effort into getting bayes working, but without any user input.
>
> 1. Is the abiove worthwhile persuing? or does bayes really need user to
> input spam/non spam?
> 2. If i archive non spam and feed it into bayes, i would need to have a
> good look at it first - is there a way to apply filters to mailwatch so
> that mailwatch will display say only Spam, or only High Spam, or only
> emails that were archived, or only Non Spam?
>
> With this filtering i could then check the mail each day easily and
> release the legit stuff and then run the scripts on the mail remaining.
>
> Thanks in advance for ANY suggestions.
> Pete

Sorry for replying to my own post - I have tried to create my own script (from Julian's example) to make this a little easier on myself, but as you will see I am a scripting gumby.

I want to run this script at the end of each day; all the spam is kept in dirs named using the date. How do I set the SPAM variable to include the date in the path? You will see I have tried to do this in my script, but it doesn't work :(

Next I will try and work out how to handle ham; aside from archiving I don't see how I will...

#!/bin/sh
DATE=`date '+%Y%m%d'`
PREFS=/etc/MailScanner/spam.assassin.prefs.conf
LOGFILE=/var/log/learn/learn.$DATE.log
SPAM=/var/spool/MailScanner/quarantine/$DATE/spam
SA=/usr/bin/sa-learn
BOX=$SPAM.processing

touch "$LOGFILE"
date >> "$LOGFILE"

# Nothing to learn if no spam was quarantined today
if [ ! -d "$SPAM" ]; then
    echo "No spam directory $SPAM" >> "$LOGFILE"
    exit 0
fi

# Move the mail for exclusive access (the rename completes before mv returns)
mv "$SPAM" "$BOX" || exit 1

# Learn all the stuff in the current day's quarantine; stop here if sa-learn fails
$SA --prefs-file="$PREFS" --spam "$BOX" >> "$LOGFILE" 2>&1 || exit 1

# Delete the learned spam only after a successful run
rm -Rf "$BOX"

# Display the log file
cat "$LOGFILE"

From brent.addis at ROAMAD.COM Wed Mar 3 02:54:30 2004
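Pete's script above renames the day's spam directory aside, runs sa-learn over it and deletes it. As an added example, not Pete's script and not anything from MailScanner or SpamAssassin, the same procedure in Python with the checks a nightly cron job wants: the per-day path is built from the date as one YYYYMMDD component, a missing directory (the job running before anything was quarantined that day) is reported rather than treated as an error, a leftover spam.processing directory from an interrupted run is left for inspection, and the mail is deleted only when the learner exits 0. The quarantine path, prefs file and sa-learn invocation are taken from the post; the learner is passed in as a parameter so the demo() at the end can run against a constructed temporary tree without SpamAssassin installed.

```python
"""Learn one day's quarantined spam, deleting it only after sa-learn succeeds.

Added example: not Pete's script and not MailScanner code. Paths and the
sa-learn invocation follow the post; everything else is an assumption.
"""
import datetime
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"      # from the post
QUARANTINE = Path("/var/spool/MailScanner/quarantine")   # from the post
SA_LEARN = "/usr/bin/sa-learn"                           # from the post


def spam_dir_for(day: datetime.date, base: Path = QUARANTINE) -> Path:
    """The day's spam directory: the date is one path component, YYYYMMDD."""
    return base / day.strftime("%Y%m%d") / "spam"


def run_sa_learn(box: Path) -> int:
    """Default learner: run sa-learn --spam over the directory, return its exit status."""
    proc = subprocess.run(
        [SA_LEARN, "--prefs-file=" + PREFS, "--spam", str(box)],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc.returncode


def learn_day(day: datetime.date, base: Path = QUARANTINE, learner=run_sa_learn) -> str:
    """Process one day's spam. Returns 'missing', 'busy', 'failed' or 'learned'."""
    spam = spam_dir_for(day, base)
    if not spam.is_dir():
        return "missing"            # nothing quarantined yet today: not an error
    box = spam.with_name("spam.processing")
    if box.exists():
        return "busy"               # leftover from an interrupted run: inspect, do not delete
    os.rename(spam, box)            # atomic on one filesystem, so no sleep is needed
    if learner(box) != 0:
        os.rename(box, spam)        # keep the mail so the next run can retry
        return "failed"
    shutil.rmtree(box)              # only reached when the learner exited 0
    return "learned"


def demo() -> dict:
    """Run learn_day against a constructed quarantine tree with stub learners."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        day = datetime.date(2004, 3, 3)
        spam = spam_dir_for(day, base)
        results["path"] = spam.relative_to(base).as_posix()
        results["missing"] = learn_day(day, base, learner=lambda box: 0)
        spam.mkdir(parents=True)
        (spam / "i23ABC12345.message").write_text("constructed spam sample\n")
        results["failed"] = learn_day(day, base, learner=lambda box: 1)
        results["kept_after_failure"] = spam.is_dir()
        results["learned"] = learn_day(day, base, learner=lambda box: 0)
        processing = spam.with_name("spam.processing")
        results["gone_after_success"] = not spam.exists() and not processing.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

Run as a cron job it would call learn_day(datetime.date.today()) and log the returned word; "busy" is the case worth alerting on, since it means a previous run stopped between the rename and the delete.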
From: brent.addis at ROAMAD.COM (Brent Addis)
Date: Thu Jan 12 21:22:55 2006
Subject: AVG
In-Reply-To: <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk>
References: <3307.210.55.100.37.1078185004.squirrel@webmail.roamad.com> <6.0.1.1.2.20040302094202.0819bbd0@imap.ecs.soton.ac.uk>
Message-ID: <3220.210.55.100.176.1078282470.squirrel@webmail.roamad.com>

That's ok, I understand you're busy :)

Julian Field said:
> Sorry, haven't had time.
>
> At 23:50 01/03/2004, you wrote:
>> Hey
>>
>> A couple of weeks ago I queried the possibility of MailScanner
>> supporting AVG, I was just wondering if anything had been done on this
>> at all? Management want some sort of solution using AVG, and it would
>> be most cool if MailScanner could do it.
>> thanks :)
>>
>>
>> --
>> Brent Addis
>> Systems Administrator
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Brent Addis
Systems Administrator
RoamAD

From david at PLATFORMHOSTING.COM Wed Mar 3 05:46:04 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
Message-ID: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>

Hi All,

We have one box which for some reason seems to have been hit really hard by the latest version of MailScanner. The strange thing about this is that it's the newest and most highly specified box we have.

The only difference I can see with this box is that it's running multithreaded perl 5.8.0. Are there any known issues with this at all?

The box itself is a dual processor PIV with 1Gig of Ram running RedHat 9. We have the work dirs in tmpfs etc and have no problems with our other boxes, just this one which has gone from easily able to process 100,000 messages per day down to barely processing 15,000.

Any ideas would be greatly appreciated.

Regards,

David Hooton
Senior Partner
Platform Hosting
www.platformhosting.com

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040303/b019b793/attachment.html

From pete at eatathome.com.au Wed Mar 3 06:25:37 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: Custom Scores
Message-ID: <40457A61.7070104@eatathome.com.au>

Just installed DCC on one of my servers today and it is working nicely - made me think that, if some messages are listed with checks like DCC or certain RBLs, then they must be almost 100% spam, or undesirable emails?

Has anyone heard of DCC or the best RBLs listing legit senders or emails? Is it worth giving these a much higher score so these messages score as High Spam and are deleted on the spot?

OR am I missing the central reasons why things like DCC only score 1.81?

From pete at eatathome.com.au Wed Mar 3 06:29:44 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
Message-ID: <40457B58.8080600@eatathome.com.au>

David Hooton wrote:
> Hi All,
>
> We have one box which for some reason seems to have been hit really
> hard by the latest version of MailScanner the strange thing about this
> is that it's the newest and most highly specified box we have.
>
> The only difference I can see with this box is that it's running
> multithreaded perl 5.8.0 is there any known issues with this at all?
>
> The box itself is a dual processor PIV with 1Gig of Ram running RedHat
> 9. We have the work dirs in tmpfs etc and have no problems with our
> other boxes, just this one which has gone from easily able to process
> 100,000 messages per day down to barely processing 15,000
>
> Any ideas would be greatly appreciated.
>
> Regards,
>
> David Hooton
>
> Senior Partner
>
> Platform Hosting
>
> www.platformhosting.com
>
> ------------------------------------------------------------------------
> Pain free spam & virus protection - Mail Security
>
> To report SPAM forward the message to: spam@mailsecurity.net.au
>
> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>
> ------------------------------------------------------------------------

I know it's not comparable spec/stats, but one of my servers I upgraded from 4.24-5 to latest stable, where it was a p200/512mb scanning 500 emails per day with 6 MS processes, now can't even really run 3 without every message passing with spamassassin timeouts, which I am led to believe are caused by the load on the server? Was happily cruising along with .8 load average which is now almost 3 and sometimes 5 all the time. Upgraded mailwatch too, and this is now fast as.

I believe I have this machine reasonably well tuned, and as I said it was running dreamily before this upgrade... before I read this I figured I must have broken something?

From bg.mahesh at INDIAINFO.COM Wed Mar 3 09:32:08 2004
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:22:55 2006
Subject: SpamAssassin installation could not be found
Message-ID: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com>

hi

I have installed the latest versions of SA, MailScanner and ClamAV on RedHat linux.

When I start MailScanner /var/log/maillog reads,

Mar 3 14:54:50 enter3 MailScanner[3555]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar 3 14:54:50 enter3 MailScanner[3555]: SpamAssassin installation could not be found

I checked the FAQs and google regarding the same. I have only one version of perl [binary]

[root@enter3 site_perl]# which perl
/usr/bin/perl
[root@enter3 site_perl]# perl -v
This is perl, v5.8.1 built for i686-linux

/usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin has the files.

What could I be doing wrong?

--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/
--
______________________________________________
IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes!
Powered by Outblaze

From pete at eatathome.com.au Wed Mar 3 09:55:58 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: Custom Scores
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <4045ABAE.5040100@eatathome.com.au>

Ugo Bellavance wrote:
>> -----Original Message-----
>> From: Pete [mailto:pete@eatathome.com.au]
>> Sent: 3 March 2004 01:26
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Custom Scores
>>
>>
>> Just installed DCC on one of my servers today and is working nicely -
>> made me think that, if some messages are listed with checks like DCC or
>> certain RBLs, then they must be almost 100% spam, or
>> undesirable emails?
>>
>> Has anyone heard of DCC or the best RBLs listing legit senders or
>> emails? is it worth giving these a much higher score so these message
>> score as High Spam and are deleted on the spot?
>>
>> OR am I missing the central reasons why things like DCC only
>> score 1.81 ?
>
> If that can help you, I got many DCC_CHECK score with 1.81, but also one with 2.91, like the one below:
>
>  (required 6, autolearn=spam, DCC_CHECK 2.91, HTML_50_60 0.10,
>  HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONT_BIG 0.27, HTML_MESSAGE 0.10,
>  MIME_HEADER_CTYPE_ONLY 2.23, MIME_HTML_NO_CHARSET 0.56,
>  MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_SHORT 3.03,
>  PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10,
>  RAZOR2_CHECK 1.05, X_LIBRARY 1.58)
>
> Maybe it is a setting that is variable... maybe ask on the DCC list...
>
> hth
>
> Ugo

Thanks, 'twas just a thought about these types of checks in general - seems like a lot of work for 1.81 - but it's most likely because I don't understand enough about whether some of the entries in these lists are sometimes legit?

From john at TRADOC.FR Wed Mar 3 09:56:55 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk>
Message-ID:

Just spotted this on the clamav list:

| Our signatures Worm.Bagle.F-zippwd* are based on the "real" contents of
| mail messages (stream of characters as they are), while amavisd-new (and
| probably amavis) "divide" messages to parts and decode them separately,
| hence ClamAV doesn't get the original stream of chars.

Does this also apply to MailScanner, or does MS pass the entire message to clamav(module)?

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From john at TRADOC.FR Wed Mar 3 10:15:11 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:22:55 2006
Subject: Bayes rebuild never completes
In-Reply-To:
References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr>
Message-ID: <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr>

On Tue, 2 Mar 2004 21:31:37 +0100, Kai Schaetzl wrote:
> John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100:
>
>> Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes
>> database rebuild preparing" then "SpamAssassin Bayes database rebuild
>> starting", but never get as far as the "SpamAssassin Bayes database
>> rebuild completed" that I see in the code.
>
> try a manual expire and see if it gets thru, it's possible that your Bayes
> db is corrupted and the Expire never completes.

Yes, manual expire works fine.

I've added some extra syslog calls in SA.pm - the init_learner() call completes, but rebuild_learner_caches() never does. Does that help at all, Julian?

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:12:54 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Which Version should I run?
In-Reply-To: <40450305.1070207@eatathome.com.au>
References: <40450305.1070207@eatathome.com.au>
Message-ID: <6.0.1.1.2.20040303101111.039a4950@imap.ecs.soton.ac.uk>

At 21:56 02/03/2004, you wrote:
> I am in the process of upgrading to latest stable release, but reading
> the list I am now not sure if I should be running the latest beta to
> protect against these latest password protected zip viruses?
>
> I don't really care about content scanning them, just if it's a virus then
> trap the message, will latest stable and clamav stop these for me? I
> don't really want to run beta if I can avoid it.

There are some viruses out there using randomly-encrypted zip archives, which cannot be scanned by the virus scanners as they are encrypted. The only exception is that ClamAV may detect them as being passworded zip archives. These viruses can only then be detected at the desktop when someone is daft enough to open one.

So if you want the latest protection against this, go for 4.28.3 (assuming I don't put out any fixes later today). So wait a day first.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:15:29 2004
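Julian's point above is that a scanner cannot look inside a randomly-encrypted zip, so the most a gateway can do is recognise that an attachment is a password-protected archive and treat that as a policy decision. As an added example, not MailScanner, ClamAV or uvscan code, the Python below makes that determination from the archive structure: every zip entry records encryption in bit 0 of its general-purpose flag, in both the local file header and the central directory, so the check reads those flags rather than trusting the filename or Content-Type. The message and archive it runs on are constructed inline (the entry name WBJAMVF.SCR is taken from Denis Beauchemin's uvscan output earlier in the thread; the entry's bytes are a harmless placeholder with only the flag set the way a passworded archive carries it), and the fallback header scan goes beyond the single case in the thread by also flagging a truncated archive whose central directory is missing.

```python
"""Flag password-protected zip attachments by reading the archive headers.

Added example; not MailScanner, ClamAV or uvscan code. A zip entry records
encryption in bit 0 of its general-purpose flag, both in the local file
header ('PK' 0x03 0x04, flag at offset 6) and in the central-directory
header ('PK' 0x01 0x02, flag at offset 8). The sample archive and message
built below are constructed.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

LOCAL_HEADER = b"PK\x03\x04"
CENTRAL_HEADER = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x1


def encrypted_entries(data: bytes) -> list:
    """Entry names whose general-purpose flag has the encryption bit set.

    Prefer the central directory (what unzip trusts); if it is missing or
    truncated, fall back to scanning local file headers so a cut-off
    archive still gets flagged instead of silently passing.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & FLAG_ENCRYPTED]
    except zipfile.BadZipFile:
        names = []
        pos = data.find(LOCAL_HEADER)
        while pos != -1 and pos + 30 <= len(data):
            flag = int.from_bytes(data[pos + 6:pos + 8], "little")
            name_len = int.from_bytes(data[pos + 26:pos + 28], "little")
            name = data[pos + 30:pos + 30 + name_len].decode("cp437", "replace")
            if flag & FLAG_ENCRYPTED:
                names.append(name)
            pos = data.find(LOCAL_HEADER, pos + 4)  # signature may recur inside stored data
        return names


def suspicious_zip_parts(raw_message: bytes) -> list:
    """(attachment filename, encrypted entry names) for every zip part of a message.

    A part counts as a zip by its leading bytes, not by Content-Type or file
    extension, since the sender controls both of those.
    """
    msg = message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(LOCAL_HEADER):
            continue
        names = encrypted_entries(payload)
        if names:
            hits.append((part.get_filename() or "(unnamed)", names))
    return hits


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-entry archive. With encrypted=True the encryption bit is
    set in both headers the way a passworded archive carries it; the entry
    data itself stays a harmless string, not an enciphered program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("WBJAMVF.SCR", b"constructed placeholder, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= FLAG_ENCRYPTED                               # local file header flag
        data[data.find(CENTRAL_HEADER) + 8] |= FLAG_ENCRYPTED   # central directory flag
    return bytes(data)


def build_sample_message(zip_bytes: bytes) -> bytes:
    """Constructed message carrying the archive as Document.zip."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attached")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(suspicious_zip_parts(build_sample_message(build_sample_zip(True))))
```

A hit here is a structural fact, not a virus verdict: the sensible gateway response is the one the thread converges on, quarantine and notify the recipient, rather than pretending the archive was scanned clean.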
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Virus infected attachment removal
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040303101444.039bf9c8@imap.ecs.soton.ac.uk>

You are running a *very* old version of MailScanner, probably version 3. Version 4 was released in the summer of 2002, to give you some idea. Upgrade to a rather more recent version.

At 23:06 02/03/2004, you wrote:
> Hi
>
> Firstly, apologies. I'm feeling a little sheepish that I can't work this
> out for myself!
>
> I'm using Mailscanner with Command Software's virus scanner. Mail is being
> picked up via Fetchmail. I am testing with Eicar test virus, and using
> Openwebmail as my client.
>
> Mailscanner correctly identifies that the incoming mail has a virus, and
> deposits {VIRUS?} in the subject field. What I can't seem to do is get the
> attachment either disinfected or removed from the message. Eicar is not in
> any activated "allowed" list or other.
>
> I have messed around with the following, and currently have them set to:
> Deliver To Recipients = yes
> Deliver From Local Domains = yes
> Action = delete
> Deliver Disinfected Files = yes
>
> Not for the first time I feel I'm missing something obvious...
>
> Thanks very much.
>
> James.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:22:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Bayes rebuild never completes
In-Reply-To: <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr>
References: <2r49409404j24elkcqjgdt458csk6j208s@tradoc.fr> <8sbb40djlhdlqo8un2gv04bi9t96dn08ai@tradoc.fr>
Message-ID: <6.0.1.1.2.20040303102218.03f81478@imap.ecs.soton.ac.uk>

At 10:15 03/03/2004, you wrote:
> On Tue, 2 Mar 2004 21:31:37 +0100, Kai Schaetzl wrote:
>> John Wilcock wrote on Tue, 2 Mar 2004 15:31:49 +0100:
>>
>>> Syslogs show that "Bayes database rebuild is due", "SpamAssassin Bayes
>>> database rebuild preparing" then "SpamAssassin Bayes database rebuild
>>> starting", but never get as far as the "SpamAssassin Bayes database
>>> rebuild completed" that I see in the code.
>>
>> try a manual expire and see if it gets thru, it's possible that your Bayes
>> db is corrupted and the Expire never completes.
>
> Yes, manual expire works fine.
>
> I've added some extra syslog calls in SA.pm - the init_learner() call
> completes, but rebuild_learner_caches() never does. Does that help at
> all, Julian?

It's a file locking subtlety that I haven't sussed out completely yet. Will work on it when password-protected zip files calm down a little bit. It's not top of the list right now :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:10:41 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <4045A3CE.10304@jmdejong.nl>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <1078257713.15140.35.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040302201656.039abb00@imap.ecs.soton.ac.uk> <1078261566.15141.60.camel@bach.kevinspicer.co.uk> <4045A3CE.10304@jmdejong.nl>
Message-ID: <6.0.1.1.2.20040303100944.039a4be0@imap.ecs.soton.ac.uk>

At 09:22 03/03/2004, you wrote:
>Kevin Spicer wrote:
>
>>When the message contains an encrypted zip the recipient gets a warning,
>>but neither sender nor postmaster get alerted. (Not Okay).
>
>Also the message doesn't seem to be quarantined, although the recipient
>gets a message which says it is quarantined.

Try 4.28.3 :-)

I have had a good few hours (relatively) uninterrupted work this morning, which has given me a chance to rewrite a fair chunk of the zip-file handling code. Should work rather better now. Read the docs about the Zip-Password keyword in Silent Viruses.

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:27:29 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
Message-ID: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>

Hi folks!

The "fastest code factory in the West" has been running full tilt this morning :-)

I have managed to rewrite a lot of the code that handles password-protected zip files.

The logging, quarantining and notifications should work rather better now. I have hopefully fixed the other outstanding bugs in this area too.

There is a new option keyword for the Silent Viruses list: "Zip-Password" which causes password-protected zip files to be treated "silently". I suggest you add it to your list. If "Warn Senders of Viruses" is off, then it also shouldn't send warnings about password-protected zip files, as they are more likely to be viruses than anything else, so I have treated them that way.

Download as usual from www.mailscanner.info.

Please report any problems!

Boy, do I need a holiday... ;-)

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:20:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>

Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n. That can cripple Perl.

At 05:46 03/03/2004, you wrote:
>Hi All,
>
>We have one box which for some reason seems to have been hit really hard
>by the latest version of MailScanner; the strange thing about this is that
>it's the newest and most highly specified box we have.
>
>The only difference I can see with this box is that it's running
>multithreaded perl 5.8.0. Are there any known issues with this at all?
>
>The box itself is a dual processor PIV with 1Gig of Ram running RedHat
>9. We have the work dirs in tmpfs etc and have no problems with our other
>boxes, just this one which has gone from easily able to process 100,000
>messages per day down to barely processing 15,000.
>
>Any ideas would be greatly appreciated.
>
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>www.platformhosting.com
>
>Pain free spam & virus protection - Mail Security
>
>To report SPAM forward the message to: spam@mailsecurity.net.au
>To report incorrectly tagged messages: notspam@mailsecurity.net.au

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:21:40 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: SpamAssassin installation could not be found
In-Reply-To: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com>
References: <20040303093208.53E7B3982E7@ws5-1.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040303102047.0407fa48@imap.ecs.soton.ac.uk>

You probably installed SpamAssassin from the RPM distribution. Remove that rpm (use "rpm -e" to do it) and then install SpamAssassin either from source or from CPAN like this:

perl -MCPAN -e shell
install Mail::SpamAssassin

Then you should find it works.

At 09:32 03/03/2004, you wrote:
>hi
>
>I have installed the latest versions of SA, MailScanner and ClamAV on
>RedHat linux
>
>When I start MailScanner /var/log/maillog reads,
>
>Mar 3 14:54:50 enter3 MailScanner[3555]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
>Mar 3 14:54:50 enter3 MailScanner[3555]: SpamAssassin installation could not be found
>
>I checked the FAQs and google regarding the same. I have only one version
>of perl [binary]
>
>[root@enter3 site_perl]# which perl
>/usr/bin/perl
>[root@enter3 site_perl]# perl -v
>
>This is perl, v5.8.1 built for i686-linux
>
>/usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin has the files. What could
>I be doing wrong?
>
>--
>B.G. Mahesh
>bg.mahesh@indiainfo.com
>http://www.indiainfo.com/

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:14:18 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Getting a *lot* of these
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D0D@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040303101342.039bfc58@imap.ecs.soton.ac.uk>

At 22:18 02/03/2004, you wrote:
>Raymond Dijkxhoorn wrote:
>
>> > Feb 29 04:25:50 guardian MailScanner[30554]: Batch: Found invalid qf
>> > queue file for message i1PATTK9011213
>> >
>> > Is there a way to configure MailScanner to do something about these
>> > instead of complaining about them incessantly? My log files are
>> > getting *Huge*!
>>
>> What about cleaning out your incoming queue :) That's where it starts.
>
>I *am* cleaning it out. Each night I'm removing any file more than one day
>old. However, my log files are still getting bloated.

How are these bad files being generated? I very rarely see this problem. I would definitely advise you to investigate the cause rather than just killing the symptom.

From mailscanner at ecs.soton.ac.uk Wed Mar 3 10:19:21 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.2 released
In-Reply-To: <40453D56.70507@mail.wvnet.edu>
References: <6.0.1.1.2.20040302092653.038f0fd8@imap.ecs.soton.ac.uk> <6.0.1.1.2.20040302152441.09ed1b88@imap.ecs.soton.ac.uk> <40453D56.70507@mail.wvnet.edu>
Message-ID: <6.0.1.1.2.20040303101901.03f3e278@imap.ecs.soton.ac.uk>

At 02:05 03/03/2004, you wrote:
>Julian Field wrote:
>
>>At 12:45 02/03/2004, you wrote:
>>
>>>Also, if I change the above to 0 will that disable filename/type
>>>checking inside the archives?
>>
>>I think so, yes. If 0 doesn't disable it, then -1 certainly will.
>
>I tried setting Maximum Archive Depth = 0 (as well as -1) and the
>internal zip file checking was not disabled. The results were that all
>files including simple text messages received the warning...

It should work now (4.28.3).

>
>Warning: This message has had one or more attachments removed
>
>Warning: (the entire message).
>
>Warning: Please read the "VirusWarning.txt" attachment(s) for more
>information.
>
>This is a message from the WVNET MailScanner E-Mail Virus Protection
>Service
>
>----------------------------------------------------------------------------
>
>The original e-mail attachment "the entire message"
>was scanned by our antivirus software and determined to be
>infected. It has been replaced by this warning message.
>
>At Tue Mar 2 16:39:24 2004 the virus scanner said:
> Files hidden in very deeply nested archive
>
>I understand that this is beta code -- I just wanted to report it.
>Ideally, we would like to disallow password protected zip files as well
>as disable the filename/type checking of normal zip files.
>
>--
>Richard E. Lynch
>Systems Programming Manager
>West Virginia Network (WVNET)
>837 Chestnut Ridge Road
>Morgantown, WV 26505
>(304) 293-5192 x243

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 10:49:49 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID: <4045B84D.80907@solid-state-logic.com>

Julian

What, you mean the two days in B'mouth at UKUUG wasn't a holiday :-)

Thanks as always for the work - I was hoping to make it to UKUUG and buy you a drink, but 1) I'd have prob got killed in the rush.. 2) didn't make it anyhow..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> Hi folks!
>
> The "fastest code factory in the West" has been running full tilt this
> morning :-)
>
> I have managed to rewrite a lot of the code that handles password-protected
> zip files.
>
> The logging, quarantining and notifications should work rather better now.
> I have hopefully fixed the other outstanding bugs in this area too.
>
> There is a new option keyword for the Silent Viruses list: "Zip-Password"
> which causes password-protected zip files to be treated "silently". I
> suggest you add it to your list. If "Warn Senders of Viruses" is off, then
> it also shouldn't send warnings about password-protected zip files, as they
> are more likely to be viruses than anything else, so I have treated them
> that way.
>
> Download as usual from www.mailscanner.info.
>
> Please report any problems!
>
> Boy, do I need a holiday... ;-)

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From rcooper at DWFORD.COM Wed Mar 3 10:55:47 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:55 2006
Subject: ClamAV module
In-Reply-To: <4045B3D2.8050505@solid-state-logic.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> Sent: Wednesday, March 03, 2004 5:31 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ClamAV module
>
> Guys
>
> Which version of the ClamAV module should I be using. I recall
> something about one of the versions not working properly with MS, but I
> can't see anything on the archives.
>
> (btw - running MS 4.28.2-2 and clamav 0.67)
>

I think it was 0.66 (maybe .65) and it didn't work period.. the developers accidentally left some code from the test phase that was to be removed upon install so the ClamAV.pm mod was looking for a file that did not exist and bailed (just so you know it wasn't a MS problem)

> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From david at PLATFORMHOSTING.COM Wed Mar 3 10:57:22 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
Message-ID: <200403031057.i23AvNC31852@mx1.mailsecurity.net.au>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Wednesday, 3 March 2004 9:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Multi Threaded Perl
>
> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>

Certainly have :) It's the first thing I kill on a RedHat box :)

Regards,

David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From steve.freegard at LBSLTD.CO.UK Wed Mar 3 10:37:10 2004
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:22:55 2006
Subject: ClamAV module
Message-ID: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk>

Hi Martin,

I don't think it matters at all - this morning I just upgraded Clam to .67 as I realised I'd downloaded it but not installed it (Duh!). I was already running the Mail::ClamAV module so to be on the safe side I stopped MS just prior to the 'make install' of .67 and installed the latest Mail::ClamAV via CPAN at the same time, just in case the libraries had changed at all.

Working nicely so far...

Kind regards,

Steve.

> -----Original Message-----
> From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
> Sent: 03 March 2004 10:31
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: ClamAV module
>
> Guys
>
> Which version of the ClamAV module should I be using. I recall
> something about one of the versions not working properly with
> MS, but I can't see anything on the archives.
>
> (btw - running MS 4.28.2-2 and clamav 0.67)
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 10:30:42 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:55 2006
Subject: ClamAV module
Message-ID: <4045B3D2.8050505@solid-state-logic.com>

Guys

Which version of the ClamAV module should I be using. I recall something about one of the versions not working properly with MS, but I can't see anything on the archives.

(btw - running MS 4.28.2-2 and clamav 0.67)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From david at PLATFORMHOSTING.COM Wed Mar 3 11:03:37 2004
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
Message-ID: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>

Hi All,

We've got a domain that is being joe jobbed and we want to set up a special ruleset for any mail from <> to be handled differently. I've tried the following and it didn't work..

From: <> delete forward user@domain.com

Any advice greatly appreciated.

Regards,

David Hooton

From kfliong at WOFS.COM Wed Mar 3 10:53:34 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:22:55 2006
Subject: changing spamassassin points configuration
Message-ID: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>

Hi,

I have this email which is not spam but has a score of 5.642, which is high as by default more than 5 is considered spam.

Can I know how I can reduce the score?

spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)

Also, the score mainly comes from BAYES_90 2.10 and DEAR_SOMETHING 2.30.... where can I get more details on what those scores mean? Does mailscanner use a different config file for controlling spamassassin?

thanks in advance

thanks

From pete at eatathome.com.au Wed Mar 3 11:09:19 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:55 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>
References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2>
Message-ID: <4045BCDF.8020402@eatathome.com.au>

kfliong wrote:
> Hi,
>
> I have this email which is not spam but has a score of 5.642, which is
> high as by default more than 5 is considered spam.
>
> Can I know how I can reduce the score?
>
> spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
> DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10,
> HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)
>
> Also, the score mainly comes from BAYES_90 2.10 and DEAR_SOMETHING
> 2.30.... where can I get more details on what those scores mean? Does
> mailscanner use a different config file for controlling spamassassin?
>
> thanks in advance
>
> thanks

Isn't this a situation for learning as ham? I am NO expert, but if you have no other method maybe turn on archiving till you get a copy of this message, then sa-learn it as ham?

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:23:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
In-Reply-To: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>
References: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au>
Message-ID: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk>

At 11:03 03/03/2004, you wrote:
>Hi All,
>
>We've got a domain that is being joe jobbed and we want to set up a special
>ruleset for any mail from <> to be handled differently. I've tried the
>following and it didn't work..
>
>From: <> delete forward user@domain.com

Try

From: /^$/ delete forward user@domain.com

>
>Any advice greatly appreciated.
>
>Regards,
>
>David Hooton

From mailscanner at petermair.at Wed Mar 3 11:25:10 2004
From: mailscanner at petermair.at (Patrick Petermair)
Date: Thu Jan 12 21:22:55 2006
Subject: Why is this mail spam?
Message-ID: <4045C096.9060108@petermair.at>

Hi!

I've implemented mailscanner yesterday, and it seems to work fine. However, I have some mails that are marked as spam and are _under_ the spamscore of 5. I have even increased "Spam Lists To Reach High Score" to 3 instead of 2 (the mails that are marked as spam are found in only 1 Spam List).

Here is an example from the logfile:

Mar 3 03:09:59 watt MailScanner[3426]: New Batch: Scanning 1 messages, 4177 bytes
Mar 3 03:09:59 watt MailScanner[3426]: MCP Checks completed at 4177 bytes per second
Mar 3 03:09:59 watt MailScanner[3426]: Spam Checks: Starting
Mar 3 03:10:01 watt MailScanner[3426]: RBL checks: 1AyLpd-0000tK-VF found in spamhaus.org
Mar 3 03:10:05 watt MailScanner[3426]: Message 1AyLpd-0000tK-VF from 69.42.78.187 (bdbiflciclcdbagglbgabcgeba@dc41.com) to anecon.com is spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90 2.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)
Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks: Found 1 spam messages
Mar 3 03:10:05 watt MailScanner[3426]: Spam Actions: message 1AyLpd-0000tK-VF actions are store,deliver,striphtml
Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks completed at 696 bytes per second

As you can see, 5 points are required and this mail got 3.634 and was only in 1 RBL. What could trigger this? I have nothing special configured (no whitelists, no blacklists,..)

Patrick

From maillists at CONACTIVE.COM Wed Mar 3 11:31:28 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:22:55 2006
Subject: Svar: bagle-i worm
In-Reply-To: <404540AE.4090600@eatathome.com.au>
References: <010801c400a3$7ff13540$0501a8c0@darkside> <404540AE.4090600@eatathome.com.au>

Pete wrote on Wed, 3 Mar 2004 13:19:26 +1100:

> For red Hat users
>

Why do you think this is supposed to be limited to Red Hat users? It's standard shell functionality.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 11:36:33 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID: <4045C341.8020400@solid-state-logic.com>

Julian

the fastest code factory in the west ain't producing the fastest code :-(

My CPU is running at 100% and just about keeping up with the mail traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was pushing about 1500 per hour..

eek!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> Hi folks!
>
> The "fastest code factory in the West" has been running full tilt this
> morning :-)
>
> I have managed to rewrite a lot of the code that handles password-protected
> zip files.
>
> The logging, quarantining and notifications should work rather better now.
> I have hopefully fixed the other outstanding bugs in this area too.
>
> There is a new option keyword for the Silent Viruses list: "Zip-Password"
> which causes password-protected zip files to be treated "silently". I
> suggest you add it to your list. If "Warn Senders of Viruses" is off, then
> it also shouldn't send warnings about password-protected zip files, as they
> are more likely to be viruses than anything else, so I have treated them
> that way.
>
> Download as usual from www.mailscanner.info.
>
> Please report any problems!
>
> Boy, do I need a holiday... ;-)

From andersjk at SOL-INVICTUS.ORG Wed Mar 3 11:39:55 2004
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:22:55 2006
Subject: Rules to catch bounces
In-Reply-To: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk>

We had that happen as well; we set up a server just to handle those small domains, changed the mx record and bingo, spam dropped off, as the hunters went off to spam the stand alone box... they don't realize the mails go nowhere.

thanks,
kevin

On Wed, 3 Mar 2004, Julian Field wrote:

> At 11:03 03/03/2004, you wrote:
> >Hi All,
> >
> >We've got a domain that is being joe jobbed and we want to set up a special
> >ruleset for any mail from <> to be handled differently. I've tried the
> >following and it didn't work..
> >
> >From: <> delete forward
> >user@domain.com
>
> Try
> From: /^$/ delete forward user@domain.com
>
> >
> >Any advice greatly appreciated.
> >
> >Regards,
> >
> >David Hooton
>

--
@
_____________________________________________
chaos, panic and disorder... my job is done...

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:37:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: Why is this mail spam?
In-Reply-To: <4045C096.9060108@petermair.at>
References: <4045C096.9060108@petermair.at>
Message-ID: <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk>

At 11:25 03/03/2004, you wrote:
>Hi!
>
>I've implemented mailscanner yesterday, and it seems to work fine.
>However, I have some mails that are marked as spam and are _under_
>the spamscore of 5. I have even increased "Spam Lists To Reach High
>Score" to 3 instead of 2 (the mails that are marked as spam are found in
>only 1 Spam List).

If it is found in 1 spam list it is still marked as spam. As the option name says, it is "Spam Lists to reach **High** score". High-scoring spam is handled according to the "High Scoring Spam Actions" setting. Normal spam is handled according to the "Spam Actions" setting.

>Here is an example from the logfile:
>
>Mar 3 03:09:59 watt MailScanner[3426]: New Batch: Scanning 1 messages, 4177 bytes
>Mar 3 03:09:59 watt MailScanner[3426]: MCP Checks completed at 4177 bytes per second
>Mar 3 03:09:59 watt MailScanner[3426]: Spam Checks: Starting
>Mar 3 03:10:01 watt MailScanner[3426]: RBL checks: 1AyLpd-0000tK-VF found in spamhaus.org
>Mar 3 03:10:05 watt MailScanner[3426]: Message 1AyLpd-0000tK-VF from 69.42.78.187 (bdbiflciclcdbagglbgabcgeba@dc41.com) to anecon.com is spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90 2.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks: Found 1 spam messages
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Actions: message 1AyLpd-0000tK-VF actions are store,deliver,striphtml
>Mar 3 03:10:05 watt MailScanner[3426]: Spam Checks completed at 696 bytes per second
>
>As you can see, 5 points are required and this mail got 3.634 and was
>only in 1 RBL.
>What could trigger this? I have nothing special configured (no
>whitelists, no blacklists,..)

Appearance in 1 RBL causes the message to be marked as spam. If you don't like that, set "Spam List =" (i.e. set it to nothing) and just use the RBL functionality that is provided by SpamAssassin.

From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:43:16 2004
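An added illustration (not code from the list or from MailScanner) of the two decisions discussed above: Julian's point that a single Spam List hit marks a message as spam while "Spam Lists To Reach High Score" only governs the high-scoring verdict, and kfliong's question about which rules dominate a SpamAssassin score. It parses the SpamCheck text MailScanner writes (Patrick's log tail and kfliong's header, plus a constructed ham sample); the classifier is a model of the behaviour described in the thread, and the SA high-score threshold of 10 is an assumed default.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The "SpamAssassin (...)" part of a SpamCheck value, and one "RULE score" item inside it.
SA_BLOCK = re.compile(r"SpamAssassin \((.*)\)\s*$")
RULE_HIT = re.compile(r"^([A-Za-z0-9_]+) (-?\d+(?:\.\d+)?)$")


@dataclass
class SpamCheck:
    verdict: str                 # "spam" or "not spam", as MailScanner wrote it
    rbl_hits: List[str]          # MailScanner "Spam List" RBLs that listed the sender
    score: Optional[float]       # SpamAssassin total score (None if SA was not run)
    required: Optional[float]    # SpamAssassin "required" threshold
    rules: Dict[str, float] = field(default_factory=dict)  # rule name -> contribution


def parse_spamcheck(text: str) -> SpamCheck:
    """Parse an X-<site>-MailScanner-SpamCheck header value, or the
    'is spam, ...' tail of a MailScanner log line (same format)."""
    text = text.strip()
    score = required = None
    rules: Dict[str, float] = {}
    m = SA_BLOCK.search(text)
    if m:
        prefix = text[: m.start()].rstrip(", ")
        for item in m.group(1).split(","):
            item = item.strip()
            if item.startswith("score="):
                score = float(item[len("score="):])
            elif item.startswith("required "):
                required = float(item[len("required "):])
            else:
                hit = RULE_HIT.match(item)
                if hit:
                    rules[hit.group(1)] = float(hit.group(2))
    else:
        prefix = text
    # Everything before the SA block is "verdict, rbl1, rbl2, ...".
    parts = [p.strip() for p in prefix.split(",") if p.strip()]
    verdict = parts[0] if parts else ""
    return SpamCheck(verdict, parts[1:], score, required, rules)


def classify(check: SpamCheck, spam_lists_to_reach_high_score: int = 2,
             high_sa_score: float = 10.0) -> Tuple[bool, bool]:
    """Return (is_spam, is_high_scoring) following Julian's explanation:
    one Spam List hit makes the message spam whatever the SA score; the
    "Spam Lists To Reach High Score" count (or the SA high-score threshold,
    assumed to default to 10) only decides whether it is *high-scoring* spam.
    This models the described behaviour; it is not MailScanner's code."""
    sa_spam = (check.score is not None and check.required is not None
               and check.score >= check.required)
    is_spam = bool(check.rbl_hits) or sa_spam
    is_high = is_spam and (
        len(check.rbl_hits) >= spam_lists_to_reach_high_score
        or (check.score is not None and check.score >= high_sa_score))
    return is_spam, is_high


def top_rules(check: SpamCheck, n: int = 2) -> List[Tuple[str, float]]:
    """The n rules contributing most to the score (what kfliong asked about)."""
    return sorted(check.rules.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Patrick's log tail and kfliong's header from the thread, plus a constructed ham sample.
PATRICK_LOG = ("spam, spamhaus.org, SpamAssassin (score=3.634, required 5, BAYES_90 2.10, "
               "HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, RCVD_IN_SBL 1.11)")
KFLIONG_HEADER = ("spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, "
                  "DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, "
                  "HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)")
CONSTRUCTED_HAM = "not spam, SpamAssassin (score=1.20, required 5, HTML_MESSAGE 0.10)"

if __name__ == "__main__":
    for label, raw in (("Patrick", PATRICK_LOG), ("kfliong", KFLIONG_HEADER),
                       ("constructed ham", CONSTRUCTED_HAM)):
        c = parse_spamcheck(raw)
        # Patrick's setting: Spam Lists To Reach High Score = 3
        spam, high = classify(c, spam_lists_to_reach_high_score=3)
        print(f"{label}: RBL hits={c.rbl_hits} SA={c.score}/{c.required} "
              f"-> spam={spam} high={high} top={top_rules(c)}")
```

Patrick's message comes out as spam but not high-scoring with any Spam Lists To Reach High Score setting above 1, which is why raising it from 2 to 3 changed nothing.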
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <4045C341.8020400@solid-state-logic.com> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045C341.8020400@solid-state-logic.com> Message-ID: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> Can other people confirm this please? At 11:36 03/03/2004, you wrote: >Julian > >the fastest code factory in the west ain't producing the fastet code:-( > >My CPU is running at 100% and just about keeping up with the mail >traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was >pushing about 1500 per hour.. > >eek! > > >-- >Martin Hepworth >Snr Systems Administrator >Solid State Logic >Tel: +44 (0)1865 842300 > > >Julian Field wrote: >>Hi folks! >> >>The "fastest code factory in the West" has been running full tilt this >>morning :-) >> >>I have managed to rewrite a lot of the code that handles password-protected >>zip files. >> >>The logging, quarantining and notifications should work rather better now. >>I have hopefully fixed the other outstanding bugs in this area too. >> >>There is a new option keyword for the Silent Viruses list: "Zip-Password" >>which causes password-protected zip files to be treated "silently". I >>suggest you add it to your list. If "Warn Senders of Viruses" is off, then >>it also shouldn't send warnings about password-protected zip files, as they >>are more likely to be viruses than anything else, so I have treated them >>that way. >> >>Download as usual from www.mailscanner.info. >> >>Please report any problems! >> >>Boy, do I need a holiday... 
;-)
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>**********************************************************************
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote confirms that this email message has been swept
>for the presence of computer viruses and is believed to be clean.
>
>**********************************************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From gercke at HNM.DE Wed Mar 3 11:39:45 2004
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:22:55 2006
Subject: # SENDMAIL_RELAY Question
Message-ID: <4045C401.20200@hnm.de>

Hello,

I have a problem. I'm running a mail server with a lot of domains and users. Now I have set up another server with MailScanner. Now, for some domains, I want incoming mail to go through MailScanner, and MailScanner should relay it to the old mail server. For mail coming from the world this works fine, but when a local domain on the mail server sends to another local account, this mail won't be sent through MailScanner; it will be delivered locally.

Now my question: what would happen if I add SENDMAIL_RELAY="mailscanner" to the sendmail config of the mail server? Will there be a mail loop between these machines?

--
This message has been checked for viruses and other dangerous content and, assuming up-to-date virus scanners, is clean.
MailScanner thanks transtec for their kind support.

From kfliong at WOFS.COM Wed Mar 3 11:41:27 2004
From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:22:55 2006 Subject: changing spamassassin points configuration In-Reply-To: <4045BCDF.8020402@eatathome.com.au> References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> Message-ID: <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> err...what's "ham"? At 07:09 PM 3/3/2004, you wrote: >kfliong wrote: > >>Hi, >> >>I have this email which is not spam but have a score of 5.642 which is >>high >>as default of more than 5 is considered spam. >> >>Can I know how I can reduce the score? >> >>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, >>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, >>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20) >> >>Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING >>2.30....where can i get more details on what those score means? Does >>mailscanner uses a different config file for controlling spamassassin? >> >>thanks in advance >> >> >>thanks >> >> >ISnt this a situation for learning as ham? I am NO expert, but if you >have no other method maybe turn on archiving till you get a copy of this >message, then sa-learn it as ham?: thanks From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:47:13 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:55 2006 Subject: changing spamassassin points configuration In-Reply-To: <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> Message-ID: <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk> Stuff that isn't spam. At 11:41 03/03/2004, you wrote: >err...what's "ham"? > >At 07:09 PM 3/3/2004, you wrote: > >>kfliong wrote: >> >>>Hi, >>> >>>I have this email which is not spam but have a score of 5.642 which is >>>high >>>as default of more than 5 is considered spam. >>> >>>Can I know how I can reduce the score? >>> >>>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10, >>>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10, >>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20) >>> >>>Also, the scores mainly comes from BAYES_90 2.10 and DEAR_SOMETHING >>>2.30....where can i get more details on what those score means? Does >>>mailscanner uses a different config file for controlling spamassassin? >>> >>>thanks in advance >>> >>> >>>thanks >>> >>ISnt this a situation for learning as ham? I am NO expert, but if you >>have no other method maybe turn on archiving till you get a copy of this >>message, then sa-learn it as ham?: > >thanks -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rcooper at DWFORD.COM Wed Mar 3 11:57:17 2004 
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID:

Just installed 4.28.3 and ran a few tests. I sent a mail with a protected ZIP and a zipped executable. It caught the protected zip and did the notice thing, and kept the message body (great, thanks!) but passed the zipped executable on through intact. The log looks like it stopped processing on the protected zip altogether. I sent another with just the zipped exe and it caught it that time. Did another test with the zipped exe being the first attachment and the protected zip being the second and it caught both. So I then sent a message with the protected zip as the first attachment and a raw exe as the second attachment, and it caught both of those. So it looks like zip processing halts when the password-protected zip is found, and the other file name/type checks must be performed prior to the zip extraction tests?

In any event you probably want to fix it so subsequent zip files are processed after the protected zip fails, or someone could just send the password-protected one as attachment one and then attach a zipped exe file in attachment two, and the user may think attachment two is safe since it cleaned one and left the other.

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Wednesday, March 03, 2004 5:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: ANNOUNCE: Unstable 4.28.3 released > > > Hi folks! > > The "fastest code factory in the West" has been > running full tilt this > morning :-) > > I have managed to rewrite a lot of the code that > handles password-protected > zip files. > > The logging, quarantining and notifications should > work rather better now. > I have hopefully fixed the other outstanding bugs in > this area too. > > There is a new option keyword for the Silent Viruses > list: "Zip-Password" > which causes password-protected zip files to be > treated "silently". I > suggest you add it to your list. If "Warn Senders of > Viruses" is off, then > it also shouldn't send warnings about > password-protected zip files, as they > are more likely to be viruses than anything else, so I > have treated them > that way. > > Download as usual from www.mailscanner.info. > > Please report any problems! > > Boy, do I need a holiday... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From P.G.M.Peters at utwente.nl Wed Mar 3 11:58:41 2004 
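The behaviour Rick reports above, where inspection stops at the first password-protected zip and a later zipped executable is passed through, as an added example that is not MailScanner's own code: a small Python scanner that records the protected archive and still inspects every later attachment. The deny patterns, the sample message with its two attachments, and the helper that builds the test archives (including the hand-set encryption flag) are all constructed for this example.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Constructed deny patterns, loosely modelled on filename.rules.conf entries.
BLOCKED_NAME_RULES = [re.compile(p, re.IGNORECASE)
                      for p in (r"\.exe$", r"\.scr$", r"\.pif$")]


def inspect_zip(blob: bytes) -> list:
    """Findings for one zip attachment as (kind, member_name) tuples.
    A password-protected member is recorded and the loop carries on, so
    one such member never ends the inspection of the archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("unreadable-archive", "")]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
            findings.append(("password-protected", info.filename))
            continue
        if any(rule.search(info.filename) for rule in BLOCKED_NAME_RULES):
            findings.append(("blocked-filename", info.filename))
    return findings


def scan_message(raw: bytes) -> list:
    """Walk every attachment in order and inspect each zip independently.
    Returns [(attachment_name, kind, member_name), ...]; a finding in an
    earlier attachment never short-circuits the later ones."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        for kind, member in inspect_zip(part.get_payload(decode=True)):
            results.append((name, kind, member))
    return results


def _zip_with_one_member(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test helper. zipfile cannot write encrypted archives, so
    for the protected case the encryption bit is set by hand in the local
    header (flags at offset 6) and the central directory entry (offset 8).
    The member can no longer be extracted, but infolist() still reports it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed message in the order reported as slipping through:
    a password-protected zip first, then a plain zip carrying an .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "two zips"
    msg.set_content("see attachments")
    msg.add_attachment(_zip_with_one_member("doc.scr", b"MZ-not-a-real-pe", True),
                       maintype="application", subtype="zip",
                       filename="Document.zip")
    msg.add_attachment(_zip_with_one_member("setup.exe", b"MZ-not-a-real-pe", False),
                       maintype="application", subtype="zip",
                       filename="second.zip")
    return bytes(msg)


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print(hit)
```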
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> Message-ID: On Wed, 3 Mar 2004 10:27:29 +0000, you wrote: >The "fastest code factory in the West" has been running full tilt this >morning :-) Big thanks. >There is a new option keyword for the Silent Viruses list: "Zip-Password" >which causes password-protected zip files to be treated "silently". I >suggest you add it to your list. If "Warn Senders of Viruses" is off, then >it also shouldn't send warnings about password-protected zip files, as they >are more likely to be viruses than anything else, so I have treated them >that way. Does this mean "All-viruses" does not include "Zip-Password"? -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Wed Mar 3 11:56:48 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:55 2006
Subject: SpamAssassin installation could not be found
In-Reply-To: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com>
References: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040303115547.04185f68@imap.ecs.soton.ac.uk>

At 11:51 03/03/2004, you wrote:
> > You probably installed SpamAssassin from the RPM distribution. Remove that
> > rpm (use "rpm -e" to do it) and then install SpamAssassin either from
> > source or from CPAN like this:
> > perl -MCPAN -e shell
> > install Mail::SpamAssassin
> >
> > Then you should find it works.
> >
>
>Nope, I installed it from the source file. This box did not have an RPM
>distribution before I started the installation from source.

What does
perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
produce?

And what about
which perl
and
/usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'

>--
>B.G. Mahesh
>bg.mahesh@indiainfo.com
>http://www.indiainfo.com/
>
>--
>______________________________________________
>IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
>Check out our value-added Premium features, such as an extra 20MB for mail
>storage, POP3, e-mail forwarding, and ads-free mailboxes!
>
>Powered by Outblaze

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at SMITS.CO.UK Wed Mar 3 12:11:20 2004
From: mailscanner at SMITS.CO.UK (MailScanner)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
Message-ID: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip.net>

My /etc/sysconfig/i18n says:

LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF:en_US:en"
SYSFONT="latarcyrheb-sun16"

Should I change that to:

LANG="en_US"
SUPPORTED="en_US:en"

Can I keep the SYSFONT setting alone?

Thanks,
Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Hooton
Posted At: 03 March 2004 10:57
Posted To: MailScanner
Conversation: Multi Threaded Perl
Subject: Re: Multi Threaded Perl

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Wednesday, 3 March 2004 9:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Multi Threaded Perl
>
> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>

Certainly have :) It's the first thing I kill on a RedHat box :)

Regards,
David Hooton

========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 12:23:13 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:55 2006 Subject: ANNOUNCE: Unstable 4.28.3 released In-Reply-To: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045C341.8020400@solid-state-logic.com> <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk> Message-ID: <4045CE31.2000309@solid-state-logic.com> Julian Ok seems to have caught with itself now - I'll keep a check on processing times....The whole thing just seemed to take much much longer to spark into life. I'll now try and figure out why clammodule ain't working... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > Can other people confirm this please? > > At 11:36 03/03/2004, you wrote: > >> Julian >> >> the fastest code factory in the west ain't producing the fastet code:-( >> >> My CPU is running at 100% and just about keeping up with the mail >> traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was >> pushing about 1500 per hour.. >> >> eek! >> >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> >> Julian Field wrote: >> >>> Hi folks! >>> >>> The "fastest code factory in the West" has been running full tilt this >>> morning :-) >>> >>> I have managed to rewrite a lot of the code that handles >>> password-protected >>> zip files. >>> >>> The logging, quarantining and notifications should work rather better >>> now. >>> I have hopefully fixed the other outstanding bugs in this area too. >>> >>> There is a new option keyword for the Silent Viruses list: >>> "Zip-Password" >>> which causes password-protected zip files to be treated "silently". I >>> suggest you add it to your list. 
If "Warn Senders of Viruses" is off, >>> then >>> it also shouldn't send warnings about password-protected zip files, >>> as they >>> are more likely to be viruses than anything else, so I have treated them >>> that way. >>> >>> Download as usual from www.mailscanner.info. >>> >>> Please report any problems! >>> >>> Boy, do I need a holiday... ;-) >>> -- >>> Julian Field >>> www.MailScanner.info >>> MailScanner thanks transtec Computers for their support >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mike-sender-1ed4e7 at zanker.org Wed Mar 3 12:24:24 2004 
From: mike-sender-1ed4e7 at zanker.org (Mike Zanker)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309831@hermes.clumpton.homeip.net>
Message-ID: <264099984.1078316664@jemima.zanker.org>

On 03 March 2004 12:11 +0000 MailScanner wrote:

> Should I change that to:
>
> LANG="en_US"
> SUPPORTED="en_US:en"

Mine is:

LANG="en_GB"
SUPPORTED="en_GB:en"
SYSFONT="latarcyrheb-sun16"

and I never have any perl issues or any other system problems.

Mike.

From Peter.Bates at LSHTM.AC.UK Wed Mar 3 12:56:00 2004
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:22:55 2006
Subject: Selectively blocking .zip files with a ruleset
Message-ID:

Hello all...

Until I get round to upgrading our creaking MS box to one of the unstable versions with more 'Zip savvy', I'm looking for a reasonable quick-fix.

I'd like to go to

deny \.zip$

in filename.rules.conf

but I've been informed we have some users that regularly send data only in zip-files, and that can't necessarily be convinced to rename them (not a brilliant suggestion, I know, but...)

How can I change 'Filename Rules' to be a ruleset, keep most of the ones I have already, but build up a list of 'allowed email senders' for .zip?

Still running MS 4.25, SA 2.63, on Postfix...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From tony.johansson at SVENSKAKYRKAN.SE Wed Mar 3 13:03:13 2004
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
Message-ID:

Apologies if this is Sendmail and not MailScanner related. Any pointers appreciated.

We have some users that complain about email not being properly displayed in their clients. The headers show:

X-MIME-Autoconverted: from 8bit to quoted-printable by scanner.ourdomain.com id i231555N010471

Is there a way to avoid converting messages? Does anyone have a solution to our problem?

Regards,
Tony

From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 13:07:07 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>

Tony Johansson wrote:
> Apologies if this is Sendmail and not MailScanner related. Any
> pointers appreciated.
>
> We have some users that complain about email not being properly
> displayed in their clients. The headers show:
> X-MIME-Autoconverted: from 8bit to quoted-printable by
> scanner.ourdomain.com id i231555N010471
>

It's a sendmail message, I've seen it before but I can't remember why. Have you checked the archives? Are you running the latest sendmail?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at SMITS.CO.UK Wed Mar 3 13:28:34 2004
From: mailscanner at SMITS.CO.UK (MailScanner) Date: Thu Jan 12 21:22:55 2006 Subject: Multi Threaded Perl Message-ID: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net> Thanks Mike, I will make the change outside business hours. I'm assuming that MS will pick it up when it next accesses a Perl routine, or does it require a service MailScanner reload? Bart... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Zanker Posted At: 03 March 2004 12:24 Posted To: MailScanner Conversation: Multi Threaded Perl Subject: Re: Multi Threaded Perl On 03 March 2004 12:11 +0000 MailScanner wrote: > Should I change that to: > > LANG="en_US" > SUPPORTED="en_US:en" Mine is: LANG="en_GB" SUPPORTED="en_GB:en" SYSFONT="latarcyrheb-sun16" and I never have any perl issues or any other system problems. Mike. From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 13:38:59 2004 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:55 2006 Subject: McAfee PROBLEM !!! Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> Does DAT 4332 fix it? Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Desai, Jason > Sent: 02 March 2004 20:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: McAfee PROBLEM !!! > > > Thanks for this info - it was very helpful! I have the same results. > > Jason > > > -----Original Message----- 
> > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > Sent: Tuesday, March 02, 2004 2:09 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> >
> >
> > Hi,
> >
> > We installed the extra.dat this morning and it was catching some
> > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> >
> > Now that dat 4331 is out the same files are not detected as viruses
> > anymore!!!
> >
> > I reinstalled the extra.dat to be sure they are detected.
> >
> > Scan with 4331:
> > # uvscan --mime --mailbox --secure *
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> > is password-protected.
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> > is password-protected.
> >
> > Scan with 4331 and extra.dat:
> > # uvscan --mime --mailbox --secure *
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> >
> > Denis
> > --
> > Denis Beauchemin, analyste
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
> >
>

From jfraley at glenraven.com Wed Mar 3 13:39:05 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:55 2006
Subject: sort virus results
Message-ID: <1078321144.2142.19.camel@jfraleyx.glenraven.com>

Is there a way to have MailScanner write to a file the results of each of the virus scanners? We currently use McAfee and ClamAV and are looking to add at least one more scanner. I have been asked to be able to compare the performance of each scanner that we use. So, I need information such as:

Message ID        Scanner          Virus
i23DR2KW026160    McAfee           W32/Netsky.d@MM
i23DR2KW026160    ClamAV Module    Worm.SomeFool.D
i23DR2KW026160    MailScanner      Shortcuts to MS-Dos programs are very dangerous in email (your_details.pif)

I can not easily get this from the logs.

Jon

From g.pentland at SOTON.AC.UK Wed Mar 3 13:42:44 2004
From: g.pentland at SOTON.AC.UK (Pentland G.)
Date: Thu Jan 12 21:22:55 2006
Subject: # SENDMAIL_RELAY Question
Message-ID:

Try this...

LOCAL_CONFIG
# If email is bound to the local domain, what will do local delivery for us?
dnl D{DefaultLocalDeliveryHost}YOURHOST.DOMAIN.COM

LOCAL_RULE_0
# Allocate a slot for the domain name
R$+				$: < > $1
# Addresses qualified with the local machine name - unqualify them
R< > $+ < @ $j . >		$: < > $1
# Addresses qualified with a local domain - unqualify them
R< > $+ < @ $=w . >		$: < > $1
# Anything else on the qualification is non-local so return and parse normally
R< > $* @ $*			$@ $1 @ $2
# Anything unqualified qualify with the local domain
R< > $+				$: < $M > $1
# Now send these local emails to the default local delivery servers
R< $+ > $+			$#esmtp $@ ${DefaultLocalDeliveryHost} $: $2 < @ $1 . >

Hope that helps.

-----Original Message-----
From: Daniel Gercke [mailto:gercke@HNM.DE]
Sent: Wed 3/3/2004 11:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: # SENDMAIL_RELAY Question

Hello,

I have a problem. I'm running a mail server with a lot of domains and users. Now I have set up another server with MailScanner. Now, for some domains, I want incoming mail to go through MailScanner, and MailScanner should relay it to the old mail server. For mail coming from the world this works fine, but when a local domain on the mail server sends to another local account, this mail won't be sent through MailScanner; it will be delivered locally.

Now my question: what would happen if I add SENDMAIL_RELAY="mailscanner" to the sendmail config of the mail server? Will there be a mail loop between these machines?

--
This message has been checked for viruses and other dangerous content and, assuming up-to-date virus scanners, is clean.
MailScanner thanks transtec for their kind support.

From rich at MAIL.WVNET.EDU Wed Mar 3 13:49:08 2004
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:22:55 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk>
Message-ID: <4045E254.900@mail.wvnet.edu>

Julian Field wrote:
> Download as usual from www.mailscanner.info.
>
> Please report any problems!

Ok, something is still not right. I have...

Allow Password-Protected Archives = no

and

Maximum Archive Depth = 0 (I also tried -1)

When Maximum Archive Depth is set to -1 or 0 it will deliver a password-protected zip file even though I have Allow Password-Protected Archives set to "no". If I have Maximum Archive Depth set to 3 then the protected zip is not delivered, as expected, but internal zip checking is done, which is what I want to disable. I hope I'm not misinterpreting how this should work.

>
> Boy, do I need a holiday... ;-)
>

I can sympathize with that. I keep having visions of a nice trout stream in the mountains. :)

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 13:49:40 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:55 2006
Subject: McAfee PROBLEM !!!
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
Message-ID: <1078321780.13811.283.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
> Does DAT 4332 fix it?

No. Still the same detection problem. I reinstalled my old extra.dat (101068-a.zip) and it now detects them OK.

BTW with plain 4332 I unzipped one password-protected file and scanned its contents and it then recognized the virus.

Denis

> > > -----Original Message-----
> > >
> > >
> > > We installed the extra.dat this morning and it was catching some
> > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > >
> > > Now that dat 4331 is out the same files are not detected as viruses
> > > anymore!!!
> > >
> > > I reinstalled the extra.dat to be sure they are detected.
> > >
> > > Scan with 4331:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> > > is password-protected.
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> > > is password-protected.
> > >
> > > Scan with 4331 and extra.dat:
> > > # uvscan --mime --mailbox --secure *
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > >

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From P.G.M.Peters at utwente.nl Wed Mar 3 13:50:41 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:55 2006
Subject: X-MIME
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B03@pascal.priv.bmrb.co.uk>
Message-ID:

On Wed, 3 Mar 2004 13:07:07 -0000, you wrote:

>Tony Johansson wrote:
>> Apologies if this is Sendmail and not MailScanner related. Any
>> pointers appreciated.
>>
>> We have some users that complain about email not being properly
>> displayed in their clients. The headers show:
>> X-MIME-Autoconverted: from 8bit to quoted-printable by
>> scanner.ourdomain.com id i231555N010471
>>
>It's a sendmail message, I've seen it before but I can't remember why. Have you checked the archives? Are you running the latest sendmail?

As far as I know this happens when sendmail notices that the receiving end does not support 8BITMIME. You can test it by connecting to the receiving server and issuing "EHLO ". It should give something like:

250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-XUSR
250 HELP

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 13:51:28 2004
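Peter's explanation above, as an added example that is not code from the thread: parse the multi-line EHLO reply and decide whether a message carrying 8-bit bytes would have to be re-encoded for that next hop, which is the situation in which sendmail adds the X-MIME-Autoconverted header. The sample reply (modelled on the one quoted above), the host names and the function names are constructed for this example; the live check at the end uses only smtplib.

```python
import smtplib  # used only by the optional live check at the end

# Constructed EHLO reply, modelled on the one quoted in the thread.
SAMPLE_EHLO_REPLY = (
    "250-mx.example.net Hello scanner.example.org [192.0.2.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 10485760\r\n"
    "250-DSN\r\n"
    "250-ONEX\r\n"
    "250-XUSR\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: parameters} from a multi-line 250 reply.
    Continuation lines are '250-<text>', the final line is '250 <text>';
    the first line is the server greeting, not an extension."""
    exts = {}
    lines = [line for line in reply.splitlines() if line]
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if index > 0:
            keyword, _, params = line[4:].strip().partition(" ")
            if keyword:
                exts[keyword.upper()] = params.strip()
        if line[3] == " ":
            break  # final line of the reply
    return exts


def needs_8bit_conversion(body: bytes, exts: dict) -> bool:
    """True when the body holds octets above 0x7F and the next hop did not
    advertise 8BITMIME: that is the case in which sendmail re-encodes the
    body as quoted-printable and adds the X-MIME-Autoconverted header."""
    has_8bit = any(octet > 0x7F for octet in body)
    return has_8bit and "8BITMIME" not in exts


def server_offers_8bitmime(host: str, port: int = 25) -> bool:
    """Optional live check against a real receiving server (not exercised here)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return smtp.has_extn("8bitmime")
```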
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:55 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
Message-ID: <1078321887.13811.285.camel@dbeauchemin.sti.usherbrooke.ca>

I always reboot after such a change... too many processes depending on this value... but maybe I am just paranoid ;-)

Denis

On Wed 03/03/2004 at 08:28, MailScanner wrote:
> Thanks Mike,
>
> I will make the change outside business hours. I'm assuming that MS will
> pick it up when it next accesses a Perl routine, or does it require a
> service MailScanner reload?
>
> Bart...
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mike Zanker
> Posted At: 03 March 2004 12:24
> Posted To: MailScanner
> Conversation: Multi Threaded Perl
> Subject: Re: Multi Threaded Perl
>
>
> On 03 March 2004 12:11 +0000 MailScanner wrote:
>
> > Should I change that to:
> >
> > LANG="en_US"
> > SUPPORTED="en_US:en"
>
> Mine is:
>
> LANG="en_GB"
> SUPPORTED="en_GB:en"
> SYSFONT="latarcyrheb-sun16"
>
> and I never have any perl issues or any other system problems.
>
> Mike.

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jfraley at glenraven.com Wed Mar 3 13:50:20 2004
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:22:55 2006
Subject: sort virus results
In-Reply-To: <6.0.0.22.2.20040303074435.02173ed0@spyderinternet.com>
References: <1078321144.2142.19.camel@jfraleyx.glenraven.com> <6.0.0.22.2.20040303074435.02173ed0@spyderinternet.com>
Message-ID: <1078321819.2142.24.camel@jfraleyx.glenraven.com>

Yeah, I have a report that I generate that looks like that, but I need to be able to tie the scanner to the message and the virus.

Number of messages processed : 8243
Number of virus messages     : 554 (6.72%)
Number of spam messages      : 1472 (17.85%)
Number of clean messages     : 6217 (75.42%)
Top Spam Score               : 47.472
Average Spam Score           : 14.43

Viruses detected:
W32/Bagle.c!zip          8
W32/Bagle.e!zip         15
W32/Bagle.f!pwdzip       2
W32/Bagle.j@MM           1
W32/Dumaru.a@MM          6
W32/Klez.h@MM            7
W32/Mimail.a@MM          2
W32/Mimail.j@MM          2
W32/Mydoom.a@MM          4
W32/Mydoom.f!zip         6
W32/Mydoom.f.zip        13
W32/Mydoom.f@MM          4
W32/Netsky.b@MM         14
W32/Netsky.b@MM!zip      7
W32/Netsky.c@MM        301
W32/Netsky.c@MM!zip     15
W32/Netsky.d@MM        173
W32/Swen@MM              2

On Wed, 2004-03-03 at 08:47, jester wrote:
> john,
>
> I use this, don't know if there is a better way, and I'm sure it's not
> perfect, but, works for me :)
>
> cat maillog | grep "Virus '" | cut -f8 "-d " | sort | uniq -c | sort -k1 -n -r
>
> which outputs for me:
>
>    204 Virus
>     81 'W32/Netsky-C'
>      8 'W32/Gibe-F'
>      2 'W32/Mydoom-F'
>      1 'W32/MyDoom-A'
>      1 'W32/Mimail-A'
>      1 'W32/Bugbear-B'
>      1 'Troj/Sefex-A'
>
> hope that helps
> Michael
> Spyderinternet
>
> At 07:39 AM 3/3/2004, you wrote:
>
> >Is there a way to have MailScanner write to a file the results of each of
> >the virus scanners? We currently use McAfee and ClamAV and are
> >looking to add at least one more scanner. I have been asked to be able
> >to compare the performance of each scanner that we use.
So, I need the > >information such as: > > > >Message ID Scanner Virus > >i23DR2KW026160 McAfee W32/Netsky.d@MM > >i23DR2KW026160 ClamAV Module Worm.SomeFool.D > >i23DR2KW026160 MailScanner Shortcuts to MS-Dos programs are very > >dangerous in email (your_details.pif) > > > >I can not easily get this from the logs. > > > >Jon > > > >-- > >Spydernet has scanned this message for viruses and > >dangerous content. > > From shrek-m at GMX.DE Wed Mar 3 13:55:36 2004 From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:22:55 2006 Subject: Selectively blocking .zip files with a ruleset In-Reply-To: References: Message-ID: <4045E3D8.9040204@gmx.de> Peter Bates wrote: >I'd like to go to > >deny \.zip$ > >in filename.rules.conf > >but I've been informed we have some users that regularly send data only >in zip-files, and that can't be necessarily convinced to rename them >(not a brilliant suggestion, I know, but...) > >How can I change 'Filename Rules' to be a ruleset, keep most of the >ones I have already, but build up a list of 'allowed email senders' for >.zip? > >Still running MS 4.25, SA 2.63, on Postfix... > > search the archives and see /etc/MailScanner/rules/* eg. not tested and no guarantee. please correct me if i am wrong i have no great experiences with rules. i prefer [tab] as delimiter in all rules /etc/MailScanner/MailScanner.conf ##Filename Rules = %etc-dir%/filename.rules.conf Filename Rules = %etc-dir%/filename.rules /etc/MailScanner/filename.rules FromOrTo: user1@sld.tld %etc-dir%/rules/user.conf FromOrTo: user2@sld.tld %etc-dir%/rules/user.conf FromOrTo: default %etc-dir%/filename.rules.conf /etc/MailScanner/rules/user.conf allow \.zip$ - - -------- jump to "filename.rules" if user[12]@sld.tld" go to "user.conf" zip is allowed default go to "filename.rules.conf" ------- restart / reload mailscanner # service MailScanner restart check the logs # tail -f /var/log/maillog and test it -- shrek-m From mailscanner at petermair.at Wed Mar 3 14:05:56 2004 
From: mailscanner at petermair.at (Patrick Petermair)
Date: Thu Jan 12 21:22:56 2006
Subject: Why is this mail spam?
In-Reply-To: <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk>
References: <4045C096.9060108@petermair.at> <6.0.1.1.2.20040303113543.04172008@imap.ecs.soton.ac.uk>
Message-ID: <4045E644.9070706@petermair.at>

Julian Field wrote:
> Appearance in 1 RBL causes the message to be marked as spam. If you don't
> like that, set "Spam List =" (i.e. set it to nothing) and just use the RBL
> functionality that is provided by SpamAssassin.

Thnx Julian, now it works as planned.

However, for future releases a "Spam Lists to reach Spam score" would be nice, because "appearance in 1 spam list = spam" is pretty aggressive.

Patrick

From raymond at PROLOCATION.NET Wed Mar 3 14:09:42 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk>
Message-ID:

Hi!

> I was already running the Mail::ClamAV module so to be on the safe side I
> stopped MS just prior to the 'make install' of .67 and installed the latest
> Mail::ClamAV via CPAN at the same time, just in case the libraries had
> changed at all.
>
> Working nicely so far...

Are you sure? Mail-ClamAV-0.05 is broken, you should use .4

Bye,
Raymond.

From gdoris at rogers.com Wed Mar 3 14:12:18 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
Message-ID: <40302.129.80.22.133.1078323138.squirrel@65.48.246.102>

> Thanks Mike,
>
> I will make the change outside business hours. I'm assuming that MS will
> pick it up when it next accesses a Perl routine, or does it require a
> service MailScanner reload?
>
> Bart...
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Mike Zanker
> Posted At: 03 March 2004 12:24
> Posted To: MailScanner
> Conversation: Multi Threaded Perl
> Subject: Re: Multi Threaded Perl
>
> On 03 March 2004 12:11 +0000 MailScanner wrote:
>
>> Should I change that to:
>>
>> LANG="en_US"
>> SUPPORTED="en_US:en"

I have the following in my file:

LANG="en_US"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"

I had to change it from the RH default to get things working correctly.

Gerry

From dot at DOTAT.AT Wed Mar 3 14:04:15 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!!
In-Reply-To:
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk>
Message-ID:

Denis Beauchemin wrote:
>On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
>> Does DAT 4332 fix it?
>
>No. Still the same detection problem. I reinstalled my old extra.dat
>(101068-a.zip) and it now detects them OK.
>
>BTW with plain 4332 I unzipped one password-protected file and scanned
>its contents and it then recognized the virus.

PLEASE PLEASE PLEASE report sightings to AVERT Labs so that they realise the 4332 dats have a problem!

Tony.
--
f.a.n.finch  http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTH 4 OR 5, BUT 6
OR 7 LOCALLY GALE 8 IN THE WEST, LATER VEERING SOUTHWEST AND DECREASING 4 OR 5
GENERALLY. RAIN SPREADING FROM THE WEST, THEN TURNING SHOWERY. GOOD DECREASING
MODERATE AT TIMES IN RAIN. MODERATE TO ROUGH BUILDING ROUGH TO VERY ROUGH FOR
A TIME.

From raymond at PROLOCATION.NET Wed Mar 3 14:17:49 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <4045C341.8020400@solid-state-logic.com>
Message-ID:

Hi!

> the fastest code factory in the west ain't producing the fastest code:-(
>
> My CPU is running at 100% and just about keeping up with the mail
> traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was
> pushing about 1500 per hour..

I hope Julian also can have a look on the MIME fixes implemented recently, it really drives my CPU up. My boxes can keep up, but I am sure it will break a lot of others.

Bye,
Raymond.

From craig at WESTPRESS.COM Wed Mar 3 14:23:02 2004
From: craig at WESTPRESS.COM (Craig Daters)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
Message-ID:

I have a co-worker who is expecting some files via file attachment for a job she is working on. When her client sends them to her, the files are being stripped out and she is receiving 'Bad Content' removed messages from MailScanner.

The files that are being stripped out are *.lnk files. What are these? These should be MS Word or MS Publisher files. When I release these messages, they show up as folder shortcuts on a MS system, and useless files on a Macintosh. It is entirely possible that her client does not know how to send these files (though I may get the argument that 'they have always gotten files to us before and not had any problems'. You know what argument I'm talking about?)

And while we're on the subject. Since I have installed MailScanner, I have noticed that a couple co-workers now have mail showing up that is split into multi-part messages (i.e. upwards of 16 different parts). What causes this to happen? The file attachments associated with these messages are typically unusable, and the co-worker calls the client to figure something else out instead (like using the file transfer system we built into our website). And I notice that this is typically only MS stuff that I have problems with. Why does Microsoft have to suck so much? (That's a rhetorical question....)

--
Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433
Tel: 520-624-4939
Fax: 520-624-2715
www.westpress.com
--

From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 14:22:20 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:56 2006
Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin errors
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>

From the Fedora list. Looks like MailScanner users running on Fedora should hold back on the Perl 5.8.3 update.

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: fedora-list-admin@redhat.com [mailto:fedora-list-admin@redhat.com]On Behalf Of Götz Reinicke
Sent: 03 March 2004 14:12
To: fedora-list@redhat.com
Subject: Re: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin errors

Furthermore this update stopped my mailserver :-( I'm using MailScanner and SpamAssassin. :-((((

Downgrading to the working old perl-5.8.1 worked!

Götz Reinicke wrote:
<...>
> But :
> [root@mail etc]# slocate Glob.pm
> /usr/lib/perl5/5.8.1/File/DosGlob.pm
> /usr/lib/perl5/5.8.1/i386-linux-thread-multi/File/Glob.pm

old slocate Data!

Götz

From raymond at PROLOCATION.NET Wed Mar 3 14:24:14 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303114308.03f3e0c0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Can other people confirm this please?
>
> >the fastest code factory in the west ain't producing the fastest code:-(
> >
> >My CPU is running at 100% and just about keeping up with the mail
> >traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was
> >pushing about 1500 per hour..

Can upgrade tonight to that version to check, but I can confirm (that was in the readme so no surprise) the new train is running much slower. So perhaps review the MIME code... I know you already did all you could but it really is a pain like it is now.

Bye,
Raymond.

From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 14:26:36 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!!
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BB@jessica.herefordshire.gov.uk>

I've forwarded it to the Total Virus Defense Mailing list - the NAI guys who lurk there will doubtless look into it.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Finch
> Sent: 03 March 2004 14:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: McAfee PROBLEM !!!
>
> Denis Beauchemin wrote:
> >On Wed 03/03/2004 at 08:38, Randal, Phil wrote:
> >> Does DAT 4332 fix it?
> >
> >No. Still the same detection problem. I reinstalled my old extra.dat
> >(101068-a.zip) and it now detects them OK.
> >
> >BTW with plain 4332 I unzipped one password-protected file and scanned
> >its contents and it then recognized the virus.
>
> PLEASE PLEASE PLEASE report sightings to AVERT Labs so that they realise
> the 4332 dats have a problem!
>
> Tony.
> --
> f.a.n.finch  http://dotat.at/
> LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTH 4 OR 5, BUT 6
> OR 7 LOCALLY GALE 8 IN THE WEST, LATER VEERING SOUTHWEST AND DECREASING 4 OR 5
> GENERALLY. RAIN SPREADING FROM THE WEST, THEN TURNING SHOWERY. GOOD DECREASING
> MODERATE AT TIMES IN RAIN. MODERATE TO ROUGH BUILDING ROUGH TO VERY ROUGH FOR
> A TIME.
>

From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 14:26:57 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B06@pascal.priv.bmrb.co.uk>

Craig Daters wrote:
> The files that are being stripped out are *.lnk files. What are
> these? These should be MS Word or MS Publisher files. When I release
> these messages, they show up as folder shortcuts on a MS system, and
> useless files on a Macintosh.
> It is entirely possible that her client does not know how to send these files

Got it in one! Those are windows shortcuts.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From gdoris at rogers.com Wed Mar 3 14:30:23 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
References:
Message-ID: <45605.129.80.22.133.1078324223.squirrel@65.48.246.102>

> I have a co-worker who is expecting some files via file attachment
> for a job she is working on. When her client sends them to her, the
> files are being stripped out and she is receiving 'Bad Content'
> removed messages from MailScanner.
>
> The files that are being stripped out are *.lnk files. What are
> these? These should be MS Word or MS Publisher files. When I release
> these messages, they show up as folder shortcuts on a MS system, and
> useless files on a Macintosh. It is entirely possible that her client
> does not know how to send these files (though I may get the argument
> that 'they have always gotten files to us before and not had any
> problems'. You know what argument I'm talking about?)
>

*.lnk files are link files on a Microsoft system. I think this lady's clients are sending her the link instead of the file they're pointing to.

Gerry

From kodak at FRONTIERHOMEMORTGAGE.COM Wed Mar 3 14:36:01 2004
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
Message-ID: <005101c4012c$d9d48970$0501a8c0@darkside>

>The files that are being stripped out are *.lnk files. What are
>these? These should be MS Word or MS Publisher files. When I release
>these messages, they show up as folder shortcuts on a MS system, and
>useless files on a Macintosh. It is entirely possible that her client
>does not know how to send these files (though I may get the argument
>that 'they have always gotten files to us before and not had any
>problems'. You know what argument I'm talking about?)

Most likely the person who's sending the files is sending a Microsoft shortcut instead of the actual file. Microsoft shortcuts are .lnk, which can be a shortcut to a file, program or a URL, but that's all it is, a "shortcut". Instruct the sender to send the actual file and you'll be fine.

When something "suddenly stops working" the fault can always be blamed on some person, except in the case of automatic upgrades. :)

I can't answer the second part of your question, sorry.

>Why does Microsoft have to suck so much? (That's a rhetorical
>question....)

I know it's rhetorical, but it sucks so much so that you'll buy the next version in the hopes it'll be better. This tactic is nearing end-of-life, finally.

--J(K)

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 14:35:51 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
References:
Message-ID: <1078324551.13811.299.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/03/2004 at 09:23, Craig Daters wrote:
> And while we're on the subject. Since I have installed MailScanner, I
> have noticed that a couple co-workers now have mail showing up that
> is split into multi-part messages. (ie. upwards of 16 different
> parts) What causes this to happen? The file attachments associated
> with these messages are typically un-usable, and the co-worker calls
> the client to figure something else out instead (like using the file
> transfer system we built into our website). And I notice that this is
> typically only MS stuff that I have problems with.

All Microsoft email software has the ability to chop big emails in smaller parts that are supposed to be reassembled together on the destination PC (if it is from Microsoft, of course). This is another bad Microsoft design choice...

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252  F: 819.821.8045

From james at DENY.ORG Wed Mar 3 14:33:56 2004
From: james at DENY.ORG (James Sizemore)
Date: Thu Jan 12 21:22:56 2006
Subject: Postfix and spam.actions.rules and delete not working?
Message-ID: <4045ECD4.6040406@deny.org>

I use Postfix and MailScanner 4.26.5-1 and use spam.action.rules, however I have been testing the delete option and it does not seem to work at all. I still get tagged spam. I have included what I believe to be all pertinent lines from my configs. Any idea what I munged up?

MailScanner.conf :
%rules-dir% = /etc/MailScanner/rules
Spam Actions = %rules-dir%/spam.actions.rules
High Scoring Spam Actions = %rules-dir%/high.spam.actions.rules
Use Default Rules With Multiple Recipients = yes

/etc/MailScanner/rules/spam.actions.rules :
To:		james@deny.org	delete
To:		jimmy@isdn.net	delete
FromOrTo:	default		deliver

/etc/MailScanner/rules/high.spam.actions.rules :
FromOrTo:	default		delete

From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 14:45:51 2004
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee and password-protected zip file detection in MS
Message-ID: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca>

Hi all,

I tried to modify SweepViruses.pm so it could grab McAfee's "is password-protected" string and just treat the attachment as a virus but it doesn't work...

I modified ProcessMcAfeeOutput() this way:

  #return 0 unless $line =~ /Found/;
  return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));

Any ideas why it is not kicking in? Could it be because McAfee returns a zero return code if it detects a password-protected zip file (I know this is what it does)?

If so, could there be another way of achieving the same result without having to upgrade to the latest unstable version?

Thanks!

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252  F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Wed Mar 3 14:36:47 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <4045E254.900@mail.wvnet.edu>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu>
Message-ID: <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>

At 13:49 03/03/2004, you wrote:
>Julian Field wrote:
>
>>Download as usual from www.mailscanner.info.
>>
>>Please report any problems!
>
>Ok, something is still not right. I have...
>
>Allow Password-Protected Archives = no
>
>and
>
>Maximum Archive Depth = 0 (I also tried -1)
>
>When Maximum Archive Depth is set to -1 or 0 it will deliver a password
>protected zip file even though I have Allow Password-Protected Archives
>set to "no". If I have Maximum Archive Depth set to 3 then the
>protected zip is not delivered as expected but internal zip checking is
>done which is what I want to disable. I hope I'm not misinterpreting
>how this should work.

You can't currently check the contents of the zip files without unpacking them. Unpacking them causes the other checks to be run on their members.

So now I have changed it: setting the options as you have given it above will now just test the first level of zip files to see if their members are encrypted at all. It won't actually extract them. Because it doesn't extract them it can't do any more levels of nesting.

BTW "All-Viruses" now includes "Zip-Password" in the silent viruses list.

>>Boy, do I need a holiday... ;-)
>I can sympathize with that. I keep having visions of a nice trout
>stream in the mountains. :)

Give me some nice looking hills, a comfy pair of boots, some sunshine, and a map.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bg.mahesh at INDIAINFO.COM Wed Mar 3 11:51:34 2004
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:22:56 2006
Subject: SpamAssassin installation could not be found
Message-ID: <20040303115134.584DC21AF4D@ws5-6.us4.outblaze.com>

> You probably installed SpamAssassin from the RPM distribution. Remove that
> rpm (use "rpm -e" to do it) and then install SpamAssassin either from
> source or from CPAN like this:
> perl -MCPAN -e shell
> install Mail::SpamAssassin
>
> Then you should find it works.
>

Nops, I installed it from the source file. This box did not have a RPM distribution before I started the installation from source.

--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/

From jamesb at LUDCASTLE.CO.UK Wed Mar 3 13:23:18 2004
From: jamesb at LUDCASTLE.CO.UK (James Beale)
Date: Thu Jan 12 21:22:56 2006
Subject: Virus infected attachment removal
Message-ID:

Julian

Thanks so much for the - as always - most helpful reply. And yes, dead right, version 3.22-10, to be precise! How did you know!?! :) (No reply needed to that!)

I shall do as you advise, and upgrade to see what happens.

Again, thank you.

James.

On Wed, 3 Mar 2004 10:15:29 +0000, Julian Field wrote:

>You are running a *very* old version of MailScanner, probably version 3.
>Version 4 was released in the summer of 2002, to give you some idea.
>Upgrade to a rather more recent version.
>
>At 23:06 02/03/2004, you wrote:
>>Hi
>>
>>Firstly, apologies. I'm feeling a little sheepish that I can't work this
>>out for myself!
>>
>>I'm using Mailscanner with Command Software's virus scanner. Mail is being
>>picked up via Fetchmail. I am testing with Eicar test virus, and using
>>Openwebmail as my client.
>>
>>Mailscanner correctly identifies that the incoming mail has a virus, and
>>deposits {VIRUS?} in the subject field. What I can't seem to do is get the
>>attachment either disinfected or removed from the message. Eicar is not in
>>any activated "allowed" list or other.
>>
>>I have messed around with the following, and currently have them set to:
>>Deliver To Recipients = yes
>>Deliver From Local Domains = yes
>>Action = delete
>>Deliver Disinfected Files = yes
>>
>>Not for the first time I feel I'm missing something obvious...
>>
>>Thanks very much.
>>
>>James.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tony.johansson at SVENSKAKYRKAN.SE Wed Mar 3 13:29:01 2004
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:22:56 2006
Subject: X-MIME
Message-ID:

On Wed, 3 Mar 2004 13:07:07 -0000, Spicer, Kevin wrote:

>Tony Johansson wrote:
>> Apologies if this is Sendmail and not MailScanner related. Any
>> pointers appreciated.
>>
>> We have some users that complain about email not being properly
>> displayed in their clients. The headers show:
>> X-MIME-Autoconverted: from 8bit to quoted-printable by
>> scanner.ourdomain.com id i231555N010471
>>
>It's a sendmail message, I've seen it before but I can't remember why.
>Have you checked the archives? Are you running the latest sendmail?

Latest sendmail available with Red Hat Enterprise Linux, yes.

I found a reference to setting "O DefaultCharSet=iso-8859-1" in sendmail.cf, trying that now. It was in there but commented out for some reason.

Regards, Tony

From dwinkler at ALGORITHMICS.COM Wed Mar 3 14:48:19 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:56 2006
Subject: X-MIME
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B289@tormail2.algorithmics.com>

I think I remember this having something to do with the character set specified in the sendmail config.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Tony Johansson
> Sent: Wednesday, March 03, 2004 8:03 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: X-MIME
>
> Apologies if this is Sendmail and not MailScanner related. Any pointers
> appreciated.
>
> We have some users that complain about email not being properly displayed
> in their clients. The headers show:
> X-MIME-Autoconverted: from 8bit to quoted-printable by
> scanner.ourdomain.com id i231555N010471
>
> Is there a way to avoid converting messages?
> Does anyone have a solution to our problem?
>
> Regards, Tony
>

From dwinkler at ALGORITHMICS.COM Wed Mar 3 14:43:11 2004
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:22:56 2006
Subject: Custom Scores
Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B288@tormail2.algorithmics.com>

DCC tracks how many times it has seen the email based on some fuzzy hashes I believe. It tracks spam and ham. In the case of a heavily distributed mailing list, which may be considered ham, it would also trigger.

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 1:26 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Custom Scores
>
> Just installed DCC on one of my servers today and is working nicely -
> made me think that, if some messages are listed with checks like DCC or
> certain RBLs, then they must be almost 100% spam, or undesirable emails?
>
> Has anyone heard of DCC or the best RBLs listing legit senders or
> emails? Is it worth giving these a much higher score so these messages
> score as High Spam and are deleted on the spot?
>
> OR am I missing the central reasons why this likes DCC only score 1.81?
>

From gdoris at rogers.com Wed Mar 3 14:51:47 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <4045E254.900@mail.wvnet.edu>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu>
Message-ID: <35919.129.80.22.133.1078325507.squirrel@65.48.246.102>

> Julian Field wrote:
>
>> Download as usual from www.mailscanner.info.
>>
>> Please report any problems!
>
> Ok, something is still not right. I have...
>
> Allow Password-Protected Archives = no
>
> and
>
> Maximum Archive Depth = 0 (I also tried -1)
>
> When Maximum Archive Depth is set to -1 or 0 it will deliver a password
> protected zip file even though I have Allow Password-Protected Archives
> set to "no". If I have Maximum Archive Depth set to 3 then the
> protected zip is not delivered as expected but internal zip checking is
> done which is what I want to disable. I hope I'm not misinterpreting
> how this should work.
>
>>
>> Boy, do I need a holiday... ;-)
>>
> I can sympathize with that. I keep having visions of a nice trout
> stream in the mountains. :)

On a positive note.... The delay of up to 600 seconds for the upgrade_virus_scanners seems to be working just fine.

Gerry

From rabellino at DI.UNITO.IT Wed Mar 3 14:52:44 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee and password-protected zip file detection in MS
In-Reply-To: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca>
References: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <4045F13C.5060100@di.unito.it>

Denis Beauchemin wrote:
> Hi all,
>
> I tried to modify SweepViruses.pm so it could grab McAfee's "is
> password-protected" string and just treat the attachment as a virus but
> it doesn't work...
>
> I modified ProcessMcAfeeOutput() this way:
> #return 0 unless $line =~ /Found/;
> return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));
>
> Any ideas why it is not kicking in? Could it be because McAfee returns
> a zero return code if it detects a password-protected zip file (I know
> this is what it does)?
>
> If so, could there be another way of achieving the same result without
> having to upgrade to the latest unstable version?
>
> Thanks!
>
> Denis

Probably the message "password protected" is printed on a second line or to stderr.

But I've read that the latest release of mailscanner can check Bagle's zip, or am I wrong?

thanks.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From mailscanner at ecs.soton.ac.uk Wed Mar 3 14:58:09 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:56 2006
Subject: Guess what.... 4.28.4
Message-ID: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk>

Sorry the updates are appearing so thick and fast at the moment. I wish everything was rather quieter than it is right now. But you folks need protection against the latest nasties, so I haven't much option.

I have corrected the problem with this morning's code where it wasn't correctly handling messages that contained both a password-protected zip and an unprotected zip.

I have also added a check so that if you set the max nesting depth to 0 but still ban password-protected zip files, then the attachments are checked for password-protected zips without the other rules being enforced on the contents of the zip files. It will only check the first level of nesting though, as it obviously can't check a zip file it has been asked not to unpack or create in the first place.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 15:37:10 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:22:56 2006
Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BE@jessica.herefordshire.gov.uk>

Phew, I might try it tomorrow night, then.

I've noticed that Net::DNS and Net::CIDR have been updated since I first installed them a few months back, too. MailScanner works fine with the new versions.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Gerry Doris
> Sent: 03 March 2004 15:21
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 -
> Webmin
>
> >> From the Fedora list. Looks like MailScanner users running on Fedora
> >> should hold back on the Perl 5.8.3 update.
> >
> > Cheers,
> >
> > Phil
>
> I upgraded Perl yesterday and later noticed that MailScanner/SpamAssassin
> had stopped running. I wasn't sure what had caused this. Mail was just
> piling up but not lost.
>
> I restarted the box and everything started working again. There's been no
> problems since.
>
> Gerry
>

From dustin.baer at IHS.COM Wed Mar 3 15:31:36 2004
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:22:56 2006
Subject: bagle SpamAssassin rule
Message-ID: <4045FA58.C955B333@ihs.com>

For those of you who want to try to catch these with SpamAssassin, I think the following should work:

body     BAGLE_PASSWORD  /password.*[0-9]{4,}/i
describe BAGLE_PASSWORD  Password.*numbers
score    BAGLE_PASSWORD  6.5

If anyone has a better suggestion, let us know!

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From vinayakm at THEARGONCOMPANY.COM Wed Mar 3 15:35:13 2004
From: vinayakm at THEARGONCOMPANY.COM (Vinayakam Murugan)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
Message-ID: <200403032105.13375.vinayakm@theargoncompany.com>

Hi

Some machine on our network has been infected by Worm.Bagel.J and other variants. This is spawning a whole lot of mails with password encrypted zip files which contain infected executables.

We are using MailScanner-4.21 along with clamav-0.67-1.

Anybody face a similar problem? Any pointers would be great.

--
Warm Regards
~~~~~~~~~~~~~~~~~~~~~~~
Vinayakam Murugan

Tel: 91-22 - 2288 2163 Ext 121
Help Desk: 91-22 - 2288 2774
Fax Number: 91-22 - 2288 2812

http://www.TheArgonCompany.com

Viruses getting you down?
Get your virus protected mailbox at http://www.tassm.com

Linux. The Choice of the GNU generation

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 15:46:37 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:56 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> Message-ID: <4045FDDD.4030207@solid-state-logic.com> Julian OK got it , installed it, so far so good.. The 'slowness' does affect all 4.28 BTW - just didn't notice on 4.28.2-2 yesterday. I guess once features etc have been sorted the speed will have to be looked at (no I'm not volunteering as I'm no perl guru). For what it's worth 4.28.4 'feels' faster looking at the log files...no timings so I can't say for certain. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Julian Field wrote: > Sorry the updates are appearing so thick and fast at the moment. > I wish everything was rather quieter than it is right now. But you folks > need protection against the latest nasties, so I haven't much option. > > I have corrected the problem with this morning's code where it wasn't > correctly handling messages that contained both a password-protected zip > and an unprotected zip. > > I have also added a check so that if you set the max nesting depth to 0 but > still ban password-protected zip files, then the attachments are checked > for password-protected zips without the other rules being enforced on the > contents of the zip files. It will only check the first level of nesting > though, as it obviously can't check a zip file it has been asked not to > unpack or create in the first place. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From rcooper at DWFORD.COM Wed Mar 3 15:48:21 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: What is this Eudora security hole attack?
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Craig Daters > Sent: Wednesday, March 03, 2004 9:23 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: What is this Eudora security hole attack? > > > I have a co-worker who is expecting some files via > file attachment > for a job she is working on. When her client sends > them to her, the > files are being stripped out and she is receiving 'Bad Content' > removed messages from MailScanner. If you click on an exe in Eudora it will pop up a box telling you executing this file could be dangerous but, on some versions, if you click on a shortcut (.lnk) to the same exe attachment it will run it without warning. And shortcuts can be quite dangerous because they execute another file such as, say format C: or the shortcut points to "c:\windows\commands\deltree.exe /Y c:\" > > The files that are being stripped out are *.lnk files. What are > these? These should be MS Word or MS Publisher files. > When I release > these messages, they show up as folder shortcuts on a > MS system, and > useless files on a Macintosh. It is entirely possible > that her client > does not know how to send these files (though I may > get the argument > that 'they have always gotten files to us before and > not had any > problems'. You know what argument I'm talking about?) > She is sending a shortcut to the file, not the file it's self > And while we're on the subject. Since I have installed > MailScanner, I > have noticed that a couple co-workers now have mail > showing up that > is split into multi-part messages. (ie. upwards of 16 different > parts) What causes this to happen? 
The file > attachments associated I would look at the size of the attachments and the tools->accounts-advanced tab and see if it's set to breakup messages over xxx bytes (seems like the default is like 2mg) > with these messages are typically un-usable, and the > co-worker calls > the client to figure something else out instead (like > using the file > transfer system we built into our website). And I > notice that this is > typically only MS stuff that I have problems with. > > Why does Microsoft have to suck so much? (That's a > rhetorical question....) There lucky they get through, I do not allow multi-part messages because they cannot be scanned for viruses or content... bad mojo. > -- > -- > > Craig Daters (craig@westpress.com) > Systems Administrator > West Press Printing > 1663 West Grant Road > Tucson, Arizona 85745-1433 > > Tel: 520-624-4939 > Fax: 520-624-2715 > > www.westpress.com > > -- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 15:49:49 2004 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:56 2006 Subject: ClamAV module In-Reply-To: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773F13@neelix.lbsltd.co.uk> Message-ID: <4045FE9D.9060906@solid-state-logic.com> only Mail::clamav i find at the moment is 0.06 which doesn't seem to work..just sits there after initialisting SophosSavi.... works on debug mode so I dunno why? anyone got a tar of 0.04 I can have to try that? Mail me direct of you have to save clogging the list. Ta -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Steve Freegard wrote: > Hi Martin, > > I don't think it matters at all - this morning I just upgraded Clam to .67 > as I realised I'd downloaded it but not installed it (Duh!). > > I was already running the Mail::ClamAV module so to be on the safe side I > stopped MS just prior to the 'make install' of .67 and installed the latest > Mail::ClamAV via CPAN at the same time, just in case the libraries had > changed at all. > > Working nicely so far... > > Kind regards, > Steve. > > >>-----Original Message----- 
>>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] >>Sent: 03 March 2004 10:31 >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: ClamAV module >> >> >>Guys >> >>Which version of the tjhe clamAVmodule should I be using. I recall >>something about one of the versions not working properly with >>MS, but i >>can't see anything on the archives. >> >>(btw - running MS 4.28.2-2 and clamav 0.67) >> >> >>-- >>-- >>Martin Hepworth >>Snr Systems Administrator >>Solid State Logic >>Tel: +44 (0)1865 842300 >> >>********************************************************************** >> >>This email and any files transmitted with it are confidential and >>intended solely for the use of the individual or entity to whom they >>are addressed. If you have received this email in error please notify >>the system manager. >> >>This footnote confirms that this email message has been swept >>for the presence of computer viruses and is believed to be clean. >> >>********************************************************************** >> > > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From henker at S-H-COM.DE Wed Mar 3 15:51:52 2004 
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:22:56 2006 Subject: ClamAV module In-Reply-To: References: Message-ID: On Wed, 3 Mar 2004, Raymond Dijkxhoorn wrote: > Are you sure ? Mail-ClamAV-0.05 is broken, you should use .4 You can use .05, if you comment out the line regarding the "config.pl" as Julian suggested some time ago. But sticking with .04 sounds like a good idea. Regards, Steffan From craig at WESTPRESS.COM Wed Mar 3 15:55:38 2004 From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:56 2006 Subject: What is this Eudora security hole attack? In-Reply-To: References: Message-ID: >If you click on an exe in Eudora it will pop up a box telling you >executing this file could be dangerous but, on some versions, >if you click on a shortcut (.lnk) to the same exe attachment it >will run it without warning. And shortcuts can be quite dangerous >because they execute another file such as, say format C: or the >shortcut >points to "c:\windows\commands\deltree.exe /Y c:\" Thank you, that explains it. And "thank you" to everyone else that gave their input. All the information submitted was helpful. >I would look at the size of the attachments and the >tools->accounts-advanced >tab and see if it's set to breakup messages over xxx bytes (seems >like the >default is like 2mg) [- snip -] >There lucky they get through, I do not allow multi-part messages >because they cannot be scanned for viruses or content... bad >mojo. Yes, I agree it is bad mojo. I bet this feature was implemented to try and overcome the filesize limit imposed by some ISP regarding file attachments. I think file attachments are bad anyway, and never pass up an opportunity to try and sell FTP to someone. -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From sysadmins at ENHTECH.COM Wed Mar 3 15:56:58 2004 
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:56 2006 Subject: HEADS UP - viruses in password protected zip files In-Reply-To: References: <404377BC.49FC7130@ihs.com> Message-ID: <6.0.2.0.0.20040303105604.027d6e00@mail.enhtech.com> At 12:58 PM 3/1/2004, Raymond Dijkxhoorn wrote: >Hi! > > > > >>> Its in our top10 of today: > > > >>> > > > >>> 4747 W32/Netsky.B@mm > > > >>> 1275 W32/Swen.A@mm > > > >>> 404 W32/Sober.C@mm > > > >>> 337 W32/Mydoom.A@mm > > > >>> 200 W32/Netsky.C@mm > > > >>> 126 W32/Bugbear.B@mm > > > >>> 96 W32/Bagle.F@mm > > > >>> 57 W32/Bagle.E@mm > > > >>> 49 W32/Mydoom.E@mm > > > >>> 19 W32/Mimail.J@mm > > > I am not peter or raymond, but... > > > > grep "Virus '.*' found" /PATH/TO/YOUR/SYSLOG | sed "s/[^']*//" | sed > > "s/found.*//" | sort | uniq -c | sort -n -r > >You might want to do this a little smarter :) We for example parse around >1.5 GB logfiles, your disk wont be happy if you grep those all over from >the start again and again :) We update every 5 minutes now and have >around 5-6 seconds parsing time on that :) > >Bye, >Raymond. Raymond, How is it that you are detecting these viruses in the password protected archives? They just fly past sophos on my mailscanner Errol Neal From Kevin.Spicer at BMRB.CO.UK Wed Mar 3 15:57:23 2004 
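Raymond's point about not re-grepping a 1.5 GB log from the start every five minutes, as an added Python example that is not from the thread: it does what the grep/sed/sort/uniq pipeline quoted above does on MailScanner "Virus '...' found" lines, but remembers the byte offset it last consumed so each run only parses what was appended, and starts over when the file shrinks (log rotation or truncation). The sample log lines are constructed to match the pattern the pipeline greps for, not copied from a real log.

```python
import os
import re
from collections import Counter

# Same pattern as the grep in the post above: the virus name sits between the quotes.
VIRUS_RE = re.compile(r"Virus '([^']*)' found")

# Constructed sample lines in the shape that grep expects (not copied from a real log).
SAMPLE_LOG = [
    "Mar  1 12:58:01 mx1 MailScanner[1234]: Virus 'W32/Netsky.B@mm' found",
    "Mar  1 12:58:02 mx1 MailScanner[1234]: Virus 'W32/Bagle.F@mm' found",
    "Mar  1 12:58:03 mx1 MailScanner[1235]: Requeue: 1AyZ9e-0004QW-EQ to 1AyZ9f-0004QX-AB",
    "Mar  1 12:58:04 mx1 MailScanner[1234]: Virus 'W32/Netsky.B@mm' found",
]


def count_viruses(lines, counts=None):
    """grep | sed | sort | uniq -c, in memory: tally virus names over an iterable of lines."""
    counts = counts if counts is not None else Counter()
    for line in lines:
        m = VIRUS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def scan_incremental(path, state):
    """Parse only what was appended since the last call.

    state = {"offset": bytes already consumed, "counts": Counter}. If the file is
    now smaller than the offset it was rotated or truncated, so start over.
    A trailing partial line (syslog mid-write) is left for the next run.
    """
    size = os.path.getsize(path)
    if size < state["offset"]:
        state["offset"], state["counts"] = 0, Counter()
    with open(path, "rb") as fh:
        fh.seek(state["offset"])
        chunk = fh.read()
    last_nl = chunk.rfind(b"\n")
    if last_nl == -1:
        return state
    complete = chunk[: last_nl + 1]
    state["offset"] += last_nl + 1
    count_viruses(complete.decode("utf-8", "replace").splitlines(), state["counts"])
    return state


def top_n(counts, n=10):
    """The 'sort -n -r | head' end of the pipeline."""
    return counts.most_common(n)


def demo_incremental():
    """Write the sample log to a temp file, scan it, append one line, scan again.

    Returns (counts after first run, counts after second run, whole file consumed?).
    """
    import tempfile
    state = {"offset": 0, "counts": Counter()}
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write("\n".join(SAMPLE_LOG) + "\n")
        path = fh.name
    try:
        first = dict(scan_incremental(path, state)["counts"])
        with open(path, "a") as fh:  # a later syslog write
            fh.write("Mar  1 13:03:00 mx1 MailScanner[1236]: Virus 'W32/Mydoom.A@mm' found\n")
        second = dict(scan_incremental(path, state)["counts"])
        return first, second, state["offset"] == os.path.getsize(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    first, second, consumed = demo_incremental()
    for name, n in top_n(Counter(second)):
        print(f"{n:6d} {name}")
```

For a real deployment the state dict would be persisted between cron runs (a small JSON file is enough); the offset is all that makes the second run cheap.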
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:22:56 2006
Subject: Bagel.H
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk>

Vinayakam Murugan wrote:
> Hi
>
> Some machine on our network has been infected by Worm.Bagel.J and
> other variants. This is spawning a whole lot of mails with password
> encrypted zip files which contain infected executables.
>
> We are using MailScanner-4.21 along with clamav-0.67-1.
>
> Anybody face a similar problem? Any pointers would be great.

Find its IP, deny access to SMTP port via iptables.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From drew at THEMARSHALLS.CO.UK Wed Mar 3 15:56:29 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:56 2006 Subject: Bagel.H In-Reply-To: <200403032105.13375.vinayakm@theargoncompany.com> References: <200403032105.13375.vinayakm@theargoncompany.com> Message-ID: <12951.194.70.180.170.1078329389.squirrel@net.themarshalls.co.uk> Vinayakam Murugan said: > Hi > > Some machine on our network has been infected by Worm.Bagel.J and other > variants. This is spawning a whole lot of mails with password encrypted > zip > files which contain infected executables. Shut down your network and get all those machines cleaned. > > We are using MailScanner-4.21 along with clamav-0.67-1. > Upgrade MS to the latest beta (And keep an eye on this list as Julian is working overtime at the moment keeping up. Ther have been 4 (Or is it 5, I've lost count!) new beta releases in just over 24 hours. (Got to take the oportunity to say, thanks Julian. No commercial software could keep up with that.) > Anybody face a similar problem? Any pointers would be great. > > -- > Warm Regards > ~~~~~~~~~~~~~~~~~~~~~~~ > Vinayakam Murugan > > Tel: 91-22 - 2288 2163 Ext 121 > Help Desk: 91-22 - 2288 2774 > Fax Number: 91-22 - 2288 2812 > > http://www.TheArgonCompany.com > > Viruses getting you down? > Get your virus protected mailbox at http://www.tassm.com > > Linux. The Choice of the GNU generation > -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From rcooper at DWFORD.COM Wed Mar 3 16:08:51 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:56 2006 Subject: McAfee and password-protected zip file detection in MS In-Reply-To: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Denis Beauchemin > Sent: Wednesday, March 03, 2004 9:46 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: McAfee and password-protected zip file detection in MS > > > Hi all, > > I tried to modify SweepViruses.pm so it could grab McAfee's "is > password-protected" string and just treat the > attachment as a virus but > it doesn't work... > > I modified ProcessMcAfeeOutput() this way: > #return 0 unless $line =~ /Found/; > return 0 unless (($line =~ /Found/) or ($line =~ /is > password-protected/)); How about adding a log to stderr like: print STDERR "Line Was: $line\n"; return 0 unless $line =~ /Found|password-protected/ Then run MS in debug and watch and see what it is seeing, perhaps something is a bit different than you thought, like case? > > Any ideas why it is not kicking in? Could it be > because McAfee returns > a zero return code if it detects a password-protected > zip file (I know > this is what it does)? > > If so, could there be another way of achieving the > same result without > having to upgrade to the latest unstable version? > > Thanks! > > Denis > -- > Denis Beauchemin, analyste > Universit? de Sherbrooke, S.T.I. > T: 819.821.8000x2252 F: 819.821.8045 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From rcooper at DWFORD.COM Wed Mar 3 16:13:35 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:22:56 2006 Subject: Encrypted Zip files - how to block In-Reply-To: <6.0.2.0.0.20040303100437.027d5810@mail.enhtech.com> Message-ID: yes, to 4.28.4 > -----Original Message----- 
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Admin Team
> Sent: Wednesday, March 03, 2004 10:07 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Encrypted Zip files - how to block
>
>
> Hi,
>
> We are getting a bunch of encrypted zip files making
> it through our
> MailScanners. I am running 4.25-14, the last stable
> version with the
> original bounce option. Would upgrading solve this
> issue of these files
> making it through?
>
>
> Errol Neal
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From P.G.M.Peters at utwente.nl Wed Mar 3 16:17:58 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:22:56 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To:
References: <4045C341.8020400@solid-state-logic.com>
Message-ID:

On Wed, 3 Mar 2004 15:17:49 +0100, you wrote:

>Hi!
>
>> the fastest code factory in the west ain't producing the fastest code:-(
>>
>> My CPU is running at 100% and just about keeping up with the mail
>> traffic - ie processing about 375 messages an hour. Version 4.28.2-2 was
>> pushing about 1500 per hour..
>
>I hope Julian also can have a look on the MIME fixes implemented recently,
>it really drives my CPU up. My boxes can keep up, but i am sure it will
>break a lot of others.

I have installed the new version and it can clean incoming (I keep incoming sendmail running during upgrades) almost as fast as the old one. That's the indication for me whether a version is fast enough to handle our load.

And I have another problem. Our third mailserver is behind a dead router so I had to redirect all pointers to the two servers locally. They now get 50% extra messages to chew on and they still manage to get it done. Nice piece of software. ;-)

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 16:18:13 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:56 2006 Subject: MS 4.28.4 Message-ID: <40460545.6090708@solid-state-logic.com> Julian Using the default settings (including archive depth and so on) looks like MS just trapped one the the bagle varients.. Just need to confirm with the user in question, but the 'from address' is a Belgian domain and the ip, is a verizon NY dialup/broadband ip address so it's very suspect.. And ClamAV didn't spot it either.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mike at TC3NET.COM Wed Mar 3 16:25:00 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:56 2006 Subject: McAfee and password-protected zip file detection in MS In-Reply-To: References: Message-ID: <1078331100.3290.1.camel@mike-new2.tc3net.com> So is McAfee uvscan with the latest .dat working or not? I am seeing Bagle.j's caught, looking at my statistics. Regards MIKE > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Denis Beauchemin > > Sent: Wednesday, March 03, 2004 9:46 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: McAfee and password-protected zip file detection in MS > > > > > > Hi all, > > > > I tried to modify SweepViruses.pm so it could grab McAfee's "is > > password-protected" string and just treat the > > attachment as a virus but > > it doesn't work... > > > > I modified ProcessMcAfeeOutput() this way: > > #return 0 unless $line =~ /Found/; > > return 0 unless (($line =~ /Found/) or ($line =~ /is > > password-protected/)); > > How about adding a log to stderr like: > print STDERR "Line Was: $line\n"; > return 0 unless $line =~ /Found|password-protected/ > > Then run MS in debug and watch and see what it is seeing, perhaps > something is a bit different than you thought, like case? > > > > > Any ideas why it is not kicking in? Could it be > > because McAfee returns > > a zero return code if it detects a password-protected > > zip file (I know > > this is what it does)? > > > > If so, could there be another way of achieving the > > same result without > > having to upgrade to the latest unstable version? > > > > Thanks! > > > > Denis > > -- > > Denis Beauchemin, analyste > > Universit? de Sherbrooke, S.T.I. > > T: 819.821.8000x2252 F: 819.821.8045 > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 16:26:05 2004 From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files Message-ID: <4046071D.7040602@trayerproducts.com> I recently enabled "Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. How do I send the queued message on to the intended recipient? Thanks, Rod From rcooper at DWFORD.COM Wed Mar 3 16:30:06 2004 
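The McAfee output Denis is trying to catch in SweepViruses.pm (the "Found the ... virus" and "is password-protected" lines), as an added Python example; this is not MailScanner's own code and not a McAfee format specification. It covers the edge case visible in the uvscan output Denis quotes later in this thread, where a long quarantine path wraps onto its own line with "is password-protected." on the next: a per-line /Found|password-protected/ test fires on that line but has no filename to attach the verdict to. It also ignores the scanner's exit status, which Denis notes is zero for password-protected archives. The sample output lines and the placeholder paths are constructed.

```python
import re

# "path Found the NAME virus !!!"  (detection reported on a single line)
FOUND_RE = re.compile(r"^(?P<path>\S.*?)\s+Found the (?P<name>.+?) virus\s*!*\s*$")
# "path is password-protected."  or a bare "is password-protected." after a wrapped path
PWD_RE = re.compile(r"^(?:(?P<path>\S.*?)\s+)?is password-protected\.?\s*$")


def parse_uvscan(lines, password_protected_is_infected=True):
    """Return [(path, label)] for every finding in uvscan's text output.

    Exit status is deliberately not consulted: as noted in the thread, uvscan
    returns 0 for a password-protected archive, so the text is the only signal.
    """
    findings = []
    pending_path = None  # a line that was only a path: the verdict follows on the next line
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = FOUND_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("name")))
            pending_path = None
            continue
        m = PWD_RE.match(line)
        if m:
            path = m.group("path") or pending_path
            if password_protected_is_infected:
                findings.append((path, "password-protected archive"))
            pending_path = None
            continue
        pending_path = line.strip()
    return findings


# Constructed sample output modelled on the wrapped uvscan lines quoted in this thread;
# the quarantine directories are placeholders.
SAMPLE_UVSCAN = [
    "/var/spool/quarantine/PLACEHOLDER/i22HBCOJ000853/Document.zip/WBJAMVF.SCR",
    "is password-protected.",
    "/var/spool/quarantine/PLACEHOLDER/other/Archive.zip Found the W32/Bagle.gen!pwdzip (ED) virus !!!",
    "/var/spool/quarantine/PLACEHOLDER/short.zip is password-protected.",
    "/var/spool/quarantine/PLACEHOLDER/clean.doc",  # a path with no verdict is not a finding
]


def naive_per_line_hits(lines):
    """The one-line /Found|password-protected/ test suggested in the thread, for comparison:
    it fires on the right lines, but for the wrapped case the hit carries no filename."""
    return [l for l in lines if re.search(r"Found|password-protected", l)]


if __name__ == "__main__":
    for path, label in parse_uvscan(SAMPLE_UVSCAN):
        print(f"{label:28} {path}")
    print("naive hits:", naive_per_line_hits(SAMPLE_UVSCAN))
```

The parser keeps the previous non-verdict line as the candidate path; that is the same thing a human does when reading the wrapped output, and it is why the per-line regex alone appears to "not kick in" for the file it should have named.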
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:22:56 2006
Subject: ClamAV module
In-Reply-To: <4045FE9D.9060906@solid-state-logic.com>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Martin Hepworth > Sent: Wednesday, March 03, 2004 10:50 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ClamAV module > > > only Mail::clamav i find at the moment is 0.06 which > doesn't seem to > work..just sits there after initialisting > SophosSavi.... works on debug > mode so I dunno why? > > anyone got a tar of 0.04 I can have to try that? Mail > me direct of you > have to save clogging the list. I am using the latest 0.06 and it works fine: Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found virus EICAR_Test_File Mar 3 11:23:37 srv2 MailScanner[17017]: /var/spool/mailscanner/incoming/17017/1AyZ9e-0004QW-EQ/eicar.com Infection: EICAR_Test_File Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found virus EICAR_Test_File Mar 3 11:23:37 srv2 MailScanner[17017]: Completed scanning by f-prot Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: F-Prot found 2 infections Mar 3 11:23:37 srv2 MailScanner[17017]: Commencing scanning by clamavmodule... Mar 3 11:23:37 srv2 MailScanner[17017]: INFECTED:: Eicar-Test-Signature:: ./1AyZ9e-0004QW-EQ/eicar_com.zip Mar 3 11:23:37 srv2 MailScanner[17017]: INFECTED:: Eicar-Test-Signature:: ./1AyZ9e-0004QW-EQ/eicar.com Mar 3 11:23:37 srv2 MailScanner[17017]: Completed scanning by clamavmodule Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: ClamAV Module found 2 infections Mar 3 11:23:37 srv2 MailScanner[17017]: Infected message 1AyZ9e-0004QW-EQ came from 192.168.1.3 Mar 3 11:23:37 srv2 MailScanner[17017]: Virus Scanning: Found 2 viruses Mar 3 11:23:37 srv2 MailScanner[17017]: Filename Checks: Windows/DOS Executable (1AyZ9e-0004QW-EQ eicar.com) Note both f-prot and clamavmodule reported both the Eicar signatures, the previous version was broken, more or less, but that problem was fixed (I checked for the lines related to the missing file) and obviously works now. 
> > Ta > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > Steve Freegard wrote: > > Hi Martin, > > > > I don't think it matters at all - this morning I > just upgraded Clam to .67 > > as I realised I'd downloaded it but not installed it (Duh!). > > > > I was already running the Mail::ClamAV module so to > be on the safe side I > > stopped MS just prior to the 'make install' of .67 > and installed the latest > > Mail::ClamAV via CPAN at the same time, just in case > the libraries had > > changed at all. > > > > Working nicely so far... > > > > Kind regards, > > Steve. > > > > > >>-----Original Message----- 
> >>From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM] > >>Sent: 03 March 2004 10:31 > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: ClamAV module > >> > >> > >>Guys > >> > >>Which version of the tjhe clamAVmodule should I be > using. I recall > >>something about one of the versions not working properly with > >>MS, but i > >>can't see anything on the archives. > >> > >>(btw - running MS 4.28.2-2 and clamav 0.67) > >> > >> > >>-- > >>-- > >>Martin Hepworth > >>Snr Systems Administrator > >>Solid State Logic > >>Tel: +44 (0)1865 842300 > >> > >>***************************************************** > ***************** > >> > >>This email and any files transmitted with it are > confidential and > >>intended solely for the use of the individual or > entity to whom they > >>are addressed. If you have received this email in > error please notify > >>the system manager. > >> > >>This footnote confirms that this email message has been swept > >>for the presence of computer viruses and is believed > to be clean. > >> > >>***************************************************** > ***************** > >> > > > > > > -- > > This email and any files transmitted with it are > confidential and > > intended solely for the use of the individual or > entity to whom they > > are addressed. If you have received this email in > error please notify > > the sender and delete the message from your mailbox. > > > > This footnote also confirms that this email message > has been swept by > > MailScanner (www.mailscanner.info) for the presence > of computer viruses. > > ******************************************************* > *************** > > This email and any files transmitted with it are > confidential and > intended solely for the use of the individual or > entity to whom they > are addressed. If you have received this email in > error please notify > the system manager. 
> > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed > to be clean. > > ******************************************************* > *************** > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From maillists at CONACTIVE.COM Wed Mar 3 16:31:36 2004 From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:56 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <4045F485.5060807@1SEO.net> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> Message-ID: Nick Nelson wrote on Wed, 3 Mar 2004 10:06:45 -0500: > Great idea. > You can already do that with the rules. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From wei at ENG.FSU.EDU Wed Mar 3 16:32:25 2004 From: wei at ENG.FSU.EDU (Wei Li) Date: Thu Jan 12 21:22:56 2006 Subject: .doc attachment stays in the queue In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk> Message-ID: <40460899.1030703@eng.fsu.edu> Hi, One of the user could not send email with a .doc attachment. It stayed in the queue, even could not be sent mannually. I tried to send a .doc mail to myself, it does not work, too. Any suggestion? Thanks root:/var/spool/mqueue> grep microscopy5937-syl.doc * dfi23FuTI28433:Content-Type: application/msword; name="microscopy5937-syl.doc"; dfi23FuTI28433:Content-Disposition: attachment; filename="microscopy5937-syl.doc" Mar 3 10:56:32 sendmail[28433]: [ID 801593 mail.info] i23FuTI28433: from=, size=675222, class=0 , nrcpts=2, msgid=<6.0.0.22.2.20040303105755.01e98118@>, proto=ESMTP, daemon=MTA-IPv4, relay=cmsghost1 [ ] From kodak at FRONTIERHOMEMORTGAGE.COM Wed Mar 3 16:19:34 2004 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:22:56 2006 Subject: Bagel.H In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk> Message-ID: <008401c4013b$50d4d440$0501a8c0@darkside> >> Some machine on our network has been infected by Worm.Bagel.J and >> other variants. This is spawning a whole lot of mails with password >> encrypted zip files which contain infected executables. >> >> We are using MailScanner-4.21 along with clamav-0.67-1. >> >> Anybody face a similar problem? Any pointers would be great. > >Find its IP, deny access to SMTP port via iptables. > Better yet, unplug it from the network until you get it cleaned. --J(K) From mike at TC3NET.COM Wed Mar 3 16:34:56 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:56 2006 Subject: McAfee PROBLEM !!! In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> Message-ID: <1078331696.3290.7.camel@mike-new2.tc3net.com> Good Question, Does DAT 4332 fix it, my understanding was that it handled the unzipping and so forth, and MailScanner interpreted the response, I'm looking for confirmation, I'm running an older version of MailScanner (4.25-14 I believe), I hate to upgrade unless it's necessary. Regards MIKE > Does DAT 4332 fix it? > > Phil > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Desai, Jason > > Sent: 02 March 2004 20:56 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: McAfee PROBLEM !!! > > > > > > Thanks for this info - it was very helpful! I have the same results. > > > > Jason > > > > > -----Original Message----- 
> > > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA] > > > Sent: Tuesday, March 02, 2004 2:09 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: [MAILSCANNER] McAfee PROBLEM !!! > > > > > > > > > Hi, > > > > > > We installed the extra.dat this morning and it was catching some > > > W32/Bagle.gen!pwdzip (ED) with dat 4330. > > > > > > Now that dat 4331 is out the same files are not detected as viruses > > > anymore!!! > > > > > > I reinstalled the extra.dat to be sure they are detected. > > > > > > Scan with 4331: > > > # uvscan --mime --mailbox --secure * > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/ > > > WBJAMVF.SCR > > > is password-protected. > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Docum > > > ent.zip/WBJAMVF.SCR > > > is password-protected. > > > > > > Scan with 4331 and extra.dat: > > > # uvscan --mime --mailbox --secure * > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!! > > > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!! > > > > > > Denis > > > -- > > > Denis Beauchemin, analyste > > > Universit? de Sherbrooke, S.T.I. > > > T: 819.821.8000x2252 F: 819.821.8045 > > > > > > From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 16:38:05 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:56 2006 Subject: ClamAV module In-Reply-To: References: Message-ID: <404609ED.4030605@solid-state-logic.com> Rick yeah 0.04 hangs as well, must be file permissions somewhere as it works find when running in debug mode...I'll have to have a poke around.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Rick Cooper wrote: >>-----Original Message----- 
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Martin Hepworth
>>Sent: Wednesday, March 03, 2004 10:50 AM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: ClamAV module
>>
>>
>>only Mail::clamav i find at the moment is 0.06 which
>>doesn't seem to
>>work..just sits there after initialising
>>SophosSavi.... works on debug
>>mode so I dunno why?
>>
>>anyone got a tar of 0.04 I can have to try that? Mail
>>me direct if you
>>have to save clogging the list.
>
>
> I am using the latest 0.06 and it works fine:
>

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From gercke at HNM.DE Wed Mar 3 15:00:44 2004
From: gercke at HNM.DE (Daniel Gercke)
Date: Thu Jan 12 21:22:56 2006
Subject: Spam: Re: # SENDMAIL_RELAY Question
In-Reply-To:
References:
Message-ID: <4045F31C.5040005@hnm.de>

Sorry, I'm not very familiar with sendmail config. Where should I add this (sendmail.m4 or sendmail.cf)? When I add this, will the machine called mailscanner relay the mails or must I add all domains to /etc/mail/relay-domains ?

Pentland G. wrote:
> Try this...
>
> LOCAL_CONFIG
> # If email is bound to the local domain, what will do local delivery for us?
> dnl
> D{DefaultLocalDeliveryHost}YOURHOST.DOMAIN.COM
>
> LOCAL_RULE_0
> # Allocate a slot for the domain name
> R$+			$: < > $1
> # Addresses qualified with the local machine name - unqualify them
> R< > $+ < @ $j . >	$: < > $1
> # Addresses qualified with a local domain - unqualify them
> R< > $+ < @ $=w . >	$: < > $1
> # Anything else on the qualification is non-local so return and parse normally
> R< > $* @ $*		$@ $1 @ $2
> # Anything unqualified qualify with the local domain
> R< > $+			$: < $M > $1
> # Now send these local emails to the default local delivery servers
> R< $+ > $+		$#esmtp $@ ${DefaultLocalDeliveryHost} $: $2 < @ $1 . >
>
> Hope that helps.
>
> -----Original Message-----
> From: Daniel Gercke [mailto:gercke@HNM.DE]
> Sent: Wed 3/3/2004 11:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Cc:
> Subject: # SENDMAIL_RELAY Question
>
>
>
> Hello,
>
> I have a problem. I'm running a mailserver with a lot of domains and
> users. Now I have set up another server with mailscanner. Now for some
> domains I want incoming mails to go through mailscanner, and
> mailscanner should relay them to the old mailserver.
> For mail coming from the world this works fine. But when a local domain on the
> mailserver sends to another local account, this mail isn't sent
> through mailscanner; it is delivered locally.
> Now my question:
> What would happen if I add SENDMAIL_RELAY="mailscanner" to
> the sendmail config of the mailserver? Will there be a mail loop between these
> machines?
>
>
>
>
>
> --
> This message has been checked for viruses and other dangerous content
> and is - assuming up-to-date virus scanners - clean.
> MailScanner thanks transtec for their kind support.
>
>

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 15:02:14 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green)
Date: Thu Jan 12 21:22:56 2006
Subject: blocked attachment message for certain file attachments
Message-ID: <4045F376.7030808@trayerproducts.com>

Hello. Is it possible to prevent MailScanner from sending a "Blocked Attachment" message to a recipient when the file attachment that was blocked was, say, a pif file? There's no reason to send a pif file, therefore I would like the users not even notified about receiving and blocking it.

Thanks,
Rod

From sysadmins at ENHTECH.COM Wed Mar 3 15:06:32 2004
From: sysadmins at ENHTECH.COM (Admin Team) Date: Thu Jan 12 21:22:56 2006 Subject: Encrypted Zip files - how to block Message-ID: <6.0.2.0.0.20040303100437.027d5810@mail.enhtech.com> Hi, We are getting a bunch of encrypted zip files making it through our MailScanners. I am running 4.25-14, the last stable version with the original bounce option. Would upgrading solve this issue of these files making it through? Errol Neal From nnelson at 1seo.net Wed Mar 3 15:06:45 2004 From: nnelson at 1seo.net (Nick Nelson) Date: Thu Jan 12 21:22:56 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <4045F376.7030808@trayerproducts.com> References: <4045F376.7030808@trayerproducts.com> Message-ID: <4045F485.5060807@1SEO.net> Rodney Green wrote: > Hello. Is it possible to prevent MailScanner from sending a "Blocked > Attachment" message to a recipient when the file attachment that was > blocked was say, a pif file? There's no reason to send a pif file > therefore I would like the users not even notified about receiving and > blocking it. > > Thanks, > Rod Great idea. I would agree, the definite viruses (pif, scr, etc) should have an option to turn on/off notifications. They only cause more questions. From mike-sender-1ed4e7 at zanker.org Wed Mar 3 15:07:43 2004 
From: mike-sender-1ed4e7 at zanker.org (Mike Zanker)
Date: Thu Jan 12 21:22:56 2006
Subject: Multi Threaded Perl
In-Reply-To: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
References: <58696C94787F16468267F3509F1150309833@hermes.clumpton.homeip.net>
Message-ID: <273898531.1078326463@jemima.zanker.org>

On 03 March 2004 13:28 +0000 MailScanner wrote:

> I will make the change outside business hours. I'm assuming that MS
> will pick it up when it next accesses a Perl routine, or does it
> require a service MailScanner reload?

If I were you I'd reboot the box. /etc/sysconfig/i18n is read by /etc/init.d/functions which, in turn, is used by just about everything else in /etc/init.d.

Mike.

From gdoris at rogers.com Wed Mar 3 15:20:37 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: FW: FEDORA-2004-085: perl 5.8.3-10 available for FC1 - Webmin
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B9@jessica.herefordshire.gov.uk>
Message-ID: <56879.129.80.22.133.1078327237.squirrel@65.48.246.102>

> From the Fedora list. Looks like MailScanner users running on Fedora
> should hold back on the Perl 5.8.3 update.
>
> Cheers,
>
> Phil

I upgraded Perl yesterday and later noticed that MailScanner/SpamAssassin had stopped running. I wasn't sure what had caused this. Mail was just piling up but not lost. I restarted the box and everything started working again. There have been no problems since.

Gerry

From rabellino at DI.UNITO.IT Wed Mar 3 15:22:16 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:22:56 2006
Subject: Upgrade from a very OLD release
Message-ID: <4045F828.5080700@di.unito.it>

I've not understood how to re-create the old feature "Deliver From Local Domain = no" that was used in the 3.x release of mailscanner...

The conf's instructions tell me to create a "ruleset" for Deliver Cleaned ... (a file .conf ?) configured (I believe) like :

From: mylocaldomain no
FromOrTo: default yes

But Mailscanner complains about a binary option (yes or no) only
(... I was away for a while ...)

Thanks.
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From gdoris at rogers.com Wed Mar 3 15:26:59 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:22:56 2006
Subject: Redhat Upgrades Perl to 5.8.3-10
Message-ID: <42735.129.80.22.133.1078327619.squirrel@65.48.246.102>

In the for-what-it's-worth department...

Yesterday I updated my Fedora mail server to the latest Redhat perl 5.8.3-10. Later I noticed that mail was piling up in the inqueue and not being delivered. Checking the logs I found that they were filled with messages about not being able to find SpamAssassin and MailScanner was constantly restarting.

I just rebooted the box and all went back to normal.

Gerry

From prandal at HEREFORDSHIRE.GOV.UK Wed Mar 3 15:30:42 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:22:56 2006 Subject: ANNOUNCE: Unstable 4.28.3 released Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5BD@jessica.herefordshire.gov.uk> Julian Field sighed: > >>Boy, do I need a holiday... ;-) > >I can sympathize with that. I keep having visions of a nice trout > >stream in the mountains. :) > > Give me some nice looking hills, a comfy pair of boots, some > sunshine, and a map. It's much more fun without a map! Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK From mailscanner at ecs.soton.ac.uk Wed Mar 3 16:46:25 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Speed problems Message-ID: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> I have been trying to reproduce the loss of speed running various different versions on the same mail messages in debug mode. Unsuccessfully :-( I have used versions from 4.23 onwards. All appear to run at the same speed. I am using a "reasonable" configuration with 1 RBL check and F-Prot. The only thing is I am not running SpamAssassin, as its speed is very variable and so hides the real speed of the underlying process. If you are suffering speed problems, please can you tell me what was the last fast version you used, and what was the first slow version. Did you downgrade again to fix the problem? Was it successful, and what version was again nice and fast? If you run a batch through in Debug mode does it always take the same time regardless of what version you are running? Maybe the problem only surfaces when running lots of child processes? The better I can narrow down exactly when the problem occurred, the better chance I have of finding it. It doesn't appear to be in the more robust MIME code I implemented, that doesn't make any difference. Please can you help me folks? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dustin.baer at IHS.COM Wed Mar 3 17:00:41 2004 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files References: <4046071D.7040602@trayerproducts.com> Message-ID: <40460F39.20CC6455@ihs.com> Rodney Green wrote: > > I recently enabled > "Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. > How do I send the queued message on to the intended recipient? > > Thanks, > Rod Move them both to mqueue (or your outgoing queue). Note that they will not have been checked for viruses, if they were quarantined as spam. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From bg.mahesh at INDIAINFO.COM Wed Mar 3 17:03:10 2004 
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:22:56 2006
Subject: SpamAssassin installation could not be found
Message-ID: <20040303170310.6047F3AA466@ws5-8.us4.outblaze.com>

>
> What does
> perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
> produce?

% perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
2.63

> And what about
> which perl

% whereis perl
perl: /usr/bin/perl /usr/share/man/man1/perl.1 /usr/share/man/man1/perl.1.gz
% which perl
/usr/bin/perl

> and
> /usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'

% /usr/bin/perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION'
2.63

I saw there were multiple perl versions in /usr/local/lib/perl5 and /usr/lib/perl5/. I got rid of the Mail directory in all non-5.8.1 directories and installed SA again. Seems to work. The email headers don't talk about SA yet. I guess I need to look hard into the configuration file now.

--
bgm
--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/

--
______________________________________________
IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes!
Powered by Outblaze

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:08:40 2004
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40460F39.20CC6455@ihs.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> Message-ID: <40461118.2060108@trayerproducts.com> Thanks Dustin. By "both of them" do you mean the message and the attachment file? Rod Dustin Baer wrote: >Rodney Green wrote: > > >>I recently enabled >> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >>How do I send the queued message on to the intended recipient? >> >>Thanks, >>Rod >> >> > >Move them both to mqueue (or your outgoing queue). Note that they will >not have been checked for viruses, if they were quarantined as spam. > >Dustin >-- >Dustin Baer >Unix Administrator/Postmaster >Information Handling Services >15 Inverness Way East >Englewood, CO 80112 >303-397-2836 > > > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:06:40 2004 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <4046071D.7040602@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303170607.03a23ab8@imap.ecs.soton.ac.uk> At 16:26 03/03/2004, you wrote: >I recently enabled >"Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >How do I send the queued message on to the intended recipient? Drop the files into /var/spool/mqueue. The next queue run will pick them up and deliver them. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:13:12 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <4045F485.5060807@1SEO.net> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> Message-ID: <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> At 15:06 03/03/2004, you wrote: >Rodney Green wrote: >>Hello. Is it possible to prevent MailScanner from sending a "Blocked >>Attachment" message to a recipient when the file attachment that was >>blocked was say, a pif file? There's no reason to send a pif file >>therefore I would like the users not even notified about receiving and >>blocking it. >> >>Thanks, >>Rod > >Great idea. I would agree, the definite viruses (pif, scr, etc) should >have an option to turn on/off notifications. They only cause more questions. You can already effectively do this with the setting Notify Senders Of Blocked Filenames Or Filetypes = no -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:11:46 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Bagel.H In-Reply-To: <008401c4013b$50d4d440$0501a8c0@darkside> References: <5C0296D26910694BB9A9BBFC577E7AB001649B0D@pascal.priv.bmrb.co.uk> <008401c4013b$50d4d440$0501a8c0@darkside> Message-ID: <6.0.1.1.2.20040303170757.038e0500@imap.ecs.soton.ac.uk> At 16:19 03/03/2004, you wrote: > >> Some machine on our network has been infected by Worm.Bagel.J and > >> other variants. This is spawning a whole lot of mails with password > >> encrypted zip files which contain infected executables. > >> > >> We are using MailScanner-4.21 along with clamav-0.67-1. > >> > >> Anybody face a similar problem? Any pointers would be great. > > > >Find its IP, deny access to SMTP port via iptables. > > > >Better yet, unplug it from the network until you get it >cleaned. If you are using sendmail, take a look at the IPBlock code in CustomConfig.pm. You can create a configuration file which specifies how many messages per hour to accept from various hosts and networks. If a host on any of the defined networks exceeds its hourly rate, it is automatically blocked for the rest of that hour using sendmail's access database. At the end of the hour, the blocks are removed and mail can flow again, until a limit is exceeded again. It logs an entry every time a machine is blocked for exceeding its limit. So you can say that, for example, you expect at most 30 messages per hour from any internal computer, except for bigger limits (3000?) from your mail servers. It will stop you being flooded by mail from infected PCs until you get a chance to clean them. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:16:42 2004 
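The hourly per-host rate limit Julian describes above is easy to model outside sendmail. The following is an added example, not MailScanner's IPBlock code from CustomConfig.pm: it counts messages per source address per clock hour against a per-network limit (most specific network wins), marks a host blocked for the rest of that hour once it exceeds its limit, logs the event, and emits the entries a sendmail access map would need to reject that host. The networks, limits, and the message log are constructed sample data; `LIMITS`, `hourly_blocks` and `access_db_entries` are names chosen here, not MailScanner's.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed policy: (network, messages allowed per hour). The most specific
# network wins, so the hypothetical mail server gets a higher limit than the
# workstations around it.
LIMITS = [
    (ipaddress.ip_network("192.0.2.0/24"), 30),     # hypothetical internal LAN
    (ipaddress.ip_network("192.0.2.10/32"), 3000),  # hypothetical outbound mail server
]


def limit_for(host):
    """Hourly limit for a host, or None if no configured network covers it."""
    addr = ipaddress.ip_address(host)
    matches = [(net, lim) for net, lim in LIMITS if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix wins


def hourly_blocks(events):
    """events: iterable of (timestamp 'YYYY-MM-DD HH:MM:SS', client_ip).

    Returns ({(hour, ip): count_when_blocked}, [log lines]). A host is blocked
    the moment its count within one clock hour exceeds its limit; the counter
    starts again at the next hour, so the block lifts automatically."""
    counts = defaultdict(int)
    blocked = {}
    log = []
    for ts, ip in events:
        limit = limit_for(ip)
        if limit is None:
            continue                       # host outside any managed network
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        key = (hour, ip)
        if key in blocked:
            continue                       # already blocked for the rest of this hour
        counts[key] += 1
        if counts[key] > limit:
            blocked[key] = counts[key]
            log.append(f"{ts} IPBlock: blocking {ip} until end of hour "
                       f"{hour}:00 (limit {limit}/hour)")
    return blocked, log


def access_db_entries(blocked, hour):
    """Access-map lines (Connect: tag, REJECT) for hosts blocked during `hour`."""
    return sorted(f"Connect:{ip}\tREJECT" for (h, ip) in blocked if h == hour)


# Constructed sample: a workstation sending 31 messages in one hour (over its
# limit of 30), the mail server sending 40 (well under 3000), then one more
# workstation message in the following hour, which counts afresh.
SAMPLE = (
    [("2004-03-03 10:%02d:00" % (i % 60), "192.0.2.55") for i in range(31)]
    + [("2004-03-03 10:%02d:30" % (i % 60), "192.0.2.10") for i in range(40)]
    + [("2004-03-03 11:00:01", "192.0.2.55")]
)

if __name__ == "__main__":
    blocked, log = hourly_blocks(SAMPLE)
    print("\n".join(log))
    print("\n".join(access_db_entries(blocked, "2004-03-03 10")))
```

Feeding the output of `access_db_entries` into the access map (and rebuilding it with makemap) is what turns the count into an actual SMTP rejection; removing those lines at the top of the hour is the "blocks are removed" step from the post.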
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:56 2006
Subject: Upgrade from a very OLD release
In-Reply-To: <4045F828.5080700@di.unito.it>
References: <4045F828.5080700@di.unito.it>
Message-ID: <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk>

At 15:22 03/03/2004, you wrote:
>I've not understood on how to re-create the old feature "Deliver From
>Local Domain = no" that was used in 3.x release of
>mailscanner...
>
>The conf's instructions tells me to create a "ruleset" for Deliver Cleaned
>... (a file .conf ?) configured (I believe)
>like :
>
>From: mylocaldomain no
>FromOrTo: default yes
>
>But Mailscanner complain about a binary option (yes or no) only

Set
Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.cleaned.rules
in MailScanner.conf. Then in /etc/MailScanner/rules/deliver.cleaned.rules put this:

From: yourdomain.com no
FromOrTo: default yes

and substitute your own domain name for "yourdomain.com" in the line above. Then reload MailScanner (service MailScanner reload) or just restart it, and the rules will be applied.

This general-purpose ruleset system applies to virtually all configuration options in MailScanner.conf, and so is a *lot* more flexible than the simple system I had in version 3.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Mar 3 17:18:58 2004
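To make the ruleset idea in the reply above concrete, here is an added example (not MailScanner's own rule parser) that reads a rules file in the two-column form shown, `Direction pattern value`, and evaluates it for a message. The matching semantics are an assumption stated for this example only: rules are tried top to bottom and the first match wins; `default` matches every message; a bare domain matches any address at that domain or a sub-domain of it; any other pattern is a glob where `*` matches anything. The rules text and addresses are constructed.

```python
import re

# Constructed ruleset in the layout the reply shows (semantics assumed, see lead-in)
RULES_TEXT = """\
# deliver.cleaned.rules (constructed example)
From:      yourdomain.com   no
To:        postmaster@*     yes
FromOrTo:  default          yes
"""


def parse_rules(text):
    """Return [(direction, pattern, value)], skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.strip()))
    return rules


def _matches(pattern, address):
    """Assumed matching rules for one pattern against one address."""
    address = address.lower()
    if pattern == "default":
        return True
    if "@" not in pattern and "*" not in pattern:
        # bare domain: match the domain itself or any sub-domain of it
        domain = address.rsplit("@", 1)[-1]
        return domain == pattern or domain.endswith("." + pattern)
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, address) is not None


def evaluate(rules, sender, recipients):
    """First matching rule decides; None when nothing matched (no default line)."""
    for direction, pattern, value in rules:
        from_hit = _matches(pattern, sender)
        to_hit = any(_matches(pattern, r) for r in recipients)
        if direction == "from" and from_hit:
            return value
        if direction == "to" and to_hit:
            return value
        if direction == "fromorto" and (from_hit or to_hit):
            return value
        if direction == "fromandto" and from_hit and to_hit:
            return value
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Outbound mail from the local domain: cleaned copies are not delivered
    print(evaluate(rules, "bob@yourdomain.com", ["friend@example.net"]))
    # Anything else falls through to the default line
    print(evaluate(rules, "someone@example.net", ["alice@example.org"]))
```

Rule order is the whole point of the scheme: the `From:` line for the local domain sits above the catch-all, so a message that is both from the local domain and addressed to postmaster still gets `no`. Swap the first two lines and the answer changes, which is why the reply tells you to keep `default` last.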
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:56 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40461118.2060108@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> At 17:08 03/03/2004, you wrote: >Thanks Dustin. By "both of them" do you mean the message and the >attachment file? He means the qf and df files (if you are using sendmail) or the -D and -H files (if you are using Exim). For other MTAs there is just 1 file (not sure about Qmail). >Rod > >Dustin Baer wrote: > >>Rodney Green wrote: >> >> >>>I recently enabled >>>"Quarantine Whole Messages As Queue Files" in my MailScanner.conf file. >>>How do I send the queued message on to the intended recipient? >>> >>>Thanks, >>>Rod >>> >> >>Move them both to mqueue (or your outgoing queue). Note that they will >>not have been checked for viruses, if they were quarantined as spam. >> >>Dustin >>-- >>Dustin Baer >>Unix Administrator/Postmaster >>Information Handling Services >>15 Inverness Way East >>Englewood, CO 80112 >>303-397-2836 >> >> >> > >-- >"Please remain calm...I may be mad, but I am a professional." > >-Mad Scientist -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 17:14:34 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:22:56 2006
Subject: McAfee PROBLEM !!! (solved)
In-Reply-To: <1078331696.3290.7.camel@mike-new2.tc3net.com>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com>
Message-ID: <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca>

Many infected password-protected zip files passed through our McAfee AV (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since midnight.

To block password-protected zip files in my current MS (mailscanner-4.23-11), I did the following:

- modify /usr/lib/MailScanner/mcafee-wrapper this way:

#!/bin/bash
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2001 Julian Field
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#
# JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH
# Modified for solaris by CJG
# Then tweaked for heron by JKF again
# Then tweaked for McAfee by JKF
# Modified (badly!) by SEP398 to work with the update script

PackageDir=$1
shift

prog=uvscan # `basename $0`
datDIR=$PackageDir

LD_LIBRARY_PATH=$PackageDir
export LD_LIBRARY_PATH

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/$prog ] && exit 0
  exit 1
fi

# Capture the scanner's output (stdout and stderr) so it can be inspected
# here and still passed back to MailScanner unchanged
OUTPUT=$(${PackageDir}/$prog -d $datDIR "$@" 2>&1 )
RC=$?

if [[ "$OUTPUT" = "" ]]; then
  exit $RC
else
  echo "$OUTPUT"
  # Any "password-protected" report is treated as a detection: exit 13 is
  # uvscan's "virus found" return code, so MailScanner acts on it as such
  if [[ $(echo "$OUTPUT" | grep -c "password-protected") -gt 0 ]]; then
    exit 13
  else
    exit $RC
  fi
fi

- modify /usr/lib/MailScanner/MailScanner/SweepViruses.pm this way:

in "sub ProcessMcAfeeOutput", change
  return 0 unless $line =~ /Found/;
for
  return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/));

- stop MailScanner and restart it
- remove any extra.dat that detects some password-protected zip files.

Denis

On Wed 03/03/2004 at 11:34, Michael Baird wrote:
> Good Question, Does DAT 4332 fix it, my understanding was that it
> handled the unzipping and so forth, and MailScanner interpreted the
> response, I'm looking for confirmation, I'm running an older version of
> MailScanner (4.25-14 I believe), I hate to upgrade unless it's
> necessary.
>
> Regards
> MIKE
>
> > Does DAT 4332 fix it?
> >
> > Phil
> > ---------------------------------------------
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Desai, Jason
> > > Sent: 02 March 2004 20:56
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: McAfee PROBLEM !!!
> > >
> > >
> > > Thanks for this info - it was very helpful! I have the same results.
> > >
> > > Jason
> > >
> > > > -----Original Message-----
> > > > From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> > > > Sent: Tuesday, March 02, 2004 2:09 PM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: [MAILSCANNER] McAfee PROBLEM !!!
> > > >
> > > >
> > > > Hi,
> > > >
> > > > We installed the extra.dat this morning and it was catching some
> > > > W32/Bagle.gen!pwdzip (ED) with dat 4330.
> > > >
> > > > Now that dat 4331 is out the same files are not detected as viruses
> > > > anymore!!!
> > > >
> > > > I reinstalled the extra.dat to be sure they are detected.
> > > >
> > > > Scan with 4331:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip/WBJAMVF.SCR
> > > > is password-protected.
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip/WBJAMVF.SCR
> > > > is password-protected.
> > > >
> > > > Scan with 4331 and extra.dat:
> > > > # uvscan --mime --mailbox --secure *
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/Document.zip
> > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > > /quarantaine/usherbrooke/20040302/i22HBCOJ000853/message/Document.zip
> > > > Found the W32/Bagle.gen!pwdzip (ED) virus !!!
> > > >
> > > > Denis
> > > > --
> > > > Denis Beauchemin, analyste
> > > > Université de Sherbrooke, S.T.I.
> > > > T: 819.821.8000x2252 F: 819.821.8045
> > > >
> > > >
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:22:40 2004
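Denis's workaround above relies on the scanner printing "is password-protected", which changes between DAT releases. The archive itself carries the same information: bit 0 of each member's general-purpose flag field in the central directory is set when that member is encrypted, so a filter can block such attachments without depending on any engine's wording. The following is an added example, not MailScanner or McAfee code: `encrypted_members` reads those flags with Python's standard `zipfile`, `scan_attachment` turns the result into a block/pass decision, and `make_zip` builds two constructed test archives, one plain and one with the encryption bit set in its headers (the bytes are not actually encrypted; only the flag is flipped, which is all the check looks at). The member name `WBJAMVF.SCR` is taken from the scan output in the thread; the helper and function names are chosen here.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0: this member is encrypted


def encrypted_members(data: bytes):
    """Names of members whose central-directory flags say 'encrypted'.

    Raises zipfile.BadZipFile when the bytes are not a zip archive at all."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def scan_attachment(name: str, data: bytes):
    """Return ('block', reason) or ('pass', None) for one attachment."""
    if not name.lower().endswith(".zip"):
        return ("pass", None)
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        # A .zip that the zip parser rejects is worth a look, not a free pass
        return ("block", "attachment named .zip is not a valid zip archive")
    if names:
        return ("block", "password-protected members: " + ", ".join(names))
    return ("pass", None)


# --- constructed sample archives -----------------------------------------
def make_zip(member: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """One-member stored zip. With mark_encrypted=True the encryption bit is
    set in both the local file header (flags at offset 6) and the central
    directory entry (flags at offset 8), as a password-protected archive
    would have; the payload is left in clear because only the flag matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            flags = struct.unpack_from("<H", data, pos + off)[0]
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
    return bytes(data)


PLAIN_ZIP = make_zip("report.txt", b"quarterly figures", False)
PWD_ZIP = make_zip("WBJAMVF.SCR", b"not really a screensaver", True)

if __name__ == "__main__":
    print(scan_attachment("Document.zip", PLAIN_ZIP))
    print(scan_attachment("Document.zip", PWD_ZIP))
```

Because the decision is made from the archive's own headers, it holds regardless of which DAT or engine is in use, and it catches the case the thread is about: a payload the AV cannot open and therefore cannot name. The trade-off is that it blocks every encrypted zip, legitimate ones included, which is exactly the policy Denis chose.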
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> Message-ID: <40461460.7020602@trayerproducts.com> I'm using Postfix. Moving the file to the /var/spool/mqueue directory isn't working for me. Where would I move for Postfix? Thanks, Rod Julian Field wrote: > At 17:08 03/03/2004, you wrote: > >> Thanks Dustin. By "both of them" do you mean the message and the >> attachment file? > > > He means the qf and df files (if you are using sendmail) or the -D and -H > files (if you are using Exim). For other MTAs there is just 1 file (not > sure about Qmail). > > >> Rod >> >> Dustin Baer wrote: >> >>> Rodney Green wrote: >>> >>> >>>> I recently enabled >>>> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf >>>> file. >>>> How do I send the queued message on to the intended recipient? >>>> >>>> Thanks, >>>> Rod >>>> >>> >>> Move them both to mqueue (or your outgoing queue). Note that they will >>> not have been checked for viruses, if they were quarantined as spam. >>> >>> Dustin >>> -- >>> Dustin Baer >>> Unix Administrator/Postmaster >>> Information Handling Services >>> 15 Inverness Way East >>> Englewood, CO 80112 >>> 303-397-2836 >>> >>> >>> >> >> -- >> "Please remain calm...I may be mad, but I am a professional." >> >> -Mad Scientist > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From craig at WESTPRESS.COM Wed Mar 3 17:24:03 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting Message-ID: Where is it better to whitelist people/mail-lists/etc.? In: /etc/MailScanner/spam.assassin.prefs.conf, or in /etc/MailScanner/rules/spam.whitelist.rules Is there a line of thought as to why I might want to in one versus the other? Does MailScanner prefer one over the other? -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From mikes at HARTWELLCORP.COM Wed Mar 3 17:26:55 2004 
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D11@hart-exchange.hartwellcorp.com> I experienced *extreme* slowness of the entire system running MailScanner yesterday. A system reboot resulted in restored performance. I've not had time to try and diagnose the cause yet as it has not yet repeated. I'm using MailScanner-4.27.7-1 on a Red Hat 9 system with Spamassassin-2.63-5 and Clamav-0.67-1. I did not notice this happening with MailScanner-4.26.8-1. Julian Field wrote: > I have been trying to reproduce the loss of speed running various > different versions on the same mail messages in debug mode. > Unsuccessfully :-( > I have used versions from 4.23 onwards. All appear to run at the same > speed. I am using a "reasonable" configuration with 1 RBL check and > F-Prot. The only thing is I am not running SpamAssassin, as its speed > is very variable and so hides the real speed of the underlying > process. > > If you are suffering speed problems, please can you tell me what was > the last fast version you used, and what was the first slow version. > Did you downgrade again to fix the problem? Was it successful, and > what version was again nice and fast? > > If you run a batch through in Debug mode does it always take the same > time regardless of what version you are running? Maybe the problem > only surfaces when running lots of child processes? > > The better I can narrow down exactly when the problem occurred, the > better chance I have of finding it. It doesn't appear to be in the > more robust MIME code I implemented, that doesn't make any difference. > > Please can you help me folks? -- Michael St. Laurent Hartwell Corporation From test at NEXTMILL.NET Wed Mar 3 17:27:56 2004 
From: test at NEXTMILL.NET (Brian Lewis)
Date: Thu Jan 12 21:22:57 2006
Subject: Upgrading from 4.26.8 to latest revision?
Message-ID:

What is the correct procedure to safely upgrade from 4.26.8 to the latest revision? The Installation Documentation and FAQ don't seem to mention an 'upgrade' procedure.

Do I still use the ./install.sh script? (or is there an upgrade.sh script somewhere??)

Do I need to back up any configuration files in the /etc/MailScanner folder? Which files are commonly modified during this install that I should be concerned about?

MailScanner 4.26.8 currently
SpamAssassin
ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs partition)
512mb TMPFS partition for clamav and mailscanner
/etc/MailScanner/spam.assassin.prefs.conf modified
/etc/MailScanner/filename.rules.conf modified
/etc/MailScanner/MailScanner.conf modified

From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 17:21:01 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:22:57 2006
Subject: Speed problems
In-Reply-To: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk>
Message-ID: <404613FD.2060605@solid-state-logic.com>

Julian

went from 4.24.4 to 4.28.2-2 yesterday and it's slow..running 4.28.4 right now and still slow.

yes it seems a lot faster in debug mode - perhaps this is also related to my clamavmodule problems which also works in debug mode, but not in forking mode (ooo err:-)

dropping back to 4.24.4 gets me a nice speedy system again, but then I lose the passworded zip file functionality...

I've tried dropping the number of Children down from 5 to 2 and this has made little difference...

top shows a lot more 'system' activity when running 4.28 than 4.24, dunno why???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> I have been trying to reproduce the loss of speed running various different
> versions on the same mail messages in debug mode.
> Unsuccessfully :-(
> I have used versions from 4.23 onwards. All appear to run at the same
> speed. I am using a "reasonable" configuration with 1 RBL check and F-Prot.
> The only thing is I am not running SpamAssassin, as its speed is very
> variable and so hides the real speed of the underlying process.
>
> If you are suffering speed problems, please can you tell me what was the
> last fast version you used, and what was the first slow version. Did you
> downgrade again to fix the problem? Was it successful, and what version was
> again nice and fast?
>
> If you run a batch through in Debug mode does it always take the same time
> regardless of what version you are running? Maybe the problem only surfaces
> when running lots of child processes?
>
> The better I can narrow down exactly when the problem occurred, the better
> chance I have of finding it. It doesn't appear to be in the more robust
> MIME code I implemented, that doesn't make any difference.
>
> Please can you help me folks?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jase at SENSIS.COM Wed Mar 3 17:31:02 2004
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:22:57 2006 Subject: ClamAV and Password Protected Bagles Message-ID: Hello. I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and ClamAV. I have had some of the latest Bagle viruses in password protected zip files get through. I know that various virus scanners are having trouble detecting these. I had one of these emails get quarantined because the attachment name was Message.zip. When testing to see if the virus would get caught yet I found something interesting with ClamAV. If I scan the attachment itself (Message.zip) clam reports it as clean. But if I scan the queue files (from Exim) clam finds the virus! Here is the output of a scan with the queue files and attachment in the same directory: # /opt/MailScanner/lib/clamav-wrapper . /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- 00-H: OK /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- 00-D: Worm.Bagle.F-zippwd-3 FOUND /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: OK ----------- SCAN SUMMARY ----------- Known viruses: 20372 Scanned directories: 1 Scanned files: 3 Infected files: 1 Data scanned: 0.03 Mb I/O buffer size: 131072 bytes Time: 0.325 sec (0 m 0 s) # So I assume that MailScanner unpacks the attachment and just scans that. Does it make sense to allow the virus scanners to scan the queue files as well? Jason From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 17:34:53 2004 
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: BlackList / Whitelist settings in spam.assassin.prefs.conf Message-ID: Hi I have been reading the FAQ, searching the MailScanner archives and doing a lot of Googling and can't seem to get a good grip on this question. I want to have a whitelist and a blacklist using some of the lists from SpamAssassin's wiki. I am letting MailScanner do the white and blacklist work and I guess I am confused here. Can I use the blacklist from SA or would I be better off to use MS spam.assassin.prefs.conf. Also can I create a link to a blacklist and whitelist file in the spam.assassin.prefs.conf file, these would be the whitelist_from and the blacklist_from Can I do this then? whitelist_from_path /etc/MailScanner/rules/whitelist_from.conf blacklist_from_path /etc/MailScanner/rules/blacklist_from.conf -- Thanks!! David Thurman List Only at Web Presence Group Net From rabellino at DI.UNITO.IT Wed Mar 3 17:41:02 2004 From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrade from a very OLD release In-Reply-To: <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk> References: <4045F828.5080700@di.unito.it> <6.0.1.1.2.20040303171403.03b3ce00@imap.ecs.soton.ac.uk> Message-ID: <404618AE.30906@di.unito.it> Julian Field wrote: > At 15:22 03/03/2004, you wrote: > >> I've not understood on how to re-create the old feature "Deliver From >> Local Domain = no" that was used in 3.x release of >> mailscanner... >> >> The conf's instructions tell me to create a "ruleset" for Deliver >> Cleaned >> ... (a file .conf ?) configured (I believe) >> like : >> >> From: mylocaldomain no >> FromOrTo: default yes >> >> But Mailscanner complains about a binary option (yes or no) only > > > Set > Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.cleaned.rules > in MailScanner.conf. > Then in /etc/MailScanner/rules/deliver.cleaned.rules put this: 
> From: yourdomain.com no > FromOrTo: default yes > and substitute your own domain name for "yourdomain.com" in the line above. > Then reload MailScanner (service MailScanner reload) or just restart it, > and the rules will be applied. > > This general-purpose ruleset system applies to virtually all configuration > options in MailScanner.conf, and so is a *lot* more flexible than the > simple system I had in version 3. > Thanks, I was missing a space before the word default, causing a syntax error. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 17:35:14 2004 
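The ruleset Julian describes above (one rule per line, first match wins, a `default` line as the catch-all, and the syntax error Sergio hit when the space before `default` was missing) can be exercised with the following added example. It is a simplified, hypothetical re-implementation written for this page, not MailScanner's own matcher; the pattern forms it accepts (`default`, `/regex/`, `user@domain`, `*@domain`, bare `domain`) are my assumption of the useful subset. It goes a little beyond Julian's example in that it also handles the `/^$/` regex for an empty envelope sender that comes up later in this archive, where the literal `<>` does not match.

```python
import re

# Hypothetical, simplified re-implementation of MailScanner-style ruleset
# matching, written for this example; it is not MailScanner's own code.
# Supported pattern forms (an assumption about the subset worth showing):
#   default            matches anything
#   /regex/            Perl-style regex, e.g. /^$/ for an empty sender
#   user@domain.com    exact address
#   *@domain.com       any user at that domain
#   domain.com         any address at that domain or a subdomain of it
DIRECTIONS = ("From:", "To:", "FromOrTo:")


def _matcher(pattern):
    """Turn one ruleset pattern into a predicate over a lowercased address."""
    p = pattern.lower()
    if p == "default":
        return lambda addr: True
    if len(p) > 1 and p[0] == "/" and p[-1] == "/":
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return lambda addr: rx.search(addr) is not None
    if p.startswith("*@"):
        suffix = p[1:]                      # "@domain.com"
        return lambda addr: addr.endswith(suffix)
    if "@" in p:
        return lambda addr: addr == p
    return lambda addr: addr.endswith("@" + p) or addr.endswith("." + p)


def parse_ruleset(text):
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] not in DIRECTIONS:
            # e.g. "FromOrTo:default yes" (missing space) lands here
            raise ValueError("line %d: syntax error: %r" % (lineno, raw))
        direction, pattern, value = parts
        rules.append((direction, _matcher(pattern), value))
    return rules


def ruleset_error(text):
    """Return the syntax error message for a ruleset, or None if it parses."""
    try:
        parse_ruleset(text)
        return None
    except ValueError as err:
        return str(err)


def evaluate(rules, sender, recipients):
    """First matching rule wins; the rule's value is returned verbatim."""
    # A bounce carries the null sender, written '<>' by the MTA: normalise it
    # to the empty string so that /^$/ can match it.
    sender = "" if sender.strip() in ("", "<>") else sender.strip().lower()
    rcpts = [r.strip().lower() for r in recipients]
    for direction, match, value in rules:
        if direction == "From:":
            hit = match(sender)
        elif direction == "To:":
            hit = any(match(r) for r in rcpts)
        else:
            hit = match(sender) or any(match(r) for r in rcpts)
        if hit:
            return value
    raise LookupError("no rule matched; add a 'FromOrTo: default ...' line")


# Constructed sample rulesets for this example.
DELIVER_CLEANED_RULES = """\
# deliver.cleaned.rules: do not deliver cleaned mail that came from us
From:     yourdomain.com   no
FromOrTo: default          yes
"""

BOUNCE_RULES = """\
# catch the null envelope sender used by bounces; a literal <> does not match
From:     /^$/             delete
FromOrTo: default          deliver
"""

if __name__ == "__main__":
    rules = parse_ruleset(DELIVER_CLEANED_RULES)
    print(evaluate(rules, "alice@yourdomain.com", ["bob@example.org"]))   # no
    print(evaluate(parse_ruleset(BOUNCE_RULES), "<>", ["x@example.org"]))  # delete
    print(ruleset_error("FromOrTo:default yes"))                           # syntax error
```

The value column is passed through untouched, so the same evaluator serves a yes/no option and an action list such as `delete forward user@domain.com`; the caller decides what the value means.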
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > Many infected password-protected zip files passed through our McAfee AV > (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since > midnight. > On Wed 03/03/2004 at 11:34, Michael Baird wrote: > > Good Question, Does DAT 4332 fix it, my understanding was that it > > handled the unzipping and so forth, and MailScanner interpreted the > > response, I'm looking for confirmation, I'm running an older version of > > MailScanner (4.25-14 I believe), I hate to upgrade unless it's > > necessary. I've taken a look at the Bagle.j detected so far and none were in a zip file (all were plain pif files). So I'd say 4332 is definitely not catching any password-protected Bagle! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:45:33 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: Quarantine Whole Messages As Queue Files In-Reply-To: <40461460.7020602@trayerproducts.com> References: <4046071D.7040602@trayerproducts.com> <40460F39.20CC6455@ihs.com> <40461118.2060108@trayerproducts.com> <6.0.1.1.2.20040303171815.03b43de8@imap.ecs.soton.ac.uk> <40461460.7020602@trayerproducts.com> Message-ID: <404619BD.10508@trayerproducts.com> I moved the file to /var/spool/postfix/incoming/ and that allowed it to be queued and sent. Rodney Green wrote: > I'm using Postfix. Moving the file to the /var/spool/mqueue directory > isn't working for me. Where would I move for Postfix? > > Thanks, > Rod > > Julian Field wrote: > >> At 17:08 03/03/2004, you wrote: >> >>> Thanks Dustin. By "both of them" do you mean the message and the >>> attachment file? >> >> >> >> He means the qf and df files (if you are using sendmail) or the -D >> and -H >> files (if you are using Exim). For other MTAs there is just 1 file (not >> sure about Qmail). >> >> >>> Rod >>> >>> Dustin Baer wrote: >>> >>>> Rodney Green wrote: >>>> >>>> >>>>> I recently enabled >>>>> "Quarantine Whole Messages As Queue Files" in my MailScanner.conf >>>>> file. >>>>> How do I send the queued message on to the intended recipient? >>>>> >>>>> Thanks, >>>>> Rod >>>>> >>>> >>>> Move them both to mqueue (or your outgoing queue). Note that they >>>> will >>>> not have been checked for viruses, if they were quarantined as spam. >>>> >>>> Dustin >>>> -- >>>> Dustin Baer >>>> Unix Administrator/Postmaster >>>> Information Handling Services >>>> 15 Inverness Way East >>>> Englewood, CO 80112 >>>> 303-397-2836 >>>> >>>> >>>> >>> >>> -- >>> "Please remain calm...I may be mad, but I am a professional." 
>>> >>> -Mad Scientist >> >> >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> > > -- > "Please remain calm...I may be mad, but I am a professional." > > -Mad Scientist > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From rgreen at TRAYERPRODUCTS.COM Wed Mar 3 17:49:49 2004 
From: rgreen at TRAYERPRODUCTS.COM (Rodney Green) Date: Thu Jan 12 21:22:57 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> Message-ID: <40461ABD.5080007@trayerproducts.com> That setting will prevent MailScanner from sending Blocked Attachment messages to the recipient? I'm not talking about the sender of the blocked attachment. I'm talking about the intended recipient. Just wanted to be clear about this. Thanks, Rod Julian Field wrote: > At 15:06 03/03/2004, you wrote: > >> Rodney Green wrote: >> >>> Hello. Is it possible to prevent MailScanner from sending a "Blocked >>> Attachment" message to a recipient when the file attachment that was >>> blocked was say, a pif file? There's no reason to send a pif file >>> therefore I would like the users not even notified about receiving and >>> blocking it. >>> >>> Thanks, >>> Rod >> >> >> Great idea. I would agree, the definite viruses (pif, scr, etc) should >> have an option to turn on/off notifications. They only cause more >> questions. > > > You can already effectively do this with the setting > Notify Senders Of Blocked Filenames Or Filetypes = no > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- "Please remain calm...I may be mad, but I am a professional." -Mad Scientist From rabellino at DI.UNITO.IT Wed Mar 3 17:51:35 2004 
From: rabellino at DI.UNITO.IT (Rabellino Sergio) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <40461B27.3050204@di.unito.it> Denis Beauchemin wrote: > On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > >>Many infected password-protected zip files passed through our McAfee AV >>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since >>midnight. >>On Wed 03/03/2004 at 11:34, Michael Baird wrote: >> >>>Good Question, Does DAT 4332 fix it, my understanding was that it >>>handled the unzipping and so forth, and MailScanner interpreted the >>>response, I'm looking for confirmation, I'm running an older version of >>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's >>>necessary. > > > I've taken a look at the Bagle.j detected so far and none were in a zip > file (all were plain pif files). > > So I'd say 4332 is definitely not catching any password-protected Bagle! > > Denis As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a virus encrypted in 999999 different forms? (the password is 6 integer digits) As far as I know, the only solution is to trash any password-protected zip at all, as the latest MS does; I've done today the upgrade from a 3.x release (yes, it was almost fine before today....) and all the Bagles were cut off my inboxes. Bye. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jrudd at UCSC.EDU Wed Mar 3 17:55:31 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems In-Reply-To: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> Message-ID: On Mar 3, 2004, at 8:46 AM, Julian Field wrote: > I have been trying to reproduce the loss of speed running various > different > versions on the same mail messages in debug mode. > Unsuccessfully :-( Didn't someone post an hour or so ago that their speed problem came from redhat's perl update, and not from mailscanner's update? Once they downgraded the speed problem went away? or something like that? (is anyone having the problem not using redhat, and if you're using redhat and having the speed problem, did you update your version of perl, via redhat instead of direct from perl, around the same time your speed problem started?) From victor at PIXELMAGICFX.COM Wed Mar 3 18:09:33 2004 From: victor at PIXELMAGICFX.COM (Victor DiMichina) Date: Thu Jan 12 21:22:57 2006 Subject: Spamassassin stopped working Message-ID: <40461F5D.6050803@pixelmagicfx.com> I fed a few messages to spamassassin yesterday, and rebuilt the database. BAM, it stopped working, or works at about 20% of its former success rate. It gave me some feedback about "expired old bayes database entries" and gave a number of tokens it kept, and the number deleted. This is the first time I'd ever seen this message, and now it doesn't work. Any suggestions? I've already done a --forget on the files I learned yesterday, but it hasn't helped. Thanks Vic From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:02:01 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrading from 4.26.8 to latest revision? In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303175915.03af2e98@imap.ecs.soton.ac.uk> At 17:27 03/03/2004, you wrote: >What is the correct procedure to safely upgrade from 4.26.8 to the latest >revision? The Installation Documentation and FAQ don't seem to mention >an 'upgrade' procedure. > >Do I still use the ./install.sh script? (or is there an upgrade.sh script >somewhere??) I haven't changed anything in the other RPMs so you don't need to run install.sh but it won't do any harm. You could just use rpm -Uvh mailscanner*rpm >Do I need to backup any configuration files in the /etc/MailScanner folder? >Which files are commonly modified during this install that I should be >concerned it? They are all maintained for you. After upgrading the rpm run the "upgrade_MailScanner_conf" command and it will tell you what to do. If you had just run the ./install.sh script then it would have told you to do this anyway. >MailScanner 4.26.8 currently >SpamAssassin >ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs >partition) You will need to save a copy of that, as it will be overwritten by the upgrade with the latest version of the script. >512mb TMPFS partition for clamav and mailscanner >/etc/MailScanner/spam.assassin.prefs.conf modified >/etc/MailScanner/filename.rules.conf modified >/etc/MailScanner/MailScanner.conf modified Those 3 /etc files will be maintained. But you will need to upgrade MailScanner.conf using the command above. Just run the command, it will print out instructions on what to do. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:04:41 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: BlackList / Whitelist settings in spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303180340.03d9ce68@imap.ecs.soton.ac.uk> I would advise doing them with MailScanner.conf entries "Is Definitely Spam" (used for blacklisting) and "Is Definitely Not Spam" (used for whitelisting). The whitelist is already setup for you as an example. Just do the same for the blacklist. At 17:34 03/03/2004, you wrote: >Hi > >I have been reading the FAQ, searching the MailScanner archives and doing >lot of Google'ing and can't seem get a good grip on this question. > >I want to have a whitelist and a blacklist using some of the lists from >SpamAssassin's wiki. I am letting MailScanner do the white and blacklist >work and I guess I am confused here. Can I use the blacklist from SA or >would I be better off to use MS spam.assassin.prefs.conf. > >Also can I create a link to a blacklist and whitelist file in the >spam.assassin.prefs.conf file, this would be the; > > whitelist_from and the blacklist_from > >Can I do this then? > >whitelist_from_path /etc/MailScanner/rules/whitelist_from.conf >blacklist_from_path /etc/MailScanner/rules/blacklist_from.conf >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 18:06:31 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: blocked attachment message for certain file attachments In-Reply-To: <40461ABD.5080007@trayerproducts.com> References: <4045F376.7030808@trayerproducts.com> <4045F485.5060807@1SEO.net> <6.0.1.1.2.20040303171215.03b708e0@imap.ecs.soton.ac.uk> <40461ABD.5080007@trayerproducts.com> Message-ID: <6.0.1.1.2.20040303180546.03afae58@imap.ecs.soton.ac.uk> I don't think you can do more than switch off "Deliver Cleaned Messages" (though you can switch it off for some users while it being on for other users, using a ruleset). At 17:49 03/03/2004, you wrote: >That setting will prevent MailScanner from sending Blocked Attachment >messages to the recipient? I'm not talking about the sender of the >blocked attachment. I'm talking about the intended recipient. Just >wanted to be clear about this. > >Thanks, >Rod > >Julian Field wrote: > >>At 15:06 03/03/2004, you wrote: >> >>>Rodney Green wrote: >>> >>>>Hello. Is it possible to prevent MailScanner from sending a "Blocked >>>>Attachment" message to a recipient when the file attachment that was >>>>blocked was say, a pif file? There's no reason to send a pif file >>>>therefore I would like the users not even notified about receiving and >>>>blocking it. >>>> >>>>Thanks, >>>>Rod >>> >>> >>>Great idea. I would agree, the definite viruses (pif, scr, etc) should >>>have an option to turn on/off notifications. They only cause more >>>questions. >> >> >>You can already effectively do this with the setting >>Notify Senders Of Blocked Filenames Or Filetypes = no >> >>-- >>Julian Field >>www.MailScanner.info >>Professional Support Services at www.MailScanner.biz >>MailScanner thanks transtec Computers for their support >>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > >-- >"Please remain calm...I may be mad, but I am a professional." 
> >-Mad Scientist -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Wed Mar 3 18:09:27 2004 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:22:57 2006 Subject: Speed problems In-Reply-To: References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> Message-ID: <40461F57.7030805@solid-state-logic.com> John Using FreeBSD 4.8 and perl 5.8.0 from ports, haven't changed Perl for ages.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 John Rudd wrote: > On Mar 3, 2004, at 8:46 AM, Julian Field wrote: > >> I have been trying to reproduce the loss of speed running various >> different >> versions on the same mail messages in debug mode. >> Unsuccessfully :-( > > > Didn't someone post an hour or so ago that their speed problem came > from redhat's perl update, and not from mailscanner's update? Once > they downgraded the speed problem went away? or something like that? > > (is anyone having the problem not using redhat, and if you're using > redhat and having the speed problem, did you update your version of > perl, via redhat instead of direct from perl, around the same time your > speed problem started?) From jaearick at COLBY.EDU Wed Mar 3 18:24:53 2004 
From: jaearick at COLBY.EDU (Jeff Earickson) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! Message-ID: Julian, Installed 4.28.4 this morning, turned on quarantining, works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam 0.67-1, using sophossavi and clamavmodule, SA 2.63, razor). Lots of emails that generate: ERROR:: File was encrypted in syslog turn out to be infected with Worm.Bagle.F-zippwd-3 when I run the quarantined files thru clamscan. I also have not noticed any significant increase in load/ slowdown on my system (a Sun V1280) because of the new code. Great work, many thanks. Jeff Earickson Colby College From mike at TC3NET.COM Wed Mar 3 18:39:49 2004 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:22:57 2006 Subject: Rules to catch bounces In-Reply-To: <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk> References: <200403031103.i23B3cC03864@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303112257.03f87ca8@imap.ecs.soton.ac.uk> Message-ID: <1078339189.3290.18.camel@mike-new2.tc3net.com> Ok, so this ruleset will stop the addresses with no from address from being delivered? I'm looking at it, is user@domain.com a dummy address or an address where these mails are forwarded to? I just want them deleted, so will adding the following to my deliver.rules take care of it? From: /^$/ delete Regards MIKE > At 11:03 03/03/2004, you wrote: > >Hi All, > > > >We've got a domain that is being joe jobbed and we want to setup a special > >ruleset for any mail from <> to be handled differently. I've tried the > >following and it didn't work.. > > > >From: <> delete forward > >user@domain.com > > Try 
> From: /^$/ delete forward user@domain.com > > > > > >Any advice greatly appreciated. > > > >Regards, > > > >David Hooton > > > >Pain free spam & virus protection - Mail > >Security > > > >To report SPAM forward the message to: > >spam@mailsecurity.net.au > >To report incorrectly tagged messages: > >notspam@mailsecurity.net.au > > > >291d7c03.jpg > > > > ______________________________________________________________________ > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rabollinger at COMCAST.NET Wed Mar 3 18:56:44 2004 From: rabollinger at COMCAST.NET (Richard Bollinger) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee and password-protected zip file detection in MS References: <1078325150.13811.306.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <036c01c40151$46155b40$8b030180@elliottturbo.com> Add this change to combine stderr with stdout: --- mcafee-wrapper.FCS Sat Dec 14 05:07:56 2002 +++ mcafee-wrapper Wed Mar 3 12:48:38 2004 @@ -46,5 +46,4 @@ exit 1 fi -exec ${PackageDir}/$prog -d $datDIR "$@" - +exec ${PackageDir}/$prog -d $datDIR "$@" 2>&1 ----- Original Message ----- 
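Review bot: the `2>&1` on the exec line needs a comment next to it saying why it is there, because the redirect looks pointless on its own; the point, as the forwarded message below implies, is that the "is password-protected" notice Denis is trying to match in ProcessMcAfeeOutput() is presumably printed on stderr, which the caller never reads, so merging it into stdout is what lets the parser see it at all. Two caveats belong in the same comment: everything else the scanner prints on stderr (DAT load warnings and the like) now flows into the parsed stream too, so the output parser must tolerate unexpected lines rather than treating them as a detection, and the exit status is unchanged, which for a password-protected archive is zero according to the forwarded message, so callers have to keep matching on the text rather than the return code. The removed trailing blank line is harmless, and `"$@"` is quoted correctly.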
From: "Denis Beauchemin" To: Sent: Wednesday, March 03, 2004 9:45 AM Subject: McAfee and password-protected zip file detection in MS Hi all, I tried to modify SweepViruses.pm so it could grab McAfee's "is password-protected" string and just treat the attachment as a virus but it doesn't work... I modified ProcessMcAfeeOutput() this way: #return 0 unless $line =~ /Found/; return 0 unless (($line =~ /Found/) or ($line =~ /is password-protected/)); Any ideas why it is not kicking in? Could it be because McAfee returns a zero return code if it detects a password-protected zip file (I know this is what it does)? If so, could there be another way of achieving the same result without having to upgrade to the latest unstable version? Thanks! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 18:58:53 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! (solved) In-Reply-To: <40461B27.3050204@di.unito.it> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> <40461B27.3050204@di.unito.it> Message-ID: <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote: > Denis Beauchemin wrote: > > On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote: > > > >>Many infected password-protected zip files passed through our McAfee AV > >>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since > >>midnight. > >>On Wed 03/03/2004 at 11:34, Michael Baird wrote: > >> > >>>Good Question, Does DAT 4332 fix it, my understanding was that it > >>>handled the unzipping and so forth, and MailScanner interpreted the > >>>response, I'm looking for confirmation, I'm running an older version of > >>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's > >>>necessary. > > > > > > I've taken a look at the Bagle.j detected so far and none were in a zip > > file (all were plain pif files). > > > > So I'd say 4332 is definitely not catching any password-protected Bagle! > > > > Denis > As Bagle encrypt the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a > virus encrypted in 999999 different forms ? (the password is 6 integer digits) Sergio, They can't unzip the file but they can compare its size and some checksum they computed on infected zip files. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From dev at ORIONHOST.NET Wed Mar 3 18:52:58 2004 
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <40461F5D.6050803@pixelmagicfx.com> References: <40461F5D.6050803@pixelmagicfx.com> Message-ID: <4046298A.1050709@orionhost.net> I am having a real problem with random word spam receiving a spam score of zero or very low, less than 3. Lots of this type of spam is getting through, while many legitimate messages get scores over 4. Some of my users are getting a hundred or more spam messages per day, about 90% of their total incoming mail. Are other people having problems with this? Any suggestions? Thanks, Cathy Cramer From spamtrap71892316634 at ANIME.NET Wed Mar 3 19:03:59 2004 From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:57 2006 Subject: No subject Message-ID: Would it be possible for Mailscanner to unzip password protected zipfiles the same way some of the virus scanners do? Eg look for the text string in the message. It would make mailscanner work with f-prot to catch W32/Bagle. -Dan From lists at STHOMAS.NET Wed Mar 3 19:03:47 2004 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <4046298A.1050709@orionhost.net>; from dev@ORIONHOST.NET on Wed, Mar 03, 2004 at 11:52:58AM -0700 References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: <20040303110347.A29084@sthomas.net> On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have said: > > I am having a real problem with random word spam receiving a spam score > zero or very low, less that 3. Lots of this type of spam is getting > through, while many legitimate messages get scores over 4. Some of my > users are getting a hundred or more spam messages per day, about 90% of > their total incoming mail. Are other people having problems with this? > Any suggestions? Are you using bayes and the DNSBLs? -- "Logic is in the eye of the logician." - Gloria Steinem From mkettler at EVI-INC.COM Wed Mar 3 19:11:58 2004 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting In-Reply-To: References: Message-ID: <6.0.0.22.0.20040303140818.025beea8@xanadu.evi-inc.com> At 12:24 PM 3/3/2004, Craig Daters wrote: >Where is it better to whitelist people/mail-lists/etc.? In: > >/etc/MailScanner/spam.assassin.prefs.conf, or in >/etc/MailScanner/rules/spam.whitelist.rules > >Is there a line of thought as to why I might want to in one versus >the other? Does MailScanner prefer one over the other? It is SIGNIFICANTLY better to use spam.whitelist.rules. SA's whitelist features are, by definition, a hack. It's nearly always preferable to whitelist in a higher layer than spamassassin. Unless your MTA inserts a copy of the envelope recipient into the message headers, SA will not be able to effectively whitelist any CCed messages. SA doesn't get a copy of the envelope, so without hints, it doesn't know the true recipient. Also, if you use any spam lists at the MailScanner level, the whitelist will only be effective if it's in spam.whitelist.rules. From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:13:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: No subject In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303191243.03b15458@imap.ecs.soton.ac.uk> At 19:03 03/03/2004, you wrote: >Would it be possible for Mailscanner to unzip password protected zipfiles >the same way some of the virus scanners do? Eg look for the text string in >the message. > >It would make mailscanner work with f-prot to catch W32/Bagle. They aren't doing exactly that, I believe. They are simply looking for key-strings in the mail message or looking for details of the contents/size of the zip file. With the modern Zip encryption schemes, decrypting them is not trivial. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From peter at UCGBOOK.COM Wed Mar 3 19:28:46 2004 
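Several posts in this archive turn on the same fact: Jason's clamscan run, where the queue file is flagged but the extracted Message.zip is reported clean; Sergio's point that the worm picks one of 999999 passwords; Denis and Julian on scanners matching size, checksums or key strings instead of decrypting; and Jeff's "File was encrypted" syslog line. A password-protected zip cannot be scanned, but it can be recognised from its structure alone, without the password. The following is an added example written for this page, not MailScanner's, ClamAV's or McAfee's code: it walks the ZIP central directory and reports members flagged as encrypted without decompressing anything. The sample archive is constructed inline (a harmless text file and a fake .exe whose name, Message.exe, is just a name chosen for the example), and the assumption of plain single-disk, non-ZIP64 archives is mine.

```python
import io
import struct
import zipfile

# Added example for this thread; it is not MailScanner's or ClamAV's code.
# Detect password-protected ZIP members from the archive's central directory
# alone: general-purpose flag bit 0 (traditional PKWARE encryption), the
# "strong encryption" bit 6, or WinZip AES (compression method 99). No member
# is decompressed, so the check works no matter what the password is.
# Assumption: plain single-disk, non-ZIP64 archives.

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001
FLAG_STRONG_ENC = 0x0040
METHOD_AES = 99


def zip_entries(data):
    """Walk the central directory; return (name, method, flags, csize, usize) per member."""
    # The EOCD record sits at the very end, behind an optional comment (<= 64 KiB).
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65536 - 22))
    if eocd < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    count, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        csize, usize = struct.unpack_from("<II", data, pos + 20)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        entries.append((name, method, flags, csize, usize))
        pos += 46 + nlen + xlen + clen
    if pos != cd_offset + cd_size:
        raise ValueError("central directory size mismatch")
    return entries


def encrypted_members(data):
    """Names of members that cannot be scanned without the password."""
    return [name for name, method, flags, _, _ in zip_entries(data)
            if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENC) or method == METHOD_AES]


def _build_plain_sample():
    """Constructed sample archive (not a real worm): one text file, one fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("readme.txt", "hello")
        z.writestr("Message.exe", b"MZ" + b"\x90" * 64)
    return buf.getvalue()


def _mark_encrypted(data):
    """Set flag bit 0 in every local and central header, imitating a
    password-protected archive (the member bytes themselves are left alone)."""
    ba = bytearray(data)
    for sig, flag_off in ((LOCAL_SIG, 6), (CDIR_SIG, 8)):
        i = ba.find(sig)
        while i >= 0:
            ba[i + flag_off] |= FLAG_ENCRYPTED
            i = ba.find(sig, i + 4)
    return bytes(ba)


SAMPLE_PLAIN = _build_plain_sample()
SAMPLE_ENCRYPTED = _mark_encrypted(SAMPLE_PLAIN)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("password-protected", SAMPLE_ENCRYPTED)):
        print(label, "->", encrypted_members(blob) or "nothing encrypted")
```

Because only headers are read, a gateway can make the "encrypted archive, treat as blocked" decision on a few hundred bytes, and the same walk yields the member names and sizes that a filename rule (for example, an .exe inside the zip) would want to see.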
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: Custom Scores In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927410965@mtlnt501fs.CAMOROUTE.COM> Message-ID: <404631EE.3060509@ucgbook.com> Sorry for answering two persons (Ugo and Pete) in one mail... >>Just installed DCC on one of my servers today and is working nicely - >>made me think that, if some messages are listed with checks like DCC or >>certain RBLs, then they must be almost 100% spam, or >>undesirable emails? RBLs sometimes list legit servers for a while for several reasons and DCC doesn't even try to decide if a message is ham or spam, it just assumes that if really many of the same message circulate it's spam. That sounds crazy but it works really well. But you can't depend on any single source, that's why SA adds them up. >>Has anyone heard of DCC or the best RBLs listing legit senders or >>emails? is it worth giving these a much higher score so these messages >>score as High Spam and are deleted on the spot? Read above comment. Don't bump the score excessively. >>OR am i missing the central reasons why things like DCC only >>score 1.81 ? It scores 1.81 because you don't use Bayes, if you did you would get 2.91. Bayes helps a lot, a BAYES_99 adds 5.4 points. > If that can help you, I got many DCC_CHECK score with 1.81, but also one with 2.91, like the one below: Read above comment. Look in /usr/share/spamassassin/50_scores.cf (or /usr/local/share/spamassassin/50_scores.cf), the last column is used when you have net tests and Bayes enabled. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From drew at THEMARSHALLS.CO.UK Wed Mar 3 19:28:01 2004 
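Peter's explanation of the score columns in 50_scores.cf, and why DCC_CHECK is worth 1.81 without Bayes but 2.91 with it, is easy to misread when looking at the file. The following is an added example for this page, not SpamAssassin's or MailScanner's code: it parses `score` lines in that format (one value, or four values for the four score sets), selects the set SpamAssassin uses for a given network-tests/Bayes configuration, and totals the rules that fired against the required score and a higher cut-off. The score lines are constructed for the example (only the DCC_CHECK and BAYES_99 figures follow the numbers Peter quotes; RCVD_IN_SOME_RBL is not a real rule), and the 5.0/10.0 thresholds are illustrative defaults, not values taken from anyone's configuration.

```python
# Added example for this thread, not SpamAssassin's own code. A four-value
# 'score' line gives one value per score set: set 0 with neither network
# tests nor Bayes, set 1 with network tests only, set 2 with Bayes only,
# set 3 with both. A single value applies to every set.

# Constructed sample in 50_scores.cf format. Only the DCC_CHECK and BAYES_99
# figures follow the numbers quoted in the thread; the rest is illustrative.
SAMPLE_SCORES_CF = """\
# rule                 set0   set1   set2   set3
score DCC_CHECK        0      1.81   0      2.91
score BAYES_99         0      0      5.4    5.4
score HTML_MESSAGE     0.001
score RCVD_IN_SOME_RBL 0      2.0    0      2.0    # not a real rule
"""


def parse_scores(text):
    """Map rule name -> list of four score-set values."""
    scores = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("score "):
            continue
        parts = line.split()
        if len(parts) not in (3, 6):
            raise ValueError("malformed score line: %r" % raw)
        values = [float(v) for v in parts[2:]]
        scores[parts[1]] = values * 4 if len(values) == 1 else values
    return scores


def score_set(net_tests, bayes):
    """Index of the score set SpamAssassin uses for this configuration."""
    return (1 if net_tests else 0) + (2 if bayes else 0)


def total_score(scores, hits, net_tests, bayes):
    """Sum the scores of the rules that fired, under the selected score set.
    Rules not present in the table (e.g. local rules) contribute nothing here."""
    idx = score_set(net_tests, bayes)
    return round(sum(scores[rule][idx] for rule in hits if rule in scores), 3)


def classify(total, required=5.0, high=10.0):
    """Two thresholds: SA's required score, and a higher cut-off of the kind
    a gateway uses to treat a message as high-scoring spam."""
    if total >= high:
        return "high-scoring spam"
    if total >= required:
        return "spam"
    return "not spam"


if __name__ == "__main__":
    table = parse_scores(SAMPLE_SCORES_CF)
    hits = ["DCC_CHECK", "HTML_MESSAGE", "BAYES_99"]
    for net, bayes in ((True, False), (True, True)):
        total = total_score(table, hits, net, bayes)
        print("net=%s bayes=%s set=%d total=%.3f -> %s"
              % (net, bayes, score_set(net, bayes), total, classify(total)))
```

With network tests but no Bayes the same hits land in set 1, where BAYES_99 is zero and DCC_CHECK is 1.81; enabling Bayes moves everything to set 3, which is the "last column" Peter points at.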
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! In-Reply-To: References: Message-ID: <404631C1.7000408@themarshalls.co.uk> Jeff Earickson wrote: >Julian, > Installed 4.28.4 this morning, turned on quarantining, >works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam >0.67-1, using sophossavi and clamavmodule, SA 2.63, razor). > >Lots of emails that generate: > >ERROR:: File was encrypted > >in syslog turn out to be infected with Worm.Bagle.F-zippwd-3 >when I fun the quarantined files thru clamscan. > >I also have not noticed any significant increase in load/ >slowdown on my system (a Sun V1280) because of the new code. > >Great work, many thanks. > >Jeff Earickson >Colby College > > Julian I know you said that you weren't intending to do another stable release for several weeks but I think this change is such a major safety feature that it would be worth doing. What do you think? It would help those who only subscribe to the Freshmeat mailing list to get the new and improved version and I would think that you would be the first with a real, workable, secure solution to the password encrypted virus in a zip problem. A real coup! Just another point that made me smile today, I happened to notice that on the bottom of an automated signature from a company that pays $$$ to Messagelabs they were stating: 'This message has been scanned by Messagelabs for viruses, it should be noted that we can not scan encrypted or password protected messages'. Looks like even the mighty Messagelabs have not worked a fix yet!! Well done, a great result for MailScanner, still the best (IMHO ;-) ) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From kevins at BMRB.CO.UK Wed Mar 3 19:32:59 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> Message-ID: <1078342380.689.18.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 14:58, Julian Field wrote: > Sorry the updates are appearing so thick and fast at the moment. No need to apologise, I for one am very glad to see them! Just testing 4.28.4 - a great improvement! I've only got one (small) niggle. The all-viruses keyword seems to encompass the Zip-Pasword keyword, shouldn't All-Viruses only be viruses detected by scanners? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From garry at GLENDOWN.DE Wed Mar 3 19:38:47 2004 
From: garry at GLENDOWN.DE (Garry Glendown) Date: Thu Jan 12 21:22:57 2006 Subject: No subject In-Reply-To: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> Message-ID: <40463447.10806@glendown.de> Mike McMullen wrote: > Could a signature or checksum be calculated that was within a certain error > bounds that said it was the virus zip? > > I understand that extra random length files could be added to throw off a > checksum but at some point in the bitstream wouldn't there be a recognizable > pattern? Apart from the unencrypted part (which, as I understand, consists only of the filename, length, and checksum) I don't think there are any ways to identify a virus - after all, if you could it would defeat the reason (or quality) of an encryption. Of those listed above, the checksum will most likely be based on the encrypted data, which means it will be different for every key used. Also, the lenght (if not for this virus) might be different for every mail if the virus writer should decide to modify the amount of data written. So, just about anything left is the filename, which again only depends on the creativity of the programmer ... The only other possibility would be to find the password in the accompanying message and decrypt the zip using it ... (for encrypted zips, the scanner could use every string found in the message and try to decode with it ... that would work for any virus message, as the virus only makes sense if it is sent together with the password ...) -gg From craig at WESTPRESS.COM Wed Mar 3 19:39:43 2004 
From: craig at WESTPRESS.COM (Craig Daters) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <4046298A.1050709@orionhost.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: Cathy, you should look to 'Rules Du Jour' to add SA Rule checks that would catch a lot of that if you are not already. Then SA-Learn goes a long way towards catching things like this too once it it trained. I trained mine real quick when one of our users was receiving so much spam, that we changed his email address. I turned his old email address into a 'spam trap'. I have a script written and set up as a cron job to parse these 'spam trap' accounts daily. Likewise I have a few 'ham trap' email addresses set up to do the same, though with the exception of one, I do not auto parse these as I want to puruse them beforehand to confirm that spam is not slipping in. The spam@ourdomain.com and notspam@ourdomain.com are emails that are set up for our users to bounce messages to that make it through. 
Check out the FAQ at http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/275.html Here is my script and crontab entry: crontab: 05 0 * * * /usr/local/bin/my_sa_learn.sh my_sa_learn.sh: #!/bin/sh if [ -e /var/mail/spam ]; then /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam rm /var/mail/spam > /dev/null fi if [ -e /var/mail/jet ]; then /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/jet rm /var/mail/jet > /dev/null fi if [ -e /var/mail/graphics ]; then /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/graphics rm /var/mail/graphics > /dev/null fi if [ -e /var/mail/notspam ]; then /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam rm /var/mail/notspam > /dev/null fi /usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf This has really helped to bring our spam problem to -- -- Craig Daters (craig@westpress.com) Systems Administrator West Press Printing 1663 West Grant Road Tucson, Arizona 85745-1433 Tel: 520-624-4939 Fax: 520-624-2715 www.westpress.com -- From ugob at CAMO-ROUTE.COM Wed Mar 3 19:39:26 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:57 2006 Subject: Whitelisting Message-ID: <54C38A0B814C8E438EF73FC76F36292741096C@mtlnt501fs.CAMOROUTE.COM> >-----Message d'origine----- >De : Craig Daters [mailto:craig@WESTPRESS.COM] >Envoy? : 3 mars, 2004 12:24 >? : MAILSCANNER@JISCMAIL.AC.UK >Objet : Whitelisting > > >Where is it better to whitelist people/mail-lists/etc.? In: > >/etc/MailScanner/spam.assassin.prefs.conf, or in >/etc/MailScanner/rules/spam.whitelist.rules > >Is there a line of thought as to why I might want to in one versus >the other? Does MailScanner prefer one over the other? I think spam.whitelist.rules is better, since it probably disables DNSBL checks as well, not just SA >-- >-- > >Craig Daters (craig@westpress.com) >Systems Administrator >West Press Printing >1663 West Grant Road >Tucson, Arizona 85745-1433 > >Tel: 520-624-4939 >Fax: 520-624-2715 > >www.westpress.com > >-- > From ugob at CAMO-ROUTE.COM Wed Mar 3 19:40:43 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:57 2006 Subject: Upgrading from 4.26.8 to latest revision? Message-ID: <54C38A0B814C8E438EF73FC76F36292741096D@mtlnt501fs.CAMOROUTE.COM> >-----Message d'origine----- >De : Brian Lewis [mailto:test@NEXTMILL.NET] >Envoy? : 3 mars, 2004 12:28 >? : MAILSCANNER@JISCMAIL.AC.UK >Objet : Upgrading from 4.26.8 to latest revision? > > >What is the correct procedure to safely upgrade from 4.26.8 to >the latest >revision? The Installation Documentation and FAQ don't seem to mention >an 'upgrade' procedure. > >Do I still use the ./install.sh script? (or is there an >upgrade.sh script >somewhere??) >Do I need to backup any configuration files in the >/etc/MailScanner folder? >Which files are commonly modified during this install that I should be >concerned it? The common upgrade procedure is using the install.sh, then run upgrade_mailscanner_conf. > >MailScanner 4.26.8 currently >SpamAssassin >ClamAV (/usr/lib/MailScanner/clamav-wrapper modified to use tmpfs >partition) >512mb TMPFS partition for clamav and mailscanner >/etc/MailScanner/spam.assassin.prefs.conf modified >/etc/MailScanner/filename.rules.conf modified >/etc/MailScanner/MailScanner.conf modified > From spamtrap71892316634 at ANIME.NET Wed Mar 3 19:41:32 2004 
From: spamtrap71892316634 at ANIME.NET (Dan Hollis) Date: Thu Jan 12 21:22:57 2006 Subject: your mail In-Reply-To: <6.0.1.1.2.20040303191243.03b15458@imap.ecs.soton.ac.uk> Message-ID: On Wed, 3 Mar 2004, Julian Field wrote: > At 19:03 03/03/2004, you wrote: > >Would it be possible for Mailscanner to unzip password protected zipfiles > >the same way some of the virus scanners do? Eg look for the text string in > >the message. > >It would make mailscanner work with f-prot to catch W32/Bagle. > They aren't doing exactly that, I believe. They are simply looking for > key-strings in the mail message or looking for details of the contents/size > of the zip file. > With the modern Zip encryption schemes, decrypting them is not trivial. Well, what techniques would be practical to add to mailscanner? Interfacing with /usr/bin/unzip (which does handle encryption)? -Dan From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:42:39 2004 
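Garry's suggestion earlier in the thread (try every string in the message as the zip password) and Dan's question about what would be practical, worked through as an added example. This is not MailScanner code and nothing from the thread; it is an illustration written for this page. Python's zipfile module can read archives protected with the traditional PKWARE "ZipCrypto" scheme but cannot write them, so the stream cipher is implemented here only to build an encrypted test archive offline. The message body, the file name inside the archive and its contents are all constructed for the example and are not taken from any real worm sample.

```python
import io
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") stream cipher, written out here only so the
# example can build an encrypted test archive offline: Python's zipfile can read
# ZipCrypto but cannot write it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if _c & 1 else (_c >> 1)
    _CRC_TABLE.append(_c)


def _crc_step(crc: int, byte: int) -> int:
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, plain_byte: int) -> None:
        k = self.keys
        k[0] = _crc_step(k[0], plain_byte)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """Single-entry, stored (uncompressed), ZipCrypto-encrypted archive."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in PKZIP, zero here)
    # plus the high byte of the CRC, which is the only password check a reader
    # gets before it has decrypted the whole entry.
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])
    enc = ZipCryptoEncryptor(password).encrypt(header + payload)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021  # encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(enc), len(payload), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(enc), len(payload),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(enc), 0)
    return local + enc + central + eocd


def candidate_passwords(body: str, max_len: int = 32) -> list:
    """Every whitespace-delimited token of the message, with and without
    trailing punctuation, in order of appearance, de-duplicated."""
    seen, out = set(), []
    for tok in body.split():
        for cand in (tok, tok.strip(".,;:!?\"'()<>[]")):
            if cand and len(cand) <= max_len and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def open_with_body_tokens(zip_bytes: bytes, body: str):
    """Try each token as the password; return (password, {name: data}) or
    (None, {}). A check-byte mismatch raises RuntimeError, but about 1 in 256
    wrong passwords pass that byte and only fail the CRC (BadZipFile) after
    the full read, so both count as a wrong guess."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidate_passwords(body):
            try:
                data = {zi.filename: zf.read(zi, pwd=pwd.encode("utf-8"))
                        for zi in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return pwd, data
    return None, {}


# Constructed sample, modeled on the worm mails described in the thread; the
# body text, file name and payload are all made up for this example.
SAMPLE_BODY = ("Please read the attached document.\n"
               "For security reasons the attached file is password protected.\n"
               "The password is 47318.\n")
SAMPLE_ZIP = build_encrypted_zip("document.exe", b"MZ stand-in for a worm body",
                                 b"47318")

if __name__ == "__main__":
    print(open_with_body_tokens(SAMPLE_ZIP, SAMPLE_BODY))
```

Two caveats for anyone tempted to wire this into a scanner. First, this only defeats the traditional PKWARE encryption; an archive protected with a stronger scheme (the "modern Zip encryption schemes" Julian refers to) will not open no matter how many tokens are tried, and the scanner must then fall back to a policy decision. Second, the one-byte check in the encryption header is not a password confirmation: roughly one wrong guess in 256 will pass it, so the contents must be fully read and CRC-checked before anything is handed to the virus scanner. What MailScanner 4.28.4 actually ships, as described elsewhere in this thread, is the policy route: password-protected archives are flagged and quarantined outright, which costs nothing per message and covers both encryption schemes.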
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28.4, works great! In-Reply-To: <404631C1.7000408@themarshalls.co.uk> References: <404631C1.7000408@themarshalls.co.uk> Message-ID: <6.0.1.1.2.20040303194122.039bba58@imap.ecs.soton.ac.uk>

At 19:28 03/03/2004, you wrote:
>Jeff Earickson wrote:
>>Julian,
>> Installed 4.28.4 this morning, turned on quarantining,
>>works great (setup: sol 9, perl 5.8.2, sophos 2.79, clam
>>0.67-1, using sophossavi and clamavmodule, SA 2.63, razor).
>>
>>Lots of emails that generate:
>>
>>ERROR:: File was encrypted
>>
>>in syslog turn out to be infected with Worm.Bagle.F-zippwd-3
>>when I run the quarantined files through clamscan.
>>
>>I also have not noticed any significant increase in load/
>>slowdown on my system (a Sun V1280) because of the new code.
>>
>>Great work, many thanks.
>>
>>Jeff Earickson
>>Colby College
>>
>Julian
>
>I know you said that you weren't intending to do another stable release
>for several weeks but I think this change is such a major safety feature
>that it would be worth doing. What do you think? It would help those who
>only subscribe to the Freshmeat mailing list to get the new and improved
>version and I would think that you would be the first with a real,
>workable, secure solution to the password encrypted virus in a zip
>problem. A real coup!

I just want to "settle" the code for a couple of days first. I don't want to do a stable release and have to replace it 24 hours later. But otherwise, great idea!

>Just another point that made me smile today, I happened to notice that
>on the bottom of an automated signature from a company that pays $$$ to
>Messagelabs they were stating: 'This message has been scanned by
>Messagelabs for viruses, it should be noted that we can not scan
>encrypted or password protected messages'. Looks like even the mighty
>Messagelabs have not worked out a fix yet!!
Aw, shucks :-)

>Well done, a great result for MailScanner, still the best (IMHO ;-) )

Thank you. That is much appreciated.

-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 19:44:06 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <1078342380.689.18.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk>

At 19:32 03/03/2004, you wrote:
>On Wed, 2004-03-03 at 14:58, Julian Field wrote:
> > Sorry the updates are appearing so thick and fast at the moment.
>
>No need to apologise, I for one am very glad to see them!
>
>Just testing 4.28.4 - a great improvement! I've only got one (small)
>niggle. The All-Viruses keyword seems to encompass the Zip-Password
>keyword, shouldn't All-Viruses only be viruses detected by scanners?

Yes, but pretty much all of them are appearing as part of undetectable viruses at the moment. Someone else suggested including them, and it seemed a good idea. I might add it as an option to the Non-Forging Viruses list. Would that solve the problem for you?

-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From denis at CROOMBS.ORG Wed Mar 3 19:49:38 2004
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID:

I have installed this version, but when I do a restart, I get the following:-

Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
[ OK ]

And my mail system is broken

Any clues

Denis From peter at UCGBOOK.COM Wed Mar 3 19:51:49 2004
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 In-Reply-To: References: Message-ID: <40463755.5070109@ucgbook.com>

Denis Croombs wrote:
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
> contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-

As stated above and in Julian's posts and on the web site, install Archive::Zip.

-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From sysadmin at FLEETONE.COM Wed Mar 3 19:51:41 2004
From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] References: Message-ID: <007301c40158$f2eb4030$45a610ac@fleetone.com>

> On 3/3/04 9:31 AM, "Dustin Baer" wrote:
>
> > For those of you who want to try to catch these with SpamAssassin, I
> > think the following should work:
> >
> > body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> > describe BAGLE_PASSWORD Password.*numbers
> > score BAGLE_PASSWORD 6.5
> >
> > If anyone has a better suggestion, let us know!
>
> Has anyone found this to work? We can't upgrade as of yet to the latest MS
> since we did a apt-get install :( Will know better next time :)
> --
> Thanks!!
> David Thurman
> List Only at Web Presence Group Net

I forwarded an infected mail with the bagle zip attachment and it caught it and threw it in my spam folder. The header information showed it was the BAGLE rule set that found it.

Rob From sysadmin at FLEETONE.COM Wed Mar 3 19:53:20 2004
From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 References: Message-ID: <007d01c40159$2dbc9fb0$45a610ac@fleetone.com>

Just a guess, but it sounds like you need to install the Perl module Archive::Zip

Rob

----- Original Message -----
From: "Denis Croombs" To: Sent: Wednesday, March 03, 2004 1:49 PM Subject: System down ! with 4.28-4.1

> I have installed this version, but when I do a restart, I get the
> following:-
>
> Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
> contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux
> /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
> /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux
> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1
> /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner)
> at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> BEGIN failed--compilation aborted
> at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> Compilation failed in require at /usr/sbin/MailScanner line 52.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
> [ OK ]
>
> And my mail system is broken
>
> Any clues
>
> Denis
> From dustin.baer at IHS.COM Wed Mar 3 19:53:18 2004
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] References: Message-ID: <404637AE.8E125994@ihs.com>

Dave's List Addy wrote:
>
> On 3/3/04 9:31 AM, "Dustin Baer" wrote:
>
> > For those of you who want to try to catch these with SpamAssassin, I
> > think the following should work:
> >
> > body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> > describe BAGLE_PASSWORD Password.*numbers
> > score BAGLE_PASSWORD 6.5
> >
> > If anyone has a better suggestion, let us know!
>
> Has anyone found this to work? We can't upgrade as of yet to the latest MS
> since we did a apt-get install :( Will know better next time :)

It works for me. I had to increase the score, since BAYES_00 was basically erasing the 6.5 I gave it.

Dustin From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 19:54:00 2004
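Dustin's BAGLE_PASSWORD rule as quoted above, exercised in a small harness. This is an added example for this page, not code from the thread or from SpamAssassin: it applies the same pattern with the semantics a Perl /i pattern without /s has (case-insensitive, '.' does not cross a newline) to three constructed message bodies, and does not attempt to model how SpamAssassin renders a body before matching. The tightened pattern is my own suggestion, not something anyone in the thread proposed, and the bodies are made up for the example.

```python
import re

# Dustin's rule as posted: body BAGLE_PASSWORD /password.*[0-9]{4,}/i
# Applied here with Perl semantics for /i without /s: case-insensitive, and
# '.' does not match a newline.
BAGLE_PASSWORD = re.compile(r"password.*[0-9]{4,}", re.IGNORECASE)

# Tightened variant (my suggestion, not from the thread): the digits must be a
# standalone 4-6 digit token within 40 non-digit characters of the word
# "password", which is how the worm text reads and which a phone or invoice
# number further along the same line does not satisfy.
BAGLE_PASSWORD_TIGHT = re.compile(
    r"password\b[^0-9\n]{0,40}\b[0-9]{4,6}\b", re.IGNORECASE)


def rule_hits(body: str, rule=BAGLE_PASSWORD) -> bool:
    """True if the body rule fires anywhere in the message text."""
    return rule.search(body) is not None


def evaluate(body: str) -> dict:
    """Which of the two patterns fire on a message body."""
    return {"original": rule_hits(body),
            "tight": rule_hits(body, BAGLE_PASSWORD_TIGHT)}


# Constructed message bodies for the example (none are real mail).
WORM_BODY = ("For security reasons the attached file is password protected.\n"
             "The password is 47318\n")
# Same text, but the worm author moved the digits onto their own line.
SPLIT_BODY = ("For security reasons the attached file is password protected.\n"
              "The password is:\n"
              "47318\n")
# Legitimate helpdesk mail: "password" and a phone number on one line.
HAM_BODY = ("Your new password is ready; call the helpdesk on 520-624-4939 "
            "if you have any trouble logging in.\n")

if __name__ == "__main__":
    for label, body in (("worm", WORM_BODY), ("split", SPLIT_BODY),
                        ("ham", HAM_BODY)):
        print(label, evaluate(body))
```

The three cases show what a 6.5-point body rule is buying and what it costs: the worm text fires as intended, the same text with the password on the next line slips past both patterns (which is one reason Dustin's rule was only ever a stop-gap), and a harmless helpdesk message with a phone number on the same line as the word "password" picks up the full 6.5 under the original pattern but not under the tightened one. Whichever variant is used, it should be kept as one SpamAssassin score among many rather than pushed up to a deleting threshold on its own.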
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] In-Reply-To: <007301c40158$f2eb4030$45a610ac@fleetone.com> Message-ID:

On 3/3/04 1:51 PM, "Rob" wrote:
>>> For those of you who want to try to catch these with SpamAssassin, I
>>> think the following should work:
>>>
>>> body BAGLE_PASSWORD /password.*[0-9]{4,}/i
>>> describe BAGLE_PASSWORD Password.*numbers
>>> score BAGLE_PASSWORD 6.5
>>>
>>> If anyone has a better suggestion, let us know!
>>
>> Has anyone found this to work? We can't upgrade as of yet to the latest MS
>> since we did a apt-get install :( Will know better next time :)
>> --
>> Thanks!!
>> David Thurman
>> List Only at Web Presence Group Net
>
> I forwarded an infected mail with the bagle zip attachment and it caught it
> and threw it in my spam folder. The header information showed it was the
> BAGLE rule set that found it.

Thanks!! Band-aid for now :)

-- Thanks!! David Thurman List Only at Web Presence Group Net From denis at CROOMBS.ORG Wed Mar 3 19:54:51 2004
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID:

Sorry, forgot to include the following data:-

Redhat 7.3, installed from RPM, with SpamAssassin 2.63 & clamav

Denis Croombs From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 19:49:02 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: bagle SpamAssassin rule [SCANNED] In-Reply-To: <4045FA58.C955B333@ihs.com> Message-ID:

On 3/3/04 9:31 AM, "Dustin Baer" wrote:
> For those of you who want to try to catch these with SpamAssassin, I
> think the following should work:
>
> body BAGLE_PASSWORD /password.*[0-9]{4,}/i
> describe BAGLE_PASSWORD Password.*numbers
> score BAGLE_PASSWORD 6.5
>
> If anyone has a better suggestion, let us know!

Has anyone found this to work? We can't upgrade as of yet to the latest MS since we did an apt-get install :( Will know better next time :)

-- Thanks!! David Thurman List Only at Web Presence Group Net From mlm at LOANPROCESSING.NET Wed Mar 3 19:16:33 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen) Date: Thu Jan 12 21:22:57 2006 Subject: No subject References: Message-ID: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net>

From: "Dan Hollis"
> Would it be possible for Mailscanner to unzip password protected zipfiles
> the same way some of the virus scanners do? Eg look for the text string in
> the message.
>
> It would make mailscanner work with f-prot to catch W32/Bagle.
>
> -Dan
>

Maybe this is a dumb question, but would it be possible to catch viruses in password protected zip files without unzipping them at all? Could a signature or checksum be calculated that was within a certain error bounds that said it was the virus zip?

I understand that extra random length files could be added to throw off a checksum, but at some point in the bitstream wouldn't there be a recognizable pattern?

Mike From sysadmin at FLEETONE.COM Wed Mar 3 19:55:32 2004
From: sysadmin at FLEETONE.COM (Rob) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 References: Message-ID: <009301c40159$7c2eb750$45a610ac@fleetone.com>

Depending on your version of Linux, the RPMs can be found here for Red Hat or Fedora systems:

http://dag.wieers.com/packages/perl-Archive-Zip/

Rob

----- Original Message -----
From: "Denis Croombs" To: Sent: Wednesday, March 03, 2004 1:49 PM Subject: System down ! with 4.28-4.1

> I have installed this version, but when I do a restart, I get the
> following:-
>
> Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC
> contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux
> /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
> /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux
> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1
> /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner)
> at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> BEGIN failed--compilation aborted
> at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> Compilation failed in require at /usr/sbin/MailScanner line 52.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
> [ OK ]
>
> And my mail system is broken
>
> Any clues
>
> Denis
> From denis at CROOMBS.ORG Wed Mar 3 20:03:13 2004
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: System down ! with 4.28-4.1 Message-ID:

Hi

>Depending on your version of Linux, the RPMs can be found here for Red Hat
>or Fedora systems:
>http://dag.wieers.com/packages/perl-Archive-Zip/
>Rob

Thanks for that, it worked first time

Denis Croombs From denis at CROOMBS.ORG Wed Mar 3 18:23:00 2004
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28-4.1 Message-ID: <026e01c4014c$8fb8c610$85b8fea9@Laptop> I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed OK but when I try and restart it I get the following error:- MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. Any clues ? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From denis at CROOMBS.ORG Wed Mar 3 18:55:28 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! Message-ID: <028001c40151$192f5e50$85b8fea9@Laptop> I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed OK but when I try and restart it I get the following error:- MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46. Compilation failed in require at /usr/sbin/MailScanner line 52. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52. Any clues ? Thanks Denis -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From marco at MUW.EDU Wed Mar 3 20:22:46 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: References: Message-ID: <1078345366.40463e96aeb70@webmail.MUW.Edu>

Something I thought about this morning, since the protected-zip dilemma ignited all over this list, and that is:

Is it safe to assume that virus-writers are getting desperate, that they are resorting to compressing their damage AND password-protecting it and sending it to users? Have they exhausted all other means? Is it safe to say that, with tools like the great MailScanner and the work put forth by my hero Jules, the rope is getting tighter around their necks?

Maybe these questions can help us, the MailScanner community, help MailScanner be more of a proactive tool. We seem to respond to crises, after the fact; maybe the virus-writers ARE a step ahead. How can we catch up with them and maybe be a step ahead?

I am just over-worked and in need of a good night's sleep, just like all of you.

Marco From dbird at SGHMS.AC.UK Wed Mar 3 20:10:41 2004
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! In-Reply-To: <028001c40151$192f5e50$85b8fea9@Laptop> References: <028001c40151$192f5e50$85b8fea9@Laptop> Message-ID: <40463BC1.7070801@sghms.ac.uk>

Denis Croombs wrote:
>I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed
>OK but when I try and restart it I get the following error:-
>
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains:
> /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1
> /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1
> /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0
> /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux
> /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
> /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line
> 46.
>BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> Compilation failed in require at /usr/sbin/MailScanner line 52.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>
> Any clues ?
>
>

You need to install Compress::Zlib and Archive::Zip from www.cpan.org

Dan

>Thanks Denis
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>
>Marvin the E-Mail scanner
>
>
>

-- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikes at HARTWELLCORP.COM Wed Mar 3 20:03:23 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:57 2006 Subject: Getting a *lot* of these Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D15@hart-exchange.hartwellcorp.com> Julian Field wrote: >>> What about cleaning out your incomming queue :) Thats where it >>> starts. >> >> I *am* cleaning it out. Each night I'm removing any file more than >> one day old. However, my log files are still getting bloated. > > How are these bad files being generated? I very rarely see this > problem. I would definitely advise you to investigate the cause > rather than just killing the symptom. Julian, My /var/log/maillog file now has almost 8 million lines in it. I don't have the luxury of trying to find out what is generating the files under these conditions. I've commented out the line in Sendmail.pm that makes the log entries for now. -- Michael St. Laurent Hartwell Corporation From chris at TRUDEAU.ORG Wed Mar 3 20:15:39 2004 
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:22:57 2006 Subject: No subject References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> <40463447.10806@glendown.de> Message-ID: <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> Sorry for the top post, but I found this on a Microsoft Mailing list, does this avenue provide a possible solution? I've found that the A/V software does see the file within the ZIP archive, but cannot process it because it does not recognize the extension. When the archive is password protected, the file enclosed receives a "+" character at the end of the extension (ie test.exe becomes test.exe+) Since the A/V software doesn't recognize that kind of extension, it lets it pass thru. I found that by adding the "+" character to file extensions that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file extension and perform the necessary actions on it. I know this would possibly require a change to filename routines, but is this possible using MailScanner? Just a thought. CT ----- Original Message ----- 
From: "Garry Glendown" To: Sent: Wednesday, March 03, 2004 2:38 PM > Mike McMullen wrote: > > Could a signature or checksum be calculated that was within a certain error > > bounds that said it was the virus zip? > > > > I understand that extra random length files could be added to throw off a > > checksum but at some point in the bitstream wouldn't there be a recognizable > > pattern? > > Apart from the unencrypted part (which, as I understand, consists only > of the filename, length, and checksum) I don't think there are any ways > to identify a virus - after all, if you could it would defeat the reason > (or quality) of an encryption. Of those listed above, the checksum will > most likely be based on the encrypted data, which means it will be > different for every key used. Also, the lenght (if not for this virus) > might be different for every mail if the virus writer should decide to > modify the amount of data written. So, just about anything left is the > filename, which again only depends on the creativity of the programmer ... > > The only other possibility would be to find the password in the > accompanying message and decrypt the zip using it ... (for encrypted > zips, the scanner could use every string found in the message and try to > decode with it ... that would work for any virus message, as the virus > only makes sense if it is sent together with the password ...) > > -gg From denis at CROOMBS.ORG Wed Mar 3 20:18:54 2004 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:22:57 2006 Subject: HELP ! ! 4.28-4.1 System down ! References: <028001c40151$192f5e50$85b8fea9@Laptop> <40463BC1.7070801@sghms.ac.uk> Message-ID: <02eb01c4015c$c0c261c0$85b8fea9@Laptop> >> You need to install Compress::zlib and Archive:zip from www.cpan.org > > Dan > Thanks I have now done that. Denis -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From peter at UCGBOOK.COM Wed Mar 3 20:20:36 2004 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: <1078345366.40463e96aeb70@webmail.MUW.Edu> References: <1078345366.40463e96aeb70@webmail.MUW.Edu> Message-ID: <40463E14.5030202@ucgbook.com> Marco Obaid wrote: > Is it safe to assume that virus-writers are getting desperate, that they are > resorting to compressing their damage AND password-protect it and send it to > users? Have they exhausted all other means? I have also thought about this and I wonder what their next step is going to be. They obviously want to send their attachments as executables for maximum chance of successful infection but many filter those out even without virus scanners and even the worst client of them all, Outlook, doesn't execute them automatically anymore. Then they started sending their attachments inside zips, which usually go through the filters and have to be virus scanned with an updated signature to be detected. But Julian now goes inside zips and allows us to block filenames in them so that doesn't work anymore. So they have finally resorted to sending their viruses in password protected zips but now we can block them too so how are they going to go around this last obstacle? I guess the real question is, how is it possible that there still is users stupid enough to spread this? :-) -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From brett at PROSOLUTIONSINC.COM Wed Mar 3 20:29:14 2004
From: brett at PROSOLUTIONSINC.COM (Brett) Date: Thu Jan 12 21:22:57 2006 Subject: whitelist per user Message-ID: ok question i set up /etc/MailScanner/spam.bydomain/whitelist/ and created user@domain.com and inside of that inserted the 3 domains i want whitelisted and in mailscanner.conf put Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules to Is Definitely Not Spam = &ByDomainSpamWhiteList and restarted mailscanner was that all i had to do i feel like i missed something and how do i verify mailscanner is using the file Thanks All Brett From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 20:30:01 2004 From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought [SCANNED] In-Reply-To: <40463E14.5030202@ucgbook.com> Message-ID: On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > I guess the real question is, how is it possible that there still is > users stupid enough to spread this? :-) I read something the other day that was a study of users and how they felt; A. The Help Desk should be handling this. B. They don't have time to make sure it's not a virus and should be able to open mail as they please (refer to A.) Or bother with updates. (Gotta EBay!!) C. Nothing they can do about it so what's the fuss. Many more but those seemed to stand out to me. This was a Novel Study I think done in the UK. -- Thanks!! David Thurman List Only at Web Presence Group Net From maillists at CONACTIVE.COM Wed Mar 3 20:31:39 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl) Date: Thu Jan 12 21:22:57 2006 Subject: McAfee PROBLEM !!! In-Reply-To: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca> References: <1078254549.13811.274.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: I was wondering why I couldn't find any trace or mail with one of these Bagles on our machines, not even on high-traffic domains, and checked the virus description at f-secure.com. Bagle uses its own SMTP engine and apparently connects directly to the target SMTP server. If you use RBLs for dialup and dynamic IP ranges and a good access list which also specializes in dialup IPs most if not all Bagles will simply bounce from your MTA. No Bagle problem at all. Same for many of the other mass-mailing worms. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org From kevins at BMRB.CO.UK Wed Mar 3 20:33:56 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:57 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> Message-ID: <1078346036.690.50.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 19:44, Julian Field wrote: > >Just testing 4.28.4 - a great improvement! I've only got one (small) > >niggle. The all-viruses keyword seems to encompass the Zip-Password > >keyword, shouldn't All-Viruses only be viruses detected by scanners? > > Yes, but pretty much all of them are appearing as part of undetectable > viruses at the moment. Someone else suggested including them, and it seemed > a good idea. I might add it as an option to the Non-Forging Viruses list. > Would that solve the problem for you? Yes, I think it probably would. My issue is that I have, at times, suggested users use password protected zips for various reasons - so I would like to use a ruleset to ensure that any local senders are notified when they send a password protected zip. I presume the Non-Forging list overrides the Silent Viruses list, so... Silent Viruses = All-Viruses Non-Forging Viruses = Zip-Password Notify Senders of Viruses = /path/to/ruleset .. would do what I want? A couple of points relating to reports I forgot to mention... I'm seeing duplicate lines in the postmaster and sender notifications, like this one from a copy of putty.exe zipped as putty.zip Report: Executable DOS/Windows programs are dangerous in email (putty.exe) No programs allowed (putty.exe) Report: Executable DOS/Windows programs are dangerous in email (putty.exe) No programs allowed (putty.exe) The recipient notification also isn't as clear as it might be (not sure if this is trivial or not). It seems to imply that there were two attachments, when in fact there was only one.
Warning: This message has had one or more attachments removed Warning: (putty.exe, putty.zip). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. These are little niggles only, the core functionality is exactly what we need. Thank you so much. Kevin BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From marco at MUW.EDU Wed Mar 3 20:51:16 2004 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: References: Message-ID: <1078347076.4046454465774@webmail.MUW.Edu> Quoting Dave's List Addy : > On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > > I guess the real question is, how is it possible that there still is > > users stupid enough to spread this? :-) > > I read something the other day that was a study of users and how they felt; > > A. The Help Desk should be handling this. > > B. They don't have time to make sure it's not a virus and should be able to > open mail as they please (refer to A.) Or bother with updates. (Gotta > EBay!!) > > C. Nothing they can do about it so what's the fuss. Add to this, that most Desktop Antivirus solutions do hijack system resources. I have caught many users turning off the Antivirus because it "slows down" their machines. I do not blame them, because I have done this myself a time or two when I was working on complex project with so many screens open. > > Many more but those seemed to stand out to me. This was a Novel Study I > think done in the UK. > -- > Thanks!! > David Thurman > List Only at Web Presence Group Net > From dev at ORIONHOST.NET Wed Mar 3 20:37:49 2004 
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: <20040303110347.A29084@sthomas.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> <20040303110347.A29084@sthomas.net> Message-ID: <4046421D.3020408@orionhost.net> Thanks Steve, I've got MailScanner v 4.26.8-1. Bayes is running automatically. To say that I am *using* it may be overstating. I don't know how to train Bayes. I've read that you are supposed to feed it using sa-learn, but it is not clear to me exactly how that is done. I've been trying to figure it out from the FAQ. It doesn't help that I don't know my way around Linux very well. I changed servers recently and the old Bayes database was copied to the new server. I don't think DNSBLs are used, but I am not sure. Cathy Cramer Steve Thomas wrote: > On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have said: > >>I am having a real problem with random word spam receiving a spam score >>zero or very low, less than 3. Lots of this type of spam is getting >>through, while many legitimate messages get scores over 4. Some of my >>users are getting a hundred or more spam messages per day, about 90% of >>their total incoming mail. Are other people having problems with this? >>Any suggestions? > > > Are you using bayes and the DNSBLs? > > > -- > "Logic is in the eye of the logician." > - Gloria Steinem > From dev at ORIONHOST.NET Wed Mar 3 20:42:57 2004
From: dev at ORIONHOST.NET (Cathy Cramer) Date: Thu Jan 12 21:22:57 2006 Subject: low scoring spam In-Reply-To: References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> Message-ID: <40464351.9080103@orionhost.net> Thanks Craig, RulesDuJour looks like it would help. I am trying to figure out how to install that now. Thanks also for the script below. It would be great if users could bounce back their spam for processing. I also have a user who is about ready to dump their old address and get a new one because the amount of spam is so bad. Cathy Cramer Craig Daters wrote: > Cathy, you should look to 'Rules Du Jour' to add SA Rule checks that > would catch a lot of that if you are not already. Then SA-Learn goes > a long way towards catching things like this too once it is trained. > > I trained mine real quick when one of our users was receiving so much > spam, that we changed his email address. I turned his old email > address into a 'spam trap'. I have a script written and set up as a > cron job to parse these 'spam trap' accounts daily. > > Likewise I have a few 'ham trap' email addresses set up to do the > same, though with the exception of one, I do not auto parse these as > I want to peruse them beforehand to confirm that spam is not slipping > in. > > The spam@ourdomain.com and notspam@ourdomain.com are emails that are > set up for our users to bounce messages to that make it through.
>
> Check out the FAQ at
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/275.html
>
> Here is my script and crontab entry:
>
> crontab:
>
> 05 0 * * * /usr/local/bin/my_sa_learn.sh
>
> my_sa_learn.sh:
>
> #!/bin/sh
>
> if [ -e /var/mail/spam ]; then
>     /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/spam
>     rm /var/mail/spam > /dev/null
> fi
>
> if [ -e /var/mail/jet ]; then
>     /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/jet
>     rm /var/mail/jet > /dev/null
> fi
>
> if [ -e /var/mail/graphics ]; then
>     /usr/bin/sa-learn --spam -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/graphics
>     rm /var/mail/graphics > /dev/null
> fi
>
> if [ -e /var/mail/notspam ]; then
>     /usr/bin/sa-learn --ham -p /etc/MailScanner/spam.assassin.prefs.conf --mbox /var/mail/notspam
>     rm /var/mail/notspam > /dev/null
> fi
>
> /usr/bin/sa-learn --rebuild -p /etc/MailScanner/spam.assassin.prefs.conf
>
> This has really helped to bring our spam problem to
> --
> --
>
> Craig Daters (craig@westpress.com)
> Systems Administrator
> West Press Printing
> 1663 West Grant Road
> Tucson, Arizona 85745-1433
>
> Tel: 520-624-4939
> Fax: 520-624-2715
>
> www.westpress.com
>
> --
>
From jen at AH.DK Wed Mar 3 20:43:13 2004
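Craig's cron script above removes each trap mailbox as soon as sa-learn returns, whether or not the learn succeeded, and any message delivered to the mailbox while sa-learn was still reading it is deleted along with the batch. The following is an added example, not Craig's script and not MailScanner code, that renames the mailbox aside before learning and keeps failed batches for a retry; the mailbox paths, prefs file and --rebuild step follow the script above, and the injectable `run` callable is an assumption so the logic can be exercised without sa-learn installed.

```python
import os
import shutil
import subprocess
from typing import Callable, Dict, List

SA_LEARN = "/usr/bin/sa-learn"
PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"
# The same trap mailboxes as the script above, mapped to the class they hold.
TRAPS: Dict[str, str] = {"/var/mail/spam": "spam", "/var/mail/jet": "spam",
                         "/var/mail/graphics": "spam", "/var/mail/notspam": "ham"}

# Assumption for testability: anything that takes an argv list and returns an exit code.
Runner = Callable[[List[str]], int]


def learn_trap(mbox: str, kind: str, run: Runner = subprocess.call) -> bool:
    """Feed one trap mailbox to sa-learn as "spam" or "ham".

    Two changes from the cron script above: the mailbox is renamed aside before
    sa-learn reads it, so messages delivered while it runs land in a fresh file
    instead of being deleted with the batch, and the batch is only discarded
    after sa-learn exits 0. Failed batches are appended to <mbox>.failed so the
    training data is kept for a later retry.
    """
    if not os.path.exists(mbox) or os.path.getsize(mbox) == 0:
        return True  # nothing queued
    batch = f"{mbox}.learn.{os.getpid()}"
    os.rename(mbox, batch)  # atomic on the same filesystem
    if run([SA_LEARN, f"--{kind}", "-p", PREFS, "--mbox", batch]) == 0:
        os.remove(batch)
        return True
    with open(batch, "rb") as src, open(f"{mbox}.failed", "ab") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(batch)
    return False


def learn_all(traps: Dict[str, str] = TRAPS, run: Runner = subprocess.call) -> bool:
    """Cron entry point: learn every trap, then rebuild the Bayes database."""
    results = [learn_trap(mbox, kind, run) for mbox, kind in traps.items()]
    rebuilt = run([SA_LEARN, "--rebuild", "-p", PREFS]) == 0
    return all(results) and rebuilt


if __name__ == "__main__":
    raise SystemExit(0 if learn_all() else 1)
```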
From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:22:57 2006 Subject: 4.28-4.1 and Deliver Disinfected Files = Message-ID: Hi I have just installed 4.28-4.1 on 2 MS servers and the first MS server marked Bagle zip files as virus and Dangerous. The second MS server found the Password-protected archive and put it into quarantine BUT didn't mark it as virus and Dangerous!! And put this in the maillog: "Disinfection: Rescan found only 0 viruses" the first MS server has "Deliver Disinfected Files = no" the second "Deliver Disinfected Files = yes" When I changed the second MS server to "Deliver Disinfected Files = no" the Password-protected archive was marked as virus and Dangerous. /Jan Elmqvist Nielsen From gdoris at rogers.com Wed Mar 3 20:43:26 2004
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:22:57 2006 Subject: Food for thought In-Reply-To: <1078347076.4046454465774@webmail.MUW.Edu> References: <1078347076.4046454465774@webmail.MUW.Edu> Message-ID: <34368.129.80.22.133.1078346606.squirrel@65.48.246.102> > Quoting Dave's List Addy : > >> On 3/3/04 2:20 PM, "Peter Bonivart" wrote: >> >> > I guess the real question is, how is it possible that there still is >> > users stupid enough to spread this? :-) >> >> I read something the other day that was a study of users and how they >> felt; >> >> A. The Help Desk should be handling this. >> >> B. They don't have time to make sure it's not a virus and should be able >> to >> open mail as they please (refer to A.) Or bother with updates. (Gotta >> EBay!!) >> >> C. Nothing they can do about it so what's the fuss. > > Add to this, that most Desktop Antivirus solutions do hijack system > resources. > I have caught many users turning off the Antivirus because it "slows down" > their machines. I do not blame them, because I have done this myself a > time or > two when I was working on complex project with so many screens open. More importantly those scanners really mess up Microsoft games! Gerry From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:34:43 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: No subject In-Reply-To: <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> References: <050f01c40154$0ad490c0$3e01a8c0@express.loanprocessing.net> <40463447.10806@glendown.de> <016401c4015c$4c5dc810$4d19000a@ATLCPW13671> Message-ID: <6.0.1.1.2.20040303203422.03b22040@imap.ecs.soton.ac.uk> At 20:15 03/03/2004, you wrote: >Sorry for the top post, but I found this on a Microsoft Mailing list, does >this avenue provide a possible solution? > > >I've found that the A/V software does see the file within the ZIP archive, >but cannot process it because it does not recognize the extension. When the >archive is password protected, the file enclosed receives a "+" character at >the end of the extension (ie test.exe becomes test.exe+) Since the A/V >software doesn't recognize that kind of extension, it lets it pass thru. > >I found that by adding the "+" character to file extensions that are blocked >(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file >extension and perform the necessary actions on it. > > >I know this would possibly require a change to filename routines, but is >this possible using MailScanner? The zip archive unpacking I do doesn't add anything to the end of the filename. >Just a thought. > >CT > > >----- Original Message ----- 
>From: "Garry Glendown" >To: >Sent: Wednesday, March 03, 2004 2:38 PM > > > > Mike McMullen wrote: > > > Could a signature or checksum be calculated that was within a certain >error > > > bounds that said it was the virus zip? > > > > > > I understand that extra random length files could be added to throw off >a > > > checksum but at some point in the bitstream wouldn't there be a >recognizable > > > pattern? > > > > Apart from the unencrypted part (which, as I understand, consists only > > of the filename, length, and checksum) I don't think there are any ways > > to identify a virus - after all, if you could it would defeat the reason > > (or quality) of an encryption. Of those listed above, the checksum will > > most likely be based on the encrypted data, which means it will be > > different for every key used. Also, the length (if not for this virus) > > might be different for every mail if the virus writer should decide to > > modify the amount of data written. So, just about anything left is the > > filename, which again only depends on the creativity of the programmer ... > > > > The only other possibility would be to find the password in the > > accompanying message and decrypt the zip using it ... (for encrypted > > zips, the scanner could use every string found in the message and try to > > decode with it ... that would work for any virus message, as the virus > > only makes sense if it is sent together with the password ...) > > > > -gg -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:49:27 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: References: <40463E14.5030202@ucgbook.com> Message-ID: <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> At 20:30 03/03/2004, you wrote: >On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > I guess the real question is, how is it possible that there still is > > users stupid enough to spread this? :-) > >I read something the other day that was a study of users and how they felt; > >A. The Help Desk should be handling this. > >B. They don't have time to make sure it's not a virus and should be able to >open mail as they please (refer to A.) Or bother with updates. (Gotta >EBay!!) > >C. Nothing they can do about it so what's the fuss. > >Many more but those seemed to stand out to me. This was a Novel Study I >think done in the UK. It was done by a marketing company called TNS I believe. The best report on it I have seen is here: http://www.theregister.co.uk/content/55/35393.html It makes for alarming reading! Believe me, the users really are that stupid. They don't care. Maybe responsible computer use needs to take the same path that Health and Safety has taken. People used to ignore that because they were "too busy" or other such lame excuses. Now they don't have an option, and can be disciplined/sued if they breach H+S legislation. These lame excuses cost real businesses real money, and I think it is up to the businesses to start enforcing their rules, just like they do now with H+S rules and policies. I would certainly back company policies governing computer use, as long as they were enforced. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:40:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: Guess what.... 4.28.4 In-Reply-To: <1078346036.690.50.camel@bach.kevinspicer.co.uk> References: <6.0.1.1.2.20040303145508.03cbd698@imap.ecs.soton.ac.uk> <1078342380.689.18.camel@bach.kevinspicer.co.uk> <6.0.1.1.2.20040303194252.03af2200@imap.ecs.soton.ac.uk> <1078346036.690.50.camel@bach.kevinspicer.co.uk> Message-ID: <6.0.1.1.2.20040303203917.03b38ec0@imap.ecs.soton.ac.uk> At 20:33 03/03/2004, you wrote: >On Wed, 2004-03-03 at 19:44, Julian Field wrote: > > >Just testing 4.28.4 - a great improvement! I've only got one (small) > > >niggle. The all-viruses keyword seems to encompass the Zip-Password > > >keyword, shouldn't All-Viruses only be viruses detected by scanners? > > > > Yes, but pretty much all of them are appearing as part of undetectable > > viruses at the moment. Someone else suggested including them, and it seemed > > a good idea. I might add it as an option to the Non-Forging Viruses list. > > Would that solve the problem for you? > >Yes, I think it probably would. My issue is that I have, at times, >suggested users use password protected zips for various reasons - so I >would like to use a ruleset to ensure that any local senders are >notified when they send a password protected zip. Will do. >I presume the Non-Forging list overrides the Silent Viruses list, so... Correct. >Silent Viruses = All-Viruses >Non-Forging Viruses = Zip-Password >Notify Senders of Viruses = /path/to/ruleset >.. would do what I want? > >A couple of points relating to reports I forgot to mention...
>I'm seeing duplicate lines in the postmaster and sender notifications, >like this one from a copy of putty.exe zipped as putty.zip > > Report: Executable DOS/Windows programs are dangerous in email >(putty.exe) > No programs allowed (putty.exe) > Report: Executable DOS/Windows programs are dangerous in email >(putty.exe) > No programs allowed (putty.exe) > > >The recipient notification also isn't as clear as it might be (not sure >if this is trivial or not). It seems to imply that there were two >attachments, when in fact there was only one. > >Warning: This message has had one or more attachments removed >Warning: (putty.exe, putty.zip). >Warning: Please read the "VirusWarning.txt" attachment(s) for more >information. I agree. Not trivial to fix I think. >These are little niggles only, the core functionality is exactly what we >need. Thank you so much. My pleasure. But feel free to buy me goodies from my wishlist even so :-)))))))) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:37:34 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: whitelist per user In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303203610.03b38d78@imap.ecs.soton.ac.uk> At 20:29 03/03/2004, you wrote: >ok question i set up /etc/MailScanner/spam.bydomain/whitelist/ >and created user@domain.com and inside of that inserted >the 3 domains i want whitelisted and in mailscanner.conf >put >Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules >to >Is Definitely Not Spam = &ByDomainSpamWhiteList >and restarted mailscanner > >was that all i had to do i feel like i missed something >and how do i verify mailscanner is using the file Check in CustomConfig.pm. At the top of the ByDomain white and blacklisting code, there are a couple of directory names defined that contain all the user@domain and domain files. Make sure that is set correctly. When you start up, it should print out the number of domains and users it has read white+blacklists for. Check that is roughly the figure you are expecting. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Mar 3 20:52:04 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: low scoring spam In-Reply-To: <4046421D.3020408@orionhost.net> References: <40461F5D.6050803@pixelmagicfx.com> <4046298A.1050709@orionhost.net> <20040303110347.A29084@sthomas.net> <4046421D.3020408@orionhost.net> Message-ID: <6.0.1.1.2.20040303204951.039c1da8@imap.ecs.soton.ac.uk> To a large extent, the Bayes database in SpamAssassin will teach itself. You don't actually need to do anything, except when it gets it wrong. Then you need to feed messages to "sa-learn". I'll leave others to explain how to use sa-learn, but there have been many discussions on this here before. But left to its own devices, SpamAssassin uses all its other rules to work out what is definitely spam and definitely non-spam, and feeds those definite messages back into the database learning code. So it trains itself. Neat huh? At 20:37 03/03/2004, you wrote: >Thanks Steve, > >I've got MailScanner v 4.26.8-1. > >Bayes is running automatically. To say that I am *using* it may be >overstating. I don't know how to train Bayes. I've read that you are >supposed to feed it using sa-learn, but it is not clear to me exactly >how that is done. I've been trying to figure it out from the FAQ. It >doesn't help that I don't know my way around Linux very well. > >I changed servers recently and the old Bayes database was copied to the >new server. > >I don't think DNSBLs are used, but I am not sure. > >Cathy Cramer > > > > >Steve Thomas wrote: > >>On Wed, Mar 03, 2004 at 11:52:58AM -0700, Cathy Cramer is rumored to have >>said: >> >>>I am having a real problem with random word spam receiving a spam score >>>zero or very low, less than 3. Lots of this type of spam is getting >>>through, while many legitimate messages get scores over 4. Some of my >>>users are getting a hundred or more spam messages per day, about 90% of >>>their total incoming mail. Are other people having problems with this? >>>Any suggestions?
>> >> >>Are you using bayes and the DNSBLs? >> >> >>-- >>"Logic is in the eye of the logician." >>- Gloria Steinem -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ugob at CAMO-ROUTE.COM Wed Mar 3 20:47:10 2004 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:22:58 2006 Subject: OT:Food for thought Message-ID: <54C38A0B814C8E438EF73FC76F362927410975@mtlnt501fs.CAMOROUTE.COM> >-----Original Message----- >From: Marco Obaid [mailto:marco@MUW.EDU] >Sent: 3 March 2004 15:51 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Food for thought > > >Quoting Dave's List Addy : > >> On 3/3/04 2:20 PM, "Peter Bonivart" wrote: >> >> > I guess the real question is, how is it possible that >there still is >> > users stupid enough to spread this? :-) >> >> I read something the other day that was a study of users and >how they felt; >> >> A. The Help Desk should be handling this. >> >> B. They don't have time to make sure it's not a virus and >should be able to >> open mail as they please (refer to A.) Or bother with updates. (Gotta >> EBay!!) >> >> C. Nothing they can do about it so what's the fuss. > >Add to this, that most Desktop Antivirus solutions do hijack >system resources. >I have caught many users turning off the Antivirus because it >"slows down" >their machines. I do not blame them, because I have done this >myself a time or >two when I was working on complex project with so many screens open. Your users shouldn't be able to disable it. I used to work with McAfee a lot and by tweaking the settings for some applications, we saw tremendous results. I just disabled the "scan all files" and enabled "scan executables only" (a lot more than .exe were on the list, though... dlls, and other types). We got from 1m40s for opening a map to 40 secs. We did that only for users using this specific application. Even with a careful analysis, I couldn't find exactly what type of files I had to exclude :(. The next day, I was recognized as a god in this department :) > > >> >> Many more but those seemed to stand out to me. This was a >Novel Study I >> think done in the UK. >> -- >> Thanks!!
>> David Thurman >> List Only at Web Presence Group Net >> > From peter at UCGBOOK.COM Wed Mar 3 20:58:20 2004 From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: <1078347076.4046454465774@webmail.MUW.Edu> References: <1078347076.4046454465774@webmail.MUW.Edu> Message-ID: <404646EC.1000001@ucgbook.com> Marco Obaid wrote: > Add to this, that most Desktop Antivirus solutions do hijack system resources. > I have caught many users turning off the Antivirus because it "slows down" > their machines. I do not blame them, because I have done this myself a time or > two when I was working on complex project with so many screens open. The user of a workstation should not be logged on as an admin and the virus scanner should run as an admin so it can't be closed by the user. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 From jrudd at UCSC.EDU Wed Mar 3 20:53:32 2004 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:22:58 2006 Subject: bagle SpamAssassin rule [SCANNED] References: <404637AE.8E125994@ihs.com> Message-ID: <404645CC.8EEA7401@ucsc.edu> Dustin Baer wrote: > > Dave's List Addy wrote: > > > > On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > > > For those of you who want to try to catch these with SpamAssassin, I > > > think the following should work: > > > > > > body BAGLE_PASSWORD /password.*[0-9]{4,}/i > > > describe BAGLE_PASSWORD Password.*numbers > > > score BAGLE_PASSWORD 6.5 > > > > > > If anyone has a better suggestion, let us know! > > > > Has anyone found this to work? We can't upgrade as of yet to the latest MS > > since we did a apt-get install :( Will know better next time :) > > It works for me. I had to increase the score, since BAYES_00 was > basically erasing the 6.5 I gave it. > > Dustin Note, I've also seen them just use "pass" and not "password". From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:24:21 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: 4.28-4.1 and Deliver Disinfected Files = In-Reply-To: References: Message-ID: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk> Fixed in the next release. I have also added the Compress::Zlib and Archive::Zip modules to the RPM distributions and to the Perl module installation docs on the website. Getting closer to a stable release... At 20:43 03/03/2004, you wrote: >Hi > >I have just installed 4.28-4.1 on 2 MS servers and the first MS server >marked Bagle zip files as virus and Dangerous. >The second MS server found the Password-protected archive and put it >into quarantine BUT didn't mark it as virus and Dangerous!! >And put this in the maillog: >"Disinfection: Rescan found only 0 viruses" > >the first MS server has "Deliver Disinfected Files = no" >the second "Deliver Disinfected Files = yes" > >When I changed the second MS server to "Deliver Disinfected Files = no" the >Password-protected archive was marked as virus and Dangerous. > >/Jan Elmqvist Nielsen -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From rob at thehostmasters.com Wed Mar 3 21:17:14 2004
From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:22:58 2006 Subject: Beag.J getting through via zip files! Message-ID: <00e701c40164$e6aaff20$0d01a8c0@basement> only when it's in a zip it does not get found... but yet I have found other viruses in zip just not this one as of today... what should I do I got 3 sent to me already! Any suggestions? They are not password protected, well I never tried to open them so I figure they are not... Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040303/b926d106/attachment.html From rob at thehostmasters.com Wed Mar 3 21:04:06 2004 From: rob at thehostmasters.com (Rob Charles) Date: Thu Jan 12 21:22:58 2006 Subject: A virus got through my server after 3 years?!!? References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com> Message-ID: <005801c40163$10cbd380$0d01a8c0@basement> I think a virus got through... here are the headers there is an attachment that I have not opened... Why would this get through?? I never had a problem before... I use McAfee, I am on 4333, not sure what virus it is though?? ------------------------------------ Return-Path: Received: from tipe.utoronto.ca (tst15.tst.utoronto.ca [128.100.56.15]) by localhost.localdomain (8.12.10/8.12.5) with SMTP id i23HdjsB029765 for ; Wed, 3 Mar 2004 12:39:45 -0500 Date: Wed, 03 Mar 2004 12:44:52 -0500 To: info@thehostmasters.com Subject: Warning about your e-mail account.
From: noreply@thehostmasters.com Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------taojqrvqlobuwwcadujp" X-MailScanner-Information: Please contact info@thehostmasters.com for more info X-MailScanner: Found to be clean X-UIDL: Za&"!N#S"!)2N!!1#7!! ----------taojqrvqlobuwwcadujp Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hello user of Thehostmasters.com e-mail server, Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software. For details see the attached file. In order to read the attach you have to use the following password: 38683. The Management, The Thehostmasters.com team http://www.thehostmasters.com ----------taojqrvqlobuwwcadujp Content-Type: application/octet-stream; name="TextFile.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="TextFile.zip" ------------------------------------------------------------------- Rob Charles TheHostMasters Montreal, Canada 514-846-0006 Rob@TheHostMasters.com http://www.TheHostMasters.com ----- Original Message ----- 
From: "Peter Bonivart" To: Sent: Wednesday, March 03, 2004 3:58 PM Subject: Re: Food for thought > Marco Obaid wrote: > > Add to this, that most Desktop Antivirus solutions do hijack system resources. > > I have caught many users turning off the Antivirus because it "slows down" > > their machines. I do not blame them, because I have done this myself a time or > > two when I was working on complex project with so many screens open. > > The user of a workstation should not be logged on as an admin and the > virus scanner should run as an admin so it can't be closed by the user. > > -- > /Peter Bonivart > > --Unix lovers do it in the Sun > > Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, > SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2 > From dz at SIAMESERESCUE.ORG Wed Mar 3 21:27:58 2004 From: dz at SIAMESERESCUE.ORG (Darrell) Date: Thu Jan 12 21:22:58 2006 Subject: Bagle Zip format (from nanog) Message-ID: <200403032128.i23LRxeg018538@siameserescue.net> Just in case this isn't common knowledge already. Z -----Original Message----- 
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jeffrey I. Schiller
Sent: Wednesday, March 03, 2004 4:13 PM
To: Brian Wilson
Cc: Dan Hollis; 'nanog@merit.edu'
Subject: Re: dealing with w32/bagle

Turns out that the ZIP file format that all of these beasties are using is a little bit non-standard. Specifically they are all version 1.0 zip archives and the first (and only) component is not compressed.

At MIT we are matching these two strings to recognize the infected ZIP files while letting through most (actually I have seen no false positives) if not all "real" ZIP files. We are matching them anywhere within an attachment (well, within the first 16K). However you really only need to see if they are the beginning characters (this is a ZIP file header).

What follows are the base64 encoded strings. I have put an asterisk between the first and second character, so my own filters won't reject this message; do remove that before using...

U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA <= Matches encrypted version.

-Jeff

From mlm at LOANPROCESSING.NET Wed Mar 3 21:15:54 2004
From: mlm at LOANPROCESSING.NET (Mike McMullen)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk>
Message-ID: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net>

----- Original Message -----
From: "Julian Field" To: Sent: Wednesday, March 03, 2004 12:49 PM Subject: Re: Food for thought > At 20:30 03/03/2004, you wrote: > >On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > > I guess the real question is, how is it possible that there still is > > > users stupid enough to spread this? :-) > > > >I read something the other day that was a study of users and how they felt; > > > >A. The Help Desk should be handling this. > > > >B. They don't have time to make sure it's not a virus and should be able to > >open mail as they please (refer to A.) Or bother with updates. (Gotta > >EBay!!) > > > >C. Nothing they can do about it so what's the fuss. > > > >Many more but those seemed to stand out to me. This was a Novel Study I > >think done in the UK. > > It was done by a marketing company called TNS I believe. The best report on > it I have seen is here: > http://www.theregister.co.uk/content/55/35393.html > It makes for alarming reading! > > Believe me, the users really are that stupid. They don't care. > > Maybe responsible computer use needs to take the same path that Health and > Safety has taken. People used to ignore that because they were "too busy" > or other such lame excuses. Now they don't have an option, and can be > disciplined/sued if they breach H+S legislation. > > These lame excuses cost real businesses real money, and I think it is up to > the businesses to start enforcing their rules, just like they do now with > H+S rules and policies. I would certainly back company policies governing > computer use, as long as they were enforced. > -- What it comes down to is nobody wants to take responsibility for themselves or their actions anymore. One reason why courts are full of frivolous lawsuits. Personally at an emotional level I feel that this whole password protected zip viri thing is the equivalent of FedEX delivering a package containing bullets and a gun with instructions to place bullet in gun, point barrel to head, and pull trigger. 
Repeat if necessary.

Somehow FedEx would be sued for wrongful death.

Opening up a password protected zip file with the password in the same email, whether it is a known email address or not, is the height of stupidity. Especially if the email body is as funky as the ones I've seen for Bagle.

Mike

From pete at eatathome.com.au Wed Mar 3 21:12:25 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: Multi Threaded Perl
In-Reply-To: <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk>
Message-ID: <40464A39.9040908@eatathome.com.au>

Julian Field wrote:
> Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n.
> That can cripple Perl.
>
> At 05:46 03/03/2004, you wrote:
>
>> Hi All,
>>
>> We have one box which for some reason seems to have been hit really hard
>> by the latest version of MailScanner. The strange thing about this is that
>> it's the newest and most highly specified box we have.
>>
>> The only difference I can see with this box is that it's running
>> multithreaded perl 5.8.0. Are there any known issues with this at all?
>>
>> The box itself is a dual processor PIV with 1Gig of Ram running RedHat
>> 9. We have the work dirs in tmpfs etc and have no problems with our other
>> boxes, just this one which has gone from easily able to process 100,000
>> messages per day down to barely processing 15,000
>>
>> Any ideas would be greatly appreciated.
>>
>> Regards,
>>
>> David Hooton
>> Senior Partner
>> Platform Hosting
>> www.platformhosting.com
>>
>> Pain free spam & virus protection - Mail Security
>>
>> To report SPAM forward the message to: spam@mailsecurity.net.au
>> To report incorrectly tagged messages: notspam@mailsecurity.net.au
>

My file reads:

LANG="C"
#LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

What should I change SUPPORTED to? Just change to C?

From pete at eatathome.com.au Wed Mar 3 21:20:34 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20040303184946.03c29e88@192.168.10.2> <4045BCDF.8020402@eatathome.com.au> <6.0.0.22.0.20040303194102.03c426b0@192.168.10.2> <6.0.1.1.2.20040303114651.03ee7990@imap.ecs.soton.ac.uk>
Message-ID: <40464C22.7050002@eatathome.com.au>

Julian Field wrote:
> Stuff that isn't spam.
>
> At 11:41 03/03/2004, you wrote:
>
>> err...what's "ham"?
>>
>> At 07:09 PM 3/3/2004, you wrote:
>>
>>> kfliong wrote:
>>>
>>>> Hi,
>>>>
>>>> I have this email which is not spam but has a score of 5.642 which is high,
>>>> as by default more than 5 is considered spam.
>>>>
>>>> Can I know how I can reduce the score?
>>>>
>>>> spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
>>>> DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10,
>>>> HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)
>>>>
>>>> Also, the scores mainly come from BAYES_90 2.10 and DEAR_SOMETHING
>>>> 2.30....where can I get more details on what those scores mean? Does
>>>> MailScanner use a different config file for controlling SpamAssassin?
>>>>
>>>> thanks in advance
>>>>
>>>> thanks
>>>>
>>> Isn't this a situation for learning as ham? I am NO expert, but if you
>>> have no other method maybe turn on archiving till you get a copy of this
>>> message, then sa-learn it as ham?
>>
>> thanks
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Since I think Julian's comment is confirmation: this is the sort of thing that using Bayesian learning (Bayes) with SpamAssassin will fix. I am not well versed enough to try and explain it, so have a search through the list archives, or Google; it works plenty well with MailScanner and SpamAssassin.

From kevins at BMRB.CO.UK Wed Mar 3 21:19:17 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> Message-ID: <1078348757.691.95.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 20:49, Julian Field wrote: > It was done by a marketing company called TNS I believe. The best report on > it I have seen is here: > http://www.theregister.co.uk/content/55/35393.html > It makes for alarming reading! It certainly does. TNS are a market research (not marketing) company - this means their research is independently conducted and meets certain standards (we are also a market research company and TNS are one of our main competitors). Knowing the professional standards they are obliged to work to concerns me more because I can't dismiss this as purely scare-mongering by a major IT firm (as I might if it was a 'Messagelabs say' type article). A colleague and I were today talking about launching some sort of 'web-wise' campaign internally to alert users to the risks they face (I'm particularly concerned about phishing - I had a really convincing scam email 'from Barclays' yesterday). This report will really help me push for permission to do this. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevin at KEVINSPICER.CO.UK Wed Mar 3 21:05:24 2004 
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:58 2006
Subject: Food for thought
In-Reply-To: <1078345366.40463e96aeb70@webmail.MUW.Edu>
References: <1078345366.40463e96aeb70@webmail.MUW.Edu>
Message-ID: <1078347924.689.77.camel@bach.kevinspicer.co.uk>

On Wed, 2004-03-03 at 20:22, Marco Obaid wrote:
> Something I thought about this morning, since the protected-zip dilemma
> ignited all over this list and that is:

About a month ago a colleague and I were commenting on the virus-in-zip-files thing and speculating how long it would be before we saw password protected zips being used (based on the principle that if you can trick a user into opening a zip and running the attachment you can get them to enter a password - after all it is there to protect them, right?). We weren't being entirely serious, so we were a little surprised when it actually happened!

So the question is where next? Despite all the viruses circulating right now (or perhaps because of them) virus detection is getting better and better, and more people (especially large ISPs and corporations) are implementing mail filtering. I don't think there's a lot of mileage left in the 'virus in attachment' issue - there are really only two other ways I can think of (off the top of my head).

1) Encryption (to make messages unscannable). It would be fairly easy to target PGP users by grabbing public keys and email addresses from the key servers. But most PGP users are more sophisticated users who aren't likely to fall for unsubtle social engineering tricks. Anyway there aren't (relatively speaking) very many PGP users around, so any virus targeting this method is unlikely to reach the critical mass required for a large scale outbreak. I imagine similar problems for virus writers attempting to use other encryption technologies.

2) Virus external to message. In other words, social engineer the user into clicking a hyperlink in an HTML message. The first time I considered this I thought that it would be difficult because a website spreading a virus would probably be quickly disabled. Of course it could attempt to infect running webservers it finds and use those. But would this be enough to gain critical mass? We have already seen viruses running their own SMTP engine; I wonder how long before we see viruses with a built-in HTTP server (trivial to code if you only want to return one page). We recently implemented HTTP filters and catch a few viruses every week (mostly javascript stuff); I think effective HTTP filtering is likely to become increasingly important. I think there may be a sudden move back towards email as a primarily text-only form of communication (as companies find themselves needing to block or strip HTML content in emails).

My other prediction is that there will be more convergence between virus and spam traffic. Viruses spread most effectively by fooling users into thinking they are from someone they know, whereas spam is always from complete strangers. How long before the network of spam zombies starts sending spam to contacts found on the unfortunate user's hard drive, just as the virus that turned the machine into a zombie originally spread? It concerns me that this could lead to a major breakdown in the usefulness of email as a form of communication.

Just my thoughts, anyone care to join in?...

--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard.
My public key may be obtained from http://www.keyserver.net

From lists at STHOMAS.NET Wed Mar 3 21:33:08 2004
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:22:58 2006
Subject: FW: Re: dealing with w32/bagle
Message-ID: <20040303133308.A899@sthomas.net>

FYI - this is from the NANOG list. It may help some with creating filters for the bagle beasties.

----- Forwarded message from "Jeffrey I. Schiller" -----

Date: Wed, 3 Mar 2004 16:12:55 -0500
From: "Jeffrey I. Schiller"
Subject: Re: dealing with w32/bagle

Turns out that the ZIP file format that all of these beasties are using is a little bit non-standard. Specifically they are all version 1.0 zip archives and the first (and only) component is not compressed.

At MIT we are matching these two strings to recognize the infected ZIP files while letting through most (actually I have seen no false positives) if not all "real" ZIP files. We are matching them anywhere within an attachment (well, within the first 16K). However you really only need to see if they are the beginning characters (this is a ZIP file header).

What follows are the base64 encoded strings. I have put an asterisk between the first and second character, so my own filters won't reject this message; do remove that before using...

U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA <= Matches encrypted version.

-Jeff

----- End forwarded message -----

--
"A narcissist is someone better looking than you are." - Gore Vidal

From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:38:16 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: Multi Threaded Perl In-Reply-To: <40464A39.9040908@eatathome.com.au> References: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au> <6.0.1.1.2.20040303101957.0407f008@imap.ecs.soton.ac.uk> <40464A39.9040908@eatathome.com.au> Message-ID: <6.0.1.1.2.20040303213743.03b861f8@imap.ecs.soton.ac.uk> At 21:12 03/03/2004, you wrote: >Julian Field wrote: > >>Make sure you have removed all traces of utf8 from /etc/sysconfig/i18n. >>That can cripple Perl. >> >>At 05:46 03/03/2004, you wrote: >> >>>Hi All, >>> >>>We have one box which for some reason seems to have been hit really hard >>>by the latest version of MailScanner the strange thing about this is >>>that >>>it's the newest and most highly specified box we have. >>> >>>The only difference I can see with this box is that it's running >>>multithreaded perl 5.8.0 is there any known issues with this at all? >>> >>>The box itself is a dual processor PIV with 1Gig of Ram running RedHat >>>9. We have the work dirs in tmpfs etc and have no problems with our >>>other >>>boxes, just this one which has gone from easily able to process 100,000 >>>messages per day down to bearly processing 15,000 >>> >>>Any ideas would be greatly appreciated. >>> >>>Regards, >>> >>>David Hooton >>>Senior Partner >>>Platform Hosting >>>www.platformhosting.com >>> >>> >>>Pain free spam & virus protection - >>>Mail >>>Security >>> >>>To report SPAM forward the message to: >>>spam@mailsecurity.net.au >>>To report incorrectly tagged messages: >>>notspam@mailsecurity.net.au >>> >>>28e3cd95.jpg >> >>------------------------------------------------------------------------ > >my file reads >LANG="C" >#LANG="en_US.UTF-8" >SUPPORTED="en_US.UTF-8:en_US:en" >SYSFONT="latarcyrheb-sun16" > > >What should i change supported to? Just change to C? 
Change the SUPPORTED to something like SUPPORTED="en_US:en" -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Wed Mar 3 21:42:08 2004 
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
In-Reply-To: <40461F57.7030805@solid-state-logic.com>
References: <6.0.1.1.2.20040303163557.03a07c98@imap.ecs.soton.ac.uk> <40461F57.7030805@solid-state-logic.com>
Message-ID: <40465130.7000204@eatathome.com.au>

Martin Hepworth wrote:
> John
>
> Using FreeBSD 4.8 and perl 5.8.0 from ports, not changed Perl for ages..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> John Rudd wrote:
>
>> On Mar 3, 2004, at 8:46 AM, Julian Field wrote:
>>
>>> I have been trying to reproduce the loss of speed running various different
>>> versions on the same mail messages in debug mode.
>>> Unsuccessfully :-(
>>
>> Didn't someone post an hour or so ago that their speed problem came
>> from redhat's perl update, and not from mailscanner's update? Once
>> they downgraded the speed problem went away? or something like that?
>>
>> (is anyone having the problem not using redhat, and if you're using
>> redhat and having the speed problem, did you update your version of
>> perl, via redhat instead of direct from perl, around the same time your
>> speed problem started?)
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************

Using RH9 and haven't updated anything. 4.24-5 was perfect on this machine; with 4.26.8-1 almost no successful scans, SpamAssassin would time out. I upgraded to SA 2.63, clamav.67, mailwatch.51 and mailscanner 4.26.8-1 all in one go. I reduced the child processes to 2 and still the same.

My i18n file looks like this - I am not sure if I should change anything; I had to change the LANG to C or I couldn't compile stuff.

LANG="C"
#LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

From mikea at MIKEA.ATH.CX Wed Mar 3 21:45:35 2004
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: <40463E14.5030202@ucgbook.com>; from peter@UCGBOOK.COM on Wed, Mar 03, 2004 at 09:20:36PM +0100 References: <1078345366.40463e96aeb70@webmail.MUW.Edu> <40463E14.5030202@ucgbook.com> Message-ID: <20040303154535.A88296@mikea.ath.cx> On Wed, Mar 03, 2004 at 09:20:36PM +0100, Peter Bonivart wrote: [About various worms that require explicit user interaction to spread] > I guess the real question is, how is it possible that there still is > users stupid enough to spread this? :-) Where I work, a place which I'll refer to as WeBuildHighways, about 10% of the users are Registered Professional Engineers, and the rest are quite sharp in their technical specialties -- most of which have little or nothing to do with the internals of E-mail or operating systems. I get at least one "Should I do this" note per week from my user community about deleting the "JDBGMGR.EXE virus -- the one with the panda bear as the icon". Usually it's a forward from someone else at work who has just deleted that virus because someone outside told him/her/it to do so. It's no wonder at all to me that the social engineering in more recent worms works so well: these people are ignorant and gullible, and if (to quote a poster in another mailing list) each of them got a note with instructions to put a sharp pencil up against an eyelid and run down the hall as fast as possible, I suspect at least a few would do just that. This quote applies, too: "I think when people get on the Internet their common sense may be weakened if not suspended." -- Charles Harwood, regional director of the Federal Trade Commission's Seattle office. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From cstamas at digitus.itk.ppke.hu Wed Mar 3 21:46:25 2004 
From: cstamas at digitus.itk.ppke.hu (Csillag Tamás)
Date: Thu Jan 12 21:22:58 2006
Subject: HEADS UP - viruses in password protected zip files
In-Reply-To: <20040301131101.A70553@mikea.ath.cx>
References: <20040301131101.A70553@mikea.ath.cx>
Message-ID: <20040303214625.GN6156@digitus>

On 03/01, mikea wrote:
> On Mon, Mar 01, 2004 at 12:50:50PM +0100, Peter Peters wrote:
> > On Mon, 1 Mar 2004 11:29:29 +0100, you wrote:
> > ....
> # This is /home/mikea/bin/FOUND.
> # Start Input Phase on 2004.60 (2004 Mar 1) at 13:08:49 local
> Worm.Bagle.A3              1 every 1.88 hours
> Worm.Bagle.E               1 every 1.01 hours
> Worm.Bagle.F               1 every 1.88 hours
> Worm.Mydoom.F              1 every 52.59 minutes
> Worm.SCO.A                 1 every 13.15 hours
> Worm.SomeFool              1 every 10.11 minutes
> Worm.SomeFool.B            1 every 56.34 minutes
> Worm.SomeFool.B-petite     1 every 19.72 minutes
> Total                      1 every 4.51 minutes
>
> Now, does anyone have a pointer to translating from ClamAV's malware
> names to, say, Norton's, so I can see how our stats compare to others?

Look at this:
http://sourceforge.net/mailarchive/forum.php?forum=clamav-virusdb

--
cstamas

From mikes at HARTWELLCORP.COM Wed Mar 3 21:51:24 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:58 2006 Subject: Speed problems Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com> Julian, I don't know if it is relevant but I tried switching from clamav to clamavmodule and within an hour my problems had returned. I had to switch back after running into horrible slowness issues. Julian Field wrote: > I have been trying to reproduce the loss of speed running various > different versions on the same mail messages in debug mode. > Unsuccessfully :-( > I have used versions from 4.23 onwards. All appear to run at the same > speed. I am using a "reasonable" configuration with 1 RBL check and > F-Prot. The only thing is I am not running SpamAssassin, as its speed > is very variable and so hides the real speed of the underlying > process. > > If you are suffering speed problems, please can you tell me what was > the last fast version you used, and what was the first slow version. > Did you downgrade again to fix the problem? Was it successful, and > what version was again nice and fast? > > If you run a batch through in Debug mode does it always take the same > time regardless of what version you are running? Maybe the problem > only surfaces when running lots of child processes? > > The better I can narrow down exactly when the problem occurred, the > better chance I have of finding it. It doesn't appear to be in the > more robust MIME code I implemented, that doesn't make any difference. > > Please can you help me folks? -- Michael St. Laurent Hartwell Corporation From rob at thehostmasters.com Wed Mar 3 21:50:48 2004 
From: rob at thehostmasters.com (Rob Charles)
Date: Thu Jan 12 21:22:58 2006
Subject: Bagle Zip format (from nanog)
References: <200403032128.i23LRxeg018538@siameserescue.net>
Message-ID: <01f401c40169$96e35050$0d01a8c0@basement>

So can someone help me out and show me how I would create this filter so as to catch a password encrypted zip file and not a regular zip file... I am not too keen on filters... thanks....

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: "Darrell"
To:
Sent: Wednesday, March 03, 2004 4:27 PM
Subject: Bagle Zip format (from nanog)

> Just in case this isn't common knowledge already.
>
> Z
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
> Of Jeffrey I. Schiller
> Sent: Wednesday, March 03, 2004 4:13 PM
> To: Brian Wilson
> Cc: Dan Hollis; 'nanog@merit.edu'
> Subject: Re: dealing with w32/bagle
>
> Turns out that the ZIP file format that all of these beasties are
> using is a little bit non-standard. Specifically they are all version
> 1.0 zip archives and the first (and only) component is not
> compressed.
>
> At MIT we are matching these two strings to recognize the infected ZIP
> files while letting through most (actually I have seen no false positives)
> if not all "real" ZIP files. We are matching them anywhere within an
> attachment (well, within the first 16K). However you really only need
> to see if they are the beginning characters (this is a ZIP file
> header).
>
> What follows are the base64 encoded strings. I have put an asterisk
> between the first and second character, so my own filters won't reject
> this message; do remove that before using...
>
> U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
> U*EsDBAoAAQAAA <= Matches encrypted version.
>
> -Jeff
>

From hermit921 at YAHOO.COM Wed Mar 3 21:46:26 2004
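The header check behind the two base64 strings in the NANOG post quoted above, as a worked example added here (it is not code from the list, from MIT or from MailScanner): it decodes the two prefixes with the asterisk removed, parses the ZIP local file header fields they pin down (signature, version needed 1.0, general-purpose flags, method 0 = stored), shows that the two strings differ only in the encryption flag bit, and checks that an ordinary deflated archive built with Python's zipfile matches neither. The constructed headers and the `classify`/`base64_filter` names are mine, not the post's.

```python
"""Check ZIP attachments against the Bagle header pattern from the NANOG post.

Worked example added for this page (not MailScanner, MIT or list code).  The
two base64 prefixes are the ones quoted in the post, asterisk removed; the
constructed headers below are sample input, not real worm samples.
"""
import base64
import io
import struct
import zipfile

NANOG_PLAIN = "UEsDBAoAAAAAA"      # post: "Matches unencrypted ZIP file"
NANOG_ENCRYPTED = "UEsDBAoAAQAAA"  # post: "Matches encrypted version."

# ZIP local file header, little-endian: signature, version needed to extract,
# general-purpose flags, compression method.  Only these fields matter here.
LOCAL_HEADER = struct.Struct("<4sHHH")
ZIP_LOCAL_SIG = b"PK\x03\x04"
VERSION_1_0 = 10         # stored as major*10 + minor, so 1.0 == 10
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0
METHOD_STORED = 0        # no compression


def decode_prefix(prefix: str) -> bytes:
    """Decode a base64 prefix that is not a multiple of 4 characters long.

    13 characters carry 9 whole bytes plus the top 6 bits of a tenth.  Padding
    with 'A' (all-zero bits) completes the group, so only the low 2 bits of the
    10th byte (high byte of the method field) are assumed rather than given.
    """
    padded = prefix + "A" * (-len(prefix) % 4)
    return base64.b64decode(padded)


def classify(data: bytes):
    """Return 'stored-plain', 'stored-encrypted' or None for a ZIP header.

    The post's pattern: a version 1.0 archive whose first entry is stored
    (not compressed).  The encrypted variant differs only in flag bit 0.
    """
    if len(data) < LOCAL_HEADER.size:
        return None
    sig, version, flags, method = LOCAL_HEADER.unpack_from(data)
    if sig != ZIP_LOCAL_SIG or version != VERSION_1_0 or method != METHOD_STORED:
        return None
    if flags & ~FLAG_ENCRYPTED:      # any other flag bit set: not this pattern
        return None
    return "stored-encrypted" if flags & FLAG_ENCRYPTED else "stored-plain"


def base64_filter(attachment: bytes):
    """The post's check as applied to the start of an attachment: base64-encode
    the raw bytes and compare against the two quoted prefixes."""
    encoded = base64.b64encode(attachment).decode("ascii")
    if encoded.startswith(NANOG_ENCRYPTED):
        return "stored-encrypted"
    if encoded.startswith(NANOG_PLAIN):
        return "stored-plain"
    return None


def constructed_header(flags: int, version: int = VERSION_1_0,
                       method: int = METHOD_STORED) -> bytes:
    """Constructed local file header with the remaining fields zeroed."""
    return LOCAL_HEADER.pack(ZIP_LOCAL_SIG, version, flags, method) + bytes(20)


def ordinary_zip() -> bytes:
    """A normal deflated archive from zipfile: version needed 2.0, method 8."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "ordinary deflated archive")
    return buf.getvalue()


def demo() -> dict:
    """Run every check once; both code paths agree on every sample."""
    return {
        "post-plain": classify(decode_prefix(NANOG_PLAIN)),
        "post-encrypted": classify(decode_prefix(NANOG_ENCRYPTED)),
        "constructed-plain": base64_filter(constructed_header(0)),
        "constructed-encrypted": base64_filter(constructed_header(FLAG_ENCRYPTED)),
        "ordinary-zip": base64_filter(ordinary_zip()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Because the unencrypted prefix only says "version 1.0, stored entry", a legitimate uncompressed archive can produce it too, so this is a heuristic to run alongside the virus scanner rather than a replacement for it.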
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:22:58 2006 Subject: Food for thought In-Reply-To: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net> References: <40463E14.5030202@ucgbook.com> <6.0.1.1.2.20040303204501.03925688@imap.ecs.soton.ac.uk> <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net> Message-ID: <6.0.0.22.2.20040303133616.01c05b78@pop.mail.yahoo.com> At 01:15 PM 3/3/2004, Mike McMullen wrote: >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, March 03, 2004 12:49 PM >Subject: Re: Food for thought > > > > At 20:30 03/03/2004, you wrote: > > >On 3/3/04 2:20 PM, "Peter Bonivart" wrote: > > > > I guess the real question is, how is it possible that there still is > > > > users stupid enough to spread this? :-) > > > > > >I read something the other day that was a study of users and how they > felt; > > > > > >A. The Help Desk should be handling this. > > > > > >B. They don't have time to make sure it's not a virus and should be > able to > > >open mail as they please (refer to A.) Or bother with updates. (Gotta > EBay!!) > > > > > >C. Nothing they can do about it so what's the fuss. > > > > > >Many more but those seemed to stand out to me. This was a Novel Study I > > >think done in the UK. > > > > It was done by a marketing company called TNS I believe. The best report on > > it I have seen is here: > > http://www.theregister.co.uk/content/55/35393.html > > It makes for alarming reading! > > > > Believe me, the users really are that stupid. They don't care. > > > > Maybe responsible computer use needs to take the same path that Health and > > Safety has taken. People used to ignore that because they were "too busy" > > or other such lame excuses. Now they don't have an option, and can be > > disciplined/sued if they breach H+S legislation. > > > > These lame excuses cost real businesses real money, and I think it is up to > > the businesses to start enforcing their rules, just like they do now with > > H+S rules and policies. I would certainly back company policies governing > > computer use, as long as they were enforced. > > -- > >What it comes down to is nobody wants to take responsibility for themselves or >their actions anymore. One reason why courts are full of frivolous lawsuits. 
> >Personally at an emotional level I feel that this whole password protected >zip viri thing is the equivalent of FedEX delivering a package containing >bullets and a gun with instructions to place bullet in gun, point barrel to >head, and pull trigger. Repeat if necessary. > >Somehow FedEx would be sued for wrongful death. > >Opening up a password protected zip file with the password in the same email >whether it is a known email address or not is the height of stupidity. >Especially if the email body is as funky as the ones I've seen for Bagle. > >Mike More like a grenade wrapped in plain brown paper with the pin sticking out. You can't see it is a grenade, but you can still pull the pin. Grenades tend to have more collateral damage than guns. hermit921 From mailscanner at ecs.soton.ac.uk Wed Mar 3 21:56:17 2004 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:22:58 2006
Subject: Speed problems
In-Reply-To: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com>
References: <91A5926EFF44D3118B1200104B7276EB02C56D1E@hart-exchange.hartwellcorp.com>
Message-ID: <6.0.1.1.2.20040303215601.03b58360@imap.ecs.soton.ac.uk>

What does your /etc/sysconfig/i18n file contain?

At 21:51 03/03/2004, you wrote:
>Julian,
>
>I don't know if it is relevant but I tried switching from clamav to
>clamavmodule and within an hour my problems had returned. I had to switch
>back after running into horrible slowness issues.
>
>Julian Field wrote:
> > I have been trying to reproduce the loss of speed running various
> > different versions on the same mail messages in debug mode.
> > Unsuccessfully :-(
> > I have used versions from 4.23 onwards. All appear to run at the same
> > speed. I am using a "reasonable" configuration with 1 RBL check and
> > F-Prot. The only thing is I am not running SpamAssassin, as its speed
> > is very variable and so hides the real speed of the underlying
> > process.
> >
> > If you are suffering speed problems, please can you tell me what was
> > the last fast version you used, and what was the first slow version.
> > Did you downgrade again to fix the problem? Was it successful, and
> > what version was again nice and fast?
> >
> > If you run a batch through in Debug mode does it always take the same
> > time regardless of what version you are running? Maybe the problem
> > only surfaces when running lots of child processes?
> >
> > The better I can narrow down exactly when the problem occurred, the
> > better chance I have of finding it. It doesn't appear to be in the
> > more robust MIME code I implemented, that doesn't make any difference.
> >
> > Please can you help me folks?
>
>--
>Michael St. Laurent
>Hartwell Corporation

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lindsay at pa.net Wed Mar 3 22:10:20 2004
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: References: Message-ID: <404657CC.9000802@pa.net> amavisd was patched to fix all of this mess by making the original email available in the 'parts' directory. If mailscanner dropped the original email in to be scanned, the virus scanner may be able to do the hard work. -lindsay Desai, Jason wrote: > Hello. > > I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and > ClamAV. I have had some of the latest Bagle viruses in password protected > zip files get through. I know that various virus scanners are having > trouble detecting these. I had one of these emails get quarantined because > the attachment name was Message.zip. When testing to see if the virus would > get caught yet I found something interesting with ClamAV. > > If I scan the attachment itself (Message.zip) clam reports it as clean. But > if I scan the queue files (from Exim) clam finds the virus! Here is the > output of a scan with the queue files and attachment in the same directory: > > # /opt/MailScanner/lib/clamav-wrapper . > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- > 00-H: OK > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- > 00-D: Worm.Bagle.F-zippwd-3 FOUND > /var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: > OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 20372 > Scanned directories: 1 > Scanned files: 3 > Infected files: 1 > Data scanned: 0.03 Mb > I/O buffer size: 131072 bytes > Time: 0.325 sec (0 m 0 s) > # > > So I assume that MailScanner unpacks the attachment and just scans that. > Does it make sense to allow the virus scanners to scan the queue files as > well? > > Jason From kevins at BMRB.CO.UK Wed Mar 3 22:14:29 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <404657CC.9000802@pa.net> References: <404657CC.9000802@pa.net> Message-ID: <1078352069.690.118.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: > amavisd was patched to fix all of this mess by making the original email > available in the 'parts' directory. If mailscanner dropped the original > email in to be scanned, the virus scanner may be able to do the hard work. > -lindsay > On the other hand the virus scanner will attempt to unpack the parts too. I use three virus scanners so that means the original email would get unpacked 4 times. We're already unzipping things 4 times now! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Mar 3 21:32:59 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:58 2006 Subject: {Blocked Attachment} A virus got through my server after 3 years?!!? In-Reply-To: <005801c40163$10cbd380$0d01a8c0@basement> References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com> <005801c40163$10cbd380$0d01a8c0@basement> Message-ID: <1078349579.691.98.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 21:04, Rob Charles wrote: > Warning: Alert from BMRB Systems > Warning: This message has had one or more attachments removed > Warning: (the entire message). > Warning: Please read the "VirusWarning.txt" attachment(s) for more information. > Didn't get through mine! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Wed Mar 3 22:14:55 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <404657CC.9000802@pa.net> References: <404657CC.9000802@pa.net> Message-ID: <6.0.1.1.2.20040303221408.03943488@imap.ecs.soton.ac.uk> At 22:10 03/03/2004, you wrote: >amavisd was patched to fix all of this mess by making the original email >available in the 'parts' directory. If mailscanner dropped the original >email in to be scanned, the virus scanner may be able to do the hard work. I could have done this too. But it relies on the AV companies to be up to date, which is a problem at the moment. I feel more lines of defence are needed. And as they should already know if they have done their research, they would have discovered that this only works for some of the commercial virus scanners. My method works for all of them. For example Sophos cannot find them until they are opened on the desktop. Their web pages openly admit it. A lot of MailScanner users have Sophos as their main (or lone) scanner, I have to come up with a solution that works for all of them, not just the ones using particular scanners. >-lindsay > >Desai, Jason wrote: >>Hello. >>I am running Mailscanner 4.22-5 (will be upgrading soon) with McAfee and >>ClamAV. I have had some of the latest Bagle viruses in password protected >>zip files get through. I know that various virus scanners are having >>trouble detecting these. I had one of these emails get quarantined because >>the attachment name was Message.zip. When testing to see if the virus would >>get caught yet I found something interesting with ClamAV. >>If I scan the attachment itself (Message.zip) clam reports it as clean. But >>if I scan the queue files (from Exim) clam finds the virus! Here is the >>output of a scan with the queue files and attachment in the same directory: >># /opt/MailScanner/lib/clamav-wrapper . 
>>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- >>00-H: OK >>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./1AyVhB-0000OK- >>00-D: Worm.Bagle.F-zippwd-3 FOUND >>/var/spool/MailScanner/quarantine/20040303/1AyVhB-0000OK-00/./Message.zip: >>OK >>----------- SCAN SUMMARY ----------- >>Known viruses: 20372 >>Scanned directories: 1 >>Scanned files: 3 >>Infected files: 1 >>Data scanned: 0.03 Mb >>I/O buffer size: 131072 bytes >>Time: 0.325 sec (0 m 0 s) >># >>So I assume that MailScanner unpacks the attachment and just scans that. >>Does it make sense to allow the virus scanners to scan the queue files as >>well? >>Jason -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From vosburgh at DALSEMI.COM Wed Mar 3 22:22:53 2004 
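Added example, not MailScanner's code or any list member's: one signature-independent line of defence of the kind Julian is arguing for is to refuse any archive whose ZIP headers carry the "encrypted" flag, which is what a password-protected attachment looks like before any scanner tries to open it. The sample archive is built in memory and its flag bits are patched to simulate a password-protected zip; the block/allow policy in attachment_verdict is an assumption for this demonstration, not MailScanner's own logic.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory file header signature
ENCRYPTED_FLAG = 0x0001       # general-purpose flag bit 0: member is encrypted
AES_METHOD = 99               # compression method id used by WinZip-style AES archives


def build_sample_zip(name, payload):
    """Constructed sample: an ordinary, unencrypted archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the 'encrypted' flag bit in every local and central header.

    The member data is left untouched; this only makes the archive's headers look
    like those of a password-protected zip, which is all a gateway check sees.
    """
    buf = bytearray(data)
    # flag word sits 6 bytes into a local header and 8 bytes into a central one
    for sig, flag_offset in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + flag_offset)
            struct.pack_into("<H", buf, pos + flag_offset, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def encrypted_members(data):
    """Names of members the central directory marks as encrypted or AES-compressed.

    Raises zipfile.BadZipFile when the bytes are not a zip archive at all.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG or info.compress_type == AES_METHOD]


def attachment_verdict(data):
    """Gateway policy (an assumption for this example, not MailScanner's own):
    block any archive that cannot be fully inspected, whether because a member
    is encrypted or because the bytes are not a valid zip at all."""
    try:
        names = encrypted_members(data)
    except zipfile.BadZipFile:
        return "block: not a valid zip archive"
    if names:
        return "block: encrypted members " + ", ".join(names)
    return "allow: every member can be scanned"


if __name__ == "__main__":
    plain = build_sample_zip("price.txt", b"constructed sample payload\n")
    print(attachment_verdict(plain))                   # allow: every member can be scanned
    print(attachment_verdict(mark_encrypted(plain)))   # block: encrypted members price.txt
```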
From: vosburgh at DALSEMI.COM (David Vosburgh) Date: Thu Jan 12 21:22:58 2006 Subject: bagle SpamAssassin rule [SCANNED] References: Message-ID: <40465ABD.9050209@dalsemi.com> Dave's List Addy wrote: >On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > >>For those of you who want to try to catch these with SpamAssassin, I >>think the following should work: >> >>body BAGLE_PASSWORD /password.*[0-9]{4,}/i >>describe BAGLE_PASSWORD Password.*numbers >>score BAGLE_PASSWORD 6.5 >> >>If anyone has a better suggestion, let us know! >> >> > >Has anyone found this to work? We can't upgrade as of yet to the latest MS >since we did an apt-get install :( Will know better next time :) > I tried it briefly but was getting more false positives than legitimate hits. The problem seemed to be primarily caused by phone numbers (specifically, the last four digits) included in the sender's signature coming after "password". That ".*" is pretty aggressive ;-). >-- >Thanks!! >David Thurman >List Only at Web Presence Group Net > > > -- Dave Vosburgh From mikes at HARTWELLCORP.COM Wed Mar 3 22:31:19 2004
From: mikes at HARTWELLCORP.COM (Michael St. Laurent) Date: Thu Jan 12 21:22:58 2006 Subject: Speed problems Message-ID: <91A5926EFF44D3118B1200104B7276EB02C56D20@hart-exchange.hartwellcorp.com> Urmmmm... at the moment it contains LANG="en_US" SUPPORTED="en_US:en" SYSFONT="latarcyrheb-sun16" After I made the recommended change earlier today. Unfortunately, I don't remember if I made that change before or after. If it will help troubleshoot I'll try switching back to clamavmodule again. Julian Field wrote: > What does your /etc/sysconfig/i18n file contain? > > At 21:51 03/03/2004, you wrote: >> Julian, >> >> I don't know if it is relevant but I tried switching from clamav to >> clamavmodule and within an hour my problems had returned. I had to >> switch back after running into horrible slowness issues. -- Michael St. Laurent Hartwell Corporation From Denis.Beauchemin at USHERBROOKE.CA Wed Mar 3 22:30:25 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:22:58 2006 Subject: bagle SpamAssassin rule [SCANNED] In-Reply-To: <40465ABD.9050209@dalsemi.com> References: <40465ABD.9050209@dalsemi.com> Message-ID: <1078353024.13811.379.camel@dbeauchemin.sti.usherbrooke.ca> On Wed 03/03/2004 at 17:22, David Vosburgh wrote: > Dave's List Addy wrote: > > >On 3/3/04 9:31 AM, "Dustin Baer" wrote: > > > > > > > >>For those of you who want to try to catch these with SpamAssassin, I > >>think the following should work: > >> > >>body BAGLE_PASSWORD /password.*[0-9]{4,}/i > >>describe BAGLE_PASSWORD Password.*numbers > >>score BAGLE_PASSWORD 6.5 > >> > >>If anyone has a better suggestion, let us know! > >> > >> > > > >Has anyone found this to work? We can't upgrade as of yet to the latest MS > >since we did an apt-get install :( Will know better next time :) > > > I tried it briefly but was getting more false positives than legitimate > hits. The problem seemed to be primarily caused by phone numbers > (specifically, the last four digits) included in the sender's signature > coming after "password". That ".*" is pretty aggressive ;-). Agreed.
That's why I have the following:
describe UDES_VIRUS01 Bagle virus
full UDES_VIRUS01 /^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}/i
score UDES_VIRUS01 100
describe UDES_VIRUS02 Bagle virus
full UDES_VIRUS02 /^Attached\s+file.*protected\s+with.* Password\s+is\s+\d{5}\./i
score UDES_VIRUS02 100
describe UDES_VIRUS03 Bagle virus
full UDES_VIRUS03 /^For\s+security\s+purposes.*password\s+protected\.\s+Password\s+is\s+\"\d{5}\"\./i
score UDES_VIRUS03 100
describe UDES_VIRUS04 Bagle virus
full UDES_VIRUS04 /^In\s+order\s+to\s+read.*following\s+password:\s+\d{5}\./i
score UDES_VIRUS04 100
describe UDES_VIRUS05 Bagle virus
full UDES_VIRUS05 /^\d{5}\s+--\s+archive\s+password/i
score UDES_VIRUS05 100
describe UDES_VIRUS06 Bagle virus
full UDES_VIRUS06 /^\.\.btw,\s+\"\d{5}\"\s+is\s+a\s+password\s+for\s+archive/i
score UDES_VIRUS06 100
I've created them from the messages I received and quarantined. So far, my SA rules didn't register anything 8-) Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From lindsay at PA.NET Wed Mar 3 22:32:54 2004
From: lindsay at PA.NET (Lindsay Snider) Date: Thu Jan 12 21:22:58 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <1078352069.690.118.camel@bach.kevinspicer.co.uk> References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> Message-ID: <40465D16.6030506@pa.net> Kevin Spicer wrote: > On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: > >>amavisd was patched to fix all of this mess by making the original email >>available in the 'parts' directory. If mailscanner dropped the original >>email in to be scanned, the virus scanner may be able to do the hard work. >>-lindsay >> > > On the other hand the virus scanner will attempt to unpack the parts > too. I use three virus scanners so that means the original email would > get unpacked 4 times. If some virus scanners can see viruses by seeing the message as a whole rather than in parts, it would be nice to come up with something to let them try. Maybe it could be an option setting in MailScanner.conf to include or not include the original message when virus scanning. > > We're already unzipping things 4 times now! Do you happen to use /dev/shm? If not, it may make the email explosions less painful. -lindsay > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. From Matthew.Day at BUCKINGHAM.AC.UK Wed Mar 3 22:43:25 2004
From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day) Date: Thu Jan 12 21:22:59 2006 Subject: bagle SpamAssassin rule [SCANNED] Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D57BCA@GILA> Dustin Baer wrote: > It works for me. I had to increase the score, since BAYES_00 was > basically erasing the 6.5 I gave it. David Vosburgh wrote: >I tried it briefly but was getting more false positives than legitimate >hits. The problem seemed to be primarily caused by phone numbers >(specifically, the last four digits) included in the sender's signature >coming after "password". That ".*" is pretty aggressive ;-). Taking these on board, the following seems to be working for us:
body BAGLE_PASSWORD /pass.{0,15}[0-9]{4,}/i
describe BAGLE_PASSWORD Looks like Bagle virus
score BAGLE_PASSWORD 11
Matthew Day University of Buckingham From mailscanner at ecs.soton.ac.uk Wed Mar 3 22:50:30 2004
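Added example, not from any of the posts in this thread: the rules quoted above (Dustin's original BAGLE_PASSWORD, Matthew's tightened version, and Denis's UDES_VIRUS01 and UDES_VIRUS03) run over a few constructed message bodies, counting true and false positives per rule, to show why the ".*" version fires on a phone number that follows "password" while the anchored rules do not, and that the tightened body rule still trips on an ordinary "wifi password is 87654321". The samples are made up for this demonstration; the patterns are translated from SpamAssassin's Perl syntax to Python re, and the "full" rules are applied to the body text with MULTILINE, which is an assumption about how they were meant to match.

```python
import re

# Constructed sample bodies (not real Bagle text), labelled by whether the rules
# are meant to catch them (True) or must leave them alone (False).
SAMPLES = {
    "bagle_like": 'For security purposes the attached file is password protected. Password is "12345".',
    "archive_pw": "Archive password: 54321",
    "helpdesk":   "Your new VPN password has been sent by post. Call the helpdesk on 555-0100, ext. 2048, if it fails.",
    "wifi":       "Reminder: the guest wifi password is 87654321 until Friday.",
}
LABELS = {"bagle_like": True, "archive_pw": True, "helpdesk": False, "wifi": False}

# Rules quoted in the thread, translated from SpamAssassin's /.../i syntax to Python re.
# SpamAssassin runs 'body' rules on rendered body text and 'full' rules on the raw message;
# here every pattern is run over the body text only, with MULTILINE so the '^' anchors of
# the 'full' rules match at line starts (an assumption about the intended behaviour).
RULES = {
    "BAGLE_PASSWORD (original)":  (6.5, re.compile(r"password.*[0-9]{4,}", re.I)),
    "BAGLE_PASSWORD (tightened)": (11,  re.compile(r"pass.{0,15}[0-9]{4,}", re.I)),
    "UDES_VIRUS01": (100, re.compile(
        r"^(archive\s+)?password((\s+for\s+archive)?:|\s+--)\s+\d{5}", re.I | re.M)),
    "UDES_VIRUS03": (100, re.compile(
        r'^For\s+security\s+purposes.*password\s+protected\.\s+Password\s+is\s+"\d{5}"\.',
        re.I | re.M)),
}


def hits(body):
    """Names of the rules that fire on one message body, in RULES order."""
    return [name for name, (_score, rx) in RULES.items() if rx.search(body)]


def evaluate(samples=SAMPLES, labels=LABELS):
    """Per rule: (true positives, false positives) over the labelled samples."""
    result = {}
    for name, (_score, rx) in RULES.items():
        fired = {key for key, body in samples.items() if rx.search(body)}
        tp = sum(1 for key in fired if labels[key])
        fp = sum(1 for key in fired if not labels[key])
        result[name] = (tp, fp)
    return result


if __name__ == "__main__":
    for key, body in SAMPLES.items():
        print(f"{key:11s} -> {hits(body)}")
    for name, (tp, fp) in evaluate().items():
        print(f"{name:28s} TP={tp} FP={fp}")
```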
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:22:59 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <40465D16.6030506@pa.net> References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> <40465D16.6030506@pa.net> Message-ID: <6.0.1.1.2.20040303224850.03a09bc0@imap.ecs.soton.ac.uk> At 22:32 03/03/2004, you wrote: >Kevin Spicer wrote: >>On Wed, 2004-03-03 at 22:10, Lindsay Snider wrote: >> >>>amavisd was patched to fix all of this mess by making the original email >>>available in the 'parts' directory. If mailscanner dropped the original >>>email in to be scanned, the virus scanner may be able to do the hard work. >>>-lindsay >> >>On the other hand the virus scanner will attempt to unpack the parts >>too. I use three virus scanners so that means the original email would >>get unpacked 4 times. > > >If some virus scanners can see viruses by seeing the message as a whole >rather than in parts, it would be nice to come up with something to let >them try. Maybe it could be an option setting in MailScanner.conf to >include or not include the original message when virus scanning. That will involve yet more I/O, but I'll definitely consider it. >>We're already unzipping things 4 times now! > >Do you happen to use /dev/shm? If not, it may make the email explosions >less painful. Most people already use tmpfs or BSD softupdates. Using /dev/shm itself is not necessary, it's tmpfs you are trying to get. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From marco at MUW.EDU Wed Mar 3 22:37:46 2004
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:22:59 2006 Subject: Food for thought In-Reply-To: <404646EC.1000001@ucgbook.com> References: <1078347076.4046454465774@webmail.MUW.Edu> <404646EC.1000001@ucgbook.com> Message-ID: <1078353466.40465e3aaeb73@webmail.MUW.Edu> I agree to some extent that the key to defeating virus-writers lies within the hands of our users. However, some of the techniques used can trick even the most technically savvy of us. For example, my boss got his computer infected with spyware from one site that he visited. The site displayed an ad that looked just like a Windows message (I had to really stare at it for a while). Users do not breathe and eat this stuff like we do. If they knew what we know, they would certainly be a bit more cautious. We all make mistakes, but it seems that computer mistakes nowadays are very costly. Therefore, I do *not* trust users and I want to have defenses in place because users will make mistakes and will open an attachment that they shouldn't. Kevin Spicer pointed out great points on some predictions of future viruses. I think it is wise to consider such scenarios and prepare for them rather than upgrade MailScanner, go about our business, and wait till another crisis occurs. I am considering Kevin's approach to Web filtering. Spyware *is* emerging to be one of the major threats. Who knows, maybe one day MailScanner will evolve to become a filter for not only SMTP traffic but also for HTTP traffic. Marco From listonly at WEBPRESENCEGROUP.NET Wed Mar 3 23:00:18 2004
From: listonly at WEBPRESENCEGROUP.NET (Dave's List Addy) Date: Thu Jan 12 21:22:59 2006 Subject: Food for thought [SCANNED] In-Reply-To: <06f901c40164$b719df60$3e01a8c0@express.loanprocessing.net> Message-ID: On 3/3/04 3:15 PM, "Mike McMullen" wrote: > Somehow FedEx would be sued for wrongful death. Sadly you are right. Even if the news and police told people about the "Bad" FedEX package, someone in the juror system would side with the fool. Ack! I watch way too much Law & Order :) -- Thanks!! David Thurman List Only at Web Presence Group Net From kevins at BMRB.CO.UK Wed Mar 3 23:01:52 2004
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:22:59 2006 Subject: ClamAV and Password Protected Bagles In-Reply-To: <40465D16.6030506@pa.net> References: <404657CC.9000802@pa.net> <1078352069.690.118.camel@bach.kevinspicer.co.uk> <40465D16.6030506@pa.net> Message-ID: <1078354913.690.123.camel@bach.kevinspicer.co.uk> On Wed, 2004-03-03 at 22:32, Lindsay Snider wrote: > > > > We're already unzipping things 4 times now! > > Do you happen to use /dev/shm? If not, it may make the email explosions > less painful. Yes, if you mean tmpfs. It's as much the CPU and the I/O I'm worried about since unzipping requires a fair bit of both. My machine is reaching its safe limit (copes okay day to day but got a bit behind with the first MyDoom explosion). I need to spend some time giving it a little TLC, tweak the kernel - that sort of thing. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From pete at eatathome.com.au Wed Mar 3 23:07:35 2004
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:59 2006 Subject: DOS attacked :( Message-ID: <40466537.5020603@eatathome.com.au> What should I do to rectify or prevent this? Nothing, leave it to MS? Load average is stuck on 7 and almost nothing is working on this machine, even ssh commands have a 10sec delay. Will deleting the offending email be the entire solution?
Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from adl0133.systems.sa.gov.au[143.216.236.20]
Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=, relay=none, delay=0, status=deferred (deferred transport)
Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for clamav
Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need updating
Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: Host not found
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still being delivered
Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 15 of 20
From steve.swaney at FSL.COM Wed Mar 3 23:39:21 2004
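Added example, not part of Pete's post: a small triage script over log lines constructed to match the ones above. It pulls out the queue ID that MailScanner named in its Denial Of Service warning, checks whether that ID is still sitting in the Postfix queue (the message Pete is asking whether to delete), counts scanner timeouts, and reports how far the SpamAssassin "consecutive failure N of 20" counter has climbed. The regexes are written against the message formats visible in the log above and nothing else.

```python
import re
from collections import Counter

# Log excerpt constructed for this example, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 13 of 20
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still being delivered
Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
"""

# Patterns written against the message formats visible in the log above.
DOS_RX = re.compile(r"Denial Of Service attack is in message ([0-9A-F]+)")
SA_TIMEOUT_RX = re.compile(r"SpamAssassin timed out .* consecutive failure (\d+) of (\d+)")
SCANNER_TIMEOUT_RX = re.compile(r"Commercial scanner (\S+) timed out")
QUEUED_RX = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): skipped, still being delivered")
NULL_SENDER_RX = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<>,")


def triage(log_text):
    """Summarise what the log says about the DoS message and the scanners' health."""
    dos_ids, null_sender = [], []
    queued = set()
    scanner_timeouts = Counter()
    sa_last = None
    for line in log_text.splitlines():
        if m := DOS_RX.search(line):
            dos_ids.append(m.group(1))          # queue ID MailScanner blamed
        elif m := SA_TIMEOUT_RX.search(line):
            sa_last = (int(m.group(1)), int(m.group(2)))   # latest "N of 20"
        elif m := SCANNER_TIMEOUT_RX.search(line):
            scanner_timeouts[m.group(1)] += 1
        elif m := QUEUED_RX.search(line):
            queued.add(m.group(1))              # still in the Postfix active queue
        elif m := NULL_SENDER_RX.search(line):
            null_sender.append(m.group(1))      # bounce-style mail with empty return path
    return {
        "dos_messages": dos_ids,
        "dos_still_queued": [q for q in dos_ids if q in queued],
        "scanner_timeouts": dict(scanner_timeouts),
        "sa_last_failure": sa_last,
        # timeouts left before the counter reaches its limit, after which MailScanner
        # stops calling SpamAssassin until it restarts itself
        "sa_failures_left": (sa_last[1] - sa_last[0]) if sa_last else None,
        "null_sender_messages": null_sender,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:22s} {value}")
```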
From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:22:59 2006 Subject: DOS attacked :( In-Reply-To: <40466537.5020603@eatathome.com.au> Message-ID: <20040303233922.24C6B21C29A@mail.fsl.com> I'm top posting so this won't get lost. This was written by one of our clients to handle a really severe Joe-job. His name shall be revealed if he lets me, but I don't know if he wants the credit for breaking RFC 1123 (this certainly does). This deletes any incoming email that has a return address of "<>". BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the left hand side from the right hand side rules and comments. They have been lost in the email transmission. You'll know if you've missed a tab because sendmail will croak when you try and start it. I can't verify that this works but he insisted it saved his axx. He was so upset by the attack he stayed up for 30 hours straight and learned to write sendmail.cf files from scratch. No small feat. Possibly some sendmail guru who's not battling the bagel will be kind enough to put the hack into a sendmail.mc format.
------------------ snip -----------------------------
######################################################################
######################################################################
#####
##### REWRITING RULES
#####
######################################################################
######################################################################
#Added by XXX to handle joe job on 020404

HSubject: $>Check_Subject1
D{MPat}Returned
SCheck_Subject1
R${MPat} $* $#discard


######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1

SBasic_check_mail
# check for deferred delivery mode
R$* $: < $&{deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

# authenticated?
R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+ $#$2
R$* $| $* $: $1

#modified by XXX to handle joe job on 020404 Note: org line above
#R<> $@ we MUST accept <> (RFC 1123)
R<> $@ $#discard we MUST accept <> (RFC 1123)
R$+ $: $1
R<$+> $: <@> <$1>
R$+ $: <@> <$1>
R$* $: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* > $: < $3 >
R$* $| $* $: $2
# handle case of @localhost on address
------------------ snip -----------------------------
Steve
Stephen Swaney President Fortress Systems Ltd. Steve.Swaney@FSL.com > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Pete > Sent: Wednesday, March 03, 2004 6:08 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: DOS attacked :( > > What should I do to rectify or prevent this? Nothing, leave it to MS? > > Load average is stuck on 7 and almost nothing is working on this > machine, even ssh commands have a 10sec delay. > > Will deleting the offending email be the entire solution? > > > Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, > size=3477, nrcpt=1 (queue active) > Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from > adl0133.systems.sa.gov.au[143.216.236.20] > Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: > to=, relay=none, delay=0, status=deferred > (deferred transport) > Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed > Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for > clamav > Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 12 of 20 > Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner > clamavmodule timed out! > Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner > clamavmodule timed out! > Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of > Service attack is in message A086133CDD > Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need > updating > Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of > Service attack detected!
> Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 13 of 20 > Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149: > hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed: > Host not found > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still > being delivered > Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still > being delivered > Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 14 of 20 > Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and > was killed, consecutive failure 15 of 20 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Fortress Systems Ltd. > www.fsl.com > -- This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean. Fortress Systems Ltd. - http://www.fsl.com From pete at eatathome.com.au Thu Mar 4 00:05:21 2004 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:22:59 2006 Subject: DOS attacked :( In-Reply-To: <20040303233922.24C6B21C29A@mail.fsl.com> References: <20040303233922.24C6B21C29A@mail.fsl.com> Message-ID: <404672C1.4010508@eatathome.com.au> Stephen Swaney wrote: >I'm top posting so this won't get lost. This was written by one of our >clients to handle a really severe Joe-job. His name shall be revealed if he >lets me, but I don't know if he wants the credit for breaking RFC 1123 >(this certainly does). This deletes any incoming email that has a return >address of "<>". > >BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the >left hand side from the right hand side rules and comments. They have been >lost in the email transmission. You'll know if you've missed a tab because >sendmail will croak when you try and start it. > >I can't verify that this works but he insisted it saved his axx. He was so >upset by the attack he stayed up for 30 hours straight and learned to write >sendmail.cf files from scratch. No small feat. > >Possibly some sendmail guru who's not battling the bagel will be kind enough >to put the hack into a sendmail.mc format.
>
>------------------ snip -----------------------------
>######################################################################
>######################################################################
>#####
>#####  REWRITING RULES
>#####
>######################################################################
>######################################################################
>#Added by XXX to handle joe job on 020404
>
>HSubject: $>Check_Subject1
>D{MPat}Returned
>SCheck_Subject1
>R${MPat} $*		$#discard
>
>
>######################################################################
>###  check_mail -- check SMTP `MAIL FROM:' command argument
>######################################################################
>
>SLocal_check_mail
>Scheck_mail
>R$*			$: $1 $| $>"Local_check_mail" $1
>R$* $| $#$*		$#$2
>R$* $| $*		$@ $>"Basic_check_mail" $1
>
>SBasic_check_mail
># check for deferred delivery mode
>R$*			$: < $&{deliveryMode} > $1
>R< d > $*		$@ deferred
>R< $* > $*		$: $2
>
># authenticated?
>R$*			$: $1 $| $>"tls_client" $&{verify} $| MAIL
>R$* $| $#$+		$#$2
>R$* $| $*		$: $1
>
>#modified by XXX to handle joe job on 020404 Note: org line above
>#R<>			$@		we MUST accept <> (RFC 1123)
>R<>			$@ $#discard	we MUST accept <> (RFC 1123)
>R$+			$: $1
>R<$+>			$: <@> <$1>
>R$+			$: <@> <$1>
>R$*			$: $&{daemon_flags} $| $1
>R$* f $* $| <@> < $* @ $- >	$: < ? $&{client_name} > < $3 @ $4 >
>R$* u $* $| <@> < $* >	$: < $3 >
>R$* $| $*		$: $2
># handle case of @localhost on address
>------------------ snip -----------------------------
>
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney@FSL.com
>
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 6:08 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: DOS attacked :(
>>
>>What should I do to rectify or prevent this? Nothing, leave it to MS?
>>
>>Load average is stuck on 7 and almost nothing is working on this
>>machine, even ssh commands have a 10sec delay.
>>
>>Will deleting the offending email be the entire solution?
>>
>>
>>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>,
>>size=3477, nrcpt=1 (queue active)
>>Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from
>>adl0133.systems.sa.gov.au[143.216.236.20]
>>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27:
>>to=, relay=none, delay=0, status=deferred
>>(deferred transport)
>>Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
>>Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for
>>clamav
>>Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 12 of 20
>>Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner
>>clamavmodule timed out!
>>Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner
>>clamavmodule timed out!
>>Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of
>>Service attack is in message A086133CDD
>>Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need
>>updating
>>Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of
>>Service attack detected!
>>Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 13 of 20
>>Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
>>hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
>>Host not found
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
>>being delivered
>>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
>>being delivered
>>Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 14 of 20
>>Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
>>was killed, consecutive failure 15 of 20
>>
>

Sorry, I wasn't clear enough - this is a Postfix 2.016 - working perfectly until this morning, even after the upgrade yesterday and adding DCC and pyzor, although pyzor never worked and I didn't get a chance to look at it yet.

I have tried changing the accelerated scanning mode to 40 (I assume this means when the queue is 40+ deep it will accelerate the scanning mode?).

Can someone tell me how to use postfix to display the amount of messages in the queue from the command line, or any other useful postfix commands? I did mailq -v but this displays nothing.

The latest change I made was to clamavmodule from regular clamav, tried changing it back but no luck.

Attached is my debug, nothing seems really obviously broken? Attached also is a log sample, complete, from immediately after a service MailScanner restart.

It's getting worse and all I see is 100+ messages in the queue, changed the batch mode to only do 10 at once but still all I get in the maillog is

Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was killed, consecutive failure 8 of 20

Thanks in advance for ANY help I can get on this, it's a big problem and it's getting worse by the minute :(

-------------- next part --------------
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: Score set 1 chosen.
debug: Initialising learner
debug: is Net::DNS::Resolver available? yes
debug: trying (3) microsoft.com...
debug: looking up MX for 'microsoft.com'
debug: MX for 'microsoft.com' exists? 1
debug: MX lookup of microsoft.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: Razor2 is not available
debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
debug: executable for pyzor was found at /usr/bin/pyzor
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=35931 Fuz1=235142 Fuz2=235801
debug: leaving helper-app run mode
debug: all '*To' addrs:
debug: RBL: success for 1 of 1 queries
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME
debug: received-header: parsed as [ ip=203.55.179.230 rdns=chedns02.simplot.com.au helo=chedns.simnetad.simplot.com.au by=mail01.mteliza.com.au ident= ]
debug: received-header: 'from' 203.55.179.230 is near to first 'by'
debug: received-header: relay 203.55.179.230 trusted? yes
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: rohan.hughes@simplot.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0.285
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.286
debug: running uri tests; score so far=0.286
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.286
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1
debug: leaving helper-app run mode
debug: all '*To' addrs: KKaddatz@mteliza.com.au
debug: DNS MX records found: 2
debug: RBL: success for 1 of 1 queries
debug: running meta tests; score so far=0.286
debug: is spam? score=0.286 required=5 tests=HTML_MESSAGE,NO_REAL_NAME
debug: received-header: parsed as [ ip=138.217.224.22 rdns=CPE-138-217-224-22.wa.bigpond.net.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 138.217.224.22 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: ben.martin@wanews.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0.285
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.285
debug: running uri tests; score so far=0.285
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.285
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1
debug: leaving helper-app run mode
debug: all '*To' addrs: emp@mteliza.com.au
debug: DNS MX records found: 2
debug: forged-HELO: from=bigpond.net.au helo=mteliza.com.au by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'bigpond.net.au'
debug: RBL: success for 9 of 9 queries
debug: running meta tests; score so far=6.241
debug: is spam? score=6.241 required=5 tests=MSGID_FROM_MTA_SHORT,NO_REAL_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
debug: received-header: parsed as [ ip=144.136.10.124 rdns=CPE-144-136-10-124.vic.bigpond.net.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 144.136.10.124 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: sales@rarreg.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0.285
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.285
debug: running uri tests; score so far=0.285
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.285
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=13 Fuz2=217
debug: leaving helper-app run mode
debug: all '*To' addrs: jjennings@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=bigpond.net.au helo=mteliza.com.au by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'bigpond.net.au'
debug: RBL: success for 9 of 9 queries
debug: running meta tests; score so far=6.241
debug: is spam? score=8.225 required=5 tests=MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
debug: received-header: parsed as [ ip=210.86.15.147 rdns=mta204-rme.xtra.co.nz helo=mta204-rme.xtra.co.nz by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=210.86.15.141 rdns=mta1-rme.xtra.co.nz helo= by=mta204-rme.xtra.co.nz ident= ]
debug: received-header: parsed as [ ip=219.89.124.118 rdns=worthyxp05 helo= by=mta1-rme.xtra.co.nz ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 210.86.15.147 trusted? no
debug: received-header: relay 210.86.15.141 trusted? no
debug: received-header: relay 219.89.124.118 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: worthynz@xtra.co.nz
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.7
debug: running uri tests; score so far=0.7
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.7
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=3 Fuz1=3 Fuz2=3
debug: leaving helper-app run mode
debug: all '*To' addrs: JScott@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=xtra.co.nz helo=xtra.co.nz by=mteliza.com.au
debug: forged-HELO: from=xtra.co.nz helo= by=xtra.co.nz
debug: forged-HELO: from=worthyxp05 helo= by=xtra.co.nz
debug: RBL: success for 25 of 25 queries
debug: running meta tests; score so far=0.7
debug: is spam? score=0.961 required=5 tests=HTML_50_60,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,HTML_TAG_EXISTS_TBODY,LINES_OF_YELLING,LINES_OF_YELLING_2,UPPERCASE_25_50
debug: received-header: parsed as [ ip=210.193.192.21 rdns=mail.archergroup.com.au helo=melex01.archergroup.com.au by=mail01.mteliza.com.au ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 210.193.192.21 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: mmorgan@archergroup.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.171
debug: running uri tests; score so far=0.171
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.171
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1
debug: leaving helper-app run mode
debug: all '*To' addrs: gcocks@mteliza.com.au
debug: DNS MX records found: 2
debug: forged-HELO: from=archergroup.com.au helo=archergroup.com.au by=mteliza.com.au
debug: RBL: success for 9 of 9 queries
debug: running meta tests; score so far=0.171
debug: is spam? score=0.171 required=5 tests=EXCUSE_16
debug: is Net::DNS::Resolver available? yes
debug: looking up PTR record for '209.182.98.114'
debug: PTR for '209.182.98.114': 'la-209-182-98-114'
debug: received-header: parsed as [ ip=209.182.98.114 rdns=la-209-182-98-114 helo=mail.symlog.com by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=24.94.11.195 rdns=bob helo= by=mail.symlog.com ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 209.182.98.114 trusted? no
debug: received-header: relay 24.94.11.195 trusted? no
debug: all '*From' addrs: bob@symlog.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.575
debug: running uri tests; score so far=0.575
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.575
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1
debug: leaving helper-app run mode
debug: all '*To' addrs: KMorley@mteliza.com.au CSykes@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=la-209-182-98-114 helo=symlog.com by=mteliza.com.au
debug: forged-HELO: from=bob helo= by=symlog.com
debug: RBL: success for 17 of 17 queries
debug: running meta tests; score so far=0.675
debug: is spam? score=0.675 required=5 tests=HTML_40_50,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,RCVD_IN_SORBS
debug: received-header: parsed as [ ip=211.29.105.109 rdns=winax12-109.dialup.optusnet.com.au helo=mteliza.com.au by=mail01.mteliza.com.au ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 211.29.105.109 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: jbdgwvi6825023@aol.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=3.94
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=3.94
debug: running uri tests; score so far=3.94
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=3.94
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1
debug: leaving helper-app run mode
debug: all '*To' addrs: 3dfrobinson@mteliza.com.au
debug: DNS MX records found: 4
debug: forged-HELO: from=optusnet.com.au helo=mteliza.com.au by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'mteliza.com.au' != 'optusnet.com.au'
debug: RBL: success for 9 of 9 queries
debug: running meta tests; score so far=9.896
debug: is spam? score=11.88 required=5 tests=ADDR_NUMS_AT_BIGSITE,FROM_ENDS_IN_NUMS,FROM_WEBMAIL_END_NUMS6,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
debug: received-header: parsed as [ ip=137.157.8.253 rdns=tachyon.gw.ansto.gov.au helo=tachyon.gw.ansto.gov.au by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=137.157.13.219 rdns=hadron.ansto.gov.au helo= by=tachyon.gw.ansto.gov.au ident= ]
debug: received-header: parsed as [ ip=137.157.58.208 rdns=paradise.ansto.gov.au helo=paradise.ansto.gov.au by=hadron.ansto.gov.au ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 137.157.8.253 trusted? no
debug: received-header: relay 137.157.13.219 trusted? no
debug: received-header: relay 137.157.58.208 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: hhx@ansto.gov.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1
debug: leaving helper-app run mode
debug: all '*To' addrs: JGuillot@mteliza.com.au
debug: DNS MX records found: 2
debug: forged-HELO: from=ansto.gov.au helo=ansto.gov.au by=mteliza.com.au
debug: forged-HELO: from=ansto.gov.au helo= by=ansto.gov.au
debug: forged-HELO: from=ansto.gov.au helo=ansto.gov.au by=ansto.gov.au
debug: RBL: success for 25 of 25 queries
debug: running meta tests; score so far=0
debug: is spam? score=0 required=5 tests=
debug: is Net::DNS::Resolver available? yes
debug: looking up PTR record for '199.40.206.2'
debug: PTR for '199.40.206.2': ''
debug: received-header: parsed as [ ip=199.40.206.2 rdns=199.40.206.2 helo=gateway5a.dhl.com by=mail01.mteliza.com.au ident= ]
debug: received-header: ignoring localhost handover
debug: IP is reserved, not looking up PTR
debug: received-header: parsed as [ ip=10.192.8.73 rdns=10.192.8.73 helo=viruswall by=atlas.syd-co.au.dhl.com ident= ]
debug: IP is reserved, not looking up PTR
debug: received-header: parsed as [ ip=10.192.23.88 rdns=10.192.23.88 helo=Unknown by=viruswall ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 199.40.206.2 trusted? no
debug: received-header: relay 10.192.8.73 trusted? no
debug: received-header: relay 10.192.23.88 trusted? no
debug: all '*From' addrs: michelle.dagamapinto@dhl.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=2.155
debug: running uri tests; score so far=2.155
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=2.155
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=1 Fuz1=1 Fuz2=1
debug: leaving helper-app run mode
debug: all '*To' addrs: cdagamap@mteliza.com.au mariebeatrice@rediffmail.com frank_calderone@cathaypacific.com gina@acpworldwide.com.au michael.da.gama.pinto@au.pwcglobal.com monishamendes@aol.com paulita_dgp@hotmail.com Audrey_Pinto@mcgraw-hill.com
debug: DNS MX records found: 4
debug: forged-HELO: from=199.40.206.2 helo=dhl.com by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'dhl.com' != '199.40.206.2'
debug: forged-HELO: from=10.192.8.73 helo=viruswall by=dhl.com
debug: forged-HELO: mismatch on from: '199.40.206.2' != 'dhl.com'
debug: RBL: success for 9 of 9 queries
debug: running meta tests; score so far=2.155
debug: is spam? score=2.318 required=5 tests=EXCUSE_16,HTML_50_60,HTML_MESSAGE,J_CHICKENPOX_12,J_CHICKENPOX_36,J_CHICKENPOX_56,MIME_BOUND_NEXTPART
debug: received-header: parsed as [ ip=144.140.71.11 rdns=gizmo01ps.bigpond.com helo=gizmo01ps.bigpond.com by=mail01.mteliza.com.au ident= ]
debug: is Net::DNS::Resolver available? yes
debug: looking up PTR record for '144.135.25.78'
debug: PTR for '144.135.25.78': 'psmam04.bigpond.com'
debug: received-header: parsed as [ ip=144.135.25.78 rdns=psmam04.bigpond.com helo=psmam04.bigpond.com by=gizmo01ps.bigpond.com ident= ]
debug: looking up PTR record for '138.217.40.190'
debug: PTR for '138.217.40.190': 'CPE-138-217-40-190.vic.bigpond.net.au'
debug: received-header: parsed as [ ip=138.217.40.190 rdns=CPE-138-217-40-190.vic.bigpond.net.au helo=cpe-138-217-40-190.vic.bigpond.net.au by=psmam04.bigpond.com!MAM ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 144.140.71.11 trusted? no
debug: received-header: relay 144.135.25.78 trusted? no
debug: received-header: relay 138.217.40.190 trusted? no
debug: all '*From' addrs: jlassoc@bigpond.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=0.575
debug: running uri tests; score so far=0.575
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.575
debug: Razor2 is not available
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "/usr/bin/python2: can't open file '/usr/bin/pyzor'"
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is available: /usr/local/bin/dccproc
debug: entering helper-app run mode
debug: DCC: got response: X-DCC-dcc.uncw.edu-Metrics: mail01.mteliza.com.au 1201; Body=3 Fuz1=3 Fuz2=3
debug: leaving helper-app run mode
debug: all '*To' addrs: FRobinson@mteliza.com.au TMandler@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=bigpond.com helo=bigpond.com by=mteliza.com.au
debug: forged-HELO: from=bigpond.com helo=bigpond.com by=bigpond.com
debug: RBL: success for 25 of 25 queries
debug: running meta tests; score so far=0.675
debug: is spam? score=0.675 required=5 tests=HTML_40_50,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,RCVD_IN_SORBS
Stopping now as you are debugging me.
-------------- next part --------------
Mar 4 11:09:36 mail01 postfix/smtpd[4624]: disconnect from strangecosmos.com[209.50.251.60]
Mar 4 11:09:37 mail01 MailScanner[4657]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar 4 11:09:38 mail01 MailScanner[4657]: Config: calling custom init function MailWatchLogging
Mar 4 11:09:39 mail01 MailScanner[4657]: Initialising database connection
Mar 4 11:09:39 mail01 MailScanner[4657]: Finished initialising database connection
Mar 4 11:09:41 mail01 MailScanner[4622]: Using locktype = flock
Mar 4 11:09:43 mail01 MailScanner[4622]: New Batch: Found 119 messages waiting
Mar 4 11:09:43 mail01 MailScanner[4622]: New Batch: Scanning 10 messages, 740375 bytes
Mar 4 11:09:43 mail01 MailScanner[4622]: Spam Checks: Starting
Mar 4 11:09:47 mail01 MailScanner[4670]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar 4 11:09:48 mail01 MailScanner[4670]: Config: calling custom init function MailWatchLogging
Mar 4 11:09:49 mail01 MailScanner[4670]: Initialising database connection
Mar 4 11:09:49 mail01 MailScanner[4670]: Finished initialising database connection
Mar 4 11:09:54 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:09:54 mail01 postfix/smtpd[4624]: 3E96633E13: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:09:57 mail01 MailScanner[4641]: Using locktype = flock
Mar 4 11:09:56 mail01 postfix/cleanup[4626]: 3E96633E13: message-id=<20040304000954.3E96633E13@mail01.mteliza.com.au>
Mar 4 11:09:57 mail01 MailScanner[4641]: New Batch: Found 119 messages waiting
Mar 4 11:09:57 mail01 MailScanner[4641]: New Batch: Scanning 10 messages, 119970 bytes
Mar 4 11:09:57 mail01 MailScanner[4641]: Spam Checks: Starting
Mar 4 11:09:57 mail01 postfix/qmgr[4497]: 3E96633E13: from=, size=1019, nrcpt=1 (queue active)
Mar 4 11:09:57 mail01 postfix/qmgr[4497]: 3E96633E13: to=, relay=none, delay=3, status=deferred (deferred transport)
Mar 4 11:09:58 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:04 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:05 mail01 postfix/smtpd[4624]: 0420833E11: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:13 mail01 postfix/cleanup[4626]: 0420833E11: message-id=<20040304001005.0420833E11@mail01.mteliza.com.au>
Mar 4 11:10:13 mail01 postfix/smtpd[4701]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:13 mail01 postfix/smtpd[4701]: 8508933E10: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:13 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:14 mail01 postfix/qmgr[4497]: 0420833E11: from=, size=1003, nrcpt=1 (queue active)
Mar 4 11:10:16 mail01 postfix/qmgr[4497]: 0420833E11: to=<10@mteliza.com.au>, relay=none, delay=10, status=deferred (deferred transport)
Mar 4 11:10:19 mail01 postfix/cleanup[4626]: 8508933E10: message-id=<20040304001013.8508933E10@mail01.mteliza.com.au>
Mar 4 11:10:21 mail01 postfix/qmgr[4497]: 8508933E10: from=, size=1016, nrcpt=1 (queue active)
Mar 4 11:10:21 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:21 mail01 postfix/qmgr[4497]: 8508933E10: to=, relay=none, delay=8, status=deferred (deferred transport)
Mar 4 11:10:29 mail01 MailScanner[4657]: Using locktype = flock
Mar 4 11:10:29 mail01 postfix/smtpd[4624]: connect from CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32]
Mar 4 11:10:30 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 4 11:10:31 mail01 postfix/smtpd[4624]: 6D13C33E12: client=CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32]
Mar 4 11:10:34 mail01 MailScanner[4657]: New Batch: Found 122 messages waiting
Mar 4 11:10:34 mail01 MailScanner[4657]: New Batch: Scanning 10 messages, 206807 bytes
Mar 4 11:10:34 mail01 MailScanner[4657]: Spam Checks: Starting
Mar 4 11:10:37 mail01 MailScanner[4641]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 4 11:10:40 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 4 11:10:42 mail01 postfix/cleanup[4626]: 6D13C33E12: message-id=<20040304001031.6D13C33E12@mail01.mteliza.com.au>
Mar 4 11:10:42 mail01 postfix/qmgr[4497]: 6D13C33E12: from=, size=1011, nrcpt=1 (queue active)
Mar 4 11:10:42 mail01 postfix/qmgr[4497]: 6D13C33E12: to=, relay=none, delay=11, status=deferred (deferred transport)
Mar 4 11:10:43 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 4 11:10:44 mail01 postfix/smtpd[4624]: disconnect from CPE-144-137-52-32.vic.bigpond.net.au[144.137.52.32]
Mar 4 11:10:54 mail01 postfix/smtpd[4701]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:54 mail01 postfix/smtpd[4701]: 8A80533E17: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:58 mail01 MailScanner[4670]: Using locktype = flock
Mar 4 11:10:58 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:58 mail01 MailScanner[4670]: New Batch: Found 123 messages waiting
Mar 4 11:10:58 mail01 MailScanner[4670]: New Batch: Scanning 10 messages, 81945 bytes
Mar 4 11:10:59 mail01 MailScanner[4670]: Spam Checks: Starting
Mar 4 11:10:59 mail01 postfix/cleanup[4626]: 8A80533E17: message-id=<20040304001054.8A80533E17@mail01.mteliza.com.au>
Mar 4 11:10:59 mail01 postfix/smtpd[4624]: 2C5A533E18: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:59 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:10:59 mail01 postfix/qmgr[4497]: 8A80533E17: from=, size=1015, nrcpt=1 (queue active)
Mar 4 11:10:59 mail01 postfix/qmgr[4497]: 8A80533E17: to=, relay=none, delay=5, status=deferred (deferred transport)
Mar 4 11:11:06 mail01 postfix/smtpd[4701]: warning: 200.232.207.120: hostname 200-232-207-120.dsl.telesp.net.br verification failed: Host not found
Mar 4 11:11:06 mail01 postfix/smtpd[4701]: connect from unknown[200.232.207.120]
Mar 4 11:11:08 mail01 postfix/smtpd[4853]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:08 mail01 postfix/smtpd[4701]: D381A33E19: client=unknown[200.232.207.120]
Mar 4 11:11:09 mail01 postfix/smtpd[4853]: 46C5733E1B: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:09 mail01 postfix/cleanup[4626]: 2C5A533E18: message-id=<20040304001059.2C5A533E18@mail01.mteliza.com.au>
Mar 4 11:11:10 mail01 postfix/qmgr[4497]: 2C5A533E18: from=<20728@c4m01.postdirect.com>, size=1013, nrcpt=1 (queue active)
Mar 4 11:11:10 mail01 postfix/qmgr[4497]: 2C5A533E18: to=, relay=none, delay=11, status=deferred (deferred transport)
Mar 4 11:11:11 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:12 mail01 postfix/smtpd[4624]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:13 mail01 postfix/smtpd[4624]: 117BB33E16: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:13 mail01 postfix/cleanup[4836]: D381A33E19: message-id=
Mar 4 11:11:14 mail01 postfix/qmgr[4497]: D381A33E19: from=, size=5600, nrcpt=1 (queue active)
Mar 4 11:11:14 mail01 MailScanner[4657]: Message 3E96633E13 from 150.101.123.85 (m_tannahill@bigpond.com) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10)
Mar 4 11:11:14 mail01 postfix/qmgr[4497]: D381A33E19: to=, relay=none, delay=6, status=deferred (deferred transport)
Mar 4 11:11:15 mail01 postfix/cleanup[4858]: 46C5733E1B: message-id=<20040304001109.46C5733E1B@mail01.mteliza.com.au>
Mar 4 11:11:16 mail01 postfix/smtpd[4701]: disconnect from unknown[200.232.207.120]
Mar 4 11:11:16 mail01 postfix/qmgr[4497]: 46C5733E1B: from=, size=1009, nrcpt=1 (queue active)
Mar 4 11:11:16 mail01 postfix/smtpd[4853]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:16 mail01 postfix/qmgr[4497]: 46C5733E1B: to=, relay=none, delay=7, status=deferred (deferred transport)
Mar 4 11:11:17 mail01 postfix/smtpd[4701]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:17 mail01 postfix/smtpd[4701]: 6983133E1C: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85]
Mar 4 11:11:19 mail01 postfix/cleanup[4626]: 117BB33E16: message-id=<20040304001113.117BB33E16@mail01.mteliza.com.au>
Mar 4 11:11:19 mail01 MailScanner[4657]: Message 8508933E10 from 150.101.123.85 (fremdgp@ozemail.com.au) to mteliza.com.au is spam, SpamAssassin (score=8.225,
required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:19 mail01 postfix/qmgr[4497]: 117BB33E16: from=, size=1025, nrcpt=1 (queue active) Mar 4 11:11:19 mail01 postfix/smtpd[4624]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:19 mail01 postfix/qmgr[4497]: 117BB33E16: to=, relay=none, delay=6, status=deferred (deferred transport) Mar 4 11:11:21 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:22 mail01 postfix/smtpd[4853]: connect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:22 mail01 postfix/smtpd[4853]: 6D0A233E1E: client=ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:22 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:25 mail01 postfix/cleanup[4858]: 6D0A233E1E: message-id=<20040304001122.6D0A233E1E@mail01.mteliza.com.au> Mar 4 11:11:28 mail01 postfix/cleanup[4836]: 6983133E1C: message-id=<20040304001117.6983133E1C@mail01.mteliza.com.au> Mar 4 11:11:29 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6D0A233E1E: from=<317@au.eyi.com>, size=1025, nrcpt=1 (queue active) Mar 4 11:11:29 mail01 postfix/smtpd[4853]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6D0A233E1E: to=, relay=none, delay=7, status=deferred (deferred transport) Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6983133E1C: from=, size=1031, nrcpt=1 (queue active) Mar 4 11:11:29 mail01 postfix/qmgr[4497]: 6983133E1C: to=, relay=none, delay=12, status=deferred (deferred transport) Mar 4 11:11:30 mail01 postfix/smtpd[4701]: disconnect from ppp123-85.lns1.syd2.internode.on.net[150.101.123.85] Mar 4 11:11:31 mail01 MailScanner[4657]: Message 93A4F33D14 from 67.83.169.199 
(ssadler_zo@draware.dk) to mteliza.com.au is spam, SpamAssassin (score=8.248, required 5, HTML_30_40 0.81, HTML_MESSAGE 0.00, MIME_HTML_NO_CHARSET 0.72, MIME_HTML_ONLY 0.10, RCVD_IN_BL_SPAMCOP_NET 2.25, RCVD_IN_DSBL 1.10, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_DIALUP 0.53, RCVD_IN_SORBS 0.10) Mar 4 11:11:36 mail01 MailScanner[4641]: Message 5021C33DFB from 150.101.123.85 (barbara_carr@t-online.de) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:36 mail01 postfix/smtpd[4624]: warning: 209.216.97.71: hostname smtp216.tam10.com verification failed: Host not found Mar 4 11:11:36 mail01 postfix/smtpd[4624]: connect from unknown[209.216.97.71] Mar 4 11:11:37 mail01 postfix/smtpd[4624]: 2521A33E1A: client=unknown[209.216.97.71] Mar 4 11:11:37 mail01 MailScanner[4670]: Message 962ED33E0E from 150.101.123.85 (566@syd02.aimnsw.com.au) to mteliza.com.au is spam, SpamAssassin (score=12.932, required 5, FROM_ALL_NUMS 1.16, FROM_ENDS_IN_NUMS 0.87, FROM_STARTS_WITH_NUMS 1.57, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_DNS_FOR_FROM 1.10, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:11:39 mail01 postfix/cleanup[4626]: 2521A33E1A: message-id=<20040304001137.2521A33E1A@mail01.mteliza.com.au> Mar 4 11:11:40 mail01 postfix/qmgr[4497]: 2521A33E1A: from=, size=4273, nrcpt=1 (queue active) Mar 4 11:11:40 mail01 postfix/qmgr[4497]: 2521A33E1A: to=, relay=none, delay=3, status=deferred (deferred transport) Mar 4 11:11:40 mail01 postfix/smtpd[4624]: disconnect from unknown[209.216.97.71] Mar 4 11:11:44 mail01 postfix/smtpd[4701]: connect from level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:44 mail01 postfix/smtpd[4701]: D3BD033E1D: client=level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:46 mail01 postfix/cleanup[4858]: 
D3BD033E1D: message-id=<20040304001144.D3BD033E1D@mail01.mteliza.com.au> Mar 4 11:11:46 mail01 postfix/qmgr[4497]: D3BD033E1D: from=, size=1024, nrcpt=1 (queue active) Mar 4 11:11:46 mail01 postfix/smtpd[4701]: disconnect from level-3-right-153.newcastle.edu.au[134.148.196.153] Mar 4 11:11:46 mail01 postfix/qmgr[4497]: D3BD033E1D: to=, relay=none, delay=2, status=deferred (deferred transport) Mar 4 11:11:54 mail01 MailScanner[4641]: Message 54EF233CEC from 202.126.109.6 (lawriedrew@optusnet.com.au) to mteliza.com.au is spam, SpamAssassin (score=5.579, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83) Mar 4 11:11:58 mail01 postfix/smtpd[4853]: connect from unknown[203.55.54.254] Mar 4 11:11:58 mail01 postfix/smtpd[4853]: 8441733E1F: client=unknown[203.55.54.254] Mar 4 11:11:58 mail01 postfix/cleanup[4836]: 8441733E1F: message-id=<200403040000.i24006UC000752@HylaFAX> Mar 4 11:12:00 mail01 postfix/qmgr[4497]: 8441733E1F: from=, size=129573, nrcpt=1 (queue active) Mar 4 11:12:00 mail01 postfix/smtpd[4853]: disconnect from unknown[203.55.54.254] Mar 4 11:12:00 mail01 postfix/qmgr[4497]: 8441733E1F: to=, relay=none, delay=2, status=deferred (deferred transport) Mar 4 11:12:05 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:06 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:10 mail01 MailScanner[4670]: Message 90E8D33D05 from 144.137.47.17 (3@mta08ps.p) to mteliza.com.au is spam, SpamAssassin (score=10.489, required 5, FROM_ALL_NUMS 1.16, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_DNS_FOR_FROM 1.10, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:12:11 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 4 11:12:47 mail01 MailScanner[4599]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 
4 11:12:48 mail01 MailScanner[4622]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 4 11:12:50 mail01 MailScanner[4657]: Message 97DD833D3D from 202.53.34.134 (chiltons@netspace.net.au) to mteliza.com.au is spam, SpamAssassin (score=5.579, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83) Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Checks: Found 4 spam messages Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 3E96633E13 actions are store Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 8508933E10 actions are store Mar 4 11:12:50 mail01 MailScanner[4657]: Spam Actions: message 93A4F33D14 actions are store Mar 4 11:12:50 mail01 MailScanner[4670]: Message 6D13C33E12 from 144.137.52.32 (blossompalmiter@velnet.com) to mteliza.com.au is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15, MSGID_FROM_MTA_SHORT 3.31, NO_REAL_NAME 0.28, PRIORITY_NO_NAME 0.83, RCVD_IN_DYNABLOCK 2.55, RCVD_IN_SORBS 0.10) Mar 4 11:12:51 mail01 MailScanner[4657]: Spam Actions: message 97DD833D3D actions are store Mar 4 11:12:52 mail01 MailScanner[4610]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 From kevins at BMRB.CO.UK Thu Mar 4 00:32:27 2004 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:22:59 2006
Subject: DOS attacked :(
In-Reply-To: <404672C1.4010508@eatathome.com.au>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au>
Message-ID: <1078360347.11239.146.camel@bach.kevinspicer.co.uk>

Is update_virus_scanners running? If for some reason a scanner update hangs MailScanner will stop processing mail. If this is the case please post which scanner is the problem so that timeout code can be added to its wrapper script.

Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't working properly.

Maybe turn SA off for a while to catch up? Or just turn off all SA's network checks.

Maybe the bayes database is causing a problem, try turning off bayes (turn off the bayes auto rebuild in MailScanner too if your version has it).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mark at TIPPINGMAR.COM Thu Mar 4 00:36:29 2004
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:23:00 2006
Subject: DOS attacked :(
In-Reply-To: <404672C1.4010508@eatathome.com.au>
References: <20040303233922.24C6B21C29A@mail.fsl.com>
Message-ID: <4046098D.24598.6AD4D29@localhost>

On 4 Mar 2004 at 11:05, Pete wrote:

> Stephen Swaney wrote:
>
> >I'm top posting so this won't get lost. This was written by one of our
> >clients to handle a really severe Joe-job. His name shall be revealed if he
> >lets me, but I don't know if he wants the credit for breaking RFC 1123
> >(this certainly does). This deletes any incoming email that has a return
> >address of "<>".
> >
> >BE CAREFUL WITH THE TABS. Don't cut 'n paste this, tabs must separate the
> >Left hand side from the right hand side rules and comments. They have been
> >lost in the email transmission. You'll know if you've missed a tab because
> >sendmail will croak when you try and start it.
> >
> >I can't verify that this works but he insisted it saved his axx. He was so
> >upset by the attack he stayed up for 30 hours straight and learned to write
> >sendmail.cf files from scratch. No Small feat.
> >
> >Possibly some sendmail guru who's not battling the bagel will be kind enough
> >to put the hack into a sendmail.mc format.
> >
> >------------------ snip -----------------------------
> >######################################################################
> >######################################################################
> >#####
> >#####  REWRITING RULES
> >#####
> >######################################################################
> >######################################################################
> >#Added by XXX to handle joe job on 020404
> >
> >HSubject: $>Check_Subject1
> >D{MPat}Returned
> >SCheck_Subject1
> >R${MPat} $* $#discard
> >
> >
> >######################################################################
> >###  check_mail -- check SMTP `MAIL FROM:' command argument
> >######################################################################
> >
> >SLocal_check_mail
> >Scheck_mail
> >R$* $: $1 $| $>"Local_check_mail" $1
> >R$* $| $#$* $#$2
> >R$* $| $* $@ $>"Basic_check_mail" $1
> >
> >SBasic_check_mail
> ># check for deferred delivery mode
> >R$* $: < $&{deliveryMode} > $1
> >R< d > $* $@ deferred
> >R< $* > $* $: $2
> >
> ># authenticated?
> >R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
> >R$* $| $#$+ $#$2
> >R$* $| $* $: $1
> >
> >#modified by XXX to handle joe job on 020404 Note: org line above
> >#R<> $@ we MUST accept <> (RFC 1123)
> >R<> $@ $#discard we MUST accept <> (RFC 1123)
> >R$+ $: $1
> >R<$+> $: <@> <$1>
> >R$+ $: <@> <$1>
> >R$* $: $&{daemon_flags} $| $1
> >R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
> >R$* u $* $| <@> < $* > $: < $3 >
> >R$* $| $* $: $2
> ># handle case of @localhost on address
> >------------------ snip -----------------------------
> >
> >
> >Steve
> >
> >Stephen Swaney
> >President
> >Fortress Systems Ltd.
> >Steve.Swaney@FSL.com
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 6:08 PM
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: DOS attacked :(
> >>
> >>What should i do to rectify or prevent this? Nothing, leave it to MS?
> >>
> >>Load average is stuck on 7 and almost nothing is working on this
> >>machine, even ssh commands have a 10sec delay.
> >>
> >>Will deleting the offending email be the entire solution?
> >>
> >>
> >>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>,
> >>size=3477, nrcpt=1 (queue active)
> >>Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from
> >>adl0133.systems.sa.gov.au[143.216.236.20]
> >>Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27:
> >>to=, relay=none, delay=0, status=deferred
> >>(deferred transport)
> >>Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
> >>Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for
> >>clamav
> >>Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 12 of 20
> >>Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner
> >>clamavmodule timed out!
> >>Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner
> >>clamavmodule timed out!
> >>Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of
> >>Service attack is in message A086133CDD
> >>Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need
> >>updating
> >>Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of
> >>Service attack detected!
> >>Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 13 of 20
> >>Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
> >>hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
> >>Host not found
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
> >>being delivered
> >>Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
> >>being delivered
> >>Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 14 of 20
> >>Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 15 of 20
> >>
> >>--
> >>This message has been scanned for viruses and
> >>dangerous content by MailScanner, and is
> >>believed to be clean.
> >>
> >>Fortress Systems Ltd.
> >>www.fsl.com
> >>
> >>
> >>
> >
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by Fortress Secure Mail Gateway
> >and was found to be clean.
> >
> >Fortress Systems Ltd. - http://www.fsl.com
> >
> >
> >
> >
> >
> >
>
> Sorry, i wasn't clear enough - this is a postfix 2.016 - working
> perfectly until this morning, even after upgrade yesterday and added DCC
> and pyzor, although pyzor never worked and i didn't get a chance to look
> at it yet. I have tried changing the accelerated scanning mode to 40 (i
> assume this means when the queue is 40+ deep it will accelerate the
> scanning mode?
>
> Can some one tell me how to use postfix to display the amount of
> messages in the queue from command line, or any other useful postfix
> commands? I did mailq -v but this displays nothing.
>
> The latest change i made was to clamavmodule from regular clamav, tried
> changing it back but no luck. attached is my debug, nothing seems really
> obviously broken?
>
> Attached also is a log sample, complete, from immediately after a service
> MailScanner restart
>
> It's getting worse and all i see is 100+ messages in the queue, changed
> the batch mode to only do 10 at once but still all i get in the maillog is
> Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was
> killed, consecutive failure 8 of 20
>
> thanks in advance for ANY help i can get on this, its a big problem and
> its getting worse by the minute :(
>

Your problem is the SpamAssassin timeouts. You could disable SpamAssassin in your MailScanner.conf until your machine catches up, or you could debug the timeouts. Here is a suggested method from a recent posting by Julian Field:

Kill all the MailScanner processes (some of them will take several seconds to die, let them get on with it).
Edit /etc/MailScanner/MailScanner.conf.
Set Debug = yes
Set Debug SpamAssassin = yes
Wait until you have a few messages collected in /var/spool/mqueue.in.
Then run "check_MailScanner".
It should spew output about SpamAssassin, during which it will hopefully pause, waiting for something to happen. The output when it pauses should hopefully give you some clue about why it is timing out. It will run 1 batch of messages and then quit.

--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA 94704
visit our website at http://www.tippingmar.com

From pete at eatathome.com.au Thu Mar 4 01:09:37 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:00 2006
Subject: DOS attacked :(
In-Reply-To: <1078360347.11239.146.camel@bach.kevinspicer.co.uk>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au> <1078360347.11239.146.camel@bach.kevinspicer.co.uk>
Message-ID: <404681D1.2040902@eatathome.com.au>

Kevin Spicer wrote:

>Is update_virus_scanners running? If for some reason a scanner update
>hangs MailScanner will stop processing mail. If this is the case please
>post which scanner is the problem so that timeout code can be added to
>its wrapper script.
>
>Is Spamassasin trying to use pyzor? Make sure its not if it isn't
>working properly.
>
>Maybe turn SA off for a while to catch up? Or just turn off all SA's
>network checks.
>
>Maybe the bayes database is causing a problem, try turning off bayes
>(turn off the bayes auto rebuild in MailScanner too if your version has
>it).
>
>
>

First thing i did was turn off bayes.

Yes virus update scanner is running, although i did see some deferred for 600secs messages, but recently i did see it had updated. I have only updated to clamavmodule this morning, previously was just clamav.

I have already added Use_pyzor 0 since i couldn't get it to work (is it a matter of install and then restart MS?)

I turned did skip rbls and this made a huge difference in reducing the queue size. I have now turned them back on.

I have the latest stable release, and now i have turned off auto rebuild too.

Seems like the queue gets reduced, then something becomes broken again and then queue grows and this repeats - have had never had a message stuck before, not even one - today there were 120, this went down to 40 when i made the changes suggested above, then sa timeouts and back up 100.

I don't really want to turn off SA, I want to stop spam. SO i will persevere for the rest of the day trying to get this working again.

Thanks for your help.

From rich at MAIL.WVNET.EDU Thu Mar 4 01:35:41 2004
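A log-side check for the symptoms Pete's log shows and Mark pins down as the problem, added here as an example and not code from MailScanner or from anyone in the thread: it tallies the "SpamAssassin timed out and was killed, consecutive failure N of 20" lines per MailScanner child against the limit, counts what Postfix deferred to the scanner transport, and follows the "messages waiting" figure, so an operator can see whether every child is timing out (which points at SA's network checks or machine load, as Kevin suggests) or only one. The sample lines are constructed in the thread's log format; the pids and queue ids are made up.

```python
"""Tally what this thread keeps returning to in a MailScanner/Postfix maillog:
per-child "SpamAssassin timed out ... consecutive failure N of M" lines, Postfix
entries deferred to the scanner transport, and the "messages waiting" figure.
Added example, not MailScanner code; sample lines are constructed (made-up pids
and queue ids)."""
import re
from collections import defaultdict

# One regex per line shape seen in the thread; the syslog prefix is ignored.
TIMEOUT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed, "
    r"consecutive failure (?P<n>\d+) of (?P<limit>\d+)"
)
VERDICT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Message (?P<qid>[0-9A-F]+) from .* is "
    r"(?:not )?spam, SpamAssassin \(score="
)
WAITING_RE = re.compile(r"MailScanner\[\d+\]: New Batch: Found (?P<n>\d+) messages waiting")
DEFERRED_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): to=.*status=deferred \(deferred transport\)"
)

# Constructed sample in the format the thread shows.
SAMPLE_LOG = """\
Mar  4 11:09:57 mail01 MailScanner[5001]: New Batch: Found 119 messages waiting
Mar  4 11:09:57 mail01 postfix/qmgr[4900]: AAAA01AAAA: to=<user@example.com>, relay=none, delay=3, status=deferred (deferred transport)
Mar  4 11:10:30 mail01 MailScanner[5002]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar  4 11:10:34 mail01 MailScanner[5003]: New Batch: Found 122 messages waiting
Mar  4 11:10:37 mail01 MailScanner[5001]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar  4 11:10:42 mail01 postfix/qmgr[4900]: AAAA02AAAA: to=<user@example.com>, relay=none, delay=11, status=deferred (deferred transport)
Mar  4 11:11:14 mail01 MailScanner[5003]: Message AAAA01AAAA from 192.0.2.10 (sender@example.net) to example.com is spam, SpamAssassin (score=8.225, required 5, MISSING_MIMEOLE 1.15)
Mar  4 11:11:21 mail01 MailScanner[5002]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar  4 11:12:05 mail01 MailScanner[5002]: SpamAssassin timed out and was killed, consecutive failure 3 of 20
Mar  4 11:12:47 mail01 MailScanner[5002]: SpamAssassin timed out and was killed, consecutive failure 4 of 20
Mar  4 11:12:48 mail01 MailScanner[5001]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar  4 11:12:50 mail01 MailScanner[5003]: New Batch: Found 130 messages waiting
"""


def analyse(lines):
    """Summarise an iterable of maillog lines into a dict of counters."""
    timeouts = defaultdict(int)  # pid -> highest consecutive-failure count it reported
    scored = defaultdict(int)    # pid -> messages SpamAssassin finished scoring
    deferred = set()             # queue ids Postfix deferred to the MailScanner transport
    waiting = []                 # "messages waiting" figures, in log order
    limit = None                 # the "of M" part of the timeout line
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            pid = m.group("pid")
            timeouts[pid] = max(timeouts[pid], int(m.group("n")))
            limit = int(m.group("limit"))
            continue
        m = VERDICT_RE.search(line)
        if m:
            scored[m.group("pid")] += 1
            continue
        m = WAITING_RE.search(line)
        if m:
            waiting.append(int(m.group("n")))
            continue
        m = DEFERRED_RE.search(line)
        if m:
            deferred.add(m.group("qid"))
    return {"timeouts": dict(timeouts), "scored": dict(scored),
            "deferred": deferred, "waiting": waiting, "limit": limit}


def report(summary, warn_fraction=0.5):
    """One finding per string: per-child timeouts, spread, queue trend, deferrals."""
    out = []
    limit = summary["limit"]
    for pid, n in sorted(summary["timeouts"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- more than half way to the limit" if limit and n >= warn_fraction * limit else ""
        out.append(f"child {pid}: {n} consecutive SpamAssassin timeouts (limit {limit}), "
                   f"{summary['scored'].get(pid, 0)} messages scored{flag}")
    timing_out = set(summary["timeouts"])
    seen = timing_out | set(summary["scored"])
    if len(seen) > 1 and timing_out == seen:
        # Every child affected: look at SA's network checks or overall load,
        # as the thread suggests, rather than at one wedged process.
        out.append("every MailScanner child is timing out: check SA network checks "
                   "(RBLs, Razor, Pyzor, DCC) or machine load")
    if summary["waiting"]:
        first, last = summary["waiting"][0], summary["waiting"][-1]
        trend = "growing" if last > first else "shrinking" if last < first else "flat"
        out.append(f"incoming queue: {first} -> {last} messages waiting ({trend})")
    out.append(f"{len(summary['deferred'])} queue ids deferred to the MailScanner transport")
    return out


if __name__ == "__main__":
    for finding in report(analyse(SAMPLE_LOG.splitlines())):
        print(finding)
```

On a live box, feed it the real file instead of the sample, e.g. `analyse(open("/var/log/maillog"))`.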
From: rich at MAIL.WVNET.EDU (Richard Lynch)
Date: Thu Jan 12 21:23:00 2006
Subject: ANNOUNCE: Unstable 4.28.3 released
In-Reply-To: <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303102258.03e5d788@imap.ecs.soton.ac.uk> <4045E254.900@mail.wvnet.edu> <6.0.1.1.2.20040303140840.03f839d8@imap.ecs.soton.ac.uk>
Message-ID: <404687ED.7020904@mail.wvnet.edu>

Julian Field wrote:
> At 13:49 03/03/2004, you wrote:
>
>> Julian Field wrote:
>>
>>> Download as usual from www.mailscanner.info.
>>>
>>> Please report any problems!
>>
>>
>> Ok, something is still not right. I have...
>>
>> Allow Password-Protected Archives = no
>>
>> and
>>
>> Maximum Archive Depth = 0 (I also tried -1)
>>
>> When Maximum Archive Depth is set to -1 or 0 it will deliver a password
>> protected zip file even though I have Allow Password-Protected Archives
>> set to "no". If I have Maximum Archive Depth set to 3 then the
>> protected zip is not delivered as expected but internal zip checking is
>> done which is what I want to disable. I hope I'm not misinterpreting
>> how this should work.
>
>
> You can't currently check the contents of the zip files without unpacking
> them. Unpacking them causes the other checks to be run on their members.
>
> So now I have changed it:
> setting the options as you have given it above will now just test the
> first level of zip files to see if their members are encrypted at all. It won't
> actually extract them. Because it doesn't extract them it can't do any
> more levels of nesting.
>
> BTW "All-Viruses" now includes "Zip-Password" in the silent viruses
> list.
>

I tested it this afternoon and moved it into production a little while ago. Everything is working great. Regular zip files are allowed again and the password protected zips are now banned. The complaints have stopped... life is good. You did it again Julian. Your contributions are outstanding. K-12, Higher-Ed, and state government in WVa all get enormous benefit from what you do. Thank you.

--
Richard E. Lynch
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV 26505
(304) 293-5192 x243

From raymond at PROLOCATION.NET Thu Mar 4 01:57:46 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:00 2006
Subject: Clamlib fixed ?
Message-ID:

Hi!

Revision history for Perl extension Mail::ClamAV.

0.06 Thu Feb 12 08:11:38 AM 2004
  - added INC for include paths, LIBS does not work for includes
  - updated README

0.06 Thu Feb 12 08:04:27 AM 2004
  - added back accidentally removed code which removes the require
    code from ClamAV.pm.
    Reported by Julian Field

Bye,
Raymond.

From pete at eatathome.com.au Thu Mar 4 02:05:24 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:00 2006
Subject: Clamlib fixed ?
In-Reply-To:
References:
Message-ID: <40468EE4.8060705@eatathome.com.au>

Raymond Dijkxhoorn wrote:

>Hi!
>
>Revision history for Perl extension Mail::ClamAV.
>
>0.06 Thu Feb 12 08:11:38 AM 2004
>  - added INC for include paths, LIBS does not work for includes
>  - updated README
>
>0.06 Thu Feb 12 08:04:27 AM 2004
>  - added back accidentally removed code which removes the require
>    code from ClamAV.pm.
>    Reported by Julian Field
>
>Bye,
>Raymond.
>
>
>.
>
>
>

Does this mean we should be doing an install Mail::ClamAV in cpan to update this?

I installed 5 hours ago, up to date enough?

From steve.swaney at FSL.COM Thu Mar 4 02:11:54 2004
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:23:00 2006
Subject: DOS attacked :(
In-Reply-To: <404681D1.2040902@eatathome.com.au>
Message-ID: <20040304021154.488EF21C29A@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 8:10 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
> Kevin Spicer wrote:
>
> >Is update_virus_scanners running? If for some reason a scanner update
> >hangs MailScanner will stop processing mail. If this is the case please
> >post which scanner is the problem so that timeout code can be added to
> >its wrapper script.
> >
> >Is Spamassasin trying to use pyzor? Make sure its not if it isn't
> >working properly.
> >
> >Maybe turn SA off for a while to catch up? Or just turn off all SA's
> >network checks.
> >
> >Maybe the bayes database is causing a problem, try turning off bayes
> >(turn off the bayes auto rebuild in MailScanner too if your version has
> >it).
> >
> >
> >
> First thing i did was turn off bayes.
> Yes virus update scaner is running, although i did see some deferred for
> 600secs messages,

This is normal with the latest versions of MailScanner. Julian added a delay so we wouldn't all hit the ClamAV servers at the top of the hour. You might want to change the delay in your update_virus_scanners so we don't all hit the servers at 600 seconds after the hour.

> but recently i did see it had updated. I have only
> updated tpo clamavmodule this morning, previously was just clamav.
> I have already added Use_pyzor 0 since i couldnt get it to work (is it a
> matter of install and then restart MS?)

From your earlier post:

debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file '/usr/bin/pyzor'

There is something wrong with your Pyzor installation. You can't open /usr/bin/Pyzor. Leave

use_pyzor 0

Set in your spam.assassin.prefs.conf until you get this sorted out.

> I turned did skip rbls and this made a huge difference in reducing the
> queue size. I have now turned them back on.

This is telling you something. When you turn off SpamAssassin network checks, things improve. When you turn them on things get worse. You are having a problem running network checks. Try running:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

and see if you can see or feel any delays.

Also from your debug output:

debug: Razor2 is not available

leave use_razor2 0

off until you get this sorted out. Often this is caused by not following the Install instructions, i.e. running

razor-admin -create
razor-admin -register

After the install. Go to the razor web site and read the installation documents.

> I have the leatest stable release, and now i have turned off auto
> rebuild too.

From looking at your debug output you're not trying to use Bayes at this point.

> Seems like the queue gets reduced, then something becomes broken again
> and then queue grows and this repeats - have had never had a message
> stuck before, not even one - today there were 120, this went down to 40
> when i made the changes suggested above, then sa timeouts and back up 100.

They are not stuck, they're just delayed. We have some ISP customers whose incoming queues fluctuate from 2 to 700 messages waiting depending on the time of day and spam loads.

> I don't really want to turn off SA, I want to stop spam. SO i will
> persevere for the rest of the day trying to get this workiing again.
> Thanks for your help.
>

You'll still stop spam with the network checks off - just not as much. SpamAssassin weighs scores differently if network checks are off so it's not as bad as it seems.

And finally

1. What versions of MailScanner and SpamAssassin were you running before the upgrade
2. What hardware - processor, disks and memory are you using?
3. What is your daily email volume?

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney@FSL.com

--
This message has been scanned for viruses and dangerous content by Fortress Secure Mail Gateway and was found to be clean.

Fortress Systems Ltd.
- http://www.fsl.com

From raymond at PROLOCATION.NET Thu Mar 4 02:29:26 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:00 2006
Subject: Clamlib fixed ?
In-Reply-To: <40468EE4.8060705@eatathome.com.au>
Message-ID:

Hi!

> >0.06 Thu Feb 12 08:11:38 AM 2004
> >  - added INC for include paths, LIBS does not work for includes
> >  - updated README
> >
> >0.06 Thu Feb 12 08:04:27 AM 2004
> >  - added back accidentally removed code which removes the require
> >    code from ClamAV.pm.
> >    Reported by Julian Field

> Does this mean we should be doing an install Mail::ClamAV in cpan to
> update this?
>
> I installed 5 hours ago, up to date enough?

You most likely have that version running now. It's working it seems :)

Mar 4 03:28:24 vmx10 MailScanner[3921]: INFECTED:: Worm.SomeFool.Gen-1:: ./i242SGsl003912/your_picture.pif
Mar 4 03:28:24 vmx10 MailScanner[3921]: Virus Scanning: ClamAV Module found 1 infections
Mar 4 03:28:24 vmx10 MailScanner[3805]: Virus and Content Scanning: Starting
Mar 4 03:28:24 vmx10 MailScanner[3921]: /var/spool/MailScanner/incoming/3921/i242SGsl003912/your_picture.pif Infection: W32/Netsky.D@mm

Bye,
Raymond.

From pete at eatathome.com.au Thu Mar 4 02:32:42 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:00 2006
Subject: DOS attacked :(
In-Reply-To: <20040304021154.488EF21C29A@mail.fsl.com>
References: <20040304021154.488EF21C29A@mail.fsl.com>
Message-ID: <4046954A.8010000@eatathome.com.au>

Stephen Swaney wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 8:10 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Kevin Spicer wrote:
>>
>>>Is update_virus_scanners running? If for some reason a scanner update
>>>hangs MailScanner will stop processing mail. If this is the case please
>>>post which scanner is the problem so that timeout code can be added to
>>>its wrapper script.
>>>
>>>Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't
>>>working properly.
>>>
>>>Maybe turn SA off for a while to catch up? Or just turn off all SA's
>>>network checks.
>>>
>>>Maybe the bayes database is causing a problem, try turning off bayes
>>>(turn off the bayes auto rebuild in MailScanner too if your version has
>>>it).
>>>
>>First thing I did was turn off bayes.
>>Yes virus update scanner is running, although I did see some deferred for
>>600secs messages,
>>
>
>This is normal with the latest versions of MailScanner. Julian added a delay
>so we wouldn't all hit the ClamAV servers at the top of the hour. You might
>want to change the delay in your update_virus_scanners so we don't all hit
>the servers at 600 seconds after the hour.
>

Will change that now. Thanks.

>>but recently I did see it had updated. I have only
>>updated to clamavmodule this morning, previously was just clamav.
>>I have already added Use_pyzor 0 since I couldn't get it to work (is it a
>>matter of install and then restart MS?)
>>
>
>From your earlier post:
>
>debug: Pyzor is available: /usr/bin/pyzor
>debug: entering helper-app run mode
>debug: Pyzor: got response: /usr/bin/python2: can't open file
>'/usr/bin/pyzor'
>
>There is something wrong with your Pyzor installation. You can't open
>/usr/bin/Pyzor. Leave
>
>use_pyzor 0
>
>Set in your spam.assassin.prefs.conf until you get this sorted out.
>

Yep, have left this on since I first tried to install pyzor, that output appears in the debug anyway, I haven't tried to install razor2 yet as I stopped installing stuff when I didn't get pyzor going, dcc was working fine, but disabled it when these troubles started and it will stay off for the time being. All 3 entries exist in spam.assassin.prefs.conf: use_pyzor 0, razor and dcc.

>>I did skip rbls and this made a huge difference in reducing the
>>queue size. I have now turned them back on.
>>
>
>This is telling you something. When you turn off SpamAssassin network
>checks, things improve. When you turn them on things get worse. You are
>having a problem running network checks. Try running:
>
>spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>
>and see if you can see or feel any delays.
>
>Also from your debug output:
>debug: Razor2 is not available
>
>leave use_razor2 0
>
>off until you get this sorted out. Often this is caused by not following the
>Install instructions, i.e. running
>
>razor-admin -create
>razor-admin -register
>
>After the install. Go to the razor web site and read the installation
>documents.
>
>>I have the latest stable release, and now I have turned off auto
>>rebuild too.
>>
>
>From looking at your debug output you're not trying to use Bayes at this
>point.
>
>>Seems like the queue gets reduced, then something becomes broken again
>>and then queue grows and this repeats - have never had a message
>>stuck before, not even one - today there were 120, this went down to 40
>>when I made the changes suggested above, then SA timeouts and back up 100.
>>
>
>They are not stuck, they're just delayed. We have some ISP customers whose
>incoming queues fluctuate from 2 to 700 messages waiting depending on the time
>of day and spam loads.
>

I mentioned this because prior to upgrading I never ever had any messages delayed in the queue, now I have a 100 all the time.

>>I don't really want to turn off SA, I want to stop spam. So I will
>>persevere for the rest of the day trying to get this working again.
>>Thanks for your help.
>>
>
>You'll still stop spam with the network checks off - just not as much.
>SpamAssassin weighs scores differently if network checks are off so it's not
>as bad as it seems.
>
>And finally
>
>1. What versions of MailScanner and SpamAssassin were you running before the
>upgrade
>2. What hardware - processor, disks and memory are you using?
>3. What is your daily email volume?
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney@FSL.com
>

RH9, untouched or upgraded since original installation.
I started with MS4.24-5, postfix 2.16, sa2.60, clamav .60, mailwatch 3.b
upgraded to
MS 4.27.7, postfix is unchanged and untouched, sa 2.63 (from source), clamav .67, mailwatch .4>.51

It's a dual P200 (that's two hundred) NEC server, many GB of spare HDD space and 512MB RAM. This machine ran perfectly with the original versions I installed. We get around 2000 messages per day on this machine.

I have been hassling for better hardware now that I have proven this works (the plan was to prove it works without spending any cash) but the company has merged and now the boss won't approve new hardware; he advises if I need new hardware, I must use a P2 400 PC, which I am not willing to try with. With this low mail volume I rarely see any more than 50% CPU usage on either CPU.

I was just thinking Julian says to use perl SA, but I had already installed from source originally so thought it was best to upgrade this way, could this be the killer, I need to remove and install with cpan? Or install from cpan and leave the source install alone?

>--
>This message has been scanned for viruses and
>dangerous content by Fortress Secure Mail Gateway
>and was found to be clean.
>
>Fortress Systems Ltd. - http://www.fsl.com
>

wow - thanks for taking the time to help me, much appreciated.
From list at souil.com Thu Mar 4 03:09:03 2004
From: list at souil.com (Ben)
Date: Thu Jan 12 21:23:00 2006
Subject: Spamassassin (RPM) install path
In-Reply-To: <200403030545.i235jlQ15502@mx1.mailsecurity.net.au>
Message-ID: <2004341193.688863@bensil>

Dear All,

My Spamassassin installed as the RPM and also as the perl module (Mail::SpamAssassin). So how should I fill the "SpamAssassin Install Prefix" in the MailScanner.conf ?

From ugob at CAMO-ROUTE.COM Thu Mar 4 03:11:09 2004
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:23:00 2006
Subject: Spamassassin (RPM) install path
Message-ID: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>

>-----Original Message-----
>From: Ben [mailto:list@souil.com]
>Sent: 3 March 2004 22:09
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Spamassassin (RPM) install path
>
>
>Dear All,
>
>My Spamassassin installed as the RPM and also as the perl
>module(Mail::SpamAssassin). So how should i fill the
>"SpamAssassin Install Prefix" in the MailScanner.conf ?

Just remove the rpm. Test in debug. Reinstall from cpan or source if necessary.

From rcooper at DWFORD.COM Thu Mar 4 03:31:06 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <4046954A.8010000@eatathome.com.au>
Message-ID:

Sorry to top post, but

Are you sure that Net::CIDR is installed (I think that requirement came after your original install version), and are you using a local caching name server? Slowdowns in the network test arena are many times caused by resolver problems.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 9:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Stephen Swaney wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > >>Behalf Of Pete > >>Sent: Wednesday, March 03, 2004 8:10 PM > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: Re: DOS attacked :( > >> > >>Kevin Spicer wrote: > >> > >> > >> > >>>Is update_virus_scanners running? If for some > reason a scanner update > >>>hangs MailScanner will stop processing mail. If > this is the case please > >>>post which scanner is the problem so that timeout > code can be added to > >>>its wrapper script. > >>> > >>>Is Spamassasin trying to use pyzor? Make sure its > not if it isn't > >>>working properly. > >>> > >>>Maybe turn SA off for a while to catch up? Or just > turn off all SA's > >>>network checks. > >>> > >>>Maybe the bayes database is causing a problem, try > turning off bayes > >>>(turn off the bayes auto rebuild in MailScanner too > if your version has > >>>it). > >>> > >>> > >>> > >>First thing i did was turn off bayes. > >>Yes virus update scaner is running, although i did > see some deferred for > >>600secs messages, > >> > >> > > > >This is normal with the latest versions of > MailScanner. Julian added a delay > >so we wouldn't all hit the ClamAV servers at the top > of the hour. You might > >want to change the delay in your > update_virus_scanners so we don't all hit > >the servers at 600 seconds after the hour. > > > > > Will change that now. Thanks. > > >>but recently i did see it had updated. I have only > >>updated tpo clamavmodule this morning, previously > was just clamav. > >>I have already added Use_pyzor 0 since i couldnt get > it to work (is it a > >>matter of install and then restart MS?) > >> > >> > > > >Form your earlier post: > > > >debug: Pyzor is available: /usr/bin/pyzor > >debug: entering helper-app run mode > >debug: Pyzor: got response: /usr/bin/python2: can't open file > >'/usr/bin/pyzor' > > > >There is something wrong with your Pyzor > installation. You can't open > >/usr/bin/Pyzor. 
Leave > > > >use_pyzor 0 > > > >Set in your spam.assassin.prefs.conf until you get > this sorted out. > > > > > Yep, have left this on since i first tried to install > pyzor, that output > appears in the debug anyway, i havent tried to install > razor2 yet as i > stopp installed stuff when i didnt get pyzor doing, > dcc weas working > fine, but disabled it when these troubles started and > will off for the > time being. All 3 entries exist in > spa,.assassin.prefs.conf usepzyor > 0, razor and dcc. > > >>I turned did skip rbls and this made a huge > difference in reducing the > >>queue size. I have now turned them back on. > >> > >> > > > >This is telling you something. When you turn off > SpamAssassin network > >checks, things improve. When you turn them on things > get worse. You are > >having a problem running network checks. Try running: > > > >spamassassin -D -p > /etc/MailScanner/spam.assassin.prefs.conf --lint > > > >and see if you can see or feel any delays. > > > >Also from your debug output: > >debug: Razor2 is not available > > > >leave use_razor2 0 > > > >off until you get this sorted out. Often this is > caused by not following the > >Install instructions, i.e. running > > > >razor-admin -create > >razor-admin -register > > > >After the install. Go to the razor web site and read > the installation > >documents. > > > > > > > >>I have the leatest stable release, and now i have > turned off auto > >>rebuild too. > >> > >> > > > >>From looking at your debug output you're not trying > to use Bayes at this > >point. > > > > > > > >>Seems like the queue gets reduced, then something > becomes broken again > >>and then queue grows and this repeats - have had > never had a message > >>stuck before, not even one - today there were 120, > this went down to 40 > >>when i made the changes suggested above, then sa > timeouts and back up 100. > >> > >> > > > >They are not stuck, they're just delayed. 
We have > some ISP customer's whose > >incoming queues fluctuate for 2 to 700 message > waiting depending on the time > >of day and spam loads. > > > > > I mentioned this because prior to upgrading i never > ever had any > messages delayed in the queue, now i have a 100 all the time. > > >>I don't really want to turn off SA, I want to stop > spam. SO i will > >>persevere for the rest of the day trying to get this > workiing again. > >>Thanks for your help. > >> > >> > >> > > > >You'll still stop spam with the network checks off - > just not as much. > >SpamAssassin weighs scores differently if network > checks are off so it's not > >as bad as it seems. > > > >And finally > > > >1. What versions of MailScanner and SpamAssassin were > you running before the > >upgrade > >2. What hardware - processor, disks and memory are you using? > >3. What is your daily email volume? > > > >Steve > > > >Stephen Swaney > >President > >Fortress Systems Ltd. > >Steve.Swaney@FSL.com > > > > > > > > > RH9, untouched or upgraded since original installation. > I started with MS4.24-5, postfix 2.16, sa2.60, clamav > .60, mailwatch 3.b > upgraded to > MS 4.27.7, postfix is unchanged and untouched, sa 2.63 > (from source), > clamav .67, mailwatch .4>.51 > > Its a dual P200 (thats two hundred)NEC server, many GB > os spare HDD > space and 512mb RAM. This machine ran perfectly with > the original > versions i installed. We get around 2000 messages per > day on this machine. > > I have been hassling for better hardware now that i > have proven this > works (the plan was to prove it work without spending > any cash) but > company has merged and now boss wont approve new > hardware, he advises if > i need new hardware, must use a P2 400 PC, which i am > not willing to try > with. With this low mail volume i rarely see anymore > than %50 CPU usage > on either cpu. 
> > I was just thinking Julian says to use perl SA, but i > had already > installed from source originally so thought it was > best to upgrade this > way, could this be the killer, i need to remove and > install with cpan? > Or install from cpan and leave the source install alone? > > >-- > >This message has been scanned for viruses and > >dangerous content by Fortress Secure Mail Gateway > >and was found to be clean. > > > >Fortress Systems Ltd. - http://www.fsl.com > > > > > > > > > > > > > wow - thanks for taking the time to help me, much appreciated. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 4 03:33:17 2004 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:23:01 2006
Subject: Stupid answer from McAfee...
Message-ID: <4046A37D.6090400@USherbrooke.ca>

Hello all,

Our security officer contacted McAfee to let them know about our detection problems with password-protected zip files. Here is their answer:

The reason this is happening is because the archive file when sent is encrypted as a password protected file. In order for the desktop/server products to detect these viruses the end-user would need to launch the .ZIP, manually enter in the password and at that point when the EXE is written to the local disk a detection would occur. The Perimeter products and Stinger scan at a top level in which these detections are taking place because of a generic detection from the signature of the archive itself. The command line scanner is not able to open the file without first providing the password.

In other words, they say it is a technical problem that prevents their command-line utility from detecting password-protected zip files, but they also say that their small cleaning program (Stinger) and their email scanning software are able to detect them! Looks like they want to restrict this capability to some of their products... a very bad decision!!!

Denis

From pete at eatathome.com.au Thu Mar 4 04:29:05 2004
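McAfee's answer above boils down to one fact: a scanner cannot look inside an encrypted ZIP without the password. What a mail gateway can still do is read the archive's own metadata, because every ZIP member records in its general-purpose bit flag whether it is encrypted, which is the property the "block encrypted zip files" feature mentioned elsewhere in this thread relies on. The following is an added example, not McAfee's or MailScanner's code: it reads that flag with Python's standard zipfile module and builds its own constructed sample (an ordinary archive with the encryption bit switched on for one member) so it runs offline; the member names and contents are made up.

```python
"""Added example (not from the list posts): flag password-protected ZIP
attachments from the archive's own metadata, which a gateway can read without
the password. Every ZIP member carries a 2-byte general-purpose bit flag, and
bit 0 is set when the member is encrypted (PKWARE APPNOTE, section 4.4.4)."""
import io
import struct
import zipfile

CDIR_SIG = b"PK\x01\x02"  # central directory file header signature


def encrypted_members(data: bytes) -> list:
    """Names of members whose encryption flag (bit 0) is set in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def is_password_protected(data: bytes) -> bool:
    """True if at least one member is encrypted, i.e. its contents cannot be scanned here."""
    return bool(encrypted_members(data))


def make_plain_zip(members: dict) -> bytes:
    """Constructed sample: an ordinary, unencrypted archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _set_bit0(buf: bytearray, offset: int) -> None:
    flags = struct.unpack_from("<H", buf, offset)[0]
    struct.pack_into("<H", buf, offset, flags | 0x1)


def mark_encrypted(data: bytes, name: str) -> bytes:
    """Constructed sample: set the encryption bit on one member, in both its
    local file header (flags at +6) and its central directory entry (flags at
    +8, filename at +46), which is where an encrypting zipper records it. Only
    metadata is touched; this yields a test archive, not a real encrypted one."""
    buf = bytearray(data)
    target = name.encode("utf-8")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        local_header = zf.getinfo(name).header_offset
    _set_bit0(buf, local_header + 6)

    pos = data.find(CDIR_SIG)
    while pos != -1:
        fname_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46 : pos + 46 + fname_len] == target:
            _set_bit0(buf, pos + 8)
        pos = data.find(CDIR_SIG, pos + 46 + fname_len + extra_len + comment_len)
    return bytes(buf)


if __name__ == "__main__":
    sample = make_plain_zip({"readme.txt": b"hello", "invoice.exe": b"MZ" + b"\0" * 32})
    print("plain archive:", encrypted_members(sample))
    protected = mark_encrypted(sample, "invoice.exe")
    print("protected archive:", encrypted_members(protected))
```

The check reads the central directory only, so it costs nothing per message and needs no password; a gateway policy can then quarantine or strip any attachment for which is_password_protected() is true, rather than passing it on as "clean" because the scanner saw nothing inside.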
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <4046B091.3010900@eatathome.com.au>

Rick Cooper wrote:

>Sorry to top post, but
>
>Are you sure that Net::CIDR is installed ( I think that
>requirement came after your original install version), and are
>you using a local caching name server? Slow downs in the network
>test arena are many time caused by resolver problems.
>

Have not got internal DNS, all external, and net::cidr is installed/updated with the rpm mailscanner installation.

But this got me thinking, I tried to ping all the servers listed in spam.lists.conf and I cannot resolve any, methinks this is not good. Although I can ping almost any other domain name I can think of, but not any of the spamlist ones. I can ping the dcc#.dcc-servers.net found when doing cdcc info. CPAN shell doesn't work cos it cannot resolve the perl sites.

I have changed nothing regarding DNS or networks. I assume this is the cause/symptom of my problems? Having spamassassin off is a nightmare and we are getting heaps of spam.

From mhewryk at SYMCOR.COM Thu Mar 4 05:29:31 2004
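Rick's hint about the resolver and Pete's finding that nothing in spam.lists.conf resolves (while DCC and CPAN are affected too) point at DNS rather than at SpamAssassin itself. One caveat a defender should know: pinging the zone name from spam.lists.conf is not a meaningful test, since a DNSBL zone apex often has no address record at all; what the RBL rules actually depend on is a reversed-address query under the zone. The following is an added example, not code from the list or from MailScanner or SpamAssassin: it parses a spam.lists.conf-style list (the "<name> <zone>." format and the list contents are assumed and constructed), builds the query name the RBL check really sends, and classifies each lookup as listed, not listed, resolver failure or timeout, with its wall-clock cost.

```python
"""Added example (not from the list posts). Checks what SpamAssassin's RBL
tests really depend on: that a reversed-address query under each zone gets
an answer, and how long it takes. Assumed spam.lists.conf format: one
"<name> <zone>." per line, '#' comments; the list below is constructed."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

# Constructed sample in the spam.lists.conf style; read the real file instead.
SAMPLE_SPAM_LISTS = """\
# name          zone
spamhaus-sbl    sbl.spamhaus.org.
example-rbl     rbl.example.invalid.
"""

# 127.0.0.2 is the test address most DNSBLs document as always listed.
TEST_ADDRESS = "127.0.0.2"


def parse_spam_lists(text):
    """Return [(name, zone)] with comments skipped and the trailing dot removed."""
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 2:
            zones.append((fields[0], fields[1].rstrip(".")))
    return zones


def dnsbl_query_name(zone, ip=TEST_ADDRESS):
    """The name an RBL lookup really asks for: the address's octets reversed,
    under the list's zone. Resolving the zone name itself proves little, since
    a DNSBL zone apex often has no address record."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def classify_lookup(name, timeout=2.0):
    """Resolve `name` within a wall-clock budget and report what happened:
    'listed' (an A record came back), 'not-listed' (authoritative no such
    name, the normal result for an unlisted address), 'resolver-failure'
    (temporary failure: the resolver could not get an answer, which is what
    surfaces as SpamAssassin timeouts), or 'timeout' (our budget expired).
    gethostbyname() has no timeout of its own, so it runs in a worker thread."""
    pool = ThreadPoolExecutor(max_workers=1)
    started = time.monotonic()
    try:
        pool.submit(socket.gethostbyname, name).result(timeout=timeout)
        status = "listed"
    except LookupTimeout:
        status = "timeout"
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            status = "not-listed"
        elif err.errno == socket.EAI_AGAIN:
            status = "resolver-failure"
        else:
            status = "error:%s" % err.errno
    finally:
        pool.shutdown(wait=False)
    return status, round(time.monotonic() - started, 3)


def check_lists(text, timeout=2.0):
    """Run the test-address lookup for every zone; anything other than
    'listed' for 127.0.0.2 is worth investigating on the resolver side."""
    return [(name, zone, *classify_lookup(dnsbl_query_name(zone), timeout))
            for name, zone in parse_spam_lists(text)]


if __name__ == "__main__":
    for name, zone, status, seconds in check_lists(SAMPLE_SPAM_LISTS):
        print("%-16s %-32s %-16s %.3fs" % (name, zone, status, seconds))
```

Run against the real file contents, a column of 'resolver-failure' or 'timeout' results with multi-second timings is the resolver problem Rick describes, and it explains why the queue shrinks as soon as the network checks are skipped: each message waits for every slow lookup.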
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:23:01 2006
Subject: Need a help to understand viruses.to.delete.rules
Message-ID:

Hi,

I probably don't understand what the 'Silent Viruses' option is supposed to do. My goal is to make MailScanner stop sending people (recipients) the notification about the infected emails. To achieve that I listed all possible viruses under the 'Silent Viruses' option in the MailScanner.conf file.

Silent Viruses = HTML-IFrame All-Viruses Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Netsky Bagle MyDoom

Is the above correct or should I make a list similar to:

Netsky.b
Netsky.c
Netsky.d
Netsky.f
etc...

I can see some people list all the possibilities of viruses' names. /?/

My solution to list all names under the 'Silent Viruses' option doesn't work, people get notified and all viruses are logged in the maillog file.

Should I try with the rules file? What is the difference between listing the viruses' names in the MailScanner.conf file and the rules file? This is my second option which I have not tested yet.

Silent Viruses = /etc/MailScanner/rules/viruses.to.delete.rules

Virus: Netsky no
Virus: Bagle no
Virus: MyDoom no
Virus: NoVarg no
Virus: SCO no
Virus: Dumaru no
Virus: Holar no
Virus: Klez no
Virus: Mimail no
Virus: Swen no
Virus: Valla no
Virus: Bugbear no
Virus: default yes

Thanks,
Magda

From josh at iconz.org Thu Mar 4 05:55:21 2004
From: josh at iconz.org (Josh)
Date: Thu Jan 12 21:23:01 2006
Subject: trouble starting mailscanner
Message-ID: <20040304055524.EB30E6A65A@mail.netspace.net.au>

Hi I'm new to the list,

Having a bit of trouble with the following

Starting MailScanner...
Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.

Line 46 in Message.pm is:
use Archive::Zip qw( :ERROR_CODES );

Line 52 in MailScanner is:
use MailScanner::Message;

I couldn't find anything in the FAQ about configuring the /usr/sbin/MailScanner file or the /usr/lib/MailScanner/MailScanner/Message.pm file.

I am using redhat 7.3, current version of MailScanner and Sophos.

Sorry if this is newbie stuff but this is my first look at mailscanner and I need to get up and running asap, any help guys?

e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au

thanks in advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/7c3a35ba/attachment.html

From james at grayonline.id.au Thu Mar 4 06:01:32 2004
From: james at grayonline.id.au (James Gray)
Date: Thu Jan 12 21:23:01 2006
Subject: ANN: Custom SpamAssassin Rules
Message-ID: <200403041701.15024.james@grayonline.id.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I've done a major overhaul of the custom rules to remove hundreds of redundant Perl regex matches. Like why the hell was I using ".*\/?\.?" or "\.?.*" when ".*" would match EXACTLY the same text? Anyway, if you've used my rules before you may want to grab the latest version I uploaded a few minutes ago - they made a measurable improvement in my mail gateway's performance over the previous rule sets :)

http://files.grayonline.id.au/

Any feedback is welcome.

Cheers,

James
- --
Fortune cookie says:
The whole intent of Perl 5's module system was to encourage the growth of Perl culture rather than the Perl core.
-- Larry Wall in <199705101952.MAA00756@wall.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFARsY8wBHpdJO7b9ERAoSGAJsGdycUv4nLk2BDcAECoCkdbr53bQCfUltR
D+mKIJtxhRzw5fpK6432q58=
=DI3q
-----END PGP SIGNATURE-----

From SJCJonker at SJC.NL Thu Mar 4 06:26:16 2004
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:23:01 2006
Subject: trouble starting mailscanner
In-Reply-To: <20040304055524.EB30E6A65A@mail.netspace.net.au>
References: <20040304055524.EB30E6A65A@mail.netspace.net.au>
Message-ID: <4046CC08.7000809@SJC.nl>

Josh,

As mentioned in several places, the newest version of mailscanner requires the Archive::Zip cpan module and its dependencies.

Josh said the following on 04-03-04 06:55:
> Hi I'm new to the list,
>
> Having a bit of trouble with the following
>
> Starting MailScanner...
> Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner
> /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1
> /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1
> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.6.1/i386-linux
> /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .
> /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm
> line 46.
> BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/Message.pm line 46.
> Compilation failed in require at /usr/sbin/MailScanner line 52.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.
>
> Line 46 in Message.pm is:
> use Archive::Zip qw( :ERROR_CODES );
>
> Line 52 in MailScanner is:
> use MailScanner::Message;
>
> I couldn't find anything in the FAQ about configuring the
> /usr/sbin/MailScanner file or the
> /usr/lib/MailScanner/MailScanner/Message.pm file.
>
> I am using redhat 7.3, current version of MailScanner and Sophos
>
> Sorry if this is newbie stuff but this is my first look at mailscanner
> and I need to get up and running asap, any help guys?
>
> e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au
>
> thanks in advance,
>

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

From christo at IT4AFRICA.CO.ZA Thu Mar 4 07:18:43 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
Message-ID: <009801c401b8$ee7b3a40$660210ac@christoxp>

When I try to install the latest release of MS I must install Archive::Zip first.

OK here is the problem. I'm running RH9. I do the following.

perl -MCPAN -e shell
install Archive::Zip

And I get the following errors

Removing previously used /root/.cpan/build/Archive-Zip-1.09

  CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
         your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Archive::Zip
Makefile:88: *** missing separator.  Stop.
  /usr/bin/make  -- NOT OK
Running make test
  Can't test without successful make
Running make install
  make had returned bad status, install seems impossible

I checked to see where my pod2man is and it is there

which pod2man
/usr/bin/pod2man

I need to urgently upgrade to be able to block only encrypted zip files for we get lots of zip files from customers.

Any help appreciated

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/052f029c/attachment.html

From P.G.M.Peters at utwente.nl Thu Mar 4 07:26:13 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:23:01 2006
Subject: 4.28-4.1
In-Reply-To: <026e01c4014c$8fb8c610$85b8fea9@Laptop>
References: <026e01c4014c$8fb8c610$85b8fea9@Laptop>
Message-ID:

On Wed, 3 Mar 2004 18:23:00 -0000, you wrote:

>I have just installed 4.28-4.1 from rpm on a Redhat 7.3 system. It installed
>OK but when I try and restart it I get the following error:-
>
> MailScanner: Can't locate Archive/Zip.pm in @INC (@INC contains:

You need to install Archive::Zip from CPAN.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From cslyon at NETSVCS.COM Thu Mar 4 07:33:15 2004
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
Message-ID:

Give this a try:

LANG=C perl -MCPAN -e shell
install Archive::Zip

That should work if you are using RH9 with the default LANG, en_US.UTF-8.

-----Original Message-----
From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
Sent: Wednesday, March 03, 2004 11:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Unable to install latest release

When I try to install the latest release of MS I must install Archive::Zip first.

OK here is the problem. I'm running RH9. I do the following.

perl -MCPAN -e shell
install Archive::Zip

And I get the following errors

Removing previously used /root/.cpan/build/Archive-Zip-1.09

  CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
         your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Archive::Zip
Makefile:88: *** missing separator.  Stop.
  /usr/bin/make  -- NOT OK
Running make test
  Can't test without successful make
Running make install
  make had returned bad status, install seems impossible

I checked to see where my pod2man is and it is there

which pod2man
/usr/bin/pod2man

I need to urgently upgrade to be able to block only encrypted zip files for we get lots of zip files from customers.

Any help appreciated

From christo at IT4AFRICA.CO.ZA Thu Mar 4 07:39:14 2004
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release {Virus Scanned}
In-Reply-To:
Message-ID: <00a201c401bb$cb1f3a30$660210ac@christoxp>

Thanx, that sorted the problem. How would I fix the LANG=C thing?

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon
> Sent: 04 March 2004 09:33 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Unable to install latest release {Virus Scanned}
>
>
> Give this a try:
>
> LANG=C perl -MCPAN -e shell
> install Archive::Zip
>
> That should work if you are using RH9 with the defaults LANG,
> en_US.UTF-8.
>
>
>
>
> -----Original Message-----
> From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA] > Sent: Wednesday, March 03, 2004 11:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Unable to install latest release > > When I try to install the latest release of MS I must install > Archive::Zip first. > ? > OK here is the problem. I'm running RH9. I do the following. > perl -MCPAN -e shell install Archive::Zip > ? > And I get the following errors > ? > Removing previously used /root/.cpan/build/Archive-Zip-1.09 > ? > ? CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz > ? > Checking if your kit is complete... > Looks good > ? > Warning: I could not locate your pod2man program. Please make sure, > ???????? your pod2man program is in your PATH before you > execute 'make' > ? > Writing Makefile for Archive::Zip > Makefile:88: *** missing separator.? Stop. > ? /usr/bin/make? -- NOT OK > Running make test > ? Can't test without successful make > Running make install > ? make had returned bad status, install seems impossible > ? > I checked to see where my pod2man is and it is there > which pod2man > /usr/bin/pod2man > I need to urgently upgrade to be able to block only encrypted > zip files for we get lots of zip files from customers. > ? > Any help appreciated > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks IT For Africa for their support. > > From P.G.M.Peters at utwente.nl Thu Mar 4 07:37:36 2004 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:23:01 2006
Subject: bagle SpamAssassin rule [SCANNED]
In-Reply-To: <40465ABD.9050209@dalsemi.com>
References: <40465ABD.9050209@dalsemi.com>
Message-ID: <24nd40pvv7a2d9mjbdhhrql2u3fdhm21em@4ax.com>

On Wed, 3 Mar 2004 16:22:53 -0600, you wrote:

>I tried it briefly but was getting more false positives than legitimate
>hits. The problem seemed to be primarily caused by phone numbers
>(specifically, the last four digits) included in the senders signature
>coming after "password". That ".*" is pretty aggressive ;-).

I have had some false positives from security mailing lists where people discussed this thing. And they of course included samples of the messages.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From leduc at CTS.COM Thu Mar 4 07:34:10 2004
From: leduc at CTS.COM (Gene & Mary LeDuc)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
In-Reply-To: <009801c401b8$ee7b3a40$660210ac@christoxp>
References: <009801c401b8$ee7b3a40$660210ac@christoxp>
Message-ID: <4046DBF2.4010409@cts.com>

I ran into the same problem on RH 8 this afternoon. In /etc/sysconfig/i18n find the LANG= line:

LANG="en_US.UTF-8"

and remove the '.UTF-8':

LANG="en_US"

and that should do it (apparently the ".UTF-8" breaks things). Don't even think about asking me why, I don't have a clue. Someone else on this list probably knows and may even tell us.

Regards,
Gene

Christo Bezuidenhout wrote:
> When I try to install the latest release of MS I must install
> Archive::Zip first.
>
> OK here is the problem. I'm running RH9. I do the following.
> perl -MCPAN -e shell
> install Archive::Zip
>
> And I get the following errors
>
> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>
> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>
> Checking if your kit is complete...
> Looks good
>
> Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'
>
> Writing Makefile for Archive::Zip
> Makefile:88: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
> I checked to see where my pod2man is and it is there
> which pod2man
> /usr/bin/pod2man
> I need to urgently upgrade to be able to block only encrypted zip files
> for we get lots of zip files from customers.
>
> Any help appreciated

From cslyon at NETSVCS.COM Thu Mar 4 07:55:24 2004
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release {Virus Scanned}
Message-ID:

> -----Original Message-----
> From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> Sent: Wednesday, March 03, 2004 11:39 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Unable to install latest release {Virus Scanned}
>
> Thanx. That sorted the problem. How would I fix the LANG=C thing?

You were able to install without any problems?

How to fix it: check out this FAQ.
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/121.html

I don't know whether you want to do it system wide or not! That is your call because I don't know your setup or what is running on the machine, nor do I care :)

You can google.com/linux "LANG=C on RH9" for information on how to fix it.

> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon
> > Sent: 04 March 2004 09:33 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Unable to install latest release {Virus Scanned}
> >
> > Give this a try:
> >
> > LANG=C perl -MCPAN -e shell
> > install Archive::Zip
> >
> > That should work if you are using RH9 with the default LANG,
> > en_US.UTF-8.
> >
> > -----Original Message-----
> > From: Christo Bezuidenhout [mailto:christo@IT4AFRICA.CO.ZA]
> > Sent: Wednesday, March 03, 2004 11:19 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Unable to install latest release
> >
> > When I try to install the latest release of MS I must install
> > Archive::Zip first.
> >
> > OK here is the problem. I'm running RH9. I do the following.
> > perl -MCPAN -e shell
> > install Archive::Zip
> >
> > And I get the following errors
> >
> > Removing previously used /root/.cpan/build/Archive-Zip-1.09
> >
> >   CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
> >
> > Checking if your kit is complete...
> > Looks good
> >
> > Warning: I could not locate your pod2man program. Please make sure,
> >          your pod2man program is in your PATH before you
> > execute 'make'
> >
> > Writing Makefile for Archive::Zip
> > Makefile:88: *** missing separator.  Stop.
> >   /usr/bin/make  -- NOT OK
> > Running make test
> >   Can't test without successful make
> > Running make install
> >   make had returned bad status, install seems impossible
> >
> > I checked to see where my pod2man is and it is there
> > which pod2man
> > /usr/bin/pod2man
> > I need to urgently upgrade to be able to block only encrypted
> > zip files for we get lots of zip files from customers.
> >
> > Any help appreciated
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > Mailscanner thanks IT For Africa for their support.

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:00:24 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:01 2006
Subject: 4.28-4.1 and speed issues..
In-Reply-To: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040303212326.03afa078@imap.ecs.soton.ac.uk>
Message-ID: <4046F028.409@solid-state-logic.com>

Julian

Good Morning. Ok, installed Compress::Zlib and speed 'seems' to be better - will let you know after more than 3 minutes of running!

Still no luck getting clamavmodule to work though, only seems to work in debug mode and not live...will investigate further after coffee...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Julian Field wrote:
> Fixed in the next release.
> I have also added the Compress::Zlib and Archive::Zip modules to the RPM
> distributions and to the Perl module installation docs on the website.
> Getting closer to a stable release...
>
> At 20:43 03/03/2004, you wrote:
>
>> Hi
>>
>> I have just installed 4.28-4.1 on 2 MS servers and the first MS server
>> marked Bagle zip files as virus and Dangerous.
>> The second MS server found the Password-protected archive and put it
>> into quarantine BUT didn't mark it as virus and Dangerous!!
>> And put this in the maillog:
>> "Disinfection: Rescan found only 0 viruses"
>>
>> the first MS server has "Deliver Disinfected Files = no"
>> the second "Deliver Disinfected Files = yes"
>>
>> When I change second MS server to "Deliver Disinfected Files = no" the
>> Password-protected archive was marked as virus and Dangerous.
>>
>> /Jan Elmqvist Nielsen
>
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:08:13 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:01 2006
Subject: Unable to install latest release
In-Reply-To: <4046DBF2.4010409@cts.com>
References: <009801c401b8$ee7b3a40$660210ac@christoxp> <4046DBF2.4010409@cts.com>
Message-ID: <4046F1FD.7060305@solid-state-logic.com>

I'll have a look where this is set in FreeBSD stable, see if it makes any difference to clamavmodule - doesn't seem to be set in my shell environment....

Had problems with my Mandrake desktop on this for Mozilla 1.6 and acrobat reader. Ended up popping a little LANG=.... in the scripts themselves so I didn't break anything else.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Gene & Mary LeDuc wrote:
> I ran into the same problem on RH 8 this afternoon.
>
> In /etc/sysconfig/i18n find the LANG= line:
> LANG="en_US.UTF-8"
> and remove the '.UTF-8':
> LANG="en_US"
>
> and that should do it (apparently the ".UTF-8" breaks things). Don't
> even think about asking me why, I don't have a clue. Someone else on
> this list probably knows and may even tell us.
>
> Regards,
> Gene
>
> Christo Bezuidenhout wrote:
>
>> When I try to install the latest release of MS I must install
>> Archive::Zip first.
>>
>> OK here is the problem. I'm running RH9. I do the following.
>> perl -MCPAN -e shell
>> install Archive::Zip
>>
>> And I get the following errors
>>
>> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>>
>> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>>
>> Checking if your kit is complete...
>> Looks good
>>
>> Warning: I could not locate your pod2man program. Please make sure,
>> your pod2man program is in your PATH before you execute 'make'
>>
>> Writing Makefile for Archive::Zip
>> Makefile:88: *** missing separator. Stop.
>> /usr/bin/make -- NOT OK
>> Running make test
>> Can't test without successful make
>> Running make install
>> make had returned bad status, install seems impossible
>>
>> I checked to see where my pod2man is and it is there
>> which pod2man
>> /usr/bin/pod2man
>> I need to urgently upgrade to be able to block only encrypted zip files
>> for we get lots of zip files from customers.
>>
>> Any help appreciated

From rabellino at DI.UNITO.IT Thu Mar 4 09:04:38 2004
From: rabellino at DI.UNITO.IT (Rabellino Sergio)
Date: Thu Jan 12 21:23:01 2006
Subject: McAfee PROBLEM !!! (solved)
In-Reply-To: <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5B8@jessica.herefordshire.gov.uk> <1078331696.3290.7.camel@mike-new2.tc3net.com> <1078334073.13811.330.camel@dbeauchemin.sti.usherbrooke.ca> <1078335314.13811.334.camel@dbeauchemin.sti.usherbrooke.ca> <40461B27.3050204@di.unito.it> <1078340333.13811.337.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <4046F126.8070007@di.unito.it>

Denis Beauchemin wrote:
> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote:
>
>>Denis Beauchemin wrote:
>>
>>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote:
>>>
>>>>Many infected password-protected zip files passed through our McAfee AV
>>>>(using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since
>>>>midnight.
>>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote:
>>>>
>>>>>Good Question, Does DAT 4332 fix it, my understanding was that it
>>>>>handled the unzipping and so forth, and MailScanner interpreted the
>>>>>response, I'm looking for confirmation, I'm running an older version of
>>>>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's
>>>>>necessary.
>>>
>>>I've taken a look at the Bagle.j detected so far and none were in a zip
>>>file (all were plain pif files).
>>>
>>>So I'd say 4332 is definitely not catching any password-protected Bagle!
>>>
>>>Denis
>>
>>As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a
>>virus encrypted in 999999 different forms? (the password is 6 integer digits)
>
> Sergio,
>
> They can't unzip the file but they can compare its size and some
> checksum they computed on infected zip files.
>

But if the file is encrypted, the checksums and lengths change as the key used changes; also the filename used inside the zip could be changed randomly (if Bagle does not do this now, the next variant will....) so the complexity remains unchanged, a different zip file for every key used.... The only solution is to ban the encrypted zip files.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

From raymond at PROLOCATION.NET Thu Mar 4 09:17:23 2004
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:23:01 2006
Subject: 4.28-4.1 and speed issues..
In-Reply-To: <4046F028.409@solid-state-logic.com>
Message-ID:

Hi!

> Still no luck getting clamavmodule to work though, only seems to work in
> debug mode and not live...will investigate further after coffee...

Did you upgrade to the latest perl module version like I posted last night? Switched back to clamlib on all my boxes, works fine.

Bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 09:26:30 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:01 2006
Subject: Clamavmodule (was 4.28-4.1 and speed issues..)
In-Reply-To:
References:
Message-ID: <4046F646.2030108@solid-state-logic.com>

Raymond

yeah - installed 0.06 from CPAN, just seems to hang somewhere initialising the thing - ie straight after the Savi message, and my virus scanners are 'sophossavi clamavmodule' in that order. Running ClamAV 0.67 as well, so I'm sure where to look right now..

Odd that it runs fine in debug mode, and a lot quicker too, just makes me wonder if the problems aren't related???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Raymond Dijkxhoorn wrote:
> Hi!
>
>>Still no luck getting clamavmodule to work though, only seems to work in
>>debug mode and not live...will investigate further after coffee...
>
> Did you upgrade to the latest perl module version like I posted last night?
> Switched back to clamlib on all my boxes, works fine.
>
> Bye,
> Raymond

From john at TRADOC.FR Thu Mar 4 09:30:10 2004
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:23:01 2006
Subject: Report text for password protected archive
Message-ID: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr>

Just upgraded to 4.28.4, and minutes later a Bagle shows up.

> Subject: E-mail account disabling warning.
> Report: Message contained password-protected archive

How about prefixing the report text with "MailScanner:", for consistency with other virus reports - and to show that MS itself is the bees' knees!

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From Peter.Bates at LSHTM.AC.UK Thu Mar 4 09:12:40 2004
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:23:01 2006
Subject: Quick fix for encrypted zip problem?
Message-ID:

Hello all...

I know this is a rather *hot* topic for discussion at the moment, but I was just glancing at part of MailScanner, or rather SweepViruses.pm

SweepViruses.pm:
    if ($line =~ /\s\sNot scanned \(encrypted\)/ ||
    ...

obviously it's an evil hack, but seeing as my system (either Sophos with SAVI or something else) is reporting these zip files as 'encrypted', is there any way the check above can be changed quickly to assume that such a file *is* infected?

... oh, and thanks to 'shrek-m' on the list for a solution using a ruleset and filename rules, but my users still weren't happy... ho-hum.

--
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-958 8353 / Fax: 0207-636 9838

From kfliong at WOFS.COM Thu Mar 4 10:09:46 2004
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:23:01 2006
Subject: changing spamassassin points configuration
Message-ID: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>

So in other words, I just have to let the user stop getting some mails (even though some might be important) while waiting for SA to learn that the sender is not sending spam?

At 05:20 AM 3/4/2004, you wrote:
>Julian Field wrote:
>
>>Stuff that isn't spam.
>>
>>At 11:41 03/03/2004, you wrote:
>>
>>>err...what's "ham"?
>>>
>>>At 07:09 PM 3/3/2004, you wrote:
>>>
>>>>kfliong wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>I have this email which is not spam but has a score of 5.642 which is
>>>>>high as by default more than 5 is considered spam.
>>>>>
>>>>>Can I know how I can reduce the score?
>>>>>
>>>>>spam, SpamAssassin (score=5.642, required 5, BAYES_90 2.10,
>>>>>DATE_IN_PAST_12_24 0.75, DEAR_SOMETHING 2.30, HTML_FONTCOLOR_BLUE 0.10,
>>>>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTML_TAG_BALANCE_A 0.20)
>>>>>
>>>>>Also, the scores mainly come from BAYES_90 2.10 and DEAR_SOMETHING
>>>>>2.30....where can I get more details on what those scores mean? Does
>>>>>mailscanner use a different config file for controlling spamassassin?
>>>>>
>>>>>thanks in advance
>>>>>
>>>>>thanks
>>>>
>>>>Isn't this a situation for learning as ham? I am NO expert, but if you
>>>>have no other method maybe turn on archiving till you get a copy of this
>>>>message, then sa-learn it as ham?
>>>
>>>thanks
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>Since I think Julian's comment is confirmation - this is the sort of
>thing that using Bayesian Learning (Bayes) with SpamAssassin will fix.
>
>I am not well versed enough to try and explain it, so have a search
>through the list archives, or google, it works plenty good with
>mailscanner and spam assassin.
thanks

From rggarcia at IMGAME.NET Thu Mar 4 10:18:07 2004
From: rggarcia at IMGAME.NET (Rosaldo Garcia)
Date: Thu Jan 12 21:23:01 2006
Subject: redhat advance server + postfix + mailscanner
Message-ID:

Hello,

Why is it that when I try to put a # on ( smtp inet n - y - - smtpd ) under /etc/postfix/master.cf, I get this error:

The TCP/IP connection was unexpectedly terminated by the server. (Account:192.168.0.2, SMTP Server:192.168.0.2, Error Number 0x800ccc0f

I successfully installed MailScanner and my postfix runs without error message when I put the # back.

Here are the links for all the instructions I've just followed
http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml

Any help is much appreciated.

- Ross

From Matthew.Day at BUCKINGHAM.AC.UK Thu Mar 4 10:24:13 2004
From: Matthew.Day at BUCKINGHAM.AC.UK (Matthew Day)
Date: Thu Jan 12 21:23:01 2006
Subject: Stupid answer from McAfee...
Message-ID: <0EAE842EEAA4D711A05C00B0D0FED1D57BCF@GILA>

> In other words, they say it is a technical problem that
> prevents their command-line utility from detecting
> password-protected zip files, but they also say that their
> small cleaning program (Stinger) and their email scanning
> software are able to detect them!

This ties in with what we're seeing; GroupShield for Exchange spots the virus but Virus Scan for Linux doesn't.

IMHO McAfee are shooting themselves in the foot here, they've just given us another reason to switch when the license comes up for renewal. As if the pop-up ads on their virus info pages weren't reason enough - when you're in the midst of a virus outbreak you don't want to have to fight through popups to get at the info you need.

Matthew Day
University of Buckingham

From danielk at AVALONPUB.COM Thu Mar 4 10:25:22 2004
From: danielk at AVALONPUB.COM (Daniel Kleinsinger)
Date: Thu Jan 12 21:23:01 2006
Subject: changing spamassassin points configuration
In-Reply-To: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>
References: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2>
Message-ID: <40470412.5080101@avalonpub.com>

kfliong wrote:
> So in other words, I just have to let the user stop getting some mails
> (even though some might be important) while waiting for SA to learn
> that the
> sender is not sending spam?
>

If you have a copy of the email you can teach it to SA by using the command "sa-learn". See "man sa-learn" or the list archives for more info.

In summary, have a copy of the mail as either a single file with the headers and body or a bunch of them in an mbox style mailbox and run the command (as the same user that MS runs as):

sa-learn --ham filename

Daniel

From dot at DOTAT.AT Thu Mar 4 10:26:02 2004
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:23:01 2006
Subject: Stupid answer from McAfee...
In-Reply-To:
Message-ID:

Denis Beauchemin wrote:
>
>In other words, they say it is a technical problem that prevents their
>command-line utility from detecting password-protected zip files, but they
>also say that their small cleaning program (Stinger) and their email
>scanning software are able to detect them!

The extra.dat files from the webimmune site enable the command-line scanner to identify them too.

>Looks like they want to restrict this capability to some of their
>products... a very bad decision!!!

Aaargh.

Tony.
--
f.a.n.finch  http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTH 4 OR 5 GRADUALLY DECREASING 1 OR 2 AND BECOMING VARIABLE. RAIN FOR A TIME. GOOD DECREASING MODERATE IN RAIN. SLIGHT TO MODERATE BUILDING MODERATE, LATER DECAYING SLIGHT.

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:35:51 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Report text for password protected archive
In-Reply-To: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr>
References: <6htd40p7n6sth5j2vl8dkq6o7g7d1gv7mt@tradoc.fr>
Message-ID: <6.0.1.1.2.20040304103527.03bdde20@imap.ecs.soton.ac.uk>

At 09:30 04/03/2004, you wrote:
>Just upgraded to 4.28.4, and minutes later a Bagle shows up.
>
> > Subject: E-mail account disabling warning.
> > Report: Message contained password-protected archive
>
>How about prefixing the report text with "MailScanner:", for consistency
>with other virus reports - and to show that MS itself is the bees'
>knees!

Good idea. I have moved the report strings into languages.conf so they can be translated too.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:39:02 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Calling all translators
Message-ID: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>

Hi folks!

It's translation time again. I would like you all to translate these strings into your language of choice. They are used when unreadable or protected archives and zip files are found.

Message contained archive which could not be read
Message contained password-protected archive

Many thanks.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:08:56 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Need a help to understand viruses.to.delete.rules
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040304100734.03b3e078@imap.ecs.soton.ac.uk>

At 05:29 04/03/2004, you wrote:
>Hi,
>I probably don't understand what the 'Silent Viruses' option is supposed to do.
>
>My goal is to make MailScanner stop sending people (recipients) the
>notification about the infected emails. To achieve that I listed all
>possible viruses under the 'Silent Viruses' option in the MailScanner.conf file.
>
>Silent Viruses = HTML-IFrame All-Viruses Klez Yaha-E Bugbear Braid-A
>WinEvar Palyh Sobig Fizzer Netsky Bagle MyDoom

That would work for those named viruses.

>Is the above correct or should I make a list similar to: Netsky.b Netsky.c
>Netsky.d Netsky.f etc... I can see some people list all the possibilities
>of viruses' names. /?/

You don't need to. Just set
Silent Viruses = All-Viruses
and it will stop notifications for any of them, assuming you have a recent enough version of MailScanner. Check the comments above the Silent Viruses setting, it should mention this.

>My solution to list all names under the 'Silent Viruses' option doesn't work,
>people get notified and all viruses are logged in the maillog file.
>
>
>Should I try with the rules file? What is the difference between listing
>the viruses' names under the MailScanner.conf file and the rules file?
>
>This is my second option which I have not tested yet.
>Silent Viruses = /etc/MailScanner/rules/viruses.to.delete.rules
>
>Virus: Netsky no
>Virus: Bagle no
>Virus: MyDoom no
>Virus: NoVarg no
>Virus: SCO no
>Virus: Dumaru no
>Virus: Holar no
>Virus: Klez no
>Virus: Mimail no
>Virus: Swen no
>Virus: Valla no
>Virus: Bugbear no
>Virus: default yes
>
>
>Thanks,
>Magda

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:05:33 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <20040304021154.488EF21C29A@mail.fsl.com>
References: <404681D1.2040902@eatathome.com.au> <20040304021154.488EF21C29A@mail.fsl.com>
Message-ID: <6.0.1.1.2.20040304100442.03dfad08@imap.ecs.soton.ac.uk>

At 02:11 04/03/2004, you wrote:
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Pete
> > Sent: Wednesday, March 03, 2004 8:10 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: DOS attacked :(
> >
> > Kevin Spicer wrote:
> >
> > >Is update_virus_scanners running? If for some reason a scanner update
> > >hangs MailScanner will stop processing mail. If this is the case please
> > >post which scanner is the problem so that timeout code can be added to
> > >its wrapper script.
> > >
> > >Is SpamAssassin trying to use pyzor? Make sure it's not if it isn't
> > >working properly.
> > >
> > >Maybe turn SA off for a while to catch up? Or just turn off all SA's
> > >network checks.
> > >
> > >Maybe the bayes database is causing a problem, try turning off bayes
> > >(turn off the bayes auto rebuild in MailScanner too if your version has
> > >it).
> > >
> >
> > First thing I did was turn off bayes.
> > Yes virus update scanner is running, although I did see some deferred for
> > 600secs messages,
>
>This is normal with the latest versions of MailScanner. Julian added a delay
>so we wouldn't all hit the ClamAV servers at the top of the hour. You might
>want to change the delay in your update_virus_scanners so we don't all hit
>the servers at 600 seconds after the hour.

It delays the cron job by a random amount up to 600 seconds, not just 600 seconds every time. If you check the syslog message you will find it says this:
"Delaying cron job up to 600 seconds"

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 10:06:10 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:01 2006
Subject: Spamassassin (RPM) install path
In-Reply-To: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F362927410979@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <6.0.1.1.2.20040304100603.04026860@imap.ecs.soton.ac.uk>

At 03:11 04/03/2004, you wrote:
> >-----Original Message-----
> >From: Ben [mailto:list@souil.com]
> >Sent: 3 March 2004 22:09
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Spamassassin (RPM) install path
> >
> >
> >Dear All,
> >
> >My Spamassassin is installed as the RPM and also as the perl
> >module (Mail::SpamAssassin). So how should I fill in the
> >"SpamAssassin Install Prefix" in the MailScanner.conf ?

Leave it blank.

>Just remove the rpm. Test in debug. Reinstall from cpan or source if
>necessary.
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 10:43:17 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:01 2006
Subject: Report text for password protected archive
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B12@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> Good idea. I have moved the report strings into
> languages.conf so they can
> be translated too.

Quick point, before this makes it into 'stable' I had to edit the reports to remove references to ~ change the name or put in a zip to avoid this constraint.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From pete at eatathome.com.au Thu Mar 4 11:05:06 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:01 2006
Subject: DOS attacked :(
In-Reply-To: <404672C1.4010508@eatathome.com.au>
References: <20040303233922.24C6B21C29A@mail.fsl.com> <404672C1.4010508@eatathome.com.au>
Message-ID: <40470D62.1090700@eatathome.com.au>

Pete wrote:
> Stephen Swaney wrote:
>
>> I'm top posting so this won't get lost. This was written by one of our
>> clients to handle a really severe Joe-job. His name shall be revealed
>> if he lets me, but I don't know if he wants the credit for breaking RFC 1123
>> (this certainly does). This deletes any incoming email that has a return
>> address of "<>".
>>
>> BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the
>> left hand side from the right hand side rules and comments. They have
>> been lost in the email transmission. You'll know if you've missed a tab because
>> sendmail will croak when you try and start it.
>>
>> I can't verify that this works but he insisted it saved his axx. He
>> was so upset by the attack he stayed up for 30 hours straight and learned to
>> write sendmail.cf files from scratch. No small feat.
>>
>> Possibly some sendmail guru who's not battling the bagel will be kind
>> enough to put the hack into a sendmail.mc format.
>>
>> ------------------ snip -----------------------------
>> ######################################################################
>> ######################################################################
>> #####
>> #####   REWRITING RULES
>> #####
>> ######################################################################
>> ######################################################################
>> #Added by XXX to handle joe job on 020404
>>
>> HSubject: $>Check_Subject1
>> D{MPat}Returned
>> SCheck_Subject1
>> R${MPat} $*        $#discard
>>
>>
>> ######################################################################
>> ###  check_mail -- check SMTP `MAIL FROM:' command argument
>> ######################################################################
>>
>> SLocal_check_mail
>> Scheck_mail
>> R$*        $: $1 $| $>"Local_check_mail" $1
>> R$* $| $#$*        $#$2
>> R$* $| $*        $@ $>"Basic_check_mail" $1
>>
>> SBasic_check_mail
>> # check for deferred delivery mode
>> R$*        $: < $&{deliveryMode} > $1
>> R< d > $*        $@ deferred
>> R< $* > $*        $: $2
>>
>> # authenticated?
>> R$*        $: $1 $| $>"tls_client" $&{verify} $| MAIL
>> R$* $| $#$+        $#$2
>> R$* $| $*        $: $1
>>
>> #modified by XXX to handle joe job on 020404  Note: org line above
>> #R<>        $@        we MUST accept <> (RFC 1123)
>> R<>        $@ $#discard        we MUST accept <> (RFC 1123)
>> R$+        $: $1
>> R<$+>        $: <@> <$1>
>> R$+        $: <@> <$1>
>> R$*        $: $&{daemon_flags} $| $1
>> R$* f $* $| <@> < $* @ $- >        $: < ? $&{client_name} > < $3 @ $4 >
>> R$* u $* $| <@> < $* >        $: < $3 >
>> R$* $| $*        $: $2
>> # handle case of @localhost on address
>> ------------------ snip -----------------------------
>>
>>
>> Steve
>>
>> Stephen Swaney
>> President
>> Fortress Systems Ltd.
>> Steve.Swaney@FSL.com
>>
>>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>>> Behalf Of Pete
>>> Sent: Wednesday, March 03, 2004 6:08 PM
>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>> Subject: DOS attacked :(
>>>
>>> What should I do to rectify or prevent this? Nothing, leave it to MS?
>>>
>>> Load average is stuck on 7 and almost nothing is working on this
>>> machine, even ssh commands have a 10sec delay.
>>>
>>> Will deleting the offending email be the entire solution?
>>>
>>>
>>> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
>>> Mar 4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from adl0133.systems.sa.gov.au[143.216.236.20]
>>> Mar 4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: to=, relay=none, delay=0, status=deferred (deferred transport)
>>> Mar 4 10:10:20 mail01 update.virus.scanners: Found clamav installed
>>> Mar 4 10:10:20 mail01 update.virus.scanners: Running autoupdate for clamav
>>> Mar 4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
>>> Mar 4 10:10:50 mail01 MailScanner[14171]: Commercial scanner clamavmodule timed out!
>>> Mar 4 10:10:50 mail01 MailScanner[14182]: Commercial scanner clamavmodule timed out!
>>> Mar 4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
>>> Mar 4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need updating
>>> Mar 4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of Service attack detected!
>>> Mar 4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 13 of 20
>>> Mar 4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
>>> hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
>>> Host not found
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
>>> being delivered
>>> Mar 4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
>>> being delivered
>>> Mar 4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 14 of 20
>>> Mar 4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 15 of 20
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>> Fortress Systems Ltd.
>>> www.fsl.com
>>>
>>>
>>>
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by Fortress Secure Mail Gateway
>> and was found to be clean.
>>
>> Fortress Systems Ltd. - http://www.fsl.com
>>
>>
>>
>>
>>
>>
> Sorry, I wasn't clear enough - this is a postfix 2.016 - working
> perfectly until this morning, even after upgrade yesterday and added DCC
> and pyzor, although pyzor never worked and I didn't get a chance to look
> at it yet. I have tried changing the accelerated scanning mode to 40 (I
> assume this means when the queue is 40+ deep it will accelerate the
> scanning mode?)
>
> Can someone tell me how to use postfix to display the amount of
> messages in the queue from command line, or any other useful postfix
> commands? I did mailq -v but this displays nothing.
>
> The latest change I made was to clamavmodule from regular clamav, tried
> changing it back but no luck. Attached is my debug, nothing seems really
> obviously broken?
>
> Attached also is a log sample, complete, from immediately after a service
> MailScanner restart.
>
> It's getting worse and all I see is 100+ messages in the queue, changed
> the batch mode to only do 10 at once but still all I get in the
> maillog is
> Mar 4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was
> killed, consecutive failure 8 of 20
>
> Thanks in advance for ANY help I can get on this, it's a big problem and
> it's getting worse by the minute :(
>

I am convinced this isn't entirely a SpamAssassin problem. I have had SA switched off for 6+ hours now and still see messages having to be requeued (this happens when they are too old, I believe?) and the queue building up to 10; at least it's not 100, but it's a slow time of day here (evening).

Anyone got any suggestions on this problem? It doesn't appear as though it's going away by itself, as I absolutely cannot have SpamAssassin running or no messages are ever scanned.

Is it possible/necessary to uninstall the SA source install and install from CPAN? Would this help? If not, how do I downgrade?
I would like to go back to my original versions that worked; it's a long weekend here after tomorrow and I can't leave it for 3 days not scanning any spam. :(

Appreciate any suggestions or pointers to get this resolved, am really getting desperate.
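The sendmail hack quoted in Pete's message above discards every message whose envelope sender is <>. That stops the joe-job backscatter, but it also silently drops the legitimate delivery status notifications RFC 1123 requires a site to accept. The following is an added example, not code from this thread or from MailScanner or sendmail: a simplified BATV-style bounce address tag in Python. Outgoing envelope senders are tagged with an HMAC and an expiry day; a <> message is then accepted only when its recipient carries a tag that verifies, so bounces for mail the site never sent can be refused at RCPT TO time while real bounces still get through. The secret key, the key id, the seven-day window and the addresses are assumptions made for the illustration.

```python
"""Added example: simplified BATV-style bounce address tagging (not from the thread)."""
import datetime
import hashlib
import hmac

# Constructed secret for the example; a real deployment keeps it out of source.
SECRET = b"example-only-batv-key"
KEY_ID = "0"       # single key; rotate by changing the id and keeping old keys for VALID_DAYS
VALID_DAYS = 7     # a bounce arriving later than this for a tagged sender is refused


def _sig(local_part: str, domain: str, expiry_day: int) -> str:
    """HMAC-SHA256 over the address and expiry day, truncated to 6 hex chars."""
    msg = f"{expiry_day}:{local_part}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, today: str) -> str:
    """Tagged MAIL FROM for outgoing mail: prvs=KDDDSSSSSS=user@domain.

    K is the key id, DDD the expiry day-of-year mod 1000, SSSSSS the signature.
    `today` is an ISO date string (YYYY-MM-DD).
    """
    local_part, domain = address.split("@", 1)
    expiry = datetime.date.fromisoformat(today) + datetime.timedelta(days=VALID_DAYS)
    expiry_day = expiry.timetuple().tm_yday % 1000
    return f"prvs={KEY_ID}{expiry_day:03d}{_sig(local_part, domain, expiry_day)}={local_part}@{domain}"


def bounce_is_valid(rcpt_to: str, today: str) -> bool:
    """True only if rcpt_to carries a well-formed, unexpired tag whose signature verifies."""
    if not rcpt_to.startswith("prvs="):
        return False                      # untagged: we never sent this, so it is backscatter
    try:
        _, tag, address = rcpt_to.split("=", 2)
        local_part, domain = address.split("@", 1)
    except ValueError:
        return False                      # malformed tag or address
    if len(tag) != 10 or tag[0] != KEY_ID or not tag[1:4].isdigit():
        return False
    expiry_day = int(tag[1:4])
    today_day = datetime.date.fromisoformat(today).timetuple().tm_yday % 1000
    # Day numbers wrap at 1000, so measure the distance modulo 1000; anything
    # outside [0, VALID_DAYS] is either expired or dated in the future.
    if (expiry_day - today_day) % 1000 > VALID_DAYS:
        return False
    return hmac.compare_digest(tag[4:], _sig(local_part, domain, expiry_day))


def smtp_policy(mail_from: str, rcpt_to: str, today: str) -> str:
    """Per-recipient decision: <> is still accepted, but only for tagged recipients."""
    if mail_from == "<>":
        return "accept" if bounce_is_valid(rcpt_to, today) else "reject"
    return "accept"


if __name__ == "__main__":
    day = "2004-03-04"
    tagged = sign_sender("pete@example.com", day)          # constructed address
    print("outgoing MAIL FROM:", tagged)
    print("real bounce   :", smtp_policy("<>", tagged, day))
    print("joe-job bounce:", smtp_policy("<>", "pete@example.com", day))
    print("late bounce   :", smtp_policy("<>", tagged, "2004-03-24"))
```

The decision is a rejection at RCPT TO rather than a discard, so the remote MTA learns the bounce was refused instead of the mail vanishing. Every outbound path has to tag before the check is switched on, and every MX that receives bounces needs the same key, otherwise genuine bounces are refused just as the sendmail rule above would drop them.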
From miguelk at konsultex.com.br Thu Mar 4 11:07:45 2004
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID: <20040304110341.M98332@konsultex.com.br>

Julian;

Portuguese =
A menssagem contem um anexo comprimido que não pode ser lido.
A menssagem contem um anexo comprimido protegido com senha.

Spanish =
El mensaje contiene un anexo comprimido que no se puede leer.
El mensaje contiene un anexo comprimido protegido con clave.

Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

---------- Original Message -----------
From: Julian Field
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thu, 4 Mar 2004 10:39:02 +0000
Subject: Calling all translators

> Hi folks!
>
> It's translation time again. I would like you all to translate these
> strings into your language of choice. They are used when unreadable or
> protected archives and zip files are found.
>
> Message contained archive which could not be read
>
> Message contained password-protected archive
>
> Many thanks.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> Esta mensagem foi verificada pelo sistema de antivírus e
> acredita-se estar livre de perigo.
------- End of Original Message -------

--
Esta mensagem foi verificada pelo sistema de antivírus e
acredita-se estar livre de perigo.

From P.G.M.Peters at utwente.nl Thu Mar 4 11:13:25 2004
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators (dutch)
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 4 Mar 2004 10:39:02 +0000, you wrote:

>It's translation time again. I would like you all to translate these
>strings into your language of choice. They are used when unreadable or
>protected archives and zip files are found.
>
> Message contained archive which could not be read

Het bericht bevat een archief dat niet gelezen kan worden.

> Message contained password-protected archive

Het bericht bevat een archief dat met een wachtwoord is beveiligd.

Julian, I saw a couple of new report-files which aren't translated yet to all languages. Need them too?

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From pete at eatathome.com.au Thu Mar 4 11:26:08 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <40471250.1080407@eatathome.com.au>

So you're sure that's all I have to do, no messing about and trying to learn bind? If I have to learn to drive Bind I am not going to bother, but if it's a matter of just starting it up, am happy to try, even will try right now.

Other thing I wanted to know was whether an upgrade to 4.28.8-4 would be the shot? Or stick with latest stable?

>Sorry, I thought you said you installed from source.
>
>Have you thought about enabling named (/etc/init.d/named start)
>on your box, the default would be just a caching name server but
>it would resolve from root servers without using the external DNS
>servers as the default and set your /etc/resolv.conf to something
>like
>
>options ndots:1
>nameserver 127.0.0.1
>nameserver current.ns.1.address
>nameserver current.ns2.address
>multi on
>
>then /etc/init.d/network restart
>
>You may well see a noticeable improvement with RBLS and such that
>require a lot of DNS lookups. If it helps just add/enable with
>chkconfig
>
>
>
>
>
>

From wkuiters at FREE.FR Thu Mar 4 11:25:28 2004
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID: <20040304112528.GB2055@bragann>

On Thu, Mar 04, 2004 at 10:39:02AM +0000, Julian Field wrote:
> Hi folks!
>
> It's translation time again. I would like you all to translate these
> strings into your language of choice. They are used when unreadable or
> protected archives and zip files are found.
>
> Message contained archive which could not be read

(Dutch) "Bericht bevatte een bestand wat niet gelezen kon worden"

> Message contained password-protected archive

(Dutch) "Bericht bevatte een met wachtwoord beschermd bestand"

>
> Many thanks.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From rcooper at DWFORD.COM Thu Mar 4 11:26:25 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <4046B091.3010900@eatathome.com.au>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 11:29 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Rick Cooper wrote:
>
> >Sorry to top post, but
> >
> >Are you sure that Net::CIDR is installed ( I think that
> >requirement came after your original install version), and are
> >you using a local caching name server? Slow downs in
> the network
> >test arena are many times caused by resolver problems.
> >
> >
> >
> >
> Have not got internal DNS, all external, and net::cidr is
> installed/updated with rpm mailscanner installation.
>
> But this got me thinking, I tried to ping all the
> servers listed in
> spam.lists.conf and I cannot resolve any, methinks it
> is not good.
> Although I can ping almost any other domain name I can
> think of, but not
> any of the spamlist ones. I can ping the
> dcc#.dcc-servers.net found when
> doing cdcc info.
>
> CPAN shell doesn't work cos it cannot resolve the perl sites.
>
> I have changed nothing regarding DNS or networks. I
> assume this is the
> cause/symptom of my problems?
>
> Having spamassassin off is a nightmare and we are
> getting heaps of spam.
>
> --

Run

Makes you wonder if your ISP changed name servers on you, or you have a firewall problem.

Change /etc/resolv.conf

options ndots:1
nameserver 127.0.0.1
nameserver put current ns1 address here
nameserver put current ns2 address here
multi on

then /etc/init.d/named start

then /etc/init.d/network restart

and try your test again.

If your resolver isn't working you will have *very* slow network tests as you will be waiting for each outbound to time out. With a caching name server running you will see improvements in many things with your mail service.

Rick

From pete at eatathome.com.au Thu Mar 4 11:30:11 2004
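Rick's advice above amounts to a resolver check: when the RBL zones listed in spam.lists.conf cannot be resolved, every network test waits for a timeout and the queue backs up, which looks like a MailScanner or SpamAssassin failure but is not one. The following added example, not code from this thread, from MailScanner or from any poster, automates that check in Python: it times each lookup, classifies the outcome, and inspects a resolv.conf for the local caching resolver Rick recommends. The resolver is injectable so the logic can be exercised offline; the host names, the resolv.conf text, the sample addresses and the thresholds are constructed for the example.

```python
"""Added example: resolver health check for a mail gateway (not from the thread)."""
import socket
import time
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], str]

# Constructed sample: two pretend RBL zones plus a control host that should
# always resolve. The real list lives in MailScanner's spam.lists.conf.
SAMPLE_HOSTS = ["rbl-a.example.net", "rbl-b.example.org", "www.example.com"]
SLOW_SECONDS = 2.0   # a lookup slower than this is flagged even when it succeeds


def check_host(host: str, resolve: Resolver = socket.gethostbyname,
               slow_seconds: float = SLOW_SECONDS) -> Tuple[str, float, str]:
    """Time one lookup; returns (status, seconds, address-or-error), status ok/slow/fail."""
    start = time.monotonic()
    try:
        addr = resolve(host)
    except OSError as exc:            # socket.gaierror and socket.timeout are OSErrors
        return "fail", time.monotonic() - start, str(exc)
    elapsed = time.monotonic() - start
    return ("slow" if elapsed > slow_seconds else "ok"), elapsed, addr


def check_resolver(hosts: List[str], resolve: Resolver = socket.gethostbyname,
                   slow_seconds: float = SLOW_SECONDS) -> Dict[str, Tuple[str, float, str]]:
    """Run check_host over every name and collect the results by host."""
    return {h: check_host(h, resolve, slow_seconds) for h in hosts}


def diagnose(results: Dict[str, Tuple[str, float, str]]) -> str:
    """Map per-host results to one of four conditions.

    resolver-broken : nothing resolves, the case in the thread (not a MailScanner problem)
    partial-failure : only some names fail; suspect those zones or a firewall rule
    slow-resolver   : answers arrive but slowly; a local caching name server helps
    healthy         : all names resolve promptly
    """
    statuses = [status for status, _, _ in results.values()]
    if statuses and all(s == "fail" for s in statuses):
        return "resolver-broken"
    if any(s == "fail" for s in statuses):
        return "partial-failure"
    if any(s == "slow" for s in statuses):
        return "slow-resolver"
    return "healthy"


def resolv_conf_warnings(text: str) -> List[str]:
    """Flag a resolv.conf that does not put a local caching resolver first."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    if not servers:
        return ["no nameserver entries"]
    if servers[0] not in ("127.0.0.1", "::1"):
        return ["first nameserver is not a local caching resolver"]
    return []


def table_resolver(table: Dict[str, str], delay: float = 0.0) -> Resolver:
    """Offline stand-in for socket.gethostbyname, backed by a constructed table."""
    def resolve(host: str) -> str:
        time.sleep(delay)
        if host not in table:
            raise OSError(f"{host}: Name or service not known")
        return table[host]
    return resolve


if __name__ == "__main__":
    # Offline demonstration: the control host resolves, the RBL zones do not.
    demo = table_resolver({"www.example.com": "192.0.2.10"})
    results = check_resolver(SAMPLE_HOSTS, demo)
    for host, (status, secs, detail) in results.items():
        print(f"{host:22s} {status:5s} {secs:6.3f}s {detail}")
    print("diagnosis:", diagnose(results))
    print("resolv.conf:", resolv_conf_warnings("nameserver 192.0.2.53\n"))
```

To run it against the live system, call `check_resolver` with the zone names from spam.lists.conf and the default resolver, and feed the real `/etc/resolv.conf` to `resolv_conf_warnings`; a "resolver-broken" result with a warning about the first nameserver is the combination the thread describes, and the fix is the caching named plus resolv.conf change Rick lists, not a MailScanner setting.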
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: Unable to install latest release
In-Reply-To: <4046F1FD.7060305@solid-state-logic.com>
References: <009801c401b8$ee7b3a40$660210ac@christoxp> <4046DBF2.4010409@cts.com> <4046F1FD.7060305@solid-state-logic.com>
Message-ID: <40471343.2000703@eatathome.com.au>

Martin Hepworth wrote:

> I'll have a look where this is set in FreeBSD stable, see if it makes
> any difference to clamavmodule - doesn't seem to be set on my shell
> environment....
>
> Had problems with my Mandrake desktop on this for Mozilla 1.6 and
> acrobat reader. ended up popping in little LANG=.... in the scripts
> themselves so I didn't break anything else.
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Gene & Mary LeDuc wrote:
>
>> I ran into the same problem on RH 8 this afternoon.
>>
>> In /etc/sysconfig/i18n find the LANG= line:
>> LANG="en_US.UTF-8"
>> and remove the '.UTF-8':
>> LANG="en_US"
>>
>> and that should do it (apparently the ".UTF-8" breaks things). Don't
>> even think about asking me why, I don't have a clue. Someone else on
>> this list probably knows and may even tell us.
>>
>> Regards,
>> Gene
>>
>> Christo Bezuidenhout wrote:
>>
>>> When I try to install the latest release of MS I must install
>>> Archive::Zip first.
>>>
>>> OK here is the problem. I'm running RH9. I do the following.
>>> perl -MCPAN -e shell
>>> install Archive::Zip
>>>
>>> And I get the following errors
>>>
>>> Removing previously used /root/.cpan/build/Archive-Zip-1.09
>>>
>>> CPAN.pm: Going to build N/NE/NEDKONZ/Archive-Zip-1.09.tar.gz
>>>
>>> Checking if your kit is complete...
>>> Looks good
>>>
>>> Warning: I could not locate your pod2man program. Please make sure,
>>> your pod2man program is in your PATH before you execute 'make'
>>>
>>> Writing Makefile for Archive::Zip
>>> Makefile:88: *** missing separator. Stop.
>>> /usr/bin/make -- NOT OK
>>> Running make test
>>> Can't test without successful make
>>> Running make install
>>> make had returned bad status, install seems impossible
>>>
>>> I checked to see where my pod2man is and it is there
>>> which pod2man
>>> /usr/bin/pod2man
>>> I need to urgently upgrade to be able to block only encrypted zip files
>>> for we get lots of zip files from customers.
>>>
>>> Any help appreciated
>>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
>

Unless I set LANG=C I can't compile loads of stuff on RH9, so now it's the first thing I do, and now I learnt from a perl God (Julian) that it's also important to remove the utf stuff, who knows why... the below works fine for me now. Others have said LANG=en_US is good, but I don't know the difference, in regards to effect on the workings of perl or MS.

LANG="C"
SUPPORTED="en_US:en"
SYSFONT="latarcyrheb-sun16"

From rcooper at DWFORD.COM Thu Mar 4 11:33:42 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: trouble starting mailscanner
In-Reply-To: <20040304055524.EB30E6A65A@mail.netspace.net.au>
Message-ID:

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Josh
Sent: Thursday, March 04, 2004 12:55 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: trouble starting mailscanner

Hi I'm new to the list,

Having a bit of trouble with the following

Starting MailScanner...
Can't locate Archive/Zip.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 46.
Compilation failed in require at /usr/sbin/MailScanner line 52.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 52.

Line 46 in Message.pm is:
use Archive::Zip qv( :ERROR_CODES );

Line 52 in Mailscanner is:
Use Mailscanner: :Message;

I couldn't find anything in the FAQ about configuring the /usr/sbin/Mailscanner file or the /usr/lib/Mailscanner/Mailscanner/Message.pm file.

I am using redhat 7.3 current version of Mailscanner and Sophos

Sorry if this is newbie stuff but this is my first look at mailscanner and I need to get up and running asap, any help guys.?
e-mail me or I'm on icq: 89616901 and msn josh@roshtechnq.com.au

thanks in advance,

[Rick Cooper] I believe running (one line no wrap):

cpan -i Parse::RecDescent Inline::MakeMaker Net::CIDR IO::Stringy MIME::Base64 M/MA/MARKOV/MailTools-1.60.tar.gz File::Spec HTML::Tagset HTML::Parser MIME::Tools File::Temp DB_File Convert::TNEF Mail::ClamAV Archive::Zip

Will get you about everything you need to get MailScanner running, but you really should use the patched version of MIME::Tools from the MailScanner site http://www.sng.ecs.soton.ac.uk/mailscanner/files/modules/MIME-tools-5.411-patched.tar.gz and this assumes you have cpan installed (can't imagine why it wouldn't be)

Rick

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/5b40d5bf/attachment.html

From lists at DVD-GOETSCH.DE Thu Mar 4 11:43:20 2004
From: lists at DVD-GOETSCH.DE (sebastian ruchti)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <6.0.1.1.2.20040304103740.03a82be8@imap.ecs.soton.ac.uk>
Message-ID:

German=
Die Nachricht enthielt ein Archiv, das nicht gelesen werden konnte
Die Nachricht enthielt ein Passwort geschütztes Archiv
resp.:
Die Nachricht enthielt ein Passwort geschuetztes Archiv

.sebastian

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Thursday, March 04, 2004 11:39 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Calling all translators
>
>
> Hi folks!
>
> It's translation time again. I would like you all to translate these
> strings into your language of choice. They are used when unreadable or
> protected archives and zip files are found.
>
> Message contained archive which could not be read
>
> Message contained password-protected archive
>
> Many thanks.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rcooper at dwford.com Thu Mar 4 11:49:53 2004
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <40471250.1080407@eatathome.com.au>
Message-ID:

> -----Original Message-----
> From: Pete [mailto:pete@eatathome.com.au]
> Sent: Thursday, March 04, 2004 6:26 AM
> To: Rick Cooper; Julian Field; MailScanner mailing list
> Subject: Re: DOS attacked :(
>
>
> So you're sure that's all I have to do, no messing
> about and trying to learn bind? If I have to learn to
> drive Bind I am not going to bother, but if it's a
> matter of just starting it up, am happy to try, even
> will try right now.
>
> Other thing I wanted to know was whether an upgrade to
> 4.28.8-4 would be the shot? Or stick with latest stable?

I would sort out your network problems before you go one more step. MailScanner has nothing to do with this if you cannot even manually ping a RBL host by name. It's been a while since I used a bone stock redhat configuration and I have never bothered with RH.9 but I am sure the bone stock named config is only a caching server so it allows updates from none, listens on 127.0.0.1 only and allows access from 127.0.0.1 only. No need to do anything clever, just resolve for the localhost only. Just do the items I described earlier and redo your manual rbl tests. If you can ping by name then try your MS tests again, I think you will be amazed. But once you get things sorted out don't forget to

chkconfig --add named
and
chkconfig named on

If you cannot resolve a host name nothing is going to work properly; I can't imagine how you are sending the mail? Have you looked at your outbound queue?

>
>
>
> >Sorry, I thought you said you installed from source.
> > > >Have you thought about enabling named > (/etc/init.d/named start) > >on your box, the default would be just a caching name > server but > >it would resolve from root servers without using the > external DNS > >servers as the default and set your /etc/resolv.conf > to something > >like > > > >options ndots:1 > >nameserver 127.0.0.1 > >nameserver current.ns.1.address > >nameserver current.ns2.address > >multi on > > > >then /etc/init.d/network restart > > > >You may well see a noticeable improvement with RBLS > and such that > >require a lot of DNS lookups. If it helps just add/enable with > >chkconfig > > > > > > > > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From rcooper at DWFORD.COM Thu Mar 4 11:49:53 2004 From: rcooper at DWFORD.COM (Rick Cooper) Date: Thu Jan 12 21:23:02 2006 Subject: DOS attacked :( In-Reply-To: <40471250.1080407@eatathome.com.au> Message-ID: > -----Original Message----- 
> From: Pete [mailto:pete@eatathome.com.au] > Sent: Thursday, March 04, 2004 6:26 AM > To: Rick Cooper; Julian Field; MailScanner mailing list > Subject: Re: DOS attacked :( > > > So you're sure thats all i have to do, no messing > about and trying to learn bind? If i have to learn to > drive Bind i am not going to bother, but its its a > matter of just starting it up, am happy to try, even > will try right now. > > Other thing i wanted to know was whether an upgrade to > 4.28.8-4 would be the shot? Or stick with latest stable? I would sort out your network problems before you go one more step, MailScanner has nothing to do with this if you cannot even manully ping a RBL host by name. It's been awhile since I used a bone stock redhat configuration and I have never bothered with RH.9 but I am sure the bone stock named config is only a caching server so it alows updates from none, listens on 127.0.0.1 only and allows access from 127.0.0.1 only. No need to do anything clever just resolve for the localhost only. Just do the items I described earlier and redo your manual rbl tests. If you can ping by name then try your MS tests again, I think you will be amazed. But once you get things sorted out don't forget to chkconfig --add named and chkconfig named on If you cannot resolve a host name nothing is going to work properly, I can't image how you are sending the mail? Have you looked at your outbound queue? > > > > >Sorry, I thought you said you installed from source. 
> > > Have you thought about enabling named (/etc/init.d/named start)
> > > on your box, the default would be just a caching name server but
> > > it would resolve from root servers without using the external DNS
> > > servers as the default and set your /etc/resolv.conf to something
> > > like
> > >
> > > options ndots:1
> > > nameserver 127.0.0.1
> > > nameserver current.ns.1.address
> > > nameserver current.ns2.address
> > > multi on
> > >
> > > then /etc/init.d/network restart
> > >
> > > You may well see a noticeable improvement with RBLS and such that
> > > require a lot of DNS lookups. If it helps just add/enable with
> > > chkconfig
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From max.gaspari at MERCATONEUNO.IT Thu Mar 4 11:55:01 2004
From: max.gaspari at MERCATONEUNO.IT (Massimo Gaspari)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
Message-ID: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it>

English:

"Message contained archive which could not be read"
"Message contained password-protected archive"

Italian:

"Il messaggio contiene un archivio che non può essere letto" or
"Il messaggio contiene un archivio che non è stato possibile aprire"
"Il messaggio contiene un archivio protetto da password"

Bye

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 04, 2004 11:39 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Calling all translators

Hi folks!

It's translation time again. I would like you all to translate these
strings into your language of choice. They are used when unreadable or
protected archives and zip files are found.

    Message contained archive which could not be read

    Message contained password-protected archive

Many thanks.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been checked by our "Protection System".
Still, avoid opening attachments unless strictly necessary!
They could compromise the correct operation of your workstation.

Area.NET Mercatone UNO
--

From pete at eatathome.com.au Thu Mar 4 11:56:20 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <40471964.2040504@eatathome.com.au>

Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 11:29 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Rick Cooper wrote:
>>
>>>Sorry to top post, but
>>>
>>>Are you sure that Net::CIDR is installed (I think that
>>>requirement came after your original install version), and are
>>>you using a local caching name server? Slow downs in the network
>>>test arena are many times caused by resolver problems.
>>
>>Have not got internal DNS, all external, and Net::CIDR is
>>installed/updated with the rpm MailScanner installation.
>>
>>But this got me thinking, I tried to ping all the servers listed in
>>spam.lists.conf and I cannot resolve any, methinks this is not good.
>>Although I can ping almost any other domain name I can think of, but
>>not any of the spamlist ones. I can ping the dcc#.dcc-servers.net
>>found when doing cdcc info.
>>
>>CPAN shell doesn't work cos it cannot resolve the perl sites.
>>
>>I have changed nothing regarding DNS or networks. I assume this is
>>the cause/symptom of my problems?
>>
>>Having spamassassin off is a nightmare and we are getting heaps of
>>spam.
>>
>>--
>
>Run
>Makes you wonder if your ISP changed name servers on you, or you
>have a firewall problem.
>
>Change /etc/resolv.conf
>options ndots:1
>nameserver 127.0.0.1
>nameserver put current ns1 address here
>nameserver put current ns2 address here
>multi on
>
>then /etc/init.d/named start
>then /etc/init.d/network restart
>
>and try your test again. If your resolver isn't working you will
>have *very* slow network tests as you will be waiting for each
>outbound to timeout.. with a caching name server running you will
>see improvements in many things with your mail service.
>
>Rick
>
Thanks.
Enabled the named and changed the resolv and restarted, turned on
spamassassin and sent through some bagles and netskys and all was good,
they were detected and processed properly. (While writing this I
noticed quite a few bagles-gen2 getting detected.)

Maybe a combination of the DOS attack message in the maillog (does this
mean zip of death?), slow as network connection and therefore big
hassles with RBLs, SA or MS runs MUCH slower than previous versions,
probably due to all the extra message handling needed to combat these
new nasties?

Although just looking through the stats now, we don't have anywhere
near (hundreds of times less) virus stats as when mydoom was going
hard, and we don't have any more email volume in total than usual; and
we detected half as much spam as we did yesterday (cos SA was off
almost all day?), so I guess it was something to do with some of these
nasties we haven't previously seen?

Boss has given permission to buy a cheapo 2nd hand old fashioned
server, so hopefully will be able to double the specs on this and have
some more luck with that...

From rcooper at DWFORD.COM Thu Mar 4 11:58:10 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: Report text for password protected archive
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B12@pascal.priv.bmrb.co.uk>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Spicer, Kevin
> Sent: Thursday, March 04, 2004 5:43 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Report text for password protected archive
>
> Julian Field wrote:
> > Good idea. I have moved the report strings into
> > languages.conf so they can
> > be translated too.
>
> Quick point, before this makes it into 'stable'
>
> I had to edit the reports to remove references to ~ change the name
> or put in a zip to avoid this constraint.

I just changed it to:

archive it in a zip file. If it's already in .zip form then it has
been named the same as a .zip file used by a virus/worm or it has been
password protected. Our system does not allow password protected .zip
files as they cannot be scanned for viruses or content. If this is the
case you should change the name of the .zip file or remove the
password protection, whichever the case may be.

> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in reliance on
> it is prohibited. BMRB International Limited accepts no liability
> in relation to any personal emails, or content of any email which
> does not directly relate to our business.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From drew at THEMARSHALLS.CO.UK Thu Mar 4 12:00:55 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References: <40471250.1080407@eatathome.com.au>
Message-ID: <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>

Rick Cooper said:
>> -----Original Message-----
>> From: Pete [mailto:pete@eatathome.com.au]
>> Sent: Thursday, March 04, 2004 6:26 AM
>> To: Rick Cooper; Julian Field; MailScanner mailing list
>> Subject: Re: DOS attacked :(
>>
>> So you're sure that's all I have to do, no messing about and trying
>> to learn bind? If I have to learn to drive Bind I am not going to
>> bother, but if it's a matter of just starting it up, I am happy to
>> try, even will try right now.
>>
>> Other thing I wanted to know was whether an upgrade to 4.28.8-4
>> would be the shot? Or stick with latest stable?
>
> I would sort out your network problems before you go one more
> step, MailScanner has nothing to do with this if you cannot even
> manually ping an RBL host by name.
>
> It's been a while since I used a bone stock Red Hat configuration
> and I have never bothered with RH 9 but I am sure the bone stock
> named config is only a caching server so it allows updates from
> none, listens on 127.0.0.1 only and allows access from 127.0.0.1
> only. No need to do anything clever just resolve for the
> localhost only.

This will also stop Postfix if you are using any of its UCE features.
Assuming you get some form of DNS running again, I would start just one
Postfix process - the outgoing one (Postfix not postfix.in) as
$ postfix -C /etc/postfix start
and watch your logs, you should see any 'outgoing' (scanned) queued
mail be delivered, then start MailScanner and get MS to clear its
queue, then re-start the postfix.in to allow more incoming. Keep an eye
on the log files and the mail queue ($ mailq). That at least will tell
you where the hold up occurs (if anywhere).

> Just do the items I described earlier and redo your manual RBL
> tests. If you can ping by name then try your MS tests again, I
> think you will be amazed. But once you get things sorted out
> don't forget to chkconfig --add named and chkconfig named on
>
> If you cannot resolve a host name nothing is going to work
> properly, I can't imagine how you are sending the mail?
> Have you looked at your outbound queue?
>
>> > Sorry, I thought you said you installed from source.
>> >
>> > Have you thought about enabling named (/etc/init.d/named start)
>> > on your box, the default would be just a caching name server but
>> > it would resolve from root servers without using the external DNS
>> > servers as the default and set your /etc/resolv.conf to something
>> > like
>> >
>> > options ndots:1
>> > nameserver 127.0.0.1
>> > nameserver current.ns.1.address
>> > nameserver current.ns2.address
>> > multi on
>> >
>> > then /etc/init.d/network restart
>> >
>> > You may well see a noticeable improvement with RBLS and such that
>> > require a lot of DNS lookups. If it helps just add/enable with
>> > chkconfig
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mailscanner at ecs.soton.ac.uk Thu Mar 4 12:02:39 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it>
References: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it>
Message-ID: <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk>

At 11:55 04/03/2004, you wrote:
>English :
>
>"Message contained archive which could not be read"
>"Message contained password-protected archive"
>
>Italian:
>
>"Il messaggio contiene un archivio che non può essere letto" or "Il
>messaggio contiene un archivio che non è stato possibile aprire"

Which? Giving me 2 options, neither of which I can understand (never
studied Italian) doesn't help me :-)

>"Il messaggio contiene un archivio protetto da password"
>
>
>Bye
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, March 04, 2004 11:39 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Calling all translators
>
>Hi folks!
>
>It's translation time again. I would like you all to translate these
>strings into your language of choice. They are used when unreadable or
>protected archives and zip files are found.
>
>    Message contained archive which could not be read
>
>    Message contained password-protected archive
>
>Many thanks.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>--
>This message has been checked by our "Protection System".
>Still, avoid opening attachments unless strictly necessary!
>They could compromise the correct operation of your workstation.
>
>Area.NET Mercatone UNO
>--

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rcooper at DWFORD.COM Thu Mar 4 12:18:25 2004
From: rcooper at DWFORD.COM (Rick Cooper)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <40471964.2040504@eatathome.com.au>
Message-ID:

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Thursday, March 04, 2004 6:56 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
> Rick Cooper wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list
> >>[mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 11:29 PM
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: Re: DOS attacked :(
> >>
> >>Rick Cooper wrote:
> >>
> >>>Sorry to top post, but
> >>>
> >>>Are you sure that Net::CIDR is installed (I think that
> >>>requirement came after your original install version), and are
> >>>you using a local caching name server? Slow downs in the network
> >>>test arena are many times caused by resolver problems.
> >>
> >>Have not got internal DNS, all external, and Net::CIDR is
> >>installed/updated with the rpm MailScanner installation.
> >>
> >>But this got me thinking, I tried to ping all the servers listed in
> >>spam.lists.conf and I cannot resolve any, methinks this is not good.
> >>Although I can ping almost any other domain name I can think of, but
> >>not any of the spamlist ones. I can ping the dcc#.dcc-servers.net
> >>found when doing cdcc info.
> >>
> >>CPAN shell doesn't work cos it cannot resolve the perl sites.
> >>
> >>I have changed nothing regarding DNS or networks. I assume this is
> >>the cause/symptom of my problems?
> >>
> >>Having spamassassin off is a nightmare and we are getting heaps of
> >>spam.
> >>
> >>--
> >
> >Run
> >Makes you wonder if your ISP changed name servers on you, or you
> >have a firewall problem.
> >
> >Change /etc/resolv.conf
> >options ndots:1
> >nameserver 127.0.0.1
> >nameserver put current ns1 address here
> >nameserver put current ns2 address here
> >multi on
> >
> >then /etc/init.d/named start
> >then /etc/init.d/network restart
> >
> >and try your test again. If your resolver isn't working you will
> >have *very* slow network tests as you will be waiting for each
> >outbound to timeout.. with a caching name server running you will
> >see improvements in many things with your mail service.
> >
> >Rick
> >
>
> Thanks.
>
> Enabled the named and changed the resolv and restarted, turned on
> spamassassin and sent through some bagles and netskys and all was
> good, they were detected and processed properly. (While writing this
> I noticed quite a few bagles-gen2 getting detected.)
>
> Maybe a combination of the DOS attack message in the maillog (does
> this mean zip of death?), slow as network connection and therefore
> big hassles with RBLs, SA or MS runs MUCH slower than previous
> versions, probably due to all the extra message handling needed to
> combat these new nasties?
>
> Although just looking through the stats now, we don't have anywhere
> near (hundreds of times less) virus stats as when mydoom was going
> hard, and we don't have any more email volume in total than usual;
> and we detected half as much spam as we did yesterday (cos SA was off
> almost all day?), so I guess it was something to do with some of
> these nasties we haven't previously seen?

You're welcome..

I think the DOS stuff you were seeing had to do with the network
problems not ZipOfDeath problems. I assume you have SA back up and
running, but I don't think I would say 100% solved as you still don't
know why your ISP's name servers disappeared. Also, make sure you did
the chkconfig things or on the next reboot your DNS goes away.

You're not on a dynamic IP are you? I have seen this type of thing
happen when a host on a dynamic IP (like cable) sets their IP static
and the ISP does some network reconfigurations and suddenly the name
servers don't work, network slows down because they are supposed to be
on a different gateway (even though the current gw works), etc... That
name server thing would make me nervous even if I don't use their name
servers.

Good luck.

> Boss has given permission to buy a cheapo 2nd hand old fashioned
> server, so hopefully will be able to double the specs on this and
> have some more luck with that...

Ebay...
there is always Ebay :->

From pete at eatathome.com.au Thu Mar 4 12:27:20 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>
References: <40471250.1080407@eatathome.com.au> <18122.194.70.180.170.1078401655.squirrel@net.themarshalls.co.uk>
Message-ID: <404720A8.7000104@eatathome.com.au>

Drew Marshall wrote:

>Rick Cooper said:
>
>>>-----Original Message-----
>>>From: Pete [mailto:pete@eatathome.com.au]
>>>Sent: Thursday, March 04, 2004 6:26 AM
>>>To: Rick Cooper; Julian Field; MailScanner mailing list
>>>Subject: Re: DOS attacked :(
>>>
>>>So you're sure that's all I have to do, no messing about and trying
>>>to learn bind? If I have to learn to drive Bind I am not going to
>>>bother, but if it's a matter of just starting it up, I am happy to
>>>try, even will try right now.
>>>
>>>Other thing I wanted to know was whether an upgrade to 4.28.8-4
>>>would be the shot? Or stick with latest stable?
>>>
>>I would sort out your network problems before you go one more
>>step, MailScanner has nothing to do with this if you cannot even
>>manually ping an RBL host by name.
>>
>>It's been a while since I used a bone stock Red Hat configuration
>>and I have never bothered with RH 9 but I am sure the bone stock
>>named config is only a caching server so it allows updates from
>>none, listens on 127.0.0.1 only and allows access from 127.0.0.1
>>only. No need to do anything clever just resolve for the
>>localhost only.
>>
>
>This will also stop Postfix if you are using any of its UCE features.
>Assuming you get some form of DNS running again, I would start just one
>Postfix process - the outgoing one (Postfix not postfix.in) as
>$ postfix -C /etc/postfix start
>and watch your logs, you should see any 'outgoing' (scanned) queued
>mail be delivered, then start MailScanner and get MS to clear its
>queue, then re-start the postfix.in to allow more incoming. Keep an eye
>on the log files and the mail queue ($ mailq). That at least will tell
>you where the hold up occurs (if anywhere).
>
>>Just do the items I described earlier and redo your manual RBL
>>tests. If you can ping by name then try your MS tests again, I
>>think you will be amazed.
>>But once you get things sorted out
>>don't forget to chkconfig --add named and chkconfig named on
>>
>>If you cannot resolve a host name nothing is going to work
>>properly, I can't imagine how you are sending the mail? Have you
>>looked at your outbound queue?
>>
>>>>Sorry, I thought you said you installed from source.
>>>>
>>>>Have you thought about enabling named (/etc/init.d/named start)
>>>>on your box, the default would be just a caching name server but
>>>>it would resolve from root servers without using the external DNS
>>>>servers as the default and set your /etc/resolv.conf to something
>>>>like
>>>>
>>>>options ndots:1
>>>>nameserver 127.0.0.1
>>>>nameserver current.ns.1.address
>>>>nameserver current.ns2.address
>>>>multi on
>>>>
>>>>then /etc/init.d/network restart
>>>>
>>>>You may well see a noticeable improvement with RBLS and such that
>>>>require a lot of DNS lookups. If it helps just add/enable with
>>>>chkconfig

This is getting really weird, I tried with both caching nameserver on
and off and have tried with 6 or more different external DNS that seem
to work ok when using on my XP machine. I get same result in the MS
debug, although from the MS machine I can ping any amount of domain
names, ones I have never tried to access before now and they work fine,
but the RBLs always fail.

Have attached the log while debugging and the output of the debug.

-------------- next part --------------
[root@mail01 root]# taillog 0
Mar 4 23:24:10 mail01 MailScanner[26092]: MailScanner E-Mail Virus Scanner version 4.27.7 starting...
Mar 4 23:24:10 mail01 MailScanner[26092]: Config: calling custom init function MailWatchLogging
Mar 4 23:24:10 mail01 MailScanner[26092]: Initialising database connection
Mar 4 23:24:10 mail01 MailScanner[26092]: Finished initialising database connection
Mar 4 23:25:05 mail01 MailScanner[26092]: lock.pl sees Config LockType = flock
Mar 4 23:25:05 mail01 MailScanner[26092]: lock.pl sees have_module = 0
Mar 4 23:25:06 mail01 MailScanner[26092]: Using locktype = flock
Mar 4 23:25:07 mail01 MailScanner[26092]: New Batch: Found 6 messages waiting
Mar 4 23:25:07 mail01 MailScanner[26092]: New Batch: Scanning 1 messages, 38361 bytes
Mar 4 23:25:07 mail01 MailScanner[26092]: Spam Checks: Starting
Mar 4 23:25:46 mail01 MailScanner[26092]: SpamAssassin returned 0
Mar 4 23:25:47 mail01 MailScanner[26092]: Created attachment dirs for 1 messages
Mar 4 23:25:47 mail01 MailScanner[26092]: Virus and Content Scanning: Starting
Mar 4 23:25:47 mail01 MailScanner[26092]: Commencing scanning by clamav...
Mar 4 23:25:53 mail01 MailScanner[26092]: /var/spool/MailScanner/incoming/26092/./8546833984/pic_regid.zip: Worm.SomeFool.Gen-1 FOUND
Mar 4 23:25:53 mail01 MailScanner[26092]: Completed scanning by clamav
Mar 4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: ClamAV found 1 infections
Mar 4 23:25:53 mail01 MailScanner[26092]: Infected message 8546833984 came from 69.50.209.211
Mar 4 23:25:53 mail01 MailScanner[26092]: Virus Scanning: Found 1 viruses
Mar 4 23:25:53 mail01 MailScanner[26092]: Saved entire message to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar 4 23:25:53 mail01 MailScanner[26092]: Saved infected "pic_regid.zip" to /var/spool/MailScanner/quarantine/20040304/8546833984
Mar 4 23:25:54 mail01 MailScanner[26092]: Requeue: 8546833984 to 081C0C1B7
Mar 4 23:25:54 mail01 MailScanner[26092]: About to deliver 1 messages
-------------- next part --------------
Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: Score set 1 chosen.
debug: Initialising learner
debug: is Net::DNS::Resolver available? yes
debug: trying (3) amazon.com...
debug: looking up MX for 'amazon.com'
debug: MX for 'amazon.com' exists? 1
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs:
debug: RBL: success for 0 of 1 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=5 tests=DATE_MISSING,NO_REAL_NAME
debug: received-header: parsed as [ ip=69.50.209.211 rdns=nsurl.us helo=server.nsurl.us by=mail01.mteliza.com.au ident= ]
debug: received-header: parsed as [ ip=203.217.40.138 rdns=m040-138.nv.iinet.net.au helo=eatathome.com.au by=server.nsurl.us ident= ]
debug: received-header: 'by' mail01.mteliza.com.au has public IP 203.55.54.21
debug: received-header: relay 69.50.209.211 trusted? no
debug: received-header: relay 203.217.40.138 trusted? no
debug: is Net::DNS::Resolver available? yes
debug: all '*From' addrs: pete@eatathome.com.au
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0.077
debug: running uri tests; score so far=0.077
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=0.077
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs: prussell@mteliza.com.au
debug: DNS MX records found: 1
debug: forged-HELO: from=nsurl.us helo=server.nsurl.us by=mteliza.com.au
debug: forged-HELO: mismatch on HELO: 'server.nsurl.us' != 'nsurl.us'
debug: forged-HELO: from=iinet.net.au helo=eatathome.com.au by=server.nsurl.us
debug: forged-HELO: mismatch on HELO: 'eatathome.com.au' != 'iinet.net.au'
debug: forged-HELO: mismatch on from: 'nsurl.us' != 'server.nsurl.us'
debug: RBL: success for 0 of 17 queries
debug: RBL: timeout for rfci-dsn after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for njabl-notfirsthop,njabl after 40 seconds
debug: RBL: timeout for opm after 40 seconds
debug: RBL: timeout for sorbs after 40 seconds
debug: RBL: timeout for sorbs,sorbs-notfirsthop after 40 seconds
debug: RBL: timeout for njabl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for bsp-untrusted after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for dsbl after 40 seconds
debug: RBL: timeout for bsp-firsttrusted after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: RBL: timeout for sbl after 40 seconds
debug: RBL: timeout for rfci after 40 seconds
debug: RBL: timeout for spamcop after 40 seconds
debug: running meta tests; score so far=0.077
debug: is spam? score=0.077 required=5 tests=TW_YP

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 12:46:26 2004
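The debug output above shows every RBL query timing out after 40 seconds while ordinary names resolve, and the thread's fix is a local caching named with 127.0.0.1 first in /etc/resolv.conf. The script below is an added example for checking that setup; it is not code from the thread, from MailScanner or from SpamAssassin. It builds the reversed-octet query name that the RBL rules actually look up, sends it through a chosen resolver with a short timeout, decodes the 127.0.0.x answer, and confirms that resolv.conf really asks 127.0.0.1 first. The zone bl.spamcop.net is the one named in the thread; the DNSBL_ZONES and RESOLVER variables and the use of 127.0.0.2 as the self-test entry are this example's own assumptions (127.0.0.2 is the test address most DNSBLs publish). Pinging the zone name itself is not a valid test: a DNSBL zone apex normally has no A record, so a failed ping of bl.spamcop.net says nothing about the list or the resolver.

```shell
#!/bin/sh
# Added example for the DNS troubleshooting in this thread; not code from
# the list, MailScanner or SpamAssassin. It tests a DNSBL the way the RBL
# rules do (reversed-octet query) instead of pinging the zone name.

# Print the DNSBL query name for an IPv4 address and a list zone.
# Example: dnsbl_name 69.50.209.211 bl.spamcop.net
#          -> 211.209.50.69.bl.spamcop.net
dnsbl_name() {
    ip=$1
    zone=$2
    old_ifs=$IFS
    IFS=.
    set -- $ip            # split the address on dots into $1..$4
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "dnsbl_name: not an IPv4 address: $ip" >&2
        return 1
    fi
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            ''|*[!0-9]*)
                echo "dnsbl_name: not an IPv4 address: $ip" >&2
                return 1 ;;
        esac
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Succeed if a DNSBL answer means "listed". Lists answer from 127.0.0.0/8;
# an empty answer (NXDOMAIN or timeout) or anything else is "not listed".
dnsbl_listed() {
    for addr in $1; do
        case $addr in
            127.*) return 0 ;;
        esac
    done
    return 1
}

# Query one list through one resolver with a short timeout, so a dead
# resolver fails in seconds instead of the 40 s SpamAssassin waited above.
# Example: dnsbl_query 69.50.209.211 bl.spamcop.net 127.0.0.1
dnsbl_query() {
    name=$(dnsbl_name "$1" "$2") || return 2
    dig +short +time=3 +tries=1 "@$3" "$name" A 2>/dev/null
}

# Succeed if the resolv.conf at $1 names 127.0.0.1 as its first
# nameserver; the local caching named only helps if it is asked first.
resolv_uses_local() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1" 2>/dev/null)
    [ "$first" = "127.0.0.1" ]
}

# Self-test. 127.0.0.2 is the test entry most DNSBLs publish; that, and the
# DNSBL_ZONES / RESOLVER knobs, are assumptions of this example, not
# something stated in the thread.
ZONES=${DNSBL_ZONES:-bl.spamcop.net}
RESOLVER=${RESOLVER:-127.0.0.1}
if command -v dig >/dev/null 2>&1; then
    if resolv_uses_local /etc/resolv.conf; then
        echo "/etc/resolv.conf asks 127.0.0.1 first"
    else
        echo "/etc/resolv.conf does not ask 127.0.0.1 first"
    fi
    for z in $ZONES; do
        ans=$(dnsbl_query 127.0.0.2 "$z" "$RESOLVER")
        if dnsbl_listed "$ans"; then
            echo "$z via $RESOLVER: OK, test entry answers $ans"
        else
            echo "$z via $RESOLVER: no answer; fix the resolver before touching MailScanner"
        fi
    done
fi
```

Run it on the mail host after starting named; set DNSBL_ZONES to several zones to check each one, and RESOLVER to an ISP name server to compare. One caveat on the resolv.conf recipe quoted in the thread: glibc's resolver only understands nameserver, domain, search, sortlist and options lines, so `multi on` (an /etc/host.conf keyword) is silently ignored there and neither helps nor hurts.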
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5CC@jessica.herefordshire.gov.uk>

Pete wrote:
> Not on dyn IP, SA ISN'T working with RBLs, this appears to be the cause
> of all my woes, although I am not really sure, but it seems that way. I
> have posted already with my logs, but I notice I can ping spamcop.net
> but NOT bl.spamcop.net as it appears in spam.lists.conf, this is the
> same from the XP machine, so assume it's meant to be this way - but
> nonetheless all the RBLs fail every time when run by SA.

Are you running the latest version of Net::DNS ?

perl -MCPAN -e 'install Net::DNS'

will install it.

Also, on the subject of DNS, the IP address of one of the DNS root
servers changed on January 29th. The definitive source of the list is
ftp://ftp.rs.internic.net/domain/named.root. On some boxes it will be
called named.cache or named.ca.

Phil

P.S. Net::DNS v0.45 and later is said to be twice as fast as earlier
versions in handling DNS packets, so it is worthwhile upgrading it.

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From max.gaspari at MERCATONEUNO.IT Thu Mar 4 12:50:03 2004
From: max.gaspari at MERCATONEUNO.IT (Massimo Gaspari)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
Message-ID: <17747180E2329145AB61BC6AA3FDEAC943A260@MUS-SRV-020.mercatoneuno.it>

"Message contained archive which could not be read" = "Il messaggio
contiene un archivio che non può essere letto"

Is better .. Sorry :-)

Bye

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 04, 2004 1:03 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Calling all translators

At 11:55 04/03/2004, you wrote:
>English :
>
>"Message contained archive which could not be read"
>"Message contained password-protected archive"
>
>Italian:
>
>"Il messaggio contiene un archivio che non può essere letto" or "Il
>messaggio contiene un archivio che non è stato possibile aprire"

Which? Giving me 2 options, neither of which I can understand (never
studied Italian) doesn't help me :-)

From bg.mahesh at INDIAINFO.COM Thu Mar 4 13:04:29 2004
From: bg.mahesh at INDIAINFO.COM (BG Mahesh)
Date: Thu Jan 12 21:23:02 2006
Subject: Emails in mqueue.in not being processed
Message-ID: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>

hi

I installed MailScanner+ClamAV+SpamAssassin on a RedHat Linux machine
and it seemed to work fine [the test emails were delivered without any
problem]. I installed the same on our production Mailserver (RedHat
Linux). All incoming emails are in /var/spool/mqueue.in and have been
there for a long time [30 minutes]. So far they haven't been delivered
to the local user.

Earlier I had SA running on this machine, I have deleted
/etc/procmailrc now. Also, spamd is not running as before.

The following entries in MailScanner.conf were changed by me,

Virus Scanners = clamavmodule
Use SpamAssassin = yes
Always Include SpamAssassin Report = yes
High Scoring Spam Actions = delete
Log Speed = yes
Log Spam = yes
SpamAssassin Local Rules Dir = /etc/mail/spamassassin
Delivery Method = queue

I looked into /var/log/maillog /var/log/messages, I don't see any
error messages.

What could I be doing wrong?

Also, what should be the permissions/ownership of
/var/spool/clientmqueue

regards,

--
B.G. Mahesh
bg.mahesh@indiainfo.com
http://www.indiainfo.com/

--
______________________________________________
IndiaInfo Mail - the free e-mail service with a difference! www.indiainfo.com
Check out our value-added Premium features, such as an extra 20MB for mail storage, POP3, e-mail forwarding, and ads-free mailboxes!
Powered by Outblaze

From drew at THEMARSHALLS.CO.UK Thu Mar 4 13:18:01 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:02 2006
Subject: Update virus scanner script
Message-ID: <2632.194.70.180.170.1078406281.squirrel@net.themarshalls.co.uk>

All

It looks like I have managed to get myself a little confused. It seems
like Julian's update virus scanner script automatically runs as some
form of automated 'cron' job. I assumed that I needed to run it from
cron, so now have my AV scanners updating extremely regularly (no
excuse for not being up to date :-) but a little over the top!) If I
remove it from cron, do I need to execute it as a boot script or will
just starting MS do that for me?

Sorry, I'm sure I could find out if I understood Perl (but hey, I
struggle with regex!).

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 13:26:21 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:02 2006
Subject: Update virus scanner script
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk>

Drew Marshall wrote:
> All
>
> It looks like I have managed to get myself a little confused. It seems
> like Julian's update virus scanner script automatically runs as some
> form of automated 'cron' job. I assumed that I needed to run it from
> cron, so now have my AV scanners updating extremely regularly (no
> excu­se for not being up to date :-) but a little over the top!) If I
> remove it from cron, do I need to execute it as a boot script or will
> just starting MS do that for me?
>

On an rpm distribution it just drops a file into /etc/cron.hourly.
There should be a run-parts line in /etc/crontab which checks the
cron.hourly directory hourly and runs the files within.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From pete at eatathome.com.au Thu Mar 4 13:28:48 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To: <20040304131259.456E821C29C@mail.fsl.com>
References: <20040304131259.456E821C29C@mail.fsl.com>
Message-ID: <40472F10.7010805@eatathome.com.au>

Stephen Swaney wrote:
> Pete,
>
> After reading through all of the emails a few questions:
>
> Did you install SpamAssassin from the rpm?
> Are you trying to ping RBL servers to test DNS?
> Have you changed any settings in /etc/sysconfig/i18n
>
> Steve
>
> Stephen Swaney
> President
> Fortress Systems Ltd.
> Steve.Swaney@FSL.com

Mate, thanks for taking the time to read through it all, I know I post a lot.

I did not, nor have I ever installed SA from the RPM on this machine - I did this during MS pilot stage and soon found it doesn't work, ever since I have used the source. Never installed from CPAN, cos I had already installed from source and didn't know what the effect would be.

I have tried to ping the RBLs listed in spam.lists.conf - if I ping bl.spamcop.net it doesn't work, ping spamcop.net and it works, I figured this is meant to be this way as I have tried on my machine and on online tracerts etc that certainly wouldn't be using same DNS as me. I can ping plenty of other stuff, stuff that I haven't, nor would the server have attempted to resolve before, HEAPS of domains I tried.

I have only changed the Supported line, I did that yesterday? (the other day) as advised by Julian. I just reversed it and rebooted, it didn't help.

LANG="C"
SUPPORTED="en_US:en"
#LANG="en_US.UTF-8"
#SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

From p.g.b.kruit at PL.HANZE.NL Thu Mar 4 13:18:34 2004
From: p.g.b.kruit at PL.HANZE.NL (Peter Kruit)
Date: Thu Jan 12 21:23:02 2006
Subject: First MailScanner child freezes
Message-ID: <003601c401eb$3285ac20$19ce2191@helo.hanze.nl>

Hello,

I'm currently testing MailScanner with Spamassassin for later implementation on our production servers. To test MailScanner with a high volume of e-mail, I copied the mqueue directory from one of our production servers which contained about 8000 e-mails. At first everything looked fine and all e-mail was processed. When I looked closer, however, I found out that MailScanner left 30 e-mails in the mqueue.in directory and left the same amount (with corresponding IDs) in the incoming directory of one of the children. Further investigation showed that I had one child more running than I should have (in MailScanner.conf I set Max Children to 5, normal would be to see 6 (1 parent + 5 children), but I had 7). After giving the parent process a TERM signal, this one child didn't die.

The logfile told me the following:

Mar 2 19:39:43 xx MailScanner[8100]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 2 19:39:47 xx MailScanner[8100]: Message i22AcqG11276 from 127.0.0.1 (mailer-daemon) to listmanager.smallcapmarketwatch.com is not spam, SpamAssassin (timed out)
Mar 2 19:39:57 xx MailScanner[8100]: RBL Check timed out and was killed, consecutive failure 1 of 7

This was the last logging for this process. All other RBL and Spamassassin tests worked fine. In another test the same thing happened. The logfile entries:

Mar 3 16:46:20 xx MailScanner[12779]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 3 16:46:21 xx MailScanner[12779]: Message i22FQc0T011912 from 145.222.138.19 (nrc-html-return-nbs@nrc.nl) to xx is not spam, SpamAssassin (timed out)
Mar 3 16:46:31 xx MailScanner[12779]: RBL Check timed out and was killed, consecutive failure 1 of 7

In both tests 7770 e-mails were processed, except the 30 from the child that froze.
Debug showed the following:

Starting MailScanner...
In Debugging mode, not forking...
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: ignore: test message to precompile patterns and load modules
debug: using "/opt/perl/share/spamassassin" for default rules dir
debug: using "/etc/spamassassin" for site rules dir
debug: using "/opt/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 182 ham(s) in Bayes DB < 200
debug: bayes: 20797 untie-ing
debug: bayes: 20797 untie-ing db_toks
debug: bayes: 20797 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
debug: bayes: 20797 tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 182 ham(s) in Bayes DB < 200
debug: bayes: 20797 untie-ing
debug: bayes: 20797 untie-ing db_toks
debug: bayes: 20797 untie-ing db_seen
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=1.27
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=1.27
debug: running uri tests; score so far=1.27
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=1.27
debug: Razor2 is not available
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
debug: DCC is not available: no executable dccproc found.
debug: Pyzor is not available: pyzor not found
debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org
debug: all '*To' addrs:
debug: is Net::DNS::Resolver available? yes
debug: trying (3) yahoo.de...
debug: looking up MX for 'yahoo.de'
debug: MX for 'google.de' exists? 1
debug: MX lookup of google.de succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
<..>

The last few lines were:

debug: is Net::DNS::Resolver available? yes
debug: DNS MX records found: 0
debug: DNS MX records found: 0

After this, MailScanner froze. I was wondering if this is due to the fact that I copied the mqueue from another server. All the tests I did delivering e-mail via the MTA processed without any problems.

Thanks,
Peter Kruit

From pete at eatathome.com.au Thu Mar 4 12:32:43 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:02 2006
Subject: DOS attacked :(
In-Reply-To:
References:
Message-ID: <404721EB.6010503@eatathome.com.au>

Rick Cooper wrote:
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Pete
>> Sent: Thursday, March 04, 2004 6:56 AM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: DOS attacked :(
>>
>> Rick Cooper wrote:
>>>> -----Original Message-----
>>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Pete
>>>> Sent: Wednesday, March 03, 2004 11:29 PM
>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>> Subject: Re: DOS attacked :(
>>>>
>>>> Rick Cooper wrote:
>>>>> Sorry to top post, but
>>>>>
>>>>> Are you sure that Net::CIDR is installed (I think that requirement came after your original install version), and are you using a local caching name server? Slow downs in the network test arena are many times caused by resolver problems.
>>>>
>>>> Have not got internal DNS, all external, and net::cidr is installed/updated with rpm mailscanner installation.
>>>>
>>>> But this got me thinking, I tried to ping all the servers listed in spam.lists.conf and I cannot resolve any, me think it's not good. Although I can ping almost any other domain name I can think of, but not any of the spamlist ones. I can ping the dcc#.dcc-servers.net found when doing cdcc info.
>>>>
>>>> CPAN shell doesn't work cos it cannot resolve the perl sites.
>>>>
>>>> I have changed nothing regarding DNS or networks. I assume this is the cause/symptom of my problems?
>>>>
>>>> Having spamassassin off is a nightmare and we are getting heaps of spam.
>>>
>>> Run
>>> Makes you wonder if your ISP changed name servers on you, or you have a firewall problem.
>>>
>>> Change /etc/resolv.conf
>>> options ndots:1
>>> nameserver 127.0.0.1
>>> nameserver put current ns1 address here
>>> nameserver put current ns2 address here
>>> multi on
>>>
>>> then /etc/init.d/named start
>>> then /etc/init.d/network restart
>>>
>>> and try your test again. If your resolver isn't working you will have *very* slow network tests as you will be waiting for each outbound to timeout.. with a caching name server running you will see improvements in many things with your mail service.
>>>
>>> Rick
>>
>> Thanks.
>>
>> Enabled the named and changed the resolv and restart, turned on spamassassin and sent through some bagles and netskys and all was good, they were detected and processed properly. (while writing this I noticed quite a few bagles-gen2 getting detected)
>>
>> Maybe a combination of the DOS attack message in the maillog (does this mean zip of death?), slow as network connection and therefore big hassles with RBLs, sa or ms runs MUCH slower than previous versions, probably due to all the extra message handling needed to combat these new nasties?
>>
>> Although just looking through the stats now, we don't have anywhere near (hundreds of times less) virus stats as when mydoom was going hard, and we don't have any more email volume in total than usual; and we detected half as spam as we did yesterday (cos SA was off almost all day?), so I guess it was something to do with some of these nasties we haven't previously seen?
>
> You're welcome.. I think the DOS stuff you were seeing had to do with the network problems not ZipOfDeath problems. I assume you have SA back up and running, but I don't think I would say 100% solved as you still don't know why your ISP's name servers disappeared. Also, make sure you did the chkconfig things or the next reboot and your DNS goes away. You're not on a dynamic IP are you? I have seen this type of thing happen when a host on a dynamic IP (like cable) sets their IP static and the ISP does some network reconfigurations and suddenly the name servers don't work, network slows down because they are supposed to be on a different gateway (even though the current gw works), etc... That name server thing would make me nervous even if I don't use their name servers.
>
> Good luck.
>
>> Boss has given permission to buy a cheapo 2nd hand old fashioned server, so hopefully will be able to double the specs on this and have some more luck with that...
>
> Ebay... there is always Ebay :->

Not on dyn IP, SA ISN'T working with RBLs, this appears to be the cause of all my woes, although I am not really sure, but it seems that way. I have posted already with my logs, but I notice I can ping spamcop.net but NOT bl.spamcop.net as it appears in spam.lists.conf, this is the same from XP machine, so assume it's meant to be this way - but nonetheless all the rbls fail every time when run by SA.

From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:28:10 2004
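Pete's observation that spamcop.net answers a ping while bl.spamcop.net does not, and Rick's resolver advice, come down to the same check: a DNSBL zone has nothing to ping at its apex, it is queried as reversed-octets.zone. The following is an added example, not MailScanner code and not from anyone in the thread; it builds that query name, probes the zone with the RFC 5782 test entries (127.0.0.2 is always listed, 127.0.0.1 never) through an injectable resolver, and a constructed stub resolver is included so it runs offline.

```python
"""Check that a DNS blocklist zone is really answering, the way an
RBL test in MailScanner/SpamAssassin would query it.

Added example; the zone name bl.spamcop.net comes from the thread's
spam.lists.conf, everything else here is constructed."""
import socket
from typing import Callable, Dict, Optional

# A resolver maps a name to an IPv4 string and raises socket.gaierror
# when the name does not exist (socket.gethostbyname behaves this way).
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.

    This is why `ping bl.spamcop.net` proves nothing: the zone apex is
    never queried, only names such as 10.2.0.192.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def _lookup(name: str, resolve: Resolver) -> Optional[str]:
    """Return the A record for name, or None when it does not resolve."""
    try:
        return resolve(name)
    except socket.gaierror:
        return None


def check_zone(zone: str, resolve: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Classify a DNSBL zone with the RFC 5782 test entries.

    ok           127.0.0.2 listed, 127.0.0.1 not: resolver and zone both work
    no-answer    neither resolves: resolver, firewall or ISP DNS problem
                 (or the zone itself is down); RBL tests will time out
    wildcard     both resolve: every query looks listed, e.g. a resolver
                 that rewrites NXDOMAIN, so all mail would score as listed
    inconsistent only 127.0.0.1 resolved: the zone is misbehaving
    """
    positive = _lookup(dnsbl_query_name("127.0.0.2", zone), resolve)
    negative = _lookup(dnsbl_query_name("127.0.0.1", zone), resolve)
    if positive is not None and negative is None:
        status = "ok"
    elif positive is None and negative is None:
        status = "no-answer"
    elif positive is not None and negative is not None:
        status = "wildcard"
    else:
        status = "inconsistent"
    return {"zone": zone, "status": status, "test_answer": positive}


def is_listed(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """True when the DNSBL returns an A record for ip, i.e. ip is listed."""
    return _lookup(dnsbl_query_name(ip, zone), resolve) is not None


def make_stub_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed offline resolver: answers only the names in table."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Live check against the zone named in the thread; needs working DNS.
    # socket.gethostbyname has no timeout argument, so a dead resolver
    # hangs here for the libc default, which is the slowness Rick describes.
    print(check_zone("bl.spamcop.net"))
```

Run it on the mail gateway itself so it uses the same /etc/resolv.conf as MailScanner; a "no-answer" with a normal domain still resolving points at the blocklist queries specifically being blocked or dropped.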
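Peter Kruit's freeze report earlier in this digest shows what a stuck child looks like in the log: two scanner timeouts under one PID and then silence while the other children carry on. The following is an added example, not MailScanner code: it parses syslog-style MailScanner lines and flags any PID whose last event was a timeout and which has logged nothing for a configurable interval. The sample log is constructed to mirror the quoted lines; the hostnames, message ids and the second PID are made up.

```python
"""Flag MailScanner children whose last logged event was a scanner
timeout and that have gone quiet since. Added example, not MailScanner code."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List

# Syslog-style line as quoted in the thread: "Mar  2 19:39:43 xx MailScanner[8100]: ..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two timeout messages MailScanner logged in the report.
TIMEOUT_RE = re.compile(
    r"^(?P<what>SpamAssassin|RBL Check) timed out and was killed, "
    r"consecutive failure (?P<n>\d+) of (?P<limit>\d+)$"
)

# Constructed sample: PID 8100 mirrors the report (two timeouts, then nothing);
# PID 8102 is a hypothetical healthy child that timed out once and recovered.
SAMPLE_LOG = """\
Mar  2 19:39:43 xx MailScanner[8100]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar  2 19:39:47 xx MailScanner[8100]: Message i22AcqG11276 from 127.0.0.1 (mailer-daemon) to example.invalid is not spam, SpamAssassin (timed out)
Mar  2 19:39:50 xx MailScanner[8102]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar  2 19:39:57 xx MailScanner[8100]: RBL Check timed out and was killed, consecutive failure 1 of 7
Mar  2 19:41:10 xx MailScanner[8102]: Message i22Af0000001 from 192.0.2.5 (a@example.invalid) to xx is spam, SpamAssassin (score=7.9, required 5)
Mar  2 19:55:30 xx MailScanner[8102]: Message i22At0000002 from 192.0.2.6 (b@example.invalid) to xx is not spam, SpamAssassin (score=0.3, required 5)
"""


def parse_timestamp(ts: str) -> datetime:
    """Parse 'Mar  2 19:39:43' (syslog carries no year; fine for deltas within one log)."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield {'time', 'pid', 'msg'} for each MailScanner line; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield {"time": parse_timestamp(m["ts"]), "pid": m["pid"], "msg": m["msg"]}


def find_stuck_children(lines: Iterable[str], idle_seconds: int = 300) -> Dict[str, dict]:
    """Return PIDs whose last event was a timeout and that have then been silent
    for at least idle_seconds, measured against the newest line in the log."""
    last: Dict[str, dict] = {}
    timeouts: Dict[str, List[str]] = defaultdict(list)
    newest = None
    for entry in parse_log(lines):
        last[entry["pid"]] = entry
        if newest is None or entry["time"] > newest:
            newest = entry["time"]
        m = TIMEOUT_RE.match(entry["msg"])
        if m:
            timeouts[entry["pid"]].append(m["what"])
    stuck: Dict[str, dict] = {}
    for pid, entry in last.items():
        silent = int((newest - entry["time"]).total_seconds())
        if TIMEOUT_RE.match(entry["msg"]) and silent >= idle_seconds:
            stuck[pid] = {
                "last_seen": entry["time"].strftime("%b %d %H:%M:%S"),
                "last_event": entry["msg"],
                "silent_seconds": silent,
                "timeouts": timeouts[pid],
            }
    return stuck


if __name__ == "__main__":
    for pid, info in find_stuck_children(SAMPLE_LOG.splitlines()).items():
        print(f"child {pid} silent {info['silent_seconds']}s after: {info['last_event']}")
```

A child that timed out at the very tail of the log is reported as well, so feed it a log tail that extends past the idle threshold and treat a flagged PID as something to inspect with ps before deciding it is hung.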
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:02 2006
Subject: Emails in mqueue.in not being processed
In-Reply-To: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>
References: <20040304130429.B4C2A4160BD@ws5-2.us4.outblaze.com>
Message-ID: <6.0.1.1.2.20040304132716.03ae2d18@imap.ecs.soton.ac.uk>

At 13:04 04/03/2004, you wrote:
> hi
>
> I installed Mailscanner+ClamAV+SpamAssassin on a RedHat Linux machine and it seemed to work fine [the test emails were delivered without any problem].
>
> I installed the same on our production Mailserver (RedHat Linux). All incoming emails are in /var/spool/mqueue.in and have been there for a long time [30 minutes]. So far they haven't been delivered to the local user.
>
> Earlier I had SA running on this machine, I have deleted /etc/procmailrc now. Also, spamd is not running as before.

MailScanner doesn't use spamd, it does it faster than that.

> The following entries in MailScanner.conf were changed by me,
>
> Virus Scanners = clamavmodule
> Use SpamAssassin = yes
> Always Include SpamAssassin Report = yes
> High Scoring Spam Actions = delete
> Log Speed = yes
> Log Spam = yes
> SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> Delivery Method = queue
>
> I looked into /var/log/maillog /var/log/messages, I don't see any error messages.
> What could I be doing wrong?

Set "Debug = yes" in your MailScanner.conf and run "check_MailScanner". That will probably tell you what is wrong.

> Also, what should be the permissions/ownership of /var/spool/clientmqueue
>
> regards,
>
> --
> B.G. Mahesh
> bg.mahesh@indiainfo.com
> http://www.indiainfo.com/
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From maillists at CONACTIVE.COM Thu Mar 4 13:31:32 2004
From: maillists at CONACTIVE.COM (Kai Schaetzl)
Date: Thu Jan 12 21:23:02 2006
Subject: Calling all translators
In-Reply-To: <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk>
References: <17747180E2329145AB61BC6AA3FDEAC94509A1@MUS-SRV-020.mercatoneuno.it> <6.0.1.1.2.20040304120206.03636db0@imap.ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Thu, 4 Mar 2004 12:02:39 +0000:
>> "Il messaggio contiene un archivio che non può essere letto" or "Il messaggio contiene un archivio che non è stato possibile aprire"
>
> Which? Giving me 2 options, neither of which I can understand (never studied Italian) doesn't help me :-)

It's the difference between "could not be read" and "was impossible to open", so I'd use the first one ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

From jaearick at COLBY.EDU Thu Mar 4 13:42:26 2004
From: jaearick at COLBY.EDU (Jeff Earickson)
Date: Thu Jan 12 21:23:02 2006
Subject: 4.28.x = more spam?
Message-ID:

Julian,

This may be coincidence, but I've noticed a big uptick in spam to my personal mailbox since going to 4.28.x (4 now). I've done a "spamassassin -D --lint" and looked at the output; nothing unusual there. What would the equivalent by-hand SA command be for what MS does internally? Is "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, or would there be more arguments? This deserves an entry in the FAQ.

Jeff Earickson
Colby College

From drew at THEMARSHALLS.CO.UK Thu Mar 4 13:45:20 2004
From: drew at THEMARSHALLS.CO.UK (Drew Marshall)
Date: Thu Jan 12 21:23:02 2006
Subject: Update virus scanner script
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk>
Message-ID: <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.co.uk>

Spicer, Kevin said:
> Drew Marshall wrote:
>> All
>>
>> It looks like I have managed to get myself a little confused. It seems like Julian's update virus scanner script automatically runs as some form of automated 'cron' job. I assumed that I needed to run it from cron, so now have my av scanners updating extremely regularly (No excuse for not being up to date :-) but a little over the top!) If I remove it from cron, do I need to execute it as a boot script or will just starting MS do that for me?
>
> On an rpm distribution it just drops a file into /etc/cron.hourly. There should be a run-parts line in /etc/crontab which checks the cron.hourly directory hourly and runs the files within.

It's not a problem getting it to run from cron but I set it to run at 39 minutes past the hour and in the logs it shows that it runs then and at the top of each hour (Not as per cron, I haven't updated to the latest release yet, it's not in the BSD ports yet). I assumed that this was brought about by the script auto running following the cron job running initially.

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From pete at eatathome.com.au Thu Mar 4 13:48:48 2004
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:23:03 2006
Subject: 4.28.x = more spam?
In-Reply-To:
References:
Message-ID: <404733C0.7070503@eatathome.com.au>

Jeff Earickson wrote:
> Julian,
> This may be coincidence, but I've noticed a big uptick in spam to my personal mailbox since going to 4.28.x (4 now). I've done a "spamassassin -D --lint" and looked at the output; nothing unusual there. What would the equivalent by-hand SA command be for what MS does internally? Is "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, or would there be more arguments? This deserves an entry in the FAQ.
>
> Jeff Earickson
> Colby College

spamassassin -D --prefs-file=/etc/MailScanner/spam.assassin.prefs.conf --lint

You can possibly do it other ways, but this is what I have picked up reading the list.

Pete

From martinh at SOLID-STATE-LOGIC.COM Thu Mar 4 13:48:19 2004
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:23:03 2006
Subject: 4.28.x = more spam?
In-Reply-To:
References:
Message-ID: <404733A3.30306@solid-state-logic.com>

Jeff

spamassassin -D -C /path/to/spam.assassin.prefs.conf --lint

the spam.assassin.prefs.conf should be in the same directory as the MailScanner.conf

Worth checking the Bayes permissions so the DB is still readable by the user mentioned in MailScanner.conf.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jeff Earickson wrote:
> Julian,
> This may be coincidence, but I've noticed a big uptick in spam to my personal mailbox since going to 4.28.x (4 now). I've done a "spamassassin -D --lint" and looked at the output; nothing unusual there. What would the equivalent by-hand SA command be for what MS does internally? Is "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, or would there be more arguments? This deserves an entry in the FAQ.
>
> Jeff Earickson
> Colby College

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From jase at SENSIS.COM Thu Mar 4 13:54:17 2004
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:23:03 2006
Subject: ClamAV and Password Protected Bagles
Message-ID:

>> If some virus scanners can see viruses by seeing the message as a whole rather than in parts, it would be nice to come up with something to let them try. Maybe it could be an option setting in MailScanner.conf to include or not include the original message when virus scanning.
>
> That will involve yet more I/O, but I'll definitely consider it.

Could you please make this an option? You can keep it disabled by default. For those of us using McAfee, which seems like it won't be able to detect these, we could at least add ClamAV which will catch them if it scans the queue file. Thanks for your consideration.

Jason

From dean.plant at ROKE.CO.UK Thu Mar 4 13:53:18 2004
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:23:03 2006
Subject: Guess what.... 4.28.4
Message-ID:

Julian Field wrote:
> Sorry the updates are appearing so thick and fast at the moment. I wish everything was rather quieter than it is right now. But you folks need protection against the latest nasties, so I haven't much option.
>
> I have corrected the problem with this morning's code where it wasn't correctly handling messages that contained both a password-protected zip and an unprotected zip.
>
> I have also added a check so that if you set the max nesting depth to 0 but still ban password-protected zip files, then the attachments are checked for password-protected zips without the other rules being enforced on the contents of the zip files. It will only check the first level of nesting though, as it obviously can't check a zip file it has been asked not to unpack or create in the first place.

Having upgraded to 4.28.4 password-protected zips are now blocked correctly but I am having a few problems as we also receive genuine files of this type.

I have
Silent Viruses = All-Viruses
Non-Forging Viruses = Zip-Password

But users are not notified of inbound password protected zips. With other blocked file types users are notified correctly.

I also am unable to release any quarantined password protected zips from Mailwatch as it is marked as a virus and not a blocked file.

Have I understood the Non-Forging setting correctly?

Thanks

Dean Plant

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ
The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 13:55:37 2004
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:03 2006
Subject: Guess what.... 4.28.4
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk>

Plant, Dean wrote:
> I have
> Silent Viruses = All-Viruses
> Non-Forging Viruses = Zip-Password
>
> But users are not notified of inbound password protected zips. With other blocked file types users are notified correctly.
>
> I also am unable to release any quarantined password protected zips from Mailwatch as it is marked as a virus and not a blocked file.
>
> Have I understood the Non-Forging setting correctly?

That is what Julian suggested he might do for the next/ a future release however that is not the behaviour yet

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 13:57:39 2004
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
Message-ID: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI>

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 14:03:46 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D2@jessica.herefordshire.gov.uk>

The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK.

Best on what platform? The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like.

I'd recommend ClamAV plus a commercial scanner.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Harnish, Joe
Sent: 04 March 2004 13:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

From sysadmin at FLEETONE.COM Thu Mar 4 14:05:47 2004
From: sysadmin at FLEETONE.COM (Rob)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
References: <221C759285B78647AEE6181FD6AF36A70A075318@BAMBI>
Message-ID: <089601c401f1$caa7fed0$45a610ac@fleetone.com>

IMHO, f-prot. Their updates seem as fast as anyone else out there, and their prices were cheaper than most of the others when we looked into them.

Rob
From: Harnish, Joe
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, March 04, 2004 7:57 AM
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:46:12 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: 4.28.x = more spam?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040304134446.03d5f6e8@imap.ecs.soton.ac.uk>

As far as I am aware, I haven't changed any of the spam code recently, except for 1 minor change to what happens if SpamAssassin times out 20 times in a row.

At 13:42 04/03/2004, you wrote:
> Julian,
> This may be coincidence, but I've noticed a big uptick in spam to my personal mailbox since going to 4.28.x (4 now). I've done a "spamassassin -D --lint" and looked at the output; nothing unusual there. What would the equivalent by-hand SA command be for what MS does internally? Is "spamassassin -p /etc/mail/spamassassin -D --lint" equivalent, or would there be more arguments?

Not sure, I never use the command-line script myself. But you need to tell SA about your spam.assassin.prefs.conf file (which looks rather like a user_prefs file).

> This deserves an entry in the FAQ.
>
> Jeff Earickson
> Colby College

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:05:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: Guess what.... 4.28.4
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk>
Message-ID: <6.0.1.1.2.20040304140303.072b1aa0@imap.ecs.soton.ac.uk>

At 13:55 04/03/2004, you wrote:
> Plant, Dean wrote:
>> I have
>> Silent Viruses = All-Viruses
>> Non-Forging Viruses = Zip-Password
>>
>> But users are not notified of inbound password protected zips. With other blocked file types users are notified correctly.
>>
>> I also am unable to release any quarantined password protected zips from Mailwatch as it is marked as a virus and not a blocked file.

I guess it really should be a blocked file rather than a virus, you are right. I'll change that.

>> Have I understood the Non-Forging setting correctly?
>
> That is what Julian suggested he might do for the next/ a future release however that is not the behaviour yet

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 13:47:58 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: Update virus scanner script
In-Reply-To: <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B19@pascal.priv.bmrb.co.uk> <6536.194.70.180.170.1078407920.squirrel@net.themarshalls.co.uk>
Message-ID: <6.0.1.1.2.20040304134634.0415b578@imap.ecs.soton.ac.uk>

At 13:45 04/03/2004, you wrote:
> Spicer, Kevin said:
>> Drew Marshall wrote:
>>> All
>>>
>>> It looks like I have managed to get myself a little confused. It seems like Julian's update virus scanner script automatically runs as some form of automated 'cron' job. I assumed that I needed to run it from cron, so now have my av scanners updating extremely regularly (No excuse for not being up to date :-) but a little over the top!) If I remove it from cron, do I need to execute it as a boot script or will just starting MS do that for me?
>>
>> On an rpm distribution it just drops a file into /etc/cron.hourly. There should be a run-parts line in /etc/crontab which checks the cron.hourly directory hourly and runs the files within.
>
> It's not a problem getting it to run from cron but I set it to run at 39 minutes past the hour and in the logs it shows that it runs then and at the top of each hour (Not as per cron, I haven't updated to the latest release yet, it's not in the BSD ports yet). I assumed that this was brought about by the script auto running following the cron job running initially.

My RPM distributions just put the script in /etc/cron.hourly so that the root crontab runs it once per hour. I can only assume that BSD might have a similar setup, and you also have put it in your root crontab as well. It doesn't "auto run", I'm not quite sure what you mean by that.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:02:20 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: ClamAV and Password Protected Bagles
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20040304135816.03bb26f8@imap.ecs.soton.ac.uk>

At 13:54 04/03/2004, you wrote:
> > >If some virus scanners can see viruses by seeing the message as a whole
> > >rather than in parts, it would be nice to come up with something to let
> > >them try. Maybe it could be an option setting in MailScanner.conf to
> > >include or not include the original message when virus scanning.
> >
> > That will involve yet more I/O, but I'll definitely consider it.
>
>Could you please make this an option?

It's not as trivial to implement as it sounds, as MailScanner scans many messages at once and needs to be able to spot the difference between the message text and any similarly-named attachment. Whatever I decide to call the raw message text, someone will write a virus which contains a harmless attachment called the same thing to try to defeat me. I wonder how (or even if) the Amavis guys have solved this problem?

I intend to do a stable release tomorrow and it certainly won't be in that. Too late to start implementing new features now. But I will think about ways of overcoming the problems, something will come to mind. Be warned it will make MailScanner go slower as more I/O will have to be done on the entire message.

> You can keep it disabled by default.
>For those of us using McAfee, which seems like it won't be able to detect
>these, we could at least add ClamAV which will catch them if it scans the
>queue file. Thanks for your consideration.
>
>Jason

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From rob at thehostmasters.com Thu Mar 4 14:09:14 2004
From: rob at thehostmasters.com (Rob Charles)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D2@jessica.herefordshire.gov.uk>
Message-ID: <038e01c401f2$46d8e730$0d01a8c0@basement>

I am installing ClamAV to work with McAfee, but how do I tell Mailscanner to use it also? And which should I run first?

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: Randal, Phil
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, March 04, 2004 9:03 AM
Subject: Re: Best Antivirus Scanner

The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK.

Best on what platform?

The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe
Sent: 04 March 2004 13:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/d44d0cf2/attachment.html

From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 14:08:42 2004
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
Message-ID: <221C759285B78647AEE6181FD6AF36A70A07531A@BAMBI>

Best on Fedora/RedHat Linux. I am adding ClamAV and keeping McAfee (because it is free with our contract) but I got approval to buy another commercial product to add to our solution.

Thanks for the link to the dailydat.

Joe

_____
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Randal, Phil
Sent: Thursday, March 04, 2004 9:04 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Best Antivirus Scanner

The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK.

Best on what platform?

The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe
Sent: 04 March 2004 13:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/a3346f19/attachment.html

From prandal at HEREFORDSHIRE.GOV.UK Thu Mar 4 14:11:40 2004
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil)
Date: Thu Jan 12 21:23:03 2006
Subject: Now that we scan for executables in .zip files....
Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk>

One of our (savvy) users emailed me to say:

>I'm trying to send an email with zipped and renamed exe files

Mailscanner intercepted and did say unto us:

"Consider renaming the files or putting them into a "zip" file to avoid this constraint."

The files were, of course, in a zip file.

So, what do we need to do to that error message so that recipients of the reject message don't get completely confused?

Suggestions?

Cheers,

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From mdlaney at MOREHOUSE.EDU Thu Mar 4 14:13:00 2004
From: mdlaney at MOREHOUSE.EDU (Matt Laney)
Date: Thu Jan 12 21:23:03 2006
Subject: Guess what.... 4.28.4
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk>
Message-ID: <20040304141300.GA15664@morehouse.edu>

Spicer, Kevin responded to Plant, Dean...
> > [DP] But users are not notified of inbound password protected zips. With
> > other blocked file types users are notified correctly.
> >
> > I also am unable to release any quarantined password protected zips
> > from Mailwatch as it is marked as a virus and not a blocked file.
> >
> > Have I understood the Non-Forging setting correctly?
>
> [KS] That is what Julian suggested he might do for the next/ a future
> release however that is not the behaviour yet

I haven't tried this, but might the desired behaviour be approximated by using filetype checking to pick out ZIP files of version 1.0 (see previous discussion about MIT, etc.)? My file command (version 4.07) shows the following on one bad and one OK ZIP:

Text.zip: Zip archive data, at least v1.0 to extract
fine.zip: Zip archive data, at least v2.0 to extract

(The first one's the Bagle virus.)

A quick scan through the magic file shows that the ZIP line is the only place "v1.0" appears as an isolated word. Could one make a filetype entry like this

deny " v1.0 " No v1.0 ZIP archives, possible Bagle ditto

in filetype.rules.conf and use filetype checking to get these? It doesn't sound efficient, but might it work? I'm not sure what else might use v1.0 ZIP archives, but the MIT guys seem to think that not much does.

-Matt
--
Matt Laney, mdlaney@morehouse.edu
Director of Network Services
Morehouse College; Atlanta, GA, USA

From Kevin.Spicer at BMRB.CO.UK Thu Mar 4 14:14:38 2004
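Matt's rule above keys on what the `file` command reports from a ZIP's "version needed to extract" field (10 = v1.0, 20 = v2.0). As an added example, not code from MailScanner, from Matt or from anyone else on this list, here is a Python script that reads that field from every local file header of an archive rather than only the first one, applies the same "deny v1.0" rule, and additionally reports entries whose general-purpose flag bit 0 is set, which is the traditional PKZIP password-protection marker this thread is about. The archives, file names and payloads are constructed inline; a v1.0 entry in a constructed archive is of course not a Bagle sample, it just exercises the check.

```python
"""Walk a ZIP file's local headers and apply the "deny v1.0 archives" rule.

Added example (not MailScanner code). The `file` magic quoted on the list
reads "version needed to extract" from the first local file header; this
script reads it from every entry and also reports the encryption flag.
All sample archives below are constructed test data, not real malware.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
LOCAL_LEN = struct.calcsize(LOCAL_FMT)


def iter_local_headers(data):
    """Yield (name, version_needed, encrypted) for each local file header.

    Entries are walked by their declared compressed size. If an entry sets
    flag bit 3 (sizes deferred to a data descriptor) it is reported and the
    walk stops, because the next header cannot be located without decoding
    the compressed stream.
    """
    pos = 0
    while data.startswith(LOCAL_SIG, pos):
        (_sig, version, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos)
        name_start = pos + LOCAL_LEN
        name = data[name_start:name_start + name_len].decode("cp437", "replace")
        yield name, version, bool(flags & 0x0001)   # bit 0: password protected
        if flags & 0x0008:
            break
        pos = name_start + name_len + extra_len + csize


def classify(data):
    """Return the reasons an archive would be denied under the proposed rule.

    version_needed == 10 reproduces Matt's " v1.0 " match; the
    password-protected check is the extra flag the rest of the thread asks for.
    """
    reasons = []
    for name, version, encrypted in iter_local_headers(data):
        if version == 10:
            reasons.append(f"{name}: v1.0 ZIP entry, possible Bagle")
        if encrypted:
            reasons.append(f"{name}: password-protected entry")
    return reasons


def make_stored_entry(name, payload, version, encrypted=False):
    """Build one uncompressed (method 0) local-header entry as test data.

    A real encrypted entry carries a 12-byte encryption header in front of
    the data; this constructed helper only sets the flag bit, which is all
    the check above looks at.
    """
    flags = 0x0001 if encrypted else 0
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, version, flags, 0, 0, 0,
                         zlib.crc32(payload) & 0xFFFFFFFF,
                         len(payload), len(payload), len(name), 0)
    return header + name + payload


# Constructed samples: hypothetical names, dummy payloads.
SUSPECT_ZIP = (make_stored_entry(b"Text.exe", b"MZ-dummy-payload", 10)
               + make_stored_entry(b"notes.txt", b"second entry", 20))
FINE_ZIP = make_stored_entry(b"readme.txt", b"hello", 20)
PASSWORD_ZIP = make_stored_entry(b"secret.exe", b"opaque-bytes", 20, encrypted=True)


def python_made_zip():
    """Archive written by Python's zipfile module, to confirm the parser agrees
    with a real writer (zipfile stamps version 2.0 on ordinary entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "alpha")
        zf.writestr("b.txt", "beta")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("suspect", SUSPECT_ZIP), ("fine", FINE_ZIP),
                        ("password", PASSWORD_ZIP), ("zipfile", python_made_zip())]:
        print(label, list(iter_local_headers(blob)), classify(blob))
```

Two caveats a practitioner would want alongside Matt's rule: `file` only inspects the first local header, so an archive whose first entry is an ordinary v2.0 file passes the magic-based filetype check whatever follows it, and the per-entry walk above trusts each header's declared size, so a deliberately malformed archive can still make it stop early. Either way the result is a denial reason to log, not a verdict that an archive is clean.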
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:23:03 2006
Subject: ClamAV and Password Protected Bagles
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB001649B1D@pascal.priv.bmrb.co.uk>

Julian Field wrote:
>> Could you please make this an option?
>
> It's not as trivial to implement as it sounds, as MailScanner scans
> many messages at once and needs to be able to spot the difference
> between the message text and any similarly-named attachment. Whatever
> I decide to call the raw message text, someone will write a virus
> which contains a harmless attachment called the same thing to try to
> defeat me. I wonder how (or even if) the Amavis guys have solved this
> problem?

How about .txt - that should be fairly difficult to predict.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From jharnish at CI.GRAND-RAPIDS.MI.US Thu Mar 4 14:19:48 2004
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:23:03 2006
Subject: Best Antivirus Scanner
Message-ID: <221C759285B78647AEE6181FD6AF36A70A07531E@BAMBI>

I believe you just put the av tools in a list in your config file and they run in order like:

Virus Scanners = clamav mcafee

I am planning on running clam first so I can see which ones aren't being picked up by Mcafee to send them to clamav so they can get updated.

Joe

_____
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rob Charles
Sent: Thursday, March 04, 2004 9:09 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Best Antivirus Scanner

I am installing ClamAV to work with McAfee, but how do I tell Mailscanner to use it also? And which should I run first?

Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob@TheHostMasters.com
http://www.TheHostMasters.com

----- Original Message -----
From: Randal, Phil
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Thursday, March 04, 2004 9:03 AM
Subject: Re: Best Antivirus Scanner

The current daily dat files from McAfee ( http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.TAR ) seem to work OK.

Best on what platform?

The best is a combination of scanners from different vendors. This is one of the things I love about MailScanner - you can run as many as you like. I'd recommend ClamAV plus a commercial scanner.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Harnish, Joe
Sent: 04 March 2004 13:58
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Best Antivirus Scanner

All,

With recent issues with McAfee Antivirus, was wondering what AV tool you think is the best and why.

Thanks
Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20040304/530c0997/attachment.html

From gdoris at rogers.com Thu Mar 4 14:20:25 2004
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:23:03 2006
Subject: changing spamassassin points configuration
In-Reply-To: <40470412.5080101@avalonpub.com>
References: <6.0.0.22.0.20040304180940.02c20488@192.168.10.2> <40470412.5080101@avalonpub.com>
Message-ID: <55073.129.80.22.143.1078410025.squirrel@65.48.246.102>

> kfliong wrote:
>
>> So in other words, I just have to let the user stop getting some mails
>> (even though some might be important) while waiting for SA to learn
>> that the
>> sender is not sending spams?
>>
> If you have a copy of the email you can teach it to SA by using the
> command "sa-learn". See "man sa-learn" or the list archives for more
> info. In summary, have a copy of the mail as either a single file with
> the headers and body or a bunch of them in a mbox style mailbox and run
> the command (as the same user that MS runs as):
> sa-learn --ham filename
>
> Daniel

Also, you can download a file of spam from the SpamAssassin site and use it to train your bayes database. I did this originally as I have a low volume server and it was taking forever to get bayes trained. It's not the best way as you're teaching bayes from someone else's spam, but I figured spammers are an equal opportunity group and send their stuff to everyone! Once it's up and running it automagically trains itself on your specific spam from there on.

Gerry

From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:25:31 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: Now that we scan for executables in .zip files....
In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C5D3@jessica.herefordshire.gov.uk>
Message-ID: <6.0.1.1.2.20040304142511.076aa488@imap.ecs.soton.ac.uk>

At 14:11 04/03/2004, you wrote:
>One of our (savvy) users emailed me to say:
>
> >I'm trying to send an email with zipped and renamed exe files
>
>Mailscanner intercepted and did say unto us:
>
>"Consider renaming the files or putting them into a "zip" file to avoid
>this constraint."
>
>The files were, of course, in a zip file.
>
>So, what do we need to do to that error message so that recipients of the
>reject message don't get completely confused?
>
>Suggestions?

How about you edit the report file if you don't like what it currently says?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Mar 4 14:27:19 2004
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:23:03 2006
Subject: Guess what.... 4.28.4
In-Reply-To: <20040304141300.GA15664@morehouse.edu>
References: <5C0296D26910694BB9A9BBFC577E7AB001649B1B@pascal.priv.bmrb.co.uk> <20040304141300.GA15664@morehouse.edu>
Message-ID: <6.0.1.1.2.20040304142558.076aa1f8@imap.ecs.soton.ac.uk>

At 14:13 04/03/2004, you wrote:
>Spicer, Kevin responded to Plant, Dean...
>
> > > [DP] But users are not notified of inbound password protected zips. With
> > > other blocked file types users are notified correctly.
> > >
> > > I also am unable to release any quarantined password protected zips
> > > from Mailwatch as it is marked as a viru