From ugob at camo-route.com Tue Aug 1 01:36:52 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Aug 1 01:37:19 2006
Subject: SOLVED: RE: Some mail (up to 7 days old) is stuck in/var/spool/mqueue
In-Reply-To: <8f54b4330607271417h2ba1b692ufcb6a59fc0e5c151@mail.gmail.com>
References: <97FD54B5E57A1842AA1A4B232E4761172D8F0F@ati-ex-02.ati.local> <8f54b4330607271417h2ba1b692ufcb6a59fc0e5c151@mail.gmail.com>
Message-ID:

Nathan Olson wrote:
> Worse comes to worse, stick a MailScanner box in front of the Exchange box.
>
> Nate
>

Yeah, none of my clients' Exchange servers accept connections from the net. They all have a MailScanner box in front of them.

From ajos1 at onion.demon.co.uk Tue Aug 1 02:59:45 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Tue Aug 1 02:59:51 2006
Subject: Rules_Du_Jour Script at sandgnat.com
Message-ID:

- Rules_Du_Jour Script at sandgnat.com

Has sandgnat.com disappeared... no web-access at the moment...

I was wanting to see if the Rules_Du_Jour had been updated lately or not.

From MailScanner at ecs.soton.ac.uk Tue Aug 1 09:14:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 1 09:15:51 2006
Subject: MailScanner ANNOUNCE: 4.55 stable released
Message-ID:

Morning/Afternoon/Evening all!

I have just released the latest stable release of MailScanner, 4.55.

There are many minor changes this month, nothing earth-shattering, and a few fixes for you.

One new feature you may find useful is the "--changed" command-line option, which will make MailScanner print out a table of all the settings you have changed from the defaults. This should make diagnosing problems much easier, as you won't have to read the MailScanner.conf and try to spot the changes any more. Just run "MailScanner --changed" and it will tell you all you need to know.

Download as usual from www.mailscanner.info

The full Change Log is here:

* New Features and Improvements *
1 Added educ.ar and uba.ar to country.domains.conf for less strict phishing net.
1 Code tidy up in Message constructor.
1 Speed improvements to ZMailer attachment extraction to keep up with the other MTAs.
1 "Log Speed = no" now does what it says on the tin. (UK in-joke :-)
1 Added "stopms" option to Linux init.d scripts.
1 Improved behaviour when %percentvars% at start of MailScanner.conf have not been configured at all. It now uses the fully-qualified hostname to guess the domain name and website address. It used to refuse to run which was very impolite.
1 Added Sys::Hostname::Long to list of required modules to implement the above.
2 Documentation rationalisation. Most up to date versions are all on the web.
3 Now output lock type in use with "--lint".
4 Improvement to Sophos.install for Sophos Version 5 so that email logging is disabled.
4 Now use syslog "notice" priority instead of "info" when issuing messages that are nearly warnings. This helps you drastically reduce the amount of syslog output by just logging priorities greater than or equal to "notice".
5 Added a "Contact Us" web page instead of just a mailto: link.
6 Improved Help guidance in Contact Us web page.
6 New command-line option: "-c" or "--changed". This will print out a table of all the configuration settings that have been changed from the default values hard-coded into MailScanner. Note this may not be quite the same as the differences from the supplied default MailScanner.conf file.
6 Updated hard-coded defaults to better match MailScanner.conf settings.
6 Improved handling of broken Custom Functions. Having a broken Custom Function will now just result in the setting's default value being used.
7 Bugfix for "--changed" printing when using Custom Functions.
8 Improved syslog-ing code so it doesn't matter if syslogd dies.
8 Upgraded DBD-SQLite to version 1.12 as it builds a lot more easily.
8 Improved handling of Postfix virtual users. Thanks to jpabuyer@tecnoera.com.
9 Added catch to commercial virus scanning code to allow syslogd to die during a virus scan.
9 Improved speed logging to remove chatter.
9 Upgraded Sys::Syslog to 0.17 which builds okay, unlike 0.16.
9 MCP timings are no longer output if MCP checks are disabled.

* Fixes *
1 Put back in the checks of free disk space that were in 4.53.1 but then lost.
1 Fix in check_MailScanner for MacOSX.
3 Default lock type for sendmail is now posix, as it should be.
4 Fix to phishing net so that links to "www.domain.com." are accepted as legal.
6 Fixed problem with dangerous filenames in TNEF archives when using the external TNEF expander.
8 Fixed problem with long SpamAssassin report in report files getting truncated at % signs.
8 Fixed phishing net problem with some cases of outbind://\d+/.... URLs.
9 Stopped logging code producing ridiculous numbers.
9 Improved Denial-of-service attack detector to handle multiple virus scanners more quickly. Now clears detection in 2 x Virus Scanner Timeout, as expected.
9 Fixed minor bug in TNEF handling of bad messages.
9 "service MailScanner reload" should work properly now.

--
Julian Field
MailScanner@ecs.soton.ac.uk

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From rob at robhq.com Tue Aug 1 12:45:26 2006
From: rob at robhq.com (rob freeman)
Date: Tue Aug 1 12:31:09 2006
Subject: Increase in spam getting through
Message-ID: <32096235.1154432726754.JavaMail.root@gollum.robhq.com>

Running MailScanner 4.53.8 on CentOS 4.3. It is a front end to our exchange 2003 server. Have rules_du_jour running with these rules:

TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1 SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";

Also have DCC, pyzor, razor, and bayes going.

We have a rise in spam getting through in the past 2 weeks. Mostly looks like an image with words at the end. Here is the mail source:

Deals And Sale Items Keyword Group Product StoreAll Products View: GridSort Top Price

delicacy Before cm equipment amount floor referred washing machines hookups motors

achieve speeds beyond Notebook smaller slower capacity. whereas newest

startup rises decay younger fewer startstop better surviving literally drags Maxtor series

area Cup World pertinent

Partial Response Maximum algorithm Textured Landing Zones HDDs UltraDMA/ ATAPI releases barrier broken First

reports

merchants provided third parties purposes only.

Greek Award winning area Cup World pertinent info Cup. Over

From Katrina

width Neel Spikes granular opposite opposed spikes appear. These magnets align because cancel

eBooks variety subjects such as: novels

Barcode UNIX WebCam download: Most popular Releases Picks

sims Film video film emulateur google

warnings worldwide local groups climate severe news. browsers FTP Usenet readers

host page. knowledge HTML.

behind devices. FCAL connected fibre optics. networks protocols iSCSI Ethernet well.SATA pair receiving device.

audience member. Fact Day: pound

Buying Selling Models Cutting

Buy Yahoo YahooMail pageYahoo InNew User Sign Primary Clothing Garden My Lists CareHome

APIs powering Tech. paid Inc. Rights

name... eg. Solaris SunOS SCO

HDA. Almost designer Kenneth Haughton rifle suited protected center harsh delicacy Before cm equipment amount floor referred washing

NEWS Center Here will latest sites: English USA/UK German Spanish French Italian

this. Website Tools counters polls engines add homepage Website.

PSP audio MP... Studio WinTasks Uniblue Ltd WinBackup sluggish. engine... LI Controls Trial Deluxe

Beverage Genealogy Health Nutrition Parenting Science Animation Authoring Editing Media ActiveX Compilers Libraries Debugging

Players PlugIns Streaming Puzzles

basic rate. cases Small Interface ESDI always werent downward wouldnt

browsers

actual

him student Visa when others cannot PM Lifetime Fiscal approved

And the scores we get are:

Subject: bresil But
Date: Mon, 31 Jul 2006 09:48:28 -0200
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-Id:
X-fleetone.com-MailScanner-Information: Please contact the ISP for more information
X-fleetone.com-MailScanner: Found to be clean
X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.963,
    required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
    DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
X-fleetone.com-MailScanner-SpamScore: 2
X-fleetone.com-MailScanner-From: xbalmmoiw@direct-adsl.nl
Return-Path: xbalmmoiw@direct-adsl.nl
X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC) FILETIME=[18E0AAD0:01C6B478]

------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"

------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/html;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_0004_01C6B486.796DE3A0--

------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: image/gif;
    name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID:

------=_NextPart_000_0003_01C6B486.796DE3A0--

A MailScanner --lint does not return any problems on the server:

[root@bouncy spamassassin]# /usr/sbin/MailScanner --lint
Read 757 hostnames from the phishing whitelist
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.

Not sure why this is being sent on as non spam. Any thoughts?

Rob

From email at ace.net.au Tue Aug 1 12:34:15 2006
From: email at ace.net.au (Peter Nitschke)
Date: Tue Aug 1 12:32:43 2006
Subject: Maximum Archive Depth
Message-ID: <200608012104150699.5D3CB06E@smtp1.ace.net.au>

Using MS 4.54.6-1

Setting "Maximum Archive Depth" to 1 is causing zip files with any safe content - eg a simple txt file, to be tagged with "Message contained archive nested too deeply".

Setting to either 0 or 2 is fine however.

Is there a reason why 1 should cause this problem?

Peter

From prandal at herefordshire.gov.uk Tue Aug 1 13:19:11 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Aug 1 13:36:35 2006
Subject: Increase in spam getting through
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>

Derek Harding posted this rule on the spamassassin-users mailing list:

rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 1.5

That'll get all inline images, not just the spammy ones.

I'm scoring it 2 at the moment (but our bayes is well trained and can compensate).

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of rob freeman
> Sent: 01 August 2006 12:45
> To: MailScanner discussion
> Subject: Increase in spam getting through
>
> Running MailScanner 4.53.8 on CentOS 4.3. It is a front end
> to our exchange 2003 server. Have rules_du_jour running with
> these rules:
>
> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>
> Also have DCC, pyzor, razor, and bayes going.
>
> We have a rise in spam getting through in the past 2 weeks.
> Mostly looks like an image with words at the end. Here is
> the mail source:
>
> xmlns:o="urn:schemas-microsoft-com:office:office"
> xmlns:w="urn:schemas-microsoft-com:office:word"
> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
> xmlns="http://www.w3.org/TR/REC-html40">
>
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="City"/>
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="place"/>
>
> style='font-size:10.0pt;
> font-family:Arial'> src="cid:image001.gif@01C6B486.796DE3A0"> size=2 face=Arial> lang=EN-US
> style='font-size:10.0pt;font-family:Arial'><
> /font>

>
> Rob
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From jaearick at colby.edu Tue Aug 1 14:03:57 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Aug 1 14:07:12 2006
Subject: Increase in spam getting through
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>
Message-ID:

Thanks! I just rolled this into my spam.assassin.prefs.conf, and it is already whapping the spam.

Jeff Earickson
Colby College

On Tue, 1 Aug 2006, Randal, Phil wrote:

> Date: Tue, 1 Aug 2006 13:19:11 +0100
> From: "Randal, Phil"
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: RE: Increase in spam getting through
>
> Derek Harding posted this rule on the spamassassin-users mailing list:
>
> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
> describe INLINE_IMAGE Inline Images
> score INLINE_IMAGE 1.5
>
> That'll get all inline images, not just the spammy ones.
>
> I'm scoring it 2 at the moment (but our bayes is well trained and can
> compensate).
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of rob freeman
>> Sent: 01 August 2006 12:45
>> To: MailScanner discussion
>> Subject: Increase in spam getting through
>>
>> Running MailScanner 4.53.8 on CentOS 4.3. It is a front end
>> to our exchange 2003 server. Have rules_du_jour running with
>> these rules:
>>
>> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
>> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
>> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
>> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
>> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>>
>> Also have DCC, pyzor, razor, and bayes going.
>>
>> We have a rise in spam getting through in the past 2 weeks.
>> Mostly looks like an image with words at the end. Here is
>> the mail source:
>>
>> xmlns:o="urn:schemas-microsoft-com:office:office"
>> xmlns:w="urn:schemas-microsoft-com:office:word"
>> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
>> xmlns="http://www.w3.org/TR/REC-html40">
>>
>> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>> name="City"/>
>> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>> name="place"/>
>>
>> style='font-size:10.0pt;
>> font-family:Arial'> src="cid:image001.gif@01C6B486.796DE3A0"> size=2 face=Arial> lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'><
>> /font>

>>
>> Not sure why this is being sent on as non spam. Any thoughts?
>>
>> Rob

From chris at tac.esi.net Tue Aug 1 14:13:30 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Tue Aug 1 14:13:45 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CE3A0A.9060102@mail.wvnet.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D03D@UBIMAIL1.ubisoft.org> <44CE3A0A.9060102@mail.wvnet.edu>
Message-ID: <44CF1B87.B662.0038.0@tac.esi.net>

Daniel, would you share how you set up yours?

Thanks
Chris

>>> Richard Lynch 07/31/06 1:12 PM >>>
Daniel Maher wrote:
> Hello,
>
> I actually hold the bayes files on a ram disk, and it is /much/ faster than putting it on a hard disk of any type, in any configuration.
>
> Julian's suggestion (a simple cp command) is, in fact, sufficient. I have successfully recovered from a system crash using the method.
>
> For reference, my mail servers handle around half a million pieces of mail per day, so the bayes databases are massive...
>
>
Mine too. We do about 700,000/mpd and my bayesDBs grow to about 1.3G. I, too, like the ram disk idea but I don't have 1.5G of ram to spare. Moving bayes to /var was a huge improvement for me. I'd guess that using ram would be phenomenal!

~rich
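
Added example, not part of any post in this archive: the INLINE_IMAGE rule from the "Increase in spam getting through" thread above, rewritten as a Python regex, run over constructed HTML bodies and then added to the SpamCheck score Rob posted. Only the cid: value and the header come from the thread; the other markup, the example.invalid names and the function names are assumptions, and bodies are assumed to be already decoded and matched one line at a time.

```python
import re

# Python form of the rule quoted in the thread:
#   rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.IGNORECASE)

# SpamCheck header value as posted for the message that got through.
POSTED_SPAMCHECK = (
    "not spam, SpamAssassin (score=2.963, required 6, ALL_TRUSTED 1.00, "
    "BAYES_50 0.00, DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)"
)

# Constructed sample bodies (decoded HTML or text). Only the cid: value in
# "image_spam" is taken from the thread; the rest is made up for the example.
SAMPLES = {
    "image_spam": '<p><img src="cid:image001.gif@01C6B486.796DE3A0"></p>\n'
                  "<p>Deals And Sale Items Keyword Group</p>",
    "legit_signature_logo": "<p>Regards,<br>Accounts team</p>\n"
                            "<IMG SRC = 'cid:logo@example.invalid' alt='logo'>",
    "remote_image": '<p><img src="http://example.invalid/banner.gif"></p>',
    "plain_text": "See the attached report.\n"
                  "The chart is referenced as cid:chart1 in the text.",
}


def parse_spamcheck(value):
    """Split a MailScanner SpamCheck value into (score, required, {rule: points})."""
    m = re.search(r"\(score=(-?[\d.]+),\s*required\s+(-?[\d.]+)(.*)\)", value, re.S)
    if not m:
        raise ValueError("unrecognised SpamCheck value")
    rules = {
        name: float(points)
        for name, points in re.findall(
            r"([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)", m.group(3)
        )
    }
    return float(m.group(1)), float(m.group(2)), rules


def rule_hits(raw_body):
    """True if any line of the decoded body matches INLINE_IMAGE."""
    return any(INLINE_IMAGE.search(line) for line in raw_body.splitlines())


def rescore(spamcheck_value, raw_body, rule_score):
    """Return (hit, new_total, flagged) after adding the rule's score on a hit."""
    score, required, _ = parse_spamcheck(spamcheck_value)
    hit = rule_hits(raw_body)
    total = round(score + rule_score, 3) if hit else score
    return hit, total, total >= required


def points_short(spamcheck_value):
    """Points still missing before the posted message reaches 'required'."""
    score, required, _ = parse_spamcheck(spamcheck_value)
    return round(required - score, 3)


if __name__ == "__main__":
    # Which sample bodies the rule fires on, spam or not.
    for name, body in SAMPLES.items():
        print(f"{name:22} INLINE_IMAGE hit: {rule_hits(body)}")

    # Effect of the two scores mentioned in the thread on the posted message.
    for rule_score in (1.5, 2.0):
        hit, total, flagged = rescore(
            POSTED_SPAMCHECK, SAMPLES["image_spam"], rule_score
        )
        print(f"score {rule_score}: total {total}, flagged as spam: {flagged}")

    print("points short of threshold:", points_short(POSTED_SPAMCHECK))
```

The rule fires on the constructed legitimate logo as well as on the spam-style body, which is the behaviour Phil describes. For the header Rob posted, the message is 3.037 points short of the required 6, so at 1.5 or 2 the rule only flags it together with other hits such as a higher Bayes score.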
From Peter.Bates at lshtm.ac.uk Tue Aug 1 14:28:13 2006 From: Peter.Bates at lshtm.ac.uk (Peter Bates) Date: Tue Aug 1 14:28:46 2006 Subject: SpamAssassin 3.1.4 Message-ID: <44CF64FD020000760000654D@193.63.251.15> Hello all... Might just be a slow summer, but I don't recall having seen any mention of SA 3.1.4 on here. I'm guessing it's just a minor bugfix version, but are people out there using it? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, IT Services. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From daniel.maher at ubisoft.com Tue Aug 1 14:43:44 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Tue Aug 1 14:43:48 2006 Subject: A quick and easy performance improvement Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> Sure, it's actually quite simple. I just created a ramdisk in the standard way, and mounted it as /var/spool/MailScanner/incoming I then created a simple cronjob that runs every couple of hours, which runs sa-learn --sync, and then copies the /var/spool/MailScanner/incoming/bayes/* to a directory on a physical disk. I should point out that the contents of /bayes/ is around 500MB to 600MB on each of the servers in my mail pool, so the more RAM the better. :) -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Chris Hammond > Sent: August 1, 2006 9:14 AM > To: MailScanner discussion > Subject: Re: A quick and easy performance improvement > > Daniel, would you share how you setup yours? 
> > Thanks > Chris From chris at tac.esi.net Tue Aug 1 14:49:51 2006 From: chris at tac.esi.net (Chris Hammond) Date: Tue Aug 1 14:50:07 2006 Subject: A quick and easy performance improvement In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> Message-ID: <44CF240C.B662.0038.0@tac.esi.net> Thanks Daniel, it does sound quite simple. I will look at trying this. Thanks Chris >>> "Daniel Maher" 08/01/06 9:43 AM >>> Sure, it's actually quite simple. I just created a ramdisk in the standard way, and mounted it as /var/spool/MailScanner/incoming I then created a simple cronjob that runs every couple of hours, which runs sa- learn -- sync, and then copies the /var/spool/MailScanner/incoming/bayes/* to a directory on a physical disk. I should point out that the contents of /bayes/ is around 500MB to 600MB on each of the servers in my mail pool, so the more RAM the better. :) -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > ----- Original Message----- > From: mailscanner- bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Chris Hammond > Sent: August 1, 2006 9:14 AM > To: MailScanner discussion > Subject: Re: A quick and easy performance improvement > > Daniel, would you share how you setup yours? > > Thanks > Chris -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From rgreen at trayerproducts.com Tue Aug 1 15:03:20 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Tue Aug 1 15:04:24 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CF240C.B662.0038.0@tac.esi.net>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net>
Message-ID: <44CF5F28.6030203@trayerproducts.com>

Here's a link to a howto on creating a ramdisk...

http://www.vanemery.com/Linux/Ramdisk/ramdisk.html

Chris Hammond wrote:
> Thanks Daniel, it does sound quite simple. I will look at trying this.
>
> Thanks
> Chris
>
>
>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>
> Sure, it's actually quite simple.
>
> I just created a ramdisk in the standard way, and mounted it as
> /var/spool/MailScanner/incoming
>
> I then created a simple cronjob that runs every couple of hours, which
> runs sa-learn --sync, and then copies the
> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
> disk.
>
> I should point out that the contents of /bayes/ is around 500MB to
> 600MB on each of the servers in my mail pool, so the more RAM the
> better. :)
>
> --
>  _
> °v°   Daniel Maher
> /(_)\ Administrateur Système Unix
>  ^ ^  Unix System Administrator
>
> Sentio aliquos togatos contra me conspirare.
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>>
> [mailto:mailscanner-
>
>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>> Sent: August 1, 2006 9:14 AM
>> To: MailScanner discussion
>> Subject: Re: A quick and easy performance improvement
>>
>> Daniel, would you share how you setup yours?
>>
>> Thanks
>> Chris
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

--
Rodney Green
Network Administrator
Trayer Products, Inc.
/rgreen@trayerproducts.com /
/607-734-8124 Ext. 343
Security+ Certified /

"Cross country skiing is great if you live in a small country." - Steven Wright

Honor the Fallen

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve.swaney at fsl.com Tue Aug 1 15:07:30 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Tue Aug 1 15:05:34 2006
Subject: SpamAssassin 3.1.4
In-Reply-To: <44CF64FD020000760000654D@193.63.251.15>
Message-ID: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Peter Bates
> Sent: Tuesday, August 01, 2006 9:28 AM
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin 3.1.4
>
>
> Hello all...
>
> Might just be a slow summer, but I don't recall having seen any mention
> of SA 3.1.4 on here.
>
> I'm guessing it's just a minor bugfix version, but are people out there
> using it?
>
> ...

We've tested and found some of the SARE rules are generating errors:

[21887] info: rules: meta test SARE_SUB_ACCEPT_CCARDS has undefined dependency '__SARE_SUB_FROM_PAYPAL'
[21887] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[21887] info: rules: meta test TVD_EB_PHISH has dependency 'NORMAL_HTTP_TO_IP' with a zero score
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[21887] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
[21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
[21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'

But these don't appear to be causing any problems. There are many comments on the Internet similar to:
http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html

Any SA list readers out there care to comment?

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From raymond at prolocation.net Tue Aug 1 15:14:28 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Aug 1 15:14:27 2006
Subject: SpamAssassin 3.1.4
In-Reply-To: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>
References: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>
Message-ID:

Hi Steve,

>> I'm guessing it's just a minor bugfix version, but are people out there
>> using it?
>>
>> ...
>
> We've tested and found some of the SARE rules are generating errors:
> VIRUS_WARNING_MYDOOM4'
> [21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
> [21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'
>
> But these don't appear to be causing any problems.
> There are many comments on the Internet similar to:
> http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html
>
> Any SA list readers out there care to comment?

We are already working to get all the rules fixed. We already put some changes in SVN. Most are harmless, oh and btw, you also listed non SARE rules ;)

Bye,
Raymond.

From acabrera at etapatelecom.net Tue Aug 1 23:40:58 2006
From: acabrera at etapatelecom.net (Ing. Augusto Cabrera D.)
Date: Tue Aug 1 23:52:14 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <44B5FDEF.8010605@solid-state-logic.com>
Message-ID: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>

Hello everybody.-

I need information about a software to create and delete accounts with a graphics interface with Sendmail.

Thank you

Ing. Augusto Cabrera Duffaut.
ISP - SERVER ADMINISTRATOR
Value-Added Dept.
ETAPATELECOM S.A.
Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
CUENCA - ECUADOR

_____________________________________
This message has been scanned by Etapatelecom's
free e-mail virus protection service.

From csweeney at osubucks.org Wed Aug 2 00:02:40 2006
From: csweeney at osubucks.org (Christopher Sweeney)
Date: Wed Aug 2 00:03:05 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
References: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
Message-ID: <44CFDD90.9030705@osubucks.org>

Ing. Augusto Cabrera D. wrote:
> Hello everybody.-
>
> I need information about a software to create and delete accounts with a
> graphics interface with Sendmail.
>
>
> Thank you
>
> Ing. Augusto Cabrera Duffaut.
> ISP - SERVER ADMINISTRATOR
> Value-Added Dept.
> ETAPATELECOM S.A.
> Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
> CUENCA - ECUADOR
>
>
>
> _____________________________________
> This message has been scanned by Etapatelecom's
> free e-mail virus protection service.
>
>

www.webmin.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rich at mail.wvnet.edu Wed Aug 2 00:03:10 2006
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Wed Aug 2 00:03:33 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CF5F28.6030203@trayerproducts.com>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net> <44CF5F28.6030203@trayerproducts.com>
Message-ID: <44CFDDAE.1040304@mail.wvnet.edu>

What about using tmpfs instead of a ramdisk for bayes's DB? The problem I have with a ramdisk is that you're giving up real memory for it. In my case that would be about 1.5GB. That's a lot to give up. With tmpfs it would be in virtual memory and grow or shrink as needed (using the swap file). That wouldn't be as good as a ramdisk in terms of performance but it would be more flexible. Has anyone done that? How did it work out?

~rich

Green, Rodney wrote:
> Here's a link to a howto on creating a ramdisk...
>
> http://www.vanemery.com/Linux/Ramdisk/ramdisk.html
>
> Chris Hammond wrote:
>> Thanks Daniel, it does sound quite simple. I will look at trying this.
>>
>> Thanks
>> Chris
>>
>>
>>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>>
>> Sure, it's actually quite simple.
>>
>> I just created a ramdisk in the standard way, and mounted it as
>> /var/spool/MailScanner/incoming
>>
>> I then created a simple cronjob that runs every couple of hours, which
>> runs sa-learn --sync, and then copies the
>> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
>> disk.
>>
>> I should point out that the contents of /bayes/ is around 500MB to
>> 600MB on each of the servers in my mail pool, so the more RAM the
>> better. :)
>>
>> --
>>  _
>> °v°   Daniel Maher
>> /(_)\ Administrateur Système Unix
>>  ^ ^  Unix System Administrator
>>
>> Sentio aliquos togatos contra me conspirare.
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>>
>> [mailto:mailscanner-
>>
>>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>>> Sent: August 1, 2006 9:14 AM
>>> To: MailScanner discussion
>>> Subject: Re: A quick and easy performance improvement
>>>
>>> Daniel, would you share how you setup yours?
>>>
>>> Thanks
>>> Chris
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>> -- This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>>
>

--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rich.vcf
Type: text/x-vcard
Size: 299 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060801/c24609b4/rich.vcf

From alex at nkpanama.com Wed Aug 2 00:27:15 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 2 00:27:41 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CFDDAE.1040304@mail.wvnet.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net> <44CF5F28.6030203@trayerproducts.com> <44CFDDAE.1040304@mail.wvnet.edu>
Message-ID: <44CFE353.2020005@nkpanama.com>

Works great for me so far... Don't have on many production servers, but most of my low volume and/or testing servers seem to work better with bayes in tmpfs.

Richard Lynch wrote:
> What about using tmpfs instead of a ramdisk for bayes's DB? The
> problem I have with a ramdisk is that you're giving up real memory for
> it. In my case that would be about 1.5GB. That's a lot to give up.
> With tmpfs it would be in virtual memory and grow or shrink as needed
> (using the swap file). That wouldn't be as good as a ramdisk in terms
> of performance but it would be more flexible. Has anyone done that?
> How did it work out?
>
> ~rich
>
> Green, Rodney wrote:
>> Here's a link to a howto on creating a ramdisk...
>>
>> http://www.vanemery.com/Linux/Ramdisk/ramdisk.html
>>
>> Chris Hammond wrote:
>>> Thanks Daniel, it does sound quite simple. I will look at trying this.
>>>
>>> Thanks
>>> Chris
>>>
>>>
>>>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>>>
>>> Sure, it's actually quite simple.
>>>
>>> I just created a ramdisk in the standard way, and mounted it as
>>> /var/spool/MailScanner/incoming
>>>
>>> I then created a simple cronjob that runs every couple of hours, which
>>> runs sa-learn --sync, and then copies the
>>> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
>>> disk.
>>>
>>> I should point out that the contents of /bayes/ is around 500MB to
>>> 600MB on each of the servers in my mail pool, so the more RAM the
>>> better. :)
>>>
>>> --
>>>  _
>>> °v°   Daniel Maher
>>> /(_)\ Administrateur Système Unix
>>>  ^ ^  Unix System Administrator
>>>
>>> Sentio aliquos togatos contra me conspirare.
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info
>>>>
>>> [mailto:mailscanner-
>>>
>>>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>>>> Sent: August 1, 2006 9:14 AM
>>>> To: MailScanner discussion
>>>> Subject: Re: A quick and easy performance improvement
>>>>
>>>> Daniel, would you share how you setup yours?
>>>>
>>>> Thanks
>>>> Chris
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>> -- This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>>
>>>
>>
>
>

From miguelk at konsultex.com.br Wed Aug 2 02:47:03 2006
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy)
Date: Wed Aug 2 02:47:37 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
References: <44B5FDEF.8010605@solid-state-logic.com> <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
Message-ID: <20060802014527.M55833@konsultex.com.br>

Augusto;

I use Webmin to manage the server, including user accounts, Sendmail and MailScanner. See it at http://www.webmin.com

Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

---------- Original Message -----------
From: "Ing. Augusto Cabrera D."
To: "'MailScanner discussion'"
Sent: Tue, 1 Aug 2006 17:40:58 -0500
Subject: Information about software for work with sendmail.

> Hello everybody.-
>
> I need information about a software to create and delete accounts with a
> graphics interface with Sendmail.
>
> Thank you
>
> Ing. Augusto Cabrera Duffaut.
> ISP - SERVER ADMINISTRATOR
> Value-Added Dept.
> ETAPATELECOM S.A.
> Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
> CUENCA - ECUADOR
>
> _____________________________________
> This message has been scanned by Etapatelecom's
> free e-mail virus protection service.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been checked by the antivirus system and
> is believed to be free of danger.
------- End of Original Message -------

--
This message has been checked by the antivirus system and
is believed to be free of danger.

From gmane at tippingmar.com Wed Aug 2 06:24:11 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Wed Aug 2 06:24:35 2006
Subject: DNS question
Message-ID:

I'm running a caching nameserver on my MailScanner machine. For the last two days I have been seeing lots of these in /var/log/messages:

Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: 64.202.165.202#53: connection reset

The times seem to correspond to when MailScanner starts scanning a batch. The IP address is always the one shown above or 68.178.211.201.

That said, named is still running and I can dig, etc. And mail is being delivered. I updated DCC, razor, and pyzor servers, so that isn't it.

Thanks for any ideas,
Mark Nienberg

From P.G.M.Peters at utwente.nl Wed Aug 2 08:37:35 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 2 08:37:39 2006
Subject: blocking out-of-office
Message-ID: <44D0563F.90409@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm back from vacation in Wales and I didn't set Out-of-Office. But it turns out a lot of our employees do. And they all use Exchange so a lot of OOO's are sent out because of spam. I remember there was a way to tell MailScanner to block these messages but I can't find anything in the archives.

Does anybody else have a better memory?

- --
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE0FY/elLo80lrIdIRAkshAJ0fWujj/jwRzY5EOfiLhmJZVqfOLQCeJGkn
HttUb7dMpNK7D0/nv0dLJ+Y=
=/ToE
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Wed Aug 2 08:48:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 2 08:48:17 2006
Subject: DNS question
In-Reply-To:
References:
Message-ID: <223f97700608020048x6eece12fy9f0b4ba863ce1622@mail.gmail.com>

On 02/08/06, Mark Nienberg wrote:
> I'm running a caching nameserver on my MailScanner machine. For the
> last two days I have been seeing lots of these in /var/log/messages:
>
> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: 64.202.165.202#53: connection reset
>
> The times seem to correspond to when MailScanner starts scanning a
> batch. The IP address is always the one shown above or 68.178.211.201.
>
> That said, named is still running and I can dig, etc. And mail is being
> delivered. I updated DCC, razor, and pyzor servers, so that isn't it.
>
> Thanks for any ideas,
> Mark Nienberg
>

Whois says "go daddy software, inc." and reverse lookup gives .secureserver.net ... I'm not sure you need do anything (or worry too much:-)... Either an error in their end, or some ... foolery...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Aug 2 09:00:12 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 2 09:01:17 2006
Subject: blocking out-of-office
In-Reply-To: <44D0563F.90409@utwente.nl>
References: <44D0563F.90409@utwente.nl>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Read the comments above the "Remove These Headers" option.

# If any of these headers are included in a a message, they will be deleted.
# This is very useful for removing return-receipt requests and any headers
# which mean special things to your email client application.
# X-Mozilla-Status is bad as it allows spammers to make a message appear to
# have already been read, which is believed to bypass some naive spam
# filtering systems.
# Receipt requests are bad as they give any attacker confirmation that an
# account is active and being read. You don't want this sort of information
# to leak outside your corporation. So you might want to remove
# Disposition-Notification-To and Return-Receipt-To.
# If you are having problems with duplicate message-id headers when you
# release spam from the quarantine and send it to an Exchange server, then add
# Message-Id.
# Each header should end in a ":", but MailScanner will add it if you forget.
# Headers should be separated by commas or spaces.
# This can also be the filename of a ruleset.
Remove These Headers = Return-Receipt-To, Disposition-Notification-To, X-Mozilla-Status

On 2 Aug 2006, at 08:37, Peter Peters wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm back from vacation in Wales and I didn't set Out-of-Office. But it
> turns out a lot of our employees do. And they all use Exchange so a lot
> of OOO's are sent out because of spam. I remember there was a way to
> tell MailScanner to block these messages but I can't find anything in
> the archives.
>
> Does anybody else have a better memory?
>
> - --
> Peter Peters, senior administrator (Security)
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFE0FY/elLo80lrIdIRAkshAJ0fWujj/jwRzY5EOfiLhmJZVqfOLQCeJGkn
> HttUb7dMpNK7D0/nv0dLJ+Y=
> =/ToE
> -----END PGP SIGNATURE-----
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

- --
Julian Field
MailScanner@ecs.soton.ac.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: US-ASCII

wj8DBQFE0FucEfZZRxQVtlQRAouIAJwL9n/fGpiRA0iJiFdbeuu2FF7EGACgsj9z
msP9OXp0U4ltUbNjfAF3v6s=
=fuZY
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From P.G.M.Peters at utwente.nl Wed Aug 2 09:10:30 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 2 09:10:35 2006
Subject: blocking out-of-office
In-Reply-To:
References: <44D0563F.90409@utwente.nl>
Message-ID: <44D05DF6.6030505@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Julian Field wrote on 2-8-2006 10:00:
> Read the comments above the "Remove These Headers" option.
>
> # If any of these headers are included in a a message, they will be deleted.
> # This is very useful for removing return-receipt requests and any headers
> # which mean special things to your email client application.

This helps only when the sender asks for a DSN.
This does not help when the recipient has configured to send an out of office to every message he receives.

- --
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE0F32elLo80lrIdIRAmbQAKCJ4h3BGz3Gw2IJEX6u0+k9oSNXiACgiN/b
K+JnG0vXyTQc0MW0AFXmV7c=
=w6I2
-----END PGP SIGNATURE-----

From nick.smith67 at googlemail.com Wed Aug 2 09:53:11 2006
From: nick.smith67 at googlemail.com (Nick Smith)
Date: Wed Aug 2 09:53:18 2006
Subject: Sys::Syslog
Message-ID:

Hi all,

Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog from 0.05 (which was part of the OS's Perl installation) to 0.17

After the upgrade, MS wouldn't log to syslog and neither would the original MS version (4.54)

I downgraded Sys::Syslog back to 0.05 and it started working again

In the past, I have always had to run syslogd in "remote mode" with a UDP listener for it to work with 0.05, but 0.17 wouldn't log at all whether using remote mode or not

This test script worked fine with 0.17 installed:

    use strict;
    use Sys::Syslog;
    openlog("testprog", 'pid, nowait', "local6");
    syslog("local6.info", "testing");

After some trial (and mostly) error, I finally discovered that adding the "ndelay" parameter to MS's openlog statement in Log.pm made it work:

    eval { Sys::Syslog::openlog($name, 'pid, nowait, ndelay', $facility); };

I don't pretend to have any clue what is going on here, I would assume that 99% of folks don't need to specify ndelay or it would have come to light previously. However in my case it would seem to be required.

BTW Sys::Syslog 0.17 has the welcome side effect that I no longer need to run syslogd in UDP "remote mode" for MS to work

Solaris 10 (Intel)
Perl 5.8.4
Logging to facility local6

Anybody have any insight? Any downside to using "ndelay"? If there is no downside, can the MS distribution be changed to use it?

Thanks

Nick

From res at ausics.net Wed Aug 2 11:00:28 2006
From: res at ausics.net (Res)
Date: Wed Aug 2 11:00:38 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

Hi Nick,

>
> I downgraded Sys::Syslog back to 0.05 and it started working again

I hope you mean 0.15 ?

> After some trial (and mostly) error, I finally discovered that adding
> the "ndelay" parameter to MS's openlog statement in Log.pm made it
> work:
>
> eval { Sys::Syslog::openlog($name, 'pid, nowait, ndelay', $facility); };

ndelay is good

> Anybody have any insight? Any downside to using "ndelay"? If there is
> no downside, can the MS distribution be changed to use it?

A regression has been introduced between versions 0.15 and 0.17 the changes should have been orthogonal to that functional part of the code affected by this problem and Sebastien is looking into it, be this part of your problem or not, time will tell :)

--
Cheers
Res

From nick.smith67 at googlemail.com Wed Aug 2 11:38:44 2006
From: nick.smith67 at googlemail.com (Nick Smith)
Date: Wed Aug 2 11:38:46 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

Hi Res,

Thanks for the reply...

On 8/2/06, Res wrote:
> Hi Nick,
>
> >
> > I downgraded Sys::Syslog back to 0.05 and it started working again
>
> I hope you mean 0.15 ?
>

...actually I do mean 0.05 - from Syslog.pm:

    $VERSION = '0.05';

The Sys::Syslog module was simply the one bundled with the Perl 5.8.4 installation on the box - I've never touched it before, and probably never would have done if the MS installation hadn't upgraded it :)

>
> A regression has been introduced between versions 0.15 and 0.17
> the changes should have been orthogonal to that functional part of the
> code affected by this problem and Sebastien is looking into it, be this
> part of your problem or not, time will tell :)
>

Interesting - unfortunately since I leapt from 0.05 to 0.17 without ever having used 0.15 or 0.16 it isn't easy to tell

The bit that I really don't get though is why the test script would work without ndelay being used yet MS seems to require it to make it work

Thanks

Nick

From res at ausics.net Wed Aug 2 13:03:55 2006
From: res at ausics.net (Res)
Date: Wed Aug 2 13:04:08 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

On Wed, 2 Aug 2006, Nick Smith wrote:

> Hi Res,
>
> Thanks for the reply...
>
> On 8/2/06, Res wrote:
>> Hi Nick,
>>
>> >
>> > I downgraded Sys::Syslog back to 0.05 and it started working again
>>
>> I hope you mean 0.15 ?
>>
>
> ...actually I do mean 0.05 - from Syslog.pm:
>
> $VERSION = '0.05';
>
> The Sys::Syslog module was simply the one bundled with the Perl 5.8.4
> installation on the box - I've never touched it before, and probably
> never would have done if the MS installation hadn't upgraded it :)
>
>>
>> A regression has been introduced between versions 0.15 and 0.17
>> the changes should have been orthogonal to that functional part of the
>> code affected by this problem and Sebastien is looking into it, be this
>> part of your problem or not, time will tell :)
>>
>
> Interesting - unfortunately since I leapt from 0.05 to 0.17 without
> ever having used 0.15 or 0.16 it isn't easy to tell
>
> The bit that I really don't get though is why the test script would
> work without ndelay being used yet MS seems to require it to make it
> work
>

That is weird, I might play with our test bed in morning and see what comes up there

> Thanks
>
> Nick
>

--
Cheers
Res

From alex at erus.co.uk Wed Aug 2 13:40:46 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Wed Aug 2 13:40:53 2006
Subject: DNS question
Message-ID: <44D09D4E.3060104@erus.co.uk>

Mark Nienberg wrote:
> I'm running a caching nameserver on my MailScanner machine. For the
> last two days I have been seeing lots of these in /var/log/messages:
>
> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: 64.202.165.202#53: connection reset
>

There has been something very similar reported on NANOG in the last few days:

> > Has anyone else seen an increase of the following named errors?
> >
> > Aug 1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70: shutting down due to TCP receive error: unexpected error
> > Aug 1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70: shutting down due to TCP receive error: unexpected error
> Noted similar here, started Jul 31 17:06:09 (GMT+1).
> > .. someone trying some new anti-bind trickery?
> The error can occur in "normal" usage of BIND9 so may reflect a change in
> firewall practice or similar.
> It is occurring on recursive servers with no remote recursive queries allowed,
> so it is presumably in response to some query initiated locally (email/spam
> related perhaps?).
>
> Suggest the DNS ops list may be best place to take further comments."

I'd try the DNS ops list and see if they've cracked it yet.

Regards,
Alex

From ugob at camo-route.com Wed Aug 2 14:45:20 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Aug 2 14:45:52 2006
Subject: DNS question
In-Reply-To: <44D09D4E.3060104@erus.co.uk>
References: <44D09D4E.3060104@erus.co.uk>
Message-ID:

Alex Pimperton wrote:
> Mark Nienberg wrote:
>> I'm running a caching nameserver on my MailScanner machine. For the
>> last two days I have been seeing lots of these in /var/log/messages:
>>
>> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: 64.202.165.202#53: connection reset
>>
>
>
>> Suggest the DNS ops list may be best place to take further comments."
>
> I'd try the DNS ops list and see if they've cracked it yet.

Please let us know if you have an answer...

Thanks

Ugo

From bbecken at aafp.org Wed Aug 2 15:19:32 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Aug 2 15:20:07 2006
Subject: Kaspersky A/V not running.
Message-ID: <44D06E18.D87E.0068.3@aafp.org>

I've got a valid license for Kaspersky and I've been trying to get MailScanner to use it without success.

I have kaspersky-4.5 defined in mailscanner.conf and I have updated the virus.scanners.conf file to point to the kaspersky directory. The wrapper script runs successfully, yet the log file never shows that kaspersky scans the email ( I can see Clamav and bitdefender entries). The maillog shows that the autoupdate scripts are running (shown below). I've even run MailScanner --lint and it's not showing any errors.

Any suggestions and what's missing?

Vitals:
MailScanner v4.54.6
Kaspersky v5.5.3 installed in the default location: /opt/kav/5.5/kav4unix

# cat /var/log/maillog | grep kaspersky
Aug 2 05:02:12 mx1 update.virus.scanners: Found kaspersky-4.5 installed
Aug 2 05:02:12 mx1 update.virus.scanners: Running autoupdate for kaspersky-4.5
Aug 2 05:02:27 mx1 kaspersky-autoupdate[13356]: Kaspersky-5.0 updated

MailScanner.conf:
# This *cannot* be the filename of a ruleset.
Virus Scanners = clamav bitdefender kaspersky-4.5

virus.scanners.conf
# Kaspersky 4.5 and newer
kaspersky-4.5 /usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix
kaspersky /usr/lib/MailScanner/kaspersky-wrapper /opt/AVP

Wrapper test.
# /usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix /tmp
[02/08/06 09:06:32 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.5.3/RELEASE build #100, compiled Jul 27 2005, 15:36:21
[02/08/06 09:06:32 I] Copyright (C) Kaspersky Lab, 1997-2005.
[02/08/06 09:06:32 I] Portions Copyright (C) Lan Crypto
[02/08/06 09:06:32 I] There are 1 Kaspersky license keys found:
[02/08/06 09:06:32 I] License file xxxxxxx.key, serial xxxx-xxxxxx-xxxxxxxx, "Kaspersky Anti-Virus BO Suite US Edition. 1-1 FileServer Base Licence + 1 year Maintenance", expires 13-11-2006 in 100 days
[02/08/06 09:06:40 I] The scan path: /tmp
[02/08/06 09:06:40 I] Silent mode is on

From listacct at tulsaconnect.com Wed Aug 2 17:04:05 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Wed Aug 2 17:04:02 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
Message-ID: <44D0CCF5.9000905@tulsaconnect.com>

I am deploying a new generation of MailScanner boxes, and am going with FreeBSD 6.1 and the latest version of MS. In addition to a few commercial AV scanners, I am going to give ClamAV a try. Question is -- should I install from ports, or install the ClamAV Perl module, or both? I've seen references to where the ClamAV Perl module is faster.
-- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From davidj at synaq.com Wed Aug 2 17:09:02 2006 From: davidj at synaq.com (David Jacobson) Date: Wed Aug 2 17:09:41 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D0CCF5.9000905@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> Message-ID: <1154534942.28994.99.camel@jakes.synaq.com> Hi Mike, I'd recommend installing ClamAV from source and getting the module via CPAN. The module is a lot faster and if you have auto in your Virus Scanners function it will pick up the module as the preferred scanneer. Kind Regards, David On Wed, 2006-08-02 at 11:04 -0500, TCIS List Acct wrote: > I am deploying a new generation of MailScanner boxes, and am going with FreeBSD > 6.1 and the latest version of MS. In addition to a few commerical AV scanners, > I am going to give ClamAV a try. Question is -- should I install from ports, or > install the ClamAV Perl module, or both? I've seen references to where the > ClamAV Perl module is faster. > > -- > > ----------------------------------------- > Mike Bacher / listacct@tulsaconnect.com > TCIS - TulsaConnect Internet Services > http://www.tulsaconnect.com > ----------------------------------------- -- Regards, David Jacobson Technical Director SYNAQ (Pty) Ltd Tel: 011 245 5888 Direct: 011 245 5889 Fax: 011 783 9275 Cell: 083 235 0760 Mail: davidj@synaq.com Web: http://www.synaq.com Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1 From listacct at tulsaconnect.com Wed Aug 2 17:42:51 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Wed Aug 2 17:42:48 2006 Subject: ClamAV on FreeBSD - ports or Perl module? 
In-Reply-To: <1154534942.28994.99.camel@jakes.synaq.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> Message-ID: <44D0D60B.1040805@tulsaconnect.com> David Jacobson wrote: > Hi Mike, > > I'd recommend installing ClamAV from source and getting the module via > CPAN. > > The module is a lot faster and if you have auto in your Virus Scanners > function it will pick up the module as the preferred scanneer. > > Kind Regards, > David I installed ClamAV from ports and then tried to install Mail::ClamAV from CPAN, but it failed due to the default Perl 5.8.8 install on FreeBSD not being built with threads. So, I then tried to build from ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, but gave a warning at the end saying my Perl needed to be built with threading, so looks like there is no way around that requirement. Anyone know how stable Perl 5.8.8 on FreeBSD 6.1 is with threading enabled? -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From amoore at dekalbmemorial.com Wed Aug 2 18:17:00 2006 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Aug 2 18:17:14 2006 Subject: DNS question In-Reply-To: Message-ID: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local> Ugo Bellavance wrote: > Please let us know if you have an answer... The SANS Internet Storm Center's handlers are following this. Their findings are available at http://isc.sans.org/diary.php?storyid=1538 . -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. 
Auburn, IN
E-mail: amoore@dekalbmemorial.com

From ka at pacific.net Wed Aug 2 18:29:22 2006
From: ka at pacific.net (Ken A)
Date: Wed Aug 2 18:28:34 2006
Subject: DNS question
In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local>
References: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local>
Message-ID: <44D0E0F2.7040700@pacific.net>

Mark Andrews posted yesterday to bind-users list:
> ...there is a bug in tcpmsg.c where the address is not copied from the socket event to the tcpmsg structure.

Ken A
Pacific.Net

Aaron K. Moore wrote:
> Ugo Bellavance wrote:
>> Please let us know if you have an answer...
>
> The SANS Internet Storm Center's handlers are following this. Their
> findings are available at http://isc.sans.org/diary.php?storyid=1538 .
>

From ewr at erols.com Wed Aug 2 18:39:58 2006
From: ewr at erols.com (ewr@erols.com)
Date: Wed Aug 2 18:46:44 2006
Subject: RBL and trusted users from blacklisted IP addresses
Message-ID: <0e3c01c6b65a$aca45300$c664a8c0@ew>

This is probably as much of a sendmail question as a mailscanner question, but I figured I'd start here.

My mail server is set up to use pop-before-smtp for authentication. When a user pops their email from the server, the IP address that they are checking their mail from gets added to sendmail's access.db for 10 minutes. It is inserted into the file as " RELAY".

I am using mailscanner/spamassassin to scan all incoming mails.
"Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf

My users are spread out around the country and connect to the internet from constantly changing locations. Most of the time everything works great.

The problem I am occasionally running into is that my users will occasionally try to send email from a black-listed IP address. This is happening more and more as my users begin to use their laptops at hotels, use Verizon wireless cards, etc. If one of my users tries to send an email to another user on my system from an RBL'd IP address, the email will be marked as spam.

I don't have a complete understanding of the order of how sendmail processes the headers, passes the email to mailscanner, etc... But I suspect that there must be some way to prevent these mails from being marked as spam.

I have considered a few approaches, but haven't figured out how to actually accomplish any of them yet:

#1) Is there a way to rewrite the IP address in the "Received" header in the email after it is accepted for RELAY? I know I trust the email after it makes it past the "access.db", so I could just put one of my own IP addresses in there.

#2) Is there a way to check the IP against a dynamic white-list and mark it as non-spam no matter what? I can probably update our pop-before-smtp to update another whitelist.

Any suggestions would be greatly appreciated. We do have a VPN and if a user uses the VPN there is no problem, but for various reasons VPN access isn't always available.

Thanks!

Eric

From alex at nkpanama.com Wed Aug 2 19:01:47 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 2 19:02:28 2006
Subject: RBL and trusted users from blacklisted IP addresses
In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew>
References: <0e3c01c6b65a$aca45300$c664a8c0@ew>
Message-ID: <44D0E88B.6070409@nkpanama.com>

My only suggestion would be to avoid POP-before-SMTP altogether and institute SMTP AUTH. It will avoid many problems and add an additional level of accountability for your users. Look for a thread here started by Muhammad Nauman (if I recall correctly) regarding the advantages of this.

Otherwise, to fiddle around too much with headers (even to go as far as rewriting them) is usually not kosher.

ewr@erols.com wrote:
> This is probably as much of a sendmail question as a mailscanner question,
> but I figured I'd start here.
>
> My mail server is set up to use pop-before-smtp for authentication. When a
> user pops their email from the server, the IP address that they are checking
> their mail from gets added to sendmail's access.db for 10 minutes. It is
> inserted into the file as " RELAY".
>
> I am using mailscanner/spamassassin to scan all incoming mails.
> "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf
>
> My users are spread out around the country and connect to the internet from
> constantly changing locations. Most of the time everything works great.
>
> The problem I am occasionally running into is that my users will
> occasionally try to send email from a black-listed IP address. This is
> happening more and more as my users begin to use their laptops at hotels,
> use Verizon wireless cards, etc. If one of my users tries to send an email
> to another user on my system from an RBL'd IP address, the email will be
> marked as spam.
>
> I don't have a complete understanding of the order of how sendmail processes
> the headers, passes the email to mailscanner, etc... But I suspect that
> there must be some way to prevent these mails from being marked as spam.
>
> I have considered a few approaches, but haven't figured out how to
> actually accomplish any of them yet:
> #1) Is there a way to rewrite the IP address in the "Received" header in the
> email after it is accepted for RELAY? I know I trust the email after it
> makes it past the "access.db", so I could just put one of my own IP
> addresses in there.
>
> #2) Is there a way to check the IP against a dynamic white-list and mark it
> as non-spam no matter what? I can probably update our pop-before-smtp to
> update another whitelist.
>
> Any suggestions would be greatly appreciated. We do have a VPN and if a
> user uses the VPN there is no problem, but for various reasons VPN access
> isn't always available.
>
> Thanks!
> > Eric > > From steve.freegard at fsl.com Wed Aug 2 19:10:25 2006 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Aug 2 19:08:32 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew> References: <0e3c01c6b65a$aca45300$c664a8c0@ew> Message-ID: <44D0EA91.40900@fsl.com> Hi Eric, ewr@erols.com wrote: > This is probably as much of a sendmail question as a mailscanner question, > but I figured I'd start here. > > My mail server is set up to use pop-before-smtp for authentication. When a > user pops their email from the server, the IP address that they are checking > their mail from gets added to sendmail's access.db for 10 minutes. It is > inserted into the file as " RELAY". > > I am using mailscanner/spamassassin to scan all incoming mails. > "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf Why not move the RBL checks from MailScanner into Sendmail?? -- this will reduce the load on your system as black listed host connections will be rejected with a 5xx SMTP error which is cheaper than MailScanner+SpamAssassin. You will need to modify the POP before SMTP script to write to the access.db in the format 'Connect:ip.add.re.ss RELAY' to allow the bypass of the RBL checks for POP before SMTP users though, and you might want to think about setting FEATURE(`delay_checks') too. This will stop MailScanner marking the message with {Spam?} if the client appears on an RBL -- but it might just move the problem into SpamAssassin as it will probably get scored accordingly, you'll have to try and see. > #2) Is there a way to check the IP against a dynamic white-list and mark it > as non-spam no matter what? I can probably update our pop-before-smtp to > update another whitelist. You could create a CustomFunction on the 'Spam Checks' setting which looks up entries in the access.db and returns 'No' if the $message->{clientip} key exists with a RELAY value. Kind regards, Steve. 
-- Steve Freegard Development Director Fort Systems Ltd. From ugob at camo-route.com Wed Aug 2 19:16:53 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Aug 2 19:17:55 2006 Subject: chinese-language email In-Reply-To: References: Message-ID: Adri Koppes wrote: > Hi Daniel, > > In your local.cf or spamassassin.prefs.conf check the settings of > ok_languages and ok_locales. > These 2 SpamAssassin settings are used for the FARWAY and other rules. I guess that every time we add something to these settings, the catch rate for foreign spam is reduced? Ugo From mikej at rogers.com Wed Aug 2 19:25:31 2006 From: mikej at rogers.com (Mike Jakubik) Date: Wed Aug 2 19:25:26 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D0D60B.1040805@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> Message-ID: <44D0EE1B.5080402@rogers.com> TCIS List Acct wrote: > I installed ClamAV from ports and then tried to install Mail::ClamAV > from CPAN, but it failed due to the default Perl 5.8.8 install on > FreeBSD not being built with threads. So, I then tried to build from > ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, but gave a > warning at the end saying my Perl needed to be built with threading, > so looks like there is no way around that requirement. Anyone know > how stable Perl 5.8.8 on FreeBSD 6.1 is with threading enabled? > First of all, you should always stick to the ports if possible. It will ensure things just work, and it will be easier for you to manage and keep the software up to date. As for the ClamAV perl module, last time i tested it, it worked just fine without a threaded perl. All in all you should probably test it yourself before deployment, you can recompile perl with thread support. For any further questions, i would go to the freebsd-ports mailing list. 
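
Steve Freegard's reply in the "RBL and trusted users from blacklisted IP addresses" thread above suggests having the pop-before-smtp script write 'Connect:ip.add.re.ss RELAY' entries and letting a 'Spam Checks' custom function answer 'No' when the client IP has a RELAY entry. The following is an added example, not code from the list, sendmail or MailScanner: a Python model of that decision over the text form of an access map, with the 10-minute window from the original question. The function names, the in-memory login state, the choice to honour exact host keys only, and the sample addresses are all assumptions.

```python
"""Model of a pop-before-smtp relay whitelist in access-map source form.

Added illustration only: names, the state dict and the sample data are
assumptions, not part of sendmail or MailScanner.
"""
import ipaddress

TTL_SECONDS = 600  # pop-before-smtp window from the thread: 10 minutes


def canonical_ipv4(text):
    """Return the dotted-quad form of text, or None if it is not one IPv4 host."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        return None


def record_pop_login(state, client_ip, now):
    """Note a successful POP login. state maps ip -> expiry (epoch seconds)."""
    ip = canonical_ipv4(client_ip)
    if ip is None:
        # Never let unvalidated text become an access-map key.
        raise ValueError("not an IPv4 host address: %r" % (client_ip,))
    state[ip] = now + TTL_SECONDS
    return state


def render_access_lines(state, now):
    """Access-map source lines for logins that are still inside the window."""
    live = sorted(ip for ip, expiry in state.items() if expiry > now)
    return ["Connect:%s\tRELAY" % ip for ip in live]


def parse_access(lines):
    """Map of lower-cased key -> upper-cased value, skipping comments and blanks."""
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip().upper()
    return table


def skip_spam_checks(access_lines, client_ip):
    """Decision a 'Spam Checks' custom function could make for one message."""
    ip = canonical_ipv4(client_ip)
    if ip is None:
        return False  # unknown or malformed client address: scan as usual
    table = parse_access(access_lines)
    # Exact host keys only (tagged or bare); a prefix entry such as
    # "Connect:198.51.100" is deliberately not treated as a user login.
    return any(table.get(key) == "RELAY" for key in ("connect:" + ip, ip))


# Constructed sample: entries an admin might already have in the map.
STATIC_LINES = [
    "# static entries (constructed sample)",
    "Connect:192.0.2.10\tREJECT",
    "Connect:198.51.100\tRELAY",
    "To:example.org\tRELAY",
]


def demo():
    """Two POP logins, then the decision for four client addresses at t=1700."""
    state = {}
    record_pop_login(state, "203.0.113.7", now=1000)   # expires at 1600
    record_pop_login(state, "203.0.113.99", now=1500)  # expires at 2100
    at_1700 = STATIC_LINES + render_access_lines(state, now=1700)
    return {
        "fresh login": skip_spam_checks(at_1700, "203.0.113.99"),
        "expired login": skip_spam_checks(at_1700, "203.0.113.7"),
        "rejected host": skip_spam_checks(at_1700, "192.0.2.10"),
        "prefix only": skip_spam_checks(at_1700, "198.51.100.20"),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-14s skip spam checks: %s" % (label, decision))
```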
From drew at themarshalls.co.uk Wed Aug 2 19:30:51 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 2 19:31:08 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D0D60B.1040805@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> Message-ID: On 2 Aug 2006, at 17:42, TCIS List Acct wrote: > > > David Jacobson wrote: >> Hi Mike, >> I'd recommend installing ClamAV from source and getting the module >> via >> CPAN. >> The module is a lot faster and if you have auto in your Virus >> Scanners >> function it will pick up the module as the preferred scanneer. >> Kind Regards, >> David > > I installed ClamAV from ports and then tried to install > Mail::ClamAV from CPAN, but it failed due to the default Perl 5.8.8 > install on FreeBSD not being built with threads. So, I then tried > to build from ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, > but gave a warning at the end saying my Perl needed to be built > with threading, so looks like there is no way around that > requirement. Anyone know how stable Perl 5.8.8 on FreeBSD 6.1 is > with threading enabled? > I would always say go with the ports. They are up dated pretty regularly so never far behind the source any way. I am also running the ClamAV Perl module on Perl 5.8.8 with out threading (Admittedly in FreeBSD 6.0) and have no issues at all. I would think you should be fine as you are although it's worth monitoring MailScanner and chuck a few Eicar test viruses through to make sure Clam (Via it's module) is being used, just to be sure. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From bpumphrey at WoodMacLaw.com Wed Aug 2 19:49:03 2006 From: bpumphrey at WoodMacLaw.com (Billy A. 
Pumphrey) Date: Wed Aug 2 19:49:08 2006 Subject: blocking out-of-office In-Reply-To: <44D0563F.90409@utwente.nl> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Peter Peters > Sent: Wednesday, August 02, 2006 3:38 AM > To: MailScanner discussion > Subject: blocking out-of-office > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I'm back from vacation in Wales and I didn't set Out-of-Office. But it > turns out a lot of our employees do. And they all use Exchange so a lot > of OOO's are send out because of spam. I remember there was a way to > tell MailScanner to block these messages but I can't find anything in > the archives. > > Does anybody else have a better memory? > > - -- Does this have anything to do with this... My employees report that when they have the out of office turned on they receive more spam..... From evan at espphotography.com Wed Aug 2 20:07:08 2006 From: evan at espphotography.com (Evan Platt) Date: Wed Aug 2 20:07:53 2006 Subject: blocking out-of-office In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmacl aw.local> References: <44D0563F.90409@utwente.nl> <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> Message-ID: <7.0.1.0.2.20060802120551.02062650@espphotography.com> At 11:49 AM 8/2/2006, you wrote: >My employees report that when they have the out of office turned on they >receive more spam..... I don't know how the two are related. Most spam I see doesn't have a valid reply address. My suggestion is to use a *nix based autoresponder. Have it only reply to addresses in your address book. Or better yet, ditch the autoresponder. 
From jgolden at ci.grand-rapids.mi.us Wed Aug 2 20:33:30 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Wed Aug 2 20:35:30 2006
Subject: Question about spam.assassin.prefs.conf
Message-ID: <1154547210.12498.5.camel@doit-b8wsw21.grand-rapids.mi.us>

Hi all,

I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there a reason I should/should not do this?

Thanks,
James

From lshaw at emitinc.com Wed Aug 2 20:57:54 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Aug 2 20:58:07 2006
Subject: RBL and trusted users from blacklisted IP addresses
In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew>
References: <0e3c01c6b65a$aca45300$c664a8c0@ew>
Message-ID:

On Wed, 2 Aug 2006, ewr@erols.com wrote:

> This is probably as much of a sendmail question as a mailscanner question,
> but I figured I'd start here.
>
> My mail server is set up to use pop-before-smtp for authentication. When a
> user pops their email from the server, the IP address that they are checking
> their mail from gets added to sendmail's access.db for 10 minutes. It is
> inserted into the file as " RELAY".
>
> I am using mailscanner/spamassassin to scan all incoming mails.
> "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf
>
> My users are spread out around the country and connect to the internet from
> constantly changing locations. Most of the time everything works great.
>
> The problem I am occasionally running into is that my users will
> occasionally try to send email from a black-listed IP address.
One simple solution to this is to set up sendmail to listen on port 587, the mail submission port. The users would then connect to port 587 and do authenticated SMTP. You can then set up a separate sendmail instance to listen on this port and bypass the MailScanner queue entirely. If the users are doing authentication, there is little need to worry about spam. The only problem might be protecting machines from viruses spreading *from* your users' machines. Whether that's going to be an issue you need to worry about depends on your users. - Logan From ewr at erols.com Wed Aug 2 21:29:15 2006 From: ewr at erols.com (ewr@erols.com) Date: Wed Aug 2 21:48:35 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <44D0E88B.6070409@nkpanama.com> Message-ID: <0eb801c6b672$52aacc90$c664a8c0@ew> >My only suggestion would be to avoid POP-before-SMTP >altogether and institute SMTP AUTH. It will avoid many >problems and add an additional level of accountability for >your users. Look for a thread here started by Muhammad Nauman >(if I recall correctly) regarding the advantages of this. > >Otherwise, to fiddle around too much with headers (even to go >as far as rewriting them) is usually not kosher. I looked for the thread but didn't find anything relevant. Do you know how long ago it was? I actually have AUTH turned on, my users just aren't "forced" to use it yet... but I'm not sure exactly how SMTP Auth will help with this. Does an email arriving that has been AUTH'ed somehow become immune to RBL checks? From listacct at tulsaconnect.com Wed Aug 2 21:54:57 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Wed Aug 2 21:54:54 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> Message-ID: <44D11121.2080104@tulsaconnect.com> Drew Marshall wrote: > I would always say go with the ports. 
They are up dated pretty regularly > so never far behind the source any way. > > I am also running the ClamAV Perl module on Perl 5.8.8 with out > threading (Admittedly in FreeBSD 6.0) and have no issues at all. I would > think you should be fine as you are although it's worth monitoring > MailScanner and chuck a few Eicar test viruses through to make sure Clam > (Via it's module) is being used, just to be sure. > > Drew > http://www.freshports.org/mail/p5-Mail-ClamAV/ See entry on 23 Feb 2004 I get that warning after I install that port.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From drew at themarshalls.co.uk Wed Aug 2 22:06:27 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 2 22:06:43 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D11121.2080104@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> <44D11121.2080104@tulsaconnect.com> Message-ID: On 2 Aug 2006, at 21:54, TCIS List Acct wrote: > > > Drew Marshall wrote: > >> I would always say go with the ports. They are up dated pretty >> regularly so never far behind the source any way. >> I am also running the ClamAV Perl module on Perl 5.8.8 with out >> threading (Admittedly in FreeBSD 6.0) and have no issues at all. I >> would think you should be fine as you are although it's worth >> monitoring MailScanner and chuck a few Eicar test viruses through >> to make sure Clam (Via it's module) is being used, just to be sure. >> Drew > > http://www.freshports.org/mail/p5-Mail-ClamAV/ > > See entry on 23 Feb 2004 > > I get that warning after I install that port.. Hmm, interesting. 
As Jan-Peter (The port maintainer) also just happens to be a MailScanner user (And the maintainer for the MS port) and a subscriber to the list, perhaps he could comment better. I am running that version without threading and have done so for ages with no issues, so I don't understand (Like normal ;-) ). I'll drop him a line off list as he is a very busy lad and doesn't always read every post from the list. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From radus at smartpost.ro Thu Aug 3 00:27:27 2006 From: radus at smartpost.ro (Radu Spineanu) Date: Thu Aug 3 00:27:36 2006 Subject: mailscanner and SMTP AUTH Message-ID: <44D134DF.3080102@smartpost.ro> Hi Can mailscanner be configured to ignore all checks for messages sent via smtp auth? In my current setup, when i try to send an email from home using SMTP AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip block was added in rbls as it's used for home use). Radu From mrm at medicine.wisc.edu Thu Aug 3 00:58:40 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Thu Aug 3 00:59:03 2006 Subject: Inline image havoc Message-ID: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> I apologize because this is more of a SA related question, but I was curious if anyone running a busy Mailscanner is also running any of the various SA pluggins that do OCR checking to defeat inline image spam? Do they work? How much extra load on the server have you noticed? Is there any pluggin that seems better overall? Seems as of late, the only spam that ever gets through is the inline image stuff and just recently we are getting bombarded with the junk.... It's bad enough that pine looks like a good option again..... 
Mike From ajos1 at onion.demon.co.uk Thu Aug 3 01:17:25 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Thu Aug 3 01:17:36 2006 Subject: SpamAssassin 3.1.4 Message-ID: - We have it running on 6 linux servers... and one Microsoft exchange... I trust it is working!! (Not yet checked if there are any false positives). >> >> Might just be a slow summer, but I don't recall having seen any mention of SA 3.1.4 on here. I'm guessing it's just a minor bugfix version, but are people out there using it? >> From michele at blacknight.ie Thu Aug 3 01:22:38 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Thu Aug 3 01:22:41 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <44D141CE.9090805@blacknight.ie> Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent via > smtp auth? > > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu Do you have a fixed IP at home? You could simply whitelist your home IP or your ISP's netblock -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From jaearick at colby.edu Thu Aug 3 01:21:16 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 3 01:26:11 2006 Subject: Inline image havoc In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: I added this to my spam.assassin.prefs.conf file the other day, and it has helped. 
It was posted by another reader a few days ago:

#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0

BTW, I *am* a pine user. I still don't like image spam...

Jeff Earickson
Colby College

On Wed, 2 Aug 2006, Michael Masse wrote:

> Date: Wed, 02 Aug 2006 18:58:40 -0500
> From: Michael Masse
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: Inline image havoc
>
> I apologize because this is more of a SA related question, but I was
> curious if anyone running a busy Mailscanner is also running any of the
> various SA plugins that do OCR checking to defeat inline image spam?
> Do they work? How much extra load on the server have you noticed?
> Is there any plugin that seems better overall? Seems as of late, the
> only spam that ever gets through is the inline image stuff and just
> recently we are getting bombarded with the junk.... It's bad enough
> that pine looks like a good option again.....
>
>
> Mike
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ajos1 at onion.demon.co.uk Thu Aug 3 01:32:23 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Thu Aug 3 01:32:28 2006
Subject: Sys::Syslog
Message-ID:

This is happening to me on FC5 as well...
>>
>> Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog from 0.05 (which was part of the OS's Perl installation) to 0.17
>>
>> After the upgrade, MS wouldn't log to syslog and neither would the original MS version (4.54)
>>

==
=====================================================================
=
= When Ms Jowell, whose department is responsible for sport, was
= asked who she thought was going to win the cup, she gleefully
= pointed towards her ministerial vehicle, which is now bedecked in
= flags, to declare: "There's only one England."
=
= Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
= Call... +44 8457 90 90 90 http://www.samaritans.org/
=
=====================================================================

From ajos1 at onion.demon.co.uk Thu Aug 3 01:40:45 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Thu Aug 3 01:40:52 2006
Subject: Question about spam.assassin.prefs.conf
Message-ID:

-

How long ago was your previous update?

I do ALL the STABLE updates... from RPM... and my spamassassin.prefs.conf is dated:

-rw-r--r-- 1 root root 11023 May 8 14:53 spam.assassin.prefs.conf

(There is no RPMNEW)... so I am assuming May 8 is the latest version to have?

>>
>> I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there are reason I should/should not do this?
>>

From res at ausics.net Thu Aug 3 02:03:12 2006
From: res at ausics.net (Res)
Date: Thu Aug 3 02:03:23 2006
Subject: {MailScanner: Spam?} Re: Sys::Syslog
In-Reply-To:
References:
Message-ID:

On Thu, 3 Aug 2006, ajos1@onion.demon.co.uk wrote:

> This is happening to me on FC5 as well...

On Linux? or Sun.. ?

>
>>>
>>> Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog
> from 0.05 (which was part of the OS's Perl installation) to 0.17
>>>
>>> After the upgrade, MS wouldn't log to syslog and neither would the
> original MS version (4.54)
>>>
>

--
Cheers
Res

From pete at enitech.com.au Thu Aug 3 02:25:15 2006
From: pete at enitech.com.au (Peter Russell)
Date: Thu Aug 3 02:25:33 2006
Subject: SpamAssassin 3.1.4
In-Reply-To:
References: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>
Message-ID: <44D1507B.7060804@enitech.com.au>

Julian has his package up with 3.1.4 - should we go ahead and update?

Raymond Dijkxhoorn wrote:
> Hi Steve,
>
>>> I'm guessing it's just a minor bugfix version, but are people out there
>>> using it?
>>>
>>> ...
>> >> We've tested and found some of the SARE rules are generating errors: > >> VIRUS_WARNING_MYDOOM4' >> [21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency >> 'SARE_O >> BFU_CIALIS2' >> [21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency >> 'FP_PENET >> RATION' >> >> But these don't appear to be causing any problems. There are many >> comments >> on the Internet similar to: >> http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html >> >> Any SA list readers out there care to comment? > > We are allready working to get all the rules fixed. We allready put some > changes in SVN. Most are harmless, oh and btw, you also listed non SARE > rules ;) > > Bye, > Raymond. From jrudd at ucsc.edu Thu Aug 3 02:47:25 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 3 02:47:57 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <777745c1dc10717ce27ebe7f61581188@ucsc.edu> In the rule that invokes mailscanner, add the condition: Source is not authenticated On Aug 2, 2006, at 4:27 PM, Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent > via > smtp auth? > > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 

From jrudd at ucsc.edu Thu Aug 3 02:49:23 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Thu Aug 3 02:49:51 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D134DF.3080102@smartpost.ro>
References: <44D134DF.3080102@smartpost.ro>
Message-ID: <4bfc7f70e5e06f88919dfc6345ff34f8@ucsc.edu>

oops, ignore my last comment... I was mixing up which list I'm on.

On Aug 2, 2006, at 4:27 PM, Radu Spineanu wrote:

> Hi
>
> Can mailscanner be configured to ignore all checks for messages sent
> via
> smtp auth?
>
> In my current setup, when I try to send an email from home using SMTP
> AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip
> block was added in rbls as it's used for home use).
>
> Radu
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From dave.list at pixelhammer.com Thu Aug 3 03:09:02 2006
From: dave.list at pixelhammer.com (DAve)
Date: Thu Aug 3 03:09:35 2006
Subject: Inline image havoc
In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu>
References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <44D15ABE.5030407@pixelhammer.com>

Michael Masse wrote:
> I apologize because this is more of a SA related question, but I was
> curious if anyone running a busy Mailscanner is also running any of the
> various SA plugins that do OCR checking to defeat inline image spam?
> Do they work? How much extra load on the server have you noticed?
> Is there any plugin that seems better overall? Seems as of late, the
> only spam that ever gets through is the inline image stuff and just
> recently we are getting bombarded with the junk.... It's bad enough
> that pine looks like a good option again.....
>
>
> Mike
>

We just recently moved our SA from the mail toasters running spamc to using MailScanner.
It's much better btw, adding full SA to MailScanner was a negligible resource increase.

Doing so I again tried bayes, not having much luck with it in previous years. Feeding bayes the image spams that got through, and using SARE stock rules, have made my image spams decrease a large amount.

There is a large debate going whether the resources needed for checking images will be worth the trouble. Personally I'm waiting until someone has a plugin that gets mentioned as a 'must have' like SURBL or URIBL before I bother with it.

Of course everyone's spam is different, might not work for you.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From alex at nkpanama.com Thu Aug 3 03:12:13 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Aug 3 03:12:55 2006
Subject: RBL and trusted users from blacklisted IP addresses
In-Reply-To: <0eb801c6b672$52aacc90$c664a8c0@ew>
References: <0eb801c6b672$52aacc90$c664a8c0@ew>
Message-ID: <44D15B7D.2020007@nkpanama.com>

ewr@erols.com wrote:
>> My only suggestion would be to avoid POP-before-SMTP
>> altogether and institute SMTP AUTH. It will avoid many
>> problems and add an additional level of accountability for
>> your users. Look for a thread here started by Muhammad Nauman
>> (if I recall correctly) regarding the advantages of this.
>>
>> Otherwise, to fiddle around too much with headers (even to go
>> as far as rewriting them) is usually not kosher.
>>
>
> I looked for the thread but didn't find anything relevant. Do you know how
> long ago it was?
>
> I actually have AUTH turned on, my users just aren't "forced" to use it
> yet... but I'm not sure exactly how SMTP Auth will help with this. Does an
> email arriving that has been AUTH'ed somehow become immune to RBL checks?
>
>

You can create spamassassin rules tailored to your server that recognize the AUTH header and act accordingly. The other suggestion (MSA on port 587 independent from MailScanner) is also an option.

From pete at enitech.com.au Thu Aug 3 03:20:41 2006
From: pete at enitech.com.au (Peter Russell)
Date: Thu Aug 3 03:20:54 2006
Subject: MailScanner ANNOUNCE: 4.55 stable released
In-Reply-To:
References:
Message-ID: <44D15D79.1030105@enitech.com.au>

Hi, I have upgraded to the latest version and tried --changed on one of my machines and get a weird error.

This is Red Hat Enterprise Linux AS release 4 (Nahant)
This is Perl version 5.008005 (5.8.5)
This is MailScanner version 4.55.9

# MailScanner --changed
Cannot open config file --changed, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 605.
Compilation failed in require at /usr/sbin/MailScanner line 69.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69.

Any ideas on the cause?

Thanks
Pete

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Morning/Afternoon/Evening all!
>
> I have just released the latest stable release of MailScanner, 4.55.
>
> There are many minor changes this month, nothing earth-shattering,
> and a few fixes for you. One new feature you may find useful is the
> "--changed" command-line option, which will make MailScanner print
> out a table of all the settings you have changed from the defaults.
> This should help diagnosing problem much easier, as you won't have to
> read the MailScanner.conf and try to spot the changes any more. Just
> run "MailScanner --changed" and it will tell you all you need to know.
>
> Download as usual from
> www.mailscanner.info
>
> The full Change Log is here:
>
> * New Features and Improvements *
> 1 Added educ.ar and uba.ar to country.domains.conf for less strict
> phishing net.
> 1 Code tidy up in Message constructor.
> 1 Speed improvements to ZMailer attachment extraction to keep up with > the > other MTAs. > 1 "Log Speed = no" now does what it says on the tin. (UK in-joke :-) > 1 Added "stopms" option to Linux init.d scripts. > 1 Improved behaviour when %percentvars% at start of MailScanner.conf > have not > been configured at all. It now uses the fully-qualified hostname > to guess > the domain name and website address. It used to refuse to run > which was > very impolite. > 1 Added Sys::Hostname::Long to list of required modules to implement > the above. > 2 Documentation rationalisation. Most up to date versions are all on > the web. > 3 Now output lock type in use with "--lint". > 4 Improvement to Sophos.install for Sophos Version 5 so that email > logging is > disabled. > 4 Now use syslog "notice" priority instead of "info" when issuing > messages > that are nearly warnings. This helps you drastically reduce the > amount of > syslog output by just logging priorities greater than or equal to > "notice". > 5 Added a "Contact Us" web page instead of just a mailto: link. > 6 Improved Help guidance in Contact Us web page. > 6 New command-line option: "-c" or "--changed". > This will print out a table of all the configuration settings that > have > been changed from the default values hard-coded into MailScanner. > Note > this may not be quite the same as the differences from the supplied > default MailScanner.conf file. > 6 Updated hard-coded defaults to better match MailScanner.conf settings. > 6 Improved handling of broken Custom Functions. Having a broken Custom > Function will now just result in the setting's default value being > used. > 7 Bugfix for "--changed" printing when using Custom Functions. > 8 Improved syslog-ing code so it doesn't matter is syslogd dies. > 8 Upgraded DBD-SQLite to version 1.12 as it builds a lot more easily. > 8 Improved handling of Postfix virtual users. Thanks to > jpabuyer@tecnoera.com. 
> 9 Added catch to commercial virus scanning code to allow syslogd to > die during > a virus scan. > 9 Improved speed logging to remove chatter. > 9 Upgraded Sys::Syslog to 0.17 which builds okay, unlike 0.16. > 9 MCP timings are no longer output if MCP checks are disabled. > > * Fixes * > 1 Put back in the checks of free disk space that were in 4.53.1 but > then lost. > 1 Fix in check_MailScanner for MacOSX. > 3 Default lock type for sendmail is now posix, as it should be. > 4 Fix to phishing net so that links to "www.domain.com." are accepted > as legal. > 6 Fixed problem with dangerous filenames in TNEF archives when using the > external TNEF expander. > 8 Fixed problem with long SpamAssassin report in report files getting > truncated > at % signs. > 8 Fixed phishing net problem with some cases of outbind://\d+/.... URLs. > 9 Stopped logging code producing ridiculous numbers. > 9 Improved Denial-of-service attack detector to handle multiple virus > scanners > more quickly. Now clears detection in 2 x Virus Scanner Timeout, > as expected. > 9 Fixed minor bug in TNEF handling of bad messages. > 9 "service MailScanner reload" should work properly now. > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: US-ASCII > > wj8DBQFEzw2LEfZZRxQVtlQRAkXgAJsGcNkLiq3fIciMmq6f6gbvouA6UgCg5ND9 > DWtjaI46fNH1v4XPt9FK1Pk= > =/a/k > -----END PGP SIGNATURE----- > From mrm at medicine.wisc.edu Thu Aug 3 04:31:44 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Thu Aug 3 04:32:16 2006 Subject: Inline image havoc In-Reply-To: References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <44D12796.7FBE.00FC.3@medicine.wisc.edu> >>> On 8/2/2006 at 7:21 PM, in message , "Jeff A. Earickson" wrote: > I added this to my spam.assassin.prefs.conf file the other day, > and it has helped. 
It was posted by another reader a few days
> ago:
>
> #---added 8/1/2006 to combat image spam
> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
> describe INLINE_IMAGE Inline Images
> score INLINE_IMAGE 2.0
>

I have been running this as well and it certainly has helped, but some are still slipping through. I guess I'll try a score of 3 points and see if that helps.

Mike

From pete at enitech.com.au Thu Aug 3 04:53:20 2006
From: pete at enitech.com.au (Peter Russell)
Date: Thu Aug 3 04:53:32 2006
Subject: Inline image havoc
In-Reply-To: <44D12796.7FBE.00FC.3@medicine.wisc.edu>
References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> <44D12796.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <44D17330.70409@enitech.com.au>

Working nicely here on 1.50

My low spam score is 6 and this pushes them over.

SpamAssassin Score: 6.32
6 required
-0.18 BAYES_40 Bayesian spam probability is 20 to 40%
2.77 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
0.00 HTML_MESSAGE HTML included in message
1.50 INLINE_IMAGE
2.23 RCVD_IN_WHOIS_INVALID CompleteWhois: sender on invalid IP block

Michael Masse wrote:
>
>>>> On 8/2/2006 at 7:21 PM, in message
> ,
> "Jeff A. Earickson" wrote:
>> I added this to my spam.assassin.prefs.conf file the other day,
>> and it has helped. It was posted by another reader a few days
>> ago:
>>
>> #---added 8/1/2006 to combat image spam
>> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
>> describe INLINE_IMAGE Inline Images
>> score INLINE_IMAGE 2.0
>>
>
>
> I have been running this as well and it certainly has helped, but some
> are still slipping through. I guess I'll try a score of 3 points and
> see if that helps.
>
> Mike
>

From doc at maddoc.net Thu Aug 3 06:28:39 2006
From: doc at maddoc.net (Doc Schneider)
Date: Thu Aug 3 06:28:44 2006
Subject: 70_sare_stocks.cf
Message-ID: <44D18987.4070400@maddoc.net>

I added a "tweak" to the rule set that should catch more of these dang image spams.

For those of you running "SARE_STOCK" please let me know if these are now being caught.

Thanks!

I can be contacted off list either at this address or maddoc@maddoc.net which is the contact address in the rules.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From chrisgreen at hotmail.com Thu Aug 3 06:34:26 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Thu Aug 3 06:34:47 2006
Subject: blocking out-of-office
In-Reply-To: <7.0.1.0.2.20060802120551.02062650@espphotography.com>
Message-ID:

>At 11:49 AM 8/2/2006, you wrote:
>
>>My employees report that when they have the out of office turned on they
>>receive more spam.....
>
>
>I don't know how the two are related. Most spam I see doesn't have a valid
>reply address.
>
>My suggestion is to use a *nix based autoresponder. Have it only reply to
>addresses in your address book. Or better yet, ditch the autoresponder.
>

Spam comes in and gets through filter
Out Of Office AutoReply goes out
Boiiiing! - NDR arrives in inbox

Therefore spam, in the implied sense of the word, would double.

It pollutes auto-whitelists too, but doesn't usually expose you to more spam because bogus addresses are unlikely to be reused.

From sujithem at cdacb.ernet.in Thu Aug 3 06:45:33 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Thu Aug 3 06:46:12 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <44D18987.4070400@maddoc.net>
References: <44D18987.4070400@maddoc.net>
Message-ID: <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com>

Please lemme know when you last updated the rule, 2006-08-02?

Thanks
Sujith Emmanuel

On 8/3/06, Doc Schneider wrote:
>
> I added a "tweak" to the rule set that should catch more of these dang
> image spams.
>
> For those of you running "SARE_STOCK" please let me know if these are
> now being caught.
>
> Thanks!
>
> I can be contacted off list either at this address or maddoc@maddoc.net
> which is the contact address in the rules.
>
> --
> -Doc
> Lincoln, NE.
> http://www.genealogyforyou.com/
> http://www.cairnproductions.com/
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/b9620790/attachment.html

From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 07:10:20 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Thu Aug 3 07:10:58 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To:
Message-ID:

On Wednesday, August 02, 2006 11:06 PM Drew Marshall wrote:

Drew, thanks for the wake-up call off-list. :-)

>>> I would always say go with the ports.

Yes. You should do that with every software available as a port.

>>> They are up dated pretty
>>> regularly so never far behind the source any way.

Well in case of MailScanner: Mea culpa once again. I will try to produce an up-to-date version today.

>> http://www.freshports.org/mail/p5-Mail-ClamAV/
>>
>> See entry on 23 Feb 2004

So long ago. Let me search my memory. :-) At that time the module required threaded perl to work. I am not sure whether or not this was a perl or a clamav requirement. Recompiling perl with threaded support helped but personally gave me other problems so I always went for the command-line version. If others say it works with the non-threaded version now things might have changed. I will give it a try (maybe this afternoon). Are you "only" getting the warning in pkg-message? If so I would guess it is just an outdated warning.

Kind regards,
JP

From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 07:16:50 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Thu Aug 3 07:17:15 2006
Subject: Manpages / FreeBSD
Message-ID:

Hi,

just a quick question. Obviously the documentation is now on the web. I just realized that the latest version does not seem to contain any documentation at all. Question: Is everybody ok with this? I could try to maintain the man pages and patch them in the FreeBSD port but I could also save some time and simply rely on the web documentation. Just want to make sure not every port user is going to kill me for that later on. :-)

Regards,
JP

From doc at maddoc.net Thu Aug 3 07:20:42 2006
From: doc at maddoc.net (Doc Schneider)
Date: Thu Aug 3 07:20:47 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com>
References: <44D18987.4070400@maddoc.net> <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com>
Message-ID: <44D195BA.6050308@maddoc.net>

Sujith Emmanuel wrote:
> Please lemme know when you last updated the rule, 2006-08-02?
>
> Thanks
> Sujith Emmanuel
>
> On 8/3/06, *Doc Schneider* < doc@maddoc.net > wrote:
>
> I added a "tweak" to the rule set that should catch more of these dang
> image spams.
>
> For those of you running "SARE_STOCK" please let me know if these are
> now being caught.
>
> Thanks!
>
> I can be contacted off list either at this address or
> maddoc@maddoc.net
> which is the contact address in the rules.
>
> --
> -Doc
> Lincoln, NE.
> http://www.genealogyforyou.com/
> http://www.cairnproductions.com/
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

# Version: 01.00.28
# Created: 2005-12-18
# Modified: 2006-08-02

Is the latest and greatest.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From sujithem at cdacb.ernet.in Thu Aug 3 07:52:17 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Thu Aug 3 07:52:54 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <44D195BA.6050308@maddoc.net>
References: <44D18987.4070400@maddoc.net> <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com> <44D195BA.6050308@maddoc.net>
Message-ID: <1d1e72700608022352n71f1517al5c45bfc6d550bd57@mail.gmail.com>

Yes I got that today, thank you very much. Lemme check out the results.

Thanks and Regards
Sujith Emmanuel

# Version: 01.00.28
# Created: 2005-12-18
# Modified: 2006-08-02

Is the latest and greatest.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/7de732ec/attachment.html

From davidj at synaq.com Thu Aug 3 08:13:10 2006
From: davidj at synaq.com (David Jacobson)
Date: Thu Aug 3 08:13:57 2006
Subject: MCP Speed...
Message-ID: <1154589190.14071.3.camel@jakes.synaq.com>

Hi Gents,

I wonder if you can help with a small problem regarding MCP speeds.

We maintain a number of MailScanner servers for a customer which processes about a million e-mails a month. The client has requested that we check for certain keywords +/- 20 and send them through to an address. We've implemented this for them, but it adds an extreme load on the servers.

I've had a close look at the MCP spam.assassin.prefs.conf and even though it disabled Razor / Pyzor / DCC etc I still believe it's doing way too many checks than required for pure keyword analysis.
It appears to load all the plugins when doing a spamassassin -p /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf such as SPF, AWL, etc etc all from v310.pre, can someone tell me how I can disable the MCP prefs from using this? I still obviously want to keep the plugins so I can't remove them from v310.pre

Any advice would be appreciated...

--
Regards,

David Jacobson
Technical Director
SYNAQ (Pty) Ltd
Tel: 011 245 5888
Direct: 011 245 5889
Fax: 011 783 9275
Cell: 083 235 0760
Mail: davidj@synaq.com
Web: http://www.synaq.com
Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1

From adrik at salesmanager.nl Thu Aug 3 08:23:46 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Thu Aug 3 08:23:49 2006
Subject: Manpages / FreeBSD
Message-ID:

Hi JanPeter,

I promise not to kill you. :-)
ManPages are nice to have on the system, but I think I can live without them if need be.
Perhaps a compromise, where you install small and simple ManPages, which tell you to visit the web for more detailed and advanced information?
These would only have to be written once and never updated anymore.

Regards,
Adri.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Koopmann, Jan-Peter
> Sent: donderdag 3 augustus 2006 8:17
> To: MailScanner discussion
> Subject: Manpages / FreeBSD
>
> Hi,
>
> just a quick question. Obviously the documentation is now on
> the web. I just realized that the latest version does not
> seem to contain any documentation at all. Question: Is
> everybody ok with this? I could try to maintain the man pages
> and patch them in the FreeBSD port but I could also save some
> time and simply rely on the web documentation. Just want to
> make sure not every port user is going to kill me for that
> later on.
:-)
>
>
> Regards,
> JP
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From adrik at salesmanager.nl Thu Aug 3 08:29:07 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Thu Aug 3 08:29:10 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Koopmann, Jan-Peter
> Sent: donderdag 3 augustus 2006 8:10
> To: MailScanner discussion
> Subject: RE: ClamAV on FreeBSD - ports or Perl module?
>
> On Wednesday, August 02, 2006 11:06 PM Drew Marshall wrote:
>
> Drew, thanks for the wake-up call off-list. :-)
>
> >>> I would always say go with the ports.
>
> Yes. You should do that with every software available as a port.
>
> >>> They are up dated pretty
> >>> regularly so never far behind the source any way.
>
> Well in case of MailScanner: Mea culpa once again. I will try
> to produce an up-to-date version today.
>
> >> http://www.freshports.org/mail/p5-Mail-ClamAV/
> >>
> >> See entry on 23 Feb 2004
>
> So long ago. Let me search my memory. :-) At that time the
> module required threaded perl to work. I am not sure whether
> or not this was a perl or a clamav requirement. Recompiling
> perl with threaded support helped but personally gave me
> other problems so I always went for the command-line version.
> If others say it works with the non-threaded version now
> things might have changed. I will give it a try (maybe this
> afternoon). Are you "only" getting the warning in
> pkg-message? If so I would guess it is just an outdated warning.

Jan Peter,

I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on FreeBSD 5.4 without any problems for over 1 year now.

Regards,
Adri.

From glenn.steen at gmail.com Thu Aug 3 08:54:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 3 08:55:03 2006
Subject: blocking out-of-office
In-Reply-To: <44D05DF6.6030505@utwente.nl>
References: <44D0563F.90409@utwente.nl> <44D05DF6.6030505@utwente.nl>
Message-ID: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com>

On 02/08/06, Peter Peters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Julian Field wrote on 2-8-2006 10:00:
> > Read the comments above the "Remove These Headers" option.
> >
> > # If any of these headers are included in a a message, they will be
> > deleted.
> > # This is very useful for removing return-receipt requests and any
> > headers
> > # which mean special things to your email client application.
>
> This helps only when the sender asks for a DSN. This does not help when
> the recipient has configured to send an out of office to every message
> he receives.
>

This has been asked before on the list, but never really answered.... because it can't be(!)... OoO/vacation really is a phenomenon, not a standardised thing, so you don't have much to go by... Other than scoring the actual text (usually in the subject), I don't think you have many options. If you use Postfix, you could make a DISCARDing header_check, but then.... that might end badly:-).

The sane solution is to not allow OoO, and encourage your user to use other measures (like "mailbox delegations" etc).
Unfortunately PHBs are rarely sane...:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From adrik at salesmanager.nl Thu Aug 3 09:00:23 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Thu Aug 3 09:00:28 2006
Subject: chinese-language email
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Ugo Bellavance
> Sent: woensdag 2 augustus 2006 20:17
> To: mailscanner@lists.mailscanner.info
> Subject: Re: chinese-language email
>
> Adri Koppes wrote:
> > Hi Daniel,
> >
> > In your local.cf or spamassassin.prefs.conf check the settings of
> > ok_languages and ok_locales.
> > These 2 SpamAssassin settings are used for the FARAWAY and
> other rules.
>
> I guess that every time we add something to these settings,
> the catch rate for foreign spam is reduced?
>

Ugo,

For every language you add to these settings, they will no longer be marked and some of the FARAWAY and CHARSET rules score quite heavily.
When people start using these settings, I recommend they add all the foreign languages and locales they expect to receive in legitimate messages.

Adri.

From drew at themarshalls.co.uk Thu Aug 3 09:09:40 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Thu Aug 3 09:09:53 2006
Subject: Manpages / FreeBSD
In-Reply-To:
References:
Message-ID: <55502.194.70.180.170.1154592580.squirrel@webmail.r-bit.net>

On Thu, August 3, 2006 08:23, Adri Koppes wrote:
> Hi JanPeter,
>
> I promise not to kill you. :-)

Me too! :-)

> ManPages are nice to have on the system, but I think I can live without
> them if need be.
> Perhaps a compromise, where you install small and simple ManPages, which
> tell you to visit the web for more detailed and advanced information?
> These would only have to be written once and never updated anymore.

Agreed. This would be a good option.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From navshobhmagotra at cdacnoida.in Thu Aug 3 11:51:03 2006
From: navshobhmagotra at cdacnoida.in (Nasvhobh Magotra)
Date: Thu Aug 3 11:51:51 2006
Subject: SpamAssassin MailScanner Problem
Message-ID: <200608031051.k73AplgA012739@bkserver.blacknight.ie>

Hi all Members

I have configured a qmail server with openprotect-5.0.4 that contains mailscanner, spamassassin and clamav as default scanners on a debian sarge system. The installation went smoothly. But I have a peculiar problem. The clamav scanning is working perfectly but spamassassin is not. I have checked Mailscanner.conf and it is perfectly fine. If I test GTUBE it is giving perfect results i.e. score 1000 but if I test the example file "/etc/Mailscanner/testmessages/sample-spam.txt" it always gives a score of zero. If I run /usr/bin/spamc on the file it results in a score of 16.2. I am not able to find exactly what is the problem.
the example /var/log/mail.log is :

Aug 3 16:05:42 email MailScanner[6361]: Filetype Checks: Allowing 4660723 msg-6361-1.txt
Aug 3 16:05:42 email MailScanner[6361]: Uninfected: Delivered 1 messages
Aug 3 16:14:51 email MailScanner[6314]: New Batch: Scanning 1 messages, 664 bytes
Aug 3 16:14:51 email MailScanner[6314]: MCP Checks: Starting
Aug 3 16:14:51 email MailScanner[6314]: Spam Checks: Starting
Aug 3 16:15:07 email MailScanner[6314]: Message 4660723 from ece (test@test.com) to test.com is not spam, SpamAssassin (score=0, required 3)
Aug 3 16:15:07 email MailScanner[6314]: Virus and Content Scanning: Starting
Aug 3 16:15:08 email MailScanner[6314]: Filename Checks: Allowing 4660723 msg-6314-2.txt
Aug 3 16:15:08 email MailScanner[6314]: Filetype Checks: Allowing 4660723 msg-6314-2.txt
Aug 3 16:15:08 email MailScanner[6314]: Uninfected: Delivered 1 messages
Aug 3 16:15:53 email MailScanner[6314]: New Batch: Scanning 1 messages, 735 bytes
Aug 3 16:15:53 email MailScanner[6314]: MCP Checks: Starting
Aug 3 16:15:53 email MailScanner[6314]: Spam Checks: Starting
Aug 3 16:15:55 email MailScanner[6314]: Message 4660723 from ece (test@test.com) to test.com is spam, SpamAssassin (score=1000, required 3, GTUBE 1000.00)
Aug 3 16:15:55 email MailScanner[6314]: Spam Checks: Found 1 spam messages
Aug 3 16:15:55 email MailScanner[6314]: Spam Actions: message 4660723 actions are deliver
Aug 3 16:15:55 email MailScanner[6314]: Virus and Content Scanning: Starting
Aug 3 16:15:57 email MailScanner[6314]: Filename Checks: Allowing 4660723 msg-6314-3.txt
Aug 3 16:15:57 email MailScanner[6314]: Filetype Checks: Allowing 4660723 msg-6314-3.txt
Aug 3 16:15:57 email MailScanner[6314]: Uninfected: Delivered 1 messages

Regards,
Navshobh Magotra,
Network Administrator,
C-56/1, Anusandhan Bhavan Institutional Area,
CDAC, Sector-62,Noida-201307
Ph. 0120-3063330/331

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/be88f071/attachment.html

From ugob at camo-route.com Thu Aug 3 13:34:51 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Aug 3 13:35:33 2006
Subject: chinese-language email
In-Reply-To:
References:
Message-ID:

Adri Koppes wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Ugo Bellavance
>> Sent: woensdag 2 augustus 2006 20:17
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: chinese-language email
>>
>> Adri Koppes wrote:
>>> Hi Daniel,
>>>
>>> In your local.cf or spamassassin.prefs.conf check the settings of
>>> ok_languages and ok_locales.
>>> These 2 SpamAssassin settings are used for the FARAWAY and
>> other rules.
>>
>> I guess that every time we add something to these settings,
>> the catch rate for foreign spam is reduced?
>>
> Ugo,
>
> For every language you add to these settings, they will no longer be
> marked and some of the FARAWAY and CHARSET rules score quite heavily.
> When people start using these settings, I recommend they add all the
> foreign languages and locales they expect to receive in legitimate
> messages.

Ok, but from what I've seen, the default is en, so we're all using it. This doesn't really answer my question... What I meant is that CHARSET and FARAWAY rules help us catch some spam from foreign countries. If I get a few false positives for chinese e-mails and I put chinese in ok_locales and ok_languages, my catch rate for chinese spam will be lower, right? Most of our traffic is english and french.

Thanks.

Ugo

>
> Adri.

From adrik at salesmanager.nl Thu Aug 3 13:44:43 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Thu Aug 3 13:44:44 2006
Subject: chinese-language email
Message-ID:

> Ok, but from what I've seen, the default is en, so we're all
> using it.
> This doesn't really answer my question...
What I meant is
> that CHARSET and FARAWAY rules help us catch some spam from
> foreign countries. If I get a few false positives for
> chinese e-mails and I put chinese in ok_locales and
> ok_languages, my catch rate for chinese spam will be lower,
> right? Most of our traffic is english and french.

Ugo,

I know, Jules put the default for english only in spam.preferences.conf.
This means any non-english message will get an extra 2 or 3 points added to the SA score.
When you add the chinese language, it will no longer add the extra score to these messages, so yes, the catch rate for chinese spam will be lower.
If most of your traffic is english and french, I'd suggest using 'en fr' for ok_languages.

Adri.

From daniel.maher at ubisoft.com Thu Aug 3 14:27:10 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Aug 3 14:27:14 2006
Subject: 70_sare_stocks.cf
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org>

Hello,

Would it be possible for you to post a diff for your tweaks? I'm curious, and I'm sure I'm not the only one! :)

--
 _
°v°   Daniel Maher
/(_)\ Administrateur Système Unix
 ^ ^  Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Doc Schneider
> Sent: August 3, 2006 1:29 AM
> To: MailScanner discussion
> Subject: 70_sare_stocks.cf
>
> I added a "tweak" to the rule set that should catch more of these dang
> image spams.
>
> For those of you running "SARE_STOCK" please let me know if these are
> now being caught.
>
> Thanks!
>
> I can be contacted off list either at this address or maddoc@maddoc.net
> which is the contact address in the rules.
>
> --
> -Doc
> Lincoln, NE.
> http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From daniel.maher at ubisoft.com Thu Aug 3 14:33:22 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 3 14:33:25 2006 Subject: chinese-language email Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D070@UBIMAIL1.ubisoft.org> If you actually receive a fair amount of Chinese-language spam, you may want to consider the following: http://www.ccert.edu.cn/spam/sa/Chinese_rules_en.htm -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Adri Koppes > Sent: August 3, 2006 8:45 AM > To: MailScanner discussion > Subject: RE: chinese-language email > > > Ok, but from what I've seen, the default is en, so we're all > > using it. > > This doesn't really answer my question... What I meant is > > that CHARSET and FARAWAY rules helps us catch some spam from > > foreign countries. If I get a few false positives for > > chinese e-mails and I put chinese in ok_locales and > > ok_languages, my catch rate for chinese spam will we lower > > right? Most of our traffic is english and french. > > Ugo, > > I know, Jules put the default for english only in spam.preferences.conf. > This means any non-english message will get an extra 2 or 3 points added > to the SA score. > When you add the chinese language, it will no longer add the extra score > to these messages, so yes, the catch rate for chinese spam will be > lower. > If most of your traffic is english and french, I'd suggest using 'en fr' > for ok_languages. > > Adri. 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From dhawal at netmagicsolutions.com Thu Aug 3 14:37:57 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Aug 3 14:38:11 2006 Subject: 70_sare_stocks.cf In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> Message-ID: <44D1FC35.1030804@netmagicsolutions.com> Daniel Maher wrote: > Hello, > > Would it be possible for you to post a diff for your tweaks? I'm curious, and I'm sure I'm not the only one! :) here.. [root@sauron ~]# diff 70_sare_stocks.cf 70_sare_stocks.cf.20060803-1409 2c2 < # Version: 01.00.28 --- > # Version: 01.00.27 4c4 < # Modified: 2006-08-02 --- > # Modified: 2006-07-24 48d47 < # 01.00.28 Tweeked GIF catcher rule. 729c728 < full SARE_GIF_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i --- > full SARE_GIF_ATTACH /name=\"[a-z.]{3,18}\.gif\"/i Works fine for me so far.. in addition i use these posted on the sa-users list.. though i ought to be using the second one as a meta rule. rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i describe INLINE_IMAGE Inline Image score INLINE_IMAGE 2.0 rawbody INLINE_IMAGE2 /src\s*=\s*["']cid:image001\.gif/i describe INLINE_IMAGE2 Inline Image image001.gif score INLINE_IMAGE2 2.0 >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Doc Schneider >> Sent: August 3, 2006 1:29 AM >> To: MailScanner discussion >> Subject: 70_sare_stocks.cf >> >> I added a "tweak" to the rule set that should catch more of these dang >> image spams. >> >> For those of you running "SARE_STOCK" please let me know if these are >> now being caught. >> >> Thanks! 
>> >> I can be contacted off list either at this address or maddoc@maddoc.net >> which is the contact address in the rules. >> >> -- >> -Doc >> Lincoln, NE. >> http://www.genealogyforyou.com/ >> http://www.cairnproductions.com/ From raymond at prolocation.net Thu Aug 3 14:47:13 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Aug 3 14:47:13 2006 Subject: 70_sare_stocks.cf In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> Message-ID: Hi! > Would it be possible for you to post a diff for your tweaks? I'm > curious, and I'm sure I'm not the only one! :) >> For those of you running "SARE_STOCK" please let me know if these are >> now being caught. >> >> Thanks! Just get a new version of the ruleset, all is included there. Bye, Raymond. From jgolden at ci.grand-rapids.mi.us Thu Aug 3 15:39:09 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 15:39:56 2006 Subject: Spamassassin Timeouts Message-ID: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> I received this info from Logwatch, but I am not sure if it is something I should be concerned about. Would anyone else be kind enough to fill me in? And what to do about it if it is not an OK thing? MailScanner Status: 21351 messages Scanned by MailScanner 968.5 Total MB 13531 Spam messages detected by MailScanner 13531 Spam messages with action(s) store 902 hits from MailScanner SpamAssassin cache 6 Viruses found by MailScanner 4 Banned attachments found by MailScanner 967 Content Problems found by MailScanner 7778 Messages delivered by MailScanner 61 SpamAssassin timeout(s Thanks, James -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/cea8193a/attachment.html From jgolden at ci.grand-rapids.mi.us Thu Aug 3 16:14:12 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 16:14:48 2006 Subject: Question about spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> Sorry, I should have put that info in there. I'm not sure what the original date of the file was, because now I moved it. I did a compare on my old one and the rpmnew one. -rw-r--r-- 1 root root 10963 May 27 15:19 spam.assassin.prefs.conf.rpmnew In the old file test I found this as a latest edit: # JKF 12/01/2005 - known troublesome rule So, after the compare, I then added any settings entry that was missing (which was about 3 lines) (bayes_path, awl_path, and one other) to the file. and then replaced the old one with the rpmnew version. Everything looks OK. I was just wondering if I missed a step. I know I ran a few scripts to upgrade Mailscanner.conf and another, but I didn't remember doing it for spam.assassin.prefs.conf file. I did just upgrade to the 4.54.6-1 version. I didn't do it via RPM, I did it via the script from MailScanner (if I remember correctly). Thanks for the response, James On Thu, 2006-08-03 at 01:40 -0400, ajos1@onion.demon.co.uk wrote: > - > > How long ago was your previous update? > > I do ALL the STABLE updates... from RPM... and my spamassassin.prefs.conf is dated: > > -rw-r--r-- 1 root root 11023 May 8 14:53 spam.assassin.prefs.conf > > (There is no RPMNEW)... so I am assuming May 8 is the lastest version to have? > > >> > >> I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there are reason I should/should not do this? 
> >> > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/2879767a/attachment.html From steve.swaney at fsl.com Thu Aug 3 16:23:46 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Aug 3 16:21:54 2006 Subject: Spamassassin Timeouts In-Reply-To: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <006b01c6b710$d0657e70$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Golden, James > Sent: Thursday, August 03, 2006 10:39 AM > To: MailScanner discussion > Subject: Spamassassin Timeouts > > I received this info from Logwatch, but I am not sure if it is something I > should be concerned about. Would anyone else be kind enough to fill me > in? And what to do about it if it is not an OK thing? 
>
> MailScanner Status:
> 21351 messages Scanned by MailScanner
> 968.5 Total MB
> 13531 Spam messages detected by MailScanner
> 13531 Spam messages with action(s) store
> 902 hits from MailScanner SpamAssassin cache
> 6 Viruses found by MailScanner
> 4 Banned attachments found by MailScanner
> 967 Content Problems found by MailScanner
> 7778 Messages delivered by MailScanner
>
> 61 SpamAssassin timeout(s
>
> Thanks,
>
> James

You should be concerned because probably some spam is getting through and MailScanner processing is taking longer than it should.

SpamAssassin time outs most often occur because the SpamAssassin network tests are taking too long or never completing. Check your DNS lookup speed and the health of your network in general.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ka at pacific.net Thu Aug 3 16:25:45 2006
From: ka at pacific.net (Ken A)
Date: Thu Aug 3 16:24:54 2006
Subject: Inline image havoc
In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu>
References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <44D21579.3050601@pacific.net>

Try this:

full LOCAL_IMAGE_07312006 /QKAAQMAAQOAAQAA/
describe LOCAL_IMAGE_07312006 spam image
score LOCAL_IMAGE_07312006 10.0

It's nabbed all of them here, but it's entirely dependent on the content of the image, so ymmv. The image analysis consists of copying the base64 parts from 4 spams to 4 files, then doing 'cat 1 2 3 4 | sort' and look for repeat lines. I expect the image will change at about 5pm tomorrow... just before I go home for the weekend.

Ken A.
Pacific.Net

Michael Masse wrote:
> I apologize because this is more of a SA related question, but I was
> curious if anyone running a busy Mailscanner is also running any of the
> various SA plugins that do OCR checking to defeat inline image spam?
> Do they work? How much extra load on the server have you noticed?
> Is there any plugin that seems better overall?
Seems as of late, the > only spam that ever gets through is the inline image stuff and just > recently we are getting bombarded with the junk.... It's bad enough > that pine looks like a good option again..... > > > Mike > From dstraka at caspercollege.edu Thu Aug 3 16:39:49 2006 From: dstraka at caspercollege.edu (Daniel Straka) Date: Thu Aug 3 16:40:36 2006 Subject: Logwatch MailScanner Status Missing Message-ID: <44D1C465.61A4.0000.0@caspercollege.edu> I recently installed a new MailScanner machine with SUSE Enterprise 10 and sendmail, I was previously on RedHat 7.3. MailScanner seems to be working fine, but Logwatch does not display a MailScanner Status section as it did with Redhat. Also SUSE has several mail log files (mail, mail.info, mail.err, mail.warn) whereas Redhat had only the file "maillog". Logwatch doesn't seem to recognize any of these. Can anyone guide with how to get Logwatch to report the MailScanner Status section for me on this system? Thanks..Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jgolden at ci.grand-rapids.mi.us Thu Aug 3 16:51:12 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 16:51:18 2006 Subject: [Fwd: RE: Spamassassin Timeouts] Message-ID: <1154620273.6014.1.camel@doit-b8wsw21.grand-rapids.mi.us> Thanks for that. I am thinking it may be more of a hardware issue. 
My digs were quick

Worst:
real 0m0.324s
user 0m0.010s
sys 0m0.020s

Best:
real 0m0.090s
user 0m0.020s
sys 0m0.000s

When I looked at top though I find this is typical:

11:47:08 up 8 days, 8:27, 1 user, load average: 7.78, 6.86, 6.88
102 processes: 94 sleeping, 4 running, 4 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 131.8% 0.0% 31.4% 0.0% 0.0% 0.0% 36.4%
cpu00 55.7% 0.0% 15.6% 0.0% 0.0% 0.0% 28.5%
cpu01 76.1% 0.0% 15.8% 0.0% 0.0% 0.0% 8.0%
Mem: 2068248k av, 1857084k used, 211164k free, 0k shrd, 291000k buff
896772k active, 775948k inactive
Swap: 1020088k av, 158976k used, 861112k free 616232k cached

Any recommendations? Should I cut back on some network tests? I have been very happy with the setup lately as it has been catching a LOT more spam than it was a week ago.

I have 8 Mailscanner processes allowed to run at a time

Thanks,

James

> From: Stephen Swaney
> Reply-To: MailScanner discussion
> To: 'MailScanner discussion'
> Subject: RE: Spamassassin Timeouts
> Date: Thu, 3 Aug 2006 11:23:46 -0400
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Golden, James
> > Sent: Thursday, August 03, 2006 10:39 AM
> > To: MailScanner discussion
> > Subject: Spamassassin Timeouts
> >
> > I received this info from Logwatch, but I am not sure if it is something I
> > should be concerned about. Would anyone else be kind enough to fill me
> > in? And what to do about it if it is not an OK thing?
> >
> > MailScanner Status:
> > 21351 messages Scanned by MailScanner
> > 968.5 Total MB
> > 13531 Spam messages detected by MailScanner
> > 13531 Spam messages with action(s) store
> > 902 hits from MailScanner SpamAssassin cache
> > 6 Viruses found by MailScanner
> > 4 Banned attachments found by MailScanner
> > 967 Content Problems found by MailScanner
> > 7778 Messages delivered by MailScanner
> >
> > 61 SpamAssassin timeout(s
> >
> > Thanks,
> >
> > James
>
> You should be concerned because probably some spam is getting through and
> MailScanner processing is taking longer than it should.
>
> SpamAssassin time outs most often occur because the SpamAssassin network
> tests are taking too long or never completing. Check your DNS lookup speed
> and the health of your network in general.
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/c579d4d8/attachment.html

From jaearick at colby.edu Thu Aug 3 17:15:12 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 3 17:21:23 2006
Subject: SA rules_du_jour lint bug: FOUND
Message-ID:

Gang,

I upgraded to SA 3.1.4 last night, and continued to be plagued by lint failures in the rules_du_jour script, like so:

/opt/perl5/bin/spamassassin -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint
[27791] warn: config: SpamAssassin failed to parse line, "/var/spool/spamassassin" is not valid for "bayes_path", skipping: bayes_path /var/spool/spamassassin

I had this problem in earlier versions of SA, but had worked around it by having a different spam.assassin.prefs.conf with no bayes_path entry. This hack quit working with 3.1.4. I found where the problem is in the SpamAssassin code.
The following diff to [perlpath]/5.8.8/Mail/SpamAssassin/Conf.pm "fixes" the problem: *** Conf.pm.orig Thu Aug 3 11:49:37 2006 --- Conf.pm.new Thu Aug 3 12:04:24 2006 *************** *** 2239,2246 **** unless (defined $value && $value !~ /^$/) { return $MISSING_REQUIRED_VALUE; } ! if (-d $value) { ! return $INVALID_VALUE; } $self->{bayes_path} = $value; } --- 2239,2246 ---- unless (defined $value && $value !~ /^$/) { return $MISSING_REQUIRED_VALUE; } ! if (-f $value) { ! return $INVALID_VALUE; } $self->{bayes_path} = $value; } I know this isn't quite right, since the test should be "if NOT a directory, return INVALID_VALUE". But the code: if ( ! -d $value) didn't work correctly. Anyway, this clearly seems to be a bug in SpamAssassin. Since I'm not a subscriber to SpamAssassin-dev, would somebody else (Raymond?) care to post this bug to the SA developers? Jeff Earickson Colby College From mkettler at evi-inc.com Thu Aug 3 17:57:10 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 3 17:57:31 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: References: Message-ID: <44D22AE6.4020709@evi-inc.com> Jeff A. Earickson wrote: > Gang, > > I upgraded to SA 3.1.4 last night, and continued to be plagued by > lint failures in the rules_du_jour script, like so: > > /opt/perl5/bin/spamassassin -p > /opt/MailScanner/etc/spam.assassin.prefs.conf --lint > [27791] warn: config: SpamAssassin failed to parse line, > "/var/spool/spamassassin" is not valid for "bayes_path", skipping: > bayes_path /var/spool/spamassassin > > I had this problem in earlier versions of SA, but had worked around > > I know this isn't quite right, since the test should be "if NOT a > directory, return INVALID_VALUE". But the code: NO! It should be IF a directory, return invalid. It is NOT valid to specify a directory as a bayes path, because bayes_path is not just a path. It's a path plus partial filename! 
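
Review bot: the replacement test `if (-f $value)` in the Conf.pm hunk (lines 2239-2246) inverts the validation instead of repairing it. The original `-d $value` rejects a directory, which is the intended behaviour given that bayes_path is a path plus a partial filename; with `-f`, a bare directory such as "/var/spool/spamassassin" is accepted and a value that happens to name an existing regular file is rejected. Suggest dropping the code change and fixing the configuration value so it ends in a filename prefix, for example `bayes_path /var/spool/spamassassin/bayes` (illustrative value), which passes the unmodified `-d` check.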
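
The rule stated in the reply above (a directory is not a valid bayes_path; the value is a directory plus a filename prefix) can be checked before running --lint. This is an added Python example, not code from the thread or from SpamAssassin; the function names, the simplified config parsing and the temporary sample files are assumptions made for the demonstration.

```python
import glob
import os
import tempfile


def find_bayes_path(conf_text):
    """Return the value of the last active bayes_path line, or None.

    Simplified parsing (assumption): everything after '#' is a comment,
    and the setting is 'bayes_path <value>' separated by whitespace.
    """
    value = None
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0].split(None, 1)
        if len(active) == 2 and active[0] == "bayes_path":
            value = active[1].strip()
    return value


def check_bayes_path(value):
    """Classify a bayes_path value.

    Returns (status, files) where status is one of:
      'unset'     - no active bayes_path setting
      'directory' - value names a directory (the case --lint rejects)
      'no-parent' - the directory part of the value does not exist
      'ok'        - directory exists and the last component is a prefix;
                    files lists database files already using that prefix
    """
    if not value:
        return ("unset", [])
    if os.path.isdir(value):
        # Same condition as the unmodified '-d $value' test in Conf.pm.
        return ("directory", [])
    parent = os.path.dirname(value)
    if not os.path.isdir(parent):
        return ("no-parent", [])
    pattern = glob.escape(value) + "*"
    files = sorted(os.path.basename(p) for p in glob.glob(pattern))
    return ("ok", files)


def demo():
    """Run both checks against a constructed, throwaway directory layout."""
    with tempfile.TemporaryDirectory() as root:
        bayes_dir = os.path.join(root, "bayes")
        os.mkdir(bayes_dir)
        # Constructed sample database files sharing the 'bayes' prefix.
        for name in ("bayes_toks", "bayes_seen"):
            open(os.path.join(bayes_dir, name), "w").close()

        # Constructed config 1: value is the directory itself (rejected).
        bad_conf = "# constructed sample\nbayes_path %s\n" % bayes_dir
        # Constructed config 2: directory plus the 'bayes' filename prefix.
        good_conf = (
            "#bayes_path /ignored/commented/out\n"
            "bayes_path %s/bayes\n" % bayes_dir
        )
        return (
            check_bayes_path(find_bayes_path(bad_conf)),
            check_bayes_path(find_bayes_path(good_conf)),
        )


if __name__ == "__main__":
    for status, files in demo():
        print(status, files)
```
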
From jaearick at colby.edu Thu Aug 3 18:54:03 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 3 19:04:51 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: <44D22AE6.4020709@evi-inc.com> References: <44D22AE6.4020709@evi-inc.com> Message-ID: Matt, Doh!! Thanks for pointing this out, I had always thought that bayes_path was a directory name, not some strange combo of directory + file prepend. I fixed my spam.assassin.prefs.conf, reverted to the original SA Conf.pm, everything works with Rules_du_jour again. Julian, Could you please modify the spam.assassin.prefs.conf to include the following useful comments (diff -c format)? *************** *** 83,89 **** --- 83,96 ---- # FSL Note: we need to coordinate the Bayes File Placement # With MailWatch + # bayes_path should NOT be directory! + # The Rules_du_jour script will choke if it is a directory. + # It needs to be a full pathname, PLUS a partial filename. + # In this example, the trailing "bayes" will be the "bayes*" + # files in the directory "/etc/MailScanner/bayes/" + # Thanks to Matt Kettler for pointing this out. #bayes_path /etc/MailScanner/bayes/bayes + # This is actually used as a mask, not a raw chmod setting. # Thanks for Matt Kettler for spotting this one. # Commented out: this if for MailWatch and Exim/Postfix users only. Jeff Earickson Colby College On Thu, 3 Aug 2006, Matt Kettler wrote: > Date: Thu, 03 Aug 2006 12:57:10 -0400 > From: Matt Kettler > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: SA rules_du_jour lint bug: FOUND > > Jeff A. 
Earickson wrote: >> Gang, >> >> I upgraded to SA 3.1.4 last night, and continued to be plagued by >> lint failures in the rules_du_jour script, like so: >> >> /opt/perl5/bin/spamassassin -p >> /opt/MailScanner/etc/spam.assassin.prefs.conf --lint >> [27791] warn: config: SpamAssassin failed to parse line, >> "/var/spool/spamassassin" is not valid for "bayes_path", skipping: >> bayes_path /var/spool/spamassassin >> >> I had this problem in earlier versions of SA, but had worked around > > >> >> I know this isn't quite right, since the test should be "if NOT a >> directory, return INVALID_VALUE". But the code: > > NO! It should be IF a directory, return invalid. It is NOT valid to specify a > directory as a bayes path, because bayes_path is not just a path. It's a path > plus partial filename! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at WoodMacLaw.com Thu Aug 3 19:05:21 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Thu Aug 3 19:05:27 2006 Subject: blocking out-of-office In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Chris Green > Sent: Thursday, August 03, 2006 1:34 AM > To: mailscanner@lists.mailscanner.info > Subject: RE: blocking out-of-office > > >At 11:49 AM 8/2/2006, you wrote: > > > >>My employees report that when they have the out of office turned on they > >>receive more spam..... > > > > > >I don't know how the two are related. Most spam I see doesn't have a > valid > >reply address. > > > >My suggestion is to use a *nix based autoresponder. Have it only reply to > >addresses in your address book. 
Or better yet, ditch the autoresponder. > > > Spam comes in and gets through filter > Out Of Office AutoReply goes out > Boiiiing! - NDR arrives in inbox > Therefore spam, in the implied sense of the word, would double. > > It pollutes auto-whitelists too, but doesn't usually expose you to more > spam > due because bogus addresses are unlikely to be reused. > > Makes sense. I also assume that Outlook 2003's client side filter sends out a Out of Office response to the filtered spam that ends up in the junk mail folder. True? From jase at sensis.com Thu Aug 3 19:09:32 2006 From: jase at sensis.com (Desai, Jason) Date: Thu Aug 3 19:09:59 2006 Subject: blocking out-of-office Message-ID: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com> mailscanner-bounces@lists.mailscanner.info wrote: SHA1 wrote: > Hi, > > Julian Field wrote on 2-8-2006 10:00: >> Read the comments above the "Remove These Headers" option. >> >> # If any of these headers are included in a a message, they will be >> deleted. # This is very useful for removing return-receipt requests >> and any headers # which mean special things to your email client >> application. > > This helps only when the sender asks for a DSN. This does not help > when the recipient has configured to send an out of office to every > message he receives. Peter, I have recently implemented something similar. Management wanted to allow only some people to send out of office messages over the internet. Since our MailScanner box is inline, I wrote a custom function for the Is Definitely MCP option. It's not a complex function. I am waiting to hear back from management to see if I can post it here. Jase From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:44:37 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:45:03 2006 Subject: ClamAV on FreeBSD - ports or Perl module? 
In-Reply-To: Message-ID: On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote: > I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on > FreeBSD 5.4 without any problems for over 1 year now. Good to know! I will try to switch to Mail-ClamAV the next days (today just was not possible as was the new port). If that works out as well (which it will) I will remove the warning from p5-Mail-ClamAV. Thanks! From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:46:35 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:46:58 2006 Subject: Manpages / FreeBSD In-Reply-To: Message-ID: On Thursday, August 03, 2006 9:24 AM Adri Koppes wrote: > I promise not to kill you. :-) I will take your word for it! :-) > ManPages are nice to have on the system, but I think I can live > without them if need be. > Perhaps a compromise, where you install small and simple ManPages, > which tell you to visit the web for more detailed and advanced > information? These would only have to written once and never updated > anymore. Sounds like a good solution to me. I will need to adjust the port a bit due to several files not being in there anymore. Therefore it will be a few days before I can release the new version. Moreover I will have to look through the web documentation and see if there are FreeBSD specific things that I need to point out in the man pages or need to be ajusted on the web. Regards, JP From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:56:07 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:56:26 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> Message-ID: On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > The sane solution is to not allow OoO, Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP. 
> and encourage your user to use > other measures (like "mailbox delegations" etc). Unfortunately PHBs > are rarely sane...:-) And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose. Regards, JP From mailscanner at yeticomputers.com Thu Aug 3 20:06:38 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 20:06:48 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D2493E.1080209@yeticomputers.com> Koopmann, Jan-Peter wrote: > And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose. I'm curious as to some of the situations you believe need OoO. I can't think of any that wouldn't be better handled by a different solution. Of course, "better" is subjective, so I might have considered the situations you're referring to and felt differently. Still, can you give me an idea of what you're thinking? Rick From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 20:14:53 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 20:15:26 2006 Subject: blocking out-of-office In-Reply-To: <44D2493E.1080209@yeticomputers.com> Message-ID: On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > I'm curious as to some of the situations you believe need OoO. I > can't think of any that wouldn't be better handled by a different > solution. 
Of course, "better" is subjective, so I might have > considered the situations you're referring to and felt differently. > Still, can you give me an idea of what you're thinking? I tend to get private and business mail in one mailbox. Therefore I cannot simply forward all my mail to a collegue or give him/her access to it. Maybe there is not even a collegue so things simply have to wait a week but I want to let the client/customer/friend know. Etc. From campbell at cnpapers.com Thu Aug 3 20:33:40 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Aug 3 20:33:54 2006 Subject: blocking out-of-office References: Message-ID: <000801c6b733$b9845370$0705000a@DDF5DW71> ----- Original Message ----- From: "Koopmann, Jan-Peter" To: "MailScanner discussion" Sent: Thursday, August 03, 2006 3:14 PM Subject: RE: blocking out-of-office > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > >> I'm curious as to some of the situations you believe need OoO. I >> can't think of any that wouldn't be better handled by a different >> solution. Of course, "better" is subjective, so I might have >> considered the situations you're referring to and felt differently. >> Still, can you give me an idea of what you're thinking? > > I tend to get private and business mail in one mailbox. Therefore I cannot > simply forward all my mail to a collegue or give him/her access to it. > Maybe there is not even a collegue so things simply have to wait a week > but I want to let the client/customer/friend know. Etc. I'm fighting this with some of our salespeople. They want it and insist on doing it, regardless of the reasons I give them for not doing it. Some just want mail forwarded to another salesperson. I feel, though, that it would be more polite to their customers, to set up a group of contacts, business and personal, for them to notify of their absence. They could also mention a temporary contact during their absence. (Personal email would not require this). 
This accomplishes two things: The account does not find out after sending email that their salesperson is gone, and It reminds the account that there is a company with staff that is thinking of them (good will type stuff). Of course, all of this means the salesperson must do a little extra work in creating and maintaining the lists, which they say is too much work for them. By using a personalized mailman list, this could appear even more thoughtful as the contact could be addressed directly. Just my two cents worth - I haven't been able to convince anyone to do this yet here. Steve Campbell campbell@cnpapers.com Charleston Newspapers > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jethro.binks at strath.ac.uk Thu Aug 3 20:34:04 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Thu Aug 3 20:34:07 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <20060803202427.S10038@defjam.cc.strath.ac.uk> On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > > I'm curious as to some of the situations you believe need OoO. I > > can't think of any that wouldn't be better handled by a different > > solution. Of course, "better" is subjective, so I might have > > considered the situations you're referring to and felt differently. > > Still, can you give me an idea of what you're thinking? > > I tend to get private and business mail in one mailbox. Therefore I > cannot simply forward all my mail to a collegue or give him/her access > to it. Maybe there is not even a collegue so things simply have to wait > a week but I want to let the client/customer/friend know. Etc. This is quite common. 
We have legal reasons for requiring OoO; for example, the Freedom of Information Act in England and Wales considers a request sent by email to be 'received' by a public authority unless the sender hears otherwise (by way of a bounce or OoO). If you're away for two or three weeks and hence don't respond to the request within the prescribed time, and the sender has no reason to believe the request has not been received (no OoO), then the public authority has failed in the obligations the Act places upon it. But likewise I don't like the lack of controllability that Exchange (which is used internally) offers for OoO. I have implemented autoresponse systems in Exim with extreme measures so that it won't respond to, generically, 'stuff that it shouldn't respond to', so far as that is possible. I can't do a fraction of that stuff with Exchange, so it will willy-nilly send mail out in response to practically any old tat it receives. You can mitigate things by having delegated access to mailboxes, of course, but that all gets rather sticky where personal mail may be present (or there is no-one appropriate to delegate to, or whether mailbox contents really confidential to their owner, or there is no-one available to authorise delegation, or whatever). Saying "personal mail is not permitted" isn't good enough unfortunately; regardless of whether it should be there or not, if it is there, it needs to be treated with respect. (Because of all this, I have been writing guidelines for our users in this area; how they should use OoOs, recommendations how they should handle personal mail, and so on). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From mailscanner at yeticomputers.com Thu Aug 3 21:05:24 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 21:05:35 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D25704.3050300@yeticomputers.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > >> ...can you give me an idea of what you're thinking? >> > > I tend to get private and business mail in one mailbox. Therefore I cannot simply forward all my mail to a collegue or give him/her access to it. Maybe there is not even a collegue so things simply have to wait a week but I want to let the client/customer/friend know. Etc. Thanks for the reply. I'd handle it differently (and a lot less conveniently), but I can see now where you're coming from. It's just that my hatred of OoO messages is so great that I'll do pretty much anything to avoid using them (or allowing them to be used.) A few months ago, one of my users set up his email client to autoreply with a nice message, sent a test message to himself from the /same account/ and left for vacation without bothering to check the results of his test. Moments later, my mail log started scrolling madly... (sigh) Of course, this is far from the first time that such antics have caused me pain. Did I mention that I despise OoO messages? Rick From mailscanner at yeticomputers.com Thu Aug 3 21:17:22 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 21:17:38 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: <44D259D2.6080009@yeticomputers.com> Jethro R Binks wrote: > Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. 
You think so? I strongly disagree. If someone abuses a system (and knowingly using it outside of the standards established *is* abuse) then their conduct in no way deserves respect. I'm far too cynical to believe that anyone claiming not to know the rules is being truthful. If I loaned someone my car with the condition "smoking is not permitted" and they *did* smoke... Grrrr. I'd not respect that decision, either. I suppose that if there is no set policy I might make an allowance, but really... who nowadays doesn't know that a corporate account should not be used for personal communication? Rick From ugob at camo-route.com Thu Aug 3 21:33:18 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 3 21:33:49 2006 Subject: chinese-language email In-Reply-To: References: Message-ID: Adri Koppes wrote: >> Ok, but from what I've seen, the default is en, so we're all >> using it. >> This doesn't really answer my question... What I meant is >> that CHARSET and FARAWAY rules helps us catch some spam from >> foreign countries. If I get a few false positives for >> chinese e-mails and I put chinese in ok_locales and >> ok_languages, my catch rate for chinese spam will we lower >> right? Most of our traffic is english and french. > > Ugo, > > I know, Jules put the default for english only in spam.preferences.conf. > This means any non-english message will get an extra 2 or 3 points added > to the SA score. > When you add the chinese language, it will no longer add the extra score > to these messages, so yes, the catch rate for chinese spam will be > lower. > If most of your traffic is english and french, I'd suggest using 'en fr' > for ok_languages. Thanks, I really appreciate your answer. Regards, Ugo From ssilva at sgvwater.com Thu Aug 3 21:38:38 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:39:04 2006 Subject: MCP Speed... 
In-Reply-To: <1154589190.14071.3.camel@jakes.synaq.com> References: <1154589190.14071.3.camel@jakes.synaq.com> Message-ID: David Jacobson spake the following on 8/3/2006 12:13 AM: > Hi Gents, > > I wonder if you can help with a small problem regarding MCP speeds. > > We maintain a number of MailScanner servers for a customer which > processes about a million e-mails a month. > > The client has requested that we check for certain keywords +/- 20 and > send them through to an address. > > We've implemented this for them, but it adds an extreme load on the > servers. I've had a close look at the MCP spam.assassin.prefs.conf and > even though it disabled Razor / Pyzor / DCC etc I still believe it's > doing way too many checks than required for pure keyword analysis. > > It appears to load all the plugins when doing a spamassassin - > p /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf such as SPF, AWL, > etc etc all from v310.pre, can someone tell me how I can disable the MCP > prefs from using this? > > I still obviously want to keep the plugins so I can't remove them from > v310.pre > > Any advise would be appreciated... > Maybe a custom function would work here? Might be a lot lighter. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jethro.binks at strath.ac.uk Thu Aug 3 21:43:35 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Thu Aug 3 21:43:40 2006 Subject: blocking out-of-office In-Reply-To: <44D259D2.6080009@yeticomputers.com> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <44D259D2.6080009@yeticomputers.com> Message-ID: <20060803213821.W10038@defjam.cc.strath.ac.uk> On Thu, 3 Aug 2006, Rick Chadderdon wrote: > Jethro R Binks wrote: > > Saying "personal mail is not > > permitted" isn't good enough unfortunately; regardless of whether it > > should be there or not, if it is there, it needs to be treated with > > respect. > You think so? I strongly disagree. 
You can disagree all you like, but that's essentially what legislation says we must do (Human Rights Act, and the European legislation from which it derives). > who nowadays doesn't know that a corporate account should not be used > for personal communication? The people who have not been told that it shouldn't be used for such, and the people who have been told that it may be used for such. And speaking personally, I find such rules oppressive and offensive. One's personal life doesn't end when one walks through the office door. This is the real world. There are, of course, reasonable limits on how far 'personal use' should extend. Most sane employers got over their hangup about use of telephones for personal use years ago, and set out the circumstances under which it may occur. Email is little different. It's about treating employees as human beings, not automatons. As long as the corporate policies and procedures are in place, and everyone is well aware of the guidelines and boundaries, then there is little to fear. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From ssilva at sgvwater.com Thu Aug 3 21:41:20 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:45:24 2006 Subject: SpamAssassin MailScanner Problem In-Reply-To: <200608031051.k73AplgA012739@bkserver.blacknight.ie> References: <200608031051.k73AplgA012739@bkserver.blacknight.ie> Message-ID: Nasvhobh Magotra spake the following on 8/3/2006 3:51 AM: > Hi all Members > > > > I have configured a qmail server with openprotect-5.0.4 that contains > mailscanner ,spamassassin and clamav as default scanners on a debian > sarge system. The installation went smoothly. But I have a peculiar > problem. The clamav scanning is working perfectly but spamassassin is > not. I have checked Mailscanner.conf and it is perfectly fine. 
> Since Openprotect is a custom project BASED on MailScanner, their list might be a better place to look. They seem to have stopped development, at least of the free version, as it seems to be behind a few versions. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Aug 3 21:47:46 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:50:18 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: References: Message-ID: Jeff A. Earickson spake the following on 8/3/2006 9:15 AM: > Gang, > > I upgraded to SA 3.1.4 last night, and continued to be plagued by > lint failures in the rules_du_jour script, like so: > > /opt/perl5/bin/spamassassin -p > /opt/MailScanner/etc/spam.assassin.prefs.conf --lint > [27791] warn: config: SpamAssassin failed to parse line, > "/var/spool/spamassassin" is not valid for "bayes_path", skipping: > bayes_path /var/spool/spamassassin But that is not a valid bayes path. It would be something like var/spool/spamassassin/bayes where the directory of /var/spool/spamassassin/ had files like; bayes_journal bayes_seen bayes_toks Notice all the files start with the last part of the bayes_path statement. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Aug 3 23:19:45 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 23:20:05 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: Jethro R Binks spake the following on 8/3/2006 12:34 PM: > On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > >> On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: >> >>> I'm curious as to some of the situations you believe need OoO. I >>> can't think of any that wouldn't be better handled by a different >>> solution. 
Of course, "better" is subjective, so I might have >>> considered the situations you're referring to and felt differently. >>> Still, can you give me an idea of what you're thinking? >> I tend to get private and business mail in one mailbox. Therefore I >> cannot simply forward all my mail to a collegue or give him/her access >> to it. Maybe there is not even a collegue so things simply have to wait >> a week but I want to let the client/customer/friend know. Etc. > > This is quite common. > > We have legal reasons for requiring OoO; for example, the Freedom of > Information Act in England and Wales considers a request sent by email to > be 'received' by a public authority unless the sender hears otherwise (by > way of a bounce or OoO). If you're away for two or three weeks and hence > don't respond to the request within the prescribed time, and the sender > has no reason to believe the request has not been received (no OoO), then > the public authority has failed in the obligations the Act places upon it. > > But likewise I don't like the lack of controllability that Exchange (which > is used internally) offers for OoO. I have implemented autoresponse > systems in Exim with extreme measures so that it won't respond to, > generically, 'stuff that it shouldn't respond to', so far as that is > possible. I can't do a fraction of that stuff with Exchange, so it will > willy-nilly send mail out in response to practically any old tat it > receives. > > You can mitigate things by having delegated access to mailboxes, of > course, but that all gets rather sticky where personal mail may be present > (or there is no-one appropriate to delegate to, or whether mailbox > contents really confidential to their owner, or there is no-one available > to authorise delegation, or whatever). Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. 
Personal mail is a loaded subject. What if a business contact hears about some event in your life and sends a congratulation/condolence? That now is a personal e-mail, even though it is a business contact. And having a system that responds to business contacts from a list would fail here. So I agree with your thoughts on the respect issue. > > (Because of all this, I have been writing guidelines for our users in this > area; how they should use OoOs, recommendations how they should handle > personal mail, and so on). > > Jethro. > > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services > University Of Strathclyde, Glasgow, UK -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From marcel-ml at irc-addicts.de Thu Aug 3 23:48:41 2006 From: marcel-ml at irc-addicts.de (Marcel Blenkers) Date: Thu Aug 3 23:49:16 2006 Subject: Spamassassin Timeouts In-Reply-To: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> References: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: Hi there, On Thu, 3 Aug 2006, Golden, James wrote: > I received this info from Logwatch, but I am not sure if it is something > I should be concerned about. Would anyone else be kind enough to fill > me in? And what to do about it if it is not an OK thing? > > MailScanner Status: > 21351 messages Scanned by MailScanner > 968.5 Total MB > 13531 Spam messages detected by MailScanner > 13531 Spam messages with action(s) store > 902 hits from MailScanner SpamAssassin cache > 6 Viruses found by MailScanner > 4 Banned attachments found by MailScanner > 967 Content Problems found by MailScanner > 7778 Messages delivered by MailScanner > > 61 SpamAssassin timeout(s > > Thanks, > > James > i also had those problems. A lot of timeouts with spamassassin. What worked for me (and please do not laugh) i setup a cronjob, which does the following every 4 hours.. 
/usr/bin/sa-learn --force-expire --sync and now there are no timeouts anymore and everything works just fine.. if there is another way to handle this problem..let me know =) Marcel From jon.bates at summitmotors.com.au Fri Aug 4 01:08:40 2006 From: jon.bates at summitmotors.com.au (Jon Bates) Date: Fri Aug 4 01:08:57 2006 Subject: Blocking attachments - Stopping sneaky employees Message-ID: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> I've got all audio and video type files being quarantined on my servers. Some users are now getting smart to the fact that they can simply change the extention on the file to bypass this system. Is there some way to filter attachments based on the attachment mime type or something? I've done a few hours searching and I havent come up with a suitable answer. Any guidance would be appreciated! From res at ausics.net Fri Aug 4 01:22:44 2006 From: res at ausics.net (Res) Date: Fri Aug 4 01:22:52 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > >> The sane solution is to not allow OoO, > > Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP.
Part of the problem is most will ignore and not send OoO's to those marked as Precedence: junk bulk However many lists, including this one use list, which is not AFAIK a default searched for item, hence mailman is not telling the receving server to ignore it, mind you, not that i've sene many exchange servers correctly setup to ignore bulk/junk anyway :) -- Cheers Res From brent.addis at pronet.co.nz Fri Aug 4 01:24:37 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Fri Aug 4 01:25:29 2006 Subject: Blocking attachments - Stopping sneaky employees In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> Message-ID: <44D293C5.904@pronet.co.nz> Use the file command. do a search for #file in your MailScanner.conf Jon Bates wrote: > > I've got all audio and video type files being quarantined on my > servers. Some users are now getting smart to the fact that they can > simply change the extention on the file to bypass this system. > > Is there some way to filter attachments based on the attachment mime > type or something? I've done a few hours searching and I havent come > up with a suitable answer. > > Any guidance would be appreciated! ------------------------------------------------------------------------ From res at ausics.net Fri Aug 4 01:27:50 2006 From: res at ausics.net (Res) Date: Fri Aug 4 01:27:58 2006 Subject: Blocking attachments - Stopping sneaky employees In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> Message-ID: Jon, On Fri, 4 Aug 2006, Jon Bates wrote: > > I've got all audio and video type files being quarantined on my servers. > Some users are now getting smart to the fact that they can simply change the > extention on the file to bypass this system. > > Is there some way to filter attachments based on the attachment mime type or > something? I've done a few hours searching and I havent come up with a > suitable answer. 
This is already in MailScanner.conf # Where the "file" command is installed. # This is used for checking the content type of files, regardless of their # filename. File Command = /usr/bin/file > > Any guidance would be appreciated! > -- Cheers Res From dhawal at netmagicsolutions.com Fri Aug 4 01:28:24 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Aug 4 01:28:39 2006 Subject: Blocking attachments - Stopping sneaky employees In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop> Message-ID: <44D294A8.8070108@netmagicsolutions.com> Jon Bates wrote: > > I've got all audio and video type files being quarantined on my servers. > Some users are now getting smart to the fact that they can simply change > the extention on the file to bypass this system. > > Is there some way to filter attachments based on the attachment mime > type or something? I've done a few hours searching and I havent come up > with a suitable answer. > > Any guidance would be appreciated! See the following configuration options in MailScanner.conf File Command Allow Filetypes Deny Filetypes Filetype Rules See here for more description. http://mailscanner.info/MailScanner.conf.index.html - dhawal From sujithem at cdacb.ernet.in Fri Aug 4 05:09:44 2006 From: sujithem at cdacb.ernet.in (Sujith Emmanuel) Date: Fri Aug 4 05:10:32 2006 Subject: Spamassassin Timeouts In-Reply-To: References: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <1d1e72700608032109t15942410n8034c427a8ab79b4@mail.gmail.com> Hi there, Even am getting a lot of timeouts, maybe a caching nameserver on the same server could help. Regards Sujith Emmanuel On 8/4/06, Marcel Blenkers wrote: > > Hi there, > > > > On Thu, 3 Aug 2006, Golden, James wrote: > > > I received this info from Logwatch, but I am not sure if it is something > > I should be concerned about. Would anyone else be kind enough to fill > > me in? 
And what to do about it if it is not an OK thing? > > > > MailScanner Status: > > 21351 messages Scanned by MailScanner > > 968.5 Total MB > > 13531 Spam messages detected by MailScanner > > 13531 Spam messages with action(s) store > > 902 hits from MailScanner SpamAssassin cache > > 6 Viruses found by MailScanner > > 4 Banned attachments found by MailScanner > > 967 Content Problems found by MailScanner > > 7778 Messages delivered by MailScanner > > > > 61 SpamAssassin timeout(s > > > > Thanks, > > > > James > > > > i also had those problems. > A lot of timeouts with spamassassin. > > What worked for me (and please do not laugh) i setup a cronjob, which does > the following every 4 hours.. > > /usr/bin/sa-learn --force-expire --sync > > and now there are no timeouts anymore and everything works just fine.. > > if there is another way to handle this problem..let me know =) > > Marcel From febrianto at sioenasia.com Fri Aug 4 05:38:54 2006 From: febrianto at sioenasia.com (Budi Febrianto) Date: Fri Aug 4 05:34:48 2006 Subject: ClamAV detected as SophosSavi in logwatch Message-ID: I never install Sophos, but in LogWatch entry of my mailscanner it say it this.
Entry in LogWatch : SophosSavi Virus Report: (Total Seen = 1081) Exploit.HTML.IFrame: 204 Times(s) HTML.Phishing.Auction-149: 1 Times(s) HTML.Phishing.Bank-623: 103 Times(s) HTML.Phishing.Bank-626: 2 Times(s) HTML.Phishing.Bank-627: 78 Times(s) Worm.Bagle.Gen-zippwd-5: 2 Times(s) Worm.Bagle.pwd-eml: 9 Times(s) Worm.Mydoom.I: 24 Times(s) Worm.Mytob.FN: 302 Times(s) Worm.Mytob.NK: 18 Times(s) Worm.SomeFool.AA-2: 2 Times(s) Worm.SomeFool.P: 332 Times(s) Worm.VB-9: 4 Times(s) >From MailScanner --lint Read 753 hostnames from the phishing whitelist Config: calling custom init function MailWatchLogging Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. MailScanner.conf says "Virus Scanners = clamavmodule" Found these virus scanners installed: clamavmodule Is this normal, Or I missconefigured something? Best Regards From MailScanner at ecs.soton.ac.uk Fri Aug 4 08:44:57 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 4 08:45:35 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: References: <44D22AE6.4020709@evi-inc.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Done. On 3 Aug 2006, at 18:54, Jeff A. Earickson wrote: > Matt, > > Doh!! Thanks for pointing this out, I had always thought that > bayes_path was a directory name, not some strange combo of > directory + file prepend. I fixed my spam.assassin.prefs.conf, > reverted to the original SA Conf.pm, everything works with > Rules_du_jour again. > > Julian, > > Could you please modify the spam.assassin.prefs.conf to include > the following useful comments (diff -c format)? > > *************** > *** 83,89 **** > --- 83,96 ---- > # FSL Note: we need to coordinate the Bayes File Placement > # With MailWatch > > + # bayes_path should NOT be directory! > + # The Rules_du_jour script will choke if it is a directory. 
> + # It needs to be a full pathname, PLUS a partial filename. > + # In this example, the trailing "bayes" will be the "bayes*" + # > files in the directory "/etc/MailScanner/bayes/" > + # Thanks to Matt Kettler for pointing this out. > #bayes_path /etc/MailScanner/bayes/bayes > + > # This is actually used as a mask, not a raw chmod setting. > # Thanks for Matt Kettler for spotting this one. > # Commented out: this if for MailWatch and Exim/Postfix users only. > > Jeff Earickson > Colby College > > On Thu, 3 Aug 2006, Matt Kettler wrote: > >> Date: Thu, 03 Aug 2006 12:57:10 -0400 >> From: Matt Kettler >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: SA rules_du_jour lint bug: FOUND >> Jeff A. Earickson wrote: >>> Gang, >>> >>> I upgraded to SA 3.1.4 last night, and continued to be plagued by >>> lint failures in the rules_du_jour script, like so: >>> >>> /opt/perl5/bin/spamassassin -p >>> /opt/MailScanner/etc/spam.assassin.prefs.conf --lint >>> [27791] warn: config: SpamAssassin failed to parse line, >>> "/var/spool/spamassassin" is not valid for "bayes_path", skipping: >>> bayes_path /var/spool/spamassassin >>> >>> I had this problem in earlier versions of SA, but had worked around >> >> >>> >>> I know this isn't quite right, since the test should be "if NOT a >>> directory, return INVALID_VALUE". But the code: >> >> NO! It should be IF a directory, return invalid. It is NOT valid >> to specify a >> directory as a bayes path, because bayes_path is not just a path. >> It's a path >> plus partial filename! >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
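Review bot: the added comment "# The Rules_du_jour script will choke if it is a directory." names only the downstream symptom. The lint output quoted in this thread shows SpamAssassin's own config parser rejecting the value ("is not valid for "bayes_path", skipping"), so the comment would be more useful if it said that "spamassassin --lint" rejects a directory here and that Rules_du_jour fails as a consequence. Two smaller points in the same hunk: "should NOT be directory!" is missing its article, and the line ending in '"bayes*" + # > files in the directory' has been re-wrapped by the mail client so that a second "+ #" sits mid-line, which means the diff will not apply cleanly as posted and the two comment lines need to be restored by hand.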
>> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: US-ASCII wj8DBQFE0vsJEfZZRxQVtlQRAnMnAKCamaEbaf67kxl4XjZoVewzM0y59wCg8GbO GcFz6a0YfMO+vJfEO8BzMPM= =Zsn4 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From glenn.steen at gmail.com Fri Aug 4 08:55:18 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 08:55:22 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> Message-ID: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> On 03/08/06, Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > > > The sane solution is to not allow OoO, > > Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP. Of course. OoO can have a somewhat meaningful role inside the organisation. > > and encourage your user to use > > other measures (like "mailbox delegations" etc). Unfortunately PHBs > > are rarely sane...:-) > > And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose. > Everyone is entiteled to their own opinion, but ... "Need" is a strong word:). There are at least two issues at hand. 
One is the phenomenon as such, the other is badly behaving MTAs in conjunction with OoO. Most problems with OoO *could* be alleviated if someone did make a stab at an RFC, so that we could stop fumbling around trying to wrest some form of control on the issue and instead have clearly defined interfaces for it (That's not probable to happen though:-). Then one would have the policy issue to tangle with... Having said that, I'd be interested in seeing what you've accomplished so far, and perhaps adapting it to a postfix environment... I assume it's based on some form of more or less clever LDAP query? (Yeah, I'm an Exim noob:). Oh BTW, from that you can see that I don't have a particularly sane PHB;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From pieter at verhaeghe-textiel.be Fri Aug 4 08:59:18 2006 From: pieter at verhaeghe-textiel.be (Pieter Verhaeghe) Date: Fri Aug 4 08:59:46 2006 Subject: Permissions archive messages Message-ID: Hi, I want to change the group owner of the archive messages. This is possible for the quarantine messages with the configuration option "Quarantine group". But I found no "Archive group" in MailScanner.conf. How should I configure this? Thanks for your support! Greetings, Pieter
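The out-of-office thread above keeps returning to which messages an autoresponder must never answer: the Precedence: junk/bulk/list point, the self-addressed test that looped, and replies sent to mailing lists and bulk mail. The following Python is an added example, not code from any poster or from MailScanner, Exim or Exchange; the function names, reason strings, robot-address lists and sample messages are constructed for illustration, and the Auto-Submitted check follows RFC 3834.

```python
from email import message_from_string
from email.utils import getaddresses

# Precedence values named in the thread: junk and bulk are the usual ones,
# "list" is what Mailman-run lists set.
NO_REPLY_PRECEDENCE = {"junk", "bulk", "list"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")
# Assumed (constructed) patterns for sender addresses that belong to software.
ROBOT_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}
ROBOT_SUFFIXES = ("-request", "-bounces", "-owner", "-admin")


def suppress_reason(raw, envelope_sender, owner, notified=frozenset()):
    """Return why no out-of-office reply may be sent, or None if one may."""
    msg = message_from_string(raw)
    sender = envelope_sender.strip().strip("<>").lower()
    owner = owner.lower()

    # Bounces and DSNs carry the null sender; answering them is backscatter.
    if not sender:
        return "null envelope sender"
    # The self-addressed test message: replying to yourself never terminates.
    if sender == owner:
        return "sender is this mailbox"
    local = sender.split("@")[0]
    if local in ROBOT_LOCALPARTS or local.endswith(ROBOT_SUFFIXES):
        return "robot sender"
    # RFC 3834: any value other than "no" marks the message as automatic.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "auto-submitted"
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in NO_REPLY_PRECEDENCE:
        return "precedence " + precedence
    if any(name in msg for name in LIST_HEADERS):
        return "list header"
    # Only answer mail that names the mailbox in To/Cc (not Bcc, aliases, lists).
    named = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if owner not in {addr.lower() for _, addr in named}:
        return "not addressed to mailbox"
    # One notice per sender per absence stops two autoresponders ping-ponging.
    if sender in notified:
        return "already notified"
    return None


def make_mail(to, extra=()):
    """Build a constructed sample message with the given To and extra headers."""
    headers = ["To: " + to, "Subject: constructed sample"] + list(extra)
    return "\n".join(headers) + "\n\nbody\n"


OWNER = "bob@example.org"  # constructed mailbox that is "out of office"
SAMPLES = {  # name -> (envelope sender, raw message); all constructed
    "personal": ("alice@example.net", make_mail(OWNER)),
    "self_test": (OWNER, make_mail(OWNER)),
    "bounce": ("<>", make_mail(OWNER)),
    "list_post": ("carol@example.net",
                  make_mail("users@lists.example.org", ["Precedence: list"])),
    "mailman": ("users-bounces@lists.example.org",
                make_mail("users@lists.example.org",
                          ["List-Id: <users.lists.example.org>"])),
    "other_ooo": ("dave@example.net",
                  make_mail(OWNER, ["Auto-Submitted: auto-replied"])),
    "alias": ("eve@example.net", make_mail("sales@example.org")),
}


def run_samples(notified=frozenset()):
    """Classify every sample; value is None when a reply would be sent."""
    return {name: suppress_reason(raw, sender, OWNER, notified)
            for name, (sender, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:10} {'REPLY' if reason is None else 'skip: ' + reason}")
```

The envelope sender is passed separately because the null sender of a bounce is only visible in the SMTP envelope (or a Return-Path header added at delivery), not in the From: header.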
From jethro.binks at strath.ac.uk Fri Aug 4 09:22:44 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Aug 4 09:22:46 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <20060804091650.E10038@defjam.cc.strath.ac.uk> On Fri, 4 Aug 2006, Res wrote: > Part of the problem is most will ignore and not send OoO's to those marked as > Precedence: junk bulk > However many lists, including this one use list, which is not AFAIK a default > searched for item, hence mailman is not telling the receving server to ignore > it, mind you, not that i've sene many exchange servers correctly setup to > ignore bulk/junk anyway :) I fear we are dangerously off-topic for MailScanner now, but hopefully still of general interest ... It would be nice if Exchange could be made more intelligent with regard to whom (or not) it will send OoO messages. It would be nicer if it could be configurable too. Maybe I should ask our Microsoft contacts about the prospects of more intelligence in future versions. FWIW, this page relating to Exim displays the conditions I use in an autoresponse implementation: http://www.exim.org/eximwiki/EximAutoReply I'd be grateful for feedback on other tricks for detecting messages (mostly 'autogenerated' in some way) to which an autoresponse (including OoO) should not be sent, or problems known with the rules I am using. (I didn't write the original page, but I did enhance it with Example 2 and other commentary, and added some useful references). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From glenn.steen at gmail.com Fri Aug 4 09:28:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 09:28:15 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> On 03/08/06, Jethro R Binks wrote: > On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > > > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > > > > I'm curious as to some of the situations you believe need OoO. I > > > can't think of any that wouldn't be better handled by a different > > > solution. Of course, "better" is subjective, so I might have > > > considered the situations you're referring to and felt differently. > > > Still, can you give me an idea of what you're thinking? > > > > I tend to get private and business mail in one mailbox. Therefore I > > cannot simply forward all my mail to a collegue or give him/her access > > to it. Maybe there is not even a collegue so things simply have to wait > > a week but I want to let the client/customer/friend know. Etc. > > This is quite common. Yes. Not all can be solved by mailbox delegations, this is quite true. But is it really helpful for the sender to receive an OoO? Most times no. If it is really urgent, why would you be using *email* and not the phone? In an emergency? Oh well, that is a philosophical matter I guess:-). > We have legal reasons for requiring OoO; for example, the Freedom of > Information Act in England and Wales considers a request sent by email to > be 'received' by a public authority unless the sender hears otherwise (by > way of a bounce or OoO). 
If you're away for two or three weeks and hence > don't respond to the request within the prescribed time, and the sender > has no reason to believe the request has not been received (no OoO), then > the public authority has failed in the obligations the Act places upon it. Legislation differ from country to country, so ... An OoO would not be enough, here in Sweden. Why? Cutting a long thing very short: Because OoO is not a standardised thing. So it is neither a help or a hindrance for the diverse agencies here. Further, any missive sent to the government becomes a public document upon receipt (unless specifically covered by secrecy... Not that much is;), so in theory... the "private" mail one handles at ones work address could simply become a public document (The principle of public access... We've been busy selling the idea to the EU for quite some time now:-). > But likewise I don't like the lack of controllability that Exchange (which > is used internally) offers for OoO. I have implemented autoresponse > systems in Exim with extreme measures so that it won't respond to, > generically, 'stuff that it shouldn't respond to', so far as that is > possible. I can't do a fraction of that stuff with Exchange, so it will > willy-nilly send mail out in response to practically any old tat it > receives. No argument there:) > You can mitigate things by having delegated access to mailboxes, of > course, but that all gets rather sticky where personal mail may be present > (or there is no-one appropriate to delegate to, or whether mailbox > contents really confidential to their owner, or there is no-one available > to authorise delegation, or whatever). Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. Actually, for some organisations, it would be quite all right. But in the real world, well... 
people are people, and one should take care with their integrity. Mailbox delegation was mentioned just as an example, not the surefire solution to the OoO madness. You and JP mention letting a more capable autoresponder handle the autoresponding... And that is a fine way to solve some of the madness too. We have two problems: The policy decision regarding OoO (and this is usually the domain of the PHBs), and the badness of some MTAs in regards to autoresponding > (Because of all this, I have been writing guidelines for our users in this > area; how they should use OoOs, recommendations how they should handle > personal mail, and so on). Ah yes, the third option... Enlightenment. Unfortunately users are people, and people a people... and there will always be a few that simply don't read the guidelines. Sigh. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Aug 4 09:37:32 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 09:37:49 2006 Subject: Question about spam.assassin.prefs.conf In-Reply-To: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> References: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <223f97700608040137u7e22feb3y7cf34ae158c75b2d@mail.gmail.com> On 03/08/06, Golden, James wrote: > (snip) > So, after the compare, I then added any settings entry that was missing > (which was about 3 lines) (bayes_path, awl_path, and one other) to the file. > and then replaced the old one with the rpmnew version. Everything looks > OK. I was just wondering if I missed a step. I know I ran a few scripts to > upgrade Mailscanner.conf and another, but I didn't remember doing it for > spam.assassin.prefs.conf file. No, I don't think you missed a step... 
That is exactly why you got an rpmnew file, and further, that is exactly what you are supposed to do: Check the differences, make an educated guess as to what you should have and make the necessary changes.

> I did just upgrade to the 4.54.6-1 version. I didn't do it via RPM, I did
> it via the script from MailScanner (if I remember correctly).

The MailScanner RPM install is done by running the install.sh script from the tar-ball ... that contains all the necessary rpms... which will then be built/installed as needed. You wouldn't have gotten an rpmnew file if you hadn't;-)

(snip)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ckowarzik at email.de Fri Aug 4 09:39:42 2006
From: ckowarzik at email.de (Christian Kowarzik)
Date: Fri Aug 4 09:40:28 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D134DF.3080102@smartpost.ro>
References: <44D134DF.3080102@smartpost.ro>
Message-ID: <44D307CE.7020806@email.de>

Hi

I use the following spamassassin rules in my /etc/mail/spamassassin/local.cf to decrease the spamassassin score for email senders using smtp auth:

header   __OUR_AUTH           Received =~ /authenticated .* by smtp\.xxx\.de/i
header   __NOT_OUR_AUTH       Received !~ /authenticated .* by smtp\.xxx\.de/i
meta     INIT_RECVD_OUR_AUTH  __OUR_AUTH && ( __NOT_OUR_AUTH == 0)
describe INIT_RECVD_OUR_AUTH  Initially received by us using authentication
tflags   INIT_RECVD_OUR_AUTH  nice
score    INIT_RECVD_OUR_AUTH  -20

First I test that the email was received using smtp-auth and second I test that there exists no "non-authenticated" received lines in the email header.
So if both conditions are true I know that my email server initially received that email and the sender is authenticated.

Christian

Radu Spineanu wrote:
> Hi
>
> Can mailscanner be configured to ignore all checks for messages sent via
> smtp auth?
> > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:29:28 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:29:25 2006 Subject: blocking out-of-office In-Reply-To: <44D259D2.6080009@yeticomputers.com> Message-ID: On Thursday, August 03, 2006 10:17 PM Rick Chadderdon wrote: > You think so? I strongly disagree. Fine. German Law does not care about you disagreeing. If you do not explicitly forbid private use of your e-mail system (and the employee has to sign the agreement) you basically have no administrative access to the users mailbox. Moreover you as a company can choose to allow private use. Several studies confirm that allowing the private use of mail and internet are good for the company. People tend to stay longer at work since they are not forced to leave "early" or on time to finish their ebay auction etc. > If someone abuses a system (and > knowingly using it outside of the standards established *is* abuse) > then their conduct in no way deserves respect. If you forbid private use and make sure this is done in a lawful way: I agree. Regards, JP From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:31:52 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:31:51 2006 Subject: blocking out-of-office In-Reply-To: Message-ID: On Friday, August 04, 2006 2:23 AM Res wrote: >> Which is easily done in Exchange itself. You can configure it to >> only send OOO within your Exchange installation but not send it out >> via SMTP. > > > Part of the problem is most will ignore and not send OoO's to those > marked as Precedence: junk bulk However many lists, including this Exchange does not respect Precedence headers. Their sort of detection of "bulk mail" is "different" if not broken. 
:-) From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:34:42 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:34:39 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> Message-ID: On Friday, August 04, 2006 9:55 AM Glenn Steen wrote: > Everyone is entiteled to their own opinion, but ... "Need" is a > strong word:). If I am forced to use OoO - due to legislation or simply because it is my spec or the spec of my boss (if I had one) - then "Need" is the only word. :-) > adapting it to a postfix environment... I assume it's based on some > form of more or less clever LDAP query? (Yeah, I'm an Exim noob:). > Oh BTW, from that you can see that I don't have a particularily sane > PHB;-). -- You cannot get the OoO info via LDAP. You need to login to the mailbox using Outlook CDOs. There might be a way using WebDAV but I am not entirely sure. The project is a bit abandoned... :-) From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:42:01 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:42:11 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: On Friday, August 04, 2006 10:28 AM Glenn Steen wrote: > Yes. Not all can be solved by mailbox delegations, this is quite true. > But is it really helpful for the sender to receive an OoO? Most times > no. If it is really urgent, why would you be using *email* and not > the phone? So I need to tell my clients to phone me everytime to make sure a more or less urgent matter needs attending? Let's say 200 business days a year e-mail would be sufficient. And during my 5 day vacation they would need to call me in order to find out. That does not really make sense. > In an emergency? Oh well, that is a philosophical matter I > guess:-). Indeed. > too. 
We have two problems: The policy decision regarding OoO (and > this is usually the domain of the PHBs), and the badness of some MTAs > in regards to autoresponding Agreed. > Ah yes, the third option... Enlightenment. That works? :-) > Unfortunately users are > people, and people a people... and there will always be a few that > simply don't read the guidelines. Sigh. That's what I think as well. Let's stop this thread. Whether or not we like he use of OoO there always will be and noone here will change that even if we wanted to. :-) In real world there is the need for OoO even if some of you do not agree or would try to solve it otherwise. Regards, JP From glenn.steen at gmail.com Fri Aug 4 11:59:55 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 11:59:59 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> Message-ID: <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> On 04/08/06, Koopmann, Jan-Peter wrote: > On Friday, August 04, 2006 9:55 AM Glenn Steen wrote: > > > Everyone is entiteled to their own opinion, but ... "Need" is a > > strong word:). > > If I am forced to use OoO - due to legislation or simply because it is > my spec or the spec of my boss (if I had one) - then "Need" is the only > word. :-) True. As said (to Jethro), legislation differ, so "Need" it is then... for you:-). > > adapting it to a postfix environment... I assume it's based on some > > form of more or less clever LDAP query? (Yeah, I'm an Exim noob:). > > Oh BTW, from that you can see that I don't have a particularily sane > > PHB;-). -- > > You cannot get the OoO info via LDAP. You need to login to the mailbox > using Outlook CDOs. There might be a way using WebDAV but I am not > entirely sure. The project is a bit abandoned... :-) Ah. Too bad. Then again, what was I thinking there.... that M$ would make anything simple to look up....? 
:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Fri Aug 4 12:09:52 2006 From: res at ausics.net (Res) Date: Fri Aug 4 12:10:03 2006 Subject: blocking out-of-office In-Reply-To: <20060804091650.E10038@defjam.cc.strath.ac.uk> References: <20060804091650.E10038@defjam.cc.strath.ac.uk> Message-ID: On Fri, 4 Aug 2006, Jethro R Binks wrote: > configurable too. Maybe I should ask our Microsoft contacts about the > prospects of more intelligence in future versions. hahahahhahahahahahha do you moonlight at the comedy club ? :P hahah you must as you used M$ and intelligence in the same sentance ;) -- Cheers Res From glenn.steen at gmail.com Fri Aug 4 12:12:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 12:12:28 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: <223f97700608040412i4311a64cj6b36335c9221732d@mail.gmail.com> Sorry all, this is drifting wildly off-topic....:-) On 04/08/06, Koopmann, Jan-Peter wrote: > On Friday, August 04, 2006 10:28 AM Glenn Steen wrote: > > > Yes. Not all can be solved by mailbox delegations, this is quite true. > > But is it really helpful for the sender to receive an OoO? Most times > > no. If it is really urgent, why would you be using *email* and not > > the phone? > > So I need to tell my clients to phone me everytime to make sure a more > or less urgent matter needs attending? Let's say 200 business days a > year e-mail would be sufficient. And during my 5 day vacation they would > need to call me in order to find out. That does not really make sense. Ah, but then ... that's not really an emegency then. Oh well. It all depends on your situation. BTW, 5 _days_ vacation? In total? If so, you need another Union:-D. But if you are away for only five days, then surely there is nothing sent by email that just couldn't wait...? > > In an emergency? 
Oh well, that is a philosophical matter I > > guess:-). > > Indeed. > > > too. We have two problems: The policy decision regarding OoO (and > > this is usually the domain of the PHBs), and the badness of some MTAs > > in regards to autoresponding > > Agreed. > > > Ah yes, the third option... Enlightenment. > > That works? :-) Nope. Or at least hasn't done so for the past 20-odd years:-). > > Unfortunately users are > > people, and people a people... and there will always be a few that > > simply don't read the guidelines. Sigh. > > That's what I think as well. > > Let's stop this thread. Whether or not we like he use of OoO there > always will be and noone here will change that even if we wanted to. :-) > In real world there is the need for OoO even if some of you do not agree > or would try to solve it otherwise. > This subthread at least. The original question posed by Peter was how to limit the spread of OoO by use of MailScanner... and that has perhaps some room for discussion left. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dhawal at netmagicsolutions.com Fri Aug 4 12:14:23 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Aug 4 12:18:15 2006 Subject: blocking out-of-office discussions In-Reply-To: <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> Message-ID: <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com> This us getting absolutely OT.. MailScanner has nothing to do with legislation.. Can we end this silly thread which is only contributing towards polluting the list archives and wasting time / bandwidth. 
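
Added example (not part of any post in this archive): Christian Kowarzik's rules in the "mailscanner and SMTP AUTH" thread subtract 20 points when a Received header matches /authenticated .* by <our host>/. SpamAssassin's documentation states that when a header test matches several headers of the same name, their text is concatenated with embedded newlines before the pattern is applied, so the sketch below models both tests of the posted meta rule over all Received headers and compares the result with a check of only the topmost header, the one the receiving MTA itself prepends. The host name smtp.example.de, the sample messages and all function names are constructed for illustration, and the code assumes the scanner runs on the host that accepted the SMTP session.

```python
"""Model of an 'authenticated by our server' Received-header check.

Constructed illustration; this is not SpamAssassin or MailScanner code.
"""
import re
from email import message_from_string

OUR_HOST = "smtp.example.de"  # assumption: stands in for the elided smtp.xxx.de


def auth_pattern(host):
    # Same shape as the posted pattern: /authenticated .* by smtp\.xxx\.de/i
    return re.compile(r"authenticated .* by " + re.escape(host), re.IGNORECASE)


def received_headers(raw_message):
    """Return the unfolded Received header values, topmost (newest) first."""
    msg = message_from_string(raw_message)
    values = msg.get_all("Received", [])
    return [re.sub(r"\r?\n[ \t]+", " ", v).strip() for v in values]


def meta_over_all_headers(raw_message, host=OUR_HOST):
    """Model '__OUR_AUTH && (__NOT_OUR_AUTH == 0)' on the concatenated headers."""
    joined = "\n".join(received_headers(raw_message))
    pattern = auth_pattern(host)
    our_auth = pattern.search(joined) is not None   # Received =~ /.../
    not_our_auth = pattern.search(joined) is None   # Received !~ /.../
    # Both tests see the same concatenated text, so the second adds nothing.
    return our_auth and not not_our_auth


def topmost_is_authenticated(raw_message, host=OUR_HOST):
    """Trust only the header our own MTA stamped: the first Received line."""
    headers = received_headers(raw_message)
    return bool(headers) and auth_pattern(host).search(headers[0]) is not None


# Constructed sample: really submitted over SMTP AUTH to our server.
GENUINE = (
    "Received: from home (host-203-0-113-7.example.net [203.0.113.7])\n"
    "\t(authenticated bits=0)\n"
    "\tby smtp.example.de (8.13.7/8.13.7) with ESMTP id k74AAA01;\n"
    "\tFri, 4 Aug 2006 09:00:00 +0200\n"
    "From: user@example.de\n"
    "Subject: sent with SMTP AUTH\n"
    "\n"
    "body\n"
)

# Constructed sample: unauthenticated delivery carrying a forged older header.
FORGED = (
    "Received: from bot (unknown [198.51.100.23])\n"
    "\tby smtp.example.de (8.13.7/8.13.7) with ESMTP id k74BBB02;\n"
    "\tFri, 4 Aug 2006 09:05:00 +0200\n"
    "Received: from home (home [192.0.2.10])\n"
    "\t(authenticated bits=0)\n"
    "\tby smtp.example.de (8.13.7/8.13.7) with ESMTP id k74ZZZ99;\n"
    "\tFri, 4 Aug 2006 08:59:00 +0200\n"
    "From: user@example.de\n"
    "Subject: forged trail\n"
    "\n"
    "body\n"
)

# Constructed sample: ordinary inbound mail, no authentication claimed anywhere.
PLAIN = (
    "Received: from mx.example.org (mx.example.org [192.0.2.55])\n"
    "\tby smtp.example.de (8.13.7/8.13.7) with ESMTP id k74CCC03;\n"
    "\tFri, 4 Aug 2006 09:10:00 +0200\n"
    "From: someone@example.org\n"
    "Subject: plain inbound\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("plain", PLAIN)):
        print(f"{name:8} all-headers={meta_over_all_headers(raw)!s:5} "
              f"topmost-only={topmost_is_authenticated(raw)}")
```
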
From jethro.binks at strath.ac.uk Fri Aug 4 12:55:46 2006
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri Aug 4 12:55:48 2006
Subject: blocking out-of-office discussions
In-Reply-To: <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com>
References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com>
Message-ID: <20060804125505.C10038@defjam.cc.strath.ac.uk>

On Fri, 4 Aug 2006, Dhawal Doshy wrote:

> This is getting absolutely OT.. MailScanner has nothing to do with
> legislation..
> Can we end this silly thread which is only contributing towards polluting the
> list archives and wasting time / bandwidth.

Speaking perfectly frankly, that seems to be a common theme on this list anyway. At least this discussion is mail-related and generically useful.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

From Andreas.Doerfler at kempten.de Fri Aug 4 12:57:13 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Fri Aug 4 12:57:34 2006
Subject: ignored messeges
Message-ID:

hey there,

i haven't checked my mqueue.in for months .. because i thought everything works fine.
that more I'm scared to find about 200 undelivered mails in there

short example:
-rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005
...
-rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915
-rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049
-rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185
-rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142
-rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047

most of em are spam so i don't see a problem, but some are not.

don't understand how this can happen because i deliver about 6000 mails everyday without any problems.
some ignored mails from last year ...

from the mail log i take these when restart MS:

Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue directory /var/spool/mqueue.in/dfj1C64nMG031005
...

got this message multiple times, but I've seen em first time, tried now more times but it won't come again in the logs

i use sendmail, ms 4.55.9 on a suse 9.2 box

greetings
andy

--free your mind, use open source
http://www.mono-project.com

ASCII ribbon campaign ( )
 - against HTML email  X
             & vCards / \

From radus at smartpost.ro Fri Aug 4 13:20:16 2006
From: radus at smartpost.ro (Radu Spineanu)
Date: Fri Aug 4 13:20:36 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D141CE.9090805@blacknight.ie>
References: <44D134DF.3080102@smartpost.ro> <44D141CE.9090805@blacknight.ie>
Message-ID: <44D33B80.3000300@smartpost.ro>

Michele Neylon:: Blacknight.ie wrote:
> Radu Spineanu wrote:
>> Hi
>>
>> Can mailscanner be configured to ignore all checks for messages sent via
>> smtp auth?
>>
>> In my current setup, when i try to send an email from home using SMTP
>> AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip
>> block was added in rbls as it's used for home use).
>>
>> Radu
> Do you have a fixed IP at home? You could simply whitelist your home IP
> or your ISP's netblock
>

Unfortunately no. And most people using this mail setup are from different parts of the world.
Radu

From P.G.M.Peters at utwente.nl Fri Aug 4 14:44:16 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Aug 4 14:44:23 2006
Subject: blocking out-of-office
In-Reply-To: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com>
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com>
Message-ID: <44D34F30.2070300@utwente.nl>

Glenn Steen wrote on 4-8-2006 9:55:
> On 03/08/06, Koopmann, Jan-Peter wrote:
>> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote:
>>
>> > The sane solution is to not allow OoO,
>>
>> Which is easily done in Exchange itself. You can configure it to only
>> send OOO within your Exchange installation but not send it out via SMTP.
>
> Of course. OoO can have a somewhat meaningful role inside the organisation.

But we have a lot of organizations in our organization. A lot of the (bigger) departments run their own exchange. And while the AD is shared they still tend to send e-mail from one department to the other through SMTP (which is good because it gets scanned by MailScanner).

Luckily I managed to get it on-topic again.
--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From P.G.M.Peters at utwente.nl Fri Aug 4 14:46:56 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Aug 4 14:47:00 2006
Subject: blocking out-of-office
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local>
Message-ID: <44D34FD0.6020309@utwente.nl>

Billy A. Pumphrey wrote on 2-8-2006 20:49:
> My employees report that when they have the out of office turned on they
> receive more spam.....

Considering OOO could be called spam (according to the definition of unwanted bulk e-mail) you could say that when those employees have turned on OOO it is holiday so more people have done the same. Resulting in OOO's from others (perhaps based on forged sender addresses in spam).
--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From MailScanner at ecs.soton.ac.uk Fri Aug 4 14:47:01 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 4 14:47:37 2006
Subject: ignored messeges
In-Reply-To:
References:
Message-ID:

df files without qf files are just left-over junk from things like broken TCP connections and stuff like that.
df files without qf files (or vice versa) can just be deleted.

On 4 Aug 2006, at 12:57, Dörfler Andreas wrote:

> hey there,
>
> i haven't checked my mqueue.in for months .. because i thought
> everything works fine.
> that more I'm scared to find about 200 undelivered mails in there
>
> short example:
> -rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005
> ...
> -rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915
> -rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049
> -rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185
> -rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142
> -rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047
>
> most of em are spam so i don't see a problem, but some are not.
>
> don't understand how this can happen because i deliver about
> 6000 mails everyday without any problems.
> some ignored mails from last year ...
>
> from the mail log i take these when restart MS:
>
> Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue
> directory /var/spool/mqueue.in/dfj1C64nMG031005
> ...
> got this message multiple times, but I've seen em first time,
> tried now more times but it won't come again in the logs
>
> i use sendmail, ms 4.55.9 on a suse 9.2 box
>
> greetings
> andy
>
> --free your mind, use open source
> http://www.mono-project.com
>
> ASCII ribbon campaign ( )
>  - against HTML email  X
>              & vCards / \

--
Julian Field
MailScanner@ecs.soton.ac.uk

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From P.G.M.Peters at utwente.nl Fri Aug 4 14:48:08 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Aug 4 14:48:12 2006
Subject: blocking out-of-office
In-Reply-To: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com>
Message-ID: <44D35018.3000409@utwente.nl>

Desai, Jason wrote on 3-8-2006 20:09:
> I have recently implemented something similar. Management wanted to
> allow only some people to send out of office messages over the internet.
> Since our MailScanner box is inline, I wrote a custom function for the
> Is Definitely MCP option. It's not a complex function. I am waiting to
> hear back from management to see if I can post it here.

That would be great. Perhaps something for Julian to include in some future version.
--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From mgt at stellarcore.net Fri Aug 4 14:57:47 2006
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Aug 4 14:58:01 2006
Subject: Subject: ClamAV detected as SophosSavi in logwatch
In-Reply-To: <200608041106.k74B6h9R001647@bkserver.blacknight.ie>
References: <200608041106.k74B6h9R001647@bkserver.blacknight.ie>
Message-ID: <1154699868.3202.4.camel@dwarfstar.stellarcore.net>

On Fri, 2006-08-04 at 12:06 +0100, mailscanner-request@lists.mailscanner.info wrote:
> I never install Sophos, but in LogWatch entry of my mailscanner it say it
> this.
>
> Entry in LogWatch :
> SophosSavi Virus Report: (Total Seen = 1081)
>    Exploit.HTML.IFrame: 204 Times(s)
>    HTML.Phishing.Auction-149: 1 Times(s)
>    HTML.Phishing.Bank-623: 103 Times(s)
>    HTML.Phishing.Bank-626: 2 Times(s)
>    HTML.Phishing.Bank-627: 78 Times(s)
>    Worm.Bagle.Gen-zippwd-5: 2 Times(s)
>    Worm.Bagle.pwd-eml: 9 Times(s)
>    Worm.Mydoom.I: 24 Times(s)
>    Worm.Mytob.FN: 302 Times(s)
>    Worm.Mytob.NK: 18 Times(s)
>    Worm.SomeFool.AA-2: 2 Times(s)
>    Worm.SomeFool.P: 332 Times(s)
>    Worm.VB-9: 4 Times(s)

That is a Logwatch problem not a Mailscanner problem. If you can tell me which version of Logwatch you are running [and MailScanner/ClamAV] I'll take a look. [FYI current stable Logwatch is 7.3]. You can send this to me directly or to the logwatch at logwatch org list.
-Mike From glenn.steen at gmail.com Fri Aug 4 15:10:04 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 15:10:09 2006 Subject: blocking out-of-office In-Reply-To: <44D34F30.2070300@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> Message-ID: <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 9:55: > > On 03/08/06, Koopmann, Jan-Peter wrote: > >> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > >> > >> > The sane solution is to not allow OoO, > >> > >> Which is easily done in Exchange itself. You can configure it to only > >> send OOO within your Exchange installation but not send it out via SMTP. > > > > Of course. OoO can have a somewhat meaningful role inside the organisation. > > But we have a lot of organizations in our organization. A lot of the > (bigger) departments run their own exchange. And while the AD is shared > they still tend to send e-mail from one department to the other through > SMTP (which is good because it gets scanned by MailScanner). Um, I'm feeling more than the usual tad slow here (Friday afternoon syndrome:-), are you saying you want to block all OoO trying to exit the "superorganisation" or the ones bouncing around between suborganisations? SA rule(s) could help you, I suppose, if you want something selective (PF header_checks are bit limited so wouldn't handle that gracefully:-). > Luckily I managed to get it on-topic again. 
:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ewr at erols.com Fri Aug 4 15:04:47 2006 From: ewr at erols.com (ewr@erols.com) Date: Fri Aug 4 15:10:49 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D307CE.7020806@email.de> Message-ID: <01af01c6b7ce$f24b6090$4f02a8c0@ew> Thanks Christian! I like this idea and think it will work well. I am not entirely up to speed (yet) on how the SA rules work and have a question about it. Does this rule only check the first Received header? I want to make sure that a forged Received header farther down the email doesn't get the -20 deduct. Sorry for my ignorance! Thanks! Eric >-----Original Message----- >From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >Of Christian Kowarzik >Sent: Friday, August 04, 2006 4:40 AM >To: MailScanner discussion >Subject: Re: mailscanner and SMTP AUTH > >Hi > >I use the following spamassassin rules in my >/etc/mail/spamassassin/local.cf to decrease the spamassassin >score for email senders using smtp auth: > > >header __OUR_AUTH Received =~ >/authenticated .* by smtp\.xxx\.de/i >header __NOT_OUR_AUTH Received !~ >/authenticated .* by smtp\.xxx\.de/i >meta INIT_RECVD_OUR_AUTH __OUR_AUTH && ( >__NOT_OUR_AUTH == 0) >describe INIT_RECVD_OUR_AUTH Initially received by >us using authentication >tflags INIT_RECVD_OUR_AUTH nice >score INIT_RECVD_OUR_AUTH -20 > >First I test that the email was received using smtp-auth and >second i test that there exists no >"non-authenticated" received lines in the email header. >So if both conditions are true I know that my email server >initially received that email and the >sender is authenticated. > >Christian > >Radu Spineanu schrieb: >> Hi >> >> Can mailscanner be configured to ignore all checks for >messages sent via >> smtp auth? 
>>
>> In my current setup, when i try to send an email from home using SMTP
>> AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip
>> block was added in rbls as it's used for home use).
>>
>> Radu

From dstraka at caspercollege.edu Fri Aug 4 15:22:04 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Aug 4 15:22:58 2006
Subject: MS Status not Reporting in Logwatch
Message-ID: <44D303AB.61A4.0000.0@caspercollege.edu>

I recently installed a new MailScanner machine with SUSE Enterprise 10 and sendmail, I was previously on RedHat 7.3. Logwatch does not display the MailScanner Status section as it did with Redhat. Also SUSE has different mail logging (ie, several mail log files mail, mail.info, mail.err, mail.warn) whereas Redhat had only the file "maillog".

Can anyone guide me with how to get Logwatch to report the MailScanner Status section for me on this system?

Thanks,

Dan Straka
Systems Coordinator
Casper College
307.268.2399

From listacct at tulsaconnect.com Fri Aug 4 15:50:01 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Aug 4 15:49:56 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To: References: Message-ID: <44D35E99.7020507@tulsaconnect.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote: > >> I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on >> FreeBSD 5.4 without any problems for over 1 year now. > > Good to know! I will try to switch to Mail-ClamAV the next days (today just was not possible as was the new port). If that works out as well (which it will) I will remove the warning from p5-Mail-ClamAV. Thanks! Tried installing Mail-ClamAV from ports, it installed fine (other than the threaded Perl warning), but when I try to use it: Aug 4 09:45:15 mx5 MailScanner[42648]: ClamAV Perl module not found, did you install it? but yet: $ ls -al /var/db/pkg/ | grep ClamAV drwxr-xr-x 2 root wheel 512 Aug 2 11:38 p5-Mail-ClamAV-0.17 ..it is clearly installed.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mailscanner at yeticomputers.com Fri Aug 4 15:57:08 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Aug 4 15:57:18 2006 Subject: blocking out-of-office In-Reply-To: <20060803213821.W10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <44D259D2.6080009@yeticomputers.com> <20060803213821.W10038@defjam.cc.strath.ac.uk> Message-ID: <44D36044.3020804@yeticomputers.com> Jethro R Binks wrote: > On Thu, 3 Aug 2006, Rick Chadderdon wrote: >> who nowadays doesn't know that a corporate account should not be used >> for personal communication? >> > > The people who have not been told that it shouldn't be used for such, and > the people who have been told that it may be used for such. > I guess I wasn't clear at all in my post. The line you quoted was intended to refer to situations where there is no established policy. The latter group you mention clearly does not apply. 
I *do* believe that, by now, most of the former group should be aware (and are aware) that unless it is explicitly allowed, most companies do not want you to use their resources for your own personal needs - and that's what I meant by the sentence you quoted above. > And speaking personally, I find such rules oppressive and offensive. > One's personal life doesn't end when one walks through the office door. > This is the real world. There are, of course, reasonable limits on how > far 'personal use' should extend. Yes. Unfortunately, it has been my experience that a seemingly growing number of people will extend and abuse every tiny privilege you offer them. While I would not work for a place with such rules in place and I do not enforce such rules on my own employees, I can fully understand why a company would do so. One of my clients was able to reduce his bandwidth consumption by about 90% (freeing him from the need to get a larger pipe than his existing T1) by simply having me block the staff's access to any website that was not on a list of sites they needed to do their work. Amazingly, he was also able to reduce his staff by about 50% once all of his people had to do their jobs rather than "socially network". This is entirely a philosophical issue, and I apologize if I appeared to be attacking your beliefs. Rick From mailscanner at yeticomputers.com Fri Aug 4 15:57:13 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Aug 4 15:57:22 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D36049.40407@yeticomputers.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 10:17 PM Rick Chadderdon wrote: > > >> You think so? I strongly disagree. >> > > Fine. German Law does not care about you disagreeing. > [...] > Moreover you as a company can choose to allow private use. > I wasn't referring to situations where the region's prevailing law compels behavior, or where policy allows such use. 
I incorrectly assumed that this was obvious in my post. For that, I apologize. To clarify: If law allows one to set policy whereby personal email can be disallowed, and such policy is set, I don't believe that those who violate such policies should be tolerated or 'respected'. Rick From jgolden at ci.grand-rapids.mi.us Fri Aug 4 15:59:39 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Fri Aug 4 15:59:34 2006 Subject: Retreiving quarntined email/attachments Message-ID: <1154703579.6475.6.camel@doit-b8wsw21.grand-rapids.mi.us> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smiley-4.png Type: image/png Size: 822 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/08ed62a0/smiley-4.png From P.G.M.Peters at utwente.nl Fri Aug 4 16:01:48 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Aug 4 16:01:52 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> Message-ID: <44D3615C.7010709@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote on 4-8-2006 16:10: >> But we have a lot of organizations in our organization. A lot of the >> (bigger) departments run their own exchange. And while the AD is shared >> they still tend to send e-mail from one department to the other through >> SMTP (which is good because it gets scanned by MailScanner). > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > syndrome:-), are you saying you want to block all OoO trying to exit > the "superorganisation" or the ones bouncing around between > suborganisations? 
> SA rule(s) could help you, I suppose, if you want something selective > (PF header_checks are bit limited so wouldn't handle that > gracefully:-). Yes, I would want to block OoO's trying to get outside the university but keep the OoO's flowing between the departments. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE02FcelLo80lrIdIRAgGxAJ9x/m6RodTMYzSngXuwtBj/f1N63ACgizTJ 8un13fmbVhYS17h2P8uPWtw= =UM1D -----END PGP SIGNATURE----- From ssilva at sgvwater.com Fri Aug 4 16:03:01 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 4 16:03:34 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: > Ah yes, the third option... Enlightenment. Unfortunately users are > people, and people a people... and there will always be a few that > simply don't read the guidelines. Sigh. > More like en'lart'enment. As in a big stick to the harder regions of the cranium ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From danc at bluestarshows.com Fri Aug 4 16:07:27 2006 From: danc at bluestarshows.com (Dan Carl) Date: Fri Aug 4 16:10:57 2006 Subject: Sendmail question Message-ID: <003d01c6b7d7$b331e100$0200000a@danc3> Anyone willing to answer a sendmail question? Or atleast point me in the right direction. (I don't have news) I can send mail fine thru my sendmail/Mailerscanner server with windows clients but when I send it thru from my other linux server Yahoo marks it as BULK(spam). 
Thanks
Dan

From cconn at abacom.com Fri Aug 4 16:11:14 2006
From: cconn at abacom.com (Chris Conn)
Date: Fri Aug 4 16:11:20 2006
Subject: ignored messeges
In-Reply-To:
References:
Message-ID: <44D36392.6000009@abacom.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> df files without qf files are just left-over junk from things like
> broken TCP connections and stuff like that. df files without qf files
> (or vice versa) can just be deleted.
>

#!/bin/sh
# Remove stale files from the MailScanner incoming queue.
# Stop if the directory is missing, so rm never runs anywhere else.
cd /var/spool/mqueue.in/ || exit 1
# Regular files only, status changed more than a day ago (counted from midnight).
find ./ -daystart -type f -ctime +1 -print0 | xargs -0 -r rm

Gets rid of files that are a couple of days old or older in the
mqueue.in directory (change it to the right path if not the same).

Chris

> On 4 Aug 2006, at 12:57, D?rfler Andreas wrote:
>
>
>>hey there,
>>
>>i haven't checked my mqueue.in for months .. because i thought
>>everything works fine.
>>that more i'm scared to find about 200 undelivered mails in there
>>
>>short example:
>>-rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005
>>...
>>-rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915
>>-rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049
>>-rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185
>>-rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142
>>-rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047
>>
>>most of em are spam so i don't see a problem, but some are not.
>>
>>don't understand how this can happen because i deliver about
>>6000 mails everyday without any problems.
>>some ignored mails from last year ...
>>
>>from the mail log i take these when restart MS:
>>
>>Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue
>>directory /var/spool/mqueue.in/dfj1C64nMG031005
>>...
>>got this message multible times, but ive senn em first time, >>tried now more times but it wont come again in the logs >> >>i use sendmail, ms 4.55.9 on a suse 9.2 box >> >>greetings >>andy >> >>--free your mind, use open source >>http://www.mono-project.com >> >>ASCII ribbon campaign ( ) >> - against HTML email X >> & vCards / \ >>-- >>MailScanner mailing list >>mailscanner@lists.mailscanner.info >>http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >>Before posting, read http://wiki.mailscanner.info/posting >> >>Support MailScanner development - buy the book off the website! > > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE00/kEfZZRxQVtlQRAjlGAKClFtaRPmYCo6ewuNDQNrP188z0QgCg2xKX > XMpMnj01s3jHrNv1vy+V69A= > =rXe0 > -----END PGP SIGNATURE----- > From glenn.steen at gmail.com Fri Aug 4 17:13:36 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 17:20:35 2006 Subject: blocking out-of-office In-Reply-To: <44D3615C.7010709@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> Message-ID: <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 16:10: > > >> But we have a lot of organizations in our organization. A lot of the > >> (bigger) departments run their own exchange. And while the AD is shared > >> they still tend to send e-mail from one department to the other through > >> SMTP (which is good because it gets scanned by MailScanner). 
> > > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > > syndrome:-), are you saying you want to block all OoO trying to exit > > the "superorganisation" or the ones bouncing around between > > suborganisations? > > SA rule(s) could help you, I suppose, if you want something selective > > (PF header_checks are bit limited so wouldn't handle that > > gracefully:-). > > Yes, I would want to block OoO's trying to get outside the university > but keep the OoO's flowing between the departments. > Well then, you'd have two problems: 1) Identifying an OoO. 2) selectively disallowing them to exit your organization. I'd look into making a set of SA rules to facilitate this. One or two to identify that the message really is an OoO, that it originates from one of your subdomains, and finally one rule to combine those results and giving that one a truly hefty score, pushing it into the high scoring spam category. Either that, or go the CustomFunction route (or perhaps even try to make something out of the generic AV option). My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome (into my first beer and fired up the grill), so I'd not trust myself further than that:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Kevin_Miller at ci.juneau.ak.us Fri Aug 4 17:21:27 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Aug 4 17:21:32 2006 Subject: Sendmail question In-Reply-To: <003d01c6b7d7$b331e100$0200000a@danc3> Message-ID: Dan Carl wrote: > Anyone willing to answer a sendmail question? > Or atleast point me in the right direction. (I don't have news) > I can send mail fine thru my sendmail/Mailerscanner server with > windows clients but when I send it thru from my other linux server > Yahoo marks it as BULK(spam). > Thanks > Dan So Yahoo bounces spam? I'd have thought they were more on the ball than that. 
Not much to go on here - what error's being returned? It might be instructive to see a post from one of your linux boxes. I noted that this one came from Outlook Express. Are you using SPF? If so, do you have all your servers listed? Do your linux servers send directly or do they use mail.bluestarshows.com? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Fri Aug 4 17:11:14 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 17:50:07 2006 Subject: blocking out-of-office In-Reply-To: <44D3615C.7010709@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> Message-ID: <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 16:10: > > >> But we have a lot of organizations in our organization. A lot of the > >> (bigger) departments run their own exchange. And while the AD is shared > >> they still tend to send e-mail from one department to the other through > >> SMTP (which is good because it gets scanned by MailScanner). > > > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > > syndrome:-), are you saying you want to block all OoO trying to exit > > the "superorganisation" or the ones bouncing around between > > suborganisations? > > SA rule(s) could help you, I suppose, if you want something selective > > (PF header_checks are bit limited so wouldn't handle that > > gracefully:-). > > Yes, I would want to block OoO's trying to get outside the university > but keep the OoO's flowing between the departments. 
> Well then, you'd have two problems: 1) Identifying an OoO. 2) selectively disallowing them to exit your organization. I'd look into making a set of SA rules to facilitate this. One or two to identify that the message really is an OoO, that it originates from one of your subdomains, and finally one rule to combine those results and giving that one a truly hefty score, pushing it into the high scoring spam category. Either that, or go the CustomFunction route (or perhaps even try to make something out of the generic AV option). My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome (into my first beer and fired up the grill), so I'd not trust myself further than that:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Fri Aug 4 18:10:08 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Aug 4 18:11:05 2006 Subject: Sendmail question In-Reply-To: References: <003d01c6b7d7$b331e100$0200000a@danc3> Message-ID: Kevin Miller wrote: > Dan Carl wrote: >> Anyone willing to answer a sendmail question? >> Or atleast point me in the right direction. (I don't have news) >> I can send mail fine thru my sendmail/Mailerscanner server with >> windows clients but when I send it thru from my other linux server >> Yahoo marks it as BULK(spam). >> Thanks >> Dan > > So Yahoo bounces spam? I'd have thought they were more on the ball than > that. Not much to go on here - what error's being returned? It might > be instructive to see a post from one of your linux boxes. I noted that > this one came from Outlook Express. He said that Yahoo marks it, not bounces it. > > Are you using SPF? If so, do you have all your servers listed? > > Do your linux servers send directly or do they use > mail.bluestarshows.com? -> good points... 
> > ...Kevin From Kevin_Miller at ci.juneau.ak.us Fri Aug 4 18:14:17 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Aug 4 18:14:20 2006 Subject: filename/type exceptions Message-ID: It's the end of the week, I'd rather be out fishing, and most of my latte is still in the cup so induldge me please if I'm being braindead. A person is trying to send some of my users an .mp3 file but it is blocked. ( I pretty much just go w/the MS defaults for file name/type blocking.) I figured no problem, a ruleset is the way to go. Thing is, the sample rulesets and those I've created in the past have an action of "yes" or "no". The MailScanner.conf says the filename and filetype can be the name of a ruleset, but right now for instance, Filename Rules = %etc-dir%/filename.rules.conf So if I was to make a new ruleset in the rules dir, (ending in .rules of course) what would it look like. I want to maintain the existing filename/type exclusions as a default, but allow this one fellow to send the .mp3 file. Would I have to copy the filename.rules.conf file to something like filename.exceptions.conf, rem out the line for mpegs, the create a filename.rules file that has: From: Joe.Blow@kokomo.com filename.exceptions.conf FromOrTo: default filename.rules.conf Then do the same for filetype? Seems like overkill to have to make a custom filename/type file for each exception but maybe that's how it's done? TIA... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lshaw at emitinc.com Fri Aug 4 18:26:23 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Fri Aug 4 18:26:41 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> Message-ID: On Fri, 4 Aug 2006, Glenn Steen wrote: > On 04/08/06, Peter Peters wrote: >> Yes, I would want to block OoO's trying to get outside the university >> but keep the OoO's flowing between the departments. >> > Well then, you'd have two problems: > 1) Identifying an OoO. > 2) selectively disallowing them to exit your organization. > > I'd look into making a set of SA rules to facilitate this. One or two > to identify that the message really is an OoO, that it originates from > one of your subdomains, and finally one rule to combine those results > and giving that one a truly hefty score, pushing it into the high > scoring spam category. One down side of that approach is that scoring a legit user's message (even if an OoO) as spam will screw up that user's SpamAssassin AWL average, thus affecting the user's other messages. - Logan From TGFurnish at herffjones.com Fri Aug 4 18:27:32 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Fri Aug 4 18:27:35 2006 Subject: simple question? use multiple 'always looked up last' functions? Message-ID: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> What's the best/cleanest/simplest way to use more than one function for Always Looked Up Last? In particular, I'd like to use IPBlock and MailWatch at the same time. Do I have to write a new, combined function? 
Please say no... :-) -- Trever Furnish, tgfurnish@herffjones.com Herff Jones, Inc. Unix / Network Administrator From ckowarzik at email.de Fri Aug 4 18:33:22 2006 From: ckowarzik at email.de (Christian Kowarzik) Date: Fri Aug 4 18:35:40 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <01af01c6b7ce$f24b6090$4f02a8c0@ew> References: <01af01c6b7ce$f24b6090$4f02a8c0@ew> Message-ID: <44D384E2.40205@email.de> Hi Eric ewr@erols.com schrieb: > Thanks Christian! > > I like this idea and think it will work well. I am not entirely up to speed (yet) on how the SA > rules work and have a question about it. > > Does this rule only check the first Received header? No, both rules check all received headers of the mail. > I want to make sure that a forged Received header farther down the email doesn't get the -20 > deduct. The meta rule will *only* match if all received lines in the email are "authenticated". The meta rule will *not* match if there are any "non-authenticated" received headers in the email. And this is exactly what we want ;-) Christian > > Sorry for my ignorance! > > Thanks! 
> > Eric > >> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christian Kowarzik Sent: >> Friday, August 04, 2006 4:40 AM To: MailScanner discussion Subject: Re: mailscanner and SMTP >> AUTH >> >> Hi >> >> I use the following spamassassin rules in my /etc/mail/spamassassin/local.cf to decrease the >> spamassassin score for email senders using smtp auth: >> >> >> header __OUR_AUTH Received =~ /authenticated .* by smtp\.xxx\.de/i header >> __NOT_OUR_AUTH Received !~ /authenticated .* by smtp\.xxx\.de/i meta >> INIT_RECVD_OUR_AUTH __OUR_AUTH && ( __NOT_OUR_AUTH == 0) describe >> INIT_RECVD_OUR_AUTH Initially received by us using authentication tflags >> INIT_RECVD_OUR_AUTH nice score INIT_RECVD_OUR_AUTH -20 >> >> First I test that the email was received using smtp-auth and second i test that there exists no >> "non-authenticated" received lines in the email header. So if both conditions are true I know >> that my email server initially received that email and the sender is authenticated. >> >> Christian >> >> Radu Spineanu schrieb: >>> Hi >>> >>> Can mailscanner be configured to ignore all checks for >> messages sent via >>> smtp auth? >>> >>> In my current setup, when i try to send an email from home using SMTP AUTH it's marked as >>> SPAM because if fails SPF and some RBL checks (ip block was added in rbls as it's used for >>> home use). >>> >>> Radu >> -- MailScanner mailing list mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
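
Added example (not from any poster in this thread): a Python model of how the two `Received` header tests and the `INIT_RECVD_OUR_AUTH` meta rule combine, set beside a per-header check and a topmost-header check, on three constructed header sets that include the lower-down `Received` line Eric asks about. It assumes that SpamAssassin runs a header test once against all `Received` fields joined by newlines, and that the field added by smtp.xxx.de is the topmost one; the function names and sample headers are made up for the illustration.

```python
import re

# Pattern shared by both header tests in the thread; smtp.xxx.de is the
# thread's own placeholder for the receiving server.
AUTH_RE = re.compile(r"authenticated .* by smtp\.xxx\.de", re.IGNORECASE)


def unfold(field):
    """Collapse a folded header field body onto one line."""
    return " ".join(field.split())


def header_test_input(received):
    # Assumption: a header test on "Received" is run once against all
    # Received fields joined with newlines, not once per field.
    return "\n".join(unfold(f) for f in received)


def thread_rules(received):
    """Evaluate the three rules from the thread under that assumption."""
    text = header_test_input(received)
    our_auth = AUTH_RE.search(text) is not None      # Received =~ /.../i
    not_our_auth = AUTH_RE.search(text) is None      # Received !~ /.../i
    return {
        "__OUR_AUTH": our_auth,
        "__NOT_OUR_AUTH": not_our_auth,
        # meta: __OUR_AUTH && (__NOT_OUR_AUTH == 0)
        "INIT_RECVD_OUR_AUTH": our_auth and not not_our_auth,
    }


def every_hop_authenticated(received):
    """Per-field check: every Received field carries the auth marker."""
    return bool(received) and all(AUTH_RE.search(unfold(f)) for f in received)


def topmost_hop_authenticated(received):
    """Only the first field, the one prepended by the receiving server."""
    return bool(received) and AUTH_RE.search(unfold(received[0])) is not None


# Constructed sample headers, listed top to bottom as they appear in a message.
SAMPLES = {
    "authenticated submission": [
        "from home.example.org (home.example.org [192.0.2.10])\n"
        "\t(authenticated bits=0)\n"
        "\tby smtp.xxx.de (8.12.11/8.12.11) with ESMTP id k74A000001;\n"
        "\tFri, 4 Aug 2006 10:00:00 +0200",
    ],
    "plain inbound mail": [
        "from mx.example.net (mx.example.net [198.51.100.7])\n"
        "\tby smtp.xxx.de (8.12.11/8.12.11) with ESMTP id k74A000002;\n"
        "\tFri, 4 Aug 2006 10:05:00 +0200",
    ],
    "inbound with marker in a lower field": [
        # Added by our server: no authentication took place.
        "from mx.example.net (mx.example.net [198.51.100.7])\n"
        "\tby smtp.xxx.de (8.12.11/8.12.11) with ESMTP id k74A000003;\n"
        "\tFri, 4 Aug 2006 10:10:00 +0200",
        # Already present when the message arrived, so written by the sender.
        "from pc (pc [203.0.113.5]) (authenticated bits=0)\n"
        "\tby smtp.xxx.de (8.12.11/8.12.11) with ESMTP id k74A000000;\n"
        "\tFri, 4 Aug 2006 09:00:00 +0200",
    ],
}


def compare(samples):
    """Return, per sample, (meta rule hit, every hop, topmost hop)."""
    return {
        name: (
            thread_rules(fields)["INIT_RECVD_OUR_AUTH"],
            every_hop_authenticated(fields),
            topmost_hop_authenticated(fields),
        )
        for name, fields in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':40} {'meta':>6} {'every':>6} {'top':>6}")
    for name, (meta, every, top) in compare(SAMPLES).items():
        print(f"{name:40} {meta!s:>6} {every!s:>6} {top!s:>6}")
```

Under the stated assumption the two header tests are exact complements, so the meta rule hits whenever any one `Received` field matches; the per-field and topmost-field checks are the ones that separate the third sample from the first.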
>

From mgt at stellarcore.net Fri Aug 4 18:55:53 2006
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Aug 4 18:56:03 2006
Subject: Subject: MS Status not Reporting in Logwatch
In-Reply-To: <200608041741.k74HfrM5013558@bkserver.blacknight.ie>
References: <200608041741.k74HfrM5013558@bkserver.blacknight.ie>
Message-ID: <1154714153.3202.10.camel@dwarfstar.stellarcore.net>

> From: "Daniel Straka"
> Subject: MS Status not Reporting in Logwatch
> To:
> Message-ID: <44D303AB.61A4.0000.0@caspercollege.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> I recently installed a new MailScanner machine with SUSE Enterprise 10
> and sendmail, I was previously on RedHat 7.3. Logwatch does not
> display
> the MailScanner Status section as it did with Redhat. Also SUSE has
> different
> mail logging (ie, several mail log files mail, mail.info, mail.err,
> mail.warn)
> whereas Redhat had only the file "maillog".
>
> Can anyone guide me with how to get Logwatch to report the MailScanner
> Status section for me on this system?
>
> Thanks,

I don't have SuSE to verify the paths but the general idea is to copy

/usr/share/logwatch/default.conf/logfiles/maillog.conf

to

/etc/logwatch/conf/logfiles/maillog.conf

And edit

LogFile = maillog
LogFile = syslog

To cover all the logfiles you want to look at.

[This is one of the reasons there is a dist.conf directory also so
distribution can set this stuff up for you.
:/]

Any follow ups to this should go to logwatch at logwatch org as this is
not a MailScanner problem - Thanks

-Mike

From ckowarzik at email.de Fri Aug 4 19:02:32 2006
From: ckowarzik at email.de (Christian Kowarzik)
Date: Fri Aug 4 19:00:08 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D307CE.7020806@email.de>
References: <44D134DF.3080102@smartpost.ro> <44D307CE.7020806@email.de>
Message-ID: <44D38BB8.7060605@email.de>

Hi

This works for sendmail received headers (we use sendmail 8.12.11-4 on
RHEL3) as sendmail adds the word "authenticated" (and more) to the
received header if the email was received using smtp-auth.

For the format of your received header, look for "HReceived:" in your
sendmail.cf or for "confRECEIVED_HEADER" in your sendmail.mc.

Christian

Christian Kowarzik wrote:
> Hi
>
> I use the following spamassassin rules in my
> /etc/mail/spamassassin/local.cf to decrease the spamassassin score for
> email senders using smtp auth:
>
>
> header   __OUR_AUTH           Received =~ /authenticated .* by smtp\.xxx\.de/i
> header   __NOT_OUR_AUTH       Received !~ /authenticated .* by smtp\.xxx\.de/i
> meta     INIT_RECVD_OUR_AUTH  __OUR_AUTH && ( __NOT_OUR_AUTH == 0)
> describe INIT_RECVD_OUR_AUTH  Initially received by us using authentication
> tflags   INIT_RECVD_OUR_AUTH  nice
> score    INIT_RECVD_OUR_AUTH  -20
>
> First I test that the email was received using smtp-auth and second I
> test that there exists no "non-authenticated" received lines in the
> email header.
> So if both conditions are true I know that my email server initially
> received that email and the sender is authenticated.
>
> Christian
>
> Radu Spineanu wrote:
>> Hi
>>
>> Can mailscanner be configured to ignore all checks for messages sent via
>> smtp auth?
>>
>> In my current setup, when i try to send an email from home using SMTP
>> AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip
>> block was added in rbls as it's used for home use).
>> >> Radu From radus at smartpost.ro Fri Aug 4 19:22:01 2006 From: radus at smartpost.ro (Radu Spineanu) Date: Fri Aug 4 19:22:08 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D38BB8.7060605@email.de> References: <44D134DF.3080102@smartpost.ro> <44D307CE.7020806@email.de> <44D38BB8.7060605@email.de> Message-ID: <44D39049.5050808@smartpost.ro> Hi For postfix i think "smtpd_sasl_authenticated_header" is needed which was added in 2.3. Radu Christian Kowarzik wrote: > Hi > > This works for sendmail received headers (we use sendmail 8.12.11-4 on > RHEL3) as sendmail adds the word "authenticated" (and more) to the > received header if the email was received using smtp-auth. > > For the format of your received header, look for "HReceived:" in your > your sendmail.cf or for "confRECEIVED_HEADER" in your sendmail.mc. > > Christian > > Christian Kowarzik schrieb: >> Hi >> >> I use the following spamassassin rules in my >> /etc/mail/spamassassin/local.cf to decrease the spamassassin score for >> email senders using smtp auth: >> >> >> header __OUR_AUTH Received =~ /authenticated .* >> by smtp\.xxx\.de/i >> header __NOT_OUR_AUTH Received !~ /authenticated .* >> by smtp\.xxx\.de/i >> meta INIT_RECVD_OUR_AUTH __OUR_AUTH && ( __NOT_OUR_AUTH >> == 0) >> describe INIT_RECVD_OUR_AUTH Initially received by us using >> authentication >> tflags INIT_RECVD_OUR_AUTH nice >> score INIT_RECVD_OUR_AUTH -20 >> >> First I test that the email was received using smtp-auth and second i >> test that there exists no "non-authenticated" received lines in the >> email header. >> So if both conditions are true I know that my email server initially >> received that email and the sender is authenticated. >> >> Christian >> >> Radu Spineanu schrieb: >>> Hi >>> >>> Can mailscanner be configured to ignore all checks for messages sent via >>> smtp auth? 
>>> >>> In my current setup, when i try to send an email from home using SMTP >>> AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip >>> block was added in rbls as it's used for home use). >>> >>> Radu From mailscanner at ecs.soton.ac.uk Fri Aug 4 21:39:00 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 4 21:39:14 2006 Subject: simple question? use multiple 'always looked up last' functions? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> Message-ID: <44D3B064.9000809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Furnish, Trever G wrote: > What's the best/cleanest/simplest way to use more than one function for > Always Looked Up Last? > > In particular, I'd like to use IPBlock and MailWatch at the same time. > Do I have to write a new, combined function? Please say no... :-) You need to write a combined function that just calls the others. So yes, but it only needs to be a 2-liner. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE07BmEfZZRxQVtlQRAmEEAKDaJAF+L4aa4Av6/vbZk/2lbL2JFwCgowoc E1BuFUg/iZhZFb1nUmNhzwo= =1TBD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
From jgolden at ci.grand-rapids.mi.us Fri Aug 4 21:38:43 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Fri Aug 4 21:41:10 2006 Subject: Retreiving attachments Message-ID: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> Hello, I've have been wasting my whole day trying to figure out how to do this. Can anyone could help besides telling me to install Mailwatch (because it's not an option right now). I have messages that are being snagged by MailScanner because the attachment is too large. When I go to the directory the attachment is in binary in the message. I tried using a sendmail -t < message, but of course it gets snagged again by MS. Is there an option I'm missing to store the attachments seperatly from the message, is there a way to send this on without it bieng scanned? Is there a way to get the attachement out of the message? I need help soon as this is becoming a large issue today (about 6 end users) and my boss is hearing about it! Thanks, James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/b344842d/attachment.html From r.berber at computer.org Fri Aug 4 21:40:32 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Fri Aug 4 21:41:14 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D35E99.7020507@tulsaconnect.com> References: <44D35E99.7020507@tulsaconnect.com> Message-ID: TCIS wrote: [snip] > Tried installing Mail-ClamAV from ports, it installed fine (other than > the threaded Perl warning), but when I try to use it: > > Aug 4 09:45:15 mx5 MailScanner[42648]: ClamAV Perl module not found, > did you install it? Do you have more than one perl version installed? > but yet: > > $ ls -al /var/db/pkg/ | grep ClamAV > drwxr-xr-x 2 root wheel 512 Aug 2 11:38 p5-Mail-ClamAV-0.17 > > ..it is clearly installed.. Clearly? 
Use cpan, inside the shell use "i Mail::ClamAV" that will tell you if it really is installed. If you have more than one version of perl, then make sure the module was installed to the same perl used by MailScanner. -- Ren? Berber From mailscanner at ecs.soton.ac.uk Fri Aug 4 21:41:38 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 4 21:41:51 2006 Subject: filename/type exceptions In-Reply-To: References: Message-ID: <44D3B102.50304@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > It's the end of the week, I'd rather be out fishing, and most of my > latte is still in the cup so induldge me please if I'm being braindead. > A person is trying to send some of my users an .mp3 file but it is > blocked. ( I pretty much just go w/the MS defaults for file name/type > blocking.) I figured no problem, a ruleset is the way to go. Thing is, > the sample rulesets and those I've created in the past have an action of > "yes" or "no". > > The MailScanner.conf says the filename and filetype can be the name of a > ruleset, but right now for instance, > Filename Rules = %etc-dir%/filename.rules.conf > > So if I was to make a new ruleset in the rules dir, (ending in .rules of > course) what would it look like. I want to maintain the existing > filename/type exclusions as a default, but allow this one fellow to send > the .mp3 file. > > Would I have to copy the filename.rules.conf file to something like > filename.exceptions.conf, rem out the line for mpegs, the create a > filename.rules file that has: > > From: Joe.Blow@kokomo.com filename.exceptions.conf > FromOrTo: default filename.rules.conf > > Then do the same for filetype? > > Seems like overkill to have to make a custom filename/type file for each > exception but maybe that's how it's done? The easy solution is to see the "Allow Filetypes" setting in MailScanner.conf. This saves you having to mess around with multiple filetype.rules.conf files. 
Similar for filenames as well. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE07EEEfZZRxQVtlQRAnvsAJ9UsHeSGMAbbhbXO7cp2T++aHGqhQCgo4q/ pWGePXZNHxhbEtIqTzoF6K4= =/ac5 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From jgolden at ci.grand-rapids.mi.us Fri Aug 4 22:10:19 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Fri Aug 4 22:09:51 2006 Subject: Retreiving attachments In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> References: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <1154725820.8831.6.camel@doit-b8wsw21.grand-rapids.mi.us> The attachments seem to be .doc or .xls or others and the client always seems to be Outlook. On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > Hello, > > I've have been wasting my whole day trying to figure out how to do > this. Can anyone could help besides telling me to install Mailwatch > (because it's not an option right now). > > I have messages that are being snagged by MailScanner because the > attachment is too large. When I go to the directory the attachment is > in binary in the message. > > I tried using a sendmail -t < message, but of course it gets snagged > again by MS. Is there an option I'm missing to store the attachments > separately from the message, is there a way to send this on without it > being scanned? Is there a way to get the attachment out of the > message? 
> > I need help soon as this is becoming a large issue today (about 6 end > users) and my boss is hearing about it! > > Thanks, > > James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/fa919d9c/attachment.html From dwinkler at algorithmics.com Fri Aug 4 21:07:09 2006 From: dwinkler at algorithmics.com (Derek Winkler) Date: Fri Aug 4 22:14:56 2006 Subject: http://lists.mailscanner.info/mailman/listinfo/mailscanner not Wo rking Message-ID: <23675CFC52BBC44EB355406A3A8A0491FC9CB0@TORMAIL.algorithmics.com> I can't access the list management URL... http://lists.mailscanner.info/mailman/listinfo/mailscanner Trying to disable mail delivery as I'll be turning on OoO, please forgive me if you get my OoO. This email and any files transmitted with it are confidential and proprietary to Algorithmics Incorporated and its affiliates ("Algorithmics"). If received in error, use is prohibited. Please destroy, and notify sender. Sender does not waive confidentiality or privilege. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. Algorithmics does not accept liability for any errors or omissions. Any commitment intended to bind Algorithmics must be reduced to writing and signed by an authorized signatory. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/90450ee4/attachment.html From mailscanner at yeticomputers.com Fri Aug 4 22:17:31 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Aug 4 22:17:43 2006 Subject: Retreiving attachments In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> References: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <44D3B96B.8030908@yeticomputers.com> You could try increasing the maximum allowed attachment size temporarily and resubmitting those messages. Maybe consider permanently increasing the maximum attachment size to accommodate the files your users actually send. Try to get your boss to let you limit the size to something reasonable, although I know how hard that can be. Rick Golden, James wrote: > Hello, > > I've have been wasting my whole day trying to figure out how to do > this. Can anyone could help besides telling me to install Mailwatch > (because it's not an option right now). > > I have messages that are being snagged by MailScanner because the > attachment is too large. When I go to the directory the attachment is > in binary in the message. > > I tried using a sendmail -t < message, but of course it gets snagged > again by MS. Is there an option I'm missing to store the attachments > seperatly from the message, is there a way to send this on without it > bieng scanned? Is there a way to get the attachement out of the message? > > I need help soon as this is becoming a large issue today (about 6 end > users) and my boss is hearing about it! 
> > Thanks, > > James From ssilva at sgvwater.com Fri Aug 4 22:48:16 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 4 22:48:28 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/4/2006 9:13 AM: > On 04/08/06, Peter Peters wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote on 4-8-2006 16:10: >> >> >> But we have a lot of organizations in our organization. A lot of the >> >> (bigger) departments run their own exchange. And while the AD is >> shared >> >> they still tend to send e-mail from one department to the other >> through >> >> SMTP (which is good because it gets scanned by MailScanner). >> > >> > Um, I'm feeling more than the usual tad slow here (Friday afternoon >> > syndrome:-), are you saying you want to block all OoO trying to exit >> > the "superorganisation" or the ones bouncing around between >> > suborganisations? >> > SA rule(s) could help you, I suppose, if you want something selective >> > (PF header_checks are bit limited so wouldn't handle that >> > gracefully:-). >> >> Yes, I would want to block OoO's trying to get outside the university >> but keep the OoO's flowing between the departments. >> > Well then, you'd have two problems: > 1) Identifying an OoO. > 2) selectively disallowing them to exit your organization. > > I'd look into making a set of SA rules to facilitate this. 
One or two > to identify that the message really is an OoO, that it originates from > one of your subdomains, and finally one rule to combine those results > and giving that one a truly hefty score, pushing it into the high > scoring spam category. > Either that, or go the CustomFunction route (or perhaps even try to > make something out of the generic AV option). > My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome > (into my first beer and fired up the grill), so I'd not trust myself > further than that:-) > > Cheers Tip one for us!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From steve.swaney at fsl.com Fri Aug 4 22:50:49 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Fri Aug 4 22:48:58 2006 Subject: Retreiving attachments In-Reply-To: <1154725820.8831.6.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Golden, James > Sent: Friday, August 04, 2006 5:10 PM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > The attachments seem to be .doc or .xls or others and the client always > seems to be Outlook. > > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > > > Hello, > > I've have been wasting my whole day trying to figure out how to do > this. Can anyone could help besides telling me to install Mailwatch > (because it's not an option right now). > > I have messages that are being snagged by MailScanner because the > attachment is too large. When I go to the directory the attachment is in > binary in the message. > > I tried using a sendmail -t < message, but of course it gets snagged > again by MS. Is there an option I'm missing to store the attachments > separately from the message, is there a way to send this on without it > being scanned? 
Is there a way to get the attachment out of the message?
>
> I need help soon as this is becoming a large issue today (about 6
> end users) and my boss is hearing about it!
>
> Thanks,
>
> James

You need to create rule sets that exempt the localhost from attachment filename and filetype checking. If you have a Red Hat, CentOS or SuSE system, the following paths will be correct. They will vary on other systems but the same principles will work.

First create two files:

/etc/MailScanner/filename.rules.allowall.conf
/etc/MailScanner/filetype.rules.allowall.conf

The contents of each file will be identical:

allow *. - -

The spaces MUST be Tabs so the contents of both files is really:

allow*.->Tab>-

Then create the file /etc/MailScanner/rules/filename.rules. The contents of this file should be:

# Allow all filenames from localhost
From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf
# Default entry
FromOrTo: default /etc/MailScanner/filename.rules.conf

Then create the file /etc/MailScanner/rules/filetype.rules. The contents of this file should be:

# Allow all filetypes from localhost
From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf
# Default entry
FromOrTo: default /etc/MailScanner/filetype.rules.conf

Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting for Filename Rules to be:

Filename Rules = %rules-dir%/filename.rules

And change the setting for Filetype Rules to be:

Filetype Rules = %rules-dir%/filetype.rules

Then reload MailScanner.

You should now be able to release the files using the `sendmail -t < message` command without MailScanner re-quarantining the files.

Have a nice weekend.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From listacct at tulsaconnect.com Fri Aug 4 22:57:51 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Aug 4 22:57:54 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To:
References: <44D35E99.7020507@tulsaconnect.com>
Message-ID: <44D3C2DF.8090303@tulsaconnect.com>

René Berber wrote:
> Do you have more than one perl version installed?
>

Nope. Fresh FreeBSD 6.1 install..

> Clearly? Use cpan, inside the shell use "i Mail::ClamAV" that will tell you if
> it really is installed.
>
> If you have more than one version of perl, then make sure the module was
> installed to the same perl used by MailScanner.

Module id = Mail::ClamAV
    CPAN_USERID  SABECK (Scott Beck )
    CPAN_VERSION 0.17
    CPAN_FILE    S/SA/SABECK/Mail-ClamAV-0.17.tar.gz
    UPLOAD_DATE  2005-03-08
    DSLIP_STATUS (,,,,)
    MANPAGE      Mail::ClamAV - Perl extension for the clamav virus scanner
    INST_FILE    /usr/local/lib/perl5/site_perl/5.8.8/mach/Mail/ClamAV.pm
    INST_VERSION 0.17

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From danc at bluestarshows.com Fri Aug 4 22:58:12 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Fri Aug 4 23:01:47 2006
Subject: Sendmail question
References: <003d01c6b7d7$b331e100$0200000a@danc3>
Message-ID: <001901c6b811$1525ee40$0200000a@danc3>

I got it to work via mutt but not using PHP.
Yahoo marks it as bulk because the Return-Path: nobody@mydomain.com
If I use the -f I can change the Return-Path: but then Yahoo marks it as bulk because of this:
X-Authentication-Warning mydomain.com: nobody set sender to me@mydomain.com using -f

Sorry about the off-topic post, time to search Google.

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Friday, August 04, 2006 12:10 PM
Subject: Re: Sendmail question

> Kevin Miller wrote:
> > Dan Carl wrote:
> >> Anyone willing to answer a sendmail question?
> >> Or at least point me in the right direction.
(I don't have news) > >> I can send mail fine thru my sendmail/Mailerscanner server with > >> windows clients but when I send it thru from my other linux server > >> Yahoo marks it as BULK(spam). > >> Thanks > >> Dan > > > > So Yahoo bounces spam? I'd have thought they were more on the ball than > > that. Not much to go on here - what error's being returned? It might > > be instructive to see a post from one of your linux boxes. I noted that > > this one came from Outlook Express. > > He said that Yahoo marks it, not bounces it. > > > > > Are you using SPF? If so, do you have all your servers listed? > > > > Do your linux servers send directly or do they use > > mail.bluestarshows.com? > > -> good points... > > > > > ...Kevin > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From steve.swaney at fsl.com Fri Aug 4 23:12:42 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Fri Aug 4 23:10:51 2006 Subject: Retreiving attachments In-Reply-To: <44D3B96B.8030908@yeticomputers.com> Message-ID: <0ba401c6b813$1ceea890$287ba8c0@office.fsl> Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rick Chadderdon > Sent: Friday, August 04, 2006 5:18 PM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > You could try increasing the maximum allowed attachment size temporarily > and resubmitting those messages. Maybe consider permanently increasing > the maximum attachment size to accommodate the files your users actually > send. Try to get your boss to let you limit the size to something > reasonable, although I know how hard that can be. 
>
> Rick
>
> Golden, James wrote:
> > Hello,
> >
> > I have been wasting my whole day trying to figure out how to do
> > this. Can anyone help besides telling me to install Mailwatch
> > (because it's not an option right now).
> >
> > I have messages that are being snagged by MailScanner because the
> > attachment is too large. When I go to the directory the attachment is
> > in binary in the message.
> >
> > I tried using a sendmail -t < message, but of course it gets snagged
> > again by MS. Is there an option I'm missing to store the attachments
> > separately from the message, is there a way to send this on without it
> > being scanned? Is there a way to get the attachment out of the
> message?
> >
> > I need help soon as this is becoming a large issue today (about 6 end
> > users) and my boss is hearing about it!
> >
> > Thanks,
> >
> > James

Sorry I misunderstood. My previous posting will allow the release of messages that have been trapped by filename filetype rules.

To release a message that has an attachment that is too large, just temporarily remove the Maximum Attachment Size limit in MailScanner.conf:

Minimum Attachment Size = 0

Release the message and then set back to the original setting.

You could also create a ruleset:

Minimum Attachment Size = %rules-dir%/max.attachment.rules

where /etc/MailScanner/rules/max.attachment.rules contains:

# allow anything for local host
From: 127.0.0.1 0
FromOrTo: default 10000000

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From res at ausics.net Sat Aug 5 04:38:22 2006
From: res at ausics.net (Res)
Date: Sat Aug 5 04:38:36 2006
Subject: Sendmail question
In-Reply-To:
References: <003d01c6b7d7$b331e100$0200000a@danc3>
Message-ID:

On Fri, 4 Aug 2006, Ugo Bellavance wrote:
>
> He said that Yahoo marks it, not bounces it.
pity they did not mark their own spamming scum as spammers

--
Cheers
Res

From alex at nkpanama.com Sat Aug 5 06:28:21 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Aug 5 06:28:44 2006
Subject: ignored messeges
In-Reply-To: <44D36392.6000009@abacom.com>
References: <44D36392.6000009@abacom.com>
Message-ID: <44D42C75.7000303@nkpanama.com>

Chris Conn wrote:
>
>
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> df files without qf files are just left-over junk from things like
>> broken TCP connections and stuff like that. df files without qf
>> files (or vice versa) can just be deleted.
>>
>
> #!/bin/sh
>
> cd /var/spool/mqueue.in/
> find ./ -daystart -ctime +1|xargs rm
>
>
> Gets rid of files that are a couple of days old or older in the
> mqueue.in directory (change it to the right path if not the same).
>
> Chris
>

Shouldn't it read...

find ./ -daystart -ctime +1|xargs -r rm

... so that if there aren't any files to delete you won't get an error message?

From glenn.steen at gmail.com Sat Aug 5 08:47:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 5 08:47:49 2006
Subject: blocking out-of-office
In-Reply-To:
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com>
Message-ID: <223f97700608050047x3b63e572g2a8fc95b517527f7@mail.gmail.com>

On 04/08/06, Logan Shaw wrote:
> On Fri, 4 Aug 2006, Glenn Steen wrote:
> > On 04/08/06, Peter Peters wrote:
> >> Yes, I would want to block OoO's trying to get outside the university
> >> but keep the OoO's flowing between the departments.
> >>
> > Well then, you'd have two problems:
> > 1) Identifying an OoO.
> > 2) selectively disallowing them to exit your organization.
> > > > I'd look into making a set of SA rules to facilitate this. One or two > > to identify that the message really is an OoO, that it originates from > > one of your subdomains, and finally one rule to combine those results > > and giving that one a truly hefty score, pushing it into the high > > scoring spam category. > > One down side of that approach is that scoring a legit user's > message (even if an OoO) as spam will screw up that user's > SpamAssassin AWL average, thus affecting the user's other > messages. > > - Logan Yep. But that would be where MCP could make a difference... If one can get the two different calls to SA to not interfere with each other (I started looking at MCP earlier this week, and I have some doubts... Need to check more before airing those doubts on the list though. Might be me misunderstanding something:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bgmahesh at gmail.com Sat Aug 5 08:50:29 2006 From: bgmahesh at gmail.com (BG Mahesh) Date: Sat Aug 5 08:50:31 2006 Subject: Envelope-To and Bcc Message-ID: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com> # Do you want to add the Envelope-To: header? # This can be useful for tracking spam destinations, but should be # used with care due to possible privacy concerns with the use of # Bcc: headers by users. # This can also be the filename of a ruleset. Add Envelope To Header = no Is there anyway to use the above feature without comprimising on privacy? I see that bcc info is included in the Envelope-To line [as clearly mentioned in the docs]. -- -- B.G. Mahesh http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060805/f91a2377/attachment.html From glenn.steen at gmail.com Sat Aug 5 08:50:39 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Aug 5 08:50:42 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> Message-ID: <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com> On 04/08/06, Scott Silva wrote: > Glenn Steen spake the following on 8/4/2006 9:13 AM: (snip) > > My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome > > (into my first beer and fired up the grill), so I'd not trust myself > > further than that:-) > > > > Cheers > Tip one for us!!! My headache tells me that I tipped not only one, but several.... So... Feel duly saluted;-). Now where did I put that hangover rectification tool (HORT == aspirin;)... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From chrisgreen at hotmail.com Sat Aug 5 09:28:28 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Sat Aug 5 09:28:36 2006 Subject: blocking out-of-office In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local> Message-ID: Billy Pumphrey wrote: > > >>My employees report that when they have the out of office turned on >they > > >>receive more spam..... > > > > > > > > >I don't know how the two are related. Most spam I see doesn't have a > > valid > > >reply address. > > > > > >My suggestion is to use a *nix based autoresponder. Have it only >reply to > > >addresses in your address book. Or better yet, ditch the >autoresponder. 
> > > > > Spam comes in and gets through filter > > Out Of Office AutoReply goes out > > Boiiiing! - NDR arrives in inbox > > Therefore spam, in the implied sense of the word, would double. > > > > It pollutes auto-whitelists too, but doesn't usually expose you to >more > > spam > > because bogus addresses are unlikely to be reused. > > > > > >Makes sense. I also assume that Outlook 2003's client side filter sends >out a Out of Office response to the filtered spam that ends up in the >junk mail folder. True? If you are using Exchange 2003 behind Outlook 2003 the spam detection is done at the server end rather than by Outlook, so spam that it successfully detects (which is nowhere near the detection rate for MailScanner) never hits your inbox at all. As per http://go.microsoft.com/fwlink/?LinkId=31729 "Rules and the Junk E-mail Filter Rules are now designed so that they do not act on messages that are moved to the Junk E-mail folder. This keeps e-mail you mark as junk in the correct place rather than moving it to another folder according to a rule that would otherwise apply." I can't be absolutely certain because it's tough to test it out, but I expect the OoO will not fire either as it seems to be a glorified rule itself - too illogical for Microsoft to miss this one. From chrisgreen at hotmail.com Sat Aug 5 09:41:00 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Sat Aug 5 09:41:08 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local> Message-ID: Hi everyone, Hope the hangovers are wearing off nicely :-) That previous question about Outlook's out-of-office behaviour got me thinking, and Google doesn't seem to want to give me an answer. Does anyone know if it's possible to configure a Spam Action which would cause Outlook to move the email into the Junk E-mail folder without setting up a rule on every single users mailbox? 
A special header that would fire the Outlook filter perhaps? Chris From mailscanner at mango.zw Sat Aug 5 10:17:27 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Aug 5 10:19:15 2006 Subject: Retreiving attachments In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: On Fri, 4 Aug 2006, Golden, James wrote: > I've have been wasting my whole day trying to figure out how to do this. > Can anyone could help besides telling me to install Mailwatch (because > it's not an option right now). > > I have messages that are being snagged by MailScanner because the > attachment is too large. When I go to the directory the attachment is > in binary in the message. > > I tried using a sendmail -t < message, but of course it gets snagged > again by MS. Is there an option I'm missing to store the attachments > seperatly from the message, is there a way to send this on without it > bieng scanned? Is there a way to get the attachement out of the > message? > > I need help soon as this is becoming a large issue today (about 6 end > users) and my boss is hearing about it! I just use the following command: sendmail -i -Am user@domain < message as that will bypass MailScanner. Using -t may send the message to unwanted recipients, so I prefer to be explicit with the recipient address. The -i is just a precaution in case the message contains a single line with only a dot in it, which would otherwise be interpreted as the end of the message. 
For convenience I have the following alias in .bashrc:

alias send='/usr/sbin/sendmail -i -Am'

so I can just enter the command as:

send user@domain < message

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From mailscanner at ecs.soton.ac.uk Sat Aug 5 11:42:58 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 5 11:43:16 2006
Subject: Envelope-To and Bcc
In-Reply-To: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com>
References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com>
Message-ID: <44D47632.4060104@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BG Mahesh wrote:
>
> # Do you want to add the Envelope-To: header?
> # This can be useful for tracking spam destinations, but should be
> # used with care due to possible privacy concerns with the use of
> # Bcc: headers by users.
> # This can also be the filename of a ruleset.
> Add Envelope To Header = no
>
> Is there any way to use the above feature without compromising on
> privacy? I see that bcc info is included in the Envelope-To line [as
> clearly mentioned in the docs].

No. Top marks for understanding the problem though, most people miss the point completely :-)

I just use the setting for testing rulesets.

It includes the Bcc as that is just a list of extra recipients who happen not to appear in the headers. Otherwise they are perfectly normal recipients, just like the To and Cc lists are.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!
-----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE1HY0EfZZRxQVtlQRAqYzAKCmrVW3exEb88XGxSi7VgFRPU4zQACcC/QG PUP137gIvs9AHuP6h1xBqHc= =kS26 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From bgmahesh at gmail.com Sat Aug 5 13:51:24 2006 From: bgmahesh at gmail.com (BG Mahesh) Date: Sat Aug 5 13:51:27 2006 Subject: Envelope-To and Bcc In-Reply-To: <44D47632.4060104@ecs.soton.ac.uk> References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com> <44D47632.4060104@ecs.soton.ac.uk> Message-ID: <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com> On 8/5/06, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > BG Mahesh wrote: > > > > # Do you want to add the Envelope-To: header? > > # This can be useful for tracking spam destinations, but should be > > # used with care due to possible privacy concerns with the use of > > # Bcc: headers by users. > > # This can also be the filename of a ruleset. > > Add Envelope To Header = no > > > > Is there anyway to use the above feature without comprimising on > > privacy? I see that bcc info is included in the Envelope-To line [as > > clearly mentioned in the docs]. > > No. Top marks for understanding the problem though, most people miss the > point completely :-) > > I just use the setting for testing rulesets. > > It includes the Bcc as that is just a list of extra recipients who > happen not to appear in the headers. Otherwise they are perfectly normal > recipients, just like the To and Cc lists are. > > - - I somehow need sendmail to add another line like X-Rcpt-To which has just ONE email id and our other email server [mdaemon] that downloads the emails from a common pop account will use that field to deliver the email. 
Currently Mdaemon is getting totally confused on whom to deliver the email without this line :-( -- Mahesh -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060805/02c93af8/attachment.html From cconn at abacom.com Sat Aug 5 13:52:59 2006 From: cconn at abacom.com (Chris Conn) Date: Sat Aug 5 13:53:06 2006 Subject: ignored messeges In-Reply-To: <44D42C75.7000303@nkpanama.com> References: <44D36392.6000009@abacom.com> <44D42C75.7000303@nkpanama.com> Message-ID: <44D494AB.7000506@abacom.com> >> > Shouldn't it read... > > find ./ -daystart -ctime +1|xargs -r rm > > ... so that if there aren't any files to delete you won't get an error > message? =) Assuming there are sometimes no files to delete, yes =) Thanks, Chris From mike at vesol.com Sat Aug 5 15:39:02 2006 From: mike at vesol.com (Mike Kercher) Date: Sat Aug 5 15:39:14 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Green > Sent: Saturday, August 05, 2006 3:41 AM > To: mailscanner@lists.mailscanner.info > Subject: Triggering Outlook's Junk E-mail filter > > Hi everyone, > > Hope the hangovers are wearing off nicely :-) > > That previous question about Outlook's out-of-office > behaviour got me thinking, and Google doesn't seem to want to > give me an answer. > > Does anyone know if it's possible to configure a Spam Action > which would cause Outlook to move the email into the Junk > E-mail folder without setting up a rule on every single users > mailbox? A special header that would fire the Outlook filter perhaps? > > > Chris What would happen if a user had the Junk Filtering turned off? 
Mike From chrisgreen at hotmail.com Sat Aug 5 16:02:54 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Sat Aug 5 16:03:01 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: Mike Kercher wrote: > > > > Hi everyone, > > > > Hope the hangovers are wearing off nicely :-) > > > > That previous question about Outlook's out-of-office > > behaviour got me thinking, and Google doesn't seem to want to > > give me an answer. > > > > Does anyone know if it's possible to configure a Spam Action > > which would cause Outlook to move the email into the Junk > > E-mail folder without setting up a rule on every single users > > mailbox? A special header that would fire the Outlook filter perhaps? > >What would happen if a user had the Junk Filtering turned off? > They would be encouraged to turn it back on :-) I would expect that if they had gone in and changed this from the default they were either a) advanced users with alternative solutions; b) clever enough to realise it could result in more spam; or c) previously employed by Sainsbury's as the trolley-boy and found it a bit too mentally challenging. Apologies to all for forgetting to flag this OT. I have posted the same question on an Outlook discussion list and will share the answer here if I get one. From mailscanner at ecs.soton.ac.uk Sat Aug 5 21:13:15 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 5 21:13:33 2006 Subject: Envelope-To and Bcc In-Reply-To: <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com> References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com> <44D47632.4060104@ecs.soton.ac.uk> <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com> Message-ID: <44D4FBDB.2080702@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 BG Mahesh wrote: > > > On 8/5/06, *Julian Field* > wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > BG Mahesh wrote: > > > > # Do you want to add the Envelope-To: header? 
> > # This can be useful for tracking spam destinations, but should be
> > # used with care due to possible privacy concerns with the use of
> > # Bcc: headers by users.
> > # This can also be the filename of a ruleset.
> > Add Envelope To Header = no
> >
> > Is there any way to use the above feature without compromising on
> > privacy? I see that bcc info is included in the Envelope-To line [as
> > clearly mentioned in the docs].
>
> No. Top marks for understanding the problem though, most people miss the
> point completely :-)
>
> I just use the setting for testing rulesets.
>
> It includes the Bcc as that is just a list of extra recipients who
> happen not to appear in the headers. Otherwise they are perfectly normal
> recipients, just like the To and Cc lists are.
>
> - -
>
>
>
> I somehow need sendmail to add another line like X-Rcpt-To which has
> just ONE email id and our other email server [mdaemon] that downloads
> the emails from a common pop account will use that field to deliver the
> email. Currently Mdaemon is getting totally confused on whom to deliver
> the email without this line :-(

There is no way of telling which recipient is more important than any
other recipient. They are just a list. I can't help your totally broken
software, sorry.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE1PveEfZZRxQVtlQRAgKrAJ42dtHN6zUhBtOFahBJujZz72bEUQCg/x1k
JmygxSo0m3pSY0t4tuwdEpc=
=Ck3s
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
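
The Bcc exposure discussed in the message above, as an added example that is not part of the original thread or of MailScanner's code: it models a gateway stamping every envelope recipient onto the one copy all recipients receive, beside per-recipient copies that each name only their own recipient. The header names Envelope-To and X-Rcpt-To follow the wording of the posts; the comma-separated header format, the example.* addresses and all function names are assumptions.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def sample_message():
    """Constructed sample message; every address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "carol@example.com"
    msg["Bcc"] = "auditor@example.net"
    msg["Subject"] = "Quarterly numbers"
    msg.set_content("See attached.")
    return msg


def _addresses(msg, *names):
    """Lower-cased addresses found in the named headers of msg."""
    values = []
    for name in names:
        values.extend(str(v) for v in msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def submit(msg):
    """Model of submission: the envelope is To + Cc + Bcc, and the Bcc
    header is dropped from the message that goes on the wire."""
    rcpts = _addresses(msg, "To", "Cc", "Bcc")
    wire = copy.deepcopy(msg)
    del wire["Bcc"]
    return rcpts, wire


def stamp_shared(wire, rcpts, header="Envelope-To"):
    """One message object for everybody, stamped with the full envelope
    (assumed format: comma-separated list in a single header)."""
    stamped = copy.deepcopy(wire)
    stamped[header] = ", ".join(rcpts)
    return {rcpt: stamped for rcpt in rcpts}


def split_per_recipient(wire, rcpts, header="X-Rcpt-To"):
    """One copy per envelope recipient; each copy names only its owner."""
    copies = {}
    for rcpt in rcpts:
        one = copy.deepcopy(wire)
        one[header] = rcpt
        copies[rcpt] = one
    return copies


def leaked_to(reader, delivered, header):
    """Addresses the reader learns from `header` that are in neither To
    nor Cc and are not the reader's own: disclosed Bcc recipients."""
    visible = set(_addresses(delivered, "To", "Cc"))
    stamped = set(_addresses(delivered, header))
    return sorted(stamped - visible - {reader})


def audit(deliveries, header):
    """Map each reader to the Bcc addresses their copy discloses."""
    return {reader: leaked_to(reader, msg, header)
            for reader, msg in deliveries.items()}


if __name__ == "__main__":
    rcpts, wire = submit(sample_message())
    print("envelope recipients:", rcpts)
    print("shared copy:", audit(stamp_shared(wire, rcpts), "Envelope-To"))
    print("split copies:", audit(split_per_recipient(wire, rcpts), "X-Rcpt-To"))
```
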
From res at ausics.net Sun Aug 6 07:53:12 2006
From: res at ausics.net (Res)
Date: Sun Aug 6 07:53:28 2006
Subject: Virus Updates noise levels
Message-ID:

Hi Julian,
Any chance we can reduce the noise levels in this?

update.virus.scanners: Found clamav installed
update.virus.scanners: Running autoupdate for clamav
ClamAV-autoupdate[12231]: ClamAV did not need updating
update.virus.scanners: Found f-prot installed
update.virus.scanners: Running autoupdate for f-prot
F-Prot autoupdate[12255]: F-Prot did not need updating.


....perhaps reduce 4 lines into just 1

update.virus.scanners: Found clamav installed
update.virus.scanners: Running autoupdate for clamav
update.virus.scanners: Found f-prot installed
update.virus.scanners: Running autoupdate for f-prot
- INTO -
update.virus.scanners: Found clamav f-prot installed. Running autoupdate

--
Cheers
Res

From mike at vesol.com Sun Aug 6 15:12:24 2006
From: mike at vesol.com (Mike Kercher)
Date: Sun Aug 6 15:12:37 2006
Subject: Virus Updates noise levels
In-Reply-To:
Message-ID:

>
> Hi Julian,
> Any chance we can reduce the noise levels in this?
>
> update.virus.scanners: Found clamav installed
> update.virus.scanners: Running autoupdate for clamav
> ClamAV-autoupdate[12231]: ClamAV did not need updating
> update.virus.scanners: Found f-prot installed
> update.virus.scanners: Running autoupdate for f-prot F-Prot
> autoupdate[12255]: F-Prot did not need updating.
>
>
> ....perhaps reduce 4 lines into just 1
>
> update.virus.scanners: Found clamav installed
> update.virus.scanners: Running autoupdate for clamav
> update.virus.scanners: Found f-prot installed
> update.virus.scanners: Running autoupdate for f-prot
> - INTO -
> update.virus.scanners: Found clamav f-prot installed. Running
> autoupdate
>
>

Why?
From akharin at zahav.net.il Sun Aug 6 15:55:50 2006
From: akharin at zahav.net.il (Irvin Jacobson)
Date: Sun Aug 6 15:55:59 2006
Subject: Installation problems with stable release of 4.55
Message-ID: <20060806175550.ACZ36796@rachel.inter.net.il>

Hi all,

I had version 4.39 and removed it, I then installed 4.55,
didn't get any error messages during installation, just post
when attempting to start the service:

MailScanner: Can't locate Filesys/Df.pm in @INC (@INC
contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi
/usr/lib/MailScanner/5.8.3
/usr/lib/MailScanner/i386-linux-thread-multi
/usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1
/usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner
/usr/lib/perl5/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3
/usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .
/usr/lib/MailScanner/5.8.3/i386-linux-thread-multi
/usr/lib/MailScanner/5.8.3
/usr/lib/MailScanner/i386-linux-thread-multi
/usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1
/usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at
/usr/sbin/MailScanner line 66.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner
line 66.
[ OK ]

It reports that the status is ok, but it doesn't start.

Any ideas/suggestions?

Thanks,
Irvin.
From mailscanner at ecs.soton.ac.uk Sun Aug 6 19:27:45 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 6 19:28:04 2006 Subject: Installation problems with stable release of 4.55 In-Reply-To: <20060806175550.ACZ36796@rachel.inter.net.il> References: <20060806175550.ACZ36796@rachel.inter.net.il> Message-ID: <44D634A1.5040500@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That would indicate that the Filesys::Df module did not install successfully. Re-run install.sh and watch carefully when Filesys::Df tries to install. It's just after Time::HiRes towards the end (after DBI and DBD::SQLite). Note down why Filesys::Df did not install and let me know what it said. Otherwise, if it still won't install, do this: # perl -MCPAN -e shell > install Filesys::Df Ctrl-D and hopefully that will install it. What does "MailScanner --version" say? What version/release of Linux are you using? Please let us know how you get on resolving this problem. Irvin Jacobson wrote: > Hi all, > > I had version 4.39 and removed it, I then installed 4.55, > didn't get any error messages during installation, just post > when attempting to start the service: > > MailScanner: Can't locate Filesys/Df.pm in @INC (@INC > contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 > /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner > /usr/lib/perl5/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/5.8.3 > /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 > /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi > 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.3 > /usr/lib/perl5/vendor_perl/5.8.2 > /usr/lib/perl5/vendor_perl/5.8.1 > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . > /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 > /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at > /usr/sbin/MailScanner line 66. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner > line 66. > [ OK ] > > It reports that the status is ok, but it doesn't start. > > Any ideas/suggestions? > > Thanks, > Irvin. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE1jSmEfZZRxQVtlQRAjMzAJ4hUy+JtuHSSzjoBSw1I6CnVJRpjwCcCKDD Va2B1jZ5tRRGIYdhHT89eUQ= =n9WY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From jdp1024 at earthlink.net Sun Aug 6 22:15:39 2006 From: jdp1024 at earthlink.net (JDP) Date: Sun Aug 6 22:15:52 2006 Subject: MailScanner & Postfix Message-ID: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Hello, I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. 
I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 (PDT) from unknown[192.168.20.160]; from=user@domian.com> to= proto=SMTP helo=<1243876> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 bytes Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic I think I have the relaying of domains set up correctly, but now i am not sure. Maybe the problem is here "how to invoke the MTA"; # Set whether to use postfix, sendmail, exim or zmailer. # If you are using postfix, then see the "SpamAssassin User State Dir" # setting near the end of this file #MTA = sendmail MTA = postfix # Set how to invoke MTA when sending messages MailScanner has created # (e.g. to sender/recipient saying "found a virus in your message") # This can also be the filename of a ruleset. Sendmail = /usr/sbin/sendmail # Sendmail2 is provided for Exim users. # It is the command used to attempt delivery of outgoing cleaned/disinfected # messages. 
# This is not usually required for sendmail. # This can also be the filename of a ruleset. #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf #For sendmail users: Sendmail2 = /usr/sbin/sendmail #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf Sendmail2 = /usr/sbin/sendmail Many thanks in advance, ~James From jdp1024 at earthlink.net Sun Aug 6 22:36:43 2006 From: jdp1024 at earthlink.net (JDP) Date: Sun Aug 6 22:37:00 2006 Subject: MailScanner & Postfix Message-ID: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> >Hello, > >I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. > > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: >from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with >SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 >(PDT) from unknown[192.168.20.160]; from=user@domian.com> to= >proto=SMTP helo=<1243876> >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> >Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] >Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 >bytes >Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting >Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed >Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav >Aug 6 
13:46:56 postmaster update.virus.scanners: Found generic installed >Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic > > >I think I have the relaying of domains set up correctly, but now i am not sure. > >Maybe the problem is here "how to invoke the MTA"; > > ># Set whether to use postfix, sendmail, exim or zmailer. ># If you are using postfix, then see the "SpamAssassin User State Dir" ># setting near the end of this file >#MTA = sendmail >MTA = postfix > ># Set how to invoke MTA when sending messages MailScanner has created ># (e.g. to sender/recipient saying "found a virus in your message") ># This can also be the filename of a ruleset. >Sendmail = /usr/sbin/sendmail > ># Sendmail2 is provided for Exim users. ># It is the command used to attempt delivery of outgoing cleaned/disinfected ># messages. ># This is not usually required for sendmail. ># This can also be the filename of a ruleset. >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf >#For sendmail users: Sendmail2 = /usr/sbin/sendmail >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf >Sendmail2 = /usr/sbin/sendmail > > >Many thanks in advance, > >~James Hello, Also, after starting mailScanner from ../init.d and then checking the status I get; postmaster:~ # /etc/init.d/MailScanner status Checking for service MailScanner: postfix/postfix-script: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration) dead What is happening? Thank you, James From res at ausics.net Sun Aug 6 22:59:24 2006 From: res at ausics.net (Res) Date: Sun Aug 6 22:59:38 2006 Subject: Virus Updates noise levels In-Reply-To: References: Message-ID: On Sun, 6 Aug 2006, Mike Kercher wrote: >> >> Hi Julian, >> Any chance we can reduce the noise levels in this? 
>> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> ClamAV-autoupdate[12231]: ClamAV did not need updating >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot F-Prot >> autoupdate[12255]: F-Prot did not need updating. >> >> >> ....perhaps reduce 4 lines into just 1 >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot >> - INTO - >> update.virus.scanners: Found clamav f-prot installed. Running >> autoupdate >> >> > > Why? i would imagine its obvious :) but for just for you : its more mailscanner overkill in logging that sort of stuff is fine for debugging, for operational mail servers, its pointless > -- Cheers Res From pete at enitech.com.au Mon Aug 7 00:31:05 2006 From: pete at enitech.com.au (Peter Russell) Date: Mon Aug 7 00:31:35 2006 Subject: MailScanner & Postfix In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <44D67BB9.7030905@enitech.com.au> Follow the guide in the wiki, triple check you have set it up EXACTLY as documented - my bet is your directory permissions are wrong, or the postfix user/group setting in mailscanner.conf is wrong. Also, does Postfix know were your exchange server is? If ALL of your mail is destined for Exchange use the Transport map, make life heaps easier. Pete JDP wrote: > >> Hello, >> >> I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. 
I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. >> >> >> Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] >> Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] >> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: >>from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with >> SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 >> (PDT) from unknown[192.168.20.160]; from=user@domian.com> to= >> proto=SMTP helo=<1243876> >> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> >> Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] >> Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 >> bytes >> Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting >> Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed >> Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav >> Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed >> Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic >> >> >> I think I have the relaying of domains set up correctly, but now i am not sure. >> >> Maybe the problem is here "how to invoke the MTA"; >> >> >> # Set whether to use postfix, sendmail, exim or zmailer. >> # If you are using postfix, then see the "SpamAssassin User State Dir" >> # setting near the end of this file >> #MTA = sendmail >> MTA = postfix >> >> # Set how to invoke MTA when sending messages MailScanner has created >> # (e.g. to sender/recipient saying "found a virus in your message") >> # This can also be the filename of a ruleset. >> Sendmail = /usr/sbin/sendmail >> >> # Sendmail2 is provided for Exim users. 
>> # It is the command used to attempt delivery of outgoing cleaned/disinfected >> # messages. >> # This is not usually required for sendmail. >> # This can also be the filename of a ruleset. >> #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf >> #For sendmail users: Sendmail2 = /usr/sbin/sendmail >> #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf >> Sendmail2 = /usr/sbin/sendmail >> >> >> Many thanks in advance, >> >> ~James > Hello, > > Also, after starting mailScanner from ../init.d and then checking the status I get; > > postmaster:~ # /etc/init.d/MailScanner status > Checking for service MailScanner: postfix/postfix-script: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration) > dead > What is happening? > > Thank you, > > James From jrudd at ucsc.edu Mon Aug 7 00:55:07 2006 From: jrudd at ucsc.edu (John Rudd) Date: Mon Aug 7 00:55:33 2006 Subject: Virus Updates noise levels In-Reply-To: References: Message-ID: On Aug 6, 2006, at 7:12 AM, Mike Kercher wrote: >> >> Hi Julian, >> Any chance we can reduce the noise levels in this? >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> ClamAV-autoupdate[12231]: ClamAV did not need updating >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot F-Prot >> autoupdate[12255]: F-Prot did not need updating. >> >> >> ....perhaps reduce 4 lines into just 1 >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot >> - INTO - >> update.virus.scanners: Found clamav f-prot installed. Running >> autoupdate >> >> > > Why? I think the message subject said it all: to reduce noise level. Signal to noise level is incredibly important for anything that you plan to actually read ... 
like the logs of a production service when you're trying to track down a problem. The key to good communication is brevity: say what needs to be said, say it clearly, and say _nothing_ more. From chrisgreen at hotmail.com Mon Aug 7 01:49:38 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Mon Aug 7 01:49:42 2006 Subject: MailScanner & Postfix In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: JDP wrote: > ># Sendmail2 is provided for Exim users. > ># It is the command used to attempt delivery of outgoing >cleaned/disinfected > ># messages. > ># This is not usually required for sendmail. > ># This can also be the filename of a ruleset. > >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > >#For sendmail users: Sendmail2 = /usr/sbin/sendmail > >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > >Sendmail2 = /usr/sbin/sendmail I have been referencing instructions that tell me that even under Postfix the above line should read: Sendmail2 = /usr/sbin/sendmail -DOUTGOING I've always wondered whether this really makes a difference or not - but it works for me, so I've never spent any time looking into it . 
Chris From Andreas.Doerfler at kempten.de Mon Aug 7 07:36:36 2006 From: Andreas.Doerfler at kempten.de (=?iso-8859-1?Q?D=F6rfler_Andreas?=) Date: Mon Aug 7 07:39:07 2006 Subject: ignored messeges Message-ID: hey julian, thats good news, thank you :) greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \ > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Friday, August 04, 2006 3:47 PM > To: MailScanner discussion > Subject: Re: ignored messeges > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > df files without qf files are just left-over junk from things like > broken TCP connections and stuff like that. df files without > qf files > (or vice versa) can just be deleted. > > On 4 Aug 2006, at 12:57, D?rfler Andreas wrote: > > > hey there, > > > > i havent checked my mqueue.in for months .. because i tough > > everyting works fine. > > that more im scared to find about 200 undelivered mails in there > > > > short example: > > -rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005 > > ... > > -rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915 > > -rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049 > > -rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185 > > -rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142 > > -rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047 > > > > most of em are spam so i dont see a problem, but some are not. > > > > dont understand how this can happen because i deliver about > > 6000 mails everyday without any problems. > > some ignored mails from last year ... > > > > from the mail log i take these when restart MS: > > > > Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue > > directory /var/spool/mqueue.in/dfj1C64nMG031005 > > ... 
> > got this message multible times, but ive senn em first time, > > tried now more times but it wont come again in the logs > > > > i use sendmail, ms 4.55.9 on a suse 9.2 box > > > > greetings > > andy > > > > --free your mind, use open source > > http://www.mono-project.com > > > > ASCII ribbon campaign ( ) > > - against HTML email X > > & vCards / \ > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE00/kEfZZRxQVtlQRAjlGAKClFtaRPmYCo6ewuNDQNrP188z0QgCg2xKX > XMpMnj01s3jHrNv1vy+V69A= > =rXe0 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > MailScanner thanks transtec Computers for their support. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From stef at aoc-uk.com Mon Aug 7 09:39:29 2006 From: stef at aoc-uk.com (Stef Morrell) Date: Mon Aug 7 09:39:32 2006 Subject: Envelope-To and Bcc... heading OT... Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> Julian wrote: > BG Mahesh wrote: >> I somehow need sendmail to add another line like X-Rcpt-To which has >> just ONE email id and our other email server [mdaemon] that downloads >> the emails from a common pop account will use that field to deliver >> the email. 
Currently Mdaemon is getting totally confused on whom to >> deliver the email without this line :-( > > There is no way of telling which recipient is more important > than any other recipient. They are just a list. I can't help > your totally broken software, sorry. mdaemon isn't totally broken ;) at least it doesn't destroy headers like some *cough* exchange *cough* mailservers do. What's wrong with having the sendmail server deliver via SMTP to the mdaemon server? Mdaemon tries all kinds of ways to be clever at parsing email from a collective POP box to deduce the correct recipient, but is always going to be hindered by the intrisic brokenness of the method. It deals with SMTP perfectly well, however. regards Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net From drew at themarshalls.co.uk Mon Aug 7 10:00:03 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Mon Aug 7 10:00:30 2006 Subject: MailScanner & Postfix In-Reply-To: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink .net> References: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <60206.194.70.180.170.1154941203.squirrel@webmail.r-bit.net> On Sun, August 6, 2006 22:15, JDP wrote: > Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 > messages, 683 > bytes > Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: > Starting > Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed > Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for > clamav > Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed > Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for > generic > Some more log would be useful as the above bit is working fine, as you said yourself. 
We are missing the logs for the bit that's broken ;-) > > I think I have the relaying of domains set up correctly, but now i am not > sure. > > Maybe the problem is here "how to invoke the MTA"; > > > # Set whether to use postfix, sendmail, exim or zmailer. > # If you are using postfix, then see the "SpamAssassin User State Dir" > # setting near the end of this file > #MTA = sendmail > MTA = postfix > > # Set how to invoke MTA when sending messages MailScanner has created > # (e.g. to sender/recipient saying "found a virus in your message") > # This can also be the filename of a ruleset. > Sendmail = /usr/sbin/sendmail > > # Sendmail2 is provided for Exim users. > # It is the command used to attempt delivery of outgoing > cleaned/disinfected > # messages. > # This is not usually required for sendmail. > # This can also be the filename of a ruleset. > #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > #For sendmail users: Sendmail2 = /usr/sbin/sendmail > #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > Sendmail2 = /usr/sbin/sendmail > Don't think so, that all looks fine At the bottom of MailScanner.conf there is an entry delivery method. Make sure this is batch for imediate delivery see here http://www.mailscanner.info/MailScanner.conf.index.html#Delivery%20Method Otherwise, start MailScanner in debug mode with a batch of messages in the queue and report any failures. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at mango.zw Mon Aug 7 10:15:15 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Aug 7 10:24:02 2006 Subject: Envelope-To and Bcc... heading OT... 
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> Message-ID: On Mon, 7 Aug 2006, Stef Morrell wrote: > > BG Mahesh wrote: > >> I somehow need sendmail to add another line like X-Rcpt-To which has > >> just ONE email id and our other email server [mdaemon] that downloads > >> the emails from a common pop account will use that field to deliver > >> the email. Currently Mdaemon is getting totally confused on whom to > >> deliver the email without this line :-( > > > > There is no way of telling which recipient is more important > > than any other recipient. They are just a list. I can't help > > your totally broken software, sorry. > > mdaemon isn't totally broken ;) at least it doesn't destroy headers like > some *cough* exchange *cough* mailservers do. > > What's wrong with having the sendmail server deliver via SMTP to the > mdaemon server? Mdaemon tries all kinds of ways to be clever at parsing > email from a collective POP box to deduce the correct recipient, but is > always going to be hindered by the intrisic brokenness of the method. It > deals with SMTP perfectly well, however. As you say, the concept of sending mail for various recipients to a collective POP account is by definition going to cause problems. A possible solution would be to look at the options for splitting the original message into separate messages for each recipient. 
Here is a reference for doing this with sendmail: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From glenn.steen at gmail.com Mon Aug 7 13:43:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 7 13:43:16 2006 Subject: MailScanner & Postfi In-Reply-To: References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com> On 07/08/06, Chris Green wrote: > JDP wrote: > > > ># Sendmail2 is provided for Exim users. > > ># It is the command used to attempt delivery of outgoing > >cleaned/disinfected > > ># messages. > > ># This is not usually required for sendmail. > > ># This can also be the filename of a ruleset. > > >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > > >#For sendmail users: Sendmail2 = /usr/sbin/sendmail > > >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > > >Sendmail2 = /usr/sbin/sendmail > > I have been referencing instructions that tell me that even under Postfix > the above line should read: > > Sendmail2 = /usr/sbin/sendmail -DOUTGOING > > I've always wondered whether this really makes a difference or not - but it > works for me, so I've never spent any time looking into it . > -D isn't a known option, for PF 2.1 at least, and would land you with an error. So don't do that:-). What is needed here is the info Drew asked for, from the logs... The requeueing bit (which doesn't use the sendmail commands anyway). 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:45:03 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:45:27 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: On Saturday, August 05, 2006 5:03 PM Chris Green wrote: > I would expect that if they had gone in and changed this from the > default they were either a) advanced users with alternative > solutions; b) clever enough to realise it could result in more spam; > or c) previously employed by Sainsbury's as the trolley-boy and found > it a bit too mentally challenging. d) chose to rely on MailScanner/SpamAssassin and therefore turned the Outlook detection off which btw. is what we do at our customer sites using group policy. Therefore your setup is not going to work all that well. There are applications (event sinks) that are able to centrally move messages to folders based on header values. One is even free (search for Mailshell Exchange Plugin) Kind regards. From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:47:10 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:47:38 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040412i4311a64cj6b36335c9221732d@mail.gmail.com> Message-ID: On Friday, August 04, 2006 1:12 PM Glenn Steen wrote: > depends on your situation. BTW, 5 _days_ vacation? In total? If so, > you need another Union:-D. I am self-employed... :-) > But if you are away for only five days, > then surely there is nothing sent by email that just couldn't > wait...? Not 5 days in total:-) And there are always things sent to me that cannot wait for 5 days... :-) I have not yet had a vacation without such emergencies. > to limit the spread of OoO by use of MailScanner... and that has > perhaps some room for discussion left. Sure. 
From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:49:11 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:50:10 2006 Subject: blocking out-of-office In-Reply-To: <44D36049.40407@yeticomputers.com> Message-ID: On Friday, August 04, 2006 4:57 PM Rick Chadderdon wrote: > I wasn't referring to situations where the region's prevailing law > compels behavior, or where policy allows such use. I incorrectly > assumed that this was obvious in my post. For that, I apologize. To > clarify: If law allows one to set policy whereby personal email can > be disallowed, and such policy is set, I don't believe that those who > violate such policies should be tolerated or 'respected'. My BOFH part of the body agrees. My "try to get along with the people" part does not. :-) I know where you are getting at though. *g* From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:52:01 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:52:20 2006 Subject: blocking out-of-office discussions In-Reply-To: <20060804125505.C10038@defjam.cc.strath.ac.uk> Message-ID: On Friday, August 04, 2006 1:56 PM Jethro R Binks wrote: > Speaking perfectly frankly, that seems to be a common theme on this > list anyway. > > At least this discussion is mail-related and generically useful. That one gave me a good laugh. Thanks! :-) From drew at themarshalls.co.uk Mon Aug 7 14:06:21 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Mon Aug 7 14:06:34 2006 Subject: MailScanner & Postfi In-Reply-To: <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com> References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com> Message-ID: <61518.194.70.180.170.1154955981.squirrel@webmail.r-bit.net> On Mon, August 7, 2006 13:43, Glenn Steen wrote: > -D isn't a known option, for PF 2.1 at least, and would land you with > an error. So don't do that:-).
I did wonder. I like to (try to) post accurate or true information but not being in front of a machine to break... ;-) Drew From andoni.auzmendi at robertwalters.com Mon Aug 7 14:07:18 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Mon Aug 7 14:07:33 2006 Subject: Triggering Outlook's Junk E-mail filter Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B1F9@PAT.internal.robertwalters.com> MailShell plug-in looks interesting. Which version of Exchange are running it on? Andoni
From edward.prendergast at netring.co.uk Mon Aug 7 14:23:19 2006 From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Mon Aug 7 14:23:22 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: <200608071323.k77DNKOB010123@bkserver.blacknight.ie> On Saturday, August 05, 2006 5:03 PM Chris Green wrote: > I would expect that if they had gone in and changed this from the > default they were either a) advanced users with alternative > solutions; b) clever enough to realise it could result in more spam; > or c) previously employed by Sainsbury's as the trolley-boy and found > it a bit too mentally challenging. d) chose to rely on MailScanner/SpamAssassin and therefore turned the Outlook detection off which btw. is what we do at our customer sites using group policy. Therefore your setup is not going to work all that well. I think Chris' original point is still valid. A number of our users (primarily hosting customers) have barely enough technical know-how to operate e-mails. Setting up individual rules in their e-mail client will likely prove beyond their grasp. Therefore some way of automating the delivery of messages that are potentially spam but only low-scoring to the end-user's Spam mailbox would be a useful feature indeed. Regards, Edward
From evanderleun at hal9000.nl Mon Aug 7 14:32:38 2006 From: evanderleun at hal9000.nl (Erik van der Leun) Date: Mon Aug 7 14:32:57 2006 Subject: gOCR SpamAssassin plugin Message-ID: Does anybody have (positive :> ) experiences with setting up an OCR scanner and image validator SA-plugin ? more info: http://www.nabble.com/GIF-Spam----Setting-up-the-%27OCR-scanner-and-image-validator-SA-plugin%27-tf2042373.html the patch: http://antispam.imp.ch/patches/patch-ocrtext Kind regards, Erik From michele at blacknight.ie Mon Aug 7 14:52:38 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Mon Aug 7 14:52:41 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: References: Message-ID: <44D745A6.1050007@blacknight.ie> The one that Dallas posted on the SA users group seems to work well: http://www.rulesemporium.com/plugins.htm#imageinfo -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax.
+353 (0) 59 9164239 From jchezny at northcarolina.edu Mon Aug 7 15:14:46 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Mon Aug 7 15:14:53 2006 Subject: MailScanner & Postfix In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <1154960086.44d74ad6d57ca@webmail.northcarolina.edu> James, Have you defined an alias for root in /etc/postfix/aliases or /etc/aliases and run the appropriate command? -jc > > > >Hello, > > > >I am sooo close to getting this running, but somehow my test mail is not > getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, > Postfix, & ClamAV set up to scan mail and then pass it on to an internal > Exchange server. I can see the test message going through the system in > /var/log/mail.info, but it never makes it to the Exchange server. > > > > > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from > unknown[192.168.xx.xxx] > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: > client=unknown[192.168.xx.xxx] > >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header > Received: > >from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) > with > >SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 > >(PDT) from unknown[192.168.20.160]; from=user@domian.com> > to= > >proto=SMTP helo=<1243876> > >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: > message-id=<20060806204509.8E1D718548C@postmaster.domain.com> > >Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from > unknown[192.168.xx.xxx] > >Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 > messages, 683 > >bytes > >Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: > Starting > >Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed > >Aug 6 13:46:55 postmaster 
update.virus.scanners: Running autoupdate for > clamav > >Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed > >Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for > generic > > > > > >I think I have the relaying of domains set up correctly, but now i am not > sure. > > > >Maybe the problem is here "how to invoke the MTA"; > > > > > ># Set whether to use postfix, sendmail, exim or zmailer. > ># If you are using postfix, then see the "SpamAssassin User State Dir" > ># setting near the end of this file > >#MTA = sendmail > >MTA = postfix > > > ># Set how to invoke MTA when sending messages MailScanner has created > ># (e.g. to sender/recipient saying "found a virus in your message") > ># This can also be the filename of a ruleset. > >Sendmail = /usr/sbin/sendmail > > > ># Sendmail2 is provided for Exim users. > ># It is the command used to attempt delivery of outgoing cleaned/disinfected > ># messages. > ># This is not usually required for sendmail. > ># This can also be the filename of a ruleset. > >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > >#For sendmail users: Sendmail2 = /usr/sbin/sendmail > >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > >Sendmail2 = /usr/sbin/sendmail > > > > > >Many thanks in advance, > > > >~James > Hello, > > Also, after starting mailScanner from ../init.d and then checking the status > I get; > > postmaster:~ # /etc/init.d/MailScanner status > Checking for service MailScanner: postfix/postfix-script: fatal: usage: > postfix start (or stop, reload, abort, flush, check, set-permissions, > upgrade-configuration) > dead > What is happening? > > Thank you, > > James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 15:31:49 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 15:32:11 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <200608071323.k77DNKOB010123@bkserver.blacknight.ie> Message-ID: On Monday, August 07, 2006 3:23 PM Edward Prendergast wrote: > I think Chris' original point is still valid. Using Outlook's own Junk-Mail folder/functionality --> No. > A number of our users > (primarily hosting customers) have barely enough technical know-how to > operate e-mails. Setting up individual rules in their e-mail > client will likely prove beyond their grasp. Therefore some way of > automating the delivery of messages that are potentially spam but > only low-scoring to > the end-user's Spam mailbox would be a useful feature indeed. Thus the pointer to the plugin. From jchezny at northcarolina.edu Mon Aug 7 15:32:09 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Mon Aug 7 15:32:15 2006 Subject: MailScanner & Postfix In-Reply-To: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <1154961129.44d74ee935632@webmail.northcarolina.edu> James, Have you set your alias in either /etc/aliases and run the *newaliases* command? jc From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 15:31:59 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 15:32:19 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36301B1F9@PAT.internal.robertwalters.com> Message-ID: On Monday, August 07, 2006 3:07 PM Andoni Auzmendi wrote: > MailShell plug-in looks interesting. Which version of Exchange are > running it on? 2003 SP1 From JeremyBlonde at grant.k12.ca.us Mon Aug 7 15:49:51 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Mon Aug 7 15:46:56 2006 Subject: MailScanner & Postfix Message-ID: James, I've got the same setup as you. Are you sure you have setup the Postfix "transport" file correctly? It should contain something like:

    Domain.com    smtp:exchange.domain.com

After creating that file you'd run "postmap transport" and "postfix reload".
Thanks, Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District
From andoni.auzmendi at robertwalters.com Mon Aug 7 15:58:08 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Mon Aug 7 16:04:15 2006 Subject: Triggering Outlook's Junk E-mail filter Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B1FC@PAT.internal.robertwalters.com> Thanks. Does anyone have experience on running Mailshell on Exchange 2000? From gordon at itnt.co.za Mon Aug 7 16:41:12 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Mon Aug 7 16:41:42 2006 Subject: setup filetype and filename rules per domain Message-ID: <068201c6ba37$eca93e80$0a02a8c0@Gordon> Is there a way to setup filetype and filename rules per domain or user?
I have some client domains and users that want to accept .mp3 and .wav files and others that don't Thanks Gordon Colyn From JeremyBlonde at grant.k12.ca.us Mon Aug 7 17:00:05 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Mon Aug 7 16:57:04 2006 Subject: setup filetype and filename rules per domain Message-ID: I've been having trouble stopping the attached message from getting thru mailscanner. I've got RBLs, Rulesdujour, and bayes (using MySQL). Bayes reports that there are 14,953 spam messages and 133,137 tokens in the database. To actually block the messages, I've had to add the URLs in the messages to MCP. I've been under the impression that bayes would be able to pick out the message details and score similar messages, but it seems they come across as new messages and their scores are 0. Perhaps, bayes is not working as well as it should be? Can I get some information on how others have blocked those types of messages? Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -------------- next part -------------- Hi, CdALIS from 3, 75 $ AMBdEN VdAGRA from 3, 35 $ VALdUM from 1, 25 $ http://www.filmogenka.com , , , , , even know the length of the day here. This watch, like the computer, is on ships time. Its been a good long time since they threw us out the gate. I squinted at the sky. 
And I dont think that sun has

From steve.swaney at fsl.com Mon Aug 7 17:07:43 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 7 17:05:48 2006 Subject: setup filetype and filename rules per domain In-Reply-To: <068201c6ba37$eca93e80$0a02a8c0@Gordon> Message-ID: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn
> Sent: Monday, August 07, 2006 11:41 AM
> To: mailscanner@lists.mailscanner.info
> Subject: setup filetype and filename rules per domain
>
> Is there a way to setup filetype and filename rules per
> domain or user?
>
> I have some client domains and users that want to accept .mp3 and .wav
> files and others that don't
>
> Thanks
> Gordon Colyn

You need to create rule sets that use different filename/filetype configuration files for mail from different domains for attachment filename and filetype checking. If you have a Red Hat, CentOS or SuSE system, the following paths will be correct. They will vary on other systems but the same principles will work.

First create two files:

    /etc/MailScanner/filename.rules.xyz.conf
    /etc/MailScanner/filetype.rules.xyz.conf

Copy these existing files to create the new files:

    cp /etc/MailScanner/filename.rules.conf \
       /etc/MailScanner/filename.rules.xyz.conf

    cp /etc/MailScanner/filetype.rules.conf \
       /etc/MailScanner/filetype.rules.xyz.conf

Then edit both the new files to allow or deny the files for xyz.domain

Then create the file /etc/MailScanner/rules/filename.rules. The contents of this file should be:

    # Allow certain filenames from xyz.com
    From:      /\*@xyz\.com/   /etc/MailScanner/filename.rules.xyz.conf
    # Default entry
    FromOrTo:  default         /etc/MailScanner/filename.rules.conf

Then create the file /etc/MailScanner/rules/filetype.rules. The contents of this file should be:

    # Allow certain filetypes from xyz.com
    From:      /\*@xyz\.com/   /etc/MailScanner/filetype.rules.xyz.conf
    # Default entry
    FromOrTo:  default         /etc/MailScanner/filetype.rules.conf

Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting for Filename Rules to be:

    Filename Rules = %rules-dir%/filename.rules

And change the setting for Filetype Rules to be:

    Filetype Rules = %rules-dir%/filetype.rules

Then reload MailScanner.

I hope this helps,

Steve

Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com

From steve.swaney at fsl.com Mon Aug 7 17:25:05 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 7 17:23:12 2006 Subject: setup filetype and filename rules per domain In-Reply-To: Message-ID: <190e01c6ba3e$0b0b0c90$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeremy Blonde
> Sent: Monday, August 07, 2006 12:00 PM
> To: MailScanner discussion
> Subject: RE: setup filetype and filename rules per domain
>
> I've been having trouble stopping the attached message from getting thru
> mailscanner. I've got RBLs, Rulesdujour, and bayes (using MySQL).
> Bayes reports that there are 14,953 spam messages and 133,137 tokens in
> the database. To actually block the messages, I've had to add the URLs
> in the messages to MCP. I've been under the impression that bayes would
> be able to pick out the message details and score similar messages, but
> it seems they come across as new messages and their scores are 0.
> Perhaps, bayes is not working as well as it should be?
>
> Can I get some information on how others have blocked those types of
> messages?
>
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union School District

We tagged your post to the list as spam :)

     pts rule name                  description
    ---- -------------------------- --------------------------------------------------
     0.1 FORGED_RCVD_HELO           Received: contains a forged HELO
     1.3 INFO_TLD                   URI: Contains an URL in the INFO top-level domain
    -0.2 BAYES_40                   BODY: Bayesian spam probability is 20 to 40%
                                    [score: 0.3560]
     1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50%
                                    [cf: 100]
     0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
     0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
                                    [cf: 100]
     1.6 URIBL_SBL                  Contains an URL listed in the SBL blocklist
                                    [URIs: filmogenka.com]
     3.0 URIBL_BLACK                Contains an URL listed in the URIBL blacklist
                                    [URIs: filmogenka.com]

Just adding the message to the Bayes database is not enough. You need to use all the tools available:

    Razor
    DCC
    SpamAssassin plugins

There are also some nifty milters available if you use sendmail (or now the latest postfix :). We're blocking a ton of stuff with a free milter, milter-limit available at www.snertsoft.com.

Also please change the subject line when you reply to a list message and change the topic :)

Steve

Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com

From root at doctor.nl2k.ab.ca Mon Aug 7 17:41:34 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Aug 7 17:42:17 2006 Subject: MailScanner 4.56.1-1 and Sys-Syslog Message-ID: <20060807164134.GA14776@doctor.nl2k.ab.ca>

I wonder if I should test MailScanner 4.56.1-1 with the current sys-syslog 0.17 . I THINK the author just pulled this module and went back to Sys-syslog 0.16 .
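A lint and lookup for per-domain ruleset files of the kind Stephen Swaney describes earlier in this thread, as an added example that is not code from the thread or from MailScanner: it flags a missing default entry or a value that points at the wrong family of rules file, either of which silently changes the attachment policy a domain gets. The matching model (first matching rule wins, `default` as fallback, a bare domain meaning any address at it), `example.com` and the `*.example.conf` paths are assumptions.

```python
"""Lint and evaluate per-domain ruleset files (added example, simplified model)."""
import fnmatch
import os
import re

# Direction keywords that appear in the rulesets quoted on this page.
DIRECTIONS = ("from", "to", "fromorto")


def parse_ruleset(text):
    """Return a list of (lineno, direction, pattern, value) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # the value may itself contain spaces
        if len(parts) != 3 or not parts[0].endswith(":"):
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        rules.append((lineno, parts[0][:-1].lower(), parts[1], parts[2]))
    return rules


def is_regex(pattern):
    return len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/")


def address_matches(pattern, address):
    """Assumed matching model: /regex/, glob with '*', or a bare domain."""
    if is_regex(pattern):
        return re.search(pattern[1:-1], address, re.IGNORECASE) is not None
    if "@" not in pattern:  # bare domain: anyone at that domain
        pattern = "*@" + pattern
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def lookup(rules, sender, recipient):
    """Assumption: first matching rule wins; 'default' is used when none match."""
    fallback = None
    for _, direction, pattern, value in rules:
        if pattern.lower() == "default":
            if fallback is None:
                fallback = value
            continue
        addresses = {"from": [sender], "to": [recipient],
                     "fromorto": [sender, recipient]}.get(direction, [])
        if any(address_matches(pattern, a) for a in addresses):
            return value
    return fallback


def lint(text, family, exists=os.path.exists):
    """Check a ruleset whose values are config files of one family
    ('filename' or 'filetype'). Returns a list of findings."""
    findings = []
    rules = parse_ruleset(text)
    if not any(p.lower() == "default" for _, _, p, _ in rules):
        findings.append("no default entry: unmatched mail is not covered by this file")
    for lineno, direction, pattern, value in rules:
        if direction not in DIRECTIONS:
            findings.append(f"line {lineno}: unknown direction '{direction}:'")
        if is_regex(pattern):
            try:
                re.compile(pattern[1:-1])
            except re.error as exc:
                findings.append(f"line {lineno}: bad regex {pattern}: {exc}")
        if not os.path.basename(value).startswith(family + ".rules"):
            findings.append(f"line {lineno}: {value} is not a {family}.rules file")
        elif not exists(value):
            findings.append(f"line {lineno}: {value} does not exist")
    return findings


# Constructed samples. example.com and the *.example.conf files are hypothetical.
FILENAME_RULES = """\
# Allow certain filenames from example.com
From:     *@example.com  /etc/MailScanner/filename.rules.example.conf
FromOrTo: default        /etc/MailScanner/filename.rules.conf
"""
CROSSED_FILETYPE_RULES = """\
From:     *@example.com  /etc/MailScanner/filetype.rules.example.conf
FromOrTo: default        /etc/MailScanner/filename.rules.conf
"""
ON_DISK = {  # stands in for the filesystem so the example runs anywhere
    "/etc/MailScanner/filename.rules.conf",
    "/etc/MailScanner/filename.rules.example.conf",
    "/etc/MailScanner/filetype.rules.conf",
    "/etc/MailScanner/filetype.rules.example.conf",
}

if __name__ == "__main__":
    for name, text, family in (("filename.rules", FILENAME_RULES, "filename"),
                               ("filetype.rules", CROSSED_FILETYPE_RULES, "filetype")):
        for finding in lint(text, family, exists=ON_DISK.__contains__):
            print(f"{name}: {finding}")
    rules = parse_ruleset(FILENAME_RULES)
    print(lookup(rules, "alice@example.com", "bob@other.test"))
```

On a real host, call `lint()` without the `exists` argument so that referenced files are checked against the filesystem.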
From root at doctor.nl2k.ab.ca Mon Aug 7 17:43:08 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Aug 7 17:44:08 2006 Subject: sa-learn universal setting and spam only digested mailboxes Message-ID: <20060807164308.GB14776@doctor.nl2k.ab.ca> I will ask this question here. I have a spam - only mailbox in the mbox format and I am trying to get sa-learn to read and integrate this systemwide. How do I do this? From AHKAPLAN at PARTNERS.ORG Mon Aug 7 17:50:06 2006 From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Mon Aug 7 17:50:13 2006 Subject: Particular User's E-Mail Getting Virus Notifications on almost all incoming e-mail Message-ID: <9C63A4713C4E3342B90428CE44806A730267983E@PHSXMB5.partners.org> Hi there - We have MailScanner 4.54 running with ClamAV 0.88.1 and SpamAssassin 3.03 on an HP-UX 10.20 trusted system. One of our users is getting Virus Detected - Denial of Service Attack error messages on nearly all his e-mails. These e-mails are those coming from without and within our company's network. This problem is not affecting any of our other users. I suspect that his mailbox is corrupt, but before I go down that route I wanted to know if there are any other possibilities. If his mailbox is bad, I will probably delete the existing box and restore an older one from tape archive. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060807/4798186b/attachment.html

From mailscanner at ecs.soton.ac.uk Mon Aug 7 17:58:50 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 7 17:59:21 2006
Subject: setup filetype and filename rules per domain
In-Reply-To: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl>
References: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl>
Message-ID: <44D7714A.8030800@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn
>> Sent: Monday, August 07, 2006 11:41 AM
>> To: mailscanner@lists.mailscanner.info
>> Subject: setup filetype and filename rules per domain
>>
>> Is there a way to setup filetype and filename rules
>> per
>> domain or user?
>>
>> I have some client domains and users that want to accept .mp3 and .wav
>> files
>> and others that don't
>>
>> Thanks
>> Gordon Colyn

In recent versions (version 4.49 and onwards) there are some new
configuration settings,
    Allow Filenames
    Deny Filenames
    Allow Filetypes
    Deny Filetypes
These are not as flexible as the filename.rules.conf and
filetype.rules.conf files, but you may find them easier to use and
good enough for your requirements.

For an example, let's say that domain xyz.com wants to be able to
email files called "*.mp3" and "*.wav". You would still need to do
similar setups to stop the "filetype.rules.conf" file trapping movies
in general. But let's keep it simple for this example.

1) We need to tell MailScanner to create a ruleset for "Allow
Filenames" so we can vary the value of this setting depending on
where the mail is going to.
In MailScanner.conf, set
    Allow Filenames = %rules-dir%/allow.filenames.rules

2) Create the ruleset. This just needs to allow *.mp3 and *.wav for
mail going to anyone@xyz.com.
In /etc/MailScanner/rules/allow.filenames.rules, put
    To: xyz.com \.mov$ \.mp3$

Note that the text to the right of "xyz.com" is a space-separated list
of regular expressions. You need to put the "\" before the "." as
otherwise "." would just match any character, not just the actual
"full stop" character. "$" matches the "end of line", ensuring that
the ".mov" appears at the end of the filename.

3) Run the command "service MailScanner restart" to enable all of this.

That's it!

- ------------------------
Note for advanced users:
The order of checking all of these settings is
    Allow Filenames
    Deny Filenames
    filename.rules.conf
The first rule that matches is the result used.
- ------------------------

> You need to create rule sets that use different filename/filetype
> configuration files for mail from different domains for attachment filename
> and filetype checking. If you have a Red Hat, CentOS or SuSE system, the
> following paths will be correct. They will vary on other systems but the
> same principles will work.
>
> First create two files:
>
> /etc/MailScanner/filename.rules.xyz.conf
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Copy these existing files to create the new files:
>
> cp /etc/MailScanner/filename.rules.conf \
> /etc/MailScanner/filename.rules.xyz.conf
>
> cp /etc/MailScanner/filetype.rules.conf \
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Then edit both the new files to allow or deny the files for xyz.domain
>
> Then create the file /etc/MailScanner/rules/filename.rules. The contents of
> this file should be:
>
> # Allow certain filenames from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filename.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Then create the file /etc/MailScanner/rules/filetype.rules.
> The contents of this file should be:
>
> # Allow certain filetypes from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filetype.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filetype.rules.conf
>
> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting
> for Filename Rules to be:
>
> Filename Rules = %rules-dir%/filename.rules
>
> And change the setting for Filetype Rules to be:
>
> Filetype Rules = %rules-dir%/filetype.rules
>
> Then reload MailScanner.
>
> I hope this helps,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE13FZEfZZRxQVtlQRAjI/AJ9QL/Glz1wAkjODkfnQ3DQoD/NY9QCfU6xt
SzbgyRdd3lhVIdpvR9r0d3g=
=lg1E
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From Kevin_Miller at ci.juneau.ak.us Mon Aug 7 18:13:05 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Aug 7 18:13:09 2006
Subject: setup filetype and filename rules per domain
In-Reply-To: <44D7714A.8030800@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> In recent versions (version 4.49 and onwards) there are some new
> configuration settings,
> Allow Filenames
> Deny Filenames
> Allow Filetypes
> Deny Filetypes
> These are not as flexible as the filename.rules.conf and
> filetype.rules.conf files, but you may find them easier to use and
> good enough for your requirements.
>
> For an example, let's say that domain xyz.com wants to be able to
> email files called "*.mp3" and "*.wav". You would still need to do
> similar setups to stop the "filetype.rules.conf" file trapping movies
> in general. But let's keep it simple for this example.
>
> 1) We need to tell MailScanner to create a ruleset for "Allow
> Filenames" so we can vary the value of this setting depending on
> where the mail is going to.
> In MailScanner.conf, set
> Allow Filenames = %rules-dir%/allow.filenames.rules
>
> 2) Create the ruleset. This just needs to allow *.mp3 and *.wav for
> mail going to anyone@xyz.com.
> In /etc/MailScanner/rules/allow.filenames.rules, put
> To: xyz.com \.mov$ \.mp3$
>
> Note that the text to the right of "xyz.com" is a space-separated list
> of regular expressions. You need to put the "\" before the "." as
> otherwise "." would just match any character, not just the actual
> "full stop" character. "$" matches the "end of line", ensuring that
> the ".mov" appears at the end of the filename.

Thanks for the quickie tutorial Julian. Just a simple sanity check: I
presume that in allow.filenames.rules that we can use the From: or
FromOrTo: nomenclature as well as the To: tag?

Are tab separators required between operators?

TIA...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From dave.list at pixelhammer.com Mon Aug 7 18:25:22 2006
From: dave.list at pixelhammer.com (DAve)
Date: Mon Aug 7 18:25:44 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To:
References:
Message-ID: <44D77782.2010604@pixelhammer.com>

Koopmann, Jan-Peter wrote:
> On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote:
>
>> I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on
>> FreeBSD 5.4 without any problems for over 1 year now.
>
> Good to know!
> I will try to switch to Mail-ClamAV the next days (today just was not
> possible as was the new port). If that works out as well (which it will)
> I will remove the warning from p5-Mail-ClamAV. Thanks!

I am very interested in moving to clamavmodule at the moment as I need
something to relieve the load on MailScanner boxes right now. My in queue
is up over 600 at the moment as I have issues with URIDNSBL not completing
lookups, so SA is very slow right now. (I've posted already on the SA
list).

Once switching to clamavmodule will there be a tell tale log message to
let me know it is working? I have a bit too much processing going on to
be flipping MailScanner on and off at the moment to send Eicars.

Thanks,

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From mailscanner at ecs.soton.ac.uk Mon Aug 7 18:46:38 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 7 18:47:02 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
Message-ID: <44D77C7E.5010703@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The author of the Sys::Syslog perl module has withdrawn it due to
problems including compatibility issues with some Linux distributions.
The most obvious effect is that the "make test" step may hang part-way
through the tests.

As a result, I have had no alternative other than to reluctantly publish
a revision of the latest stable release of MailScanner.

If you had problems installing 4.55.9 (notably on some CentOS systems)
then download and upgrade to 4.55.10.

Download as usual from www.mailscanner.info

Note that if you had no problems installing 4.55.9, there is no reason
to upgrade to 4.55.10.

Sorry for this forced re-release.
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Mon Aug 7 18:54:43 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 18:54:58 2006 Subject: setup filetype and filename rules per domain In-Reply-To: References: Message-ID: <44D77E63.2090205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: > >> In recent versions (version 4.49 and onwards) there are some new >> configuration settings, >> Allow Filenames >> Deny Filenames >> Allow Filetypes >> Deny Filetypes >> These are not as flexible as the filename.rules.conf and >> filetype.rules.conf files, but you may find them easier to use and >> good enough for your requirements. >> >> For an example, let's say that domain xyz.com wants to be able to >> email files called "*.mp3" and "*.wav". You would still need to do >> similar setups to stop the "filetype.rules.conf" file trapping movies >> in general. But let's keep it simple for this example. >> >> 1) We need to tell MailScanner to create a ruleset for "Allow >> Filenames" so we can vary the value of this setting depending on >> where the mail is going to. >> In MailScanner.conf, set >> Allow Filenames = %rules-dir%/allow.filenames.rules >> >> 2) Create the ruleset. 
This just needs to allow *.mp3 and *.wav for >> mail going to anyone@xyz.com. >> In /etc/MailScanner/rules/allow.filenames.rules, put >> To: xyz.com \.mov$ \.mp3$ >> >> Note that the text to the right of "xyz.com" is a space-separated list >> of regular expressions. You need to put the "\" before the "." as >> otherwise "." would just match any character, not just the actual >> "full stop" character. "$" matches the "end of line", ensuring that >> the ".mov" appears at the end of the filename. > > Thanks for the quickie tutorial Julian. Just a simple sanity check: I > presume that in allow.filenames.rules that we can use the From: or > FromOrTo: nomenclature as well as the To: tag? Yes. > > Are tab seperators required between operators? No. One of the main features that the filename.rules.conf file provides that is better than the method above, is that the matching regular expressions can include spaces, which the method above cannot. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE135pEfZZRxQVtlQRAvv4AJ9rr2DZLa6scIatzfHeIEVEhJtRlQCdHT3M SQiddMN+gfTozUTHKK4hF1o= =oziO -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From jflowers at ezo.net Mon Aug 7 19:26:30 2006 From: jflowers at ezo.net (Jim Flowers) Date: Mon Aug 7 19:26:44 2006 Subject: Bypass spam scan based on header Message-ID: <20060807174400.M14392@ezo.net> I pre-process email with another program before forwarding messages to MailScanner. 
This program adds a header on the fly when a message has been whitelisted. I want to configure MailScanner to bypass spam-scanning messages that contain this header to save the overhead. Virus-scanning is still required. Is there a way to do this other than using a Custom Function or by using a sendmail hack? If not, I'll probably hack the pre-processor to add/delete the whitelisted addresses into the MySQL database for SQLBlackWhiteList.pm to handle. But I thought: if anyone has already solved this problem, I should ask. Anyone? -- Jim Flowers -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajos1 at onion.demon.co.uk Mon Aug 7 19:29:52 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Mon Aug 7 19:30:04 2006 Subject: gOCR SpamAssassin plugin Message-ID: - What a marvellous find... I am trying it now... Just one question... where would I stick in the plugin file? I am right in thinking it will be something like: /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin And not one of these: /usr/lib/MailScanner/CustomFunctions /usr/lib/MailScanner/plugins /etc/MailScanner/CustomFunctions /etc/MailScanner/plugins -----Original Message----- From: mailscanner@lists.mailscanner.info Subj: Re: gOCR SpamAssassin plugin Date: Mon, 07 Aug 2006 14:52:38 +0100 The one that Dallas posted on the SA users group seems to work well: http://www.rulesemporium.com/plugins.htm#imageinfo From ajos1 at onion.demon.co.uk Mon Aug 7 19:33:55 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Mon Aug 7 19:34:03 2006 Subject: gOCR SpamAssassin plugin Message-ID: - Interesting one here... I ALWAYS install the MailScanner from RPM... I notice that when searching for plugins... that I have two MailScanner systems... Did they switch over at some point? 
/usr/lib/perl5/site_perl has newer files than does /usr/lib/perl5/vendor_perl Just checking in case an error has slipped in over the last 12 months? [root@www perl5]# la /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin total 316 -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm -r--r--r-- 1 root root 13064 Jul 25 23:02 TextCat.pm -r--r--r-- 1 root root 10396 Jul 25 23:02 Pyzor.pm -r--r--r-- 1 root root 22445 Jul 25 23:02 DCC.pm -r--r--r-- 1 root root 14441 Jul 25 23:02 AWL.pm drwxr-xr-x 10 root root 4096 Jul 29 01:11 .. drwxr-xr-x 2 root root 4096 Jul 29 01:11 . 
[root@www perl5]# la /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin total 232 -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm From gordon at itnt.co.za Mon Aug 7 19:49:56 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Mon Aug 7 19:50:13 2006 Subject: setup filetype and filename rules per domain References: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl> <44D7714A.8030800@ecs.soton.ac.uk> Message-ID: <004001c6ba52$46f761e0$0d02a8c0@Gordon> Thanks! ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Monday, August 07, 2006 6:58 PM Subject: Re: setup filetype and filename rules per domain -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Swaney wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn >> Sent: Monday, August 07, 2006 11:41 AM >> To: mailscanner@lists.mailscanner.info >> Subject: setup filetype and filename rules per domain >> >> ITNT Banner CampaignIs there a way to setup filetype and filename rules >> per >> domain or user? 
>> >> I have some client domains and users that want to accept .mp3 and .wav >> files >> and others that don't >> >> Thanks >> Gordon Colyn In recent versions (version 4.49 and onwards) there are some new configuration settings, Allow Filenames Deny Filenames Allow Filetypes Deny Filetypes These are not as flexible as the filename.rules.conf and filetype.rules.conf files, but you may find them easier to use and good enough for your requirements. For an example, let's say that domain xyz.com wants to be able to email files called "*.mp3" and "*.wav". You would still need to do similar setups to stop the "filetype.rules.conf" file trapping movies in general. But let's keep it simple for this example. 1) We need to tell MailScanner to create a ruleset for "Allow Filenames" so we can vary the value of this setting depending on where the mail is going to. In MailScanner.conf, set Allow Filenames = %rules-dir%/allow.filenames.rules 2) Create the ruleset. This just needs to allow *.mp3 and *.wav for mail going to anyone@xyz.com. In /etc/MailScanner/rules/allow.filenames.rules, put To: xyz.com \.mov$ \.mp3$ Note that the text to the right of "xyz.com" is a space-separated list of regular expressions. You need to put the "\" before the "." as otherwise "." would just match any character, not just the actual "full stop" character. "$" matches the "end of line", ensuring that the ".mov" appears at the end of the filename. 3) Run the command "service MailScanner restart" to enable all of this. That's it! - ------------------------ Note for advanced users: The order of checking all of these settings is Allow Filenames Deny Filenames filename.rules.conf The first rule that matches is the result used. - ------------------------ > You need to create a rule sets that uses different filename/filetype > configuration files for mail from different domains for attachment > filename > and filetype checking. 
> If you have a Red Hat, CentOS or SuSE system, the
> following paths will be correct. They will vary on other systems but the
> same principles will work.
>
> First create two files:
>
> /etc/MailScanner/filename.rules.xyz.conf
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Copy these existing files to create the new files:
>
> cp /etc/MailScanner/filename.rules.conf \
> /etc/MailScanner/filename.rules.xyz.conf
>
> cp /etc/MailScanner/filetype.rules.conf \
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Then edit both the new files to allow or deny the files for xyz.domain
>
> Then create the file /etc/MailScanner/rules/filename.rules. The contents of
> this file should be:
>
> # Allow certain filenames from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filename.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Then create the file /etc/MailScanner/rules/filetype.rules. The contents of
> this file should be:
>
> # Allow certain filetypes from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filetype.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filetype.rules.conf
>
> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting
> for Filename Rules to be:
>
> Filename Rules = %rules-dir%/filename.rules
>
> And change the setting for Filetype Rules to be:
>
> Filetype Rules = %rules-dir%/filetype.rules
>
> Then reload MailScanner.
>
> I hope this helps,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE13FZEfZZRxQVtlQRAjI/AJ9QL/Glz1wAkjODkfnQ3DQoD/NY9QCfU6xt
SzbgyRdd3lhVIdpvR9r0d3g=
=lg1E
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From bpumphrey at WoodMacLaw.com Mon Aug 7 20:03:32 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 7 20:03:35 2006
Subject: blocking out-of-office discussions
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B4709@woodenex.woodmaclaw.local>

> On Friday, August 04, 2006 1:56 PM Jethro R Binks wrote:
>
> > Speaking perfectly frankly, that seems to be a common theme on this
> > list anyway.
> >
> > At least this discussion is mail-related and generically useful.
>
> That one gave me a good laugh. Thanks! :-)
> --

To me that makes this list stand out from the rest. MailScanner covers
so many areas.

From bpumphrey at WoodMacLaw.com Mon Aug 7 20:07:12 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 7 20:07:16 2006
Subject: OT: Another Exchange 2003 and MailScanner question
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local>

Does anyone use the built in Exchange intelligent filters along with
MailScanner? I currently do not and have debated back and forth over
time whether it would be good to turn it on or not.

Does anyone recommend one way or the other?

From mailscanner at ecs.soton.ac.uk Mon Aug 7 20:12:15 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 7 20:12:57 2006
Subject: Bypass spam scan based on header
In-Reply-To: <20060807174400.M14392@ezo.net>
References: <20060807174400.M14392@ezo.net>
Message-ID: <44D7908F.2040304@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A simple Custom Function would do it, but do be sure to remember that
any header you can add can be easily added by the spammers as well!
Don't trust _anything_ in the headers :-(

Jim Flowers wrote:
> I pre-process email with another program before forwarding messages to
> MailScanner. This program adds a header on the fly when a message has been
> whitelisted.
>
> I want to configure MailScanner to bypass spam-scanning messages that contain
> this header to save the overhead. Virus-scanning is still required. Is there
> a way to do this other than using a Custom Function or by using a sendmail hack?
>
> If not, I'll probably hack the pre-processor to add/delete the whitelisted
> addresses into the MySQL database for SQLBlackWhiteList.pm to handle.
>
> But I thought: if anyone has already solved this problem, I should ask.
>
> Anyone?
>
> --
> Jim Flowers
>
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE15CoEfZZRxQVtlQRAm/pAJ4/NzLcP51DmWW+8QBJnM0aLjcKCgCfSlkR
OrqOjExwkkJNR34DGm6cp4w=
=bV4T
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
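
[Added example, not part of the message above and not MailScanner code.] The warning about header trust, worked through in Python: the pre-processor strips any copy of its marker header that arrived from outside and adds its own with an HMAC, and the scanner side skips spam checks only when exactly one copy verifies. The header name X-Prefilter-Whitelisted, the key, the function names and the sample message are all assumptions constructed for this example.

```python
import hashlib
import hmac
import re
from email import message_from_string

# Assumed names: neither the header nor the key comes from MailScanner or the thread.
HEADER = "X-Prefilter-Whitelisted"
SECRET = b"constructed-demo-key-change-me"   # known to pre-processor and scanner only
VALUE_RE = re.compile(r"^v1 mac=([0-9a-f]{64})$")

# Constructed sample message.
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Message-ID: <constructed-1@example.org>\n"
    "Subject: quarterly figures\n"
    "\n"
    "Body text of a constructed test message.\n"
)


def body_digest(raw):
    """SHA-256 of everything after the first blank line (the body)."""
    body = raw.replace("\r\n", "\n").partition("\n\n")[2]
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def mac_for(msg, raw):
    """HMAC binding the marker to this message's Message-ID, From and body."""
    material = "\n".join(
        [msg.get("Message-ID", ""), msg.get("From", ""), body_digest(raw)]
    )
    return hmac.new(SECRET, material.encode("utf-8"), hashlib.sha256).hexdigest()


def preprocess(raw, whitelisted):
    """Pre-processor side: drop any inbound marker, add our own if whitelisted."""
    msg = message_from_string(raw)
    del msg[HEADER]                  # removes every occurrence; no error if absent
    if whitelisted:
        msg[HEADER] = "v1 mac=" + mac_for(msg, raw)
    return msg.as_string()


def may_skip_spam_checks(raw):
    """Scanner side: honour the marker only if exactly one copy verifies."""
    msg = message_from_string(raw)
    values = msg.get_all(HEADER, [])
    if len(values) != 1:             # absent, or a second copy added by someone else
        return False
    value = " ".join(values[0].split())   # tolerate refolding by an MTA
    match = VALUE_RE.match(value)
    if not match:
        return False
    return hmac.compare_digest(match.group(1), mac_for(msg, raw))


if __name__ == "__main__":
    forged = SAMPLE.replace("Subject:", HEADER + ": yes\nSubject:", 1)
    print("forged, direct to scanner:", may_skip_spam_checks(forged))
    print("forged, via pre-processor:", may_skip_spam_checks(preprocess(forged, False)))
    print("whitelisted by us        :", may_skip_spam_checks(preprocess(SAMPLE, True)))
```

Because the MAC covers the body, a marker copied from one whitelisted message does not verify on different content. Virus scanning stays on in every case, as in the original question.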
From JeremyBlonde at grant.k12.ca.us Mon Aug 7 20:18:23 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Mon Aug 7 20:17:29 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 Message-ID: FYI I'm running Gentoo Linux w/ Postfix and MailScanner 4.55.6. I just tried installing version 4.55.10 (I've been running 4.55.6). After installing it via the install.sh script, postfix would generate the following error: "postfix: Process did not exit cleanly, returned 255 with signal 0". Postfix worked when it ran without MailScanner. I verified the permissions on the directories and everything looked good. I played with it a bit but couldn't get it work. I then linked back to the old version and everything worked again. P.S. Sorry about my previous post. I was interrupted and didn't realize I hadn't update the subject. Thanks, Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -----Original Message----- From: mailscanner-announce-bounces@lists.mailscanner.info [mailto:mailscanner-announce-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, August 07, 2006 10:47 AM To: MailScanner discussion; MailScanner announcements Subject: MailScanner ANNOUNCE: Revision to 4.55 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The author of the Sys::Syslog perl module has withdrawn it due to problems including compatibility issues with some Linux distributions. The most obvious effect is that the "make test" step may hang part-way through the tests. As a result, I have had no alternative other than to reluctantly publish a revision of the latest stable release of MailScanner. If you had problems installing 4.55.9 (notably on some CentOS systems) then download and upgrade to 4.55.10. Download as usual from www.mailscanner.info Note that if you had no problems installing 4.55.9, there is no reason to upgrade to 4.55.10. Sorry for this forced re-release. 
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. -- MailScanner-announce mailing list mailscanner-announce@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner-announce Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! From bbecken at aafp.org Mon Aug 7 20:17:40 2006 From: bbecken at aafp.org (Brad Beckenhauer) Date: Mon Aug 7 20:17:57 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <44D74B7E.D87E.0068.3@aafp.org> Hi, Just for fun I upgraded from 4.55.9 to 4.55.10 on a Centos 4.3 box test box. I then ran MailScanner --lint and got the following. The configuration file /etc/MailScanner/MailScanner.conf is too new for this version of MailScanner. This is version 4.55.9 but the config file is for at least version 4.55.10 Easy fix is to modify the MailScanner.conf file and change the version to 4.55.9, but I thought you'd like to know. Thanks for MailScanner Julian. >>> mailscanner@ecs.soton.ac.uk 8/7/2006 12:46 PM >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The author of the Sys::Syslog perl module has withdrawn it due to problems including compatibility issues with some Linux distributions. 
The most obvious effect is that the "make test" step may hang part-way through the tests. As a result, I have had no alternative other than to reluctantly publish a revision of the latest stable release of MailScanner. If you had problems installing 4.55.9 (notably on some CentOS systems) then download and upgrade to 4.55.10. Download as usual from www.mailscanner.info Note that if you had no problems installing 4.55.9, there is no reason to upgrade to 4.55.10. Sorry for this forced re-release. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at ecs.soton.ac.uk Mon Aug 7 20:19:15 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 20:19:32 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: References: Message-ID: <44D79233.7050008@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ajos1@onion.demon.co.uk wrote: > - > > Interesting one here... I ALWAYS install the MailScanner from RPM... I notice that when searching for plugins... that I have two MailScanner systems... > > Did they switch over at some point? 
The main MailScanner RPM distribution does not include anything to do with SpamAssassin. However, I do distribute an easy-to-install ClamAV+SpamAssassin distribution as well, which I strongly encourage users to install, as it does most of the setup and configuration for them too. The correct version put in by my distribution should be in site_perl and not vendor_perl. Beware that you might have a spamassassin rpm installed as well, which you should ideally remove before installing my distribution. > > /usr/lib/perl5/site_perl has newer files than does /usr/lib/perl5/vendor_perl > > Just checking in case an error has slipped in over the last 12 months? > > [root@www perl5]# la /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin > total 316 > -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm > -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm > -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm > -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm > -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm > -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm > -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm > -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm > -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm > -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm > -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm > -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm > -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm > -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm > -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm > -r--r--r-- 1 root root 13064 Jul 25 23:02 TextCat.pm > -r--r--r-- 1 root root 10396 Jul 25 23:02 Pyzor.pm > -r--r--r-- 1 root root 22445 Jul 25 23:02 DCC.pm > -r--r--r-- 1 root root 14441 Jul 25 23:02 AWL.pm > drwxr-xr-x 10 root root 4096 Jul 29 01:11 .. > drwxr-xr-x 2 root root 4096 Jul 29 01:11 . 
> > [root@www perl5]# la /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin > total 232 > -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm > -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm > -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm > -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm > -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm > -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm > -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm > -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm > -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm > -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm > -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm > -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm > -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm > -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm > -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE15I6EfZZRxQVtlQRAngdAKCqQktQqU8cq4IE2OD+WICOjGmzvQCfWL4y a6qxMRuqr7ysF8l77c0+C6s= =7QU2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From rob at dido.ca Mon Aug 7 20:21:52 2006 From: rob at dido.ca (Rob Morin) Date: Mon Aug 7 20:21:59 2006 Subject: Remove these headers issue.. Message-ID: <44D792D0.4090705@dido.ca> OK so i am experimenting as per my manager to have internal emails that go out through our MS, have some info removed... so i have done the following.... 
created a file named remove.headers.rules added this line to MailScanner.conf Remove These Headers = %rules-dir%/remove.headers.rules This file contains the below... FromOrTo: default X-Mozilla-Status: X-Mozilla-Status2: Received: User-Agent: However the User agent still does not get removed?? The Received From gets removed, but not user agent I have restarted MS after making the changes Did i miss something? Thanks... -- Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 From root at doctor.nl2k.ab.ca Mon Aug 7 22:18:06 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Aug 7 22:18:17 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <20060807211806.GB11620@doctor.nl2k.ab.ca> On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The author of the Sys::Syslog perl module has withdrawn it due to > problems including compatibility issues with some Linux distributions. > The most obvious effect is that the "make test" step may hang part-way > through the tests. > > As a result, I have had no alternative other than to reluctantly publish > a revision of the latest stable release of MailScanner. > > If you had problems installing 4.55.9 (notably on some CentOS systems) > then download and upgrade to 4.55.10. > > Download as usual from www.mailscanner.info > > Note that if you had no problems installing 4.55.9, there is no reason > to upgrade to 4.55.10. > > Sorry for this forced re-release. > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Get your PCs and servers from Transtec.de, very well built and reliable! > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW > 24ByWh9/vqg8VFwMXAWtnvg= > =Ctux > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > MailScanner thanks transtec Computers for their support. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > How will this affect MailScanner 4.56 ? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ugob at camo-route.com Mon Aug 7 22:33:37 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Mon Aug 7 22:34:08 2006 Subject: SA-related: how to automate SA upgrades Message-ID: Hi, I was wondering if anyone heard of a way to feed the SpamAsssassin install with an e-mail address so that we don't get this prompt: Building and Installing... What email address or URL should be used in the suspected-spam report text for users who want more information on your filter installation? 
(In particular, ISPs should change this to a local Postmaster contact) default text: [the administrator of that system] Regards, Ugo From rgills at intratechsystems.com Mon Aug 7 22:44:09 2006 From: rgills at intratechsystems.com (Rob Gills) Date: Mon Aug 7 22:44:05 2006 Subject: install problem with 4.55.10 Message-ID: Hello, I have noticed one small install problem with Mailscanner 4.55.10 I just joined the lists so if someone else already mentioned this, I apologize. I have just done two clean installs today, not upgrades, both on Redhat. Each one gave me the following error: MailScanner: The configuration file /etc/MailScanner/MailScanner.conf is too new for this version of MailScanner. This is version 4.55.9 but the config file is for at least version 4.55.10 I simply edited the version number to 4.55.9 in Mailscan.conf, as a work around. Works fine. Cheers, -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060807/91dd0b99/attachment.html From mike at vesol.com Mon Aug 7 22:54:13 2006 From: mike at vesol.com (Mike Kercher) Date: Mon Aug 7 22:54:24 2006 Subject: SA-related: how to automate SA upgrades In-Reply-To: Message-ID: The 'expect' command would probably come in handy here. Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ugo Bellavance > Sent: Monday, August 07, 2006 4:34 PM > To: mailscanner@lists.mailscanner.info > Subject: SA-related: how to automate SA upgrades > > Hi, > > I was wondering if anyone heard of a way to feed the > SpamAsssassin install with an e-mail address so that we don't > get this prompt: > > Building and Installing... > What email address or URL should be used in the > suspected-spam report text for users who want more > information on your filter installation? 
> (In particular, ISPs should change this to a local Postmaster > contact) default text: [the administrator of that system] > > Regards, > > Ugo > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From brent.addis at pronet.co.nz Mon Aug 7 23:26:12 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Mon Aug 7 23:27:10 2006 Subject: missing queue files? Message-ID: <44D7BE04.60606@pronet.co.nz> Hi. I have just migrated to a new machine (was exim 4.50, MailScanner-4.43.8) which has been humming along quite nicely for a long time. I am now running exim 4.62 along with Mailscanner-4.55.9. We are currently seeing occasional messages hitting mailscanner, being scanned, and only the Header file seemingly being inserted into the exim queue. EG: 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D not found envy:/var/log/exim4# ls -l /var/spool/exim4/input/ total 4 -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08 1GADGn-0004tk-Kq-H I had a similar problem when I upgraded to 4.50, however I didn't have much time to look into it, so downgraded back to the above. Has anyone else seen a similar issue? From alex at nkpanama.com Mon Aug 7 23:35:18 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Aug 7 23:35:36 2006 Subject: SA-related: how to automate SA upgrades In-Reply-To: References: Message-ID: <44D7C026.5080005@nkpanama.com> IANAP, but could it be possibly done by doing: echo "me@myself.com" | perl -MCPAN -e 'install Mail::SpamAssassin' ? Ugo Bellavance wrote: > Hi, > > I was wondering if anyone heard of a way to feed the SpamAsssassin > install with an e-mail address so that we don't get this prompt: > > Building and Installing... 
> What email address or URL should be used in the suspected-spam report > text for users who want more information on your filter installation? > (In particular, ISPs should change this to a local Postmaster contact) > default text: [the administrator of that system] > > Regards, > > Ugo > From alex at nkpanama.com Mon Aug 7 23:39:14 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Aug 7 23:39:31 2006 Subject: SA-related: how to automate SA upgrades In-Reply-To: <44D7C026.5080005@nkpanama.com> References: <44D7C026.5080005@nkpanama.com> Message-ID: <44D7C112.7010202@nkpanama.com> Just tried it on a test machine and it worked. Alex Neuman van der Hans wrote: > IANAP, but could it be possibly done by doing: > > echo "me@myself.com" | perl -MCPAN -e 'install Mail::SpamAssassin' > > ? > > Ugo Bellavance wrote: >> Hi, >> >> I was wondering if anyone heard of a way to feed the >> SpamAsssassin install with an e-mail address so that we don't get >> this prompt: >> >> Building and Installing... >> What email address or URL should be used in the suspected-spam report >> text for users who want more information on your filter installation? >> (In particular, ISPs should change this to a local Postmaster contact) >> default text: [the administrator of that system] >> >> Regards, >> >> Ugo >> > From brent.addis at pronet.co.nz Mon Aug 7 23:58:31 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Aug 8 00:00:44 2006 Subject: missing queue files? In-Reply-To: <44D7BE04.60606@pronet.co.nz> References: <44D7BE04.60606@pronet.co.nz> Message-ID: <44D7C597.5090201@pronet.co.nz> Brent Addis wrote: > Hi. > > I have just migrated to a new machine (was exim 4.50, > MailScanner-4.43.8) which has been humming along quite nicely for a > long time. > > I am now running exim 4.62 along with Mailscanner-4.55.9. 
> > We are currently seeing occasional messages hitting mailscanner, being > scanned, and only the Header file seemingly being inserted into the > exim queue. > > EG: > > 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D not > found > > envy:/var/log/exim4# ls -l /var/spool/exim4/input/ > total 4 > -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08 > 1GADGn-0004tk-Kq-H > > > I had a similar problem when I upgraded to 4.50, however I didn't have > much time to look into it, so downgraded back to the above. > > Has anyone else seen a similar issue? > > > > > > Also: Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning: Starting Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages Aug 8 10:08:45 envy MailScanner[15218]: Logging message 1GADGn-0004tk-Kq to SQL Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to MailWatch SQL envy:/var/log# /opt/MailScanner/bin/MailScanner -v Running on Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux This is Perl version 5.008004 (5.8.4) This is MailScanner version 4.55.9 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.02 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.72 File::Basename 2.07 File::Copy 2.01 FileHandle 1.06 File::Path 0.16 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.54 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.123 IO::Pipe 1.71 Mail::Header 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.10 Net::CIDR 1.08 POSIX 1.77 Socket 1.2 Sys::Hostname::Long 0.17 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 0.17 Convert::TNEF 1.808 DB_File 1.11 DBD::SQLite 1.50 DBI 1.06 Digest 1.01 Digest::HMAC 2.33 Digest::MD5 2.10 Digest::SHA1 0.44 Inline missing Mail::ClamAV 3.001004 Mail::SpamAssassin 1.997 Mail::SPF::Query 0.15 Net::CIDR::Lite 1.24 Net::IP 0.48 Net::DNS missing 
Net::LDAP 1.94 Parse::RecDescent missing SAVI 2.40 Test::Harness 0.62 Test::Simple 1.95 Text::Balanced 1.35 URI The issue seems to be very random, and I have as yet been unable to replicate myself From jon.bates at summitmotors.com.au Tue Aug 8 00:25:41 2006 From: jon.bates at summitmotors.com.au (Jon Bates) Date: Tue Aug 8 00:25:56 2006 Subject: Blocking attachments - Stopping sneaky employees In-Reply-To: <200608041107.k74B6h9V001647@bkserver.blacknight.ie> Message-ID: <004401c6ba78$cce4daf0$5864a8c0@jonlaptop> Ahh! I don't know how I missed this!? Thank you very much to those that replied. It's working perfectly now. Cheers Jon > Use the file command. > do a search for #file in your MailScanner.conf Jon Bates wrote: >> >> I've got all audio and video type files being quarantined on my >> servers. Some users are now getting smart to the fact that they can >> simply change the extension on the file to bypass this system. >> >> Is there some way to filter attachments based on the attachment mime >> type or something? I've done a few hours searching and I haven't come >> up with a suitable answer. >> >> Any guidance would be appreciated!
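The renamed-extension bypass discussed in the message above, and why a content-based check of the kind the suggested `file`-driven filetype rules perform catches it, shown as an added example that is not from the list or from MailScanner's own code. It is a small Python stand-in for file(1)-style signature matching run over a constructed message; the function names, the signature table, the blocked-extension set and the sample attachments are all assumptions made for this illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a filename-only rule would block (assumed policy: audio and video).
MEDIA_EXTENSIONS = {".mp3", ".wav", ".ogg", ".avi", ".mp4", ".wmv", ".mkv"}

# ASF header object GUID, the first 16 bytes of WMV/WMA files.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def sniff_media(data):
    """Return a coarse media type from leading bytes, or None if not recognised.

    The table is deliberately small; file(1) knows thousands of signatures.
    """
    if data[:3] == b"ID3":
        return "audio/mpeg"            # MP3 with an ID3v2 tag
    if data[:4] == b"OggS":
        return "audio/ogg"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/wav"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "video/avi"
    if data[4:8] == b"ftyp":
        return "video/mp4"             # ISO base media (MP4/M4A/MOV family)
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "video/x-matroska"      # Matroska/WebM (EBML header)
    if data[:16] == ASF_GUID:
        return "video/x-ms-asf"
    return None


def audit_attachments(raw_message):
    """Compare a name-based decision with a content-based one per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        detected = sniff_media(payload)
        by_name = os.path.splitext(name)[1].lower() in MEDIA_EXTENSIONS
        by_content = detected is not None
        findings.append({
            "filename": name,
            "declared": part.get_content_type(),   # sender-controlled, not trusted
            "detected": detected,
            "by_name": by_name,
            "by_content": by_content,
            # Media content hiding behind a harmless-looking extension.
            "renamed": by_content and not by_name,
            "verdict": "quarantine" if (by_name or by_content) else "deliver",
        })
    return findings


def build_sample_message():
    """Constructed message: one honest MP3, two renamed media files, one text file."""
    mp3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 32
    avi = b"RIFF\x24\x00\x00\x00AVI LIST" + b"\x00" * 24
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "friend@example.net"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    msg.add_attachment(mp3, maintype="audio", subtype="mpeg",
                       filename="song.mp3")
    msg.add_attachment(mp3, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(avi, maintype="application", subtype="vnd.ms-excel",
                       filename="holiday.xls")
    msg.add_attachment("plain meeting notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in audit_attachments(build_sample_message()):
        note = "  (renamed media)" if f["renamed"] else ""
        print(f"{f['filename']:12} declared={f['declared']:26} "
              f"detected={f['detected']} -> {f['verdict']}{note}")
```

Both the filename and the declared MIME type are chosen by the sender, which is why only the decoded content is used for the second decision.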
From ssilva at sgvwater.com Tue Aug 8 01:00:11 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 8 01:00:38 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/5/2006 12:50 AM: > On 04/08/06, Scott Silva wrote: >> Glenn Steen spake the following on 8/4/2006 9:13 AM: > (snip) >> > My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome >> > (into my first beer and fired up the grill), so I'd not trust myself >> > further than that:-) >> > >> > Cheers >> Tip one for us!!! > My headache tells me that I tipped not only one, but several.... So... > Feel duly saluted;-). > Now where did I put that hangover rectification tool (HORT == aspirin;)... HOTD = Hair of the dog! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From steve.swaney at fsl.com Tue Aug 8 01:22:25 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 8 01:20:32 2006 Subject: FW: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz Message-ID: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> FYI. -----Original Message----- From: clamav-announce-bounces@lists.clamav.net [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli Sent: Monday, August 07, 2006 7:38 PM To: ClamAV Announce Cc: clamav-users@lists.clamav.net Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz Dear ClamAV users, Apparently there is a problem on SourceForge which makes download of clamav-0.88.4.tar.gz impossible. 
We temporarily made the source available from the following URLs: http://mirror.clamav.net/clamav-0.88.4.tar.gz http://mirror.clamav.net/clamav-0.88.4.tar.gz.sig Please note that once SourceForge file release system works again, we'll remove the above files. Always refer to our website for the latest download links. Regards, -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From chrisgreen at hotmail.com Tue Aug 8 03:34:00 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Tue Aug 8 03:34:12 2006 Subject: MailScanner & Postfi In-Reply-To: <61518.194.70.180.170.1154955981.squirrel@webmail.r-bit.net> Message-ID: Drew Marshall wrote: > > -D isn't a known option, for PF 2.1 at least, and would land you with > > an error. So don't do that:-). > >I did wonder. I like to (try to) post accurate or true information but not >being in front of a machine to break... ;-) > Thanks guys. You're right - I've just removed it and it works fine. I never did get an error either, so it looks like PF is very tolerant with novices. Maybe that's why I like it so much :-) From chrisgreen at hotmail.com Tue Aug 8 05:41:30 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Tue Aug 8 05:41:38 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: Jan-Peter Koopmann wrote: > > > I think Chris' original point is still valid. > >Using Outlooks own Junk-Mail folder/functionality --> No. > > > A number of our users > > (primarily hosting customers have barely enough technical know-how to > > operating e-mails. Setting up individual rules in their e-mail > > client will likely prove beyond their grasp. 
Therefore some way of > > automating the delivery of messages that are potentially spam but > > only low-scoring to > > the end-user's Spam mailbox would be a useful feature indeed. > >Thus the pointer to the plugin. >-- Jan-Peter, thanks for the plugin tip, that looks very useful. The reasoning behind my request is that if an anti-spam mechanism already exists in a product then why not exploit it? I'm a consultant to many different companies and there is no single solution that I can apply everywhere, nor do I have absolute authority to implement change. Leaving default configuration in place and using MailScanner would work best, and zero training requirement. It's not ideal, but it's pretty close. From MailScanner at ecs.soton.ac.uk Tue Aug 8 09:17:51 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 09:18:13 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <20060807211806.GB11620@doctor.nl2k.ab.ca> References: <44D77C7E.5010703@ecs.soton.ac.uk> <20060807211806.GB11620@doctor.nl2k.ab.ca> Message-ID: <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 7 Aug 2006, at 22:18, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> The author of the Sys::Syslog perl module has withdrawn it due to >> problems including compatibility issues with some Linux >> distributions. >> The most obvious effect is that the "make test" step may hang part- >> way >> through the tests. >> >> As a result, I have had no alternative other than to reluctantly >> publish >> a revision of the latest stable release of MailScanner. >> >> If you had problems installing 4.55.9 (notably on some CentOS >> systems) >> then download and upgrade to 4.55.10. 
>> >> Download as usual from www.mailscanner.info >> >> Note that if you had no problems installing 4.55.9, there is no >> reason >> to upgrade to 4.55.10. >> >> Sorry for this forced re-release. >> >> - -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration >> help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Get your PCs and servers from Transtec.de, very well built and >> reliable! >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP SDK 3.7.0 >> Charset: ISO-8859-1 >> >> wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW >> 24ByWh9/vqg8VFwMXAWtnvg= >> =Ctux >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> MailScanner thanks transtec Computers for their support. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> > > How will this affect MailScanner 4.56 ? It won't. 4.56 will continue to be developed as normal. - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: US-ASCII wj8DBQFE2EiwEfZZRxQVtlQRAuTgAKDQvATwLygNoKEDnABtXnMWTPgtWwCfRdN8 FLdmyD2C7RheAT8/RFvHY/M= =KJd6 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
From MailScanner at ecs.soton.ac.uk Tue Aug 8 09:25:55 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 09:26:13 2006 Subject: install problem with 4.55.10 In-Reply-To: References: Message-ID: <9698ECB2-7977-42ED-8F4C-536F55543E85@ecs.soton.ac.uk> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 206 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060808/fac6f7ae/PGP-0001.bin From brent.addis at pronet.co.nz Tue Aug 8 09:37:48 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Aug 8 09:38:29 2006 Subject: missing queue files? In-Reply-To: <44D7C597.5090201@pronet.co.nz> References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> Message-ID: <44D84D5C.7040000@pronet.co.nz> Seems to have been fixed by changing the lock type to posix from blank. Shouldn't this be done automatically? By looking at the documentation on this setting, one would assume that by default it means "set automatically". Thanks, Brent Addis wrote: > Brent Addis wrote: >> Hi. >> >> I have just migrated to a new machine (was exim 4.50, >> MailScanner-4.43.8) which has been humming along quite nicely for a >> long time. >> >> I am now running exim 4.62 along with Mailscanner-4.55.9. >> >> We are currently seeing occasional messages hitting mailscanner, >> being scanned, and only the Header file seemingly being inserted into >> the exim queue. >> >> EG: >> >> 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D >> not found >> >> envy:/var/log/exim4# ls -l /var/spool/exim4/input/ >> total 4 >> -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08 >> 1GADGn-0004tk-Kq-H >> >> >> I had a similar problem when I upgraded to 4.50, however I didn't >> have much time to look into it, so downgraded back to the above. >> >> Has anyone else seen a similar issue? 
>> >> >> >> >> >> > Also: > > Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning: > Starting > Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages > Aug 8 10:08:45 envy MailScanner[15218]: Logging message > 1GADGn-0004tk-Kq to SQL > Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to > MailWatch SQL > > envy:/var/log# /opt/MailScanner/bin/MailScanner -v > Running on > Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux > This is Perl version 5.008004 (5.8.4) > > This is MailScanner version 4.55.9 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.02 Carp > 1.119 Convert::BinHex > 1.00 DirHandle > 1.05 Fcntl > 2.72 File::Basename > 2.07 File::Copy > 2.01 FileHandle > 1.06 File::Path > 0.16 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.21 IO > 1.10 IO::File > 1.123 IO::Pipe > 1.71 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > 0.10 Net::CIDR > 1.08 POSIX > 1.77 Socket > 1.2 Sys::Hostname::Long > 0.17 Sys::Syslog > 1.86 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 0.17 Convert::TNEF > 1.808 DB_File > 1.11 DBD::SQLite > 1.50 DBI > 1.06 Digest > 1.01 Digest::HMAC > 2.33 Digest::MD5 > 2.10 Digest::SHA1 > 0.44 Inline > missing Mail::ClamAV > 3.001004 Mail::SpamAssassin > 1.997 Mail::SPF::Query > 0.15 Net::CIDR::Lite > 1.24 Net::IP > 0.48 Net::DNS > missing Net::LDAP > 1.94 Parse::RecDescent > missing SAVI > 2.40 Test::Harness > 0.62 Test::Simple > 1.95 Text::Balanced > 1.35 URI > > The issue seems to be very random, and I have as yet been unable to > replicate myself > > > > > > > > > > > From P.G.M.Peters at utwente.nl Tue Aug 8 09:49:26 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 8 09:49:31 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: 
References: Message-ID: <44D85016.4050303@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Koopmann, Jan-Peter wrote on 7-8-2006 14:45: > On Saturday, August 05, 2006 5:03 PM Chris Green wrote: > >> I would expect that if they had gone in and changed this from the >> default they were either a) advanced users with alternative >> solutions; b) clever enough to realise it could result in more >> spam; or c) previously employed by Sainsbury's as the trolley-boy >> and found it a bit too mentally challenging. > > d) chose to rely on MailScanner/SpamAssassin and therefore turned the > Outlook detection off which btw. is what we do at our customer sites > using group policy. Therefore your setup is not going to work all > that well. > > There are applications (event sinks) that are able to centrally move > messages to folders based on header values. One is even free (search > for Mailshell Exchange Plugin) Exchange 2003 has a spam-filter build in. It moves messages it thinks is spam to the Junk folder. This is a site wide configuration. So at least some of the spam will not trigger OOO's. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE2FAWelLo80lrIdIRAlVwAKCZKf7zX5Mg0zOtC8qvO+x6MpL/KQCgnx3k rpC5KHcJI6h4lqDXVoGZEzA= =GC7c -----END PGP SIGNATURE----- From P.G.M.Peters at utwente.nl Tue Aug 8 09:52:02 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 8 09:52:11 2006 Subject: Envelope-To and Bcc... heading OT... 
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> References: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> Message-ID: <44D850B2.2090405@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stef Morrell wrote on 7-8-2006 10:39: > mdaemon isn't totally broken ;) at least it doesn't destroy headers like > some *cough* exchange *cough* mailservers do. If you mean remove completely when you say remove I can confirm. In the past when our students just used IMAP on a linux server I had them forward the message to me when they had questions regarding SA rules that tagged the message as spam. Exchange, when asked to forward the whole message as attachment, removes all X-MailScanner headers. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE2FCyelLo80lrIdIRApxyAJ4+zLlQ0LheHh1RLLKNAl9yGjGhFQCfTGPf 53n3PtT8/87+1d04tlFCPVc= =QKaf -----END PGP SIGNATURE----- From P.G.M.Peters at utwente.nl Tue Aug 8 09:54:45 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 8 09:54:51 2006 Subject: OT: Another Exchange 2003 and MailScanner question In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local> Message-ID: <44D85155.5020601@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Billy A. Pumphrey wrote on 7-8-2006 21:07: > Does anyone use the built in Exchange intelligent filters along with > MailScanner? I currently do not and have debated back and forth over > time whether it would be good to turn it on or not. Does anyone > recommend one way or the other? Our Exchange administrators have turned it on.
I haven't found any message in the Junk folder yet. But then again I use Thunderbird to connect to the Exchange server. Perhaps this only works with Outlook. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE2FFVelLo80lrIdIRAvBpAKCVom84S5LRF4l3zMaIASXhRuG34gCfewEU TL29fhJ6WyU+CazvTy19uyY= =+OtI -----END PGP SIGNATURE----- From t.d.lee at durham.ac.uk Tue Aug 8 10:46:56 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Aug 8 10:48:56 2006 Subject: missing queue files? In-Reply-To: <44D84D5C.7040000@pronet.co.nz> References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> <44D84D5C.7040000@pronet.co.nz> Message-ID: On Tue, 8 Aug 2006, Brent Addis wrote: > Seems to have been fixed by changing the lock type to posix from blank. > > Shouldn't this be done automatically? By looking at the documentation on > this setting, one would assume that by default it means "set automatically". In early June we had some discussion about this (Subject "lock type"). Indeed the documentation and behaviour contradicted each other, and (despite the documentation) an explicit "posix" was, indeed, necessary. Julian: Could you confirm, please, in what releases since then this mismatch has actually been rectified? (Getting the documentation and behaviour to match each other is the primary point; the actual behaviour is probably relatively secondary.) Thanks. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. 
: From evanderleun at hal9000.nl Tue Aug 8 12:42:01 2006 From: evanderleun at hal9000.nl (Erik van der Leun) Date: Tue Aug 8 12:42:16 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: References: Message-ID: It works like a charm for me :) On Mon, 7 Aug 2006, ajos1@onion.demon.co.uk wrote: > - > > What a marvellous find... I am trying it now... > > Just one question... where would I stick in the plugin file? > > I am right in thinking it will be something like: > > /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin > /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin > > > And not one of these: > > /usr/lib/MailScanner/CustomFunctions > /usr/lib/MailScanner/plugins > /etc/MailScanner/CustomFunctions > /etc/MailScanner/plugins > > > -----Original Message----- > From: mailscanner@lists.mailscanner.info > Subj: Re: gOCR SpamAssassin plugin > Date: Mon, 07 Aug 2006 14:52:38 +0100 > > The one that Dallas posted on the SA users group seems to work well: > > http://www.rulesemporium.com/plugins.htm#imageinfo > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From augustin.siaens at aquadev.org Tue Aug 8 13:59:21 2006 From: augustin.siaens at aquadev.org (Augustin Siaens) Date: Tue Aug 8 13:59:24 2006 Subject: update problems Message-ID: <44D88AA9.6010601@aquadev.org> Hello, just because I spent the whole morning fixing this, I thought that It may interest some users. server: Fedora5 operation: update from 4.54.5-1 to 4.55.10-2 problem after upgrade. MailScanner won't work because of Spamassassin problem. Apparently something related to Syslog. After 2 hours, it appeared that the Perl module Sys::Syslog had to be upgraded. I used CPAN and now no problem. Too bad I lost the morning looking for the solution! 
cheers -- Augustin Siaens AQUADEV Rue des Carmélites 151 Karmelietenstraat 1180 Bruxelles - Brussel Tel: +32 2 347 70 00 Fax: +32 2 347 00 36 -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. For all your IT requirements visit: http://www.transtec.co.uk From jgolden at ci.grand-rapids.mi.us Tue Aug 8 14:04:06 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Tue Aug 8 14:05:00 2006 Subject: Retreiving attachments In-Reply-To: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> References: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> Message-ID: <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> Thanks for the answer. Sorry for the long delay in the thanks departments. One more question here, Can I put more than one rules file in the Mailscanner.conf? Currently I am pointing to a ruleset already. Currently mine looks like this Filename Rules = %etc-dir%/filename.rules.conf so would it look like this? Filename Rules = %rules-dir%/filename.rules %etc-dir%/filename.rules.conf Or would I need to combine the .rules file into the .conf file? Thanks for the help. James On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Golden, James > > Sent: Friday, August 04, 2006 5:10 PM > > To: MailScanner discussion > > Subject: Re: Retreiving attachments > > > > The attachments seem to be .doc or .xls or others and the client always > > seems to be Outlook. > > > > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > > > > > > Hello, > > > > I've have been wasting my whole day trying to figure out how to do > > this. Can anyone could help besides telling me to install Mailwatch > > (because it's not an option right now). > > > > I have messages that are being snagged by MailScanner because the > > attachment is too large.
When I go to the directory the attachment is in > > binary in the message. > > > > I tried using a sendmail -t < message, but of course it gets snagged > > again by MS. Is there an option I'm missing to store the attachments > > separately from the message, is there a way to send this on without it > > being scanned? Is there a way to get the attachment out of the message? > > > > I need help soon as this is becoming a large issue today (about 6 > > end users) and my boss is hearing about it! > > > > Thanks, > > > > James > > You need to create a rule sets that exempt the localhost from attachment > filename and filetype checking. If you have a Red Hat, CentOS or SuSE > system, the following paths will be correct. They will vary on other systems > but the same principals will work. > > First create two files: > > /etc/MailScanner/filename.rules.allowall.conf > /etc/MailScanner/filetype.rules.allowall.conf > > The contents of each file will be identical: > > allow *. - - > > The spaces MUST be Tabs so the contents of both files is really: > > allow*.->Tab>- > > Then create the file /etc/MailScanner/rules/filename.rules. The contents of > this file should be: > > # Allow all filenames from localhost > From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > # Default entry > FromOrTo: default /etc/MailScanner/filename.rules.conf > > Then create the file /etc/MailScanner/rules/filetype.rules. The contents of > this file should be: > > # Allow all filetypes from localhost > From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > # Default entry > FromOrTo: default /etc/MailScanner/filetype.rules.conf > > Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting > for Filename Rules to be: > > Filename Rules = %rules-dir%/filename.rules > > And change the setting for Filetype Rules to be: > > Filetype Rules = %rules-dir%/filetype.rules > > Then reload MailScanner. 
> > You should now be able to release the files using the `sendmail -t < > message` command without MailScanner re-quarantining the files. > > Have a nice weekend. > > Steve > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > > From root at doctor.nl2k.ab.ca Tue Aug 8 14:32:19 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Aug 8 14:32:43 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> <20060807211806.GB11620@doctor.nl2k.ab.ca> <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk> Message-ID: <20060808133219.GB17398@doctor.nl2k.ab.ca> On Tue, Aug 08, 2006 at 09:17:51AM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On 7 Aug 2006, at 22:18, Dave Shariff Yadallee - System Administrator > a.k.a. The Root of the Problem wrote: > > > On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> The author of the Sys::Syslog perl module has withdrawn it due to > >> problems including compatibility issues with some Linux > >> distributions. > >> The most obvious effect is that the "make test" step may hang part- > >> way > >> through the tests. > >> > >> As a result, I have had no alternative other than to reluctantly > >> publish > >> a revision of the latest stable release of MailScanner. > >> > >> If you had problems installing 4.55.9 (notably on some CentOS > >> systems) > >> then download and upgrade to 4.55.10.
> >> > >> Download as usual from www.mailscanner.info > >> > >> Note that if you had no problems installing 4.55.9, there is no > >> reason > >> to upgrade to 4.55.10. > >> > >> Sorry for this forced re-release. > >> > >> - -- > >> Julian Field > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > >> > >> MailScanner customisation, or any advanced system administration > >> help? > >> Contact me at Jules@MailScanner.biz > >> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> Get your PCs and servers from Transtec.de, very well built and > >> reliable! > >> > >> -----BEGIN PGP SIGNATURE----- > >> Version: PGP SDK 3.7.0 > >> Charset: ISO-8859-1 > >> > >> wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW > >> 24ByWh9/vqg8VFwMXAWtnvg= > >> =Ctux > >> -----END PGP SIGNATURE----- > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> MailScanner thanks transtec Computers for their support. > >> > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> > > > > How will this affect MailScanner 4.56 ? > > It won't. 4.56 will continue to be developed as normal. > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > I thought the Sys::Syslog references would have to be removed. 
> > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: US-ASCII > > wj8DBQFE2EiwEfZZRxQVtlQRAuTgAKDQvATwLygNoKEDnABtXnMWTPgtWwCfRdN8 > FLdmyD2C7RheAT8/RFvHY/M= > =KJd6 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > MailScanner thanks transtec Computers for their support. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From rob at dido.ca Tue Aug 8 14:35:05 2006 From: rob at dido.ca (Rob Morin) Date: Tue Aug 8 14:35:09 2006 Subject: Retreiving attachments In-Reply-To: <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> References: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <44D89309.5030308@dido.ca> On another note, has anyone come up with a way to retrieve quarantined attachments without the intervention of the sys admin? Meaning the end user can get them themselves? I thought i heard a while back of some app to do this? Have a good one! Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Golden, James wrote: > Thanks for the answer. Sorry for the long delay in the thanks > departments. > > One more question here, > > Can I put more than one rules file in the Mailscanner.conf. Currently > I am pointing to a ruleset already. > > Currently mine looks like this > > Filename Rules = %etc-dir%/filename.rules.conf > > so would it look like this? > > Filename Rules = %rules-dir%/filename.rules %etc-dir%/filename.rules.conf > > Or would I need to combine the .rules file into the .conf file > > Thanks for the help. 
> > James > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: >> > -----Original Message----- >> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> > bounces@lists.mailscanner.info ] On Behalf Of Golden, James >> > Sent: Friday, August 04, 2006 5:10 PM >> > To: MailScanner discussion >> > Subject: Re: Retreiving attachments >> > >> > The attachments seem to be .doc or .xls or others and the client always >> > seems to be Outlook. >> > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: >> > >> > >> > Hello, >> > >> > I've have been wasting my whole day trying to figure out how to do >> > this. Can anyone could help besides telling me to install Mailwatch >> > (because it's not an option right now). >> > >> > I have messages that are being snagged by MailScanner because the >> > attachment is too large. When I go to the directory the attachment is in >> > binary in the message. >> > >> > I tried using a sendmail -t < message, but of course it gets snagged >> > again by MS. Is there an option I'm missing to store the attachments >> > separately from the message, is there a way to send this on without it >> > being scanned? Is there a way to get the attachment out of the message? >> > >> > I need help soon as this is becoming a large issue today (about 6 >> > end users) and my boss is hearing about it! >> > >> > Thanks, >> > >> > James >> >> You need to create a rule sets that exempt the localhost from attachment >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE >> system, the following paths will be correct. They will vary on other systems >> but the same principals will work. >> >> First create two files: >> >> /etc/MailScanner/filename.rules.allowall.conf >> /etc/MailScanner/filetype.rules.allowall.conf >> >> The contents of each file will be identical: >> >> allow *. 
- - >> >> The spaces MUST be Tabs so the contents of both files is really: >> >> allow*.->Tab>- >> >> Then create the file /etc/MailScanner/rules/filename.rules. The contents of >> this file should be: >> >> # Allow all filenames from localhost >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf >> # Default entry >> FromOrTo: default /etc/MailScanner/filename.rules.conf >> >> Then create the file /etc/MailScanner/rules/filetype.rules. The contents of >> this file should be: >> >> # Allow all filetypes from localhost >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf >> # Default entry >> FromOrTo: default /etc/MailScanner/filetype.rules.conf >> >> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting >> for Filename Rules to be: >> >> Filename Rules = %rules-dir%/filename.rules >> >> And change the setting for Filetype Rules to be: >> >> Filetype Rules = %rules-dir%/filetype.rules >> >> Then reload MailScanner. >> >> You should now be able to release the files using the `sendmail -t < >> message` command without MailScanner re-quarantining the files. >> >> Have a nice weekend. >> >> Steve >> Stephen Swaney >> Fort Systems Ltd. >> stephen.swaney@fsl.com >> www.fsl.com >> >> >> From dnsadmin at 1bigthink.com Tue Aug 8 15:43:59 2006 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Aug 8 15:44:13 2006 Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam' Message-ID: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com> Hello All, T-Mobile's mailservers (tmodns.net) got black listed on numerous BLs. I have a handful of IMPORTANT mail users on my server sending mail with T-Mobile's servers right now. I have: Spam Lists To Be Spam = 3 in MailScanner.conf and T-Mobile's mail server makes four of my lists. They are good, long-used and trusted BLs. 
Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org spamhaus-XBL SORBS-SPAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB SORBS-BLOCK NJABL I don't want to open the rest of my users to the amount of spam these BLs help protect from. I would like these T-Mobile users to be able to send without getting tagged as spam, however. How can I set up a ruleset like this for individual users or individual domains? #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count Thanks, Glenn From steve.swaney at fsl.com Tue Aug 8 14:52:34 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 8 15:50:49 2006 Subject: Retreiving attachments In-Reply-To: <44D89309.5030308@dido.ca> Message-ID: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: Tuesday, August 08, 2006 9:35 AM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > On another note, has anyone come up with a way to retrieve quarantined > attachments without the intervention of the sys admin? Meaning the end > user can get them themselves? > > I thought i heard a while back of some app to do this? > > Have a good one! > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Golden, James wrote: > > Thanks for the answer. Sorry for the long delay in the thanks > > departments. > > > > One more question here, > > > > Can I put more than one rules file in the Mailscanner.conf. Currently > > I am pointing to a ruleset already. > > > > Currently mine looks like this > > > > Filename Rules = %etc-dir%/filename.rules.conf > > > > so would it look like this? > > > > Filename Rules = %rules-dir%/filename.rules %etc- > dir%/filename.rules.conf > > > > Or would I need to combine the .rules file into the .conf file > > > > Thanks for the help.
> > > > James > > > > > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > >> > -----Original Message----- > >> > From: mailscanner-bounces@lists.mailscanner.info bounces@lists.mailscanner.info> [mailto:mailscanner- > >> > bounces@lists.mailscanner.info > ] On Behalf Of Golden, James > >> > Sent: Friday, August 04, 2006 5:10 PM > >> > To: MailScanner discussion > >> > Subject: Re: Retreiving attachments > >> > > >> > The attachments seem to be .doc or .xls or others and the client > always > >> > seems to be Outlook. > >> > > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > >> > > >> > > >> > Hello, > >> > > >> > I've have been wasting my whole day trying to figure out how to do > >> > this. Can anyone could help besides telling me to install Mailwatch > >> > (because it's not an option right now). > >> > > >> > I have messages that are being snagged by MailScanner because the > >> > attachment is too large. When I go to the directory the attachment > is in > >> > binary in the message. > >> > > >> > I tried using a sendmail -t < message, but of course it gets snagged > >> > again by MS. Is there an option I'm missing to store the attachments > >> > separately from the message, is there a way to send this on without > it > >> > being scanned? Is there a way to get the attachment out of the > message? > >> > > >> > I need help soon as this is becoming a large issue today (about 6 > >> > end users) and my boss is hearing about it! > >> > > >> > Thanks, > >> > > >> > James > >> > >> You need to create a rule sets that exempt the localhost from > attachment > >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE > >> system, the following paths will be correct. They will vary on other > systems > >> but the same principals will work. 
> >> > >> First create two files: > >> > >> /etc/MailScanner/filename.rules.allowall.conf > >> /etc/MailScanner/filetype.rules.allowall.conf > >> > >> The contents of each file will be identical: > >> > >> allow *. - - > >> > >> The spaces MUST be Tabs so the contents of both files is really: > >> > >> allow*.->Tab>- > >> > >> Then create the file /etc/MailScanner/rules/filename.rules. The > contents of > >> this file should be: > >> > >> # Allow all filenames from localhost > >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filename.rules.conf > >> > >> Then create the file /etc/MailScanner/rules/filetype.rules. The > contents of > >> this file should be: > >> > >> # Allow all filetypes from localhost > >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filetype.rules.conf > >> > >> Then edit /etc/MailScanner.conf to call the new rulesets. Change the > setting > >> for Filename Rules to be: > >> > >> Filename Rules = %rules-dir%/filename.rules > >> > >> And change the setting for Filetype Rules to be: > >> > >> Filetype Rules = %rules-dir%/filetype.rules > >> > >> Then reload MailScanner. > >> > >> You should now be able to release the files using the `sendmail -t < > >> message` command without MailScanner re-quarantining the files. > >> > >> Have a nice weekend. > >> > >> Steve > >> Stephen Swaney > >> Fort Systems Ltd. > >> stephen.swaney@fsl.com > >> www.fsl.com Open Source: MailWatch for MailScanner mailwatch.sourceforge.net Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com Please contact me off list for more information about either. Thanks, Steve Stephen Swaney Fort Systems Ltd. 
stephen.swaney@fsl.com www.fsl.com From MailScanner at ecs.soton.ac.uk Tue Aug 8 16:20:29 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 16:20:52 2006 Subject: update problems In-Reply-To: <44D88AA9.6010601@aquadev.org> References: <44D88AA9.6010601@aquadev.org> Message-ID: <0D26DBD8-B5DF-4DFD-9606-C91F74604FEF@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This seems impossible to solve. I get complaints with Sys::Syslog-0.17 where it won't even install on some systems. Hangs during "make test". And Sys::Syslog-0.16 doesn't log at all on some systems. What am I supposed to do? :-( Version 0.17 without the "make test" might be the best thing. Answers soon would be helpful. On 8 Aug 2006, at 13:59, Augustin Siaens wrote: > Hello, > > just because I spent the whole morning fixing this, I thought that > It may interest some users. > > server: Fedora5 > operation: update from 4.54.5-1 to 4.55.10-2 > > problem after upgrade. MailScanner won't work because of > Spamassassin problem. Apparently something related to Syslog. After > 2 hours, it appeared that the Perl module Sys::Syslog had to be > upgraded. I used CPAN and now no problem. Too bad I lost the > morning looking for the solution! > > cheers > > -- > Augustin Siaens > AQUADEV > Rue des Carm?lites 151 Karmelietenstraat > 1180 Bruxelles - Brussel > Tel: +32 2 347 70 00 > Fax: +32 2 347 00 36 > > > -- > Ce message a ?t? v?rifi? par MailScanner > pour des virus ou des polluriels et rien de > suspect n'a ?t? trouv?. > For all your IT requirements visit: http://www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
- -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE2Ku/EfZZRxQVtlQRAl0pAKCtyrxGXIBIQ37zaL5CpQ9jR02MYgCgoPz2 09xL6/Ii5ltI9S685AAi8Pc= =NZDN -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Tue Aug 8 17:09:41 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 17:10:01 2006 Subject: Bug In-Reply-To: <20060808104059.M40451@yatta-it.com> References: <20060808104059.M40451@yatta-it.com> Message-ID: <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Unfortunately 0.17 isn't great either. On some systems, it hangs during the "make test" stage of building and installing it. What I have done is produce a new 4.55.10-3 release of MailScanner that uses Sys-Syslog-0.17 but skips the "make test" so that it will always install successfully. I have never seen that version actually fail a test (other than the one that hangs) so it should all be okay. The code which is being tested by the test that hangs is never used in real life anyway. On 8 Aug 2006, at 11:43, Filippo Dini wrote: > Hi all. > > You have downgraded sys-syslog package (from 0.17 to 0.16) in your > MailScanner_4.55.10- > 2 but MailScanned don't log anything now. > > I have removed the sys-syslog 0.16 rpm and installed the 0.17 one > to get all works > again. > > I have fedora core 4 installed. > > Best wishes > > Phil > - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: US-ASCII wj8DBQFE2LdGEfZZRxQVtlQRAhF+AKCsjARfjCenIfJcmdlxgI7T4AzPxQCgzQIW B01xScMUtZ4e9xt5AWqXvec= =axFx -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
MailScanner thanks transtec Computers for their support. From Jan-Peter.Koopmann at seceidos.de Tue Aug 8 18:05:15 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Tue Aug 8 18:05:35 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <44D85016.4050303@utwente.nl> Message-ID: On Tuesday, August 08, 2006 10:49 AM Peter Peters wrote: > Exchange 2003 has a spam-filter build in. It moves messages it thinks > is spam to the Junk folder. And how can you tune the rules? Or even take a look at it? Or train the spam filter (if there was such a training facility)? If you have to use it because MailScanner/SpamAssassin is not possible: Well it sure is better than nothing. I would advise against using both together though. Rather concentrate on getting one filter to do everything you want. Makes debugging a "bit" easier. > This is a site wide configuration. So at > least some of the spam will not trigger OOO's. I thought the original question was related to MailScanner and not how to find spam in Exchange? :-) Regards, JP From sandrews at andrewscompanies.com Tue Aug 8 18:09:09 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:09:14 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Does anyone have an opinion on installing hylafax on a lightly loaded mailscanner pc? Normally, I'd toss another machine in for such a different application, but this customer is experiencing server "sprawl". Any thoughts? Thanks, Steve From mikes at hartwellcorp.com Tue Aug 8 18:13:11 2006 From: mikes at hartwellcorp.com (Michael St.
Laurent) Date: Tue Aug 8 18:13:40 2006 Subject: Hylafax on a MailScanner pc Message-ID: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> How busy do you expect the fax server to be? -- Michael St. Laurent Hartwell Corporation > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 10:09 AM > To: mailscanner@lists.mailscanner.info > Subject: Hylafax on a MailScanner pc > > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? > > Thanks, > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ka at pacific.net Tue Aug 8 18:22:09 2006 From: ka at pacific.net (Ken A) Date: Tue Aug 8 18:21:15 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Message-ID: <44D8C841.3030308@pacific.net> sandrews@andrewscompanies.com wrote: > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? So, you want MailScanner to fax high scoring spam? :-) Hylafax is pretty stable stuff. There shouldn't be any problems as long as you set your iptables rules to protect Hylafax's ports from the Internet. Ken A. 
Pacific.Net > Thanks, > > Steve From sandrews at andrewscompanies.com Tue Aug 8 18:23:30 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:23:33 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB2@winchester.andrewscompanies.com> Not seriously, but it's a small mortgage company so each fax could be 30+ pages. I'd expect 2 or 3 of those a day. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael St. Laurent Sent: Tuesday, August 08, 2006 1:13 PM To: 'MailScanner discussion' Subject: RE: Hylafax on a MailScanner pc How busy do you expect the fax server to be? -- Michael St. Laurent Hartwell Corporation > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 10:09 AM > To: mailscanner@lists.mailscanner.info > Subject: Hylafax on a MailScanner pc > > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? > > Thanks, > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From lshaw at emitinc.com Tue Aug 8 18:24:09 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Aug 8 18:24:22 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> Message-ID: On Tue, 8 Aug 2006, Michael St. Laurent wrote: > How busy do you expect the fax server to be? Unless you have dozens of modems, it's not like the load is going to be extremely significant. The load will be limited by the very slow bandwidth of the modem that faxes come in (and go out) over. I forget whether faxes can go faster than 14.4 kb/s, but even if they could go the full theoretical 56 kb/s that a phone line can (under limited conditions) provide, that's still not a lot of bandwidth. The only performance issue I can think of is that the load from running MailScanner could slow down the fax software on the host to the point where it isn't ready to send or receive and can't keep up with the modem. Then you could end up having a longer phone call to deliver or receive a given message, or you could even get timeouts, I suppose. But on a modern machine that isn't running low on memory, I doubt this will even be a serious problem. So, I think the only question would be more of one of how easy it is to manage with two unrelated services on the same machine. - Logan From sandrews at andrewscompanies.com Tue Aug 8 18:24:35 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:24:38 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB3@winchester.andrewscompanies.com> We don't allow the mailscanner, let alone the hylafax to touch the internet by itself. System only has port 25 forwarded to it.
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Tuesday, August 08, 2006 1:22 PM To: MailScanner discussion Subject: Re: Hylafax on a MailScanner pc sandrews@andrewscompanies.com wrote: > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? So, you want MailScanner to fax high scoring spam? :-) Hylafax is pretty stable stuff. There shouldn't be any problems as long as you set your iptables rules to protect Hylafax's ports from the Internet. Ken A. Pacific.Net > Thanks, > > Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mike at vesol.com Tue Aug 8 18:29:43 2006 From: mike at vesol.com (Mike Kercher) Date: Tue Aug 8 18:29:53 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB2@winchester.andrewscompanies.com> Message-ID: I usually install an HP Digital Sender at mortgage companies. Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 12:24 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Hylafax on a MailScanner pc > > Not seriously, but it's a small mortgage company so each fax could be > 30+ pages. I'd expect 2 or 3 of those a day. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Michael St. 
Laurent > Sent: Tuesday, August 08, 2006 1:13 PM > To: 'MailScanner discussion' > Subject: RE: Hylafax on a MailScanner pc > > How busy do you expect the fax server to be? > > -- > Michael St. Laurent > Hartwell Corporation > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > sandrews@andrewscompanies.com > > Sent: Tuesday, August 08, 2006 10:09 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Hylafax on a MailScanner pc > > > > Does anyone have an opinion on installing hylafax on a > lightly loaded > > mailscanner pc? Normally, I'd toss another machine in for such a > > different application, but this customer is experiencing server > > "sprawl". > > > > Any thoughts? > > > > Thanks, > > > > Steve > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From Jamesp at MusicReports.com Tue Aug 8 18:32:59 2006 From: Jamesp at MusicReports.com (James D. 
Parra) Date: Tue Aug 8 18:33:04 2006 Subject: quarantine password-protected files Message-ID: <531F1E080638384C9623B00D71AA546D09F1F8@exchange.musicreports.com> Hello, I want to quarantine password-protected file attachments, actually, any file attachments that MailScanner determines as suspicious. After looking through mailscanner.conf I found; # Reports and Responses # --------------------- # # Do you want to store copies of the infected attachments and messages? # This can also be the filename of a ruleset. Quarantine Infections = yes However, an attachment was deleted and not stored in /var/spool/MailScanner/quarantine/, according to the text message; This is a message from MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail message contained potentially dangerous content, which has been removed for your safety. The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers. Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the original attachment. The content filters found this: MailScanner: Message contained password-protected archive ~~~ Where in the conf can I fix this? Thank you in advance, James From sandrews at andrewscompanies.com Tue Aug 8 19:16:50 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 19:16:53 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB9@winchester.andrewscompanies.com> Yeah, they've got one of those...BUT, it doesn't like it when you mix 8.5x11 and 8.5x14 inbound faxes.
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Tuesday, August 08, 2006 1:30 PM To: MailScanner discussion Subject: RE: Hylafax on a MailScanner pc I usually install an HP Digital Sender at mortgage companies. Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 12:24 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Hylafax on a MailScanner pc > > Not seriously, but it's a small mortgage company so each fax could be > 30+ pages. I'd expect 2 or 3 of those a day. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Michael St. Laurent > Sent: Tuesday, August 08, 2006 1:13 PM > To: 'MailScanner discussion' > Subject: RE: Hylafax on a MailScanner pc > > How busy do you expect the fax server to be? > > -- > Michael St. Laurent > Hartwell Corporation > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > sandrews@andrewscompanies.com > > Sent: Tuesday, August 08, 2006 10:09 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Hylafax on a MailScanner pc > > > > Does anyone have an opinion on installing hylafax on a > lightly loaded > > mailscanner pc? Normally, I'd toss another machine in for such a > > different application, but this customer is experiencing server > > "sprawl". > > > > Any thoughts? 
> > > > Thanks, > > > > Steve From alex at nkpanama.com Tue Aug 8 19:33:48 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 8 19:34:02 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <44D8C841.3030308@pacific.net> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net> Message-ID: <44D8D90C.3050709@nkpanama.com> Ken A wrote: > > So, you want MailScanner to fax high scoring spam? :-) > Hylafax is pretty stable stuff. There shouldn't be any problems as > long as you set your iptables rules to protect Hylafax's ports from > the Internet. I have several hylafax+mailscanner setups. As long as you set up your rulesets correctly so you don't flag faxes as spam (they're usually a single image + a few lines of text), you should be OK. As to the hylafax ports being accessible, I go with Mr. Miyagi in Karate Kid II: "Remember, best block, no be there."
- I usually only open the ports on localhost and on internal nets. From roman at rotmax.com Tue Aug 8 23:05:01 2006 From: roman at rotmax.com (Roman) Date: Tue Aug 8 22:04:51 2006 Subject: sendmail/MS multiple outbound queues ? Message-ID: <03e201c6bb36$b9e182f0$0500000a@blessin> Hi, I am trying to set up MailScanner to work with multiple sendmail queues (low/high volume) with a similar setup: FEATURE(`queuegroup')dnl QUEUE_GROUP(`slowmail', `Path=/var/spool/mqueue/slqueue, I=10m, J=100, N=10, R=2, F=f' )dnl but when I am starting MailScanner it fails to start with the message: NOQUEUE: SYSERR(root): QueuePath /var/spool/mqueue.in/slqueue not a subpath of QueueDirectory /var/spool/mqueue/: MailScanner starts a queuing queue in /var/spool/mqueue.in and an outgoing queue in /var/spool/mqueue, and of course the slowmail queue is not a subpath of one of those. I wanted to know how you set up your MailScanner and sendmail to work with multiple queues? Thank you in advance, Roman From glauciusjunior at gmail.com Tue Aug 8 22:11:44 2006 From: glauciusjunior at gmail.com (glaucius junior) Date: Tue Aug 8 22:11:49 2006 Subject: mailscanner + mailwatch + postfix 2.3.2 Message-ID: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> Hi guys, does anyone use postfix 2.3.2 and mailwatch? Because after upgrading my postfix from 2.2.8 to 2.3.2, my mailwatch stopped giving me this information: Today's Totals Processed: 0 b Clean: 0 % Viruses: 0 % Top Virus: None Blocked files: 0 % Others: 0 % Spam: 0 % High Scoring Spam: 0 % MCP: 0 % High Scoring MCP: 0 % Can anyone help me? Best regards! From brose at med.wayne.edu Wed Aug 9 00:18:16 2006 From: brose at med.wayne.edu (Rose, Bobby) Date: Wed Aug 9 00:18:23 2006 Subject: MailScanner Revision to 4.55 and tnef bug?
In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> Has anyone else had problems with particular messages that seem to get processed over and over by MailScanner? I noticed some oddities in my stats and found the process loops in the logs. I switched to debug and when it hits one of the messages it quits with the error read-open /var/spool/MailScanner/incoming/11016/k77EH304024456/ATT00004: No such file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm line 435. I thought it might be a tnef issue since the messages I was seeing had winmail.dats. I switched from the tnef command to internal and MailScanner processed the messages without a problem. I've been using the tnef command for years without a problem. I updated from 4.54 last week. -=Bobby From jaearick at colby.edu Wed Aug 9 02:35:58 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 02:42:13 2006 Subject: MailScanner Revision to 4.55 and tnef bug? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> References: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> Message-ID: Bobby, If you have the complete qf/df files for the offending message and can supply them to Julian, that might help him experiment/solve this. FWIW, I gave up on the external tnef a few months ago when 1.4 came out; it would not compile under Solaris 9/10. Checking Sourceforge however, I see that tnef-1.4.2 is available and claims to have fixed my compile problem. Maybe install tnef-1.4.2 and see if your problem messages still cause MailScanner to loop up??? Jeff Earickson Colby College On Tue, 8 Aug 2006, Rose, Bobby wrote: > Date: Tue, 8 Aug 2006 19:18:16 -0400 > From: "Rose, Bobby" > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: MailScanner Revision to 4.55 and tnef bug?
> > > Has anyone else had problems with particular messages that seem to get > processed over and over by MailScanner? I noticed some oddities in my > stats and found the process loops in the logs. I switched to debug and > when it hits one of the messages it quits with the error read-open > /var/spool/MailScanner/incoming/11016/k77EH304024456/ATT00004: No such > file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm line > 435. > > I thought it might be a tnef issue since the messages I was seeing had > winmail.dats. I switched from the tnef command to internal and > MailScanner processed the messages without a problem. I've been using > the tnef command for years without a problem. I updated from 4.54 last > week. > > -=Bobby From ajos1 at onion.demon.co.uk Wed Aug 9 03:16:59 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Wed Aug 9 03:17:20 2006 Subject: gOCR SpamAssassin plugin Message-ID: - >> >>Beware that you might have a spamassassin rpm installed as well >> Now that sounds very likely... I will have a check into it... Thanks a-lot-o. -----Original Message----- From: MailScanner discussion mailscanner@lists.mailscanner.info Subj: Re: gOCR SpamAssassin plugin Date: Mon, 07 Aug 2006 20:19:15 +0100 == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call...
+44 8457 90 90 90 http://www.samaritans.org/ = ===================================================================== From jgolden at ci.grand-rapids.mi.us Wed Aug 9 03:56:55 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Wed Aug 9 03:58:21 2006 Subject: [SOLVED] Retreiving attachments In-Reply-To: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> Message-ID: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> Sorry for being so stupid. After looking through it again, I see what you were doing. 4 hours sleep a night catches up with you after awhile. Thanks for all the help. We will be implementing the Barracuda's appliances here in the next 5 weeks or so, that is why I am trying to "skate" by with this setup for now. I figure what I am learning here will still help out when we move to those appliances. Although I have to say with the exception of the file attachment thing, since I upgraded and setup everything correctly (I think) everyone has been noticing the difference here! In fact the guy who handles the antivirus wasn't too happy with me, because now more viruses are being caught as spam first. Our virus numbers in email went from 200 - 300 a day to 1 - 10! Thanks all (Julian?!) for this fantastic software combination! It ROCKS! Thanks all who have helped with replies (especially Stephen), and have put up with me! James Golden ----- Original Message ----- From: mailscanner-bounces@lists.mailscanner.info on behalf of Stephen Swaney Sent: Tue, 8/8/2006 10:55am To: 'MailScanner discussion' Subject: RE: Retreiving attachments > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: Tuesday, August 08, 2006 9:35 AM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > On another note, has anyone come up with a way to retrieve quarantined > attachments without the intervention of the sys admin?
Meaning the end > user can get them themselves? > > I thought I heard a while back of some app to do this? > > Have a good one! > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Golden, James wrote: > > Thanks for the answer. Sorry for the long delay in the thanks > > departments. > > > > One more question here, > > > > Can I put more than one rules file in the Mailscanner.conf. Currently > > I am pointing to a ruleset already. > > > > Currently mine looks like this > > > > Filename Rules = %etc-dir%/filename.rules.conf > > > > so would it look like this? > > > > Filename Rules = %rules-dir%/filename.rules %etc- > dir%/filename.rules.conf > > > > Or would I need to combine the .rules file into the .conf file > > > > Thanks for the help. > > > > James > > > > > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > >> > -----Original Message----- > >> > From: mailscanner-bounces@lists.mailscanner.info bounces@lists.mailscanner.info> [mailto:mailscanner- > >> > bounces@lists.mailscanner.info > ] On Behalf Of Golden, James > >> > Sent: Friday, August 04, 2006 5:10 PM > >> > To: MailScanner discussion > >> > Subject: Re: Retreiving attachments > >> > > >> > The attachments seem to be .doc or .xls or others and the client > always > >> > seems to be Outlook. > >> > > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > >> > > >> > > >> > Hello, > >> > > >> > I've have been wasting my whole day trying to figure out how to do > >> > this. Can anyone could help besides telling me to install Mailwatch > >> > (because it's not an option right now). > >> > > >> > I have messages that are being snagged by MailScanner because the > >> > attachment is too large. When I go to the directory the attachment > is in > >> > binary in the message.
> >> > > >> > I tried using a sendmail -t < message, but of course it gets snagged > >> > again by MS. Is there an option I'm missing to store the attachments > >> > separately from the message, is there a way to send this on without > it > >> > being scanned? Is there a way to get the attachment out of the > message? > >> > > >> > I need help soon as this is becoming a large issue today (about 6 > >> > end users) and my boss is hearing about it! > >> > > >> > Thanks, > >> > > >> > James > >> > >> You need to create a rule sets that exempt the localhost from > attachment > >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE > >> system, the following paths will be correct. They will vary on other > systems > >> but the same principles will work. > >> > >> First create two files: > >> > >> /etc/MailScanner/filename.rules.allowall.conf > >> /etc/MailScanner/filetype.rules.allowall.conf > >> > >> The contents of each file will be identical: > >> > >> allow *. - - > >> > >> The spaces MUST be Tabs so the contents of both files is really: > >> > >> allow<Tab>*.<Tab>-<Tab>- > >> > >> Then create the file /etc/MailScanner/rules/filename.rules. The > contents of > >> this file should be: > >> > >> # Allow all filenames from localhost > >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filename.rules.conf > >> > >> Then create the file /etc/MailScanner/rules/filetype.rules. The > contents of > >> this file should be: > >> > >> # Allow all filetypes from localhost > >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filetype.rules.conf > >> > >> Then edit /etc/MailScanner.conf to call the new rulesets.
Change the > setting > >> for Filename Rules to be: > >> > >> Filename Rules = %rules-dir%/filename.rules > >> > >> And change the setting for Filetype Rules to be: > >> > >> Filetype Rules = %rules-dir%/filetype.rules > >> > >> Then reload MailScanner. > >> > >> You should now be able to release the files using the `sendmail -t < > >> message` command without MailScanner re-quarantining the files. > >> > >> Have a nice weekend. > >> > >> Steve > >> Stephen Swaney > >> Fort Systems Ltd. > >> stephen.swaney@fsl.com > >> www.fsl.com Open Source: MailWatch for MailScanner mailwatch.sourceforge.net Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com Please contact me off list for more information about either. Thanks, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From brent.addis at pronet.co.nz Wed Aug 9 04:51:49 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Wed Aug 9 04:52:36 2006 Subject: missing queue files? In-Reply-To: References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> <44D84D5C.7040000@pronet.co.nz> Message-ID: <44D95BD5.3050405@pronet.co.nz> Hi, setting to posix doesn't actually seem to have fixed it :/ Have just come in and noticed about fifteen "Spool file 1GAaoQ-0007I8-UG-D not found" obviously with different filenames. David Lee wrote: > On Tue, 8 Aug 2006, Brent Addis wrote: > > >> Seems to have been fixed by changing the lock type to posix from blank. >> >> Shouldn't this be done automatically? By looking at the documentation on >> this setting, one would assume that by default it means "set automatically". >> > > In early June we had some discussion about this (Subject "lock type").
> > Indeed the documentation and behaviour contradicted each other, and > (despite the documentation) an explicit "posix" was, indeed, necessary. > > Julian: Could you confirm, please, in what releases since then this > mismatch has actually been rectified? (Getting the documentation and > behaviour to match each other is the primary point; the actual behaviour > is probably relatively secondary.) Thanks. > > > From augustin.siaens at aquadev.org Wed Aug 9 08:36:10 2006 From: augustin.siaens at aquadev.org (Augustin Siaens) Date: Wed Aug 9 08:36:17 2006 Subject: Bug In-Reply-To: <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> References: <20060808104059.M40451@yatta-it.com> <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> Message-ID: <44D9906A.8080702@aquadev.org> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Unfortunately 0.17 isn't great either. On some systems, it hangs > during the "make test" stage of building and installing it. > > What I have done is produce a new 4.55.10-3 release of MailScanner > that uses Sys-Syslog-0.17 but skips the "make test" so that it will > always install successfully. I have never seen that version actually > fail a test (other than the one that hangs) so it should all be okay. > > The code which is being tested by the test that hangs is never used > in real life anyway. > > On 8 Aug 2006, at 11:43, Filippo Dini wrote: > > >> Hi all. >> >> You have downgraded sys-syslog package (from 0.17 to 0.16) in your >> MailScanner_4.55.10- >> 2 but MailScanner doesn't log anything now. >> >> I have removed the sys-syslog 0.16 rpm and installed the 0.17 one >> to get all works >> again. >> >> I have fedora core 4 installed.
>> >> Best wishes >> >> Phil >> >> > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: US-ASCII > > wj8DBQFE2LdGEfZZRxQVtlQRAhF+AKCsjARfjCenIfJcmdlxgI7T4AzPxQCgzQIW > B01xScMUtZ4e9xt5AWqXvec= > =axFx > -----END PGP SIGNATURE----- > > What is strange, is that when I was testing MailScanner, it said that there was a problem with Spamassassin so I turned the Spamassassin option and the Spam filtering option off in MailScanner.conf but the problem persisted. Was Sys::Syslog affecting SA or MailScanner or both? -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From glenn.steen at gmail.com Wed Aug 9 08:45:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 9 08:45:41 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: References: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> Message-ID: <223f97700608090045q69a43ea0x796ad5351ac59356@mail.gmail.com> On 08/08/06, Logan Shaw wrote: (snip) > I forget whether faxes can go faster than 14.4 kb/s, but (snip) 14.4 it is. Even if it could go faster, in theory, I don't think either the ITU standards, nor the existing machines/modems allow more. Talk about dead technology still twitching along:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Aug 9 09:11:43 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 9 09:12:06 2006 Subject: [SOLVED] Retreiving attachments In-Reply-To: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> Message-ID: <96B97733-3A62-4EA1-B891-89CC62240015@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you like MailScanner that much, why are you going to deploy those Barracudas?
A commercial setup of MailScanner (such as DefenderMX from www.fsl.com) will outperform Barracudas and is considerably cheaper. There is a detailed feature and price comparison on www.fsl.com. On 9 Aug 2006, at 03:56, Golden, James wrote: > Sorry for being so stupid. After looking through it again, I see > what you were doing. 4 hours sleep a night catches up with you > after awhile. > > Thanks for all the help. > > We will be implementing the Barracuda's appliances here in the next > 5 weeks or so, that is why I am trying to "skate" by with this > setup for now. I figure what I am learning here will still help > out when we move to those appliances. > > Although I have to say with the exception of the file attachment > thing, since I upgraded and setup everything correctly (I think) > everyone has been noticing the difference here! In fact the guy > who handles the antivirus wasn't too happy with me, because now > more viruses are being caught as spam first. Our virus numbers in > email went from 200 - 300 a day to 1 - 10! > > Thanks all (Julian?!) for this fantastic software combination!. It > ROCKS! > > Thanks all who have helped with replies (especially Stephen), and > have put up with me! > > James Golden > > > > ----- Original Message ----- > From: mailscanner-bounces@lists.mailscanner.info on behalf of > Stephen Swaney > Sent: Tue, 8/8/2006 10:55am > To: 'MailScanner discussion' > Subject: RE: Retreiving attachments > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >> Sent: Tuesday, August 08, 2006 9:35 AM >> To: MailScanner discussion >> Subject: Re: Retreiving attachments >> >> On another note, has anyone come up with a way to retrieve >> quarantined >> attachments without the intervention of the sys admin? Meaning the >> end >> user can get them themselves? >> >> I thought i heard a while back of some app to do this? >> >> Have a good one! 
>> >> Rob Morin >> Dido InterNet Inc. >> Montreal, Canada >> Http://www.dido.ca >> 514-990-4444 >> >> >> >> Golden, James wrote: >>> Thanks for the answer. Sorry for the long delay in the thanks >>> departments. >>> >>> One more question here, >>> >>> Can I put more than one rules file in the Mailscanner.conf. >>> Currently >>> I am pointing to a ruleset already. >>> >>> Currently mine looks like this >>> >>> Filename Rules = %etc-dir%/filename.rules.conf >>> >>> so would it look like this? >>> >>> Filename Rules = %rules-dir%/filename.rules %etc- >> dir%/filename.rules.conf >>> >>> Or would I need to combine the .rules file into the .conf file >>> >>> Thanks for the help. >>> >>> James >>> >>> >>> >>> On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: >>>>> -----Original Message----- >>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>> > bounces@lists.mailscanner.info> [mailto:mailscanner- >>>>> bounces@lists.mailscanner.info >> ] On Behalf Of Golden, James >>>>> Sent: Friday, August 04, 2006 5:10 PM >>>>> To: MailScanner discussion >>>>> Subject: Re: Retreiving attachments >>>>> >>>>> The attachments seem to be .doc or .xls or others and the client >> always >>>>> seems to be Outlook. >>>>> >>>>> On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: >>>>> >>>>> >>>>> Hello, >>>>> >>>>> I've have been wasting my whole day trying to figure out >>>>> how to do >>>>> this. Can anyone could help besides telling me to install >>>>> Mailwatch >>>>> (because it's not an option right now). >>>>> >>>>> I have messages that are being snagged by MailScanner >>>>> because the >>>>> attachment is too large. When I go to the directory the >>>>> attachment >> is in >>>>> binary in the message. >>>>> >>>>> I tried using a sendmail -t < message, but of course it >>>>> gets snagged >>>>> again by MS. Is there an option I'm missing to store the >>>>> attachments >>>>> separately from the message, is there a way to send this on >>>>> without >> it >>>>> being scanned? 
Is there a way to get the attachment out of the >> message? >>>>> >>>>> I need help soon as this is becoming a large issue today >>>>> (about 6 >>>>> end users) and my boss is hearing about it! >>>>> >>>>> Thanks, >>>>> >>>>> James >>>> >>>> You need to create a rule sets that exempt the localhost from >> attachment >>>> filename and filetype checking. If you have a Red Hat, CentOS or >>>> SuSE >>>> system, the following paths will be correct. They will vary on >>>> other >> systems >>>> but the same principles will work. >>>> >>>> First create two files: >>>> >>>> /etc/MailScanner/filename.rules.allowall.conf >>>> /etc/MailScanner/filetype.rules.allowall.conf >>>> >>>> The contents of each file will be identical: >>>> >>>> allow *. - - >>>> >>>> The spaces MUST be Tabs so the contents of both files is really: >>>> >>>> allow<Tab>*.<Tab>-<Tab>- >>>> >>>> Then create the file /etc/MailScanner/rules/filename.rules. The >> contents of >>>> this file should be: >>>> >>>> # Allow all filenames from localhost >>>> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf >>>> # Default entry >>>> FromOrTo: default /etc/MailScanner/ >>>> filename.rules.conf >>>> >>>> Then create the file /etc/MailScanner/rules/filetype.rules. The >> contents of >>>> this file should be: >>>> >>>> # Allow all filetypes from localhost >>>> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf >>>> # Default entry >>>> FromOrTo: default /etc/MailScanner/ >>>> filetype.rules.conf >>>> >>>> Then edit /etc/MailScanner.conf to call the new rulesets. Change >>>> the >> setting >>>> for Filename Rules to be: >>>> >>>> Filename Rules = %rules-dir%/filename.rules >>>> >>>> And change the setting for Filetype Rules to be: >>>> >>>> Filetype Rules = %rules-dir%/filetype.rules >>>> >>>> Then reload MailScanner. >>>> >>>> You should now be able to release the files using the `sendmail - >>>> t < >>>> message` command without MailScanner re-quarantining the files. >>>> >>>> Have a nice weekend.
>>>> >>>> Steve >>>> Stephen Swaney >>>> Fort Systems Ltd. >>>> stephen.swaney@fsl.com >>>> www.fsl.com > > Open Source: MailWatch for MailScanner mailwatch.sourceforge.net > Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com > > Please contact me off list for more information about either. > > Thanks, > > Steve > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: US-ASCII wj8DBQFE2ZjAEfZZRxQVtlQRAtbQAKDSbEKggJwSMy75sFjxi8pPr2PYGgCaA0pu A+YoIVWhhVgszzkXQPHrq+A= =7c6C -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From glenn.steen at gmail.com Wed Aug 9 09:25:38 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 9 09:25:41 2006 Subject: mailscanner + mailwatch + postfix 2.3.2 In-Reply-To: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> References: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> Message-ID: <223f97700608090125q7ee49c65y3d8afb9f96920ab7@mail.gmail.com> On 08/08/06, glaucius junior wrote: > Hi guys > > does anyone use postfix 2.3.2 and mailwatch ??
> > > because, after upgrading my postfix from 2.2.8 to 2.3.2, my mailwatch > stopped giving me this information > > Today's Totals Processed: 0 b > Clean: 0 % > Viruses: 0 % > Top Virus: None > Blocked files: 0 % > Others: 0 % > Spam: 0 % > High Scoring Spam: 0 % > MCP: 0 % > High Scoring MCP: 0 % > > > can anyone help me ? > That just shows some totals as found in the database. Seems like you've got something up with the logging... Or perhaps with mail delivery... Is mail flowing through? Anything getting logged to the db (send something through and look at the recent messages page)? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From doron at crc.co.za Wed Aug 9 09:48:53 2006 From: doron at crc.co.za (Doron Shmaryahu) Date: Wed Aug 9 09:49:18 2006 Subject: Max message size Message-ID: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> Hi, I am using the max message size for individual users and it works great. I just want to know how I sort of whitelist all local users sending mail to each other from being limited. This is the sort of config I am looking for: user@localdomain to user2@localdomain no message size limit Then apply all the other limits ie external mail limited to 500k. Thanks in advance Doron From prandal at herefordshire.gov.uk Wed Aug 9 09:49:59 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Aug 9 09:56:25 2006 Subject: ClamAV 0.88.4 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk> Nudges Jules... Any schedule for an updated install-Clam-SA.tar.gz?
Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From MailScanner at ecs.soton.ac.uk Wed Aug 9 10:48:45 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 9 10:49:09 2006 Subject: ClamAV 0.88.4 In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk> Message-ID: <44D9AF7D.20307@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What's out of date in it? Randal, Phil wrote: > Nudges Jules... > > Any schedule for an updated install-Clam-SA.tar.gz? > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at fsl.com Wed Aug 9 11:19:37 2006 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Aug 9 11:19:46 2006 Subject: Max message size In-Reply-To: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> References: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> Message-ID: <44D9B6B9.3040600@fsl.com> Doron Shmaryahu wrote: > Hi, > > > I am using the max message size for individual users and it works great. > I just want to know how I sort of whitelist all local users sending mail > to each other from being limited. This is the sort of config I am looking > for: > > user@localdomain to user2@localdomain no message size limit > > Then apply all the other limits ie external mail limited to 500k.
> > How about:

    FromAndTo: *@localdomain.com 0

Cheers, Steve. From prandal at herefordshire.gov.uk Wed Aug 9 11:26:37 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Aug 9 11:29:28 2006 Subject: ClamAV 0.88.4 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>

http://www.clamav.net/security/0.88.4.html

* CVE: CVE-2006-4018
* Status: Critical
* Vulnerable: ClamAV 0.81 - 0.88.3

A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used by the UPX unpacker.

Relevant code from libclamav/upx.c:

    memcpy(dst, newbuf, foffset);
    *dsize = foffset;
    free(newbuf);

    cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
    return 1;

Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block.

The problem has been fixed in 0.88.4.

-- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 09 August 2006 10:49 > To: MailScanner discussion > Subject: Re: ClamAV 0.88.4 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > What's out of date in it? > > Randal, Phil wrote: > > Nudges Jules... > > > > Any schedule for an updated install-Clam-SA.tar.gz?
> > > > Cheers, > > > > Phil > > > > -- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From maillists at conactive.com Wed Aug 9 11:31:18 2006 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 9 11:31:35 2006 Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz In-Reply-To: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> Message-ID: Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400: > We temporarily made the source available from the following URLs: > > http://mirror.clamav.net/clamav-0.88.4.tar.gz Same problems downloading from there. Had anyone success? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From jaearick at colby.edu Wed Aug 9 11:52:19 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 11:56:42 2006 Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz In-Reply-To: References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> Message-ID: Yes, I got it from Sourceforge yesterday and installed it.
Jeff Earickson Colby College On Wed, 9 Aug 2006, Kai Schaetzl wrote: > Date: Wed, 09 Aug 2006 12:31:18 +0200 > From: Kai Schaetzl > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz > > Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400: > >> We temporarily made the source available from the following URLs: >> >> http://mirror.clamav.net/clamav-0.88.4.tar.gz > > Same problems downloading from there. Had anyone success? > > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com From support-lists at petdoctors.co.uk Wed Aug 9 12:18:03 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Aug 9 12:16:36 2006 Subject: Weird 'spam' Message-ID: <013901c6bba5$7c90a510$1465a8c0@support01> We get about 10 of these a day with random names, subjects (like: airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form on our Web site. They are not particularly troublesome but as they don't advertise anything I am wondering what the agenda is - anyone? ++++ This is an enquiry e-mail via [web site] from: Svetlana Thanks so very much for taking your time to create this very useful and informative site. I have learned a lot from your site. Thanks!! ++++ This is an enquiry e-mail via [web site] from: Meteor Nice site its very interesting site! your site is fantastic. ++++ This is an enquiry e-mail via [web site] from: Bill Looking for information and found it at this great site...
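The ClamAV advisory that Phil Randal quoted earlier in this archive (CVE-2006-4018) describes a memcpy() whose length was not validated against the destination block. The C below is an added example, not ClamAV's code and not its 0.88.4 patch: it puts that unchecked copy beside a checked one, and also checks the arithmetic that produces the length. All function names, the alignment value and the sample sizes are hypothetical, and it assumes *dsize holds the capacity of dst on entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_ALIGN 0x200u   /* assumed file alignment for this model */

/* Round v up to FILE_ALIGN; -1 if the rounding would wrap 32 bits. */
int align_up(uint32_t v, uint32_t *out)
{
    if (v > UINT32_MAX - (FILE_ALIGN - 1))
        return -1;
    *out = (v + (FILE_ALIGN - 1)) & ~(FILE_ALIGN - 1);
    return 0;
}

/*
 * Size of the rebuilt image: aligned headers plus every aligned section.
 * Every input comes from the scanned file, so each addition is checked.
 */
int rebuilt_size(uint32_t hdr_len, const uint32_t *sect_len, size_t nsect,
                 uint32_t *foffset)
{
    uint32_t total, part;
    size_t i;

    if (align_up(hdr_len, &total) != 0)
        return -1;
    for (i = 0; i < nsect; i++) {
        if (align_up(sect_len[i], &part) != 0 || part > UINT32_MAX - total)
            return -1;
        total += part;
    }
    *foffset = total;
    return 0;
}

/* The pattern quoted in the advisory: foffset is trusted as the length. */
int copy_rebuilt_unchecked(char *dst, uint32_t *dsize,
                           const char *newbuf, uint32_t foffset)
{
    memcpy(dst, newbuf, foffset);   /* writes past dst if foffset > capacity */
    *dsize = foffset;
    return 1;
}

/* The same copy, refused unless it fits both buffers. */
int copy_rebuilt_checked(char *dst, uint32_t *dsize,
                         const char *newbuf, uint32_t newbuf_len,
                         uint32_t foffset)
{
    if (dst == NULL || dsize == NULL || newbuf == NULL)
        return -1;
    if (foffset > *dsize)       /* would overflow the destination block */
        return -1;
    if (foffset > newbuf_len)   /* would read past the rebuilt image */
        return -1;
    memcpy(dst, newbuf, foffset);
    *dsize = foffset;
    return 1;
}

int main(void)
{
    /* Constructed sample sizes, not taken from any real file. */
    const uint32_t sects[2] = { 0x300, 0x101 };
    static char image[0x800], small[0x400], big[0x1000];
    uint32_t foffset, cap;
    int r;

    if (rebuilt_size(0x180, sects, 2, &foffset) != 0)
        return 1;
    memset(image, 'A', sizeof image);

    cap = sizeof small;
    r = copy_rebuilt_checked(small, &cap, image, sizeof image, foffset);
    printf("copy into 0x400-byte buffer: %d\n", r);

    cap = sizeof big;
    r = copy_rebuilt_checked(big, &cap, image, sizeof image, foffset);
    printf("copy into 0x1000-byte buffer: %d\n", r);
    return 0;
}
```
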
From michele at blacknight.ie Wed Aug 9 12:32:58 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions) Date: Wed Aug 9 12:33:00 2006 Subject: Weird 'spam' In-Reply-To: <013901c6bba5$7c90a510$1465a8c0@support01> Message-ID: <011b01c6bba7$90e4bcc0$88c5c657@arthur> Nigel Kendrick wrote: > We get about 10 of these a day with random names, subjects (like: > airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form > on our Web site. They are not particularly troublesome but as they > don't advertise anything I am wondering what the agenda is - anyone? > > > ++++ > > This is an enquiry e-mail via [web site] from: > Svetlana > > Thanks so very much for taking your time to create this very useful > and informative site. I have learned a lot from your site. Thanks!! > > ++++ > > This is an enquiry e-mail via [web site] from: > Meteor > > Nice site its very interesting site! your site is fantastic. > > ++++ > > This is an enquiry e-mail via [web site] from: > Bill > > Looking for information and found it at this great site... It depends on your webform. The ones we get include a link to a splog Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From root at doctor.nl2k.ab.ca Wed Aug 9 12:42:17 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. 
The Root of the Problem) Date: Wed Aug 9 12:42:53 2006 Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz In-Reply-To: References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> Message-ID: <20060809114217.GQ19584@doctor.nl2k.ab.ca> On Wed, Aug 09, 2006 at 12:31:18PM +0200, Kai Schaetzl wrote: > Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400: > > > We temporarily made the source available from the following URLs: > > > > http://mirror.clamav.net/clamav-0.88.4.tar.gz > > Same problems downloading from there. Had anyone success? > > Kai > I have it no problems. I could make it available via ftp://ftp.nk.ca/ > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Aug 9 13:31:18 2006 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 9 13:31:36 2006 Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz In-Reply-To: References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> Message-ID: Jeff A. Earickson wrote on Wed, 9 Aug 2006 06:52:19 -0400 (EDT): > Yes, I got it from Sourceforge yesterday and installed it. Do you remember the mirror?
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Aug 9 13:31:18 2006 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 9 13:31:37 2006 Subject: Weird 'spam' In-Reply-To: <013901c6bba5$7c90a510$1465a8c0@support01> References: <013901c6bba5$7c90a510$1465a8c0@support01> Message-ID: Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100: > We get about 10 of these a day with random names, subjects (like: > airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form on our > Web site. They are not particularly troublesome but as they don't advertise > anything I am wondering what the agenda is - anyone? This is probably only the tip of the iceberg. That is what *you* get. They are trying to check out if your script can be abused. And since you are getting these so regularly it's possible that the trying phase is already over ... Check your outgoing mail queue. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From campbell at cnpapers.com Wed Aug 9 13:31:42 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Aug 9 13:32:41 2006 Subject: [SOLVED] Retreiving attachments References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> Message-ID: <004a01c6bbaf$c540ff80$0705000a@DDF5DW71> ----- Original Message ----- From: "Golden, James" To: "MailScanner discussion" Sent: Tuesday, August 08, 2006 10:56 PM Subject: RE: [SOLVED] Retreiving attachments > Although I have to say with the exception of the file attachment thing, > since I upgraded and setup everything correctly (I think) everyone has > been noticing the difference here! In fact the guy who handles the > antivirus wasn't too happy with me, because now more viruses are being > caught as spam first. Our virus numbers in email went from 200 - 300 a day > to 1 - 10!
> > > James Golden > > > James, We used to run Symantec AntiVirus on two gateways in front of our mail servers. I put MS/SA on the mail servers, and the result was so impressive, that our company finally gave up on Symantec. It was never very configuration-friendly as far as individual preferences, and because it was a Windows application ....well, you can figure out the rest. Good luck with your project Steve Campbell campbell@cnpapers.com Charleston Newspapers From jaearick at colby.edu Wed Aug 9 13:36:00 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 13:36:27 2006 Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz In-Reply-To: References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> Message-ID: In my case, probably Minnesota, since I'm in the US. On Wed, 9 Aug 2006, Kai Schaetzl wrote: > Date: Wed, 09 Aug 2006 14:31:18 +0200 > From: Kai Schaetzl > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz > > Jeff A. Earickson wrote on Wed, 9 Aug 2006 06:52:19 -0400 (EDT): > >> Yes, I got it from Sourceforge yesterday and installed it. > > Do you remember the mirror? > > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com From Jan-Peter.Koopmann at seceidos.de Wed Aug 9 14:20:31 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Wed Aug 9 14:20:48 2006 Subject: Huge Dcc logdir Message-ID: Hi, I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off?
I am using dccifd with SpamAssassin. I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-) Kind regards, JP From shuttlebox at gmail.com Wed Aug 9 14:29:53 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Aug 9 14:29:57 2006 Subject: Huge Dcc logdir In-Reply-To: References: Message-ID: <625385e30608090629ge1eb2a1u6c2af519c1e0fa67@mail.gmail.com> On 8/9/06, Koopmann, Jan-Peter wrote: > Hi, > > I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-) This is one of the reasons I stopped using dccifd, I didn't find an option to turn this off and had to use a simple cron entry to purge the log directory. It's probably something simple you and I have overlooked and someone will surely inform us of a solution. -- /peter From adrik at salesmanager.nl Wed Aug 9 14:33:49 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Wed Aug 9 14:33:52 2006 Subject: Huge Dcc logdir Message-ID: > Hi, > > I just hunted down some wasted disk space and discovered huge > amounts of msg-* files in /usr/local/dcc/log which is DCCs > logdir. Somehow dcc decided to log every message. How can I > turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of > dcc and SpamAssassin people hang around here so please excuse > this. :-) > Jan Peter, Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and DCCIFD_LOG_AT parameters. These control the 'bulkiness' after which messages get logged. You can also use the -t option of dccifd. 
Regards, Adri From dhawal at netmagicsolutions.com Wed Aug 9 14:33:54 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Aug 9 14:34:16 2006 Subject: Huge Dcc logdir In-Reply-To: References: Message-ID: <44D9E442.9090603@netmagicsolutions.com> Koopmann, Jan-Peter wrote: > Hi, > > I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-) See /var/dcc/libexec/cron-dccd - dhawal From dhawal at netmagicsolutions.com Wed Aug 9 14:38:01 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Aug 9 14:38:06 2006 Subject: Huge Dcc logdir In-Reply-To: <44D9E442.9090603@netmagicsolutions.com> References: <44D9E442.9090603@netmagicsolutions.com> Message-ID: <44D9E539.7000004@netmagicsolutions.com> Dhawal Doshy wrote: > Koopmann, Jan-Peter wrote: >> Hi, >> >> I just hunted down some wasted disk space and discovered huge amounts >> of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc >> decided to log every message. How can I turn this off? I am using >> dccifd with SpamAssassin. >> >> I know this is a bit OT. I am in a hurry, know that a lot of dcc and >> SpamAssassin people hang around here so please excuse this. :-) > > See /var/dcc/libexec/cron-dccd OR 'man 8 dbclean' > - dhawal > From bbecken at aafp.org Wed Aug 9 14:45:26 2006 From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Aug 9 14:45:44 2006 Subject: Huge Dcc logdir In-Reply-To: References: Message-ID: <44D9A0A5.D87E.0068.3@aafp.org> Look at dcc_conf # days to keep files in DCC log directories DBCLEAN_LOGDAYS=14 <--- I think this is the default. The cron-dccd and cron-dcc jobs do the cleanup process. 
>>> adrik@salesmanager.nl 8/9/2006 8:33 AM >>> > Hi, > > I just hunted down some wasted disk space and discovered huge > amounts of msg-* files in /usr/local/dcc/log which is DCCs > logdir. Somehow dcc decided to log every message. How can I > turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of > dcc and SpamAssassin people hang around here so please excuse > this. :-) > Jan Peter, Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and DCCIFD_LOG_AT parameters. These control the 'bulkiness' after which messages get logged. You can also use the -t option of dccifd. Regards, Adri -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at nkpanama.com Wed Aug 9 14:47:03 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Aug 9 14:47:21 2006 Subject: Weird 'spam' In-Reply-To: References: <013901c6bba5$7c90a510$1465a8c0@support01> Message-ID: <44D9E757.6030706@nkpanama.com> Kai Schaetzl wrote: > Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100: > This is probably only the tip of the iceberg. That is what *you* get. They are > trying to check out if your script can be abused. And since you are getting > these so regularly it's possible that the trying phase is already over ... > Check your outgoing mail queue. ... and fix your form/server/whatever before you get blacklisted! :-) From prandal at herefordshire.gov.uk Wed Aug 9 14:50:15 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Aug 9 14:58:31 2006 Subject: Huge Dcc logdir Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923860@isabella.herefordshire.gov.uk> check out /var/dcc/libexec/cron-dccd ln -s it into /etc/cron.daily and it should clean your dcc logs for you. Seems to work here. 
Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Koopmann, Jan-Peter > Sent: 09 August 2006 14:21 > To: MailScanner discussion > Subject: Huge Dcc logdir > > Hi, > > I just hunted down some wasted disk space and discovered huge > amounts of msg-* files in /usr/local/dcc/log which is DCCs > logdir. Somehow dcc decided to log every message. How can I > turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of > dcc and SpamAssassin people hang around here so please excuse > this. :-) > > > Kind regards, > JP From jaearick at colby.edu Wed Aug 9 14:50:58 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 15:00:28 2006 Subject: Huge Dcc logdir In-Reply-To: References: Message-ID: I raised this issue a while back on the dcc mailing list (check the archives). If you don't want dcc logging, your choices are: 1) Remove the log directory, and then live with the stat() complaints from dccifd at start time in the syslog directory. 2) Use the settings for the "-t" option. See the manpage: http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t The way to implement the "NEVER" feature for -t is to set: DCCM_LOG_AT=NEVER in your dcc_conf file, and then leave the log subdirectory alone. You will find occasional crud in the log directory, but nothing major will stack up.
Jeff Earickson Colby College On Wed, 9 Aug 2006, Koopmann, Jan-Peter wrote: > Date: Wed, 9 Aug 2006 15:20:31 +0200 > From: "Koopmann, Jan-Peter" > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Huge Dcc logdir > > Hi, > > I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin. > > I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-) > > > Kind regards, > JP From Jan-Peter.Koopmann at seceidos.de Wed Aug 9 15:01:35 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Wed Aug 9 15:02:05 2006 Subject: Huge Dcc logdir In-Reply-To: <44D9E442.9090603@netmagicsolutions.com> Message-ID: Thanks guys. I knew I could count on you. :-) > See /var/dcc/libexec/cron-dccd /usr/local/dcc/libexec/cron-dccd on FreeBSD. So setting DCCM_LOG_AT=50 DBCLEAN_LOGDAYS=1 and running cron-dccd daily should get rid of this? Does LOG_AT=50 and only one logday in some way influence the day to day operation or spam detection? I would not think so but you never know... :-) From dhawal at netmagicsolutions.com Wed Aug 9 15:12:36 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Aug 9 15:12:54 2006 Subject: Huge Dcc logdir In-Reply-To: References: Message-ID: <44D9ED54.6010707@netmagicsolutions.com> Jeff A. Earickson wrote: > I raised this issue a while back on the dcc mailing list (check the > archives).
If you don't want dcc logging, your choices are: > > 1) Remove the log directory, and then live with the stat() complaints > from dccifd at start time in the syslog directory. > > 2) Use the settings for the "-t" option. See the manpage: > > http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t > > The way to implement the "NEVER" feature for -t is to set: > > DCCM_LOG_AT=NEVER Err.. isn't dccm the milter interface? and ideally should affect the daemon (dccd).. - dhawal From adrik at salesmanager.nl Wed Aug 9 15:13:48 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Wed Aug 9 15:13:52 2006 Subject: Huge Dcc logdir Message-ID: > Thanks guys. I knew I could count on you. :-) > > > See /var/dcc/libexec/cron-dccd > > > /usr/local/dcc/libexec/cron-dccd on FreeBSD. > > > So setting > > DCCM_LOG_AT=50 > DBCLEAN_LOGDAYS=1 > > and running cron-dccd daily should get rid of this? Does > LOG_AT=50 and only one logday in some way influence the day > to day operation or spam detection? I would not think so but > you never know... :-) Jan Peter, If you set DCCM_LOG_AT=50, then it will log messages with more than 50 hits in the log directory. DBCLEAN_LOGDAYS=1 will clean any logs older than 1 day. This should not affect the day to day operation or spam detection of dcc. Adri. From jaearick at colby.edu Wed Aug 9 15:27:05 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 15:32:17 2006 Subject: Huge Dcc logdir In-Reply-To: <44D9ED54.6010707@netmagicsolutions.com> References: <44D9ED54.6010707@netmagicsolutions.com> Message-ID: Well, it seems to affect how dccifd gets launched too. If I do:

% ps -ef | grep dcc
dcc 755 1 0 Aug 04 ? 0:00 /opt/dcc-1.3.40/libexec/dccifd -tCMN,NEVER, -Linfo,mail.notice -Lerror,mail.not
dcc 756 755 0 Aug 04 ? 8:09 /opt/dcc-1.3.40/libexec/dccifd -tCMN,NEVER, -Linfo,mail.notice -Lerror,mail.not

Note the "-t". I don't specify the -t args anyplace explicitly. It matches the manpage info I referred to.
Vernon Schryver referred to the DCCM_LOG_AT setting of NEVER as a "primordial feature". Back when DCC first crawled out of the swamp. :) Jeff Earickson Colby College On Wed, 9 Aug 2006, Dhawal Doshy wrote: > Date: Wed, 09 Aug 2006 19:42:36 +0530 > From: Dhawal Doshy > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Huge Dcc logdir > > Jeff A. Earickson wrote: >> I raised this issue a while back on the dcc mailing list (check the >> archives). If you don't want dcc logging, your choices are: >> >> 1) Remove the log directory, and then live with the stat() complaints >> from dccifd at start time in the syslog directory. >> >> 2) Use the settings for the "-t" option. See the manpage: >> >> http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t >> >> The way to implement the "NEVER" feature for -t is to set: >> >> DCCM_LOG_AT=NEVER > > Err.. isn't dccm the milter interface? and ideally should affect the daemon > (dccd).. > > - dhawal From dave.list at pixelhammer.com Wed Aug 9 15:36:30 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 9 15:36:58 2006 Subject: Wiki Submission Message-ID: <44D9F2EE.1010809@pixelhammer.com> All, I would like feedback on posting the following to the MailScanner Wiki. While this is not considered a bug by the SpamAssassin team, I do feel it is a bit of a tripping hazard for users. I'd like to include the information for future reference. ------------------------------------------------------------- sa-update usage Note that sa-update has a configuration option to install updates in a directory of the administrator's choosing.
See http://spamassassin.apache.org/full/3.1.x/dist/doc/sa-update.html "--updatedir By default, sa-update will use the system-wide rules update directory: /home/jm/perl584/var/spamassassin/3.001005 If the updates should be stored in another location, specify it here." Note that simply using the --updatedir option is not enough without additional steps to ensure SpamAssassin is aware that rules need to be loaded from the specified location. This can cause a situation where updates are downloaded and never read by SpamAssassin. In fact installing the updates anywhere on your system other than the default location will have no effect, SpamAssassin will never read them. Using the --updatedir option will require the creation of a *cf file to tell SpamAssassin where to find the updated files. Unless, if the administrator installs updates to the site config dir (in my case /usr/local/etc/mail/spamassassin) the updates will be read, but the updates.spamassassin.org.cf will be read last, causing any changes made to the local.cf to be overridden. See http://spamassassin.apache.org/full/3.1.x/dist/doc/spamassassin.html ---------------------------------------------------------- This one caught me by surprise. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mailscanner at yeticomputers.com Wed Aug 9 16:23:11 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Wed Aug 9 16:23:21 2006 Subject: Max message size In-Reply-To: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> References: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> Message-ID: <44D9FDDF.1090500@yeticomputers.com> Doron Shmaryahu wrote: > Hi, > > > I am using the max message size for individual users and it works great.
> I just want to know how I sort of whitelist all local users sending mail > to each other from being limited. This is the sort of config I am looking > for: > > user@localdomain to user2@localdomain no message size limit > > Then apply all the other limits ie external mail limited to 500k. > > > Thanks in advance > > Doron > If you're using Postfix, you'll also need to set a higher limit in your main.cf. Keep in mind that "unlimited" (or very high) message size can cause a lot of problems if you have users with no common sense or users who don't have at least a basic understanding of how email works. If you have a large number of users, you will have at least a few of each type. I made such an allowance once for one of my domains. Issues that showed up on the first day: 1. Local users sending *huge* attachments to each other - on the order of several hundred megabytes. 2. Users sending very large attachments to people on the same domain who checked their email from home or elsewhere. The receiving user would invariably think their email client had hung, close it and try again. This would cause a number of problems, depending on what the client was. 3. Users sending mail from home or elsewhere to other users on the same domain. This was worse than the above, because the upstream bandwidth for even most broadband users is very low. It doesn't take a very large file for someone with, say, 256Kb of upstream bandwidth to make their mail client appear to have hung while sending. I had one user with about fifteen connections to the mail server waiting to time out because he'd kept killing and restarting his mail client. I ended up dropping the limit back down and setting up a personalized web repository for users who want to exchange large files. Email is not, and never has been, the way to transfer large files.
Rick From jgolden at ci.grand-rapids.mi.us Wed Aug 9 04:15:20 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Wed Aug 9 16:24:04 2006 Subject: File Attachment size setting questions Message-ID: <19135140.1155093320010.JavaMail.root@dash.grand-rapids.mi.us> I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner, SA, ClamAV), I thought it would be best to block large attachment files here instead of on the mail server (conserve internal bandwidth). In doing so there are 2 settings I can't figure out via my research. 1. How can I NOT send the recipient the message at all? I just want a message going to the sender. 2. How do I not store that message locally. Currently we store the mail (temporarily). Thanks, James Golden From steve.swaney at fsl.com Wed Aug 9 16:50:04 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 9 16:48:11 2006 Subject: File Attachment size setting questions In-Reply-To: <19135140.1155093320010.JavaMail.root@dash.grand-rapids.mi.us> Message-ID: <092a01c6bbcb$7b615790$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Golden, James > Sent: Tuesday, August 08, 2006 11:15 PM > To: MailScanner discussion > Subject: File Attachment size setting questions > > I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner, > SA, ClamAV), I thought it would be best to block large attachment files > here instead of on the mail server (conserve internal bandwidth). In > doing so there are 2 settings I can't figure out via my research. > > 1. How can I NOT send the recipient the message at all? I just want a > message going to the sender. > > 2. How do I not store that message locally.
Currently we store the mail
> (temporarily).
>
> Thanks,
>
> James Golden

If you are using sendmail or the latest Postfix that can use milters, look at:
http://www.snertsoft.com/sendmail/milter-length/

Milter-length is a free milter from Anthony Howe. It is a Sendmail utility milter that imposes message size limits by IP address, domain name, or sender address on a message body length, excluding the message headers. Sendmail's MaxMessageSize option only allows for a single global server wide message size limit, which is insufficient for some sites that would prefer finer granularity in the application of message size limits. This is particularly useful for mail hosts that manage several domains and/or a large number of users, such as an ISP.

The MTA is the right place to block oversize messages, before accepting them and then running them through MailScanner.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ugob at camo-route.com Wed Aug 9 17:25:52 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Aug 9 17:26:12 2006
Subject: Huge Dcc logdir
In-Reply-To: <44D9A0A5.D87E.0068.3@aafp.org>
References: <44D9A0A5.D87E.0068.3@aafp.org>
Message-ID:

Brad Beckenhauer wrote:
> Look at dcc_conf
>
> # days to keep files in DCC log directories
> DBCLEAN_LOGDAYS=14 <--- I think this is the default. And make sure you run the DCC cronjob.
>
> The cron-dccd and cron-dcc jobs do the cleanup process.
>
>>>> adrik@salesmanager.nl 8/9/2006 8:33 AM >>>
>> Hi,
>>
>> I just hunted down some wasted disk space and discovered huge
>> amounts of msg-* files in /usr/local/dcc/log which is DCCs
>> logdir. Somehow dcc decided to log every message. How can I
>> turn this off? I am using dccifd with SpamAssassin.
>>
>> I know this is a bit OT. I am in a hurry, know that a lot of
>> dcc and SpamAssassin people hang around here so please excuse
>> this.
:-)
>>
> Jan Peter,
>
> Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and
> DCCIFD_LOG_AT parameters.
> These control the 'bulkiness' after which messages get logged.
> You can also use the -t option of dccifd.
>
> Regards,
>
> Adri

From mailscanner at ecs.soton.ac.uk Wed Aug 9 17:46:26 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 17:46:44 2006
Subject: ClamAV 0.88.4
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>
Message-ID: <44DA1162.3070209@ecs.soton.ac.uk>

Done.
I should have read the Subject: line :-)

Randal, Phil wrote:
> http://www.clamav.net/security/0.88.4.html
>
> * CVE: CVE-2006-4018
> * Status: Critical
> * Vulnerable: ClamAV 0.81 - 0.88.3
>
> A heap overflow vulnerability was discovered in libclamav which could
> cause a denial of service or allow the execution of arbitrary code.
>
> The problem is specifically located in the PE file rebuild function used
> by the UPX unpacker.
>
> Relevant code from libclamav/upx.c:
>
> memcpy(dst, newbuf, foffset);
> *dsize = foffset;
> free(newbuf);
>
> cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
> return 1;
>
> Due to improper validation it is possible to overflow the above memcpy()
> beyond the allocated memory block.
>
> The problem has been fixed in 0.88.4.
>
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Julian Field
>> Sent: 09 August 2006 10:49
>> To: MailScanner discussion
>> Subject: Re: ClamAV 0.88.4
>>
>> What's out of date in it?
>>
>> Randal, Phil wrote:
>>> Nudges Jules...
>>>
>>> Any schedule for an updated install-Clam-SA.tar.gz?
>>>
>>> Cheers,
>>>
>>> Phil
>>>
>>> --
>>> Phil Randal
>>> Network Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!
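
Added example (not part of the thread and not ClamAV source): the advisory quoted in the message above describes a memcpy() whose length was not validated against the destination block. The C code below shows one generic way to bound such a copy; the function names, the dst_cap parameter and the header/body split are assumptions, and the actual 0.88.4 fix is not shown on this page and may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, NOT ClamAV source. All names below are assumptions
 * except dst, newbuf, foffset and dsize, which mirror the quoted snippet. */

#define REBUILD_OK        1
#define REBUILD_REJECTED  0
#define REBUILD_NOMEM    (-1)
#define GUARD_DAMAGED    (-2)

/*
 * Assemble a new image (header + body) in a temporary buffer, then copy it
 * back over dst. hdr_len and body_len stand in for sizes derived from
 * untrusted file fields; dst_cap is the size of the block dst points to.
 */
int rebuild_copy_checked(unsigned char *dst, size_t dst_cap, size_t *dsize,
                         const unsigned char *hdr, size_t hdr_len,
                         const unsigned char *body, size_t body_len)
{
    unsigned char *newbuf;
    size_t foffset;

    if (!dst || !dsize || !hdr || !body)
        return REBUILD_REJECTED;

    /* 1. The sum of untrusted sizes must not wrap around. */
    if (body_len > SIZE_MAX - hdr_len)
        return REBUILD_REJECTED;
    foffset = hdr_len + body_len;

    /* 2. The rebuilt image must fit in the block that dst really has.
     *    Without this test the final memcpy() can run past the block. */
    if (foffset == 0 || foffset > dst_cap)
        return REBUILD_REJECTED;

    newbuf = malloc(foffset);
    if (!newbuf)
        return REBUILD_NOMEM;

    memcpy(newbuf, hdr, hdr_len);
    memcpy(newbuf + hdr_len, body, body_len);

    /* Same three statements as the quoted code, now reached only when
     * foffset <= dst_cap. */
    memcpy(dst, newbuf, foffset);
    *dsize = foffset;
    free(newbuf);
    return REBUILD_OK;
}

/*
 * Constructed self-check: the destination is 8 usable bytes followed by
 * 4 guard bytes. Returns the rebuild status, or GUARD_DAMAGED if any
 * guard byte was overwritten.
 */
int guarded_rebuild(size_t hdr_len, size_t body_len)
{
    unsigned char region[8 + 4];
    unsigned char hdr[8], body[8];
    size_t dsize = 8, i;
    int rc;

    memset(region, 0xAA, sizeof region);
    memset(hdr, 0x11, sizeof hdr);
    memset(body, 0x22, sizeof body);

    rc = rebuild_copy_checked(region, 8, &dsize, hdr, hdr_len, body, body_len);

    for (i = 8; i < sizeof region; i++)
        if (region[i] != 0xAA)
            return GUARD_DAMAGED;
    return rc;
}

int main(void)
{
    printf("fits (4+4 into 8):      %d\n", guarded_rebuild(4, 4));
    printf("too large (4+5 into 8): %d\n", guarded_rebuild(4, 5));
    printf("wrapping sum:           %d\n", guarded_rebuild(4, SIZE_MAX));
    return 0;
}
```
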

From mailscanner at ecs.soton.ac.uk Wed Aug 9 17:47:28 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 17:48:24 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID: <44DA11A0.4050600@ecs.soton.ac.uk>

I have now upgraded my easy-to-install Clam+SA package.

Jeff A. Earickson wrote:
> Yes, I got it from Sourceforge yesterday and installed it.
>
> Jeff Earickson
> Colby College
>
> On Wed, 9 Aug 2006, Kai Schaetzl wrote:
>
>> Date: Wed, 09 Aug 2006 12:31:18 +0200
>> From: Kai Schaetzl
>> Reply-To: MailScanner discussion
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
>>
>> Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400:
>>
>>> We temporarily made the source available from the following URLs:
>>>
>>> http://mirror.clamav.net/clamav-0.88.4.tar.gz
>>
>> Same problems downloading from there. Had anyone success?
>>
>> Kai
>>
>> --
>> Kai Schätzl, Berlin, Germany
>> Get your web at Conactive Internet Services: http://www.conactive.com
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

From mailscanner at ecs.soton.ac.uk Wed Aug 9 18:16:30 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 18:16:44 2006
Subject: File Attachment size setting questions
In-Reply-To: <092a01c6bbcb$7b615790$287ba8c0@office.fsl>
References: <092a01c6bbcb$7b615790$287ba8c0@office.fsl>
Message-ID: <44DA186E.8040603@ecs.soton.ac.uk>

Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Golden, James
>> Sent: Tuesday, August 08, 2006 11:15 PM
>> To: MailScanner discussion
>> Subject: File Attachment size setting questions
>>
>> I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner,
>> SA, ClamAV), I thought it would be best to block large attachment files
>> here instead of on the mail server (conserve internal bandwidth). In
>> doing so there are 2 settings I can't figure out via my research.
>>
>> 1. How can I NOT send the recipient the message at all? I just want a
>> message going to the sender.
>>
>> 2. How do I not store that message locally. Currently we store the mail
>> (temporarily).
>>
>> Thanks,
>>
>> James Golden
>
> If you are using sendmail or the latest Postfix that can use milters, look at:
> http://www.snertsoft.com/sendmail/milter-length/
>
> Milter-length is a free milter from Anthony Howe.
It is a Sendmail utility
> milter that imposes message size limits by IP address, domain name, or
> sender address on a message body length, excluding the message headers.
> Sendmail's MaxMessageSize option only allows for a single global server wide
> message size limit, which is insufficient for some sites that would prefer
> finer granularity in the application of message size limits. This is
> particularly useful for mail hosts that manage several domains and/or a
> large number of users, such as an ISP.
>
> The MTA is the right place to block oversize messages, before accepting them
> and then running them through MailScanner.

What error message does the Milter produce?

One advantage in rejecting the message in MailScanner is that a full report message explaining the problem, including a message to both the sender and recipient telling them what happened and why their mail was rejected. I have expanded this functionality in the latest release. It used to treat the message as if it was infected, the only clue being in the "report line" in the middle. It now sends a completely different message in response to size problems with messages and attachments. This can also result in the oversized attachment being stored in the quarantine, giving the recipient an alternative, more efficient way of retrieving the attachment, provided you have some sort of web-based quarantine management and retrieval system in place, such as the excellent MailWatch or DefenderMX packages.

Rejecting at the MTA is more efficient, but it doesn't have a chance to explain the reason in language that users might understand. And it doesn't notify the recipient at all, so they just see the message as having either never been sent, or just "lost en route", which is less than helpful. This behaviour will damage your business reputation with your customers as they will just see it lose messages for no apparent reason, making them conclude that you run an unreliable mail service.
And then they tell all their friends that your service doesn't work. Not good for business.

The max message size check is done early on in the processing of a message.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

From Jamesp at MusicReports.com Wed Aug 9 18:21:28 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 18:21:32 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>

Hello,

I want to quarantine password-protected file attachments, actually, any file attachments that MailScanner determines as suspicious. After looking through mailscanner.conf I found;

# Reports and Responses
# ---------------------
#

# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes

However, an attachment was deleted and not stored in /var/spool/MailScanner/quaratine/, according to the text message;

This is a message from MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail message contained potentially dangerous content, which has been removed for your safety.

The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers.

Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the original attachment.

The content filters found this:
MailScanner: Message contained password-protected archive
~~~

Where in the conf can I fix this?

Hello,

Still poking around in the MailScanner.conf and I can't find where to fix this. Can someone point me to a direct link in the wiki or in the documentation.

Thank you in advance,

~James

From Kevin_Miller at ci.juneau.ak.us Wed Aug 9 18:52:30 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Aug 9 18:52:37 2006
Subject: ALLOW FILETYPES in MailScanner.conf
Message-ID:

I updated my MS to take advantage of the new Allow Filenames & Allow Filetypes functions and notice that the comments documenting filetypes seems to be a copy and paste of Allow Filenames with minor editing.

I'm a bit confused by one thing; in the example it shows this for filetypes:
# Allow Filetypes = \.txt$ \.pdf$
# Deny Filetypes = \.com$ \.exe$ \.cpl$ \.pif$

Shouldn't that rather be:
# Allow Filetypes = text postscript
and the like?

Looking in the filetype.rules.conf I don't see any extensions - just things like text, postscript, MPEG, etc.

Am I out to lunch? What I'm doing is setting up a particular user to be able to send my users .mp3 files, so I have the following files set up:

%etc-dir%/allow.filenames.rules
From: joe.blow@somedomain.com \.mp3$

%etc-dir%/allow.filetypes.rules
From: joe.blow@somedomain.com MPEG

Is that correct, or do I really need \.mp3$ in both the filename and filetype rule files?

S'later...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From ssilva at sgvwater.com Wed Aug 9 18:58:24 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 18:58:47 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
References: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID:

Golden, James spake the following on 8/8/2006 7:56 PM:
> Sorry for being so stupid. After looking through it again, I see what you were doing. 4 hours sleep a night catches up with you after awhile.
>
> Thanks for all the help.
>
> We will be implementing the Barracuda's appliances here in the next 5 weeks or so, that is why I am trying to "skate" by with this setup for now. I figure what I am learning here will still help out when we move to those appliances.
>
> Although I have to say with the exception of the file attachment thing, since I upgraded and setup everything correctly (I think) everyone has been noticing the difference here! In fact the guy who handles the antivirus wasn't too happy with me, because now more viruses are being caught as spam first. Our virus numbers in email went from 200 - 300 a day to 1 - 10!
>
> Thanks all (Julian?!) for this fantastic software combination!. It ROCKS!
>
> Thanks all who have helped with replies (especially Stephen), and have put up with me!
>
> James Golden

Fortress's appliance will run circles around the barracuda's, and you could probably get 2 DefenderMX's for the cost of one Barracuda!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:01:52 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:05:14 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk>
References: <44D77C7E.5010703@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 8/7/2006 10:46 AM:
> The author of the Sys::Syslog perl module has withdrawn it due to
> problems including compatibility issues with some Linux distributions.
> The most obvious effect is that the "make test" step may hang part-way
> through the tests.
>
> As a result, I have had no alternative other than to reluctantly publish
> a revision of the latest stable release of MailScanner.
>
> If you had problems installing 4.55.9 (notably on some CentOS systems)
> then download and upgrade to 4.55.10.
>
> Download as usual from www.mailscanner.info
>
> Note that if you had no problems installing 4.55.9, there is no reason
> to upgrade to 4.55.10.
>
> Sorry for this forced re-release.
>

Does anything change in MailScanner, or is it just the rollback of the Sys::Syslog module?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:17:32 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:17:43 2006
Subject: Hylafax on a MailScanner pc
In-Reply-To: <44D8C841.3030308@pacific.net>
References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net>
Message-ID:

Ken A spake the following on 8/8/2006 10:22 AM:
>
>
> sandrews@andrewscompanies.com wrote:
>> Does anyone have an opinion on installing hylafax on a lightly loaded
>> mailscanner pc? Normally, I'd toss another machine in for such a
>> different application, but this customer is experiencing server
>> "sprawl".
>>
>> Any thoughts?
>
> So, you want MailScanner to fax high scoring spam? :-)
> Hylafax is pretty stable stuff.
There shouldn't be any problems as long
> as you set your iptables rules to protect Hylafax's ports from the
> Internet.

Sounds like a new application ... FaxScanner .. Stops your junk faxes cold!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:22:59 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:23:28 2006
Subject: quarantine password-protected files
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>
Message-ID:

James D. Parra spake the following on 8/9/2006 10:21 AM:
> Hello,
>
> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quaratine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?

I have been just storing all messages for a short period of time. Then you can release anything you need to, and you can set up the system to kill after a set number of days. Mailwatch makes this even easier.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From maillists at conactive.com Wed Aug 9 19:31:19 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 19:31:23 2006
Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam'
In-Reply-To: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
Message-ID:

Dnsadmin 1bigthink.com wrote on Tue, 08 Aug 2006 10:43:59 -0400:

> They are good, long-used and trusted BLs.
>
> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org
> spamhaus-XBL SORBS-S
> PAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB
> SORBS-BLOCK NJ
> ABL

long-trusted, reliable? And you use Spews? That's a contradiction. Also, it seems to me that you are duplicating RBLs. Inform yourself what these lists actually contain. You'll see that some of them are already part of others you use. Also, honestly, using umpteen lists doesn't give you any advantage over a few *really* carefully chosen ones. They are just duplicating their results. You gain something like 1% more accuracy with 5fold more resource usage.

> How can I set up a ruleset like this for individual users or
> individual domains?
> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count

I don't see how this would help you much. Why don't you whitelist those users? You apparently know them, so ... Or just whitelist those servers, I'm not aware that they are a source for much spam, they don't appear in my logs.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Aug 9 19:31:19 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 19:31:25 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To: <20060809114217.GQ19584@doctor.nl2k.ab.ca>
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> <20060809114217.GQ19584@doctor.nl2k.ab.ca>
Message-ID:

wrote on Wed, 9 Aug 2006 05:42:17 -0600:

> I could make it available via ftp://ftp.nk.ca/

Thanks for the offer. It seems it is working now for me as well. I assume they pulled the alternative download once sf.net started working again, but it hadn't spread to my mirror yet. So I couldn't get it from both sites for a while.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Jamesp at MusicReports.com Wed Aug 9 19:38:50 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 19:38:53 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F215@exchange.musicreports.com>

James D. Parra spake the following on 8/9/2006 10:21 AM:
> Hello,
>
> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quaratine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?

>I have been just storing all messages for a short period of time. Then you can
>release anything you need to, and you can set up the system to kill after a
>set number of days. Mailwatch makes this even easier.

I don't mind just storing/quarantine the attachments for retrieval later. Right now it is deleting the attachments and I don't want that. Where in the MailScanner.conf can I fix this?

Many thanks,

James

From steve.swaney at fsl.com Wed Aug 9 20:05:58 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Aug 9 20:04:04 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To:
Message-ID: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: Wednesday, August 09, 2006 1:58 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: [SOLVED] Retreiving attachments
>
> Golden, James spake the following on 8/8/2006 7:56 PM:
> > Sorry for being so stupid. After looking through it again, I see what
> you were doing.
4 hours sleep a night catches up with you after awhile.
> >
> > Thanks for all the help.
> >
> > We will be implementing the Barracuda's appliances here in the next 5
> weeks or so, that is why I am trying to "skate" by with this setup for
> now. I figure what I am learning here will still help out when we move to
> those appliances.
> >
> > Although I have to say with the exception of the file attachment thing,
> since I upgraded and setup everything correctly (I think) everyone has
> been noticing the difference here! In fact the guy who handles the
> antivirus wasn't too happy with me, because now more viruses are being
> caught as spam first. Our virus numbers in email went from 200 - 300 a
> day to 1 - 10!
> >
> > Thanks all (Julian?!) for this fantastic software combination!. It
> ROCKS!
> >
> > Thanks all who have helped with replies (especially Stephen), and have
> put up with me!
> >
> > James Golden
> Fortress's appliance will run circles around the barracuda's, and you
> could
> probably get 2 DefenderMX's for the cost of one Barracuda!
>

{Start Commercial}

And you don't need a separate appliance for incoming and outgoing e-mail. That halves the cost again :) We now support DefenderMX Dual-core x86-64 architectures so a fairly inexpensive system will process a HEAP of email.

We have beaten barracuda and the rest of the competition at some sites that have run fairly sophisticated comparisons before buying DefenderMX. More information and references available are available. Please email me off-list.

{End Commercial}

Thanks for your patience on off topic material,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ssilva at sgvwater.com Wed Aug 9 20:34:20 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 20:34:49 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>
References: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>
Message-ID:

Stephen Swaney spake the following on 8/9/2006 12:05 PM:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
>> Sent: Wednesday, August 09, 2006 1:58 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: [SOLVED] Retreiving attachments
>>
>> Golden, James spake the following on 8/8/2006 7:56 PM:
>>> Sorry for being so stupid. After looking through it again, I see what
>> you were doing. 4 hours sleep a night catches up with you after awhile.
>>> Thanks for all the help.
>>>
>>> We will be implementing the Barracuda's appliances here in the next 5
>> weeks or so, that is why I am trying to "skate" by with this setup for
>> now. I figure what I am learning here will still help out when we move to
>> those appliances.
>>> Although I have to say with the exception of the file attachment thing,
>> since I upgraded and setup everything correctly (I think) everyone has
>> been noticing the difference here! In fact the guy who handles the
>> antivirus wasn't too happy with me, because now more viruses are being
>> caught as spam first. Our virus numbers in email went from 200 - 300 a
>> day to 1 - 10!
>>> Thanks all (Julian?!) for this fantastic software combination!. It
>> ROCKS!
>>> Thanks all who have helped with replies (especially Stephen), and have
>> put up with me!
>>> James Golden
>> Fortress's appliance will run circles around the barracuda's, and you
>> could
>> probably get 2 DefenderMX's for the cost of one Barracuda!
>>
>
> {Start Commercial}
>
> And you don't need a separate appliance for incoming and outgoing e-mail.
> That halves the cost again :) We now support DefenderMX Dual-core x86-64
> architectures so a fairly inexpensive system will process a HEAP of email.
>
> We have beaten barracuda and the rest of the competition at some sites that
> have run fairly sophisticated comparisons before buying DefenderMX. More
> information and references available are available. Please email me
> off-list.
>
> {End Commercial}
>
> Thanks for your patience on off topic material,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

Hey Steve, Everybody has to eat! And your package is perfect for someone who needs a packaged solution. Many new admins (or at least new to Linux) are being asked to get something non-windows into production. Your package is great for that. I might even push it to my PHB's in a year or so.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From jrudd at ucsc.edu Wed Aug 9 20:48:12 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Aug 9 20:48:48 2006
Subject: ClamAV 0.88.4
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
Message-ID: <52b3a0c5fff8a2c340b4038135aedb5d@ucsc.edu>

On Aug 9, 2006, at 1:49 AM, Randal, Phil wrote:

> Nudges Jules...
>
> Any schedule for an updated install-Clam-SA.tar.gz?
>

I was actually thinking, earlier today, about how hard/easy it would be to write something like the "MajorSophos" script, only for ClamAV (lets call it MajorClamav). That way it could probe the clamav servers 1/mo to look for an updated engine and see if it needs to install it (and then re-install the ClamAV perl module from CPAN, since the last time I did an engine update I needed to re-install the perl module to get it to recognize it). And, if a security announcement goes out, it'd just be a matter of re-running "MajorClamav" or something.

From wintermutecx at gmail.com Wed Aug 9 22:19:22 2006
From: wintermutecx at gmail.com (Dave)
Date: Wed Aug 9 22:19:25 2006
Subject: Duplicate messages/Unlinking failed
In-Reply-To: <4443BEF2.8090509@avalonpub.com>
References: <4443BEF2.8090509@avalonpub.com>
Message-ID:

I noticed these messages today after I upgraded to the latest Mailscanner. I went to the logs on my other server that I updated 2 days ago and they started occurring then as well.

Both servers run CentOS3.

From Jamesp at MusicReports.com Wed Aug 9 22:19:21 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 22:19:28 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com>

> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quaratine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?

>I have been just storing all messages for a short period of time. Then you can
>release anything you need to, and you can set up the system to kill after a
>set number of days. Mailwatch makes this even easier.

I don't mind just storing/quarantining the attachments for retrieval later. Right now it is deleting the attachments and I don't want that. Where in the MailScanner.conf can I fix this?

~~~

I found this on the web (it's from an older mailscanner.conf file) attempting to figure out how to stop mail scanner from deleting attachments;

# Set what to do with infected attachments or messages.
# keep ==> Store under the "Quarantine Dir"
# delete ==> Just delete them
#Action = delete
Action = keep

I don't see such an option in the mailscanner.conf I have. If I were to insert this into the conf, would it work?

Many thanks in advance,

~James

From steve.swaney at fsl.com Wed Aug 9 22:32:49 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Aug 9 22:32:52 2006
Subject: Duplicate messages/Unlinking failed
In-Reply-To:
Message-ID: <000001c6bbfb$5d381620$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Dave
> Sent: Wednesday, August 09, 2006 5:19 PM
> To: MailScanner discussion
> Subject: Re: Duplicate messages/Unlinking failed
>
> I noticed these messages today after I upgraded to the latest
> Mailscanner. I went to the logs on my other server that I updated 2
> days ago and they started occurring then as well.
>
> Both servers run CentOS3.
> --

Check your

Lock Type =

For sendmail 8.12 or earlier it should be set to flock, for sendmail 8.13 it should be set to posix.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ajos1 at onion.demon.co.uk Wed Aug 9 22:43:51 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Wed Aug 9 22:44:02 2006
Subject: gOCR SpamAssassin plugin
Message-ID:

-

Removing could be interesting...

[root@www ~/servers]# !rp
rpm -e spamassassin-3.1.3-1.fc5
error: Failed dependencies:
spamassassin is needed by (installed) evolution-2.6.2-1.fc5.5.i386

I will most probably just leave it... as the Perl Inc path suggests that it will use site_perl first before vendor_perl ...

-----Original Message-----
From: MailScanner discussion mailscanner@lists.mailscanner.info
Subj: Re: gOCR SpamAssassin plugin
Date: Mon, 07 Aug 2006 20:19:15 +0100

Beware that you might have a spamassassin rpm installed as well, which you should ideally remove before installing my distribution.

== =====================================================================
=
= When Ms Jowell, whose department is responsible for sport, was
= asked who she thought was going to win the cup, she gleefully
= pointed towards her ministerial vehicle, which is now bedecked in
= flags, to declare: "There's only one England."
=
= Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
= Call...
+44 8457 90 90 90 http://www.samaritans.org/
= =====================================================================

From wintermutecx at gmail.com Wed Aug 9 22:55:47 2006
From: wintermutecx at gmail.com (Dave)
Date: Wed Aug 9 22:55:55 2006
Subject: Duplicate messages/Unlinking failed
In-Reply-To: <000001c6bbfb$5d381620$287ba8c0@office.fsl>
References: <000001c6bbfb$5d381620$287ba8c0@office.fsl>
Message-ID:

On 8/9/06, Stephen Swaney wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Dave
> > Sent: Wednesday, August 09, 2006 5:19 PM
> > To: MailScanner discussion
> > Subject: Re: Duplicate messages/Unlinking failed
> >
> > I noticed these messages today after I upgraded to the latest
> > Mailscanner. I went to the logs on my other server that I updated 2
> > days ago and they started occurring then as well.
> >
> > Both servers run CentOS3.
> > --
>
> Check your
>
> Lock Type =
>
> For sendmail 8.12 or earlier it should be set to flock, for sendmail 8.13 it
> should be set to posix.
>

Looks like the default as set to posix if left blank after looking in the logs. I set it to flock instead of blank. Thanks :).

From steve.swaney at fsl.com Wed Aug 9 23:01:26 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Aug 9 23:01:29 2006
Subject: gOCR SpamAssassin plugin
In-Reply-To:
Message-ID: <003c01c6bbff$5c8013f0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of ajos1@onion.demon.co.uk
> Sent: Wednesday, August 09, 2006 10:44 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: gOCR SpamAssassin plugin
>
> -
>
> Removing could be interesting...
>
> [root@www ~/servers]# !rp
> rpm -e spamassassin-3.1.3-1.fc5
> error: Failed dependencies:
> spamassassin is needed by (installed) evolution-2.6.2-1.fc5.5.i386
>
>
> I will most probably just leave it... as the Perl Inc path suggests that
> it will use site_perl first before vendor_perl ...
>
>

rpm --nodeps spamassassin

Is probably a better idea :)

Also I find thunderbird more to my liking :)

Hope this helps

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From robert.isaac at volvoclub.org.uk Wed Aug 9 23:11:46 2006
From: robert.isaac at volvoclub.org.uk (Robert Isaac)
Date: Wed Aug 9 23:11:50 2006
Subject: Installation issue
Message-ID: <000101c6bc00$ce3a0a90$0300a8c0@250N>

During installation of MailScanner 4.55 on my ProLiant DL360 G3 with RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this:

*** You are using a perl configured with threading enabled.
*** You should be aware that using multiple threads is
*** not recommended for production environments.

What does this mean please, is there a problem?

Bob
___________________________________________________
Robert Isaac
Director/Web Admin
www.volvoclub.org.uk
Please include all previous text with reply
All messages are scanned with an antivirus scanner.

From sandrews at andrewscompanies.com Wed Aug 9 23:33:40 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Wed Aug 9 23:33:43 2006
Subject: Hylafax on a MailScanner pc
Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com>

Ahem...all faxes are junk faxes. It's the 21st century for christ's sake.
-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Wednesday, August 09, 2006 2:18 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Hylafax on a MailScanner pc

Ken A spake the following on 8/8/2006 10:22 AM:
>
>
> sandrews@andrewscompanies.com wrote:
>> Does anyone have an opinion on installing hylafax on a lightly loaded
>> mailscanner pc? Normally, I'd toss another machine in for such a
>> different application, but this customer is experiencing server
>> "sprawl".
>>
>> Any thoughts?
>
> So, you want MailScanner to fax high scoring spam? :-) Hylafax is
> pretty stable stuff. There shouldn't be any problems as long as you
> set your iptables rules to protect Hylafax's ports from the Internet.

Sounds like a new application ... FaxScanner .. Stops your junk faxes cold!

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

From roman at rotmax.com Thu Aug 10 00:46:17 2006
From: roman at rotmax.com (Roman)
Date: Wed Aug 9 23:46:11 2006
Subject: Multiple mqueue.in directories with priority
Message-ID: <05b001c6bc0e$0b785f80$0500000a@blessin>

I am trying to figure out how I can set up MailScanner & sendmail in such a way that I'll be able to have 2 separate mqueue.in directories.

I have one email account through which I send newsletters (20-40k emails) and other emails that I use for regular emails. The problem is when the newsletter is being sent out it fills mqueue.in and mail can not be delivered before MailScanner scans all 20-40k emails.
I saw posts here that people were able to configure different outgoing queues (fast, slow). But I think that the bottleneck is SPAM and Virus scanning in MailScanner. So I want to separate the queues before it gets to MailScanner processing.

What I would like to achieve is to have a mqueue.in.normal and mqueue.in.slow so that regular mail goes to mqueue.in.normal and newsletter mail will go to mqueue.in.slow, and have some mechanism to move messages from mqueue.in.normal and mqueue.in.slow to MailScanner mqueue.in for processing and delivery, or have MailScanner process both directories with some priority. This way regular mail won't stack in mqueue.in waiting to be delivered only after all newsletters have been delivered.

Has anyone been able to achieve something similar to what I am trying to achieve? Am I missing something? Any ideas?

Roman

From lshaw at emitinc.com Thu Aug 10 00:17:46 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Thu Aug 10 00:18:00 2006
Subject: Multiple mqueue.in directories with priority
In-Reply-To: <05b001c6bc0e$0b785f80$0500000a@blessin>
References: <05b001c6bc0e$0b785f80$0500000a@blessin>
Message-ID:

On Thu, 10 Aug 2006, Roman wrote:
> The problem is when the newsletter is being sent out it fills mqueue.in
> and mail can not be delivered before MailScanner scans all 20-40k emails.

> Any ideas ?

Can you somehow whitelist the newsletter? It sounds like it's being sent from your site out to the rest of the world, so you should be able to trust that it isn't spam, at least. It wouldn't achieve the aim of truly making it lower priority, but it should pass through MailScanner quite quickly if it's whitelisted so that it doesn't have to be scanned at all.

Just an idea, though.
It might or might not be appropriate depending on whether you want need to scan the outgoing newsletter for viruses. (It might be one of those things where the chances of the newsletter containing a virus might be low, but the impact if it does have one is very high in terms of embarrassment, so maybe you do want to scan it...)

Otherwise, if you really want lower priorities for the newsletter, the most obvious thing is to choose an additional port for incoming SMTP and have the newsletter sent to that port. Then you can have basically these four queue dirs with a corresponding instance of sendmail for each:

/var/spool/mqueue.in
/var/spool/mqueue
/var/spool/mqueue.in.low-priority
/var/spool/mqueue.low-priority

And you'd have two instances of MailScanner, one moving messages from /var/spool/mqueue.in to /var/spool/mqueue and the other moving messages from /var/spool/mqueue.in.low-priority to /var/spool/mqueue.low-priority.

You can, obviously, set the MailScanner that runs for the low-priority queue to have fewer children, which will in a sense reduce its priority. But if the objective is just to have regular mail still responsive and operational while the newsletter is delivered, putting them in separate queues should be enough, even if equal resources are devoted to both queues.

- Logan

From Jamesp at MusicReports.com Thu Aug 10 00:56:59 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Thu Aug 10 00:57:04 2006
Subject: quarantine attachments & Dangerous content
Message-ID: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com>

Hello,

In my past installs of mailscanner, attachments considered 'suspect' for any various reason were put into quarantine for later retrieval. In the most recent install I made, these items are instead being deleted from the e-mail message with a note in the e-mail stating that attachment was removed.
For example;

The content filters found this:
MailScanner: Message contained password-protected archive

Where in the MailScanner.conf can I specify to have suspect attachments stored or quarantined and *not* deleted. If it is not in the mailscanner.conf file is the setting in another config file?

Many thanks,

James

From Jamesp at MusicReports.com Thu Aug 10 01:24:27 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Thu Aug 10 01:24:31 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>

>I have been just storing all messages for a short period of time. Then you can
>release anything you need to, and you can set up the system to kill after a
>set number of days. Mailwatch makes this even easier.

Hello Scott,

How do you set this up if you're not using mailwatch?

Thank you,

~James

From brent.addis at pronet.co.nz Thu Aug 10 01:55:46 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Thu Aug 10 01:56:33 2006
Subject: missing queue files?
In-Reply-To: <44D7C597.5090201@pronet.co.nz>
References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz>
Message-ID: <44DA8412.7070001@pronet.co.nz>

Has anyone seen this before, at all? I'm still seeing missing spool files, exim is set to use posix.

Thanks!

Brent Addis wrote:
> Brent Addis wrote:
>> Hi.
>>
>> I have just migrated to a new machine (was exim 4.50,
>> MailScanner-4.43.8) which has been humming along quite nicely for a
>> long time.
>>
>> I am now running exim 4.62 along with Mailscanner-4.55.9.
>>
>> We are currently seeing occasional messages hitting mailscanner,
>> being scanned, and only the Header file seemingly being inserted into
>> the exim queue.
>>
>> EG:
>>
>> 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D
>> not found
>>
>> envy:/var/log/exim4# ls -l /var/spool/exim4/input/
>> total 4
>> -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08
>> 1GADGn-0004tk-Kq-H
>>
>>
>> I had a similar problem when I upgraded to 4.50, however I didn't
>> have much time to look into it, so downgraded back to the above.
>>
>> Has anyone else seen a similar issue?
>>
> Also:
>
> Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning:
> Starting
> Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages
> Aug 8 10:08:45 envy MailScanner[15218]: Logging message
> 1GADGn-0004tk-Kq to SQL
> Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to
> MailWatch SQL
>
> envy:/var/log# /opt/MailScanner/bin/MailScanner -v
> Running on
> Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux
> This is Perl version 5.008004 (5.8.4)
>
> This is MailScanner version 4.55.9
> Module versions are:
> 1.00 AnyDBM_File
> 1.16 Archive::Zip
> 1.02 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.05 Fcntl
> 2.72 File::Basename
> 2.07 File::Copy
> 2.01 FileHandle
> 1.06 File::Path
> 0.16 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.21 IO
> 1.10 IO::File
> 1.123 IO::Pipe
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.10 Net::CIDR
> 1.08 POSIX
> 1.77 Socket
> 1.2 Sys::Hostname::Long
> 0.17 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.808 DB_File
> 1.11 DBD::SQLite
> 1.50 DBI
> 1.06 Digest
> 1.01 Digest::HMAC
> 2.33 Digest::MD5
> 2.10 Digest::SHA1
> 0.44 Inline
> missing Mail::ClamAV
> 3.001004 Mail::SpamAssassin
> 1.997 Mail::SPF::Query
> 0.15 Net::CIDR::Lite
> 1.24 Net::IP
> 0.48 Net::DNS
> missing Net::LDAP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.40 Test::Harness
> 0.62 Test::Simple
> 1.95 Text::Balanced
> 1.35 URI
>
> The issue seems to be very random, and I have as yet been unable to
> replicate myself
>

From ugob at camo-route.com Thu Aug 10 02:11:26 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Aug 10 02:11:43 2006
Subject: [solution] Re: won't write sendmail.in.pid
In-Reply-To:
References: <44C7DB0F.4070301@marcsnet.com> <44C8C8B8.2010504@marcsnet.com> <44C8E946.1070703@pacific.net> <44C93C9B.4060205@pacific.net> <1154041678.44c9474e6a31f@perdition.cnpapers.net>
Message-ID:

Ugo Bellavance wrote:
> Steve Campbell wrote:
>> Quoting Ken A :
>>
>
>> Before you revert back to 8.13.6, try the RPMs at
>>
>> http://www.city-fan.org/ftp/contrib/mail/
>>
>> They have worked for me and fixed a recent problem with the pid file, although,
>> I'm not sure it's the same. He has FC5 RPMs for 8.13.7-4. They are pretty close
>> to RH configurations (so far, I haven't had to change anything after upgrading
>> from RH (Tao & CentOS) rpms).
>>
>>
>
> I used to use them myself, but the 8.13.7-4 doesn't contain the patch for
> the pid file problem...

To my request, Paul from city-fan.org built 8.13.7-5, including the 2 patches suggested on sendmail's web site. I'm testing it right now on some of my servers.

Thanks Paul!

Ugo

From chrisgreen at hotmail.com Thu Aug 10 04:32:03 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Thu Aug 10 04:32:09 2006
Subject: Installation issue
In-Reply-To: <000101c6bc00$ce3a0a90$0300a8c0@250N>
Message-ID:

Robert Isaac wrote:
>During installation of MailScanner 4.55 on my ProLiant DL360 G3 with
>RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this:
>
>*** You are using a perl configured with threading enabled.
>*** You should be aware that using multiple threads is
>*** not recommended for production environments.
>
>What does this mean please, is there a problem?
>

There is an in-depth article explaining threading here:

http://www.xav.com/perl/lib/Pod/perlthrtut.html

Essentially, threading is an experimental option that is switched on at compile-time. This means that if you are using an RPM distribution or equivalent you will not have the opportunity to choose whether to have threading enabled or not, the package author will have made that decision for you.

Is there a problem? So far for me, No, but I'm sure someone else on this list might be able to enlighten us. My guess is that problems associated with threading are mainly due to logic errors in programs that use the threading feature, causing deadlocks and the like. Emphasis on the word 'guess' there....

Chris

From ugob at camo-route.com Thu Aug 10 04:48:14 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Aug 10 04:48:22 2006
Subject: Multiple mqueue.in directories with priority
In-Reply-To:
References: <05b001c6bc0e$0b785f80$0500000a@blessin>
Message-ID:

Logan Shaw wrote:
> On Thu, 10 Aug 2006, Roman wrote:
>> The problem is when the newsletter is being sent out it fills mqueue.in
>> and mail can not be delivered before MailScanner scans all 20-40k emails.
>
>> Any ideas ?
>
> Can you somehow whitelist the newsletter? It sounds like
> it's being sent from your site out to the rest of the world,
> so you should be able to trust that it isn't spam, at least.

Better than that, bypass spam scanning, using Spam Checks = or bypass all scanning altogether for the newsletter.

From Jan-Peter.Koopmann at seceidos.de Thu Aug 10 08:12:30 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Thu Aug 10 08:12:49 2006
Subject: SORBS found by MTA but not by SA?
Message-ID:

Hi,

this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas?
Kind regards,
JP

From augustin.siaens at aquadev.org Thu Aug 10 09:27:13 2006
From: augustin.siaens at aquadev.org (Augustin Siaens)
Date: Thu Aug 10 09:27:27 2006
Subject: log SpamAssassin
Message-ID: <44DAEDE1.10102@aquadev.org>

quick question,

I often see this sentence in the logs

"Aug 10 10:22:42 server1 MailScanner[24621]: Expired 4 records from the SpamAssassin cache"

what does it mean exactly?

thanks for the info

--
Augustin Siaens
AQUADEV
Rue des Carmélites 151 Karmelietenstraat
1180 Bruxelles - Brussel
Tel: +32 2 347 70 00
Fax: +32 2 347 00 36

--
This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found.

From support-lists at petdoctors.co.uk Thu Aug 10 09:36:59 2006
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Thu Aug 10 09:35:18 2006
Subject: Weird 'spam'
In-Reply-To: <44D9E757.6030706@nkpanama.com>
Message-ID: <011d01c6bc58$256381a0$1465a8c0@support01>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday, August 09, 2006 2:47 PM
To: MailScanner discussion
Subject: Re: Weird 'spam'

Kai Schaetzl wrote:
> Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100:
> This is probably only the tip of the iceberg. That is what *you* get.
> They are trying to check out if your script can be abused. And since
> you are getting these so regularly it's possible that the trying phase is already over ...
> Check your outgoing mail queue.

... and fix your form/server/whatever before you get blacklisted! :-)

Thanks to everyone for all the feedback.
The contact form is from Joomla and the destination address is fixed and obscured from the sender so I am confident that mail cannot be sent anywhere else other than the address listed for the contact.

Nigel

From maillists at conactive.com Thu Aug 10 11:31:18 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Aug 10 11:31:24 2006
Subject: log SpamAssassin
In-Reply-To: <44DAEDE1.10102@aquadev.org>
References: <44DAEDE1.10102@aquadev.org>
Message-ID:

Augustin Siaens wrote on Thu, 10 Aug 2006 10:27:13 +0200:

> what does it mean exactly?

MS stores SA check results in a cache so results can be reused in case the same message drops in again.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dhawal at netmagicsolutions.com Thu Aug 10 11:34:01 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Aug 10 11:34:16 2006
Subject: SORBS found by MTA but not by SA?
In-Reply-To:
References:
Message-ID: <44DB0B99.10204@netmagicsolutions.com>

Koopmann, Jan-Peter wrote:
> Hi,
>
> this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas?
>
> Kind regards,
> JP

Broken trusted_networks? can you post some more details on your trusted networks setting?

- dhawal

From dhawal at netmagicsolutions.com Thu Aug 10 11:37:40 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Aug 10 11:37:45 2006
Subject: Installation issue
In-Reply-To:
References:
Message-ID: <44DB0C74.2060004@netmagicsolutions.com>

Chris Green wrote:
> Robert Isaac wrote:
>> During installation of MailScanner 4.55 on my ProLiant DL360 G3 with
>> RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this:
>>
>> *** You are using a perl configured with threading enabled.
>> *** You should be aware that using multiple threads is
>> *** not recommended for production environments.
>>
>> What does this mean please, is there a problem?

If you notice closely.. this error occurs specifically while building the DBI rpm.. How it affects your setup / performance can be read on the below URL (as posted by Chris).

- dhawal

> There is an in-depth article explaining threading here:
>
> http://www.xav.com/perl/lib/Pod/perlthrtut.html
>
> Essentially, threading is an experimental option that is switched on at
> compile-time. This means that if you are using an RPM distribution or
> equivalent you will not have the opportunity to choose whether to have
> threading enabled or not, the package author will have made that
> decision for you.
>
> Is there a problem? So far for me, No, but I'm sure someone else on this
> list might be able to enlighten us. My guess is that problems associated
> with threading are mainly due to logic errors in programs that use the
> threading feature, causing deadlocks and the like. Emphasis on the word
> 'guess' there....
>
> Chris

From alex at nkpanama.com Thu Aug 10 14:51:54 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Aug 10 14:52:15 2006
Subject: Weird 'spam'
In-Reply-To: <011d01c6bc58$256381a0$1465a8c0@support01>
References: <011d01c6bc58$256381a0$1465a8c0@support01>
Message-ID: <44DB39FA.6040004@nkpanama.com>

Nigel Kendrick wrote:
> Thanks to everyone for all the feedback. The contact form is from Joomla and
> the destination address is fixed and obscured from the sender so I am
> confident that mail cannot be sent anywhere else other than the address
> listed for the contact.
>
> Nigel
>

That isn't necessarily so.
http://www.securephpwiki.com/index.php/Email_Injection

From alex at nkpanama.com Thu Aug 10 14:56:16 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Aug 10 14:56:37 2006
Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam'
In-Reply-To:
References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
Message-ID: <44DB3B00.90204@nkpanama.com>

Kai Schaetzl wrote:
>> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count

And, to my knowledge, rulesets should end with ".rules", right?

From mailscanner at yeticomputers.com Thu Aug 10 15:40:43 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Thu Aug 10 15:40:56 2006
Subject: quarantine attachments & Dangerous content
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com>
Message-ID: <44DB456B.5060002@yeticomputers.com>

Perhaps password-protected zip files are identified as silent viruses? The settings to look at are:

# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes

# There is no point quarantining most viruses these days as the infected
# messages contain no useful content, so if you set this to "no" then no
# infections listed in your "Silent Viruses" setting will be quarantined,
# even if you have chosen to quarantine infections in general. This is
# currently set to "yes" so the behaviour is the same as it was in
# previous versions.
# This can also be the filename of a ruleset.
Quarantine Silent Viruses = no

With these settings, if password-protected files are recognized as silent viruses they will not be stored. This section handles what is treated as a silent virus:

# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
# (but it will still be "cleaned" by removing the nasty attachments
# from the message)
# 3) The recipient will not receive the message,
# unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 5 special keywords
# HTML-IFrame : inserting this will stop senders being warned about
# HTML Iframe tags, when they are not allowed.
# HTML-Codebase : inserting this will stop senders being warned about
# HTML Object Codebase/Data tags, when they are not allowed.
# HTML-Script : inserting this will stop senders being warned about
# HTML Script tags, when they are not allowed.
# HTML-Form : inserting this will stop senders being warned about
# HTML Form tags, when they are not allowed.
# Zip-Password : inserting this will stop senders being warned about
# password-protected zip files, when they are not allowed.
# This keyword is not needed if you include All-Viruses.
# All-Viruses : inserting this will stop senders being warned about
# any virus, while still allowing you to warn senders
# about HTML-based attacks. This includes Zip-Password
# so you don't need to include both.
#
# The default of "All-Viruses" means that no senders of viruses will be
# notified (as the sender address is always forged these days anyway),
# but anyone who sends a message that is blocked for other reasons will
# still be notified.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame All-Viruses

Hope this helps.

Rick

James D. Parra wrote:
> Hello,
>
> In my past installs of mailscanner, attachments considered 'suspect' for any
> various reason were put into quarantine for later retrieval. In the most
> recent install I made, these items are instead being deleted from the e-mail
> message with a note in the e-mail stating that attachment was removed.
For
> example;
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
>
> Where in the MailScanner.conf can I specify to have suspect attachments
> stored or quarantined and *not* deleted. If it is not in the
> mailscanner.conf file is the setting in another config file?
>
> Many thanks,
>
> James
>

From HancockS at morganco.com Thu Aug 10 15:43:49 2006
From: HancockS at morganco.com (Hancock, Scott)
Date: Thu Aug 10 15:44:29 2006
Subject: SA timeout help.
Message-ID: <7A6F9F7356141C42987075747C5B87D30310BA0D@wmail.int.morganco.com>

I've been looking for a SA timeout issue for several days.

Is the numbering supposed to start at 0 and not 1?

From the mail log

Aug 10 10:39:38 pebbles MailScanner[31668]: SpamAssassin timed out and was killed, failure 0 of 20
Aug 10 10:39:39 pebbles MailScanner[31668]: Message 1GBBdG-0002OT-Sq from 209.200.5.12 (3-5968161-morganco.com?narainv@intqw.turnedtheold22.com) to morganco.com is not spam, SpamAssassin (timed out)

I did find several problems but now when I run check_mailscanner and scan the output, I notice only two issues.

The first is check_mailscanner can take over a minute to get past the line

[24665] dbg: bayes: expiry max exponent: 9

in the following.

[24665] dbg: bayes: expiry starting
[24665] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
[24665] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
[24665] dbg: bayes: DB expiry: tokens in DB: 16432117, Expiry max size: 150000, Oldest atime: 1116109310, Newest atime: 1155039924, Last expire: 1116253906, Current time: 1155044021
[24665] dbg: bayes: expiry check keep size, 0.75 * max: 112500
[24665] dbg: bayes: token count: 16432117, final goal reduction size: 16319617
[24665] dbg: bayes: first pass? current: 1155044021, Last: 1116253906, atime: 144604, count: 36214, newdelta: 320, ratio: 450.643867012757, period: 43200
[24665] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass)
[24665] dbg: bayes: expiry max exponent: 9
[25485] dbg: message: ---- MIME PARSER START ----
[25485] dbg: message: main message type: multipart/mixed
[25485] dbg: message: parsing multipart, got boundary: ----=_NextPart_001_0000_01C6BAFD.3D6884F0
[25485] dbg: message: found part of type text/plain, boundary: ----=_NextPart_001_0000_01C6BAFD.3D6884F0
[25485] dbg: message: parsing normal part
[25485] dbg: message: added part, type: text/plain
[25485] dbg: message: ---- MIME PARSER END ----

The second problem is a permissions problem in the Bayes folder. The journal file is owned by root and the rest of the files are owned by mail. The mail process does not run as root. At other points in the check_mailscanner output, Bayes entries are entered successfully. check_mailscanner output does not pause at all when the permissions error appears.
See line

[29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
bayes: bad permissions on journal, can't read: /var/lib/MailScanner/bayes_journal

below

[29627] dbg: bayes: opportunistic call found expiry due
[29627] dbg: bayes: bayes journal sync starting
[29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
[29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
bayes: bad permissions on journal, can't read: /var/lib/MailScanner/bayes_journal
[29627] dbg: bayes: bayes journal sync completed
[29627] dbg: bayes: expiry starting
[29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
[29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock
[29627] dbg: bayes: DB expiry: tokens in DB: 16432241, Expiry max size: 150000, Oldest atime: 1116109310, Newest atime: 1155211501, Last expire: 1116253906, Current time: 1155218450
[29627] dbg: bayes: expiry check keep size, 0.75 * max: 112500
[29627] dbg: bayes: token count: 16432241, final goal reduction size: 16319741
[29627] dbg: bayes: first pass? current: 1155218450, Last: 1116253906, atime: 144604, count: 36214, newdelta: 320, ratio: 450.647291102888, period: 43200
[29627] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass)
[29627] dbg: bayes: expiry max exponent: 9

Could either of these issues result in SA timeouts? Any fix suggestions? Should this post be on the SA list?

I have the same problem on two mailscanners. One is running the latest MS version from the tar package in /opt. The other running the latest Debian package.

FWIW, I made an honest attempt at understanding the Debian packaging system to make my own Debian package. Running from /opt was much more simple.

Thanks for any help or pointers.
Scott From mailscanner at yeticomputers.com Thu Aug 10 15:58:33 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 10 15:58:44 2006 Subject: quarantine attachments & Dangerous content In-Reply-To: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> Message-ID: <44DB4999.90303@yeticomputers.com> James D. Parra wrote: > Hello, > > In my past installs of mailscanner, attachments considered 'suspect' for any > various reason were put into quarantine for later retrieval. In the most > recent install I made, these items are instead being deleted from the e-mail > message with a note in the e-mail stating that attachment was removed. For > example; > > The content filters found this: > MailScanner: Message contained password-protected archive > > Where in the MailScanner.conf can I specify to have suspect attachments > stored or quarantined and *not* deleted. If it is not in the > mailscanner.conf file is the setting in another config file? > > Many thanks, > > James > Also: # Strings listed here will be searched for in the output of the virus scanners. # It works to achieve the opposite effect of the "Silent Viruses" listed above. # If a string here is found in the output of the virus scanners, then the # message will be treated as if it were not infected with a "Silent Virus". # If a message is detected as both a silent virus and a non-forging virus, # then the ___non-forging status will override the silent status.___ # In simple terms, you should list virus names (or parts of them) that you # know do *not* forge the From address. # A good example of this is a document macro virus or a Joke program. # Another word that can be put in this list is the special keyword # Zip-Password : inserting this will cause senders to be warned about # password-protected zip files, when they are not allowed. 
# This will over-ride the All-Viruses setting in the list
# of "Silent Viruses" above.
#
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

From ugob at camo-route.com Thu Aug 10 15:58:36 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Aug 10 15:59:36 2006
Subject: Sendmail 8.13.8 is out
Message-ID:

http://www.sendmail.org/releases/8.13.8.html

From mkettler at evi-inc.com Thu Aug 10 16:44:43 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Aug 10 16:44:57 2006
Subject: SORBS found by MTA but not by SA?
In-Reply-To:
References:
Message-ID: <44DB546B.90603@evi-inc.com>

Koopmann, Jan-Peter wrote:
> Hi,
>
> this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas?

What's your trusted_networks set to?

If you don't have one, my guess is that SA is mis-judging where your network boundaries are. This is VERY common, particularly if your mailserver is behind a static-NAT or otherwise has a reserved IP address.

By default, SA will guess at trusted_networks, and copy that to internal_networks. Any host in internal_networks is immune to RBL checks.

See http://wiki.apache.org/spamassassin/TrustPath

From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 19:32:00 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Aug 10 19:32:05 2006
Subject: URIBL_BLACK/GREY lists
Message-ID:

Just updated a slightly older version of MS and noticed in spam.assassin.prefs.conf that Julian added a bunch of URIBL_BLACK/GREY lists but they're all commented out. Any reason not to use them? Is there any further stuff that needs to happen to use them? I.e., URIBL plugins in SA or the like? If so, are they installed with the SA/Clam package?

Thanks...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Jamesp at MusicReports.com Thu Aug 10 19:48:04 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 19:48:09 2006 Subject: quarantine attachments & Dangerous content Message-ID: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> > In my past installs of mailscanner, attachments considered 'suspect' for any > various reason were put into quarantine for later retrieval. In the most > recent install I made, these items are instead being deleted from the e-mail > message with a note in the e-mail stating that attachment was removed. For > example; > > The content filters found this: > MailScanner: Message contained password-protected archive > > Where in the MailScanner.conf can I specify to have suspect attachments > stored or quarantined and *not* deleted. If it is not in the > mailscanner.conf file is the setting in another config file? Hello Rick, Thank you for your response. I made the following changes. I'll post the results when the suspect mail is resent. >Quarantine Infections = yes Already set. >Quarantine Silent Viruses = no Also preset. >Silent Viruses = HTML-IFrame All-Viruses Changed this by removing All-Viruses & Zip-Password, but left all the HTML info. Thank you, ~James From mailscanner at yeticomputers.com Thu Aug 10 20:13:54 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 10 20:14:08 2006 Subject: quarantine attachments & Dangerous content In-Reply-To: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> Message-ID: <44DB8572.8030300@yeticomputers.com> James D. Parra wrote: >> In my past installs of mailscanner, attachments considered 'suspect' for >> > any > >> various reason were put into quarantine for later retrieval. 
In the most
>> recent install I made, these items are instead being deleted from the
>>
> e-mail
>
>> message with a note in the e-mail stating that attachment was removed. For
>> example;
>>
>> The content filters found this:
>> MailScanner: Message contained password-protected archive
>>
>> Where in the MailScanner.conf can I specify to have suspect attachments
>> stored or quarantined and *not* deleted. If it is not in the
>> mailscanner.conf file is the setting in another config file?
>>
>
> Hello Rick,
>
> Thank you for your response. I made the following changes. I'll post the
> results when the suspect mail is resent.
>
>
>> Quarantine Infections = yes
>>
>
> Already set.
>
>
>> Quarantine Silent Viruses = no
>>
>
> Also preset.
>
>
>> Silent Viruses = HTML-IFrame All-Viruses
>>
>
> Changed this by removing All-Viruses & Zip-Password, but left all the HTML
> info.
>
> Thank you,
>
> ~James

If I understand what you're trying to do, a better combination would be:

Quarantine Infections = yes
Quarantine Silent Viruses = yes
Silent Viruses = HTML-IFrame All-Viruses

My first post was just a cut/paste out of my own MailScanner.conf. I don't want password-protected zips quarantined. If you do, the above should do it for you. The changes you made will cause MailScanner to generate a lot of bogus virus warnings, and that's not something you want to do. At least it's not something I want you to do - not while following my advice. :)

Don't forget that you can also use "Allow Password-Protected Archives = yes" if you just want to pass the things through. That has its own set of risks, though. Read through the comments for these options in the MailScanner.conf file - they're quite good, I think.
Rick

From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:55:46 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 10 20:55:55 2006
Subject: ALLOW FILETYPES in MailScanner.conf
In-Reply-To:
References:
Message-ID: <44DB8F42.5090003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Miller wrote:
> I updated my MS to take advantage of the new Allow Filenames & Allow
> Filetypes functions and notice that the comments documenting filetypes
> seems to be a copy and paste of Allow Filenames with minor editing. I'm
> a bit confused by one thing; in the example it shows this for filetypes:
>
> # Allow Filetypes = \.txt$ \.pdf$
> # Deny Filetypes = \.com$ \.exe$ \.cpl$ \.pif$
>
> Shouldn't that rather be:
>
> # Allow Filetypes = text postscript
>
> and the like?
Yes it should. Well spotted.
>
> Looking in the filetype.rules.conf I don't see any extensions - just
> things like text, postscript, MPEG, etc.
>
> Am I out to lunch?
Not at all. For a beer, maybe, but not to lunch.
>
> What I'm doing is setting up a particular user to be able to send my
> users .mp3 files, so I have the following files set up:
>
> %etc-dir%/allow.filenames.rules
> From: joe.blow@somedomain.com \.mp3$
>
> %etc-dir%/allow.filetypes.rules
> From: joe.blow@somedomain.com MPEG
>
> Is that correct, or do I really need \.mp3$ in both the filename and
> filetype rule files?
No, you've got it absolutely correct.
>
> S'later...
>
> ...Kevin

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!
-----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE249FEfZZRxQVtlQRAkbxAKCrag3nx9PE6Pbn+TKPOEkAq7Ci4QCeJr28 /TSkTFF3kmV5JJSHJHEFEfA= =6cWp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:57:56 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 20:58:05 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: References: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <44DB8FC4.8080302@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > Julian Field spake the following on 8/7/2006 10:46 AM: >> The author of the Sys::Syslog perl module has withdrawn it due to >> problems including compatibility issues with some Linux distributions. >> The most obvious effect is that the "make test" step may hang part-way >> through the tests. >> >> As a result, I have had no alternative other than to reluctantly publish >> a revision of the latest stable release of MailScanner. >> >> If you had problems installing 4.55.9 (notably on some CentOS systems) >> then download and upgrade to 4.55.10. >> >> Download as usual from www.mailscanner.info >> >> Note that if you had no problems installing 4.55.9, there is no reason >> to upgrade to 4.55.10. >> >> Sorry for this forced re-release. >> > Does anything change in MailScanner, or is it just the rollback of the > Sys::Syslog module? What I ended up doing in the end was shipping a version of Sys-Syslog 0.17 that skips the "make test" stage, which can lock-up. 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up on other systems. 
I wish the author of this could get his act together and produce some code which worked, it would make my life a whole lot easier :-( - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE24/GEfZZRxQVtlQRAo+xAJ9NFFUjvAuEbAibLopFJX3/uINKpACdEXpP ziRDRg3IIA2qm93Lk5H8HSg= =2+/Z -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:59:22 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 20:59:30 2006 Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam' In-Reply-To: References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com> Message-ID: <44DB901A.5050301@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Don't use more than 2 or maybe 3 lists in the "Spam List" setting, it will grind your system to a crawl with serial DNS lookups. Kai Schaetzl wrote: > Dnsadmin 1bigthink.com wrote on Tue, 08 Aug 2006 10:43:59 -0400: > >> They are good, long-used and trusted BLs. >> >> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org >> spamhaus-XBL SORBS-S >> PAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB >> SORBS-BLOCK NJ >> ABL > > long-trusted, reliable? And you use Spews? That's a contradiction. Also, > it seems to me that you are duplicating RBLs. Inform yourself what these > lists actually contain. You'll see that some of them are already part of > others you use. 
Also, honestly, using umpteen lists doesn't give you any > advantage over a few *really* carefully chosen ones. They are just > duplicating their results. You gain something like 1% more accuracy with > 5fold more ressource usage. > >> How can I set up a ruleset like this for individual users or >> individual domains? >> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count > > I don't see how this would help you much. Why don't you whitelist those > users? You apparently know them, so ... Or just whitelist those servers, > I'm not aware that they are a source for much spam, they don't appear in > my logs. > > > Kai > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE25AcEfZZRxQVtlQRAhAHAJ0UfM/xTUPZ3igUCv3XhZv3XmvpQACfQJb3 K3t3PT5xrW3FWFFcFUJy5XA= =xT+t -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 21:02:33 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 21:02:42 2006 Subject: quarantine password-protected files In-Reply-To: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com> Message-ID: <44DB90D9.6040804@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 James D. Parra wrote: >> I want to quarantine password-protected file attachments, actually, any > file >> attachments that MailScanner determines as suspicious. 
After looking > through >> mailscanner.conf I found; >> >> >> # Reports and Responses >> # --------------------- >> # >> >> # Do you want to store copies of the infected attachments and messages? >> # This can also be the filename of a ruleset. >> Quarantine Infections = yes >> >> >> However, an attachment was deleted and not stored in >> /var/spool/MailScanner/quaratine/, according the text message; >> >> This is a message from MailScanner E-Mail Virus Protection Service >> ---------------------------------------------------------------------- >> The original e-mail message contained potentially dangerous content, >> which has been removed for your safety. >> >> The content is dangerous as it is often used to spread viruses or to gain >> personal or confidential information from you, such as passwords or credit >> card numbers. >> >> Due to limitations placed on us by the Regulation of Investigatory Powers >> Act 2000, we were unable to keep a copy of the original attachment. >> >> The content filters found this: >> MailScanner: Message contained password-protected archive >> ~~~ >> >> Where in the conf can I fix this? > >> I have been just storing all messages for a short period of time. Then you > can >> release anything you need to, and you can set up the system to kill after a >> set number of days. Mailwatch makes this even easier. > > I don't mind just storing/quarantine the attachments for retrieval later. > Right now it is deleting the attachments and I don't want that. Where in the > MailScanner.conf can I fix this? > ~~~ > > I found this on the web (its from an older mailscanner.conf file) attempting > to figure out how to stop mail scanner from deleting attachments; Not from one that ever worked. > > # Set what to do with infected attachments or messages. > # keep ==> Store under the "Quarantine Dir" > # delete ==> Just delete them > #Action = delete > Action = keep The configuration setting "Action" does not and has never existed. 
Furthermore a "Spam Actions" keyword "keep" does not and has never existed.
Try
Spam Actions = store
>
> I don't see such an option in the mailscanner.conf I have. If I were to
> insert this in to the conf, would it work?
>
> Many thanks in advance,
>
> ~James

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE25DbEfZZRxQVtlQRAqx3AJ9dFV0YCnDXlBGV/1Des27WINbcAACgyQZW
Jpi/Bbne7GNVDcKos/r7Ttc=
=UJWt
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 21:04:09 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Aug 10 21:04:13 2006
Subject: ALLOW FILETYPES in MailScanner.conf
In-Reply-To: <44DB8F42.5090003@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>> What I'm doing is setting up a particular user to be able to send my
>> users .mp3 files, so I have the following files set up:
>>
>> %etc-dir%/allow.filenames.rules
>> From: joe.blow@somedomain.com \.mp3$
>>
>> %etc-dir%/allow.filetypes.rules
>> From: joe.blow@somedomain.com MPEG
>>
>> Is that correct, or do I really need \.mp3$ in both the filename and
>> filetype rule files?
>
> No, you've got it absolutely correct.

Almost absolutely correct. Instead of %etc-dir% I meant to say %etc-dir%/rules/ but even better is %rules-dir%.

Seems to be working a treat - nice feature Julian...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From daniel.maher at ubisoft.com Thu Aug 10 21:42:24 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 10 21:42:28 2006 Subject: gOCR SpamAssassin plugin Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: > Blacknight.ie > Sent: August 7, 2006 9:53 AM > To: MailScanner discussion > Subject: Re: gOCR SpamAssassin plugin > > The one that Dallas posted on the SA users group seems to work well: > > http://www.rulesemporium.com/plugins.htm#imageinfo > > -- > Mr Michele Neylon > Blacknight Solutions > Quality Business Hosting & Colocation > http://www.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From jrudd at ucsc.edu Thu Aug 10 21:47:54 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 10 21:48:27 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> Message-ID: <326f147caa00180007a54679f18bed44@ucsc.edu> The who is developing it is still taking feature suggestions and bug reports over on the SA users list. You could always request it over there. On Aug 10, 2006, at 1:42 PM, Daniel Maher wrote: > I've noticed that a lot of the image spam uses bitmap (.bmp) images. > Unfortunately, that SARE plugin appears to handle gif, png, and jpg > images only. Does anybody know of a plugin that will recognise bmp's > as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at nkpanama.com Thu Aug 10 21:48:25 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 21:48:53 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> Message-ID: <44DB9B99.8080606@nkpanama.com> If you absolutely *MUST* allow BMP's, I can't help you. Otherwise you *could* set up a filetype rule to disallow BMP's. Daniel Maher wrote: > I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. 
+353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! From daniel.maher at ubisoft.com Thu Aug 10 21:50:40 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 10 21:50:44 2006 Subject: gOCR SpamAssassin plugin Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0B6@UBIMAIL1.ubisoft.org> Woops - as it turns out, the image spam doesn't use bitmaps. That's just what Outlook wants to save them as if you right-click. That's the last time I trust user input before verifying it myself! ;) -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Maher > Sent: August 10, 2006 4:42 PM > To: MailScanner discussion > Subject: RE: gOCR SpamAssassin plugin > > I've noticed that a lot of the image spam uses bitmap (.bmp) images. > Unfortunately, that SARE plugin appears to handle gif, png, and jpg images > only. Does anybody know of a plugin that will recognise bmp's as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. 
> > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: > > Blacknight.ie > > Sent: August 7, 2006 9:53 AM > > To: MailScanner discussion > > Subject: Re: gOCR SpamAssassin plugin > > > > The one that Dallas posted on the SA users group seems to work well: > > > > http://www.rulesemporium.com/plugins.htm#imageinfo > > > > -- > > Mr Michele Neylon > > Blacknight Solutions > > Quality Business Hosting & Colocation > > http://www.blacknight.ie/ > > Tel. 1850 927 280 > > Intl. +353 (0) 59 9183072 > > Direct Dial: +353 (0)59 9183090 > > Fax. +353 (0) 59 9164239 > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From rcooper at dwford.com Thu Aug 10 21:53:50 2006 From: rcooper at dwford.com (Rick Cooper) Date: Thu Aug 10 21:53:59 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Julian > Field > Sent: Thursday, August 10, 2006 3:58 PM > To: MailScanner discussion > Subject: Re: MailScanner ANNOUNCE: Revision to 4.55 > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Scott Silva wrote: > > Julian Field spake the following on 8/7/2006 10:46 AM: > >> The author of the Sys::Syslog perl module has withdrawn it due to > >> problems including compatibility issues with some Linux distributions. > >> The most obvious effect is that the "make test" step may hang part-way > >> through the tests. > >> > >> As a result, I have had no alternative other than to > reluctantly publish > >> a revision of the latest stable release of MailScanner. > >> > >> If you had problems installing 4.55.9 (notably on some CentOS systems) > >> then download and upgrade to 4.55.10. > >> > >> Download as usual from www.mailscanner.info > >> > >> Note that if you had no problems installing 4.55.9, there is no reason > >> to upgrade to 4.55.10. > >> > >> Sorry for this forced re-release. > >> > > Does anything change in MailScanner, or is it just the rollback of the > > Sys::Syslog module? > > What I ended up doing in the end was shipping a version of Sys-Syslog > 0.17 that skips the "make test" stage, which can lock-up. > 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up > on other systems. > > I wish the author of this could get his act together and produce some > code which worked, it would make my life a whole lot easier :-( > > Is there a reason you need Sys::Syslog as opposed to Unix::Syslog? 
The biggest differences between them seem to be the fact that Unix::Syslog doesn't open a network connection to syslogd (which may well cause some of the problems on some linux systems), and Unix::Syslog uses numeric constants (parameters) in places that Sys::Syslog uses strings. Converting to Unix::Syslog might be a better long term answer. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:28:44 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:28:56 2006 Subject: ALLOW FILETYPES in MailScanner.conf In-Reply-To: References: Message-ID: <44DBA50C.7010906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: >>> What I'm doing is setting up a particular user to be able to send my >>> users .mp3 files, so I have the following files set up: >>> >>> %etc-dir%/allow.filenames.rules >>> From: joe.blow@somedomain.com \.mp3$ >>> >>> %etc-dir%/allow.filetypes.rules >>> From: joe.blow@somedomain.com MPEG >>> >>> Is that correct, or do I really need \.mp3$ in both the filename and >>> filetype rule files? >> No, you've got it absolutely correct. > > Almost absolutely correct. Instead of %etc-dir% I meant to say > %etc-dir%/rules/ but even better is %rules-dir%. > > Seems to be working a treat - nice feature Julian... Thanks. I originally wrote it for automatic configuration generation systems, as it's simpler to control as it's just another ruleset. Tinkering with filename/filetype.rules.conf is a whole new chunk of code. But the advantage is you can put whitespace in the pattern-matches in filename/type.rules.conf. And you can intermingle allow and deny rules. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE26UPEfZZRxQVtlQRAiQ3AJ4v+knH8VZid77zJQwuThB5iEf6qQCfctji
9WcYU7XwnKYkyrCjj9Skaak=
=mdOc
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:33:10 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 10 22:33:21 2006
Subject: gOCR SpamAssassin plugin
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org>
Message-ID: <44DBA616.6000003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The solution to this that I have just deployed here is "greylisting". I have set the delay time to 10 minutes, and the whitelist-remember time to 32 days. No-one notices the 10 minutes delay on the first email in a conversation, and 32 days means that the monthly email reminder messages from mailing lists are whitelisted.

My users are *really* fussy, and I ran a trial of greylisting for a week with a few selected users who opted in to the trial. I purposely didn't tell them what I was changing so I could run a proper blind test. Not one of them noticed the 10 minute delay time.

So I have just deployed it out to all 2000 users I have, and there have been no complaints at all. It has got rid of the single-image stock adverts completely. :-)

Daniel Maher wrote:
> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well?
>
> --
> _
> °v°
Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 XD/0cflE3euPCUqXSdxU6CI= =vULH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
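
The greylisting behaviour described in the message above, as an added example that is not part of the original post and not the code of any greylisting package: a small simulation using the 10-minute delay and 32-day whitelist time quoted there. The (client IP, sender, recipient) triplet key, the `pending_ttl` value, the retry schedules and all addresses are assumptions constructed for the example.

```python
"""Greylisting decision logic, simulated offline (added example)."""
from dataclasses import dataclass, field

MINUTE = 60
DAY = 24 * 60 * MINUTE


@dataclass
class Greylist:
    delay: int = 10 * MINUTE        # delay time quoted in the message above
    whitelist_ttl: int = 32 * DAY   # whitelist-remember time quoted above
    pending_ttl: int = 5 * DAY      # assumption: lifetime of an unconfirmed triplet
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    whitelist: dict = field(default_factory=dict)  # triplet -> expiry time

    def check(self, triplet, now):
        """Return 'accept' or 'tempfail' (an SMTP 4xx reply) for one attempt."""
        expiry = self.whitelist.get(triplet)
        if expiry is not None:
            if now <= expiry:
                # Known good triplet: accept and extend its lifetime.
                self.whitelist[triplet] = now + self.whitelist_ttl
                return "accept"
            del self.whitelist[triplet]  # aged out, treat as a stranger again
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.pending_ttl:
            self.pending[triplet] = now  # first contact: remember it and defer
            return "tempfail"
        if now - first_seen < self.delay:
            return "tempfail"            # retried before the delay elapsed
        del self.pending[triplet]
        self.whitelist[triplet] = now + self.whitelist_ttl
        return "accept"


def delivery_delay(greylist, triplet, start, retry_offsets):
    """Seconds from the first attempt until acceptance, or None if never accepted."""
    for offset in [0] + list(retry_offsets):
        if greylist.check(triplet, start + offset) == "accept":
            return offset
    return None


def run_demo():
    """Run constructed sender behaviours against the greylist and collect delays."""
    results = {}
    gl = Greylist()

    # Constructed triplets: documentation IP range and example domains.
    patient = ("192.0.2.10", "alice@example.org", "user@example.net")
    eager = ("192.0.2.20", "bob@example.org", "user@example.net")
    one_shot = ("192.0.2.30", "bulk@example.com", "user@example.net")
    monthly = ("192.0.2.40", "list-bounces@example.org", "user@example.net")

    # A sender that retries every 30 minutes waits 30 minutes, not 10:
    # the sender's retry schedule sets the real delay.
    results["retry_30min"] = delivery_delay(
        gl, patient, 0, [30 * MINUTE, 60 * MINUTE])
    # A sender retrying at 1, 5 and 15 minutes gets through at 15 minutes.
    results["retry_fast"] = delivery_delay(
        gl, eager, 0, [1 * MINUTE, 5 * MINUTE, 15 * MINUTE])
    # A client that sends once and never retries is never accepted.
    results["no_retry"] = delivery_delay(gl, one_shot, 0, [])

    # Monthly mailing-list reminder: first mail is delayed, the one sent
    # 31 days later is accepted at once because 32 days > one month.
    results["monthly_first"] = delivery_delay(gl, monthly, 0, [30 * MINUTE])
    results["monthly_second_ttl32"] = delivery_delay(
        gl, monthly, 31 * DAY, [30 * MINUTE])

    # Same traffic with a 30-day whitelist: the entry has expired by day 31,
    # so the monthly reminder is greylisted all over again.
    short = Greylist(whitelist_ttl=30 * DAY)
    delivery_delay(short, monthly, 0, [30 * MINUTE])
    results["monthly_second_ttl30"] = delivery_delay(
        short, monthly, 31 * DAY, [30 * MINUTE])
    return results


if __name__ == "__main__":
    for name, delay in run_demo().items():
        print(f"{name:22s} {'never accepted' if delay is None else f'{delay // MINUTE} min'}")
```
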
From rpoe at plattesheriff.org Thu Aug 10 22:45:08 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Aug 10 22:45:31 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Message-ID: <44DB6297.65ED.00A2.0@plattesheriff.org> One of my clients has that .. works just dandy.. >>> 8/8/2006 12:09 PM >>> Does anyone have an opinion on installing hylafax on a lightly loaded mailscanner pc? Normally, I'd toss another machine in for such a different application, but this customer is experiencing server "sprawl". Any thoughts? Thanks, Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ugob at camo-route.com Thu Aug 10 22:45:23 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 10 22:45:35 2006 Subject: weird spam, included in a word document Message-ID: Hi, I just received one funny spam. The subject is : "Bill Summary - Invoice #26820". The body is "Invoice Code Change to Invoice Identifier" And there is a word document attached. I scanned it with bitdefender, symantec, clamav, norman and AVG before opening it and it is... spam (software sellers). Anyone getting these? Ugo From rpoe at plattesheriff.org Thu Aug 10 22:47:38 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Aug 10 22:47:59 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net> Message-ID: <44DB632C.65ED.00A2.0@plattesheriff.org> >>> Does anyone have an opinion on installing hylafax on a lightly loaded >>> mailscanner pc? 
Normally, I'd toss another machine in for such a
>>> different application, but this customer is experiencing server
>>> "sprawl".
>>>Any thoughts?

>>So, you want MailScanner to fax high scoring spam? :-)
>>Hylafax is pretty stable stuff. There shouldn't be any problems as long
>>as you set your iptables rules to protect Hylafax's ports from the
>> Internet.

>Sounds like a new application ...
>FaxScanner .. Stops your junk faxes cold!

With SA's image OCR module .. could probably be done!

From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:50:54 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 10 22:51:08 2006
Subject: quarantine password-protected files
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
Message-ID: <44DBAA3E.6070907@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James D. Parra wrote:
>> I have been just storing all messages for a short period of time. Then you can
>> release anything you need to, and you can set up the system to kill after a
>> set number of days. Mailwatch makes this even easier.
>
> Hello Scott,
>
> How do you set this up if you're not using mailwatch?

To clean out your quarantine regularly, with a variable limit on how long you keep files, take a look in /etc/cron.daily/clean.quarantine.

There are a couple of settings at the top that you might want to change.

1) $disabled = 1;
   Set this to 0 if you want to enable this process at all.
2) $days_to_keep = 30;
   This is, as it says, the number of days you want to keep in the quarantine.

Just change those 2 numbers and save the file. It will enable itself, you don't need to type anything to make it go.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26pCEfZZRxQVtlQRAnCjAKCwWMVoA01oOE3loL0KGJ+sthlf5gCfSyB9 S5uqDdDdUTIhOGWXxmzaHZo= =7ga2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From alex at nkpanama.com Thu Aug 10 22:54:36 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 22:54:53 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DBA616.6000003@ecs.soton.ac.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> Message-ID: <44DBAB1C.1070009@nkpanama.com> I've set it to as little as 30 seconds with success. People notice it even less. May we inquire which of the many greylisting methods you used? Julian Field wrote: > The solution to this that I have just deployed here is "greylisting". I > have set the delay time to 10 minutes, and the whitelist-remember time > to 32 days. No-one notices the 10 minutes delay on the first email in a > conversation, and 32 days means that the monthly email reminder messages > from mailing lists are whitelisted. > > My users are *really* fussy, and I ran a trial of greylisting for a week > with a few selected users who opted in to the trial. I purposely didn't > tell them what I was changing so I could run a proper blind test. Not > one of them noticed the 10 minute delay time. So I have just deployed it > out to all 2000 users I have, and there have been no complaints at all. > > It has got rid of the single-image stock adverts completely. > :-) > > > Daniel Maher wrote: >> I've noticed that a lot of the image spam uses bitmap (.bmp) images. 
Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > >> -- >> _ >> ?v? Daniel Maher >> /(_)\ Administrateur Syst?me Unix >> ^ ^ Unix System Administrator > >> Sentio aliquos togatos contra me conspirare. >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>> Blacknight.ie >>> Sent: August 7, 2006 9:53 AM >>> To: MailScanner discussion >>> Subject: Re: gOCR SpamAssassin plugin >>> >>> The one that Dallas posted on the SA users group seems to work well: >>> >>> http://www.rulesemporium.com/plugins.htm#imageinfo >>> >>> -- >>> Mr Michele Neylon >>> Blacknight Solutions >>> Quality Business Hosting & Colocation >>> http://www.blacknight.ie/ >>> Tel. 1850 927 280 >>> Intl. +353 (0) 59 9183072 >>> Direct Dial: +353 (0)59 9183090 >>> Fax. +353 (0) 59 9164239 >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! > From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:55:46 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:55:54 2006 Subject: Multiple mqueue.in directories with priority In-Reply-To: <05b001c6bc0e$0b785f80$0500000a@blessin> References: <05b001c6bc0e$0b785f80$0500000a@blessin> Message-ID: <44DBAB62.9090308@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Roman wrote: > I am trying to figure out how can I set up MailScanner & sendmail this way > that I'll be able to have 2 separated mqueue.in directories. > > I have one email account through which I send news letters (20-40k emails) > and other emails that I use for regular emails. 
> > The problem is when the newsletter being send out it fills mqueue.in > and mail can not be delivered before MailScanner scans all 20-40k emails. > > I saw posts here that people were able to configure different outgoing > queues (fast, slow) > But I think that the bottleneck is SPAM and Virus scanning in > Mailscanner. So I want to separate > queues before it gets to MailScanner processing > . > What I would like to achieve is have a mqueue.in.normal and mqueue.in.slow > so that regular mail goes to mqueue.in.normal and newsletter mail will > go to mqueue.in.slow > and have some mechanism to move messages from mqueue.in.normal and > mqueue.in.slow to MailScanner mqueue.in for processing and delivery, or > have MailScanner process both directories with some priority. > This way regular mail won't stack in mqueue.in waiting to be delivered > only after all newsletters have been delivered. > > Have anyone was able to achieve something similar to what I am trying to > achieve. > Am I missing something ? > Any ideas ? You can tell MailScanner to use multiple incoming mqueue.in queues, that's easy, read the docs in MailScanner.conf where you set the mqueue.in directory location. However, that won't provide you with any priority over the 2 queues. To do that you will need some script that puts things from the low priority queue into MailScanner only when there is virtually nothing in the high priority queue. I could write this for you, but I would have to charge you for doing it, as I have to pay the bills just like anyone else. You guys get MailScanner for free, but you don't get the rest of my time for free, sorry. But it's not a very big job, so won't cost you a fortune. Let me know off-list if you are interested. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26tkEfZZRxQVtlQRAttpAKDDvB/5iQl83kiI3f267AZCLlYRzwCbBe1S dxdysjTFbQA88hZuTGFYVkc= =G3S2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 22:55:58 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 10 22:56:02 2006 Subject: weird spam, included in a word document In-Reply-To: Message-ID: Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo I got one. Thought it was mildly more novel than most spam but didn't give it any thought after that... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Jamesp at MusicReports.com Thu Aug 10 23:12:31 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 23:12:38 2006 Subject: releasing mail from quarantine -- postfix Message-ID: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> Hello, Followed the instructions from the link , but the message is a 'human-readable' file and not a 'raw mail queue file'. Can it still be sent to the user? There are embedded e-mails within it. 
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail

Here is the dir' the file is stored in;

master:/var/spool/MailScanner/quarantine/20060810 # ls -lR 9D213185489.BA6DD/
9D213185489.BA6DD/:
total 892
drwx------ 2 postfix postfix   4096 Aug 10 06:28 .
drwx------ 5 postfix postfix   4096 Aug 10 11:51 ..
-rwx------ 1 postfix postfix 897418 Aug 10 06:28 message

Postcat can view the file named 'message'. I ran 'chmod 700 message', then ran 'cp -p message /var/spool/postfic/incoming/9' which just sat there. Afterwards, I ran 'cp -p message /var/spool/postfic/incoming/9D213185489', which appeared to have gone, but never made it to the user. What can I do to get this message to the user?

Thank you,

James

From dave.list at pixelhammer.com Thu Aug 10 23:17:02 2006
From: dave.list at pixelhammer.com (DAve)
Date: Thu Aug 10 23:17:38 2006
Subject: weird spam, included in a word document
In-Reply-To:
References:
Message-ID: <44DBB05E.1040204@pixelhammer.com>

Ugo Bellavance wrote:
> Hi,
>
> I just received one funny spam. The subject is : "Bill Summary -
> Invoice #26820".
>
> The body is "Invoice Code Change to Invoice Identifier"
>
> And there is a word document attached. I scanned it with bitdefender,
> symantec, clamav, norman and AVG before opening it and it is... spam
> (software sellers).
>
> Anyone getting these?
>
> Ugo
>

I got a few for training, most went through with too low a score. The invoice number changes. Need some? I can spare a few hundred ;^)

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
From ka at pacific.net Thu Aug 10 23:28:43 2006 From: ka at pacific.net (Ken A) Date: Thu Aug 10 23:27:47 2006 Subject: weird spam, included in a word document In-Reply-To: References: Message-ID: <44DBB31B.1070601@pacific.net> Just got subject: "August Payment Summary, Invoice #14677" Body was "ou MUST show the UCAR Invoice Number" back-to-school software sale spam in word doc... Ken A. Pacific.Net Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > From glenn.steen at gmail.com Fri Aug 11 00:14:14 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 11 00:14:19 2006 Subject: releasing mail from quarantine -- postfix In-Reply-To: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> Message-ID: <223f97700608101614s1c675203vbc9942f921ff261e@mail.gmail.com> On 11/08/06, James D. Parra wrote: > Hello, > > Followed the instructions from the link , but the message is a > 'human-readable' file and not a 'raw mail queue file'. Can it still be sent > to the user? There are embedded e-mails within it. No, you didn't follow it... not the right part at least... A bit further down there are perfectly good instructions for your case... (I know, since I wrote them:-). 
Here's a link (mind the wrapping) ---- http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail#releasing_mail_from_the_quarantine_-_message_files ---- > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:pos > tfix:how_to:release_quarantined_mail > > Here is the dir' the file is stored in; > > master:/var/spool/MailScanner/quarantine/20060810 # ls -lR > 9D213185489.BA6DD/ > 9D213185489.BA6DD/: > total 892 > drwx------ 2 postfix postfix 4096 Aug 10 06:28 . > drwx------ 5 postfix postfix 4096 Aug 10 11:51 .. > -rwx------ 1 postfix postfix 897418 Aug 10 06:28 message > > Postcat can view the file named 'message'. I ran 'chmod 700 message', then > ran 'cp -p message /var/spool/postfic/incoming/9' which just sat there. > After wards, I ran 'cp -p message /var/spool/postfic/incoming/9D213185489', > which appeared to have went, but never made it to the user. What can I do > to get this message to the user? Postcat just *looks* like it doing its job, but it really isn't... Postfix as such isn't fooled though, and has probably put that message file into its corrupted folder (correctly so, one might add:). Use the sendmail (convenience command) method as outlined in the wiki, and you'll be fine. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Jamesp at MusicReports.com Fri Aug 11 00:44:05 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Fri Aug 11 00:44:17 2006 Subject: releasing mail from quarantine -- postfix Message-ID: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> >Postcat just *looks* like it doing its job, but it really isn't... >Postfix as such isn't fooled though, and has probably put that message >file into its corrupted folder (correctly so, one might add:). >Use the sendmail (convenience command) method as outlined in the wiki, >and you'll be fine. Hello Glen, Thanks for info. 
I didn't install sendmail on this server so I didn't think the 'sendmail' command would work. Although, it did work, but with one oddity; the message went through Mailscanner as was quarantined again! Oh boy. How can I get the message through to postfix without it getting quarantined again? Error; {Dangerous Content} MailScanner: Too many attachments in message Many thanks, ~James From ugob at camo-route.com Fri Aug 11 01:40:20 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Aug 11 01:40:30 2006 Subject: releasing mail from quarantine -- postfix In-Reply-To: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> Message-ID: James D. Parra wrote: >> Postcat just *looks* like it doing its job, but it really isn't... >> Postfix as such isn't fooled though, and has probably put that message >> file into its corrupted folder (correctly so, one might add:). >> Use the sendmail (convenience command) method as outlined in the wiki, >> and you'll be fine. > > Hello Glen, > > Thanks for info. I didn't install sendmail on this server so I didn't think > the 'sendmail' command would work. Although, it did work, but with one > oddity; the message went through Mailscanner as was quarantined again! Oh > boy. > > How can I get the message through to postfix without it getting quarantined > again? > > Error; {Dangerous Content} > MailScanner: Too many attachments in message Create a ruleset so that messages from the apache user (apache on redhat servers, nobody if compiled from source. Or you can use 127.0.0.1 but that is riskier. 
> > Many thanks, > > ~James > From andoni.auzmendi at robertwalters.com Fri Aug 11 08:37:34 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Fri Aug 11 08:37:59 2006 Subject: weird spam, included in a word document Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B219@PAT.internal.robertwalters.com> My users only reported one of those yesterday but it may well be a new spamming trend. Andoni -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: 10 August 2006 23:29 To: MailScanner discussion Subject: Re: weird spam, included in a word document Just got subject: "August Payment Summary, Invoice #14677" Body was "ou MUST show the UCAR Invoice Number" back-to-school software sale spam in word doc... Ken A. Pacific.Net Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. 
www.mimesweeper.com ********************************************************************** From a.peacock at chime.ucl.ac.uk Fri Aug 11 08:41:37 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 11 08:42:01 2006 Subject: weird spam, included in a word document In-Reply-To: References: Message-ID: <44DC34B1.2000507@chime.ucl.ac.uk> Hi, Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > Getting loads, but they are all getting caught scoring about 10 SA points. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From MailScanner at ecs.soton.ac.uk Fri Aug 11 08:46:00 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 08:46:25 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DBAB1C.1070009@nkpanama.com> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> <44DBAB1C.1070009@nkpanama.com> Message-ID: <44DC35B8.5080809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 milter-greylist on sendmail. I didn't realise there were different methods to use. Alex Neuman van der Hans wrote: > I've set it to as little as 30 seconds with success. People notice it > even less. > > May we inquire which of the many greylisting methods you used? > > Julian Field wrote: > >> The solution to this that I have just deployed here is "greylisting". 
I >> have set the delay time to 10 minutes, and the whitelist-remember time >> to 32 days. No-one notices the 10 minutes delay on the first email in a >> conversation, and 32 days means that the monthly email reminder messages >> from mailing lists are whitelisted. >> >> My users are *really* fussy, and I ran a trial of greylisting for a week >> with a few selected users who opted in to the trial. I purposely didn't >> tell them what I was changing so I could run a proper blind test. Not >> one of them noticed the 10 minute delay time. So I have just deployed it >> out to all 2000 users I have, and there have been no complaints at all. >> >> It has got rid of the single-image stock adverts completely. >> :-) >> >> >> Daniel Maher wrote: >> >>> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? >>> >>> -- >>> _ >>> ?v? Daniel Maher >>> /(_)\ Administrateur Syst?me Unix >>> ^ ^ Unix System Administrator >>> >>> Sentio aliquos togatos contra me conspirare. >>> >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>>> Blacknight.ie >>>> Sent: August 7, 2006 9:53 AM >>>> To: MailScanner discussion >>>> Subject: Re: gOCR SpamAssassin plugin >>>> >>>> The one that Dallas posted on the SA users group seems to work well: >>>> >>>> http://www.rulesemporium.com/plugins.htm#imageinfo >>>> >>>> -- >>>> Mr Michele Neylon >>>> Blacknight Solutions >>>> Quality Business Hosting & Colocation >>>> http://www.blacknight.ie/ >>>> Tel. 1850 927 280 >>>> Intl. +353 (0) 59 9183072 >>>> Direct Dial: +353 (0)59 9183090 >>>> Fax. 
+353 (0) 59 9164239 >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3DW4EfZZRxQVtlQRAqpKAJ9N3IldUhrW8OzuYOUqf2sGaPAkDQCeLqsP D35wAkQEkChtpHFGUFGQZP4= =Pa10 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From t.d.lee at durham.ac.uk Fri Aug 11 10:06:14 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Aug 11 10:06:42 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44DB8FC4.8080302@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: On Thu, 10 Aug 2006, Julian Field wrote: > What I ended up doing in the end was shipping a version of Sys-Syslog > 0.17 that skips the "make test" stage, which can lock-up. > 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up > on other systems. > > I wish the author of this could get his act together and produce some > code which worked, it would make my life a whole lot easier :-( Julian: Presumably you have informed the author, to alert him/her of the problems we have encountered? They might not be aware of any problems... If you have informed then, and if your request has fallen into a black hole, then perhaps someone here on the MailScanner list (especially, perhaps, if they are already a CPAN maintainer) might be persuaded (encouraged, cajoled, etc.) to adopt ownership of the module. -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From mailscanner at mango.zw Fri Aug 11 10:31:07 2006 From: mailscanner at mango.zw (Jim Holland) Date: Fri Aug 11 10:38:18 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DBA616.6000003@ecs.soton.ac.uk> Message-ID: On Thu, 10 Aug 2006, Julian Field wrote: > The solution to this that I have just deployed here is "greylisting". I > have set the delay time to 10 minutes, and the whitelist-remember time > to 32 days. No-one notices the 10 minutes delay on the first email in a > conversation, and 32 days means that the monthly email reminder messages > from mailing lists are whitelisted. > > My users are *really* fussy, and I ran a trial of greylisting for a week > with a few selected users who opted in to the trial. I purposely didn't > tell them what I was changing so I could run a proper blind test. Not > one of them noticed the 10 minute delay time. So I have just deployed it > out to all 2000 users I have, and there have been no complaints at all. I am puzzled to hear this, because the 10 minute delay time is set on your side - ie the delay time between connection attempts before your server will accept the connection. However it doesn't take into consideration the problem of the delay that will occur on the sending side between delivery attempts. Many systems will retry delivery only after a fairly long interval. The default for sendmail is 30 minutes, but some busy systems will have a default of as long as 4 hours. This means that in practice I would expect the real delay to be far longer than 10 minutes for many messages. Worse still, there are some systems that will treat a 451 error as a fatal error, and will not retry the mail. I have found this with Yahoo and Gmail, for example. 
(I was trying to force them to deliver to our secondary MX that has more bandwidth than we do because of their very annoying failure to implement the ESMTP "size" extension - meaning that we sometimes have to accept say 10 MB of traffic before we can then tell them that the message is too large.)

Another concern is the impact that greylisting would have on the Internet if its adoption became widespread - it would mean that all mail servers would have to work twice as hard to deliver mail. I do find the delivery delays rather annoying as a sender of mail - seeing mail stuck in the mail queue waiting for some possibly unknown period of time before it gets accepted.

That said, I am sure that greylisting does make a big impact on spam for those that implement it.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

> It has got rid of the single-image stock adverts completely. :-)
> Daniel Maher wrote:
> > I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well?
> >
> > --
> > _
> > ?v? Daniel Maher
> > /(_)\ Administrateur Système Unix
> > ^ ^ Unix System Administrator
> >
> > Sentio aliquos togatos contra me conspirare.
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon::
> >> Blacknight.ie
> >> Sent: August 7, 2006 9:53 AM
> >> To: MailScanner discussion
> >> Subject: Re: gOCR SpamAssassin plugin
> >>
> >> The one that Dallas posted on the SA users group seems to work well:
> >>
> >> http://www.rulesemporium.com/plugins.htm#imageinfo
> >>
> >> --
> >> Mr Michele Neylon
> >> Blacknight Solutions
> >> Quality Business Hosting & Colocation
> >> http://www.blacknight.ie/
> >> Tel. 1850 927 280
> >> Intl.
+353 (0) 59 9183072 > >> Direct Dial: +353 (0)59 9183090 > >> Fax. +353 (0) 59 9164239 > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Get your PCs and servers from Transtec.de, very well built and reliable! > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 > XD/0cflE3euPCUqXSdxU6CI= > =vULH > -----END PGP SIGNATURE----- > > From support-lists at petdoctors.co.uk Fri Aug 11 11:17:46 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Aug 11 11:16:03 2006 Subject: Searching and recovering mails from /var/spool/mailScanner/archive Message-ID: <00c701c6bd2f$63f3ea40$1465a8c0@support01> Hi Folks, No doubt this has been asked before but I'm not having much luck searching for ideas so... I have to search and recover some emails from the MailScanner archive folders - are there any nice tools to do this before I start to do some scripting? 
Thanks Nigel Kendrick From MailScanner at ecs.soton.ac.uk Fri Aug 11 11:37:05 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 11:37:36 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: <44DC5DD1.5040004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Lee wrote: > On Thu, 10 Aug 2006, Julian Field wrote: > > >> What I ended up doing in the end was shipping a version of Sys-Syslog >> 0.17 that skips the "make test" stage, which can lock-up. >> 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up >> on other systems. >> >> I wish the author of this could get his act together and produce some >> code which worked, it would make my life a whole lot easier :-( >> > > Julian: Presumably you have informed the author, to alert him/her of the > problems we have encountered? They might not be aware of any problems... > I've got a To Do list as long as your arm at the moment. Is there any chance someone else could do this for me please? The make test was locking up on some CentOS systems. Steve Swaney knows more details, he is the person who informed me in the first place. > If you have informed then, and if your request has fallen into a black > hole, then perhaps someone here on the MailScanner list (especially, > perhaps, if they are already a CPAN maintainer) might be persuaded > (encouraged, cajoled, etc.) to adopt ownership of the module. 
> > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3F3SEfZZRxQVtlQRAsVjAJ0dOo8VtV87bkPM/p5kKLVTQNX2kgCcCGvs ecaAgvoVXLfSJn9qVePbU/s= =4Wbh -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From pascal.maes at elec.ucl.ac.be Fri Aug 11 12:18:18 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Fri Aug 11 12:18:27 2006 Subject: Problems on Solaris x86 Message-ID: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> Hello, I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 system. The MTA is postfix and MailScanner is running as the postfix User. I have the following problems : - there are no logging - when I run MailScanner in debug mode, it works : # ../bin/MailScanner In Debugging mode, not forking... Ignore errors about failing to find EOCD signature Stopping now as you are debugging me. and the mails which are in the queue are sent. - when I start MailScanner not in debug mode, it forks (until the limit), but nothing happens It's the same if I launch MailScanner in foreground : # ../bin/MailScanner MailScanner 4.55.10 starting in foreground mode - pid is [4162] About to fork child #1 of 10... Forked OK - new child is [4163] About to fork child #2 of 10... Forked OK - new child is [4164] ... About to fork child #10 of 10... Forked OK - new child is [4172] but nothing else. Of course, without any logging, it's not easy to find the problem Same problem with MailScanner 4.54-6 Any idea ? 
-- Pascal From MailScanner at ecs.soton.ac.uk Fri Aug 11 12:20:37 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 12:21:06 2006 Subject: OT - Greylisting In-Reply-To: References: Message-ID: <44DC6805.9040708@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Holland wrote: > On Thu, 10 Aug 2006, Julian Field wrote: > > >> The solution to this that I have just deployed here is "greylisting". I >> have set the delay time to 10 minutes, and the whitelist-remember time >> to 32 days. No-one notices the 10 minutes delay on the first email in a >> conversation, and 32 days means that the monthly email reminder messages >> from mailing lists are whitelisted. >> >> My users are *really* fussy, and I ran a trial of greylisting for a week >> with a few selected users who opted in to the trial. I purposely didn't >> tell them what I was changing so I could run a proper blind test. Not >> one of them noticed the 10 minute delay time. So I have just deployed it >> out to all 2000 users I have, and there have been no complaints at all. >> > > I am puzzled to hear this, because the 10 minute delay time is set on your > side - ie the delay time between connection attempts before your server > will accept the connection. However it doesn't take into consideration > the problem of the delay that will occur on the sending side between > delivery attempts. Many systems will retry delivery only after a fairly > long interval. The default for sendmail is 30 minutes, but some busy > systems will have a default of as long as 4 hours. This means that in > practice I would expect the real delay to be far longer than 10 minutes > for many messages. > > Worse still, there are some systems that will treat a 451 error as a fatal > error, and will not retry the mail. I have found this with Yahoo and > Gmail, for example. 
(I was trying to force them to deliver to our > secondary MX that has more bandwidth than we do because of their very > annoying failure to implement the ESTMP "size" extension - meaning that we > sometimes have to accept say 10 MB of traffic before we can then tell them > that the message is too large.) > There is a list of the known large sites that suffer this problem, you just put it in your greylist.conf file. The milter-greylist package comes with it already inserted for you. http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.12 > Another concern is the impact that greylisting would have on the Internet > if its adoption became widespread - it would mean that all mail servers > would have to work twice as hard to deliver mail. I do find the delivery > delays rather annoying as a sender of mail - seeing mail stuck in the mail > queue waiting for some possibly unknown period of time before it gets > accepted. > I agree with you. But in practice no-one appears to notice. After all, how many people sit there tail-ing their outgoing mail logs? > That said, I am sure that greylisting does make a big impact on spam for > those that implement it. > It certainly does. I quite agree that there are various aspects of greylisting with which I am not entirely happy, but the advantages for my users outweigh them substantially. My management, who are not PHB's at all, agree with me. I am in the lucky position of having bosses who I respect :-) >> It has got rid of the single-image stock adverts completely. :-) >> > > >> Daniel Maher wrote: >> >>> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? >>> >>> -- >>> _ >>> ?v? Daniel Maher >>> /(_)\ Administrateur Syst?me Unix >>> ^ ^ Unix System Administrator >>> >>> Sentio aliquos togatos contra me conspirare. 
>>> >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>>> Blacknight.ie >>>> Sent: August 7, 2006 9:53 AM >>>> To: MailScanner discussion >>>> Subject: Re: gOCR SpamAssassin plugin >>>> >>>> The one that Dallas posted on the SA users group seems to work well: >>>> >>>> http://www.rulesemporium.com/plugins.htm#imageinfo >>>> >>>> -- >>>> Mr Michele Neylon >>>> Blacknight Solutions >>>> Quality Business Hosting & Colocation >>>> http://www.blacknight.ie/ >>>> Tel. 1850 927 280 >>>> Intl. +353 (0) 59 9183072 >>>> Direct Dial: +353 (0)59 9183090 >>>> Fax. +353 (0) 59 9164239 >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >> - -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Get your PCs and servers from Transtec.de, very well built and reliable! 
>> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP SDK 3.7.0 >> Charset: ISO-8859-1 >> >> wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 >> XD/0cflE3euPCUqXSdxU6CI= >> =vULH >> -----END PGP SIGNATURE----- >> >> >> > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3GgGEfZZRxQVtlQRAr9mAKCBl9c9OVzvCerwHzbgVoyWHQ1e2QCgsDLK BvSzpboCTRXZFWQZZokaIpw= =//bR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Fri Aug 11 13:30:14 2006 From: dave.list at pixelhammer.com (DAve) Date: Fri Aug 11 13:30:26 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC34B1.2000507@chime.ucl.ac.uk> References: <44DC34B1.2000507@chime.ucl.ac.uk> Message-ID: <44DC7856.9090504@pixelhammer.com> Anthony Peacock wrote: > Hi, > > Ugo Bellavance wrote: >> Hi, >> >> I just received one funny spam. The subject is : "Bill Summary - >> Invoice #26820". >> >> The body is "Invoice Code Change to Invoice Identifier" >> >> And there is a word document attached. I scanned it with bitdefender, >> symantec, clamav, norman and AVG before opening it and it is... spam >> (software sellers). >> >> Anyone getting these? >> >> Ugo >> > > Getting loads, but they are all getting caught scoring about 10 SA points. > Can you post your test results? Our SA is missing them completely. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From jayesha_shinde at yahoo.com Fri Aug 11 13:34:04 2006 From: jayesha_shinde at yahoo.com (jay shi) Date: Fri Aug 11 13:34:07 2006 Subject: Rul set for Spam Subject Text ??? Message-ID: <20060811123404.94338.qmail@web54407.mail.yahoo.com> Hi , I am using MailScanner 4.48.4 with multidomain sendmail. For low Score SPAM i am using this Spam Subject Text = {possible spam} as a tag One of my domain ask me, he dont't want this tag , but other domains are demanding this feature. i want to write rule set for above condition,i made the required rulset but it is not working.Is any one knows how to write this rule set ? Thanks & Regards Jayesh __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From alex at nkpanama.com Fri Aug 11 13:35:19 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Aug 11 13:35:34 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DC35B8.5080809@ecs.soton.ac.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> <44DBAB1C.1070009@nkpanama.com> <44DC35B8.5080809@ecs.soton.ac.uk> Message-ID: <44DC7987.3000605@nkpanama.com> Julian Field wrote: > milter-greylist on sendmail. I didn't realise there were different > methods to use. For one of the lists, you can see: http://projects.puremagic.com/greylisting/links.html From a.peacock at chime.ucl.ac.uk Fri Aug 11 13:39:28 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 11 13:40:03 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC7856.9090504@pixelhammer.com> References: <44DC34B1.2000507@chime.ucl.ac.uk> <44DC7856.9090504@pixelhammer.com> Message-ID: <44DC7A80.8090104@chime.ucl.ac.uk> Hi, DAve wrote: > Anthony Peacock wrote: >> Hi, >> >> Ugo Bellavance wrote: >>> Hi, >>> >>> I just received one funny spam. The subject is : "Bill Summary - >>> Invoice #26820". 
>>>
>>> The body is "Invoice Code Change to Invoice Identifier"
>>>
>>> And there is a word document attached. I scanned it with
>>> bitdefender, symantec, clamav, norman and AVG before opening it and
>>> it is... spam (software sellers).
>>>
>>> Anyone getting these?
>>>
>>> Ugo
>>>
>>
>> Getting loads, but they are all getting caught scoring about 10 SA
>> points.
>>
>
> Can you post your test results? Our SA is missing them completely.

One recent one:

3.50  BAYES_99                Bayesian spam probability is 99 to 100%
2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL

Another one:

3.50  BAYES_99                Bayesian spam probability is 99 to 100%
2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.56  RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
1.95  RCVD_IN_NJABL_DUL       NJABL: dialup sender did non-local SMTP
2.05  RCVD_IN_SORBS_DUL       SORBS: sent directly from dynamic IP address
1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From shuttlebox at gmail.com Fri Aug 11 13:48:43 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Fri Aug 11 13:48:45 2006
Subject: Rul set for Spam Subject Text ???
In-Reply-To: <20060811123404.94338.qmail@web54407.mail.yahoo.com> References: <20060811123404.94338.qmail@web54407.mail.yahoo.com> Message-ID: <625385e30608110548h3d5390i7ec88e7b5a29db10@mail.gmail.com> On 8/11/06, jay shi wrote: > Hi , > I am using MailScanner 4.48.4 with multidomain > sendmail. For low Score SPAM i am using this > Spam Subject Text = {possible spam} as a tag > One of my domain ask me, he dont't want this tag > , but other domains are demanding this feature. > i want to write rule set for above condition,i > made > the required rulset but it is not working.Is any one > knows how to write this rule set ? Use a ruleset with yes/no on this option: Spam Modify Subject = yes If it doesn't work, post your ruleset to help us help you. -- /peter From dave.list at pixelhammer.com Fri Aug 11 14:02:12 2006 From: dave.list at pixelhammer.com (DAve) Date: Fri Aug 11 14:02:19 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC7A80.8090104@chime.ucl.ac.uk> References: <44DC34B1.2000507@chime.ucl.ac.uk> <44DC7856.9090504@pixelhammer.com> <44DC7A80.8090104@chime.ucl.ac.uk> Message-ID: <44DC7FD4.4020203@pixelhammer.com> Anthony Peacock wrote: > Hi, > > DAve wrote: >> Anthony Peacock wrote: >>> Hi, >>> >>> Ugo Bellavance wrote: >>>> Hi, >>>> >>>> I just received one funny spam. The subject is : "Bill Summary >>>> - Invoice #26820". >>>> >>>> The body is "Invoice Code Change to Invoice Identifier" >>>> >>>> And there is a word document attached. I scanned it with >>>> bitdefender, symantec, clamav, norman and AVG before opening it and >>>> it is... spam (software sellers). >>>> >>>> Anyone getting these? >>>> >>>> Ugo >>>> >>> >>> Getting loads, but they are all getting caught scoring about 10 SA >>> points. >>> >> >> Can you post your test results? Our SA is missing them completely. 
>
> One recent one:
>
> 3.50  BAYES_99                Bayesian spam probability is 99 to 100%
> 2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
> 1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
> 3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL
>
> Another one:
>
> 3.50  BAYES_99                Bayesian spam probability is 99 to 100%
> 2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 1.56  RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
> 1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
> 1.95  RCVD_IN_NJABL_DUL       NJABL: dialup sender did non-local SMTP
> 2.05  RCVD_IN_SORBS_DUL       SORBS: sent directly from dynamic IP address
> 1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
> 3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL
>

Feeding Bayes this morning, can't use NJABL as we are an ISP, no SpamCop thanks, no DCC, XBL? well mine are certainly coming from different IP's than yours.

Thanks,

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From pascal.maes at elec.ucl.ac.be Fri Aug 11 15:38:47 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Aug 11 15:39:00 2006
Subject: Fwd: Problems on Solaris x86
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be>
Message-ID: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be>

Begin forwarded message:

>
> Hello,
>
>
> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86
> system.
> The MTA is postfix and MailScanner is running as the postfix User.
>
> I have the following problems :
>
> - there are no logging

In Log.pm we have :

  eval {
    if ($^O !~ /solaris|sunos|irix/i) {
      Sys::Syslog::setlogsock('unix');
    }
    # else {
    #   Sys::Syslog::setlogsock('stream');
    # }

It seems that for solaris, it should be 'inet' instead of 'unix'

> - when I run MailScanner in debug mode, it works :
>
> # ../bin/MailScanner
> In Debugging mode, not forking...
> Ignore errors about failing to find EOCD signature
> Stopping now as you are debugging me.
>
> and the mails which are in the queue are sent.
>
> - when I start MailScanner not in debug mode, it forks (until
> the limit), but nothing happens
> It's the same if I launch MailScanner in foreground :
>
> # ../bin/MailScanner
> MailScanner 4.55.10 starting in foreground mode - pid is [4162]
> About to fork child #1 of 10...
> Forked OK - new child is [4163]
> About to fork child #2 of 10...
> Forked OK - new child is [4164]
> ...
> About to fork child #10 of 10...
> Forked OK - new child is [4172]
>
> but nothing else.
>
> Of course, without any logging, it's not easy to find the problem
>
> Same problem with MailScanner 4.54-6
>
> Any idea ?

Now, when I start MailScanner I have the following lines in the logfile :

Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results cache
Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin cache database
Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results cache
Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin cache database

but each mail remains in /var/spool/postfix/hold/

In debugging mode, I get :

# /opt/MailScanner/bin/check_mailscanner
Starting MailScanner...
In Debugging mode, not forking...
Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus Scanner version 4.55.10 starting... Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results cache Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin cache database Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus Scanner version 4.55.10 starting... Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results cache Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin cache database Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1 messages, 1232 bytes Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting -- Pascal From t.d.lee at durham.ac.uk Fri Aug 11 15:39:08 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Aug 11 15:39:40 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44DC5DD1.5040004@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> <44DC5DD1.5040004@ecs.soton.ac.uk> Message-ID: On Fri, 11 Aug 2006, Julian Field wrote: > [...] > I've got a To Do list as long as your arm at the moment. Is there any > chance someone else could do this for me please? > > The make test was locking up on some CentOS systems. Steve Swaney knows > more details, he is the person who informed me in the first place. > [...] OK. Although I'm piggy-in-the-middle, unaffected by this problem, I'm attempting to get it raised with the Sys::Syslog folk. Steve Swaney (or someone else): Could you provide me with a concise description of the problem (and relevant OS environments) about this Sys::Syslog 0.17 problem, please? Thanks. (Am I correct in understanding that this problem was new at 0.17?) -- : David Lee I.T. 
Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From jflowers at ezo.net Fri Aug 11 16:36:06 2006
From: jflowers at ezo.net (Jim Flowers)
Date: Fri Aug 11 16:36:20 2006
Subject: Bypass spam scan based on header
Message-ID: <20060811153613.M23587@ezo.net>

My solution was to add a small hack to the CreateList subroutine (line 112) in SQLBlackWhiteList.pm to add a list of names to the whitelist hash just before it returns. As written, these email addresses are whitelisted globally (for all users) in MailScanner. The same technique could be used for a per-domain or per-user basis with a bit more code.

-----------------------------------------------------------------------------
use FileHandle;   # only needed if the module does not already load FileHandle

if ($type eq 'whitelist') {
    # Merge the addresses from an external file into the global
    # ('default') whitelist hash.
    my $fh = new FileHandle;
    my $filename = "/usr/local/share/assp/whitelist";
    $fh->open("< $filename")
        or die "Cannot open config file $filename, $!";
    while(<$fh>) {
        chomp;
        s/^#.*$//;       # blank out comment lines
        s/^\s*//g;       # trim leading whitespace
        s/\s*$//g;       # trim trailing whitespace
        next if /^$/;    # skip empty lines
        if(/^([^@]+@[^@]+\.[A-Za-z]{2,4}).*$/) { # validate and strip off trailing digits
            $BlackWhite->{'default'}{$1} = 1;
        }
    }
    close $fh;
}
----------------------------------------------------------------------------

In this case the names in /usr/local/share/assp/whitelist are of the form username@domain.tld and also have a trailing ^B[0-9]* that is removed by the regexp. This expression may have to be modified to suit the file format.

This subroutine is run on startup and at least every 15 minutes.

--
Jim Flowers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From lshaw at emitinc.com Fri Aug 11 16:52:07 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Fri Aug 11 16:52:17 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: References: Message-ID: On Fri, 11 Aug 2006, Jim Holland wrote: > Another concern is the impact that greylisting would have on the Internet > if its adoption became widespread - it would mean that all mail servers > would have to work twice as hard to deliver mail. Actually, it's only some mail servers. Greylisting lets known senders through without a delay. Mail servers that are mostly sending messages to recipients who recognize them would not see delays. Mail servers that are mostly sending messages to those who don't recognize them would see the delays. So, it makes mail servers up to twice as hard. Also, while I agree that it would increase the load, in general I think decreasing spam is worth some increased load. Sure, it's a slippery slope (one could imagine things getting so bloated that it takes 5 minutes of CPU time to deliver one message, if we keep on adding limitless spam-fighting strategy), but on the other hand, 10 seconds of CPU time spent catching spam automatically is cheaper than 10 seconds of a human's time deleting it manually. - Logan From mikej at rogers.com Fri Aug 11 17:01:30 2006 From: mikej at rogers.com (Mike Jakubik) Date: Fri Aug 11 17:01:13 2006 Subject: MS unable to detect From address from DSN and failure notice emails Message-ID: <44DCA9DA.8030403@rogers.com> The other day i noticed that Always looked up last and the mailwatch logging script is not logging the From address on any DSN or failure type emails sent by the mailer-daemon@ or postmaster@. The problem is bigger than just logging itself, as this influences the scoring with the rule NO_REAL_NAME, so a lot of them get marked as spam. 
Here are two example headers:

Received: from mail.kanapure.net (unknown [61.211.239.203])
 by mx1.fkpeterson.com (Postfix) with SMTP id D6E41172D1
 for ; Thu, 27 Jul 2006 21:58:03 -0400 (EDT)
Received: (qmail 19303 invoked for bounce); 28 Jul 2006 02:04:22 -0000
Date: 28 Jul 2006 02:04:22 -0000
From: MAILER-DAEMON@mail.kanapure.net
To: yingrown8@fkpeterson.com
Subject: failure notice
Message-Id: <20060728015803.D6E41172D1@mx1.fkpeterson.com>

Received: from mail.fkpeterson.com (unknown [192.168.0.1])
 by mx1.fkpeterson.com (Postfix) with ESMTP id 6F85A17306
 for ; Thu, 27 Jul 2006 21:44:37 -0400 (EDT)
From: postmaster@fkpeterson.com
To: anisimi@citizensbankia.com
Date: Thu, 27 Jul 2006 21:46:16 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="9B095B5ADSN=_01C6AF6C96E49C7200000282mail.fkpeterson."
X-DSNContext: 7ce717b1 - 1158 - 00000002 - 00000000
Message-ID:
Subject: Delivery Status Notification (Failure)

This got marked as spam, and the From field is never logged. Any ideas?

postfix-2.2.11
p5-Mail-SpamAssassin-3.1.3
MailScanner-4.54.6

From mkettler at evi-inc.com Fri Aug 11 17:10:33 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Aug 11 17:10:48 2006
Subject: MS unable to detect From address from DSN and failure notice emails
In-Reply-To: <44DCA9DA.8030403@rogers.com>
References: <44DCA9DA.8030403@rogers.com>
Message-ID: <44DCABF9.6060903@evi-inc.com>

Mike Jakubik wrote:
> The other day i noticed that Always looked up last and the mailwatch
> logging script is not logging the From address on any DSN or failure
> type emails sent by the mailer-daemon@ or postmaster@. The problem is
> bigger than just logging itself, as this influences the scoring with the
> rule NO_REAL_NAME, so a lot of them get marked as spam. Here are two
> example headers:

Most DSN's are sent with a From: HEADER that contains mailer-daemon, or postmaster. However by RFC requirements the ENVELOPE From is <> (empty or null address).
This much should explain the logging, as MailScanner is logging the envelope from, not the content of the body-text From: header. Sendmail MTA's copy the envelope from to the "Return-Path" header upon delivery. I'm not sure what postfix does, but you might want to check it. To see what your MTA is using, this message should have an envelope from of "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com. The NO_REAL_NAME bit does influence the score, but that alone shouldn't be causing these to be tagged as spam.. What other SA rules are firing off here? From matt at coders.co.uk Fri Aug 11 17:17:22 2006 From: matt at coders.co.uk (Matt Hampton) Date: Fri Aug 11 17:17:08 2006 Subject: MS unable to detect From address from DSN and failure notice emails In-Reply-To: <44DCA9DA.8030403@rogers.com> References: <44DCA9DA.8030403@rogers.com> Message-ID: <44DCAD92.3070105@coders.co.uk> > > This got marked as spam, and the From field is never logged. Any ideas? > > postfix-2.2.11 > p5-Mail-SpamAssassin-3.1.3 > MailScanner-4.54.6 > The From field that gets as far as MailWatch is from the Envelope and not from the message headers. The envelope will be from "<>" (the Null sender) and therefore there is nothing for MW to log. matt From drew at themarshalls.co.uk Fri Aug 11 17:21:46 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Fri Aug 11 17:22:00 2006 Subject: Fwd: Problems on Solaris x86 In-Reply-To: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> Message-ID: <42275.194.70.180.170.1155313306.squirrel@webmail.r-bit.net> On Fri, August 11, 2006 15:38, Pascal Maes wrote: > Now, when I start MailScanner I have the following lines in the > logfile : > > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... 
> Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin > results cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to > SpamAssassin cache database > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin > results cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to > SpamAssassin cache database > > but each mail remains in /var/spool/postfix/hold/ > > In debugging mode, I get : > > # /opt/MailScanner/bin/check_mailscanner > Starting MailScanner... > In Debugging mode, not forking... > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin > results cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to > SpamAssassin cache database > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin > results cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to > SpamAssassin cache database > Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock > Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1 > messages, 1232 bytes > Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting And no mention of delivery (Or completion of scanning)? At this log point the batch is only being scanned for spam and not viruses. Can you turn on SpamAssassin debugging in MailScanner.conf and re-run the debug, it may yield something such as a permissions error in one of the SA processes. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy From mikej at rogers.com Fri Aug 11 17:25:48 2006 From: mikej at rogers.com (Mike Jakubik) Date: Fri Aug 11 17:25:32 2006 Subject: MS unable to detect From address from DSN and failure notice emails In-Reply-To: <44DCABF9.6060903@evi-inc.com> References: <44DCA9DA.8030403@rogers.com> <44DCABF9.6060903@evi-inc.com> Message-ID: <44DCAF8C.2030102@rogers.com> Matt Kettler wrote: > Mike Jakubik wrote: > >> The other day i noticed that Always looked up last and the mailwatch >> logging script is not logging the From address on any DSN or failure >> type emails sent by the mailer-daemon@ or postmaster@. The problem is >> bigger than just logging itself, as this influences the scoring with the >> rule NO_REAL_NAME, so a lot of them get marked as spam. Here are two >> example headers: >> > > Most DSN's are sent with a From: HEADER that contains mailer-daemon, or > postmaster. However by RFC requirements the ENVELOPE From is <> (empty or null > address). > > This much should explain the logging, as MailScanner is logging the envelope > from, not the content of the body-text From: header. Sendmail MTA's copy the > envelope from to the "Return-Path" header upon delivery. I'm not sure what > postfix does, but you might want to check it. To see what your MTA is using, > this message should have an envelope from of > "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com. > > Thanks for the info, here is what i saw in the headers: Return-Path: X-MailScanner-From: mailscanner-bounces@lists.mailscanner.info Perhaps i should take this issue up on the postfix lists? But im sure as soon as i mention MailScanner, i wont get much help :P > The NO_REAL_NAME bit does influence the score, but that alone shouldn't be > causing these to be tagged as spam.. What other SA rules are firing off here? > > The server actually had a SPF problem caused by a firewall, so every email was failing. 
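
The envelope-sender versus From: header distinction discussed in this thread, as an added example that is not part of any post and is not MailScanner or MailWatch code. The sample messages are constructed (modelled on the two header sets quoted above, with example domains), and the `Return-Path: <>` line is an assumption about what the MTA records for a null envelope sender.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. Return-Path stands in for the SMTP envelope sender.
QMAIL_STYLE_BOUNCE = """\
Return-Path: <>
Received: (qmail 19303 invoked for bounce); 28 Jul 2006 02:04:22 -0000
Date: 28 Jul 2006 02:04:22 -0000
From: MAILER-DAEMON@mail.example.net
To: user@example.org
Subject: failure notice

Hi. This is the qmail-send program.
"""

REPORT_DSN = """\
Return-Path: <>
From: postmaster@example.org
To: someone@example.com
Date: Thu, 27 Jul 2006 21:46:16 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="DSN-BOUNDARY"
Subject: Delivery Status Notification (Failure)

--DSN-BOUNDARY
Content-Type: text/plain

Delivery failed.
--DSN-BOUNDARY--
"""

LIST_MAIL = """\
Return-Path: <mailscanner-bounces@lists.mailscanner.info>
From: Matt Kettler <mkettler@evi-inc.com>
To: mailscanner@lists.mailscanner.info
Subject: Re: MS unable to detect From address

Body.
"""

# Header claims to be a system sender, but the envelope sender is not null.
FORGED_SYSTEM_FROM = """\
Return-Path: <bulk@sender.example>
From: MAILER-DAEMON@example.org
To: user@example.org
Subject: failure notice

Body.
"""


def envelope_sender(msg):
    """'' for the null sender '<>', the address otherwise, None if absent."""
    value = msg.get("Return-Path")
    if value is None:
        return None
    value = value.strip()
    return "" if value == "<>" else parseaddr(value)[1]


def classify(raw):
    """Separate what the envelope says from what the From: header says."""
    msg = message_from_string(raw)
    env = envelope_sender(msg)
    hdr = parseaddr(msg.get("From", ""))[1]
    system_hdr = hdr.split("@", 1)[0].lower() in ("mailer-daemon", "postmaster")
    report = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    reasons = []
    if env == "":
        reasons.append("null envelope sender")
    if report:
        reasons.append("multipart/report delivery-status")
    return {
        "envelope_from": env,
        "header_from": hdr,
        "null_sender": env == "",
        "reasons": reasons,
        # The From: header alone is sender-controlled, so flag the mismatch.
        "system_header_only": system_hdr and env not in ("", None),
    }


def log_label(info):
    """Sender string for a log line that is never blank for a bounce."""
    env = info["envelope_from"]
    if env:
        return env
    shown = "<>" if env == "" else "(no Return-Path)"
    return f"{shown} [header From: {info['header_from']}]"


if __name__ == "__main__":
    for raw in (QMAIL_STYLE_BOUNCE, REPORT_DSN, LIST_MAIL, FORGED_SYSTEM_FROM):
        info = classify(raw)
        print(log_label(info), info["reasons"], info["system_header_only"])
```

A logger keyed only on the envelope sender records an empty string for both bounces, which is the blank From field described in the thread.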
From drew at themarshalls.co.uk Fri Aug 11 17:45:29 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Fri Aug 11 17:45:50 2006
Subject: MS unable to detect From address from DSN and failure notice emails
In-Reply-To: <44DCAF8C.2030102@rogers.com>
References: <44DCA9DA.8030403@rogers.com> <44DCABF9.6060903@evi-inc.com> <44DCAF8C.2030102@rogers.com>
Message-ID: <42310.194.70.180.170.1155314729.squirrel@webmail.r-bit.net>

On Fri, August 11, 2006 17:25, Mike Jakubik wrote:
> Matt Kettler wrote:
>> Most DSN's are sent with a From: HEADER that contains mailer-daemon, or
>> postmaster. However by RFC requirements the ENVELOPE From is <> (empty
>> or null address).
>>
>> This much should explain the logging, as MailScanner is logging the
>> envelope from, not the content of the body-text From: header. Sendmail
>> MTA's copy the envelope from to the "Return-Path" header upon delivery.
>> I'm not sure what postfix does, but you might want to check it. To see
>> what your MTA is using, this message should have an envelope from of
>> "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com.

Postfix does exactly the same. The Null sender is usually just shown as
Return-Path: <> in the headers, which would explain the MW logging.

Sadly I agree about the postfix list, mention MailScanner and you tend to
be on a loser :-( Having said that Wietse is usually pretty good about
following RFCs so I am confident that Postfix will be properly behaved
with DSNs.

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mike at tc3net.com Fri Aug 11 18:05:18 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Aug 11 17:59:02 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <1155315918.31265.3.camel@mike-new2.tc3net.com>

On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote:
> On Fri, 11 Aug 2006, Jim Holland wrote:
> > Another concern is the impact that greylisting would have on the Internet
> > if its adoption became widespread - it would mean that all mail servers
> > would have to work twice as hard to deliver mail.
>
> Actually, it's only some mail servers. Greylisting lets known
> senders through without a delay. Mail servers that are mostly
> sending messages to recipients who recognize them would not
> see delays. Mail servers that are mostly sending messages
> to those who don't recognize them would see the delays. So,
> it makes mail servers up to twice as hard.
>
> Also, while I agree that it would increase the load, in
> general I think decreasing spam is worth some increased load.
> Sure, it's a slippery slope (one could imagine things getting
> so bloated that it takes 5 minutes of CPU time to deliver one
> message, if we keep on adding limitless spam-fighting strategy),
> but on the other hand, 10 seconds of CPU time spent catching
> spam automatically is cheaper than 10 seconds of a human's
> time deleting it manually.

Greylisting decreases load immeasurably on a mailscanner system, the
cost of greylisting is much less than allowing the message to go through
the mailscanner system. I deployed it several months ago, it really is a
good tool, and I've had very few complaints (10000 users).
Regards
Michael Baird

From Kevin_Miller at ci.juneau.ak.us Fri Aug 11 18:09:58 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 11 18:10:03 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID:

Michael Baird wrote:

> Greylisting decreases load immeasurably on a mailscanner system, the
> cost of greylisting is much less than allowing the message to go
> through the mailscanner system. I deployed it several months ago, it
> really is a good tool, and I've had very few complaints (10000 users).

I just use Sendmail's greet pause which is 10 seconds to set up and works
a treat - does greylisting add significant control or improvement over
that? Anybody using them in tandem or is one or the other to be
preferred?

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mikea at mikea.ath.cx Fri Aug 11 18:10:30 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 18:10:35 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <1155315918.31265.3.camel@mike-new2.tc3net.com>; from mike@tc3net.com on Fri, Aug 11, 2006 at 01:05:18PM -0400
References: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID: <20060811121030.A64675@mikea.ath.cx>

On Fri, Aug 11, 2006 at 01:05:18PM -0400, Michael Baird wrote:
> On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote:
> > On Fri, 11 Aug 2006, Jim Holland wrote:
> > > Another concern is the impact that greylisting would have on the Internet
> > > if its adoption became widespread - it would mean that all mail servers
> > > would have to work twice as hard to deliver mail.
> >
> > Actually, it's only some mail servers. Greylisting lets known
> > senders through without a delay.
> > Mail servers that are mostly
> > sending messages to recipients who recognize them would not
> > see delays. Mail servers that are mostly sending messages
> > to those who don't recognize them would see the delays. So,
> > it makes mail servers up to twice as hard.
> >
> > Also, while I agree that it would increase the load, in
> > general I think decreasing spam is worth some increased load.
> > Sure, it's a slippery slope (one could imagine things getting
> > so bloated that it takes 5 minutes of CPU time to deliver one
> > message, if we keep on adding limitless spam-fighting strategy),
> > but on the other hand, 10 seconds of CPU time spent catching
> > spam automatically is cheaper than 10 seconds of a human's
> > time deleting it manually.
> Greylisting decreases load immeasurably on a mailscanner system, the
> cost of greylisting is much less than allowing the message to go through
> the mailscanner system. I deployed it several months ago, it really is a
> good tool, and I've had very few complaints (10000 users).

My complaints have, almost without exception, come from users who think
that E-mail should show up in their inboxes Right DamnIt _NOW_. There
have been a few cases in which the sender's system has mishandled the
retry or totally failed to retry; I've whitelisted some of those, and
the rest were non-work-related and so could go hang[1].

[1] It's a corporate mailsystem, not an ISP, and the policy is that
    employees get to use it for personal purposes, but if their personal
    mail gets blocked as a result of our filters, that's just too bad.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From davidn at keymarkinc.com Fri Aug 11 18:16:37 2006
From: davidn at keymarkinc.com (David Nalley)
Date: Fri Aug 11 18:16:33 2006
Subject: Searching and recovering mails from /var/spool/mailScanner/archive
Message-ID: <81214BB68B68BF4586FE1D82E7B3C472C0BE92@kmex01.keymark.dom>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, if you have MailWatch for MailScanner installed you can do quite a
bit of searching based on just about anything other than the body of the
email. Otherwise I think it's probably a job for grep and the like.

Hope it hel

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Nigel Kendrick
> Sent: Friday, August 11, 2006 6:18 AM
> To: 'MailScanner discussion'
> Subject: Searching and recovering mails from
> /var/spool/mailScanner/archive
>
> Hi Folks,
>
> No doubt this has been asked before but I'm not having much
> luck searching for ideas so...
>
> I have to search and recover some emails from the MailScanner
> archive folders - are there any nice tools to do this before
> I start to do some scripting?
>
> Thanks
>
> Nigel Kendrick
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFE3LtsU7rV35qFz0QRAmL2AJ9hwNmyPvqLDVlUSwmY8Q6XcVbYrwCcDPKq
LtOrvfUqXJNrGMZY/GyU4fw=
=bc4Y
-----END PGP SIGNATURE-----

From mikea at mikea.ath.cx Fri Aug 11 18:38:43 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 18:38:47 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: ; from Kevin_Miller@ci.juneau.ak.us on Fri, Aug 11, 2006 at 09:09:58AM -0800
References: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID: <20060811123843.B64675@mikea.ath.cx>

On Fri, Aug 11, 2006 at 09:09:58AM -0800, Kevin Miller wrote:
> Michael Baird wrote:
>
> > Greylisting decreases load immeasurably on a mailscanner system, the
> > cost of greylisting is much less than allowing the message to go
> > through the mailscanner system. I deployed it several months ago, it
> > really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?

I use both.

Greet-pause is set to 15 seconds, and catches an _awful_ lot of them:

Date    Count of greet-pause violations
710     133315
711     101527
712     88888
713     75372
714     59143
715     51436
716     46033
717     62931
718     76228
719     75158
720     63901
721     58222
722     47463
723     32425
724     52248
725     51581
726     55579
727     52790
728     48447
729     33630
730     31434
731     50976
801     61121
802     53625
803     120052
804     44719
805     34369
806     40633
807     55260
808     43413
809     44840
810     47917

Many of these are same-IP woodpeckers. I'll look at a way to display
the actual number of unique IP addresses that violated greet-pause per
day.

Greylisting catches a lot more: the count of mails that actually got
to MailScanner went down big-time when I turned greylisting on.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From Kevin_Miller at ci.juneau.ak.us Fri Aug 11 18:46:03 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 11 18:46:06 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <20060811123843.B64675@mikea.ath.cx>
Message-ID:

mikea wrote:
> I use both.
>
> Greet-pause is set to 15 seconds, and catches an _awful_ lot of them:
> Date Count of greet-pause violations
> 710 133315
...
> 810 47917
>
> Many of these are same-IP woodpeckers. I'll look at a way to display
> the actual number of unique IP addresses that violated greet-pause per
> day.
>
> Greylisting catches a lot more: the count of mails that actually got
> to MailScanner went down big-time when I turned greylisting on.

Cool. How'd you generate the counts?

Real Soon Now I'm going to implement milter-ahead (sleazy Exchange
server on the back end, sigh) so maybe I'll get milter-gris at the same
time.

Killing spam is *so* much fun...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From gmane at tippingmar.com Fri Aug 11 19:57:28 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Fri Aug 11 19:57:47 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <44D18987.4070400@maddoc.net>
References: <44D18987.4070400@maddoc.net>
Message-ID:

Doc Schneider wrote:
> I added a "tweak" to the rule set that should catch more of these dang
> image spams.
>
> For those of you running "SARE_STOCK" please let me know if these are
> now being caught.

After about a week of running the new rule set I realized that in
addition to catching more of those dang image spams, I was also getting
a lot of false positives. We receive a lot of messages from persons who
write in html and attach a small gif image in their signature (usually a
company logo).
In fact, lots of my users do the same in their signatures (don't get me
started). Consequently, I have had to disable the gif rules in the rule
set.

Mark

From alex at nkpanama.com Fri Aug 11 20:07:52 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Aug 11 20:08:04 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <44DCD588.1050602@nkpanama.com>

Kevin Miller wrote:
> Michael Baird wrote:
>
>> Greylisting decreases load immeasurably on a mailscanner system, the
>> cost of greylisting is much less than allowing the message to go
>> through the mailscanner system. I deployed it several months ago, it
>> really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?
>
>
> ...Kevin

I use both *everywhere*. Now if I could have greet_pause auto-whitelist
after a certain threshold... :-)

From mikea at mikea.ath.cx Fri Aug 11 20:17:32 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 20:17:36 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DCD588.1050602@nkpanama.com>; from alex@nkpanama.com on Fri, Aug 11, 2006 at 02:07:52PM -0500
References: <44DCD588.1050602@nkpanama.com>
Message-ID: <20060811141732.A65410@mikea.ath.cx>

On Fri, Aug 11, 2006 at 02:07:52PM -0500, Alex Neuman van der Hans wrote:
> Kevin Miller wrote:
> > Michael Baird wrote:
> >
> >> Greylisting decreases load immeasurably on a mailscanner system, the
> >> cost of greylisting is much less than allowing the message to go
> >> through the mailscanner system. I deployed it several months ago, it
> >> really is a good tool, and I've had very few complaints (10000 users).
> >
> > I just use Sendmail's greet pause which is 10 seconds to set up and works
> > a treat - does greylisting add significant control or improvement over
> > that? Anybody using them in tandem or is one or the other to be
> > preferred?
> >
> >
> > ...Kevin
> I use both *everywhere*. Now if I could have greet_pause auto-whitelist
> after a certain threshold... :-)

You could, if you were willing to dynamically edit your access file
and then do a makemap hash. It probably could be rigged so that it
wasn't terribly dangerous. One way might be to batch the updates, and
run them every hour or so, saving the data to files with timestamp
data as part of the name. Hmmmmmm ... .

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From alex at nkpanama.com Fri Aug 11 20:23:48 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Aug 11 20:24:11 2006
Subject: OT - Greylisting
In-Reply-To: <20060811141732.A65410@mikea.ath.cx>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx>
Message-ID: <44DCD944.7050003@nkpanama.com>

mikea wrote:
>
> You could, if you were willing to dynamically edit your access file
> and then do a makemap hash. It probably could be rigged so that it
> wasn't terribly dangerous. One way might be to batch the updates, and
> run them every hour or so, saving the data to files with timestamp
> data as part of the name. Hmmmmmm ... .
>

Hmmm indeed... Sounds like a nice weekend project... but, alas,
IANAP... :-(

From jaearick at colby.edu Fri Aug 11 21:00:53 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 11 21:06:30 2006
Subject: nasty bug in SA.pm (I think)
Message-ID:

Julian,

I've been intermittently chasing this bug for several releases now,
and I think that I may have it cornered. The problem: if I start MS
with my /etc/init.d script, MS just loops and does nothing. If I
start it via /opt/MailScanner/bin/check_mailscanner from cron,
MailScanner works.
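The syslog output for a loop up looks like:

MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
MailScanner[25980]: Read 748 hostnames from the phishing whitelist
MailScanner[25980]: Config: calling custom init function IPBlock
MailScanner[25980]: Initialising IP blocking
MailScanner[25980]: Read 128 IP blocking entries from /etc/MailScanner/IPBlock.conf
MailScanner[25980]: Using SpamAssassin results cache
MailScanner[25980]: Connected to SpamAssassin cache database
(repeat ad nauseam)

So I started putting in info syslog messages into lib/MailScanner/SA.pm
after the "cache database" message to trace what happened. Attached
is my modified version of SA.pm. I never get anything after the
info msg "got to here3".

So I stared at SA.pm. You commented out line 287:

#if (MailScanner::Config::Value('compilespamassassinonce')) {

at some point, which commented out half of a curly-bracket block.
I can't find where the right curly-bracket for this line is, and
I think something is mis-aligned here. Using the power feature
of vi whereby you put the cursor over a bracket, paren, etc and
then hit "%", I don't find the closing curly bracket for line 72
("sub initialise {"). This routine seems mangled and I think this
is the root cause of the loop-up bug. But I can't figure out where
the closing bracket for line 287 might be.

Have I found this loopup bug in the mangled bracketing of initialise???

Jeff Earickson
Colby College
-------------- next part --------------
#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2002 Julian Field
#
# $Id: SA.pm 3553 2006-05-09 19:51:10Z sysjkf $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#

package MailScanner::SA;

use strict 'vars';
use strict 'refs';
no strict 'subs'; # Allow bare words for parameter %'s
#use English; # Needed for $PERL_VERSION to work in all versions of Perl

use IO;
use POSIX qw(:signal_h); # For Solaris 9 SIG bug workaround
use DBI;
use Compress::Zlib;

use vars qw($VERSION);

### The package version, both in 1.23 style *and* usable by MakeMaker:
$VERSION = substr q$Revision: 3553 $, 10;

# Attributes are
#
#

my($LOCK_SH) = 1;
my($LOCK_EX) = 2;
my($LOCK_NB) = 4;
my($LOCK_UN) = 8;

my $SAversion; # SpamAssassin version number
my @SAsuccessqueue; # queue of failure history
my $SAsuccessqsum; # current sum of history queue

my($SAspamtest, $SABayesLock, $SABayesRebuildLock, $SpamAssassinInstalled);

my($SQLiteInstalled, $cachedbh, $cachefilename, $NextCacheExpire);
my $HamCacheLife = 30*60; # Lifetime of non-spam from first seen
my $SpamCacheLife = 5*60; # Lifetime of low-scoring spam from first seen
my $HighSpamCacheLife = 3*60*60; # Lifetime of high spam from last seen
my $VirusesCacheLife = 48*60*60; # Lifetime of viruses from last seen
my $ExpireFrequency = 10*60; # How often to run the expiry of the cache

sub initialise {
  my($RebuildBayes, $WantLintOnly) = @_; # Start by rebuilding the Bayes database?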
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # package MailScanner::SA; use strict 'vars'; use strict 'refs'; no strict 'subs'; # Allow bare words for parameter %'s #use English; # Needed for $PERL_VERSION to work in all versions of Perl use IO; use POSIX qw(:signal_h); # For Solaris 9 SIG bug workaround use DBI; use Compress::Zlib; use vars qw($VERSION); ### The package version, both in 1.23 style *and* usable by MakeMaker: $VERSION = substr q$Revision: 3553 $, 10; # Attributes are # # my($LOCK_SH) = 1; my($LOCK_EX) = 2; my($LOCK_NB) = 4; my($LOCK_UN) = 8; my $SAversion; # SpamAssassin version number my @SAsuccessqueue; # queue of failure history my $SAsuccessqsum; # current sum of history queue my($SAspamtest, $SABayesLock, $SABayesRebuildLock, $SpamAssassinInstalled); my($SQLiteInstalled, $cachedbh, $cachefilename, $NextCacheExpire); my $HamCacheLife = 30*60; # Lifetime of non-spam from first seen my $SpamCacheLife = 5*60; # Lifetime of low-scoring spam from first seen my $HighSpamCacheLife = 3*60*60; # Lifetime of high spam from last seen my $VirusesCacheLife = 48*60*60; # Lifetime of viruses from last seen my $ExpireFrequency = 10*60; # How often to run the expiry of the cache sub initialise { my($RebuildBayes, $WantLintOnly) = @_; # Start by rebuilding the Bayes database? 
my(%settings, $val, $val2, $prefs); # Initialise the class variables @SAsuccessqueue = (); $SAsuccessqsum = 0; # Can't just do this when sendmail.pl loads, as we are still running as # root then & spamassassin will get confused when we are later running # as something else. # Only do this if we want to use SpamAssassin and therefore have it installed. # Justin Mason advises only creating 1 Mail::SpamAssassin object, so I do it # here while we are starting up. # N.B. SpamAssassin will use home dir defined in ENV{HOME} # 'if $ENV{HOME} =~ /\//' # So, set ENV{HOME} to desired directory, or undef it to force it to get home # using getpwnam of $> (EUID) unless (MailScanner::Config::IsSimpleValue('usespamassassin') && !MailScanner::Config::Value('usespamassassin')) { $settings{dont_copy_prefs} = 1; # Removes need for home directory # This file is now read directly by SpamAssassin's normal startup code. #$prefs = MailScanner::Config::Value('spamassassinprefsfile'); #$settings{userprefs_filename} = $prefs if defined $prefs; $val = $MailScanner::SA::Debug; $settings{debug} = $val; # for unusual bayes and auto whitelist database locations $val = MailScanner::Config::Value('spamassassinuserstatedir'); $settings{userstate_dir} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassinlocalrulesdir'); $settings{LOCAL_RULES_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassinlocalstatedir'); $settings{LOCAL_STATE_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassindefaultrulesdir'); $settings{DEF_RULES_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassininstallprefix'); # For version 3 onwards, shouldn't cause problems with earlier code $val2 = MailScanner::Config::Value('spamassassinautowhitelist'); $settings{use_auto_whitelist} = $val2?1:0; $settings{save_pattern_hits} = 1; if ($val ne "") { # ie. 
if SAinstallprefix is set # for finding rules in the absence of the above settings $settings{PREFIX} = $val; # for finding the SpamAssassin libraries # Use unshift rather than push so that their given location is # always searched *first* and not last in the include path. #my $perl_vers = $PERL_VERSION < 5.006 ? $PERL_VERSION # : sprintf("%vd",$PERL_VERSION); my $perl_vers = $] < 5.006 ? $] : sprintf("%vd",$^V); unshift @INC, "$val/lib/perl5/site_perl/$perl_vers"; } # Now we have the path built, try to find the SpamAssassin modules unless (eval "require Mail::SpamAssassin") { MailScanner::Log::WarnLog("You want to use SpamAssassin but have not installed it."); MailScanner::Log::WarnLog("Please download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz and unpack it and run ./install.sh to install it, then restart MailScanner."); MailScanner::Log::WarnLog("I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin."); $SpamAssassinInstalled = 0; return; } # SpamAssassin "require"d okay. $SpamAssassinInstalled = 1; # Find the version number $SAversion = $Mail::SpamAssassin::VERSION + 0.0; # # Load the SQLite support for the SA data cache # $SQLiteInstalled = 0; unless (MailScanner::Config::IsSimpleValue('usesacache') && !MailScanner::Config::Value('usesacache')) { unless (eval "require DBD::SQLite") { MailScanner::Log::WarnLog("WARNING: You are trying to use the SpamAssassin cache but your DBI and/or DBD::SQLite Perl modules are not properly installed!"); $SQLiteInstalled = 0; } else { $SQLiteInstalled = 1; unless (eval "require Digest::MD5") { MailScanner::Log::WarnLog("WARNING: You are trying to use the SpamAssassin cache but your Digest::MD5 Perl module is not properly installed!"); $SQLiteInstalled = 0; } else { MailScanner::Log::InfoLog("Using SpamAssassin results cache"); $SQLiteInstalled = 1; # # # Put the SA cache database initialisation code here! 
# # $MailScanner::SA::cachefilename = MailScanner::Config::Value("sacache"); $MailScanner::SA::cachedbh = DBI->connect( "dbi:SQLite:$MailScanner::SA::cachefilename", "","",{PrintError=>0,InactiveDestroy=>1}); $NextCacheExpire = $ExpireFrequency+time; if ($MailScanner::SA::cachedbh) { MailScanner::Log::InfoLog("Connected to SpamAssassin cache database"); # Rebuild all the tables and indexes. The PrintError=>0 will make it # fail quietly if they already exist. $MailScanner::SA::cachedbh->do("CREATE TABLE cache (md5 TEXT, count INTEGER, last TIMESTAMP, first TIMESTAMP, sasaysspam INT, sahighscoring INT, sascore FLOAT, saheader BLOB, salongreport BLOB, virusinfected INT)"); $MailScanner::SA::cachedbh->do("CREATE UNIQUE INDEX md5_uniq ON cache(md5)"); $MailScanner::SA::cachedbh->do("CREATE INDEX last_seen_idx ON cache(last)"); $MailScanner::SA::cachedbh->do("CREATE INDEX first_seen_idx ON cache(first)"); $SQLiteInstalled = 1; SetCacheTimes(); # Now expire all the old tokens CacheExpire() unless $WantLintOnly; } else { MailScanner::Log::WarnLog("Could not create SpamAssassin cache database %s", $MailScanner::SA::cachefilename); $SQLiteInstalled = 0; print STDERR "Could not create SpamAssassin cache database $MailScanner::SA::cachefilename\n" if $WantLintOnly; } } } } MailScanner::Log::InfoLog("got to here"); $MailScanner::SA::SAspamtest = new Mail::SpamAssassin(\%settings); if ($WantLintOnly) { my $errors = $MailScanner::SA::SAspamtest->lint_rules(); if ($errors) { print STDERR "SpamAssassin reported an error.\n"; $MailScanner::SA::SAspamtest->debug_diagnostics(); } else { print STDERR "SpamAssassin reported no errors.\n"; } return; } MailScanner::Log::InfoLog("got to here2"); # Rebuild the Bayes database if it is due $MailScanner::SA::BayesRebuildLock = MailScanner::Config::Value( 'lockfiledir') . '/MS.bayes.rebuild.lock'; $MailScanner::SA::BayesRebuildStartLock = MailScanner::Config::Value('lockfiledir') . 
'/MS.bayes.starting.lock'; $MailScanner::SA::WaitForRebuild = MailScanner::Config::Value('bayeswait'); $MailScanner::SA::DoingBayesRebuilds = MailScanner::Config::Value('bayesrebuild'); if ($RebuildBayes) { #MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild preparing'); # Tell the other children that we are trying to start a rebuild my $RebuildStartH = new FileHandle; unless ($RebuildStartH->open("+>$MailScanner::SA::BayesRebuildStartLock")) { MailScanner::Log::WarnLog("Bayes rebuild process could not write to " . "%s to signal starting", $MailScanner::SA::BayesRebuildStartLock); } # Get an exclusive lock on the bayes rebuild lock file my $RebuildLockH = new FileHandle; if ($RebuildLockH->open("+>$MailScanner::SA::BayesRebuildLock")) { flock($RebuildLockH, $LOCK_EX) or MailScanner::Log::WarnLog("Failed to get exclusive lock on %s, %s", $MailScanner::SA::BayesRebuildLock, $!); # Do the actual expiry run $0 = 'MailScanner: rebuilding Bayes database'; MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild starting'); eval { $MailScanner::SA::SAspamtest->init(1) if $SAversion<3; $MailScanner::SA::SAspamtest->init_learner({ force_expire => 1, learn_to_journal => 0, wait_for_lock => 1, caller_will_untie => 1}); $MailScanner::SA::SAspamtest->rebuild_learner_caches({ verbose => 0, showdots => 0}); $MailScanner::SA::SAspamtest->finish_learner(); }; MailScanner::Log::WarnLog("SpamAssassin Bayes database rebuild " . 
"failed with error: %s", $@) if $@; # Unlock the bayes rebuild lock file unlink($MailScanner::SA::BayesRebuildLock); flock($RebuildLockH, $LOCK_UN); $RebuildLockH->close(); MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild completed'); } # Now the rebuild has properly finished, we let the other children back unlink $MailScanner::SA::BayesRebuildStartLock; $RebuildStartH->close(); } if (MailScanner::Config::Value('spamassassinautowhitelist')) { # JKF 14/6/2002 Enable the auto-whitelisting functionality MailScanner::Log::InfoLog("Enabling SpamAssassin auto-whitelist functionality..."); if ($SAversion<3) { require Mail::SpamAssassin::DBBasedAddrList; # create a factory for the persistent address list my $addrlistfactory = Mail::SpamAssassin::DBBasedAddrList->new(); $MailScanner::SA::SAspamtest->set_persistent_address_list_factory ($addrlistfactory); } } # If the Bayes database lock file is still present due to the process # being killed, we must delete it. The difficult bit is finding it. # Wrap this in an eval for those using old versions of SA which don't # have the Bayes engine at all. eval { my $t = $MailScanner::SA::SAspamtest; $MailScanner::SA::SABayesLock = $t->sed_path($t->{conf}->{bayes_path}) . '.lock'; #print STDERR "SA bayes lock is $MailScanner::SA::SABayesLock\n"; }; MailScanner::Log::InfoLog("got to here3"); #print STDERR "Bayes lock is at $MailScanner::SA::SABayesLock\n"; # JKF 7/1/2002 Commented out due to it causing false positives # JKF 7/6/2002 Now has a config switch # JKF 12/6/2002 Remember to read the prefs file #if (MailScanner::Config::Value('compilespamassassinonce')) { # Saves me recompiling all the modules every time # Need to delete lock file now or compile_now may never return unlink $MailScanner::SA::SABayesLock; # If they are using MCP at all, then we need to compile SA differently # here due to object clashes within SA. 
if (MailScanner::Config::IsSimpleValue('mcpchecks') && !MailScanner::Config::Value('mcpchecks')) { # They are definitely not using MCP $MailScanner::SA::SAspamtest->compile_now(); } else { # They are possibly using MCP somewhere # Next line should have a 0 parameter in it #$MailScanner::SA::SAspamtest->compile_now(0); $MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); } #print STDERR "In initialise, spam report is \"" . # $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n"; #JKF$MailScanner::SA::SAspamtest->compile_now(); # Apparently this doesn't do anything after compile_now() #$MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); } MailScanner::Log::InfoLog("got to here4"); # Turn off warnings again, as SpamAssassin switches them on $^W = 0; MailScanner::Log::InfoLog("got to here5"); } # Set all the cache expiry timings from the cachetiming conf option sub SetCacheTimes { my $line = MailScanner::Config::Value('cachetiming'); $line =~ s/^\D+//; return unless $line; my @numbers = split /\D+/, $line; return unless @numbers; $HamCacheLife = $numbers[0] if $numbers[0]; $SpamCacheLife = $numbers[1] if $numbers[1]; $HighSpamCacheLife = $numbers[2] if $numbers[2]; $VirusesCacheLife = $numbers[3] if $numbers[3]; $ExpireFrequency = $numbers[4] if $numbers[4]; #print STDERR "Timings are \"" . join(' ',@numbers) . "\"\n"; } # Constructor. sub new { my $type = shift; my $this = {}; bless $this, $type; return $this; } # Do the SpamAssassin checks on the passed in message sub Checks { my $message = shift; # If they never actually installed SpamAssassin, then just bail out quietly. return (0,0,"",0,"") unless $SpamAssassinInstalled; my($dfhandle); my($dfilename, $dfile, @WholeMessage, $SAResult, $SAHitList); my($HighScoring, $SAScore, $maxsize, $SAReport, $GSHits); my $GotFromCache = undef; # Did the result come from the cache? 
$GSHits = $message->{gshits} || 0.0; # Bail out and fake a miss if too many consecutive SA checks failed my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts'); # If we get maxfailures consecutive timeouts, then disable the # SpamAssassin RBL checks in an attempt to get it working again. # If it continues to time out for another maxfailures consecutive # attempts, then disable it completely. if ($maxfailures>0) { if ($SAsuccessqsum>=2*$maxfailures) { return (0,0, sprintf(MailScanner::Config::LanguageValue($message,'sadisabled'), 2*$maxfailures), 0); } elsif ($SAsuccessqsum>$maxfailures) { $MailScanner::SA::SAspamtest->{conf}->{local_tests_only} = 1; } elsif ($SAsuccessqsum==$maxfailures) { $MailScanner::SA::SAspamtest->{conf}->{local_tests_only} = 1; MailScanner::Log::WarnLog("Disabling SpamAssassin network checks"); } } # If the Bayes rebuild is in progress, then either wait for it to # complete, or just bail out as we are busy. # Get a shared lock on the bayes rebuild lock file. # If we don't want to wait for it, then do a non-blocking call and # just return if it couldn't be locked. my $BayesIsLocked = 0; my($RebuildLockH, $Lockopen); if ($MailScanner::SA::DoingBayesRebuilds) { # If the lock file exists at all, do not try to get a lock on it. # Shared locks are handed out even when someone else is trying to # get an exclusive lock, so long as at least 1 other shared lock # already exists. if (-e $MailScanner::SA::BayesRebuildStartLock) { # Do we wait for Bayes rebuild to occur? if ($MailScanner::SA::WaitForRebuild) { $0 = 'MailScanner: waiting for Bayes rebuild'; # Wait quietly for the file to disappear # This must not take more than 1 hour or we are in trouble! 
        #MailScanner::Log::WarnLog("Waiting for rebuild start request to disappear");
        my $waiter = 0;
        for ($waiter = 0;
             $waiter<3600 && -e $MailScanner::SA::BayesRebuildStartLock;
             $waiter+=10) {
          sleep 10;
          #MailScanner::Log::WarnLog("Waiting for start request to disappear");
        }
        # Did it take too long?
        unlink $MailScanner::SA::BayesRebuildStartLock if $waiter>=3590;
        #MailScanner::Log::WarnLog("Start request has disappeared");
        $0 = 'MailScanner: checking with SpamAssassin';
      } else {
        # Return saying we are skipping SpamAssassin this time
        return (0,0, 'SpamAssassin rebuilding', 0);
      }
    }

    $Lockopen = 0;
    $RebuildLockH = new FileHandle;

    if (open($RebuildLockH, "+>" . $MailScanner::SA::BayesRebuildLock)) {
      print $RebuildLockH "SpamAssassin Bayes database locked for use by " .
            "MailScanner $$\n";
      #MailScanner::Log::InfoLog("Bayes lock is $RebuildLockH");
      #MailScanner::Log::InfoLog("Bayes lock is read-write");
      $Lockopen = 1;
    #The lock file already exists, so just open for reading
    } elsif (open($RebuildLockH, $MailScanner::SA::BayesRebuildLock)) {
      #MailScanner::Log::InfoLog("Bayes lock is $RebuildLockH");
      #MailScanner::Log::InfoLog("Bayes lock is read-only");
      $Lockopen = 1;
    } else {
      # Could not open the file at all
      $Lockopen = 0;
      MailScanner::Log::WarnLog("Could not open Bayes rebuild lock file %s, %s",
                                $MailScanner::SA::BayesRebuildLock, $!);
    }

    if ($Lockopen) {
      #MailScanner::Log::InfoLog("Bayes lock is open");
      if ($MailScanner::SA::WaitForRebuild) {
        # Do a normal lock and wait for it
        flock($RebuildLockH, $LOCK_SH) or
          MailScanner::Log::WarnLog("At start of SA checks could not get " .
            "shared lock on %s, %s", $MailScanner::SA::BayesRebuildLock, $!);
        $BayesIsLocked = 1;
      } else {
        #MailScanner::Log::InfoLog("Bayes lock2 is %s", $RebuildLockH);
        if (flock($RebuildLockH, ($LOCK_SH | $LOCK_NB))) {
          #MailScanner::Log::InfoLog("Got non-blocking shared lock on Bayes lock");
          $BayesIsLocked = 1;
        } else {
          #MailScanner::Log::InfoLog("Skipping Bayes due to %s", $!);
          $RebuildLockH->close();
          #MailScanner::Log::InfoLog("Skipping SpamAssassin while waiting for Bayes database to rebuild");
          return (0,0, 'SpamAssassin rebuilding', 0);
        }
      }
    } else {
      MailScanner::Log::WarnLog("At start of SA checks could not open %s, %s",
        $MailScanner::SA::BayesRebuildLock, $!);
    }
  }

  $maxsize = MailScanner::Config::Value('maxspamassassinsize');

  # Construct the array of lines of the header and body of the message
  # JKF 30/1/2002 Don't chop off the line endings. Thanks to Andreas Piper
  # for this.
  # For SpamAssassin 3 we add the "EnvelopeFrom" header to make SPF work
  my $fromheader = MailScanner::Config::Value('envfromheader', $message);
  $fromheader =~ s/:$//;

  # Build a list of all the headers, so we can remove any $fromheader that
  # is already in there.
  my @SAheaders = $global::MS->{mta}->OriginalMsgHeaders($message, "\n");
  @SAheaders = grep !/^$fromheader\:/i, @SAheaders;
  @SAheaders = grep !/^\s*$/, @SAheaders; # ditch blank lines

  push(@WholeMessage, $fromheader . ': ' . $message->{from} . "\n")
    if $fromheader;

  #push(@WholeMessage, $global::MS->{mta}->OriginalMsgHeaders($message, "\n"));
  push(@WholeMessage, @SAheaders);
  #print STDERR "Headers are : " . join(', ', @WholeMessage) . "\n";

  unless (@WholeMessage) {
    flock($RebuildLockH, $LOCK_UN) if $BayesIsLocked;
    $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    return (0,0, MailScanner::Config::LanguageValue($message, 'sanoheaders'), 0);
  }

  push(@WholeMessage, "\n");

  my(@WholeBody);
  $message->{store}->ReadBody(\@WholeBody, $maxsize);
  push(@WholeMessage, @WholeBody);

  # Work out the MD5 sum of the body
  my($testcache,$md5,$md5digest);
  if ($SQLiteInstalled) {
    $testcache = MailScanner::Config::Value("usesacache",$message);
    $testcache = ($testcache =~ /1/)?1:0;
    $md5 = Digest::MD5->new;
    eval { $md5->add(@WholeBody) };
    if ($@ ne "" || @WholeBody<=1) {
      # The eval failed
      $md5digest = "unknown";
      $testcache = 0;
    } else {
      # The md5->add worked okay, so use the results
      # Get the MD5 digest of the message body
      $md5digest = $md5->hexdigest;
    }
    # Store it for later
    $message->{md5} = $md5digest;
    #print STDERR "MD5 digest is $md5digest\n";
  } else {
    $testcache = 0;
    #print STDERR "Not going to use cache\n";
  }

  # Now construct the SpamAssassin object for version < 3
  my $spammail;
  $spammail = Mail::SpamAssassin::NoMailAudit->new('data'=>\@WholeMessage)
    if $SAversion<3;

  if ($testcache) {
    if (my $cachehash = CheckCache($md5digest)) {
      #print STDERR "Cache hit for " . $message->{id} . "\n";
      MailScanner::Log::InfoLog("SpamAssassin cache hit for message %s",
                                $message->{id});
      # Read the cache result and update the timestamp *****
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = ($cachehash->{sasaysspam}, $cachehash->{sahighscoring},
           uncompress($cachehash->{saheader}), $cachehash->{sascore},
           uncompress($cachehash->{salongreport}));
      # Log the fact we got it from the cache. Must not add the "cached"
      # word on the front here or it will be put into the cache itself!
      $GotFromCache = 1;
      #print STDERR "Cache results are $SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport\n";
      # Unlock and close the lockfile
      flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
      $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    } else {
      # Do the actual SpamAssassin call
      #print STDERR "Cache miss for " . $message->{id} . "\n";

      # Test it for spam-ness
      if ($SAversion<3) {
        ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
          = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                          $spammail, $message);
      } else {
        #print STDERR "Check 1, report template = \"" .
        #      $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n";
        ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
          = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                          \@WholeMessage, $message);
      }
      # Log the fact we didn't get it from the cache. Must not add the
      # "not cached" word on the front here or it will be put into the
      # cache itself!
      $GotFromCache = 0;
      #MailScanner::Log::WarnLog("Done SAForkAndTest");
      #print STDERR "SAResult = $SAResult\nHighScoring = $HighScoring\n" .
      #             "SAHitList = $SAHitList\n";
      # Write the record to the cache *****
      CacheResult($md5digest, $SAResult, $HighScoring, compress($SAHitList),
                  $SAScore, compress($SAReport));
      # Unlock and close the lockfile
      flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
      $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    }
    # Add the cached / not cached tag to $SAHitList if appropriate
    if (defined($GotFromCache)) {
      if ($GotFromCache) {
        $SAHitList = MailScanner::Config::LanguageValue($message, 'cached')
                     . ', ' . $SAHitList;
      } else {
        $SAHitList = MailScanner::Config::LanguageValue($message, 'notcached')
                     . ', ' . $SAHitList;
      }
    }
  } else {
    # No cache here

    # Test it for spam-ness
    if ($SAversion<3) {
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                        $spammail, $message);
    } else {
      #print STDERR "Check 1, report template = \"" .
      #      $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n";
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                        \@WholeMessage, $message);
    }
    #MailScanner::Log::WarnLog("Done SAForkAndTest");
    #print STDERR "SAResult = $SAResult\nHighScoring = $HighScoring\n" .
    #             "SAHitList = $SAHitList\n";
    # Unlock and close the lockfile
    flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
    $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
  }

  return ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport);
}

# Look up the passed MD5 in the cache database and return true/false
sub CheckCache {
  my $md5 = shift;

  my($sql, $sth);

  $sql = "SELECT md5, count, last, first, sasaysspam, sahighscoring, sascore, saheader, salongreport FROM cache WHERE md5=?";
  my $hash = $MailScanner::SA::cachedbh->selectrow_hashref($sql,undef,$md5);

  if (defined($hash)) {
    # Cache hit!
    #print STDERR "Cache hit $hash!\n";
    # Update the counter and timestamp
    $sql = "UPDATE cache SET count=count+1, last=strftime('%s','now') WHERE md5=?";
    $sth = $MailScanner::SA::cachedbh->prepare($sql);
    $sth->execute($md5);
    return $hash;
  } else {
    # Cache miss... we'll create the cache record after SpamAssassin has run.
    #print STDERR "Cache miss!\n";
    return undef;
  }
}

# Check to see if the cache should have an expiry run done, do it if so.
sub CheckForCacheExpire {
  # Check to see if a cache expiry run is needed
  CacheExpire() if $NextCacheExpire<=time;
  # NextCacheExpire is updated by CacheExpire() so not needed here.
}

sub CacheResult {
  my ($md5, $SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport) = @_;

  my $dbh = $MailScanner::SA::cachedbh;

  #print STDERR "dbh is $dbh and cachedbh is $MailScanner::SA::cachedbh\n";

  my $sql = "INSERT INTO cache (md5, count, last, first, sasaysspam, sahighscoring, sascore, saheader, salongreport) VALUES (?,?,?,?,?,?,?,?,?)";
  my $sth = $dbh->prepare($sql);
  #print STDERR "$sth, $@\n";
  my $now = time;
  $sth->execute($md5,1,$now,$now,
                $SAResult, $HighScoring, $SAScore, $SAHitList, $SAReport);
}

# Expire records from the cache database
sub CacheExpire {
  my $expire1 = shift || $HamCacheLife; # non-spam
  my $expire2 = shift || $SpamCacheLife; # low-scoring spam
  my $expire3 = shift || $HighSpamCacheLife; # everything else except viruses
  my $expire4 = shift || $VirusesCacheLife; # viruses

  return unless $SQLiteInstalled;

  my $sth = $MailScanner::SA::cachedbh->prepare("
    DELETE FROM cache WHERE (
    (sasaysspam=0 AND virusinfected<1 AND first<=(strftime('%s','now')-?)) OR
    (sasaysspam>0 AND sahighscoring=0 AND virusinfected<1 AND first<=(strftime('%s','now')-?)) OR
    (sasaysspam>0 AND sahighscoring>0 AND virusinfected<1 AND last<=(strftime('%s','now')-?)) OR
    (virusinfected>=1 AND last<=(strftime('%s','now')-?))
    )");
  MailScanner::Log::DieLog("Database complained about this: %s. I suggest you delete your %s file and let me re-create it for you", $DBI::errstr, MailScanner::Config::Value("sacache")) unless $sth;
  my $rows = $sth->execute($expire1, $expire2, $expire3, $expire4);
  $sth->finish;

  MailScanner::Log::InfoLog("Expired %s records from the SpamAssassin cache", $rows) if $rows>0;

  # This is when we should do our next cache expiry (20 minutes from now)
  $NextCacheExpire = time + $ExpireFrequency;
}

# Add the virus information to the cache entry so we can keep infected
# attachment details a lot longer than normal spam.
sub AddVirusStats {
  my($message) = @_;
  #my $virus;
  return unless $message;

  return unless $SQLiteInstalled &&
                MailScanner::Config::Value("usesacache",$message) =~ /1/;

  my $sth = $MailScanner::SA::cachedbh->prepare('UPDATE cache SET virusinfected=? WHERE md5=?');

  ## Also print 1 line for each report about this message. These lines
  ## contain all the info above, + the attachment filename and text of
  ## each report.
  #my($file, $text, @report_array);
  #while(($file, $text) = each %{$message->{allreports}}) {
  #  $file = "the entire message" if $file eq "";
  #  # Use the sanitised filename to avoid problems caused by people forcing
  #  # logging of attachment filenames which contain nasty SQL instructions.
  #  $file = $message->{file2safefile}{$file} or $file;
  #  $text =~ s/\n/ /; # Make sure text report only contains 1 line
  #  $text =~ s/\t/ /; # and no tab characters
  #  push (@report_array, $text);
  #}
  #
  #my $reports = join(",",@report_array);

  ## This regexp only works for clamav
  #if ($reports =~ /(.+) contains (\S+)/) { $virus = $2; }

  $sth->execute($message->{virusinfected},
                $message->{md5}) or MailScanner::Log::WarnLog($DBI::errstr);
}

# Fork and test with SpamAssassin. This implements a timeout on the execution
# of the SpamAssassin checks, which occasionally take a *very* long time to
# terminate due to regular expression backtracking and other nasties.
sub SAForkAndTest {
  my($GSHits, $Test, $Mail, $Message) = @_;

  my($pipe);
  my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore, $AutoLearn);
  my($HighScoreVal, $pid2delete, $IncludeScores, $SAReport, $queuelength);
  my $PipeReturn = 0;

  #print STDERR "Check 2, is \"" . $Test->{conf}->{report_template} . "\"\n";

  $IncludeScores = MailScanner::Config::Value('listsascores', $Message);
  $queuelength = MailScanner::Config::Value('satimeoutlen', $Message);

  $pipe = new IO::Pipe
    or MailScanner::Log::DieLog('Failed to create pipe, %s, try reducing ' .
      'the maximum number of unscanned messages per batch', $!);
  #$readerfh = new FileHandle;
  #$writerfh = new FileHandle;
  #($readerfh, $writerfh) = FileHandle::pipe;

  my $pid = fork();
  die "Can't fork: $!" unless defined($pid);

  if ($pid == 0) {
    # In the child
    my($spamness, $SAResult, $HitList, @HitNames, $Hit);
    $pipe->writer();
    #close($readerfh);
    #POSIX::setsid();
    #select($writerfh);
    #$| = 1; # Line buffering, not block buffering
    $pipe->autoflush();
    # Do the actual tests and work out the integer result
    if ($SAversion<3) {
      $spamness = $Test->check($Mail);
    } else {
      my $mail = $Test->parse($Mail, 1);
      $spamness = $Test->check($mail);
    }
    print $pipe ($SAversion<3?$spamness->get_hits():$spamness->get_score()) . "\n";
    $HitList = $spamness->get_names_of_tests_hit();
    if ($IncludeScores) {
      @HitNames = split(/\s*,\s*/, $HitList);
      $HitList = "";
      foreach $Hit (@HitNames) {
        $HitList .= ($HitList?', ':'') . $Hit . ' ' .
                    sprintf("%1.2f", $spamness->{conf}->{scores}->{$Hit});
      }
    }
    # Get the autolearn status
    if ($SAversion<3) {
      # Old code
      if (!defined $spamness->{auto_learn_status}) {
        $AutoLearn = "no";
      } elsif ($spamness->{auto_learn_status}) {
        $AutoLearn = "spam";
      } else {
        $AutoLearn = "not spam";
      }
    } else {
      # New code
      $spamness->learn();
      $AutoLearn = $spamness->{auto_learn_status};
      $AutoLearn = 'no' if $AutoLearn eq 'failed' || $AutoLearn eq "";
      $AutoLearn = 'not spam' if $AutoLearn eq 'ham';
    }
    #if (!defined $spamness->{auto_learn_status} || $spamness->{auto_learn_status} eq 'no') {
    #  $AutoLearn = "no";
    #} elsif ($spamness->{auto_learn_status}) {
    #  $AutoLearn = "spam";
    #} else {
    #  $AutoLearn = "not spam";
    #}
    #sleep 30 if rand(3)>=2.0;
    print $pipe $AutoLearn . "\n";
    print $pipe $HitList . "\n";
    # JKF New code here to print out the full spam report
    $HitList = $spamness->get_report();
    $HitList =~ tr/\n/\0/;
    print $pipe $HitList . "\n";
    $spamness->finish();
    $pipe->close();
    $pipe = undef;
    exit 0; # $SAResult;
  }

  eval {
    $pipe->reader();
    local $SIG{ALRM} = sub { die "Command Timed Out" };
    alarm MailScanner::Config::Value('spamassassintimeout');
    $SAHits = <$pipe>;
    #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";
    $AutoLearn = <$pipe>;
    $SAHitList = <$pipe>;
    $SAReport = <$pipe>;
    #print STDERR "Read SAHitList = $SAHitList " . scalar(localtime) . "\n";
    # Not sure if next 2 lines should be this way round...
    waitpid $pid, 0;
    $pipe->close();
    $PipeReturn = $?;
    alarm 0;
    $pid = 0;
    chomp $SAHits;
    chomp $AutoLearn;
    chomp $SAHitList;
    $SAHits = $SAHits + 0.0;
    #$safailures = 0; # This was successful so zero counter
    # We got a result so store a success
    push @SAsuccessqueue, 0;
    # Roll the queue along one
    $SAsuccessqsum += (shift @SAsuccessqueue)?1:-1
      if @SAsuccessqueue>$queuelength;
    #print STDERR "Success: sum = $SAsuccessqsum\n";
    $SAsuccessqsum = 0 if $SAsuccessqsum<0;
  };
  alarm 0;
  # Workaround for bug in perl shipped with Solaris 9,
  # it doesn't unblock the SIGALRM after handling it.
  eval {
    my $unblockset = POSIX::SigSet->new(SIGALRM);
    sigprocmask(SIG_UNBLOCK, $unblockset)
      or die "Could not unblock alarm: $!\n";
  };

  # Construct the hit-list including the score we got.
  my($longHitList);
  $SAReqHits = MailScanner::Config::Value('reqspamassassinscore',$Message)+0.0;
  $longHitList = MailScanner::Config::LanguageValue($Message, 'score') . '=' .
                 ($SAHits+0.0) . ', ' .
                 MailScanner::Config::LanguageValue($Message, 'required') .' ' .
                 $SAReqHits;
  $longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';
  $longHitList .= ", $SAHitList" if $SAHitList;
  $SAHitList = $longHitList;

  # Note to self: I only close the KID in the parent, not in the child.

  # Catch failures other than the alarm
  MailScanner::Log::DieLog("SpamAssassin failed with real error: $@")
    if $@ and $@ !~ /Command Timed Out/;

  # In which case any failures must be the alarm
  #if ($@ or $pid>0) {
  if ($pid>0) {
    $pid2delete = $pid;
    my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts');
    # Increment the "consecutive" counter
    #$safailures++;
    if ($maxfailures>0) {
      # We got a failure
      push @SAsuccessqueue, 1;
      $SAsuccessqsum++;
      # Roll the queue along one
      $SAsuccessqsum += (shift @SAsuccessqueue)?1:-1
        if @SAsuccessqueue>$queuelength;
      #print STDERR "Failure: sum = $SAsuccessqsum\n";
      $SAsuccessqsum = 0 if $SAsuccessqsum<0;

      if ($SAsuccessqsum>$maxfailures && @SAsuccessqueue>=$queuelength) {
        MailScanner::Log::WarnLog("SpamAssassin timed out (with no network" .
                                  " checks) and was killed, failure %d of %d",
                                  $SAsuccessqsum, $maxfailures*2);
      } else {
        MailScanner::Log::WarnLog("SpamAssassin timed out and was killed, " .
                                  "failure %d of %d",
                                  $SAsuccessqsum, $maxfailures);
      }
    } else {
      MailScanner::Log::WarnLog("SpamAssassin timed out and was killed");
    }

    # Make the report say SA was killed
    $SAHitList = MailScanner::Config::LanguageValue($Message, 'satimedout');
    $SAHits = 0;

    # Kill the running child process
    my($i);
    kill 15, $pid; # Was -15
    # Wait for up to 10 seconds for it to die
    for ($i=0; $i<5; $i++) {
      sleep 1;
      waitpid($pid, &POSIX::WNOHANG);
      ($pid=0),last unless kill(0, $pid);
      kill 15, $pid; # Was -15
    }
    # And if it didn't respond to 11 nice kills, we kill -9 it
    if ($pid) {
      kill 9, $pid; # Was -9
      waitpid $pid, 0; # 2.53
    }

    # As the child process must now be dead, remove the Bayes database
    # lock file if it exists. Only delete the lock file if it mentions
    # $pid2delete in its contents.
    if ($pid2delete && $MailScanner::SA::SABayesLock) {
      my $lockfh = new FileHandle;
      if ($lockfh->open($MailScanner::SA::SABayesLock)) {
        my $line = $lockfh->getline();
        chomp $line;
        $line =~ /(\d+)$/;
        my $pidinlock = $1;
        if ($pidinlock =~ /$pid2delete/) {
          unlink $MailScanner::SA::SABayesLock;
          MailScanner::Log::InfoLog("Delete bayes lockfile for %s",$pid2delete);
        }
        $lockfh->close();
      }
    }
    #unlink $MailScanner::SA::SABayesLock if $MailScanner::SA::SABayesLock;
  }
  #MailScanner::Log::WarnLog("8 PID is $pid");

  # SpamAssassin is known to play with the umask
  umask 0077; # Safety net

  # The return from the pipe is a measure of how spammy it was
  MailScanner::Log::DebugLog("SpamAssassin returned $PipeReturn");

  #$PipeReturn = $PipeReturn>>8;
  if ($SAHits && ($SAHits+$GSHits>=$SAReqHits)) {
    $IsItSpam = 1;
  } else {
    $IsItSpam = 0;
  }
  $HighScoreVal = MailScanner::Config::Value('highspamassassinscore',$Message);
  if ($SAHits && $HighScoreVal>0 && ($SAHits+$GSHits>=$HighScoreVal)) {
    $IsItHighScore = 1;
  } else {
    $IsItHighScore = 0;
  }
  #print STDERR "Check 3, is \"" . $Test->{conf}->{report_template} . "\"\n";
  return ($IsItSpam, $IsItHighScore, $SAHitList, $SAHits, $SAReport);
}

sub SATest {
  my($GSHits, $Test, $Mail, $Message) = @_;

  my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore, $AutoLearn);
  my($HighScoreVal, $pid2delete, $IncludeScores, $SAReport, $queuelength);
  my $PipeReturn = 0;

  $IncludeScores = MailScanner::Config::Value('listsascores', $Message);
  $queuelength = MailScanner::Config::Value('satimeoutlen', $Message);

  my($spamness, $SAResult, $HitList, @HitNames, $Hit);

  # Do the actual tests and work out the integer result
  if ($SAversion<3) {
    $spamness = $Test->check($Mail);
  } else {
    my $mail = $Test->parse($Mail, 1);
    $spamness = $Test->check($mail);
  }

  # 1st output is get_hits or get_score \n
  $SAHits = ($SAversion<3?$spamness->get_hits():$spamness->get_score()) + 0.0;
  $HitList = $spamness->get_names_of_tests_hit();
  if ($IncludeScores) {
    @HitNames = split(/\s*,\s*/, $HitList);
    $HitList = "";
    foreach $Hit (@HitNames) {
      $HitList .= ($HitList?', ':'') . $Hit . ' ' .
                  sprintf("%1.2f", $spamness->{conf}->{scores}->{$Hit});
    }
  }

  # Get the autolearn status
  if ($SAversion<3) {
    # Old code
    if (!defined $spamness->{auto_learn_status}) {
      $AutoLearn = "no";
    } elsif ($spamness->{auto_learn_status}) {
      $AutoLearn = "spam";
    } else {
      $AutoLearn = "not spam";
    }
  } else {
    # New code
    $spamness->learn();
    $AutoLearn = $spamness->{auto_learn_status};
    $AutoLearn = 'no' if $AutoLearn eq 'failed' || $AutoLearn eq "";
    $AutoLearn = 'not spam' if $AutoLearn eq 'ham';
  }

  # 3rd output is $HitList \n
  $SAHitList = $HitList;

  # JKF New code here to print out the full spam report
  $HitList = $spamness->get_report();
  $HitList =~ tr/\n/\0/;
  # 4th output is $HitList \n which is now full spam report
  $SAReport = $HitList . "\n";
  $spamness->finish();

  #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";

  # Construct the hit-list including the score we got.
  my($longHitList);
  $SAReqHits = MailScanner::Config::Value('reqspamassassinscore',$Message)+0.0;
  $longHitList = MailScanner::Config::LanguageValue($Message, 'score') . '=' .
                 ($SAHits+0.0) . ', ' .
                 MailScanner::Config::LanguageValue($Message, 'required') .' ' .
                 $SAReqHits;
  $longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';
  $longHitList .= ", $SAHitList" if $SAHitList;
  $SAHitList = $longHitList;

  # SpamAssassin is known to play with the umask
  umask 0077; # Safety net

  if ($SAHits && ($SAHits+$GSHits>=$SAReqHits)) {
    $IsItSpam = 1;
  } else {
    $IsItSpam = 0;
  }
  $HighScoreVal = MailScanner::Config::Value('highspamassassinscore',$Message);
  if ($SAHits && $HighScoreVal>0 && ($SAHits+$GSHits>=$HighScoreVal)) {
    $IsItHighScore = 1;
  } else {
    $IsItHighScore = 0;
  }
  return ($IsItSpam, $IsItHighScore, $SAHitList, $SAHits, $SAReport);
}

1;

From jaearick at colby.edu Fri Aug 11 21:15:59 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 11 21:18:50 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID:

Julian,

More input (late on a Friday afternoon)... I can't find the closing
bracket for "sub SAForkAndTest {" (line 722) either. I notice another
commented-out if at line whose curly bracket marries up with the
closing bracket for SAForkAndTest at line 955. Methinks that multiple
commented-out if brackets hid this bug well....

Jeff Earickson
Colby College

On Fri, 11 Aug 2006, Jeff A. Earickson wrote:

> Date: Fri, 11 Aug 2006 16:00:53 -0400 (EDT)
> From: Jeff A. Earickson
> Reply-To: MailScanner discussion
> To: mailscanner mailing list
> Subject: nasty bug in SA.pm (I think)
>
> Julian,
>
> I've been intermittently chasing this bug for several releases now,
> and I think that I may have it cornered. The problem: if I start
> MS with my /etc/init.d script, MS just loops and does nothing. If
> I start it via /opt/MailScanner/bin/check_mailscanner from cron,
> MailScanner works.
>
> The syslog output for a loop up looks like:
>
> MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10
> starting...
> MailScanner[25980]: Read 748 hostnames from the phishing whitelist
> MailScanner[25980]: Config: calling custom init function IPBlock
> MailScanner[25980]: Initialising IP blocking
> MailScanner[25980]: Read 128 IP blocking entries from
> /etc/MailScanner/IPBlock.conf
> MailScanner[25980]: Using SpamAssassin results cache
> MailScanner[25980]: Connected to SpamAssassin cache database
> (repeat ad nauseam)
>
> So I started putting in info syslog messages into lib/MailScanner/SA.pm
> after the "cache database" message to trace what happened. Attached
> is my modified version of SA.pm. I never get anything after the info
> msg "got to here3".
>
> So I stared at SA.pm. You commented out line 287:
>
> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>
> at some point, which commented out half of a curly-bracket block.
> I can't find where the right curly-bracket for this line is, and I
> think something is mis-aligned here.
>
> Using the power feature of vi whereby you put the cursor over a
> bracket, paren, etc and then hit "%", I don't find the closing curly bracket
> for line 72 ("sub initialise {"). This routine seems
> mangled and I think this is the root cause of the loop-up bug.
> But I can't figure out where the closing bracket for line 287 might be.
> Have I found this loopup bug in the mangled bracketing of initialise???
>
> Jeff Earickson
> Colby College

From jgolden at ci.grand-rapids.mi.us Fri Aug 11 21:25:05 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Fri Aug 11 21:25:40 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <96B97733-3A62-4EA1-B891-89CC62240015@ecs.soton.ac.uk>
References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us>

It wasn't my decision.
I work on contract, and it was the employer's decision.

On Wed, 2006-08-09 at 09:11 +0100, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you like MailScanner that much, why are you going to deploy those
> Barracudas?
> A commercial setup of MailScanner (such as DefenderMX from
> www.fsl.com) will outperform Barracudas and is considerably cheaper.
> There is a detailed feature and price comparison on www.fsl.com.
>
> On 9 Aug 2006, at 03:56, Golden, James wrote:
>
> > Sorry for being so stupid. After looking through it again, I see
> > what you were doing. 4 hours sleep a night catches up with you
> > after awhile.
> >
> > Thanks for all the help.
> >
> > We will be implementing the Barracuda's appliances here in the next
> > 5 weeks or so, that is why I am trying to "skate" by with this
> > setup for now. I figure what I am learning here will still help
> > out when we move to those appliances.
> >
> > Although I have to say with the exception of the file attachment
> > thing, since I upgraded and setup everything correctly (I think)
> > everyone has been noticing the difference here! In fact the guy
> > who handles the antivirus wasn't too happy with me, because now
> > more viruses are being caught as spam first. Our virus numbers in
> > email went from 200 - 300 a day to 1 - 10!
> >
> > Thanks all (Julian?!) for this fantastic software combination!. It
> > ROCKS!
> >
> > Thanks all who have helped with replies (especially Stephen), and
> > have put up with me!
> >
> > James Golden
> >
> >
> >
> > ----- Original Message -----
> > From: mailscanner-bounces@lists.mailscanner.info on behalf of
> > Stephen Swaney
> > Sent: Tue, 8/8/2006 10:55am
> > To: 'MailScanner discussion'
> > Subject: RE: Retreiving attachments
> >
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> >> Sent: Tuesday, August 08, 2006 9:35 AM
> >> To: MailScanner discussion
> >> Subject: Re: Retreiving attachments
> >>
> >> On another note, has anyone come up with a way to retrieve
> >> quarantined
> >> attachments without the intervention of the sys admin? Meaning the
> >> end
> >> user can get them themselves?
> >>
> >> I thought i heard a while back of some app to do this?
> >>
> >> Have a good one!
> >>
> >> Rob Morin
> >> Dido InterNet Inc.
> >> Montreal, Canada
> >> Http://www.dido.ca
> >> 514-990-4444
> >>
> >>
> >>
> >> Golden, James wrote:
> >>> Thanks for the answer. Sorry for the long delay in the thanks
> >>> departments.
> >>>
> >>> One more question here,
> >>>
> >>> Can I put more than one rules file in the Mailscanner.conf.
> >>> Currently
> >>> I am pointing to a ruleset already.
> >>>
> >>> Currently mine looks like this
> >>>
> >>> Filename Rules = %etc-dir%/filename.rules.conf
> >>>
> >>> so would it look like this?
> >>>
> >>> Filename Rules = %rules-dir%/filename.rules %etc-dir%/filename.rules.conf
> >>>
> >>> Or would I need to combine the .rules file into the .conf file
> >>>
> >>> Thanks for the help.
> >>>
> >>> James
> >>>
> >>>
> >>>
> >>> On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote:
> >>>>> -----Original Message-----
> >>>>> From: mailscanner-bounces@lists.mailscanner.info
> >>>>> >> bounces@lists.mailscanner.info> [mailto:mailscanner-
> >>>>> bounces@lists.mailscanner.info
> >> ] On Behalf Of Golden, James
> >>>>> Sent: Friday, August 04, 2006 5:10 PM
> >>>>> To: MailScanner discussion
> >>>>> Subject: Re: Retreiving attachments
> >>>>>
> >>>>> The attachments seem to be .doc or .xls or others and the client
> >> always
> >>>>> seems to be Outlook.
> >>>>>
> >>>>> On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote:
> >>>>>
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> I've have been wasting my whole day trying to figure out
> >>>>> how to do
> >>>>> this. Can anyone could help besides telling me to install
> >>>>> Mailwatch
> >>>>> (because it's not an option right now).
> >>>>>
> >>>>> I have messages that are being snagged by MailScanner
> >>>>> because the
> >>>>> attachment is too large. When I go to the directory the
> >>>>> attachment
> >> is in
> >>>>> binary in the message.
> >>>>>
> >>>>> I tried using a sendmail -t < message, but of course it
> >>>>> gets snagged
> >>>>> again by MS. Is there an option I'm missing to store the
> >>>>> attachments
> >>>>> separately from the message, is there a way to send this on
> >>>>> without
> >> it
> >>>>> being scanned? Is there a way to get the attachment out of the
> >> message?
> >>>>>
> >>>>> I need help soon as this is becoming a large issue today
> >>>>> (about 6
> >>>>> end users) and my boss is hearing about it!
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> James
> >>>>
> >>>> You need to create a rule sets that exempt the localhost from
> >> attachment
> >>>> filename and filetype checking. If you have a Red Hat, CentOS or
> >>>> SuSE
> >>>> system, the following paths will be correct. They will vary on
> >>>> other
> >> systems
> >>>> but the same principals will work.
> >>>>
> >>>> First create two files:
> >>>>
> >>>> /etc/MailScanner/filename.rules.allowall.conf
> >>>> /etc/MailScanner/filetype.rules.allowall.conf
> >>>>
> >>>> The contents of each file will be identical:
> >>>>
> >>>> allow *. - -
> >>>>
> >>>> The spaces MUST be Tabs so the contents of both files is really:
> >>>>
> >>>> allow*.->Tab>-
> >>>>
> >>>> Then create the file /etc/MailScanner/rules/filename.rules. The
> >> contents of
> >>>> this file should be:
> >>>>
> >>>> # Allow all filenames from localhost
> >>>> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf
> >>>> # Default entry
> >>>> FromOrTo: default /etc/MailScanner/filename.rules.conf
> >>>>
> >>>> Then create the file /etc/MailScanner/rules/filetype.rules. The
> >> contents of
> >>>> this file should be:
> >>>>
> >>>> # Allow all filetypes from localhost
> >>>> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf
> >>>> # Default entry
> >>>> FromOrTo: default /etc/MailScanner/filetype.rules.conf
> >>>>
> >>>> Then edit /etc/MailScanner.conf to call the new rulesets. Change
> >>>> the
> >> setting
> >>>> for Filename Rules to be:
> >>>>
> >>>> Filename Rules = %rules-dir%/filename.rules
> >>>>
> >>>> And change the setting for Filetype Rules to be:
> >>>>
> >>>> Filetype Rules = %rules-dir%/filetype.rules
> >>>>
> >>>> Then reload MailScanner.
> >>>>
> >>>> You should now be able to release the files using the
> >>>> `sendmail -t < message` command without MailScanner
> >>>> re-quarantining the files.
> >>>>
> >>>> Have a nice weekend.
> >>>>
> >>>> Steve
> >>>> Stephen Swaney
> >>>> Fort Systems Ltd.
> >>>> stephen.swaney@fsl.com
> >>>> www.fsl.com
> >
> > Open Source: MailWatch for MailScanner mailwatch.sourceforge.net
> > Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com
> >
> > Please contact me off list for more information about either.
> >
> > Thanks,
> >
> > Steve
> >
> > Stephen Swaney
> > Fort Systems Ltd.
> > stephen.swaney@fsl.com
> > www.fsl.com
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> - --
> Julian Field
> MailScanner@ecs.soton.ac.uk
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP SDK 3.7.0
> Charset: US-ASCII
>
> wj8DBQFE2ZjAEfZZRxQVtlQRAtbQAKDSbEKggJwSMy75sFjxi8pPr2PYGgCaA0pu
> A+YoIVWhhVgszzkXQPHrq+A=
> =7c6C
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060811/a8cb7f5d/attachment.html

From ssilva at sgvwater.com Fri Aug 11 21:49:38 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 21:50:17 2006
Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam'
In-Reply-To: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
Message-ID:

dnsadmin 1bigthink.com spake the following on 8/8/2006 7:43 AM:
> Hello All,
>
> T-Mobile's mailservers (tmodns.net) got black listed on numerous BLs. I
> have a handful of IMPORTANT mail users on my server sending mail with
> T-Mobile's servers right now.
>
> I have:
> Spam Lists To Be Spam = 3
> in MailScanner.conf and T-Mobile's mail server makes four of my lists.
> They are good, long-used and trusted BLs.
>
> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org spamhaus-XBL
> SORBS-SPAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB
> SORBS-BLOCK NJABL

I think SBL+XBL and spamhaus-XBL are redundant, as anything in the second
would probably be in the first.

>
> I don't want to open the rest of my users to the amount of spam these
> BLs help protect from. I would like these T-Mobile users to be able to
> send without getting tagged as spam, however.
>
> How can I set up a ruleset like this for individual users or individual
> domains?
> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count
>
>
> Thanks,
> Glenn
>

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Aug 11 22:01:04 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 22:01:27 2006
Subject: Hylafax on a MailScanner pc
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com>
Message-ID:

sandrews@andrewscompanies.com spake the following on 8/9/2006 3:33 PM:
> Ahem...all faxes are junk faxes. It's the 21st century for christ's
> sake.
>

As long as a signed and faxed document is legally binding, it is a necessary
evil. Someday, maybe a signed e-mail will be accepted as easily, but until then.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Aug 11 22:03:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 22:05:10 2006
Subject: quarantine password-protected files
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
Message-ID:

James D. Parra spake the following on 8/9/2006 5:24 PM:
>> I have been just storing all messages for a short period of time. Then you can
>> release anything you need to, and you can set up the system to kill after a
>> set number of days. Mailwatch makes this even easier.
>
> Hello Scott,
>
> How do you set this up if you're not using mailwatch?
>
> Thank you,
>
> ~James

MailScanner adds a cron job that you have to edit to enable this. I think it
is in /etc/cron.daily

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From octaviomaiden at yahoo.com Fri Aug 11 22:45:07 2006
From: octaviomaiden at yahoo.com (Octavio)
Date: Fri Aug 11 22:45:11 2006
Subject: agains mailscanner
In-Reply-To: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>

Hi, as many of you I'm on the postfix list too, I notice that most of the
user of this list prefer amavis-new and recently I see that some of them
don't recommend MailScanner with postfix because it has several fails like
lost and damage messages?

I use MailScanner in several servers without these kind of problems. do you
have any idea why some people think so?

Octavio

From lshaw at emitinc.com Fri Aug 11 23:26:57 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Aug 11 23:27:09 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID:

On Fri, 11 Aug 2006, Jeff A. Earickson wrote:
> So I stared at SA.pm. You commented out line 287:
>
> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>
> at some point, which commented out half of a curly-bracket block.
> I can't find where the right curly-bracket for this line is, and I
> think something is mis-aligned here.
>
> Using the power feature of vi whereby you put the cursor over a
> bracket, paren, etc and then hit "%", I don't find the closing curly bracket
> for line 72 ("sub initialise {"). This routine seems
> mangled and I think this is the root cause of the loop-up bug.

Beware of using "%" in vi on Perl code. vi's "%" feature was
written for C, and as you may have noticed, Perl's syntax is
not exactly the same as C's. :-) (It is similar enough to make
"%" work most of the time, though.)

In particular, vi really doesn't understand braces that are
commented out with Perl comments:

    while (1)
        {
        bar1();

        # this brace will confuse vi ---> }

        bar2();
        }

Try putting your cursor on the "{" right after the "while" and
hitting "%". You'll see it matching against the wrong brace.

In fact, I think that's what is happening with SA.pm. An easy
way to test it is to just delete the comment line with the brace
that's confusing vi. We are probably at different MailScanner
versions since the corresponding line on mine is at 285, but
if you delete the line with 'compilespamassassinonce' on it,
then try to match braces with "%", everything looks good.

- Logan

From ssilva at sgvwater.com Sat Aug 12 00:14:37 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Aug 12 00:14:49 2006
Subject: agains mailscanner
In-Reply-To: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
References: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us> <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
Message-ID:

Octavio spake the following on 8/11/2006 2:45 PM:
> Hi, as many of you I'm on the postfix list too, I
> notice that most of the user of this list prefer
> amavis-new and recently I see that some of them don't
> recommend MailScanner with postfix because it has
> several fails like lost and damage messages?
>
> I use MailScanner in several servers without these kind
> of problems. do you have any idea why some people
> think so?
>
> Octavio
>

Because that is the "party line" from the author of Postfix. He and Julian
have been at odds for a long time as to how MailScanner works, and how it is
against the way that Wietse wants programs to interact with postfix. Many
people have resolved the early conflicts, but the story over at postfix.org
hasn't changed much.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From drew at themarshalls.co.uk Sat Aug 12 00:49:38 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Sat Aug 12 00:49:58 2006
Subject: agains mailscanner
In-Reply-To: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
Message-ID: <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk>

On 11 Aug 2006, at 22:45, Octavio wrote:

> Hi, as many of you I'm on the postfix list too, I
> notice that most of the user of this list prefer
> amavis-new and recently I see that some of them don't
> recommend MailScanner with postfix because it has
> several fails like lost and damage messages?
>
> I use MailScanner in several servers without these kind
> of problems. do you have any idea why some people
> think so?

I think this sums it up really
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics

It's all about 'That's not the way I intended it to work'. Followed by
'I'm right and you are wrong 'cause it's my code' type attitudes.

Bottom line is it works and without mangling, truncating or causing
the recipient to catch some nasty disease. Although much claimed, so
far 2.3.x has not broken MS either...

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From jaearick at colby.edu Sat Aug 12 01:59:56 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Sat Aug 12 02:03:47 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID:

I came to this realization after a good dinner tonight. Sigh.

Jeff Earickson

On Fri, 11 Aug 2006, Logan Shaw wrote:

> Date: Fri, 11 Aug 2006 17:26:57 -0500 (CDT)
> From: Logan Shaw
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: nasty bug in SA.pm (I think)
>
> On Fri, 11 Aug 2006, Jeff A. Earickson wrote:
>> So I stared at SA.pm. You commented out line 287:
>>
>> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>>
>> at some point, which commented out half of a curly-bracket block.
>> I can't find where the right curly-bracket for this line is, and I
>> think something is mis-aligned here.
>>
>> Using the power feature of vi whereby you put the cursor over a
>> bracket, paren, etc and then hit "%", I don't find the closing curly
>> bracket for line 72 ("sub initialise {"). This routine seems
>> mangled and I think this is the root cause of the loop-up bug.
>
> Beware of using "%" in vi on Perl code. vi's "%" feature was
> written for C, and as you may have noticed, Perl's syntax is
> not exactly the same as C's. :-) (It is similar enough to make
> "%" work most of the time, though.)
>
> In particular, vi really doesn't understand braces that are
> commented out with Perl comments:
>
>     while (1)
>         {
>         bar1();
>
>         # this brace will confuse vi ---> }
>
>         bar2();
>         }
>
> Try putting your cursor on the "{" right after the "while" and
> hitting "%". You'll see it matching against the wrong brace.
>
> In fact, I think that's what is happening with SA.pm. An easy
> way to test it is to just delete the comment line with the brace
> that's confusing vi. We are probably at different MailScanner
> versions since the corresponding line on mine is at 285, but
> if you delete the line with 'compilespamassassinonce' on it,
> then try to match braces with "%", everything looks good.
>
> - Logan
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jaearick at colby.edu Sat Aug 12 01:58:57 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Sat Aug 12 02:03:51 2006
Subject: nasty bug in SA.pm (I think NOT)
In-Reply-To:
References:
Message-ID:

Julian,

I need those brain cells back that I killed off in college drinking
games. Once I made myself a copy of SA.pm with no comments in it, the
curly brackets lined up like I would expect. I will continue attempting
to corner this bug via syslog info msgs from the main bin/MailScanner
code.

Nevermind...

Jeff Earickson
Colby College

On Fri, 11 Aug 2006, Jeff A. Earickson wrote:

> Date: Fri, 11 Aug 2006 16:15:59 -0400 (EDT)
> From: Jeff A. Earickson
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: nasty bug in SA.pm (I think)
>
> Julian,
>
> More input (late on a Friday afternoon)...
>
> I can't find the closing bracket for "sub SAForkAndTest {" (line 722)
> either. I notice another commented-out if at line whose curly
> bracket marries up with the closing bracket for SAForkAndTest at line
> 955. Methinks that multiple commented-out if brackets hid this bug
> well....
>
> Jeff Earickson
> Colby College
>
> On Fri, 11 Aug 2006, Jeff A. Earickson wrote:
>
>> Date: Fri, 11 Aug 2006 16:00:53 -0400 (EDT)
>> From: Jeff A. Earickson
>> Reply-To: MailScanner discussion
>> To: mailscanner mailing list
>> Subject: nasty bug in SA.pm (I think)
>>
>> Julian,
>>
>> I've been intermittently chasing this bug for several releases now,
>> and I think that I may have it cornered. The problem: if I start
>> MS with my /etc/init.d script, MS just loops and does nothing. If
>> I start it via /opt/MailScanner/bin/check_mailscanner from cron,
>> MailScanner works.
>>
>> The syslog output for a loop up looks like:
>>
>> MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10
>> starting...
>> MailScanner[25980]: Read 748 hostnames from the phishing whitelist
>> MailScanner[25980]: Config: calling custom init function IPBlock
>> MailScanner[25980]: Initialising IP blocking
>> MailScanner[25980]: Read 128 IP blocking entries from
>> /etc/MailScanner/IPBlock.conf
>> MailScanner[25980]: Using SpamAssassin results cache
>> MailScanner[25980]: Connected to SpamAssassin cache database
>> (repeat ad nauseum)
>>
>> So I started putting in info syslog messages into lib/MailScanner/SA.pm
>> after the "cache database" message to trace what happened. Attached
>> is my modified version of SA.pm. I never get anything after the info
>> msg "got to here3".
>>
>> So I stared at SA.pm. You commented out line 287:
>>
>> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>>
>> at some point, which commented out half of a curly-bracket block.
>> I can't find where the right curly-bracket for this line is, and I
>> think something is mis-aligned here.
>>
>> Using the power feature of vi whereby you put the cursor over a
>> bracket, paren, etc and then hit "%", I don't find the closing curly
>> bracket for line 72 ("sub initialise {"). This routine seems
>> mangled and I think this is the root cause of the loop-up bug.
>> But I can't figure out where the closing bracket for line 287 might be.
>> Have I found this loopup bug in the mangled bracketing of initialise???
>>
>> Jeff Earickson
>> Colby College
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From doc at maddoc.net Sat Aug 12 03:30:33 2006
From: doc at maddoc.net (Doc Schneider)
Date: Sat Aug 12 03:30:42 2006
Subject: 70_sare_stocks.cf
In-Reply-To:
References: <44D18987.4070400@maddoc.net>
Message-ID: <44DD3D49.9070508@maddoc.net>

Mark Nienberg wrote:
> Doc Schneider wrote:
>> I added a "tweak" to the rule set that should catch more of these dang
>> image spams.
>>
>> For those of you running "SARE_STOCK" please let me know if these are
>> now being caught.
>
>
> After about a week of running the new rule set I realized that in
> addition to catching more of those dang image spams, I was also getting
> a lot of false positives. We receive a lot of messages from persons who
> write in html and attach a small gif image in their signature (usually a
> company logo). In fact, lots of my users do the same in their
> signatures (don't get me started). Consequently, I have had to disable
> the gif rules in the rule set.
>
> Mark
>

Mark,

You got more problems than the SARE_GIF_ATTACH if simple small images
are being caught and FP mails. Since it only has a score of 0.75 which
shouldn't be FP anything.

But of course as with anything YMMV.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From mike at tc3net.com Sat Aug 12 04:18:30 2006
From: mike at tc3net.com (Michael Baird)
Date: Sat Aug 12 04:18:45 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <1155352710.4625.7.camel@localhost.localdomain>

On Fri, 2006-08-11 at 09:09 -0800, Kevin Miller wrote:
> Michael Baird wrote:
>
> > Greylisting decreases load immeasurably on a mailscanner system, the
> > cost of greylisting is much less than allowing the message to go
> > through the mailscanner system. I deployed it several months ago, it
> > really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?

Yes it does, I also use greet pause, they really are two entirely
different ideas. Sendmail's greet pause is looking for smtp clients that
don't follow RFC properly (send data without waiting for
acknowledgement), while Greylisting relies on receiving mail from proper
smtp servers (they are told to retry delivery in a time period). Most of
the rogue dictionary attacking virus spambots will ignore this, and will
get caught in the greylist. It's an easy setup and low impact, hardly
noticeable by clients (I set my greylist time to 1 minute, with a 7 day
whitelist). Just give it a try, I've been really impressed with the
results since I've been running it. I use the one from
http://hcpnet.free.fr/milter-greylist/, with SPF checks enabled.

Regards
Michael Baird

From pascal.maes at elec.ucl.ac.be Sat Aug 12 07:37:11 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Aug 12 07:37:24 2006
Subject: Fwd: Problems on Solaris x86
In-Reply-To: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie>
References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie>
Message-ID: <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be>

>
> Message: 16
> Date: Fri, 11 Aug 2006 17:21:46 +0100 (BST)
> From: "Drew Marshall"
> Subject: Re: Fwd: Problems on Solaris x86
> To: "MailScanner discussion"
> Message-ID:
> <42275.194.70.180.170.1155313306.squirrel@webmail.r-bit.net>
> Content-Type: text/plain;charset=iso-8859-1
>
> On Fri, August 11, 2006 15:38, Pascal Maes wrote:
>> Now, when I start MailScanner I have the following lines in the
>> logfile :
>>
>> [...]
>
> And no mention of delivery (Or completion of scanning)? At this log point
> the batch is only being scanned for spam and not viruses. Can you turn on
> SpamAssassin debugging in MailScanner.conf and re-run the debug, it may
> yield something such as a permissions error in one of the SA processes.
>
> Drew
>

Well I didn't send all the stuff because it's long.
Here it is

1) in debugging mode

1.a) the message is stored in /var/spool/postfix/hold/

Aug 12 08:14:02 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:14:27 smtp-2-3 clamsmtpd: [ID 738258 mail.info] 100010: accepted connection from: 127.0.0.1
Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] EA0A918F9B: client=gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:14:50 smtp-2-3 postfix/cleanup[8761]: [ID 197553 mail.info] EA0A918F9B: hold: header Received: from smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id EA0A918F9B??for ; Sat, 12 Aug 2006 08:14:27 +0200 (CEST) from gaia.elec.ucl.ac.be[130.104.236.1]; from= to= proto=SMTP helo=
Aug 12 08:14:50 smtp-2-3 postfix/cleanup[8761]: [ID 197553 mail.info] EA0A918F9B: message-id=<20060812061427.EA0A918F9B@smtp-2.dynsipr.ucl.ac.be>
Aug 12 08:14:50 smtp-2-3 clamsmtpd: [ID 842912 mail.info] 100010: from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN
Aug 12 08:14:50 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Aug 12 08:14:51 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1]

1.b) MailScanner is launched in debugging mode

# /opt/MailScanner/bin/MailScanner
In Debugging mode, not forking...
Aug 12 08:16:00 localhost MailScanner[8763]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
[8763] dbg: logger: adding facilities: all
[8763] dbg: logger: logging level is DBG
[8763] dbg: generic: SpamAssassin version 3.1.4
[8763] dbg: config: score set 0 chosen.
[8763] dbg: util: running in taint mode? no
[8763] dbg: message: ---- MIME PARSER START ----
[8763] dbg: message: main message type: text/plain
[8763] dbg: message: parsing normal part
[8763] dbg: message: added part, type: text/plain
[8763] dbg: message: ---- MIME PARSER END ----
[8763] dbg: dns: is Net::DNS::Resolver available? yes
[8763] dbg: dns: Net::DNS version: 0.58
[8763] dbg: ignore: test message to precompile patterns and load modules
[8763] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[8763] dbg: config: read file /etc/mail/spamassassin/init.pre
[8763] dbg: config: read file /etc/mail/spamassassin/v310.pre
[8763] dbg: config: read file /etc/mail/spamassassin/v312.pre
[8763] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
[8763] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
[8763] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dkim.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf
[8763] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf
[8763] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[8763] dbg: config: read file /etc/mail/spamassassin/local.cf
[8763] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
Aug 12 08:16:02 localhost MailScanner[8763]: Using SpamAssassin results cache
Aug 12 08:16:02 localhost MailScanner[8763]: Connected to SpamAssassin cache database
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x81bd304)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9c9aea0)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x9cbaa00)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[8763] dbg: dcc: network tests on, registering DCC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x9c9de74)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[8763] dbg: razor2: razor2 is available, version 2.61
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x9ca007c)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[8763] dbg: reporter: network tests on, attempting SpamCop
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa0aa358)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa0db39c)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa0e13d8)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::TextCat from @INC
[8763] dbg: textcat: loading languages file...
[8763] dbg: textcat: loaded 73 language models
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::TextCat=HASH(0xa0c4658)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xaac7418)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xaae6eb4)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xaaea380)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xaaed5ac)
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d8cf94), already registered
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9d8cf64), already registered
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF=HASH(0xaaea578), already registered
[8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC
[8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::DKIM=HASH(0xab309bc)

... lot of stuff

[8763] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xaaea380) implements 'finish_parsing_end'
[8763] dbg: replacetags: replacing tags
[8763] dbg: replacetags: done replacing tags
[8763] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks
[8763] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen
[8763] dbg: bayes: found bayes db version 3
[8763] dbg: bayes: DB journal sync: last sync: 1155304906
[8763] dbg: config: score set 3 chosen.
[8763] dbg: message: ---- MIME PARSER START ----
[8763] dbg: message: main message type: text/plain
[8763] dbg: message: parsing normal part
[8763] dbg: message: added part, type: text/plain
[8763] dbg: message: ---- MIME PARSER END ----

... and a lot of info from Spamassassin

[8766] dbg: learn: auto-learn? ham=0.1, spam=8, body-points=0, head-points=1.477, learned-points=-0.74
[8766] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam
Ignore errors about failing to find EOCD signature
Aug 12 08:16:18 localhost MailScanner[8763]: Message EA0A918F9B.9CB24 from 127.0.0.1 (mp@elec.ucl.ac.be) to uclouvain.be is n'est pas un polluriel, SpamAssassin (score=1.612, requis 5, BAYES_20 -0.74, MSGID_FROM_MTA_ID 1.39, NO_REAL_NAME 0.96, SPF_HELO_PASS -0.00, SPF_PASS -0.00)
Aug 12 08:16:18 localhost MailScanner[8763]: Virus and Content Scanning: Starting
Stopping now as you are debugging me.
#
Aug 12 08:16:27 localhost MailScanner[8763]: Requeue: EA0A918F9B.9CB24 to 7754518F9C
Aug 12 08:16:27 localhost MailScanner[8763]: Uninfected: Delivered 1 messages
Aug 12 08:16:27 smtp-2-3 postfix/qmgr[6626]: [ID 197553 mail.info] 7754518F9C: from=, size=1134, nrcpt=1 (queue active)
Aug 12 08:16:27 localhost MailScanner[8763]: MailScanner child dying of old age
Aug 12 08:16:27 smtp-2-3 postfix/smtp[8773]: [ID 197553 mail.info] 7754518F9C: to=, orig_to=, relay=gaia.elec.ucl.ac.be[130.104.236.1]:25, delay=120, delays=119/0.01/0.04/0.27, dsn=2.0.0, status=sent (250 2.0.0 k7C6H0RQ011339 Message accepted for delivery)
Aug 12 08:16:27 smtp-2-3 postfix/qmgr[6626]: [ID 197553 mail.info] 7754518F9C: removed

As you see, the message is sent.

2) in "real" mode

2.a) MailScanner is launched (only one child)

# /opt/MailScanner/bin/MailScanner
Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin results cache
Aug 12 08:24:28 localhost MailScanner[8820]: Connected to SpamAssassin cache database

2.b) a message has been sent

Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011: accepted connection from: 127.0.0.1
Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1]
Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 mail.info] CA55418F9B: hold: header Received: from smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST) from gaia.elec.ucl.ac.be[130.104.236.1]; from= to= proto=SMTP helo=
Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 mail.info] CA55418F9B: message-id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be>
Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011: from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN
Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1]

# ps -ef | grep MailScanner
postfix 8835 2400 0 08:26:59 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner
postfix 8836 8835 34 08:26:59 ? 0:25 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner

but the message remains in the queue

# ls -l /var/spool/postfix/hold/C
total 4
-rwx------ 1 postfix postfix 1212 Aug 12 08:25 CA55418F9B*

Another strange thing is that MailScanner is consuming CPU :

# date ; ps -ef | grep MailScanner
Sat Aug 12 08:34:23 CEST 2006
root 8860 8715 0 08:34:24 pts/4 0:00 grep MailScanner
postfix 8835 2400 0 08:26:59 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner
postfix 8836 8835 50 08:26:59 ? 7:23 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner

# top
load averages: 1.71, 75.23, 74.48 08:34:40
45 processes: 42 sleeping, 3 on cpu
CPU states: 49.4% idle, 50.2% user, 0.4% kernel, 0.0% iowait, 0.0% swap
Memory: 2047M real, 1140M free, 647M swap in use, 2854M swap free

 PID USERNAME LWP PRI NICE  SIZE   RES STATE  TIME    CPU COMMAND
8836 postfix    1  10    0   85M   73M cpu/1  7:40 49.91% MailScanner
8861 root       1  59    0 3176K 1216K cpu/0  0:00  0.02% top

--
Pascal

From chris at kimptoc.net Sat Aug 12 11:41:09 2006
From: chris at kimptoc.net (Chris Kimpton)
Date: Sat Aug 12 11:45:07 2006
Subject: New MS on Gentoo Linux
References:
Message-ID:

Hi Erik,

Erik van der Leun hal9000.nl> writes:
>
> Hi hi,
>
> On gentoo linux, I choose to use the perl thingies from portage, instead
> of the perl modules delivered with MailScanner...
>
> This ends up with the wrong name for the module needed when starting
> MailScanner, namely DiskSpace.pm instead of Df.pm. I fixed it quickly
> by creating a simple symlink.
>

Thanks for this - do you know which is correct Df or DiskSpace - that is,
who needs to fix it MailScanner or Gentoo...

Thanks,
Chris

From drew at themarshalls.co.uk Sat Aug 12 12:46:17 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Sat Aug 12 12:46:36 2006
Subject: Problems on Solaris x86
In-Reply-To: <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be>
References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be>
Message-ID: <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk>

On 12 Aug 2006, at 07:37, Pascal Maes wrote:
>
> Well I didn't send all the stuff because it's long.
>
> # /opt/MailScanner/bin/MailScanner
> Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail
> Virus Scanner version 4.55.10 starting...
> Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin > results cache > Aug 12 08:24:28 localhost MailScanner[8820]: Connected to > SpamAssassin cache database > > 2.b) a message has been sent > > Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > connect from gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011: > accepted connection from: 127.0.0.1 > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > connect from localhost[127.0.0.1] > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 > mail.info] CA55418F9B: hold: header Received: from > smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by > smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for > ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST) > from gaia.elec.ucl.ac.be[130.104.236.1]; from= > to= proto=SMTP helo= > Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 > mail.info] CA55418F9B: message- > id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be> > Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011: > from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN > Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > disconnect from localhost[127.0.0.1] > Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > disconnect from gaia.elec.ucl.ac.be[130.104.236.1] And there's no MailScanner log entry below this? I notice you are running hashed queues. Have you followed this http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation#problems_or_errors particularly the hashed queue bit? 
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:39:18 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 14:39:29 2006 Subject: Searching and recovering mails from /var/spool/mailScanner/archive In-Reply-To: <00c701c6bd2f$63f3ea40$1465a8c0@support01> References: <00c701c6bd2f$63f3ea40$1465a8c0@support01> Message-ID: <44DDDA06.2060503@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MailWatch. Nigel Kendrick wrote: > Hi Folks, > > No doubt this has been asked before but I'm not having much luck searching > for ideas so... > > I have to search and recover some emails from the MailScanner archive > folders - are there any nice tools to do this before I start to do some > scripting? > > Thanks > > Nigel Kendrick > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3doIEfZZRxQVtlQRAqowAKCTVvmVBkQYbyzIt8VydN1/mdIRrQCfUJB1 m88kC2Dvmpffq12uMhyT358= =PQPV -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:41:24 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 14:41:32 2006 Subject: Problems on Solaris x86 In-Reply-To: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> Message-ID: <44DDDA84.5060109@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pascal Maes wrote: > Hello, > > > I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 system. > The MTA is postfix and MailScanner is running as the postfix User. > > I have the following problems : > > - there are no logging Either download my latest version of MailScanner 4.55 or install Sys::Syslog 0.17. And skip the "make test" bit when installing that module, it hangs on some systems. > - when I run MailScanner in debug mode, it works : > > # ../bin/MailScanner > In Debugging mode, not forking... > Ignore errors about failing to find EOCD signature > Stopping now as you are debugging me. > > and the mails which are in the queue are sent. > > - when I start MailScanner not in debug mode, it forks (until the > limit), but nothing happens > It's the same if I launch MailScanner in foreground : > > # ../bin/MailScanner > MailScanner 4.55.10 starting in foreground mode - pid is [4162] > About to fork child #1 of 10... > Forked OK - new child is [4163] > About to fork child #2 of 10... > Forked OK - new child is [4164] > ... > About to fork child #10 of 10... > Forked OK - new child is [4172] > > but nothing else. > > Of course, without any logging, it's not easy to find the problem > > Same problem with MailScanner 4.54-6 Check the "Lock Type" you are using. You should be able to leave it blank for Postfix. > > Any idea ? 
> > -- > Pascal > > > > --MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3dqGEfZZRxQVtlQRAuaJAJ4pCnXRJAuMF1gFKioT5VRkSt2BYQCgraOS OKaSIdHGP8qqivTa3p6qFVU= =KZee -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:44:16 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 14:44:26 2006 Subject: Rul set for Spam Subject Text ??? In-Reply-To: <20060811123404.94338.qmail@web54407.mail.yahoo.com> References: <20060811123404.94338.qmail@web54407.mail.yahoo.com> Message-ID: <44DDDB30.9060802@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Write a ruleset called something like /etc/MailScanner/spam.tag.rules containing FromOrTo: domain1.com no FromOrTo: default yes and then put Spam Modify Subject = %rules-dir%/spam.tag.rules in MailScanner.conf. Then restart MailScanner. jay shi wrote: > Hi , > I am using MailScanner 4.48.4 with multidomain > sendmail. For low Score SPAM i am using this > Spam Subject Text = {possible spam} as a tag > One of my domain ask me, he dont't want this tag > , but other domains are demanding this feature. 
> I want to write a rule set for the above condition, I > made > the required ruleset but it is not working. Does anyone > know how to write this rule set? > > Thanks & Regards > Jayesh > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3dsyEfZZRxQVtlQRAmlmAKDpAUdAkPQct7VGZv0SxRJ/cPakpgCg2ntP 0eRYTK+1yi63JqByw67pGW4= =qFZD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From pascal.maes at elec.ucl.ac.be Sat Aug 12 14:46:27 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sat Aug 12 14:46:36 2006 Subject: Problems on Solaris x86 In-Reply-To: <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk> References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be> <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk> Message-ID: On 12 Aug 06, at 13:46, Drew Marshall wrote: > On 12 Aug 2006, at 07:37, Pascal Maes wrote: > >> >> Well I didn't send all the stuff because it's long. > >> >> # /opt/MailScanner/bin/MailScanner >> Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail >> Virus Scanner version 4.55.10 starting... 
>> Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin >> results cache >> Aug 12 08:24:28 localhost MailScanner[8820]: Connected to >> SpamAssassin cache database >> >> 2.b) a message has been sent >> >> Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553 >> mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1] >> Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011: >> accepted connection from: 127.0.0.1 >> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 >> mail.info] connect from localhost[127.0.0.1] >> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553 >> mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1] >> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 >> mail.info] CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1] >> Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 >> mail.info] CA55418F9B: hold: header Received: from >> smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by >> smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for >> ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST) >> from gaia.elec.ucl.ac.be[130.104.236.1]; from= >> to= proto=SMTP helo= >> Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 >> mail.info] CA55418F9B: message- >> id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be> >> Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011: >> from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN >> Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553 >> mail.info] disconnect from localhost[127.0.0.1] >> Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553 >> mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1] > > And there no MailScanner log entry below this? No, just what you see below 2.a > > I notice you are running hashed queues. Have you followed this > http://wiki.mailscanner.info/doku.php? > id=documentation:configuration:mta:postfix:installation#problems_or_er > rors particularly the hashed queue bit? 
> I'm using postfix 2.3.2 and didn't do anything about the queues. The same configuration is working on a linux box and it works in debugging mode. -- Pascal From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:47:38 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 14:47:47 2006 Subject: Fwd: Problems on Solaris x86 In-Reply-To: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> Message-ID: <44DDDBFA.9020503@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pascal Maes wrote: > > > Begin forwarded message: > >> >> Hello, >> >> >> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 >> system. >> The MTA is postfix and MailScanner is running as the postfix User. >> >> I have the following problems : >> >> - there are no logging > > In Log.pm we have : > > eval { > if ($^O !~ /solaris|sunos|irix/i) { > Sys::Syslog::setlogsock('unix'); > } # else { > # Sys::Syslog::setlogsock('stream'); > # } > > It seems that for solaris, it should be 'inet' instead of 'unix' The latest news is that I should remove the setlogsock call completely, I will be asking the beta-testers group to test this for me. The Log.pm code may undergo quite a few changes in the next month or two. > > >> - when I run MailScanner in debug mode, it works : >> >> # ../bin/MailScanner >> In Debugging mode, not forking... >> Ignore errors about failing to find EOCD signature >> Stopping now as you are debugging me. >> >> and the mails which are in the queue are sent. >> >> - when I start MailScanner not in debug mode, it forks (until the >> limit), but nothing happens >> It's the same if I launch MailScanner in foreground : >> >> # ../bin/MailScanner >> MailScanner 4.55.10 starting in foreground mode - pid is [4162] >> About to fork child #1 of 10... >> Forked OK - new child is [4163] >> About to fork child #2 of 10... 
>> Forked OK - new child is [4164] >> ... >> About to fork child #10 of 10... >> Forked OK - new child is [4172] >> >> but nothing else. >> >> Of course, without any logging, it's not easy to find the problem >> >> Same problem with MailScanner 4.54-6 >> >> Any idea ? > > > Now, when I start MailScanner I have the following lines in the logfile : > > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results > cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin > cache database > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results > cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin > cache database > > but each mail remains in /var/spool/postfix/hold/ > > In debugging mode, I get : > > # /opt/MailScanner/bin/check_mailscanner > Starting MailScanner... > In Debugging mode, not forking... > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results > cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin > cache database > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... 
> Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results > cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin > cache database > Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock > Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1 > messages, 1232 bytes > Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting > > > > > -- > Pascal > > > > --MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3dv8EfZZRxQVtlQRAiYFAJ996I8JuSbPL6VSJwnArucGwq3regCgkVDq qHN9cafc5WhC6wz+xIHQVwI= =jLsF -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:59:40 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 14:59:50 2006 Subject: agains mailscanner In-Reply-To: <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> Message-ID: <44DDDECC.6030604@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Drew Marshall wrote: > On 11 Aug 2006, at 22:45, Octavio wrote: > >> Hi, as many of you Im on the postfix list too, I >> notice that most of the user of this list prefer >> amavis-new and recently I see that some of them dont >> recoment MailScanner with postfix because it has >> several fails like lost and damage messages? >> >> I use MailScanner in several severs without these kind >> of problems. do you have any idea why some people >> think so? > > I think this sums it up really > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics > > > It's all about 'That's not the way I intended it to work'. Followed by > 'I'm right and you are wrong 'cause it's my code' type attitudes. > > Bottom line is it works and without mangling, truncating or causing the > recipient to catch some nasty disease. Although much claimed, so far > 2.3.x has not broken MS either... MailScanner works just fine with Postfix. When I first designed MailScanner, and its support for Postfix, I dared to "think outside the box" and create a novel way of integrating with Postfix. Wietse didn't like that as he didn't think of it first :-) So he has been battling ever since to stop people using MailScanner with Postfix, with some success, despite the fact that it works perfectly well and won't lose or corrupt any of your mail. If you don't believe me, then try it and convince yourself. 
People have done things with MailScanner that I never dreamt of either, such as using it to filter web traffic, and using it to filter illicit images from mobile phone MMS text/picture messages on huge international mobile phone networks. I think that's fantastic and huge credit is due to them for create novel solutions to problems of their own! I can't say I have very much respect for the guy, but that's my personal opinion. On the subject of illicit image detection, particularly on mobile phone networks, I hope to contact one or two of you in the next day or two to see if you would be interested in joining development of this facility. And yes, MailScanner is used to filter MMS messages sent between phones on one of the largest multi-national mobile phone networks on the planet. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3d7PEfZZRxQVtlQRAmn5AKCc+U6R2fcQk3/I/VeTntgv/EYInwCg25N0 yFu+dlUCWDkV3Vhtui+9Q44= =bBgp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mike at tc3net.com Sat Aug 12 15:02:44 2006 From: mike at tc3net.com (Michael Baird) Date: Sat Aug 12 15:02:56 2006 Subject: Searching and recovering mails from /var/spool/mailScanner/archive In-Reply-To: <44DDDA06.2060503@ecs.soton.ac.uk> References: <00c701c6bd2f$63f3ea40$1465a8c0@support01> <44DDDA06.2060503@ecs.soton.ac.uk> Message-ID: <1155391365.4625.11.camel@localhost.localdomain> > MailWatch. 
> > Nigel Kendrick wrote: > > Hi Folks, > > > > No doubt this has been asked before but I'm not having much luck searching > > for ideas so... > > > > I have to search and recover some emails from the MailScanner archive > > folders - are there any nice tools to do this before I start to do some > > scripting? > > > > Thanks > > > > Nigel Kendrick > > > How with MailWatch? I've seen that answer before, is there documentation on how to use MailWatch to restore individual users from MailScanner archive directories? Or do we need to write our own scripting to find the message id's from MailWatch's database. Regards Michael Baird From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:03:58 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 15:04:15 2006 Subject: nasty bug in SA.pm (I think) In-Reply-To: References: Message-ID: <44DDDFCE.3080707@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If there had been mis-matching brackets, then perl -c SA.pm would have failed. Remember that Perl compiles all the code before it starts running it, it isn't an interpreted scripting language, it's a compiled one. So the syntax basically has to be right before it will start executing anything (apart from things like eval "" code and stuff like that). Jeff A. Earickson wrote: > I came to this realization after a good dinner tonight. Sigh. > > Jeff Earickson > > On Fri, 11 Aug 2006, Logan Shaw wrote: > >> Date: Fri, 11 Aug 2006 17:26:57 -0500 (CDT) >> From: Logan Shaw >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: nasty bug in SA.pm (I think) >> >> On Fri, 11 Aug 2006, Jeff A. Earickson wrote: >>> So I stared at SA.pm. You commented out line 287: >>> >>> #if (MailScanner::Config::Value('compilespamassassinonce')) { >>> >>> at some point, which commented out half of a curly-bracket block. >>> I can't find where the right curly-bracket for this line is, and I >>> think something is mis-aligned here. 
>>> >>> Using the power feature of vi whereby you put the cursor over a >>> bracket, paren, etc and then hit "%", I don't find the closing curly >>> bracket for line 72 ("sub initialise {"). This routine seems >>> mangled and I think this is the root cause of the loop-up bug. >> >> Beware of using "%" in vi on Perl code. vi's "%" feature was >> written for C, and as you may have noticed, Perl's syntax is >> not exactly the same as C's. :-) (It is similar enough to make >> "%" work most of the time, though.) >> >> In particular, vi really doesn't understand braces that are >> commented out with Perl comments: >> >> while (1) >> { >> bar1(); >> >> # this brace will confuse vi ---> } >> >> bar2(); >> } >> >> Try putting your cursor on the "{" right after the "while" and >> hitting "%". You'll see it matching against the wrong brace. >> >> In fact, I think that's what is happening with SA.pm. An easy >> way to test it is to just delete the comment line with the brace >> that's confusing vi. We are probably at different MailScanner >> versions since the corresponding line on mine is at 285, but >> if you delete the line with 'compilespamassassinonce' on it, >> then try to match braces with "%", everything looks good. >> >> - Logan >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! 
-----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3d/QEfZZRxQVtlQRApuXAJ9QcjEohJ3d3t0qDcbbQA+mZjAy0gCePcxd Vy3ILt5jNc9BfLMFwtLXvjY= =QAPx -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From pascal.maes at elec.ucl.ac.be Sat Aug 12 15:06:07 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sat Aug 12 15:06:10 2006 Subject: Problems on Solaris x86 In-Reply-To: <44DDDA84.5060109@ecs.soton.ac.uk> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> Message-ID: On 12 Aug 06, at 15:41, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Pascal Maes wrote: >> Hello, >> >> >> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 >> system. >> The MTA is postfix and MailScanner is running as the postfix User. >> >> I have the following problems : >> >> - there are no logging > > Either download my latest version of MailScanner 4.55 or install > Sys::Syslog 0.17. > And skip the "make test" bit when installing that module, it hangs on > some systems. I have MailScanner 4.55.10-3 and Sys::Syslog is up to date (0.17). > >> - when I run MailScanner in debug mode, it works : >> >> # ../bin/MailScanner >> In Debugging mode, not forking... >> Ignore errors about failing to find EOCD signature >> Stopping now as you are debugging me. >> >> and the mails which are in the queue are sent. >> >> - when I start MailScanner not in debug mode, it forks (until the >> limit), but nothing happens >> It's the same if I launch MailScanner in foreground : >> >> # ../bin/MailScanner >> MailScanner 4.55.10 starting in foreground mode - pid is [4162] >> About to fork child #1 of 10... >> Forked OK - new child is [4163] >> About to fork child #2 of 10... >> Forked OK - new child is [4164] >> ... 
>> About to fork child #10 of 10... >> Forked OK - new child is [4172] >> >> but nothing else. >> >> Of course, without any logging, it's not easy to find the problem >> >> Same problem with MailScanner 4.54-6 > > Check the "Lock Type" you are using. You should be able to leave it > blank for Postfix. in MailScanner.conf : Lock Type = -- Pascal From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:11:33 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 15:11:42 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: References: Message-ID: <44DDE195.3060001@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Michael Baird wrote: > >> Greylisting decreases load immeasurably on a mailscanner system, the >> cost of greylisting is much less then allowing the message to go >> through the mailscanner sytem. I deployed it several months ago, it >> really is a good tool, and I've had very few complaints (10000 users). > > I just use Sendmails greet pause which is 10 seconds to set up and works > a treat - does greylisting add significant control or improvement over > that? Anybody using them in tandom or is one or the other to be > preferred? I use both, and I have had to turn the greetpause setting down to about 2 or 3 seconds, as some systems (such as NTMail) don't check properly for the welcome message before sending the HELO or EHLO. At that sort of setting, it has little benefit. And there is no easy way to set up a whitelist with greetpause. Greylisting (using milter-greylist) has a superb little whitelist facility, and shares the current greylist database between multiple MX's with minimal effort, using a TCP connection between each one. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3eGWEfZZRxQVtlQRArXDAKCYHIHC+TwJPEGC9nTeYYCWKH9klwCgw8X/ Ox37MnqEyfYuTaJ52Ju6sEk= =rBze -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:19:20 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 15:19:30 2006 Subject: New MS on Gentoo Linux In-Reply-To: References: Message-ID: <44DDE368.3090707@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Kimpton wrote: > Hi Erik, > > Erik van der Leun hal9000.nl> writes: > >> Hi hi, >> >> On gentoo linux, I choose to use the perl thingies from portage, instead >> of the perl modules delivered with MailScanner... >> >> This ends up with the wrong name for the module needed when starting >> MailScanner, namely DiskSpace.pm instead of Df.pm. I fixed it quickly >> by creating a simple symlink. >> > > Thanks for this - do you know which is correct Df or DiskSpace - that is, who > needs to fix it MailScanner or Gentoo... Message.pm contains: use Filesys::Df; in the latest code. And that is what is installed by the installation script install.sh. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3eNrEfZZRxQVtlQRAgkUAKCWo9VLvp7HSa7ns1iv2Wax5U0hpgCgqZVa Ioh4ClX/YOkbPVGn6B7VvYE= =9CW3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:28:51 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 15:28:58 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <20060811121030.A64675@mikea.ath.cx> References: <1155315918.31265.3.camel@mike-new2.tc3net.com> <20060811121030.A64675@mikea.ath.cx> Message-ID: <44DDE5A3.2050607@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mikea wrote: > On Fri, Aug 11, 2006 at 01:05:18PM -0400, Michael Baird wrote: >> On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote: >>> On Fri, 11 Aug 2006, Jim Holland wrote: >>>> Another concern is the impact that greylisting would have on the Internet >>>> if its adoption became widespread - it would mean that all mail servers >>>> would have to work twice as hard to deliver mail. >>> Actually, it's only some mail servers. Greylisting lets known >>> senders through without a delay. Mail servers that are mostly >>> sending messages to recipients who recognize them would not >>> see delays. Mail servers that are mostly sending messages >>> to those who don't recognize them would see the delays. So, >>> it makes mail servers up to twice as hard. >>> >>> Also, while I agree that it would increase the load, in >>> general I think decreasing spam is worth some increased load. 
>>> Sure, it's a slippery slope (one could imagine things getting >>> so bloated that it takes 5 minutes of CPU time to deliver one >>> message, if we keep on adding limitless spam-fighting strategy), >>> but on the other hand, 10 seconds of CPU time spent catching >>> spam automatically is cheaper than 10 seconds of a human's >>> time deleting it manually. >> Greylisting decreases load immeasurably on a mailscanner system, the >> cost of greylisting is much less then allowing the message to go through >> the mailscanner sytem. I deployed it several months ago, it really is a >> good tool, and I've had very few complaints (10000 users). > > My complaints have, almost without exception, come from users who think > that E-mail should show up in their inboxes Right DamnIt _NOW_. I have 2000 users who are just like that, they use email instead of the phone quite a lot of the time. And why not, after all, it's pretty instant and they get to re-phrase what they say before the recipient gets it. I do it myself. So I set the delay to 10 minutes, with the memory time set to 32 days. 32 days means you effectively whitelist all the monthly emails from mailing list servers, as I don't want to make list servers' lives any harder than they are already. I talked to some of my fussiest users, and to my top management, and persuaded them to take part in an email spam fight test for a week. I refused to tell them what I was doing, just that they wouldn't lose any real mail and were quite safe. After the test, I asked them for the experiences, particularly any "hunches" or "feelings" they had about what had happened in the past week. Not *one* person commented about any delay. I have now deployed it across the entire place, and they love it. So do a totally blind test with your fussiest users, like I did. And then go for it! 
:-)

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From pascal.maes at elec.ucl.ac.be Sat Aug 12 16:03:50 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Aug 12 16:03:54 2006
Subject: Problems on Solaris x86
In-Reply-To:
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk>
Message-ID: <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be>

On 12 Aug 06, at 16:06, Pascal Maes wrote:

>>
>> Check the "Lock Type" you are using. You should be able to leave it
>> blank for Postfix.
>
> in MailScanner.conf :
>
> Lock Type =
>
>

I have copied /opt/MailScanner from the Solaris 10 x86 on a Solaris 9 Sparc box.
It's the same configuration (with Lock Type = )

On the Solaris 9 (sparc) box, I have :

# /opt/MailScanner/bin/MailScanner
Aug 12 16:59:23 smtp1e MailScanner[29806]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 16:59:28 smtp1 MailScanner[29806]: Using SpamAssassin results cache
Aug 12 16:59:28 smtp1 MailScanner[29806]: Connected to SpamAssassin cache database
Aug 12 16:59:35 smtp1 MailScanner[29806]: Using locktype = flock

On the Solaris 10 (x86), in debugging mode, I have :

# /opt/MailScanner/bin/MailScanner
In Debugging mode, not forking...
Aug 12 17:00:51 localhost MailScanner[19018]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 17:00:52 localhost MailScanner[19018]: Using SpamAssassin results cache
Aug 12 17:00:52 localhost MailScanner[19018]: Connected to SpamAssassin cache database
Aug 12 17:00:54 localhost MailScanner[19018]: Using locktype = flock

but in "normal" mode :

# /opt/MailScanner/bin/MailScanner
Aug 12 17:02:11 localhost MailScanner[19025]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 17:02:11 localhost MailScanner[19025]: Using SpamAssassin results cache
Aug 12 17:02:11 localhost MailScanner[19025]: Connected to SpamAssassin cache database

the line "Using locktype = flock" doesn't come

--
Pascal

From denis at croombs.org Sat Aug 12 16:03:48 2006
From: denis at croombs.org (Denis Croombs)
Date: Sat Aug 12 16:04:14 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DDE195.3060001@ecs.soton.ac.uk>
Message-ID: <200608121505.k7CF5uWA020918@rack2.justlinux1.net>

> >> Greylisting decreases load immeasurably on a mailscanner
> system, the
> >> cost of greylisting is much less than allowing the message to go
> >> through the mailscanner system. I deployed it several
> months ago, it
> >> really is a good tool, and I've had very few complaints
> (10000 users).
> >
> > I just use Sendmail's greet pause which is 10 seconds to set up and
> > works a treat - does greylisting add significant control or
> > improvement over that? Anybody using them in tandem or is
> one or the
> > other to be preferred?
>
> I use both, and I have had to turn the greetpause setting
> down to about
> 2 or 3 seconds, as some systems (such as NTMail) don't check
> properly for the welcome message before sending the HELO or
> EHLO. At that sort of setting, it has little benefit. And
> there is no easy way to set up a whitelist with greetpause.
>
> Greylisting (using milter-greylist) has a superb little
> whitelist facility, and shares the current greylist database
> between multiple MX's with minimal effort, using a TCP
> connection between each one.
I have been trying to install milter-greylist all day on my sendmail 8.12 & 8.13 systems (Redhat & Centos mixture), but keep getting the error

"checking for smfi_register in -lmilter -lsm... no
checking for smfi_register in -lmilter -lsmutil... no
Required libmilter not found. Use --with-libmilter"

I have tried google, but as yet have not found the answer, can any kind person give me a clue?

Thanks
Denis

From mailscanner at mango.zw Sat Aug 12 16:27:02 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Sat Aug 12 16:33:18 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DDE195.3060001@ecs.soton.ac.uk>
Message-ID:

On Sat, 12 Aug 2006, Julian Field wrote:

> Kevin Miller wrote:
> > Michael Baird wrote:
> >
> >> Greylisting decreases load immeasurably on a mailscanner system, the
> >> cost of greylisting is much less than allowing the message to go
> >> through the mailscanner system. I deployed it several months ago, it
> >> really is a good tool, and I've had very few complaints (10000 users).
> >
> > I just use Sendmail's greet pause which is 10 seconds to set up and works
> > a treat - does greylisting add significant control or improvement over
> > that? Anybody using them in tandem or is one or the other to be
> > preferred?
>
> I use both, and I have had to turn the greetpause setting down to about
> 2 or 3 seconds, as some systems (such as NTMail) don't check properly
> for the welcome message before sending the HELO or EHLO. At that sort of
> setting, it has little benefit. And there is no easy way to set up a
> whitelist with greetpause.

I just put "GreetPause: 0" entries in the access file before the default entry.
See sendmail notes:

        If FEATURE(`access_db') is enabled, an access database
        lookup with the GreetPause tag is done using client
        hostname, domain, IP address, or subnet to determine the
        pause time:

        GreetPause:my.domain    0
        GreetPause:example.com  5000
        GreetPause:10.1.2       2000
        GreetPause:127.0.0.1    0

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From pascal.maes at elec.ucl.ac.be Sat Aug 12 16:37:24 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Aug 12 16:37:27 2006
Subject: Problems on Solaris x86
In-Reply-To: <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be>
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be>
Message-ID:

On 12 Aug 06, at 17:03, Pascal Maes wrote:

>
>
>
> but in "normal" mode :
>
> # /opt/MailScanner/bin/MailScanner
> Aug 12 17:02:11 localhost MailScanner[19025]: MailScanner E-Mail
> Virus Scanner version 4.55.10 starting...
> Aug 12 17:02:11 localhost MailScanner[19025]: Using SpamAssassin
> results cache
> Aug 12 17:02:11 localhost MailScanner[19025]: Connected to
> SpamAssassin cache database
>
> the line "Using locktype = flock" doesn't come
>

I add some InfoLog in MailScanner to see where the process is blocked.

In lib/MailScanner/SA.pm :

    # If they are using MCP at all, then we need to compile SA differently
    # here due to object clashes within SA.
    if (MailScanner::Config::IsSimpleValue('mcpchecks') &&
        !MailScanner::Config::Value('mcpchecks')) {
      # They are definitely not using MCP
      MailScanner::Log::InfoLog("7");
      $MailScanner::SA::SAspamtest->compile_now();
      MailScanner::Log::InfoLog("8");

I see the 7 but never the 8

Why $MailScanner::SA::SAspamtest->compile_now() doesn't finish ?
--
Pascal

From mikea at mikea.ath.cx Sat Aug 12 17:26:53 2006
From: mikea at mikea.ath.cx (mikea)
Date: Sat Aug 12 17:26:57 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <200608121505.k7CF5uWA020918@rack2.justlinux1.net>; from denis@croombs.org on Sat, Aug 12, 2006 at 04:03:48PM +0100
References: <44DDE195.3060001@ecs.soton.ac.uk> <200608121505.k7CF5uWA020918@rack2.justlinux1.net>
Message-ID: <20060812112653.A71763@mikea.ath.cx>

On Sat, Aug 12, 2006 at 04:03:48PM +0100, Denis Croombs wrote:
> > >> Greylisting decreases load immeasurably on a mailscanner
> > system, the
> > >> cost of greylisting is much less than allowing the message to go
> > >> through the mailscanner system. I deployed it several
> > months ago, it
> > >> really is a good tool, and I've had very few complaints
> > (10000 users).
> > >
> > > I just use Sendmail's greet pause which is 10 seconds to set up and
> > > works a treat - does greylisting add significant control or
> > > improvement over that? Anybody using them in tandem or is
> > one or the
> > > other to be preferred?
> >
> > I use both, and I have had to turn the greetpause setting
> > down to about
> > 2 or 3 seconds, as some systems (such as NTMail) don't check
> > properly for the welcome message before sending the HELO or
> > EHLO. At that sort of setting, it has little benefit. And
> > there is no easy way to set up a whitelist with greetpause.
> >
> > Greylisting (using milter-greylist) has a superb little
> > whitelist facility, and shares the current greylist database
> > between multiple MX's with minimal effort, using a TCP
> > connection between each one.
>
> I have been trying to install milter-greylist all day on my sendmail 8.12 &
> 8.13 systems (Redhat & Centos mixture), but keep getting the error "checking
> for smfi_register in -lmilter -lsm... no
> checking for smfi_register in -lmilter -lsmutil... no
> Required libmilter not found.
Use --with-libmilter"
>
> I have tried google, but as yet have not found the answer, can any kind
> person give me a clue?

You have to download and install libmilter to get pretty much any of Anthony Howe's milters to run.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From lday at txk.k12.ar.us Sat Aug 12 17:40:12 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Sat Aug 12 17:40:16 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <44DE046C.6010507@txk.k12.ar.us>

How can I tell if Sendmail's greetpause is working? I don't see any evidence in the log files..

Thanks,
Lynn

Jim Holland wrote:
> On Sat, 12 Aug 2006, Julian Field wrote:
>
>
>> Kevin Miller wrote:
>>
>>> Michael Baird wrote:
>>>
>>>
>>>> Greylisting decreases load immeasurably on a mailscanner system, the
>>>> cost of greylisting is much less than allowing the message to go
>>>> through the mailscanner system. I deployed it several months ago, it
>>>> really is a good tool, and I've had very few complaints (10000 users).
>>>>
>>> I just use Sendmail's greet pause which is 10 seconds to set up and works
>>> a treat - does greylisting add significant control or improvement over
>>> that? Anybody using them in tandem or is one or the other to be
>>> preferred?
>>>
>> I use both, and I have had to turn the greetpause setting down to about
>> 2 or 3 seconds, as some systems (such as NTMail) don't check properly
>> for the welcome message before sending the HELO or EHLO. At that sort of
>> setting, it has little benefit. And there is no easy way to set up a
>> whitelist with greetpause.
>>
>
> I just put "GreetPause: 0" entries in the access file before
> the default entry.
See sendmail notes:
>
>         If FEATURE(`access_db') is enabled, an access database
>         lookup with the GreetPause tag is done using client
>         hostname, domain, IP address, or subnet to determine the
>         pause time:
>
>         GreetPause:my.domain    0
>         GreetPause:example.com  5000
>         GreetPause:10.1.2       2000
>         GreetPause:127.0.0.1    0
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>
>

From mailscanner at ecs.soton.ac.uk Sat Aug 12 17:47:59 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 17:48:12 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DE046C.6010507@txk.k12.ar.us>
References: <44DE046C.6010507@txk.k12.ar.us>
Message-ID: <44DE063F.6060108@ecs.soton.ac.uk>

telnet port 25 and time the gap between the connection opening and the greeting text appearing.

James L. Day wrote:
> How can I tell if Sendmail's greetpause is working? I don't see any
> evidence in the log files..
>
> Thanks,
> Lynn
>
> Jim Holland wrote:
>> On Sat, 12 Aug 2006, Julian Field wrote:
>>
>>
>>> Kevin Miller wrote:
>>>
>>>> Michael Baird wrote:
>>>>
>>>>
>>>>> Greylisting decreases load immeasurably on a mailscanner system, the
>>>>> cost of greylisting is much less than allowing the message to go
>>>>> through the mailscanner system. I deployed it several months ago, it
>>>>> really is a good tool, and I've had very few complaints (10000 users).
>>>>>
>>>> I just use Sendmail's greet pause which is 10 seconds to set up and works
>>>> a treat - does greylisting add significant control or improvement over
>>>> that? Anybody using them in tandem or is one or the other to be
>>>> preferred?
>>>>
>>> I use both, and I have had to turn the greetpause setting down to about
>>> 2 or 3 seconds, as some systems (such as NTMail) don't check properly
>>> for the welcome message before sending the HELO or EHLO. At that sort of
>>> setting, it has little benefit.
And there is no easy way to set up a
>>> whitelist with greetpause.
>>>
>> I just put "GreetPause: 0" entries in the access file before
>> the default entry. See sendmail notes:
>>
>>         If FEATURE(`access_db') is enabled, an access database
>>         lookup with the GreetPause tag is done using client
>>         hostname, domain, IP address, or subnet to determine the
>>         pause time:
>>
>>         GreetPause:my.domain    0
>>         GreetPause:example.com  5000
>>         GreetPause:10.1.2       2000
>>         GreetPause:127.0.0.1    0
>>
>> Regards
>>
>> Jim Holland
>> System Administrator
>> MANGO - Zimbabwe's non-profit e-mail service
>>
>>
>

--
Julian Field
www.MailScanner.info

From steve.swaney at fsl.com Sat Aug 12 17:53:36 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Sat Aug 12 17:53:41 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DE046C.6010507@txk.k12.ar.us>
Message-ID: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of James L. Day
> Sent: Saturday, August 12, 2006 12:40 PM
> To: MailScanner discussion
> Subject: Re: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
>
> How can I tell if Sendmail's greetpause is working? I don't see any
> evidence in the log files..
>
> Thanks,
> Lynn
>

You'll see tons of messages similar to:

Aug 6 11:25:00 mta10 sendmail[7675]: k76FP0mR007675: rejecting commands from dsl-201-102-42-43.prod-infinitum.com.mx [201.102.42.43] due to pre-greeting traffic

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

> Jim Holland wrote:
> > On Sat, 12 Aug 2006, Julian Field wrote:
> >
> >
> >> Kevin Miller wrote:
> >>
> >>> Michael Baird wrote:
> >>>
> >>>
> >>>> Greylisting decreases load immeasurably on a mailscanner system, the
> >>>> cost of greylisting is much less than allowing the message to go
> >>>> through the mailscanner system. I deployed it several months ago, it
> >>>> really is a good tool, and I've had very few complaints (10000
> users).
> >>>>
> >>> I just use Sendmail's greet pause which is 10 seconds to set up and
> works
> >>> a treat - does greylisting add significant control or improvement over
> >>> that? Anybody using them in tandem or is one or the other to be
> >>> preferred?
> >>>
> >> I use both, and I have had to turn the greetpause setting down to about
> >> 2 or 3 seconds, as some systems (such as NTMail) don't check properly
> >> for the welcome message before sending the HELO or EHLO. At that sort
> of
> >> setting, it has little benefit. And there is no easy way to set up a
> >> whitelist with greetpause.
> >>
> >
> > I just put "GreetPause: 0" entries in the access file before
> > the default entry.
See sendmail notes:
> >
> >         If FEATURE(`access_db') is enabled, an access database
> >         lookup with the GreetPause tag is done using client
> >         hostname, domain, IP address, or subnet to determine the
> >         pause time:
> >
> >         GreetPause:my.domain    0
> >         GreetPause:example.com  5000
> >         GreetPause:10.1.2       2000
> >         GreetPause:127.0.0.1    0
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service
> >
> >

From lday at txk.k12.ar.us Sat Aug 12 18:22:59 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Sat Aug 12 18:23:02 2006
Subject: OT - Greylisting
In-Reply-To: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl>
References: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl>
Message-ID: <44DE0E73.7030009@txk.k12.ar.us>

Steve,

I ran the test that Julian sent and the welcome prompt was delayed about 5 seconds. When I added the host I ran the test from to "access.db", the prompt appeared almost immediately. So, greet_delay does appear to work.

I ran the following two commands and came up empty:

MailFilter:/var/log# grep "rejecting commands" *
MailFilter:/var/log# grep greeting *

I have Sendmail checking against a couple of blacklists in rbldnsd and that has been blocking about 98% of what comes in. Is it possible that Sendmail is doing the RBL lookup and refusing the message before greet_delay kicks in?

Thanks,
Lynn

Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of James L.
Day
>> Sent: Saturday, August 12, 2006 12:40 PM
>> To: MailScanner discussion
>> Subject: Re: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
>>
>> How can I tell if Sendmail's greetpause is working? I don't see any
>> evidence in the log files..
>>
>> Thanks,
>> Lynn
>>
>>
>
> You'll see tons of messages similar to:
>
> Aug 6 11:25:00 mta10 sendmail[7675]: k76FP0mR007675: rejecting commands
> from dsl-201-102-42-43.prod-infinitum.com.mx [201.102.42.43] due to
> pre-greeting traffic
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

From David.While at uce.ac.uk Sat Aug 12 18:17:33 2006
From: David.While at uce.ac.uk (David While)
Date: Sat Aug 12 18:24:41 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
References: <200608121505.k7CF5uWA020918@rack2.justlinux1.net>
Message-ID: <294B4B3243E76C4BA4FF7F54003B3BE10116ABB3@exchangea.staff.uce.ac.uk>

For the Redhat make sure that you have the sendmail-devel rpm installed. The libmilter is not part of the sendmail rpm but the sendmail development rpm.

David While

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info on behalf of Denis Croombs
Sent: Sat 12/08/2006 16:03
To: 'MailScanner discussion'
Cc:
Subject: RE: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)

> >> Greylisting decreases load immeasurably on a mailscanner
> system, the
> >> cost of greylisting is much less than allowing the message to go
> >> through the mailscanner system. I deployed it several
> months ago, it
> >> really is a good tool, and I've had very few complaints
> (10000 users).
> >
> > I just use Sendmail's greet pause which is 10 seconds to set up and
> > works a treat - does greylisting add significant control or
> > improvement over that? Anybody using them in tandem or is
> one or the
> > other to be preferred?
>
> I use both, and I have had to turn the greetpause setting
> down to about
> 2 or 3 seconds, as some systems (such as NTMail) don't check
> properly for the welcome message before sending the HELO or
> EHLO. At that sort of setting, it has little benefit. And
> there is no easy way to set up a whitelist with greetpause.
>
> Greylisting (using milter-greylist) has a superb little
> whitelist facility, and shares the current greylist database
> between multiple MX's with minimal effort, using a TCP
> connection between each one.

I have been trying to install milter-greylist all day on my sendmail 8.12 & 8.13 systems (Redhat & Centos mixture), but keep getting the error

"checking for smfi_register in -lmilter -lsm... no
checking for smfi_register in -lmilter -lsmutil... no
Required libmilter not found. Use --with-libmilter"

I have tried google, but as yet have not found the answer, can any kind person give me a clue?

Thanks
Denis

From gmane at tippingmar.com Sat Aug 12 19:07:51 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Sat Aug 12 19:08:05 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <44DD3D49.9070508@maddoc.net>
References: <44D18987.4070400@maddoc.net> <44DD3D49.9070508@maddoc.net>
Message-ID:

Doc Schneider wrote:
> Mark Nienberg wrote:
>> Doc Schneider wrote:
>>> I added a "tweak" to the rule set that should catch more of these
>>> dang image spams.
>>>
>>> For those of you running "SARE_STOCK" please let me know if these are
>>> now being caught.
>>
>>
>> After about a week of running the new rule set I realized that in
>> addition to catching more of those dang image spams, I was also
>> getting a lot of false positives. We receive a lot of messages from
>> persons who write in html and attach a small gif image in their
>> signature (usually a company logo). In fact, lots of my users do the
>> same in their signatures (don't get me started). Consequently, I have
>> had to disable the gif rules in the rule set.
> Mark,
>
> You got more problems than the SARE_GIF_ATTACH if simple small images
> are being caught and FP mails. Since it only has a score of 0.75 which
> shouldn't be FP anything. But of course as with anything YMMV.

It often triggers in combination with the meta rule SARE_GIF_STOX for a total of (0.75 + 1.66 = 2.41). I'm not saying that many messages are pushed from non-spam to spam by the additional points, but in our mix of mail the points are added to many messages that are not spam, so the rule is not a very good indication of spaminess (again, in our mix of mail).

I'm still using the rest of the ruleset though, with some success.

Mark

From alex at nkpanama.com Sat Aug 12 20:54:41 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Aug 12 20:54:57 2006
Subject: agains mailscanner
In-Reply-To: <44DDDECC.6030604@ecs.soton.ac.uk>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk>
Message-ID: <44DE3201.3020108@nkpanama.com>

Julian Field wrote:
> People have done things with MailScanner that I never dreamt of either,
> such as using it to filter web traffic, and using it to filter illicit
> images from mobile phone MMS text/picture messages on huge international
> mobile phone networks.
I think that's fantastic and huge credit is due
> to them for creating novel solutions to problems of their own!

How does one go about filtering web traffic with MailScanner?

>
> On the subject of illicit image detection, particularly on mobile phone
> networks, I hope to contact one or two of you in the next day or two to
> see if you would be interested in joining development of this facility.

I'd like to help in any way I can...

>
> And yes, MailScanner is used to filter MMS messages sent between phones
> on one of the largest multi-national mobile phone networks on the planet.

I'm not surprised.

From gordon at itnt.co.za Sun Aug 13 07:13:53 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Sun Aug 13 07:37:37 2006
Subject: gOCR SpamAssassin plugin
References: <44D745A6.1050007@blacknight.ie>
Message-ID: <003401c6bea2$ef2c6000$0d02a8c0@Gordon>

I get this error after installing the plugin.... Any ideas, have copied the pm file to both perl and site vendor dirs

plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.7/i386-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/5.8.7/i386-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 33) line 1.
plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 34) line 1.
Thanks
Gordon

----- Original Message -----
From: "Michele Neylon:: Blacknight.ie"
To: "MailScanner discussion"
Sent: Monday, August 07, 2006 3:52 PM
Subject: Re: gOCR SpamAssassin plugin

The one that Dallas posted on the SA users group seems to work well:
http://www.rulesemporium.com/plugins.htm#imageinfo

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From pascal.maes at elec.ucl.ac.be Sun Aug 13 08:06:38 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sun Aug 13 08:06:46 2006
Subject: Problems on Solaris x86
In-Reply-To:
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be>
Message-ID: <30173709-B06A-4C10-884F-9F0AF48984EA@elec.ucl.ac.be>

On 12 Aug 06, at 17:37, Pascal Maes wrote:

>
> On 12 Aug 06, at 17:03, Pascal Maes wrote:
>
>
> I add some InfoLog in MailScanner to see where the process is blocked.
>
> In lib/MailScanner/SA.pm :
>
>     # If they are using MCP at all, then we need to compile SA differently
>     # here due to object clashes within SA.
>     if (MailScanner::Config::IsSimpleValue('mcpchecks') &&
>         !MailScanner::Config::Value('mcpchecks')) {
>       # They are definitely not using MCP
>       MailScanner::Log::InfoLog("7");
>       $MailScanner::SA::SAspamtest->compile_now();
>       MailScanner::Log::InfoLog("8");
>
>
> I see the 7 but never the 8
>
> Why $MailScanner::SA::SAspamtest->compile_now() doesn't finish ?
>
> --
> Pascal
>

Finally, it's the line

$self->do_full_eval_tests($priority, \$fulltext);

in SpamAssassin/PerMsgStatus.pm which blocks the process.
When I put this line in comment, all is going "fine"

Any idea ?

--
Pascal

From pravin.rane at gmail.com Sun Aug 13 10:50:39 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Sun Aug 13 10:50:41 2006
Subject: Insert New line at the end of mail
Message-ID: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com>

How do I tell Mailscanner to insert new line at the end of mails that do not contain new line at the end.

--
Regards
Pravin

From gordon at itnt.co.za Sun Aug 13 12:13:42 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Sun Aug 13 12:22:13 2006
Subject: gOCR SpamAssassin plugin
References: <44D745A6.1050007@blacknight.ie> <003401c6bea2$ef2c6000$0d02a8c0@Gordon>
Message-ID: <006101c6beca$b1943830$0d02a8c0@Gordon>

Don't worry, fixed the problem, copied the file into the wrong directory...

----- Original Message -----
From: "Gordon Colyn"
To: "MailScanner discussion"
Sent: Sunday, August 13, 2006 8:13 AM
Subject: Re: gOCR SpamAssassin plugin

I get this error after installing the plugin.... Any ideas, have copied the pm file to both perl and site vendor dirs

plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.7/i386-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/5.8.7/i386-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 33) line 1.
plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 34) line 1.

Thanks
Gordon

----- Original Message -----
From: "Michele Neylon:: Blacknight.ie"
To: "MailScanner discussion"
Sent: Monday, August 07, 2006 3:52 PM
Subject: Re: gOCR SpamAssassin plugin

The one that Dallas posted on the SA users group seems to work well:
http://www.rulesemporium.com/plugins.htm#imageinfo

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From mailscanner at ecs.soton.ac.uk Sun Aug 13 17:12:52 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 13 17:13:08 2006
Subject: agains mailscanner
In-Reply-To: <44DE3201.3020108@nkpanama.com>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk> <44DE3201.3020108@nkpanama.com>
Message-ID: <44DF4F84.2080802@ecs.soton.ac.uk>

Alex Neuman van der Hans wrote:
> Julian Field wrote:
>> People have done things with MailScanner that I never dreamt of
>> either, such as using it to filter web traffic, and using it to filter
>> illicit images from mobile phone MMS text/picture messages on huge
>> international mobile phone networks.
I think that's fantastic and huge
>> credit is due to them for creating novel solutions to problems of their
>> own!
> How does one go about filtering web traffic with MailScanner?

Do a Google search for it, there certainly was an Apache module that used the MailScanner engine on web traffic. I can't remember the name, sorry.

>>
>> On the subject of illicit image detection, particularly on mobile
>> phone networks, I hope to contact one or two of you in the next day or
>> two to see if you would be interested in joining development of this
>> facility.
> I'd like to help in any way I can...

I need people who do a minimum of 250,000 messages per day.

>>
>> And yes, MailScanner is used to filter MMS messages sent between
>> phones on one of the largest multi-national mobile phone networks on
>> the planet.
> I'm not surprised.

Thanks!

--
Julian Field
www.MailScanner.info
From mailscanner at ecs.soton.ac.uk Sun Aug 13 17:14:53 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 13 17:15:08 2006
Subject: Insert New line at the end of mail
In-Reply-To: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com>
References: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com>
Message-ID: <44DF4FFD.8050301@ecs.soton.ac.uk>

You could do it by adding a blank line in "Sign Clean Messages".

Pravin Rane wrote:
> How do I tell Mailscanner to insert new line at the end of mails who do
> not contain new line at the end.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From pravin.rane at gmail.com Mon Aug 14 04:00:09 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Mon Aug 14 04:00:11 2006
Subject: Insert New line at the end of mail
In-Reply-To: <44DF4FFD.8050301@ecs.soton.ac.uk>
References: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com> <44DF4FFD.8050301@ecs.soton.ac.uk>
Message-ID: <13c021a90608132000j1414c3a9h465ee37bdd3aed30@mail.gmail.com>

Many Thanks Julian

On 8/13/06, Julian Field wrote:
> You could do it by adding a blank line in "Sign Clean Messages".
>
> Pravin Rane wrote:
> > How do I tell Mailscanner to insert new line at the end of mails who do
> > not contain new line at the end.

--
Regards
Pravin

From pascal.maes at elec.ucl.ac.be Mon Aug 14 09:20:52 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Mon Aug 14 09:29:04 2006
Subject: Problems on Solaris x86
In-Reply-To:
References:
Message-ID:

On 13 Aug 06, at 10:14, Pascal Maes wrote:

> Hello,
>
> I have installed MailScanner (4.55.10-3) on a solaris 10 (x86) box.
> MailScanner is using SpamAssassin 3.1.4
>
> I'm also using postfix and MailScanner is running as the user postfix.
>
> MailScanner, in debugging mode, is going fine.
> When I run spamassassin -D --lint (as user postfix) all is going
> fine too.
>
> But when I launch MailScanner in "normal" mode (with fork), the
> call to
>
> $self->do_full_eval_tests($priority, \$fulltext);
>
> never finish;
>
> In MailScanner, we have
>
> $MailScanner::SA::SAspamtest = new Mail::SpamAssassin(\%settings);
> $MailScanner::SA::SAspamtest->compile_now();
>
> That's this last call which never finish except if the line
> $self->do_full_eval_tests($priority, \$fulltext);
> is commented.
>
>
> Everything is going fine with the same config on a linux box or on
> a solaris 9 sparc box
>
>
> Any idea ?
>

I have made some other tests :

- reactivate the line do_full_eval_tests
- suppress everything except local.cf, init.pre, v310.pre and v312.pre
  from /etc/mail/spamassassin and comment all lines in this files.

Restarting MailScanner and commenting out one line at a time, I found
that the problem is with

loadplugin Mail::SpamAssassin::Plugin::Razor2

When I test spamassassin, all is working fine :

# spamassassin -D < sample-nonspam.txt |& grep -i razor
[12725] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[12725] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[12725] dbg: razor2: razor2 is available, version 2.82
[12725] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24)
[12725] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))
[12725] dbg: razor2: part=0 engine=4 contested=0 confidence=-17
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: results: spam? 0
[12725] dbg: razor2: results: engine 8, highest cf score: 0
[12725] dbg: razor2: results: engine 4, highest cf score: 0
[12725] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))

but when the compile_now() function is called from the main
MailScanner process, it doesn't finish and consumes high CPU

# ps -ef | grep MailScanner
    root 12755  1099  0 10:18:29 pts/5  0:00 grep MailScanner
 postfix 12714 12713 50 10:13:31 ?      4:57 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner
 postfix 12713  2400  0 10:13:31 ?      0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner

#top
load averages: 1.04, 1.05, 1.02    10:18:12
50 processes: 47 sleeping, 3 on cpu
CPU states: 49.5% idle, 50.2% user, 0.3% kernel, 0.0% iowait, 0.0% swap
Memory: 2047M real, 1146M free, 680M swap in use, 2820M swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE  TIME    CPU COMMAND
12714 postfix    1  20    0   53M   41M cpu/1  4:40 49.92% MailScanner
12749 root       1  59    0 3184K 1220K cpu/0  0:00  0.01% top

--
Pascal

From P.G.M.Peters at utwente.nl Mon Aug 14 10:30:19 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Mon Aug 14 10:30:25 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <20060811141732.A65410@mikea.ath.cx>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx>
Message-ID: <44E042AB.3090306@utwente.nl>

mikea wrote on 11-8-2006 21:17:

>> I use both *everywhere*. Now if I could have greet_pause auto-whitelist
>> after a certain threshold... :-)
>
> You could, if you were willing to dynamically edit your access file
> and then do a makemap hash. It probably could be rigged so that it
> wasn't terribly dangerous. One way might be to batch the updates, and
> run them every hour or so, saving the data to files with timestamp
> data as part of the name. Hmmmmmm ... .

With some extra effort you could update both the access file as well as
the database. I believe one of MailScanner's CustomFunctions does
something like that.

--
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From jayesha_shinde at yahoo.com Mon Aug 14 10:30:52 2006
From: jayesha_shinde at yahoo.com (jay shi)
Date: Mon Aug 14 10:31:01 2006
Subject: Rul set for Spam Subject Text ???
Message-ID: <20060814093054.87090.qmail@web54402.mail.yahoo.com>

Hi
Thanks Peter for ur quick response.

I am using MailScanner 4.48.4 with multidomain
sendmail. For low Score SPAM i am using this
Spam Subject Text = {possible spam} as a tag
One of my domain (abc.com) ask me, he don't
want this tag
, but other domains ( xyz.com,pqr.com ) are demanding
this feature.
i want to write rule set for above condition,
Here is my rules for it in MailScanner.conf :--

Spam Modify Subject = yes
Spam Subject Text = %rules-dir%/spam.subject.rules

cat /etc/MailScanner/rules/spam.subject.rules
From: @abc.com
From: @xyz.com {possible spam}
From: @pqr.com {possible spam}

service MailScanner restart

I may be wrong, if it plz correct me.

Thanks & Regards
Jayesh

From martinh at solid-state-logic.com Mon Aug 14 10:54:10 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Mon Aug 14 10:54:24 2006
Subject: Rul set for Spam Subject Text ???
In-Reply-To: <20060814093054.87090.qmail@web54402.mail.yahoo.com>
References: <20060814093054.87090.qmail@web54402.mail.yahoo.com>
Message-ID: <44E04842.4060606@solid-state-logic.com>

jay shi wrote:
> Hi
> Thanks Peter for ur quick response.
>
> I am using MailScanner 4.48.4 with multidomain
> sendmail. For low Score SPAM i am using this
> Spam Subject Text = {possible spam} as a tag
> One of my domain (abc.com) ask me, he don't
> want this tag
> , but other domains ( xyz.com,pqr.com ) are demanding
> this feature.
> i want to write rule set for above condition,
> Here is my rules for it in MailScanner.conf :--
>
> Spam Modify Subject = yes
> Spam Subject Text = %rules-dir%/spam.subject.rules
>
> cat /etc/MailScanner/rules/spam.subject.rules
> From: @abc.com
> From: @xyz.com {possible spam}
> From: @pqr.com {possible spam}
>
> service MailScanner restart
>
> I may be wrong, if it plz correct me.
>
> Thanks & Regards
> Jayesh

close

should be...

To: @abc.com
To: @xyz.com {possible spam}
To: @pqr.com {possible spam}
FromOrTo: Default {possible spam}

or even

To: @abc.com
FromOrTo: Default {possible spam}

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From jaearick at colby.edu Mon Aug 14 15:23:24 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Aug 14 15:29:50 2006
Subject: /etc/init.d script for Solaris?
Message-ID:

Hi,

Could some kind Solaris 10 (or 9) MailScanner user, using a recent
version of MailScanner, please send me their /etc/init.d
start script for MailScanner? Offlist?

Thanks,
Jeff Earickson
Colby College

From edwardbruce at sbcglobal.net Mon Aug 14 16:44:26 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Aug 14 16:44:31 2006
Subject: agains mailscanner
In-Reply-To: <44DF4F84.2080802@ecs.soton.ac.uk>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk> <44DE3201.3020108@nkpanama.com> <44DF4F84.2080802@ecs.soton.ac.uk>
Message-ID: <44E09A5A.6000703@sbcglobal.net>

Julian Field wrote:
>
> I need people who do a minimum of 250,000 messages per day.

I can't type that fast :)

From john at katy.com Mon Aug 14 17:36:57 2006
From: john at katy.com (John Schmerold)
Date: Mon Aug 14 17:36:59 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E042AB.3090306@utwente.nl>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl>
Message-ID: <44E0A6A9.6010303@katy.com>

I'm looking for a solution to the problem of large (often duplicated)
email attachments. It seems to me that a simple solution to the problem
is to have a specially configured outbound mail server that detaches
attachments from any email greater than 50K, generates an ftp account
and inserts a message at top of the email saying "go to
ftp://un:pw@ftpserver.com for attachment referenced in this email.

If the server was really smart, it would generate a CRC of each outbound
attachment so duplicates could be stored as one file.

Anyone see anything like this? I've been doing some Googling, without
great success.
John Schmerold

Katy Computer & Wireless
20 Meramec Station Rd
Valley Park MO 63088
636-861-6900 v
775-227-6947 f

From bpumphrey at WoodMacLaw.com Mon Aug 14 18:50:49 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 14 18:50:53 2006
Subject: weird spam, included in a word document
In-Reply-To: <44DC7FD4.4020203@pixelhammer.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D15018155F1@woodenex.woodmaclaw.local>

Mine did not show some of the hits as yours but I have the rules for
them. I also have DCC installed too, obviously mine is out of date or
something. Here are a few. I received 7 total thus far. 5 were caught
as spam because of the RBL. Bayes is incorrectly being taught also, it
looks like.

Spam: Y
Action(s): store, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: Y (not spam)
SpamAssassin Score: -0.80
Spam Report:
Score  Matching Rule  Description
-1.80  ALL_TRUSTED    Passed through trusted hosts only via SMTP
 1.00  BAYES_60       Bayesian spam probability is 60 to 80%

Spam: Y
Action(s): store, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: Y (not spam)
SpamAssassin Score: -1.17
Spam Report:
Score  Matching Rule        Description
-1.80  ALL_TRUSTED          Passed through trusted hosts only via SMTP
 0.00  BAYES_50             Bayesian spam probability is 40 to 60%
 0.63  SARE_RECV_IP_218216  Passed through possible spammer relay or source

From mailscanner at ecs.soton.ac.uk Mon Aug 14 19:34:25 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 14 19:34:42 2006
Subject: /etc/init.d script for Solaris?
In-Reply-To:
References:
Message-ID: <44E0C231.8070009@ecs.soton.ac.uk>

PATH=/usr/bin:/bin
SENDMAIL=/opt/sendmail/current
MAILSCANNER=/opt/MailScanner

case $1 in
'start')
        $SENDMAIL/bin/start.sendmail
        $MAILSCANNER/bin/check_mailscanner
        ;;
'stop')
        # Outgoing queue runner
        pid=`head -1 $SENDMAIL/etc/sendmail.pid`
        echo 'Stopping sendmail (out)...'
        kill $pid
        # Incoming SMTP listener
        pid=`head -1 $SENDMAIL/etc/sendmail.in.pid`
        echo 'Stopping sendmail (in)...'
        kill $pid
        # MailScanner itself
        pid=`head -1 $MAILSCANNER/var/MailScanner.pid`
        /bin/kill $pid
        ;;
*)
        echo "usage: /etc/rc2.d/S88sendmail.ecs {start|stop}"
        ;;
esac

===========================
and start.sendmail is this:
===========================

#!/bin/sh

# JKF 13/7/98 Start up sendmail.
# Cleans up the queue directory as instructed in the
# "Sendmail Installation and Operation Guide" before
# starting the daemon.
# JKF 15/6/99 Added hook to install my ECS sendmail setup automatically.

SENDMAIL=/opt/sendmail/current
QUEUE=/var/spool/mqueue
INQUEUE=/var/spool/mqueue.in
CF=$SENDMAIL/etc/sendmail.cf

# Install everything if necessary (needed after careless Sun patching)
[ -x $SENDMAIL/bin/install.sendmail ] && $SENDMAIL/bin/install.sendmail

# Make placeholders for status files
[ -d $SENDMAIL/var/status ] || mkdir $SENDMAIL/var/status
[ -f $SENDMAIL/var/sendmail.st ] || touch $SENDMAIL/var/sendmail.st

echo "Starting sendmail:\c"

echo " clean up queue\c"
for queuedir in $QUEUE $INQUEUE
do
  cd $queuedir
  # remove zero length qf files
  for qffile in qf*
  do
    if [ -r $qffile ]; then
      if [ ! -s $qffile ]; then
        rm -f $qffile
      fi
    fi
  done
  # rename tf files to be qf if the qf does not exist
  for tffile in tf*
  do
    qffile=`echo $tffile | sed 's/t/q/'`
    # JKF 15/7/98 Put $qffile in quotes in case tffile = 'tf*'
    if [ -r $tffile -a ! -f "$qffile" ]; then
      mv $tffile $qffile
    else
      if [ -f $tffile ]; then
        rm -f $tffile
      fi
    fi
  done
  # remove df files with no corresponding qf files
  for dffile in df*
  do
    qffile=`echo $dffile | sed 's/d/q/'`
    if [ -r $dffile -a ! -f $qffile ]; then
      mv $dffile `echo $dffile | sed 's/d/D/'`
    fi
  done
  # announce files that have been saved during disaster recovery
  for xffile in [A-Z]f*
  do
    if [ -f $xffile ]; then
      echo " \c"
    fi
  done
done

# Now actually start the damn thing...
$SENDMAIL/bin/sendmail -q15m
$SENDMAIL/bin/sendmail -bd -OPrivacyOptions=noetrn \
  -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
#$SENDMAIL/bin/sendmail.in -bd -C $INCF
echo ", sendmail"

Jeff A. Earickson wrote:
> Hi,
>
> Could some kind Solaris 10 (or 9) MailScanner user, using a recent
> version of MailScanner, please send me their /etc/init.d
> start script for MailScanner? Offlist?
>
> Thanks,
> Jeff Earickson
> Colby College

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From root at doctor.nl2k.ab.ca Mon Aug 14 21:49:32 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Aug 14 21:50:22 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com>
Message-ID: <20060814204932.GB26850@doctor.nl2k.ab.ca>

On Mon, Aug 14, 2006 at 11:36:57AM -0500, John Schmerold wrote:
> I'm looking for a solution to the problem of large (often duplicated)
> email attachments. It seems to me that a simple solution to the problem
> is to have a specially configured outbound mail server that detaches
> attachments from any email greater than 50K, generates an ftp account
> and inserts a message at top of the email saying "go to
> ftp://un:pw@ftpserver.com for attachment referenced in this email.
>
> If the server was really smart, it would generate a CRC of each outbound
> attachment so duplicates could be stored as one file.
>
> Anyone see anything like this? I've been doing some Googling, without
> great success.
>

FTP By Mail used to exist but was a bit unpopular.

> John Schmerold
>
> Katy Computer & Wireless
> 20 Meramec Station Rd
> Valley Park MO 63088
> 636-861-6900 v
> 775-227-6947 f
From alex at erus.co.uk Mon Aug 14 22:18:29 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Mon Aug 14 22:09:24 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
Message-ID:

On 14/8/2006, "John Schmerold" wrote:

>I'm looking for a solution to the problem of large (often duplicated)
>email attachments. It seems to me that a simple solution to the problem
>is to have a specially configured outbound mail server that detaches
>attachments from any email greater than 50K, generates an ftp account
>and inserts a message at top of the email saying "go to
>ftp://un:pw@ftpserver.com for attachment referenced in this email.
>
>If the server was really smart, it would generate a CRC of each

When I asked about a similar sort of thing a few months ago Julian
pointed me in the direction of his colleague. I quote:

"Sounds like you need the quarantine management system one of my
colleagues has written. Whenever it gets attachments that have been
removed by MailScanner, the Attachment-Warning.txt gets a link in it
which submits a request to the system to go and fetch the attachments
from the appropriate mail server (it's designed to work with multiple
MailScanners). We then require that a sysadmin looks at the request and,
if appropriate, releases the attachments to the recipients by mailing
them a link to a directory on the web server containing their
attachments. You could always bypass the bit requiring the sysadmin to
look at it.

Saves a lot of mailstore space.

Drop him a line at apl ecs.soton.ac.uk (Andy Landells)."

I haven't had time to follow this suggestion up yet but it sounds
promising. The alternative seems to be something along the lines of
mailwatch+ mail size limits + quarantine, but this would only work for
known local users.

Should you solve this, please post here as myself (and probably a few
others) would be interested to know how you got on.

Regards,
Alex

From lshaw at emitinc.com Mon Aug 14 22:43:09 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Mon Aug 14 22:43:24 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <20060814204932.GB26850@doctor.nl2k.ab.ca>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com> <20060814204932.GB26850@doctor.nl2k.ab.ca>
Message-ID:

On Mon, 14 Aug 2006, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
> On Mon, Aug 14, 2006 at 11:36:57AM -0500, John Schmerold wrote:
>> I'm looking for a solution to the problem of large (often duplicated)
>> email attachments. It seems to me that a simple solution to the problem
>> is to have a specially configured outbound mail server that detaches
>> attachments from any email greater than 50K, generates an ftp account
>> and inserts a message at top of the email saying "go to
>> ftp://un:pw@ftpserver.com for attachment referenced in this email.
>>
>> If the server was really smart, it would generate a CRC of each outbound
>> attachment so duplicates could be stored as one file.
>>
>> Anyone see anything like this? I've been doing some Googling, without
>> great success.

> FTP By Mail used to exist but was a bit unpopular.

Wouldn't this be more like Mail By FTP?

- Logan

From jose.gonzalez at compac.com.mx Mon Aug 14 22:50:29 2006
From: jose.gonzalez at compac.com.mx (Jose Gonzalez)
Date: Mon Aug 14 22:51:10 2006
Subject: About forwarding mail
Message-ID: <44E0F025.7010002@compac.com.mx>

Hello all.

Something no common is happening with my mail server. Mail forwarding
via .forward files was working fine, but recently, I think after install
MailScanner, .forward files doesn't work any more, are silently ignored.
Is there a relation between the use of MailScanner and .forward files?

I'm using CentOS 4.3, mailscanner-4.55.10-3, sendmail-8.13,
procmail-3.22-14, and f-prot + clamav antivirus.

Thanks.
From lshaw at emitinc.com Mon Aug 14 22:52:51 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Mon Aug 14 22:53:02 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com>
Message-ID:

On Mon, 14 Aug 2006, John Schmerold wrote:
> I'm looking for a solution to the problem of large (often duplicated) email
> attachments. It seems to me that a simple solution to the problem is to have
> a specially configured outbound mail server that detaches attachments from
> any email greater than 50K, generates an ftp account and inserts a message at
> top of the email saying "go to ftp://un:pw@ftpserver.com for attachment
> referenced in this email.
>
> If the server was really smart, it would generate a CRC of each outbound
> attachment so duplicates could be stored as one file.

I believe some versions of Lotus Notes used to do this, or so a
friend of mine (who was a big Notes advocate) used to say. But,
it only did it within the intranet. Still, could be valuable
within a large corporation.

My general thoughts on this idea are:

1) Breaks PGP, S/MIME, and anything else that signs message content
   (at least things that sign content at the MUA stage of things).
   This could be fixed if you're willing to change SMTP and let
   the MUA send attachments out of band (of the message body).

2) Breaks the ability to take your laptop somewhere with internet
   access in the airport lounge, download your e-mail, and run,
   and know that you got everything. Or at least it would until
   it were widespread enough that mail clients could be set up
   to fetch attachments automatically.

3) Makes firewall issues more complex, because delivery mechanisms
   for attachments are different than for the messages themselves.
   (Can every host your mail reach also reach your server later
   to download attachments?)

4) As a protocol, FTP sucks rocks, so avoid it like the plague.
   Use something sane, like HTTP, instead. HTTPS might be better.

5) Done properly, this could make it easier for users to send
   arbitrarily large attachments without causing problems.

- Logan

From raymond at prolocation.net Mon Aug 14 22:57:05 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Aug 14 22:57:04 2006
Subject: About forwarding mail
In-Reply-To: <44E0F025.7010002@compac.com.mx>
References: <44E0F025.7010002@compac.com.mx>
Message-ID:

Hi!

> Something no common is happening with my mail server. Mail forwarding via
> .forward files was working fine, but recently, I think after install
> MailScanner, .forward files doesn't work any more, are silently ignored. Is
> there a relation between the use of MailScanner and .forward files?
>
> I'm using CentOS 4.3, mailscanner-4.55.10-3, sendmail-8.13, procmail-3.22-14,
> and f-prot + clamav antivirus.

A .forward should be a procmail/sendmail issue. MailScanner doesn't even
know about any .forward...

So I think, in short, no!

Bye,
Raymond.

From x72m35 at gmail.com Tue Aug 15 04:46:35 2006
From: x72m35 at gmail.com (Lasantha Marian)
Date: Tue Aug 15 04:49:41 2006
Subject: Can MailScanner Individualizing Filename/Filetype rules ?
Message-ID: <44E1439B.9030909@gmail.com>

Dear All,

Is there a way to individualize the Filename and Filetype rules based on
e-mail addresses ? If YES, a brief explanation is much appreciated.

Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk can
only receive PDF (*.pdf).

Thanks in advance,
Lasantha.

From jon.bates at summitmotors.com.au Tue Aug 15 07:46:10 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Tue Aug 15 07:46:35 2006
Subject: OT - Multiple Virus Scanners
Message-ID: <009001c6c036$7e575f20$5864a8c0@jonlaptop>

Hi,

I was just wondering what peoples opinions were on running multiple virus scanners with MailScanner.
I'm currently only running ClamAV, and I was thinking about running one or two more.
Could someone recommend what other scanner/s to use? My main concern is
system resources. I would like something that doesn't load up the server
too much more as ClamAV is quite light on resources from my experience
with it.

- Jon

From michele at blacknight.ie Tue Aug 15 07:58:07 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Tue Aug 15 07:58:28 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <44E1707F.3070103@blacknight.ie>

Jon Bates wrote:
>
> Hi,
>
> I was just wondering what peoples opinions were on running multiple
> virus scanners with MailScanner. I'm currently only running ClamAV, and
> I was thinking about running one or two more.
> Could someone recommend what other scanner/s to use? My main concern is
> system resources. I would like something that doesn't load up the server
> too much more as ClamAV is quite light on resources from my experience
> with it.
>
> - Jon
>

F-prot is good...
BitDefender - has its moments...

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From jrudd at ucsc.edu Tue Aug 15 08:26:33 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Aug 15 08:27:02 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID:

On Aug 14, 2006, at 11:46 PM, Jon Bates wrote:

> Hi,
>
> I was just wondering what peoples opinions were on running multiple > virus scanners with MailScanner. I'm currently only running ClamAV, > and I was thinking about running one or two more. > Could someone recommend what other scanner/s to use??My main concern > is system resources. I would like something that doesn't load up the > server too much more as ClamAV is quite light on resources from my > experience with it. > ? My opinion is: if you can run 2, do it. Always good to have an extra layer of defense, but don't cause more overhead than you need to. ClamAV is a _great_ choice for your first pass. From there, I remember an article that Kaspersky was very highly rated for protection ... but it's not available on a diverse set of platforms. If you can get it, go with them for your second layer. We use sophos, but we get a good price break (edu discount), and because we're a university, we're going to have put a big budget into whatever we get (due to our # of users). For other people, sophos is probably pretty pricey. Not sure who else to mention. I suppose it's worth looking at McAfee or something. From P.G.M.Peters at utwente.nl Tue Aug 15 08:44:07 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 15 08:45:08 2006 Subject: OT - Outbound mail server integrated with FTP In-Reply-To: References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com> Message-ID: <44E17B47.7080902@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Logan Shaw wrote on 14-8-2006 23:52: > My general thoughts on this idea are: > 2) Breaks the ability to take your laptop somewhere with internet > access in the airport lounge, download your e-mail, and run, > and know that you got everything. Or at least it would until > it were widespread enough that mail clients could be set up > to fetch attachments automatically. At least Thunderbird can fetch attachments automatically. 
There is a MIME type for that. But it is blocked by our MailScanner configuration.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4XtHelLo80lrIdIRAuuDAKCbBijmq3oKdexVojafjmkuvvKcEwCfY+nT
wv85z9Gg49TJ98EmmJe6fG8=
=orT8
-----END PGP SIGNATURE-----

From P.G.M.Peters at utwente.nl Tue Aug 15 08:55:33 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 15 08:55:37 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To:
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <44E17DF5.3010402@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Rudd wrote on 15-8-2006 9:26:
> My opinion is: if you can run 2, do it. Always good to have an extra
> layer of defense, but don't cause more overhead than you need to.
>
> ClamAV is a _great_ choice for your first pass.

Until recently we only had F-prot. Since this month we also use ClamAV. ClamAV gets more viruses than F-prot but they are mainly phishing attacks. Like this:

ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626

Other viruses are detected by both but F-prot often doesn't know what virus it is:

F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a suspicious file (encrypted program in archive)

While ClamAV mentions:

ClamAV Module: msg-9011-774.html was infected: Worm.Bagle

When only F-prot finds one it is usually an unknown virus too:

F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe could be infected with an unknown virus

Of the 106 viruses detected today on one of our systems 56 were detected by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by only ClamAV only 1 was not a phishing attack. That one was infected with Worm.Lovgate.X (ClamAV name).

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4X31elLo80lrIdIRAr++AKCFNFLmaC4n+Fk/34vD5tiGuPOHdwCcDO3a
yiyzORGXZ5t612qmjuW4YEs=
=jeAj
-----END PGP SIGNATURE-----

From shuttlebox at gmail.com Tue Aug 15 08:58:48 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Aug 15 08:58:51 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <625385e30608150058o52a8b30hd6a027defa972b90@mail.gmail.com>

On 8/15/06, Jon Bates wrote:
> Could someone recommend what other scanner/s to use? My main concern is
> system resources. I would like something that doesn't load up the server too
> much more as ClamAV is quite light on resources from my experience with it.

I use between one and three scanners (Clam, eTrust, Trend) on my systems and I don't see much difference in performance. SA is the part that uses the most resources.

--
/peter

From MailScanner at ecs.soton.ac.uk Tue Aug 15 09:50:26 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 15 09:51:00 2006
Subject: www.mailscanner.info
Message-ID: <44E18AD2.7070002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It will come back up as soon as the DNS updates happen. In the mean time, please use www.emailscanner.info as that is a mirror of the site.
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4YrTEfZZRxQVtlQRAnXkAJoDEnBRIBD1P3YKx0r6TM40qVfrRQCgqXCN ob5Pzb2ccCvXX9SiCq+A3zY= =zF4F -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From anwarsanusi at gmail.com Tue Aug 15 10:18:26 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Tue Aug 15 10:18:39 2006 Subject: MailScanner is not working Message-ID: <44E19162.5040106@gmail.com> Dear All, Please help me to fix my problem. We can not send or receive email because our email just stay at Incoming Queue Directory "/var/spool/mqueue.in". Please help me how to solve this problem ? Thanks & regards anwar From martinh at solid-state-logic.com Tue Aug 15 10:31:00 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 10:31:15 2006 Subject: MailScanner is not working In-Reply-To: <44E19162.5040106@gmail.com> References: <44E19162.5040106@gmail.com> Message-ID: <44E19454.6010509@solid-state-logic.com> Anwar Sanusi wrote: > Dear All, > > Please help me to fix my problem. > We can not send or receive email because our email just stay at Incoming > Queue Directory "/var/spool/mqueue.in". Please help me how to solve this > problem ? > > Thanks & regards > anwar > Anything in the maillog file to indicate any problems.. have you run MailScanner in Debug mode to see if there are any problems showing there? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From anwarsanusi at gmail.com Tue Aug 15 10:35:00 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Tue Aug 15 10:35:05 2006 Subject: MailScanner is not working In-Reply-To: <44E19454.6010509@solid-state-logic.com> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> Message-ID: <44E19544.7090009@gmail.com> Martin Hepworth wrote: > Anwar Sanusi wrote: > >> Dear All, >> >> Please help me to fix my problem. >> We can not send or receive email because our email just stay at >> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >> to solve this problem ? >> >> Thanks & regards >> anwar >> > Anything in the maillog file to indicate any problems.. > > have you run MailScanner in Debug mode to see if there are any > problems showing there? > i am new commer in Linux and Mail server ? can you advise where i can see maillog file ? and how to run debug mode ? thks for your advise Anwar From uxbod at splatnix.net Tue Aug 15 10:44:59 2006 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Aug 15 10:45:15 2006 Subject: MailScanner is not working In-Reply-To: <44E19544.7090009@gmail.com> References: <44E19544.7090009@gmail.com> Message-ID: <84f42fac8d3f0da4f49b6a5b5a4d79e6@localhost> tail /var/log/messages On Tue, 15 Aug 2006 16:35:00 +0700, Anwar Sanusi wrote: > Martin Hepworth wrote: > >> Anwar Sanusi wrote: >> >>> Dear All, >>> >>> Please help me to fix my problem. >>> We can not send or receive email because our email just stay at >>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >>> to solve this problem ? >>> >>> Thanks & regards >>> anwar >>> >> Anything in the maillog file to indicate any problems.. 
>> >> have you run MailScanner in Debug mode to see if there are any >> problems showing there? >> > i am new commer in Linux and Mail server ? can you advise where i can > see maillog file ? > and how to run debug mode ? > thks for your advise > Anwar > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solid-state-logic.com Tue Aug 15 10:50:30 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 10:50:36 2006 Subject: MailScanner is not working In-Reply-To: <44E19544.7090009@gmail.com> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com> Message-ID: <44E198E6.1050806@solid-state-logic.com> Anwar Sanusi wrote: > Martin Hepworth wrote: > >> Anwar Sanusi wrote: >> >>> Dear All, >>> >>> Please help me to fix my problem. >>> We can not send or receive email because our email just stay at >>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >>> to solve this problem ? >>> >>> Thanks & regards >>> anwar >>> >> Anything in the maillog file to indicate any problems.. >> >> have you run MailScanner in Debug mode to see if there are any >> problems showing there? >> > i am new commer in Linux and Mail server ? can you advise where i can > see maillog file ? > and how to run debug mode ? 
> thks for your advise > Anwar > > Hi Normally it's in /var/log/maillog for debug mode, stop mailscanner, edit the MailScanner.conf and change BOTH debug options to 'yes' then run check_mailscanner. this output can be quite large and you may have to search the output quite carefully for any problems. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From anwarsanusi at gmail.com Tue Aug 15 11:09:00 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Tue Aug 15 11:09:07 2006 Subject: MailScanner is not working In-Reply-To: <44E198E6.1050806@solid-state-logic.com> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com> <44E198E6.1050806@solid-state-logic.com> Message-ID: <44E19D3C.7010302@gmail.com> Martin Hepworth wrote: > Anwar Sanusi wrote: > >> Martin Hepworth wrote: >> >>> Anwar Sanusi wrote: >>> >>>> Dear All, >>>> >>>> Please help me to fix my problem. >>>> We can not send or receive email because our email just stay at >>>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >>>> to solve this problem ? >>>> >>>> Thanks & regards >>>> anwar >>>> >>> Anything in the maillog file to indicate any problems.. >>> >>> have you run MailScanner in Debug mode to see if there are any >>> problems showing there? >>> >> i am new commer in Linux and Mail server ? can you advise where i can >> see maillog file ? >> and how to run debug mode ? 
>> thks for your advise >> Anwar >> >> > Hi > > Normally it's in /var/log/maillog > > for debug mode, stop mailscanner, edit the MailScanner.conf and change > BOTH debug options to 'yes' then run check_mailscanner. > > this output can be quite large and you may have to search the output > quite carefully for any problems. > Thanks all our problem is seemly solved From sandrews at andrewscompanies.com Tue Aug 15 11:42:49 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 15 11:42:54 2006 Subject: MailScanner is not working Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1B76@winchester.andrewscompanies.com> If you're a newcomer, I'd guess you made the same mistake I did and didn't config sendmail properly. If you don't remember doing anything with sendmail; let me know and I'll dig up the config I used. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Anwar Sanusi Sent: Tuesday, August 15, 2006 5:35 AM To: MailScanner discussion Subject: Re: MailScanner is not working Martin Hepworth wrote: > Anwar Sanusi wrote: > >> Dear All, >> >> Please help me to fix my problem. >> We can not send or receive email because our email just stay at >> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >> to solve this problem ? >> >> Thanks & regards >> anwar >> > Anything in the maillog file to indicate any problems.. > > have you run MailScanner in Debug mode to see if there are any > problems showing there? > i am new commer in Linux and Mail server ? can you advise where i can see maillog file ? and how to run debug mode ? thks for your advise Anwar -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
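Added example (not part of any list message and not MailScanner code): the ClamAV versus F-Prot comparison Peter Peters reports earlier in this thread can be reproduced by tallying scanner reports per message. The two report formats are the ones quoted in the thread; the pairing of queue IDs with ClamAV lines, the `k7FEXAMPLE...` IDs and all function names are assumptions constructed for this example.

```python
"""Tally which scanner flagged which message, from MailScanner-style reports."""
import re
from collections import defaultdict

# Report formats as quoted in the thread. The ClamAV line names only the
# message part; the F-Prot line embeds the queue ID as the first directory.
CLAM_RE = re.compile(r"^ClamAV Module: (?P<part>\S+) was infected: (?P<sig>\S+)$")
FPROT_RE = re.compile(
    r"^F-Prot: \./(?P<qid>[^/]+)/(?P<part>.+?) (?P<verdict>could be .+)$"
)


def parse_report(line):
    """Return a dict describing one report line, or None if unrecognised.

    F-Prot "could be ..." verdicts are heuristic and carry no virus name,
    so "name" is None for them.
    """
    line = line.strip()
    m = CLAM_RE.match(line)
    if m:
        return {"scanner": "clamav", "name": m.group("sig"), "qid": None}
    m = FPROT_RE.match(line)
    if m:
        return {"scanner": "f-prot", "name": None, "qid": m.group("qid")}
    return None


def is_phishing(sig):
    """True when a ClamAV signature name has a 'Phishing' component."""
    return "Phishing" in sig.split(".")


def tally(reports):
    """Summarise (queue_id, report_line) pairs into an overlap breakdown."""
    seen = defaultdict(set)       # queue ID -> scanners that flagged it
    clam_sigs = defaultdict(set)  # queue ID -> ClamAV signature names
    unparsed = 0
    for supplied_qid, line in reports:
        parsed = parse_report(line)
        if parsed is None:
            unparsed += 1
            continue
        # Prefer the queue ID embedded in the report when there is one.
        qid = parsed["qid"] or supplied_qid
        seen[qid].add(parsed["scanner"])
        if parsed["scanner"] == "clamav":
            clam_sigs[qid].add(parsed["name"])

    both = [q for q, s in seen.items() if s == {"clamav", "f-prot"}]
    clam_only = [q for q, s in seen.items() if s == {"clamav"}]
    fprot_only = [q for q, s in seen.items() if s == {"f-prot"}]
    clam_only_phish = [
        q for q in clam_only if all(is_phishing(s) for s in clam_sigs[q])
    ]
    non_phish_names = sorted(
        s for q in clam_only for s in clam_sigs[q] if not is_phishing(s)
    )
    return {
        "both": len(both),
        "clamav_only": len(clam_only),
        "fprot_only": len(fprot_only),
        "clamav_only_phishing": len(clam_only_phish),
        "clamav_only_other_names": non_phish_names,
        "unparsed": unparsed,
    }


# Constructed sample: report texts follow the thread's examples, but which
# queue ID each ClamAV line belongs to is made up for illustration.
SAMPLE = [
    ("k7F3rsPS018425",
     "ClamAV Module: msg-9011-774.html was infected: Worm.Bagle"),
    ("k7F3rsPS018425",
     "F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a "
     "suspicious file (encrypted program in archive)"),
    ("k7F6ORPR032693",
     "F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe "
     "could be infected with an unknown virus"),
    ("k7FEXAMPLE0001",
     "ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626"),
    ("k7FEXAMPLE0002",
     "ClamAV Module: msg-1111-222.html was infected: Worm.Lovgate.X"),
    ("k7FEXAMPLE0003", "unrecognised scanner output"),
]

if __name__ == "__main__":
    for key, value in tally(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over a day of reports, the same breakdown shows whether a second scanner adds detections of its own or mostly repeats the first.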
From jon.bates at summitmotors.com.au Tue Aug 15 12:31:02 2006 From: jon.bates at summitmotors.com.au (Jon Bates) Date: Tue Aug 15 12:31:18 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> Message-ID: <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> > Until recently we only had F-prot. Since this month we also use ClamAV. > ClamAV gets more viruses than F-prot but they are mainly phishing > attacks. Like this: > ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626 > Other viruses are detected by both but F-prot often doesn't know what > virus it is: > F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a > suspicious file (encrypted program in archive) > While ClamAV mentions: > ClamAV Module: msg-9011-774.html was infected: Worm.Bagle > When only F-prot finds one it is usually an unknown virus too: > F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe > could be infected with an unknown virus > Of the 106 viruses detected today on one of our systems 56 were detected > by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by > only ClamAV only 1 was not a phishing attack. That one was infected > with Worm.Lovgate.X (ClamAV name). Wonderful. Thanks very much for your input guys. You've put me on the right track. I think I'll weigh up the cost of implementing the ones that you've mentioned and go from there. I've been spoiled by ClamAV - not having to pay a cent for excellent protection on my mail servers (although we've since made a donation as a token of thanks for an awesome product!). Unfortunately though, there isn't many other decent free alternatives to use as a secondary scanner. Oh well! Thanks again. 
Jon From glenn.steen at gmail.com Tue Aug 15 13:39:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 15 13:39:29 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> Message-ID: <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> On 15/08/06, Jon Bates wrote: > > > Until recently we only had F-prot. Since this month we also use ClamAV. > > ClamAV gets more viruses than F-prot but they are mainly phishing > > attacks. Like this: > > ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626 > > > Other viruses are detected by both but F-prot often doesn't know what > > virus it is: > > F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a > > suspicious file (encrypted program in archive) > > While ClamAV mentions: > > ClamAV Module: msg-9011-774.html was infected: Worm.Bagle > > > When only F-prot finds one it is usually an unknown virus too: > > F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe > > could be infected with an unknown virus > > > Of the 106 viruses detected today on one of our systems 56 were detected > > by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by > > only ClamAV only 1 was not a phishing attack. That one was infected > > with Worm.Lovgate.X (ClamAV name). > > > Wonderful. Thanks very much for your input guys. You've put me on the right > track. > I think I'll weigh up the cost of implementing the ones that you've > mentioned and go from there. > I've been spoiled by ClamAV - not having to pay a cent for excellent > protection on my mail servers (although we've since made a donation as a > token of thanks for an awesome product!). Unfortunately though, there isn't > many other decent free alternatives to use as a secondary scanner. Oh well! > > Thanks again. 
>
> Jon
>

That rather depends on the definition of "decent":-).
If you run linux (or freebsd) there are at least BitDefender Command line. Sure, it's not as light as ClamAV, but not that bad either (all depends, of course:). And the price is right (free).
If you have a site license for a commercial AV, you might be entitled to download/use/update their *nix product too. This is true for at least McAfee.
And finally there is Panda, which is not that great, but... not absolutely horrid (as it used to be). The download is free (freeware...), but you need a license to be able to download the signature updates.

Check
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:bitdefender:install
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:mcafee:install
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:panda:install
for more details.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Tue Aug 15 13:54:40 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Aug 15 13:54:51 2006
Subject: MailScanner is not working
References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com><44E198E6.1050806@solid-state-logic.com> <44E19D3C.7010302@gmail.com>
Message-ID: <007701c6c069$f9180d80$0705000a@DDF5DW71>

Damn, you guys are good at fixing problems.

Steve

----- Original Message -----
From: "Anwar Sanusi"
To: "MailScanner discussion"
Sent: Tuesday, August 15, 2006 6:09 AM
Subject: Re: MailScanner is not working

> Martin Hepworth wrote:
>
>> Anwar Sanusi wrote:
>>
>>> Martin Hepworth wrote:
>>>
>>>> Anwar Sanusi wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> Please help me to fix my problem.
>>>>> We can not send or receive email because our email just stay at
>>>>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how
>>>>> to solve this problem ?
>>>>> >>>>> Thanks & regards >>>>> anwar >>>>> >>>> Anything in the maillog file to indicate any problems.. >>>> >>>> have you run MailScanner in Debug mode to see if there are any >>>> problems showing there? >>>> >>> i am new commer in Linux and Mail server ? can you advise where i can >>> see maillog file ? >>> and how to run debug mode ? >>> thks for your advise >>> Anwar >>> >>> >> Hi >> >> Normally it's in /var/log/maillog >> >> for debug mode, stop mailscanner, edit the MailScanner.conf and change >> BOTH debug options to 'yes' then run check_mailscanner. >> >> this output can be quite large and you may have to search the output >> quite carefully for any problems. >> > Thanks all our problem is seemly solved > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From drew at themarshalls.co.uk Tue Aug 15 14:06:11 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Aug 15 14:06:52 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> Message-ID: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> On Tue, August 15, 2006 13:39, Glenn Steen wrote: > If you run linux (or freebsd) there are at least BitDefender Command > line. Sure, it's not as light as ClamAV, but not that bad either (all > depends, of course:). And the price is right (free). I am not sure it is any more. On my to-do list (A fair way down :-( ) is to e-mail and formally ask them but looking at their curent site, I would suggest the BitDefender licence would appear to have changed... 
http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html (Check the bottom paragraph) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From steve.swaney at fsl.com Tue Aug 15 14:27:22 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 15 14:27:25 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> Message-ID: <14c901c6c06e$8a641c30$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Drew Marshall > Sent: Tuesday, August 15, 2006 9:06 AM > To: MailScanner discussion > Subject: Re: OT - Multiple Virus Scanners > > On Tue, August 15, 2006 13:39, Glenn Steen wrote: > > If you run linux (or freebsd) there are at least BitDefender Command > > line. Sure, it's not as light as ClamAV, but not that bad either (all > > depends, of course:). And the price is right (free). > > I am not sure it is any more. On my to-do list (A fair way down :-( ) is > to e-mail and formally ask them but looking at their curent site, I would > suggest the BitDefender licence would appear to have changed... > > http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner- > for-Unices.html > (Check the bottom paragraph) > > Drew I mentioned a few weeks back that the Download link to the free Linux version was broken so this is no surprise. Anyone using AVG. The Linux file server version is $70 (US) for 5 servers for 2 years. I didn't see any license restrictions against using on an email gateway. I'll probably test against ClamAV. Steve Stephen Swaney Fort Systems Ltd. 
stephen.swaney@fsl.com www.fsl.com From glenn.steen at gmail.com Tue Aug 15 14:45:18 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 15 14:45:30 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> Message-ID: <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> On 15/08/06, Drew Marshall wrote: > On Tue, August 15, 2006 13:39, Glenn Steen wrote: > > If you run linux (or freebsd) there are at least BitDefender Command > > line. Sure, it's not as light as ClamAV, but not that bad either (all > > depends, of course:). And the price is right (free). > > I am not sure it is any more. On my to-do list (A fair way down :-( ) is > to e-mail and formally ask them but looking at their curent site, I would > suggest the BitDefender licence would appear to have changed... > > http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html > (Check the bottom paragraph) > > Drew > How very annoying. IIRC I checked before sometime around April - May, and could still find/download the free version. Oh well, guess I'll have to keep my copy close then:-). Note that the "(previously) free version" is not the same as the one you cite above, so what they seem to have done is to have removed the "pure commandline version" (where freebsd was a beta level release) and added this "new" package with full support for freebsd (that is, provided I do remember correctly... they seem to have removed everything from their ftp server too. Sigh). Hm. 
Means I'll have to do something about that wiki-page, now doesn't it?-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at ialex.net Tue Aug 15 14:28:54 2006
From: alex at ialex.net (Alex Short)
Date: Tue Aug 15 14:58:15 2006
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails
Message-ID: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124>

We are having issues with a particular user that never seems to get his winmail.dat files from a partner.

Here is the strange thing. Partner emails user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends user1 the word documents within but doesn't send to user2. In the logs it just says

--
Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat that cannot be analysed in message k7DHonGJ024825
--

Version we are running

--
MailScanner E-Mail Virus Scanner version 4.52.2
--

There is a great deal of correspondence between partner and user1&user2 and this has occurred on the last 15 emails (user1 gets, user2 denied)

Please help!

From sandrews at andrewscompanies.com Tue Aug 15 15:22:05 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Tue Aug 15 15:22:12 2006
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails
Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com>

4.55.9-1 addressed some tnef issues re the external tnef decompressor. Might want to have a try with that.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Short
Sent: Tuesday, August 15, 2006 9:29 AM
To: mailscanner@lists.mailscanner.info
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails

We are having issues with a particular user that never seems to get his winmail.dat files from a partner.

Here is the strange thing. Partner emails user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends user1 the word documents within but doesn't send to user2. In the logs it just says

--
Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat that cannot be analysed in message k7DHonGJ024825
--

Version we are running

--
MailScanner E-Mail Virus Scanner version 4.52.2
--

There is a great deal of correspondence between partner and user1&user2 and this has occurred on the last 15 emails (user1 gets, user2 denied)

Please help!
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From gordon at itnt.co.za Tue Aug 15 15:24:24 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Aug 15 15:24:59 2006
Subject: Nod32 installation
Message-ID: <04c501c6c076$859de7f0$0a02a8c0@Gordon>

Can someone confirm what version of nod32 works with Mailscanner, I have tried to install nod32 for mail server but it doesn't get picked up by Mailscanner.

Thanks

Gordon Colyn

From uxbod at splatnix.net Tue Aug 15 15:45:07 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Aug 15 15:45:22 2006
Subject: Nod32 installation
In-Reply-To: <04c501c6c076$859de7f0$0a02a8c0@Gordon>
References: <04c501c6c076$859de7f0$0a02a8c0@Gordon>
Message-ID: <3435f0a399dc1bdbe15214111e995401@localhost>

I believe that it is the Linux File Server edition

On Tue, 15 Aug 2006 16:24:24 +0200, "Gordon Colyn" wrote:
> Can someone confirm what version of nod32 works with
> Mailscanner, I have tried to install nod32 for mail server but it doesn't
> get picked up by Mailscanner.
> > Thanks > > Gordon Colyn > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Aug 15 15:52:12 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 15:52:47 2006 Subject: Can MailScanner Individualizing Filename/Filetype rules ? In-Reply-To: <44E1439B.9030909@gmail.com> References: <44E1439B.9030909@gmail.com> Message-ID: <44E1DF9C.5020709@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes. Read up on it at wiki.mailscanner.info. It is documented in there, and in the book, is quite some detail. Lasantha Marian wrote: > Dear All, > > Is there a way to individualize the Filename and Filetype rules based > on e-mail addresses ? If YES, a brief explanation is much appreciated. > > Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk > can only receive PDF (*.pdf). > > Thanks in advance, > > Lasantha. 
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4d+dEfZZRxQVtlQRAr3dAJ0du+c3OtTKy8eq+Du8b0DJswV5LQCg6uNh l7QdRLYaPOLZc2Znx2RkoMQ= =N3pD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 15 15:57:47 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 15:58:35 2006 Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com> Message-ID: <44E1E0EB.1050402@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also you could try the internal TNEF expander. Read the comments in MailScanner.conf for how to use it. sandrews@andrewscompanies.com wrote: > 4.55.9-1 addressed some tnef issues re the exteneral tnef decompressor. > Might want to have a try with that. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex > Short > Sent: Tuesday, August 15, 2006 9:29 AM > To: mailscanner@lists.mailscanner.info > Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails > > We are having issues with a particular user that never seems to get his > winmail.dat files from a partner. > > Here is the strange thing. Partner emails > user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends > user1 the word documents within but doesn't send to user2. 
In the logs > it just says > > -- > Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat > that cannot be analysed in message k7DHonGJ024825 > -- > > Version we are running > > -- > MailScanner E-Mail Virus Scanner version 4.52.2 > -- > > There is a great deal of correspondance between partner and user1&user2 > and this has occured on the last 15 emails (user1 gets, user2 denied) > > Please help! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4eDsEfZZRxQVtlQRAn3yAKDkXugyvV+pk/aecLHWCQ17BcHt5gCfVYxB w8FnCJGdy0SxI3aA1guDlEg= =CusO -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 15 16:00:22 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 16:00:57 2006 Subject: Nod32 installation In-Reply-To: <04c501c6c076$859de7f0$0a02a8c0@Gordon> References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> Message-ID: <44E1E186.1000506@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did you install Nod32? MailScanner assumes /usr/sbin unless you have it somewhere else. And you are using Virus Scanners = nod32-1.99 aren't you? Virus Scanners = nod32 is for old versions (this is documented in MailScanner.conf immediately above the "Virus Scanners" setting). 
If you have installed it elsewhere, then you need to tell MailScanner where it is by editing /etc/MailScanner/virus.scanners.conf Gordon Colyn wrote: > ITNT Banner CampaignCan someone confirm what version of nod32 works with > Mailscanner, I have tried to install nod32 for mail server but it doesn't > get picked up by Mailscanner. > > Thanks > > Gordon Colyn > > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4eGHEfZZRxQVtlQRAqozAKDwfWSO0HI+9YtAiFhft3IApzzdFQCcCaw2 tGkkzH+clULgvNNDoEvDjmc= =twat -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 16:12:36 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Aug 15 16:12:41 2006 Subject: Can MailScanner Individualizing Filename/Filetype rules ? In-Reply-To: <44E1DF9C.5020709@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Yes. > Read up on it at wiki.mailscanner.info. It is documented in there, and > in the book, is quite some detail. > > Lasantha Marian wrote: >> >> Is there a way to individualize the Filename and Filetype rules based >> on e-mail addresses ? If YES, a brief explanation is much >> appreciated. >> >> Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk >> can only receive PDF (*.pdf). You might also look through the archives (we still have archives, right?) for a thread with the subject "filename/type exceptions" . Last week I ask a similar question and got some good replies... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Tue Aug 15 16:58:54 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 16:59:34 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> Message-ID: I'Glenn Steen spake the following on 8/15/2006 6:45 AM: > On 15/08/06, Drew Marshall wrote: >> On Tue, August 15, 2006 13:39, Glenn Steen wrote: >> > If you run linux (or freebsd) there are at least BitDefender Command >> > line. Sure, it's not as light as ClamAV, but not that bad either (all >> > depends, of course:). And the price is right (free). >> >> I am not sure it is any more. On my to-do list (A fair way down :-( ) is >> to e-mail and formally ask them but looking at their curent site, I would >> suggest the BitDefender licence would appear to have changed... >> >> http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html >> >> (Check the bottom paragraph) >> >> Drew >> > How very annoying. IIRC I checked before sometime around April - May, > and could still find/download the free version. Oh well, guess I'll > have to keep my copy close then:-). > Note that the "(previously) free version" is not the same as the one > you cite above, so what they seem to have done is to have removed the > "pure commandline version" (where freebsd was a beta level release) > and added this "new" package with full support for freebsd (that is, > provided I do remember correctly... they seem to have removed > everything from their ftp server too. Sigh). > > Hm. 
Means I'll have to do something about that wiki-page, now doesn't it?-) > I'm glad I downloaded it all a few months ago! ;-) Now to back it up to as many places as I can! I just sent an e-mail to get some idea of when it might stop working... We'll see if I get a response. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From listas at pegaso.fisica.unam.mx Tue Aug 15 17:21:22 2006 From: listas at pegaso.fisica.unam.mx (Javier Martinez) Date: Tue Aug 15 17:10:01 2006 Subject: no check for a user Message-ID: <20060815162122.GA9977@pegaso.fisica.unam.mx> Hi everybody, I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. Is any posibility to use mailscanner for all my users and don't check email for this user?? Thanks a lot. Javier From ssilva at sgvwater.com Tue Aug 15 17:33:44 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 17:34:43 2006 Subject: MailScanner is not working In-Reply-To: <007701c6c069$f9180d80$0705000a@DDF5DW71> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com><44E198E6.1050806@solid-state-logic.com> <44E19D3C.7010302@gmail.com> <007701c6c069$f9180d80$0705000a@DDF5DW71> Message-ID: Steve Campbell spake the following on 8/15/2006 5:54 AM: > Damn, you guys are good at fixing problems. > > Steve It sometimes happens when the children know you are calling "dad"! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Tue Aug 15 17:35:26 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 17:40:12 2006 Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails In-Reply-To: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124> References: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124> Message-ID: Alex Short spake the following on 8/15/2006 6:28 AM: > We are having issues with a particular user that never seems to get his > winmail.dat files from a partner. > > Here is the strange thing. Partner emails > user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends > user1 the word documents within but doesn't send to user2. In the logs it > just says > > -- > Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat > that cannot be analysed in message k7DHonGJ024825 > -- > > Version we are running > > -- > MailScanner E-Mail Virus Scanner version 4.52.2 > -- > > There is a great deal of correspondance between partner and user1&user2 > and this has occured on the last 15 emails (user1 gets, user2 denied) > > Please help! Which tnef are you using? The internal or external? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mailscanner at ecs.soton.ac.uk Tue Aug 15 17:41:42 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 17:41:57 2006 Subject: no check for a user In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx> References: <20060815162122.GA9977@pegaso.fisica.unam.mx> Message-ID: <44E1F946.5050609@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can use a ruleset on the "Scan Messages" setting. Rulesets are the most commonly asked question here, usually several times every day :-) Check in the wiki or in the book, they are documented all over the place. However, what I would advise is that you get a policy in place that forces people to have all their email scanned by MailScanner. 
What happens when this guy gets a virus and infects your network? When I first imposed MailScanner on my department, I had a couple of users who objected loudly, saying that there was no way they could get a virus. Within the first couple of months, both of them had come to me to apologise as MailScanner had saved them more than once!

This is a management job. Don't let people say that they aren't going to have their email scanned.

However, if you have to do it, here is how:

In MailScanner.conf, put
    Scan Messages = %rules-dir%/scan.messages.rules

In /etc/MailScanner/rules/scan.messages.rules put this
    To:        awkward.sod@domain.com   no
    FromOrTo:  default                  yes

Then do a
    service MailScanner reload
to make it re-read the configuration, and from then on the user awkward.sod@domain.com will not have their mail scanned, but everyone else will.

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. Is any possibility to use
> mailscanner for all my users and don't check email for this user??
>
> Thanks a lot.
>
> Javier

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE4flJEfZZRxQVtlQRAjP3AJ9enhkablrr4FxJGohVaivWFP3DbgCg2ZX6
DbFcHRPDe7rRyWp3sLEFUZw=
=t4yl
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
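The scan.messages.rules ruleset from the message above, as an added example (not MailScanner's code and not part of the original message): a small Python model that evaluates it for a sender/recipient pair and lists every rule that switches scanning off. It assumes first-match-wins with `default` as the fallback and one recipient per lookup; the function names are made up for the example.

```python
"""Simplified model of a MailScanner ruleset, used to audit scanning exemptions.

Added example: not MailScanner's own code. Assumptions are marked inline.
"""
import re
from typing import NamedTuple, Optional

# The two rules from the message above, as the file would look on disk.
SCAN_MESSAGES_RULES = """\
# /etc/MailScanner/rules/scan.messages.rules
To:        awkward.sod@domain.com   no
FromOrTo:  default                  yes
"""

DIRECTIONS = {"from", "to", "fromorto"}  # the directions used in this thread


class Rule(NamedTuple):
    lineno: int
    direction: str
    pattern: str
    value: str


def parse_ruleset(text: str) -> list:
    """Parse 'Direction: pattern value' lines; '#' lines and blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if len(fields) != 3 or direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        rules.append(Rule(lineno, direction, fields[1].lower(), fields[2]))
    return rules


def address_matches(pattern: str, address: str) -> bool:
    """Match an address against a literal or '*'-wildcard pattern (e.g. finiky@*).

    Assumption: addresses are compared case-insensitively.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address.lower()) is not None


def lookup(rules: list, sender: str, recipient: str) -> Optional[Rule]:
    """Return the first rule that matches, or the 'default' rule as fallback.

    Assumption: first match wins and 'default' applies only when nothing else
    matched. Messages with several recipients are not modelled.
    """
    fallback = None
    for rule in rules:
        if rule.pattern == "default":
            fallback = fallback or rule
            continue
        from_hit = address_matches(rule.pattern, sender)
        to_hit = address_matches(rule.pattern, recipient)
        hits = {"from": from_hit, "to": to_hit, "fromorto": from_hit or to_hit}
        if hits[rule.direction]:
            return rule
    return fallback


def is_scanned(rules: list, sender: str, recipient: str) -> bool:
    """True unless the matching rule says 'no'; no match at all means scanned."""
    rule = lookup(rules, sender, recipient)
    return rule is None or rule.value.strip().lower() != "no"


def audit_exemptions(rules: list) -> list:
    """List (line number, finding) for every rule that switches scanning off."""
    findings = []
    for rule in rules:
        if rule.value.strip().lower() != "no":
            continue
        if rule.pattern == "default":
            note = "default is 'no': nothing is scanned unless a rule says yes"
        elif "*" in rule.pattern:
            note = f"wildcard exemption {rule.pattern} covers many addresses"
        elif rule.direction != "to":
            note = f"exemption matches sender {rule.pattern}, which can be forged"
        else:
            note = f"mail to {rule.pattern} is delivered unscanned"
        findings.append((rule.lineno, note))
    return findings


if __name__ == "__main__":
    rules = parse_ruleset(SCAN_MESSAGES_RULES)
    for sender, recipient in [
        ("partner@example.org", "awkward.sod@domain.com"),   # exempt recipient
        ("awkward.sod@domain.com", "colleague@domain.com"),  # he is only the sender
        ("partner@example.org", "colleague@domain.com"),     # falls to default
    ]:
        print(f"{sender} -> {recipient}: scanned={is_scanned(rules, sender, recipient)}")
    for lineno, note in audit_exemptions(rules):
        print(f"line {lineno}: {note}")
```

Because the rule is keyed on `To:`, mail the exempt user sends to colleagues is still scanned; only mail addressed to him skips the checks.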
From andoni.auzmendi at robertwalters.com Tue Aug 15 17:41:48 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Tue Aug 15 17:42:32 2006
Subject: no check for a user
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E520@PAT.internal.robertwalters.com>

Javier,

In MailScanner.conf change Use SpamAssassin = yes to %rules-dir%/opt-out.rules. In the rules directory create opt-out.rules file with the following content:

    To:        grumpyuser1@domain   no
    To:        grumpyuser2@domain   no
    FromOrTo:  default              yes

Andoni

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Javier Martinez
Sent: 15 August 2006 17:21
To: mailscanner@lists.mailscanner.info
Subject: no check for a user

Hi everybody,

I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. Is any possibility to use mailscanner for all my users and don't check email for this user??

Thanks a lot.

Javier
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************

From gborders at jlewiscooper.com Tue Aug 15 17:55:41 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Tue Aug 15 17:56:38 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
References: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID: <44E1FC8D.30205@jlewiscooper.com>

I just did something very similar to this for one of my users.
You can use a couple of rules to deliver the messages for the specific user.

Here's mine.

In the MailScanner/rules directory, create a file
    highscoring.spam.actions.rules

In that, add rules for users
    To:        picky@example.com   deliver store header "X-Spam-Status: Yes"
    To:        finiky@*            deliver store header "X-Spam-Status: Yes"
    FromOrTo:  default             delete store

then make another rule file:
    non.spam.actions.rules

In that, add rules for users
    To:        picky@example.com   deliver store header "X-Spam-Status: No"
    To:        finiky@*            deliver store header "X-Spam-Status: No"
    FromOrTo:  default             deliver store

Then in the MailScanner.conf file, update the settings for spam to point to the new rules.
    High Scoring Spam Actions = %rules-dir%/highscoring.spam.actions.rules
and
    Non Spam Actions = %rules-dir%/non.spam.actions.rules

Restart MailScanner, and now your picky and finiky users will get all their mail delivered and only virus laden mails are slain.

With the extra header spam status, Thunderbird clients can filter them to the user's junk folder automatically, and then leave the housekeeping to them.

This method will allow you to still scan messages, and deliver them selectively. You can also tweak the other options as you see fit.

Good luck!

Greg. Borders
Sys. Admin.
JLC Co.

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email.
Is any possibility to use
> mailscanner for all my users and don't check email for this user??
>
> Thanks a lot.
>
> Javier
>

--
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From nfeasey at utpress.utoronto.ca Tue Aug 15 18:06:17 2006
From: nfeasey at utpress.utoronto.ca (Feasey, Nicholas)
Date: Tue Aug 15 18:06:36 2006
Subject: Specific From and To check rule
In-Reply-To: <44E1F946.5050609@ecs.soton.ac.uk>
Message-ID: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION>

Forgive me if this has been discussed before...

Is there a simple method in which MailScanner can be told to check the From and the To address and, if it's from the same person, reject it.

I want to stop those messages that state:

From: @
To: @

...which are really annoying.

N

From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 18:22:37 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Aug 15 18:22:52 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID:

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and
> spamassassin, but my user is complaining all time about his email. Is
> any possibility to use mailscanner for all my users and don't check
> email for this user??

What is he complaining about? You could turn it off or on and he wouldn't see the difference. Well, except he'd get a lot more spam.
But it doesn't slow delivery down noticeably or anything. What does he think the problem is?

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From gordon at itnt.co.za Tue Aug 15 18:43:14 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Aug 15 18:44:16 2006
Subject: Nod32 installation
References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk>
Message-ID: <005401c6c092$612c28c0$0d02a8c0@Gordon>

Yep, installed in correct path and updated config to specified nod32-1.99.
Looked in the files and picked up I don't have the file nod32 only have;

nod32_update
nod32d
nod32mda
nod32smtp
nod32smfi
nod32cli

Gordon

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Tuesday, August 15, 2006 5:00 PM
Subject: Re: Nod32 installation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Where did you install Nod32? MailScanner assumes /usr/sbin unless you have it somewhere else. And you are using
    Virus Scanners = nod32-1.99
aren't you?
    Virus Scanners = nod32
is for old versions (this is documented in MailScanner.conf immediately above the "Virus Scanners" setting).

If you have installed it elsewhere, then you need to tell MailScanner where it is by editing /etc/MailScanner/virus.scanners.conf

Gordon Colyn wrote:
> Can someone confirm what version of nod32 works with
> Mailscanner, I have tried to install nod32 for mail server but it doesn't
> get picked up by Mailscanner.
>
> Thanks
>
> Gordon Colyn
>
>
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE4eGHEfZZRxQVtlQRAqozAKDwfWSO0HI+9YtAiFhft3IApzzdFQCcCaw2
tGkkzH+clULgvNNDoEvDjmc=
=twat
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From mailscanner at ecs.soton.ac.uk Tue Aug 15 19:16:57 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 15 19:17:08 2006
Subject: Nod32 installation
In-Reply-To: <005401c6c092$612c28c0$0d02a8c0@Gordon>
References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk> <005401c6c092$612c28c0$0d02a8c0@Gordon>
Message-ID: <44E20F99.4060205@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The program (the binary) should have been called nod32, but they might have changed that.
Try this:
    cd /usr/sbin
    ln -s nod32cli nod32
and then run MailScanner again.

Gordon Colyn wrote:
> Yep, installed in correct path and updated config to specified nod32-1.99.
> Looked in the files and picked up I don't have the file nod32 only have; > > nod32_update > nod32d > nod32mda > nod32smtp > nod32smfi > nod32cli > > Gordon > ----- Original Message ----- > From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 5:00 PM > Subject: Re: Nod32 installation > > > > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > > Where did you install Nod32? MailScanner assumes /usr/sbin unless you > have it somewhere else. And you are using > Virus Scanners = nod32-1.99 > aren't you? > Virus Scanners = nod32 > is for old versions (this is documented in MailScanner.conf immediately > above the "Virus Scanners" setting). > > If you have installed it elsewhere, then you need to tell MailScanner > where it is by editing /etc/MailScanner/virus.scanners.conf > > Gordon Colyn wrote: >> ITNT Banner CampaignCan someone confirm what version of nod32 works with >> Mailscanner, I have tried to install nod32 for mail server but it doesn't >> get picked up by Mailscanner. >> >> Thanks >> >> Gordon Colyn >> >> >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4g+aEfZZRxQVtlQRArCCAJ9eNBU/DO+KjNZ0fm87YBmbI6bSngCfbGPK nQBPfmoZG8skMTJlJLX4l4c= =Us3M -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From JeremyBlonde at grant.k12.ca.us Tue Aug 15 19:26:45 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Tue Aug 15 19:25:07 2006 Subject: MailScanner load Message-ID: I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District From gordon at itnt.co.za Tue Aug 15 19:28:22 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Aug 15 19:28:42 2006 Subject: Nod32 installation References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk><005401c6c092$612c28c0$0d02a8c0@Gordon> <44E20F99.4060205@ecs.soton.ac.uk> Message-ID: <00ff01c6c098$96d1c650$0d02a8c0@Gordon> ok, will give it a bash, just got a demo version of nod32 fileserver version from nod seems that the file version scanner uses nod32, the files I mentioned below are for the mail server... ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Tuesday, August 15, 2006 8:16 PM Subject: Re: Nod32 installation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The program (the binary) should have been called nod32, but they might have changed that. 
Try this: cd /usr/sbin ln -s new32cli nod32 and then run MailScanner again. Gordon Colyn wrote: > Yep, installed in correct path and updated config to specified nod32-1.99. > Looked in the files and picked up I don't have the file nod32 only have; > > nod32_update > nod32d > nod32mda > nod32smtp > nod32smfi > nod32cli > > Gordon > ----- Original Message ----- > From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 5:00 PM > Subject: Re: Nod32 installation > > > > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > > Where did you install Nod32? MailScanner assumes /usr/sbin unless you > have it somewhere else. And you are using > Virus Scanners = nod32-1.99 > aren't you? > Virus Scanners = nod32 > is for old versions (this is documented in MailScanner.conf immediately > above the "Virus Scanners" setting). > > If you have installed it elsewhere, then you need to tell MailScanner > where it is by editing /etc/MailScanner/virus.scanners.conf > > Gordon Colyn wrote: >> ITNT Banner CampaignCan someone confirm what version of nod32 works with >> Mailscanner, I have tried to install nod32 for mail server but it doesn't >> get picked up by Mailscanner. >> >> Thanks >> >> Gordon Colyn >> >> >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4g+aEfZZRxQVtlQRArCCAJ9eNBU/DO+KjNZ0fm87YBmbI6bSngCfbGPK nQBPfmoZG8skMTJlJLX4l4c= =Us3M -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From gordon at itnt.co.za Tue Aug 15 19:36:26 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Aug 15 19:36:45 2006 Subject: MailScanner load References: Message-ID: <010401c6c099$b74e5050$0d02a8c0@Gordon> I had the same problem with my box, maxed the load at about 5-6 doing 20k messages per day. Just increased my ram to 4gb and have seen the load drop to between 0.50 and 1.50 max when looking at stats with mailscanner! Now doing 25k and growing to 30k and the load is sitting at approx .75 to 1.5. Gordon ----- Original Message ----- From: "Jeremy Blonde" To: "MailScanner discussion" Sent: Tuesday, August 15, 2006 8:26 PM Subject: MailScanner load I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). 
Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rpoe at plattesheriff.org Tue Aug 15 19:38:43 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Aug 15 19:39:08 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: <44E1CE66.65ED.00A2.0@plattesheriff.org> What's your swap utilization? 1gig of ram using tempfs and MailScanner sounds like too little ram... >>> "Jeremy Blonde" 8/15/2006 1:26 PM >>> I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From JeremyBlonde at grant.k12.ca.us Tue Aug 15 19:46:21 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Tue Aug 15 19:43:24 2006 Subject: MailScanner load Message-ID: The box reports that 500 k of swap is being used. I rarely have less than 200,000 k free of RAM with the average being 300,000 k. Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -----Original Message----- From: Rob Poe [mailto:rpoe@plattesheriff.org] Sent: Tuesday, August 15, 2006 11:39 AM To: Jeremy Blonde; MailScanner discussion Subject: Re: MailScanner load What's your swap utilization? 1gig of ram using tempfs and MailScanner sounds like too little ram... >>> "Jeremy Blonde" 8/15/2006 1:26 PM >>> I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From martinh at solid-state-logic.com Tue Aug 15 19:48:01 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 19:48:22 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: <44E216E1.9020808@solid-state-logic.com> Jeremy Blonde wrote: > I've been wanting to use Bayes for our mailscanner system, but I'm > wondering now if the overhead is worth it. We have a new mailscanner > box running with Postfix (under Gentoo Linux) and it works pretty well, > we're filtering between 75-80% of our mail as spam. The box however, is > hammered, it's running around 5-6 with spikes to 8-9. I've just turned > off bayes and I'll see how the load is once it's processed all the back > logged messages. We're averaging about 15,000-20,000 messages a day > (probably more once the school year starts). Mailscanner is running on > an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. > > Is that normal for using bayes with mailscanner or do I need to tweak > some things? > > (I'm already using tmpfs for a little bit of a speed up). > > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union School District Jeremy do you process ALL email or drop stuff on the inbound MTA? If you can do a check on valid email addresses and drop invalid ones you'll drop your processing by over 50% in my experience. Also what SA rules are you running above the default ones - ie whats in /etc/mail/spamassassin. Do you run a local caching nameserver on the MS box? have you looked at the tuning stuff on the wiki - that box should be able to cope with 50-60k emails a day easy. BTW load average doesn't mean much - just X processes waiting for resources. As long as email is traversing MailScanner quickly (sub 30 seconds) load Ave doesn't mean much. 
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From daniel.maher at ubisoft.com Tue Aug 15 19:53:05 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Aug 15 19:53:07 2006
Subject: MailScanner load
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0D7@UBIMAIL1.ubisoft.org>

I had three machines running MailScanner, doing around 500,000 mails per day across the group. Load was constantly around 20, and mail delays were rampant.

Then I subscribed to the TrendMicro RBL, and integrated LDAP for destination verification at the MTA layer. The amount of mail that actually reaches MailScanner has been reduced by about 92% (not a typo, actual tracked statistic).

The moral of the story is this: Adding more hardware is one thing. Tweaking MailScanner is another. But actually taking steps to eliminate spam at the earliest possible point - that's where you'll find real performance improvements.

--
 _
?v?    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn
> Sent: August 15, 2006 2:36 PM
> To: MailScanner discussion
> Subject: Re: MailScanner load
>
> I had the same problem with my box, maxed the load at about 5-6 doing 20k
> messages per day.
> Just increased my ram to 4gb and have seen the load drop
> to between 0.50 and 1.50 max when looking at stats with mailscanner! Now
> doing 25k and growing to 30k and the load is sitting at approx .75 to 1.5.
>
> Gordon
>
> ----- Original Message -----
> From: "Jeremy Blonde"
> To: "MailScanner discussion"
> Sent: Tuesday, August 15, 2006 8:26 PM
> Subject: MailScanner load
>
> I've been wanting to use Bayes for our mailscanner system, but I'm
> wondering now if the overhead is worth it. We have a new mailscanner
> box running with Postfix (under Gentoo Linux) and it works pretty well,
> we're filtering between 75-80% of our mail as spam. The box however, is
> hammered, it's running around 5-6 with spikes to 8-9. I've just turned
> off bayes and I'll see how the load is once it's processed all the back
> logged messages. We're averaging about 15,000-20,000 messages a day
> (probably more once the school year starts). Mailscanner is running on
> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives.
>
> Is that normal for using bayes with mailscanner or do I need to tweak
> some things?
>
> (I'm already using tmpfs for a little bit of a speed up).
>
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union School District
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
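
For a Postfix gateway like the original poster's, the early rejection described in this thread (a DNSBL lookup and recipient verification during the SMTP dialogue, before MailScanner sees the message) can be sketched as below. This is an added example, not configuration posted by anyone in the thread; the domain, the DNSBL zone, the LDAP host and the file path are placeholders.

```cfg
# /etc/postfix/main.cf (fragment). Added example: example.com,
# dnsbl.example.invalid and the map path are placeholders.

# Domains this gateway accepts and relays to the internal mail server.
relay_domains = example.com

# Valid recipients in those domains, looked up in the directory. Once this
# map is set, a RCPT TO for an address it does not list is refused with a
# 5xx reply, so the message body is never received, queued or scanned.
relay_recipient_maps = ldap:/etc/postfix/ldap-recipients.cf

# Evaluated in order, once per RCPT TO. The local checks come first so the
# DNS lookup for the blocklist is only made for recipients that exist.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_rbl_client dnsbl.example.invalid

# /etc/postfix/ldap-recipients.cf is a separate file; its contents are
# shown here as comments:
#   server_host      = ldap.example.com
#   search_base      = dc=example,dc=com
#   query_filter     = (mail=%s)
#   result_attribute = mail
```

Rejections made this way appear in the Postfix log as "Recipient address rejected" or as a blocklist rejection naming the zone, which gives a direct count of how much mail never reaches the content scanner.
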
From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 20:46:28 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Aug 15 20:46:36 2006
Subject: MailScanner load
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0D7@UBIMAIL1.ubisoft.org>
Message-ID:

Daniel Maher wrote:
> I had three machines running MailScanner, doing around 500,000 mails
> per day across the group. Load was constantly around 20, and mail
> delays were rampant.
>
> Then I subscribed to the TrendMicro RBL, and integrated LDAP for
> destination verification at the MTA layer. The amount of mail that
> actually reaches MailScanner has been reduced by about 92% (not a
> typo, actual tracked statistic).
>
> The moral of the story is this: Adding more hardware is one thing.
> Tweaking MailScanner is another. But actually taking steps to
> eliminate spam at the earliest possible point - that's where you'll
> find real performance improvements.

I agree with Daniel here. Not sure if the OP is running Postfix or
sendmail (too lazy to go back and look) but I saw a tremendous drop in
the number of inbound messages getting past my MTA just turning on
greet_pause in sendmail. Anything that can stop the spam messages
during the handshaking will lighten the load on your servers
considerably...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ssilva at sgvwater.com Tue Aug 15 20:51:31 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 15 20:52:00 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
References: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID:

Javier Martinez spake the following on 8/15/2006 9:21 AM:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and spamassassin,
> but my user is complaining all time about his email.
> Is any possibility to use
> mailscanner for all my users and don't check email for this user??
>
> Thanks a lot.
>
> Javier

Why not just make sure his messages aren't signed or the subject lines
aren't modified. Then he might just happily think you caved in to him. ;-)
Then you are still protecting the rest of your users from his
foolishness.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Aug 15 20:58:49 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 15 20:59:27 2006
Subject: MailScanner load
In-Reply-To:
References:
Message-ID:

Jeremy Blonde spake the following on 8/15/2006 11:26 AM:
> I've been wanting to use Bayes for our mailscanner system, but I'm
> wondering now if the overhead is worth it. We have a new mailscanner
> box running with Postfix (under Gentoo Linux) and it works pretty well,
> we're filtering between 75-80% of our mail as spam. The box however, is
> hammered, it's running around 5-6 with spikes to 8-9. I've just turned
> off bayes and I'll see how the load is once it's processed all the back
> logged messages. We're averaging about 15,000-20,000 messages a day
> (probably more once the school year starts). Mailscanner is running on
> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives.
>
> Is that normal for using bayes with mailscanner or do I need to tweak
> some things?
>
> (I'm already using tmpfs for a little bit of a speed up).
>
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union School District

If you are using the default of 5 children per cpu with that little ram,
you will probably swap. And a hyper-threaded proc isn't exactly the same
as 2 processors. If you can't add ram, try backing off with the number
of children, probably one at a time, until you get to the point of
stabilization. You should be able to process that load with 2 - 3
children if the mail comes in evenly.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mike at tc3net.com Tue Aug 15 21:07:04 2006
From: mike at tc3net.com (Michael Baird)
Date: Tue Aug 15 21:00:32 2006
Subject: MailScanner load
In-Reply-To:
References:
Message-ID: <1155672424.14194.10.camel@mike-new2.tc3net.com>

On Tue, 2006-08-15 at 11:46 -0800, Kevin Miller wrote:
> Daniel Maher wrote:
> > I had three machines running MailScanner, doing around 500,000 mails
> > per day across the group. Load was constantly around 20, and mail
> > delays were rampant.
> >
> > Then I subscribed to the TrendMicro RBL, and integrated LDAP for
> > destination verification at the MTA layer. The amount of mail that
> > actually reaches MailScanner has been reduced by about 92% (not a
> > typo, actual tracked statistic).
> >
> > The moral of the story is this: Adding more hardware is one thing.
> > Tweaking MailScanner is another. But actually taking steps to
> > eliminate spam at the earliest possible point - that's where you'll
> > find real performance improvements.
>
> I agree with Daniel here. Not sure if the OP is running Postfix or
> sendmail (too lazy to go back and look) but I saw a tremendous drop in
> the number of inbound messages getting past my MTA just turning on
> greet_pause in sendmail. Anything that can stop the spam messages
> during the handshaking will lighten the load on your servers
> considerably...

To beat a dead horse from another recent thread, check out
greylist-milter, on my system it had a bigger impact than sendmail's
greet_pause, took the load down nicely.
Regards
Michael Baird

From bbecken at aafp.org Tue Aug 15 21:10:46 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Tue Aug 15 21:11:07 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <44E1E3F4.D87E.0068.3@aafp.org>

>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>>
>
>Hi,
>
>I was just wondering what peoples opinions were on running multiple virus
>scanners with MailScanner. I'm currently only running ClamAV, and I was
>thinking about running one or two more.
>Could someone recommend what other scanner/s to use? My main concern is
>system resources. I would like something that doesn't load up the server too
>much more as ClamAV is quite light on resources from my experience with it.
>
>- Jon

Which of these Anti-virus products can run headless without any X or
GUI installed?

From daniel.maher at ubisoft.com Tue Aug 15 21:34:40 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Aug 15 21:34:44 2006
Subject: OT - Multiple Virus Scanners
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0DB@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Brad Beckenhauer
> Sent: August 15, 2006 4:11 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: OT - Multiple Virus Scanners
>
> Which of these Anti-virus products can run headless without any X or
> GUI installed?

We use ClamAV on our incoming mail relays, which are 1U servers stacked
into a cabinet at our data centre a few kilometers away. Needless to
say, they are headless, and don't have X capabilities.

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.
From alex at nkpanama.com Tue Aug 15 21:38:13 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Aug 15 21:38:37 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <44E1E3F4.D87E.0068.3@aafp.org>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <44E1E3F4.D87E.0068.3@aafp.org>
Message-ID: <44E230B5.3050701@nkpanama.com>

Brad Beckenhauer wrote:
>>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>>
>> Hi,
>>
>> I was just wondering what peoples opinions were on running multiple virus
>> scanners with MailScanner. I'm currently only running ClamAV, and I was
>> thinking about running one or two more.
>> Could someone recommend what other scanner/s to use? My main concern is
>> system resources. I would like something that doesn't load up the server too
>> much more as ClamAV is quite light on resources from my experience with it.
>> - Jon
>
> Which of these Anti-virus products can run headless without any X or
> GUI installed?

All of them IIRC...

From alex at nkpanama.com Tue Aug 15 21:41:29 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Aug 15 21:41:39 2006
Subject: MailScanner load
In-Reply-To: <44E1CE66.65ED.00A2.0@plattesheriff.org>
References: <44E1CE66.65ED.00A2.0@plattesheriff.org>
Message-ID: <44E23179.5070009@nkpanama.com>

You *do* know that MailScanner causes swap, don't you? ;-)

Rob Poe wrote:
> What's your swap utilization? 1gig of ram using tempfs and MailScanner
> sounds like too little ram...
>
>>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>>
> I've been wanting to use Bayes for our mailscanner system, but I'm
> wondering now if the overhead is worth it. We have a new mailscanner
> box running with Postfix (under Gentoo Linux) and it works pretty well,
> we're filtering between 75-80% of our mail as spam. The box however, is
> hammered, it's running around 5-6 with spikes to 8-9.
> I've just turned
> off bayes and I'll see how the load is once it's processed all the back
> logged messages. We're averaging about 15,000-20,000 messages a day
> (probably more once the school year starts). Mailscanner is running on
> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives.
>
> Is that normal for using bayes with mailscanner or do I need to tweak
> some things?
>
> (I'm already using tmpfs for a little bit of a speed up).
>
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union School District

From alex at nkpanama.com Tue Aug 15 21:43:35 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Aug 15 21:43:45 2006
Subject: Specific From and To check rule
In-Reply-To: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION>
References: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION>
Message-ID: <44E231F7.1060203@nkpanama.com>

Feasey, Nicholas wrote:
> Forgive me if this has been discussed before...
>
> Is there a simple method in which MailScanner can be told to check the
> From and the To address and, if it's from the same person, reject it.
>
> I want to stop those messages that state:
>
> From: @
> To: @
>
> ...which are really annoying.
>
> N

Create a ruleset:

in %rules-dir%/spam.blacklist.rules

FromOrTo: default no
From:user1@domain.com and To:user1@domain.com yes
...
...
...
From:user99@domain.com and To:user99@domain.com yes

Sounds silly, and resource-wasteful, but it should get the job done, I
think.
From alex at nkpanama.com Tue Aug 15 21:50:24 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Aug 15 21:50:34 2006
Subject: OT: Misconfigured SA in SpamAssassin (ALL_TRUSTED)
Message-ID: <44E23390.7090909@nkpanama.com>

If someone here knows who the admin is for "netnation.nl" or
"rinexpro.com" or "hostingconcepts", let them know that their
ALL_TRUSTED is misfiring and letting an advance_fee message through
their servers and getting them blacklisted.

Check headers at "http://pastebin.ca/133329" if you need more info.

From ssilva at sgvwater.com Tue Aug 15 21:59:41 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 15 22:00:30 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <44E1E3F4.D87E.0068.3@aafp.org>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <44E1E3F4.D87E.0068.3@aafp.org>
Message-ID:

Brad Beckenhauer spake the following on 8/15/2006 1:10 PM:
>>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>>
>> Hi,
>>
>> I was just wondering what peoples opinions were on running multiple virus
>> scanners with MailScanner. I'm currently only running ClamAV, and I was
>> thinking about running one or two more.
>> Could someone recommend what other scanner/s to use? My main concern is
>> system resources. I would like something that doesn't load up the server too
>> much more as ClamAV is quite light on resources from my experience with it.
>> - Jon
>
> Which of these Anti-virus products can run headless without any X or
> GUI installed?

MailScanner uses the command-line version of anti-virus products, so all
of them if they still sell or have a command-line version available.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
From mauriciopcavalcanti at hotmail.com Tue Aug 15 22:03:16 2006
From: mauriciopcavalcanti at hotmail.com (Mauricio)
Date: Tue Aug 15 22:05:15 2006
Subject: OT: Sendmail Violence
In-Reply-To:
Message-ID:

Hi,

I'm using Gentoo, sendmail and MS 4.56.1 and it was made to filter SPAM
and redirect to an internal Exchange. I use ForkEachJob=true in sendmail.

At this morning, my internal exchange crashes and made my queue (not
mqueue.in) grows rapidly. When it Exchange returns, I use sendmail -q
command and my load grows to 400. After that, I could not work and
everything seems to be stopped what about 1 minute. When my server waked
up (after this sendmail violence), I have no queue and no load.

Anyone knows an issue to limit sendmail to not make a DOS on itself?

Thanks in advance and sorry for OT,

Mauricio.

From ssilva at sgvwater.com Tue Aug 15 22:01:18 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 15 22:05:20 2006
Subject: MailScanner load
In-Reply-To: <44E23179.5070009@nkpanama.com>
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com>
Message-ID:

Alex Neuman van der Hans spake the following on 8/15/2006 1:41 PM:
> You *do* know that MailScanner causes swap, don't you? ;-)
>

Some things never die!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From akostocker at gmail.com Tue Aug 15 23:04:06 2006
From: akostocker at gmail.com (Tony Stocker)
Date: Tue Aug 15 23:04:09 2006
Subject: Whitelisting doesn't appear to work
Message-ID: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com>

Hello All,

I've set some entries in /etc/MailScanner/rules/spam.whitelist.rules
because I have had several messages marked as spam that were actually
the MailScanner "Virus Detected" messages.
I'm modifying the addresses slightly to protect myself, but let's say
that my mailserver's address is "197.100.235.132", this then is the
entry that I have in the spam.whitelist.rules file:

From: 197.100.235. yes

However, I am still getting "Virus Detected" messages marked as spam,
(see slightly munged example below) even with this entry. What am I
doing wrong?

------------------------------------------------------------------------

Return-Path:
X-Original-To: postmaster
Delivered-To: tony.stocker@pps-mail.example.com
Received: by pps-mail.example.com (Postfix, from userid 89)
        id 82E008EA9A; Tue, 15 Aug 2006 17:49:21 -0400 (EDT)
From: "MailScanner"
To: postmaster@pps-mail.example.com
Subject: { SPAM } Virus Detected
Content-type: text/plain; charset=ISO-8859-1
Message-Id: <20060815214921.82E008EA9A@pps-mail.example.com>
Date: Tue, 15 Aug 2006 17:49:21 -0400 (EDT)
MIME-Version: 1.0
X-PPS-MailScanner-Information: Please contact the ISP for more information
X-PPS-MailScanner: Found to be clean
X-PPS-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=3.723,
        required 3, BAYES_50 0.00, INFO_TLD 1.27, NO_RELAYS -0.00,
        SPOOF_COM2COM 2.45)
X-PPS-MailScanner-SpamScore: sss
X-PPS-MailScanner-From: postmaster@pps-mail.example.com
X-Spam-Status: Yes

The following e-mails were found to have: Virus Detected

Sender: supprefnum48150724253494id@53.com
IP Address: 197.100.235.38
Recipient: john.smithson@pps-mail.example.com
Subject: Important Banking Mail From Fifth Third Bank
MessageID: 86EEE8EA30.069FE
Quarantine:
Report: ClamAV Module: msg-30327-71.html was infected: HTML.Phishing.Bank-627

------------------------------------------------------------------------

From alex at nkpanama.com Tue Aug 15 23:12:25 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Aug 15 23:12:37 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com>
References: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com>
Message-ID: <44E246C9.4080302@nkpanama.com>

Then your server probably didn't mark it as SPAM, somebody else's did.

Did you restart/reload MailScanner after the change?

Tony Stocker wrote:
> Hello All,
>
> I've set some entries in /etc/MailScanner/rules/spam.whitelist.rules
> because I have had several messages marked as spam that were actually
> the MailScanner "Virus Detected" messages. I'm modifying the
> addresses slightly to protect myself, but let's say that my
> mailserver's address is "197.100.235.132", this then is the entry that
> I have in the spam.whitelist.rules file:
>
> From: 197.100.235. yes
>
> However, I am still getting "Virus Detected" messages marked as spam,
> (see slightly munged example below) even with this entry. What am I
> doing wrong?
>
> ------------------------------------------------------------------------
>
> Return-Path:
> X-Original-To: postmaster
> Delivered-To: tony.stocker@pps-mail.example.com
> Received: by pps-mail.example.com (Postfix, from userid 89)
>         id 82E008EA9A; Tue, 15 Aug 2006 17:49:21 -0400 (EDT)
> From: "MailScanner"
> To: postmaster@pps-mail.example.com
> Subject: { SPAM } Virus Detected
> Content-type: text/plain; charset=ISO-8859-1
> Message-Id: <20060815214921.82E008EA9A@pps-mail.example.com>
> Date: Tue, 15 Aug 2006 17:49:21 -0400 (EDT)
> MIME-Version: 1.0
> X-PPS-MailScanner-Information: Please contact the ISP for more information
> X-PPS-MailScanner: Found to be clean
> X-PPS-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=3.723,
>         required 3, BAYES_50 0.00, INFO_TLD 1.27, NO_RELAYS -0.00,
>         SPOOF_COM2COM 2.45)
> X-PPS-MailScanner-SpamScore: sss
> X-PPS-MailScanner-From: postmaster@pps-mail.example.com
> X-Spam-Status: Yes
>
> The following e-mails were found to have: Virus Detected
>
> Sender: supprefnum48150724253494id@53.com
> IP Address: 197.100.235.38
> Recipient: john.smithson@pps-mail.example.com
> Subject: Important Banking Mail From Fifth Third Bank
> MessageID: 86EEE8EA30.069FE
> Quarantine:
> Report: ClamAV Module: msg-30327-71.html was infected:
> HTML.Phishing.Bank-627
>
> ------------------------------------------------------------------------
>

From akostocker at gmail.com Tue Aug 15 23:17:21 2006
From: akostocker at gmail.com (Tony Stocker)
Date: Tue Aug 15 23:17:22 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To: <44E246C9.4080302@nkpanama.com>
References: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com> <44E246C9.4080302@nkpanama.com>
Message-ID: <7801ad8f0608151517n4cb98a13w75375450e33414c2@mail.gmail.com>

Yes I did reload after making the change, and it definitely is my server
marking it as spam.

On 8/15/06, Alex Neuman van der Hans wrote:
> Then your server probably didn't mark it as SPAM, somebody else's did.
>
> Did you restart/reload MailScanner after the change?
>
>
> Tony Stocker wrote:
> > Hello All,
> >
> > I've set some entries in /etc/MailScanner/rules/spam.whitelist.rules
> > because I have had several messages marked as spam that were actually
> > the MailScanner "Virus Detected" messages. I'm modifying the
> > addresses slightly to protect myself, but let's say that my
> > mailserver's address is "197.100.235.132", this then is the entry that
> > I have in the spam.whitelist.rules file:
> >
> > From: 197.100.235. yes
> >
> > However, I am still getting "Virus Detected" messages marked as spam,
> > (see slightly munged example below) even with this entry. What am I
> > doing wrong?
>

From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 23:31:41 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Aug 15 23:31:46 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com>
Message-ID:

Tony Stocker wrote:
> Hello All,
>
> I've set some entries in /etc/MailScanner/rules/spam.whitelist.rules
> because I have had several messages marked as spam that were actually
> the MailScanner "Virus Detected" messages. I'm modifying the
> addresses slightly to protect myself, but let's say that my
> mailserver's address is "197.100.235.132", this then is the entry that
> I have in the spam.whitelist.rules file:
>
> From: 197.100.235. yes

Toss in this line for good measure too:
From: 127.0.0. yes

> However, I am still getting "Virus Detected" messages marked as spam,
> (see slightly munged example below) even with this entry. What am I
> doing wrong?

What else is in spam.whitelist.rules? I.e., do you have a default entry
as the *last* line? It should be:
FromOrTo: default no

In MailScanner.conf do you have the following line?
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

HTH...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mailscanner at ecs.soton.ac.uk Wed Aug 16 00:08:04 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 16 00:08:16 2006
Subject: MailScanner load
In-Reply-To: <44E23179.5070009@nkpanama.com>
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com>
Message-ID: <44E253D4.1010406@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also, a load of 10-15 is not uncommon. The load average means very
little. Most of it can be caused by network DNS lookups. Watching how
much you swap is far more important.
Many of my MailScanner systems run with a load average of 10-15.
I recommend 1Gb of RAM per CPU (Max Children=5*number of CPUs).

Alex Neuman van der Hans wrote:
> You *do* know that MailScanner causes swap, don't you? ;-)
>
> Rob Poe wrote:
>> What's your swap utilization? 1gig of ram using tempfs and MailScanner
>> sounds like too little ram...
>>
>>>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>>>
>> I've been wanting to use Bayes for our mailscanner system, but I'm
>> wondering now if the overhead is worth it. We have a new mailscanner
>> box running with Postfix (under Gentoo Linux) and it works pretty well,
>> we're filtering between 75-80% of our mail as spam. The box however, is
>> hammered, it's running around 5-6 with spikes to 8-9. I've just turned
>> off bayes and I'll see how the load is once it's processed all the back
>> logged messages. We're averaging about 15,000-20,000 messages a day
>> (probably more once the school year starts). Mailscanner is running on
>> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives.
>>
>> Is that normal for using bayes with mailscanner or do I need to tweak
>> some things?
>>
>> (I'm already using tmpfs for a little bit of a speed up).
>>
>> Jeremy Blonde
>> Instructional Technology - Server Support
>> Grant Joint Union School District
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4lPWEfZZRxQVtlQRAnEoAKChDVuyyPY16zpxK+vnYEpkpCyaIwCfdLaA P+ePX4x2qxUY0/l8m6AUtnA= =qv+V -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From taz at taz-mania.com Wed Aug 16 00:15:21 2006 From: taz at taz-mania.com (Dennis Willson) Date: Wed Aug 16 00:15:27 2006 Subject: Rul set for Spam Subject Text ??? In-Reply-To: <20060814093054.87090.qmail@web54402.mail.yahoo.com> Message-ID: If you're not going to mark the email, why scan it at all? Why not make a rule that skips scanning for that one domain? Not only will it not get marked, but it will reduce server load (maybe not much, but every little bit helps). On Mon, 14 Aug 2006 02:30:52 -0700 (PDT) jay shi wrote: >Hi > Thanks Peter for ur quick response. > > I am using MailScanner 4.48.4 with multidomain > sendmail. For low Score SPAM i am using this > Spam Subject Text = {possible spam} as a tag > One of my domain (abc.com) ask me, he dont't >want this tag > , but other domains ( xyz.com,pqr.com ) are demanding >this feature. > i want to write rule set for above condition, >Here is my rules for it in MailScanner.conf :-- > >Spam Modify Subject = yes >Spam Subject Text = %rules-dir%/spam.subject.rules > >cat /etc/MailScanner/rules/spam.subject.rules >From: @abc.com >From: @xyz.com {possible spam} >From: @pqr.com {possible spam} > >service MailScanner restart > > I may be wrong, if it plz correct me. > >Thanks & Regards >Jayesh > > > >__________________________________________________ >Do You Yahoo!? >Tired of spam? Yahoo! 
Mail has the best spam protection around >http://mail.yahoo.com >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From james at grayonline.id.au Wed Aug 16 01:30:03 2006 From: james at grayonline.id.au (James Gray) Date: Wed Aug 16 01:30:40 2006 Subject: Wiki is sick... Message-ID: Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060816/cfccfac3/PGP-0001.bin From chris at tac.esi.net Wed Aug 16 04:27:30 2006 From: chris at tac.esi.net (Chris Hammond) Date: Wed Aug 16 04:15:53 2006 Subject: Stopping messages with the "Re: ??" Subject Message-ID: <44E25862.B662.0038.0@tac.esi.net> The MailScanner server that I maintain get's hit with 3k-5k of of these messages a day. They are all spam and the subject is in the form of the Re: with a space and two letters. The first letter can be any from a to z, while the second letter is either a e i o u or y. I created the following rule as a Postfix header check as I want to flat out reject these messages. /^Subject: (Re: [a-z][aeiouy])/ REJECT Spam 30-25. - First attempt /^Subject: Re: [a-z][aeiouy]/ REJECT Spam 30-25. 
- Second attempt /^Subject: (Re:) [a-z][aeiouy]/ REJECT Spam 30-25. - Third attemp The problem that I am having is that it doesn't stop after the two letters. If a word after Re: that matches one of the two letter combinations comes up, it fires on that also. What am I doing wrong with the rule. I only want it to fire on the Re: and the two letters. Nothing more. Thanks Chris From x72m35 at gmail.com Wed Aug 16 04:32:32 2006 From: x72m35 at gmail.com (Lasantha Marian) Date: Wed Aug 16 04:35:43 2006 Subject: Can MailScanner Individualizing Filename/Filetype rules ? In-Reply-To: References: Message-ID: <44E291D0.3040205@gmail.com> Dear Julian/Kevin, Thanks for the leads. Now I am working on it. Best regards, Lasantha. -------- Original Message -------- From: Kevin Miller Date: 15/08/2006 08:42 p > Julian Field wrote: > > >> Yes. >> Read up on it at wiki.mailscanner.info. It is documented in there, and >> in the book, is quite some detail. >> >> Lasantha Marian wrote: >> >>> Is there a way to individualize the Filename and Filetype rules based >>> on e-mail addresses ? If YES, a brief explanation is much >>> appreciated. >>> >>> Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk >>> can only receive PDF (*.pdf). >>> > > You might also look through the archives (we still have archives, > right?) for a thread with the subject "filename/type exceptions" . Last > week I ask a similar question and got some good replies... > > > ...Kevin > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060816/af240804/attachment.html From james at grayonline.id.au Wed Aug 16 05:23:31 2006 From: james at grayonline.id.au (James Gray) Date: Wed Aug 16 05:23:59 2006 Subject: Stopping messages with the "Re: ??" 
Subject
In-Reply-To: <44E25862.B662.0038.0@tac.esi.net>
References: <44E25862.B662.0038.0@tac.esi.net>
Message-ID: <811D6493-85B1-459F-8218-CDD0084E815B@grayonline.id.au>

On 16/08/2006, at 1:27 PM, Chris Hammond wrote:

> The MailScanner server that I maintain gets hit with 3k-5k of
> these messages a day. They are all spam and the subject is in the
> form of the Re: with a space and two letters. The first letter can
> be any from a to z, while the second letter is either a e i o u or
> y. I created the following rule as a Postfix header check as I
> want to flat out reject these messages.
>
> /^Subject: (Re: [a-z][aeiouy])/ REJECT Spam 30-25. - First attempt
> /^Subject: Re: [a-z][aeiouy]/ REJECT Spam 30-25. - Second attempt
> /^Subject: (Re:) [a-z][aeiouy]/ REJECT Spam 30-25. - Third attempt
>
> The problem that I am having is that it doesn't stop after the two
> letters. If a word after Re: that matches one of the two letter
> combinations comes up, it fires on that also. What am I doing
> wrong with the rule. I only want it to fire on the Re: and the two
> letters. Nothing more.
>
> Thanks
> Chris

Have you tried anchoring the regex to match the end of the line:

/^Subject: Re: [a-z][aeiouy]$/ REJECT Spam 30-25

Or maybe even anchor after an arbitrary amount of white space (and only white space):

/^Subject: Re: [a-z][aeiouy]\s*$/ REJECT Spam 30-25

"$" is a special character in both POSIX and Perl regex which means "end of line". Maybe that will help?

Cheers,

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2440 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060816/f0b43b82/smime.bin

From casey at deccio.net Wed Aug 16 05:53:06 2006
From: casey at deccio.net (Casey T.
Deccio)
Date: Wed Aug 16 05:54:43 2006
Subject: Training spamassassin Bayes
Message-ID:

I'm using a Debian system with Exim4/MailScanner/Spamassassin/Courier-imap. Using the default Spamassassin settings (including auto-learn), about half of the SPAM emails were incorrectly classified as ham. I recently created a script (see below) to run daily as a cron job, but the Spam classification has only gotten worse since then. Any ideas?

Thanks,
Casey

#!/bin/sh
SALEARN=/usr/bin/sa-learn
PREFS=/etc/MailScanner/spam.assassin.prefs.conf
JUNK=.Junk
HAM=`mktemp`
SPAM=`mktemp`
OLDSPAM=`mktemp`

if [ ! -x $SALEARN ]; then
    exit 1
fi

# Learn HAM
for dir in /home/*/Maildir/cur; do
    find $dir -type f -daystart -ctime -7 -ctime +0 >> $HAM
done
[ -s $HAM ] && sa-learn -p $PREFS --ham -f $HAM
rm $HAM

# Learn SPAM
for dir in /home/*/Maildir/$JUNK/{cur,new}; do
    find $dir -type f -daystart -ctime +0 >> $SPAM
    # Delete old spam (a week or older)
    find $dir -type f -daystart -ctime +6 >> $OLDSPAM
done
[ -s $SPAM ] && sa-learn -p $PREFS --spam -f $SPAM
rm $SPAM
[ -s $OLDSPAM ] && xargs rm < $OLDSPAM
rm $OLDSPAM

From garry at glendown.de Wed Aug 16 07:10:43 2006
From: garry at glendown.de (Garry Glendown)
Date: Wed Aug 16 07:09:42 2006
Subject: Filtering EBay Invoice spam
Message-ID: <44E2B6E3.9020101@glendown.de>

Many of our users have been hit with the ebay invoice spam/virus/worm mails. Though the attachment is filtered out nicely already, we were wondering if there is a way to block the whole mail?

Tnx, -gg

From michele at blacknight.ie Wed Aug 16 08:13:55 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Wed Aug 16 08:13:58 2006
Subject: Filtering EBay Invoice spam
In-Reply-To: <44E2B6E3.9020101@glendown.de>
References: <44E2B6E3.9020101@glendown.de>
Message-ID: <44E2C5B3.6030207@blacknight.ie>

Garry Glendown wrote:
> Many of our users have been hit with the ebay invoice spam/virus/worm
> mails.
Though the attachment is filtered out nicely already, we were
> wondering if there is a way to block the whole mail?
>
> Tnx, -gg

You could bump your SPF scores?

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From glenn.steen at gmail.com Wed Aug 16 08:31:43 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 16 08:31:47 2006
Subject: Specific From and To check rule
In-Reply-To: <44E231F7.1060203@nkpanama.com>
References: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION> <44E231F7.1060203@nkpanama.com>
Message-ID: <223f97700608160031k27f1cfe1qcc0959178f83daa6@mail.gmail.com>

On 15/08/06, Alex Neuman van der Hans wrote:
> Feasey, Nicholas wrote:
> > Forgive me if this has been discussed before...
> >
> > Is there a simple method in which MailScanner can be told to check the
> > From and the To address and, if it's from the same person, reject it.
> >
> > I want to stop those messages that state:
> >
> > From: @
> > To: @
> >
> > ...which are really annoying.
> >
> > N
> Create a ruleset:
> in %rules-dir%/spam.blacklist.rules
>
> FromOrTo: default no
> From:user1@domain.com and To:user1@domain.com yes
> ...
> ...
> ...
> From:user99@domain.com and To:user99@domain.com yes
>
> Sounds silly, and resource-wasteful, but it should get the job done, I
> think.

That should work splendidly, but... I handle this type of thing in the MTA, so that I can reject the message (not handling a bogus message is always better than accepting (the responsibility for it) and having to handle it).

You might not be able to do exactly this in your MTA (I use Postfix), but something similar... For example: I reject all mail with an envelope sender looking to be from our domain, and place that restriction so that the permit_mynetworks "restriction" overrides it. Then I also reject all unknown recipients.
Takes care of a lot, if not all, of these messages, since they can only send to real recipients in my domain but cannot claim to be sending it from that domain, unless the sender is really sending it from the allowed servers.

This might not work that well with roadrunners though:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Aug 16 09:09:45 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 16 09:10:21 2006
Subject: Wiki is sick...
In-Reply-To:
References:
Message-ID: <44E2D2C9.5030306@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have just had to tighten up our web server in response to an attempted hack last week. I'm working on this one...

James Gray wrote:
> Julian,
>
> Just a heads-up :)
>
> ------------------------------------------------------------------------
>
>
> Was digging around the MailScanner wiki today and kept getting errors
> like these at the top of every page:
>
> Writing
> /.automount/gaia/disk/export/ecsxlv3/www/sites/www.mailscanner/wiki/data/cache/9/93001a343a444afe4fce780010f46a7b.i
> failed
> Writing
> /.automount/gaia/disk/export/ecsxlv3/www/sites/www.mailscanner/wiki/data/cache/9/93001a343a444afe4fce780010f46a7b.xhtml
> failed
>
> Also attached screenshot.
>
> Cheers,
>
> James
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE4tLKEfZZRxQVtlQRAq4KAJ0RwusUAlKFF8qipstgT9K7OQcNhQCfcCRN
ggOLntIdTwgoz59aVoj4LBw=
=7aFx
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From tchamtieh at nayzak.com Wed Aug 16 09:42:38 2006
From: tchamtieh at nayzak.com (Thomas Chamtieh)
Date: Wed Aug 16 09:41:42 2006
Subject: MailScanner is not working
Message-ID: <9EF54EC4D23F874F9034C2A245622AC506E8BC@ad.hosting.farm>

Salam Anwar,

If you have problems in the future, email me.

Thanks,
-Thomas (Nazih)

________________________________________
Thomas Chamtieh
Senior Accounts Executive
Nayzak, Inc.
P.O. Box 997
Lake Forest, CA 92609
P: 877-520-8384
F: 949-707-1350
W: www.nayzak.com
E: tchamtieh@nayzak.com

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Anwar Sanusi
> Sent: Tuesday, August 15, 2006 3:09 AM
> To: MailScanner discussion
> Subject: Re: MailScanner is not working
>
> Martin Hepworth wrote:
>
> > Anwar Sanusi wrote:
> >
> >> Martin Hepworth wrote:
> >>
> >>> Anwar Sanusi wrote:
> >>>
> >>>> Dear All,
> >>>>
> >>>> Please help me to fix my problem.
> >>>> We can not send or receive email because our email just stay at
> >>>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how
> >>>> to solve this problem ?
> >>>>
> >>>> Thanks & regards
> >>>> anwar
> >>>>
> >>> Anything in the maillog file to indicate any problems..
> >>>
> >>> have you run MailScanner in Debug mode to see if there are any
> >>> problems showing there?
> >>>
> >> i am newcomer in Linux and Mail server ? can you advise where i can
> >> see maillog file ?
> >> and how to run debug mode ?
> >> thks for your advise
> >> Anwar
> >>
> >>
> > Hi
> >
> > Normally it's in /var/log/maillog
> >
> > for debug mode, stop mailscanner, edit the MailScanner.conf and change
> > BOTH debug options to 'yes' then run check_mailscanner.
> >
> > this output can be quite large and you may have to search the output
> > quite carefully for any problems.
> >
> Thanks all our problem is seemly solved
>

From michele at blacknight.ie Wed Aug 16 10:21:02 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions)
Date: Wed Aug 16 10:21:10 2006
Subject: Wiki is sick...
In-Reply-To: <44E2D2C9.5030306@ecs.soton.ac.uk>
Message-ID: <027d01c6c115$4e2a0b10$88c5c657@arthur>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have just had to tighten up our web server in response to an
> attempted hack last week. I'm working on this one...

Maybe it would be time to move to a nicer wiki system ? :)

Michele - who has always hated Julian's choice of wiki software

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From P.G.M.Peters at utwente.nl Wed Aug 16 10:26:15 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 16 10:26:26 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com>
References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com>
Message-ID: <44E2E4B7.6020900@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote on 15-8-2006 14:39:

> If you have a site license for a commercial AV, you might be entitled
> to download/use/update their *nix product too. This is true for at
> least McAfee.

We do. But we explicitly have decided against using that on our main servers. It is already running on the clients and Exchange.
I want to use another scanner to protect from mistakes that might show up on one of the scanners. It will be picked up by the other scanners.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4uS3elLo80lrIdIRAqjHAJ9Tg7fzX0dfUATd0jbTCprvd+htrQCgi+gc
hYmMVk9BH0J0StA5G0fyWoc=
=D3VN
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Wed Aug 16 10:35:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 16 10:35:18 2006
Subject: Wiki is sick...
In-Reply-To: <027d01c6c115$4e2a0b10$88c5c657@arthur>
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur>
Message-ID: <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com>

On 16/08/06, Michele Neylon :: Blacknight Solutions wrote:
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > We have just had to tighten up our web server in response to an
> > attempted hack last week. I'm working on this one...
>
> Maybe it would be time to move to a nicer wiki system ? :)
>
> Michele - who has always hated Julian's choice of wiki software
>
And go through the conversion process again, just for the fun of it?
Sure, it should be relatively trivial to script for most tags, but.....
:-)
Count my vote against switching away from DW;)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Wed Aug 16 10:46:43 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Aug 16 10:47:20 2006
Subject: OT - Multiple Virus Scanners
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6ABBF@isabella.herefordshire.gov.uk>

Peter Peters wrote:
> Glenn Steen wrote on 15-8-2006 14:39:
>
> > If you have a site license for a commercial AV, you might be entitled
> > to download/use/update their *nix product too. This is true for at
> > least McAfee.
>
> We do. But we explicitly have decided against using that on our main
> servers. It is already running on the clients and Exchange. I want to
> use another scanner to protect from mistakes that might show up on one
> of the scanners. It will be picked up by the other scanners.

I don't think that's the best strategy.

We use McAfee corporately, and I run their uvscan on our MailScanner box too, for one simple reason. If one of the email servers or desktop PCs starts screaming about a virus, I can be very confident that it hasn't got in via email, and has thus probably come in via the web or an infected laptop.

Block as much as possible at the border.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From glenn.steen at gmail.com Wed Aug 16 10:49:21 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 16 10:49:24 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <44E2E4B7.6020900@utwente.nl>
References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <44E2E4B7.6020900@utwente.nl>
Message-ID: <223f97700608160249t5ff7f24dk54601530beca7e11@mail.gmail.com>

On 16/08/06, Peter Peters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote on 15-8-2006 14:39:
>
> > If you have a site license for a commercial AV, you might be entitled
> > to download/use/update their *nix product too. This is true for at
> > least McAfee.
>
> We do. But we explicitly have decided against using that on our main
> servers. It is already running on the clients and Exchange. I want to
> use another scanner to protect from mistakes that might show up on one
> of the scanners. It will be picked up by the other scanners.
>
Oh yes, very true. But if you (as we have had in the past) have a somewhat quirky GSE that sometimes fails to get updated, and have the resources to spare, on the gateway.... Then adding it into the mix isn't a bad idea either.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Wed Aug 16 10:53:08 2006
From: res at ausics.net (Res)
Date: Wed Aug 16 10:53:23 2006
Subject: Wiki is sick...
In-Reply-To: <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com>
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com>
Message-ID:

On Wed, 16 Aug 2006, Glenn Steen wrote:

> On 16/08/06, Michele Neylon :: Blacknight Solutions
> wrote:
>> Julian Field wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > We have just had to tighten up our web server in response to an
>> > attempted hack last week. I'm working on this one...
>>
>> Maybe it would be time to move to a nicer wiki system ? :)
>>
>> Michele - who has always hated Julian's choice of wiki software
>>
> And go through the conversion process again, just for the fun of it?
> Sure, it should be relatively trivial to script for most tags, but..... :-)
> Count my vote against switching away from DW;)

my vote is for anything that works faster, it's painful waiting as long as we do, and it's always been that way, I recall 386's responding faster

>
> --

Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From Andreas.Doerfler at kempten.de Wed Aug 16 12:10:35 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Wed Aug 16 12:10:59 2006
Subject: Wiki is sick...
Message-ID:

dokuwiki is the best

1-10. commandment:

dont have any other wiki beside to it

> Maybe it would be time to move to a nicer wiki system ? :)

From glenn.steen at gmail.com Wed Aug 16 12:11:05 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 16 12:11:09 2006
Subject: Wiki is sick...
In-Reply-To:
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com>
Message-ID: <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com>

On 16/08/06, Res wrote:
> On Wed, 16 Aug 2006, Glenn Steen wrote:
>
> > On 16/08/06, Michele Neylon :: Blacknight Solutions
> > wrote:
> >> Julian Field wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> > We have just had to tighten up our web server in response to an
> >> > attempted hack last week. I'm working on this one...
> >>
> >> Maybe it would be time to move to a nicer wiki system ? :)
> >>
> >> Michele - who has always hated Julian's choice of wiki software
> >>
> > And go through the conversion process again, just for the fun of it?
> > Sure, it should be relatively trivial to script for most tags, but..... :-)
> > Count my vote against switching away from DW;)
>
>
> my vote is for anything that works faster, it's painful waiting as long as
> we do, and it's always been that way, I recall 386's responding faster
>
:-)
IMO, most wikis are quite slow. Especially if they are more ... "featureful" (tikiwiki comes to mind). And most rely on a database, which DW doesn't. A case of choosing between the plague and cholera... I say stay with the sickness you know:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Wed Aug 16 12:45:48 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Aug 16 12:50:02 2006
Subject: Wiki is sick...
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6AC0F@isabella.herefordshire.gov.uk>

Dörfler Andreas wrote:
> dokuwiki is the best
>
> 1-10. commandment:
>
> dont have any other wiki beside to it

I'm rather fond of PmWiki, myself.

But it's Julian's call, not ours.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From campbell at cnpapers.com Wed Aug 16 13:26:11 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Aug 16 13:26:42 2006
Subject: MailScanner load
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com>
Message-ID: <000e01c6c12f$28f4e6c0$0705000a@DDF5DW71>

----- Original Message -----
From: "Alex Neuman van der Hans"
To: "MailScanner discussion"
Sent: Tuesday, August 15, 2006 4:41 PM
Subject: Re: MailScanner load

> You *do* know that MailScanner causes swap, don't you? ;-)

When did this start happening????????

Steve

>
> Rob Poe wrote:
>> What's your swap utilization? 1gig of ram using tempfs and MailScanner
>> sounds like too little ram...
>>
>>
>>
>>>>> "Jeremy Blonde" 8/15/2006 1:26 PM
>>>>>
>> I've been wanting to use Bayes for our mailscanner system, but I'm
>> wondering now if the overhead is worth it. We have a new mailscanner
>> box running with Postfix (under Gentoo Linux) and it works pretty well,
>> we're filtering between 75-80% of our mail as spam. The box however, is
>> hammered, it's running around 5-6 with spikes to 8-9. I've just turned
>> off bayes and I'll see how the load is once it's processed all the back
>> logged messages. We're averaging about 15,000-20,000 messages a day
>> (probably more once the school year starts). Mailscanner is running on
>> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives.
>>
>> Is that normal for using bayes with mailscanner or do I need to tweak
>> some things?
>>
>> (I'm already using tmpfs for a little bit of a speed up).
>>
>> Jeremy Blonde
>> Instructional Technology - Server Support
>> Grant Joint Union School District
>

From chris at tac.esi.net Wed Aug 16 13:30:13 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Wed Aug 16 13:30:31 2006
Subject: Stopping messages with the "Re: ??" Subject
In-Reply-To: <811D6493-85B1-459F-8218-CDD0084E815B@grayonline.id.au>
References: <44E25862.B662.0038.0@tac.esi.net> <811D6493-85B1-459F-8218-CDD0084E815B@grayonline.id.au>
Message-ID: <44E2D7F0.B662.0038.0@tac.esi.net>

Thanks James. That was the ticket. It is working like a champ.

Thanks!!
Chris

>>> James Gray 08/16/06 12:23 AM >>>

On 16/08/2006, at 1:27 PM, Chris Hammond wrote:

> The MailScanner server that I maintain gets hit with 3k-5k of
> these messages a day. They are all spam and the subject is in the
> form of the Re: with a space and two letters. The first letter can
> be any from a to z, while the second letter is either a e i o u or
> y. I created the following rule as a Postfix header check as I
> want to flat out reject these messages.
>
> /^Subject: (Re: [a-z][aeiouy])/ REJECT Spam 30-25. - First attempt
> /^Subject: Re: [a-z][aeiouy]/ REJECT Spam 30-25. - Second attempt
> /^Subject: (Re:) [a-z][aeiouy]/ REJECT Spam 30-25. - Third attempt
>
> The problem that I am having is that it doesn't stop after the two
> letters. If a word after Re: that matches one of the two letter
> combinations comes up, it fires on that also.
What am I doing
> wrong with the rule. I only want it to fire on the Re: and the two
> letters. Nothing more.
>
> Thanks
> Chris

Have you tried anchoring the regex to match the end of the line:

/^Subject: Re: [a-z][aeiouy]$/ REJECT Spam 30-25

Or maybe even anchor after an arbitrary amount of white space (and only white space):

/^Subject: Re: [a-z][aeiouy]\s*$/ REJECT Spam 30-25

"$" is a special character in both POSIX and Perl regex which means "end of line". Maybe that will help?

Cheers,

James

From bbecken at aafp.org Wed Aug 16 14:25:35 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Aug 16 14:25:54 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To:
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <44E1E3F4.D87E.0068.3@aafp.org>
Message-ID: <44E2D67E.D87E.0068.3@aafp.org>

>>>> ssilva@sgvwater.com 8/15/2006 3:59 PM >>>
>Brad Beckenhauer spake the following on 8/15/2006 1:10 PM:
>>>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>>
>>> Hi,
>>>
>>> I was just wondering what peoples opinions were on running multiple virus
>>> scanners with MailScanner. I'm currently only running ClamAV, and I was
>>> thinking about running one or two more.
>>> Could someone recommend what other scanner/s to use? My main concern is
>>> system resources. I would like something that doesn't load up the server too
>>> much more as ClamAV is quite light on resources from my experience with it.
>>> - Jon
>>
>> Which of these Anti-virus products can run headless without any X or
>> GUI installed?
>MailScanner uses the command-line version of anti-virus products, so all of
>them if they still sell or have a command-line version available.

What I'm finding is that some of the A/V products (Norman for example) require a GUI if you want to use the exclusion list. It appears that Norman also needs the GUI to enter the License key (They mention a command line way to install the key, but have not offered it up yet).
BTW: Does anyone have the command line option for installing the Norman license key? I have a valid/legal key.

thanks

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From akostocker at gmail.com Wed Aug 16 14:51:25 2006
From: akostocker at gmail.com (Tony Stocker)
Date: Wed Aug 16 14:51:30 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To:
References: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com>
Message-ID: <7801ad8f0608160651u4c03d8d6m7277b5a9206fc2ef@mail.gmail.com>

On 8/15/06, Kevin Miller wrote:
> > I have in the spam.whitelist.rules file:
> >
> > From: 197.100.235. yes
>
> Toss in this line for good measure too:
>
> From: 127.0.0. yes

Okay, I've added that line.

> What else is in spam.whitelist.rules? I.e., do you have a default entry
> as the *last* line? It should be:
>
> FromOrTo: default no

I do have this line, other than the two lines mentioned above I have nothing else in this file.

> In MailScanner.conf do you have the following line?
>
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

Yes, I do have this.

> HTH...

Me too! :)

Thanks for the ideas!

Tony

From mkellermann at net-com.de Wed Aug 16 15:53:43 2006
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Wed Aug 16 15:53:34 2006
Subject: Problem with X-headers displayed in body
Message-ID: <44E33177.7050809@net-com.de>

no not spam (whitelisted), SpamAssassin (Wertung=3.701, benoetigt 6,
RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99)
X-net-Com-AG-MailScanner-From: mkellermann@net-com.de

Hello,

I've setup MailScanner on a Debian box with Postfix as MTA.
Everything works great except the header tagging of emails.

Some Email clients display parts of the x-headers in the message.
The full x-header added by MailScanner of an email that is not spam:

X-net-Com-AG-MailScanner: Found to be clean
no not spam (whitelisted), SpamAssassin (Wertung=3.791, benoetigt 6,
RCVD_IN_NJABL_DUL 1.71, SPF_HELO_SOFTFAIL 2.08)
X-net-Com-AG-MailScanner-From: someone@somewhere.de

The x-header added by MailScanner of a spam mail:

X-net-Com-AG-MailScanner: Found to be clean
no spam, SpamAssassin (Wertung=17.321, benoetigt 6, HELO_DYNAMIC_DHCP 2.66,
HTML_IMAGE_ONLY_08 2.44, HTML_MESSAGE 0.00,
HTML_SHORT_LINK_IMG_1 0.28, MIME_HTML_MOSTLY 0.70,
MPART_ALT_DIFF 0.14, URIBL_JP_SURBL 3.36, URIBL_OB_SURBL 2.62,
URIBL_SC_SURBL 3.60, URIBL_WS_SURBL 1.53)
X-net-Com-AG-MailScanner-SpamScore: sssssssssssssssss
X-net-Com-AG-MailScanner-From: miranda@shinbiro.com

I think the problem is the part "no spam" or "no not spam" because there is no X- in front of it.
How can i fix the header so all email clients display the message correctly?

Thanks in advance.

Best regards,
Matthias

From Denis.Beauchemin at USherbrooke.ca Wed Aug 16 16:02:28 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Aug 16 16:02:47 2006
Subject: Problem with X-headers displayed in body
In-Reply-To: <44E33177.7050809@net-com.de>
References: <44E33177.7050809@net-com.de>
Message-ID: <44E33384.6050507@USherbrooke.ca>

Matthias Kellermann wrote:
> no not spam (whitelisted), SpamAssassin (Wertung=3.701, benoetigt 6,
> RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99)
> X-net-Com-AG-MailScanner-From: mkellermann@net-com.de
>
> Hello,
>
> I've setup MailScanner on a Debian box with Postfix as MTA.
> Everything works great except the header tagging of emails.
>
> Some Email clients display parts of the x-headers in the message.
> The full x-header added by MailScanner of an email that is not spam:
>
> X-net-Com-AG-MailScanner: Found to be clean
> no not spam (whitelisted), SpamAssassin (Wertung=3.791, benoetigt 6,
> RCVD_IN_NJABL_DUL 1.71, SPF_HELO_SOFTFAIL 2.08)
> X-net-Com-AG-MailScanner-From: someone@somewhere.de
>
> The x-header added by MailScanner of a spam mail:
>
> X-net-Com-AG-MailScanner: Found to be clean
> no spam, SpamAssassin (Wertung=17.321, benoetigt 6, HELO_DYNAMIC_DHCP 2.66,
> HTML_IMAGE_ONLY_08 2.44, HTML_MESSAGE 0.00,
> HTML_SHORT_LINK_IMG_1 0.28, MIME_HTML_MOSTLY 0.70,
> MPART_ALT_DIFF 0.14, URIBL_JP_SURBL 3.36, URIBL_OB_SURBL 2.62,
> URIBL_SC_SURBL 3.60, URIBL_WS_SURBL 1.53)
> X-net-Com-AG-MailScanner-SpamScore: sssssssssssssssss
> X-net-Com-AG-MailScanner-From: miranda@shinbiro.com
>
> I think the problem is the part "no spam" or "no not spam" because
> there is no X- in front of it.
> How can i fix the header so all email clients display the message
> correctly?
>
> Thanks in advance.
>
> Best regards,
> Matthias

Matthias,

What do you have in MailScanner.conf for:
Spam Header =

You should have a X- something in there.

Denis

--
 _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x2252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3226 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060816/6211b906/smime.bin

From alex at nkpanama.com Wed Aug 16 16:14:12 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 16 16:14:30 2006
Subject: Specific From and To check rule
In-Reply-To: <223f97700608160031k27f1cfe1qcc0959178f83daa6@mail.gmail.com>
References: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION> <44E231F7.1060203@nkpanama.com> <223f97700608160031k27f1cfe1qcc0959178f83daa6@mail.gmail.com>
Message-ID: <44E33644.5030504@nkpanama.com>

Glenn Steen wrote:
> This might not work that well with roadrunners though:-)

Unless they happen to log in from within a VPN, which is a good thing when you can have it.

From uxbod at splatnix.net Wed Aug 16 16:16:57 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Aug 16 16:17:10 2006
Subject: New Installation @ Work
Message-ID: <7d5ab205921ba931f58d1777f2a32be1@localhost>

Hi,

I have just started a six month contract for a company, and after discussions with the other sys admin we have decided to run a POC to replace the current anti-viri/spam appliance with MailScanner.

What I would be grateful with some help on is how I can create a second stream of the company's email to MailScanner from the existing SendMail installation so that we can see how it performs, without affecting the current mail implementation. I have heard that there is a milter which will allow this, but are there any other methods.

We can then use the results to form part of the business case, and hopefully get a full solution implemented.

Cheers,

--[ UxBoD ]--

// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From rob at dido.ca Wed Aug 16 16:22:27 2006
From: rob at dido.ca (Rob Morin)
Date: Wed Aug 16 16:22:33 2006
Subject: Mail Queue monitor?
Message-ID: <44E33833.1080007@dido.ca>

Is there a script i can use to monitor the mail queue on my postfix system, and if it's over a certain amount email me or page me....

So every 5 or 10 mins this script would run and if the email in the queue is over 100 send an email to a pager...

I guess i would have to run this command from an external machine via ssh as i figure if i run it locally and the queue is big i would never get the email?

:)

Thanks...

--

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From lshaw at emitinc.com Wed Aug 16 16:42:10 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Aug 16 16:42:20 2006
Subject: Filtering EBay Invoice spam
In-Reply-To: <44E2B6E3.9020101@glendown.de>
References: <44E2B6E3.9020101@glendown.de>
Message-ID:

On Wed, 16 Aug 2006, Garry Glendown wrote:

> Many of our users have been hit with the ebay invoice spam/virus/worm mails.
> Though the attachment is filtered out nicely already, we were wondering if
> there is a way to block the whole mail?

I find that clamav does a good job of catching lots of bank-related phishing e-mails. We don't get many of the eBay ones, but I wouldn't be surprised if it is also pretty effective at blocking those well.

- Logan

From daniel.maher at ubisoft.com Wed Aug 16 16:54:49 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Aug 16 16:54:53 2006
Subject: Mail Queue monitor?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0E9@UBIMAIL1.ubisoft.org> If you've already got SNMP deployed, you can query it using any number of open source network monitoring tools (such as Nagios or Big Brother). In order to obtain the result in the first place, though, you'll need a script to generate a number that SNMP can report. Consider the attached script, in fact, which can check either the "hold" or "incoming" queues, as you like. -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: August 16, 2006 11:22 AM > To: MailScanner discussion > Subject: Mail Queue monitor? > > Is ther a script i can use to monitor teh mail queue on my postfix > system, and i fits over a certain amount email me or page me.... > > So every 5 or 10 mins this script would run and if the email in the > queue is over 100 send an email to a pager... > > I guess i would have to run this command from an external machine via > ssh as i figure if i run it locally and the queue is big i would never > get the email? > > :) > > Thanks... > > -- > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: snmp-checkqueues.sh Type: application/octet-stream Size: 442 bytes Desc: snmp-checkqueues.sh Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060816/ba0af640/snmp-checkqueues.obj From steve.swaney at fsl.com Wed Aug 16 16:56:11 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 16 16:56:14 2006 Subject: New Installation @ Work In-Reply-To: <7d5ab205921ba931f58d1777f2a32be1@localhost> Message-ID: <237b01c6c14c$7f016170$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]-- > Sent: Wednesday, August 16, 2006 11:17 AM > To: mailscanner@lists.mailscanner.info > Subject: New Installation @ Work > > Hi, > > I have just started a six month contract for a company, and after > discussions with the other sys admin we have decided to run a POC to > replace the current anti-viri/spam appliance with MailScanner. > > What I would be grateful with some help on is how I can create a second > stream of the companies email to MailScanner from the existing SendMail > installation so that we can see how it performs, without effecting the > current mail implementation. I have heard that there is a milter which > will allow this, but are there any other methods. > > We can then use the results to form part of the business case, and > hopefully get a full solution implemented. > > Cheers, > > --[ UxBoD ]-- > Just the tool, Anthony Howe's Roundhouse: http://www.snertsoft.com/sendmail/roundhouse/ This is an SMTP multiplexer, which takes the input from an SMTP client connection and copies it to one or more SMTP servers. Intended as means to debug and test different mail server configurations using a production mail server's live data stream. And it's free :). Take a look at the milter while you're there. You should consider: Milter-ahead (90?
for site license and free updates) Milter-link (Free) Milter-gris (Free) I hope this helps, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From rob at dido.ca Wed Aug 16 17:02:54 2006 From: rob at dido.ca (Rob Morin) Date: Wed Aug 16 17:02:58 2006 Subject: Mail Queue monitor? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0E9@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0E9@UBIMAIL1.ubisoft.org> Message-ID: <44E341AE.3050001@dido.ca> Thats a cool script, however i wanted to NOT use Nagios and such, as i need to run this on a remote machine, as Nagios uses my mailserver to send email, if mail is backed up i will not get the alert.... so i figure i have a secondary email server that i would run an ssh command and check the queue on the primary, if it does not respond or is high i would then email to a pager on that remote machine that the queue is high... am i confusing anyone yet? :) Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Daniel Maher wrote: > If you've already got SNMP deployed, you can query it using any number of open source network monitoring tools (such as Nagios or Big Brother). > > In order to obtain the result in the first place, though, you'll need a script to generate a number that SNMP can report. Consider the attached script, in fact, which can check either the "hold" or "incoming" queues, as you like. > > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >> Sent: August 16, 2006 11:22 AM >> To: MailScanner discussion >> Subject: Mail Queue monitor? >> >> Is ther a script i can use to monitor teh mail queue on my postfix >> system, and i fits over a certain amount email me or page me.... 
>> >> So every 5 or 10 mins this script would run and if the email in the >> queue is over 100 send an email to a pager... >> >> I guess i would have to run this command from an external machine via >> ssh as i figure if i run it locally and the queue is big i would never >> get the email? >> >> :) >> >> Thanks... >> >> -- >> >> Rob Morin >> Dido InterNet Inc. >> Montreal, Canada >> Http://www.dido.ca >> 514-990-4444 >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > From mikea at mikea.ath.cx Wed Aug 16 17:29:58 2006 From: mikea at mikea.ath.cx (mikea) Date: Wed Aug 16 17:30:05 2006 Subject: Mail Queue monitor? In-Reply-To: <44E33833.1080007@dido.ca>; from rob@dido.ca on Wed, Aug 16, 2006 at 11:22:27AM -0400 References: <44E33833.1080007@dido.ca> Message-ID: <20060816112958.C8422@mikea.ath.cx> On Wed, Aug 16, 2006 at 11:22:27AM -0400, Rob Morin wrote: > Is ther a script i can use to monitor teh mail queue on my postfix > system, and i fits over a certain amount email me or page me.... > > So every 5 or 10 mins this script would run and if the email in the > queue is over 100 send an email to a pager... > > I guess i would have to run this command from an external machine via > ssh as i figure if i run it locally and the queue is big i would never > get the email? : #! 
/bin/sh : # : # mq - display inbound and outbound mail queue once : # : echo inbound queue : sudo sendmail -v -bp -OQueueDirectory=/var/spool/mqueue.in : echo ======================== : echo outbound queue : sudo mailq -v You'll get lots of entries like this: k7BIfApo069090 470102 Fri Aug 11 13:41 References: <1E293D3FF63A3740B10AD5AAD88535D20226D0E9@UBIMAIL1.ubisoft.org> <44E341AE.3050001@dido.ca> Message-ID: <44E34A28.5040001@pixelhammer.com> Rob Morin wrote: > Thats a cool script, however i wanted to NOT use Nagios and such, as i > need to run this on a remote machine, as Nagios uses my mailserver to > send email, if mail is backed up i will not get the alert.... so i > figure i have a secondary email server that i would run an ssh command > and check the queue on the primary, if it does not respond or is high i > would then email to a pager on that remote machine that the queue is > high... > > am i confusing anyone yet? > > :) We had the same issue, only we didn't see it coming as you have so my mail went down and I got the pages afterward ;^) We now have Nagios set to email a notification normally, and send a page to our third party paging service directly. So if the mail servers fail to respond again, I'll get the page immediately and the notification email after the fact. (Only because I don't have a seperate group for email servers). DAve > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Daniel Maher wrote: >> If you've already got SNMP deployed, you can query it using any number >> of open source network monitoring tools (such as Nagios or Big Brother). >> >> In order to obtain the result in the first place, though, you'll need >> a script to generate a number that SNMP can report. Consider the >> attached script, in fact, which can check either the "hold" or >> "incoming" queues, as you like. >> >> >> -- >> _ >> ?v? 
Daniel Maher >> /(_)\ Administrateur Syst?me Unix >> ^ ^ Unix System Administrator >> >> Sentio aliquos togatos contra me conspirare. >> >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >>> Sent: August 16, 2006 11:22 AM >>> To: MailScanner discussion >>> Subject: Mail Queue monitor? >>> >>> Is ther a script i can use to monitor teh mail queue on my postfix >>> system, and i fits over a certain amount email me or page me.... >>> >>> So every 5 or 10 mins this script would run and if the email in the >>> queue is over 100 send an email to a pager... >>> >>> I guess i would have to run this command from an external machine via >>> ssh as i figure if i run it locally and the queue is big i would never >>> get the email? >>> >>> :) >>> >>> Thanks... -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Wed Aug 16 17:41:05 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 16 17:42:26 2006 Subject: Rul set for Spam Subject Text ??? In-Reply-To: References: <20060814093054.87090.qmail@web54402.mail.yahoo.com> Message-ID: Dennis Willson spake the following on 8/15/2006 4:15 PM: > If you're not going to mark the email, why scan it at all? Why not make > a rule that skips scanning for that one domain? Not only will it not get > marked, but it will reduce server load (maybe not much, but every little > bit helps). > But maybe the user does want high scoring spam stopped, but just doesn't want to have the subjects modified. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
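The remote check Rob Morin describes in the "Mail Queue monitor?" thread above (a second host polls the primary over ssh and pages when the queue is over 100 or the primary does not answer), as an added example that is not code from any poster in this archive. The host name argument, the PAGER address, the forced-command key line and the sample queue listing are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the list): poll a primary Postfix server's queue
# from a second host and page through the second host's own MTA, so a
# backed-up primary cannot swallow its own alert.
#
# Least privilege: bind the monitoring key to one command in the primary's
# authorized_keys (assumed layout):
#   command="/usr/sbin/postqueue -p",no-pty,no-port-forwarding <public key>

THRESHOLD=${THRESHOLD:-100}             # "over 100" is the figure from the thread
PAGER=${PAGER:-pager@example.invalid}   # placeholder address (assumption)

# queue_count: read `postqueue -p` output on stdin and print the number of
# queued messages. Returns 1 and prints nothing when the summary line is
# missing, which also covers a listing cut off by a dropped connection.
queue_count() {
    awk '
        /^Mail queue is empty/                    { n = 0;  found = 1 }
        /^-- [0-9]+ Kbytes in [0-9]+ Requests?\./ { n = $5; found = 1 }
        END { if (found) print n; else exit 1 }
    '
}

# queue_state COUNT LIMIT: classify a count; an empty or non-numeric count
# means the primary gave no usable answer.
queue_state() {
    count=$1
    limit=$2
    case $count in
        ''|*[!0-9]*) echo UNREACHABLE ;;
        *) if [ "$count" -gt "$limit" ]; then echo HIGH; else echo OK; fi ;;
    esac
}

# check_remote_queue HOST: BatchMode stops ssh from prompting under cron,
# ConnectTimeout turns a hung primary into "no answer" instead of a stuck job.
check_remote_queue() {
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=15 "$1" postqueue -p 2>/dev/null) || out=''
    count=$(printf '%s\n' "$out" | queue_count) || count=''
    queue_state "$count" "$THRESHOLD"
}

# Constructed sample of `postqueue -p` output, used when no host is given.
SAMPLE_BUSY='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5      2048 Wed Aug 16 11:22:27  sender@example.invalid
                                         rcpt@example.invalid

-- 312 Kbytes in 143 Requests.'

if [ -n "${1:-}" ]; then
    # Cron use on the secondary, every 5 or 10 minutes: queuewatch.sh <primary host>
    state=$(check_remote_queue "$1")
    if [ "$state" != OK ]; then
        echo "Postfix queue on $1 is $state (limit $THRESHOLD)" |
            mail -s "mail queue $state: $1" "$PAGER"
    fi
else
    count=$(printf '%s\n' "$SAMPLE_BUSY" | queue_count)
    echo "sample: $count queued -> $(queue_state "$count" "$THRESHOLD")"
fi
```
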
From ssilva at sgvwater.com Wed Aug 16 17:52:30 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 16 17:53:48 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <44E2E4B7.6020900@utwente.nl> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <44E2E4B7.6020900@utwente.nl> Message-ID: Peter Peters spake the following on 8/16/2006 2:26 AM: > Glenn Steen wrote on 15-8-2006 14:39: > >>> If you have a site license for a commercial AV, you might be entiteled >>> to download/use/update their *nix priduct too. This is true for at >>> least McAfee. > > We do. But we explicitly have decided against using that on our main > servers. It is already running on the clients and Exchange. I want to > use another scanner to protect from mistakes that might show up on one > of the scanners. It will be picked up by the other scanners. > > -- > Peter Peters, senior beheerder (Security) > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe But MailScanner updates the virus scanners every hour, and your desktops probably only check once a day or even less often. That extra few hours can make a LOT of difference on the zero day of a new virus. I have McAfee on the gateway and on the desktops (along with Bitdefender and clam-av) and one of them will always start hitting a new virus before the rest catch up. Think of multiple virus scanners as having a backup parachute. The day you need it, you will be glad it was there. Even bitdefender, which isn't the best scanner, has saved the day with some new threat. And the load from virus scanning is much less than the load from spamassassin. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Wed Aug 16 17:59:37 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 16 17:59:56 2006 Subject: Wiki is sick... In-Reply-To: <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/16/2006 4:11 AM: > On 16/08/06, Res wrote: >> On Wed, 16 Aug 2006, Glenn Steen wrote: >> >> > On 16/08/06, Michele Neylon :: Blacknight Solutions >> > wrote: >> >> Julian Field wrote: >> >> > -----BEGIN PGP SIGNED MESSAGE----- >> >> > Hash: SHA1 >> >> > >> >> > We have just had to tighten up our web server in response to an >> >> > attempted hack last week. I'm working on this one... >> >> >> >> Maybe it would be time to move to a nicer wiki system ? :) >> >> >> >> Michele - who has always hated Julian's choice of wiki software >> >> >> > And go through the conversion process again, just for the fun of it? >> > Sure, it should be relatively trivial to script for most tags, >> but..... :-) >> > Count my vote against switching away from DW;) >> >> >> my vote is for anything that works faster, its painfull waiting as >> long as >> we do, and its always been that way, I recall 386's responding faster >> > :-) > IMO, most wikis are quite slow. Especially if they are more ... > "featureful" (tikiwiki comes to mind). And most relies on a database, > which DW doesn't. A case of choosing between the plague and cholera... > I say stay with the sickness you know:-) > I choose hangover! ;-) Not fun to have, more fun to get, but you only WISH you died from it! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Wed Aug 16 18:06:33 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 16 18:07:02 2006 Subject: Filtering EBay Invoice spam In-Reply-To: References: <44E2B6E3.9020101@glendown.de> Message-ID: Logan Shaw spake the following on 8/16/2006 8:42 AM: > On Wed, 16 Aug 2006, Garry Glendown wrote: >> Many of our users have been hit with the ebay invoice spam/virus/worm >> mails. Though the attachment is filtered out nicely already, we were >> wondering if there is a way to block the whole mail? > > I find that clamav does a good job of catching lots of > bank-related phishing e-mails. We don't get many of the > eBay ones, but I wouldn't be surprised if it is also pretty > effective at blocking those well. > > - Logan It hits them just as well! Are you using a distributed checksum system like DCC or Razor? I hit the first few with clam-av, and then as they get reported, the rest get stopped with DCC and razor scores. Until they re-tool and re-run their crap-flingers, then clam hits them again. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dave.list at pixelhammer.com Wed Aug 16 18:20:35 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 16 18:21:05 2006 Subject: Fraud and Phishing detection Message-ID: <44E353E3.2010708@pixelhammer.com> I have looked through the wiki and the website. I found http://www.mailscanner.info/support.html#phishing but nothing more. Can anyone tell the rules/logic used for detecting Fraud and Phishing attempts in a message? Or is this a read the source moment? Thanks, DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From michele at blacknight.ie Wed Aug 16 18:41:23 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Wed Aug 16 18:41:37 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E353E3.2010708@pixelhammer.com> References: <44E353E3.2010708@pixelhammer.com> Message-ID: <44E358C3.7080507@blacknight.ie> DAve wrote: > I have looked through the wiki and the website. I found > http://www.mailscanner.info/support.html#phishing but nothing more. > > Can anyone tell the rules/logic used for detecting Fraud and Phishing > attempts in a message? Or is this a read the source moment? > > Thanks, > > DAve If you enable it and watch what it does to a phishing email it'll make more sense :) -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From mailscanner at ecs.soton.ac.uk Wed Aug 16 19:19:20 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 19:19:31 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <223f97700608160249t5ff7f24dk54601530beca7e11@mail.gmail.com> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <44E2E4B7.6020900@utwente.nl> <223f97700608160249t5ff7f24dk54601530beca7e11@mail.gmail.com> Message-ID: <44E361A8.9060104@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 16/08/06, Peter Peters wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote on 15-8-2006 14:39: >> >> > If you have a site license for a commercial AV, you might be entiteled >> > to download/use/update their *nix priduct too. This is true for at >> > least McAfee. >> >> We do. But we explicitly have decided against using that on our main >> servers. It is already running on the clients and Exchange. 
I want to >> use another scanner to protect from mistakes that might show up on one >> of the scanners. It will be picked up by the other scanners. >> > Oh yes, very true. > But if you (as we have had in the past) have a somewhat quirky GSE > that sometime fail to get updated, and have the resources to spare, on > the gateway.... Then adding it into the mix isn't a bad idea either. As you might imagine, I have a PC with rather a lot of viruses on it, for testing stuff, and all sorts of virus-laden email. A lot of the time, I don't use any anti-virus software at all, as it just gets in the way. But when I do, I use different software (F-Prot) than the one we have a site licence for (Sophos). I think running different AV on the gateway from what you run on the desktop (if you are limited by financial constraints, and cannot run 3 on the gateway) is a very good idea. If Sophos is a bit late in getting the detector update for the latest new worm, then you don't want all your layers of protection failing together. If you run the same software everywhere, it will all fail at the same time, demolishing your defences. You want multiple, different, layers of defence. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE42GqEfZZRxQVtlQRAqJ/AJ0Y7sn5GST7HqrvvKNkGigYNXn3iQCg2rWV d0bN6ahADXrstJaj15DMyCM= =O17n -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 16 19:23:24 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 19:23:31 2006 Subject: Wiki is sick... In-Reply-To: References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> Message-ID: <44E3629C.2070908@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote: > On Wed, 16 Aug 2006, Glenn Steen wrote: > >> On 16/08/06, Michele Neylon :: Blacknight Solutions >> wrote: >>> Julian Field wrote: >>> > -----BEGIN PGP SIGNED MESSAGE----- >>> > Hash: SHA1 >>> > >>> > We have just had to tighten up our web server in response to an >>> > attempted hack last week. I'm working on this one... >>> >>> Maybe it would be time to move to a nicer wiki system ? :) >>> >>> Michele - who has always hated Julian's choice of wiki software >>> >> And go through the conversion process again, just for the fun of it? >> Sure, it should be relatively trivial to script for most tags, >> but..... :-) >> Count my vote against switching away from DW;) > > > my vote is for anything that works faster, its painfull waiting as long > as we do, and its always been that way, I recall 386's responding faster We have been having major load problems on our web servers recently. We are about to split them out into clusters so performance should improve. For a world-leading department, our web service is pretty crap at the moment. Many thanks for Blacknight Solutions (www.blacknightsolutions.com) and Michele for hosting www.mailscanner.info along with all my other domains, except for wiki.mailscanner.info. If any Docuwiki experts out there want to tell me how to move the entire wiki and all its contents onto a new server, please let me know! 
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE42KeEfZZRxQVtlQRAvZIAJ9sJdslXc5Uh+GthU2bG88qpE5OygCgtTSx VKzFCEgcroVf3T5bbm7XO9U= =/CQS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 16 19:26:19 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 19:26:25 2006 Subject: Wiki is sick... In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580ED6AC0F@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580ED6AC0F@isabella.herefordshire.gov.uk> Message-ID: <44E3634B.1090105@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Randal, Phil wrote: > D?rfler Andreas wrote: > >> dokuwiki is the best >> >> 1-10. commandment: >> >> dont have any other wiki beside to it > > I'm rather fond of PmWiki, myself. But it's Julian's call, not ours. Indeed. And I sure ain't gonna switch to a different one. One thing wikis desperately need is an easy migration system from one wiki to another. Anyone want to start the project of writing such a system? - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE42NOEfZZRxQVtlQRAq2MAJ9fh8OfYgLUBtMRvWSCNMah4R7wVwCfTznu Tzsr0NDL3Y3JP3IgubbPVfs= =QfzF -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 16 19:27:31 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 19:27:40 2006 Subject: MailScanner load In-Reply-To: <000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com> <000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> Message-ID: <44E36393.8020601@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Campbell wrote: > > ----- Original Message ----- From: "Alex Neuman van der Hans" > > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 4:41 PM > Subject: Re: MailScanner load > > >> You *do* know that MailScanner causes swap, don't you? ;-) > > When did this start happening???????? Like any other package, it will start to swap if you run out of RAM. It does not "cause" swap. > > Steve > >> >> Rob Poe wrote: >>> What's your swap utilization? 1gig of ram using tempfs and MailScanner >>> sounds like too little ram... >>> >>> >>> >>>>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>>>> >>> I've been wanting to use Bayes for our mailscanner system, but I'm >>> wondering now if the overhead is worth it. We have a new mailscanner >>> box running with Postfix (under Gentoo Linux) and it works pretty >>> well, >>> we're filtering between 75-80% of our mail as spam. The box however, >>> is >>> hammered, it's running around 5-6 with spikes to 8-9. 
I've just >>> turned >>> off bayes and I'll see how the load is once it's processed all the >>> back >>> logged messages. We're averaging about 15,000-20,000 messages a day >>> (probably more once the school year starts). Mailscanner is running >>> on >>> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. >>> >>> Is that normal for using bayes with mailscanner or do I need to tweak >>> some things? >>> >>> (I'm already using tmpfs for a little bit of a speed up). >>> >>> Jeremy Blonde >>> Instructional Technology - Server Support >>> Grant Joint Union School District >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> Before posting, read http://wiki.mailscanner.info/posting >>> Support MailScanner development - buy the book off the website! >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE42OWEfZZRxQVtlQRAmNjAJkB+Fq7ZadrbQ3K4P8mEJP1zlXodwCgpmAE tHfot+wF7ClrHrtUYpA6KgQ= =qlb8 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 16 19:37:48 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 19:37:55 2006 Subject: Rul set for Spam Subject Text ??? 
In-Reply-To: References: <20060814093054.87090.qmail@web54402.mail.yahoo.com> Message-ID: <44E365FC.3000101@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > Dennis Willson spake the following on 8/15/2006 4:15 PM: >> If you're not going to mark the email, why scan it at all? Why not make >> a rule that skips scanning for that one domain? Not only will it not get >> marked, but it will reduce server load (maybe not much, but every little >> bit helps). >> > But maybe the user does want high scoring spam stopped, but just doesn't want > to have the subjects modified. Just put a ruleset on this as well. Spam Modify Subject = %rules-dir%/spam.modify.subject.rules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE42X+EfZZRxQVtlQRAkKHAJ9dLtwafMzmkFoJf+eDhB5lOc7MowCfTeWb ZqzWk8eRQYnQYop8EgfCwRY= =9tIJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Wed Aug 16 19:47:49 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 16 19:48:21 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E358C3.7080507@blacknight.ie> References: <44E353E3.2010708@pixelhammer.com> <44E358C3.7080507@blacknight.ie> Message-ID: <44E36855.5020100@pixelhammer.com> Michele Neylon:: Blacknight.ie wrote: > DAve wrote: >> I have looked through the wiki and the website. I found >> http://www.mailscanner.info/support.html#phishing but nothing more. 
>> >> Can anyone tell the rules/logic used for detecting Fraud and Phishing >> attempts in a message? Or is this a read the source moment? >> >> Thanks, >> >> DAve > If you enable it and watch what it does to a phishing email it'll make > more sense :) > I did, and I have. But I only get to see the page *after* MS has disabled it. I have clients asking "Why?". They are not complaining, just asking how it works, they are glad we are disabling suspected fraud. I would like to say what the system is looking for and provide a valid example in before and after states. The bottom line, it works, and works well. But I don't want to sound stooopid because I can't explain how it works with confidence. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From Kevin_Miller at ci.juneau.ak.us Wed Aug 16 20:19:10 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Aug 16 20:19:20 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E36855.5020100@pixelhammer.com> Message-ID: DAve wrote: > I did, and I have. But I only get to see the page *after* MS has > disabled it. > > I have clients asking "Why?". They are not complaining, just asking > how it works, they are glad we are disabling suspected fraud. I would > like to say what the system is looking for and provide a valid > example in before and after states. > > The bottom line, it works, and works well. But I don't want to sound > stooopid because I can't explain how it works with confidence. In a nutshell it compares the purported URL with the underlying one, and if they're different it flags it unless it's in the whitelist. For example www.mybank.com might point to w3.someservername.mybank.com; whatever they're using for a web or mail server. It's probably legitimate. 
Or it may be a message that says www.ebay.com but points to some server in Russia. MS will ding that one. I'm sure it's much more complicated than that under the hood, but if you're trying to explain it to non-technical users, that's the gist of it. I think... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at ecs.soton.ac.uk Wed Aug 16 20:28:29 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 20:28:41 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E36855.5020100@pixelhammer.com> References: <44E353E3.2010708@pixelhammer.com> <44E358C3.7080507@blacknight.ie> <44E36855.5020100@pixelhammer.com> Message-ID: <44E371DD.4030205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See www.phishingnet.info, it will give you an introductory idea of what goes on. I will try to update it at some point in the near future. DAve wrote: > Michele Neylon:: Blacknight.ie wrote: >> DAve wrote: >>> I have looked through the wiki and the website. I found >>> http://www.mailscanner.info/support.html#phishing but nothing more. >>> >>> Can anyone tell the rules/logic used for detecting Fraud and Phishing >>> attempts in a message? Or is this a read the source moment? >>> >>> Thanks, >>> >>> DAve >> If you enable it and watch what it does to a phishing email it'll make >> more sense :) >> > > I did, and I have. But I only get to see the page *after* MS has > disabled it. > > I have clients asking "Why?". They are not complaining, just asking how > it works, they are glad we are disabling suspected fraud. I would like > to say what the system is looking for and provide a valid example in > before and after states. > > The bottom line, it works, and works well. But I don't want to sound > stooopid because I can't explain how it works with confidence. 
> > DAve > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE43HhEfZZRxQVtlQRAnL6AKCU2ijbZbbepdxmKKdcIan0pG4S+gCfV4Ks YIBRPBNjcHHkqaIJtI6SnzM= =bFZf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Wed Aug 16 20:41:06 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 16 20:41:38 2006 Subject: Fraud and Phishing detection In-Reply-To: References: Message-ID: <44E374D2.4040909@pixelhammer.com> Kevin Miller wrote: > DAve wrote: >> I did, and I have. But I only get to see the page *after* MS has >> disabled it. >> >> I have clients asking "Why?". They are not complaining, just asking >> how it works, they are glad we are disabling suspected fraud. I would >> like to say what the system is looking for and provide a valid >> example in before and after states. >> >> The bottom line, it works, and works well. But I don't want to sound >> stooopid because I can't explain how it works with confidence. > > In a nutshell it compares the purported URL with the underlying one, and > if they're different it flags it unless it's in the whitelist. For > example www.mybank.com might point to w3.someservername.mybank.com; > whatever they're using for a web or mail server. It's probably > legitimate. Or it may be a message that says www.ebay.com but points to > some server in Russia. MS will ding that one. 
> > I'm sure it's much more complicated than that under the hood, but if > you're trying to explain it to non-technical users, that's the gist of > it. I think... > > ...Kevin That is what I've been saying after a "very quick" glance at the source code and a few messages. I have one example I use, I wasn't sure if MS would catch more than this. http://thisurlisdifferent.com Thanks, DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mailscanner at ecs.soton.ac.uk Wed Aug 16 20:59:02 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 20:59:12 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E36855.5020100@pixelhammer.com> References: <44E353E3.2010708@pixelhammer.com> <44E358C3.7080507@blacknight.ie> <44E36855.5020100@pixelhammer.com> Message-ID: <44E37906.1050809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DAve wrote: > Michele Neylon:: Blacknight.ie wrote: >> DAve wrote: >>> I have looked through the wiki and the website. I found >>> http://www.mailscanner.info/support.html#phishing but nothing more. >>> >>> Can anyone tell the rules/logic used for detecting Fraud and Phishing >>> attempts in a message? Or is this a read the source moment? >>> >>> Thanks, >>> >>> DAve >> If you enable it and watch what it does to a phishing email it'll make >> more sense :) >> > > I did, and I have. But I only get to see the page *after* MS has > disabled it. > > I have clients asking "Why?". They are not complaining, just asking how > it works, they are glad we are disabling suspected fraud. I would like > to say what the system is looking for and provide a valid example in > before and after states. > > The bottom line, it works, and works well. But I don't want to sound > stooopid because I can't explain how it works with confidence.
I have just updated www.phishingnet.info to contain a pretty accurate description of the latest version of the net, along with an explanation of how the "less strict" version of the net works. I strongly recommend you take a look at it. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE43kJEfZZRxQVtlQRAsMpAJ4mmnK6Y1q7u2ovkv7U6S8X9BgHugCg3QE1 /taL73WsRrcwWduGJz4Peeo= =nCWh -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Wed Aug 16 21:01:20 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 16 21:01:24 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <44E361A8.9060104@ecs.soton.ac.uk> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <44E2E4B7.6020900@utwente.nl> <223f97700608160249t5ff7f24dk54601530beca7e11@mail.gmail.com> <44E361A8.9060104@ecs.soton.ac.uk> Message-ID: <223f97700608161301t5d5f1424s4261bd84148ed851@mail.gmail.com> On 16/08/06, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 16/08/06, Peter Peters wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Glenn Steen wrote on 15-8-2006 14:39: > >> > >> > If you have a site license for a commercial AV, you might be entiteled > >> > to download/use/update their *nix priduct too. This is true for at > >> > least McAfee. > >> > >> We do. 
But we explicitly have decided against using that on our main > >> servers. It is already running on the clients and Exchange. I want to > >> use another scanner to protect from mistakes that might show up on one > >> of the scanners. It will be picked up by the other scanners. > >> > > Oh yes, very true. > > But if you (as we have had in the past) have a somewhat quirky GSE > > that sometimes fails to get updated, and have the resources to spare, on > > the gateway.... Then adding it into the mix isn't a bad idea either. > > As you might imagine, I have a PC with rather a lot of viruses on it, > for testing stuff, and all sorts of virus-laden email. A lot of the > time, I don't use any anti-virus software at all, as it just gets in the > way. But when I do, I use different software (F-Prot) than the one we > have a site licence for (Sophos). > > I think running different AV on the gateway from what you run on the > desktop (if you are limited by financial constraints, and cannot run 3 > on the gateway) is a very good idea. If Sophos is a bit late in getting > the detector update for the latest new worm, then you don't want all > your layers of protection failing together. If you run the same software > everywhere, it will all fail at the same time, demolishing your > defences. You want multiple, different, layers of defence. > No argument, but... as some have mentioned, there are good reasons to have it (at least McAfee) on both (in the McAfee case you likely employ EPO, which will use a completely different path for getting the updates.... and with their track record, you really want more than one path, so that at least one subsystem is updated asap;). And all the theorizing has been from the standpoint that one should always have more than one AV on the MS gateway.
Apart from that, we're in complete agreement:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Wed Aug 16 21:01:13 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Aug 16 21:02:08 2006 Subject: Wiki is sick... In-Reply-To: <44E3629C.2070908@ecs.soton.ac.uk> References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <44E3629C.2070908@ecs.soton.ac.uk> Message-ID: > > If any DokuWiki experts out there want to tell me how to move the entire > wiki and all its contents onto a new server, please let me know! Should be pretty easy, it is all text-based. Just copy the directory to the other server. From ugob at camo-route.com Wed Aug 16 21:02:55 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Aug 16 21:05:20 2006 Subject: Mail Queue monitor? In-Reply-To: <44E341AE.3050001@dido.ca> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0E9@UBIMAIL1.ubisoft.org> <44E341AE.3050001@dido.ca> Message-ID: Rob Morin wrote: > That's a cool script, however I wanted to NOT use Nagios and such, as I > need to run this on a remote machine, as Nagios uses my mailserver to > send email, if mail is backed up I will not get the alert.... so I > figure I have a secondary email server that I would run an ssh command > and check the queue on the primary, if it does not respond or is high I > would then email to a pager on that remote machine that the queue is > high... Use the escalation feature of Nagios to send to your pager. Please contact me directly if you need help. I also have a custom plugin for checking inbound mail queue length. Ugo > > am I confusing anyone yet? > > :) > > Rob Morin > Dido InterNet Inc.
> Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Daniel Maher wrote: >> If you've already got SNMP deployed, you can query it using any number >> of open source network monitoring tools (such as Nagios or Big Brother). >> >> In order to obtain the result in the first place, though, you'll need >> a script to generate a number that SNMP can report. Consider the >> attached script, in fact, which can check either the "hold" or >> "incoming" queues, as you like. >> >> >> -- >> _ >> °v° Daniel Maher >> /(_)\ Administrateur Système Unix >> ^ ^ Unix System Administrator >> >> Sentio aliquos togatos contra me conspirare. >> >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >>> Sent: August 16, 2006 11:22 AM >>> To: MailScanner discussion >>> Subject: Mail Queue monitor? >>> >>> Is there a script I can use to monitor the mail queue on my Postfix >>> system, and if it's over a certain amount email me or page me.... >>> >>> So every 5 or 10 mins this script would run and if the email in the >>> queue is over 100 send an email to a pager... >>> >>> I guess I would have to run this command from an external machine via >>> ssh as I figure if I run it locally and the queue is big I would never >>> get the email? >>> >>> :) >>> >>> Thanks... >>> >>> -- >>> >>> Rob Morin >>> Dido InterNet Inc. >>> Montreal, Canada >>> Http://www.dido.ca >>> 514-990-4444 >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website!
>>> >> >> >> From campbell at cnpapers.com Wed Aug 16 21:05:27 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Aug 16 21:05:43 2006 Subject: MailScanner load References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> Message-ID: <004701c6c16f$5119be10$0705000a@DDF5DW71> Sorry, Julian, I forgot to put the smiley face thingy at the end of my statement. Well aware of the problems that thread caused. Steve ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Wednesday, August 16, 2006 2:27 PM Subject: Re: MailScanner load > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Steve Campbell wrote: >> >> ----- Original Message ----- From: "Alex Neuman van der Hans" >> >> To: "MailScanner discussion" >> Sent: Tuesday, August 15, 2006 4:41 PM >> Subject: Re: MailScanner load >> >> >>> You *do* know that MailScanner causes swap, don't you? ;-) >> >> When did this start happening???????? > > Like any other package, it will start to swap if you run out of RAM. It > does not "cause" swap. > >> >> Steve >> >>> >>> Rob Poe wrote: >>>> What's your swap utilization? 1gig of ram using tempfs and MailScanner >>>> sounds like too little ram... >>>> >>>> >>>> >>>>>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>>>>> >>>> I've been wanting to use Bayes for our mailscanner system, but I'm >>>> wondering now if the overhead is worth it. We have a new mailscanner >>>> box running with Postfix (under Gentoo Linux) and it works pretty >>>> well, >>>> we're filtering between 75-80% of our mail as spam. The box however, >>>> is >>>> hammered, it's running around 5-6 with spikes to 8-9. I've just >>>> turned >>>> off bayes and I'll see how the load is once it's processed all the >>>> back >>>> logged messages. We're averaging about 15,000-20,000 messages a day >>>> (probably more once the school year starts). 
Mailscanner is running >>>> on >>>> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. >>>> >>>> Is that normal for using bayes with mailscanner or do I need to tweak >>>> some things? >>>> >>>> (I'm already using tmpfs for a little bit of a speed up). >>>> >>>> Jeremy Blonde >>>> Instructional Technology - Server Support >>>> Grant Joint Union School District >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE42OWEfZZRxQVtlQRAmNjAJkB+Fq7ZadrbQ3K4P8mEJP1zlXodwCgpmAE > tHfot+wF7ClrHrtUYpA6KgQ= > =qlb8 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From mailscanner at ecs.soton.ac.uk Wed Aug 16 21:06:45 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 16 21:06:55 2006 Subject: Fraud and Phishing detection In-Reply-To: <44E374D2.4040909@pixelhammer.com> References: <44E374D2.4040909@pixelhammer.com> Message-ID: <44E37AD5.7040808@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DAve wrote: > Kevin Miller wrote: >> DAve wrote: >>> I did, and I have. But I only get to see the page *after* MS has >>> disabled it. >>> >>> I have clients asking "Why?". They are not complaining, just asking >>> how it works, they are glad we are disabling suspected fraud. I would >>> like to say what the system is looking for and provide a valid >>> example in before and after states. >>> >>> The bottom line, it works, and works well. But I don't want to sound >>> stooopid because I can't explain how it works with confidence. >> >> In a nutshell it compares the purported URL with the underlying one, and >> if they're different it flags it unless it's in the whitelist. For >> example www.mybank.com might point to w3.someservername.mybank.com; >> whatever they're using for a web or mail server. It's probably >> legitimate. Or it may be a message that says www.ebay.com but points to >> some server in Russia. MS will ding that one. >> >> I'm sure it's much more complicated than that under the hood, but if >> you're trying to explain it to non-technical users, that's the gist of >> it. I think... >> >> ...Kevin > > That is what I've been saying after a "very quick" glance at the source > code and a few messages. > > I have one example I use, I wasn't sure if MS would catch more than this. > > http://thisurlisdifferent.com See the newly updated www.phishingnet.info site. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE43rYEfZZRxQVtlQRAkPEAKCaLCvSYm8v9VpXYlZqGk8GxuZ/7ACdEyUe K/PVwxNpigqE5sRW6HTtDzE= =Rota -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Wed Aug 16 21:12:38 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 16 21:12:50 2006 Subject: Wiki is sick... In-Reply-To: <44E3629C.2070908@ecs.soton.ac.uk> References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <44E3629C.2070908@ecs.soton.ac.uk> Message-ID: <223f97700608161312v297f8d59l74ee29a1caa74e58@mail.gmail.com> On 16/08/06, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Res wrote: > > On Wed, 16 Aug 2006, Glenn Steen wrote: > > > >> On 16/08/06, Michele Neylon :: Blacknight Solutions > >> wrote: > >>> Julian Field wrote: > >>> > -----BEGIN PGP SIGNED MESSAGE----- > >>> > Hash: SHA1 > >>> > > >>> > We have just had to tighten up our web server in response to an > >>> > attempted hack last week. I'm working on this one... > >>> > >>> Maybe it would be time to move to a nicer wiki system ? :) > >>> > >>> Michele - who has always hated Julian's choice of wiki software > >>> > >> And go through the conversion process again, just for the fun of it? > >> Sure, it should be relatively trivial to script for most tags, > >> but..... 
:-) > >> Count my vote against switching away from DW;) > > > > > > my vote is for anything that works faster, it's painful waiting as long > > as we do, and it's always been that way, I recall 386's responding faster > > We have been having major load problems on our web servers recently. We > are about to split them out into clusters so performance should improve. > For a world-leading department, our web service is pretty crap at the > moment. > > Many thanks for Blacknight Solutions (www.blacknightsolutions.com) and > Michele for hosting www.mailscanner.info along with all my other > domains, except for wiki.mailscanner.info. > > If any DokuWiki experts out there want to tell me how to move the entire > wiki and all its contents onto a new server, please let me know! > Ehm, tar it up on source, untar it on destination. More or less. You could remove the caches, if you'd like to reduce the size of the tarball, but it isn't necessary. When you have it in place on the new server, point your browser to it and do a "/doku.php?do=check" to see any problems. Should work without remake. Note that this "magic" is why one shouldn't use external links to internal stuff in a DW. Internal links are so much cleaner:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Wed Aug 16 21:20:12 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Aug 16 21:20:36 2006 Subject: MailScanner load References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> Message-ID: <004e01c6c171$611d1940$0705000a@DDF5DW71> Decided to make an intelligent statement this time: One thing I did find to lower my load average, though, was MimeDefang in a look-ahead environment. Before installing MimeDefang, I was receiving about 25K messages a day per server.
Most of those were secondary MX relays, that is, mail sent to the secondary MX by spammers, and then relayed to the primary MX or mail store. I just use the look-ahead function in MD, nothing else. The load average was slowly climbing into the 8+ range and higher as a norm. After the install, my message count dropped to around 10K a day, and the load average dropped to around 2-3 as a norm. It still shoots up once in a while, but nothing like before MD. Obviously, running MD will add overhead, but the drop of about 60% emails needing to be scanned more than made up for that. I then was better able to detect more hosts/IP to add to my MTA access file, which made things even better. Another thing to mention is that before and after, mail ran smoothly. It just took a little bit longer before installing MD as there were always more processes (sendmail) trying to deliver DSN mail and the likes. This is not an answer for all systems - it's just that I use my MXs in a bazaar way (I think). My primary MX for one domain is a secondary MX for another domain. The primaries hold the mailboxes for their domain. No smiley face statements here. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Wednesday, August 16, 2006 2:27 PM Subject: Re: MailScanner load > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Steve Campbell wrote: >> >> ----- Original Message ----- From: "Alex Neuman van der Hans" >> >> To: "MailScanner discussion" >> Sent: Tuesday, August 15, 2006 4:41 PM >> Subject: Re: MailScanner load >> >> >>> You *do* know that MailScanner causes swap, don't you? ;-) >> >> When did this start happening???????? > > Like any other package, it will start to swap if you run out of RAM. It > does not "cause" swap. > >> >> Steve >> >>> >>> Rob Poe wrote: >>>> What's your swap utilization? 1gig of ram using tempfs and MailScanner >>>> sounds like too little ram... 
>>>> >>>> >>>> >>>>>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>>>>> >>>> I've been wanting to use Bayes for our mailscanner system, but I'm >>>> wondering now if the overhead is worth it. We have a new mailscanner >>>> box running with Postfix (under Gentoo Linux) and it works pretty >>>> well, >>>> we're filtering between 75-80% of our mail as spam. The box however, >>>> is >>>> hammered, it's running around 5-6 with spikes to 8-9. I've just >>>> turned >>>> off bayes and I'll see how the load is once it's processed all the >>>> back >>>> logged messages. We're averaging about 15,000-20,000 messages a day >>>> (probably more once the school year starts). Mailscanner is running >>>> on >>>> an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. >>>> >>>> Is that normal for using bayes with mailscanner or do I need to tweak >>>> some things? >>>> >>>> (I'm already using tmpfs for a little bit of a speed up). >>>> >>>> Jeremy Blonde >>>> Instructional Technology - Server Support >>>> Grant Joint Union School District >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE42OWEfZZRxQVtlQRAmNjAJkB+Fq7ZadrbQ3K4P8mEJP1zlXodwCgpmAE > tHfot+wF7ClrHrtUYpA6KgQ= > =qlb8 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Wed Aug 16 21:27:27 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 16 21:27:31 2006 Subject: Wiki is sick... In-Reply-To: <44E3634B.1090105@ecs.soton.ac.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580ED6AC0F@isabella.herefordshire.gov.uk> <44E3634B.1090105@ecs.soton.ac.uk> Message-ID: <223f97700608161327i385bff59j43c08466aa7fe1d1@mail.gmail.com> On 16/08/06, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Randal, Phil wrote: > > Dörfler Andreas wrote: > > > >> dokuwiki is the best > >> > >> 1-10. commandment: > >> > >> don't have any other wiki beside to it > > > > I'm rather fond of PmWiki, myself. But it's Julian's call, not ours. > > Indeed. And I sure ain't gonna switch to a different one. One thing > wikis desperately need is an easy migration system from one wiki to another. > > Anyone want to start the project of writing such a system? > There already exists at least one web-app that does this for some wikis (DW and mediawiki and some others).
The real problems stem from the different wikis' capabilities not matching particularly well, so any such script can only do a very basic conversion. No, I don't remember the address, sorry. Wasn't worth it:-). And there is the wikiconverter CPAN module.... Haven't used that one though:). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Wed Aug 16 22:01:28 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 16 22:02:11 2006 Subject: MailScanner load In-Reply-To: <004e01c6c171$611d1940$0705000a@DDF5DW71> References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> Message-ID: Steve Campbell spake the following on 8/16/2006 1:20 PM: > Decided to make an intelligent statement this time: > > One thing I did find to lower my load average, though, was MimeDefang in > a look-ahead environment. > > Before installing MimeDefang, I was receiving about 25K messages a day > per server. Most of those were secondary MX relays, that is, mail sent > to the secondary MX by spammers, and then relayed to the primary MX or > mail store. I just use the look-ahead function in MD, nothing else. The > load average was slowly climbing into the 8+ range and higher as a norm. > After the install, my message count dropped to around 10K a day, and the > load average dropped to around 2-3 as a norm. It still shoots up once in > a while, but nothing like before MD. > > Obviously, running MD will add overhead, but the drop of about 60% > emails needing to be scanned more than made up for that. I then was > better able to detect more hosts/IP to add to my MTA access file, which > made things even better. > > Another thing to mention is that before and after, mail ran smoothly.
It > just took a little bit longer before installing MD as there were always > more processes (sendmail) trying to deliver DSN mail and the likes. > > This is not an answer for all systems - it's just that I use my MXs in a > bazaar way (I think). My primary MX for one domain is a secondary MX for > another domain. The primaries hold the mailboxes for their domain. > > No smiley face statements here. > That is how I have been doing it. My PHB's will only spring for a single T-1 line to each site, so to get some decent fallback I had to do it that way. Doesn't make much sense to put your secondary on the same end of a failure. I was looking at milter-ahead until it stopped being free. I have been looking for a clear howto for MD to do just what you have. Do you have a good example or link to one? I don't want MD to do anything except the look-ahead. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From richard.thomas at psysolutions.com Wed Aug 16 22:12:18 2006 From: richard.thomas at psysolutions.com (Richard Thomas) Date: Wed Aug 16 22:11:55 2006 Subject: Ruleset confusion Message-ID: <44E38A32.5060709@psysolutions.com> I have set a ruleset as the option for "Archive Email". However, mailscanner seems to be taking the ruleset for an mbox file and is trying to append the emails to it. I am sure I am missing something obvious but would appreciate a pointer. 
MailScanner.conf contains Archive Mail = %rules-dir%/archive.rules.conf And the archive.rules.conf so far is simply FromOrTo: default /email/archive Logs show Aug 16 16:11:30 mail MailScanner[27764]: Failed to append message to pre-existing mbox file /etc/MailScanner/rules/archive.rules.conf Thanks Rich From dave.list at pixelhammer.com Wed Aug 16 22:19:35 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 16 22:20:07 2006 Subject: MailScanner load In-Reply-To: References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> Message-ID: <44E38BE7.2020802@pixelhammer.com> Scott Silva wrote: > Steve Campbell spake the following on 8/16/2006 1:20 PM: >> Decided to make an intelligent statement this time: >> >> One thing I did find to lower my load average, though, was MimeDefang in >> a look-ahead environment. >> >> Before installing MimeDefang, I was receiving about 25K messages a day >> per server. Most of those were secondary MX relays, that is, mail sent >> to the secondary MX by spammers, and then relayed to the primary MX or >> mail store. I just use the look-ahead function in MD, nothing else. The >> load average was slowly climbing into the 8+ range and higher as a norm. >> After the install, my message count dropped to around 10K a day, and the >> load average dropped to around 2-3 as a norm. It still shoots up once in >> a while, but nothing like before MD. >> >> Obviously, running MD will add overhead, but the drop of about 60% >> emails needing to be scanned more than made up for that. I then was >> better able to detect more hosts/IP to add to my MTA access file, which >> made things even better. >> >> Another thing to mention is that before and after, mail ran smoothly.
It >> just took a little bit longer before installing MD as there were always >> more processes (sendmail) trying to deliver DSN mail and the likes. >> >> This is not an answer for all systems - it's just that I use my MXs in a >> bazaar way (I think). My primary MX for one domain is a secondary MX for >> another domain. The primaries hold the mailboxes for their domain. >> >> No smiley face statements here. >> > That is how I have been doing it. My PHB's will only spring for a single T-1 > line to each site, so to get some decent fallback I had to do it that way. > Doesn't make much sense to put your secondary on the same end of a failure. > I was looking at milter-ahead until it stopped being free. > I have been looking for a clear howto for MD to do just what you have. Do you > have a good example or link to one? > I don't want MD to do anything except the look-ahead. It's only $115 USD, far cheaper than the cost of the hardware it would take to reduce the load the same amount. We currently use the old-free version. But as soon as we need the accessdb configurations we will purchase the new version. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From richard.thomas at psysolutions.com Wed Aug 16 22:21:13 2006 From: richard.thomas at psysolutions.com (Richard Thomas) Date: Wed Aug 16 22:25:48 2006 Subject: Ruleset unconfusion Message-ID: <44E38C49.8070109@psysolutions.com> OK, so it was the naming. I would suggest that the wording of ruleset files end in ".rules". This is usually not absolutely necessary, but will avoid a few problems in specific situations from the book and Ruleset files should all be put in [...] and their filename should end in ".rules" wherever possible. from the man page could possibly do with some tweaking.

Rich

From ssilva at sgvwater.com Wed Aug 16 23:26:22 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 16 23:26:32 2006
Subject: MailScanner load
In-Reply-To: <44E38BE7.2020802@pixelhammer.com>
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> <44E38BE7.2020802@pixelhammer.com>
Message-ID:

DAve spake the following on 8/16/2006 2:19 PM:
> Scott Silva wrote:
>> Steve Campbell spake the following on 8/16/2006 1:20 PM:
>>> Decided to make an intelligent statement this time:
>>>
>>> One thing I did find to lower my load average, though, was MimeDefang in
>>> a look-ahead environment.
>>>
>>> Before installing MimeDefang, I was receiving about 25K messages a day
>>> per server. Most of those were secondary MX relays, that is, mail sent
>>> to the secondary MX by spammers, and then relayed to the primary MX or
>>> mail store. I just use the look-ahead function in MD, nothing else. The
>>> load average was slowly climbing into the 8+ range and higher as a norm.
>>> After the install, my message count dropped to around 10K a day, and the
>>> load average dropped to around 2-3 as a norm. It still shoots up once in
>>> a while, but nothing like before MD.
>>>
>>> Obviously, running MD will add overhead, but the drop of about 60%
>>> emails needing to be scanned more than made up for that. I then was
>>> better able to detect more hosts/IP to add to my MTA access file, which
>>> made things even better.
>>>
>>> Another thing to mention is that before and after, mail ran smoothly. It
>>> just took a little bit longer before installing MD as there were always
>>> more processes (sendmail) trying to deliver DSN mail and the likes.
>>>
>>> This is not an answer for all systems - it's just that I use my MXs in a
>>> bizarre way (I think). My primary MX for one domain is a secondary MX for
>>> another domain.
>>> The primaries hold the mailboxes for their domain.
>>>
>>> No smiley face statements here.
>>>
>> That is how I have been doing it. My PHB's will only spring for a
>> single T-1
>> line to each site, so to get some decent fallback I had to do it that
>> way.
>> Doesn't make much sense to put your secondary on the same end of a
>> failure.
>> I was looking at milter-ahead until it stopped being free.
>> I have been looking for a clear howto for MD to do just what you have.
>> Do you
>> have a good example or link to one?
>> I don't want MD to do anything except the look-ahead.
>
> It's only $115 USD, far cheaper than the cost of the hardware it would
> take to reduce the load the same amount.
>
> We currently use the old-free version. But as soon as we need the
> accessdb configurations we will purchase the new version.
>
> DAve
>

I think I have the old free version around. You need it and the libsnert from the same time, correct?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From res at ausics.net Thu Aug 17 01:52:15 2006
From: res at ausics.net (Res)
Date: Thu Aug 17 01:52:27 2006
Subject: Wiki is sick...
In-Reply-To: <44E3629C.2070908@ecs.soton.ac.uk>
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <44E3629C.2070908@ecs.soton.ac.uk>
Message-ID:

On Wed, 16 Aug 2006, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> We have been having major load problems on our web servers recently. We
> are about to split them out into clusters so performance should improve.
> For a world-leading department, our web service is pretty crap at the
> moment.

That explains it :)

>
> Many thanks for Blacknight Solutions (www.blacknightsolutions.com) and
> Michele for hosting www.mailscanner.info along with all my other
> domains, except for wiki.mailscanner.info.
>
> If any Docuwiki experts out there want to tell me how to move the entire
> wiki and all its contents onto a new server, please let me know!
>

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Thu Aug 17 01:53:55 2006
From: res at ausics.net (Res)
Date: Thu Aug 17 01:54:06 2006
Subject: Wiki is sick...
In-Reply-To:
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com>
Message-ID:

On Wed, 16 Aug 2006, Scott Silva wrote:

>>> my vote is for anything that works faster, it's painful waiting as
>> IMO, most wikis are quite slow. Especially if they are more ...
>> "featureful" (tikiwiki comes to mind). And most rely on a database,
>> which DW doesn't. A case of choosing between the plague and cholera...
>> I say stay with the sickness you know:-)
>>
> I choose hangover! ;-)
> Not fun to have, more fun to get, but you only WISH you died from it!

I'll pay that one lol

Hmmm on a side note I seem to have lost the responses to my post, this is the first... Michele can you tell me if any list posts to me are bouncing?

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From dave.list at pixelhammer.com Thu Aug 17 04:26:50 2006
From: dave.list at pixelhammer.com (DAve)
Date: Thu Aug 17 04:27:22 2006
Subject: MailScanner load
In-Reply-To:
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> <44E38BE7.2020802@pixelhammer.com>
Message-ID: <44E3E1FA.7020506@pixelhammer.com>

Scott Silva wrote:
> DAve spake the following on 8/16/2006 2:19 PM:
>> Scott Silva wrote:
>>> Steve Campbell spake the following on 8/16/2006 1:20 PM:
>>>> Decided to make an intelligent statement this time:
>>>>
>>>> One thing I did find to lower my load average, though, was MimeDefang in
>>>> a look-ahead environment.
>>>>
>>>> Before installing MimeDefang, I was receiving about 25K messages a day
>>>> per server. Most of those were secondary MX relays, that is, mail sent
>>>> to the secondary MX by spammers, and then relayed to the primary MX or
>>>> mail store. I just use the look-ahead function in MD, nothing else. The
>>>> load average was slowly climbing into the 8+ range and higher as a norm.
>>>> After the install, my message count dropped to around 10K a day, and the
>>>> load average dropped to around 2-3 as a norm. It still shoots up once in
>>>> a while, but nothing like before MD.
>>>>
>>>> Obviously, running MD will add overhead, but the drop of about 60%
>>>> emails needing to be scanned more than made up for that. I then was
>>>> better able to detect more hosts/IP to add to my MTA access file, which
>>>> made things even better.
>>>>
>>>> Another thing to mention is that before and after, mail ran smoothly.
>>>> It just took a little bit longer before installing MD as there were always
>>>> more processes (sendmail) trying to deliver DSN mail and the likes.
>>>>
>>>> This is not an answer for all systems - it's just that I use my MXs in a
>>>> bizarre way (I think). My primary MX for one domain is a secondary MX for
>>>> another domain. The primaries hold the mailboxes for their domain.
>>>>
>>>> No smiley face statements here.
>>>>
>>> That is how I have been doing it. My PHB's will only spring for a
>>> single T-1
>>> line to each site, so to get some decent fallback I had to do it that
>>> way.
>>> Doesn't make much sense to put your secondary on the same end of a
>>> failure.
>>> I was looking at milter-ahead until it stopped being free.
>>> I have been looking for a clear howto for MD to do just what you have.
>>> Do you
>>> have a good example or link to one?
>>> I don't want MD to do anything except the look-ahead.
>> It's only $115 USD, far cheaper than the cost of the hardware it would
>> take to reduce the load the same amount.
>>
>> We currently use the old-free version. But as soon as we need the
>> accessdb configurations we will purchase the new version.
>>
>> DAve
>>
> I think I have the old free version around. You need it and the libsnert from
> the same time, correct?
>
>

Yes, we run libsnert-1.40 and milter-ahead-0.8 on two mail gateways. Running now at 100k to 120+k refused connections a day with zero problems.

We don't have any rules in accessdb and we didn't change anything except the cache timeout. Overquota mailboxes can bite you when the client empties their mailbox and mail is still refused all day. We expire the cache quite rapidly now with no ill effects.

Once we upgrade the gateways we will purchase the full version as I will have need of some of the paid for features. Money worth spending IMO, it's been trouble free.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day.
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From mkellermann at net-com.de Thu Aug 17 07:10:04 2006
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Thu Aug 17 07:09:37 2006
Subject: Problem with X-headers displayed in body
In-Reply-To: <44E33384.6050507@USherbrooke.ca>
References: <44E33177.7050809@net-com.de> <44E33384.6050507@USherbrooke.ca>
Message-ID: <44E4083C.6020500@net-com.de>

Denis Beauchemin wrote:
> Matthias Kellermann wrote:
>> no not spam (whitelisted), SpamAssassin (Wertung=3.701, benoetigt 6,
>> RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99)
>> X-net-Com-AG-MailScanner-From: mkellermann@net-com.de
>>
>> Hello,
>>
>> I've set up MailScanner on a Debian box with Postfix as MTA.
>> Everything works great except the header tagging of emails.
>>
>> Some Email clients display parts of the x-headers in the message.
>> The full x-header added by MailScanner of an email that is not spam:
>>
>> X-net-Com-AG-MailScanner: Found to be clean
>> no not spam (whitelisted), SpamAssassin (Wertung=3.791, benoetigt 6,
>> RCVD_IN_NJABL_DUL 1.71, SPF_HELO_SOFTFAIL 2.08)
>> X-net-Com-AG-MailScanner-From: someone@somewhere.de
>>
>> The x-header added by MailScanner of a spam mail:
>>
>> X-net-Com-AG-MailScanner: Found to be clean
>> no spam, SpamAssassin (Wertung=17.321, benoetigt 6, HELO_DYNAMIC_DHCP
>> 2.66,
>> HTML_IMAGE_ONLY_08 2.44, HTML_MESSAGE 0.00,
>> HTML_SHORT_LINK_IMG_1 0.28, MIME_HTML_MOSTLY 0.70,
>> MPART_ALT_DIFF 0.14, URIBL_JP_SURBL 3.36, URIBL_OB_SURBL 2.62,
>> URIBL_SC_SURBL 3.60, URIBL_WS_SURBL 1.53)
>> X-net-Com-AG-MailScanner-SpamScore: sssssssssssssssss
>> X-net-Com-AG-MailScanner-From: miranda@shinbiro.com
>>
>> I think the problem is the part "no spam" or "no not spam" because
>> there is no X- in front of it.
>> How can I fix the header so all email clients display the message
>> correctly?
>>
>> Thanks in advance.
>>
>> Best regards,
>> Matthias
> Matthias,
>
> What do you have in MailScanner.conf for:
> Spam Header =
>
> You should have a X- something in there.
>
> Denis
>

Hi Denis,

That's it! There only was a simple "yes". Now I've added a X-something header and it works like a charm.

Thank you!

Best regards,
Matthias

From mikea at mikea.ath.cx Wed Aug 16 17:22:59 2006
From: mikea at mikea.ath.cx (mikea)
Date: Thu Aug 17 08:01:30 2006
Subject: New Installation @ Work
In-Reply-To: <7d5ab205921ba931f58d1777f2a32be1@localhost>; from uxbod@splatnix.net on Wed, Aug 16, 2006 at 04:16:57PM +0100
References: <7d5ab205921ba931f58d1777f2a32be1@localhost>
Message-ID: <20060816112259.B8422@mikea.ath.cx>

On Wed, Aug 16, 2006 at 04:16:57PM +0100, --[ UxBoD ]-- wrote:
> Hi,
>
> I have just started a six month contract for a company, and after discussions with the other sys admin we have decided to run a POC to replace the current anti-viri/spam appliance with MailScanner.
>
> What I would be grateful with some help on is how I can create a second stream of the company's email to MailScanner from the existing SendMail installation so that we can see how it performs, without affecting the current mail implementation. I have heard that there is a milter which will allow this, but are there any other methods.
>
> We can then use the results to form part of the business case, and hopefully get a full solution implemented.

Anthony Howe's "roundhouse" will do that very nicely indeed.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From glenn.steen at gmail.com Thu Aug 17 09:42:04 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 17 09:42:07 2006
Subject: Wiki is sick...
In-Reply-To:
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com>
Message-ID: <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com>

On 17/08/06, Res wrote:
> On Wed, 16 Aug 2006, Scott Silva wrote:
>
> >>> my vote is for anything that works faster, it's painful waiting as
>
> >> IMO, most wikis are quite slow. Especially if they are more ...
> >> "featureful" (tikiwiki comes to mind). And most rely on a database,
> >> which DW doesn't. A case of choosing between the plague and cholera...
> >> I say stay with the sickness you know:-)
> >>
> > I choose hangover! ;-)
> > Not fun to have, more fun to get, but you only WISH you died from it!
>
> I'll pay that one lol

Self-induced sickness..... I always prefer the part before the sickness arrives:-).
If you swing by Stockholm, I'll chip in too, for some practical experimentation;-)

> Hmmm on a side note I seem to have lost the responses to my post, this is
> the first... Michele can you tell me if any list posts to me are bouncing?
>

Strange. See them in gmane?

Anyway, a further sidenote... Wiki seems to be on the mend. Rather snappy ATM, and no errors... Did you move it Jules?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard at e-Dict.co.uk Thu Aug 17 12:50:47 2006
From: richard at e-Dict.co.uk (Richard Sidlin)
Date: Thu Aug 17 12:51:03 2006
Subject: Hyperlinks
Message-ID: <542C4BC20D8CCB49B060ACEBA06A18FBB1571C@exchange.stevenage.local>

Hi

I am running MailScanner 4.54.4. When emails come in with hyperlinks on, MailScanner puts an extra www at the end of it. How can I stop this doing it please?

TIA

Richard

--
This message has been scanned for viruses and dangerous content by the Help Internet MailScanner, and is believed to be clean.
*******************************************
For more information call the Help Internet sales team now on 08707 446239.
*******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060817/36625931/attachment.html

From bpumphrey at WoodMacLaw.com Thu Aug 17 14:11:51 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Thu Aug 17 14:11:54 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <44E4083C.6020500@net-com.de>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>

Does anyone only accept email that will do a reverse lookup? Does anyone recommend it?

Thank you

From jaearick at colby.edu Thu Aug 17 14:44:20 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 17 14:55:14 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
Message-ID:

Hi,

I have tried this with sendmail using the require_rdns.m4 hack from Neil Rickert a couple of times in the past, for brief periods (less than one day). The damage was too great IMHO. I tried it once a couple of years ago, and then again a few months ago shortly after AOL announced that they would enforce this in their email policies.

After a few months of AOL beating the world into shape, maybe it is time to revisit this issue again...

Jeff Earickson
Colby College

On Thu, 17 Aug 2006, Billy A. Pumphrey wrote:

> Date: Thu, 17 Aug 2006 09:11:51 -0400
> From: Billy A. Pumphrey
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
>
> Does anyone only accept email that will do a reverse lookup? Does
> anyone recommend it?
>
> Thank you
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Thu Aug 17 15:04:21 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 17 15:04:25 2006
Subject: Some more on AV scanners.
Message-ID: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com>

Since bdc has turned into payware, I'm thinking about the alternatives. Today I run with ClamAV, McAfee and BitDefender.

Looking at the list of supported scanners, I'm leaning either toward implementing AVG or Norman. Does anyone have any experience with these two they'd care to share? Or perhaps F-secure or Antivir... same there, what's your experience? Or how about Kaspersky or DrWeb?

The cheapest alternative is likely Panda (buy their cheapest product so that you can get at the updates), but .... I've never particularly liked that one:). Sophos, vexira, f-prot and nod32 seemed a bit steep, which would likely cull them from my list (tightfisted PHB:-). And I just detest Trend, Symantec and CA, so those went out before the start:-).

Going through the list of supported scanners in MailScanner.conf I noted that the URL for Norman points to their German site, which is a bit strange considering they are Norwegian... www.norman.com or www.norman.no would be better... And the link to Command just doesn't seem to work at all. Does it still exist? BTW, I suppose Jules could cull RAV from the list pretty soon too... It's "Microsoft" nowadays, and I couldn't find any *nix scanner at all at their site (rather unsurprising:-).

I've also noted that there are a few(!) scanners we don't support... Would there be any interest in getting a wrapper going for Avast!, Una or some other AV?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From akostocker at gmail.com Thu Aug 17 15:10:19 2006
From: akostocker at gmail.com (Tony Stocker)
Date: Thu Aug 17 15:10:21 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To: <7801ad8f0608160651u4c03d8d6m7277b5a9206fc2ef@mail.gmail.com>
References: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com> <7801ad8f0608160651u4c03d8d6m7277b5a9206fc2ef@mail.gmail.com>
Message-ID: <7801ad8f0608170710h29f694al93435167958da5eb@mail.gmail.com>

On 8/16/06, Tony Stocker wrote:
> On 8/15/06, Kevin Miller wrote:
> > > I have in the spam.whitelist.rules file:
> > >
> > > From: 197.100.235. yes
> >
> > Toss in this line for good measure too:
> >
> > From: 127.0.0. yes
>
> Okay, I've added that line.
>

This seemed to be the trick, thanks very much for the help!

From mike at tc3net.com Thu Aug 17 15:23:48 2006
From: mike at tc3net.com (Michael Baird)
Date: Thu Aug 17 15:16:52 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
Message-ID: <1155824628.18212.10.camel@mike-new2.tc3net.com>

On Thu, 2006-08-17 at 09:11 -0400, Billy A. Pumphrey wrote:
> Does anyone only accept email that will do a reverse lookup? Does
> anyone recommend it?

I use it on all my inbound MX's, it's pretty standard, you won't see any problems using it, all the bigger ISP's implemented it some time ago, and brought the smaller guys into line.

I've been testing http://smfs.sourceforge.net/smf-sav.html this milter as well, on a lower pref MX (Spam Catcher). It goes further than just checking reverse DNS, it also checks whether the domain actually accepts mail, and if it accepts mail for the specified sender.

Regards
Michael Baird

From bbecken at aafp.org Thu Aug 17 15:28:58 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Thu Aug 17 15:29:15 2006
Subject: Some more on AV scanners.
In-Reply-To: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com>
References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com>
Message-ID: <44E436DA.D87E.0068.3@aafp.org>

I installed Norman yesterday. The rpm install was straightforward (rpm -ivh style) and after registering the license key (via command line) you can get the dat file updates. I posted the needed changes for mailwatch to the mailwatch forum yesterday.

I'd like to hear comments from anyone who has been running Norman for a longer period.

Kaspersky... I also have it installed & configured, but I cannot get MailScanner 4.54.6 to use it.

This test works and it detects the eicar virus in the tmp directory.

/usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix /tmp

MailScanner in debug mode has given me nothing informational either. Any suggestions are welcome to troubleshoot this further.

>>> glenn.steen@gmail.com 8/17/2006 9:04 AM >>>

Since bdc has turned into payware, I'm thinking about the alternatives. Today I run with ClamAV, McAfee and BitDefender.

Looking at the list of supported scanners, I'm leaning either toward implementing AVG or Norman. Does anyone have any experience with these two they'd care to share? Or perhaps F-secure or Antivir... same there, what's your experience? Or how about Kaspersky or DrWeb?

The cheapest alternative is likely Panda (buy their cheapest product so that you can get at the updates), but .... I've never particularly liked that one:). Sophos, vexira, f-prot and nod32 seemed a bit steep, which would likely cull them from my list (tightfisted PHB:-). And I just detest Trend, Symantec and CA, so those went out before the start:-).

Going through the list of supported scanners in MailScanner.conf I noted that the URL for Norman points to their German site, which is a bit strange considering they are Norwegian... www.norman.com or www.norman.no would be better... And the link to Command just doesn't seem to work at all. Does it still exist? BTW, I suppose Jules could cull RAV from the list pretty soon too... It's "Microsoft" nowadays, and I couldn't find any *nix scanner at all at their site (rather unsurprising:-).

I've also noted that there are a few(!) scanners we don't support... Would there be any interest in getting a wrapper going for Avast!, Una or some other AV?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Thu Aug 17 15:36:18 2006
From: res at ausics.net (Res)
Date: Thu Aug 17 15:36:29 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com>
References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> <1155824628.18212.10.camel@mike-new2.tc3net.com>
Message-ID:

On Thu, 2006-08-17 at 09:11 -0400, Billy A. Pumphrey wrote:
> Does anyone only accept email that will do a reverse lookup? Does
> anyone recommend it?

Yes and yes, the spam/virus levels dropped 90% once we used it, I have used it for over 7 years with no noticeable collateral damage, one complaint every few months, usually it's for some Aust Govt dept who has useless sysadmin at their hosting provider.

tcpserver use -p and sendmail http://support.ausics.net/require_rdns.m4

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From MailScanner at ecs.soton.ac.uk Thu Aug 17 15:43:03 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 17 15:43:43 2006
Subject: Wiki is sick...
In-Reply-To: <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com>
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com>
Message-ID: <44E48077.7070306@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> On 17/08/06, Res wrote:
>> On Wed, 16 Aug 2006, Scott Silva wrote:
>>
>> >>> my vote is for anything that works faster, it's painful waiting as
>>
>> >> IMO, most wikis are quite slow. Especially if they are more ...
>> >> "featureful" (tikiwiki comes to mind). And most rely on a database,
>> >> which DW doesn't. A case of choosing between the plague and
>> cholera...
>> >> I say stay with the sickness you know:-)
>> >>
>> > I choose hangover! ;-)
>> > Not fun to have, more fun to get, but you only WISH you died from it!
>>
>> I'll pay that one lol
>
> Self-induced sickness..... I always prefer the part before the sickness
> arrives:-).
> If you swing by Stockholm, I'll chip in too, for some practical
> experimentation;-)
>
>> Hmmm on a side note I seem to have lost the responses to my post,
>> this is
>> the first... Michele can you tell me if any list posts to me are
>> bouncing?
>>
> Strange. See them in gmane?
>
> Anyway, a further sidenote... Wiki seems to be on the mend. Rather
> snappy ATM, and no errors... Did you move it Jules?
>

A few db-heavy pages on the WWW2006 conference (which has now finished anyway) have been replaced by static copies of the same information. That helped quite a bit.

www.mailscanner.info is now going to stay at Blacknight Solutions (thanks Michele!). I am probably going to move wiki.mailscanner.info there as well, as his service is rather more reliable than our own (but please don't tell our webmaster this, I don't think he would like it very much!).

The next time we have web server trouble here, I will move it all then. I already have some scripts which need updates and tweaks to them to upload everything to the new site, and switch the rsync to the other way, so that it uses Blacknight as the primary and ECS as the mirror for use in emergencies.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE5IB4EfZZRxQVtlQRApOMAJ9vLLwIwiAcbjlsxhKETWC0VCmkRACfY4Op
Zt8R227/tH1pMwv2TIOVvfE=
=OViT
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Aug 17 16:05:00 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 17 16:05:42 2006
Subject: Hyperlinks
In-Reply-To: <542C4BC20D8CCB49B060ACEBA06A18FBB1571C@exchange.stevenage.local>
References: <542C4BC20D8CCB49B060ACEBA06A18FBB1571C@exchange.stevenage.local>
Message-ID: <44E4859C.6010006@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you can zip or gzip a copy of the email in question, preferably raw queue files if you can, I'll try it on the latest code for you.

Note that I have updated www.phishingnet.info so that it contains the latest description of both of the phishing nets.

Richard Sidlin wrote:
> Hi
>
> I am running MailScanner 4.54.4. When emails come in with hyperlinks
> on, MailScanner puts an extra www at the end of it. How can I stop
> this doing it please?
>
> TIA
>
>
> Richard
>
> --
> This message has been scanned for viruses and
> dangerous content by *Help Internet MailScanner*
> , and is
> believed to be clean.
> For more information call the Help Internet
> sales team now on 08707 446239.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE5IWdEfZZRxQVtlQRArNTAKCZSwiZ4AsYlLfGnpFoGyV6zNnwCwCg4LFN
z/5Yee3fo/MspvgQE/XouTY=
=tgEM
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Aug 17 16:11:16 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 17 16:11:56 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com>
References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> <1155824628.18212.10.camel@mike-new2.tc3net.com>
Message-ID: <44E48714.9050503@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Baird wrote:
>
> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter
> as well, on a lower pref MX (Spam Catcher). It goes further than just
> checking reverse DNS, it also checks whether the domain actually accepts
> mail, and if it accepts mail for the specified sender.
>

When it checks to see if the domain accepts mail, does it try the host that sent out the mail, or does it properly look up the MX record of that domain and check there?

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE5IcUEfZZRxQVtlQRAkH6AJ9BjWl3wBrHJ8BHznYNa+ZQGGseZQCg2BfT
WeNULZl65cGZBg7gQgwdqFw=
=99XZ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From Kevin_Miller at ci.juneau.ak.us Thu Aug 17 16:13:55 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Aug 17 16:13:59 2006
Subject: Whitelisting doesn't appear to work
In-Reply-To: <7801ad8f0608170710h29f694al93435167958da5eb@mail.gmail.com>
Message-ID:

Tony Stocker wrote:
> On 8/16/06, Tony Stocker wrote:
>> On 8/15/06, Kevin Miller wrote:
>>>> I have in the spam.whitelist.rules file:
>>>>
>>>> From: 197.100.235. yes
>>>
>>> Toss in this line for good measure too:
>>>
>>> From: 127.0.0. yes
>>
>> Okay, I've added that line.
>>
>
> This seemed to be the trick, thanks very much for the help!

Excellent. My good deed for the week. Can I go home now?

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From casey at deccio.net Thu Aug 17 16:21:05 2006
From: casey at deccio.net (Casey T. Deccio)
Date: Thu Aug 17 16:21:32 2006
Subject: Training spamassassin Bayes
In-Reply-To:
References:
Message-ID: <1155828065.21022.9.camel@boomerang.ran.sandia.gov>

On Tue, 2006-08-15 at 21:53 -0700, Casey T. Deccio wrote:
> I'm using a Debian system with
> Exim4/MailScanner/Spamassassin/Courier-imap. Using the default
> Spamassassin settings (including auto-learn), about half of the SPAM
> emails were incorrectly classified as ham.
> I recently created a script
> (see below) to run daily as a cron job, but the Spam classification has
> only gotten worse since then. Any ideas?

Okay, let me simplify. Should there be any problem with me doing training using sa-learn as root while also doing auto training (turned on by default--at least in Debian)? Spam classification has gotten extremely poor since I began doing that.

Casey

From damian at workgroupsolutions.com Thu Aug 17 16:28:13 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Thu Aug 17 16:28:18 2006
Subject: Best RBL to use?
Message-ID: <0C941442AC84A8449448BA2207DD4F4D126BD4@core01.workgroupsolutions.com>

Hi,

I would like to stop more of the junk messages at the RBL level (via sendmail.mc). I use SpamCop and Spamhaus SBL+XBL currently but they have had false positives from time to time.

Do the paid subscriptions like Trend Micro RBL+ work better? I know they are very expensive for 1,000 mailboxes.

Any others I should be using?

Thanks,

Damian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060817/e1829e1b/attachment.html

From edwardbruce at sbcglobal.net Thu Aug 17 16:42:57 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Thu Aug 17 16:43:02 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local>
Message-ID: <44E48E81.2040006@sbcglobal.net>

Billy A. Pumphrey wrote:
> Does anyone only accept email that will do a reverse lookup? Does
> anyone recommend it?
>
> Thank you
>

I had this on for awhile, using Postfix, and turned it off. Many of our most important customers have mis-configured MTAs (Exchange of course) using their internal name (always something like exchange.clueless.local).
I only use reject invalid and non-FQDN on HELO and unknown sender domains (they need at least a valid domain in their reply to address). From bpumphrey at WoodMacLaw.com Thu Aug 17 16:42:59 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Thu Aug 17 16:43:06 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E610@woodenex.woodmaclaw.local> > -----Original Message----- > From: Michael Baird [mailto:mike@tc3net.com] > Sent: Thursday, August 17, 2006 10:24 AM > To: MailScanner discussion > Subject: Re: Could Be OT: How many people only accept reverse DNS > lookupmail? > > On Thu, 2006-08-17 at 09:11 -0400, Billy A. Pumphrey wrote: > > Does anyone only accept email that will do a reverse lookup? Does > > anyone recommend it? > > I use it on all my inbound MX's, it's pretty standard, you won't see any > problems using it, all the bigger ISP's implemented it some time ago, > and brought the smaller guys into line. > > I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > as well, on a lower pref MX (Spam Catcher). It goes further then just > checking reverse DNS, it also checks whether the domain actually accepts > mail, and if it accepts mail for the specified sender. > > Regards > Michael Baird > > -- Thank you for everyone's input. I was configuring my Exchange box some and ran across that setting and it came to mind. Sounds like this setting is in the sendmail configuration. I am going to go ahead and configure it. Do you think I should put this setting in sendmail or exchange or both? From Kevin_Miller at ci.juneau.ak.us Thu Aug 17 16:44:31 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 17 16:44:35 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? 
In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com> Message-ID: Michael Baird wrote: > On Thu, 2006-08-17 at 09:11 -0400, Billy A. Pumphrey wrote: >> Does anyone only accept email that will do a reverse lookup? Does >> anyone recommend it? > > I use it on all my inbound MX's, it's pretty standard, you won't see > any problems using it, all the bigger ISP's implemented it some time > ago, and brought the smaller guys into line. Are we talking a milter here, or a sendmail built-in? If it's already in sendmail, what's it called? > I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > as well, on a lower pref MX (Spam Catcher). It goes further then just > checking reverse DNS, it also checks whether the domain actually > accepts mail, and if it accepts mail for the specified sender. Interesting. It's not clear to me from the web page what I need for that. At the bottom it lists "smf-sav v1.2.0 (Aug 15 2006)" and "milter-spamblocker v2.0 (smart Anti Zombie + smart GreyList + cache engine)". Do I need both? Looks like milter-spamblocker is $50 which is not a problem (just an extra hoop to jump through). How does the milter-spamblocker compare with the equivalent snertsoft offerings? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From dave.list at pixelhammer.com Thu Aug 17 16:49:56 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 17 16:50:34 2006 Subject: Training spamassassin Bayes In-Reply-To: <1155828065.21022.9.camel@boomerang.ran.sandia.gov> References: <1155828065.21022.9.camel@boomerang.ran.sandia.gov> Message-ID: <44E49024.2060303@pixelhammer.com> Casey T. Deccio wrote: > On Tue, 2006-08-15 at 21:53 -0700, Casey T. Deccio wrote: >> I'm using a Debian system with >> Exim4/MailScanner/Spamassassin/Courier-imap.
Using the default >> Spamassassin settings (including auto-learn), about half of the SPAM >> emails were incorrectly classified as ham. I recently created a script >> (see below) to run daily as a cron job, but the Spam classification has >> only gotten worse since then. Any ideas? > > Okay, let me simplify. Should there be any problem with me doing > training using sa-learn as root while also doing auto training (turned > on by default--at least in Debian)? Spam classification has gotten > extremely poor since I began doing that. > > Casey > > That is how I have been doing it and no problems so far. Spam tagging is better than ever. This is the first time I've used Bayes and it hasn't been more trouble than it is worth, so I am very happy. I am configured like so, though I will be moving my bayes onto my ramdisk soon.

MailScanner.conf;
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = no

spam.assassin.prefs.conf;
bayes_path /usr/local/etc/MailScanner/bayes/bayes
bayes_file_mode 0770
bayes_auto_learn 1
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information
bayes_ignore_header X-Account_key
bayes_ignore_header X-UIDL
bayes_ignore_header X-Mozilla-Status
bayes_ignore_header X-Mozilla-Status2

Perms are,
bash-2.05b# ls -la | less
total 2462018
drwxr-xr-x 2 root cvs 38912 Aug 17 11:43 .
dr-xr-xr-x 8 root cvs 1024 Aug 8 14:36 ..
-rw----rw- 1 root cvs 10632 Aug 17 11:45 bayes.mutex
-rw-rw---- 1 root cvs 78120 Aug 17 11:45 bayes_journal
-rw-rw---- 1 root cvs 10190848 Aug 17 11:45 bayes_seen
-rw-rw---- 1 root cvs 10174464 Aug 17 11:45 bayes_toks

What does your reporting say? If you train a "insert favorite spam here" message and then see more of them come through later are they showing Bayes scores? DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day.
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mike at tc3net.com Thu Aug 17 16:58:37 2006 From: mike at tc3net.com (Michael Baird) Date: Thu Aug 17 16:51:43 2006 Subject: Could Be OT: How many people only accept reverse DNS lookup mail? In-Reply-To: <44E48714.9050503@ecs.soton.ac.uk> References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> <1155824628.18212.10.camel@mike-new2.tc3net.com> <44E48714.9050503@ecs.soton.ac.uk> Message-ID: <1155830317.18212.27.camel@mike-new2.tc3net.com> On Thu, 2006-08-17 at 16:11 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Michael Baird wrote: > > > > I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > > as well, on a lower pref MX (Spam Catcher). It goes further then just > > checking reverse DNS, it also checks whether the domain actually accepts > > mail, and if it accepts mail for the specified sender. > > > When it checks to see if the domain accepts mail, does it try the host > that sent out the mail, or does it properly look up the MX record of > that domain and check there? From the author's site. It's a lite alternative for the spamilter, milter-sender and milter-ahead milters. It's written in C.

- external configuration file;
- friendly hosts/networks whitelist;
- SMTP AUTH support;
- strictly RFC-2821 compliant MX callback engine;
- tolerance against non RFC-2821 compliant e-Mail servers;
- blocking of e-Mail messages with a spoofed sender's e-Mail address;
- recipient's e-Mail address verification with an authoritative e-Mail store;
- slow down of recipient's e-Mail address brute force attacks;
- Sendmail virtusertable and mailertable features support.

It is very new, I've only been running it 2 days. It has rejected approximately 40% of the inbound mails on my test/spamtrap box, running after greylist-milter.
It also can test your own relays if you wanted to use instead of milter-ahead. Essentially it serves the same purpose as milter-sender/milter-ahead, in one small simple milter. Regards Michael Baird From glenn.steen at gmail.com Thu Aug 17 16:54:28 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 17 16:54:31 2006 Subject: Some more on AV scanners. In-Reply-To: <44E436DA.D87E.0068.3@aafp.org> References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com> <44E436DA.D87E.0068.3@aafp.org> Message-ID: <223f97700608170854p1c1663b7g2d65931604b97388@mail.gmail.com> On 17/08/06, Brad Beckenhauer wrote: > I install Norman yesterday. The rpm install was straight forward (rpm > -ivh style) and after registering the license key (via command line) you > can get the dat file updates. I posted the needed changes for mailwatch > to the mailwatch forum yesterday. I'd like to hear comments from anyone > who has been running Norman for a longer period. Good info, thanks. I too am most interested in a bit of "long term use" stories. > Kaspersky... I also have it installed & configured, but I cannot get > MailScanner 4.54.6 to use it. > > This test works and it detects the eicar virus in the tmp directory. > /usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix /tmp > > MailScanner in debug mode has given me nothing informational either. > Any suggestions are welcome to troubleshoot this further. > Can't really help you there, since I've never used Kaspersky. I suppose you've looked at the wiki page(s) for it? Also, if MS uses any command line options, you should tag them on last on the commandline for the wrapper. I'm not at work (and too lazy to connect and check:-) so I can't really tell if it does. Look through SweepViruses.pm for the init function for kav.... Should detail any options. > >>> glenn.steen@gmail.com 8/17/2006 9:04 AM >>> > Since bdc has turned into payware, I'm thinking about the > alternatives. 
> Today I run with ClamAV, McAfee and BitDefender. > > Looking at the list of supported scanners, I'm leaning either toward > implementing AVG or Norman. Does anyone have any experience with these > two they'd care to share? > Or perhaps F-secure or Antivir... same there, what's your experience? > Or how about Kaspersky or DrWeb? > > The cheapest alternative is likely Panda (buy their cheapest product > so that you can get at the updates), but .... I've never particularly > liked that one:). > > Sophos, vexira, f-prot and nod32 seemed a bit steep, which would > likely cull them from my list (tightfisted PHB:-). And I just detest > Trend, Symantec and CA, so those went out before the start:-). > > Going through the list of supported scanners in MailScanner.conf I > noted that the URL for Norman points to their German site, which is a > bit strange considering they are Norwegian... www.norman.com or > www.norman.no would be better... And the link to Command just doesn't > seem to work at all. Does it still exist? > BTW, I suppose Jules could cull RAV from the list pretty soon too... > It's "Microsoft" nowadays, and I couldn't find any *nix scanner at all > at their site (rather unsurprising:-). > > I've also noted that there are a few(!) scanners we don't support... > Would there be any interest in getting a wrapper going for Avast!, Una > or some other AV? > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel.maher at ubisoft.com Thu Aug 17 16:58:25 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 17 16:58:28 2006 Subject: Best RBL to use? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0F4@UBIMAIL1.ubisoft.org> We use TrendMicro's RBL service here. It costs a little more than a dollar (USD) per mailbox, per year, though you can use it from as many MX servers as you want. We've found it to be quite reliable. To be honest, I don't think that we'd go back to using a free service at this point. Of course, that's just our experience - ymmv. -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Damian Mendoza Sent: August 17, 2006 11:28 AM To: mailscanner@lists.mailscanner.info Subject: Best RBL to use? Hi, I would like to stop more of the junk messages at the RBL level (via sendmail.mc). I use SpamCop and Spamhaus SBL+XBL currently but they have had false positives from time to time. Do the paid subscriptions like Trend Micro RBL+ work better? I know they are very expensive for 1,000 mailboxes. Any others I should be using? Thanks, Damian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060817/28a1ddf0/attachment.html From jaearick at colby.edu Thu Aug 17 16:53:20 2006 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Thu Aug 17 16:59:53 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E610@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E610@woodenex.woodmaclaw.local> Message-ID: I put require_rdns.m4 back into my sendmail .cf files this morning and turned this back on. My previous test was on 6/6/2005, over a year ago. I warned our Helpdesk and I'm waiting for my phone to start screaming... Jeff Earickson Colby College On Thu, 17 Aug 2006, Billy A. Pumphrey wrote: > Date: Thu, 17 Aug 2006 11:42:59 -0400 > From: Billy A. Pumphrey > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: RE: Could Be OT: How many people only accept reverse DNS lookupmail? > > >> -----Original Message----- >> From: Michael Baird [mailto:mike@tc3net.com] >> Sent: Thursday, August 17, 2006 10:24 AM >> To: MailScanner discussion >> Subject: Re: Could Be OT: How many people only accept reverse DNS >> lookupmail? >> >> On Thu, 2006-08-17 at 09:11 -0400, Billy A. Pumphrey wrote: >>> Does anyone only accept email that will do a reverse lookup? Does >>> anyone recommend it? >> >> I use it on all my inbound MX's, it's pretty standard, you won't see > any >> problems using it, all the bigger ISP's implemented it some time ago, >> and brought the smaller guys into line. >> >> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter >> as well, on a lower pref MX (Spam Catcher). It goes further then just >> checking reverse DNS, it also checks whether the domain actually > accepts >> mail, and if it accepts mail for the specified sender. >> >> Regards >> Michael Baird >> >> -- > > Thank you for everyone's input. I was configuring my Exchange box some > and ran across that setting and it came to mind. Sounds like this > setting is in the sendmail configuration. I am going to go ahead and > configure it. 
> > Do you think I should put this setting in sendmail or exchange or both? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ssilva at sgvwater.com Thu Aug 17 17:26:57 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 17 17:27:24 2006 Subject: Wiki is sick... In-Reply-To: <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com> References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/17/2006 1:42 AM: > On 17/08/06, Res wrote: >> On Wed, 16 Aug 2006, Scott Silva wrote: >> >> >>> my vote is for anything that works faster, its painfull waiting as >> >> >> IMO, most wikis are quite slow. Especially if they are more ... >> >> "featureful" (tikiwiki comes to mind). And most relies on a database, >> >> which DW doesn't. A case of choosing between the plague and cholera... >> >> I say stay with the sickness you know:-) >> >> >> > I choose hangover! ;-) >> > Not fun to have, more fun to get, but you only WISH you died from it! >> >> I'll pay that one lol > > Selfinduced sickness..... I always prefer the part before the sickness > arrives:-). Always much more fun! > If you swing by Stockholm, I'll chip in too, for some practical > experimentation;-) I have trouble getting out of town, so out of the country would be a chore!! How many side jobs does it take to get a round trip ticket from the west coast of the US to Stockholm? And since 90 percent of the side jobs I get are for spyware and viruses, Julian is really helping me to stay in town!! 
;-) > >> Hmmm on a side note I seem to have lost the responses to my post, this is >> the first... Michele can you tell me if any list posts to me are >> bouncing? >> > Strange. See them in gmane? > > Anyway, a further sidenote... Wiki seems to be on the mend. Rather > snappy ATM, and no errors... Did you move it Jules? > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From martinh at solid-state-logic.com Thu Aug 17 17:31:39 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Thu Aug 17 17:31:48 2006 Subject: Best RBL to use? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0F4@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0F4@UBIMAIL1.ubisoft.org> Message-ID: <44E499EB.30306@solid-state-logic.com> Daniel Maher wrote: > We use TrendMicro's RBL service here. It costs a little more than a > dollar (USD) per mailbox, per year, though you can use it from as many > MX servers as you want. We've found it to be quite reliable. To be > honest, I don't think that we'd go back to using a free service at this > point. > > > > Of course, that's just our experience - ymmv. > > > > > > -- > > _ > °v° Daniel Maher > /(_)\ Administrateur Système Unix > > ^ ^ Unix System Administrator > > > > //Sentio aliquos togatos contra me conspirare.// > > ------------------------------------------------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Damian Mendoza > *Sent:* August 17, 2006 11:28 AM > *To:* mailscanner@lists.mailscanner.info > *Subject:* Best RBL to use? > > > > Hi, > > > > I would like to stop more of the junk messages at the RBL level (via > sendmail.mc). I use SpamCop and Spamhaus SBL+XBL currently but they have > had false positives from time to time. Do the paid subscriptions like > Trend Micro RBL+ work better? I know they are very expensive for 1,000 > mailboxes.
> > > > Any others I should be using? > > > > > > Thanks, > > > > Damian > I find the URI-RBLs in Spamassassin more useful at blocking spam, but I still use Sorbs and the spamhaus offerrings. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From casey at deccio.net Thu Aug 17 17:40:05 2006 From: casey at deccio.net (Casey T. Deccio) Date: Thu Aug 17 17:40:32 2006 Subject: Training spamassassin Bayes In-Reply-To: <44E49024.2060303@pixelhammer.com> References: <1155828065.21022.9.camel@boomerang.ran.sandia.gov> <44E49024.2060303@pixelhammer.com> Message-ID: <1155832805.21022.38.camel@boomerang.ran.sandia.gov> On Thu, 2006-08-17 at 11:49 -0400, DAve wrote: > Casey T. Deccio wrote: > > Should there be any problem with me doing > > training using sa-learn as root while also doing auto training (turned > > on by default--at least in Debian)? Spam classification has gotten > > extremely poor sincne I began doing that. > > > > > spam.assassin.prefs.conf; > bayes_path /usr/local/etc/MailScanner/bayes/bayes > bayes_file_mode 0770 > bayes_auto_learn 1 > bayes_ignore_header X-MailScanner > bayes_ignore_header X-MailScanner-SpamCheck > bayes_ignore_header X-MailScanner-SpamScore > bayes_ignore_header X-MailScanner-Information > bayes_ignore_header X-Account_key > bayes_ignore_header X-UIDL > bayes_ignore_header X-Mozilla-Status > bayes_ignore_header X-Mozilla-Status2 > MailScanner.conf seems to be okay. 
However, in spam.assassin.prefs.conf I seem to have had my bayes_ignore_header lines misconfigured, so they didn't match the X-MailScanner-* headers in MailScanner.conf. Could this be tainting my spam training (significantly)? If so, do I need to clear out the old data from my bayes database and start over? Also, should I add certain client headers to this list (e.g., evolution, mozilla, or whatever)? > Perms are, > bash-2.05b# ls -la | less > total 2462018 > drwxr-xr-x 2 root cvs 38912 Aug 17 11:43 . > dr-xr-xr-x 8 root cvs 1024 Aug 8 14:36 .. > -rw----rw- 1 root cvs 10632 Aug 17 11:45 bayes.mutex > -rw-rw---- 1 root cvs 78120 Aug 17 11:45 bayes_journal > -rw-rw---- 1 root cvs 10190848 Aug 17 11:45 bayes_seen > -rw-rw---- 1 root cvs 10174464 Aug 17 11:45 bayes_toks bash-2.05b# ls -la | less -rw------- 1 Debian-exim Debian-exim 651264 2006-08-17 09:21 auto-whitelist -rw-rw-rw- 1 root root 27084 2006-08-17 06:31 bayes.mutex -rw------- 1 Debian-exim Debian-exim 1290240 2006-08-17 07:41 bayes_seen -rw------- 1 Debian-exim Debian-exim 10522624 2006-08-17 09:29 bayes_toks -rw------- 1 Debian-exim Debian-exim 1294336 2006-07-21 17:46 bayes_toks.expire10036 -rw------- 1 Debian-exim Debian-exim 1409024 2006-07-17 09:16 bayes_toks.expire10080 -rw------- 1 Debian-exim Debian-exim 1445888 2006-07-15 01:11 bayes_toks.expire10092 ... [many more bayes_toks.expire* files] > > What does your reporting say? If you train a "insert favorite spam here" > message and then see more of them come through later are they showing > Bayes scores? At first glance no, but I'll need to monitor from here out to see. Casey From ssilva at sgvwater.com Thu Aug 17 17:39:59 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 17 17:41:16 2006 Subject: Some more on AV scanners. 
In-Reply-To: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com> References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/17/2006 7:04 AM: > Since bdc has turned into payware, I'm thinking about the alternatives. > Today I run with ClamAV, McAfee and BitDefender. > > Looking at the list of supported scanners, I'm leaning either toward > implementing AVG or Norman. Does anyone have any experience with these > two they'd care to share? > Or perhaps F-secure or Antivir... same there, what's your experience? > Or how about Kaspersky or DrWeb? > > The cheapest alternative is likely Panda (buy their cheapest product > so that you can get at the updates), but .... I've never particularly > liked that one:). > > Sophos, vexira, f-prot and nod32 seemed a bit steep, which would > likely cull them from my list (tightfisted PHB:-). And I just detest > Trend, Symantec and CA, so those went out before the start:-). > > Going through the list of supported scanners in MailScanner.conf I > noted that the URL for Norman points to their German site, which is a > bit strange considering they are Norwegian... www.norman.com or > www.norman.no would be better... And the link to Command just doesn't > seem to work at all. Does it still exist? > BTW, I suppose Jules could cull RAV from the list pretty soon too... > It's "Microsoft" nowadays, and I couldn't find any *nix scanner at all > at their site (rather unsurprising:-). > > I've also noted that there are a few(!) scanners we don't support... > Would there be any interest in getting a wrapper going for Avast!, Una > or some other AV? > I have been trying to get some response from Bitdefender, and so far it looks like the free version should continue to work for the foreseeable future, but could not get any real idea when they would "break" it. So if you have it, it should be ok for the short to mid term while you look. -- MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!! From ka at pacific.net Thu Aug 17 17:44:53 2006 From: ka at pacific.net (Ken A) Date: Thu Aug 17 17:43:51 2006 Subject: Best RBL to use? In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D126BD4@core01.workgroupsolutions.com> References: <0C941442AC84A8449448BA2207DD4F4D126BD4@core01.workgroupsolutions.com> Message-ID: <44E49D05.4090806@pacific.net> I'd drop spamcop in favor of dsbl.org in your sendmail.mc. If you want to stop more spam in your mta, try milter-link (snertsoft) with black.uribl.com, sc.surbl.org and ph.surbl.org.. amazing stuff! milter-p0f is quite interesting too - for bumping up SA scores of connecting windows boxes. These work well for us with very low fp rates. Ken Anderson Pacific.Net Damian Mendoza wrote: > Hi, > > > > I would like to stop more of the junk messages at the RBL level (via > sendmail.mc). I use SpamCop and Spamhaus SBL+XBL currently but they have > had false positives from time to time. Do the paid subscriptions like > Trend Micro RBL+ work better? I know they are very expensive for 1,000 > mailboxes. > > > > Any others I should be using? > > > > > > Thanks, > > > > Damian > > > From bpumphrey at WoodMacLaw.com Thu Aug 17 17:45:00 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Thu Aug 17 17:45:03 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E66B@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson > Sent: Thursday, August 17, 2006 11:53 AM > To: MailScanner discussion > Subject: RE: Could Be OT: How many people only accept reverse DNS > lookupmail? > > I put require_rdns.m4 back into my sendmail .cf files this morning > and turned this back on. My previous test was on 6/6/2005, over > a year ago. 
I warned our Helpdesk and I'm waiting for my phone > to start screaming... > > Jeff Earickson > Colby College > Will you help me get require_rdns.m4 up and running. My thoughts so far:

Download it at http://www.cs.niu.edu/%7Erickert/cf/hack/require_rdns.m4
Put it in /etc/mail/spamassassin
Restart MailScanner

Is this correct? Thank you From dave.list at pixelhammer.com Thu Aug 17 18:21:45 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 17 18:22:21 2006 Subject: Training spamassassin Bayes In-Reply-To: <1155832805.21022.38.camel@boomerang.ran.sandia.gov> References: <1155828065.21022.9.camel@boomerang.ran.sandia.gov> <44E49024.2060303@pixelhammer.com> <1155832805.21022.38.camel@boomerang.ran.sandia.gov> Message-ID: <44E4A5A9.5020401@pixelhammer.com> Casey T. Deccio wrote: > On Thu, 2006-08-17 at 11:49 -0400, DAve wrote: >> Casey T. Deccio wrote: >>> Should there be any problem with me doing >>> training using sa-learn as root while also doing auto training (turned >>> on by default--at least in Debian)? Spam classification has gotten >>> extremely poor since I began doing that. >>> >>> > >> spam.assassin.prefs.conf; >> bayes_path /usr/local/etc/MailScanner/bayes/bayes >> bayes_file_mode 0770 >> bayes_auto_learn 1 >> bayes_ignore_header X-MailScanner >> bayes_ignore_header X-MailScanner-SpamCheck >> bayes_ignore_header X-MailScanner-SpamScore >> bayes_ignore_header X-MailScanner-Information >> bayes_ignore_header X-Account_key >> bayes_ignore_header X-UIDL >> bayes_ignore_header X-Mozilla-Status >> bayes_ignore_header X-Mozilla-Status2 >> > > MailScanner.conf seems to be okay. However, in spam.assassin.prefs.conf > I seem to have had my bayes_ignore_header lines misconfigured, so they > didn't match the X-MailScanner-* headers in MailScanner.conf. I have those because I train from a Thunderbird mbox, I don't want bayes to learn those headers. YMMV. > > Could this be tainting my spam training (significantly)?
If so, do I > need to clear out the old data from my bayes database and start over? Someone with more Bayes experience would have to answer that, but I would think it is certainly not helping if bayes is making tokens out of your MailScanner headers. > > Also, should I add certain client headers to this list (e.g., evolution, > mozilla, or whatever)? Only add the headers you want Bayes to ignore. So it depends on the messages you train with. If you only use autolearning then I would think no. > >> Perms are, >> bash-2.05b# ls -la | less >> total 2462018 >> drwxr-xr-x 2 root cvs 38912 Aug 17 11:43 . >> dr-xr-xr-x 8 root cvs 1024 Aug 8 14:36 .. >> -rw----rw- 1 root cvs 10632 Aug 17 11:45 bayes.mutex >> -rw-rw---- 1 root cvs 78120 Aug 17 11:45 bayes_journal >> -rw-rw---- 1 root cvs 10190848 Aug 17 11:45 bayes_seen >> -rw-rw---- 1 root cvs 10174464 Aug 17 11:45 bayes_toks > > bash-2.05b# ls -la | less > -rw------- 1 Debian-exim Debian-exim 651264 2006-08-17 09:21 > auto-whitelist > -rw-rw-rw- 1 root root 27084 2006-08-17 06:31 > bayes.mutex > -rw------- 1 Debian-exim Debian-exim 1290240 2006-08-17 07:41 > bayes_seen > -rw------- 1 Debian-exim Debian-exim 10522624 2006-08-17 09:29 > bayes_toks > -rw------- 1 Debian-exim Debian-exim 1294336 2006-07-21 17:46 > bayes_toks.expire10036 > -rw------- 1 Debian-exim Debian-exim 1409024 2006-07-17 09:16 > bayes_toks.expire10080 > -rw------- 1 Debian-exim Debian-exim 1445888 2006-07-15 01:11 > bayes_toks.expire10092 > ... > [many more bayes_toks.expire* files] Where is your bayes_journal? Also, if you have lots of bayes_toks.expire files it is because you have SA trying to expire bayes and it doesn't finish in time. See the MailScanner spam.assassin.prefs.conf file for an explanation. You need to set bayes_auto_expire. # When using the scheduled Bayes expiry feature, in MailScanner.conf # you probably want to turn off auto-expiry in SpamAssassin as it will # rarely complete before it is killed for taking too long. 
# You will just end up with
# MailScanner: big bayes_toks.new files
# wasting space.
bayes_auto_expire 0

> >> What does your reporting say? If you train a "insert favorite spam here" >> message and then see more of them come through later are they showing >> Bayes scores? > > At first glance no, but I'll need to monitor from here out to see. > > Casey > > DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mailscanner at mango.zw Thu Aug 17 18:11:11 2006 From: mailscanner at mango.zw (Jim Holland) Date: Thu Aug 17 18:23:24 2006 Subject: Could Be OT: How many people only accept reverse DNS lookup mail? In-Reply-To: Message-ID: On Thu, 17 Aug 2006, Jeff A. Earickson wrote: > I have tried this with sendmail using the require_rdns.m4 hack from Neil > Rickert a couple of times in the past, for brief periods (less than one > day). The damage was too great IMHO. I tried it once a couple of years > ago, and then again a few months ago shortly after AOL announced that > they would enforce this in their email policies. > > After a few months of AOL beating the world into shape, maybe it is time > to revisit this issue again... I have used the require_rdns.m4 hack for some months now, but found too many problems with the default configuration that gives a 550 error to systems without valid PTR records (there are too many non-compliant systems in Southern Africa). I therefore edited it to give 451 responses for all three categories:

    no reverse DNS
    unable to resolve PTR record
    possibly forged hostname

The result of that is that most genuine systems that are blocked will then deliver shortly afterwards to our secondary MX, which does not implement RDNS checks. Spammers mostly give up at that point and don't even try the secondary MX.
Note however that there may be genuine systems that won't try again - probably the use of one of the standard whitelists from a greylisting package would be useful here (as greylists also use the 451 response). However I would expect that many (most?) of the major systems that have problems with greylisting (eg Yahoo, Gmail etc) would be RDNS compliant. As soon as non-compliant but genuine systems are identified, they are added to the sendmail access file with an rdns entry to whitelist them. (We send out a daily notification to our users with a list of all blocked mail, separately from the daily MailScanner notifications we send out.) This setup is specific to our situation, where we have a secondary MX under our control and where the secondary doesn't run RDNS checks. If they both ran RDNS checks I think we would definitely lose too much genuine mail. The total of incoming messages blocked by the RDNS checks is equivalent in number to around 30% of the number of messages we actually accept for delivery. In the beginning it was much higher (due to false positives), until we got the whitelisting right. Compare that with the greet-pause checks, whose ratio of blocked incoming connections to accepted messages is around 60%. With all these eliminated, MailScanner blocks a ratio of 15% to the number of accepted messages. Sorry for the messy way of expressing the percentages, but that is the simplest for now, and doesn't take into account other mail blocked at MTA level for other reasons. 
At some stage it would be useful to have some kind of consistent formula to express the overall percentages of blocked mail, but it is complicated because blocking can be done on the basis of:

    Connections blocked by the firewall or routing tables (for really annoying systems such as the one that has made 50,000 attempts so far to deliver the same two messages from May up to today)
    Connections blocked by the MTA (sendmail):
        Servers blocked by the greet-pause feature (so no data is recorded for sender or recipient)
    Mail blocked by the MTA:
        Blocked by the RDNS checks
        Blacklisted servers, domains and addresses
        Throttled by excessive connections, rates etc
        Mail to invalid recipients
    Mail blocked/quarantined by MailScanner
        Spam
        Viruses/Phishing attacks etc
        Other blacklisted mail

What should be the base figure for percentages? Incoming connections? Incoming senders? Local recipients? But this is getting further OT.

In conclusion, I think that RDNS checking has great potential, but needs more development, eg:

    Pre-configured whitelist (as for greylist packages) that can be updated automatically from an external source
    Use 451 errors only
    Temporarily whitelist systems that resend after a reasonable interval (using the same logic as for greylisting triplets)

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

> On Thu, 17 Aug 2006, Billy A. Pumphrey wrote:
>
> > Date: Thu, 17 Aug 2006 09:11:51 -0400
> > From: Billy A. Pumphrey
> > Reply-To: MailScanner discussion
> > To: MailScanner discussion
> > Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
> >
> > Does anyone only accept email that will do a reverse lookup? Does
> > anyone recommend it?
> > > > Thank you > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > From mailscanner at mango.zw Thu Aug 17 18:25:12 2006 From: mailscanner at mango.zw (Jim Holland) Date: Thu Aug 17 18:28:27 2006 Subject: Best RBL to use? In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D126BD4@core01.workgroupsolutions.com> Message-ID: On Thu, 17 Aug 2006, Damian Mendoza wrote: > I would like to stop more of the junk messages at the RBL level (via > sendmail.mc). I use SpamCop and Spamhaus SBL+XBL currently but they have > had false positives from time to time. Do the paid subscriptions like > Trend Micro RBL+ work better? I know they are very expensive for 1,000 > mailboxes. > > Any others I should be using? We use dnsbl.net.au (see http://www.dnsbl.net.au/) and are very pleased with it. It is also a commercial package (although free for approved not for profits and individuals). However we found it a little aggressive at the MTA level, and therefore now use it only with MailScanner. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From jaearick at colby.edu Thu Aug 17 18:34:52 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 17 18:40:37 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E66B@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E66B@woodenex.woodmaclaw.local> Message-ID: On Thu, 17 Aug 2006, Billy A. Pumphrey wrote: > Date: Thu, 17 Aug 2006 12:45:00 -0400 > From: Billy A. Pumphrey > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: RE: Could Be OT: How many people only accept reverse DNS lookupmail? 
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
>> Sent: Thursday, August 17, 2006 11:53 AM
>> To: MailScanner discussion
>> Subject: RE: Could Be OT: How many people only accept reverse DNS
>> lookupmail?
>>
>> I put require_rdns.m4 back into my sendmail .cf files this morning
>> and turned this back on. My previous test was on 6/6/2005, over
>> a year ago. I warned our Helpdesk and I'm waiting for my phone
>> to start screaming...
>>
>> Jeff Earickson
>> Colby College
>>
>
> Will you help me get require_rdns.m4 up and running. My thoughts so
> far:
>
> Download it at http://www.cs.niu.edu/%7Erickert/cf/hack/require_rdns.m4
> Put it in /etc/mail/spamassassin
> Restart MailScanner
>
> Is this correct?

Nyet!! The m4 file goes in your sendmail-8.x.x/cf/hack subdirectory. Then you reference the m4 file in your sendmail.mc file, like so:

    HACK(require_rdns,`REJECT')

Then you rebuild your sendmail.cf file from your sendmail.mc file like so:

    M4=/usr/local/bin/m4
    CF=/usr/local/src/mail/sendmail/sendmail-8.13.8/cf
    $M4 -D_CF_DIR_=${CF}/ ${CF}/m4/cf.m4 sendmail.mc > sendmail.cf

Then you save a copy of your old /etc/mail/sendmail.cf file, put the new one in place, restart sendmail, and watch your logs to see what happens.

This whole thing is a sendmail tweak, and has nothing to do with MailScanner at all. Tread carefully, and consult your copy of the Bat Book.

Jeff Earickson
Colby College

From michele at blacknight.ie Thu Aug 17 18:47:22 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Thu Aug 17 18:47:32 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To:
References:
Message-ID: <44E4ABAA.603@blacknight.ie>

Jim Holland wrote:
However I would expect that many (most?) of the major systems
> that have problems with greylisting (eg Yahoo, Gmail etc) would be RDNS
> compliant.
> Our solution to that was to whitelist the netblocks that gmail use .. their main issue wasn't that they didn't "comply" with greylisting, but do some kind of load-balancing on the outbound mail, so the same mail could "try" from several IPs... and never graduate to a whitelist -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From jase at sensis.com Thu Aug 17 18:47:51 2006 From: jase at sensis.com (Desai, Jason) Date: Thu Aug 17 18:48:52 2006 Subject: Could Be OT: How many people only accept reverse DNS lookup mail? Message-ID: <1951DC816E1A9F469307B05FA183F43852225A@corpatsmail1.corp.sensis.com> > Does anyone only accept email that will do a reverse lookup? Does > anyone recommend it? We don't drop connections without reverse lookups, but using acl's in exim we do give them a larger delay (similar to sendmail's greetpause). Jase From alex at nkpanama.com Thu Aug 17 19:05:16 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 17 19:05:53 2006 Subject: MailScanner load In-Reply-To: <004e01c6c171$611d1940$0705000a@DDF5DW71> References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> Message-ID: <44E4AFDC.9000803@nkpanama.com> Steve Campbell wrote: > Decided to make an intelligent statement this time: > > One thing I did find to lower my load average, though, was MimeDefang in > a look-ahead environment. Would be interesting to include a small article in the wiki about how to do this, since some people might want a free alternative to milter-ahead. 
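Added example, not part of any list message and not code from require_rdns.m4: a Python sketch of the reverse-DNS decision discussed in this thread, covering the three categories Jim Holland lists, his 451-for-all policy, whitelisting by leading octets, and a log-only dry-run mode. The function names, lookup tables, addresses and reply wording are constructed for illustration.

```python
"""Reverse-DNS admission check: classify, apply policy, whitelist, dry-run."""


class TempFail(Exception):
    """A lookup function raises this when DNS answers with a temporary failure."""


OK = "ok"
NO_RDNS = "no reverse DNS"
UNRESOLVED = "unable to resolve PTR record"
FORGED = "possibly forged hostname"

# Policy described in the thread: temporary 451 for all three categories, so a
# legitimate sender retries (or moves on to a secondary MX).
TEMPFAIL_ALL = {NO_RDNS: 451, UNRESOLVED: 451, FORGED: 451}
# Constructed stricter policy for comparison: permanent 550 when no PTR exists.
REJECT_NO_RDNS = {NO_RDNS: 550, UNRESOLVED: 451, FORGED: 451}


def classify(ip, ptr_lookup, addr_lookup):
    """Return OK or one of the three failure categories for a client address.

    ptr_lookup(ip) returns a list of hostnames, addr_lookup(name) a list of
    addresses; either may raise TempFail.
    """
    try:
        names = ptr_lookup(ip)
    except TempFail:
        return UNRESOLVED
    if not names:
        return NO_RDNS
    try:
        # Forward-confirm: some PTR name must resolve back to the client.
        confirmed = any(ip in addr_lookup(name) for name in names)
    except TempFail:
        # Assumption: a failed forward lookup is treated like a failed PTR lookup.
        return UNRESOLVED
    return OK if confirmed else FORGED


def whitelisted(ip, prefixes):
    """Match whole leading octets only, so "192.168.4" does not cover 192.168.47.x."""
    return any(ip == p or ip.startswith(p + ".") for p in prefixes)


def decide(ip, ptr_lookup, addr_lookup, policy=TEMPFAIL_ALL, whitelist=(),
           dry_run=False):
    """Return (smtp_reply, log_line); smtp_reply is None when mail is accepted."""
    if whitelisted(ip, whitelist):
        return None, f"rdns: {ip} whitelisted"
    verdict = classify(ip, ptr_lookup, addr_lookup)
    if verdict == OK:
        return None, f"rdns: {ip} ok"
    code = policy[verdict]
    status = "5.7.1" if code >= 500 else "4.7.1"
    reply = f"{code} {status} RDNS: Fix reverse DNS for {ip} ({verdict})"
    if dry_run:
        # Log what would have happened, but let the message through.
        return None, f"rdns: dry-run, would send: {reply}"
    return reply, f"rdns: {reply}"


# Constructed DNS data (documentation address ranges) so the example runs offline.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org"], "192.0.2.20": ["mx.forged.example"]}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"], "mx.forged.example": ["203.0.113.99"]}
SAMPLE_TEMPFAIL = {"198.51.100.7"}


def sample_ptr(ip):
    """Constructed PTR lookup: temporary failure for one address, else table."""
    if ip in SAMPLE_TEMPFAIL:
        raise TempFail(ip)
    return SAMPLE_PTR.get(ip, [])


def sample_addr(name):
    """Constructed forward lookup."""
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.7"):
        print(decide(client, sample_ptr, sample_addr, dry_run=True)[1])
```
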
From ssilva at sgvwater.com Thu Aug 17 19:24:34 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Aug 17 19:25:25 2006
Subject: MailScanner load
In-Reply-To: <44E4AFDC.9000803@nkpanama.com>
References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk> <004e01c6c171$611d1940$0705000a@DDF5DW71> <44E4AFDC.9000803@nkpanama.com>
Message-ID:

Alex Neuman van der Hans spake the following on 8/17/2006 11:05 AM:
> Steve Campbell wrote:
>> Decided to make an intelligent statement this time:
>>
>> One thing I did find to lower my load average, though, was MimeDefang
>> in a look-ahead environment.
> Would be interesting to include a small article in the wiki about how to
> do this, since some people might want a free alternative to milter-ahead.

I am going to give Mimedefang a shot this week, with help I got from Steve. IF I am successful, I'll get something in the wiki, as long as I can remember my login!

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Thu Aug 17 19:43:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 17 19:43:18 2006
Subject: Some more on AV scanners.
In-Reply-To:
References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com>
Message-ID: <223f97700608171143k49799f46y95b74e4677c374b5@mail.gmail.com>

On 17/08/06, Scott Silva wrote:
(snip)
> I have been trying to get some response from Bitdefender, and so far it looks
> like the free version should continue to work for the foreseeable future, but
> could not get any real idea when they would "break" it. So if you have it, it
> should be ok for the short to mid term while you look.
>
My thought exactly, Scott. No rush, but...
Since I happen to have a smidgen of time over this week, and might be severely out of time the next couple of weeks/months (new network (hp 3500:s and 5412/5406:s) and rebuilding the storage for the db servers and implementing a new VPN and starting the work on purchasing new db servers altogether and updating oracle and... generally running around in little circles to keep everyone happy... sigh), I thought it a good idea to start looking now:-). Appreciate the input though.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 17 19:56:20 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 17 19:56:24 2006
Subject: Wiki is sick...
In-Reply-To:
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com>
Message-ID: <223f97700608171156s5c206dcet4d242138852f96e2@mail.gmail.com>

Seriously off-topic below. You've been warned:-).

On 17/08/06, Scott Silva wrote:
> Glenn Steen spake the following on 8/17/2006 1:42 AM:
> > On 17/08/06, Res wrote:
> >> On Wed, 16 Aug 2006, Scott Silva wrote:
> >>
> >> >>> my vote is for anything that works faster, it's painful waiting as
> >>
> >> >> IMO, most wikis are quite slow. Especially if they are more ...
> >> >> "featureful" (tikiwiki comes to mind). And most rely on a database,
> >> >> which DW doesn't. A case of choosing between the plague and cholera...
> >> >> I say stay with the sickness you know:-)
> >> >>
> >> > I choose hangover! ;-)
> >> > Not fun to have, more fun to get, but you only WISH you died from it!
> >>
> >> I'll pay that one lol
> >
> > Self-induced sickness..... I always prefer the part before the sickness
> > arrives:-).
>
> Always much more fun!
> >
> > If you swing by Stockholm, I'll chip in too, for some practical
> > experimentation;-)
>
> I have trouble getting out of town, so out of the country would be a chore!!
> How many side jobs does it take to get a round trip ticket from the west coast
> of the US to Stockholm?

Not sure... about 5000 - 10000 SEK (approximately 7 SEK per dollar), I'd guess (if the air fares are pretty consistently priced in that direction. You'd likely go by way of Seattle or Chicago over the arctic region)... All depends on how many $$$ you average/side job:-)

> And since 90 percent of the side jobs I get are for spyware and viruses,
> Julian is really helping me to stay in town!! ;-)

*chuckle*
Well, you could always just tip one for me next time you pass by a pub/bar:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jaearick at colby.edu Thu Aug 17 20:17:46 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 17 20:18:36 2006
Subject: require_rdns.m4 (Was Require RDNS?)
Message-ID:

Gang,

I rolled out require_rdns.m4 this morning and my phone is starting to ring. I have discovered that our network guy created (at least) two entire subnets in DHCP but never bothered to create DNS zones for them, so I have whole chunks of my campus not able to send email! My question for you sendmail mc gurus: instead of doing

    $#error $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1

in require_rdns.m4, I want to just log the message and go on (dry-run mode), something like:

    $#print $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1

Anybody know how to tweak an mc to just syslog an action?

Jeff Earickson
Colby College

From steve.freegard at fsl.com Thu Aug 17 20:46:33 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Aug 17 20:46:45 2006
Subject: require_rdns.m4 (Was Require RDNS?)
In-Reply-To:
References:
Message-ID: <44E4C799.6090307@fsl.com>

Hi Jeff,

Jeff A.
Earickson wrote:
> Gang,
>
> I rolled out require_rdns.m4 this morning and my phone is starting
> to ring. I have discovered that our network guy created (at least)
> two entire subnets in DHCP but never bothered to create DNS zones
> for them, so I have whole chunks of my campus not able to send email!
> My question for you sendmail mc gurus: instead of doing
>
> $#error $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1
>
> in require_rdns.m4, I want to just log the message and go on (dry-run
> mode), something like:
>
> $#print $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1
>
> Anybody know how to tweak an mc to just syslog an action?
>

I'm not sure how to do that -- but you could 'whitelist' your internal IP address ranges using the access.db if you have the latest version of the hack (see: http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4) - e.g.

    rdns:192.168.47 OK

Just a thought.

Cheers,
Steve.

From ssilva at sgvwater.com Thu Aug 17 20:56:40 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Aug 17 20:57:07 2006
Subject: Wiki is sick...
In-Reply-To: <223f97700608171156s5c206dcet4d242138852f96e2@mail.gmail.com>
References: <44E2D2C9.5030306@ecs.soton.ac.uk> <027d01c6c115$4e2a0b10$88c5c657@arthur> <223f97700608160235g3b046408hf59a6628f27ae719@mail.gmail.com> <223f97700608160411g63a73dc6w50c7778b8aa263e1@mail.gmail.com> <223f97700608170142s151f09d3t6869e53cec73d574@mail.gmail.com> <223f97700608171156s5c206dcet4d242138852f96e2@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 8/17/2006 11:56 AM:
> Seriously off-topic below. You've been warned:-).
>
> On 17/08/06, Scott Silva wrote:
>> Glenn Steen spake the following on 8/17/2006 1:42 AM:
>> > On 17/08/06, Res wrote:
>> >> On Wed, 16 Aug 2006, Scott Silva wrote:
>> >>
>> >> >>> my vote is for anything that works faster, it's painful waiting as
>> >>
>> >> >> IMO, most wikis are quite slow. Especially if they are more ...
>> >> >> "featureful" (tikiwiki comes to mind).
And most relies on a >> database, >> >> >> which DW doesn't. A case of choosing between the plague and >> cholera... >> >> >> I say stay with the sickness you know:-) >> >> >> >> >> > I choose hangover! ;-) >> >> > Not fun to have, more fun to get, but you only WISH you died from >> it! >> >> >> >> I'll pay that one lol >> > >> > Selfinduced sickness..... I always prefer the part before the sickness >> > arrives:-). >> >> Always much more fun! >> >> >> > If you swing by Stockholm, I'll chip in too, for some practical >> > experimentation;-) >> >> I have trouble getting out of town, so out of the country would be a >> chore!! >> How many side jobs does it take to get a round trip ticket from the >> west coast >> of the US to Stockholm? > > Not sure... about 5000 - 10000 SEK (approximately 7 SEK per dollar), > I'd guess (if the air fares are pretty consistently priced in that > direction. You'd likely go by way of Seattle or Chicago over the > arctic region)... All depends on how many $$$ you average/side job:-) > >> And since 90 percent of the side jobs I get are for spyware and viruses, >> Julian is really helping me to stay in town!! ;-) > > *chuckle* > Well, you could always just tip one for me next time you pass by a > pub/bar:-). > I'll be tipping a few in your direction this weekend! This part of the world is in swimming pool weather. But it might have to be a US domestic, as the only Swedish beer I have seen around here was Pripps. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From bpumphrey at WoodMacLaw.com Thu Aug 17 21:05:13 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Thu Aug 17 21:05:26 2006 Subject: require_rdns.m4 (Was Require RDNS?) 
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E7BE@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
> Sent: Thursday, August 17, 2006 3:18 PM
> To: mailscanner mailing list
> Subject: require_rdns.m4 (Was Require RDNS?)
>
> Gang,
>
> I rolled out require_rdns.m4 this morning and my phone is starting
> to ring. I have discovered that our network guy created (at least)
> two entire subnets in DHCP but never bothered to create DNS zones
> for them, so I have whole chunks of my campus not able to send email!
> My question for you sendmail mc gurus: instead of doing
>
> $#error $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1
>
> in require_rdns.m4, I want to just log the message and go on (dry-run
> mode), something like:
>
> $#print $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1
>
> Anybody know how to tweak an mc to just syslog an action?
>
> Jeff Earickson
> Colby College
> --

Crap...I feel responsible for that! I am sorry Jeff

From jaearick at colby.edu Thu Aug 17 21:27:38 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 17 21:33:07 2006
Subject: require_rdns.m4 (Was Require RDNS?)
In-Reply-To: <44E4C799.6090307@fsl.com>
References: <44E4C799.6090307@fsl.com>
Message-ID:

On Thu, 17 Aug 2006, Steve Freegard wrote:

> Date: Thu, 17 Aug 2006 20:46:33 +0100
> From: Steve Freegard
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: require_rdns.m4 (Was Require RDNS?)
>
> Hi Jeff,
>
> Jeff A. Earickson wrote:
>> Gang,
>>
>> I rolled out require_rdns.m4 this morning and my phone is starting
>> to ring. I have discovered that our network guy created (at least)
>> two entire subnets in DHCP but never bothered to create DNS zones
>> for them, so I have whole chunks of my campus not able to send email!
>> My question for you sendmail mc gurus: instead of doing >> >> $#error $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1 >> >> in require_rdns.m4, I want to just log the message and go on (dry-run >> mode), something like: >> >> $#print $@ 5.7.1 $: 550 RDNS: Fix reverse DNS for $1 >> >> Anybody know how to tweak an mc to just syslog an action? >> > > I'm not sure how to do that -- but you could 'whitelist' your internal IP > address ranges using the access.db if you have the latest version of the hack > (see: http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4) - e.g. > > rdns:192.168.47 OK > > Just a thought. Excellent point, I missed that. However Da Boss asks "Can we try this in dry-run mode? Just log what rdns would do, but not really do it?" She has a good point. My ability to decipher sendmail.cf files has always been weak. I thought about changing the $#error numbers to 200, but figured that would blow up. Billy, I take responsibility for my own stupidity. You didn't force me to retry RDNS today... Jeff Earickson Colby College From campbell at cnpapers.com Thu Aug 17 21:54:14 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Aug 17 21:54:33 2006 Subject: MailScanner load References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com><000e01c6c12f$28f4e6c0$0705000a@DDF5DW71> <44E36393.8020601@ecs.soton.ac.uk><004e01c6c171$611d1940$0705000a@DDF5DW71> <44E4AFDC.9000803@nkpanama.com> Message-ID: <004101c6c23f$4c375260$0705000a@DDF5DW71> ----- Original Message ----- From: "Alex Neuman van der Hans" To: "MailScanner discussion" Sent: Thursday, August 17, 2006 2:05 PM Subject: Re: MailScanner load > Steve Campbell wrote: >> Decided to make an intelligent statement this time: >> >> One thing I did find to lower my load average, though, was MimeDefang in >> a look-ahead environment. > Would be interesting to include a small article in the wiki about how to > do this, since some people might want a free alternative to milter-ahead. 
I wanted to use Scott as my test bed for memory testing (my memory, not CPU...I'm getting too old). I wasn't sure I gave him all of the proper stuff to get this done. So if he concurs with my details, and he promises to change the specifics to generics in the file lists I gave him, I would be glad to help him get it to the wiki. It's really great stuff.

Steve

> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From steve.freegard at fsl.com Thu Aug 17 23:09:50 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Aug 17 23:05:30 2006
Subject: require_rdns.m4 (Was Require RDNS?)
In-Reply-To:
References: <44E4C799.6090307@fsl.com>
Message-ID: <44E4E92E.2090401@fsl.com>

Hi Jeff,

> Excellent point, I missed that. However Da Boss asks "Can we try this
> in dry-run mode? Just log what rdns would do, but not really do it?"
> She has a good point. My ability to decipher sendmail.cf files has
> always been weak. I thought about changing the $#error numbers to 200,
> but figured that would blow up.

Okay -- if you want to work out what would be blocked how about something like this:

    [root@gateway html]# grep -Poi 'relay=\[(.+)\]' /var/log/maillog | cut -d[ -f2 | cut -d] -f1 | sort | uniq -c | sort -rn
       2712 80.54.0.150
        110 219.146.60.186
         72 221.201.152.114
         60 222.173.12.176
         59 219.146.60.213
         59 209.60.51.138
         56 219.146.60.242
         47 72.13.174.159
         47 219.146.60.118
         43 127.0.0.1

That's a list of the Top 10 IP addresses with no reverse DNS sorted by the number of connections which would have been rejected.
Here's a list of 'may be forged' IP addresses that would be tempfailed:

    [root@gateway html]# grep -Pio 'relay=.+ \[(.+)\] \(may be forged\)' /var/log/maillog | cut -d[ -f2 | cut -d] -f1 | sort | uniq -c | sort -rn
         54 201.29.69.82
         46 203.187.194.174
         44 61.17.27.233
         40 85.136.41.187
         40 207.144.2.42
         29 84.204.244.138
         29 210.211.236.171
         27 24.69.160.154
         26 209.205.237.17
         26 203.187.222.130

Cheers,
Steve.

From jose.gonzalez at compac.com.mx Thu Aug 17 23:59:22 2006
From: jose.gonzalez at compac.com.mx (Jose Gonzalez)
Date: Fri Aug 18 00:00:13 2006
Subject: Using spam whitelisting
Message-ID: <44E4F4CA.1080407@compac.com.mx>

I'm using MailScanner with SpamAssassin. Spam checking is ignoring some rules posted in my spam.whitelist.rules, example:

In spam.whitelist.rules:

    From: *@olicom.com.mx yes

In my logs:

    X-yoursite-MailScanner-SpamCheck: spam, SpamAssassin (no almacenado,
    Score=7.125, requerido 5, AWL 0.21, BAYES_00 -2.60,
    HTML_50_60 0.09, HTML_MESSAGE 0.00, MSGID_FROM_MTA_ID 1.72,
    RCVD_IN_DSBL 3.81, RCVD_IN_NJABL_PROXY 0.44, RCVD_IN_SORBS_HTTP 0.04,
    RCVD_IN_SORBS_SOCKS 0.34, RCVD_IN_XBL 3.08)

From ccampbell at brueggers.com Fri Aug 18 01:41:47 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Fri Aug 18 01:42:08 2006
Subject: OT: PTR and SPF
Message-ID:

Skipped content of type multipart/alternative

From jrudd at ucsc.edu Fri Aug 18 01:58:10 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Fri Aug 18 01:58:22 2006
Subject: OT: PTR and SPF
In-Reply-To:
References:
Message-ID:

On Aug 17, 2006, at 17:41, Christian Campbell wrote:

> All this talk about rDNS made me consider rejecting mail from hosts
> that do not have a valid PTR record.
A legitimate company we exchange
> a lot of mail with does that have a PTR record for their mail server.
> As I was composing an email asking them if they could create a PTR
> record, I decided to reference an RFC to help support my argument (RFC
> 1912). But, after doing some more Googling, I found this site:
> http://www.emailauthentication.org/resources/ which states:
>
> ---%< snip %<---
> Several readers have inquired on the use of a PTR or reverse DNS
> lookup. AOTA strongly encourages site owners to follow the warning as
> published in the IETF RFC and NOT use a PTR; The specification for
> SPF records (RFC 4408 see below) discourages use of "ptr" for
> performance and reliability reasons. ...
>
> "Note: Use of this mechanism is discouraged because it is slow, ...
> ---%< snip %<---

It is not saying "You shouldn't have a PTR record". It's saying your SPF text shouldn't tell other people to look at your PTR record _for_validating_SPF_. Those are two VERY different statements. What's being discouraged is the "ptr mechanism in SPF". Not "PTR Resource Records in DNS".

> Not knowing anything about SPF....does this mean a SMTP host
> shouldn't use a PTR record? Or...should one not use a PTR if you are
> using SPF?
>
> My next question is, is there a way to tell if the company in question
> is using SPF and that's why they don't have a PTR? I'd hate to make
> an ignorant request. Should the company still create a PTR record
> regardless?

If they don't have a PTR because they are using SPF, I would probably feel extra comfortable blocking them.

And, frankly, if AOTA is suggesting that people not use PTR DNS RR's, then I think AOTA is a bunch of idiots. :-}

From csweeney at osubucks.org Fri Aug 18 03:00:17 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Fri Aug 18 03:00:36 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> Message-ID: <44E51F31.9010504@osubucks.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You mean that the IP reverses to an address or that it matches? I have always refused email from any server that does NOT have a reverse address of some kind. I have not noticed that big of a complaint pool from it as MOST IP's even Dynamic have some sort of reverse address. Billy A. Pumphrey wrote: > Does anyone only accept email that will do a reverse lookup? Does > anyone recommend it? > > Thank you > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > - -- Thanks Chris Check me out! Finally setup a MySpace.com account http://www.osubucks.net csweeney@osubucks.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE5R8wS9AMNDUYgIcRApL7AKCGm/2kViy0XalJcnUQsAsFNG9H9ACg35RF zeS0z53Jr82O3wraMV4KW38= =jDSO -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060817/23026beb/attachment.html From davidj at synaq.com Fri Aug 18 08:26:46 2006 From: davidj at synaq.com (David Jacobson) Date: Fri Aug 18 08:27:05 2006 Subject: MCP Efficiency? Message-ID: <1155886006.12295.4.camel@jakes.synaq.com> Hi Guys / Julian, We've noticed some load problems using MCP. We initially thought it had to do with the MCP spam.assassin.prefs using all the SA plugins... 
We enabled MCP on one domain on a server that's load average is 3 as we enable MCP the load jumps to 15. I'm concerned how this can happen as it's just scanning 1 domain out of 100's that does very minimal mail on the server the ruleset is to use MCP for one domain. Julian, do you perhaps know of any problems with this code in terms of speed? As far as I'm concerned if it's enabled for one domain with minimal volume it should not immediately jump the load on the server to 15. I did a watch on ps and noticed the MCP check only comes once every like 5-10 minutes for a few seconds. Thanks in advance. -- Regards, David Jacobson Technical Director SYNAQ (Pty) Ltd Tel: 011 245 5888 Direct: 011 245 5889 Fax: 011 783 9275 Cell: 083 235 0760 Mail: davidj@synaq.com Web: http://www.synaq.com Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1 From glenn.steen at gmail.com Fri Aug 18 08:52:00 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 18 08:52:07 2006 Subject: MCP Efficiency? In-Reply-To: <1155886006.12295.4.camel@jakes.synaq.com> References: <1155886006.12295.4.camel@jakes.synaq.com> Message-ID: <223f97700608180052g3e770bch99e0538cc9e2d72a@mail.gmail.com> On 18/08/06, David Jacobson wrote: > Hi Guys / Julian, > > We've noticed some load problems using MCP. We initially thought it had > to do with the MCP spam.assassin.prefs using all the SA plugins... > > We enabled MCP on one domain on a server that's load average is 3 as we > enable MCP the load jumps to 15. > > I'm concerned how this can happen as it's just scanning 1 domain out of > 100's that does very minimal mail on the server the ruleset is to use > MCP for one domain. > > Julian, do you perhaps know of any problems with this code in terms of > speed? As far as I'm concerned if it's enabled for one domain with > minimal volume it should not immediately jump the load on the server to > 15. 
I did a watch on ps and noticed the MCP check only comes once every > like 5-10 minutes for a few seconds. > > Thanks in advance. > Might the load be due to many processes getting stuck in I/O wait? Count your processes in state "D"... Try setting "dns_available no" in mcp.spam.assassin.prefs.conf, to be sure it doesn't try to use any BL lookups, if you haven't already. HtH -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Aug 18 09:20:42 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 18 09:21:27 2006 Subject: Using spam whitelisting In-Reply-To: <44E4F4CA.1080407@compac.com.mx> References: <44E4F4CA.1080407@compac.com.mx> Message-ID: <44E5785A.8070906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jose Gonzalez wrote: > I?m using MailScanner with Spamassasin. Spam checking is ignoring some > rules posted in my spam.whitelist.rules, example: > > In spam.whitelist.rules: > > From: *@olicom.com.mx yes > > > In my logs: > > X-yoursite-MailScanner-SpamCheck: spam, SpamAssassin (no almacenado, > Score=7.125, requerido 5, AWL 0.21, BAYES_00 -2.60, > HTML_50_60 0.09, HTML_MESSAGE 0.00, MSGID_FROM_MTA_ID 1.72, > RCVD_IN_DSBL 3.81, RCVD_IN_NJABL_PROXY 0.44, RCVD_IN_SORBS_HTTP 0.04, > RCVD_IN_SORBS_SOCKS 0.34, RCVD_IN_XBL 3.08) What does the X-MailScanner-From: header say? - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE5XhbEfZZRxQVtlQRAiHuAJ4ngCxJafai7EzYIHsmNPaPWv9ocACfTr9v y3dQ+MeVURWmiKVRAO5Lu3E= =MbZE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Fri Aug 18 09:26:46 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 18 09:27:26 2006
Subject: MCP Efficiency?
In-Reply-To: <1155886006.12295.4.camel@jakes.synaq.com>
References: <1155886006.12295.4.camel@jakes.synaq.com>
Message-ID: <44E579C6.7050303@ecs.soton.ac.uk>

David Jacobson wrote:
> Hi Guys / Julian,
>
> We've noticed some load problems using MCP. We initially thought it had
> to do with the MCP spam.assassin.prefs using all the SA plugins...
>
> We enabled MCP on one domain on a server that's load average is 3 as we
> enable MCP the load jumps to 15.
>
Yes, the load cost is very high.
> I'm concerned how this can happen as it's just scanning 1 domain out of
> 100's that does very minimal mail on the server the ruleset is to use
> MCP for one domain.
>
> Julian, do you perhaps know of any problems with this code in terms of
> speed? As far as I'm concerned if it's enabled for one domain with
> minimal volume it should not immediately jump the load on the server to
> 15. I did a watch on ps and noticed the MCP check only comes once every
> like 5-10 minutes for a few seconds.
>
Currently, I do the MCP checks on every batch unless there is an
explicit MCP Checks = no in MailScanner.conf. If any domain uses it,
then it is called for every batch of messages.

What I could do to improve the situation is check every message in the
batch to see if that message produces a "yes" answer from a ruleset. If
no messages produce a "yes" then don't call MCP.

That should relieve your problem nicely. Prepared to test it for me if I
post a patch?

Jules.
> Thanks in advance.
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Fri Aug 18 09:36:19 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 18 09:37:05 2006
Subject: MCP Efficiency?
In-Reply-To: <1155886006.12295.4.camel@jakes.synaq.com>
References: <1155886006.12295.4.camel@jakes.synaq.com>
Message-ID: <44E57C03.9030804@ecs.soton.ac.uk>

Sorry, just checked the code. I am doing that already.

The cause of the problem is that SpamAssassin does not appear to support
the way I am trying to use it. I want 2 completely separate instances of
SpamAssassin. One has all the normal SA rules as expected. The other one
has no rules or dns checks or Razor or anything at all, it *only* has
the few rules specified for MCP checking.

I can't make it do this, while still keeping all the rules compiled in
both instances and every setup done and cached. The only thing I can
make it do to run the way I want, is to tell it not to pre-compile all
the rules. As a result it has to do a huge load of SA compilation for
every message.

If Matt Kettler is around, maybe he could offer me some advice. I have
tried asking on the SA list several times, and they don't understand why
I would want my 2nd instance at all, so I never got any helpful answers.

David Jacobson wrote:
> Hi Guys / Julian,
>
> We've noticed some load problems using MCP. We initially thought it had
> to do with the MCP spam.assassin.prefs using all the SA plugins...
>
> We enabled MCP on one domain on a server that's load average is 3 as we
> enable MCP the load jumps to 15.
>
> I'm concerned how this can happen as it's just scanning 1 domain out of
> 100's that does very minimal mail on the server the ruleset is to use
> MCP for one domain.
>
> Julian, do you perhaps know of any problems with this code in terms of
> speed? As far as I'm concerned if it's enabled for one domain with
> minimal volume it should not immediately jump the load on the server to
> 15. I did a watch on ps and noticed the MCP check only comes once every
> like 5-10 minutes for a few seconds.
>
> Thanks in advance.
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Fri Aug 18 09:53:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Aug 18 09:53:51 2006
Subject: MCP Efficiency?
In-Reply-To: <44E57C03.9030804@ecs.soton.ac.uk>
References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk>
Message-ID: <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com>

On 18/08/06, Julian Field wrote:
> Sorry, just checked the code. I am doing that already.
>
> The cause of the problem is that SpamAssassin does not appear to support
> the way I am trying to use it. I want 2 completely separate instances of
> SpamAssassin. One has all the normal SA rules as expected.
The other one > has no rules or dns checks or Razor or anything at all, it *only* has > the few rules specified for MCP checking. > > I can't make it do this, while still keeping all the rules compiled in > both instances and every setup done and cached. The only thing I can > make it do to run the way I want, is to tell it not to pre-compile all > the rules. As a result it has to do a huge load of SA compilation for > every message. > > If Matt Kettler is around, maybe he could offer me some advice. I have > tried asking on the SA list several times, and they don't understand why > I would want my 2nd instance at all, so I never got any helpful answers. > This is exactly what I suspected from the few trials I did recently (was thinking of starting to use MCP). And that is where I got the idea to set dns as unavailable. Helps some, but not all. The problems lie solidly in the built-in defaults that you cannot override. What I think you have to do is to maintain a "cleaned" SA environment, and see to it that MCP uses it by way of a chroot thingie. Really icky:-(. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Fri Aug 18 12:16:33 2006 From: res at ausics.net (Res) Date: Fri Aug 18 12:16:42 2006 Subject: require_rdns.m4 (Was Require RDNS?) In-Reply-To: References: Message-ID: On Thu, 17 Aug 2006, Jeff A. Earickson wrote: > Gang, > > I rolled out require_rdns.m4 this morning and my phone is starting > to ring. I have discovered that our network guy created (at least) > two entire subnets in DHCP but never bothered to create DNS zones > for them, so I have whole chunks of my campus not able to send email! 
> My question for you sendmail mc gurus: instead of doing
>

errr why are they not marked as RELAY

the require_rdns.m4 won't prevent local hosts sending, maybe you need to
enable:
FEATURE(`delay_checks', `friend')dnl

>

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From slewis at complaw.com Fri Aug 18 12:37:23 2006
From: slewis at complaw.com (Sam Lewis)
Date: Fri Aug 18 12:37:39 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <4D10EA9E-B9B2-482A-9E14-2383A97D6DD1@complaw.com>

On Aug 15, 2006, at 2:46 AM, Jon Bates wrote:
> I was just wondering what peoples opinions were on running multiple
> virus scanners with MailScanner. I'm currently only running ClamAV,
> and I was thinking about running one or two more.
> Could someone recommend what other scanner/s to use? My main
> concern is system resources. I would like something that doesn't
> load up the server too much more as ClamAV is quite light on
> resources from my experience with it.

Clam is good, but I also use CA's eTrust AV. I find that using two
scanners increases the chances of picking up newly discovered variants,
for in some cases eTrust has the definitions before Clam.

Hope this helps.

Regards,
--Sam

From bpumphrey at WoodMacLaw.com Fri Aug 18 13:53:31 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Fri Aug 18 13:55:40 2006
Subject: Could Be OT: How many people only accept reverse DNS lookup mail?
In-Reply-To: <44E51F31.9010504@osubucks.org>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E87E@woodenex.woodmaclaw.local>

> ________________________________________
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Sweeney
> Sent: Thursday, August 17, 2006 10:00 PM
> To: MailScanner discussion
> Subject: Re: Could Be OT: How many people only accept reverse DNS lookup mail?
>
> You mean that the IP reverses to an address or that it matches? I
> have always refused email from any server that does NOT have a reverse
> address of some kind. I have not noticed that big of a complaint pool
> from it as MOST IP's even Dynamic have some sort of reverse address.

Yes, having all email rejected that does not have a reverse lookup.

Thank you for your input and confidence of using it.

From bpumphrey at WoodMacLaw.com Fri Aug 18 14:30:17 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Fri Aug 18 14:30:20 2006
Subject: 153 will not deliever from the Outbound
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E8E6@woodenex.woodmaclaw.local>

Well I created a little mess for myself. I configured the Exchange
machine some with filtering and it was blocking some emails. The
maillog would say this:

Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: to=, delay=00:00:12, xdelay=00:00:00, mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, stat=Deferred: Connection refused by [10.1.1.22]

So seemingly the ones that got the connection refused message are being
held in MailScanner.

I configured exchanges rules, and I no longer get these messages and all
email is not getting rejected. The Outbound used to be about 300 and
seemingly they were all going to get delivered until it stuck on 153,
well 152 now. (minus one email in about 10 minutes)

Am I missing something to get MailScanner to deliver these emails?
Billy Pumphrey IT Manager Wooden & McLaughlin From bpumphrey at WoodMacLaw.com Fri Aug 18 14:47:28 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Fri Aug 18 14:47:32 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E8E6@woodenex.woodmaclaw.local> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E917@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > Sent: Friday, August 18, 2006 9:30 AM > To: MailScanner discussion > Subject: 153 will not deliever from the Outbound > > Well I created a little mess for myself. I configured the Exchange > machine some with filtering and it was blocking some emails. The > maillog would say this: > > Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: > to=, delay=00:00:12, xdelay=00:00:00, > mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, > stat=Deferred: Connection refused by [10.1.1.22] > > So seemingly the ones that got the connection refused message are being > held in MailScanner. > > I configured exchanges rules, and I no longer get these messages and all > email is not getting rejected. The Outbound used to be about 300 and > seemingly they were all going to get delivered until it stuck on 153, > well 152 now. (minus one email in about 10 minutes) > > Am I missing something to get MailScanner to deliver these emails? > I was trying to do some things to see the emails. My inbound and outbound are the default /var/spool/mqueue and /var/spool/mqueue.in Will someone give me some tips on how to manually manipulate the emails? My Inbound and Outbound links in MailWatch show nothing on the page so I am not able to see what is in them. How does someone copy/move the emails from mqueue into a mailbox so that one can sift through them? 
As I am wanting to see what is in these emails because people are wondering about specific emails and I want to at least make sure that I got them. From mikea at mikea.ath.cx Fri Aug 18 15:00:13 2006 From: mikea at mikea.ath.cx (mikea) Date: Fri Aug 18 15:00:16 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E917@woodenex.woodmaclaw.local>; from bpumphrey@WoodMacLaw.com on Fri, Aug 18, 2006 at 09:47:28AM -0400 References: <04D932B0071FE34FA63EBB1977B48D150187E8E6@woodenex.woodmaclaw.local> <04D932B0071FE34FA63EBB1977B48D150187E917@woodenex.woodmaclaw.local> Message-ID: <20060818090013.A17847@mikea.ath.cx> On Fri, Aug 18, 2006 at 09:47:28AM -0400, Billy A. Pumphrey wrote: > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > > Sent: Friday, August 18, 2006 9:30 AM > > To: MailScanner discussion > > Subject: 153 will not deliever from the Outbound > > > > Well I created a little mess for myself. I configured the Exchange > > machine some with filtering and it was blocking some emails. The > > maillog would say this: > > > > Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: > > to=, delay=00:00:12, xdelay=00:00:00, > > mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, > > stat=Deferred: Connection refused by [10.1.1.22] > > > > So seemingly the ones that got the connection refused message are > being > > held in MailScanner. > > > > I configured exchanges rules, and I no longer get these messages and > all > > email is not getting rejected. The Outbound used to be about 300 and > > seemingly they were all going to get delivered until it stuck on 153, > > well 152 now. (minus one email in about 10 minutes) > > > > Am I missing something to get MailScanner to deliver these emails? > > > > I was trying to do some things to see the emails. 
My inbound and > outbound are the default /var/spool/mqueue and /var/spool/mqueue.in > > Will someone give me some tips on how to manually manipulate the emails? > My Inbound and Outbound links in MailWatch show nothing on the page so I > am not able to see what is in them. > > How does someone copy/move the emails from mqueue into a mailbox so that > one can sift through them? As I am wanting to see what is in these > emails because people are wondering about specific emails and I want to > at least make sure that I got them. You can sift through them with the "less" command, and the "mailq" command will give you information about the status of the mails on the default queue. To see the status of the mails on mqueue.in, you have to get a little more creative: sendmail -v -bp -OQueueDirectory=/var/spool/mqueue.in as root. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From a.peacock at chime.ucl.ac.uk Fri Aug 18 15:03:58 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 18 15:04:46 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E917@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E917@woodenex.woodmaclaw.local> Message-ID: <44E5C8CE.4070904@chime.ucl.ac.uk> Hi, Billy A. Pumphrey wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey >> Sent: Friday, August 18, 2006 9:30 AM >> To: MailScanner discussion >> Subject: 153 will not deliever from the Outbound >> >> Well I created a little mess for myself. I configured the Exchange >> machine some with filtering and it was blocking some emails. 
The >> maillog would say this: >> >> Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: >> to=, delay=00:00:12, xdelay=00:00:00, >> mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, >> stat=Deferred: Connection refused by [10.1.1.22] >> >> So seemingly the ones that got the connection refused message are > being >> held in MailScanner. >> >> I configured exchanges rules, and I no longer get these messages and > all >> email is not getting rejected. The Outbound used to be about 300 and >> seemingly they were all going to get delivered until it stuck on 153, >> well 152 now. (minus one email in about 10 minutes) >> >> Am I missing something to get MailScanner to deliver these emails? >> > > I was trying to do some things to see the emails. My inbound and > outbound are the default /var/spool/mqueue and /var/spool/mqueue.in > > Will someone give me some tips on how to manually manipulate the emails? > My Inbound and Outbound links in MailWatch show nothing on the page so I > am not able to see what is in them. > > How does someone copy/move the emails from mqueue into a mailbox so that > one can sift through them? As I am wanting to see what is in these > emails because people are wondering about specific emails and I want to > at least make sure that I got them. If you are using sendmail as your MTA on the mailscanner box you can use the following from a command prompt: mailq -Oqueuedirectory=/var/spool/mqueue.in & mailq -Oqueuedirectory=/var/spool/mqueue To show the contents of the queues. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." 
-- George Bernard Shaw From akostocker at gmail.com Fri Aug 18 15:15:08 2006 From: akostocker at gmail.com (Tony Stocker) Date: Fri Aug 18 15:15:10 2006 Subject: SASL authenticated users marked as spam Message-ID: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> All, We set up our server to allow SASL authenticated users to be able to send (relay) mail through the server. This way they can use their mail clients at home or on the road and we don't have to worry about the ip address. However in early testing of this we found that several emails from users who had authenticated were getting marked as spam by SA (full score line below). Is there a way to set a rule that will put SASL authenticated users as 'safe' or at least give a negative score? Aug 8 22:38:55 pps-mail MailScanner[31647]: Message BBF838EB2C.21AF6 from 68.106.108.165 (tony.stocker@example.com) to abc.com,def.com is spam, SpamAssassin (not cached, score=5.266, required 3, BAYES_50 0.00, INFO_TLD 1.27, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05) Both of the IN_*_DUL rules seem to indicate a 'hit' because of being a "dial up user" based on what I could find on the web. However I believe, if we set things up right, that only authenticated users should be able to submit messages into the system. So should I just disable these rules? That seems a little ham-fisted to me, and I don't want to degrade spam detection I just don't want our users own outbound mails getting marked as spam. Any ideas? Tony From andoni.auzmendi at robertwalters.com Fri Aug 18 15:20:23 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Fri Aug 18 15:20:50 2006 Subject: 153 will not deliever from the Outbound Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E521@PAT.internal.robertwalters.com> Have you tried telneting from you mailscanner into the smtp port on exchange and try to send a test message. 
You will be able to see the actual error message from exchange and might give you some clues why is rejecting mails. Is the exchange server configured as non internet facing email server? I just wonder whether it thinks you mailscanner is doing a DDOS attack. Andoni -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Anthony Peacock Sent: 18 August 2006 15:04 To: MailScanner discussion Subject: Re: 153 will not deliever from the Outbound Hi, Billy A. Pumphrey wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey >> Sent: Friday, August 18, 2006 9:30 AM >> To: MailScanner discussion >> Subject: 153 will not deliever from the Outbound >> >> Well I created a little mess for myself. I configured the Exchange >> machine some with filtering and it was blocking some emails. The >> maillog would say this: >> >> Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: >> to=, delay=00:00:12, xdelay=00:00:00, >> mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, >> stat=Deferred: Connection refused by [10.1.1.22] >> >> So seemingly the ones that got the connection refused message are > being >> held in MailScanner. >> >> I configured exchanges rules, and I no longer get these messages and > all >> email is not getting rejected. The Outbound used to be about 300 and >> seemingly they were all going to get delivered until it stuck on 153, >> well 152 now. (minus one email in about 10 minutes) >> >> Am I missing something to get MailScanner to deliver these emails? >> > > I was trying to do some things to see the emails. My inbound and > outbound are the default /var/spool/mqueue and /var/spool/mqueue.in > > Will someone give me some tips on how to manually manipulate the emails? 
> My Inbound and Outbound links in MailWatch show nothing on the page so I
> am not able to see what is in them.
>
> How does someone copy/move the emails from mqueue into a mailbox so that
> one can sift through them? As I am wanting to see what is in these
> emails because people are wondering about specific emails and I want to
> at least make sure that I got them.

If you are using sendmail as your MTA on the mailscanner box you can use
the following from a command prompt:

mailq -Oqueuedirectory=/var/spool/mqueue.in

&

mailq -Oqueuedirectory=/var/spool/mqueue

To show the contents of the queues.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw
From dhawal at netmagicsolutions.com Fri Aug 18 15:23:23 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Aug 18 15:23:43 2006
Subject: SASL authenticated users marked as spam
In-Reply-To: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com>
References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com>
Message-ID: <44E5CD5B.9040305@netmagicsolutions.com>

Tony Stocker wrote:
> All,
>
> We set up our server to allow SASL authenticated users to be able to
> send (relay) mail through the server. This way they can use their
> mail clients at home or on the road and we don't have to worry about
> the ip address. However in early testing of this we found that
> several emails from users who had authenticated were getting marked as
> spam by SA (full score line below). Is there a way to set a rule that
> will put SASL authenticated users as 'safe' or at least give a
> negative score?
>
> Aug 8 22:38:55 pps-mail MailScanner[31647]: Message BBF838EB2C.21AF6
> from 68.106.108.165 (tony.stocker@example.com) to abc.com,def.com is
> spam, SpamAssassin (not cached, score=5.266, required 3, BAYES_50
> 0.00, INFO_TLD 1.27, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05)
>
> Both of the IN_*_DUL rules seem to indicate a 'hit' because of being a
> "dial up user" based on what I could find on the web. However I
> believe, if we set things up right, that only authenticated users
> should be able to submit messages into the system. So should I just
> disable these rules? That seems a little ham-fisted to me, and I
> don't want to degrade spam detection I just don't want our users own
> outbound mails getting marked as spam.
>
> Any ideas?

Read this.. http://wiki.apache.org/spamassassin/DynablockIssues

See if your MTA will add a X-Auth OR a similar header for authenticated
users. Finally, write a good rule to assign such mails -ve points.
- dhawal From bpumphrey at WoodMacLaw.com Fri Aug 18 15:27:33 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Fri Aug 18 15:27:39 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <44E5C8CE.4070904@chime.ucl.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E9AB@woodenex.woodmaclaw.local> > > Hi, > > Billy A. Pumphrey wrote: > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > >> Sent: Friday, August 18, 2006 9:30 AM > >> To: MailScanner discussion > >> Subject: 153 will not deliever from the Outbound > >> > >> Well I created a little mess for myself. I configured the Exchange > >> machine some with filtering and it was blocking some emails. The > >> maillog would say this: > >> > >> Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: > >> to=, delay=00:00:12, xdelay=00:00:00, > >> mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, > >> stat=Deferred: Connection refused by [10.1.1.22] > >> > >> So seemingly the ones that got the connection refused message are > > being > >> held in MailScanner. > >> > >> I configured exchanges rules, and I no longer get these messages and > > all > >> email is not getting rejected. The Outbound used to be about 300 and > >> seemingly they were all going to get delivered until it stuck on 153, > >> well 152 now. (minus one email in about 10 minutes) > >> > >> Am I missing something to get MailScanner to deliver these emails? > >> > > > > I was trying to do some things to see the emails. My inbound and > > outbound are the default /var/spool/mqueue and /var/spool/mqueue.in > > > > Will someone give me some tips on how to manually manipulate the emails? > > My Inbound and Outbound links in MailWatch show nothing on the page so I > > am not able to see what is in them. 
> >
> > How does someone copy/move the emails from mqueue into a mailbox so that
> > one can sift through them? As I am wanting to see what is in these
> > emails because people are wondering about specific emails and I want to
> > at least make sure that I got them.
>
> If you are using sendmail as your MTA on the mailscanner box you can use
> the following from a command prompt:
>
> mailq -Oqueuedirectory=/var/spool/mqueue.in
>
> &
>
> mailq -Oqueuedirectory=/var/spool/mqueue
>
> To show the contents of the queues.
>
>

Ok, it is making some sense. These are all deferred:

k7I6YIjY018427 83988 Fri Aug 18 02:34
    (Deferred: Connection timed out with [10.1.1.22])

k7I4T9ZP012437 10234 Fri Aug 18 00:29 <1.34418.36303137343931.b@ramailer.real
    7BIT (Deferred: Connection timed out with [10.1.1.22])

k7I6XeqG018290 120323 Fri Aug 18 02:33
    (Deferred: Connection timed out with [10.1.1.22])

k7I6XwYY018338 140230 Fri Aug 18 02:33
    (Deferred: Connection timed out with [10.1.1.22])

k7IBsgW3003307 2792502 Fri Aug 18 07:54
    (Deferred: Connection timed out with [10.1.1.22])

k7IC5iZC004424 3437444 Fri Aug 18 08:08 MAILER-DAEMON
    (Deferred: Connection timed out with [10.1.1.22])
    administrator@woodmclaw.com
k7IC3N3E004078 3867105 Fri Aug 18 08:03
    (Deferred: Connection timed out with [10.1.1.22])

I did a few searches on knowing what the deferred does and the status of
these deferred emails but I got too confused. From what I can understand
it means that it will try later. Is this correct?
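The deferred entries in the queue listing above can also be tallied from the maillog. This is an added example, not part of the original thread: it parses sendmail delivery lines in the format quoted in the post and reports which recipients are still deferred, grouped by relay and reason. The log lines are constructed samples (the addresses, PIDs and the `from=` line are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog line quoted in the thread.
SAMPLE_LOG = """\
Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: to=<user1@example.com>, delay=00:00:12, xdelay=00:00:00, mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, stat=Deferred: Connection refused by [10.1.1.22]
Aug 18 08:03:54 WoodenMS2 sendmail[4101]: k7IC3N3E004078: to=<user2@example.com>, delay=00:00:31, xdelay=00:00:30, mailer=esmtp, pri=3987105, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, stat=Deferred: Connection timed out with [10.1.1.22]
Aug 18 09:12:44 WoodenMS2 sendmail[5200]: k7IC3N3E004078: to=<user2@example.com>, delay=01:09:21, xdelay=00:00:02, mailer=esmtp, pri=4077105, relay=[10.1.1.22] [10.1.1.22], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Aug 18 09:13:02 WoodenMS2 sendmail[5231]: k7I6YIjY018427: to=<user3@example.com>, delay=06:39:02, xdelay=00:00:30, mailer=esmtp, pri=473988, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, stat=Deferred: Connection timed out with [10.1.1.22]
Aug 19 00:34:00 WoodenMS2 sendmail[9001]: k7I4T9ZP012437: to=<user4@example.com>, delay=1+00:05:00, xdelay=00:00:30, mailer=esmtp, pri=910234, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, stat=Deferred: Connection timed out with [10.1.1.22]
Aug 19 00:35:10 WoodenMS2 sendmail[9050]: k7J0ZAbc009050: from=<sender@example.net>, size=2345, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?:sendmail|sm-mta)\[\d+\]:\s"
    r"(?P<qid>\w+):\s(?P<fields>.*)$"
)
# Fields are separated by ", " but only where a new key= follows, so that
# values such as "to=<a>,<b>" or the free-text stat= survive intact.
FIELD_SPLIT_RE = re.compile(r",\s(?=\w+=)")
DELAY_RE = re.compile(r"^(?:(\d+)\+)?(\d+):(\d\d):(\d\d)$")


def delay_seconds(value):
    """Convert sendmail's [days+]HH:MM:SS delay into seconds (None if malformed)."""
    m = DELAY_RE.match(value)
    if not m:
        return None
    days, hours, minutes, seconds = m.groups()
    return int(days or 0) * 86400 + int(hours) * 3600 + int(minutes) * 60 + int(seconds)


def parse_delivery(line):
    """Return a dict for a delivery-attempt line (has to= and stat=), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(f.split("=", 1) for f in FIELD_SPLIT_RE.split(m["fields"]) if "=" in f)
    if "to" not in fields or "stat" not in fields:
        return None  # e.g. the from= line logged when a message is accepted
    stat = fields["stat"]
    deferred = stat.startswith("Deferred")
    reason = stat[len("Deferred"):].lstrip(": ") if deferred else ""
    # Drop the trailing "by [host]" / "with [host]" so reasons group together.
    reason = re.sub(r"\s(?:by|with)\s\S+$", "", reason) or "unspecified"
    relay = re.search(r"\[([^\]]+)\]\s*$", fields.get("relay", ""))
    return {
        "qid": m["qid"],
        "to": fields["to"],
        "relay": relay.group(1) if relay else fields.get("relay", "?"),
        "deferred": deferred,
        "reason": reason,
        "delay": delay_seconds(fields.get("delay", "")) or 0,
    }


def still_deferred(log_text):
    """Group recipients whose most recent attempt was deferred by (relay, reason)."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec:
            latest[(rec["qid"], rec["to"])] = rec  # later attempts overwrite earlier
    groups = defaultdict(list)
    for rec in latest.values():
        if rec["deferred"]:
            groups[(rec["relay"], rec["reason"])].append(rec)
    # Oldest (longest-delayed) messages first within each group.
    return {k: sorted(v, key=lambda r: -r["delay"]) for k, v in groups.items()}


if __name__ == "__main__":
    for (relay, reason), recs in still_deferred(SAMPLE_LOG).items():
        print(f"{relay}: {reason} ({len(recs)} pending)")
        for r in recs:
            print(f"  {r['qid']} {r['to']} waiting {r['delay']}s")
```

A message that was deferred and later shows `stat=Sent` drops out of the report, so only mail that is still waiting on the relay is listed.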
From dhawal at netmagicsolutions.com Fri Aug 18 15:37:43 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Aug 18 15:37:48 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <4D10EA9E-B9B2-482A-9E14-2383A97D6DD1@complaw.com> References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <4D10EA9E-B9B2-482A-9E14-2383A97D6DD1@complaw.com> Message-ID: <44E5D0B7.9050604@netmagicsolutions.com> Sam Lewis wrote: > On Aug 15, 2006, at 2:46 AM, Jon Bates wrote: >> I was just wondering what peoples opinions were on running multiple >> virus scanners with MailScanner. I'm currently only running ClamAV, >> and I was thinking about running one or two more. >> Could someone recommend what other scanner/s to use? My main concern >> is system resources. I would like something that doesn't load up the >> server too much more as ClamAV is quite light on resources from my >> experience with it. > > Clam is good, but I also use CA's eTrust AV. I find that using two > scanners increases the chances of picking up newly discovered variants, > for in some cases eTrust has the definitions before Clam. > > Hope this helps. > > Regards, > --Sam Mcafee's uvscan is good enough and quite cheap (if you opt for the SMB edition multi-user pack). Plus the newer engine (5xxx) is quite low on resource usage compared to the previous versions and virus defs are released daily (sometimes multiple times a day) BTW, for those using speedownload.nai.com (see the archives) are recommended to change to ftp.nai.com.. the download speed difference is huge!!! Also i find bdc quite annoying on the CPU usage.. to consider it for long term usage. - dhawal From bpumphrey at WoodMacLaw.com Fri Aug 18 15:41:03 2006 From: bpumphrey at WoodMacLaw.com (Billy A. 
Pumphrey) Date: Fri Aug 18 15:41:06 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E521@PAT.internal.robertwalters.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E9CB@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Andoni Auzmendi > Sent: Friday, August 18, 2006 10:20 AM > To: MailScanner discussion > Subject: RE: 153 will not deliever from the Outbound > > Have you tried telneting from you mailscanner into the smtp port on > exchange and try to send a test message. You will be able to see the > actual error message from exchange and might give you some clues why is > rejecting mails. > > Is the exchange server configured as non internet facing email server? I > just wonder whether it thinks you mailscanner is doing a DDOS attack. > > Andoni > I think all should be good now. It is just taking a long time evidently. 68 emails in the Outbound now. Watching the maillog I do not see anymore rejection. I am looking at the log still and will report more. From bpumphrey at WoodMacLaw.com Fri Aug 18 15:50:15 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Fri Aug 18 15:50:22 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E521@PAT.internal.robertwalters.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187E9E3@woodenex.woodmaclaw.local> Ok.... On the particular emails that I was checking to make sure that they went through have. So everything is going to iron out looks like. (Outbound down to 23 now) However, questions if someone would be so kind to answer them. MailScanner was always working fine, it was the exchange machine that I messed up and it started blocking connections to only certain emails. What does sendmail do with these emails? 
Apparently holds on to them until they are delivered and are referred to as deffered? There was a log entry that sent a notification to the sender that it failed after 4 hours. What happens after that? Why does it wait so long before trying to send the deffered emails again, assuming that is a sendmail setting? Can you tell sendmail to process them "now"? As usual, you guys are the best at responding and helping out. From a.peacock at chime.ucl.ac.uk Fri Aug 18 15:56:16 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 18 15:56:39 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E9AB@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E9AB@woodenex.woodmaclaw.local> Message-ID: <44E5D510.3080003@chime.ucl.ac.uk> Hi, Billy A. Pumphrey wrote: >> Hi, >> >> Billy A. Pumphrey wrote: >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey >>>> Sent: Friday, August 18, 2006 9:30 AM >>>> To: MailScanner discussion >>>> Subject: 153 will not deliever from the Outbound >>>> >>>> Well I created a little mess for myself. I configured the Exchange >>>> machine some with filtering and it was blocking some emails. The >>>> maillog would say this: >>>> >>>> Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: >>>> to=, delay=00:00:12, xdelay=00:00:00, >>>> mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, >>>> stat=Deferred: Connection refused by [10.1.1.22] >>>> >>>> So seemingly the ones that got the connection refused message are >>> being >>>> held in MailScanner. >>>> >>>> I configured exchanges rules, and I no longer get these messages > and >>> all >>>> email is not getting rejected. The Outbound used to be about 300 > and >>>> seemingly they were all going to get delivered until it stuck on > 153, >>>> well 152 now. 
(minus one email in about 10 minutes) >>>> >>>> Am I missing something to get MailScanner to deliver these emails? >>>> >>> I was trying to do some things to see the emails. My inbound and >>> outbound are the default /var/spool/mqueue and /var/spool/mqueue.in >>> >>> Will someone give me some tips on how to manually manipulate the > emails? >>> My Inbound and Outbound links in MailWatch show nothing on the page > so I >>> am not able to see what is in them. >>> >>> How does someone copy/move the emails from mqueue into a mailbox so > that >>> one can sift through them? As I am wanting to see what is in these >>> emails because people are wondering about specific emails and I want > to >>> at least make sure that I got them. >> If you are using sendmail as your MTA on the mailscanner box you can > use >> the following from a command prompt: >> >> mailq -Oqueuedirectory=/var/spool/mqueue.in >> >> & >> >> mailq -Oqueuedirectory=/var/spool/mqueue >> >> To show the contents of the queues. >> >> > > > Ok, it is making some sense. These are all deffered: > > > k7I6YIjY018427 83988 Fri Aug 18 02:34 > > (Deferred: Connection timed out with [10.1.1.22]) > > k7I4T9ZP012437 10234 Fri Aug 18 00:29 > <1.34418.36303137343931.b@ramailer.real > 7BIT (Deferred: Connection timed out with [10.1.1.22]) > > k7I6XeqG018290 120323 Fri Aug 18 02:33 > > (Deferred: Connection timed out with [10.1.1.22]) > > k7I6XwYY018338 140230 Fri Aug 18 02:33 > > (Deferred: Connection timed out with [10.1.1.22]) > > k7IBsgW3003307 2792502 Fri Aug 18 07:54 > (Deferred: Connection timed out with [10.1.1.22]) > > k7IC5iZC004424 3437444 Fri Aug 18 08:08 MAILER-DAEMON > (Deferred: Connection timed out with [10.1.1.22]) > administrator@woodmclaw.com > k7IC3N3E004078 3867105 Fri Aug 18 08:03 > (Deferred: Connection timed out with [10.1.1.22]) > > > I did a few searches on knowing what the deffered does and the status of > these deffered emails but I go too confused. 
From what I can understand > it means that it will try later. Is this correct? If this is the outgoing queue (/var/spool/mqueue) then MailScanner has finished with them and sendmail has tried to connect to the server at 10.1.1.22, that connection has timed out. Sendmail should try to send these again. You might want to look at why the server at 10.1.1.22 is not accepting these connections. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From a.peacock at chime.ucl.ac.uk Fri Aug 18 15:57:21 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 18 15:57:38 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E9E3@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E9E3@woodenex.woodmaclaw.local> Message-ID: <44E5D551.8000908@chime.ucl.ac.uk> Hi, Billy A. Pumphrey wrote: > Ok.... > > On the particular emails that I was checking to make sure that they went > through have. So everything is going to iron out looks like. (Outbound > down to 23 now) > > However, questions if someone would be so kind to answer them. > > MailScanner was always working fine, it was the exchange machine that I > messed up and it started blocking connections to only certain emails. > > What does sendmail do with these emails? > > Apparently holds on to them until they are delivered and are referred > to as deffered? > > There was a log entry that sent a notification to the sender that it > failed after 4 hours. What happens after that? > > Why does it wait so long before trying to send the deffered emails > again, assuming that is a sendmail setting? 
> > Can you tell sendmail to process them "now"? > > As usual, you guys are the best at responding and helping out. The default settings for sendmail is to continue retying for 5 days, sending a warning after 4 hours. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From glenn.steen at gmail.com Fri Aug 18 16:01:55 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 18 16:01:59 2006 Subject: MCP Efficiency? In-Reply-To: <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> Message-ID: <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> On 18/08/06, Glenn Steen wrote: > On 18/08/06, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Sorry, just checked the code. I am doing that already. > > > > The cause of the problem is that SpamAssassin does not appear to support > > the way I am trying to use it. I want 2 completely separate instances of > > SpamAssassin. One has all the normal SA rules as expected. The other one > > has no rules or dns checks or Razor or anything at all, it *only* has > > the few rules specified for MCP checking. > > > > I can't make it do this, while still keeping all the rules compiled in > > both instances and every setup done and cached. The only thing I can > > make it do to run the way I want, is to tell it not to pre-compile all > > the rules. As a result it has to do a huge load of SA compilation for > > every message. > > > > If Matt Kettler is around, maybe he could offer me some advice. 
I have > > tried asking on the SA list several times, and they don't understand why > > I would want my 2nd instance at all, so I never got any helpful answers. > > > This is exactly what I suspected from the few trials I did recently > (was thinking of starting to use MCP). And that is where I got the > idea to set dns as unavailable. Helps some, but not all. > > The problems lie solidly in the built-in defaults that you cannot override. > What I think you have to do is to maintain a "cleaned" SA environment, > and see to it that MCP uses it by way of a chroot thingie. Really > icky:-(. > Replying to myself after actually reading your code and the code of the spamassassin command, as well as engaging brain just a tad (I might be fooling myself here:-)... Correct me if I'm wrong, but whatr you do in MCP.pm should be equivalent to calling spamassassin like: # spamassassin -D --lint -C /etc/MailScanner/mcp --siteconfigpath=/etc/MailScanner/mcp -p /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf 2>&1 | less -e .... or something very similar. That shouldn't get the effect you cite, nor the effect I (wrongly) observed. It should work IMO (so no need for extreme measures:-). Or am I totally missing something here? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Aug 18 16:03:18 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 18 16:03:21 2006 Subject: MCP Efficiency? 
In-Reply-To: <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> Message-ID: <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> On 18/08/06, Glenn Steen wrote: > On 18/08/06, Glenn Steen wrote: > > On 18/08/06, Julian Field wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > Sorry, just checked the code. I am doing that already. > > > > > > The cause of the problem is that SpamAssassin does not appear to support > > > the way I am trying to use it. I want 2 completely separate instances of > > > SpamAssassin. One has all the normal SA rules as expected. The other one > > > has no rules or dns checks or Razor or anything at all, it *only* has > > > the few rules specified for MCP checking. > > > > > > I can't make it do this, while still keeping all the rules compiled in > > > both instances and every setup done and cached. The only thing I can > > > make it do to run the way I want, is to tell it not to pre-compile all > > > the rules. As a result it has to do a huge load of SA compilation for > > > every message. > > > > > > If Matt Kettler is around, maybe he could offer me some advice. I have > > > tried asking on the SA list several times, and they don't understand why > > > I would want my 2nd instance at all, so I never got any helpful answers. > > > > > This is exactly what I suspected from the few trials I did recently > > (was thinking of starting to use MCP). And that is where I got the > > idea to set dns as unavailable. Helps some, but not all. > > > > The problems lie solidly in the built-in defaults that you cannot override. > > What I think you have to do is to maintain a "cleaned" SA environment, > > and see to it that MCP uses it by way of a chroot thingie. Really > > icky:-(. 
> >
>
> Replying to myself after actually reading your code and the code of
> the spamassassin command, as well as engaging brain just a tad (I
> might be fooling myself here:-)...
> Correct me if I'm wrong, but what you do in MCP.pm should be
> equivalent to calling spamassassin like:
> # spamassassin -D --lint -C /etc/MailScanner/mcp
> --siteconfigpath=/etc/MailScanner/mcp -p
> /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf 2>&1 | less -e
>
> .... or something very similar.
> That shouldn't get the effect you cite, nor the effect I (wrongly)
> observed. It should work IMO (so no need for extreme measures:-).
> Or am I totally missing something here?
>
Ah, just saw the light. Stupid me, please ignore....:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jose.gonzalez at compac.com.mx Fri Aug 18 16:04:16 2006
From: jose.gonzalez at compac.com.mx (Jose Gonzalez)
Date: Fri Aug 18 16:04:57 2006
Subject: Using spam whitelisting
Message-ID: <44E5D6F0.2050609@compac.com.mx>

I do not see the header exactly like you write (X-MailScanner-From:),
but I have a header like this, and it's empty (just there is the problem):

X-MailScanner-Envelope-From:

The header from this whitelisted sender does not contain any data.

---

I'm using MailScanner with SpamAssassin. Spam checking is ignoring some
rules posted in my spam.whitelist.rules, example:

In spam.whitelist.rules:

From: *@olicom.com.mx yes

In my logs:

X-yoursite-MailScanner-SpamCheck: spam, SpamAssassin (no almacenado, Score=7.125, requerido 5, AWL 0.21, BAYES_00 -2.60, HTML_50_60 0.09, HTML_MESSAGE 0.00, MSGID_FROM_MTA_ID 1.72, RCVD_IN_DSBL 3.81, RCVD_IN_NJABL_PROXY 0.44, RCVD_IN_SORBS_HTTP 0.04, RCVD_IN_SORBS_SOCKS 0.34, RCVD_IN_XBL 3.08)

From bpumphrey at WoodMacLaw.com Fri Aug 18 16:06:59 2006
From: bpumphrey at WoodMacLaw.com (Billy A.
Pumphrey) Date: Fri Aug 18 16:07:02 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <44E5D551.8000908@chime.ucl.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187EA1D@woodenex.woodmaclaw.local> > > As usual, you guys are the best at responding and helping out. > > The default settings for sendmail is to continue retying for 5 days, > sending a warning after 4 hours. > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw > -- Wow, five days. From MailScanner at ecs.soton.ac.uk Fri Aug 18 16:08:09 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 18 16:08:53 2006 Subject: SASL authenticated users marked as spam In-Reply-To: <44E5CD5B.9040305@netmagicsolutions.com> References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> Message-ID: <44E5D7D9.2040103@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dhawal Doshy wrote: > Tony Stocker wrote: >> All, >> >> We set up our server to allow SASL authenticated users to be able to >> send (relay) mail through the server. This way they can use their >> mail clients at home or on the road and we don't have to worry about >> the ip address. However in early testing of this we found that >> several emails from users who had authenticated were getting marked as >> spam by SA (full score line below). Is there a way to set a rule that >> will put SASL authenticated users as 'safe' or at least give a >> negative score? 
>>
>> Aug 8 22:38:55 pps-mail MailScanner[31647]: Message BBF838EB2C.21AF6
>> from 68.106.108.165 (tony.stocker@example.com) to abc.com,def.com is
>> spam, SpamAssassin (not cached, score=5.266, required 3, BAYES_50
>> 0.00, INFO_TLD 1.27, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05)
>>
>> Both of the IN_*_DUL rules seem to indicate a 'hit' because of being a
>> "dial up user" based on what I could find on the web. However I
>> believe, if we set things up right, that only authenticated users
>> should be able to submit messages into the system. So should I just
>> disable these rules? That seems a little ham-fisted to me, and I
>> don't want to degrade spam detection I just don't want our users own
>> outbound mails getting marked as spam.
>>
>> Any ideas?
>
> Read this..
> http://wiki.apache.org/spamassassin/DynablockIssues
>
> See if your MTA will add a X-Auth OR a similar header for
> authenticated users. Finally, write a good rule to assign such mails
> -ve points.

You can usually look for something like the word "authenticated" in the
"Received" headers. Give that a big negative score.
Try this in /etc/MailScanner/spam.assassin.prefs.conf :

header USER_DID_AUTH Received =~ /authenticated/
score USER_DID_AUTH -10
describe USER_DID_AUTH User authenticated their SMTP connection

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE5dfaEfZZRxQVtlQRArwDAKDJbEcGPfMlsg1hKN02zFc4KBapbgCeLWmX
sRXGAb1YPl2llLT3PEXu+Ng=
=Bbwl
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk From akostocker at gmail.com Fri Aug 18 16:29:21 2006 From: akostocker at gmail.com (Tony Stocker) Date: Fri Aug 18 16:29:24 2006 Subject: SASL authenticated users marked as spam In-Reply-To: <44E5CD5B.9040305@netmagicsolutions.com> References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> Message-ID: <7801ad8f0608180829s1ae15fc2t3dc7be39542f857c@mail.gmail.com> On 8/18/06, Dhawal Doshy wrote: > Read this.. > http://wiki.apache.org/spamassassin/DynablockIssues > > See if your MTA will add a X-Auth OR a similar header for authenticated > users. Finally, write a good rule to assign such mails -ve points. > Thanks for the link! I'll have to see if the RH provided Postfix rpm has that particular option in it or not. From steve.freegard at fsl.com Fri Aug 18 16:41:51 2006 From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Aug 18 16:42:06 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E9E3@woodenex.woodmaclaw.local> References: <5450254EC7E7B54193C8AEFD904AA36325E521@PAT.internal.robertwalters.com> <04D932B0071FE34FA63EBB1977B48D150187E9E3@woodenex.woodmaclaw.local> Message-ID: <44E5DFBF.4030309@fsl.com> Hi Billy, Billy A. Pumphrey wrote: > Ok.... > > On the particular emails that I was checking to make sure that they went > through have. So everything is going to iron out looks like. (Outbound > down to 23 now) > > However, questions if someone would be so kind to answer them. > > MailScanner was always working fine, it was the exchange machine that I > messed up and it started blocking connections to only certain emails. > > What does sendmail do with these emails? > > Apparently holds on to them until they are delivered and are referred > to as deffered? Correct. > > There was a log entry that sent a notification to the sender that it > failed after 4 hours. What happens after that? 
>

By default - a notification is sent every 4 hours, then if the mail is
still undelivered after 5 days a delivery service notification (DSN) is
sent back to the user stating that the message could not be delivered
and the message is deleted from the queue.

> Why does it wait so long before trying to send the deferred emails
> again, assuming that is a sendmail setting?

Could be a number of factors -- by default on a RedHat system the queue
is run every 15 minutes.

Some systems might set confHOST_STATUS_DIRECTORY which holds a 'cache'
of hosts and their status and therefore if a host is marked as 'down'
the messages will be skipped for that host until the cache expires
(default 30 minutes).

> Can you tell sendmail to process them "now"?

To run force a queue run in the background:

sendmail -q

To run the queue and watch the output

sendmail -q -v

To run the queue and skip using the HOST_STATUS_DIRECTORY (if defined)

sendmail -qR@

Cheers,
Steve.

From dhawal at netmagicsolutions.com Fri Aug 18 16:47:20 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Aug 18 16:47:40 2006
Subject: SASL authenticated users marked as spam
In-Reply-To: <7801ad8f0608180829s1ae15fc2t3dc7be39542f857c@mail.gmail.com>
References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> <7801ad8f0608180829s1ae15fc2t3dc7be39542f857c@mail.gmail.com>
Message-ID: <44E5E108.6080503@netmagicsolutions.com>

Tony Stocker wrote:
> On 8/18/06, Dhawal Doshy wrote:
>> Read this..
>> http://wiki.apache.org/spamassassin/DynablockIssues
>>
>> See if your MTA will add a X-Auth OR a similar header for authenticated
>> users. Finally, write a good rule to assign such mails -ve points.
>>
> Thanks for the link! I'll have to see if the RH provided Postfix rpm
> has that particular option in it or not.

Umm.. you'll need postfix > 2.3 for that, read the link again and search for postfix.
- dhawal From bpumphrey at WoodMacLaw.com Fri Aug 18 16:53:46 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Fri Aug 18 16:53:49 2006 Subject: 153 will not deliever from the Outbound In-Reply-To: <44E5DFBF.4030309@fsl.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D150187EA77@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: Friday, August 18, 2006 11:42 AM > To: MailScanner discussion > Subject: Re: 153 will not deliever from the Outbound > > Hi Billy, > > Billy A. Pumphrey wrote: > > Ok.... > > > > On the particular emails that I was checking to make sure that they went > > through have. So everything is going to iron out looks like. (Outbound > > down to 23 now) > > > > However, questions if someone would be so kind to answer them. > > > > MailScanner was always working fine, it was the exchange machine that I > > messed up and it started blocking connections to only certain emails. > > > > What does sendmail do with these emails? > > > > Apparently holds on to them until they are delivered and are referred > > to as deffered? > > Correct. > > > > > There was a log entry that sent a notification to the sender that it > > failed after 4 hours. What happens after that? > > > > By default - a notification is sent every 4 hours, then if the mail is > still undelivered after 5 days a delivery service notification (DSN) is > sent back to the user stating that the message could not be delivered > and the message is deleted from the queue. > > > Why does it wait so long before trying to send the deffered emails > > again, assuming that is a sendmail setting? > > Could be a number of factors -- by default on a RedHat system the queue > is run every 15 minutes. 
> > Some systems might set confHOST_STATUS_DIRECTORY which holds a 'cache' > of hosts and their status and therefore if a host is marked as 'down' > the messages will be skipped for that host until the cache expires > (default 30 minutes). > > > Can you tell sendmail to process them "now"? > > To run force a queue run in the background: > > sendmail -q > > To run the queue and watch the output > > sendmail -q -v > > To run the queue and skip using the HOST_STATUS_DIRECTORY (if defined) > > sendmail -qR@ > > Cheers, > Steve. > -- Good to know information. Thank you much. From mikea at mikea.ath.cx Fri Aug 18 17:46:40 2006 From: mikea at mikea.ath.cx (mikea) Date: Fri Aug 18 17:46:45 2006 Subject: SASL authenticated users marked as spam In-Reply-To: <44E5D7D9.2040103@ecs.soton.ac.uk>; from MailScanner@ecs.soton.ac.uk on Fri, Aug 18, 2006 at 04:08:09PM +0100 References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> <44E5D7D9.2040103@ecs.soton.ac.uk> Message-ID: <20060818114640.A18607@mikea.ath.cx> On Fri, Aug 18, 2006 at 04:08:09PM +0100, Julian Field wrote: > Dhawal Doshy wrote: > > Tony Stocker wrote: > >> All, > >> > >> We set up our server to allow SASL authenticated users to be able to > >> send (relay) mail through the server. This way they can use their > >> mail clients at home or on the road and we don't have to worry about > >> the ip address. However in early testing of this we found that > >> several emails from users who had authenticated were getting marked as > >> spam by SA (full score line below). Is there a way to set a rule that > >> will put SASL authenticated users as 'safe' or at least give a > >> negative score? 
> >>
> >> Aug 8 22:38:55 pps-mail MailScanner[31647]: Message BBF838EB2C.21AF6
> >> from 68.106.108.165 (tony.stocker@example.com) to abc.com,def.com is
> >> spam, SpamAssassin (not cached, score=5.266, required 3, BAYES_50
> >> 0.00, INFO_TLD 1.27, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SORBS_DUL 2.05)
> >>
> >> Both of the IN_*_DUL rules seem to indicate a 'hit' because of being a
> >> "dial up user" based on what I could find on the web. However I
> >> believe, if we set things up right, that only authenticated users
> >> should be able to submit messages into the system. So should I just
> >> disable these rules? That seems a little ham-fisted to me, and I
> >> don't want to degrade spam detection I just don't want our users own
> >> outbound mails getting marked as spam.
> >>
> >> Any ideas?
> >
> > Read this..
> > http://wiki.apache.org/spamassassin/DynablockIssues
> >
> > See if your MTA will add a X-Auth OR a similar header for
> > authenticated users. Finally, write a good rule to assign such mails
> > -ve points.
> You can usually look for something like the word "authenticated" in the
> "Received" headers. Give that a big negative score.
> Try this in /etc/MailScanner/spam.assassin.prefs.conf :
> header USER_DID_AUTH Received =~ /authenticated/
> score USER_DID_AUTH -10
> describe USER_DID_AUTH User authenticated their SMTP connection

Julian's right, but you want to be sure that you're checking for this
in a header you can trust, and not a header that the sender fabricated
in _his_ machine.

Remember, to SMTP, headers are just part of the data.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From akostocker at gmail.com Fri Aug 18 18:07:57 2006
From: akostocker at gmail.com (Tony Stocker)
Date: Fri Aug 18 18:08:00 2006
Subject: SASL authenticated users marked as spam
In-Reply-To: <20060818114640.A18607@mikea.ath.cx>
References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> <44E5D7D9.2040103@ecs.soton.ac.uk> <20060818114640.A18607@mikea.ath.cx>
Message-ID: <7801ad8f0608181007k4049d1byb8eda2509271e5c4@mail.gmail.com>

On 8/18/06, mikea wrote:
>
> Julian's right, but you want to be sure that you're checking for this
> in a header you can trust, and not a header that the sender fabricated
> in _his_ machine.
>
> Remember, to SMTP, headers are just part of the data.

Thanks all. At the moment it appears that the RedHat provided Postfix
does not support the smtpd_sasl_authenticated_header directive. I've
popped off an email, and hopefully as a paying customer we might have
at least some kind of impact on them including an updated version
soon. In the meantime I think we may just have to restrict our
roaming users, or live with the occasionally bad score on their email.
Once RH has a compatible Postfix though I'll effect the change, and do
my best to make the header field somewhat unique so that it's less
likely to be spoofed.

From mkettler at evi-inc.com Fri Aug 18 18:48:35 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Aug 18 18:48:49 2006
Subject: MCP Efficiency?
In-Reply-To: <44E57C03.9030804@ecs.soton.ac.uk>
References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk>
Message-ID: <44E5FD73.4060202@evi-inc.com>

Julian Field wrote:
> Sorry, just checked the code. I am doing that already.
>
> The cause of the problem is that SpamAssassin does not appear to support
> the way I am trying to use it. I want 2 completely separate instances of
> SpamAssassin. One has all the normal SA rules as expected.
The other one > has no rules or dns checks or Razor or anything at all, it *only* has > the few rules specified for MCP checking. > > I can't make it do this, while still keeping all the rules compiled in > both instances and every setup done and cached. The only thing I can > make it do to run the way I want, is to tell it not to pre-compile all > the rules. As a result it has to do a huge load of SA compilation for > every message. > > If Matt Kettler is around, maybe he could offer me some advice. I have > tried asking on the SA list several times, and they don't understand why > I would want my 2nd instance at all, so I never got any helpful answers. I am around, unfortunately, this is completely out of my domain. I'm very familiar with SA configuration, rule writing, and how the behavior of the code affects rules and configuration. However, I have almost no familiarity with the perl API and making it do various things.. As an educated guess, I'd suggest you'd have to have to: 1) point rules_filename to a directory containing a single empty .cf file, or perhaps just a copy of 10_misc.cf. If the directory passed doesn't exist, SA may wind up defaulting back to searching for a suitable equivalent to /usr/share/spamassassin. 2) set site_rules_filename to a directory containing just your MCP rules. Again, this would have to exist or SA will probably search for a suitable equivalent to /etc/mail/spamassassin. 3) userprefs_filename would also have to point to an empty file. From glenn.steen at gmail.com Fri Aug 18 19:42:31 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 18 19:42:35 2006 Subject: MCP Efficiency? In-Reply-To: <44E5FD73.4060202@evi-inc.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <44E5FD73.4060202@evi-inc.com> Message-ID: <223f97700608181142l4e39018y4c4d5d990d64e56b@mail.gmail.com> On 18/08/06, Matt Kettler wrote: > Julian Field wrote: > > Sorry, just checked the code. 
I am doing that already. > > > > The cause of the problem is that SpamAssassin does not appear to support > > the way I am trying to use it. I want 2 completely separate instances of > > SpamAssassin. One has all the normal SA rules as expected. The other one > > has no rules or dns checks or Razor or anything at all, it *only* has > > the few rules specified for MCP checking. > > > > I can't make it do this, while still keeping all the rules compiled in > > both instances and every setup done and cached. The only thing I can > > make it do to run the way I want, is to tell it not to pre-compile all > > the rules. As a result it has to do a huge load of SA compilation for > > every message. > > > > If Matt Kettler is around, maybe he could offer me some advice. I have > > tried asking on the SA list several times, and they don't understand why > > I would want my 2nd instance at all, so I never got any helpful answers. > > > I am around, unfortunately, this is completely out of my domain. > > I'm very familiar with SA configuration, rule writing, and how the behavior of > the code affects rules and configuration. However, I have almost no familiarity > with the perl API and making it do various things.. > > As an educated guess, I'd suggest you'd have to have to: > > 1) point rules_filename to a directory containing a single empty .cf file, or > perhaps just a copy of 10_misc.cf. If the directory passed doesn't exist, SA may > wind up defaulting back to searching for a suitable equivalent to > /usr/share/spamassassin. > > 2) set site_rules_filename to a directory containing just your MCP rules. Again, > this would have to exist or SA will probably search for a suitable equivalent to > /etc/mail/spamassassin. > > 3) userprefs_filename would also have to point to an empty file. > This is pretty much what is done in Jules code already ( well, the directories and MailScanner.conf settings come into it too:-), at least that is what I could deduce. If I've (finally!) 
understood the problem correctly, the problems arise from "contamination" between the otwo separate SA objects instantiated for MCP and the regular SA run, resulting in the rule caching mechanism getting somewhat confused. Did I finally get it right Jules? :-) Not sure what one could do to alleviate this, unfortunately. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Aug 18 23:16:04 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 18 23:16:35 2006 Subject: MCP Efficiency? In-Reply-To: <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/18/2006 8:03 AM: > On 18/08/06, Glenn Steen wrote: >> On 18/08/06, Glenn Steen wrote: >> > On 18/08/06, Julian Field wrote: >> > > -----BEGIN PGP SIGNED MESSAGE----- >> > > Hash: SHA1 >> > > >> > > Sorry, just checked the code. I am doing that already. >> > > >> > > The cause of the problem is that SpamAssassin does not appear to >> support >> > > the way I am trying to use it. I want 2 completely separate >> instances of >> > > SpamAssassin. One has all the normal SA rules as expected. The >> other one >> > > has no rules or dns checks or Razor or anything at all, it *only* has >> > > the few rules specified for MCP checking. >> > > >> > > I can't make it do this, while still keeping all the rules >> compiled in >> > > both instances and every setup done and cached. The only thing I can >> > > make it do to run the way I want, is to tell it not to pre-compile >> all >> > > the rules. As a result it has to do a huge load of SA compilation for >> > > every message. 
>> > > >> > > If Matt Kettler is around, maybe he could offer me some advice. I >> have >> > > tried asking on the SA list several times, and they don't >> understand why >> > > I would want my 2nd instance at all, so I never got any helpful >> answers. >> > > >> > This is exactly what I suspected from the few trials I did recently >> > (was thinking of starting to use MCP). And that is where I got the >> > idea to set dns as unavailable. Helps some, but not all. >> > >> > The problems lie solidly in the built-in defaults that you cannot >> override. >> > What I think you have to do is to maintain a "cleaned" SA environment, >> > and see to it that MCP uses it by way of a chroot thingie. Really >> > icky:-(. >> > >> Replying to myself after actually reading your code and the code of >> the spamassassin command, as well as engaging brain just a tad (I >> might be fooling myself here:-)... >> Correct me if I'm wrong, but whatr you do in MCP.pm should be >> equivalent to calling spamassassin like: >> # spamassassin -D --lint -C /etc/MailScanner/mcp >> --siteconfigpath=/etc/MailScanner/mcp -p >> /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf 2>&1 | less -e >> >> .... or something very similar. >> That shouldn't get the effect you cite, nor the effect I (wrongly) >> observed. It should work IMO (so no need for extreme measures:-). >> Or am I totally missing something here? >> > Ah, just saw the light. Stupid me, please ignore....:-). > Glen is replying to himself again! Did a Postfix upgrade come out or something? ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From lshaw at emitinc.com Fri Aug 18 23:22:21 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Aug 18 23:22:33 2006
Subject: SASL authenticated users marked as spam
In-Reply-To: <7801ad8f0608181007k4049d1byb8eda2509271e5c4@mail.gmail.com>
References: <7801ad8f0608180715o41c9cba1qb07283332fe32f53@mail.gmail.com> <44E5CD5B.9040305@netmagicsolutions.com> <44E5D7D9.2040103@ecs.soton.ac.uk> <20060818114640.A18607@mikea.ath.cx> <7801ad8f0608181007k4049d1byb8eda2509271e5c4@mail.gmail.com>
Message-ID:

On Fri, 18 Aug 2006, Tony Stocker wrote:
> Thanks all. At the moment it appears that the RedHat provided Postfix
> does not support the smtpd_sasl_authenticated_header directive. I've
> popped off an email, and hopefully as a paying customer we might have
> at least some kind of impact on them including an updated version
> soon. In the meantime I think we may just have to restrict our
> roaming users, or live with the occasionally bad score on their email.

Another approach, by the way, might be to accept submissions on port 587, but require authentication for any and all activities on port 587. Then configure all your roaming users to submit through port 587, have that go into a separate queue, and have MailScanner skip the spam checks on that queue. (It might have to be a separate MailScanner instance.)

From binaryflow at gmail.com Sat Aug 19 01:16:41 2006
From: binaryflow at gmail.com (Douglas Ward)
Date: Sat Aug 19 01:16:45 2006
Subject: Filesys::Df module error after upgrade
Message-ID:

I am trying to upgrade MailScanner from version 4.49.7-1 to 4.55.9-1.
After installing the upgrade I see the following error when trying to restart the service:

[root@mxtest MailScanner]# service MailScanner restart
Shutting down MailScanner daemons:
MailScanner: [FAILED]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: postfix/postfix-script: fatal: the Postfix mail system is already running
[ OK ]
MailScanner: Can't locate Filesys/Df.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.7/i386-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl/5.8.7/i386-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 66.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 66.
[ OK ]

I have researched this fairly heavily and cannot seem to find a resolution. I can find Df.pm on the server but cannot seem to make the service start properly. I have upgraded MailScanner several times on this box and haven't seen this error before. What am I missing? I appreciate any help you could offer. Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060818/1d88e983/attachment.html

From glenn.steen at gmail.com Sat Aug 19 11:07:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 19 11:07:05 2006
Subject: MCP Efficiency?
In-Reply-To: References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> Message-ID: <223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com> On 19/08/06, Scott Silva wrote: > Glenn Steen spake the following on 8/18/2006 8:03 AM: > > On 18/08/06, Glenn Steen wrote: > >> On 18/08/06, Glenn Steen wrote: > >> > On 18/08/06, Julian Field wrote: > >> > > -----BEGIN PGP SIGNED MESSAGE----- > >> > > Hash: SHA1 > >> > > > >> > > Sorry, just checked the code. I am doing that already. > >> > > > >> > > The cause of the problem is that SpamAssassin does not appear to > >> support > >> > > the way I am trying to use it. I want 2 completely separate > >> instances of > >> > > SpamAssassin. One has all the normal SA rules as expected. The > >> other one > >> > > has no rules or dns checks or Razor or anything at all, it *only* has > >> > > the few rules specified for MCP checking. > >> > > > >> > > I can't make it do this, while still keeping all the rules > >> compiled in > >> > > both instances and every setup done and cached. The only thing I can > >> > > make it do to run the way I want, is to tell it not to pre-compile > >> all > >> > > the rules. As a result it has to do a huge load of SA compilation for > >> > > every message. > >> > > > >> > > If Matt Kettler is around, maybe he could offer me some advice. I > >> have > >> > > tried asking on the SA list several times, and they don't > >> understand why > >> > > I would want my 2nd instance at all, so I never got any helpful > >> answers. > >> > > > >> > This is exactly what I suspected from the few trials I did recently > >> > (was thinking of starting to use MCP). And that is where I got the > >> > idea to set dns as unavailable. Helps some, but not all. 
> >> >
> >> > The problems lie solidly in the built-in defaults that you cannot override.
> >> > What I think you have to do is to maintain a "cleaned" SA environment,
> >> > and see to it that MCP uses it by way of a chroot thingie. Really
> >> > icky:-(.
> >> >
> >> Replying to myself after actually reading your code and the code of
> >> the spamassassin command, as well as engaging brain just a tad (I
> >> might be fooling myself here:-)...
> >> Correct me if I'm wrong, but what you do in MCP.pm should be
> >> equivalent to calling spamassassin like:
> >> # spamassassin -D --lint -C /etc/MailScanner/mcp
> >> --siteconfigpath=/etc/MailScanner/mcp -p
> >> /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf 2>&1 | less -e
> >>
> >> .... or something very similar.
> >> That shouldn't get the effect you cite, nor the effect I (wrongly)
> >> observed. It should work IMO (so no need for extreme measures:-).
> >> Or am I totally missing something here?
> >>
> > Ah, just saw the light. Stupid me, please ignore....:-).
> >
> Glen is replying to himself again!
> Did a Postfix upgrade come out or something? ;-)
>
The compulsive "replying to oneself" behaviour is dictated by the use of Postfix.... Not its release schedule:-):-)
.... Or just by me being a bit slow... Couldn't even claim "hangover" as the reason for that... Just sloppy reading/understanding.:-)

Somewhat more on-topic... Is the solution to this MCP problem to redesign MCP? Make it use some other package (not that I would suggest any particular one), or ... Perhaps one could use the groundwork done for the phishing net to make something workable for MCP. After all, does it really have to be SA doing it? Just a thought.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailscanner at ecs.soton.ac.uk Sat Aug 19 12:32:49 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 19 12:32:57 2006
Subject: MCP Efficiency?
In-Reply-To: <223f97700608181142l4e39018y4c4d5d990d64e56b@mail.gmail.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <44E5FD73.4060202@evi-inc.com> <223f97700608181142l4e39018y4c4d5d990d64e56b@mail.gmail.com> Message-ID: <44E6F6E1.9090709@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 18/08/06, Matt Kettler wrote: >> Julian Field wrote: >> > Sorry, just checked the code. I am doing that already. >> > >> > The cause of the problem is that SpamAssassin does not appear to >> support >> > the way I am trying to use it. I want 2 completely separate >> instances of >> > SpamAssassin. One has all the normal SA rules as expected. The other >> one >> > has no rules or dns checks or Razor or anything at all, it *only* has >> > the few rules specified for MCP checking. >> > >> > I can't make it do this, while still keeping all the rules compiled in >> > both instances and every setup done and cached. The only thing I can >> > make it do to run the way I want, is to tell it not to pre-compile all >> > the rules. As a result it has to do a huge load of SA compilation for >> > every message. >> > >> > If Matt Kettler is around, maybe he could offer me some advice. I have >> > tried asking on the SA list several times, and they don't understand >> why >> > I would want my 2nd instance at all, so I never got any helpful >> answers. >> >> >> I am around, unfortunately, this is completely out of my domain. >> >> I'm very familiar with SA configuration, rule writing, and how the >> behavior of >> the code affects rules and configuration. However, I have almost no >> familiarity >> with the perl API and making it do various things.. >> >> As an educated guess, I'd suggest you'd have to have to: >> >> 1) point rules_filename to a directory containing a single empty .cf >> file, or >> perhaps just a copy of 10_misc.cf. 
If the directory passed doesn't >> exist, SA may >> wind up defaulting back to searching for a suitable equivalent to >> /usr/share/spamassassin. >> >> 2) set site_rules_filename to a directory containing just your MCP >> rules. Again, >> this would have to exist or SA will probably search for a suitable >> equivalent to >> /etc/mail/spamassassin. >> >> 3) userprefs_filename would also have to point to an empty file. >> > This is pretty much what is done in Jules code already ( well, the > directories and MailScanner.conf settings come into it too:-), at > least that is what I could deduce. > If I've (finally!) understood the problem correctly, the problems > arise from "contamination" between the otwo separate SA objects > instantiated for MCP and the regular SA run, resulting in the rule > caching mechanism getting somewhat confused. Did I finally get it > right Jules? :-) That's a fair summary, yes. SA compiles rules into individual perl functions, and the 2 pools of perl functions cross-contaminate. More or less. > > Not sure what one could do to alleviate this, unfortunately. > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE5vblEfZZRxQVtlQRAnBoAKDoVsfjCa1QUov7al5uUBEGiuefhACcCHJq 8bIO4yIYiIW0goZFHTNJYDM= =Uwqp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 19 12:35:52 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 19 12:36:01 2006 Subject: MCP Efficiency? 
In-Reply-To: <223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> <223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com> Message-ID: <44E6F798.7030701@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 19/08/06, Scott Silva wrote: >> Glenn Steen spake the following on 8/18/2006 8:03 AM: >> > On 18/08/06, Glenn Steen wrote: >> >> On 18/08/06, Glenn Steen wrote: >> >> > On 18/08/06, Julian Field wrote: >> >> > > -----BEGIN PGP SIGNED MESSAGE----- >> >> > > Hash: SHA1 >> >> > > >> >> > > Sorry, just checked the code. I am doing that already. >> >> > > >> >> > > The cause of the problem is that SpamAssassin does not appear to >> >> support >> >> > > the way I am trying to use it. I want 2 completely separate >> >> instances of >> >> > > SpamAssassin. One has all the normal SA rules as expected. The >> >> other one >> >> > > has no rules or dns checks or Razor or anything at all, it >> *only* has >> >> > > the few rules specified for MCP checking. >> >> > > >> >> > > I can't make it do this, while still keeping all the rules >> >> compiled in >> >> > > both instances and every setup done and cached. The only thing >> I can >> >> > > make it do to run the way I want, is to tell it not to pre-compile >> >> all >> >> > > the rules. As a result it has to do a huge load of SA >> compilation for >> >> > > every message. >> >> > > >> >> > > If Matt Kettler is around, maybe he could offer me some advice. I >> >> have >> >> > > tried asking on the SA list several times, and they don't >> >> understand why >> >> > > I would want my 2nd instance at all, so I never got any helpful >> >> answers. 
>> >> > > >> >> > This is exactly what I suspected from the few trials I did recently >> >> > (was thinking of starting to use MCP). And that is where I got the >> >> > idea to set dns as unavailable. Helps some, but not all. >> >> > >> >> > The problems lie solidly in the built-in defaults that you cannot >> >> override. >> >> > What I think you have to do is to maintain a "cleaned" SA >> environment, >> >> > and see to it that MCP uses it by way of a chroot thingie. Really >> >> > icky:-(. >> >> > >> >> Replying to myself after actually reading your code and the code of >> >> the spamassassin command, as well as engaging brain just a tad (I >> >> might be fooling myself here:-)... >> >> Correct me if I'm wrong, but whatr you do in MCP.pm should be >> >> equivalent to calling spamassassin like: >> >> # spamassassin -D --lint -C /etc/MailScanner/mcp >> >> --siteconfigpath=/etc/MailScanner/mcp -p >> >> /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf 2>&1 | less -e >> >> >> >> .... or something very similar. >> >> That shouldn't get the effect you cite, nor the effect I (wrongly) >> >> observed. It should work IMO (so no need for extreme measures:-). >> >> Or am I totally missing something here? >> >> >> > Ah, just saw the light. Stupid me, please ignore....:-). >> > >> Glen is replying to himself again! >> Did a Postfix upgrade come out or something? ;-) >> > The compulsive "replying to oneself" behaviour is dictateb by the use > of Postfix.... Not it's release schedule:-):-) > .... Or just by me being a bit slow... Couldn't even claim "hangover" > as the reason for that... Just sloppy reading/understanding.:-) > > Somewhat more on-topic... Is the solution to this MCP problem to > redisgn MCP? Make it use some other package (not that I would suggest > any particular one), or ... Perhaps one could use the groundwork done > for the phishing net to make something workable for MCP. After all, > does it really have to be SA doing it? Just a thought. 
I used SA to do it, as it very easily gave me a hugely flexible system for mapping rules onto the incoming text. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE5vecEfZZRxQVtlQRAkY6AKCP5O0Tq8a9RGUR8c2LGwggzVboaACgiV22 m+Qd4bJxpg72dpGcAG2JVdM= =G0hl -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Sat Aug 19 12:58:54 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Aug 19 12:58:58 2006 Subject: MCP Efficiency? In-Reply-To: <44E6F798.7030701@ecs.soton.ac.uk> References: <1155886006.12295.4.camel@jakes.synaq.com> <44E57C03.9030804@ecs.soton.ac.uk> <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com> <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com> <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com> <223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com> <44E6F798.7030701@ecs.soton.ac.uk> Message-ID: <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com> On 19/08/06, Julian Field wrote: > Glenn Steen wrote: (snip) > > Somewhat more on-topic... Is the solution to this MCP problem to > > redisgn MCP? Make it use some other package (not that I would suggest > > any particular one), or ... Perhaps one could use the groundwork done > > for the phishing net to make something workable for MCP. After all, > > does it really have to be SA doing it? Just a thought. > > I used SA to do it, as it very easily gave me a hugely flexible system > for mapping rules onto the incoming text. 
Yes, and that is a very good reason too. But any suggestion on how to solve it is likely going to be rather icky to implement... So a "Gordian cut" could perhaps be the best solution:-). I haven't delved too deeply, but I suppose you've considered doing something like a client server thing for it, making the MCP thing a completely separate process?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ajos1 at onion.demon.co.uk Sat Aug 19 17:04:01 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Sat Aug 19 17:04:13 2006
Subject: Filesys::Df module error after upgrade
Message-ID:

http://search.cpan.org/search?dist=Filesys-Df

or

cpan -i Filesys::Df

-----Original Message-----
From: MailScanner discussion

From dward at nccumc.org Sat Aug 19 19:52:37 2006
From: dward at nccumc.org (Douglas Ward)
Date: Sat Aug 19 19:52:40 2006
Subject: Filesys::Df module error after upgrade
In-Reply-To:
References:
Message-ID:

Thank you for this information. When I run the command you suggested I see the following failure message (missing package Digest::SHA produces the same error):

[root@mxtest douglas]# cpan -i Filesys::Df
CPAN: File::HomeDir loaded ok
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Fri, 18 Aug 2006 18:32:44 GMT
Running install for module Filesys::Df
Running make for I/IG/IGUTHRIE/Filesys-Df-0.92.tar.gz
CPAN: checksum security checks disabled because Digest::SHA not installed.
Please consider installing the Digest::SHA module.
Scanning cache /root/.cpan/build for sizes
CPAN: Compress::Zlib loaded ok
Filesys-Df-0.92/
Filesys-Df-0.92/XS_statvfs
Filesys-Df-0.92/META.yml
Filesys-Df-0.92/test.pl
Filesys-Df-0.92/Changes
Filesys-Df-0.92/MANIFEST
Filesys-Df-0.92/typemap
Filesys-Df-0.92/Df.pm
Filesys-Df-0.92/XS_statfs
Filesys-Df-0.92/Makefile.PL
Filesys-Df-0.92/README
Removing previously used /root/.cpan/build/Filesys-Df-0.92
CPAN: Module::Signature loaded ok
Package came without SIGNATURE
CPAN.pm: Going to build I/IG/IGUTHRIE/Filesys-Df-0.92.tar.gz
OS = linux
Checking for statvfs .....
d_statvfs is defined.
i_sysstatvfs is defined.
Building with statvfs ....
Checking if your kit is complete...
Looks good
Writing Makefile for Filesys::Df
CPAN: YAML loaded ok
cp Df.pm blib/lib/Filesys/Df.pm
/usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp -prototypes -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap -typemap typemap Df.xs > Df.xsc && mv Df.xsc Df.c
make: *** No rule to make target `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `Df.o'. Stop.
/usr/bin/make install Df.pm -- NOT OK
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible

On Sat, 19 Aug 2006 17:04:01 (GMT/BST), ajos1@onion.demon.co.uk < ajos1@onion.demon.co.uk> wrote:
>
>
> http://search.cpan.org/search?dist=Filesys-Df
>
> or
>
> cpan -i Filesys::Df
>
> -----Original Message-----
> From: MailScanner discussion Subj: Filesys::Df module error after upgrade
> Date: Fri, 18 Aug 2006 20:16:41 -0400
>
> I have researched this fairly heavily and cannot seem to find a
> resolution. I can find Df.pm on the server but cannot seem to make the
> service start properly. I have upgraded MailScanner several times on this
> box and haven't seen this error before. What am I missing? I appreciate any
> help you could offer. Thanks!
>
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Douglas Ward Director of Information Technology NC Methodist Conference 1307 Glenwood Ave. Raleigh, NC 27605 Work: (919) 832-9560 ext. 227 Fax: (919) 834-7989 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060819/d8840c2d/attachment.html From ajos1 at onion.demon.co.uk Sat Aug 19 20:02:35 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sat Aug 19 20:02:55 2006 Subject: 153 will not deliever from the Outbound Message-ID: - If you have McAfee Enterprise 8 virus scanner installed on your server... "it might"... or "might not" be causing the problem... as it contains a port blocker section to it. On my Exchange server... it does not cause me any problems... but it could be different for you. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey >> Sent: Friday, August 18, 2006 9:30 AM >> To: MailScanner discussion >> Subject: 153 will not deliever from the Outbound >> >> Well I created a little mess for myself. I configured the Exchange >> machine some with filtering and it was blocking some emails. The >> maillog would say this: >> >> Aug 18 07:47:34 WoodenMS2 sendmail[2677]: k7IBlMHk002635: >> to=, delay=00:00:12, xdelay=00:00:00, >> mailer=esmtp, pri=121593, relay=[10.1.1.22] [10.1.1.22], dsn=4.0.0, >> stat=Deferred: Connection refused by [10.1.1.22] >> >> So seemingly the ones that got the connection refused message are > being >> held in MailScanner. >> >> I configured exchanges rules, and I no longer get these messages and > all >> email is not getting rejected. 
The Outbound used to be about 300 and >> seemingly they were all going to get delivered until it stuck on 153, >> well 152 now. (minus one email in about 10 minutes) >> >> Am I missing something to get MailScanner to deliver these emails? >> > > I was trying to do some things to see the emails. My inbound and > outbound are the default /var/spool/mqueue and /var/spool/mqueue.in > > Will someone give me some tips on how to manually manipulate the emails? > My Inbound and Outbound links in MailWatch show nothing on the page so I > am not able to see what is in them. > > How does someone copy/move the emails from mqueue into a mailbox so that > one can sift through them? As I am wanting to see what is in these > emails because people are wondering about specific emails and I want to > at least make sure that I got them. == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call... 
+44 8457 90 90 90 http://www.samaritans.org/
=
=====================================================================

From holger at gebhardweb.de Sun Aug 20 02:05:31 2006
From: holger at gebhardweb.de (Holger Gebhard)
Date: Sun Aug 20 02:05:48 2006
Subject: Postfix 2.3 and MailScanner
References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com>
Message-ID: <006a01c6c3f4$bc1028d0$840804c3@PCHOME2>

Hi Julian,
Hi Group,

I run mailscanner with postfix (split queues) for many years with no problems.
Currently running mailscanner version 4.52.2.

The last week I upgraded postfix from 2.2 to 2.3.
After the upgrade I can see some strange warnings from postfix in my mail-logs: "ignoring out-of-order DSN original recipient..."

I searched some group and found this thread:

http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019

The strange thing is that only some messages are affected by this failure, not all.

I tried both postfix implementations (single postfix with hold queue and split queues with two postfix instances) with no success. The warning is still there with some messages.

Fortunately the affected messages are still being delivered.
But where does this failure come from?

Holger From mailscanner at ecs.soton.ac.uk Sun Aug 20 16:02:59 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 20 16:03:20 2006 Subject: Postfix 2.3 and MailScanner In-Reply-To: <006a01c6c3f4$bc1028d0$840804c3@PCHOME2> References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com> <006a01c6c3f4$bc1028d0$840804c3@PCHOME2> Message-ID: <44E879A3.8030905@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Does this happen with all messages, or only some? Can you isolate a single message that causes this problem for me please? I would suggest using "Archive Mail =" to archive all your mail and then use the logs to identify a particular message that causes the problem to be logged, and one that doesn't cause the problem. It is essential that you archive as "Raw Queue Files". If you can then send me one message file that causes the problem, and one message that doesn't cause it, I can take a look and fix it. I haven't played with Postfix 2.3 much yet, so have little experience of it. This is clearly another hurdle Wietse has created for my benefit :-) Holger Gebhard wrote: > Hi Julian, > Hi Group, > > i run mailscanner with postfix (split queues) for many years with no > problems. > Currently running mailscanner version 4.52.2. > > The last week i upgraded postfix from 2.2 to 2.3. > After the upgrade i can see some strange warnings from postfix in my > mail-logs: "ignoring out-of-order DSN original recipient..." 
> > I searched some group and found this threat: > > http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 > > > The strange is that only some messages are affected by this failure not > all. > > I tried both postfix implementations (single postfix with hold queue and > split queues with two postfix instances) with no success. The warning is > still there with some messages. > > Fortunately the affected messages are still being delivered. > But where come this failure from? > > > Holger - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE6HmnEfZZRxQVtlQRAhqgAJ9SaQs+JrKzjmdTnEC2K8IyvHEwBQCg7Qrm +XKMzlqKZpxVdml+PvmnjyE= =PYlg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From holger at gebhardweb.de Sun Aug 20 17:35:43 2006 From: holger at gebhardweb.de (Holger Gebhard) Date: Sun Aug 20 17:36:10 2006 Subject: Postfix 2.3 and MailScanner References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk> Message-ID: <00cc01c6c476$aea287b0$840804c3@PCHOME2> Hi Julian, the failure happens only with some messages, not all. The attached archive contains some example messages. Thanks for help :-) Holger ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Sunday, August 20, 2006 5:02 PM Subject: Re: Postfix 2.3 and MailScanner -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Does this happen with all messages, or only some? Can you isolate a single message that causes this problem for me please? I would suggest using "Archive Mail =" to archive all your mail and then use the logs to identify a particular message that causes the problem to be logged, and one that doesn't cause the problem. It is essential that you archive as "Raw Queue Files". If you can then send me one message file that causes the problem, and one message that doesn't cause it, I can take a look and fix it. I haven't played with Postfix 2.3 much yet, so have little experience of it. This is clearly another hurdle Wietse has created for my benefit :-) Holger Gebhard wrote: > Hi Julian, > Hi Group, > > i run mailscanner with postfix (split queues) for many years with no > problems. > Currently running mailscanner version 4.52.2. 
> > The last week i upgraded postfix from 2.2 to 2.3. > After the upgrade i can see some strange warnings from postfix in my > mail-logs: "ignoring out-of-order DSN original recipient..." > > I searched some group and found this threat: > > http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 > > > The strange is that only some messages are affected by this failure not > all. > > I tried both postfix implementations (single postfix with hold queue and > split queues with two postfix instances) with no success. The warning is > still there with some messages. > > Fortunately the affected messages are still being delivered. > But where come this failure from? > > > Holger - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE6HmnEfZZRxQVtlQRAhqgAJ9SaQs+JrKzjmdTnEC2K8IyvHEwBQCg7Qrm +XKMzlqKZpxVdml+PvmnjyE= =PYlg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: mails.zip Type: application/octet-stream Size: 5372 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060820/b048bce7/mails.obj From ajos1 at onion.demon.co.uk Sun Aug 20 18:11:34 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sun Aug 20 18:11:42 2006 Subject: Filesys::Df module error after upgrade Message-ID: - What version of linux and so forth are you on? Have you tried updating using the perl modules that are included with the MailScanner package? -----Original Message----- From: MailScanner discussion References: Message-ID: I am running Mandriva 2006. I ran the mailscanner installation file. I assumed it would install any missing perl modules? On Sun, 20 Aug 2006 18:11:34 (GMT/BST), ajos1@onion.demon.co.uk < ajos1@onion.demon.co.uk> wrote: > > - > > What version of linux and so forth are you on? > > Have you tried updating using the perl modules that are included with the > MailScanner package? > > -----Original Message----- > From: MailScanner discussion Subj: Re: Filesys::Df module error after upgrade > Date: Sat, 19 Aug 2006 14:52:37 -0400 > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- Douglas Ward Director of Information Technology NC Methodist Conference 1307 Glenwood Ave. Raleigh, NC 27605 Work: (919) 832-9560 ext. 227 Fax: (919) 834-7989 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060820/5c6c95fe/attachment.html From mailscanner at ecs.soton.ac.uk Sun Aug 20 19:23:41 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 20 19:24:02 2006 Subject: Postfix 2.3 and MailScanner In-Reply-To: <00cc01c6c476$aea287b0$840804c3@PCHOME2> References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk> <00cc01c6c476$aea287b0$840804c3@PCHOME2> Message-ID: <44E8A8AD.40603@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can you make sure you are using the latest Postfix? I am running 2.3.2 and I cannot re-create your symptoms. I have used all the 4 messages you sent me and they all worked fine, bar a warning about timestamps which I always get and is due to the way I am dropping things into its queue directories. I can't fix it until I can reproduce it, sorry. Holger Gebhard wrote: > Hi Julian, > > the failure happens only with some messages, not all. > The attached archive contains some example messages. 
> > Thanks for help :-) > > > Holger > > ----- Original Message ----- From: "Julian Field" > > To: "MailScanner discussion" > Sent: Sunday, August 20, 2006 5:02 PM > Subject: Re: Postfix 2.3 and MailScanner > > > > > * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 > * text/plain body > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 > > Does this happen with all messages, or only some? > Can you isolate a single message that causes this problem for me please? > I would suggest using "Archive Mail =" to archive all your mail and then > use the logs to identify a particular message that causes the problem to > be logged, and one that doesn't cause the problem. > > It is essential that you archive as "Raw Queue Files". > > If you can then send me one message file that causes the problem, and > one message that doesn't cause it, I can take a look and fix it. > > I haven't played with Postfix 2.3 much yet, so have little experience of > it. This is clearly another hurdle Wietse has created for my benefit :-) > > > Holger Gebhard wrote: >> Hi Julian, >> Hi Group, >> >> i run mailscanner with postfix (split queues) for many years with no >> problems. >> Currently running mailscanner version 4.52.2. >> >> The last week i upgraded postfix from 2.2 to 2.3. >> After the upgrade i can see some strange warnings from postfix in my >> mail-logs: "ignoring out-of-order DSN original recipient..." >> >> I searched some group and found this threat: >> >> http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 >> >> >> >> The strange is that only some messages are affected by this failure not >> all. >> >> I tried both postfix implementations (single postfix with hold queue and >> split queues with two postfix instances) with no success. The warning is >> still there with some messages. 
>> >> Fortunately the affected messages are still being delivered. >> But where come this failure from? >> >> >> Holger > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE6KiwEfZZRxQVtlQRAt2pAKDSUti8KDrj7mNGGA8MqhFEXIo9hACfV2Le ui8msutTnYukLNNMyKAvt3U= =fQhv -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sun Aug 20 19:38:12 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 20 19:38:30 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: References: Message-ID: <44E8AC14.9040906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The author of this module renamed it, if I remember correctly :-( Do perl -MCPAN -e shell and then install Filesys::Df and that should install the latest version of the required module. Douglas Ward wrote: > I am running Mandriva 2006. I ran the mailscanner installation file. I > assumed it would install any missing perl modules? > > On Sun, 20 Aug 2006 18:11:34 (GMT/BST), * ajos1@onion.demon.co.uk > * > wrote: > > - > > What version of linux and so forth are you on? > > Have you tried updating using the perl modules that are included > with the MailScanner package? 
> > -----Original Message----- > From: MailScanner discussion < mailscanner@lists.mailscanner.info > > Subj: Re: Filesys::Df module error after upgrade > Date: Sat, 19 Aug 2006 14:52:37 -0400 > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > Douglas Ward > Director of Information Technology > NC Methodist Conference > 1307 Glenwood Ave. > Raleigh, NC 27605 > Work: (919) 832-9560 ext. 227 > Fax: (919) 834-7989 > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE6KwWEfZZRxQVtlQRAicjAKCzo8BDWVBLgZLApSSHyN08lOj/TwCfSbRK KU64n8TsL4ncA+86/V4XMwo= =RqmZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From ajos1 at onion.demon.co.uk Sun Aug 20 19:45:34 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sun Aug 20 19:45:44 2006 Subject: Filesys::Df module error after upgrade Message-ID: - True... it should auto install them. What version of perl are you on? perl -v I am on 5.8.8 and have loads of files in /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE ... including EXTERN.h... but only 1 file in /usr/lib/perl5/5.8.7/i386-linux-thread-multi/CORE . [On redhat]. -----Original Message----- From: MailScanner discussion <44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2> <44E8A8AD.40603@ecs.soton.ac.uk> Message-ID: <002601c6c48b$ba7054e0$840804c3@PCHOME2> I am also running Postfix in Version 2.3.2... I forward a copy of all Spammails to a Mailbox (Spam Actions). Maybe the failure comes from here? It seems the failure produced by the DSN Recipient Line in the Envelope-Header. Only a idea... But what will happen if MailScanner delete all the DSN Header in the envelope. When the Message is requeued, postfix might add new headers to the Queuefile? ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Sunday, August 20, 2006 8:23 PM Subject: Re: Postfix 2.3 and MailScanner -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can you make sure you are using the latest Postfix? I am running 2.3.2 and I cannot re-create your symptoms. 
I have used all the 4 messages you sent me and they all worked fine, bar a warning about timestamps which I always get and is due to the way I am dropping things into its queue directories. I can't fix it until I can reproduce it, sorry. Holger Gebhard wrote: > Hi Julian, > > the failure happens only with some messages, not all. > The attached archive contains some example messages. > > Thanks for help :-) > > > Holger > > ----- Original Message ----- From: "Julian Field" > > To: "MailScanner discussion" > Sent: Sunday, August 20, 2006 5:02 PM > Subject: Re: Postfix 2.3 and MailScanner > > > > > * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 > * text/plain body > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 > > Does this happen with all messages, or only some? > Can you isolate a single message that causes this problem for me please? > I would suggest using "Archive Mail =" to archive all your mail and then > use the logs to identify a particular message that causes the problem to > be logged, and one that doesn't cause the problem. > > It is essential that you archive as "Raw Queue Files". > > If you can then send me one message file that causes the problem, and > one message that doesn't cause it, I can take a look and fix it. > > I haven't played with Postfix 2.3 much yet, so have little experience of > it. This is clearly another hurdle Wietse has created for my benefit :-) > > > Holger Gebhard wrote: >> Hi Julian, >> Hi Group, >> >> i run mailscanner with postfix (split queues) for many years with no >> problems. >> Currently running mailscanner version 4.52.2. >> >> The last week i upgraded postfix from 2.2 to 2.3. >> After the upgrade i can see some strange warnings from postfix in my >> mail-logs: "ignoring out-of-order DSN original recipient..." 
>> >> I searched some group and found this threat: >> >> http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 >> >> >> >> The strange is that only some messages are affected by this failure not >> all. >> >> I tried both postfix implementations (single postfix with hold queue and >> split queues with two postfix instances) with no success. The warning is >> still there with some messages. >> >> Fortunately the affected messages are still being delivered. >> But where come this failure from? >> >> >> Holger > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE6KiwEfZZRxQVtlQRAt2pAKDSUti8KDrj7mNGGA8MqhFEXIo9hACfV2Le ui8msutTnYukLNNMyKAvt3U= =fQhv -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From pete at enitech.com.au Sun Aug 20 23:40:16 2006 From: pete at enitech.com.au (Peter Russell) Date: Sun Aug 20 23:40:45 2006 Subject: Some more on AV scanners. 
In-Reply-To: <223f97700608171143k49799f46y95b74e4677c374b5@mail.gmail.com>
References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com> <223f97700608171143k49799f46y95b74e4677c374b5@mail.gmail.com>
Message-ID: <44E8E4D0.5050501@enitech.com.au>

I use clam, bitdefender and antivir - antivir is German I think and is available for free for non-commercial use (we are a not-for-profit company). We have a site-wide CA license but I gave up trying to get it working on centos/rhel4.

Glenn Steen wrote:
> On 17/08/06, Scott Silva wrote:
> (snip)
>> I have been trying to get some response from Bitdefender, and so far it looks
>> like the free version should continue to work for the foreseeable future, but
>> could not get any real idea when they would "break" it. So if you have it, it
>> should be ok for the short to mid term while you look.
>>
> My thought exactly, Scott.
> No rush, but... Since I happen to have a smidgen of time over this
> week, and might be severely out of time the next couple of
> weeks/months (new network (hp 3500:s and 5412/5406:s) and rebuilding
> the storage for the db servers and implementing a new VPN and starting
> the work on purchasing new db servers altogether and updating oracle
> and... generally running around in little circles to keep everyone
> happy... sigh), I thought it a good idea to start looking now:-).
> Appreciate the input though.
>

From ajos1 at onion.demon.co.uk Mon Aug 21 03:09:52 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Mon Aug 21 03:10:00 2006
Subject: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
Message-ID:

-

Have I got something wrong and being silly?
I am:-

mailscanner-4.55.10-3.noarch.rpm
Sys::Syslog - 0.16

And I am getting this lovely message when I do:-

[root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart
Stopping spamd: [ OK ]
Starting spamd: [771] error: no connection to syslog available
[771] error: - _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
[ OK ]

From ajos1 at onion.demon.co.uk Mon Aug 21 03:34:07 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Mon Aug 21 03:34:20 2006
Subject: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
Message-ID:

-

Update... I have 5 systems... at different stages...

So I went back and checked one of them...

=====================================

So... I checked... a backup system...

mailscanner-4.55.9-1.noarch.rpm
Sys::Syslog - 0.13

and there were NO errors...

=====================================

So I updated MailScanner on the backup system, so it became...

mailscanner-4.55.10-3.noarch.rpm
Sys::Syslog - 0.13

Still NO errors...

=====================================

So ON MY PROBLEM system... I back ported Syslog back to 0.13

mailscanner-4.55.10-3.noarch.rpm
Sys::Syslog - 0.13

And now there are NO errors!

=====================================

Do we need to go back to 0.13 or something not 0.16?

-----Original Message-----
From: ajos1@onion.demon.co.uk
Subj: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
Date: Mon, 21 Aug 2006 03:09:52 (GMT/BST)

-

Have I got something wrong and being silly?
I am:-

mailscanner-4.55.10-3.noarch.rpm
Sys::Syslog - 0.16

And I am getting this lovely message when I do:-

[root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart
Stopping spamd: [ OK ]
Starting spamd: [771] error: no connection to syslog available
[771] error: - _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
[ OK ]

From res at ausics.net Mon Aug 21 03:47:21 2006
From: res at ausics.net (Res)
Date: Mon Aug 21 03:47:32 2006
Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
In-Reply-To:
References:
Message-ID:

You should not be using 0.16 of sys::syslog; it is faulty. Downgrade to 0.15 ASAP.

On Mon, 21 Aug 2006, ajos1@onion.demon.co.uk wrote:

> -
>
> Have I got something wrong and being silly?
>
> I am:-
>
> mailscanner-4.55.10-3.noarch.rpm
> Sys::Syslog - 0.16
>
>
> And I am getting this lovely message when I do:-
>
>
> [root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart
> Stopping spamd: [ OK ]
> Starting spamd: [771] error: no connection to syslog available
> [771] error: - _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
> [ OK ]
>

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Mon Aug 21 03:52:23 2006
From: res at ausics.net (Res)
Date: Mon Aug 21 03:52:36 2006
Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
In-Reply-To:
References:
Message-ID:

Julian, your sys:syslog package update to remove the semi broken 0.17 has included the utterly broken 0.16, can you release an update with 0.15 please, at least until Seb releases 0.18 :)

On Mon, 21 Aug 2006, ajos1@onion.demon.co.uk
wrote:

> -
>
> Have I got something wrong and being silly?
>
> I am:-
>
> mailscanner-4.55.10-3.noarch.rpm
> Sys::Syslog - 0.16
>
>
> And I am getting this lovely message when I do:-
>
>
> [root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart
> Stopping spamd: [ OK ]
> Starting spamd: [771] error: no connection to syslog available
> [771] error: - _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
> [ OK ]
>

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From leiw324 at yahoo.com.hk Mon Aug 21 05:08:00 2006
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Mon Aug 21 05:08:04 2006
Subject: Cannot delete spam mail
Message-ID: <20060821040800.38563.qmail@web54403.mail.yahoo.com>

I have set up postfix+mailscanner+spamassassin+clamav.

The virus protection is working well but the spam quarantine still cannot delete; the following is some of the information:

X-SFAEPS-MailScanner-SpamCheck: spam, SpamAssassin (score=5.014, required 3

MailScanner.conf:

Required SpamAssassin Score = 3
High SpamAssassin Score = 5
Spam Actions = delete header "X-Spam-Status: Yes"
High Scoring Spam Actions = delete header "X-Spam-Status: Yes"
Non Spam Actions = deliver header "X-Spam-Status: No"

Some Maillog:

Aug 21 11:08:49 gateway postfix/cleanup[2342]: EBEBD330261: hold: header Received: from localhost (msa.epaper.com.tw [211.20.188.80])??by msi.epaper.com.tw (Postfix) with SMTP??id EEE231CDE15E2; Mon, 21 Aug 2006 11:07:37 +0800 (CST) from msi.epaper.com.tw[211.20.188.88]; from= to= proto=ESMTP helo=
Aug 21 11:08:49 gateway postfix/cleanup[2342]: EBEBD330261: message-id=<20060821030737.EEE231CDE15E2@msi.epaper.com.tw>
Aug 21 11:08:50 gateway postfix/smtpd[2336]: disconnect from msi.epaper.com.tw[211.20.188.88]
Aug 21 11:08:50 gateway MailScanner[1976]: New Batch: Scanning 1 messages, 135789
bytes
Aug 21 11:08:50 gateway MailScanner[1976]: Expired 2 records from the SpamAssassin cache
Aug 21 11:08:55 gateway MailScanner[1976]: Spam Checks: Found 1 spam messages
Aug 21 11:08:56 gateway MailScanner[1976]: Virus and Content Scanning: Starting
Aug 21 11:09:05 gateway MailScanner[1976]: Content Checks: Detected and have disarmed web bug tags in HTML message in EBEBD330261.938B5 from edm@mx1.epaper.com.tw
Aug 21 11:09:06 gateway MailScanner[1976]: Requeue: EBEBD330261.938B5 to EEBE833026B
Aug 21 11:09:06 gateway MailScanner[1976]: Uninfected: Delivered 1 messages
Aug 21 11:09:06 gateway MailScanner[1976]: Batch (1 message) processed in 16.00 seconds

Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/452a7bbb/attachment.html

From raymond at prolocation.net Mon Aug 21 08:07:18 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Aug 21 08:07:20 2006
Subject: Cannot delete spam mail
In-Reply-To: <20060821040800.38563.qmail@web54403.mail.yahoo.com>
References: <20060821040800.38563.qmail@web54403.mail.yahoo.com>
Message-ID:

Hi!

> > Spam Actions = delete header "X-Spam-Status: Yes"
> > High Scoring Spam Actions = delete header "X-Spam-Status: Yes"
>

Uhm, why not simply 'delete' ? Adding things on mail you delete anyway is only wasting time.

Bye,
Raymond.

From padma at eis.iisc.ernet.in Mon Aug 21 13:42:13 2006
From: padma at eis.iisc.ernet.in (padma@eis.iisc.ernet.in)
Date: Mon Aug 21 08:18:19 2006
Subject: MailScanner + sendmail - sendmail process killed abruptly
Message-ID:

Hi!

The entire setup is running MailScanner-4.45.4 | sendmail-8.13.4. When only sendmail is running it is working fine.
But when I start the mailscanner (which internally starts sendmail) after a few seconds sendmail dies abruptly and gives a connection refused error

relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Regards
Padma
ERNET Helpdesk

From MailScanner at ecs.soton.ac.uk Mon Aug 21 09:39:52 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 21 09:40:17 2006
Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79
In-Reply-To:
References:
Message-ID: <44E97158.8080305@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, but you are wrong. I just checked the RPM install.sh script and it clearly install 0.17, in a way that works just fine.

Where is the evidence that the latest stable release installs 0.16?

Res wrote:
> Julian, your sys:syslog package update to remove the semi broken 0.17
> has included the utterly broken 0.16, can you release an update with
> 0.15 please, at least until Seb releases 0.18 :)
>
>
> On Mon, 21 Aug 2006, ajos1@onion.demon.co.uk wrote:
>
>> -
>>
>> Have I got something wrong and being silly?
>> >> I am:- >> >> mailscanner-4.55.10-3.noarch.rpm >> Sys::Syslog - 0.16 >> >> >> And I am getting this lovely message when I do:- >> >> >> [root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart >> Stopping spamd: [ OK ] >> Starting spamd: [771] error: no connection to syslog available >> [771] error: - _PATH_LOG not available in syslog.h at >> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm >> line 79 >> [ OK ] >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6XFZEfZZRxQVtlQRAgLoAJ9tGjmm4cuWJErGNJFwF11cDL/lpQCfSStK 5MhI3docmxHmm41N816AMUs= =fLvz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Aug 21 09:41:04 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 21 09:41:23 2006 Subject: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: References: Message-ID: <44E971A0.7080703@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You need 0.17 which is what the installer currently installs. This is 4.55.10-3. You won't have any problems with the latest stable release. ajos1@onion.demon.co.uk wrote: > - > > Update... I have 5 systems... at different stages... > > So I went back and checked them one of them... > > ===================================== > > So... I checked... a backup system... > > mailscanner-4.55.9-1.noarch.rpm > Sys::Syslog - 0.13 > > and there were NO errors... > > ===================================== > > So I updated MailScanner on the backup system, so it became... 
> > mailscanner-4.55.10-3.noarch.rpm > Sys::Syslog - 0.13 > > Still NO errors... > > ===================================== > > So ON MY PROBLEM system... I back ported Syslog back to 0.13 > > mailscanner-4.55.10-3.noarch.rpm > Sys::Syslog - 0.13 > > And now there are NO errors! > > ===================================== > > Do we need to go back to 0.13 or something not 0.16? > > > -----Original Message----- > From: ajos1@onion.demon.co.uk > Subj: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 > Date: Mon, 21 Aug 2006 03:09:52 (GMT/BST) > > - > > Have I got something wrong and being silly? > > I am:- > > mailscanner-4.55.10-3.noarch.rpm > Sys::Syslog - 0.16 > > > And I am getting this lovely message when I do:- > > > [root@www perl_ext]# sh /etc/rc.d/init.d/spamassassin restart > Stopping spamd: [ OK ] > Starting spamd: [771] error: no connection to syslog available > [771] error: - _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 > [ OK ] > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6XGgEfZZRxQVtlQRAjIaAKCMUplvj8DfBg3Kwk+2BRf72+QU6QCfSd50 hOHAJMDu9ZMCGyxdYVySR4Y= =Sa6g -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From martinh at solid-state-logic.com Mon Aug 21 09:59:00 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Mon Aug 21 09:59:09 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E97158.8080305@ecs.soton.ac.uk> References: <44E97158.8080305@ecs.soton.ac.uk> Message-ID: <44E975D4.4080005@solid-state-logic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sorry, but you are wrong. I just checked the RPM install.sh script and > it clearly install 0.17, in a way that works just fine. > > Where is the evidence that the latest stable release installs 0.16? > > Res wrote: >> Julian, your sys:syslog package update to remove the semi broken 0.17 >> has included the utterly broken 0.16, can you release an update with >> 0.15 please, at least until Seb releases 0.18 :) >> >> > Jules from the www.mailscannerc.info front page...news 7/8/2006 - Updated the stable release to include downgrading Sys::Syslog from 0.17 to 0.16 as the author of this module has withdrawn 0.17 due to incompatibility reasons. Oh yeah and Seb's got a beta 0.18 ready whenever you are ready to pop it into the MS beta (as he said on the IRC channel last week, but you weren't around at the time). -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From res at ausics.net Mon Aug 21 11:29:44 2006 From: res at ausics.net (Res) Date: Mon Aug 21 11:29:53 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E97158.8080305@ecs.soton.ac.uk> References: <44E97158.8080305@ecs.soton.ac.uk> Message-ID: On Mon, 21 Aug 2006, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sorry, but you are wrong. I just checked the RPM install.sh script and > it clearly install 0.17, in a way that works just fine. Wrong? hmm interesting, your "OWN" comments : [news.gif] 7/8/2006 - Updated the stable release to include downgrading Sys::Syslog from 0.17 to 0.16 as the author of this module has withdrawn 0.17 due to incompatibility reasons. and my comments: and as 0.16 was broken even more......... From res at ausics.net Mon Aug 21 11:31:33 2006 From: res at ausics.net (Res) Date: Mon Aug 21 11:31:55 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E975D4.4080005@solid-state-logic.com> References: <44E97158.8080305@ecs.soton.ac.uk> <44E975D4.4080005@solid-state-logic.com> Message-ID: On Mon, 21 Aug 2006, Martin Hepworth wrote: > > from the www.mailscannerc.info front page...news > I know I've been pretty sleep deprived lately Martin, but I was sure I have not completely lost it yet and was the only person reading that. 
maybe you are just as sleep deprived as I am and we both dreamt it :) -- Cheers Res Aussie Open Source Hosting "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From martinh at solid-state-logic.com Mon Aug 21 11:45:29 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Mon Aug 21 11:45:45 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: References: <44E97158.8080305@ecs.soton.ac.uk> <44E975D4.4080005@solid-state-logic.com> Message-ID: <44E98EC9.4040403@solid-state-logic.com> Res wrote: > On Mon, 21 Aug 2006, Martin Hepworth wrote: > >> >> from the www.mailscannerc.info front page...news >> > > I know I've been pretty sleep deprived lately Martin, but I was sure I > have not completely lost it yet and was the only person reading that. > maybe you are just as sleep deprived as I am and we both dreamt it :) > Res refreshed my cache - looked in the maillist archives and it's all still there.....maybe Jules needs some sleep ;-) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From res at ausics.net Mon Aug 21 12:17:54 2006 From: res at ausics.net (Res) Date: Mon Aug 21 12:18:09 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E98EC9.4040403@solid-state-logic.com> References: <44E97158.8080305@ecs.soton.ac.uk> <44E975D4.4080005@solid-state-logic.com> <44E98EC9.4040403@solid-state-logic.com> Message-ID: On Mon, 21 Aug 2006, Martin Hepworth wrote: > Res wrote: >> On Mon, 21 Aug 2006, Martin Hepworth wrote: >> >>> >>> from the www.mailscannerc.info front page...news >>> >> >> I know I've been pretty sleep deprived lately Martin, but I was sure I >> have not completely lost it yet and was the only person reading that. >> maybe you are just as sleep deprived as I am and we both dreamt it :) >> > Res > > refreshed my cache - looked in the maillist archives and it's all still > there.....maybe Jules needs some sleep ;-) it's just possible you're right :) -- Cheers Res Aussie Open Source Hosting "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From MailScanner at ecs.soton.ac.uk Mon Aug 21 13:44:10 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 21 13:44:33 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E98EC9.4040403@solid-state-logic.com> References: <44E97158.8080305@ecs.soton.ac.uk> <44E975D4.4080005@solid-state-logic.com> <44E98EC9.4040403@solid-state-logic.com> Message-ID: <44E9AA9A.20302@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just posted a news item to the website, to clear and verify the situation with Sys::Syslog.
Martin Hepworth wrote: > Res wrote: >> On Mon, 21 Aug 2006, Martin Hepworth wrote: >> >>> >>> from the www.mailscannerc.info front page...news >>> >> >> I know I've been pretty sleep deprived lately Martin, but I was sure >> I have not completely lost it yet and was the only person reading that. >> maybe you are just as sleep deprived as I am and we both dreamt it :) >> > Res > > refreshed my cache - looked in the maillist archives and it's all > still there.....maybe Jules needs some sleep ;-) > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6aqbEfZZRxQVtlQRAmmIAJ9nIgETrpw+wzzKnVgAixvJRp+iVgCgkwrQ ZSOGmS6wOO5MlsDptycF7gg= =O1du -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Aug 21 13:51:13 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 21 13:51:38 2006 Subject: Thoughts on Barracudas? Message-ID: <44E9AC41.1010005@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, I have had some comments from a few people leaving the mailing list as they are ditching their MailScanner setups and switching to Barracuda appliances instead. They claim that things worked fine when they first installed MailScanner, but gradually more and more spam is leaking through, to the point where they have decided to abandon it. Here is what he said: "I've tried Mailscanner on FreeBSD for almost one year. It worked great for about two months, then after every upgrade it began to let more and more spam through. I've tried everything to fix it and just got tired of my users complaining of increased spam. "It wasn't worth the headache. 
Your forums indicate that there are numerous people experienced the same problems I have encountered. "I have since purchased a Barracuda SPAM 200 firewall. This device has worked much better." What is your opinion on the Barracuda appliance? How easy is it to use? Does it actually work? Can it survive the loads they say it can? And, of course, how does it compare with MailScanner? Please be open and honest, and as impartial as you can. All of your thoughts are most welcome. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 aSJKg2X8ibML6k+ZA3hpPlQ= =Ji1K -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solid-state-logic.com Mon Aug 21 13:53:55 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Mon Aug 21 13:54:03 2006 Subject: {MailScanner: Spam?} _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: <44E9AA9A.20302@ecs.soton.ac.uk> References: <44E97158.8080305@ecs.soton.ac.uk> <44E975D4.4080005@solid-state-logic.com> <44E98EC9.4040403@solid-state-logic.com> <44E9AA9A.20302@ecs.soton.ac.uk> Message-ID: <44E9ACE3.4080608@solid-state-logic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just posted a news item to the website, to clear and verify the > situation with Sys::syslog. 
> > Martin Hepworth wrote: >> Res wrote: >>> On Mon, 21 Aug 2006, Martin Hepworth wrote: >>> >>>> from the www.mailscannerc.info front page...news >>>> >>> I know I've been pretty sleep deprived lately Martin, but I was sure >>> I have not completely lost it yet and was the only person reading that. >>> maybe you are just as sleep deprived as I am and we both dreamt it :) >>> >> Res >> >> refreshed my cache - looked in the maillist archives and it's all >> still there.....maybe Jules needs some sleep ;-) >> > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFE6aqbEfZZRxQVtlQRAmmIAJ9nIgETrpw+wzzKnVgAixvJRp+iVgCgkwrQ > ZSOGmS6wOO5MlsDptycF7gg= > =O1du > -----END PGP SIGNATURE----- > Jules that'll be 0.17 of Sys:Syslog, not 1.17 then ;-) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solid-state-logic.com Mon Aug 21 14:02:54 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Mon Aug 21 14:03:02 2006 Subject: Thoughts on Barracudas? 
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <44E9AEFE.1060105@solid-state-logic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > appliances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. > > - -- > Julian Field Jules You need to maintain the SA side of things, make sure you have RulesDuJour etc installed and picking up the SARE and other rules. Spam is an evolving thing and therefore you need to spend a little time making sure your system can auto-update. It's not an install/forget system - I think this way of thinking is another example of M$ skewing the market, you don't need all those expensive well trained/experienced sys-admins! From what I've heard of Barracuda they are not very good (I've heard expletives used here). 
Cobweb (who run a hosted MS-Exchange business in the UK) used to use them but moved away about 6 months ago as the spam trapping was v poor. Upgrading MS won't increase the spam getting through, this is just an excuse.....ya gotta setup SA correctly in the first place. The thing how can we get people to setup SA better? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From michele at blacknight.ie Mon Aug 21 14:03:54 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions) Date: Mon Aug 21 14:04:03 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <05ed01c6c522$421944b0$88c5c657@arthur> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list > as they are ditching their MailScanner setups and switching to > Barracuda applicances instead. They claim that things worked fine > when they first installed MailScanner, but gradually more and more > spam is leaking through, to the point where they have decided to > abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked > great for about two months, then after every upgrade it began to let > more and more spam through. I've tried everything to fix it and just > got tired of my users complaining of increased spam. "It wasn't worth > the headache. 
Your forums indicate that there are numerous people > experienced the same problems I have encountered. "I have since > purchased a Barracuda SPAM 200 firewall. This device has worked much > better." > > > > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. > >From what I've heard they're pretty much a sealed box, so you don't have the same level of control that you would get from MailScanner Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From martelm at quark.vsc.edu Mon Aug 21 14:14:46 2006 From: martelm at quark.vsc.edu (Michael H. Martel) Date: Mon Aug 21 14:14:55 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: --On August 21, 2006 1:51:13 PM +0100 Julian Field wrote: > What is your opinion on the Barracuda appliance? I don't like it. I was forced into it by Management. They were wowed by the graphical front end that allowed individual users to manage their own white and black lists. I think that the biggest thing it's got going for it is the graphical interface. Remove that and it's not that good. > How easy is it to use? Easy to use, but not very flexible. You can't edit scores for rules, and a lot of the settings are for the entire box and not per domain. > Does it actually work? Yes, it does. > Can it survive the loads they say it can? Don't know. We push about 40k messages a day through it in the summer, and about 120k messages a day once classes start (today!). I don't know what it's rated for. 
We're using a model 600. > And, of course, how does it compare with MailScanner? The only thing that it does better than my MailScanner setup, IMHO, is that it blocks at the SMTP level based on black lists. I just haven't bothered to enable the checks in Sendmail to do this myself. :) I haven't found anything that the Barracuda does that I can't do in MailScanner. Other than the GUI. Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From mike at tc3net.com Mon Aug 21 14:24:56 2006 From: mike at tc3net.com (Michael Baird) Date: Mon Aug 21 14:17:35 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <1156166696.4295.8.camel@mike-new2.tc3net.com> On Mon, 2006-08-21 at 13:51 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > applicances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? 
> How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. It is very similar to MailScanner in a canned package, with a nice role based management interface. It uses many open source milters. The basic difference is that they also provide "Energizer Updates" via subscription, which essentially means ruleset upgrades and such are pushed out from their servers. It is nice, if you don't want to mess around. I'm still using MailScanner because I'm fine keeping spamassassin up to date, and prefer to keep fine control of all the systems involved in our email. They have forums, and an online demo of the admin/user interface, which will give you a good idea of what you can do with it. Regards Michael Baird From prandal at herefordshire.gov.uk Mon Aug 21 14:09:42 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Aug 21 14:18:04 2006 Subject: Thoughts on Barracudas? Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B22A@isabella.herefordshire.gov.uk> Cripes, silly people! MailScanner / SA 3.1.4 / Razor / Pyzor /DCC + well trained Bayes + SARE Rules + ImageInfo.pm (http://www.rulesemporium.com/plugins.htm) + a few custom rules gets over 99% of the incoming spam here. The FuzzOCR plugin got a few more until spammers started sending interlaced .gif files, too. Count me in as one very satisfied customer. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 21 August 2006 13:51 > To: MailScanner discussion > Subject: Thoughts on Barracudas? 
> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the > mailing list as > they are ditching their MailScanner setups and switching to Barracuda > applicances instead. They claim that things worked fine when > they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It > worked great > for about two months, then after every upgrade it began to > let more and > more spam through. I've tried everything to fix it and just > got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 > aSJKg2X8ibML6k+ZA3hpPlQ= > =Ji1K > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From martelm at quark.vsc.edu Mon Aug 21 14:18:31 2006 From: martelm at quark.vsc.edu (Michael H. Martel) Date: Mon Aug 21 14:18:41 2006 Subject: Thoughts on Barracudas? In-Reply-To: <05ed01c6c522$421944b0$88c5c657@arthur> References: <05ed01c6c522$421944b0$88c5c657@arthur> Message-ID: <5810EDD13002D44185E1BF3F@sherlockholmes.local> --On August 21, 2006 2:03:54 PM +0100 "Michele Neylon :: Blacknight Solutions" wrote: >> From what I've heard they're pretty much a sealed box, so you don't have >> the > same level of control that you would get from MailScanner completely sealed box. :( No way to adjust scores or add additional rule sets. Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From prandal at herefordshire.gov.uk Mon Aug 21 14:19:03 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Aug 21 14:21:27 2006 Subject: Thoughts on Barracudas? Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B230@isabella.herefordshire.gov.uk> One simple thing which would hepl is to use SA 3.1.4 and a daily sa-update cron job. If I read the changelog correctly, the issues surrounding sa-update have been fixed. Certainly no problems here. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Martin Hepworth > Sent: 21 August 2006 14:03 > To: MailScanner discussion > Subject: Re: Thoughts on Barracudas? 
> > Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Folks, > > > > I have had some comments from a few people leaving the > mailing list as > > they are ditching their MailScanner setups and switching to > Barracuda > > applicances instead. They claim that things worked fine > when they first > > installed MailScanner, but gradually more and more spam is leaking > > through, to the point where they have decided to abandon it. > > > > > > Here is what he said: > > > > "I've tried Mailscanner on FreeBSD for almost one year. It > worked great > > for about two months, then after every upgrade it began to > let more and > > more spam through. I've tried everything to fix it and just > got tired of > > my users complaining of increased spam. > > "It wasn't worth the headache. Your forums indicate that there are > > numerous people experienced the same problems I have encountered. > > "I have since purchased a Barracuda SPAM 200 firewall. This > device has > > worked much better." > > > > > > > > What is your opinion on the Barracuda appliance? > > How easy is it to use? > > Does it actually work? > > Can it survive the loads they say it can? > > > > And, of course, how does it compare with MailScanner? > > > > Please be open and honest, and as impartial as you can. > > > > All of your thoughts are most welcome. > > > > - -- > > Julian Field > > Jules > > You need to maintain the SA side of things, make sure you have > RulesDuJour etc installed and picking up the SARE and other rules. > > Spam is an evolving thing and therefore you need to spend a > little time > making sure you system can auto-update. It's not a > install/forget system > - I think this way of thinking is another example of M$ skewing the > market, you don't need all those expensive well trained/experienced > sys-admins! > > From what I've heard of Baracuda they are not very good (I've heard > expletives use here). 
Cobweb (who run a hosted MS-Exchange > business in > the UK) used to use them but moved away about 6 months ago as > the spam > trapping was v poor. > > Upgrading MS won't increase the spam getting through, this is just an > excuse.....ya gotta setup SA correctly in the first place. > > The thing how can we get people to setup SA better? > > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From dave.list at pixelhammer.com Mon Aug 21 14:26:21 2006 From: dave.list at pixelhammer.com (DAve) Date: Mon Aug 21 14:26:34 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <44E9B47D.4000609@pixelhammer.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > applicances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. 
> > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? Not good overall, I deal with a *lot* of shrinkwrap administrators who have no understanding at all of how to use the app, how it works, or what each option really does. > How easy is it to use? Very easy, which is why so many get purchased. Just "plug it in" and watch your spam disappear. > Does it actually work? I believe it can work in the hands of a capable administrator. In most installations I believe it works "Okay", see below for an explanation. > Can it survive the loads they say it can? NE > > And, of course, how does it compare with MailScanner? See below. > > Please be open and honest, and as impartial as you can. > My experience comes from two places. Clients who have a Barracuda and do not use our service (MailScanner based) and clients who use our service in front of, or in lieu of a Barracuda. We are an ISP with a wide variety of mail traffic. Corporate (lots of word docs and leek speak believe it or not), Worldwide (Pacific Rim, Eastern and Western European languages), marketing (everything SA is designed to catch ;^), technical (large attachments), dialup users (it's not spam it's magic lotto numbers, that whitelisted Ebay monthly report is spam! Why do I keep getting it?). Based on those scenarios, my experience is that the Barracuda can be configured to be very effective for a single installation such as a small corporate LAN. 
However, you must be willing to accept its limitations. If you purchase a product chosen from a shiny four color ad with pretty people looking pensive in front of a massive wall of servers, you believe the product works and that the product supplier has designed it well. You see the limitations and you accept them. You make your argument to the board, you install the product, it works well enough, the company feels you are 'doing something' about the problem. This is where the Barracuda succeeds. If you purchase a product from your Service Provider, the SP will invariably need to offer some type of advantage over doing your own filtering. Many of the things I have been asked to do for clients would never have been possible with an OTS system. The fine grained control offered by MailScanner far exceeds anything Barracuda could possibly offer. The advantage offered is "configurability". This is where MailScanner succeeds. Does that help? DAve PS. If a MailScanner box is failing to catch spam over a period of time I would think the answer was right in front of the user. Bayes. I had never been a fan of Bayes as it seemed to always cause more load and headache than it was worth. However, out of sheer need, I have configured and run Bayes for the last three weeks and I have to say it works much much better in 3.1.X than it did in 2.[4-6].X. But I can see where a combination of Bayes, AutoLearning, and lack of attention could lead to very bad capture rates. Bayes is like a fast woman, keep an eye on it and be prepared for surprises, and it is worth having. Just don't turn your back on it. ;^) -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
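Added example (not part of DAve's message or of any post in this thread): a Python check over the output of `sa-learn --dump magic` that flags the kind of Bayes neglect the PS above describes. The sample dump is constructed and the skew and staleness thresholds are assumptions; 200 is SpamAssassin's default minimum of learned spam and of learned ham before Bayes scores are used.

```python
"""Health check for a SpamAssassin Bayes database via `sa-learn --dump magic`."""
import re
import subprocess
import time

# Constructed sample of `sa-learn --dump magic` output (all values made up).
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      48211          0  non-token data: nspam
0.000          0        163          0  non-token data: nham
0.000          0     152904          0  non-token data: ntokens
0.000          0 1153000000          0  non-token data: oldest atime
0.000          0 1155000000          0  non-token data: newest atime
0.000          0 1155000400          0  non-token data: last journal sync atime
0.000          0 1154990000          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0       9120          0  non-token data: last expire reduction count
"""

# Columns: probability, spam count, ham count or value, atime, then the label.
MAGIC_LINE = re.compile(
    r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$"
)

MIN_LEARNED = 200    # SpamAssassin default (bayes_min_spam_num / bayes_min_ham_num)
MAX_SKEW = 20.0      # assumed: tolerated ratio between learned spam and ham
MAX_IDLE_DAYS = 7    # assumed: tolerated age of the newest token access time


def parse_magic(text):
    """Return {label: integer value} for every 'non-token data' line."""
    fields = {}
    for line in text.splitlines():
        match = MAGIC_LINE.match(line)
        if match:
            fields[match.group(2)] = int(match.group(1))
    return fields


def bayes_findings(fields, now):
    """Return human-readable findings; an empty list means nothing was flagged."""
    missing = [k for k in ("nspam", "nham", "newest atime") if k not in fields]
    if missing:
        return ["dump is missing fields: " + ", ".join(missing)]

    findings = []
    nspam, nham = fields["nspam"], fields["nham"]

    # Below the minimum for either class, SpamAssassin does not apply Bayes.
    for label, count in (("spam", nspam), ("ham", nham)):
        if count < MIN_LEARNED:
            findings.append(
                f"only {count} {label} messages learned (minimum {MIN_LEARNED})"
            )

    # Unattended auto-learning tends to feed one class far more than the other.
    if nspam > 0 and nham > 0:
        ratio = max(nspam, nham) / min(nspam, nham)
        if ratio > MAX_SKEW:
            findings.append(f"spam/ham training skew is {ratio:.0f}:1")

    # A stale newest atime means no token has been touched recently.
    idle_days = (now - fields["newest atime"]) / 86400
    if idle_days > MAX_IDLE_DAYS:
        findings.append(f"newest token atime is {idle_days:.1f} days old")

    return findings


def read_live_dump():
    """Run sa-learn as the user that owns the Bayes database."""
    result = subprocess.run(
        ["sa-learn", "--dump", "magic"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    try:
        dump, now = read_live_dump(), int(time.time())
    except (OSError, subprocess.CalledProcessError):
        # No sa-learn available: fall back to the constructed sample and a
        # fixed timestamp so the demonstration is reproducible.
        dump, now = SAMPLE_DUMP, 1156166696
    for finding in bayes_findings(parse_magic(dump), now) or ["no findings"]:
        print(finding)
```

Run from cron next to the daily rule update, a non-empty result is the cue to retrain or to review the auto-learn thresholds.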
From dhawal at netmagicsolutions.com Mon Aug 21 14:30:20 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Aug 21 14:30:39 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk>
References: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID: <44E9B56C.40808@netmagicsolutions.com>

Julian Field wrote:
[SNIP]
> What is your opinion on the Barracuda appliance?
> How easy is it to use?
> Does it actually work?
> Can it survive the loads they say it can?
>
> And, of course, how does it compare with MailScanner?
>
> Please be open and honest, and as impartial as you can.
>
> All of your thoughts are most welcome.

We managed to convince a customer (5K+ users) to use MS (though it was and always is mostly a commercial game).

Spam is an evolving thing and MS is doing well enough. The MTA+SA part on which MS really depends for spam rejection/detection is the weak link (though a properly configured MTA+SA works better than a barracuda).

Where barracuda and other commercial products have an advantage is the fact that they use "your appliance" for distributed checksumming (something like razor/dcc) thus giving them better spam detection, maybe they also use "your appliance" as a spamtrap. Add automated updates (at both engine + rules level) and a pretty GUI for finishing touches..

The appliance from the folks at FSL is way better compared to a barracuda.

IMHO, MS + MailWatch does it quite well. Maybe (just maybe) you would want to consider URIBL support in MS (for non-SA users) OR a MS-Milter OR something on these lines.

Finally, check barracuda's security track record if you really want to convince someone away from them..

- dhawal

From dave.list at pixelhammer.com Mon Aug 21 14:30:36 2006
From: dave.list at pixelhammer.com (DAve)
Date: Mon Aug 21 14:30:51 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AEFE.1060105@solid-state-logic.com>
References: <44E9AC41.1010005@ecs.soton.ac.uk> <44E9AEFE.1060105@solid-state-logic.com>
Message-ID: <44E9B57C.6020501@pixelhammer.com>

Martin Hepworth wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Folks,
>>
>> I have had some comments from a few people leaving the mailing list as
>> they are ditching their MailScanner setups and switching to Barracuda
>> appliances instead. They claim that things worked fine when they
>> first installed MailScanner, but gradually more and more spam is
>> leaking through, to the point where they have decided to abandon it.
>>
>>
>> Here is what he said:
>>
>> "I've tried Mailscanner on FreeBSD for almost one year. It worked great
>> for about two months, then after every upgrade it began to let more and
>> more spam through. I've tried everything to fix it and just got tired of
>> my users complaining of increased spam.
>> "It wasn't worth the headache. Your forums indicate that there are
>> numerous people experienced the same problems I have encountered.
>> "I have since purchased a Barracuda SPAM 200 firewall. This device has
>> worked much better."
>>
>>
>>
>> What is your opinion on the Barracuda appliance?
>> How easy is it to use?
>> Does it actually work?
>> Can it survive the loads they say it can?
>>
>> And, of course, how does it compare with MailScanner?
>>
>> Please be open and honest, and as impartial as you can.
>>
>> All of your thoughts are most welcome.
>>
>> - -- Julian Field
>
> Jules
>
> You need to maintain the SA side of things, make sure you have
> RulesDuJour etc installed and picking up the SARE and other rules.
>
> Spam is an evolving thing and therefore you need to spend a little time
> making sure your system can auto-update. It's not a install/forget system
> - I think this way of thinking is another example of M$ skewing the
> market, you don't need all those expensive well trained/experienced
> sys-admins!
>
> From what I've heard of Barracuda they are not very good (I've heard
> expletives use here). Cobweb (who run a hosted MS-Exchange business in
> the UK) used to use them but moved away about 6 months ago as the spam
> trapping was v poor.
>
> Upgrading MS won't increase the spam getting through, this is just an
> excuse.....ya gotta setup SA correctly in the first place.
>
> The thing how can we get people to setup SA better?
>
>

I was just involved in a long conversation on that very subject on the SA list. There are now SARE rules available from a sa-update channel. sa-update is a very nice setup and looks to provide a one stop shop to install and maintain rules in a single location with a single method.

Check the "Re: SARE sa-update channels available!" thread.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?
Maybe they forgot who made that choice possible.

From raymond at prolocation.net Mon Aug 21 14:33:44 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Aug 21 14:33:42 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk>
References: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID:

Hi!

> I have had some comments from a few people leaving the mailing list as
> they are ditching their MailScanner setups and switching to Barracuda
> appliances instead. They claim that things worked fine when they first
> installed MailScanner, but gradually more and more spam is leaking
> through, to the point where they have decided to abandon it.

This has nothing to do with MailScanner, it has to do with a basic SA install. Spammers get smarter, so you need to update rulesets. No way those Barracuda is catching more, in fact, we have a few customers running them and we are preparing a migration so they can ditch them....
It's all about maintaining a system, if you maintain a system, it's ok. If you don't or are clueless, buy a Barracuda, since that's a maintained box. Or ask someone to support your MailScanner setup. We can do that also if people are not able to do it. We also deliver ruleset support. ;)

If you use SARE you are much better out but even then you always walk behind. But also SARE is behind, on purpose, if we add new rules there spammers know about them publicly also.

The question should be, can you maintain your system, if not buy support!

Bye,
Raymond.

From MailScanner at ecs.soton.ac.uk Mon Aug 21 14:37:41 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 21 14:37:59 2006
Subject: Thoughts on Barracudas?
In-Reply-To:
References: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID: <44E9B725.9000302@ecs.soton.ac.uk>

Michael H. Martel wrote:
> --On August 21, 2006 1:51:13 PM +0100 Julian Field
> wrote:
>
>> What is your opinion on the Barracuda appliance?
>
> I don't like it. I was forced into it by Management. They were wowed
> by the graphical front end that allowed individual users to manage
> their own white and black lists. I think that the biggest thing it's
> got going for it is the graphical interface. Remove that and it's not
> that good.

MailWatch provides this very well. And if you want an easy-to-install package of everything you need, then DefenderMX from Fort Systems Ltd (www.fsl.com) will do it for you. And it's cheaper than Barracuda too.

>
>> How easy is it to use?
>
> Easy to use, but not very flexible. You can't edit scores for rules,
> and a lot of the settings are for the entire box and not per domain.
>
>> Does it actually work?
>
> Yes, it does.
>
>> Can it survive the loads they say it can?
>
> Don't know. We push about 40k messages a day through it in the
> summer, and about 120k messages a day once classes start (today!). I
> don't know what it's rated for. We're using a model 600.
>
>> And, of course, how does it compare with MailScanner?
>
> The only thing that it does better than my MailScanner setup, IMHO, is
> that it blocks at the SMTP level based on black lists. I just haven't
> bothered to enable the checks in Sendmail to do this myself. :)

We can do that using Sendmail's access db.

>
> I haven't found anything that the Barracuda does that I can't do in
> MailScanner. Other than the GUI.

Agreed. Take a look at MailWatch.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From steve.swaney at fsl.com Mon Aug 21 14:38:30 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Mon Aug 21 14:38:34 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <05ed01c6c522$421944b0$88c5c657@arthur>
Message-ID: <373401c6c527$1752da20$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon :: Blacknight
> Solutions
> Sent: Monday, August 21, 2006 9:04 AM
> To: 'MailScanner discussion'
> Subject: RE: Thoughts on Barracudas?
>
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Folks,
> >
> > I have had some comments from a few people leaving the mailing list
> > as they are ditching their MailScanner setups and switching to
> > Barracuda appliances instead. They claim that things worked fine
> > when they first installed MailScanner, but gradually more and more
> > spam is leaking through, to the point where they have decided to
> > abandon it.
> >
> >
> > Here is what he said:
> >
> > "I've tried Mailscanner on FreeBSD for almost one year.
> > It worked
> > great for about two months, then after every upgrade it began to let
> > more and more spam through. I've tried everything to fix it and just
> > got tired of my users complaining of increased spam. "It wasn't worth
> > the headache. Your forums indicate that there are numerous people
> > experienced the same problems I have encountered. "I have since
> > purchased a Barracuda SPAM 200 firewall. This device has worked much
> > better."
> >
> >
> >
> > What is your opinion on the Barracuda appliance?
> > How easy is it to use?
> > Does it actually work?
> > Can it survive the loads they say it can?
> >
> > And, of course, how does it compare with MailScanner?
> >
> > Please be open and honest, and as impartial as you can.
> >
> > All of your thoughts are most welcome.
> >

We've had several customers test DefenderMX (Commercial product based on MailScanner / SpamAssassin with web interface) against different anti-spam products including Barracuda. Barracuda has not won yet. In tests where more than 2 products were tested, Barracuda never even placed second.

You can't run Barracuda on your own hardware.

Domain based settings for most configuration items are not available.

And if you want to scan outbound email, you'll need two Barracudas, one to scan inbound mail and one to scan outbound mail. That can get pretty pricy.

The complaint we've heard most often was poor technical support but to be fair, that was a while back and it may have improved by now.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From bpumphrey at WoodMacLaw.com Mon Aug 21 14:39:19 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 21 14:39:25 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187ECB8@woodenex.woodmaclaw.local>

> Folks,
>
> I have had some comments from a few people leaving the mailing list as
> they are ditching their MailScanner setups and switching to Barracuda
> appliances instead. They claim that things worked fine when they first
> installed MailScanner, but gradually more and more spam is leaking
> through, to the point where they have decided to abandon it.
>
>
> Here is what he said:
>
> "I've tried Mailscanner on FreeBSD for almost one year. It worked great
> for about two months, then after every upgrade it began to let more and
> more spam through. I've tried everything to fix it and just got tired of
> my users complaining of increased spam.
> "It wasn't worth the headache. Your forums indicate that there are
> numerous people experienced the same problems I have encountered.
> "I have since purchased a Barracuda SPAM 200 firewall. This device has
> worked much better."
>
>
>
> What is your opinion on the Barracuda appliance?
> How easy is it to use?
> Does it actually work?
> Can it survive the loads they say it can?
>
> And, of course, how does it compare with MailScanner?
>
> Please be open and honest, and as impartial as you can.
>
> All of your thoughts are most welcome.
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>

I have thought about appliances in general just because they are set and forget it type machines. I would like very much for MailScanner to have such an option.

I enjoy taking care of the MailScanner machine mainly because I learn from configuring and messing it up. That is about the only reason. I find that it is hard to learn what one needs to know to get the most spam blockage.
I believe that I can do an excellent job at blocking spam, but if you do not learn a bunch of things (if you were like me) and take multiple days to set it up it does not do a very good job.

It would be nice if there was a prepackage ( I guess fort systems covers this area) that had all of the common units installed and it was ready to go. Had Rules installed, Pyzor, DCC, the SARE rules, trained Bayes database, ClamAV, bitdefender, MailWatch, etc.

Then after that, automatic updates would be super. Most of the updates are somewhat covered. I guess the only ones missing from automatic updates in my knowledge are MailScanner, SpamAssassin, and ClamAV, MailWatch.

In essence all of that would turn MailScanner into an appliance type machine, which I would think it would appeal to even more people.

From mdlaney at morehouse.edu Mon Aug 21 14:46:14 2006
From: mdlaney at morehouse.edu (Matt Laney)
Date: Mon Aug 21 14:46:17 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580ED6B22A@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580ED6B22A@isabella.herefordshire.gov.uk>
Message-ID: <20060821134614.GT13735@morehouse.edu>

Hey, Julian,

> I have had some comments from a few people leaving the mailing list as
> they are ditching their MailScanner setups and switching to Barracuda
> appliances instead. They claim that things worked fine when they first
> installed MailScanner, but gradually more and more spam is leaking
> through, to the point where they have decided to abandon it.
...

I run between three and five MailScanner boxes at my site (5000 email users, something like 150,000 emails per day) depending on which of my found hardware is working, and when the Barracuda started gaining popularity about a year ago I tried it out as a means of reducing my mail management overhead. Basically, since I run neither FreeBSD nor RedHat, I was trying to get around the headaches associated with MailScanner upgrades.
The 30-day or so demo went poorly enough that I sent the thing back and haven't regretted it a bit. Instead, I'm building a couple really big MailScanner boxes that'll do nicely with FreeBSD.

> What is your opinion on the Barracuda appliance?

I think the Barracuda spam filter gizmo is fine for small sites with limited numbers of users, Exchange on the back end, and not much in the way of complicated need. In fact, I recommend it to several of my consulting clients who have 30-person offices.

> How easy is it to use?

The interface is pretty, but not very intuitive. Training it is difficult: you pretty much have to let it collect a bunch of mail, then click on each of those items of mail with a web browser and tell it Spam or Not Spam. At least at the time I played with it there was no equivalent to feeding it a couple corpi via sa-learn.

There's a built-in quarantine feature that I couldn't use because of my mail store system (non-LDAP-friendly).

It makes pretty pictures.

Tweaking settings per user was both easy and hard -- I couldn't make it do what I wanted. Like so many commercial products, you're sort of stuck with the way of thinking about mail and spam that they've built in. I think they tried too hard to get personalized spam handling per recipient, which is something my site doesn't use. (We have almost nothing configured per-user except the level of spamminess at which mail is deleted before they ever see it, and even that's only done for about 10 people.)

> Does it actually work?

Kinda. We had more spam getting through it than I had getting through an old MailScanner with an old SpamAssassin on it. It's nowhere near as flexible as MailScanner, but for straight up picking spam out of the email stream, it did OK.

> Can it survive the loads they say it can?

Not in my tests. I was getting bigger delays in processing across a new Barracuda than I was getting across MailScanner before the last two big speed improvements...
running on a Pentium 3 900MHz with 256 megs of RAM.

> And, of course, how does it compare with MailScanner?

I stayed with MailScanner. It does not win my vote, particularly when the load is large. :-)

-Matt

--
Matt Laney, mdlaney@morehouse.edu
Dir. Network Services & Technical Support
Morehouse College; Atlanta, GA, USA

From alex at erus.co.uk Mon Aug 21 14:53:24 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Mon Aug 21 14:53:30 2006
Subject: Thoughts on Barracudas?
In-Reply-To:
References: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID: <44E9BAD4.1060605@erus.co.uk>

Michael H. Martel wrote:
> --On August 21, 2006 1:51:13 PM +0100 Julian Field
> wrote:
>
>> What is your opinion on the Barracuda appliance?
>
> I don't like it. I was forced into it by Management. They were wowed
> by the graphical front end that allowed individual users to manage their
> own white and black lists. I think that the biggest thing it's got
> going for it is the graphical interface. Remove that and it's not that
> good.

Digressing slightly as I have no experience with a Barracuda, you can use MailWatch + MailScanner to get the graphical interface your users crave. Mailwatch allows user controlled white/blacklist, intelligent quarantining/reporting plus a shiny front-end to see what's flowing through your MailScanner box.

If you want support, then Defender MX (which is basically MailScanner, MailWatch and other bits and bobs) from FSL should do the trick.

Regards,
Alex

From bpumphrey at WoodMacLaw.com Mon Aug 21 15:02:27 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 21 15:02:29 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187ECFB@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Monday, August 21, 2006 8:51 AM
> To: MailScanner discussion
> Subject: Thoughts on Barracudas?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks,
>
> I have had some comments from a few people leaving the mailing list as
> they are ditching their MailScanner setups and switching to Barracuda
> appliances instead. They claim that things worked fine when they first
> installed MailScanner, but gradually more and more spam is leaking
> through, to the point where they have decided to abandon it.
>
>
> Here is what he said:
>
> "I've tried Mailscanner on FreeBSD for almost one year. It worked great
> for about two months, then after every upgrade it began to let more and
> more spam through. I've tried everything to fix it and just got tired of
> my users complaining of increased spam.
> "It wasn't worth the headache. Your forums indicate that there are
> numerous people experienced the same problems I have encountered.
> "I have since purchased a Barracuda SPAM 200 firewall. This device has
> worked much better."
>
>
>
> What is your opinion on the Barracuda appliance?
> How easy is it to use?
> Does it actually work?
> Can it survive the loads they say it can?
>
> And, of course, how does it compare with MailScanner?
>
> Please be open and honest, and as impartial as you can.
>
> All of your thoughts are most welcome.
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1112)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9
> aSJKg2X8ibML6k+ZA3hpPlQ=
> =Ji1K
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

I have thought about appliances in general just because they are set and forget it type machines. I would like very much for MailScanner to have such an option.

I enjoy taking care of the MailScanner machine mainly because I learn from configuring and messing it up. That is about the only reason. I find that it is hard to learn what one needs to know to get the most spam blockage. I believe that I can do an excellent job at blocking spam, but if you do not learn a bunch of things (if you were like me) and take multiple days to set it up it does not do a very good job.

It would be nice if there was a prepackage ( I guess fort systems covers this area) that had all of the common units installed and it was ready to go. Had Rules installed, Pyzor, DCC, the SARE rules, trained Bayes database, ClamAV, bitdefender, MailWatch, etc.

Then after that, automatic updates would be super. Most of the updates are somewhat covered.
I guess the only ones missing from automatic updates in my knowledge are MailScanner, SpamAssassin, and ClamAV, MailWatch.

In essence all of that would turn MailScanner into an appliance type machine, which I would think it would appeal to even more people.

From bpumphrey at WoodMacLaw.com Mon Aug 21 15:10:12 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 21 15:11:12 2006
Subject: Test
In-Reply-To: <44E9B725.9000302@ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local>

My emails are not going through for some reason.

From amoore at dekalbmemorial.com Mon Aug 21 15:11:20 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Mon Aug 21 15:11:24 2006
Subject: Thoughts on Barracudas?
In-Reply-To:
Message-ID: <60D398EB2DB948409CA1F50D8AF1225701608430@exch1.dekalbmemorial.local>

Martin Hepworth wrote:
> You need to maintain the SA side of things, make sure you have
> RulesDuJour etc installed and picking up the SARE and other rules.
>
> Spam is an evolving thing and therefore you need to spend a little
> time making sure your system can auto-update. It's not a
> install/forget system - I think this way of thinking is another
> example of M$ skewing the market, you don't need all those expensive
> well trained/experienced sys-admins!

I agree. Moving SpamAssassin to using the MySQL backend for bayes and the awl really increased our performance here.

I've had to do some major tweaking of sendmail here to deal with our ever increasing amount of spam. About 8 months ago I added milter-ahead and milter-error to sendmail. I converted some code that I had written to create a dynamic blacklist based on spam assassin scores by adding them to the access file to generate files for rbldnsd. And I added a couple of other rbls to mix for good measure.
I also had to adjust the following sendmail settings, as our inbound mail server, on which I run MailScanner, was getting swamped with inbound connection attempts to the point the machine crashed.

confMAX_RCPTS_PER_MESSAGE
confBAD_RCPT_THROTTLE
confCONNECTION_RATE_THROTTLE
confQUEUE_LA
confREFUSE_LA
confDELAY_LA

Dealing with spam, regardless of what some people think, is not a set and forget situation. And there isn't a one size fits all solution. MailScanner is great and works well out of a box. But no amount of automation can make up for actually getting to know the components of the system, how they work, and how they interact.

If they were getting bad performance out of MailScanner, there's a good chance they needed to do a lot more tweaking of their setup.

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, IN
E-mail: amoore@dekalbmemorial.com

From mike at vesol.com Mon Aug 21 15:17:46 2006
From: mike at vesol.com (Mike Kercher)
Date: Mon Aug 21 15:17:52 2006
Subject: Thoughts on Barracudas?
In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk>
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks,
>
> I have had some comments from a few people leaving the
> mailing list as they are ditching their MailScanner setups
> and switching to Barracuda appliances instead. They claim
> that things worked fine when they first installed
> MailScanner, but gradually more and more spam is leaking
> through, to the point where they have decided to abandon it.
>
>
>
> What is your opinion on the Barracuda appliance?
> How easy is it to use?
> Does it actually work?
> Can it survive the loads they say it can?
>
> And, of course, how does it compare with MailScanner?
>
> Please be open and honest, and as impartial as you can.
>
> All of your thoughts are most welcome.
I've had ONE customer move away from MailScanner and the reason they did so was the inability for users to configure their own white/black lists. They went to Sophos PureMessage. It does an adequate job, but from what I've seen, its accuracy is not on the same level as MS/SA. Its performance is much lower too.

Mike

From jstevens at athensdistributing.com Mon Aug 21 15:39:59 2006
From: jstevens at athensdistributing.com (James R. Stevens)
Date: Mon Aug 21 15:40:12 2006
Subject: Thoughts on Barracudas?
Message-ID: <1A65E6BAEADF9B4F865314484A13ECF10F8EC1@atlas.athensdistributing.com>

Quote of the day:

"Bayes is like a fast woman, keep an eye on it and be prepared for surprises, and it is worth having. Just don't turn your back on it."

Super Dave, you're alright in my book!!

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
Sent: Monday, August 21, 2006 8:26 AM
To: MailScanner discussion
Subject: Re: Thoughts on Barracudas?

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks,
>
> I have had some comments from a few people leaving the mailing list as
> they are ditching their MailScanner setups and switching to Barracuda
> appliances instead. They claim that things worked fine when they
> first installed MailScanner, but gradually more and more spam is
> leaking through, to the point where they have decided to abandon it.
>
>
> Here is what he said:
>
> "I've tried Mailscanner on FreeBSD for almost one year. It worked
> great for about two months, then after every upgrade it began to let
> more and more spam through. I've tried everything to fix it and just
> got tired of my users complaining of increased spam.
> "It wasn't worth the headache. Your forums indicate that there are
> numerous people experienced the same problems I have encountered.
> "I have since purchased a Barracuda SPAM 200 firewall. This device has
> worked much better."
>
>
>
> What is your opinion on the Barracuda appliance?

Not good overall, I deal with a *lot* of shrinkwrap administrators who have no understanding at all of how to use the app, how it works, or what each option really does.

> How easy is it to use?

Very easy, which is why so many get purchased. Just "plug it in" and watch your spam disappear.

> Does it actually work?

I believe it can work in the hands of a capable administrator. In most installations I believe it works "Okay", see below for an explanation.

> Can it survive the loads they say it can?

NE

>
> And, of course, how does it compare with MailScanner?

See below.

>
> Please be open and honest, and as impartial as you can.
>

My experience comes from two places. Clients who have a Barracuda and do not use our service (MailScanner based) and clients who use our service in front of, or in lieu of a Barracuda.

We are an ISP with a wide variety of mail traffic. Corporate (lots of word docs and leek speak believe it or not), Worldwide (Pacific Rim, Eastern and Western European languages), marketing (everything SA is designed to catch ;^), technical (large attachments), dialup users (it's not spam it's magic lotto numbers, that whitelisted Ebay monthly report is spam! Why do I keep getting it?).

Based on those scenarios, my experience is that the Barracuda can be configured to be very effective for a single installation such as a small corporate LAN. However, you must be willing to accept its limitations.

If you purchase a product chosen from a shiny four color ad with pretty people looking pensive in front of a massive wall of servers, you believe the product works and that the product supplier has designed it well. You see the limitations and you accept them. You make your argument to the board, you install the product, it works well enough, the company feels you are 'doing something' about the problem.

This is where the Barracuda succeeds.
If you purchase a product from your Service Provider, the SP will invariably need to offer some type of advantage over doing your own filtering. Many of the things I have been asked to do for clients would never have been possible with an OTS system. The fine grained control offered by MailScanner far exceeds anything Barracuda could possibly offer. The advantage offered is "configurability"

This is where MailScanner succeeds.

Does that help?

DAve

PS. If a MailScanner box is failing to catch spam over a period of time I would think the answer was right in front of the user. Bayes. I had never been a fan of Bayes as it seemed to always cause more load and headache than it was worth. However, out of sheer need, I have configured and run Bayes for the last three weeks and I have to say it works much much better in 3.1.X than it did in 2.[4-6].X. But I can see where a combination of Bayes, AutoLearning, and lack of attention could lead to very bad capture rates.

Bayes is like a fast woman, keep an eye on it and be prepared for surprises, and it is worth having. Just don't turn your back on it. ;^)

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?
Maybe they forgot who made that choice possible.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by Athens Hyperion Scanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous content by Athens Hyperion Scanner, and is believed to be clean.
From martinh at solid-state-logic.com Mon Aug 21 15:44:14 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Mon Aug 21 15:44:27 2006
Subject: Test
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local>
Message-ID: <44E9C6BE.4090408@solid-state-logic.com>

Billy A. Pumphrey wrote:
> My emails are not going through for some reason.
>

Billy are for me..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From evan at espphotography.com Mon Aug 21 15:46:26 2006
From: evan at espphotography.com (Evan Platt)
Date: Mon Aug 21 15:46:38 2006
Subject: Test
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local>
References: <44E9B725.9000302@ecs.soton.ac.uk> <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local>
Message-ID: <7.0.1.0.0.20060821074556.058df008@espphotography.com>

At 07:10 AM 8/21/2006, you wrote:
>My emails are not going through for some reason.

Yes, they are. I've seen 3 posts from you today.

From davidn at keymarkinc.com Mon Aug 21 15:57:55 2006
From: davidn at keymarkinc.com (David Nalley)
Date: Mon Aug 21 15:57:39 2006
Subject: Thoughts on Barracudas?
Message-ID: <81214BB68B68BF4586FE1D82E7B3C472C0BEA5@kmex01.keymark.dom> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > You need to maintain the SA side of things, make sure you > have RulesDuJour etc installed and picking up the SARE and > other rules. > > Spam is an evolving thing and therefore you need to spend a > little time making sure your system can auto-update. It's not > an install/forget system > - I think this way of thinking is another example of M$ > skewing the market, you don't need all those expensive well > trained/experienced sys-admins! I can't agree more! I installed my first MailScanner system ~4 years ago, and like the person who is abandoning MS, it worked great for many months before slowly degrading into only catching about 75% of spam. The problem wasn't MailScanner, it was the admin (me). I had not run any updates to the rulesets, installed any optional rulesets etc. The constant ever-changing nature of spam and my failure to react was problematic. That being said, it still requires precious little maintenance once properly set up. RDJ constantly updates my rulesets. My biggest administrative task now is white/blacklist maintenance, which is negligible. Unfortunately SA is such a key component, and you have made things so easy with the installation script that the 'admins' need know nothing about SA to install it. I think that one of two things, either A, the requisite plugins should be installed alongside SA, along with FSL's RDJ script to make things really simple, or there needs to be a great howto document that covers end to end 'appliance' setup for new users. There are many howtos out there, but the really slick completely automated setup requires that you pick pieces from different articles on the wiki/website. (This may have changed recently, I haven't read the docs in 5 or 6 months.) 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (MingW32) iD8DBQFE6cnzU7rV35qFz0QRAtOdAKCQ/rCocpwACJsZE3UGDeHxa8+u2QCeLafF 9VcADUxfcrqXCQHl0lWYGyM= =btDV -----END PGP SIGNATURE----- From steve.swaney at fsl.com Mon Aug 21 16:02:34 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 21 16:02:36 2006 Subject: Thoughts on Barracudas? In-Reply-To: <20060821134614.GT13735@morehouse.edu> Message-ID: <382e01c6c532$d59ada90$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Matt Laney > Sent: Monday, August 21, 2006 9:46 AM > To: MailScanner discussion > Subject: Re: Thoughts on Barracudas? > > Hey, Julian, > > > I have had some comments from a few people leaving the mailing list as > > they are ditching their MailScanner setups and switching to Barracuda > > applicances instead. They claim that things worked fine when they first > > installed MailScanner, but gradually more and more spam is leaking > > through, to the point where they have decided to abandon it. > ... > > > I run between three and five MailScanner boxes at my site (5000 email > users, something like 150,000 emails per day) depending on which of > my found hardware is working, and when the Barracuda started gaining > popularity about a year ago I tried it out as a means of reducing my mail > management overhead. Basically, since I run neither FreeBSD nor RedHat, > I was trying to get around the headaches associated with MailScanner > upgrades. > > The 30-day or so demo went poorly enough that I sent the thing back and > haven't regretted it a bit. Instead, I'm building a couple really big > MailScanner boxes that'll do nicely with FreeBSD. > > > What is your opinion on the Barracuda appliance? > > I think the Barracuda spam filter gizmo is fine for small sites with > limited numbers of users, Exchange on the back end, and not much in the > way of complicated need. 
In fact, I recommend it to several of my > consulting clients who have 30-person offices. > If you have 30 or less users and an exchange backend it's typically much less expensive to use a service to scan your email. Fortunately there are many out there that use MailScanner :) Perhaps Julian could add a page that lists these MailScanner friendly sites and their location by country :) > > How easy is it to use? > > The interface is pretty, but not very intuitive. Training it is > difficult: > you pretty much have to let it collect a bunch of mail, then click on each > of those items of mail with a web browser and tell it Spam or Not Spam. > At > least at the time I played with it there was no equivalent to feeding it a > couple corpi via sa-learn. > > There's a built-in quarantine feature that I couldn't use because of my > mail store system (non-LDAP-friendly). > > It makes pretty pictures. > > Tweaking settings per user was both easy and hard -- I couldn't make it do > what I wanted. Like so many commercial products, you're sort of stuck > with > the way of thinking about mail and spam that they've built in. > > I think they tried too hard to get personalized spam handling per > recipient, > which is something my site doesn't use. (We have almost nothing > configured > per-user except the level of spamminess at which mail is deleted before > they > ever see it, and even that's only done for about 10 people.) > > > Does it actually work? > > Kinda. We had more spam getting through it than I had getting through > an old MailScanner with an old SpamAssassin on it. It's nowhere near > as flexible as MailScanner, but for straight up picking spam out of the > email stream, it did OK. > > > Can it survive the loads they say it can? > > Not in my tests. I was getting bigger delays in processing across a new > Barracuda than I was getting across MailScanner before the last two big > speed improvements... running on a Pentium 3 900MHz with 256 megs of RAM. 
> > > And, of course, how does it compare with MailScanner? > > I stayed with MailScanner. It does not win my vote, particularly when > the load is large. :-) > > Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From steve.swaney at fsl.com Mon Aug 21 16:07:28 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 21 16:07:31 2006 Subject: Thoughts on Barracudas? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ECFB@woodenex.woodmaclaw.local> Message-ID: <383b01c6c533$85077420$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > Sent: Monday, August 21, 2006 10:02 AM > To: MailScanner discussion > Subject: RE: Thoughts on Barracudas? > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Julian Field > > Sent: Monday, August 21, 2006 8:51 AM > > To: MailScanner discussion > > Subject: Thoughts on Barracudas? > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Folks, > > > > I have had some comments from a few people leaving the mailing list as > > they are ditching their MailScanner setups and switching to Barracuda > > applicances instead. They claim that things worked fine when they > first > > installed MailScanner, but gradually more and more spam is leaking > > through, to the point where they have decided to abandon it. > > > > > > Here is what he said: > > > > "I've tried Mailscanner on FreeBSD for almost one year. It worked > great > > for about two months, then after every upgrade it began to let more > and > > more spam through. I've tried everything to fix it and just got tired > of > > my users complaining of increased spam. > > "It wasn't worth the headache. Your forums indicate that there are > > numerous people experienced the same problems I have encountered. 
> > "I have since purchased a Barracuda SPAM 200 firewall. This device has > > worked much better." > > > > > > > > What is your opinion on the Barracuda appliance? > > How easy is it to use? > > Does it actually work? > > Can it survive the loads they say it can? > > > > And, of course, how does it compare with MailScanner? > > > > Please be open and honest, and as impartial as you can. > > > > All of your thoughts are most welcome. > > > > - -- > > Julian Field > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGP Desktop 9.5.0 (Build 1112) > > Comment: (pgp-secured) > > Charset: ISO-8859-1 > > > > wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 > > aSJKg2X8ibML6k+ZA3hpPlQ= > > =Ji1K > > -----END PGP SIGNATURE----- > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > For all your IT requirements visit www.transtec.co.uk > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > I have thought about appliances in general just because they are set and > forget it type machines. I would like very much for MailScanner to have > such an option. I enjoy taking care of the MailScanner machine mainly > because I learn from configuring and messing it up. That is about the > only reason. I find that it is hard to learn what one needs to know to > get the most spam blockage. 
I believe that I can do an excellent job at > blocking spam, but if you do not learn a bunch of things (if you were > like me) and take multiple days to set it up it does not do a very good > job. > > It would be nice if there was a prepackage ( I guess fort systems covers > this area) that had all of the common units installed and it was ready > to go. Had Rules installed, Pyzor, DCC, the SARE rules, trained Bayes > datatbase, ClamAV, bitdefender, MailWatch, etc. > > Then after that, automatic updates would be super. Most of the updates > are somewhat covered. I guess the only ones missing from automatic > updates in my knowledge are MailScanner, SpamAssassin, and ClamAV, > MailWatch. > DefenderMX packages all of the application as rpms which use install.sh or upgrade.sh scripts to do all the work. Very easy to install or upgrade. Version 2.0 (out this fall) will use `yum` to make this even less of a challenge :) > In essence all of that would turn MailScanner into a appliance type > machine, which I would think it would appeal to even more people. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From ssilva at sgvwater.com Mon Aug 21 15:51:49 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 21 16:09:05 2006 Subject: Postfix 2.3 and MailScanner In-Reply-To: <44E879A3.8030905@ecs.soton.ac.uk> References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com> <006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 8/20/2006 8:02 AM: > Does this happen with all messages, or only some? 
> Can you isolate a single message that causes this problem for me please? > I would suggest using "Archive Mail =" to archive all your mail and then > use the logs to identify a particular message that causes the problem to > be logged, and one that doesn't cause the problem. > > It is essential that you archive as "Raw Queue Files". > > If you can then send me one message file that causes the problem, and > one message that doesn't cause it, I can take a look and fix it. > > I haven't played with Postfix 2.3 much yet, so have little experience of > it. This is clearly another hurdle Wietse has created for my benefit :-) > It's only because he cares! O:-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From listacct at tulsaconnect.com Mon Aug 21 16:15:22 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Mon Aug 21 16:15:23 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <44E9CE0A.6000001@tulsaconnect.com> Julian Field wrote: > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. We demo'ed a few model 400 (I think) appliances a year or so ago. My impression was that it was just a fancy front-end on an SA-based scanner with ClamAV as the AV engine. The accuracy was comparable to SA native. I agree with others who said that SA maintenance is the key to accuracy -- after all, MS isn't doing much spam "identification" itself, it just puts together all the needed tools to do so. Barracuda may make the maintenance easier for the lazy, but you do lose a lot of flexibility. 
Fort System's DefenderMX product, http://www.fsl.com/ , is the way to go if you want a appliance solution based on MS. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mwilson at cobasys.com Mon Aug 21 16:17:36 2006 From: mwilson at cobasys.com (Mike Wilson) Date: Mon Aug 21 16:17:46 2006 Subject: Access .rules files via HTTP ? Message-ID: <2C7100720056A2408E0DC6795A5CDF0A01693CA7@COBS-EXCH-01.texaco.ovonic> Hello everyone, I'm new to the list, but have been using MailScanner for over a year, anyway, here is my question. Is there a way to specify that the .conf files can be read over http? We edit the spam whitelist 2-3 times a day on 2 different MailScanner servers. Is there a way to configure MailScanner to read this file for a centralized web server instead of from the local file? Mike Wilson -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/4d3b8836/attachment.html From MailScanner at ecs.soton.ac.uk Mon Aug 21 16:22:20 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 21 16:22:37 2006 Subject: Thoughts on Barracudas? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ECB8@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187ECB8@woodenex.woodmaclaw.local> Message-ID: <44E9CFAC.4000304@ecs.soton.ac.uk> Billy A. Pumphrey wrote: >> It would be nice if there was a prepackage ( I guess fort systems covers >> this area) that had all of the common units installed and it was ready >> to go. Had Rules installed, Pyzor, DCC, the SARE rules, trained Bayes >> datatbase, ClamAV, bitdefender, MailWatch, etc. >> This is exactly what DefenderMX provides. 
Everything pre-packaged, dead simple to install and you can buy it as a pre-configured plug-and-go appliance if that's what you need. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Mon Aug 21 16:20:16 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 21 16:25:45 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 8/21/2006 5:51 AM: > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > applicances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. 
> If I were to purchase an "Appliance" I would most definitely go with a DefenderMX. I have heard more negatives on the Barracudas than positives. Maybe if you added Steve Swaney's RulesDuJour setup to your easy-to-use SpamAssassin and ClamAV setup, it would make a more effective system "out of the box". And when an admin gets more knowledge, you can tune MailScanner to catch anything. With a Barracuda, I believe you have to submit samples, and hope they decide to add something for it. The only thing a Barracuda has on MailScanner, IMHO, is the autoupdate functionality. That is a plus for all the non-technical people out there. I think the people on this list are aces above their "Barracuda Central". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Aug 21 16:24:14 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 21 16:45:21 2006 Subject: Test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local> References: <44E9B725.9000302@ecs.soton.ac.uk> <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local> Message-ID: Billy A. Pumphrey spake the following on 8/21/2006 7:10 AM: > My emails are not going through for some reason. > This one did... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jfagan at firstlightnetworks.com Mon Aug 21 16:48:34 2006 From: jfagan at firstlightnetworks.com (James Fagan) Date: Mon Aug 21 16:46:19 2006 Subject: Test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187ED0B@woodenex.woodmaclaw.local> Message-ID: <59E4A3A1069C2640959AD0F7518C4812064B2F@FLN1.fln.local> Yes they are. At least I am seeing them. From daniel.maher at ubisoft.com Mon Aug 21 17:07:08 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Aug 21 17:07:13 2006 Subject: Access .rules files via HTTP ? 
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D11B@UBIMAIL1.ubisoft.org> Hello, We have a lot of servers which do the same sorts of things (proxies, mail servers, build machines, etc..). We manage all of the configurations via a common subversion repository, and the magic of cfengine. http://subversion.tigris.org/ http://www.cfengine.org/ For example, for both the black and white lists, one of our junior admins simply edits the appropriate configuration file in the SVN repository, and then commits it. Every 15 minutes, cfengine compares the existing config files to the ones in the repository, updates as necessary, then reloads the appropriate service. -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Wilson Sent: August 21, 2006 11:18 AM To: mailscanner@lists.mailscanner.info Subject: RE: Access .rules files via HTTP ? Hello everyone, I'm new to the list, but have been using MailScanner for over a year, anyway, here is my question. Is there a way to specify that the .conf files can be read over http? We edit the spam whitelist 2-3 times a day on 2 different MailScanner servers. Is there a way to configure MailScanner to read this file for a centralized web server instead of from the local file? Mike Wilson -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/cb33224d/attachment.html From greg at blastzone.com Mon Aug 21 17:35:01 2006 From: greg at blastzone.com (Greg Deputy) Date: Mon Aug 21 17:35:33 2006 Subject: Messages spoofed as to/from me not being scanned. What am I missing... 
Message-ID: <20060821163541.26DAC16F9B3@mx.blastzone.com> I've been running MailScanner for a little over a year now and have been extremely happy with it. I've had some spams getting through recently that are addressed to me, and from me. For some reason, MailScanner doesn't seem to bother scanning them, just says they're clean and passes them through. This makes me think I may have my own address whitelisted somewhere, but if I do I cant find it. I'm running with the spam.bydomain white/blacklists, and have checked both the default and the one for the domain the mail is coming in on, but my address isn't in there. Is there another location I should be looking for this, or is something else going on? The header of the message is below. This is on a fedora core 2 system running MailScanner 4.50.15, SA 3.1.0 processing about 50k messages per day. Message Header: Return-Path: X-Original-To: greg@blastzone.com Delivered-To: greg@blastzone.com Received: from 203.162.3.157 (unknown [222.253.101.77]) by mx.blastzone.com (Postfix) with ESMTP id B139316F9B7 for ; Mon, 21 Aug 2006 07:29:41 -0700 (PDT) Received: from mta.xtra.co.nz (mta.xtra.co.nz [210.54.141.1]) by 203.162.3.157 (Qmailv1) with ESMTP id 8SWCF23W for ; Fri, 21 Jul 2006 10:30:39 +0700 Received: from 194.154.164.82 ([fodlets.co.uk]:2306 "EHLO fodlets.co.uk" smtp-auth: "tokshcauqu" TLS-CIPHER: TLS-PEER-CN1: ) by mta.xtra.co.nz with ESMTP id YL66-NWJ0NInw-p1 (ORCPT ); Fri, 21 Jul 2006 00:20:38 -0200 Date: Fri, 21 Jul 2006 00:20:38 -0200 From: "Paul Ross" X-Mailer: The Bat! 
(v2.12.00) Personal X-Priority: 3 Message-ID: <56780461541336.20060721002038570781@fodlets.co.uk> To: greg@blastzone.com Subject: Throw away your embarrassment MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----------SFBER0FEHQNCQUOAW" X-Blastzone.com-MailScanner-Information: Please contact postmaster@blastzone.com for more information X-Blastzone.com-MailScanner: Found to be clean X-Blastzone.com-MailScanner-SpamCheck: X-MailScanner-From: greg@blastzone.com Thanks! From martinh at solid-state-logic.com Mon Aug 21 17:46:10 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Mon Aug 21 17:46:18 2006 Subject: Messages spoofed as to/from me not being scanned. What am I missing... In-Reply-To: <20060821163541.26DAC16F9B3@mx.blastzone.com> References: <20060821163541.26DAC16F9B3@mx.blastzone.com> Message-ID: <44E9E352.9010409@solid-state-logic.com> Greg Deputy wrote: > I've been running MailScanner for a little over a year now and have been > extremely happy with it. I've had some spams getting through recently that > are addressed to me, and from me. For some reason, MailScanner doesn't seem > to bother scanning them, just says they're clean and passes them through. > This makes me think I may have my own address whitelisted somewhere, but if > I do I cant find it. I'm running with the spam.bydomain white/blacklists, > and have checked both the default and the one for the domain the mail is > coming in on, but my address isn't in there. > > Is there another location I should be looking for this, or is something else > going on? The header of the message is below. > > This is on a fedora core 2 system running MailScanner 4.50.15, SA 3.1.0 > processing about 50k messages per day. 
> > > Message Header: > > Return-Path: > X-Original-To: greg@blastzone.com > Delivered-To: greg@blastzone.com > Received: from 203.162.3.157 (unknown [222.253.101.77]) > by mx.blastzone.com (Postfix) with ESMTP id B139316F9B7 > for ; Mon, 21 Aug 2006 07:29:41 -0700 (PDT) > Received: from mta.xtra.co.nz (mta.xtra.co.nz [210.54.141.1]) > by 203.162.3.157 (Qmailv1) with ESMTP id 8SWCF23W > for ; Fri, 21 Jul 2006 10:30:39 +0700 > Received: from 194.154.164.82 ([fodlets.co.uk]:2306 "EHLO fodlets.co.uk" > smtp-auth: "tokshcauqu" TLS-CIPHER: TLS-PEER-CN1: ) > by mta.xtra.co.nz with ESMTP id YL66-NWJ0NInw-p1 (ORCPT > ); Fri, 21 Jul 2006 00:20:38 -0200 > Date: Fri, 21 Jul 2006 00:20:38 -0200 > From: "Paul Ross" > X-Mailer: The Bat! (v2.12.00) Personal > X-Priority: 3 > Message-ID: <56780461541336.20060721002038570781@fodlets.co.uk> > To: greg@blastzone.com > Subject: Throw away your embarrassment > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="----------SFBER0FEHQNCQUOAW" > X-Blastzone.com-MailScanner-Information: Please contact > postmaster@blastzone.com for more information > X-Blastzone.com-MailScanner: Found to be clean > X-Blastzone.com-MailScanner-SpamCheck: > X-MailScanner-From: greg@blastzone.com > > > Thanks! > Greg first of all remove the . in the %org-name% setting in mailScanner.conf - it'll confuse certain MTAs and isn't a valid character in the first of a header anyway! I'd also check the "Is Definite Not Spam" setting and "Scan Messages". If you have domains in there I'd suggest making it ip-addresses (ie don't spam scan 127.0.0.1 and 192.168.1.1 which is my lan!) and not to use domain names.. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From listacct at tulsaconnect.com Mon Aug 21 17:50:30 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Mon Aug 21 17:50:30 2006 Subject: Adding Exchage IMF "header" with MailScanner Message-ID: <44E9E456.1010304@tulsaconnect.com> Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it to deal with spam messages identified by systems like MailScanner or other appliance based solutions. Basically, it looks for the following header(s): X-MS-Exchange-Organization-PCL: (Phishing Confidence Level) X-MS-Exchange-Organization-SCL: (Spam Confidence Level) More details can be found at: http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true So, my question is -- can I add this header with MailScanner, inserting the appropriate spam score after the header, e.g.: X-MS-Exchange-Organization-SCL:5 The trick is, I don't want to mess with my existing header adds, I want to add this in addition to my normal ones (X-Spam-Score: XX). I see where I can add additional headers in the: Spam Actions = deliver header "X-Spam-Status: Yes" However, it is unclear how to insert the spam score "value" in the "value" area that it needs to be in. It is also unclear from the Microsoft docs if the "score" can be anything other than whole numbers (e.g. can't be 5.5 but 5 is OK). So, a way to "round" the score would be helpful. Any pointers? 
-- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From sandrews at andrewscompanies.com Mon Aug 21 18:48:52 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Mon Aug 21 18:48:56 2006 Subject: OT: IM Logging Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1C0D@winchester.andrewscompanies.com> We use our mailscanner to do a fair amount of email logging and are looking into the MCP as well. However, does anyone know of any instant message logging products? I've looked at the barracuda product, but I actually am one that went the other way; barracuda wasn't that effective for us; they do have an IM control and logging product, but it appears you use their IM client and it talks to all the major IM providers and logs from there. Anyway, I'm on the hunt for a vendor neutral IM logging product that we could built into our *nix firewall. Thanks, -TIA Steve From stork at openenterprise.ca Mon Aug 21 18:51:55 2006 From: stork at openenterprise.ca (Johnny Stork) Date: Mon Aug 21 18:52:18 2006 Subject: Rules du jour script is gone? Message-ID: Does anyone have a recent copy of the rdj bash script they can send me? The download link below appears to be gone? Thanks http://sandgnat.com/rdj/rules_du_jour --------------------------------------------- Johnny Stork Open Enterprise Solutions http://www.openenterprise.ca (Linux & Open Source Business Technology) http://www.dreamscapemedia.ca (Photography & Media) http://www.mountainlinux.ca (Linux Users Group) From michele at blacknight.ie Mon Aug 21 19:06:11 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Mon Aug 21 19:06:14 2006 Subject: Rules du jour script is gone? In-Reply-To: References: Message-ID: <44E9F613.3040401@blacknight.ie> Johnny Stork wrote: > Does anyone have a recent copy of the rdj bash script they can send me? 
The download link below appears to be gone? > > Thanks > > > http://sandgnat.com/rdj/rules_du_jour > There's one on the fsl site -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From rgreen at trayerproducts.com Mon Aug 21 19:06:12 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Mon Aug 21 19:07:10 2006 Subject: auto whitelisting Message-ID: <44E9F614.60806@trayerproducts.com> Hello, Is it recommended to disable auto whitelisting in spam.assassin.prefs.conf? Thanks / / -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From carl.andrews at crackerbarrel.com Mon Aug 21 19:08:26 2006 From: carl.andrews at crackerbarrel.com (Carl Andrews) Date: Mon Aug 21 19:09:07 2006 Subject: Rules du jour script is gone? In-Reply-To: <200608211801.k7LI1leX016428@smtpgw1.crackerbarrel.com> References: <200608211801.k7LI1leX016428@smtpgw1.crackerbarrel.com> Message-ID: <1156183706.8427.5.camel@localhost> On Mon, 2006-08-21 at 10:51 -0700, Johnny Stork wrote: > Does anyone have a recent copy of the rdj bash script they can send me? The download link below appears to be gone? > > Thanks > > > http://sandgnat.com/rdj/rules_du_jour > > --------------------------------------------- > Johnny Stork > Open Enterprise Solutions > > http://www.openenterprise.ca (Linux & Open Source Business Technology) > http://www.dreamscapemedia.ca (Photography & Media) > http://www.mountainlinux.ca (Linux Users Group) > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: rules_du_jour Type: application/x-shellscript Size: 63479 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/d06074fd/rules_du_jour-0001.bin From jfagan at firstlightnetworks.com Mon Aug 21 19:11:40 2006 From: jfagan at firstlightnetworks.com (James Fagan) Date: Mon Aug 21 19:09:25 2006 Subject: Rules du jour script is gone? In-Reply-To: Message-ID: <59E4A3A1069C2640959AD0F7518C4812064B31@FLN1.fln.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Johnny Stork > Sent: Monday, August 21, 2006 10:52 AM > To: mailscanner > Subject: Rules du jour script is gone? > > Does anyone have a recent copy of the rdj bash script they > can send me? The download link below appears to be gone? > > Thanks > > > http://sandgnat.com/rdj/rules_du_jour > > --------------------------------------------- > Johnny Stork > Open Enterprise Solutions > > http://www.openenterprise.ca (Linux & Open Source Business > Technology) http://www.dreamscapemedia.ca (Photography & > Media) http://www.mountainlinux.ca (Linux Users Group) > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Here is the one I have been using. wget http://fear.jfworks.net/linux/rules_du_jour James From dward at nccumc.org Mon Aug 21 19:11:36 2006 From: dward at nccumc.org (Douglas Ward) Date: Mon Aug 21 19:11:39 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: References: Message-ID: I am running perl 5.8.7 installed by Mandriva by default. On Sun, 20 Aug 2006 19:45:34 (GMT/BST), ajos1@onion.demon.co.uk < ajos1@onion.demon.co.uk> wrote: > > - > > True... it should auto install them. > > What version of perl are you on? 
perl -v > > I am on 5.8.8 and have loads of files > in /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE ... including > EXTERN.h... but only 1 file > in /usr/lib/perl5/5.8.7/i386-linux-thread-multi/CORE . [On redhat]. > > -----Original Message----- > From: MailScanner discussion Subj: Re: Filesys::Df module error after upgrade > Date: Sun, 20 Aug 2006 14:07:28 -0400 > > I am running Mandriva 2006. I ran the mailscanner installation file. I > assumed it would install any missing perl modules? > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Douglas Ward Director of Information Technology NC Methodist Conference 1307 Glenwood Ave. Raleigh, NC 27605 Work: (919) 832-9560 ext. 227 Fax: (919) 834-7989 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/6e5efcc6/attachment.html From dward at nccumc.org Mon Aug 21 19:18:13 2006 From: dward at nccumc.org (Douglas Ward) Date: Mon Aug 21 19:18:16 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: <44E8AC14.9040906@ecs.soton.ac.uk> References: <44E8AC14.9040906@ecs.soton.ac.uk> Message-ID: Julian, Perl command fails with the following error: Writing Makefile for Filesys::Df CPAN: YAML loaded ok cp Df.pm blib/lib/Filesys/Df.pm /usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp -prototypes -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap -typemap typemap Df.xs > Df.xsc && mv Df.xsc Df.c make: *** No rule to make target `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `Df.o'. Stop. /usr/bin/make install Df.pm -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible Failed during this command: IGUTHRIE/Filesys-Df-0.92.tar.gz : make NO On 8/20/06, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The author of this module renamed it, if I remember correctly :-( > Do > perl -MCPAN -e shell > and then > install Filesys::Df > and that should install the latest version of the required module. > > Douglas Ward wrote: > > I am running Mandriva 2006. I ran the mailscanner installation file. I > > assumed it would install any missing perl modules? > > > > On Sun, 20 Aug 2006 18:11:34 (GMT/BST), * ajos1@onion.demon.co.uk > > * > > wrote: > > > > - > > > > What version of linux and so forth are you on? > > > > Have you tried updating using the perl modules that are included > > with the MailScanner package? 
> > > > -----Original Message----- > > From: MailScanner discussion < mailscanner@lists.mailscanner.info > > > > Subj: Re: Filesys::Df module error after upgrade > > Date: Sat, 19 Aug 2006 14:52:37 -0400 > > > > == > > > ===================================================================== > > = > > = When Ms Jowell, whose department is responsible for sport, was > > = asked who she thought was going to win the cup, she gleefully > > = pointed towards her ministerial vehicle, which is now bedecked in > > = flags, to declare: "There's only one England." > > = > > = Need help dealing with Parking Tickets, Bailiffs, Capita or > NTL... > > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > > = > > > ===================================================================== > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > -- > > Douglas Ward > > Director of Information Technology > > NC Methodist Conference > > 1307 Glenwood Ave. > > Raleigh, NC 27605 > > Work: (919) 832-9560 ext. 227 > > Fax: (919) 834-7989 > > > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Charset: ISO-8859-1 > > wj8DBQFE6KwWEfZZRxQVtlQRAicjAKCzo8BDWVBLgZLApSSHyN08lOj/TwCfSbRK > KU64n8TsL4ncA+86/V4XMwo= > =RqmZ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Douglas Ward Director of Information Technology NC Methodist Conference 1307 Glenwood Ave. Raleigh, NC 27605 Work: (919) 832-9560 ext. 227 Fax: (919) 834-7989 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060821/f8f01b6a/attachment.html From mkettler at evi-inc.com Mon Aug 21 19:35:57 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Aug 21 19:36:11 2006 Subject: auto whitelisting In-Reply-To: <44E9F614.60806@trayerproducts.com> References: <44E9F614.60806@trayerproducts.com> Message-ID: <44E9FD0D.5020807@evi-inc.com> Green, Rodney wrote: > Hello, > > Is it recommended to disable auto whitelisting in spam.assassin.prefs.conf? Largely a matter of personal preference. That said, my personal opinion is that SA's AWL is not ready for production use on a mailserver that serves more than 10 people. The SA devs would argue otherwise, and they do use it on their production boxes. I base my opinion on the lack of automatic database maintenance. There is no auto-expire for AWL entries. Even if you use the "check-whitelist --clean" script, this only removes entries based on the number of times a particular address has been seen. It will not remove an address that was used 100 times, then became inactive 2 years ago.. So, until the AWL gets a real atime-based auto-expire system like the bayes system has, I will refrain from using it on a production box. Of course, I'd suggest you develop your own opinion, as the requirements of your system may be quite different from mine. 
From rgreen at trayerproducts.com Mon Aug 21 20:12:40 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Mon Aug 21 20:13:37 2006 Subject: auto whitelisting In-Reply-To: <44E9FD0D.5020807@evi-inc.com> References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> Message-ID: <44EA05A8.8080606@trayerproducts.com> Matt Kettler wrote: > Green, Rodney wrote: > >> Hello, >> >> Is it recommended to disable auto whitelisting in spam.assassin.prefs.conf? >> > > Largely a matter of personal preference. > > That said, my personal opinion is that SA's AWL is not ready for production use > on a mailserver that serves more than 10 people. The SA devs would argue > otherwise, and they do use it on their production boxes. > > I base my opinion on the lack of automatic database maintenance. There is no > auto-expire for AWL entries. Even if you use the "check-whitelist --clean" > script, this only removes entries based on the number of times a particular > address has been seen. It will not remove an address that was used 100 times, > then became inactive 2 years ago.. > > So, until the AWL gets a real atime-based auto-expire system like the bayes > system has, I will refrain from using it on a production box. > > Of course, I'd suggest you develop your own opinion, as the requirements of your > system may be quite different from mine. > Thanks Matt. I'm going to try running without it enabled for a while and see what happens. Rod -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From sailer at bnl.gov Mon Aug 21 20:21:03 2006
From: sailer at bnl.gov (Tim Sailer)
Date: Mon Aug 21 20:21:57 2006
Subject: OT: IM Logging
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1C0D@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB03B1C0D@winchester.andrewscompanies.com>
Message-ID: <20060821192103.GA21117@bnl.gov>

On Mon, Aug 21, 2006 at 01:48:52PM -0400, sandrews@andrewscompanies.com wrote:
> We use our mailscanner to do a fair amount of email logging and are
> looking into the MCP as well. However, does anyone know of any instant
> message logging products?

Google for AimSniff.

Tim

--
Tim Sailer
Information and Special Technologies Program
Northeast Regional Counterintelligence Office
Brookhaven National Laboratory (631) 344-3001

From stork at openenterprise.ca Mon Aug 21 20:28:56 2006
From: stork at openenterprise.ca (Johnny Stork)
Date: Mon Aug 21 20:29:45 2006
Subject: Rules du jour script doest seem to be working right
In-Reply-To: <59E4A3A1069C2640959AD0F7518C4812064B31@FLN1.fln.local>
Message-ID:

Thanks to everyone that sent me the script.

I don't think I have things setup correctly? I went through the docs in the script, created a basic /etc/rulesdujour/config file and editing the various variables, but this is what I get when I run it?

: command not foundnfig: line 3:
: command not foundnfig: line 3:
mkdir: cannot create directory `/etc/mail/spamassassin\r/RulesDuJour': No such file or directory
/RulesDuJour: No such file or directory78: cd: /etc/mail/spamassassin
. Are you running as the correct user? No rulesets will be checked or updated.
/RulesDuJour. Are you running as the correct user? No rulesets will be checked or updated.
/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 2>&1assassin
curl_output: 200
Performing preliminary lint (sanity check; does the CURRENT config lint?).
No files updated; No restart required.

/etc/rulesdujour/config contents:

SA_DIR="/etc/mail/spamassassin"
MAIL_ADDRESS="root"
SINGLE_EMAIL_ONLY="true";
# SA_RESTART="/etc/init.d/spamassassin restart"
TRUSTED_RULESETS="
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
RANDOMVAL
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_OBFU0
SARE_SPAMCOP_TOP200
"

CentOS 4.3
Mailscanner 4.55.9
SA 3.1.2

-----Original Message-----
From: jfagan@firstlightnetworks.com [mailto:jfagan@firstlightnetworks.com]
Sent: Monday, August 21, 2006 11:12 AM
To: MailScanner discussion
Subject: RE: Rules du jour script is gone?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Johnny Stork
> Sent: Monday, August 21, 2006 10:52 AM
> To: mailscanner
> Subject: Rules du jour script is gone?
>
> Does anyone have a recent copy of the rdj bash script they can send
> me? The download link below appears to be gone?
>
> Thanks
>
>
> http://sandgnat.com/rdj/rules_du_jour
>
> ---------------------------------------------
> Johnny Stork
> Open Enterprise Solutions
>
> http://www.openenterprise.ca (Linux & Open Source Business
> Technology) http://www.dreamscapemedia.ca (Photography &
> Media) http://www.mountainlinux.ca (Linux Users Group)
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Here is the one I have been using.

wget http://fear.jfworks.net/linux/rules_du_jour

James
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From daniel.maher at ubisoft.com Mon Aug 21 20:42:36 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Aug 21 20:42:40 2006 Subject: Rules du jour script doest seem to be working right Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D127@UBIMAIL1.ubisoft.org> Are you editing the file using a Windows text editor (such as Notepad), and then uploading it to your Linux server? If so - this is likely your problem. Windows adds end-of-line characters to text files that Linux doesn't like - and it causes problems like this. The solution, of course, is to edit it in Linux, or use a proper editor. Just a thought! -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Johnny Stork > Sent: August 21, 2006 3:29 PM > To: mailscanner > Subject: Rules du jour script doest seem to be working right > > Thanks to everyone that sent me the script. > > I don't think I have things setup correctly? I went through the docs in > the script, created a basic /etc/rulesdujour/config file and editing the > various variables, but this is what I get when I run it? > > > > : command not foundnfig: line 3: > : command not foundnfig: line 3: > mkdir: cannot create directory `/etc/mail/spamassassin\r/RulesDuJour': No > such file or directory > /RulesDuJour: No such file or directory78: cd: /etc/mail/spamassassin > . Are you running as the correct user? No rulesets will be checked or > updated. > /RulesDuJour. Are you running as the correct user? No rulesets will be > checked or updated. > /RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour > 2>&1assassin > curl_output: 200 > Performing preliminary lint (sanity check; does the CURRENT config lint?). > No files updated; No restart required. 
> > > > /etc/rulesdujour/config contents: > > SA_DIR="/etc/mail/spamassassin" > MAIL_ADDRESS="root" > SINGLE_EMAIL_ONLY="true"; > # SA_RESTART="/etc/init.d/spamassassin restart" > TRUSTED_RULESETS=" > TRIPWIRE > ANTIDRUG > SARE_EVILNUMBERS0 > RANDOMVAL > SARE_ADULT > SARE_FRAUD > SARE_BML > SARE_SPOOF > SARE_BAYES_POISON_NXM > SARE_OEM > SARE_RANDOM > SARE_OBFU0 > SARE_SPAMCOP_TOP200 > " > > > CentOS 4.3 > Mailscanner 4.55.9 > SA 3.1.2 > > -----Original Message----- > From: jfagan@firstlightnetworks.com [mailto:jfagan@firstlightnetworks.com] > Sent: Monday, August 21, 2006 11:12 AM > To: MailScanner discussion > Subject: RE: Rules du jour script is gone? > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > Johnny Stork > > Sent: Monday, August 21, 2006 10:52 AM > > To: mailscanner > > Subject: Rules du jour script is gone? > > > > Does anyone have a recent copy of the rdj bash script they can send > > me? The download link below appears to be gone? > > > > Thanks > > > > > > http://sandgnat.com/rdj/rules_du_jour > > > > --------------------------------------------- > > Johnny Stork > > Open Enterprise Solutions > > > > http://www.openenterprise.ca (Linux & Open Source Business > > Technology) http://www.dreamscapemedia.ca (Photography & > > Media) http://www.mountainlinux.ca (Linux Users Group) > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > Here is the one I have been using. 
> > wget http://fear.jfworks.net/linux/rules_du_jour > > > James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mikej at rogers.com Mon Aug 21 20:08:12 2006 From: mikej at rogers.com (Mike Jakubik) Date: Mon Aug 21 20:48:50 2006 Subject: Ignoring RFC1918 address space in numeric phishing Message-ID: <44EA049C.1070300@rogers.com> Does anybody know of a way to ignore the IANA private address space when numeric phishing is on? I tried adding in the form of "172.16", "172.16.*", "172.16.*.*" but none seem to work. I have an application which sends out HTML emails which contain links to local webservers, it's hard to predict each server's IP address, but I know it will be a private address. I think ignoring these by default is a safe bet for most people. From jfagan at firstlightnetworks.com Mon Aug 21 20:53:54 2006 From: jfagan at firstlightnetworks.com (James Fagan) Date: Mon Aug 21 20:51:38 2006 Subject: Rules du jour script doest seem to be working right In-Reply-To: Message-ID: <59E4A3A1069C2640959AD0F7518C4812064B33@FLN1.fln.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Johnny Stork > Sent: Monday, August 21, 2006 12:29 PM > To: mailscanner > Subject: Rules du jour script doest seem to be working right > > Thanks to everyone that sent me the script. > > I don't think I have things setup correctly? 
I went through > the docs in the script, created a basic > /etc/rulesdujour/config file and editing the various > variables, but this is what I get when I run it? > > > > : command not foundnfig: line 3: > : command not foundnfig: line 3: > mkdir: cannot create directory > `/etc/mail/spamassassin\r/RulesDuJour': No such file or directory > /RulesDuJour: No such file or directory78: cd: > I installed it with this package http://www.fsl.com/support/Rules_Du_Jour.tar.gz Untar it and there is an install.sh file I believe that copies all the files to the right places and such. Give it a shot. From mikej at rogers.com Mon Aug 21 21:02:06 2006 From: mikej at rogers.com (Mike Jakubik) Date: Mon Aug 21 21:01:56 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <44EA113E.3090904@rogers.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > appliances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > Because of the nature of the application, it has to be constantly kept up to date in order to be effective. This is a bonus that you get out of an appliance, as everything (should be) kept up to date for you automatically. If you are interested, I am developing such an appliance, which is based on MailScanner and FreeBSD and will have a more attractive price than most of the commercial alternatives. It's still not finished, but I am testing it with at a few sites, so far so good. I believe I should have it ready for prime time within a few months. 
From ssilva at sgvwater.com Mon Aug 21 21:01:42 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 21 21:02:05 2006 Subject: Thoughts on Barracudas? In-Reply-To: <383b01c6c533$85077420$287ba8c0@office.fsl> References: <04D932B0071FE34FA63EBB1977B48D150187ECFB@woodenex.woodmaclaw.local> <383b01c6c533$85077420$287ba8c0@office.fsl> Message-ID: > DefenderMX packages all of the application as rpms which use install.sh or > upgrade.sh scripts to do all the work. Very easy to install or upgrade. > Version 2.0 (out this fall) will use `yum` to make this even less of a > challenge :) Now there is one of the last differences between DefenderMX and a Barracuda. The option of easy updates. When that version is out, you could almost set cron to do weekly yum updates, and your system would stay up-to-date. I am afraid that if I had a Defender, my PHB's might decide I don't have enough to do! ;-) >> In essence all of that would turn MailScanner into a appliance type >> machine, which I would think it would appeal to even more people. > Steve > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From stork at openenterprise.ca Mon Aug 21 21:03:42 2006 From: stork at openenterprise.ca (Johnny Stork) Date: Mon Aug 21 21:04:14 2006 Subject: Rules du jour script doest seem to be working right In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D127@UBIMAIL1.ubisoft.org> Message-ID: Of course....me dummy....keep forgetting about that. Ok, now do I also need to change any rule path settings in SA, if I have RDJ putting the rule files into /etc/mail/spamassassin/RuleDuJour ? 
My rules path is /etc/mail/spamassassin -----Original Message----- From: Daniel Maher [mailto:daniel.maher@ubisoft.com] Sent: Monday, August 21, 2006 12:43 PM To: MailScanner discussion Subject: RE: Rules du jour script doest seem to be working right Are you editing the file using a Windows text editor (such as Notepad), and then uploading it to your Linux server? If so - this is likely your problem. Windows adds end-of-line characters to text files that Linux doesn't like - and it causes problems like this. The solution, of course, is to edit it in Linux, or use a proper editor. Just a thought! -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Johnny Stork > Sent: August 21, 2006 3:29 PM > To: mailscanner > Subject: Rules du jour script doest seem to be working right > > Thanks to everyone that sent me the script. > > I don't think I have things setup correctly? I went through the docs > in the script, created a basic /etc/rulesdujour/config file and > editing the various variables, but this is what I get when I run it? > > > > : command not foundnfig: line 3: > : command not foundnfig: line 3: > mkdir: cannot create directory `/etc/mail/spamassassin\r/RulesDuJour': > No such file or directory > /RulesDuJour: No such file or directory78: cd: /etc/mail/spamassassin > . Are you running as the correct user? No rulesets will be checked > or updated. > /RulesDuJour. Are you running as the correct user? No rulesets will > be checked or updated. > /RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour > 2>&1assassin > curl_output: 200 > Performing preliminary lint (sanity check; does the CURRENT config lint?). > No files updated; No restart required. 
> > > > /etc/rulesdujour/config contents: > > SA_DIR="/etc/mail/spamassassin" > MAIL_ADDRESS="root" > SINGLE_EMAIL_ONLY="true"; > # SA_RESTART="/etc/init.d/spamassassin restart" > TRUSTED_RULESETS=" > TRIPWIRE > ANTIDRUG > SARE_EVILNUMBERS0 > RANDOMVAL > SARE_ADULT > SARE_FRAUD > SARE_BML > SARE_SPOOF > SARE_BAYES_POISON_NXM > SARE_OEM > SARE_RANDOM > SARE_OBFU0 > SARE_SPAMCOP_TOP200 > " > > > CentOS 4.3 > Mailscanner 4.55.9 > SA 3.1.2 > > -----Original Message----- > From: jfagan@firstlightnetworks.com > [mailto:jfagan@firstlightnetworks.com] > Sent: Monday, August 21, 2006 11:12 AM > To: MailScanner discussion > Subject: RE: Rules du jour script is gone? > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > Johnny Stork > > Sent: Monday, August 21, 2006 10:52 AM > > To: mailscanner > > Subject: Rules du jour script is gone? > > > > Does anyone have a recent copy of the rdj bash script they can send > > me? The download link below appears to be gone? > > > > Thanks > > > > > > http://sandgnat.com/rdj/rules_du_jour > > > > --------------------------------------------- > > Johnny Stork > > Open Enterprise Solutions > > > > http://www.openenterprise.ca (Linux & Open Source Business > > Technology) http://www.dreamscapemedia.ca (Photography & > > Media) http://www.mountainlinux.ca (Linux Users Group) > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > Here is the one I have been using. 
> > wget http://fear.jfworks.net/linux/rules_du_jour > > > James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Mon Aug 21 21:10:01 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 21 21:10:40 2006 Subject: Rules du jour script doest seem to be working right In-Reply-To: References: <59E4A3A1069C2640959AD0F7518C4812064B31@FLN1.fln.local> Message-ID: Johnny Stork spake the following on 8/21/2006 12:28 PM: > Thanks to everyone that sent me the script. > > I don't think I have things setup correctly? I went through the docs in the script, created a basic /etc/rulesdujour/config file and editing the various variables, but this is what I get when I run it? > Try this; http://www.fsl.com/support/Rules_Du_Jour.tar.gz -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
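
The carriage returns diagnosed in the "Rules du jour script doest seem to be working right" thread above can be caught before a config file is ever sourced, so that a scheduled run stops with a clear message instead of reporting "No rulesets will be checked or updated". The sketch below is an added example, not part of any poster's message or of the rules_du_jour script; the function names are made up for illustration and the three-line sample config is constructed, modelled on the /etc/rulesdujour/config posted in the thread.

```shell
#!/bin/sh
# Added example: catch CRLF line endings before a shell config is sourced.
# The sample config is constructed; it mirrors the first three lines of the
# /etc/rulesdujour/config posted in the thread.

CR=$(printf '\r')   # a literal carriage return ($(...) strips only newlines)

# Write a constructed config with Windows (CRLF) line endings to $1.
make_sample_config() {
    printf 'SA_DIR="/etc/mail/spamassassin"\r\nMAIL_ADDRESS="root"\r\nSINGLE_EMAIL_ONLY="true";\r\n' > "$1"
}

# Print the space-separated numbers of the lines in $1 that end in CR.
# Prints nothing for a clean file.
cr_lines() {
    awk -v cr="$CR" 'substr($0, length($0)) == cr { printf "%s%d", sep, NR; sep = " " }' "$1"
}

# Source $1 in a subshell and print the value that variable $2 ends up with,
# i.e. what a script doing ". config" really sees. With CRLF input the CR
# becomes part of every value, and the CR after the ";" on line 3 is run as
# a command name, which is the garbled ": command not found" in the post.
sourced_value() {
    ( set +e; . "$1" 2>/dev/null; eval "printf '%s' \"\${$2}\"" )
}

# Make CR visible as \r when printing to a terminal.
show_cr() {
    sed "s/${CR}/\\\\r/g"
}

# Write a copy of $1 to $2 with the CR removed from the end of each line.
# The original is left untouched so it can be compared or restored.
strip_cr() {
    sed "s/${CR}\$//" "$1" > "$2"
}

# Guard for the top of an updater script: source $1 (a path containing a
# slash) only if it has no CR line endings; otherwise name the offending
# lines on stderr and return 1 so the caller can abort.
load_config() {
    bad=$(cr_lines "$1")
    if [ -n "$bad" ]; then
        echo "refusing to source $1: CR line ending on line(s) $bad" >&2
        return 1
    fi
    . "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_config "$dir/config"
    echo "CR found on line(s): $(cr_lines "$dir/config")"
    printf 'path built from SA_DIR: '
    printf '%s/RulesDuJour\n' "$(sourced_value "$dir/config" SA_DIR)" | show_cr
    load_config "$dir/config" || echo "updater stops here with a clear error"
    strip_cr "$dir/config" "$dir/config.unix"
    printf 'after strip_cr:         '
    printf '%s/RulesDuJour\n' "$(sourced_value "$dir/config.unix" SA_DIR)" | show_cr
    rm -rf "$dir"
}

demo
```
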
From glenn.steen at gmail.com Mon Aug 21 21:14:31 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 21 21:14:34 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: References: <44E8AC14.9040906@ecs.soton.ac.uk> Message-ID: <223f97700608211314q30f674a4pb3738c4884b80e2b@mail.gmail.com> On 21/08/06, Douglas Ward wrote: > Julian, > > Perl command fails with the following error: > > > Writing Makefile for Filesys::Df > CPAN: YAML loaded ok > cp Df.pm blib/lib/Filesys/Df.pm > /usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp > -prototypes -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap > -typemap typemap Df.xs > Df.xsc && mv Df.xsc Df.c > make: *** No rule to make target > `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by > `Df.o'. Stop. > /usr/bin/make install Df.pm -- NOT OK > Running make test > Can't test without successful make > Running make install > make had returned bad status, install seems impossible > Failed during this command: > IGUTHRIE/Filesys-Df-0.92.tar.gz : make NO > > Hi Douglas, I just tried installing it from cpan, without any problems. I did the install for perl 5.8.7 on a Mandriva 2006.0 (Official). The error you get kind of suggest that you've forgotten to install the perl-devel package, which contains the header file EXTERN.h ... Try doing an "urpmi perl-devel" (as root) and then rerun the cpan install. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Mon Aug 21 21:18:08 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Aug 21 21:17:32 2006 Subject: Could Be OT: How many people only accept reverse DNS lookup mail? In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com> Message-ID: On Thu, 17 Aug 2006, Michael Baird wrote: > I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > as well, on a lower pref MX (Spam Catcher). 
It goes further than just > checking reverse DNS, it also checks whether the domain actually accepts > mail, and if it accepts mail for the specified sender. I have just installed it on a test machine and found it does what it says - ie blocks mail from invalid envelope senders - very well. However the key drawback that stops me from putting it into production is that you can't whitelist sender addresses that might be invalid but do send genuine mail, eg from mailing lists, web sites, etc. It also has a very limited system for whitelisting hosts - but you have to put them all in one single regular expression, which is not very convenient. It is a pity that it isn't integrated with the access file in the same way as require_rdns is. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From steve.swaney at fsl.com Mon Aug 21 21:24:16 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Aug 21 21:24:19 2006 Subject: Rules du jour script doest seem to be working right In-Reply-To: <59E4A3A1069C2640959AD0F7518C4812064B33@FLN1.fln.local> Message-ID: <3b2001c6c55f$c6a47730$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of James Fagan > Sent: Monday, August 21, 2006 3:54 PM > To: MailScanner discussion > Subject: RE: Rules du jour script doest seem to be working right > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Johnny Stork > > Sent: Monday, August 21, 2006 12:29 PM > > To: mailscanner > > Subject: Rules du jour script doest seem to be working right > > > > Thanks to everyone that sent me the script. > > > > I don't think I have things setup correctly? 
I went through > > the docs in the script, created a basic > > /etc/rulesdujour/config file and editing the various > > variables, but this is what I get when I run it? > > > > > > > > : command not foundnfig: line 3: > > : command not foundnfig: line 3: > > mkdir: cannot create directory > > `/etc/mail/spamassassin\r/RulesDuJour': No such file or directory > > /RulesDuJour: No such file or directory78: cd: > > > > > I installed it with this package > http://www.fsl.com/support/Rules_Du_Jour.tar.gz > > Untar it and there is an install.sh file I believe that copies all the > files to the > right places and such. Give it a shot. Please note that as the documentation says, the install script works fine in Linux based systems, RH, CentOS, SUSE, but will need modifications of other Operating systems, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From glenn.steen at gmail.com Mon Aug 21 21:38:25 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 21 21:38:28 2006 Subject: Some more on AV scanners. In-Reply-To: <44E8E4D0.5050501@enitech.com.au> References: <223f97700608170704r4246bb4kebfb17ec7ec5b929@mail.gmail.com> <223f97700608171143k49799f46y95b74e4677c374b5@mail.gmail.com> <44E8E4D0.5050501@enitech.com.au> Message-ID: <223f97700608211338y79af1318lf7d86ce6b3e31034@mail.gmail.com> On 21/08/06, Peter Russell wrote: > I use clam, bitdefender and antivir - antivir is german i think and is > available for free for non commercial use (we are a not for profit company). > > We have a site wide CA license but i gave up trying to get it working on > centos/rhel4 > Thanks for the input Pete. We're .gov, so.... I'm not entirely sure I can use Antivir for free (has been recommending it to friends&relatives who don't think AVs worth spending a dime on (www.free-av.com ... indeed).... So I'm pretty familiar with its "classic" windoze variant:-). Anyway, no time to play with this further (the 5412's arrived, so ... work work work:). 
If things get nasty with bdc, the PHB will just have to spring for something:). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mkettler at evi-inc.com Mon Aug 21 22:41:51 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Aug 21 22:42:00 2006 Subject: Could Be OT: How many people only accept reverse DNS lookup mail? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150187E4AF@woodenex.woodmaclaw.local> Message-ID: <44EA289F.6070608@evi-inc.com> Billy A. Pumphrey wrote: > Does anyone only accept email that will do a reverse lookup? Does > anyone recommend it? > I don't require it, however, I've managed to configure milter-greylist to greylist hosts without a reverse DNS entry. Basically I've gone against the standard "greylist everything, except some hosts" and done a "don't greylist anything, except hosts that match these regexes..." type configuration. This kind of gives me a lot of spam and virus control benefit, but the occasional legitimate site with no RDNS can still deliver mail, albeit delayed. I've found there's a fairly good number of small company sites that we need to work with that lack RDNS entries for their mailservers, so outright blocking is a bit problematic for me. From sandrews at andrewscompanies.com Tue Aug 22 01:16:18 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 22 01:16:22 2006 Subject: Thoughts on Barracudas? Message-ID: <1964AAFBC212F742958F9275BF63DBB03BD694@winchester.andrewscompanies.com> Yeah, defender would seriously cut into billable hours and we really don't want that. 
;) We can all cron the thing until our eyes bleed but I prefer not to; that way every couple weeks the spam increases a bit (as it normally does as spamers figure ways around the blocks), and the client calls and mentions it; we add a few more rules or update the version or SA and the junk goes away for a while. I've trained all my clients that keeping spam at bay is hard and requires vigilance; you make an appliance that does that well and I'll be pissed. I think the barracuda does a good job, but since it's an appliance it does appliance level work. If you want to knock off 80% of the spam with 20% of the work, barracuda will do that; but a properly manged MS box will do quite a bit better imho, but that performance comes from a human making decisions and isn't that what they pay us for? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Monday, August 21, 2006 4:02 PM To: mailscanner@lists.mailscanner.info Subject: Re: Thoughts on Barracudas? > DefenderMX packages all of the application as rpms which use > install.sh or upgrade.sh scripts to do all the work. Very easy to install or upgrade. > Version 2.0 (out this fall) will use `yum` to make this even less of a > challenge :) Now there is one of the last differences between DefenderMX and a Barracuda. The option of easy updates. When that version is out, you could almost set cron to do weekly yum updates, and your system would stay up-to-date. I am afraid that if I had a Defender, my PHB's might decide I don't have enough to do! ;-) >> In essence all of that would turn MailScanner into a appliance type >> machine, which I would think it would appeal to even more people. > Steve > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at nkpanama.com Tue Aug 22 01:43:56 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 22 01:44:12 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <44EA534C.7000605@nkpanama.com> My two cents: I've noticed that the effectiveness of a system using MailScanner *will* degrade as spammer tactics change, unless you properly feed and care for it. This is true however, for any system. There are markets for every kind of gadget available, and that's a fact of life. If they are willing to spend money on an "appliance" (only a different box with some different software, but in the end *everything's* an appliance), they will go ahead and do it. I *have* noticed, however, that there are *some* people out there in the IT field that lack the resourcefulness that is sometimes required when you're dealing with technology. These people will go out of their way to buy "appliances" not because it saves them money or resources (that *will* be their stated "reason", but you and I know it's their covert *excuse*), but because they can blame someone else when it breaks, instead of fixing it. Spam will leak through eventually in any system. You have to train your users so that they don't engage in spam-attracting activities (giving out their e-mail address, writing it on a webpage or a forum, using those crappy "remind me of my birthday" address harvesters, etc.), you have to train your system (using bayes or whatever), you have to keep upgrading your protection (including more clever ways to detect spam), and in general, be proactive. That said, MailScanner is like the stone in the "stone soup" tale. 
It uses third party AV scanners, third party content scanners (spamassassin et. al), third party MTA's (with their own milters or whatever), and basically scans for bad content if any of the other pieces missed something. It's probably the best example of a program being "much more than the sum of its parts". Without knowing the specifics of the situation these few people are in, I'm reminded of many of my relatives who, after a year or two using their brand new car, realize they have to do things like realign their tires, change their oil, check their batteries, etc. - "I thought it just ran on unleaded!!". You know the type. We used to call them "flashing 12s" in the 80s. :-) Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I have had some comments from a few people leaving the mailing list as > they are ditching their MailScanner setups and switching to Barracuda > applicances instead. They claim that things worked fine when they first > installed MailScanner, but gradually more and more spam is leaking > through, to the point where they have decided to abandon it. > > > Here is what he said: > > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. > "It wasn't worth the headache. Your forums indicate that there are > numerous people experienced the same problems I have encountered. > "I have since purchased a Barracuda SPAM 200 firewall. This device has > worked much better." > > > > What is your opinion on the Barracuda appliance? > How easy is it to use? > Does it actually work? > Can it survive the loads they say it can? > > And, of course, how does it compare with MailScanner? > > Please be open and honest, and as impartial as you can. > > All of your thoughts are most welcome. 
> > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 > aSJKg2X8ibML6k+ZA3hpPlQ= > =Ji1K > -----END PGP SIGNATURE----- > From leiw324 at yahoo.com.hk Tue Aug 22 02:06:49 2006 From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Tue Aug 22 02:06:53 2006 Subject: Delete spam mail problem Message-ID: <20060822010649.65850.qmail@web54410.mail.yahoo.com> I tried to send spam mail to my company postfix mail server from my home, it can't delete spam mail, the postfix mail server included SpamAssassin + clamav + MailScanner. Here is my MailScanner.conf: http://uwants.no-ip.org/MailScanner.conf The one of E-mail format: http://uwants.no-ip.org/mail.txt Thanks!! From markee at bandwidthco.com Tue Aug 22 03:55:47 2006 From: markee at bandwidthco.com (markee) Date: Tue Aug 22 03:56:14 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: <007d01c6c596$77cf2bf0$0300a8c0@bandwidthco.com> Julian - I am a security consultant. I have been protecting my own mail system with MailScanner for about three years now. Out of thousands, I may have two or three spam emails getting through my MailScanner protected gateway per day. I'd say that is pretty damn good. One of my largest clients has been using a Barracuda for about three years.
For the first couple of years they had fairly good success with it. However, 2006 has been a different story. They are getting buried in spam and the Barracuda seems hapless. One BIG vote here for MailScanner. Don't know what I would do without it and I don't know how others survive without it. ########################################## This is coming from the home and office of: Mark E. Donaldson Bandwidthco Computer Security markee@bandwidthco.com http://www.bandwidthco.com/ Copyright C 1999 Bandwidthco.com. All rights reserved. 4500 0028 a66b 4000 8006 d307 c0a8 000a c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60 5010 f64c c0f6 0000 0000 0000 0000 ########################################## CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, GAWN, X-Ways (WinHex) Forensics Certified ########################################## Hacking is the process of influencing a computer system in such a way that it performs an action that is useful to you. ########################################## .~. /V\ /( )\ ^^-^^ -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, August 21, 2006 5:51 AM To: MailScanner discussion Subject: Thoughts on Barracudas? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, I have had some comments from a few people leaving the mailing list as they are ditching their MailScanner setups and switching to Barracuda applicances instead. They claim that things worked fine when they first installed MailScanner, but gradually more and more spam is leaking through, to the point where they have decided to abandon it. Here is what he said: "I've tried Mailscanner on FreeBSD for almost one year. It worked great for about two months, then after every upgrade it began to let more and more spam through. I've tried everything to fix it and just got tired of my users complaining of increased spam. "It wasn't worth the headache. 
Your forums indicate that there are numerous people experienced the same problems I have encountered. "I have since purchased a Barracuda SPAM 200 firewall. This device has worked much better." What is your opinion on the Barracuda appliance? How easy is it to use? Does it actually work? Can it survive the loads they say it can? And, of course, how does it compare with MailScanner? Please be open and honest, and as impartial as you can. All of your thoughts are most welcome. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 aSJKg2X8ibML6k+ZA3hpPlQ= =Ji1K -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. 
######################################################## From mike at vesol.com Tue Aug 22 04:10:54 2006 From: mike at vesol.com (Mike Kercher) Date: Tue Aug 22 04:11:04 2006 Subject: Delete spam mail problem In-Reply-To: <20060822010649.65850.qmail@web54410.mail.yahoo.com> Message-ID: Log entries? ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok Sent: Monday, August 21, 2006 8:07 PM To: mailscanner@lists.mailscanner.info Subject: Delete spam mail problem I tried to send spam mail to my company postfix mail server from my home, it can't delete spam mail, the postfix mail server included SpamAssassin + clamav + MailScanner. Here is my MailScanner.conf: http://uwants.no-ip.org/MailScanner.conf The one of E-mail format: http://uwants.no-ip.org/mail.txt Thanks!! From sandrews at andrewscompanies.com Tue Aug 22 04:29:17 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 22 04:29:21 2006 Subject: Thoughts on Barracudas? Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1C27@winchester.andrewscompanies.com> Which is odd because barracuda is based on SA; but you're right they seemed to have dropped the 2006 ball... -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of markee Sent: Monday, August 21, 2006 10:56 PM To: 'MailScanner discussion' Subject: RE: Thoughts on Barracudas? Julian - I am a security consultant.
I have been protecting my own mail system with MailScanner for about three years now. Out of thousands, I may have two or three spam emails getting through my MailScanner protected gateway per day. I'd say that is pretty damm good. One of my largest clients has been using a Barracuda for about three years. For the first couple of years they had fairly good success with it. However, 2006 has been a different story. They are getting buried in spam and the Barracuda seems hapless. One BIG vote here for MailScanner. Don't know what I would do without it and I don't know how others survive without it. ########################################## This is coming from the home and office of: Mark E. Donaldson Bandwidthco Computer Security markee@bandwidthco.com http://www.bandwidthco.com/ Copyright C 1999 Bandwidthco.com. All rights reserved. 4500 0028 a66b 4000 8006 d307 c0a8 000a c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60 5010 f64c c0f6 0000 0000 0000 0000 ########################################## CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, GAWN, X-Ways (WinHex) Forensics Certified ########################################## Hacking is the process of influencing a computer system in such a way that it performs an action that is useful to you. ########################################## .~. /V\ /( )\ ^^-^^ -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, August 21, 2006 5:51 AM To: MailScanner discussion Subject: Thoughts on Barracudas? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, I have had some comments from a few people leaving the mailing list as they are ditching their MailScanner setups and switching to Barracuda applicances instead. They claim that things worked fine when they first installed MailScanner, but gradually more and more spam is leaking through, to the point where they have decided to abandon it. 
Here is what he said: "I've tried Mailscanner on FreeBSD for almost one year. It worked great for about two months, then after every upgrade it began to let more and more spam through. I've tried everything to fix it and just got tired of my users complaining of increased spam. "It wasn't worth the headache. Your forums indicate that there are numerous people experienced the same problems I have encountered. "I have since purchased a Barracuda SPAM 200 firewall. This device has worked much better." What is your opinion on the Barracuda appliance? How easy is it to use? Does it actually work? Can it survive the loads they say it can? And, of course, how does it compare with MailScanner? Please be open and honest, and as impartial as you can. All of your thoughts are most welcome. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 aSJKg2X8ibML6k+ZA3hpPlQ= =Ji1K -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. 
######################################################## ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solid-state-logic.com Tue Aug 22 09:06:51 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 22 09:07:10 2006 Subject: Rules du jour script is gone? In-Reply-To: <59E4A3A1069C2640959AD0F7518C4812064B31@FLN1.fln.local> References: <59E4A3A1069C2640959AD0F7518C4812064B31@FLN1.fln.local> Message-ID: <44EABB1B.7010508@solid-state-logic.com> James Fagan wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Johnny Stork >> Sent: Monday, August 21, 2006 10:52 AM >> To: mailscanner >> Subject: Rules du jour script is gone? >> >> Does anyone have a recent copy of the rdj bash script they >> can send me? The download link below appears to be gone? 
>> >> Thanks >> >> >> http://sandgnat.com/rdj/rules_du_jour >> >> --------------------------------------------- >> Johnny Stork >> Open Enterprise Solutions >> >> http://www.openenterprise.ca (Linux & Open Source Business >> Technology) http://www.dreamscapemedia.ca (Photography & >> Media) http://www.mountainlinux.ca (Linux Users Group) >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Here is the one I have been using. > > wget http://fear.jfworks.net/linux/rules_du_jour > > > James Works fine for from sandgnat.com - that's the official place for it. Maybe temp site down?????? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solid-state-logic.com Tue Aug 22 09:08:09 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 22 09:08:22 2006 Subject: auto whitelisting In-Reply-To: <44E9FD0D.5020807@evi-inc.com> References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> Message-ID: <44EABB69.4090001@solid-state-logic.com> Matt Kettler wrote: > Green, Rodney wrote: >> Hello, >> >> Is it recommended to disable auto whitelisting in spam.assassin.prefs.conf? > > Largely a matter of personal preference. 
> > That said, my personal opinion is that SA's AWL is not ready for production use > on a mailserver that serves more than 10 people. The SA devs would argue > otherwise, and they do use it on their production boxes. > > I base my opinion on the lack of automatic database maintenance. There is no > auto-expire for AWL entries. Even if you use the "check-whitelist --clean" > script, this only removes entries based on the number of times a particular > address has been seen. It will not remove an address that was used 100 times, > then became inactive 2 years ago.. > > So, until the AWL gets a real atime-based auto-expire system like the bayes > system has, I will refrain from using it on a production box. > > Of course, I'd suggest you develop your own opinion, as the requirements of your > system may be quite different from mine. I'd agree with Matt. I always recommend you turn the thing off as it tends to let spam through when you don't want it to.. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solid-state-logic.com Tue Aug 22 09:13:07 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 22 09:13:19 2006 Subject: Rules du jour script doest seem to be working right In-Reply-To: References: Message-ID: <44EABC93.3060404@solid-state-logic.com> Johnny Stork wrote: > Of course....me dummy....keep forgetting about that. 
Ok, now do I also need to change any rule path settings in SA, if I have RDJ putting the rule files into /etc/mail/spamassassin/RuleDuJour ? My rules path is /etc/mail/spamassassin > > -----Original Message----- James RDJ will dump the downloads into /etc/mail/spamassassin/RulesDuJour first, do a lint test then if everything is fine move the new files to /etc/mail/spamassassin. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solid-state-logic.com Tue Aug 22 09:18:26 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 22 09:18:39 2006 Subject: Delete spam mail problem In-Reply-To: <20060822010649.65850.qmail@web54410.mail.yahoo.com> References: <20060822010649.65850.qmail@web54410.mail.yahoo.com> Message-ID: <44EABDD2.2070608@solid-state-logic.com> Wilson Kwok wrote: > I tried to send spam mail to my company postfix mail server from my > home, it > > can't delete spam mail, the postfix mail server included SpamAssassin + > > clamav + MailScanner. > > Here is my MailScanner.conf: > > http://uwants.no-ip.org/MailScanner.conf > > The one of E-mail format: > > http://uwants.no-ip.org/mail.txt > > Thanks!!
Wilson In MailScanner.conf you've defined the High Score for spamassassin as 5, but the email you send scored above 6. High SpamAssassin Score = 5 So it will run the "High Scoring Spam Actions" actions. Unfortunately you've commented this out so it won't do anything different than deliver. Try uncommenting this setting and it should not deliver the email. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Aug 22 10:17:04 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 22 10:17:34 2006 Subject: Access .rules files via HTTP ? In-Reply-To: <2C7100720056A2408E0DC6795A5CDF0A01693CA7@COBS-EXCH-01.texaco.ovonic> References: <2C7100720056A2408E0DC6795A5CDF0A01693CA7@COBS-EXCH-01.texaco.ovonic> Message-ID: <44EACB90.8080802@ecs.soton.ac.uk> You could easily write a very short script to wget the configuration files, then do a "service MailScanner reload". Set this up as a "cron" job and it will get done regularly for you. Mike Wilson wrote: > > Hello everyone, > > I'm new to the list, but have been using MailScanner for over a year, > anyway, here is my question. > > Is there a way to specify that the .conf files can be read over http?
> > We edit the spam whitelist 2-3 times a day on 2 different MailScanner > servers. > > Is there a way to configure MailScanner to read this file for a > centralized web server instead of from the local file? > > Mike Wilson > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 22 10:21:12 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 22 10:21:31 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: References: <44E8AC14.9040906@ecs.soton.ac.uk> Message-ID: <44EACC88.40006@ecs.soton.ac.uk> In which case you need to contact the maintainer of the Filesys::Df module and ask him/her about it. You can find the author's address very easily from search.cpan.org. Douglas Ward wrote: > Julian, > > Perl command fails with the following error: > > Writing Makefile for Filesys::Df > CPAN: YAML loaded ok > cp Df.pm blib/lib/Filesys/Df.pm > /usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp -prototypes > -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap -typemap typemap Df.xs > > Df.xsc && mv Df.xsc Df.c > make: *** No rule to make target > `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `Df.o'. Stop. 
> /usr/bin/make install Df.pm -- NOT OK > Running make test > Can't test without successful make > Running make install > make had returned bad status, install seems impossible > Failed during this command: > IGUTHRIE/Filesys-Df-0.92.tar.gz : make NO > > > On 8/20/06, *Julian Field* > wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The author of this module renamed it, if I remember correctly :-( > Do > perl -MCPAN -e shell > and then > install Filesys::Df > and that should install the latest version of the required module. > > Douglas Ward wrote: > > I am running Mandriva 2006. I ran the mailscanner installation > file. I > > assumed it would install any missing perl modules? > > > > On Sun, 20 Aug 2006 18:11:34 (GMT/BST), * > ajos1@onion.demon.co.uk > > >* > > >> wrote: > > > > - > > > > What version of linux and so forth are you on? > > > > Have you tried updating using the perl modules that are > included > > with the MailScanner package? > > > > -----Original Message----- > > From: MailScanner discussion < > mailscanner@lists.mailscanner.info > > > > > > Subj: Re: Filesys::Df module error after upgrade > > Date: Sat, 19 Aug 2006 14:52:37 -0400 > > > > == > > > ===================================================================== > > = > > = When Ms Jowell, whose department is responsible for sport, was > > = asked who she thought was going to win the cup, she gleefully > > = pointed towards her ministerial vehicle, which is now > bedecked in > > = flags, to declare: "There's only one England." > > = > > = Need help dealing with Parking Tickets, Bailiffs, Capita > or NTL... > > = Call... 
+44 8457 90 90 90 http://www.samaritans.org/ > > = > > > ===================================================================== > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > < http://lists.mailscanner.info/mailman/listinfo/mailscanner> > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > -- > > Douglas Ward > > Director of Information Technology > > NC Methodist Conference > > 1307 Glenwood Ave. > > Raleigh, NC 27605 > > Work: (919) 832-9560 ext. 227 > > Fax: (919) 834-7989 > > > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Charset: ISO-8859-1 > > wj8DBQFE6KwWEfZZRxQVtlQRAicjAKCzo8BDWVBLgZLApSSHyN08lOj/TwCfSbRK > KU64n8TsL4ncA+86/V4XMwo= > =RqmZ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > Douglas Ward > Director of Information Technology > NC Methodist Conference > 1307 Glenwood Ave. > Raleigh, NC 27605 > Work: (919) 832-9560 ext. 
227 > Fax: (919) 834-7989 -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 22 10:23:01 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 22 10:23:23 2006 Subject: Ignoring RFC1918 address space in numeric phishing In-Reply-To: <44EA049C.1070300@rogers.com> References: <44EA049C.1070300@rogers.com> Message-ID: <44EACCF5.4020501@ecs.soton.ac.uk> Use a ruleset. They are documented well in the MAQ, the wiki and the book. Just use it to not do phishing checks when the message comes from one of your addresses. Mike Jakubik wrote: > Does anybody know of a way to ignore the IANA private address space > when numeric phishing is on? I tried adding in the form of "172.16", > "172.16.*", "172.16.*.*" but none seem to work. I have an application > which sends out HTML emails which contain links to local webservers, > its hard to predict each servers IP address, but i know it will be a > private address. I think ignoring these by default is a safe bet for > most people. > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From t.d.lee at durham.ac.uk Tue Aug 22 10:54:48 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Aug 22 10:56:10 2006 Subject: Ignoring RFC1918 address space in numeric phishing In-Reply-To: <44EACCF5.4020501@ecs.soton.ac.uk> References: <44EA049C.1070300@rogers.com> <44EACCF5.4020501@ecs.soton.ac.uk> Message-ID: On Tue, 22 Aug 2006, Julian Field wrote: > Mike Jakubik wrote: > > Does anybody know of a way to ignore the IANA private address space > > when numeric phishing is on? I tried adding in the form of "172.16", > > "172.16.*", "172.16.*.*" but none seem to work. I have an application > > which sends out HTML emails which contain links to local webservers, > > its hard to predict each servers IP address, but i know it will be a > > private address. I think ignoring these by default is a safe bet for > > most people. > > > > Use a ruleset. They are documented well in the MAQ, the wiki and the > book. Just use it to not do phishing checks when the message comes from > one of your addresses. Combining the two: 1. Mike's suggestion that it default to ignoring private IPs; 2. Julian's "use a ruleset" suggestion; and also noting that dabbling in rulesets seems (understandably) a big and somewhat scary hurdle for some new (and not so new!) MS end-users... ...how about making the default "out of the box" set-up ignore these IPs (Mike's request) by using ruleset technology (Julian's suggestion), which thereby gives nervous, first-time ruleset dabblers a real, concrete example of rulesets already in use in their own (default) MS configuration when they later have to create some other new ruleset elsewhere? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From FStein at thehill.org Tue Aug 22 12:22:25 2006 From: FStein at thehill.org (Stein, Mr. 
Fred) Date: Tue Aug 22 12:23:05 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: Julian, I have been using mailscanner for several years. I have only had 1 email virus hit my Symantec antivirus gateway in the last 18 months thanks to mailscanner and spam blocking is excellent. I had a school employee call last week and he said spam is getting ridiculous. I agreed and asked how I could help. His reply, I am getting covered in spam. I asked that he quantify his statement. Well, 2 in 2 weeks. Okay what is your norm was my reply. There was a silence. These are the only 2 I ever receive here at school in 2 years. So needless to say we have been very happy with mailscanner. Fred Stein Network Administrator The Hill School 717 E. High Street Pottstown, PA? 19464 fstein@thehill.org www.thehill.org -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, August 21, 2006 8:51 AM To: MailScanner discussion Subject: Thoughts on Barracudas? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, I have had some comments from a few people leaving the mailing list as they are ditching their MailScanner setups and switching to Barracuda applicances instead. They claim that things worked fine when they first installed MailScanner, but gradually more and more spam is leaking through, to the point where they have decided to abandon it. Here is what he said: "I've tried Mailscanner on FreeBSD for almost one year. It worked great for about two months, then after every upgrade it began to let more and more spam through. I've tried everything to fix it and just got tired of my users complaining of increased spam. "It wasn't worth the headache. Your forums indicate that there are numerous people experienced the same problems I have encountered. "I have since purchased a Barracuda SPAM 200 firewall. This device has worked much better." 
What is your opinion on the Barracuda appliance? How easy is it to use? Does it actually work? Can it survive the loads they say it can? And, of course, how does it compare with MailScanner? Please be open and honest, and as impartial as you can. All of your thoughts are most welcome. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE6axCEfZZRxQVtlQRAiZ7AJ4oePxv84AnY5kWulLNvXbHDhCNxACgnwq9 aSJKg2X8ibML6k+ZA3hpPlQ= =Ji1K -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From support-lists at petdoctors.co.uk Tue Aug 22 13:01:03 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Aug 22 13:01:30 2006 Subject: Config is double checking blacklists Message-ID: <000701c6c5e2$aca01190$1465a8c0@support01> Hi Folks, I noticed we were suddenly getting a lot of our own outbound mail marked as spam. The root cause was we'd ended up in CBL due to a mis-configured server name, but in sorting this out, I noticed the following info at Spamhaus.. === Exploits Block List The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits. 
Incorporates CBL data and NJABL proxy data The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are: - the CBL (Composite Block List) from cbl.abuseat.org - the NJABL Open Proxy IPs list from www.njabl.org. Mail servers already using cbl.abuseat.org should NOT also use xbl.spamhaus.org or you will be making 'double' queries to basically the same data source and only one DNSBL will appear to work (the other(s) will appear to not catch anything). Mail servers already using dnsbl.njabl.org are advised to continue doing so, as dnsbl.njabl.org is itself a composite list and contains more than the open proxy IPs list part now incorporated in XBL. === The only reason I point this out is that my installation of MailScanner et. Al was originally done using Johnny Hughes' excellent howto and by default, the spam checking rules used list both SBL+XBL and CBL, which according to the above means we are effectively double-checking and any 'hit' will count as 2 towards 'spam lists to be spam'. If my assumption is correct, will I be OK to remove SBL+XBL and replace it with spamhaus.org in order to not check both XBL and CBL? Thanks From daniel.maher at ubisoft.com Tue Aug 22 16:02:49 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Tue Aug 22 16:02:54 2006 Subject: SA bayes not working / autolearn inactive? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D132@UBIMAIL1.ubisoft.org> Hello all, I set up a new MailScanner server today, basically as a clone of an already existing one in the pool. I have SpamAssassin's "autolearn" feature enabled on the existing mail servers; however, even though I have the same environment and configuration file on the new incoming server, autolearn does not appear to be activated. It's either that, or bayes just isn't activating properly, and autolearn is deactivating on it's own.. I'm just not sure. 
Relevant config snippet:

###
use_bayes 1
bayes_path /var/spool/MailScanner/incoming/bayes/bayes
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam -5.0
bayes_auto_learn_threshold_spam 12
###

On the servers which appear to have functioning Bayes databases, the "autolearn=*" string appears in the Score line as one would expect. On the new server, the autolearn string simply does not appear, and the "bayes_*" files do not grow in size. Oddly enough, running a lint check on the new server shows no obvious problems:

[18747] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_toks
[18747] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_seen
[18747] dbg: bayes: found bayes db version 3
[18747] dbg: bayes: DB journal sync: last sync: 0
[18747] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
[18747] dbg: bayes: untie-ing
[18747] dbg: bayes: untie-ing db_toks
[18747] dbg: bayes: untie-ing db_seen

Which is, of course, exactly what you'd expect.

Any ideas? Thanks!

--
 _
 ?v?   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060822/c256042f/attachment.html

From rgreen at trayerproducts.com Tue Aug 22 16:54:09 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Tue Aug 22 16:55:09 2006
Subject: SA bayes not working / autolearn inactive?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D132@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D132@UBIMAIL1.ubisoft.org>
Message-ID: <44EB28A1.2070902@trayerproducts.com>

Daniel Maher wrote:
>
> Hello all,
>
> I set up a new MailScanner server today, basically as a clone of an
> already existing one in the pool. I have SpamAssassin's "autolearn"
> feature enabled on the existing mail servers; however, even though I > have the same environment and configuration file on the new incoming > server, autolearn does not appear to be activated. It?s either that, > or bayes just isn?t activating properly, and autolearn is deactivating > on it?s own.. I?m just not sure. > > Relevant config snippet: > > ### > > use_bayes 1 > > bayes_path /var/spool/MailScanner/incoming/bayes/bayes > > bayes_auto_learn 1 > > bayes_auto_learn_threshold_nonspam -5.0 > > bayes_auto_learn_threshold_spam 12 > > ### > > On the servers which appear to have functioning Bayes databases, the > ?autolearn=*? string appears in the Score line as one would expect. On > the new server, the autolearn string simply does not appear, and the > ?bayes_*? files do not grow in size. Oddly enough, running a lint > check on the new server shows no obvious problems: > > [18747] dbg: bayes: tie-ing to DB file R/O > /var/spool/MailScanner/incoming/bayes/bayes_toks [18747] dbg: bayes: > tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_seen > > [18747] dbg: bayes: found bayes db version 3 > > [18747] dbg: bayes: DB journal sync: last sync: 0 > > [18747] dbg: bayes: not available for scanning, only 0 spam(s) in > bayes DB < 200 > > [18747] dbg: bayes: untie-ing > > [18747] dbg: bayes: untie-ing db_toks [18747] dbg: bayes: untie-ing > db_seen > Does autolearn function when the minimum for spam/ham is not meet? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solid-state-logic.com Tue Aug 22 16:57:47 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 22 16:59:09 2006 Subject: SA bayes not working / autolearn inactive? 
In-Reply-To: <44EB28A1.2070902@trayerproducts.com> References: <1E293D3FF63A3740B10AD5AAD88535D20226D132@UBIMAIL1.ubisoft.org> <44EB28A1.2070902@trayerproducts.com> Message-ID: <44EB297B.9020401@solid-state-logic.com> Green, Rodney wrote: > > > Daniel Maher wrote: >> >> Hello all, >> >> I set up a new MailScanner server today, basically as a clone of an >> already existing one in the pool. I have SpamAssassin?s ?autolearn? >> feature enabled on the existing mail servers; however, even though I >> have the same environment and configuration file on the new incoming >> server, autolearn does not appear to be activated. It?s either that, >> or bayes just isn?t activating properly, and autolearn is deactivating >> on it?s own.. I?m just not sure. >> >> Relevant config snippet: >> >> ### >> >> use_bayes 1 >> >> bayes_path /var/spool/MailScanner/incoming/bayes/bayes >> >> bayes_auto_learn 1 >> >> bayes_auto_learn_threshold_nonspam -5.0 >> >> bayes_auto_learn_threshold_spam 12 >> >> ### >> >> On the servers which appear to have functioning Bayes databases, the >> ?autolearn=*? string appears in the Score line as one would expect. On >> the new server, the autolearn string simply does not appear, and the >> ?bayes_*? files do not grow in size. Oddly enough, running a lint >> check on the new server shows no obvious problems: >> >> [18747] dbg: bayes: tie-ing to DB file R/O >> /var/spool/MailScanner/incoming/bayes/bayes_toks [18747] dbg: bayes: >> tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_seen >> >> [18747] dbg: bayes: found bayes db version 3 >> >> [18747] dbg: bayes: DB journal sync: last sync: 0 >> >> [18747] dbg: bayes: not available for scanning, only 0 spam(s) in >> bayes DB < 200 >> >> [18747] dbg: bayes: untie-ing >> >> [18747] dbg: bayes: untie-ing db_toks [18747] dbg: bayes: untie-ing >> db_seen >> > Does autolearn function when the minimum for spam/ham is not meet? > In a word no.. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From daniel.maher at ubisoft.com Tue Aug 22 17:03:21 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Tue Aug 22 17:03:29 2006 Subject: SA bayes not working / autolearn inactive? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D135@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Green, Rodney > Sent: August 22, 2006 11:54 AM > To: MailScanner discussion > Subject: Re: SA bayes not working / autolearn inactive? > > > Does autolearn function when the minimum for spam/ham is not meet? > On the existing mail servers, autolearn doesn't occur when the thresholds are not met. This is normal. On the new mail server, as I mentioned previously, autolearn /never/ occurs, regardless of whether the thresholds are met or not. -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From rgreen at trayerproducts.com Tue Aug 22 17:34:27 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Tue Aug 22 17:35:25 2006 Subject: SA bayes not working / autolearn inactive? 
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D135@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D135@UBIMAIL1.ubisoft.org> Message-ID: <44EB3213.6070202@trayerproducts.com> Daniel Maher wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Green, Rodney >> Sent: August 22, 2006 11:54 AM >> To: MailScanner discussion >> Subject: Re: SA bayes not working / autolearn inactive? >> >> >> Does autolearn function when the minimum for spam/ham is not meet? >> >> > > On the existing mail servers, autolearn doesn't occur when the thresholds are not met. This is normal. On the new mail server, as I mentioned previously, autolearn /never/ occurs, regardless of whether the thresholds are met or not. I didn't see anything in your original posting saying that you populated the bayes db to try it. Also, the lint output you posted says that it does not meet the threshold requirement. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Tue Aug 22 18:06:20 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 22 18:07:13 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44EA534C.7000605@nkpanama.com> References: <44E9AC41.1010005@ecs.soton.ac.uk> <44EA534C.7000605@nkpanama.com> Message-ID: Alex Neuman van der Hans spake the following on 8/21/2006 5:43 PM: > My two cents: > > I've noticed that the effectiveness of a system using MailScanner *will* > degrade as spammer tactics change, unless you properly feed and care for > it. This is true however, for any system. > > There are markets for every kind of gadget available, and that's a fact > of life. If they are willing to spend money on an "appliance" (only a > different box with some different software, but in the end > *everything's* an appliance), they will go ahead and do it. 
> > I *have* noticed, however, that there are *some* people out there in the > IT field that lack the resourcefulness that is sometimes required when > you're dealing with technology. These people will go out of their way to > buy "appliances" not because it saves them money or resources (that > *will* be their stated "reason", but you and I know it's their covert > *excuse*), but because they can blame someone else when it breaks, > instead of fixing it. > > Spam will leak through eventually in any system. You have to train your > users so that they don't engage in spam-attracting activities (giving > out their e-mail address, writing it on a webpage or a forum, using > those crappy "remind me of my birthday" address harvesters, etc.), you > have to train your system (using bayes or whatever), you have to keep > upgrading your protection (including more clever ways to detect spam), > and in general, be proactive. > > That said, MailScanner is like the stone in the "stone soup" tale. It > uses third party AV scanners, third party content scanners (spamassassin > et. al), third party MTA's (with their own milters or whatever), and > basically scans for bad content if any of the other pieces missed > something. It's probably the best example of a program being "much more > than the sum of its parts". > > Without knowing the specifics of the situation these few people are in, > I'm reminded of many of my relatives who, after a year or two using > their brand new car, realize they have to do things like realign their > tires, change their oil, check their batteries, etc. - "I thought it > just ran on unleaded!!". You know the type. We used to call them > "flashing 12s" in the 80s. :-) I haven't heard "flashing 12's" since the 80's! Thanks for the memories!! I'll have to add that back into the "one liner's". ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From taz at taz-mania.com Tue Aug 22 19:37:47 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Tue Aug 22 19:38:01 2006
Subject: Access .rules files via HTTP ?
In-Reply-To: <44EACB90.8080802@ecs.soton.ac.uk>
References: <2C7100720056A2408E0DC6795A5CDF0A01693CA7@COBS-EXCH-01.texaco.ovonic> <44EACB90.8080802@ecs.soton.ac.uk>
Message-ID: <44EB4EFB.8040209@taz-mania.com>

What I do is: I have a master configuration server where all it does is hold the configuration files for a number of distributed services, but actually runs nothing itself. I edit any config files there and then I have a series of scripts I run when I complete the edit. I use rsync to push the changes out to all the servers. In the case of MailScanner, I have it configured to stop and restart itself once an hour so any changes take effect within an hour. I also don't have to edit multiple files on multiple servers.

One drawback is at upgrade time. If the conf files have been upgraded then you have to be very sure you upgrade all servers and the admin master all at once (or at least prior to executing a change from the master).

I thought about making the MailScanner directory on each server an NFS mount to the master, which would allow me to edit the configs and rules "on the fly", but if the tunnels I have connecting the datacenters go down or the master for some reason goes down, all the actual working machines will stop and will not be able to start back up until the tunnel/connection is restored. The way I have it now, if the tunnel drops I cannot do updates, but the servers all continue to run, and even if they failed while the connection was down they can start up by themselves.

I'm going to make some changes where all the rules are stored in a database (MySQL) and a script runs that builds the actual config and rule files then rsyncs them in place. I will do a JSP front end to edit the rules that are in the database so I can edit them from anywhere on the WEB.
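
[Added example, not part of the thread and not MailScanner's own code: the wget-and-reload cron job suggested in this thread, with a digest check and a ruleset sanity check before the live whitelist is replaced, so a truncated or altered download cannot whitelist all mail. The URL, the paths, the digest manifest and the simplified three-field rule grammar are assumptions.]

```shell
#!/bin/sh
# Added example: verify a centrally published spam whitelist before installing it.
RULES_URL="https://config.example.internal/spam.whitelist.rules"  # placeholder URL
RULES_DEST="/etc/MailScanner/rules/spam.whitelist.rules"          # assumed path

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file is non-empty and matches the expected digest.
# The digest must come from a manifest authenticated separately from the
# download itself (assumption: e.g. a signed manifest).
verify_digest() {
    [ -s "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# Sanity-check a whitelist ruleset (simplified grammar, an assumption):
#   - every rule is "<direction> <pattern> <yes|no>"
#   - a catch-all pattern may never answer "yes" (that whitelists all mail)
#   - a closing "default no" rule must be present
validate_whitelist() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            act = tolower($3)
            if (NF != 3) { bad = 1; exit }
            if ($1 !~ /^(From|To|FromOrTo|FromAndTo):$/) { bad = 1; exit }
            if (act != "yes" && act != "no") { bad = 1; exit }
            catchall = ($2 == "default" || $2 == "*" || $2 == "*@*")
            if (catchall && act == "yes") { bad = 1; exit }
            if ($2 == "default" && act == "no") has_default = 1
        }
        END { if (bad || !has_default) exit 1 }
    ' "$1"
}

# Replace the live file only after both checks pass. The copy is staged in
# the destination directory so the final mv is atomic and the scanner never
# reads a half-written ruleset. Returns 2 (digest), 3 (content), 4 (I/O).
install_rules() {
    staged=$1; dest=$2; digest=$3
    verify_digest "$staged" "$digest" || { echo "digest mismatch: $staged" >&2; return 2; }
    validate_whitelist "$staged" || { echo "ruleset rejected: $staged" >&2; return 3; }
    tmp=$(mktemp "$(dirname "$dest")/.rules.XXXXXX") || return 4
    cp "$staged" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 4; }
}

# What the cron job would call (needs network and root, so not run here).
# $1 is the digest taken from the authenticated manifest.
sync_whitelist() {
    fetched=$(mktemp) || return 1
    wget -q -O "$fetched" "$RULES_URL" || { rm -f "$fetched"; return 1; }
    install_rules "$fetched" "$RULES_DEST" "$1" && service MailScanner reload
    rc=$?; rm -f "$fetched"; return $rc
}

# Constructed sample ruleset for trying the checks offline.
write_sample_whitelist() {
    cat > "$1" <<'EOF'
# constructed sample whitelist
From:      192.0.2.10      yes
From:      *@example.org   yes
FromOrTo:  default         no
EOF
}
```
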
Julian Field wrote: > You could easily write a very short script to wget the configuration > files, then do a "service MailScanner reload". Set this up as a "cron" > job and it will get done regularly for you. > > Mike Wilson wrote: >> >> Hello everyone, >> >> I?m new to the list, but have been using MailScanner for over a year, >> anyway, here is my question. >> >> Is there a way to specify that the .conf files can be read over http? >> >> We edit the spam whitelist 2-3 times a day on 2 different MailScanner >> servers. >> >> Is there a way to configure MailScanner to read this file for a >> centralized web server instead of from the local file? >> >> Mike Wilson >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by *MailScanner* , >> and is >> believed to be clean. > From mkettler at evi-inc.com Tue Aug 22 19:38:38 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Aug 22 19:38:47 2006 Subject: auto whitelisting In-Reply-To: <44EABB69.4090001@solid-state-logic.com> References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> <44EABB69.4090001@solid-state-logic.com> Message-ID: <44EB4F2E.4020201@evi-inc.com> Martin Hepworth wrote: > > I'd agree with Matt. I always recommend you turn the thing off as it > tends to let spam through when you don't want it to.. Well, that's true.. but it can also cause spam to be tagged when it would otherwise be missed. Remember.. the AWL is NOT a whitelist.. From hmkash at arl.army.mil Tue Aug 22 20:57:13 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Tue Aug 22 20:57:17 2006 Subject: Max SpamAssassin Size problems Message-ID: <229A346E44379140A59A48951B56E0C00260CC02@ARLABML01.DS.ARL.ARMY.MIL> With the new OCR/Image verification plugins now available for SpamAssassin, MailScanner truncating messages due to "Max SpamAssassin Size" in the middle of an attached image is causing higher than normal scores due to these images appearing to be corrupt. 
How hard would it be to truncate to the closest MIME boundary (either before or after this value) instead of in the middle of it? You could increase the value of "Max SpamAssassin Size", but unless it's the same as the max allowed message size you're still going to potentially truncate MIME attachments. There may also be other SA tests that get triggered due to truncated MIME attachments. Thanks, Howard From dward at nccumc.org Tue Aug 22 21:37:42 2006 From: dward at nccumc.org (Douglas Ward) Date: Tue Aug 22 21:37:44 2006 Subject: Filesys::Df module error after upgrade In-Reply-To: <223f97700608211314q30f674a4pb3738c4884b80e2b@mail.gmail.com> References: <44E8AC14.9040906@ecs.soton.ac.uk> <223f97700608211314q30f674a4pb3738c4884b80e2b@mail.gmail.com> Message-ID: Thank you!! I was indeed missing the perl-devel package. After I installed it the Filesys::Df module installed properly. Thank you for your help! On 8/21/06, Glenn Steen wrote: > > On 21/08/06, Douglas Ward wrote: > > Julian, > > > > Perl command fails with the following error: > > > > > > Writing Makefile for Filesys::Df > > CPAN: YAML loaded ok > > cp Df.pm blib/lib/Filesys/Df.pm > > /usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp > > -prototypes -typemap /usr/lib/perl5/5.8.7/ExtUtils/typemap > > -typemap typemap Df.xs > Df.xsc && mv Df.xsc Df.c > > make: *** No rule to make target > > `/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by > > `Df.o'. Stop. > > /usr/bin/make install Df.pm -- NOT OK > > Running make test > > Can't test without successful make > > Running make install > > make had returned bad status, install seems impossible > > Failed during this command: > > IGUTHRIE/Filesys-Df-0.92.tar.gz : make NO > > > > > Hi Douglas, > > I just tried installing it from cpan, without any problems. I did the > install for perl 5.8.7 on a Mandriva 2006.0 (Official). 
> The error you get kind of suggest that you've forgotten to install the
> perl-devel package, which contains the header file EXTERN.h ... Try
> doing an "urpmi perl-devel" (as root) and then rerun the cpan install.
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060822/94b68dd9/attachment.html

From james at grayonline.id.au Tue Aug 22 21:57:51 2006
From: james at grayonline.id.au (James Gray)
Date: Tue Aug 22 21:58:30 2006
Subject: Rule set - is this valid?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I was wondering if the following is valid in a rule set:

/etc/MailScanner/rules/script.tag.rules:
From: allowed-script-senders.txt and To: allowed-script-recips.txt yes
FromOrTo: default disarm

Then the two allowed...txt files simply contain a list of e-mail addresses, domains, and matches (one per line) that should be read and inserted. I vaguely remember this being discussed ages ago, but couldn't find any references or examples via google...it is early though, and I haven't had my morning cup of Joe.

BTW, do rule files still need to be tab-separated? Or is that only the filename/filetype rules?
Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFE62/TwBHpdJO7b9ERAnfeAKDYRlkCv6jXHb0bXlIS8XC5lGH8OQCgu+OO g0PRsL+KNxa/oFemncAZeQ4= =n6dO -----END PGP SIGNATURE----- From mailscanner at mango.zw Tue Aug 22 23:54:42 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Aug 22 23:54:03 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: Message-ID: Hi Julian I installed the above beta version this evening on Red Hat 7.1 earlier this evening, just after installing sendmail 8.13.8. See details of configuration below (you may notice that it is using Sys::Syslog version 0.01 - the current version does not compile on RH 7.1). The installation went fine, but I experienced the following error when trying to start MailScanner: Can't locate Sys/Hostname/Long.pm in @INC . . . That was solved by installing Sys::Hostname::Long using cpan and it worked fine after that. You have very kindly included a new facility for providing separate reports for messages and attachments which have been blocked or quarantined due to user specified size restrictions. I have done some testing on both oversize messages and attachments, and am pleased to report that it works exactly as intended for attachments, giving a report such as: MailScanner: Attachment is too large: 154303 bytes However in the case of oversize messages, the report is just: MailScanner: Message is too large with no indication of the size of the message that has been quarantined. Would it be possible to include the size in that case as well? That would be very helpful for people who don't want to unquarantine a message that is far too large for them to handle. I was not able to test the sender.size.report.txt as the production site is not bouncing any MailScanner reports back to sender. To be honest, I am not quite sure how to enable these for test purposes. 
I presume it is just a matter of changing no to yes in:

    # Do you want to notify the people who sent you messages containing
    # viruses or badly-named filenames?
    # This can also be the filename of a ruleset.
    Notify Senders = no

and

    # *If* "Notify Senders" is set to yes, do you want to notify people
    # who sent you messages containing other blocked content, such as
    # partial messages or messages with external bodies?
    # This can also be the filename of a ruleset.
    Notify Senders Of Other Blocked Content = no

The other test not done is to see how the deleted.size.message.txt report
works. We are not deleting any messages or attachments at the moment -
everything gets quarantined. However to test this, is the only option to
change yes to no in:

    # Do you want to store copies of the infected attachments and messages?
    # This can also be the filename of a ruleset.
    Quarantine Infections = yes

That would mean that everything that was suspect would be deleted. I
presume that there is no means of being more selective to delete only
messages with blocked content, for example?

With clarification on the above I will set up MailScanner on a test server
to confirm that these also work as intended.

Thanks again for your assistance.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

Running on
Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686 unknown
This is Red Hat Linux release 7.1 (Seawolf)
This is Perl version 5.006001 (5.6.1)

This is MailScanner version 4.56.1
Module versions are:
1.14 Archive::Zip
1.119 Convert::BinHex
1.03 Fcntl
2.6 File::Basename
2.03 File::Copy
2.00 FileHandle
1.0404 File::Path
0.16 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.20 IO
1.08 IO::File
1.121 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.10 Net::CIDR
1.03 POSIX
1.72 Socket
1.4 Sys::Hostname::Long
0.01 Sys::Syslog
1.86 Time::HiRes
1.01 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.75 DB_File
1.12 DBD::SQLite
1.50 DBI
1.10 Digest
missing Digest::HMAC
2.36 Digest::MD5
missing Digest::SHA1
missing Inline
missing Mail::ClamAV
missing Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
missing Net::IP
missing Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
2.46 Test::Harness
0.62 Test::Simple
missing Text::Balanced
1.35 URI

From lshaw at emitinc.com Wed Aug 23 00:18:21 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Aug 23 00:18:45 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <229A346E44379140A59A48951B56E0C00260CC02@ARLABML01.DS.ARL.ARMY.MIL>
References: <229A346E44379140A59A48951B56E0C00260CC02@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID:

On Tue, 22 Aug 2006, Kash, Howard (Civ, ARL/CISD) wrote:
> With the new OCR/Image verification plugins now available for
> SpamAssassin, MailScanner truncating messages due to "Max SpamAssassin
> Size" in the middle of an attached image is causing higher than normal
> scores due to these images appearing to be corrupt.
> How hard would it
> be to truncate to the closest MIME boundary (either before or after this
> value) instead of in the middle of it? You could increase the value of
> "Max SpamAssassin Size", but unless it's the same as the max allowed
> message size you're still going to potentially truncate MIME
> attachments.

That's a very good point, and in fact it could explain some
false rule firings (of FUZZY_OCR_CORRUPT_IMG) that I've seen,
although it's hard to know for sure.

If the closest MIME boundary thing turns out to be prohibitively
difficult, another idea is to just have a flag for tests that
indicates whether the test should be run if the message was
truncated. Of course, that might require changes to both
SpamAssassin and Mailscanner, so maybe not that easy...

- Logan

From alex at nkpanama.com Wed Aug 23 02:44:43 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 23 02:44:55 2006
Subject: Rule set - is this valid?
In-Reply-To:
References:
Message-ID: <44EBB30B.6020607@nkpanama.com>

James Gray wrote:
> I was wondering if the following is valid in a rule set:
>
> /etc/MailScanner/rules/script.tag.rules:
> From: allowed-script-senders.txt and To: allowed-script-recips.txt yes
> FromOrTo: default disarm
>
> Then the two allowed...txt files simply contain a list of e-mail
> addresses, domains, and matches (one per line) that should be read and
> inserted. I vaguely remember this being discussed ages ago, but
> couldn't find any references or examples via google...it is early
> though, and I haven't had my morning cup of Joe.

No, you'd have to follow:

From: alice@domain.com and To:alice@domain.com yes
From: alice@domain.com and To:bob@domain.com yes
From: bob@domain.com and To:alice@domain.com yes
From: bob@domain.com and To:bob@domain.com yes

And so on...

I don't think there's a provision in place to distinguish files from
values, except for things ending in ".rules" - and that's only for the
consequences of the ruleset, not for the *basis* for the ruleset.

That means (if logic doesn't fail me) that:

From: alice@domain.com %rules-dir%/alice.rules

Would be valid, but...

From: %rules-dir%/listofpeople.rules disarm

... wouldn't.

From MailScanner at ecs.soton.ac.uk Wed Aug 23 08:22:12 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 08:22:37 2006
Subject: Rule set - is this valid?
In-Reply-To:
References:
Message-ID: <44EC0224.9000207@ecs.soton.ac.uk>

James Gray wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> I was wondering if the following is valid in a rule set:
>
> /etc/MailScanner/rules/script.tag.rules:
> From: allowed-script-senders.txt and To: allowed-script-recips.txt yes
> FromOrTo: default disarm
The only thing you forgot is that you need to put the full path to the
allowed-script-senders.txt file. Also I have thought to try using 2
pattern-list files in the same rule, I'm not entirely sure what it will do.

Is there a way you just use 1 pattern-list file in the rule?

But otherwise you've got the syntax right, yes.
>
> Then the two allowed...txt files simply contain a list of e-mail
> addresses, domains, and matches (one per line) that should be read and
> inserted. I vaguely remember this being discussed ages ago, but
> couldn't find any references or examples via google...it is early
> though, and I haven't had my morning cup of Joe.
>
> BTW, do rule files still need to be tab-separated? Or is that only
> the filename/filetype rules?
Only filename.rules.conf and filetype.rules.conf files need to be
tab-separated.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Aug 23 08:25:23 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 08:25:44 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To:
References:
Message-ID: <44EC02E3.5010108@ecs.soton.ac.uk>

Jim Holland wrote:
> Hi Julian
>
> I installed the above beta version this evening on Red Hat 7.1 earlier
> this evening, just after installing sendmail 8.13.8. See details of
> configuration below (you may notice that it is using Sys::Syslog version
> 0.01 - the current version does not compile on RH 7.1).
>
> The installation went fine, but I experienced the following error when
> trying to start MailScanner:
>
> Can't locate Sys/Hostname/Long.pm in @INC . . .
>
> That was solved by installing Sys::Hostname::Long using cpan and it worked
> fine after that.
>
I'll take a look. What happened when the install.sh tried to install it?
> You have very kindly included a new facility for providing separate
> reports for messages and attachments which have been blocked or
> quarantined due to user specified size restrictions. I have done some
> testing on both oversize messages and attachments, and am pleased to
> report that it works exactly as intended for attachments, giving a report
> such as:
>
> MailScanner: Attachment is too large: 154303 bytes
>
> However in the case of oversize messages, the report is just:
>
> MailScanner: Message is too large
>
> with no indication of the size of the message that has been quarantined.
> Would it be possible to include the size in that case as well?
> That would
> be very helpful for people who don't want to unquarantine a message that
> is far too large for them to handle.
>
I'll take a look and see. I can only think that there was some good
reason why I couldn't do it.
> I was not able to test the sender.size.report.txt as the production site
> is not bouncing any MailScanner reports back to sender. To be honest, I am
> not quite sure how to enable these for test purposes. I presume it is
> just a matter of changing no to yes in:
>
> # Do you want to notify the people who sent you messages containing
> # viruses or badly-named filenames?
> # This can also be the filename of a ruleset.
> Notify Senders = no
> and
> # *If* "Notify Senders" is set to yes, do you want to notify people
> # who sent you messages containing other blocked content, such as
> # partial messages or messages with external bodies?
> # This can also be the filename of a ruleset.
> Notify Senders Of Other Blocked Content = no
>
Correct.
> The other test not done is to see how the deleted.size.message.txt report
> works. We are not deleting any messages or attachments at the moment -
> everything gets quarantined. However to test this, is the only option to
> change yes to no in:
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
> That would mean that everything that was suspect would be deleted. I
> presume that there is no means of being more selective to delete only
> messages with blocked content, for example?
>
No you can't, sorry. It's rather "all or nothing".
> With clarification on the above I will set up MailScanner on a test server
> to confirm that these also work as intended.
>
That would be most helpful.
> Thanks again for your assistance.
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Aug 23 08:34:01 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 08:34:26 2006
Subject: Max SpamAssassin Size problems
In-Reply-To:
References: <229A346E44379140A59A48951B56E0C00260CC02@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <44EC04E9.6040803@ecs.soton.ac.uk>

Logan Shaw wrote:
> On Tue, 22 Aug 2006, Kash, Howard (Civ, ARL/CISD) wrote:
>> With the new OCR/Image verification plugins now available for
>> SpamAssassin, MailScanner truncating messages due to "Max SpamAssassin
>> Size" in the middle of an attached image is causing higher than normal
>> scores due to these images appearing to be corrupt. How hard would it
>> be to truncate to the closest MIME boundary (either before or after this
>> value) instead of in the middle of it? You could increase the value of
>> "Max SpamAssassin Size", but unless it's the same as the max allowed
>> message size you're still going to potentially truncate MIME
>> attachments.
>
> That's a very good point, and in fact it could explain some
> false rule firings (of FUZZY_OCR_CORRUPT_IMG) that I've seen,
> although it's hard to know for sure.
>
> If the closest MIME boundary thing turns out to be prohibitively
> difficult,
Instead of the closest following MIME boundary, how about the closest
following blank line (or line that only contains whitespace).
Would that be okay?

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Aug 23 08:41:43 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 08:42:11 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <44EC02E3.5010108@ecs.soton.ac.uk>
References: <44EC02E3.5010108@ecs.soton.ac.uk>
Message-ID: <44EC06B7.6090800@ecs.soton.ac.uk>

Julian Field wrote:
>
> Jim Holland wrote:
>
>> You have very kindly included a new facility for providing separate
>> reports for messages and attachments which have been blocked or
>> quarantined due to user specified size restrictions. I have done
>> some testing on both oversize messages and attachments, and am
>> pleased to report that it works exactly as intended for attachments,
>> giving a report such as:
>>
>> MailScanner: Attachment is too large: 154303 bytes
>>
>> However in the case of oversize messages, the report is just:
>>
>> MailScanner: Message is too large
>>
>> with no indication of the size of the message that has been
>> quarantined. Would it be possible to include the size in that case
>> as well? That would be very helpful for people who don't want to
>> unquarantine a message that is far too large for them to handle.
>>
> I'll take a look and see. I can only think that there was some good
> reason why I couldn't do it.
Edit /usr/lib/MailScanner/MailScanner/SweepContent.pm and around line
131 you need to change it to say

    MailScanner::Config::LanguageValue($message, 'toobig') . ": " . $message->{size} . " bytes\n";

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Wed Aug 23 09:02:55 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 09:02:59 2006
Subject: Filesys::Df module error after upgrade
In-Reply-To:
References: <44E8AC14.9040906@ecs.soton.ac.uk> <223f97700608211314q30f674a4pb3738c4884b80e2b@mail.gmail.com>
Message-ID: <223f97700608230102k1541183fx4d0acbb5cf0466c6@mail.gmail.com>

On 22/08/06, Douglas Ward wrote:
> Thank you!! I was indeed missing the perl-devel package. After I installed
> it the Filesys::Df module installed properly. Thank you for your help!
>
Glad to have been of help!

On a slightly philosophical note, Mandriva may have evolved away from
its roots but it is still fairly similar in the way it is "come
together" with any RedHat/Fedora thing. Major things like the
separation of any package into "run-time" and "devel" packages is
common to them all (as well as the kernel source being the most
blatant exception:-). So this type of error could have happened on any
distro with that type of "setup".

Why did it work for you before? Well, it probably didn't:-). But then
you had equivalent rpm packages installed for the crucial perl
modules, so all was well. The unfortunate side effect of installing
Jules nice (tarball source) packages or modules from CPAN is that
it'll more or less invalidate the rpm database (for those packages),
so best is always to only have a package installed by _one_ method.
Otherwise a regular "urpmi.update -a && urpmi --auto-select --auto"
(or similar (yum) method) might "backdate" that newly cpan-updated
module. Oh well.

To be fair to Jules excellent effort, his rpm packages will do the
right thing and build/install the modules as rpm packages, so those
are pretty safe.

Hm, that's enough philosophical mumblings for today:-D. Again, really
nice to hear I could help (it being such a dreary day... pouring
rain... Sigh).
>
> On 8/21/06, Glenn Steen wrote:
(snip)
> Hi Douglas,
>
> I just tried installing it from cpan, without any problems. I did the
> install for perl 5.8.7 on a Mandriva 2006.0 (Official).
> The error you get kind of suggest that you've forgotten to install the
> perl-devel package, which contains the header file EXTERN.h ... Try
> doing an "urpmi perl-devel" (as root) and then rerun the cpan install.
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From colin at mainline.co.uk Wed Aug 23 09:12:14 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 09:11:39 2006
Subject: File Attachment Rules
Message-ID:

I'm a newbie to MailScanner, so please be gentle ...

I want to create a ruleset for Allow Filenames but am not sure of the
syntax

If I edit MailScanner.conf then I use

Allow Filenames = /.pdf$ /.zip$ etc.

If however I change that to

Allow Filenames = %ruledir%/filenames.rules

then create a filenames.rules file do I just put

/.pdf$
/.zip$
/.ico$

in the rules file or do I have to put in other stuff?

Thanks

Colin

----------------------disclaimer ---------------------------------

1. This e-mail and any attachments are confidential & access by anyone
other than the addressee(s) is unauthorised.
2. The security of e-mail communication cannot be guaranteed and neither
Mainline IT nor Mainline Internet will accept claims arising as a result
of using this medium.
3. Any opinions expressed herein are the opinions of the author and are
not those of either Mainline IT or Mainline Internet.
4. Although all email is scanned for viruses, it is the responsibility of
the recipient to ensure they have adequate anti-virus defences.
------------------------------------------------------------------------

From MailScanner at ecs.soton.ac.uk Wed Aug 23 09:21:12 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 09:21:33 2006
Subject: File Attachment Rules
In-Reply-To:
References:
Message-ID: <44EC0FF8.3030301@ecs.soton.ac.uk>

Colin Jack wrote:
> I'm a newbie to MailScanner, so please be gentle ...
>
> I want to create a ruleset for Allow Filenames but am not sure of the
> syntax
>
> If I edit MailScanner.conf then I use
>
> Allow Filenames = /.pdf$ /.zip$ etc.
>
They should be \ and not /
> If however I change that to
>
> Allow Filenames = %ruledir%/filenames.rules
>
%rules-dir% not %ruledir%
> then create a filenames.rules file do I just put
>
> /.pdf$
> /.zip$
> /.ico$
>
> in the rules file or do I have to put in other stuff?
>
In the filename.rules file you need to put rules that would look like

From: user1@domain.com \.pdf$ \.zip$ \.ico$
To: *@domain2.com \.pdf$
FromOrTo: abuse@domain.com .

This would
1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
2) Allow *.pdf in mail to anyone at domain2.com
3) Allow everything ('.' matches any character and so will match every
   filename) in mail from or to abuse@domain.com.

> Thanks
>
> Colin

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From colin at mainline.co.uk Wed Aug 23 09:33:55 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 09:33:21 2006
Subject: File Attachment Rules
Message-ID:

Okay ... so if I wanted anybody to be able to attach particular filenames
then

FromOrTo: *.* /.pdf$ /.zip$

Colin

From james at grayonline.id.au Wed Aug 23 09:36:23 2006
From: james at grayonline.id.au (James Gray)
Date: Wed Aug 23 09:36:53 2006
Subject: Rule set - is this valid?
In-Reply-To: <44EC0224.9000207@ecs.soton.ac.uk>
References: <44EC0224.9000207@ecs.soton.ac.uk>
Message-ID:

On 23/08/2006, at 5:22 PM, Julian Field wrote:
> James Gray wrote:
>> Hi All,
>>
>> I was wondering if the following is valid in a rule set:
>>
>> /etc/MailScanner/rules/script.tag.rules:
>> From: allowed-script-senders.txt and To: allowed-script-recips.txt yes
>> FromOrTo: default disarm
> The only thing you forgot is that you need to put the full path to the
> allowed-script-senders.txt file. Also I have thought to try using 2
> pattern-list files in the same rule, I'm not entirely sure what it
> will do.
>
> Is there a way you just use 1 pattern-list file in the rule?

Indeed. The From list is in reality only one domain, so that's easy.
The recipients though is a file generated by a VB script on our
Exchange server that spits out all the e-mail addresses for the IT
Operations staff. I have only a vague clue as to how the VB script
works as someone else wrote it - I only need to see if it's output
file changed and then pump it over to the MailScanner boxes and SIGHUP
the MS kiddies.

The example above was more a "is it valid to abstract out *either* the
From or To" question, not necessarily *BOTH*.
Although, now that you have my curiosity, I might just see what happens when I do both :P Thanks Julian, James From veliogluh at itu.edu.tr Wed Aug 23 09:38:23 2006 From: veliogluh at itu.edu.tr (Hakan VELIOGLU) Date: Wed Aug 23 09:38:33 2006 Subject: A question about mqueue.in directory Message-ID: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr> Hi, I am new with sendmail and mailscanner, and I got a question about mqueue.in directory. Our mailgateway server is up for two weeks and it has 566 old files in /var/spool/mqueue.in/ directory. Is it normal? and why this happens? ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From colin at mainline.co.uk Wed Aug 23 09:41:01 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 09:40:41 2006 Subject: File Attachment Rules Message-ID: Sorry Julian - I meant FromOrTo: *@* \.zip$ etc. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 23 August 2006 09:21 > To: MailScanner discussion > Subject: Re: File Attachment Rules > > > > Colin Jack wrote: > > I'm a newbie to MailScanner, so please be gentle ... > > > > I want to create a ruleset for Allow Filenames but am not > sure of the > > syntax > > > > If I edit MailScanner.conf then I use > > > > Allow Filenames = /.pdf$ /.zip$ etc. > > > They should \ and not / > > If however I change that to > > > > Allow Filenames = %ruledir%/filenames.rules > > > %rules-dir% not %ruledir% > > then create a filenames.rules file do I just put > > > > /.pdf$ > > /.zip$ > > /.ico$ > > > > > > in the rules file or do I have to put in other stuff? > > > In the filename.rules file you need to put rules that would like > > From: user1@domain.com \.pdf$ \.zip$ \.ico$ > To: *@domain2.com \.pdf$ > FromOrTo: abuse@domain.com . 
> > This would > 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com > 2) Allow *.pdf in mail to anyone at domain2.com > 3) Allow everything ('.' matches any character and so will match every > filename) in mail from or to abuse@domain.com. > > > > Thanks > > > > Colin > > > > > > ----------------------disclaimer --------------------------------- > > > > 1. This e-mail and any attachments are confidential & > access by anyone > > other than the addressee(s) is unauthorised. > > 2. The security of e-mail communication cannot be > guaranteed and neither > > Mainline IT nor Mainline Internet will accept claims > arising as a result > > of using this medium. > > 3. Any opinions expressed herein are the opinions of the > author and are > > not those of either Mainline IT or Mainline Internet. > > 4. Although all email is scanned for viruses, it is the > responsibility of > > the recipient to ensure they have adequate anti-virus defences. > > > > > -------------------------------------------------------------- > ---------- > > > > > > > > -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. 
The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. ------------------------------------------------------------------------ From MailScanner at ecs.soton.ac.uk Wed Aug 23 10:35:13 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 10:35:37 2006 Subject: File Attachment Rules In-Reply-To: References: Message-ID: <44EC2151.3010508@ecs.soton.ac.uk> A synonym for "*@*" is the word "default". Colin Jack wrote: > Sorry Julian - I meant > > FromOrTo: *@* \.zip$ > > etc. > > > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: 23 August 2006 09:21 >> To: MailScanner discussion >> Subject: Re: File Attachment Rules >> >> >> >> Colin Jack wrote: >> >>> I'm a newbie to MailScanner, so please be gentle ... >>> >>> I want to create a ruleset for Allow Filenames but am not >>> >> sure of the >> >>> syntax >>> >>> If I edit MailScanner.conf then I use >>> >>> Allow Filenames = /.pdf$ /.zip$ etc. >>> >>> >> They should \ and not / >> >>> If however I change that to >>> >>> Allow Filenames = %ruledir%/filenames.rules >>> >>> >> %rules-dir% not %ruledir% >> >>> then create a filenames.rules file do I just put >>> >>> /.pdf$ >>> /.zip$ >>> /.ico$ >>> >>> >>> in the rules file or do I have to put in other stuff? >>> >>> >> In the filename.rules file you need to put rules that would like >> >> From: user1@domain.com \.pdf$ \.zip$ \.ico$ >> To: *@domain2.com \.pdf$ >> FromOrTo: abuse@domain.com . 
>>
>> This would
>> 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
>> 2) Allow *.pdf in mail to anyone at domain2.com
>> 3) Allow everything ('.' matches any character and so will match every
>> filename) in mail from or to abuse@domain.com.
>>
>>> Thanks
>>>
>>> Colin

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From matt at coders.co.uk Wed Aug 23 10:40:25 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Aug 23 10:40:01 2006
Subject: A question about mqueue.in directory
In-Reply-To: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr>
References: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr>
Message-ID: <44EC2289.6030900@coders.co.uk>

Hakan VELIOGLU wrote:
> Hi,
>
> I am new with sendmail and mailscanner, and I got a question about mqueue.in
> directory. Our mailgateway server is up for two weeks and it has 566 old files
> in /var/spool/mqueue.in/ directory.
>
> Is it normal? and why this happens?

Yes. Unless you are getting qf files as well as the df files.

The df files are generated first and if there is a milter error or the
remote server disconnects the files are left in the directory.

If you have qf files then you need to do more investigation as
MailScanner should be processing them and deleting them.
matt

From colin at mainline.co.uk Wed Aug 23 11:03:43 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 11:03:10 2006
Subject: File Attachment Rules
Message-ID:

Thanks Julian - now I need to work out what other cool things I can do
with rulesets ;)

Regards

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: 23 August 2006 10:35
> To: MailScanner discussion
> Subject: Re: File Attachment Rules
>
> A synonym for "*@*" is the word "default".
>
> Colin Jack wrote:
> > Sorry Julian - I meant
> >
> > FromOrTo: *@* \.zip$
> >
> > etc.
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >> Julian Field
> >> Sent: 23 August 2006 09:21
> >> To: MailScanner discussion
> >> Subject: Re: File Attachment Rules
> >>
> >> Colin Jack wrote:
> >>> I'm a newbie to MailScanner, so please be gentle ...
> >>>
> >>> I want to create a ruleset for Allow Filenames but am not sure of the
> >>> syntax
> >>>
> >>> If I edit MailScanner.conf then I use
> >>>
> >>> Allow Filenames = /.pdf$ /.zip$ etc.
> >>>
> >> They should be \ and not /
> >>
> >>> If however I change that to
> >>>
> >>> Allow Filenames = %ruledir%/filenames.rules
> >>>
> >> %rules-dir% not %ruledir%
> >>
> >>> then create a filenames.rules file do I just put
> >>>
> >>> /.pdf$
> >>> /.zip$
> >>> /.ico$
> >>>
> >>> in the rules file or do I have to put in other stuff?
> >>>
> >> In the filename.rules file you need to put rules that would look like
> >>
> >> From: user1@domain.com \.pdf$ \.zip$ \.ico$
> >> To: *@domain2.com \.pdf$
> >> FromOrTo: abuse@domain.com .
> >>
> >> This would
> >> 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
> >> 2) Allow *.pdf in mail to anyone at domain2.com
> >> 3) Allow everything ('.' matches any character and so will match
> >> every filename) in mail from or to abuse@domain.com.
> >>
> >>> Thanks
> >>>
> >>> Colin
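
The ruleset lookup described in the quoted reply, as an added example that is not part of the thread and not MailScanner's own code: a simplified Python model that assumes the first matching rule wins and that addresses match as shell-style globs. The function names, the probe filenames and the final "default" rule are constructed for illustration; the probe shows why the backslash matters, since ".pdf$" and "." admit names the rule's author may not have intended.

```python
import fnmatch
import re

# Constructed rules file in the syntax shown in the thread; the last line is an
# added catch-all using the "default" synonym for *@*.
RULES_TEXT = r"""
From:     user1@domain.com  \.pdf$ \.zip$ \.ico$
To:       *@domain2.com     \.pdf$
FromOrTo: abuse@domain.com  .
FromOrTo: default           \.txt$
"""

DIRECTIONS = {"from:", "to:", "fromorto:"}


def parse_rules(text):
    """Return [(direction, address_glob, [compiled filename regexes])]."""
    rules = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() not in DIRECTIONS or len(fields) < 3:
            raise ValueError(f"line {number}: expected 'From:|To:|FromOrTo: address pattern...'")
        direction, address, patterns = fields[0].lower(), fields[1].lower(), fields[2:]
        if address == "default":          # synonym for *@*, as stated in the thread
            address = "*@*"
        rules.append((direction, address, [re.compile(p) for p in patterns]))
    return rules


def allow_patterns(rules, sender, recipient):
    """Patterns of the first rule matching this message (assumption: first match wins)."""
    sender, recipient = sender.lower(), recipient.lower()
    for direction, glob, patterns in rules:
        from_hit = fnmatch.fnmatchcase(sender, glob)
        to_hit = fnmatch.fnmatchcase(recipient, glob)
        if {"from:": from_hit, "to:": to_hit, "fromorto:": from_hit or to_hit}[direction]:
            return patterns
    return []


def allowed(rules, sender, recipient, filename):
    """True if the allow list selected for this message matches the attachment name.

    A miss only means this allow list did not match the name.
    """
    return any(p.search(filename) for p in allow_patterns(rules, sender, recipient))


# Constructed filenames for reviewing how wide a single pattern really is.
PROBES = ["report.pdf", "reportpdf", "archive.zip", "setup.exe"]


def probe(pattern):
    """Return the probe filenames a pattern lets through."""
    rx = re.compile(pattern)
    return [name for name in PROBES if rx.search(name)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print(allowed(rules, "alice@example.org", "bob@domain2.com", "cv.zip"))
    for pattern in (r"\.pdf$", ".pdf$", "/.pdf$", "."):
        print(f"{pattern!r:10} lets through {probe(pattern)}")
```
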
From colin at mainline.co.uk Wed Aug 23 11:11:07 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 11:10:32 2006
Subject: Odd time/date stamp in maillog
Message-ID:

I am running MailScanner on CentOS 4.3 and find that the dates for the
MailScanner entries in maillog are -5 hours against system time ...
anybody any idea why?

--- tail -f maillog snip ---

Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=88.96.118.166, lip=192.168.2.4
Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: from=, size=22216, class=0, nrcpts=1, msgid=<000b01c6c69b$df6ab260$36fd3550@bartek>, proto=ESMTP, daemon=MTA, relay=dr54.internetdsl.tpnet.pl [80.53.253.54]
Aug 23 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
Aug 23 11:07:10 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=87.127.16.161, lip=192.168.2.4
Aug 23 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientKeyFile missing

--- end snip ---

The server has the correct settings:

[root@server1 rules]# date
Wed Aug 23 11:09:42 BST 2006

Regards

Colin

From glenn.steen at gmail.com Wed Aug 23 11:16:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 11:16:25 2006
Subject: Config is double checking blacklists
In-Reply-To: <000701c6c5e2$aca01190$1465a8c0@support01>
References: <000701c6c5e2$aca01190$1465a8c0@support01>
Message-ID: <223f97700608230316s6b2475a0seec1d5b731910480@mail.gmail.com>

On 22/08/06, Nigel Kendrick wrote:
> Hi Folks,
>
> I noticed we were suddenly getting a lot of our own outbound mail marked as
> spam. The root cause was we'd ended up in CBL due to a mis-configured server
> name, but in sorting this out, I noticed the following info at Spamhaus..
>
> ===
>
> Exploits Block List
>
> The Spamhaus Exploits Block List (XBL) is a realtime database of IP
> addresses of illegal 3rd party exploits, including open proxies (HTTP,
> socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and
> other types of trojan-horse exploits.
>
> Incorporates CBL data and NJABL proxy data
>
> The XBL wholly incorporates data from two highly-trusted DNSBL sources, with
> tweaks by Spamhaus to maximise the data efficiency and lower False
> Positives. The main components are:
> - the CBL (Composite Block List) from cbl.abuseat.org
> - the NJABL Open Proxy IPs list from www.njabl.org.
>
> Mail servers already using cbl.abuseat.org should NOT also use
> xbl.spamhaus.org or you will be making 'double' queries to basically the
> same data source and only one DNSBL will appear to work (the other(s) will
> appear to not catch anything). Mail servers already using dnsbl.njabl.org
> are advised to continue doing so, as dnsbl.njabl.org is itself a composite
> list and contains more than the open proxy IPs list part now incorporated in
> XBL.
>
> ===
>
> The only reason I point this out is that my installation of MailScanner et
> al. was originally done using Johnny Hughes' excellent howto and by default,
> the spam checking rules used list both SBL+XBL and CBL, which according to
> the above means we are effectively double-checking and any 'hit' will count
> as 2 towards 'spam lists to be spam'.
>
> If my assumption is correct, will I be OK to remove SBL+XBL and replace it
> with spamhaus.org in order to not check both XBL and CBL?
>
> Thanks
>
Wouldn't the natural thing to do be to remove CBL and keep SBL-XBL?
Also, search the mailing list archives, there has been a fair amount
of discussion of where to do rbl checking (MTA, MS or SA) with some
fairly informed opinions:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From veliogluh at itu.edu.tr Wed Aug 23 11:17:14 2006
From: veliogluh at itu.edu.tr (Hakan VELIOGLU)
Date: Wed Aug 23 11:17:48 2006
Subject: A question about mqueue.in directory
In-Reply-To: <44EC2289.6030900@coders.co.uk>
References: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr> <44EC2289.6030900@coders.co.uk>
Message-ID: <20060823131714.ai6eejsqu0qsggso@webmail.itu.edu.tr>

Thanks for the answer.

I searched for df and qf files and there is one df file and all the other 565
files are qf.

Does this mean that there is a problem or configuration error?
----- Message from matt@coders.co.uk ---------
Date: Wed, 23 Aug 2006 10:40:25 +0100
From: Matt Hampton
Reply-To: MailScanner discussion
Subject: Re: A question about mqueue.in directory
To: MailScanner discussion

> Hakan VELIOGLU wrote:
>> Hi,
>>
>> I am new with sendmail and mailscanner, and I got a question about mqueue.in
>> directory. Our mailgateway server is up for two weeks and it has 566
>> old files
>> in /var/spool/mqueue.in/ directory.
>>
>> Is it normal? and why this happens?
>
> Yes. Unless you are getting qf files as well as the df files.
>
> The df files are generated first and if there is a milter error or the
> remote server disconnects the files are left in the directory.
>
> If you have qf files then you need to do more investigation as
> MailScanner should be processing them and deleting them.
>
> matt

----- End message from matt@coders.co.uk -----

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From martinh at solid-state-logic.com Wed Aug 23 11:26:34 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Wed Aug 23 11:26:44 2006
Subject: Odd time/date stamp in maillog
In-Reply-To:
References:
Message-ID: <44EC2D5A.5030406@solid-state-logic.com>

Colin Jack wrote:
> I am running MailScanner on CentOS 4.3 and find that the dates for the
> MailScanner entries in maillog are -5 hours against system time ...
> anybody any idea why?
>
> --- tail -f maillog snip ---
>
> Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=88.96.118.166, lip=192.168.2.4
> Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: from=, size=22216, class=0, nrcpts=1, msgid=<000b01c6c69b$df6ab260$36fd3550@bartek>, proto=ESMTP, daemon=MTA, relay=dr54.internetdsl.tpnet.pl [80.53.253.54]
> Aug 23 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
> Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
> Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
> Aug 23 11:07:10 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=87.127.16.161, lip=192.168.2.4
> Aug 23 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
> Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
> Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
> Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
> Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientKeyFile missing
>
> --- end snip ---
>
> The server has the correct settings:
>
> [root@server1 rules]# date
> Wed Aug 23 11:09:42 BST 2006
>
> Regards
>
> Colin

Hmm it does look like something is picking up the wrong TZ, for some
reason MS seems to think it's in New York..

what's in /etc/sysconfig/clock ?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From colin at mainline.co.uk Wed Aug 23 11:42:53 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 11:42:17 2006
Subject: Odd time/date stamp in maillog
Message-ID:

Well blow me ...

ZONE="America/New_York"
UTC=false
ARC=false

Where has that come from? The rest of the box thinks it is GMT +1

You are a genius ... do I just edit it?

Thanks

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Martin Hepworth
> Sent: 23 August 2006 11:27
> To: MailScanner discussion
> Subject: Re: Odd time/date stamp in maillog
>
> Colin Jack wrote:
> > I am running MailScanner on CentOS 4.3 and find that the dates for the
> > MailScanner entries in maillog are -5 hours against system time ...
> > anybody any idea why?
> >
> > --- tail -f maillog snip ---
> >
> > Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=88.96.118.166, lip=192.168.2.4
> > Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: from=, size=22216, class=0, nrcpts=1, msgid=<000b01c6c69b$df6ab260$36fd3550@bartek>, proto=ESMTP, daemon=MTA, relay=dr54.internetdsl.tpnet.pl [80.53.253.54]
> > Aug 23 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
> > Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
> > Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
> > Aug 23 11:07:10 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=87.127.16.161, lip=192.168.2.4
> > Aug 23 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
> > Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
> > Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
> > Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
> > Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientKeyFile missing
> >
> > --- end snip ---
> >
> > The server has the correct settings:
> >
> > [root@server1 rules]# date
> > Wed Aug 23 11:09:42 BST 2006
> >
> > Regards
> >
> > Colin
>
> Hmm it does look like something is picking up the wrong TZ,
> for some reason MS seems to think it's in New York..
>
> what's in /etc/sysconfig/clock ?
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
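
An added example, not part of the thread or of MailScanner: Python that finds which program in a syslog file stamps its entries in a different time zone, as the MailScanner lines in the excerpt do, and shifts them back so the file reads as one timeline. The log lines are abridged from the excerpt in the thread; the function names, the 15-minute rounding step and the rule that the offset shared by most programs is the baseline are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Abridged from the maillog excerpt in the thread (message text shortened).
SAMPLE = """\
Aug 23 11:07:06 server1 dovecot: pop3-login: Login: method=PLAIN
Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: size=22216, class=0, nrcpts=1
Aug 23 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
Aug 23 11:07:10 server1 dovecot: pop3-login: Login: method=PLAIN
Aug 23 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out
Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientKeyFile missing
""".splitlines()

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)")


def parse(lines, year):
    """Return [(timestamp, program, raw_line)] in file order; syslog lines carry no year."""
    entries = []
    for line in lines:
        hit = LINE_RE.match(line)
        if hit is None or hit["mon"] not in MONTHS:
            continue  # continuation or foreign line: skip rather than guess
        stamp = datetime(year, MONTHS[hit["mon"]], int(hit["day"]),
                         int(hit["h"]), int(hit["m"]), int(hit["s"]))
        entries.append((stamp, hit["prog"], line))
    return entries


def program_offsets(entries, step_minutes=15):
    """Most common offset of each program, in minutes, relative to the first program seen."""
    reference = entries[0][1]
    step = timedelta(minutes=step_minutes)
    votes = defaultdict(Counter)
    last_reference = None
    for stamp, prog, _ in entries:
        if prog == reference:
            last_reference = stamp
        # The file is appended in arrival order, so the latest reference line is "now";
        # rounding to the step absorbs the few seconds between neighbouring lines.
        votes[prog][round((stamp - last_reference) / step) * step_minutes] += 1
    return {prog: counts.most_common(1)[0][0] for prog, counts in votes.items()}


def skewed_programs(lines, year=2006):
    """Programs whose clock differs from the offset that most programs agree on."""
    entries = parse(lines, year)
    if not entries:
        return {}
    offsets = program_offsets(entries)
    baseline = Counter(offsets.values()).most_common(1)[0][0]
    return {prog: off - baseline for prog, off in offsets.items() if off != baseline}


def corrected(lines, year=2006):
    """Entries in file order with each skewed program shifted back onto the baseline."""
    skew = skewed_programs(lines, year)
    return [(stamp - timedelta(minutes=skew.get(prog, 0)), prog, raw)
            for stamp, prog, raw in parse(lines, year)]


if __name__ == "__main__":
    print(skewed_programs(SAMPLE))
    for stamp, prog, _ in corrected(SAMPLE):
        print(stamp.strftime("%b %d %H:%M:%S"), prog)
```
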
From glenn.steen at gmail.com Wed Aug 23 11:43:07 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 11:43:10 2006
Subject: auto whitelisting
In-Reply-To: <44EB4F2E.4020201@evi-inc.com>
References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> <44EABB69.4090001@solid-state-logic.com> <44EB4F2E.4020201@evi-inc.com>
Message-ID: <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com>

On 22/08/06, Matt Kettler wrote:
> Martin Hepworth wrote:
> >
> > I'd agree with Matt. I always recommend you turn the thing off as it
> > tends to let spam through when you don't want it to..
>
> Well, that's true.. but it can also cause spam to be tagged when it would
> otherwise be missed.
>
> Remember.. the AWL is NOT a whitelist..
>
Exactly!
I can say for a fact that the AWL has been keeping my false
rejection/tagging rate well down, even after applying some things
(ImageInfo mainly) to get a grip on the image based spam. Without the
AWL, many a financial newsletter would have gone down the drain... As
it is now, I cannot find one case where they've got tagged or removed.
Haven't seen the wildly fluctuating "misfires" of the AWL that some
report either.
So I'll be keeping my AWL on, for that crucial score averaging I need.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solid-state-logic.com Wed Aug 23 11:45:33 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Wed Aug 23 11:45:43 2006
Subject: Odd time/date stamp in maillog
In-Reply-To:
References:
Message-ID: <44EC31CD.4060906@solid-state-logic.com>

Colin Jack wrote:
> Well blow me ...
>
> ZONE="America/New_York"
> UTC=false
> ARC=false
>
> Where has that come from? The rest of the box thinks it is GMT +1
>
> You are a genius ... do I just edit it?
>
> Thanks
>
> Colin
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Martin Hepworth
>> Sent: 23 August 2006 11:27
>> To: MailScanner discussion
>> Subject: Re: Odd time/date stamp in maillog
>>
>> Colin Jack wrote:
>>> I am running MailScanner on CentOS 4.3 and find that the dates for the
>>> MailScanner entries in maillog are -5 hours against system time ...
>>> anybody any idea why?
>>>
>>> --- tail -f maillog snip ---
>>>
>>> Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=88.96.118.166, lip=192.168.2.4
>>> Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: from=, size=22216, class=0, nrcpts=1, msgid=<000b01c6c69b$df6ab260$36fd3550@bartek>, proto=ESMTP, daemon=MTA, relay=dr54.internetdsl.tpnet.pl [80.53.253.54]
>>> Aug 23 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
>>> Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
>>> Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
>>> Aug 23 11:07:10 server1 dovecot: pop3-login: Login: user=, method=PLAIN, rip=87.127.16.161, lip=192.168.2.4
>>> Aug 23 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
>>> Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
>>> Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
>>> Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
>>> Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientKeyFile missing
>>>
>>> --- end snip ---
>>>
>>> The server has the correct settings:
>>>
>>> [root@server1 rules]# date
>>> Wed Aug 23 11:09:42 BST 2006
>>>
>>> Regards
>>>
>>> Colin
>> Hmm it does look like something is picking up the wrong TZ,
>> for some reason MS seems to think it's in New York..
>>
>> what's in /etc/sysconfig/clock ?
>>
>> --
>> Martin Hepworth

or run /usr/sbin/timeconfig to make sure things get in there properly..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Wed Aug 23 11:59:01 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 11:59:05 2006
Subject: Odd time/date stamp in maillog
In-Reply-To:
References:
Message-ID: <223f97700608230359l24634f91w1c4b2c893b08f8cf@mail.gmail.com>

On 23/08/06, Colin Jack wrote:
> Well blow me ...
>
> ZONE="America/New_York"
> UTC=false
> ARC=false
>
> Where has that come from? The rest of the box thinks it is GMT +1
>
> You are a genius ... do I just edit it?
>
... or use a tool. I suppose redhat-config-date is still around in CentOS(?)...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From colin at mainline.co.uk Wed Aug 23 12:03:18 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 12:02:43 2006
Subject: AOL problems
Message-ID:

We are having problems with AOL not allowing email because the reverse
lookup fails. The problem is that it is failing it on the wrong address
... let me explain ;)

Our users relay mail off our server server1.mainline.co.uk
(212.21.100.75) and have done for years. DNS is okay.

Many of our users however have dynamic IP addresses when they connect to
our server to send mail and this also shows in the header.
So if we use an example of a user with a dynamic IP of 84.84.84.84
connecting to server1 to send email to AOL, the AOL mail server is
bouncing it because it says the IP 84.84.84.84 does not have a valid DNS
reverse.

Why I don't know ... but I wondered if it had anything to do with
MailScanner because that is a new addition to this box.

In /etc/sysconfig I have found a MailScanner file with this in it:

#
# Sendmail Settings
#
SENDMAIL=/usr/sbin/sendmail
QUEUETIME=15m
#INQDIR=/var/spool/mqueue.in
INPID=/var/run/sendmail.in.pid
OUTPID=/var/run/sendmail.out.pid
SMPID=/var/run/sm-client.pid
MSPUSER=smmsp # User for mail submission queue runner
MSPGROUP=smmsp # Group for mail submission queue runner
#

What does the SMPID line mean?

Hope I have explained clearly!

Thanks

Colin

From a.peacock at chime.ucl.ac.uk Wed Aug 23 12:08:22 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Wed Aug 23 12:08:32 2006
Subject: auto whitelisting
In-Reply-To: <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com>
References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> <44EABB69.4090001@solid-state-logic.com> <44EB4F2E.4020201@evi-inc.com> <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com>
Message-ID: <44EC3726.1030100@chime.ucl.ac.uk>

Hi,

Glenn Steen wrote:
> On 22/08/06, Matt Kettler wrote:
>> Martin Hepworth wrote:
>> >
>> > I'd agree with Matt. I always recommend you turn the thing off as it
>> > tends to let spam through when you don't want it to..
>>
>> Well, that's true.. but it can also cause spam to be tagged when it would
>> otherwise be missed.
>>
>> Remember.. the AWL is NOT a whitelist..
>>
> Exactly!
> I can say for a fact that the AWL has been keeping my false
> rejection/tagging rate well down, even after applying some things
> (ImageInfo mainly) to get a grip on the image based spam. Without the
> AWL, many a financial newsletter would have gone down the drain... As
> it is now, I cannot find one case where they've got tagged or removed.
> Haven't seen the wildly fluctuating "misfires" of the AWL that some
> report either.
> So I'll be keeping my AWL on, for that crucial score averaging I need.

I have to agree with Glenn here. On the whole the AWL works very well
for me, helping push emails in the correct direction. Often the AWL
prevents false positives for me.

On the rare occasions where AWL is contributing to an incorrect score it
is not usually the only problem, and it is easy enough to clear the AWL
entry for that sender.

But of course, like Bayes, YMMV.
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw

From colin at mainline.co.uk Wed Aug 23 12:09:29 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 12:08:54 2006
Subject: Odd time/date stamp in maillog
Message-ID:

Can't find redhat-config-date or timeconfig ... but I will dig about a
bit.

Got /usr/bin/time?

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Glenn Steen
> Sent: 23 August 2006 11:59
> To: MailScanner discussion
> Subject: Re: Odd time/date stamp in maillog
>
> On 23/08/06, Colin Jack wrote:
> > Well blow me ...
> >
> > ZONE="America/New_York"
> > UTC=false
> > ARC=false
> >
> > Where has that come from? The rest of the box thinks it is GMT +1
> >
> > You are a genius ... do I just edit it?
> >
> ... or use a tool. I suppose redhat-config-date is still
> around in CentOS(?)...

From res at ausics.net Wed Aug 23 12:30:45 2006
From: res at ausics.net (Res)
Date: Wed Aug 23 12:30:58 2006
Subject: Odd time/date stamp in maillog
In-Reply-To:
References:
Message-ID:

On Wed, 23 Aug 2006, Colin Jack wrote:

> Can't find redhat-config-date or timeconfig ... but I will dig about a
> bit.
>

as root type 'setup' you should see a tz option

> Got /usr/bin/time?
>
> Colin
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Glenn Steen
>> Sent: 23 August 2006 11:59
>> To: MailScanner discussion
>> Subject: Re: Odd time/date stamp in maillog
>>
>> On 23/08/06, Colin Jack wrote:
>>> Well blow me ...
>>>
>>> ZONE="America/New_York"
>>> UTC=false
>>> ARC=false
>>>
>>> Where has that come from? The rest of the box thinks it is GMT +1
>>>
>>> You are a genius ... do I just edit it?
>>>
>> ... or use a tool. I suppose redhat-config-date is still
>> around in CentOS(?)...

--
Cheers
Res
Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From colin at mainline.co.uk Wed Aug 23 12:42:54 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Aug 23 12:42:17 2006
Subject: Odd time/date stamp in maillog
Message-ID:

No ... just mouse and network and services ;(

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: 23 August 2006 12:31
> To: MailScanner discussion
> Subject: RE: Odd time/date stamp in maillog
>
> On Wed, 23 Aug 2006, Colin Jack wrote:
>
> > Can't find redhat-config-date or timeconfig ... but I will dig about a
> > bit.
> >
>
> as root type 'setup' you should see a tz option
>
> > Got /usr/bin/time?
> >
> > Colin
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >> Glenn Steen
> >> Sent: 23 August 2006 11:59
> >> To: MailScanner discussion
> >> Subject: Re: Odd time/date stamp in maillog
> >>
> >> On 23/08/06, Colin Jack wrote:
> >>> Well blow me ...
> >>>
> >>> ZONE="America/New_York"
> >>> UTC=false
> >>> ARC=false
> >>>
> >>> Where has that come from? The rest of the box thinks it is GMT +1
> >>>
> >>> You are a genius ... do I just edit it?
> >>>
> >> ...
or use a tool. I suppose redhat-config-date is still around in > >> CentOS(?)... > >> > >> -- > >> -- Glenn > >> email: glenn < dot > steen < at > gmail < dot > com > >> work: glenn < dot > steen < at > ap1 < dot > se > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > ----------------------disclaimer --------------------------------- > > > > 1. This e-mail and any attachments are confidential & > access by anyone > > other than the addressee(s) is unauthorised. > > 2. The security of e-mail communication cannot be guaranteed and > > neither Mainline IT nor Mainline Internet will accept > claims arising > > as a result of using this medium. > > 3. Any opinions expressed herein are the opinions of the author and > > are not those of either Mainline IT or Mainline Internet. > > 4. Although all email is scanned for viruses, it is the > responsibility > > of the recipient to ensure they have adequate anti-virus defences. > > > > > ---------------------------------------------------------------------- > > -- > > > > > > > > -- > Cheers > Res > Aussie Open Source Hosting > > "Just a world that we all must share, it's not enough just to > stand and stare, is it only a dream that there'll be no more > turning away" - Floyd > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. 
The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. ------------------------------------------------------------------------ From steve.swaney at fsl.com Wed Aug 23 13:15:52 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 23 13:15:58 2006 Subject: Odd time/date stamp in maillog In-Reply-To: Message-ID: <4bf401c6c6ad$e0cb0080$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Colin Jack > Sent: Wednesday, August 23, 2006 7:09 AM > To: MailScanner discussion > Subject: RE: Odd time/date stamp in maillog > > Can't find redhat-config-date or timeconfig ... but I will dig about a > bit. > > Got /usr/bin/time? > > Colin > Hmmmm. From `man time` on a RH system: TIME(1) NAME time - time a simple command or give resource usage SYNOPSIS time [options] command [arguments...] DESCRIPTION The time command runs the specified program command with the given arguments. When command finishes, time writes a message to standard output giving timing statistics about this program run. ...... Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From uxbod at splatnix.net Wed Aug 23 13:26:03 2006 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Aug 23 13:26:19 2006 Subject: SpamAssassin Temporary Files Message-ID: <39208f33da6e6e55dec46b011d02d423@localhost> Hi, I am attempting to tune our MailScanner/SpamAssassin implementation, and have created a 256MB tmpfs for the bayes databases and incoming work area. 
What would be good is if a configuration item could be added to MailScanner for the SpamAssassin TMPDIR variable. I have hard coded it at the moment in the MailScanner perl script with :- $ENV{TMPDIR}="/var/spool/MailScanner/spamassassin"; # Write Temp Files to TMPFS And that does appear to speed things up quite nicely. I have FuzzyOCR running as well so this now inherits the TMPDIR path as well. What do you think ? Cheers, --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Wed Aug 23 13:27:53 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 23 13:28:15 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EC06B7.6090800@ecs.soton.ac.uk> References: <44EC02E3.5010108@ecs.soton.ac.uk> <44EC06B7.6090800@ecs.soton.ac.uk> Message-ID: <44EC49C9.2060509@USherbrooke.ca> Julian Field wrote: > Edit /usr/lib/MailScanner/MailScanner/SweepContent.pm and around line > 131 you need to change it to say > > MailScanner::Config::LanguageValue($message, 'toobig') . ": " > . $message->{size} . " > bytes\n"; Julian, You should not print out English words such as "bytes" from within Perl code (there are already a couple of things I have to translate back to French whenever I upgrade MS)... you should use languages.conf instead, like you did for toobig... I'm sure it was just a quick hack... ;-) Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3226 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060823/a0e27a0e/smime.bin From colin at mainline.co.uk Wed Aug 23 13:38:10 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 13:37:30 2006 Subject: Odd time/date stamp in maillog Message-ID: Yeah ... that's what I got. If I run date it says the time is correct [root@server1 ~]# date Wed Aug 23 13:34:22 BST 2006 [root@server1 ~]# ... it is just that MailScanner seems to use the time zone from /etc/sysconfig/clock Maybe CentOS uses another file for its date in which case I need to tell MailScanner where to find it. Regards Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stephen Swaney > Sent: 23 August 2006 13:16 > To: 'MailScanner discussion' > Subject: RE: Odd time/date stamp in maillog > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Colin Jack > > Sent: Wednesday, August 23, 2006 7:09 AM > > To: MailScanner discussion > > Subject: RE: Odd time/date stamp in maillog > > > > Can't find redhat-config-date or timeconfig ... but I will > dig about a > > bit. > > > > Got /usr/bin/time? > > > > Colin > > > > Hmmmm. From `man time` on a RH system: > > > TIME(1) > > NAME > time - time a simple command or give resource usage > > SYNOPSIS > time [options] command [arguments...] > > DESCRIPTION > The time command runs the specified program command > with the given arguments. When command finishes, time writes > a message to standard output giving timing statistics about > this program run. > ...... > > Steve > > Stephen Swaney > Fort Systems Ltd. 
> stephen.swaney@fsl.com > www.fsl.com From res at ausics.net Wed Aug 23 13:49:18 2006 From: res at ausics.net (Res) Date: Wed Aug 23 13:49:31 2006 Subject: Odd time/date stamp in maillog In-Reply-To: References: Message-ID: Colin, On Wed, 23 Aug 2006, Colin Jack wrote: > ... it is just that MailScanner seems to use the time zone from > /etc/sysconfig/clock If you know the correct format of your timezone, put it in this file, replacing the New York entry. Failing that, you could, in your startup script, put something like this: TZ='Australia/Brisbane' ; export TZ (of course replace mine with your timezone) > Maybe CentOS uses another file for its date in which case I need to tell > MailScanner where to find it. CentOS is essentially RH, just minor mods so I doubt it uses anything weird, however its base server install package list leaves a lot to be desired, and does omit key packages.
-- Cheers Res Aussie Open Source Hosting "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From MailScanner at ecs.soton.ac.uk Wed Aug 23 13:54:20 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 13:54:45 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EC49C9.2060509@USherbrooke.ca> References: <44EC02E3.5010108@ecs.soton.ac.uk> <44EC06B7.6090800@ecs.soton.ac.uk> <44EC49C9.2060509@USherbrooke.ca> Message-ID: <44EC4FFC.9040108@ecs.soton.ac.uk> Denis Beauchemin wrote: > Julian Field wrote: >> Edit /usr/lib/MailScanner/MailScanner/SweepContent.pm and around line >> 131 you need to change it to say >> >> MailScanner::Config::LanguageValue($message, 'toobig') . ": " >> . $message->{size} . " >> bytes\n"; > Julian, > > You should not print out English words such as "bytes" from within > Perl code (there are already a couple of things I have to translate > back to French whenever I upgrade MS)... Where are the others? > you should use languages.conf instead, like you did for toobig... You're quite right, I should :-) > > I'm sure it was just a quick hack... ;-) > > Denis > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk From colin at mainline.co.uk Wed Aug 23 14:10:51 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 14:10:12 2006 Subject: Odd time/date stamp in maillog Message-ID: Changed that and restarted MailScanner and it is still -5 hrs out :( Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Martin Hepworth > Sent: 23 August 2006 11:46 > To: MailScanner discussion > Subject: Re: Odd time/date stamp in maillog > > Colin Jack wrote: > > Well blow me ... > > > > ZONE="America/New_York" > > UTC=false > > ARC=false > > > > Where has that come from? The rest of the box things it is GMT +1 > > > > You are a genius ... do I just edit it? > > > > Thanks > > > > Colin > > > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Martin Hepworth > >> Sent: 23 August 2006 11:27 > >> To: MailScanner discussion > >> Subject: Re: Odd time/date stamp in maillog > >> > >> Colin Jack wrote: > >>> I am running MailScanner on CentOS 4.3 and find that the > >> dates for the > >>> MailScanner entries in maillog are -5 hours against > system time ... > >>> anybody any idea why? 
> >>> > >>> --- tail -f maillog snip --- > >>> > >>> Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=, > >>> method=PLAIN, rip=88.96.118.166, lip=192.168.2.4 Aug 23 11:07:07 > >>> server1 sendmail[9046]: k7NA715S009046: > >>> from=, size=22216, class=0, > nrcpts=1, > >>> msgid=<000b01c6c69b$df6ab260$36fd3550@bartek>, proto=ESMTP, > >>> daemon=MTA, relay=dr54.internetdsl.tpnet.pl [80.53.253.54] Aug 23 > >>> 11:07:07 server1 dovecot: POP3(point): Disconnected: Logged out > >>> top=0/0, retr=0/0, del=0/0, size=0 Aug 23 06:07:10 server1 > >>> MailScanner[8145]: New Batch: Found 40 messages waiting Aug 23 > >>> 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 > messages, > >>> 22763 bytes Aug 23 11:07:10 server1 dovecot: pop3-login: Login: > >>> user=, method=PLAIN, rip=87.127.16.161, > >> lip=192.168.2.4 Aug 23 > >>> 11:07:10 server1 dovecot: POP3(netia): Disconnected: Logged out > >>> top=0/0, retr=0/0, del=0/0, size=0 Aug 23 06:07:10 server1 > >>> MailScanner[8145]: Virus and Content Scanning: > >>> Starting > >>> Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: > Delivered 1 > >>> messages Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: > >>> ClientCertFile missing Aug 23 11:07:11 server1 sendmail[9071]: > >>> STARTTLS: ClientKeyFile missing > >>> > >>> --- end snip --- > >>> > >>> The server has the correct settings: > >>> > >>> [root@server1 rules]# date > >>> Wed Aug 23 11:09:42 BST 2006 > >>> > >>> Regards > >>> > >>> Colin > >> Hmm it does look like something is picking up the wrong > TZ, for some > >> reason MS seems to think its in New York.. > >> > >> what's in /etc/sysconfig/clock ? > >> > >> -- > >> Martin Hepworth > > > or run /usr/sbin/timeconfig to make sure things get in there > properly.. 
> > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential > and intended solely for the use of the individual or entity > to whom they are addressed. If you have received this email > in error please notify the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean.> > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. 
------------------------------------------------------------------------ From steve.swaney at fsl.com Wed Aug 23 14:18:40 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 23 14:18:43 2006 Subject: Odd time/date stamp in maillog In-Reply-To: Message-ID: <4e2001c6c6b6$a6a8b6a0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Colin Jack > Sent: Wednesday, August 23, 2006 9:11 AM > To: MailScanner discussion > Subject: RE: Odd time/date stamp in maillog > > Changed that and restarted MailScanner and it is still -5 hrs out :( > > Colin > What OS / version are you using? Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From prandal at herefordshire.gov.uk Wed Aug 23 13:51:10 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Aug 23 14:19:00 2006 Subject: Odd time/date stamp in maillog Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B703@isabella.herefordshire.gov.uk> It is system-config-date in CentOS 4. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: 23 August 2006 11:59 > To: MailScanner discussion > Subject: Re: Odd time/date stamp in maillog > > On 23/08/06, Colin Jack wrote: > > Well blow me ... > > > > ZONE="America/New_York" > > UTC=false > > ARC=false > > > > Where has that come from? The rest of the box things it is GMT +1 > > > > You are a genius ... do I just edit it? > > > ... or use a tool. I suppose redhat-config-date is still > around in CentOS(?)... 
> > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From strydom.dave at gmail.com Wed Aug 23 14:22:40 2006 From: strydom.dave at gmail.com (Dave Strydom) Date: Wed Aug 23 14:22:48 2006 Subject: Thoughts on Barracudas? In-Reply-To: <44E9AC41.1010005@ecs.soton.ac.uk> References: <44E9AC41.1010005@ecs.soton.ac.uk> Message-ID: > "I've tried Mailscanner on FreeBSD for almost one year. It worked great > for about two months, then after every upgrade it began to let more and > more spam through. I've tried everything to fix it and just got tired of > my users complaining of increased spam. Someone please explain to me how upgrading MailScanner can possibly allow more spam through? That's like saying "I upgraded my car doors, now my tyres have lost grip on the road" > What is your opinion on the Barracuda appliance? I think they have a good marketing department, let's take their 800 Model for example: # 15 million email messages per day # 8,000-22,000 active email users # 5,000 Domains # 200GB Quarantine Storage 5000 Domains? ok, this unit is already useless to me. Let's say you max this thing out and do 15 million emails a day, and say 10% of those emails are spam and have a total average size of 100kb. You would use up 143GB of that 200GB Quarantine. I just think they have a good marketing department. > How easy is it to use? Depends on how stupid the person is that is using it? > Does it actually work? I would imagine so, yes, how well I don't know. > Can it survive the loads they say it can? Don't know, I don't know anyone who does 15 million emails a day, or anyone who has the bandwidth to handle this, it works out to 173 emails a second.
> And, of course, how does it compare with MailScanner? I think it depends on what your requirements are, if you have a small business network and you don't want to spend time maintaining servers, then go with the fishy spam solution. In our environment it would not suit us at all, MailScanner is the best solution I know of to spam filtering. I use MailScanner with Mailwatch and exim (using EximConfig http://www.jcdigita.com/eximconfig/ ). And I hardly have any spam come through our systems (5 MailScanner Servers). Dave From bpumphrey at WoodMacLaw.com Wed Aug 23 14:26:11 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Wed Aug 23 14:26:16 2006 Subject: SA bayes not working / autolearn inactive? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D132@UBIMAIL1.ubisoft.org> Message-ID: <04D932B0071FE34FA63EBB1977B48D15018E32F6@woodenex.woodmaclaw.local> > ________________________________________ > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Maher > Sent: Tuesday, August 22, 2006 11:03 AM > To: MailScanner discussion > Subject: SA bayes not working / autolearn inactive? > > Hello all, > > I set up a new MailScanner server today, basically as a clone of an already existing one in the pool. I have SpamAssassin's "autolearn" feature enabled on the existing mail servers; however, even though I have the same environment and configuration file on the new incoming server, autolearn does not appear to be activated. It's either that, or bayes just isn't activating properly, and autolearn is deactivating on its own.. I'm just not sure. > > Relevant config snippet: > ### > use_bayes 1 In my spam.assass.conf.prefs here is my use_bayes line: # use_bayes 0 It is commented out because bayes is used by default. Would that have anything to do with it?
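For the "Odd time/date stamp in maillog" thread on this page: an added example, not code from any poster or from MailScanner, that reads a syslog-style maillog, reports which programs stamp their lines at an offset from the majority, and rebuilds a single ordered timeline. The sample lines are constructed after the excerpt quoted in the thread (addresses are placeholders); the function names and the fixed year are assumptions.

```python
import re
from bisect import bisect_left
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample, modelled on the maillog excerpt quoted in the thread.
SAMPLE = """\
Aug 23 11:07:06 server1 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
Aug 23 11:07:07 server1 sendmail[9046]: k7NA715S009046: from=<bob@example.com>, size=22216, nrcpts=1
Aug 23 11:07:07 server1 dovecot: POP3(alice): Disconnected: Logged out
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Found 40 messages waiting
Aug 23 06:07:10 server1 MailScanner[8145]: New Batch: Scanning 1 messages, 22763 bytes
Aug 23 11:07:10 server1 dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.11
Aug 23 06:07:10 server1 MailScanner[8145]: Virus and Content Scanning: Starting
Aug 23 06:07:11 server1 MailScanner[8145]: Uninfected: Delivered 1 messages
Aug 23 11:07:11 server1 sendmail[9071]: STARTTLS: ClientCertFile missing
"""

# "Mon DD HH:MM:SS host program[pid]:" (the pid part is optional)
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\s:\[]+)(?:\[\d+\])?:")


def parse(text, year=2006):
    """Return [(timestamp, program)] in file order. Classic syslog lines carry
    no year, so one is assumed; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3)))
    return events


def program_offsets(events, step=900):
    """Seconds by which each program's stamps differ from the majority.

    syslogd appends lines in arrival order, so neighbouring lines were written
    at nearly the same real time. Each line is compared with the nearest line
    (by position) of an anchor program, the median difference per program is
    rounded to a quarter hour (time zones differ by multiples of 15 minutes),
    and the offset shared by the most lines is taken as the baseline.
    """
    if not events:
        return {}
    anchor = events[0][1]
    anchor_idx = [i for i, (_, prog) in enumerate(events) if prog == anchor]
    deltas = defaultdict(list)
    for i, (ts, prog) in enumerate(events):
        pos = bisect_left(anchor_idx, i)
        nearest = min(anchor_idx[max(pos - 1, 0):pos + 1], key=lambda k: abs(k - i))
        deltas[prog].append((ts - events[nearest][0]).total_seconds())
    raw = {prog: round(median(d) / step) * step for prog, d in deltas.items()}
    lines_per_prog = Counter(prog for _, prog in events)
    votes = Counter()
    for prog, off in raw.items():
        votes[off] += lines_per_prog[prog]
    baseline = votes.most_common(1)[0][0]
    return {prog: int(off - baseline) for prog, off in raw.items()}


def skewed(offsets):
    """Only the programs that disagree with the majority, in hours."""
    return {prog: off / 3600 for prog, off in offsets.items() if off}


def corrected_timeline(events, offsets):
    """Shift every line back onto the majority clock for incident timelines."""
    return [(ts - timedelta(seconds=offsets[prog]), prog) for ts, prog in events]


if __name__ == "__main__":
    evts = parse(SAMPLE)
    offs = program_offsets(evts)
    for prog, hours in skewed(offs).items():
        print(f"{prog}: stamps are {hours:+.2f} h from the other programs")
    for ts, prog in corrected_timeline(evts, offs):
        print(ts.strftime("%b %d %H:%M:%S"), prog)
```

A non-empty `skewed()` result means the log cannot be read as one timeline without the per-program correction, which matters when correlating delivery and scanning events after an incident.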
From colin at mainline.co.uk Wed Aug 23 14:28:29 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 14:27:52 2006 Subject: Odd time/date stamp in maillog Message-ID: CentOS > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stephen Swaney > Sent: 23 August 2006 14:19 > To: 'MailScanner discussion' > Subject: RE: Odd time/date stamp in maillog > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Colin Jack > > Sent: Wednesday, August 23, 2006 9:11 AM > > To: MailScanner discussion > > Subject: RE: Odd time/date stamp in maillog > > > > Changed that and restarted MailScanner and it is still -5 hrs out :( > > > > Colin > > > What OS / version are you using? > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. 
------------------------------------------------------------------------ From colin at mainline.co.uk Wed Aug 23 14:29:44 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 14:29:09 2006 Subject: Odd time/date stamp in maillog Message-ID: Sorry ... clicked 'send' before I had finished ;) CentOS 4.3 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stephen Swaney > Sent: 23 August 2006 14:19 > To: 'MailScanner discussion' > Subject: RE: Odd time/date stamp in maillog > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Colin Jack > > Sent: Wednesday, August 23, 2006 9:11 AM > > To: MailScanner discussion > > Subject: RE: Odd time/date stamp in maillog > > > > Changed that and restarted MailScanner and it is still -5 hrs out :( > > > > Colin > > > What OS / version are you using? > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. 
------------------------------------------------------------------------ From colin at mainline.co.uk Wed Aug 23 14:30:59 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 14:30:22 2006 Subject: Odd time/date stamp in maillog Message-ID: Thanks ... the odd thing is that the system time seems fine when I use 'date' ... it is just that MailScanner is putting the wrong time stamp in the logs. Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Randal, Phil > Sent: 23 August 2006 13:51 > To: MailScanner discussion > Subject: RE: Odd time/date stamp in maillog > > It is system-config-date in CentOS 4. > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Glenn > > Steen > > Sent: 23 August 2006 11:59 > > To: MailScanner discussion > > Subject: Re: Odd time/date stamp in maillog > > > > On 23/08/06, Colin Jack wrote: > > > Well blow me ... > > > > > > ZONE="America/New_York" > > > UTC=false > > > ARC=false > > > > > > Where has that come from? The rest of the box things it is GMT +1 > > > > > > You are a genius ... do I just edit it? > > > > > ... or use a tool. I suppose redhat-config-date is still around in > > CentOS(?)... > > > > -- > > -- Glenn > > email: glenn < dot > steen < at > gmail < dot > com > > work: glenn < dot > steen < at > ap1 < dot > se > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! 
From john at katy.com Wed Aug 23 14:31:53 2006 From: john at katy.com (John Schmerold) Date: Wed Aug 23 14:32:07 2006 Subject: A question about mqueue.in directory In-Reply-To: <20060823131714.ai6eejsqu0qsggso@webmail.itu.edu.tr> References: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr> <44EC2289.6030900@coders.co.uk> <20060823131714.ai6eejsqu0qsggso@webmail.itu.edu.tr> Message-ID: <44EC58C9.10307@katy.com> To clean them up, run: find /var/spool/mqueue.in -type f -mtime +2 -exec rm {} \; I'm not sure what's going on, however I have a number of stragglers left in my queue as well. John Schmerold Katy Computer & Wireless 20 Meramec Station Rd Valley Park MO 63088 636-861-6900 v 775-227-6947 f Hakan VELIOGLU wrote: > Thanks for the answer. > > I searched for df and qf files and there is one df file and all the > other 565 > files are qf. > > Does this mean that there is a problem or configuration error ?
> > ----- Message from matt@coders.co.uk --------- > Tarih: Wed, 23 Aug 2006 10:40:25 +0100 > Kimden: Matt Hampton > Cevap:MailScanner discussion > Konu: Re: A question about mqueue.in directory > Kime: MailScanner discussion > > >> Hakan VELIOGLU wrote: >>> Hi, >>> >>> I am new with sendmail and mailscanner, and I got a question about >>> mqueue.in >>> directory. Our mailgateway server is up for two weeks and it has 566 >>> old files >>> in /var/spool/mqueue.in/ directory. >>> >>> Is it normal? and why this happens? >> >> Yes. Unless you are getting qf files as well as the df files. >> >> The df files are generated first and if there is a milter error or the >> remote server disconnects the files are left in the directory. >> >> If you have qf files then you need to do more investigation as >> MailScanner should be processing them and deleting them. >> >> matt >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > ----- End message from matt@coders.co.uk ----- > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. 
>

From Denis.Beauchemin at USherbrooke.ca Wed Aug 23 14:56:45 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Aug 23 14:57:02 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <44EC4FFC.9040108@ecs.soton.ac.uk>
References: <44EC02E3.5010108@ecs.soton.ac.uk> <44EC06B7.6090800@ecs.soton.ac.uk> <44EC49C9.2060509@USherbrooke.ca> <44EC4FFC.9040108@ecs.soton.ac.uk>
Message-ID: <44EC5E9D.4080503@USherbrooke.ca>

Julian Field wrote:
>
>
> Denis Beauchemin wrote:
>> Julian Field wrote:
>>> Edit /usr/lib/MailScanner/MailScanner/SweepContent.pm and around
>>> line 131 you need to change it to say
>>>
>>> MailScanner::Config::LanguageValue($message, 'toobig') . ": "
>>> . $message->{size} . "
>>> bytes\n";
>> Julian,
>>
>> You should not print out English words such as "bytes" from within
>> Perl code (there are already a couple of things I have to translate
>> back to French whenever I upgrade MS)...
> Where are the others?
>> you should use languages.conf instead, like you did for toobig...
> You're quite right, I should :-)
>>
>> I'm sure it was just a quick hack... ;-)
>>
>> Denis
>>
>

Julian,

I modify SweepViruses.pm (ProcessMcAfeeOutput function) to translate McAfee messages to French... not much you can do about it...

I also modify Message.pm because of the following line (#5301 in the latest beta):
$output .= 'Web Bug from ' . $attr->{'src'} if $attr->{'src'};
I just comment it out but it should be localized.

I can't remember what it was but I think there was something else but I didn't bother translating it so I guess it was minor.

Thanks!

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3226 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060823/3b727566/smime.bin From glenn.steen at gmail.com Wed Aug 23 14:57:59 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 23 14:58:02 2006 Subject: Odd time/date stamp in maillog In-Reply-To: References: Message-ID: <223f97700608230657g21d41197vd265b8150c34da04@mail.gmail.com> On 23/08/06, Colin Jack wrote: > Thanks ... the odd thing is that the system time seems fine when I use > 'date' ... it is just that MailScanner is putting the wrong time stamp > in the logs. > > Colin > Yes, well... That is an interractive session, which has probably loaded some additional environmental setup files, so doesn't say much (TZ is probably set in a central profile, bashrc or similar file). If you look at your cron jobs etc, they likely have a somewhat "skewed" view of what timezone you're in too. You obviously have a correct setting for it in the interractive shell, so you might want to look at that (echo $TZ). BTW, (thanks Phil for the correction:) did you try running system-config-date? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Wed Aug 23 15:34:39 2006 From: mailscanner at mango.zw (Jim Holland) Date: Wed Aug 23 15:33:53 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EC02E3.5010108@ecs.soton.ac.uk> Message-ID: On Wed, 23 Aug 2006, Julian Field wrote: > Jim Holland wrote: > > Hi Julian > > > > I installed the above beta version this evening on Red Hat 7.1 earlier > > this evening, just after installing sendmail 8.13.8. See details of > > configuration below (you may notice that it is using Sys::Syslog version > > 0.01 - the current version does not compile on RH 7.1). 
> > > > The installation went fine, but I experienced the following error when > > trying to start MailScanner: > > > > Can't locate Sys/Hostname/Long.pm in @INC . . . > > > > That was solved by installing Sys::Hostname::Long using cpan and it worked > > fine after that. > > > I'll take a look. What happened when the install.sh tried to install it? Nothing. There were no errors in the installation log, which I have copied to you separately. However I see that with the list of modules to be installed in the install.sh script there is nothing reported in the log for modules after Getopt::Long, ie for: Time::HiRes Time-HiRes 1.86 1 noarch Filesys::Df Filesys-Df 0.90 1 noarch Net::IP Net-IP 1.24 1 noarch Sys::Hostname::Long Sys-Hostname-Long 1.4 1 noarch Sys::Syslog Sys-Syslog 0.17 1 noarch The next entry in the install log is for the tnef decoder. In my case I have the following versions of the above modules now installed: Time::HiRes 1.86 (I don't know when this was installed) Filesys::Df 0.92 (which I had to install manually when upgrading to 4.54.6) Net::IP missing Sys::Hostname::Long 1.4 (after installing it manually) Sys::Syslog 0.01 (the install script has never attempted to upgrade this module) It does look as if there could be a problem with the install script because I remember when installing 4.50.10-1 at the beginning of the year I had to install a whole bunch of Perl modules (eg DBI, SQL-Lite) manually at that time too. > > You have very kindly included a new facility for providing separate > > reports for messages and attachments which have been blocked or > > quarantined due to user specified size restrictions. 
I have done some > > testing on both oversize messages and attachments, and am pleased to > > report that it works exactly as intended for attachments, giving a report > > such as: > > > > MailScanner: Attachment is too large: 154303 bytes > > > > However in the case of oversize messages, the report is just: > > > > MailScanner: Message is too large > > > > with no indication of the size of the message that has been quarantined. > > Would it be possible to include the size in that case as well? That would > > be very helpful for people who don't want to unquarantine a message that > > is far too large for them to handle. > > > I'll take a look and see. I can only think that there was some good > reason why I couldn't do it. Thanks for that. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From hmkash at arl.army.mil Wed Aug 23 15:38:42 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Wed Aug 23 15:38:53 2006 Subject: Max SpamAssassin Size problems Message-ID: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> > Instead of the closest following MIME boundary, how about the closest > following blank line (or line that only contains whitespace). Would that > be okay? That sounds like an OK fix for the images. The plugins don't care about the closing MIME boundary, they just need the full base64 encoding present, which, as far as I know, shouldn't contain any blank lines. The only issue I can think of is if you hit the "Max SpamAssassin Size" limit in the middle of the MIME header. Then your next blank line would be between the header and the contents and you're left with a header but no contents. That would probably still trigger a corrupt image rule, but should be pretty rare. SA does have a MIME_MISSING_BOUNDRY rule, but it has a default score of zero in at least the 3.1 releases. 
Howard

From daniel.maher at ubisoft.com Wed Aug 23 15:44:19 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Aug 23 15:44:24 2006
Subject: SA bayes not working / autolearn inactive?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D145@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey
> Sent: August 23, 2006 9:26 AM
> To: MailScanner discussion
> Subject: RE: SA bayes not working / autolearn inactive?
>
> > Relevant config snippet:
> > ###
> > use_bayes 1
>
> In my spam.assass.conf.prefs here is my use_bayes line:
> # use_bayes 0
> It is commented out because bayes is used by default.
>
> Would that have anything to do with it?

I don't know why explicitly turning an option on would, in fact, turn it off. Furthermore, this is exactly the same setting (and config file) that is on every other mail server in the pool - and their bayes and autolearn functions work properly.

That said, in the absence of any other options, I commented the line out as you suggested, but it didn't help. Thanks anyways!

Does anybody else have any more ideas? It's starting to get frustrating. :(

--
   _
  °v°   Daniel Maher
 /(_)\  Administrateur Système Unix
  ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From ylacan at teicam.com Wed Aug 23 15:52:31 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Wed Aug 23 15:52:56 2006
Subject: SA bayes not working / autolearn inactive?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D145@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D145@UBIMAIL1.ubisoft.org>
Message-ID: <44EC6BAF.5040804@teicam.com>

Hi there,

I seem to be running into a similar problem, although I might have messed up my bayes config by wanting to adapt it to Mailwatch.

Somehow, my bayes db doesn't grow at all and just seems to sit there, sucking its thumb.
Unfortunately, I'm as stuck as you are on this issue, so I can't really help you out.

Regards,

Youri LACAN-BARTLEY
PCAM
Espace HERVANN
641 Chemin des terriers
06600 ANTIBES
Tel: 04.93.33.26.25
Fax: 04.93.33.73.45

Daniel Maher wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey
>> Sent: August 23, 2006 9:26 AM
>> To: MailScanner discussion
>> Subject: RE: SA bayes not working / autolearn inactive?
>>
>>
>>> Relevant config snippet:
>>> ###
>>> use_bayes 1
>>>
>> In my spam.assass.conf.prefs here is my use_bayes line:
>> # use_bayes 0
>> It is commented out because bayes is used by default.
>>
>> Would that have anything to do with it?
>>
>
> I don't know why explicitly turning an option on would, in fact, turn it off. Furthermore, this is exactly the same setting (and config file) that is on every other mail server in the pool - and their bayes and autolearn functions work properly.
>
> That said, in the absence of any other options, I commented the line out as you suggested, but it didn't help. Thanks anyways!
>
> Does anybody else have any more ideas? It's starting to get frustrating. :(
>
>
> --
>    _
>   °v°   Daniel Maher
>  /(_)\  Administrateur Système Unix
>   ^ ^   Unix System Administrator
>
> Sentio aliquos togatos contra me conspirare.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060823/943cd7c5/attachment-0001.html

From Denis.Beauchemin at USherbrooke.ca Wed Aug 23 15:56:09 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Aug 23 15:56:32 2006
Subject: A question about mqueue.in directory
In-Reply-To: <44EC58C9.10307@katy.com>
References: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr> <44EC2289.6030900@coders.co.uk> <20060823131714.ai6eejsqu0qsggso@webmail.itu.edu.tr> <44EC58C9.10307@katy.com>
Message-ID: <44EC6C89.7040506@USherbrooke.ca>

John Schmerold wrote:
> To clean them up, run:
> find /var/spool/mqueue.in -type f -mtime +2 -exec rm {} \;
>

If you have many files in there the following will be much faster (and less resource intensive):
find /var/spool/mqueue.in -type f -mtime +2 -print | xargs rm -f

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From glenn.steen at gmail.com Wed Aug 23 16:19:24 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 16:19:31 2006
Subject: Odd time/date stamp in maillog
In-Reply-To: <223f97700608230657g21d41197vd265b8150c34da04@mail.gmail.com>
References: <223f97700608230657g21d41197vd265b8150c34da04@mail.gmail.com>
Message-ID: <223f97700608230819r5b7ea561q972e08ad45a6f524@mail.gmail.com>

On 23/08/06, Glenn Steen wrote:
> On 23/08/06, Colin Jack wrote:
> > Thanks ... the odd thing is that the system time seems fine when I use
> > 'date' ... it is just that MailScanner is putting the wrong time stamp
> > in the logs.
> >
> > Colin
> >
> Yes, well...
That is an interractive session, which has probably > loaded some additional environmental setup files, so doesn't say much > (TZ is probably set in a central profile, bashrc or similar file). If > you look at your cron jobs etc, they likely have a somewhat "skewed" > view of what timezone you're in too. > You obviously have a correct setting for it in the interractive shell, > so you might want to look at that (echo $TZ). > BTW, (thanks Phil for the correction:) did you try running system-config-date? > > Cheers If you don't have the system-config-date utility, you can easily yum it, as shown here: http://lists.centos.org/pipermail/centos/2005-May/047058.html -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel.maher at ubisoft.com Wed Aug 23 16:23:43 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Aug 23 16:23:46 2006 Subject: SA bayes not working / autolearn inactive? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D146@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Green, Rodney > Sent: August 22, 2006 12:34 PM > To: MailScanner discussion > Subject: Re: SA bayes not working / autolearn inactive? > > I didn't see anything in your original posting saying that you populated > the bayes db to try it. Also, the lint output you posted says that it > does not meet the threshold requirement. > Thanks for the reply, I have since populated the bayes DB (via sa-learn backup/restore) from one of the functioning mail servers. 
A lint check now shows this:
---
[19182] dbg: bayes: DB journal sync: last sync: 1156345626
[19182] dbg: bayes: corpus size: nspam = 5507601, nham = 1761804
---

As before, my learning threshold config line is:
---
bayes_auto_learn_threshold_spam 12
---

Take, for example, the following mail which passed through a few moments ago:
---
Aug 23 15:14:05 yosemite MailScanner[18668]: Message 593C069B0A.6BE83 from 222.35.236.81 (offjskcjacpiz@yahoo.co.kr) to ubisoft.com is spam, SpamAssassin (score=31.401, required 6, DATE_IN_FUTURE_96_XX 1.89, DATE_SPAMWARE_Y2K 1.82, FORGED_IMS_HTML 2.27, FORGED_IMS_TAGS 2.12, FORGED_MUA_IMS 1.20, FROM_ILLEGAL_CHARS 3.28, FROM_LOCAL_NOVOWEL 2.33, HTML_MESSAGE 0.50, HTML_MIME_NO_HTML_TAG 0.51, MIME_BOUND_DD_DIGITS 3.60, MIME_HTML_ONLY 0.00, MIME_HTML_ONLY_MULTI 0.00, MISSING_MIMEOLE 1.39, MPART_ALT_DIFF 0.14, MSGID_SPAM_CAPS 3.52, RCVD_NUMERIC_HELO 1.25, REPTO_QUOTE_IMS 0.00, SARE_RECV_IP_222032 2.22, SUBJ_ILLEGAL_CHARS 3.36, UNPARSEABLE_RELAY 0.00)
---

Clearly, this email meets the threshold for autolearning; however, there is no autolearn string to be found, and the access times on the bayes database do /not/ change.

Any further input is more than welcome.

--
   _
  °v°   Daniel Maher
 /(_)\  Administrateur Système Unix
  ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From daniel.maher at ubisoft.com Wed Aug 23 16:37:44 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Aug 23 16:37:48 2006
Subject: [solved] SA bayes not working / autolearn inactive?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org>

Thanks to everybody for your suggestions.

I stopped MailScanner, and went through the directory tree manually, picking it over with a fine-toothed comb (as it were). I found that the parent directory of the bayes data directory did not have its execute bit set for the group - only for the user.

On the functioning mail servers, this group x bit was set. Voila.
After making this change and re-starting MailScanner, SpamAssassin is now happily reading from and writing to the bayes database, and autolearn is active.

Sometimes the best solutions are the most simple. :P

--
   _
  °v°   Daniel Maher
 /(_)\  Administrateur Système Unix
  ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Maher
> Sent: August 23, 2006 11:24 AM
> To: MailScanner discussion
> Subject: RE: SA bayes not working / autolearn inactive?
>
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Green, Rodney
> > Sent: August 22, 2006 12:34 PM
> > To: MailScanner discussion
> > Subject: Re: SA bayes not working / autolearn inactive?
> >
> > I didn't see anything in your original posting saying that you populated
> > the bayes db to try it. Also, the lint output you posted says that it
> > does not meet the threshold requirement.
> >
>
> Thanks for the reply,
>
> I have since populated the bayes DB (via sa-learn backup/restore) from one of the functioning mail servers.
> A lint check now shows this:
> ---
> [19182] dbg: bayes: DB journal sync: last sync: 1156345626
> [19182] dbg: bayes: corpus size: nspam = 5507601, nham = 1761804
> ---
>
> As before, my learning threshold config line is:
> ---
> bayes_auto_learn_threshold_spam 12
> ---
>
> Take, for example, the following mail which passed through a few moments ago:
> ---
> Aug 23 15:14:05 yosemite MailScanner[18668]: Message 593C069B0A.6BE83 from 222.35.236.81 (offjskcjacpiz@yahoo.co.kr) to ubisoft.com is spam, SpamAssassin (score=31.401, required 6, DATE_IN_FUTURE_96_XX 1.89, DATE_SPAMWARE_Y2K 1.82, FORGED_IMS_HTML 2.27, FORGED_IMS_TAGS 2.12, FORGED_MUA_IMS 1.20, FROM_ILLEGAL_CHARS 3.28, FROM_LOCAL_NOVOWEL 2.33, HTML_MESSAGE 0.50, HTML_MIME_NO_HTML_TAG 0.51, MIME_BOUND_DD_DIGITS 3.60, MIME_HTML_ONLY 0.00, MIME_HTML_ONLY_MULTI 0.00, MISSING_MIMEOLE 1.39, MPART_ALT_DIFF 0.14, MSGID_SPAM_CAPS 3.52, RCVD_NUMERIC_HELO 1.25, REPTO_QUOTE_IMS 0.00, SARE_RECV_IP_222032 2.22, SUBJ_ILLEGAL_CHARS 3.36, UNPARSEABLE_RELAY 0.00)
> ---
>
> Clearly, this email meets the threshold for autolearning; however, there is no autolearn string to be found, and the access times on the bayes database do /not/ change.
>
> Any further input is more than welcome.
>
>
> --
>    _
>   °v°   Daniel Maher
>  /(_)\  Administrateur Système Unix
>   ^ ^   Unix System Administrator
> Sentio aliquos togatos contra me conspirare.
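
The fault reported in the [solved] message above, a parent directory of the bayes data directory lacking the group execute bit, can be located by checking every ancestor of the database file for search permission. This is an added example, not code from the thread, MailScanner or SpamAssassin; the `MailScanner/bayes/bayes_toks` layout, the non-owner account and the modes are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Mode bits only: POSIX ACLs, SELinux and similar layers are not evaluated here.


def _class_bits(st, uid, gids, user, group, other):
    """Pick the bits of the single class (owner, group, other) that applies."""
    if st.st_uid == uid:
        return user
    if st.st_gid in gids:
        return group
    return other


def can_search(st, uid, gids):
    """True if the identity may traverse (x bit) the directory described by st."""
    if uid == 0:
        return True  # root is not subject to the search-permission check
    bit = _class_bits(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    return bool(st.st_mode & bit)


def can_read_write(st, uid, gids):
    """True if the identity holds both r and w on the file described by st."""
    if uid == 0:
        return True
    want = _class_bits(st, uid, gids,
                       stat.S_IRUSR | stat.S_IWUSR,
                       stat.S_IRGRP | stat.S_IWGRP,
                       stat.S_IROTH | stat.S_IWOTH)
    return (st.st_mode & want) == want


def ancestors(target, base="/"):
    """Directories from base down to the parent of target, outermost first."""
    target, base = os.path.realpath(target), os.path.realpath(base)
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("target must be below base")
    rel = os.path.relpath(os.path.dirname(target), base)
    dirs, current = [base], base
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        dirs.append(current)
    return dirs


def audit(target, uid, gids, base="/"):
    """Report every ancestor the identity cannot traverse, plus rw on the file."""
    gids = set(gids)
    blockers = []
    for directory in ancestors(target, base):
        st = os.stat(directory)
        if not can_search(st, uid, gids):
            blockers.append((directory, stat.filemode(st.st_mode)))
    return {"blockers": blockers,
            "file_rw": can_read_write(os.stat(target), uid, gids)}


def demo():
    """Constructed tree: group-writable database under a user-only parent."""
    base = os.path.realpath(tempfile.mkdtemp())
    try:
        parent = os.path.join(base, "MailScanner")
        bayes_dir = os.path.join(parent, "bayes")
        os.makedirs(bayes_dir)
        db = os.path.join(bayes_dir, "bayes_toks")
        open(db, "w").close()
        os.chmod(base, 0o750)
        os.chmod(bayes_dir, 0o770)
        os.chmod(db, 0o660)
        st = os.stat(db)
        # Hypothetical account: not the owner, but a member of the file's group.
        uid, gids = st.st_uid + 1, {st.st_gid}
        os.chmod(parent, 0o700)   # x for the user only: the broken state
        before = audit(db, uid, gids, base)
        os.chmod(parent, 0o710)   # group x added: the working state
        after = audit(db, uid, gids, base)
        names = lambda result: [os.path.relpath(p, base)
                                for p, _ in result["blockers"]]
        return names(before), names(after), after["file_rw"]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    broken, fixed, rw = demo()
    print("blocking directories before:", broken)
    print("blocking directories after: ", fixed)
    print("database read/write for group member:", rw)
```

On a real host, call `audit()` with the uid and group ids of the account the scanner runs as; the file's own 0660 mode is irrelevant until every directory above it is searchable.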
From campbell at cnpapers.com Wed Aug 23 16:38:10 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Aug 23 16:38:31 2006 Subject: A question about mqueue.in directory References: <20060823113823.cczrgbrdmnwg8ok4@webmail.itu.edu.tr> Message-ID: <006b01c6c6ca$23c36820$0705000a@DDF5DW71> ----- Original Message ----- From: "Hakan VELIOGLU" To: Sent: Wednesday, August 23, 2006 4:38 AM Subject: A question about mqueue.in directory > Hi, > > I am new with sendmail and mailscanner, and I got a question about > mqueue.in > directory. Our mailgateway server is up for two weeks and it has 566 old > files > in /var/spool/mqueue.in/ directory. What version of sendmail? If it's 8.13.?, then check your "Lock Type" parm and make sure it's set to "posix". If sendmail is 8.12.?, set it to "flock". Don't assume it takes the default; I would set it manually. Steve > > Is it normal? and why this happens? > > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Wed Aug 23 16:54:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 23 16:54:41 2006 Subject: SA bayes not working / autolearn inactive? 
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D146@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D146@UBIMAIL1.ubisoft.org> Message-ID: <223f97700608230854q311b19bh4d1a7f99d8b66667@mail.gmail.com> On 23/08/06, Daniel Maher wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Green, Rodney > > Sent: August 22, 2006 12:34 PM > > To: MailScanner discussion > > Subject: Re: SA bayes not working / autolearn inactive? > > > > I didn't see anything in your original posting saying that you populated > > the bayes db to try it. Also, the lint output you posted says that it > > does not meet the threshold requirement. > > > > Thanks for the reply, > > I have since populated the bayes DB (via sa-learn backup/restore) from one of the functioning mail servers. A lint check now shows this: > --- > [19182] dbg: bayes: DB journal sync: last sync: 1156345626 > [19182] dbg: bayes: corpus size: nspam = 5507601, nham = 1761804 > --- > > As before, my learning threshold config line is: > --- > bayes_auto_learn_threshold_spam 12 > --- > > Take, for example, the following mail which passed through a few moments ago: > --- > Aug 23 15:14:05 yosemite MailScanner[18668]: Message 593C069B0A.6BE83 from 222.35.236.81 (offjskcjacpiz@yahoo.co.kr) to ubisoft.com is spam, SpamAssassin (score=31.401, required 6, DATE_IN_FUTURE_96_XX 1.89, DATE_SPAMWARE_Y2K 1.82, FORGED_IMS_HTML 2.27, FORGED_IMS_TAGS 2.12, FORGED_MUA_IMS 1.20, FROM_ILLEGAL_CHARS 3.28, FROM_LOCAL_NOVOWEL 2.33, HTML_MESSAGE 0.50, HTML_MIME_NO_HTML_TAG 0.51, MIME_BOUND_DD_DIGITS 3.60, MIME_HTML_ONLY 0.00, MIME_HTML_ONLY_MULTI 0.00, MISSING_MIMEOLE 1.39, MPART_ALT_DIFF 0.14, MSGID_SPAM_CAPS 3.52, RCVD_NUMERIC_HELO 1.25, REPTO_QUOTE_IMS 0.00, SARE_RECV_IP_222032 2.22, SUBJ_ILLEGAL_CHARS 3.36, UNPARSEABLE_RELAY 0.00) > --- > > Clearly, this email meets the threshold for autolearning; however, there 
is no autolearn string to be found, and the access times on the bayes database do /not/ change. > > Any further input is more than welcome. > I think you're "using the wrong database" (user) for the lint, or the postfix user cannot write to the file(s). Do: su - postfix -s /bin/bash Then at that prompt, rerun the spamassassin lint. Any problems? Same is very likely the case for AWL. Fix is to see that the ownership/permissions are correct on the files as such, as well as checking/changing the appropriate *Permissions (Incoming and Quarantine, IIRC) are set correctly in MailScanner.conf... And (probably best... mandatory if you use MailWatch): bayes_path /etc/MailScanner/bayes/bayes bayes_file_mode 0770 ... or similar in /etc/mail/spamassassin/mailscanner.cf (which is a link to spam.assassin.prefs.conf). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From colin at mainline.co.uk Wed Aug 23 16:55:35 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Aug 23 16:55:00 2006 Subject: Odd time/date stamp in maillog Message-ID: Thanks Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: 23 August 2006 16:19 > To: MailScanner discussion > Subject: Re: Odd time/date stamp in maillog > > On 23/08/06, Glenn Steen wrote: > > On 23/08/06, Colin Jack wrote: > > > Thanks ... the odd thing is that the system time seems > fine when I > > > use 'date' ... it is just that MailScanner is putting the > wrong time > > > stamp in the logs. > > > > > > Colin > > > > > Yes, well... That is an interractive session, which has probably > > loaded some additional environmental setup files, so > doesn't say much > > (TZ is probably set in a central profile, bashrc or similar > file). If > > you look at your cron jobs etc, they likely have a somewhat "skewed" > > view of what timezone you're in too. 
> > You obviously have a correct setting for it in the interactive shell,
> > so you might want to look at that (echo $TZ).
> > BTW, (thanks Phil for the correction:) did you try running system-config-date?
> >
> > Cheers
> If you don't have the system-config-date utility, you can easily yum it, as shown here:
> http://lists.centos.org/pipermail/centos/2005-May/047058.html
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Aug 23 16:56:55 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 23 16:56:59 2006
Subject: [solved] SA bayes not working / autolearn inactive?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700608230856o43534792taf994e90a4475fa1@mail.gmail.com>

On 23/08/06, Daniel Maher wrote:
> Thanks to everybody for your suggestions.
> > I stopped MailScanner, and went through the directory tree manually, picking it over with a fine-toothed comb (as it were). I found that the parent directory of the bayes data directory did not have it's execute bit set for the group - only for the user. > > On the functioning mail servers, this group x bit was set. Voila. > > After making this change and re-starting MailScanner, SpamAssassin is now happily reading from and writing to the bayes database, and autolearn is active. > > Sometimes the best solutions are the most simple. :P > Glad you found it. Obviously, I'm a slow typer today:-):-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bpumphrey at WoodMacLaw.com Wed Aug 23 17:07:49 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Wed Aug 23 17:07:53 2006 Subject: SA bayes not working / autolearn inactive? In-Reply-To: <44EB28A1.2070902@trayerproducts.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D15018E344D@woodenex.woodmaclaw.local> > > > > Daniel Maher wrote: > > > > Hello all, > > > > I set up a new MailScanner server today, basically as a clone of an > > already existing one in the pool. I have SpamAssassin's "autolearn" > > feature enabled on the existing mail servers; however, even though I > > have the same environment and configuration file on the new incoming > > server, autolearn does not appear to be activated. It's either that, > > or bayes just isn't activating properly, and autolearn is deactivating > > on it's own.. I'm just not sure. > > What are the commands that you are running? From bpumphrey at WoodMacLaw.com Wed Aug 23 17:11:32 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Wed Aug 23 17:11:36 2006 Subject: SA bayes not working / autolearn inactive? 
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15018E344D@woodenex.woodmaclaw.local> Message-ID: <04D932B0071FE34FA63EBB1977B48D15018E3452@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > Sent: Wednesday, August 23, 2006 12:08 PM > To: MailScanner discussion > Subject: RE: SA bayes not working / autolearn inactive? > > > > > > > > > Daniel Maher wrote: > > > > > > Hello all, > > > > > > I set up a new MailScanner server today, basically as a clone of an > > > already existing one in the pool. I have SpamAssassin's "autolearn" > > > feature enabled on the existing mail servers; however, even though I > > > have the same environment and configuration file on the new incoming > > > server, autolearn does not appear to be activated. It's either that, > > > or bayes just isn't activating properly, and autolearn is > deactivating > > > on it's own.. I'm just not sure. > > > > > What are the commands that you are running? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. Nevermind, I see that it is solved. 
From mkettler at evi-inc.com Wed Aug 23 17:32:19 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Aug 23 17:32:33 2006 Subject: auto whitelisting In-Reply-To: <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com> References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> <44EABB69.4090001@solid-state-logic.com> <44EB4F2E.4020201@evi-inc.com> <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com> Message-ID: <44EC8313.9070408@evi-inc.com> Glenn Steen wrote: > On 22/08/06, Matt Kettler wrote: >> Martin Hepworth wrote: >> > >> > I'd agree with Matt. I always recommend you turn the thing off as it >> > tends to let spam through when you don't want it to.. >> >> Well, that's true.. but it can also cause spam to be tagged when it would >> otherwise be missed. >> >> Remember.. the AWL is NOT a whitelist.. >> > Exactly! > I can say for a fact that the AWL has been keeping my false > rejection/tagging rate well down, even after applying some things > (ImageInfo mainly) to get a grip on the image based spam. Without the > AWL, many a financial newsletter would have gone down the drain... As > it is now, I cannot find one case where they've got tagged or removed. > Haven't seen the wildly fluctuating "missfires" of the AWL that some > report either. > So I'll be keeping my AWL on, for that crucial score averaging I need. > You know, one thing I find highly amusing is that even though I personally dislike the AWL, I wind up being a proponent of it to some folks. Which is completely fine by me, but rather funny. I guess that's what happens when you're more focused on giving folks the real facts about the AWL than on telling them how bad it is. It's hard to tell that I dislike the AWL if your read some of my wiki stuff on it: http://wiki.apache.org/spamassassin/AwlWrongWay I guess I just dislike misinformation a whole lot more than I dislike the AWL. 
From mailscanner at ecs.soton.ac.uk Wed Aug 23 19:53:29 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 19:53:56 2006 Subject: Config is double checking blacklists In-Reply-To: <223f97700608230316s6b2475a0seec1d5b731910480@mail.gmail.com> References: <000701c6c5e2$aca01190$1465a8c0@support01> <223f97700608230316s6b2475a0seec1d5b731910480@mail.gmail.com> Message-ID: <44ECA429.2090305@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 22/08/06, Nigel Kendrick wrote: >> Hi Folks, >> >> I noticed we were suddenly getting a lot of our own outbound mail >> marked as >> spam. The root cause was we'd ended up in CBL due to a mis-configured >> server >> name, but in sorting this out, I noticed the following info at Spamhaus.. >> >> === >> >> Exploits Block List >> >> The Spamhaus Exploits Block List (XBL) is a realtime database of IP >> addresses of illegal 3rd party exploits, including open proxies (HTTP, >> socks, AnalogX, wingate, etc), worms/viruses with built-in spam >> engines, and >> other types of trojan-horse exploits. >> >> Incorporates CBL data and NJABL proxy data >> >> The XBL wholly incorporates data from two highly-trusted DNSBL >> sources, with >> tweaks by Spamhaus to maximise the data efficiency and lower False >> Positives. The main components are: >> - the CBL (Composite Block List) from cbl.abuseat.org >> - the NJABL Open Proxy IPs list from www.njabl.org. >> >> Mail servers already using cbl.abuseat.org should NOT also use >> xbl.spamhaus.org or you will be making 'double' queries to basically the >> same data source and only one DNSBL will appear to work (the other(s) >> will >> appear to not catch anything). Mail servers already using dnsbl.njabl.org >> are advised to continue doing so, as dnsbl.njabl.org is itself a >> composite >> list and contains more than the open proxy IPs list part now >> incorporated in >> XBL. 
>> >> === >> >> The only reason I point this out is that my installation of >> MailScanner et. >> Al was originally done using Johnny Hughes' excellent howto and by >> default, >> the spam checking rules used list both SBL+XBL and CBL, which >> according to >> the above means we are effectively double-checking and any 'hit' will >> count >> as 2 towards 'spam lists to be spam'. >> >> If my assumption is correct, will I be OK to remove SBL+XBL and >> replace it >> with spamhaus.org in order to not check both XBL and CBL? >> >> Thanks >> > Wouldn't the natural thing to do be to remove CBL and keep SBL-XBL? > Also, search the mailing list archives, there has been a fair amount > of discussion of where to do rbl checking (MTA, MS or SA) whith some > fairly informed opinions:-). My official party line is this: If you want nice rejection messages sent to people (please do NOT attempt to notify senders of spam messages, they are always fake and you will just royally piss off the poor innocent guy who owns the faked sender address) then reject in MailScanner. Otherwise reject in the MTA. Do not use more than about 2 "Spam Lists" in MailScanner.conf. They are queried in series, so every extra one slows down your mail more. Best bet: leave the job to SpamAssassin which uses loads of blacklists, knows exactly how reliable and trustworthy each blacklist is (as reflected in its score for each one, which is carefully calculated) and looks them all up in parallel, ie. really fast. But if you just want to reject anything on a particular blacklist, do it in your MTA. Personally: I use MailScanner and SpamAssassin to do the job. Though one day I may well remove the MailScanner tests and just do it in the MTA, but I have enough horsepower in my MXs to do it in MailScanner. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE7KQsEfZZRxQVtlQRAqHAAKDZiAO5NtaMf0Ds8d3CE2tjJyVMoACdGWCY EOp5agfmWmwevahIuGdhFLc= =mohy -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 23 19:57:01 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 19:57:25 2006 Subject: SpamAssassin Temporary Files In-Reply-To: <39208f33da6e6e55dec46b011d02d423@localhost> References: <39208f33da6e6e55dec46b011d02d423@localhost> Message-ID: <44ECA4FD.7040809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What does it use as default if it's not set? - --[ UxBoD ]-- wrote: > Hi, > > I am attempting to tune our MailScanner/SpamAssassin implementation, and have created a 256MB tmpfs for the bayes databases and incoming work area. > What would be good is if a configuration item could be added to MailScanner for the SpamAssassin TMPDIR variable. I have harded coded it at the moment in the MailScanner perl script with :- > > $ENV{TMPDIR}="/var/spool/MailScanner/spamassassin"; # Write Temp Files to TMPFS > > And that does appear to speed things up quite nicely. I have FuzzyOCR running aswell so this now inherits the TMPDIR path aswell. > > What do you think ? > > Cheers, > > --[ UxBoD ]-- > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 > // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: UTF-8 wj8DBQFE7KUCEfZZRxQVtlQRAsOHAKCMym3nGg8mqPMQ44SvgxiaSKTYDACfdMvl QXqzpOViK2iVXk0QRoISetw= =dS+B -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at berger.nl Wed Aug 23 20:07:40 2006 From: mailscanner at berger.nl (mailscanner@berger.nl) Date: Wed Aug 23 20:07:54 2006 Subject: gif attachments Message-ID: <1156360060.2502@bsd4.nedport.net> Hi there, As many others I also have a lot of problems tagging the spam with gif attachments. I now have a spam which referes to the gif attachment. This one is hardly tagged as spam, mainly because the text is changing every mail and the name of the gif attachment is changing. The only thing what stays the same is the size of the attachment. So, I am aware that this is not the right mailinglist, but has somebody written a rule which checks the size of an attachment? Thanks, Roger From raymond at prolocation.net Wed Aug 23 20:10:20 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Aug 23 20:10:16 2006 Subject: gif attachments In-Reply-To: <1156360060.2502@bsd4.nedport.net> References: <1156360060.2502@bsd4.nedport.net> Message-ID: Hi! > As many others I also have a lot of problems tagging the spam with gif > attachments. I now have a spam which referes to the gif attachment. This > one is hardly tagged as spam, mainly because the text is changing every > mail and the name of the gif attachment is changing. The only thing what > stays the same is the size of the attachment. > So, I am aware that this is not the right mailinglist, but has somebody > written a rule which checks the size of an attachment? 
Check: http://www.rulesemporium.com/plugins.htm

Try ImageInfo

Bye,
Raymond.

From ssilva at sgvwater.com Wed Aug 23 21:19:15 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 23 21:21:19 2006
Subject: File Attachment Rules
In-Reply-To:
References:
Message-ID:

Colin Jack spake the following on 8/23/2006 3:03 AM:
> Thanks Julian - now I need to work out what other cool things I can do
> with rulesets ;)
>
> Regards
>
> Colin

Contribute to the project by adding some ruleset examples to the wiki for the less fortunate! ;-)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner at ecs.soton.ac.uk Wed Aug 23 21:24:40 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 23 21:25:02 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <44ECB988.2040006@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kash, Howard (Civ, ARL/CISD) wrote:
>> Instead of the closest following MIME boundary, how about the closest
>> following blank line (or line that only contains whitespace). Would that
>> be okay?
>
>
> That sounds like an OK fix for the images. The plugins don't care about
> the closing MIME boundary, they just need the full base64 encoding
> present, which, as far as I know, shouldn't contain any blank lines.
> The only issue I can think of is if you hit the "Max SpamAssassin Size"
> limit in the middle of the MIME header. Then your next blank line would
> be between the header and the contents and you're left with a header but
> no contents. That would probably still trigger a corrupt image rule,
> but should be pretty rare.
>
> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default score of
> zero in at least the 3.1 releases.

Sounds survivable.
After the limit I will keep going until I hit the first line that only contains white space. All done. Will be in the next beta. *Please* test this functionality after I release this beta. > > > Howard - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE7LmMEfZZRxQVtlQRAo6WAKDSJlPXxbqj3KfOEGRlA+IBeWVhtQCgjv8W 5N7UCvYtl9+ZRWw/G12ywk8= =4DzA -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 23 21:27:06 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 21:27:31 2006 Subject: [solved] SA bayes not working / autolearn inactive? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org> Message-ID: <44ECBA1A.9050203@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That one is definitely worth documenting. Please can you add it to the wiki? wiki.mailscanner.info Daniel Maher wrote: > Thanks to everybody for your suggestions. > > I stopped MailScanner, and went through the directory tree manually, picking it over with a fine-toothed comb (as it were). I found that the parent directory of the bayes data directory did not have it's execute bit set for the group - only for the user. > > On the functioning mail servers, this group x bit was set. Voila. 
> > After making this change and re-starting MailScanner, SpamAssassin is now happily reading from and writing to the bayes database, and autolearn is active. > > Sometimes the best solutions are the most simple. :P > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Daniel Maher >> Sent: August 23, 2006 11:24 AM >> To: MailScanner discussion >> Subject: RE: SA bayes not working / autolearn inactive? >> >> >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Green, Rodney >>> Sent: August 22, 2006 12:34 PM >>> To: MailScanner discussion >>> Subject: Re: SA bayes not working / autolearn inactive? >>> >>> I didn't see anything in your original posting saying that you populated >>> the bayes db to try it. Also, the lint output you posted says that it >>> does not meet the threshold requirement. >>> >> Thanks for the reply, >> >> I have since populated the bayes DB (via sa-learn backup/restore) from one >> of the functioning mail servers. 
A lint check now shows this: >> --- >> [19182] dbg: bayes: DB journal sync: last sync: 1156345626 >> [19182] dbg: bayes: corpus size: nspam = 5507601, nham = 1761804 >> --- >> >> As before, my learning threshold config line is: >> --- >> bayes_auto_learn_threshold_spam 12 >> --- >> >> Take, for example, the following mail which passed through a few moments >> ago: >> --- >> Aug 23 15:14:05 yosemite MailScanner[18668]: Message 593C069B0A.6BE83 from >> 222.35.236.81 (offjskcjacpiz@yahoo.co.kr) to ubisoft.com is spam, >> SpamAssassin (score=31.401, required 6, DATE_IN_FUTURE_96_XX 1.89, >> DATE_SPAMWARE_Y2K 1.82, FORGED_IMS_HTML 2.27, FORGED_IMS_TAGS 2.12, >> FORGED_MUA_IMS 1.20, FROM_ILLEGAL_CHARS 3.28, FROM_LOCAL_NOVOWEL 2.33, >> HTML_MESSAGE 0.50, HTML_MIME_NO_HTML_TAG 0.51, MIME_BOUND_DD_DIGITS 3.60, >> MIME_HTML_ONLY 0.00, MIME_HTML_ONLY_MULTI 0.00, MISSING_MIMEOLE 1.39, >> MPART_ALT_DIFF 0.14, MSGID_SPAM_CAPS 3.52, RCVD_NUMERIC_HELO 1.25, >> REPTO_QUOTE_IMS 0.00, SARE_RECV_IP_222032 2.22, SUBJ_ILLEGAL_CHARS 3.36, >> UNPARSEABLE_RELAY 0.00) >> --- >> >> Clearly, this email meets the threshold for autolearning; however, there >> is no autolearn string to be found, and the access times on the bayes >> database do /not/ change. >> >> Any further input is more than welcome. >> >> >> -- >> _ >> ?v? Daniel Maher >> /(_)\ Administrateur Syst?me Unix >> ^ ^ Unix System Administrator >> Sentio aliquos togatos contra me conspirare. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE7LogEfZZRxQVtlQRAolHAJ0YWMdTFfuhBnWRKm4lus5z5ASMAgCfa0Uu k82TZLMX1Jr8zRRic1SxyIw= =0MGN -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Aug 23 21:29:14 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 21:29:35 2006 Subject: gif attachments In-Reply-To: <1156360060.2502@bsd4.nedport.net> References: <1156360060.2502@bsd4.nedport.net> Message-ID: <44ECBA9A.6010209@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Try implementing greylisting on your servers. This has helped a lot with this problem on my systems. Even if you set the greylisting delay as low as 5 minutes. mailscanner@berger.nl wrote: > Hi there, > > As many others I also have a lot of problems tagging the spam with gif attachments. I now have a spam which referes to the gif attachment. This one is hardly tagged as spam, mainly because the text is changing every mail and the name of the gif attachment is changing. The only thing what stays the same is the size of the attachment. > So, I am aware that this is not the right mailinglist, but has somebody written a rule which checks the size of an attachment? > > Thanks, > > Roger > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE7LqeEfZZRxQVtlQRAjTbAJ0ZOLjMTGFDd4KZG7kzVtR15KZnRACgjPp2 gk5NfwtjE44IKpstQ0EtVsE= =3Q8V -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From daniel.maher at ubisoft.com Wed Aug 23 22:02:06 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Aug 23 22:02:10 2006 Subject: Greylisting (WAS: gif attachments) Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: August 23, 2006 4:29 PM > To: MailScanner discussion > Subject: Re: gif attachments > > > Try implementing greylisting on your servers. This has helped a lot with > this problem on my systems. > Even if you set the greylisting delay as low as 5 minutes. My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. Comments? -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From jaearick at colby.edu Wed Aug 23 22:07:33 2006 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Wed Aug 23 22:10:50 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: On Wed, 23 Aug 2006, Daniel Maher wrote: > Date: Wed, 23 Aug 2006 17:02:06 -0400 > From: Daniel Maher > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: RE: Greylisting (WAS: gif attachments) > > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. > > My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. > > Comments? That is like running a red light and then complaining about the accident. I doubt most email sysadmins would give the complainer much sympathy. Jeff Earickson Colby College From michele at blacknight.ie Wed Aug 23 22:11:07 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Wed Aug 23 22:11:11 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: <44ECC46B.3030908@blacknight.ie> Daniel Maher wrote: > > My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. 
> > Comments? > Make sure you have a sane whitelist.... Gmail, for example, seems to proxy their outbound mail, so you won't see the same sending IP. Solution - whitelist their netblocks -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From taz at taz-mania.com Wed Aug 23 22:18:27 2006 From: taz at taz-mania.com (Dennis Willson) Date: Wed Aug 23 22:18:30 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: Unless someone from one of these services steps up and says they don't, then the only way to tell is if users of one of those service are getting bounces with the temporary failure message in it. I have been running greylisting for sometime and I have not seen this or had any of the users complain about losing email. Occasionally something that has been quarentined as Spam is a real email, but if it made into the quarentine, then it made it by the greylisting. On Wed, 23 Aug 2006 17:02:06 -0400 "Daniel Maher" wrote: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >>[mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot >>with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. > >My big fear w/ Greylisting is that a (legitmate) SMTP server >somewhere won't respect the "try again later" code, and instead just >fail to deliver the mail. I've heard rumours that some of the larger >webmail providers exhibit this behaviour. > >Comments? > >-- > _ > ?v? 
Daniel Maher >/(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > >Sentio aliquos togatos contra me conspirare. >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From taz at taz-mania.com Wed Aug 23 22:24:37 2006 From: taz at taz-mania.com (Dennis Willson) Date: Wed Aug 23 22:24:40 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: Additionally, I have a problem with "legitmate SMTP server" and not respecting the "try again later". There are lots of reasons a mail server may return a temp error other than greylisting. Like too high of a load (currently under a Spam attack), too many connections, etc... If you really want your email delivered you pretty much have to honor the temp errors and try again later. On Wed, 23 Aug 2006 17:02:06 -0400 "Daniel Maher" wrote: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >>[mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot >>with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. 
> >My big fear w/ Greylisting is that a (legitmate) SMTP server >somewhere won't respect the "try again later" code, and instead just >fail to deliver the mail. I've heard rumours that some of the larger >webmail providers exhibit this behaviour. > >Comments? > >-- > _ > ?v? Daniel Maher >/(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > >Sentio aliquos togatos contra me conspirare. >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From sboone at pyrontechnologies.com Wed Aug 23 22:33:04 2006 From: sboone at pyrontechnologies.com (Steve Boone) Date: Wed Aug 23 22:27:54 2006 Subject: Greylisting (WAS: gif attachments) Message-ID: <46C861836653254E89507F1E26F3AE9389AE9B@frodo.pyron.local> I have noticed this behavior more from smaller ISPs. I have been running greylisting for a while and have had no problems with delivery from the larger mail servers. It's the people with accounts at the small town ISP that run into problems with their mail servers bouncing greylisted messages. I have noticed that even though I have the greylisting timeout set to 5 minutes, many servers wait anywhere from 20 minutes to several hours before retrying delivery. I find myself having to whitelist servers for people all the time because of this (because of course, their email is "time sensitive"). 
All in all though, the reduction in traffic through my MailScanner is well worth the tradeoff.

Steve

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Maher
Sent: Wednesday, August 23, 2006 3:02 PM
To: MailScanner discussion
Subject: RE: Greylisting (WAS: gif attachments)

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: August 23, 2006 4:29 PM
> To: MailScanner discussion
> Subject: Re: gif attachments
>
>
> Try implementing greylisting on your servers. This has helped a lot with
> this problem on my systems.
> Even if you set the greylisting delay as low as 5 minutes.

My big fear w/ Greylisting is that a (legitimate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour.

Comments?

--
 _
?v?   Daniel Maher
/(_)\ Administrateur Système Unix
^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
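
The greylisting behaviour debated in this thread, as an added example that is not part of the original messages and is not milter-greylist's code: a minimal triplet greylister with the 5-minute delay and a netblock whitelist, replayed against a retrying MTA, a sender that never retries, and a provider whose retries come from rotating outbound IPs. The class, the reply strings, the 24-hour retry window and all addresses are assumptions or constructed sample data.

```python
"""Greylisting decision logic: triplet tracking, retry delay, netblock whitelist."""
import ipaddress

DELAY = 5 * 60            # 5-minute greylisting delay, as suggested in the thread
RETRY_WINDOW = 24 * 3600  # assumption: how long a deferred triplet may wait for a retry


class Greylist:
    def __init__(self, delay=DELAY, window=RETRY_WINDOW, whitelist=(), match_prefix=32):
        self.delay = delay
        self.window = window
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.match_prefix = match_prefix  # 32 = exact IP, 24 = match on the /24
        self.pending = {}                 # triplet -> time first seen
        self.passed = set()               # triplets that retried correctly

    def _key(self, ip, sender, rcpt):
        net = ipaddress.ip_network(f"{ip}/{self.match_prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        """Return an SMTP-style reply (illustrative text) for one delivery attempt."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "250 whitelisted netblock"
        key = self._key(ip, sender, rcpt)
        if key in self.passed:
            return "250 known triplet"
        first = self.pending.get(key)
        if first is None or now - first > self.window:
            self.pending[key] = now       # first contact, or the old entry expired
            return "451 try again later"
        if now - first < self.delay:
            return "451 try again later"  # retried too soon
        del self.pending[key]
        self.passed.add(key)
        return "250 accepted after retry"


def deliver(gl, attempts, sender="alice@sender.example", rcpt="bob@rcpt.example"):
    """Replay (time, ip) attempts; return the time the mail was accepted, or None."""
    for t, ip in attempts:
        if gl.check(ip, sender, rcpt, t).startswith("250"):
            return t
    return None


# Constructed delivery attempts: (seconds since first attempt, connecting IP).
RETRYING_MTA = [(0, "192.0.2.25"), (1200, "192.0.2.25")]  # retries after 20 min
NO_RETRY = [(0, "198.51.100.9")]                           # treats 451 as final
ROTATING_POOL = [(0, "203.0.113.11"), (1200, "203.0.113.87"), (2400, "203.0.113.140")]


def run_scenarios():
    return {
        "retrying_mta": deliver(Greylist(), RETRYING_MTA),
        "no_retry": deliver(Greylist(), NO_RETRY),
        # Every retry arrives from a new IP, so each one looks like a first contact.
        "rotating_pool_exact": deliver(Greylist(), ROTATING_POOL),
        # Whitelisting the provider's netblock accepts the first attempt.
        "rotating_pool_whitelisted": deliver(
            Greylist(whitelist=["203.0.113.0/24"]), ROTATING_POOL),
        # Matching triplets on the /24 accepts the first retry instead.
        "rotating_pool_slash24": deliver(Greylist(match_prefix=24), ROTATING_POOL),
    }


if __name__ == "__main__":
    for name, accepted_at in run_scenarios().items():
        print(f"{name:28s} accepted at: {accepted_at}")
```

The retrying MTA is accepted at 1200 seconds, not 300: the observed delay is set by the sender's retry schedule, with the configured delay only a lower bound.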
From dave.list at pixelhammer.com Wed Aug 23 22:32:13 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Aug 23 22:32:39 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: <44ECC95D.5090205@pixelhammer.com> Daniel Maher wrote: > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. > > My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. > > Comments? We just configured greylisting on all our gateway servers this week. Our spam percentage (caught) dropped dramatically, because the number of messages which made it into our servers fell by over 70%. Very nice, our servers are bored now. We should have had over 80k messages today yet we are showing only 30k have made it inside so far. Now that five oclock is here, the percentage of good messages will fall fast. For what it is worth we went with Milter-greylist 2.02 as it provides a sync ability between multiple MXs. Note also that the conf file already has a large list of mail servers that do not honor temp failures and they are whitelisted from the gitgo. You can also whitelist IPs, rcpt addresses, sender addresses, regex addresses, domains. So far we are very happy. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. 
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mailscanner at ecs.soton.ac.uk Wed Aug 23 22:37:45 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 23 22:38:08 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: <44ECCAA9.5090604@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Daniel Maher wrote: > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. > > My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. > > Comments? There is a well-maintained whitelist of addresses and netblocks you should whitelist at http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt This list (a slightly out-dated version) is included in the milter-greylist greylist.conf file. You just need to get the most recent version of the file and add it to your greylist.conf once you have mangled the syntax of each line appropriately. Problem solved. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE7MquEfZZRxQVtlQRAgaEAKC4XCkOIWYBnv+ox3qR/VPGGOhHugCgqiUU NYAS6rseO9la9OQOj1lz0dA= =KEkf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at mango.zw Wed Aug 23 22:41:49 2006 From: mailscanner at mango.zw (Jim Holland) Date: Wed Aug 23 22:40:57 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EC06B7.6090800@ecs.soton.ac.uk> Message-ID: On Wed, 23 Aug 2006, Julian Field wrote: > > Jim Holland wrote: > > > >> You have very kindly included a new facility for providing separate > >> reports for messages and attachments which have been blocked or > >> quarantined due to user specified size restrictions. I have done > >> some testing on both oversize messages and attachments, and am > >> pleased to report that it works exactly as intended for attachments, > >> giving a report such as: > >> > >> MailScanner: Attachment is too large: 154303 bytes > >> > >> However in the case of oversize messages, the report is just: > >> > >> MailScanner: Message is too large > >> > >> with no indication of the size of the message that has been > >> quarantined. Would it be possible to include the size in that case > >> as well? That would be very helpful for people who don't want to > >> unquarantine a message that is far too large for them to handle. > >> > > I'll take a look and see. I can only think that there was some good > > reason why I couldn't do it. > Edit /usr/lib/MailScanner/MailScanner/SweepContent.pm and around line > 131 you need to change it to say > > MailScanner::Config::LanguageValue($message, 'toobig') . ": " > . $message->{size} . 
" bytes\n"; Thanks. That does the trick. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From matt at coders.co.uk Wed Aug 23 22:46:02 2006 From: matt at coders.co.uk (Matt Hampton) Date: Wed Aug 23 22:45:30 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <44ECCAA9.5090604@ecs.soton.ac.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> Message-ID: <44ECCC9A.3030004@coders.co.uk> >>>> Try implementing greylisting on your servers. This has helped a lot with >>>> this problem on my systems. >>>> Even if you set the greylisting delay as low as 5 minutes. >>> My big fear w/ Greylisting is that a (legitmate) SMTP server somewhere won't respect the "try again later" code, and instead just fail to deliver the mail. I've heard rumours that some of the larger webmail providers exhibit this behaviour. >>> >>> Comments? I ran it for about 6 months and didn't have any issues with it. However I then turned on sendmail's "greet_pause" facility and this caught almost as much as grey-listing. I decided to turn off the grey-listing as this was just another thing to maintain and debug if someone complained. matt From mailscanner at mango.zw Wed Aug 23 23:41:01 2006 From: mailscanner at mango.zw (Jim Holland) Date: Wed Aug 23 23:40:07 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EC06B7.6090800@ecs.soton.ac.uk> Message-ID: Hi Julian You wrote in reference to my install.log sent privately: > It's probably in the Clam-SA tarball. > Looks like I will have to move it. > > root wrote: >> Hi Julian >> >> This is the log. >> >> I can't see any reference to trying to install Sys::Hostname::Long >> >> Regards >> >> Jim Holland However the perl-Sys-Hostname-Long-1.4-1.src.rpm file is already included in MailScanner-4.56.1-1.rpm.tar.gz. That rpm contains the Sys-Hostname-Long-1.4.tar.gz which is in the Clam-SA tarball. 
I still think something very strange is going on with the installation of the Perl modules. The installation goes as far as installing perl-Getopt-Long-2.35-1, which appears to go fine. However when running MailScanner -v there is no mention of this module at all - see listing below. It is however found at /usr/lib/perl5/5.6.1/Getopt/Long.pm. Having another look at the install log I now finally notice this: file /usr/lib/perl5/5.6.1/Getopt/Long.pm from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71 file /usr/lib/perl5/5.6.1/newgetopt.pl from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71 file /usr/share/man/man3/Getopt::Long.3pm.gz from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71 I suspect that when a module installation failure occurs during the execution of the following command: rpm -Uvh ${NODEPS} ${RPMROOT}/RPMS/${ARC}/${FILEPREFIX}.${ARC}.rpm then the script breaks out of the Here Documents loop at this point and fails to continue to install any remaining Perl modules. 
Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service Running on Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686 unknown This is Red Hat Linux release 7.1 (Seawolf) This is Perl version 5.006001 (5.6.1) This is MailScanner version 4.56.1 Module versions are: 1.14 Archive::Zip 1.119 Convert::BinHex 1.03 Fcntl 2.6 File::Basename 2.03 File::Copy 2.00 FileHandle 1.0404 File::Path 0.16 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.54 HTML::Parser 2.37 HTML::TokeParser 1.20 IO 1.08 IO::File 1.121 IO::Pipe 1.71 Mail::Header 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.10 Net::CIDR 1.03 POSIX 1.72 Socket 1.4 Sys::Hostname::Long 0.01 Sys::Syslog 1.86 Time::HiRes 1.01 Time::localtime Optional module versions are: 0.17 Convert::TNEF 1.75 DB_File 1.12 DBD::SQLite 1.50 DBI 1.10 Digest missing Digest::HMAC 2.36 Digest::MD5 missing Digest::SHA1 missing Inline missing Mail::ClamAV missing Mail::SpamAssassin missing Mail::SPF::Query missing Net::CIDR::Lite missing Net::IP missing Net::DNS missing Net::LDAP missing Parse::RecDescent missing SAVI 2.46 Test::Harness 0.62 Test::Simple missing Text::Balanced 1.35 URI From pete at enitech.com.au Thu Aug 24 00:08:36 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Aug 24 00:09:02 2006 Subject: Block Postive Phishing Frauds Message-ID: <44ECDFF4.2080708@enitech.com.au> I am about to enable phishing fraud detection for the first time - but i would prefer to block the email rather than forward with a warning. How do i easily raise the score of email that get the phishing warning? Or is there a better way to block these emails? 
Thanks Pete From jrudd at ucsc.edu Thu Aug 24 00:15:04 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 24 00:15:11 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> Message-ID: <237475650b3f75582324757f78a38306@ucsc.edu> On Aug 23, 2006, at 14:02, Daniel Maher wrote: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: August 23, 2006 4:29 PM >> To: MailScanner discussion >> Subject: Re: gif attachments >> >> >> Try implementing greylisting on your servers. This has helped a lot >> with >> this problem on my systems. >> Even if you set the greylisting delay as low as 5 minutes. > > My big fear w/ Greylisting is that a (legitimate) SMTP server somewhere > won't respect the "try again later" code, and instead just fail to > deliver the mail. I've heard rumours that some of the larger webmail > providers exhibit this behaviour. > You kind of have to make the decision of whether you're going to enforce standards and endure the complaints from idiots within your own organization (who, unfortunately, might be politically powerful idiots) ... or you're going to not have hard and meaningful standards in the name of practicality. Not an easy decision in some environments. The unfortunate part is, it sometimes depends on whether or not your boss and boss's boss, etc., will shield you from the fallout of enforcing standards. I personally think that's the better path. But no one outside of your organization can really say whether it'll work for you. My personal answer, though, is: No SMTP server which behaves in the manner you describe qualifies for the label "legitimate". But, my definition of legitimate may vary slightly from yours.
From jrudd at ucsc.edu Thu Aug 24 00:20:26 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 24 00:21:11 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <44ECCC9A.3030004@coders.co.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> Message-ID: On Aug 23, 2006, at 14:46, Matt Hampton wrote: > >>>>> Try implementing greylisting on your servers. This has helped a >>>>> lot with >>>>> this problem on my systems. >>>>> Even if you set the greylisting delay as low as 5 minutes. >>>> My big fear w/ Greylisting is that a (legitimate) SMTP server >>>> somewhere won't respect the "try again later" code, and instead >>>> just fail to deliver the mail. I've heard rumours that some of the >>>> larger webmail providers exhibit this behaviour. >>>> >>>> Comments? > > I ran it for about 6 months and didn't have any issues with it. > However > I then turned on sendmail's "greet_pause" facility and this caught > almost as much as grey-listing. > I, in turn, found that 90% of what greet_pause was catching was: a) had no PTR record, b) PTR and A record didn't match, or c) looked like it's from some ISP's client and/or dynamic host range (2 or more octets of its IP address, in decimal or hex format, in the hostname, or the words "dynamic", "dsl", "cable", or "dial-?up" in the hostname). I just reject these now, and I lowered my greet_pause to 3 seconds (ie. just blocking the slammers).
From michele at blacknight.ie Thu Aug 24 00:28:13 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Thu Aug 24 00:28:28 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> Message-ID: <44ECE48D.8070101@blacknight.ie> John Rudd wrote: > > a) had no PTR record, Reasonable enough > b) PTR and A record didn't match, or So what about shared hosting?? -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From michele at blacknight.ie Thu Aug 24 00:32:38 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Thu Aug 24 00:32:41 2006 Subject: Block Postive Phishing Frauds In-Reply-To: <44ECDFF4.2080708@enitech.com.au> References: <44ECDFF4.2080708@enitech.com.au> Message-ID: <44ECE596.3090002@blacknight.ie> Peter Russell wrote: > I am about to enable phishing fraud detection for the first time - but i > would prefer to block the email rather than forward with a warning. > > How do i easily raise the score of email that get the phishing warning? > Or is there a better way to block these emails? > > Thanks > Pete Strange that you should ask that .... We've a client in a similar situation that was looking for some way of blocking the paypal / ebay / bank phishes completely, while tagging and delivering the dodgy redirectors ..... -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. 
+353 (0) 59 9164239 From lshaw at emitinc.com Thu Aug 24 00:52:39 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Thu Aug 24 00:52:57 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> Message-ID: On Wed, 23 Aug 2006, John Rudd wrote: > I, in turn, found that 90% of what greet_pause was catching was: > > a) had no PTR record, > b) PTR and A record didn't match, or > c) looked like it's from some ISP's client and/or dynamic host range > (2 or more octets of its IP address, in decimal or hex format, in > the hostname, or the words "dynamic", "dsl", "cable", or "dial-?up" > in the hostname). > > I just reject these now, and I lowered my greet_pause to 3 seconds > (ie. just blocking the slammers). I, in turn, have yet another approach. I have greet_pause enabled on the secondary MX but not on the primary MX. A whole lot of the spam goes to the secondary MX, so this catches a lot. (And the greet_pause delay on the secondary MX is nice and long, incidentally.) If a legit message has made it to the secondary MX, it means there was already a problem and already a delay, so I don't really care about the performance and whatnot. The same reasoning would apply to greylisting, mostly. - Logan From res at ausics.net Thu Aug 24 00:56:15 2006 From: res at ausics.net (Res) Date: Thu Aug 24 00:56:30 2006 Subject: Block Postive Phishing Frauds In-Reply-To: <44ECDFF4.2080708@enitech.com.au> References: <44ECDFF4.2080708@enitech.com.au> Message-ID: Peter, On Thu, 24 Aug 2006, Peter Russell wrote: > I am about to enable phishing fraud detection for the first time - but i > would prefer to block the email rather than forward with a warning. 
This is highly not advised, the Phishing Fraud detection still often gets many many false positives -- Cheers Res Aussie Open Source Hosting "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From jrudd at ucsc.edu Thu Aug 24 01:21:49 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 24 01:22:13 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <44ECE48D.8070101@blacknight.ie> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> <44ECE48D.8070101@blacknight.ie> Message-ID: On Aug 23, 2006, at 16:28, Michele Neylon:: Blacknight.ie wrote: > John Rudd wrote: >> >> a) had no PTR record, > > Reasonable enough > >> b) PTR and A record didn't match, or > > So what about shared hosting?? > The PTR record doesn't have to reflect any of the virtual/hosted domains. Assuming that the virtual/hosted domains are all sharing 1 IP address, instead of having virtual interfaces: Let's say you have the machine's actual nodename foo.A.com and it hosts mail with hostnames mail.B.com mail.C.com and mail.D.com You can have records such as:
foo.A.com IN A W.X.Y.Z
mail.B.com IN A W.X.Y.Z
mail.C.com IN A W.X.Y.Z
mail.D.com IN A W.X.Y.Z
Z.X.Y.W.in-addr.arpa IN PTR foo.A.com.
Thus, the PTR record points to an A record which then matches the PTR record. This satisfies what I think most people see as the intent of section 2.1 of RFC 1912 (the one which states that your PTR and A records should match). The fact that there are other A records besides the one that matches the PTR record is ok. The only problem you might have is if the receiving host is NOT RFC COMPLIANT and is rejecting sessions based upon the HELO/EHLO string. You can get around this if your helo string is always "foo.A.com" and not one of the mail.[B-D].com hostnames.
Or you can switch to using virtual network interfaces for each hosted domain. Or you can decide not to care about recipients whose mail servers aren't RFC compliant. As for me being the recipient and blocking if their PTR record doesn't lead to an A record which has an IP address that matches the machine connected to me ... if they aren't going to set up their DNS records like the above, then I'm not confident that they're a legitimate mail service. And I give them an error which specifically says "you're not RFC 1912 compliant". From mkettler at evi-inc.com Thu Aug 24 01:43:40 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 24 01:43:52 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <44ECE48D.8070101@blacknight.ie> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> <44ECE48D.8070101@blacknight.ie> Message-ID: <44ECF63C.6080704@evi-inc.com> Michele Neylon:: Blacknight.ie wrote: > John Rudd wrote: >> a) had no PTR record, > > Reasonable enough > >> b) PTR and A record didn't match, or > > So what about shared hosting?? Should work fine. He's not talking about comparing the PTR to the HELO. What John really means is that: Given an IP address, perform a PTR lookup. Take the results of that PTR lookup and perform an A lookup on it. That should end up with the IP address you started with. So he's looking for ip != A_lookup( PTR_lookup(ip)) Even in a shared hosting environment that should always work. The host-name you get from the PTR lookup might not match the HELO string, but that is not what we are checking for here. ie: 208.39.141.94 connects to you. You perform a PTR lookup, you get xanadu.evi-inc.com. You do an A record lookup of that and get 208.39.141.
This works correctly, even if the machine is representing itself as "xanadu.evitechnology.com" in its HELO (which it doesn't, but it could, as both domains are identical except in the "all" clause of their SPF records). From ajos1 at onion.demon.co.uk Thu Aug 24 02:35:15 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Thu Aug 24 02:35:18 2006 Subject: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 Message-ID: - I will try 0.17 ... I thought I had read that 0.17 had problems and was withdrawn... -----Original Message----- From: mailscanner@lists.mailscanner.info Subj: Re: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 Date: Mon, 21 Aug 2006 09:41:04 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You need 0.17 which is what the installer currently installs. This is 4.55.10-3. You won't have any problems with the latest stable release. From pete at enitech.com.au Thu Aug 24 03:13:31 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Aug 24 03:13:59 2006 Subject: Block Postive Phishing Frauds In-Reply-To: <44ECE596.3090002@blacknight.ie> References: <44ECDFF4.2080708@enitech.com.au> <44ECE596.3090002@blacknight.ie> Message-ID: <44ED0B4B.5030606@enitech.com.au> Yeah i would be happy to stop those 3 entirely. I guess i need to write an SA rule? But one that only catch positive phishing frauds on these topics? Michele Neylon:: Blacknight.ie wrote: > Peter Russell wrote: >> I am about to enable phishing fraud detection for the first time - but i >> would prefer to block the email rather than forward with a warning. >> >> How do i easily raise the score of email that get the phishing warning? >> Or is there a better way to block these emails? >> >> Thanks >> Pete > Strange that you should ask that ....
> > We've a client in a similar situation that was looking for some way of > blocking the paypal / ebay / bank phishes completely, while tagging and > delivering the dodgy redirectors ..... > > > From jrudd at ucsc.edu Thu Aug 24 03:27:39 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 24 03:28:02 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <44ECF63C.6080704@evi-inc.com> References: <1E293D3FF63A3740B10AD5AAD88535D20226D14A@UBIMAIL1.ubisoft.org> <44ECCAA9.5090604@ecs.soton.ac.uk> <44ECCC9A.3030004@coders.co.uk> <44ECE48D.8070101@blacknight.ie> <44ECF63C.6080704@evi-inc.com> Message-ID: <2f95b0c7eecfe2631c1b697b187ab08a@ucsc.edu> On Aug 23, 2006, at 5:43 PM, Matt Kettler wrote: > Michele Neylon:: Blacknight.ie wrote: >> John Rudd wrote: >>> a) had no PTR record, >> >> Reasonable enough >> >>> b) PTR and A record didn't match, or >> >> So what about shared hosting?? > > Should work fine. He's not talking about comparing the PTR to the HELO. Yeah, while I do some HELO filtering, I don't require that the HELO matches the PTR record. Even what little HELO filtering I do (don't give me my own name in the helo string) is technically an RFC violation, but I'm comfortable with being just that out of spec. Anything more than that would be, IMO, inappropriate. Though, looking through my nightly reports, I see that my DNS rules would catch 95% of those hosts anyway... so I may drop what little HELO filtering I'm doing. > What John really means is that: > > Given an IP address, perform a PTR lookup. Take the results of that > PTR lookup > and perform an A lookup on it. That should end up with the IP address > you > started with. > > > So he's looking for ip != A_lookup( PTR_lookup(ip)) Mostly correct. The A_lookup can return multiple IP addresses, however so it's more like: grep ip A_lookup(PTR_lookup(ip)) Sort of. 
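The check Matt Kettler and John Rudd describe in this thread (PTR lookup, then A lookup, then test whether the connecting IP is among the returned addresses), together with John Rudd's dynamic-hostname heuristic, as an added example that is not code from any poster or from MailScanner. The resolver tables, host names and addresses are constructed from documentation ranges, the token matching used for "octets of the IP address in the hostname" is an assumed interpretation, and only IPv4 is handled.

```python
import ipaddress
import re
import socket
from collections import Counter

# Keywords John Rudd lists for ISP client / dynamic host ranges.
DYNAMIC_WORDS = re.compile(r"dynamic|dsl|cable|dial-?up")
# Assumed interpretation: decimal octets are digit runs of 1-3 digits,
# hex octets are pairs inside an all-hex token of 2-8 characters.
DECIMAL_TOKEN = re.compile(r"(?<!\d)\d{1,3}(?!\d)")
HEX_TOKEN = re.compile(r"(?<![0-9a-z])(?:[0-9a-f]{2}){1,4}(?![0-9a-z])")


def system_ptr_lookup(ip):
    """PTR names for ip from the system resolver, [] when there is none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_a_lookup(name):
    """All IPv4 addresses for name from the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def embedded_octets(hostname, ip):
    """How many octets of ip appear in hostname, in decimal or in hex."""
    octets = Counter(ipaddress.IPv4Address(ip).packed)
    host = hostname.lower()
    decimal = Counter(
        int(tok) for tok in DECIMAL_TOKEN.findall(host) if int(tok) <= 255
    )
    hexa = Counter(
        int(tok[i:i + 2], 16)
        for tok in HEX_TOKEN.findall(host)
        for i in range(0, len(tok), 2)
    )
    # Counter intersection respects repeated octets such as 10.10.x.x.
    return max(sum((octets & decimal).values()), sum((octets & hexa).values()))


def check_client(ip, ptr_lookup=system_ptr_lookup, a_lookup=system_a_lookup):
    """Return (accept, reason) for a connecting IPv4 address."""
    client = ipaddress.IPv4Address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return (False, "no-ptr")
    # The A lookup may return several addresses; the client only has to be
    # one of them ("grep ip A_lookup(PTR_lookup(ip))").
    confirmed = [
        n for n in names
        if any(ipaddress.IPv4Address(a) == client for a in a_lookup(n))
    ]
    if not confirmed:
        return (False, "ptr-a-mismatch")
    name = confirmed[0]
    if DYNAMIC_WORDS.search(name):
        return (False, "dynamic-keyword")
    if embedded_octets(name, ip) >= 2:
        return (False, "ip-in-hostname")
    return (True, "ok")


# Constructed sample zone data (RFC 5737 addresses, example names).
SAMPLE_PTR = {
    "192.0.2.10": ["foo.a.example."],          # shared-hosting box
    "192.0.2.25": ["mx.multi.example."],       # name with two A records
    "198.51.100.20": ["mail.spoof.example."],  # PTR whose A points elsewhere
    "203.0.113.45": ["host-203-0-113-45.pool.example.net."],
    "203.0.113.46": ["cb00712e.cust.example.net."],
    "203.0.113.80": ["dsl-gw.example.net."],
}
SAMPLE_A = {
    "foo.a.example": ["192.0.2.10"],
    "mail.b.example": ["192.0.2.10"],
    "mx.multi.example": ["192.0.2.24", "192.0.2.25"],
    "mail.spoof.example": ["203.0.113.99"],
    "host-203-0-113-45.pool.example.net": ["203.0.113.45"],
    "cb00712e.cust.example.net": ["203.0.113.46"],
    "dsl-gw.example.net": ["203.0.113.80"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for addr in [*SAMPLE_PTR, "198.51.100.7"]:
        print(addr, check_client(addr, sample_ptr, sample_a))
```

Called without the two lookup arguments, `check_client` uses the system resolver instead of the constructed tables.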
From mailscanner at mango.zw Thu Aug 24 07:26:57 2006 From: mailscanner at mango.zw (Jim Holland) Date: Thu Aug 24 07:26:21 2006 Subject: Block Postive Phishing Frauds In-Reply-To: <44ED0B4B.5030606@enitech.com.au> Message-ID: On Thu, 24 Aug 2006, Peter Russell wrote: > Yeah i would be happy to stop those 3 entirely. I guess i need to write > an SA rule? But one that only catch positive phishing frauds on these > topics? Don't forget that ClamAV identifies well-known phishing frauds and those are blocked as if they were viruses. Overnight I see it has caught the following on our server: 4 ClamAV: HTML.Phishing.Bank-491 2 ClamAV: HTML.Phishing.Pay-178 2 ClamAV: HTML.Phishing.Bank-503 1 ClamAV: HTML.Phishing.Pay-94 1 ClamAV: HTML.Phishing.Pay-201 1 ClamAV: HTML.Phishing.Card-32 1 ClamAV: HTML.Phishing.Bank-496 1 ClamAV: HTML.Phishing.Bank-471 1 ClamAV: HTML.Phishing.Bank-213 > Michele Neylon:: Blacknight.ie wrote: > > Peter Russell wrote: > >> I am about to enable phishing fraud detection for the first time - but i > >> would prefer to block the email rather than forward with a warning. > >> > >> How do i easily raise the score of email that get the phishing warning? > >> Or is there a better way to block these emails? > >> > >> Thanks > >> Pete > > Strange that you should ask that .... > > > > We've a client in a similar situation that was looking for some way of > > blocking the paypal / ebay / bank phishes completely, while tagging and > > delivering the dodgy redirectors ..... 
Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From a.peacock at chime.ucl.ac.uk Thu Aug 24 08:57:30 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Thu Aug 24 08:57:44 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44ECB988.2040006@ecs.soton.ac.uk> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> Message-ID: <44ED5BEA.5080207@chime.ucl.ac.uk> Hi, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Kash, Howard (Civ, ARL/CISD) wrote: >>> Instead of the closest following MIME boundary, how about the closest >>> following blank line (or line that only contains whitespace). Would >> that >>> be okay? >> >> That sounds like an OK fix for the images. The plugins don't care about >> the closing MIME boundary, they just need the full base64 encoding >> present, which, as far as I know, shouldn't contain any blank lines. >> The only issue I can think of is if you hit the "Max SpamAssassin Size" >> limit in the middle of the MIME header. Then your next blank line would >> be between the header and the contents and you're left with a header but >> no contents. That would probably still trigger a corrupt image rule, >> but should be pretty rare. >> >> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default score of >> zero in at least the 3.1 releases. > > Sounds survivable. After the limit I will keep going until I hit the > first line that only contains white space. > > All done. Will be in the next beta. > *Please* test this functionality after I release this beta. I have been watching this discussion with a growing uneasiness. I could be wrong but doesn't this behaviour open up the system to problems with huge image files... 
I understand that lots of people are concerned about these gif only spams, and that a lot of effort is going into creating the SA plugins that OCR them, etc (I am on the sa-users list as well :-)), but I think this change creates a means to bypass the max size setting, and could lead to the very problems that that setting was meant to prevent. The Max Msg Size setting is there so that we can tune how our systems work, preventing them being brought to their knees by SA trying to scan huge emails. It feels like the new scheme is saying to the admin, well you can set a max msg size but we will ignore that if the msg has an image at that point. By changing the code as you describe there is now nothing to stop a malicious sender creating an email with a huge JPG file which then gets sent complete to SA, a few raw body rules later SA starts taking forever to scan emails. Receive many of these and the mail server begins to crawl. Wouldn't it be better to roll the message back to the starting MIME boundary? This way a broken gif image is not passed to SA so the plugins don't complain, but all messages are smaller than the max message size set by the admin. I may misunderstand how this works, so I am waiting to be corrected :-) -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From mkellermann at net-com.de Thu Aug 24 09:10:49 2006 From: mkellermann at net-com.de (Matthias Kellermann) Date: Thu Aug 24 09:10:02 2006 Subject: Control number of archives Message-ID: <44ED5F09.6070103@net-com.de> Hello everyone, I'm using MailScanner with postfix and its working fine. All the mail is archived under /var/spool/MailScanner/archive/YYYYMMDD.
This is ok but how can I control the number of days that are archived there? I didn't find any options for that in the config file. A number of 7 would be great so the /var partition won't run out of space :) Best regards, Matthias From glenn.steen at gmail.com Thu Aug 24 09:27:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 24 09:27:14 2006 Subject: auto whitelisting In-Reply-To: <44EC8313.9070408@evi-inc.com> References: <44E9F614.60806@trayerproducts.com> <44E9FD0D.5020807@evi-inc.com> <44EABB69.4090001@solid-state-logic.com> <44EB4F2E.4020201@evi-inc.com> <223f97700608230343i3b15666dhd3891be0f5d2139f@mail.gmail.com> <44EC8313.9070408@evi-inc.com> Message-ID: <223f97700608240127g23d820f7hf1822a90bfeba43@mail.gmail.com> On 23/08/06, Matt Kettler wrote: > Glenn Steen wrote: > > On 22/08/06, Matt Kettler wrote: > >> Martin Hepworth wrote: > >> > > >> > I'd agree with Matt. I always recommend you turn the thing off as it > >> > tends to let spam through when you don't want it to.. > >> > >> Well, that's true.. but it can also cause spam to be tagged when it would > >> otherwise be missed. > >> > >> Remember.. the AWL is NOT a whitelist.. > >> > > Exactly! > > I can say for a fact that the AWL has been keeping my false > > rejection/tagging rate well down, even after applying some things > > (ImageInfo mainly) to get a grip on the image based spam. Without the > > AWL, many a financial newsletter would have gone down the drain... As > > it is now, I cannot find one case where they've got tagged or removed. > > Haven't seen the wildly fluctuating "missfires" of the AWL that some > > report either. > > So I'll be keeping my AWL on, for that crucial score averaging I need. > > > > You know, one thing I find highly amusing is that even though I personally > dislike the AWL, I wind up being a proponent of it to some folks. Which is > completely fine by me, but rather funny. 
> > I guess that's what happens when you're more focused on giving folks the real > facts about the AWL than on telling them how bad it is. > > It's hard to tell that I dislike the AWL if you read some of my wiki stuff on it: > > http://wiki.apache.org/spamassassin/AwlWrongWay > > I guess I just dislike misinformation a whole lot more than I dislike the AWL. > :-) I guess this is as good a time as any to say thank you for making it simpler to make an informed decision on the matter. Good docs like that (that I've pondered in the past, I might add:-) is the lubricant that make our toil so much simpler. As you imply, whether to use the AWL or not is not really a b/w thing... more like a study in grey, as with so many things in life:-). One just needs to keep an eye on things:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solid-state-logic.com Thu Aug 24 09:34:37 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Thu Aug 24 09:34:51 2006 Subject: Control number of archives In-Reply-To: <44ED5F09.6070103@net-com.de> References: <44ED5F09.6070103@net-com.de> Message-ID: <44ED649D.5050607@solid-state-logic.com> Matthias Kellermann wrote: > Hello everyone, > > I'm using MailScanner with postfix and its working fine. > > All the mail is archived under /var/spool/MailScanner/archive/YYYYMMDD. > This is ok but how can I control the number of days that are archived > there? I didn't find any options for that in the config file. A number > of 7 would be great so the /var partition won't run out of space :) > > Best regards, > Matthias Matthias there's a separate cron job in the bin/cronjobs directory that you can set to run once per day and clean out 'old' stuff.
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Thu Aug 24 09:46:44 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 24 09:47:04 2006 Subject: Block Postive Phishing Frauds In-Reply-To: <44ECDFF4.2080708@enitech.com.au> References: <44ECDFF4.2080708@enitech.com.au> Message-ID: <44ED6774.6050508@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There is a little bug in the "less strict" phishing net which I have already fixed and will be released this weekend in a new beta (or sooner if I get time, which I might). So if you can use the "strict" phishing net, or merely delay your implementation by a few days, you will have a much easier life. Peter Russell wrote: > I am about to enable phishing fraud detection for the first time - but > i would prefer to block the email rather than forward with a warning. > > How do i easily raise the score of email that get the phishing > warning? Or is there a better way to block these emails? 
> > Thanks > Pete - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE7Wd1EfZZRxQVtlQRAh9wAKDjji5NgsvNVLrFt9Z/DI7nC5htOQCgvI7x M7GWZXELlfUV85sjyAm8EI8= =TVgN -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Aug 24 09:48:40 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 24 09:48:59 2006 Subject: Block Postive Phishing Frauds In-Reply-To: References: <44ECDFF4.2080708@enitech.com.au> Message-ID: <44ED67E8.2050809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote: > Peter, > > On Thu, 24 Aug 2006, Peter Russell wrote: > >> I am about to enable phishing fraud detection for the first time - >> but i would prefer to block the email rather than forward with a >> warning. > > > This is highly not advised, the Phishing Fraud detection still often > gets many many false positives The "less strict" one is a lot more easy-going. Personally I wouldn't run a system without it (but then again I did write it so I'm going to say that :-) - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE7WfoEfZZRxQVtlQRAsblAJ45nJKE9yKSzYd+U9heGBu5qS+TsgCfWsj3 LCiPViizcAEdCXDrgJss07o= =52P0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Aug 24 09:49:33 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 24 09:49:50 2006 Subject: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 In-Reply-To: References: Message-ID: <44ED681D.6090805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The only problem with 0.17 as far as I know is that the "make test" hangs on certain systems. ajos1@onion.demon.co.uk wrote: > - > > I will try 0.17 ... > > I thought I had read that 0.17 had problems and was withdrawn... > > -----Original Message----- > From: mailscanner@lists.mailscanner.info > Subj: Re: _PATH_LOG not available in syslog.h at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 79 > Date: Mon, 21 Aug 2006 09:41:04 +0100 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You need 0.17 which is what the installer currently installs. This is > 4.55.10-3. You won't have any problems with the latest stable release. > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFE7WgeEfZZRxQVtlQRAuTSAKCLvLx86dQ5pgFXe8aUU84PEObYxgCgjY43 EN87QKwzMiRXvC6QtkSEjwM= =z0oJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Aug 24 09:53:09 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 24 09:53:27 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED5BEA.5080207@chime.ucl.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk>
Message-ID: <44ED68F5.2050906@ecs.soton.ac.uk>

Anthony Peacock wrote:
> Hi,
>
> Julian Field wrote:
>> Kash, Howard (Civ, ARL/CISD) wrote:
>>>> Instead of the closest following MIME boundary, how about the
>>>> closest following blank line (or line that only contains
>>>> whitespace). Would that be okay?
>>>
>>> That sounds like an OK fix for the images. The plugins don't care
>>> about the closing MIME boundary, they just need the full base64
>>> encoding present, which, as far as I know, shouldn't contain any
>>> blank lines. The only issue I can think of is if you hit the "Max
>>> SpamAssassin Size" limit in the middle of the MIME header. Then
>>> your next blank line would be between the header and the contents
>>> and you're left with a header but no contents. That would probably
>>> still trigger a corrupt image rule, but should be pretty rare.
>>>
>>> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default
>>> score of zero in at least the 3.1 releases.
>>
>> Sounds survivable. After the limit I will keep going until I hit the
>> first line that only contains white space.
>>
>> All done. Will be in the next beta.
>> *Please* test this functionality after I release this beta.
>
> I have been watching this discussion with a growing uneasiness. I
> could be wrong but doesn't this behaviour open up the system to
> problems with huge image files...
>
> I understand that lots of people are concerned about these gif only
> spams, and that a lot of effort is going into creating the SA plugins
> that OCR them, etc (I am on the sa-users list as well :-)), but I
> think this change creates a means to bypass the max size setting, and
> could lead to the very problems that that setting was meant to prevent.
>
> The Max Msg Size setting is there so that we can tune how our systems
> work, preventing them being brought to their knees by SA trying to
> scan huge emails. It feels like the new scheme is saying to the admin,
> well you can set a max msg size but we will ignore that if the msg has
> an image at that point.
>
> By changing the code as you describe there is now nothing to stop a
> malicious sender creating an email with a huge JPG file which then
> gets sent complete to SA, a few raw body rules later SA starts taking
> forever to scan emails. Receive many of these and the mail server
> begins to crawl.
>
> Wouldn't it be better to roll the message back to the starting MIME
> boundary? This way a broken gif image is not passed to SA so the
> plugins don't complain, but all messages are smaller than the max
> message size set by the admin.
>
> I may misunderstand how this works, so I am waiting to be corrected :-)
>

Yes, you are absolutely correct. Non-spam may well include huge images.
The problem with rewinding to the previous boundary is that you may end
up not giving SpamAssassin _anything_ to work with.

So it's up for a vote:

do I chop half way through an image?
do I chop at the end of an image?
do I carry on for a max of 100 lines of Base64 data or until the end of
an image, which is earlier?

I have no intention of making the 100 configurable, it will be
impossible for 99.9% of users to know what to set it to.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Aug 24 09:54:22 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 24 09:54:40 2006
Subject: Control number of archives
In-Reply-To: <44ED649D.5050607@solid-state-logic.com>
References: <44ED5F09.6070103@net-com.de> <44ED649D.5050607@solid-state-logic.com>
Message-ID: <44ED693E.9040406@ecs.soton.ac.uk>

Martin Hepworth wrote:
> Matthias Kellermann wrote:
>> Hello everyone,
>>
>> I'm using MailScanner with postfix and it's working fine.
>>
>> All the mail is archived under /var/spool/MailScanner/archive/YYYYMMDD.
>> This is ok but how can I control the number of days that are archived
>> there? I didn't find any options for that in the config file. A
>> number of 7 would be great so the /var partition won't run out of
>> space :)
>>
>> Best regards,
>> Matthias
> Matthias
>
> there's a separate cron job in the bin/cronjobs directory that you can
> set to run once per day and clean out 'old' stuff.
>

On Linux systems you will find it in /etc/cron.daily/clean.quarantine
You just need to enable it (edit the script and you will see where, it's
obvious).

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From shuttlebox at gmail.com Thu Aug 24 10:09:10 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Aug 24 10:09:13 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <625385e30608240209m6bd26358i57ec69a63c05569c@mail.gmail.com>

On 8/24/06, Julian Field wrote:
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?

I vote for the third alternative.

--
/peter

From mkellermann at net-com.de Thu Aug 24 10:14:28 2006
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Thu Aug 24 10:13:44 2006
Subject: Control number of archives
In-Reply-To: <44ED693E.9040406@ecs.soton.ac.uk>
References: <44ED5F09.6070103@net-com.de> <44ED649D.5050607@solid-state-logic.com> <44ED693E.9040406@ecs.soton.ac.uk>
Message-ID: <44ED6DF4.4040602@net-com.de>

Julian Field wrote:
> Martin Hepworth wrote:
>
>> Matthias Kellermann wrote:
>>
>>> Hello everyone,
>>>
>>> I'm using MailScanner with postfix and it's working fine.
>>>
>>> All the mail is archived under /var/spool/MailScanner/archive/YYYYMMDD.
>>> This is ok but how can I control the number of days that are archived
>>> there? I didn't find any options for that in the config file. A
>>> number of 7 would be great so the /var partition won't run out of
>>> space :)
>>>
>>> Best regards,
>>> Matthias
>>>
>> Matthias
>>
>> there's a separate cron job in the bin/cronjobs directory that you can
>> set to run once per day and clean out 'old' stuff.
>>
>>
> On Linux systems you will find it in /etc/cron.daily/clean.quarantine
> You just need to enable it (edit the script and you will see where, it's
> obvious).
>

Alright - thanks! Just edited the cronjob to delete the archives also.
But would be nice if there will be an option in the MailScanner config
too :)

Best regards,
Matthias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060824/c9878a17/attachment.html

From glenn.steen at gmail.com Thu Aug 24 10:17:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 24 10:17:06 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <223f97700608240217w1d6c4472t2285db668e19b362@mail.gmail.com>

On 24/08/06, Julian Field wrote:
> Anthony Peacock wrote:
(snip Anthony's excellent summary of the problem)
> Yes, you are absolutely correct. Non-spam may well include huge images.
> The problem with rewinding to the previous boundary is that you may end
> up not giving SpamAssassin _anything_ to work with.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?
>
> I have no intention of making the 100 configurable, it will be
> impossible for 99.9% of users to know what to set it to.
>

Isn't there a middle here too? A configuration option for the admins
who want/don't want the new behaviour, would perhaps be something to
consider? So that you could "be safe, but break SA scanning to some
extent" or "be somewhat unsafe and still break SA scanning to some
extent"...:-). Note that that wouldn't be the same as a configurable
"100 or end of image" config limit.

As to the vote, I'd vote for the "100 or end of image" alternative. Any
which way we go here, we can't get a perfect solution, so a reasonable
compromise is all we can aim at.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From a.peacock at chime.ucl.ac.uk Thu Aug 24 10:26:41 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Aug 24 10:26:52 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <44ED70D1.7030402@chime.ucl.ac.uk>

Hi Julian,

Julian Field wrote:
> Anthony Peacock wrote:
>> Hi,
>>
>> Julian Field wrote:
>>> Kash, Howard (Civ, ARL/CISD) wrote:
>>>>> Instead of the closest following MIME boundary, how about the
>>>>> closest following blank line (or line that only contains
>>>>> whitespace). Would that be okay?
>>>> That sounds like an OK fix for the images. The plugins don't care
>>>> about the closing MIME boundary, they just need the full base64
>>>> encoding present, which, as far as I know, shouldn't contain any
>>>> blank lines. The only issue I can think of is if you hit the "Max
>>>> SpamAssassin Size" limit in the middle of the MIME header. Then
>>>> your next blank line would be between the header and the contents
>>>> and you're left with a header but no contents. That would probably
>>>> still trigger a corrupt image rule, but should be pretty rare.
>>>>
>>>> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default
>>>> score of zero in at least the 3.1 releases.
>>> Sounds survivable. After the limit I will keep going until I hit the
>>> first line that only contains white space.
>>>
>>> All done. Will be in the next beta.
>>> *Please* test this functionality after I release this beta.
>> I have been watching this discussion with a growing uneasiness. I
>> could be wrong but doesn't this behaviour open up the system to
>> problems with huge image files...
>>
>> I understand that lots of people are concerned about these gif only
>> spams, and that a lot of effort is going into creating the SA plugins
>> that OCR them, etc (I am on the sa-users list as well :-)), but I
>> think this change creates a means to bypass the max size setting, and
>> could lead to the very problems that that setting was meant to prevent.
>>
>> The Max Msg Size setting is there so that we can tune how our systems
>> work, preventing them being brought to their knees by SA trying to
>> scan huge emails. It feels like the new scheme is saying to the admin,
>> well you can set a max msg size but we will ignore that if the msg has
>> an image at that point.
>>
>> By changing the code as you describe there is now nothing to stop a
>> malicious sender creating an email with a huge JPG file which then
>> gets sent complete to SA, a few raw body rules later SA starts taking
>> forever to scan emails. Receive many of these and the mail server
>> begins to crawl.
>>
>> Wouldn't it be better to roll the message back to the starting MIME
>> boundary? This way a broken gif image is not passed to SA so the
>> plugins don't complain, but all messages are smaller than the max
>> message size set by the admin.
>>
>> I may misunderstand how this works, so I am waiting to be corrected :-)
>>
> Yes, you are absolutely correct. Non-spam may well include huge images.

And if the script kiddies find out they might start using this to cause
problems.

> The problem with rewinding to the previous boundary is that you may end
> up not giving SpamAssassin _anything_ to work with.

True. But for those of us not using the various image plugins, that is
no different from the current situation. It is only those people using
the image plugins that this causes problems with at the moment.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?

I vote for the third option. It keeps the idea of limiting the amount
of data that SA gets, whilst still giving the plugins chance to get a
complete gif image. At the end of the day if the people using the
plugins keep getting truncated images, they can always raise the Max
Msg Size config parameter.

>
> I have no intention of making the 100 configurable, it will be
> impossible for 99.9% of users to know what to set it to.

Agreed!

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From P.G.M.Peters at utwente.nl Thu Aug 24 10:26:21 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Aug 24 10:27:31 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <625385e30608240209m6bd26358i57ec69a63c05569c@mail.gmail.com>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <625385e30608240209m6bd26358i57ec69a63c05569c@mail.gmail.com>
Message-ID: <44ED70BD.6080805@utwente.nl>

shuttlebox wrote on 24-8-2006 11:09:
> On 8/24/06, Julian Field wrote:
>> do I chop half way through an image?
>> do I chop at the end of an image?
>> do I carry on for a max of 100 lines of Base64 data or until the end of
>> an image, which is earlier?
>
> I vote for the third alternative.

I think this is the best. And change the comment in MailScanner.conf in
something like this:

# SpamAssassin is not very fast when scanning huge messages, so messages
# bigger than this number of lines will be truncated to this length for
# SpamAssassin testing. The original message will not be affected by
# this. This value is a good compromise as very few spam messages are
# bigger than this.
# This is an estimation. Because of proper MIME handling the actual size
# of the message handed over to SpamAssassin can be up to 100 lines
# bigger.
Max SpamAssassin Size = 30000

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From P.G.M.Peters at utwente.nl Thu Aug 24 10:39:55 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Aug 24 10:40:00 2006
Subject: Block Postive Phishing Frauds
In-Reply-To:
References:
Message-ID: <44ED73EB.2070808@utwente.nl>

Jim Holland wrote on 24-8-2006 8:26:
> On Thu, 24 Aug 2006, Peter Russell wrote:
>
>> Yeah I would be happy to stop those 3 entirely. I guess I need to write
>> an SA rule? But one that only catch positive phishing frauds on these
>> topics?
>
> Don't forget that ClamAV identifies well-known phishing frauds and those
> are blocked as if they were viruses. Overnight I see it has caught the
> following on our server:
>
> 4 ClamAV: HTML.Phishing.Bank-491
> 2 ClamAV: HTML.Phishing.Pay-178
> 2 ClamAV: HTML.Phishing.Bank-503
> 1 ClamAV: HTML.Phishing.Pay-94
> 1 ClamAV: HTML.Phishing.Pay-201
> 1 ClamAV: HTML.Phishing.Card-32
> 1 ClamAV: HTML.Phishing.Bank-496
> 1 ClamAV: HTML.Phishing.Bank-471
> 1 ClamAV: HTML.Phishing.Bank-213

I had to put "Phishing" in "Non-Forging Viruses" (Don't ask me why). It
turns out the phishing spam is forwarded like they should (silent
viruses are deleted) but I have had a few situations where I get a
message stating the "entire message" was quarantined. But it wasn't.

I am currently running MS version 4.52.2 and plan to update sometime
next week. I'll have a look whether this quarantine problem is still
present in that version.

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From colin at mainline.co.uk Thu Aug 24 10:43:23 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 10:42:46 2006
Subject: File Attachment Rules
Message-ID:

Hi Julian,

Still not working ... people complaining it won't allow .ico files
through.

In MailScanner.conf I have:

Allow Filenames = %rules-dir%/filenames.rules

In the /rules directory I have a file called filenames.rules with this
entry

FromOrTo: default \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$

I have restarted MailScanner

Any ideas

Thanks

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Colin Jack
> Sent: 23 August 2006 09:41
> To: MailScanner discussion
> Subject: RE: File Attachment Rules
>
> Sorry Julian - I meant
>
> FromOrTo: *@* \.zip$
>
> etc.
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > Julian Field
> > Sent: 23 August 2006 09:21
> > To: MailScanner discussion
> > Subject: Re: File Attachment Rules
> >
> > Colin Jack wrote:
> > > I'm a newbie to MailScanner, so please be gentle ...
> > >
> > > I want to create a ruleset for Allow Filenames but am not sure of
> > > the syntax
> > >
> > > If I edit MailScanner.conf then I use
> > >
> > > Allow Filenames = /.pdf$ /.zip$ etc.
> > >
> > They should \ and not /
> > > If however I change that to
> > >
> > > Allow Filenames = %ruledir%/filenames.rules
> > >
> > %rules-dir% not %ruledir%
> > > then create a filenames.rules file do I just put
> > >
> > > /.pdf$
> > > /.zip$
> > > /.ico$
> > >
> > > in the rules file or do I have to put in other stuff?
> > >
> > In the filename.rules file you need to put rules that would like
> >
> > From: user1@domain.com \.pdf$ \.zip$ \.ico$
> > To: *@domain2.com \.pdf$
> > FromOrTo: abuse@domain.com .
> >
> > This would
> > 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
> > 2) Allow *.pdf in mail to anyone at domain2.com
> > 3) Allow everything ('.' matches any character and so will match
> > every filename) in mail from or to abuse@domain.com.
> >
> > > Thanks
> > >
> > > Colin
>

----------------------disclaimer ---------------------------------

1. This e-mail and any attachments are confidential & access by anyone
other than the addressee(s) is unauthorised.
2. The security of e-mail communication cannot be guaranteed and neither
Mainline IT nor Mainline Internet will accept claims arising as a result
of using this medium.
3. Any opinions expressed herein are the opinions of the author and are
not those of either Mainline IT or Mainline Internet.
4. Although all email is scanned for viruses, it is the responsibility of
the recipient to ensure they have adequate anti-virus defences.

------------------------------------------------------------------------

From prandal at herefordshire.gov.uk Thu Aug 24 10:50:45 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 24 10:51:53 2006
Subject: Block Postive Phishing Frauds
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B838@isabella.herefordshire.gov.uk>

If you're using ClamAV, add Steve Basford's anti-phishing patterns:

http://www.sanesecurity.com/clamav/

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Peter Russell
> Sent: 24 August 2006 00:09
> To: MailScanner discussion
> Subject: Block Postive Phishing Frauds
>
> I am about to enable phishing fraud detection for the first
> time - but I would prefer to block the email rather than
> forward with a warning.
>
> How do I easily raise the score of email that get the
> phishing warning?
> Or is there a better way to block these emails?
>
> Thanks
> Pete
>

From prandal at herefordshire.gov.uk Thu Aug 24 10:48:57 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 24 10:52:09 2006
Subject: Max SpamAssassin Size problems
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B835@isabella.herefordshire.gov.uk>

Julian wrote:
> Yes, you are absolutely correct. Non-spam may well include
> huge images.
> The problem with rewinding to the previous boundary is that
> you may end up not giving SpamAssassin _anything_ to work with.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until
> the end of an image, which is earlier?
>
> I have no intention of making the 100 configurable, it will be
> impossible for 99.9% of users to know what to set it to.

I'd vote for option 3.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From colin at mainline.co.uk Thu Aug 24 11:04:11 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 11:03:40 2006
Subject: File attachments
Message-ID:

Just thinking ... maybe this is a ClamAV issue rather than MailScanner?
This is what the user is getting:

---------- snip ---

From: "MailScanner"
Date: Thu, 24 Aug 2006 09:37:01 +0100
To: bren@fast-mail.net
Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:
  To: peter.astley-sparke@personal-software.com
  Subject: Re:Desktop icons
  Date: Thu Aug 24 09:36:59 2006

One or more of the attachments (desktop 16 x 16.ico, desktop 32x32.ico,
desktop 32x32-1.ico, desktop 16 x 16-1.ico) are on the list of
unacceptable attachments for this site and will not have been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: Possible buffer overflow in Windows (desktop 16 x 16.ico)
        Report: Possible buffer overflow in Windows (desktop 32x32.ico)
        Report: Possible buffer overflow in Windows (desktop 32x32-1.ico)
        Report: Possible buffer overflow in Windows (desktop 16 x 16-1.ico)

--
MailScanner
Email Virus Scanner
Mainline Internet Services Limited
www.mainline.co.uk

--- end snip ---

Any help gratefully received!

Colin

----------------------disclaimer ---------------------------------

1. This e-mail and any attachments are confidential & access by anyone
other than the addressee(s) is unauthorised.
2.
The security of e-mail communication cannot be guaranteed and neither
Mainline IT nor Mainline Internet will accept claims arising as a result
of using this medium.
3. Any opinions expressed herein are the opinions of the author and are
not those of either Mainline IT or Mainline Internet.
4. Although all email is scanned for viruses, it is the responsibility of
the recipient to ensure they have adequate anti-virus defences.

------------------------------------------------------------------------

From MailScanner at ecs.soton.ac.uk Thu Aug 24 11:21:09 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Aug 24 11:21:26 2006
Subject: File Attachment Rules
In-Reply-To:
References:
Message-ID: <44ED7D95.3050401@ecs.soton.ac.uk>

Try removing the rules file and putting them straight on the config
line, so you will have

allowfilenames = \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$

Colin Jack wrote:
> Hi Julian,
>
> Still not working ... people complaining it won't allow .ico files
> through.
>
> In MailScanner.conf I have:
>
> Allow Filenames = %rules-dir%/filenames.rules
>
> In the /rules directory I have a file called filenames.rules with this
> entry
>
> FromOrTo: default \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$
>
>
> I have restarted MailScanner
>
> Any ideas
>
> Thanks
>
> Colin
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Colin Jack
>> Sent: 23 August 2006 09:41
>> To: MailScanner discussion
>> Subject: RE: File Attachment Rules
>>
>> Sorry Julian - I meant
>>
>> FromOrTo: *@* \.zip$
>>
>> etc.
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>>> Julian Field
>>> Sent: 23 August 2006 09:21
>>> To: MailScanner discussion
>>> Subject: Re: File Attachment Rules
>>>
>>> Colin Jack wrote:
>>>
>>>> I'm a newbie to MailScanner, so please be gentle ...
>>>>
>>>> I want to create a ruleset for Allow Filenames but am not sure of
>>>> the syntax
>>>>
>>>> If I edit MailScanner.conf then I use
>>>>
>>>> Allow Filenames = /.pdf$ /.zip$ etc.
>>>>
>>> They should \ and not /
>>>
>>>> If however I change that to
>>>>
>>>> Allow Filenames = %ruledir%/filenames.rules
>>>>
>>> %rules-dir% not %ruledir%
>>>
>>>> then create a filenames.rules file do I just put
>>>>
>>>> /.pdf$
>>>> /.zip$
>>>> /.ico$
>>>>
>>>> in the rules file or do I have to put in other stuff?
>>>>
>>> In the filename.rules file you need to put rules that would like
>>>
>>> From: user1@domain.com \.pdf$ \.zip$ \.ico$
>>> To: *@domain2.com \.pdf$
>>> FromOrTo: abuse@domain.com .
>>>
>>> This would
>>> 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
>>> 2) Allow *.pdf in mail to anyone at domain2.com
>>> 3) Allow everything ('.' matches any character and so will match
>>> every filename) in mail from or to abuse@domain.com.
>>>
>>>> Thanks
>>>>
>>>> Colin
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at mango.zw Thu Aug 24 11:23:19 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Thu Aug 24 11:22:30 2006
Subject: Block Postive Phishing Frauds
In-Reply-To: <44ED73EB.2070808@utwente.nl>
Message-ID:

On Thu, 24 Aug 2006, Peter Peters wrote:

> Jim Holland wrote on 24-8-2006 8:26:
> > On Thu, 24 Aug 2006, Peter Russell wrote:
> >
> >> Yeah i would be happy to stop those 3 entirely. I guess i need to write
> >> an SA rule? But one that only catch positive phishing frauds on these
> >> topics?
> >
> > Don't forget that ClamAV identifies well-known phishing frauds and those
> > are blocked as if they were viruses. Overnight I see it has caught the
> > following on our server:
> >
> > 4 ClamAV: HTML.Phishing.Bank-491
> > 2 ClamAV: HTML.Phishing.Pay-178
> > 2 ClamAV: HTML.Phishing.Bank-503
> > 1 ClamAV: HTML.Phishing.Pay-94
> > 1 ClamAV: HTML.Phishing.Pay-201
> > 1 ClamAV: HTML.Phishing.Card-32
> > 1 ClamAV: HTML.Phishing.Bank-496
> > 1 ClamAV: HTML.Phishing.Bank-471
> > 1 ClamAV: HTML.Phishing.Bank-213
>
> I had to put "Phishing" in "Non-Forging Viruses" (Don't ask me why). It
> turns out the phishing spam is forwarded like they should (silent
> viruses are deleted) but I have had a few situation where I get a
> message stating the "entire message" was quarantined. But it wasn't.
>
> I am currently running MS version 4.52.2 and plan to update sometime
> next week. I'll have a look whether this quarantine problem is still
> present in that version.

I haven't had a problem with this AFAIK in the past. Certainly the current versions of both MS and ClamAV work fine with the quarantining of such mail (I prefer quarantining to deleting as it lets me see what is actually being identified as malware). I don't put "Phishing" in "Non-Forging Viruses", and haven't done anything unusual with the ClamAV configuration except to include the line:

ScanOptions="--detect-broken"

in the wrapper.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From colin at mainline.co.uk Thu Aug 24 11:41:26 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 11:40:59 2006
Subject: Block Postive Phishing Frauds
Message-ID:

Whoa ... a zimbo?

Newbie question Jim ... where does ClamAV keep all the rules?

Thanks

Colin

From mailscanner at mango.zw Thu Aug 24 12:05:47 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Thu Aug 24 12:04:56 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To:
Message-ID:

Hi Julian

(Excuse the top posting - seems more appropriate here)

Just to be a little more explicit about the problem of the failed Perl module installation:

The install.sh script includes:

>> START QUOTE FROM INSTALL.SH

while read MODNAME MODFILE VERS BUILD ARC
do
  . . .
  # If the module version is already installed, go onto the next one
  # (unless it is MIME-tools which is always rebuilt.
  if ./CheckModuleVersion ${MODNAME} ${VERS} && [ "x$MODNAME" \!= "xMIME::Base64" ]; then
    echo Oh good, module ${MODNAME} version ${VERS} is already installed.
    echo
    timewait 5
  else
    FILEPREFIX=perl-${MODFILE}-${VERS}-${BUILD}
    # Need to install my customised version of MIME-Base64
    if [ "x${MODFILE}" = "xMIME-Base64" ]; then
      FILEPREFIX=MailScanner-${FILEPREFIX}
    fi
    echo Attempting to build and install ${FILEPREFIX}
    . . .
  fi
done << EOF
ExtUtils::MakeMaker ExtUtils-MakeMaker 6.30 1 noarch
Net::CIDR Net-CIDR 0.10 1 noarch
IsABundle IO-stringy 2.108 1 noarch
MIME::Base64 MIME-Base64 3.05 5 arch
IsABundle TimeDate 1.16 3 noarch
IsABundle MailTools 1.71 1 noarch
File::Spec File-Spec 0.82 1 noarch
File::Temp File-Temp 0.16 1 noarch
HTML::Tagset HTML-Tagset 3.03 1 noarch
HTML::Parser HTML-Parser 3.54 1 arch
Convert::BinHex Convert-BinHex 1.119 2 noarch
IsABundle MIME-tools 5.420 1 noarch
Convert::TNEF Convert-TNEF 0.17 1 noarch
Compress::Zlib Compress-Zlib 1.41 1 arch
Archive::Zip Archive-Zip 1.14 1 noarch
DBI DBI 1.50 2 noarch
DBD::SQLite DBD-SQLite 1.12 1 noarch
Getopt::Long Getopt-Long 2.35 1 noarch
Time::HiRes Time-HiRes 1.86 1 noarch
Filesys::Df Filesys-Df 0.90 1 noarch
Net::IP Net-IP 1.24 1 noarch
Sys::Hostname::Long Sys-Hostname-Long 1.4 1 noarch
Sys::Syslog Sys-Syslog 0.17 1 noarch
EOF

>>END QUOTE FROM INSTALL.SH

So for each of the above modules you should see in the script's output either:

  Oh good, module . . . is already installed.

or

  Attempting to build and install . . .

When I ran the script I got the following lines in the output which I logged:

  Oh good, module ExtUtils::MakeMaker version 6.30 is already installed.
  Oh good, module Net::CIDR version 0.10 is already installed.
  Attempting to build and install perl-IO-stringy-2.108-1
  Attempting to build and install MailScanner-perl-MIME-Base64-3.05-5
  Attempting to build and install perl-TimeDate-1.16-3
  Attempting to build and install perl-MailTools-1.71-1
  Oh good, module File::Spec version 0.82 is already installed.
  Oh good, module File::Temp version 0.16 is already installed.
  Oh good, module HTML::Tagset version 3.03 is already installed.
  Oh good, module HTML::Parser version 3.54 is already installed.
  Oh good, module Convert::BinHex version 1.119 is already installed.
  Attempting to build and install perl-MIME-tools-5.420-1
  Oh good, module Convert::TNEF version 0.17 is already installed.
  Oh good, module Compress::Zlib version 1.41 is already installed.
  Oh good, module Archive::Zip version 1.14 is already installed.
  Oh good, module DBI version 1.50 is already installed.
  Oh good, module DBD::SQLite version 1.12 is already installed.
  Attempting to build and install perl-Getopt-Long-2.35-1

but did not get the following expected lines for the remaining modules that were skipped:

  Oh good, module Time::HiRes version 1.86 is already installed.
  Oh good, module Filesys::Df version 0.90 is already installed.
  Attempting to build and install perl-Net-IP-1.24-1
  Attempting to build and install Sys::Hostname::Long
  Attempting to build and install perl-Sys-Syslog-0.17-1

I still can't work out why it didn't work, but can only observe that after the errors with perl-Getopt-Long-2.35-1 (see below) the script didn't try to process the remaining five modules. In the absence of Sys::Hostname::Long, MailScanner failed to run until I had installed the module manually from cpan.

My questions are:

Is the install.sh script broken in some way or have I misunderstood how it is intended to work?

Should I manually uninstall /usr/lib/perl5/5.6.1/Getopt/Long.pm and the cpan Sys::Hostname::Long and then rerun the install script or is it OK to leave as is?
Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

On Thu, 24 Aug 2006, Jim Holland wrote:

> Date: Thu, 24 Aug 2006 00:41:01 +0200 (CAT)
> From: Jim Holland
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Feedback on MailScanner 4.56.1-1 beta
>
> Hi Julian
>
> You wrote in reference to my install.log sent privately:
>
> > It's probably in the Clam-SA tarball.
> > Looks like I will have to move it.
> >
> > root wrote:
> >> Hi Julian
> >>
> >> This is the log.
> >>
> >> I can't see any reference to trying to install Sys::Hostname::Long
> >>
> >> Regards
> >>
> >> Jim Holland
>
> However the perl-Sys-Hostname-Long-1.4-1.src.rpm file is already included
> in MailScanner-4.56.1-1.rpm.tar.gz. That rpm contains the
> Sys-Hostname-Long-1.4.tar.gz which is in the Clam-SA tarball.
>
> I still think something very strange is going on with the installation of
> the Perl modules. The installation goes as far as installing
> perl-Getopt-Long-2.35-1, which appears to go fine. However when running
> MailScanner -v there is no mention of this module at all - see listing
> below. It is however found at /usr/lib/perl5/5.6.1/Getopt/Long.pm.
>
> Having another look at the install log I now finally notice this:
>
> file /usr/lib/perl5/5.6.1/Getopt/Long.pm from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71
> file /usr/lib/perl5/5.6.1/newgetopt.pl from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71
> file /usr/share/man/man3/Getopt::Long.3pm.gz from install of perl-Getopt-Long-2.35-1 conflicts with file from package perl-5.6.1-36.1.71
>
> I suspect that when a module installation failure occurs during the
> execution of the following command:
>
> rpm -Uvh ${NODEPS} ${RPMROOT}/RPMS/${ARC}/${FILEPREFIX}.${ARC}.rpm
>
> then the script breaks out of the Here Documents loop at this point and
> fails to continue to install any remaining Perl modules.
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>
> Running on
> Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686 unknown
> This is Red Hat Linux release 7.1 (Seawolf)
> This is Perl version 5.006001 (5.6.1)
>
> This is MailScanner version 4.56.1
> Module versions are:
> 1.14 Archive::Zip
> 1.119 Convert::BinHex
> 1.03 Fcntl
> 2.6 File::Basename
> 2.03 File::Copy
> 2.00 FileHandle
> 1.0404 File::Path
> 0.16 File::Temp
> 0.92 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.20 IO
> 1.08 IO::File
> 1.121 IO::Pipe
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.10 Net::CIDR
> 1.03 POSIX
> 1.72 Socket
> 1.4 Sys::Hostname::Long
> 0.01 Sys::Syslog
> 1.86 Time::HiRes
> 1.01 Time::localtime
>
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.75 DB_File
> 1.12 DBD::SQLite
> 1.50 DBI
> 1.10 Digest
> missing Digest::HMAC
> 2.36 Digest::MD5
> missing Digest::SHA1
> missing Inline
> missing Mail::ClamAV
> missing Mail::SpamAssassin
> missing Mail::SPF::Query
> missing Net::CIDR::Lite
> missing Net::IP
> missing Net::DNS
> missing Net::LDAP
> missing Parse::RecDescent
> missing SAVI
> 2.46 Test::Harness
> 0.62 Test::Simple
> missing Text::Balanced
> 1.35 URI

From Jan-Peter.Koopmann at seceidos.de Thu Aug 24 12:19:59 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Thu Aug 24 12:20:16 2006
Subject: gif attachments
In-Reply-To: <1156360060.2502@bsd4.nedport.net>
Message-ID:

On Wednesday, August 23, 2006 9:08 PM mailscanner@berger.nl wrote:

> changing. The only thing what stays the same is the size of the
> attachment. So, I am aware that this is not the right mailinglist,
> but has somebody written a rule which checks the size of an
> attachment?
Have a look at

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin?highlight=%28FuzzyOCR%29

(especially the new 2.3) and

http://www.rulesemporium.com/plugins.htm

works like a charm here.

Kind regards,
JP

From martin.lyberg at gmail.com Thu Aug 24 12:26:02 2006
From: martin.lyberg at gmail.com (Martin)
Date: Thu Aug 24 12:26:54 2006
Subject: [solved] SA bayes not working / autolearn inactive?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D147@UBIMAIL1.ubisoft.org>
Message-ID:

Daniel Maher wrote:
> Thanks to everybody for your suggestions.
>
> I stopped MailScanner, and went through the directory tree manually, picking it over with a fine-toothed comb (as it were). I found that the parent directory of the bayes data directory did not have its execute bit set for the group - only for the user.
>
> On the functioning mail servers, this group x bit was set. Voila.
>
> After making this change and re-starting MailScanner, SpamAssassin is now happily reading from and writing to the bayes database, and autolearn is active.
>
> Sometimes the best solutions are the most simple. :P

Daniel,

Since I ran over this topic, I want to make sure I have the correct permissions as well. I have loads of .expire files that won't disappear. Made some changes yesterday to disable the auto-expiring within SA.

Can you tell me the correct permissions for the bayes directory? 0770?

Sample output from my directory:

# ls -al /var/spool/MailScanner/spamassassin/
total 776400
drwxrwx--- 2 postfix postfix 12288 2006-08-24 13:15 .
drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
-rwxrwx--- 1 postfix postfix 671744 2006-08-24 13:14 auto-whitelist
-rwxrwx--- 1 postfix postfix 163840 2006-08-24 13:14 bayes_seen
-rwxrwx--- 1 postfix postfix 2613248 2006-08-24 13:15 bayes_toks
-rwxrwx--- 1 postfix postfix 2514944 2006-07-21 13:56 bayes_toks.expire10000
-rwxrwx--- 1 postfix postfix 2658304 2006-07-25 18:17 bayes_toks.expire1004
-rwxrwx--- 1 postfix postfix 2560000 2006-07-21 14:03 bayes_toks.expire10186
* snip *

Thank you
/ Martin

From mailscanner at mango.zw Thu Aug 24 12:38:56 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Thu Aug 24 12:37:56 2006
Subject: Block Postive Phishing Frauds
In-Reply-To:
Message-ID:

Hi Colin

On Thu, 24 Aug 2006, Colin Jack wrote:

> Whoa ... a zimbo?

Not really - just an Aussie who has been living in Zimbabwe for rather too long!

> Newbie question Jim ... where does ClamAV keep all the rules?
>
> Thanks
>
> Colin

The two configuration files are:

/usr/local/etc/clamd.conf
/usr/local/etc/freshclam.conf

The first is only if you are running the ClamAV daemon, which is not recommended. The second is for the updates - it is essential to configure here the correct DatabaseMirror (eg db.zw.clamav.net).

For use with MailScanner you need a wrapper which sets up the parameters that are passed to clamscan. This is the file:

/usr/lib/MailScanner/clamav-wrapper

The only change I make is to add ScanOptions="--detect-broken".

The virus definitions are downloaded by freshclam (which is itself called by /usr/lib/MailScanner/clamav-autoupdate which is called by /etc/cron.hourly/update_virus_scanners) to /usr/local/share/clamav.

Hope that helps!
Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From colin at mainline.co.uk Thu Aug 24 13:20:20 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 13:20:51 2006
Subject: Block Postive Phishing Frauds
Message-ID:

Thanks Jim - I will have a poke about.

Hope it's not too bad out there ...
Regards

Colin

From sandrews at andrewscompanies.com Thu Aug 24 13:35:09 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Aug 24 13:35:15 2006
Subject: File attachments
Message-ID: <1964AAFBC212F742958F9275BF63DBB04291AE@winchester.andrewscompanies.com>

This comes from /etc/MailScanner/filename.rules.conf, no?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Colin Jack
Sent: Thursday, August 24, 2006 6:04 AM
To: MailScanner discussion
Subject: File attachments

Just thinking ... maybe this is a ClamAV issue rather than MailScanner?

This is what the user is getting:

---------- snip ---

From: "MailScanner"
Date: Thu, 24 Aug 2006 09:37:01 +0100
To: bren@fast-mail.net
Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:
  To: peter.astley-sparke@personal-software.com
  Subject: Re:Desktop icons
  Date: Thu Aug 24 09:36:59 2006

One or more of the attachments (desktop 16 x 16.ico, desktop 32x32.ico, desktop 32x32-1.ico, desktop 16 x 16-1.ico) are on the list of unacceptable attachments for this site and will not have been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report:
Report: Possible buffer overflow in Windows (desktop 16 x 16.ico)
Report: Possible buffer overflow in Windows (desktop 32x32.ico)
Report: Possible buffer overflow in Windows (desktop 32x32-1.ico)
Report: Possible buffer overflow in Windows (desktop 16 x 16-1.ico)

--
MailScanner
Email Virus Scanner
Mainline Internet Services Limited
www.mainline.co.uk

--- end snip ---

Any help gratefully received!
Colin ----------------------disclaimer --------------------------------- 1. This e-mail and any attachments are confidential & access by anyone other than the addressee(s) is unauthorised. 2. The security of e-mail communication cannot be guaranteed and neither Mainline IT nor Mainline Internet will accept claims arising as a result of using this medium. 3. Any opinions expressed herein are the opinions of the author and are not those of either Mainline IT or Mainline Internet. 4. Although all email is scanned for viruses, it is the responsibility of the recipient to ensure they have adequate anti-virus defences. ------------------------------------------------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Denis.Beauchemin at USherbrooke.ca Thu Aug 24 13:39:32 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Aug 24 13:40:02 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: References: Message-ID: <44ED9E04.5040801@USherbrooke.ca> Jim Holland a ?crit : > On Wed, 23 Aug 2006, Julian Field wrote: > > >> Jim Holland wrote: >> >>> Hi Julian >>> >>> I installed the above beta version this evening on Red Hat 7.1 earlier >>> this evening, just after installing sendmail 8.13.8. See details of >>> configuration below (you may notice that it is using Sys::Syslog version >>> 0.01 - the current version does not compile on RH 7.1). >>> >>> The installation went fine, but I experienced the following error when >>> trying to start MailScanner: >>> >>> Can't locate Sys/Hostname/Long.pm in @INC . . . >>> >>> That was solved by installing Sys::Hostname::Long using cpan and it worked >>> fine after that. >>> >>> >> I'll take a look. What happened when the install.sh tried to install it? >> > > Nothing. 
> There were no errors in the installation log, which I have
> copied to you separately. However I see that with the list of modules to
> be installed in the install.sh script there is nothing reported in the log
> for modules after Getopt::Long, ie for:
>
>     Time::HiRes          Time-HiRes          1.86  1  noarch
>     Filesys::Df          Filesys-Df          0.90  1  noarch
>     Net::IP              Net-IP              1.24  1  noarch
>     Sys::Hostname::Long  Sys-Hostname-Long   1.4   1  noarch
>     Sys::Syslog          Sys-Syslog          0.17  1  noarch
>
> The next entry in the install log is for the tnef decoder.
>
> In my case I have the following versions of the above modules now
> installed:
>
>     Time::HiRes          1.86  (I don't know when this was installed)
>     Filesys::Df          0.92  (which I had to install manually when
>                                upgrading to 4.54.6)
>     Net::IP              missing
>     Sys::Hostname::Long  1.4   (after installing it manually)
>     Sys::Syslog          0.01  (the install script has never attempted to
>                                upgrade this module)
>
> It does look as if there could be a problem with the install script
> because I remember when installing 4.50.10-1 at the beginning of the year
> I had to install a whole bunch of Perl modules (eg DBI, SQL-Lite)
> manually at that time too.
>
>>> You have very kindly included a new facility for providing separate
>>> reports for messages and attachments which have been blocked or
>>> quarantined due to user specified size restrictions. I have done some
>>> testing on both oversize messages and attachments, and am pleased to
>>> report that it works exactly as intended for attachments, giving a report
>>> such as:
>>>
>>> MailScanner: Attachment is too large: 154303 bytes
>>>
>>> However in the case of oversize messages, the report is just:
>>>
>>> MailScanner: Message is too large
>>>
>>> with no indication of the size of the message that has been quarantined.
>>> Would it be possible to include the size in that case as well? That would
>>> be very helpful for people who don't want to unquarantine a message that
>>> is far too large for them to handle.
>>>
>> I'll take a look and see. I can only think that there was some good
>> reason why I couldn't do it.
>>

Julian,

I installed 4.56.1-1 yesterday and I also noticed problems with the installation of Perl modules:

Preparing...                ########################################### [100%]
        file /usr/lib/perl5/5.8.5/File/Temp.pm from install of perl-File-Temp-0.16-1 conflicts with file from package perl-5.8.5-36.RHEL4
        file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.16-1 conflicts with file from package perl-5.8.5-36.RHEL4
Preparing...                ########################################### [100%]
        file /usr/lib/perl5/5.8.5/i386-linux-thread-multi/Sys/Syslog.pm from install of perl-Sys-Syslog-0.17-1 conflicts with file from package perl-5.8.5-36.RHEL4
        file /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/Sys/Syslog/Syslog.so from install of perl-Sys-Syslog-0.17-1 conflicts with file from package perl-5.8.5-36.RHEL4

In the following output you can see that File::Temp is still at version 0.14 and Sys::Syslog at version 0.08:

/usr/sbin/MailScanner -v
Running on
Linux ...
2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux
This is Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.56.1
Module versions are:
1.00    AnyDBM_File
1.14    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
0.90    Filesys::Df
1.35    HTML::Entities
3.54    HTML::Parser
2.37    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.71    Mail::Header
3.05    MIME::Base64
5.420   MIME::Decoder
5.420   MIME::Decoder::UU
5.420   MIME::Head
5.420   MIME::Parser
3.03    MIME::QuotedPrint
5.420   MIME::Tools
0.11    Net::CIDR
1.08    POSIX
1.77    Socket
1.4     Sys::Hostname::Long
0.08    Sys::Syslog
1.86    Time::HiRes
1.02    Time::localtime

Optional module versions are:
0.17    Convert::TNEF
1.809   DB_File
1.12    DBD::SQLite
1.50    DBI
1.08    Digest
1.01    Digest::HMAC
2.33    Digest::MD5
2.10    Digest::SHA1
0.44    Inline
0.17    Mail::ClamAV
3.001000 Mail::SpamAssassin
1.998   Mail::SPF::Query
0.18    Net::CIDR::Lite
1.24    Net::IP
0.55    Net::DNS
0.31    Net::LDAP
1.94    Parse::RecDescent
missing SAVI
2.42    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.35    URI

Denis
--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From colin at mainline.co.uk Thu Aug 24 13:50:22 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 13:49:45 2006
Subject: File Attachment Rules
Message-ID:

Putting it in the MailScanner.conf direct seems to work ... except that I now have a heckova long line.

Would be tidier if I could get a ruleset working .. how does everybody else do it?

Thanks

Colin

Julian Field Wrote:
> Try removing the rules file and putting them straight on the
> config line, so you will have allowfilenames = \.pdf$ \.zip$
> \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$
>
> Colin Jack wrote:
> > Hi Julian,
> >
> > Still not working ... people complaining it won't allow .ico files
> > through.
> >
> > In MailScanner.conf I have:
> >
> > Allow Filenames = %rules-dir%/filenames.rules
> >
> > In the /rules directory I have a file called filenames.rules with this
> > entry
> >
> > FromOrTo: default \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$
> > \.tif$
> >
> > I have restarted MailScanner
> >
> > Any ideas
> >
> > Thanks
> >
> > Colin
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >> Colin Jack
> >> Sent: 23 August 2006 09:41
> >> To: MailScanner discussion
> >> Subject: RE: File Attachment Rules
> >>
> >> Sorry Julian - I meant
> >>
> >> FromOrTo: *@* \.zip$
> >>
> >> etc.
> >>
> >>> -----Original Message-----
> >>> From: mailscanner-bounces@lists.mailscanner.info
> >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >>> Julian Field
> >>> Sent: 23 August 2006 09:21
> >>> To: MailScanner discussion
> >>> Subject: Re: File Attachment Rules
> >>>
> >>> Colin Jack wrote:
> >>>
> >>>> I'm a newbie to MailScanner, so please be gentle ...
> >>>>
> >>>> I want to create a ruleset for Allow Filenames but am not sure of the
> >>>> syntax
> >>>>
> >>>> If I edit MailScanner.conf then I use
> >>>>
> >>>> Allow Filenames = /.pdf$ /.zip$ etc.
> >>>>
> >>> They should be \ and not /
> >>>
> >>>> If however I change that to
> >>>>
> >>>> Allow Filenames = %ruledir%/filenames.rules
> >>>>
> >>> %rules-dir% not %ruledir%
> >>>
> >>>> then create a filenames.rules file do I just put
> >>>>
> >>>> /.pdf$
> >>>> /.zip$
> >>>> /.ico$
> >>>>
> >>>> in the rules file or do I have to put in other stuff?
> >>>>
> >>> In the filename.rules file you need to put rules that would look like
> >>>
> >>> From: user1@domain.com \.pdf$ \.zip$ \.ico$
> >>> To: *@domain2.com \.pdf$
> >>> FromOrTo: abuse@domain.com .
> >>>
> >>> This would
> >>> 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
> >>> 2) Allow *.pdf in mail to anyone at domain2.com
> >>> 3) Allow everything ('.' matches any character and so will match every
> >>> filename) in mail from or to abuse@domain.com.
> >>>
> >>>> Thanks
> >>>>
> >>>> Colin

From colin at mainline.co.uk Thu Aug 24 13:52:34 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 13:51:55 2006
Subject: File attachments
Message-ID:

Ahh ... light bulb above head!

Many thanks

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of sandrews@andrewscompanies.com
> Sent: 24 August 2006 13:35
> To: mailscanner@lists.mailscanner.info
> Subject: RE: File attachments
>
> This comes from /etc/MailScanner/filename.rules.conf, no?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Colin Jack
> Sent: Thursday, August 24, 2006 6:04 AM
> To: MailScanner discussion
> Subject: File attachments
>
> Just thinking ... maybe this is a ClamAV issue rather than
> MailScanner?
>
> This is what the user is getting:
>
> ---------- snip ---
>
> From: "MailScanner"
> Date: Thu, 24 Aug 2006 09:37:01 +0100
> To: bren@fast-mail.net
> Subject: Warning: E-mail viruses detected
>
> Our e-mail content detector has just been triggered by a message you
> sent:
> To: peter.astley-sparke@personal-software.com
> Subject: Re:Desktop icons
> Date: Thu Aug 24 09:36:59 2006
>
> One or more of the attachments (desktop 16 x 16.ico, desktop
> 32x32.ico, desktop 32x32-1.ico, desktop 16 x 16-1.ico) are on
> the list of unacceptable attachments for this site and will
> not have been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: Report: Possible buffer overflow in Windows (desktop 16 x
> 16.ico)
> Report: Possible buffer overflow in Windows (desktop 32x32.ico)
> Report: Possible buffer overflow in Windows (desktop 32x32-1.ico)
> Report: Possible buffer overflow in Windows (desktop 16 x 16-1.ico)
>
> --
> MailScanner
> Email Virus Scanner
> Mainline Internet Services Limited
> www.mainline.co.uk
>
> --- end snip ---
>
> Any help gratefully received!
>
> Colin

From Denis.Beauchemin at USherbrooke.ca Thu Aug 24 13:58:15 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Aug 24 13:58:39 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <44EDA267.9070905@USherbrooke.ca>

Julian Field wrote:
> Yes, you are absolutely correct. Non-spam may well include huge images.
> The problem with rewinding to the previous boundary is that you may end
> up not giving SpamAssassin _anything_ to work with.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?
>
> I have no intention of making the 100 configurable, it will be
> impossible for 99.9% of users to know what to set it to.
>

Julian,

I vote for the status quo (chop half way).

Denis
--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From holger at gebhardweb.de Thu Aug 24 14:39:28 2006
From: holger at gebhardweb.de (Holger Gebhard)
Date: Thu Aug 24 14:40:19 2006
Subject: Postfix 2.3 and MailScanner
References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2><44E8A8AD.40603@ecs.soton.ac.uk> <002601c6c48b$ba7054e0$840804c3@PCHOME2>
Message-ID: <031601c6c782$ce6a59b0$0164320a@conware.int>

Hi Julian, hi Group,

an upgrade to mailscanner version 4.55.10 does not help to solve the problem with postfix 2.3.2, it was a try...

I attached some queuefiles which produce the "out-of-order" postfix warning message in log:

Directory "incoming" contains messages from postfixqueue before scanning by mailscanner.
Directory "archiv" contains messages from mailscanner archiv function.
Directory "outgoing" contains messages from postfixqueue after scanning by mailScanner.

Queuefiles from incoming and archiv have the same content, no postfix warning for these files.
Queuefiles from outgoing are modified by mailscanner, but only some produce the postfix warning.

To see the warning just stop outgoing postfix (split queues) or postfix (hold queue).
Then copy a message from outgoing directory to postfix incoming queue directory.
Check systemrights for the copied file (for debian set to postfix.root).
Next start Postfix and search your logs for the warning.

Hope anyone can help to solve the problem...

Thanks

Holger

----- Original Message -----
From: "Holger Gebhard"
To: "MailScanner discussion"
Sent: Sunday, August 20, 2006 9:06 PM
Subject: Re: Postfix 2.3 and MailScanner

>I am also running Postfix in Version 2.3.2...
>
> I forward a copy of all Spammails to a Mailbox (Spam Actions).
> Maybe the failure comes from here?
>
> It seems the failure produced by the DSN Recipient Line in the
> Envelope-Header.
>
> Only an idea...
> But what will happen if MailScanner delete all the DSN Header in the
> envelope.
> When the Message is requeued, postfix might add new headers to the
> Queuefile?
>
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: Sunday, August 20, 2006 8:23 PM
> Subject: Re: Postfix 2.3 and MailScanner
>
> Can you make sure you are using the latest Postfix?
> I am running 2.3.2 and I cannot re-create your symptoms. I have used all
> the 4 messages you sent me and they all worked fine, bar a warning about
> timestamps which I always get and is due to the way I am dropping things
> into its queue directories.
>
> I can't fix it until I can reproduce it, sorry.
>
> Holger Gebhard wrote:
>> Hi Julian,
>>
>> the failure happens only with some messages, not all.
>> The attached archive contains some example messages.
>>
>> Thanks for help :-)
>>
>> Holger
>>
>> ----- Original Message ----- From: "Julian Field"
>> To: "MailScanner discussion"
>> Sent: Sunday, August 20, 2006 5:02 PM
>> Subject: Re: Postfix 2.3 and MailScanner
>>
>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03
>> * text/plain body
>> * Julian Field
>> * 0x1415B654(L)
>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03
>>
>> Does this happen with all messages, or only some?
>> Can you isolate a single message that causes this problem for me please?
>> I would suggest using "Archive Mail =" to archive all your mail and then
>> use the logs to identify a particular message that causes the problem to
>> be logged, and one that doesn't cause the problem.
>>
>> It is essential that you archive as "Raw Queue Files".
>>
>> If you can then send me one message file that causes the problem, and
>> one message that doesn't cause it, I can take a look and fix it.
>>
>> I haven't played with Postfix 2.3 much yet, so have little experience of
>> it. This is clearly another hurdle Wietse has created for my benefit :-)
>>
>> Holger Gebhard wrote:
>>> Hi Julian,
>>> Hi Group,
>>>
>>> I run mailscanner with postfix (split queues) for many years with no
>>> problems.
>>> Currently running mailscanner version 4.52.2.
>>>
>>> The last week I upgraded postfix from 2.2 to 2.3.
>>> After the upgrade I can see some strange warnings from postfix in my
>>> mail-logs: "ignoring out-of-order DSN original recipient..."
>>>
>>> I searched some group and found this thread:
>>>
>>> http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019
>>>
>>> The strange thing is that only some messages are affected by this failure not
>>> all.
>>>
>>> I tried both postfix implementations (single postfix with hold queue and
>>> split queues with two postfix instances) with no success. The warning is
>>> still there with some messages.
>>>
>>> Fortunately the affected messages are still being delivered.
>>> But where does this failure come from?
>>>
>>> Holger
>>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mails.zip
Type: application/octet-stream
Size: 67214 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060824/485e4205/mails-0001.obj

From bpumphrey at WoodMacLaw.com Thu Aug 24 14:55:10 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Thu Aug 24 14:55:13 2006
Subject: OT: Microsoft's Antigen
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15018E36C4@woodenex.woodmaclaw.local>

I have not heard much of Antigen from Microsoft. Does anyone have any experience with it and can confirm that yes indeed MailScanner is still a lot better than Antigen from Microsoft?

From mailscanner at mango.zw Thu Aug 24 15:38:24 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Thu Aug 24 15:37:30 2006
Subject: File Attachment Rules
In-Reply-To:
Message-ID:

On Thu, 24 Aug 2006, Colin Jack wrote:

> Putting it in the MailScanner.conf direct seems to work ... except that
> I now have a heckova long line.
>
> Would be tidier if I could get a ruleset working .. how does everybody
> else do it?
>
> Thanks
>
> Colin

Remember that there are now two separate mechanisms for managing file names and file types:

(a) Default configuration files:

    Filename Rules = %etc-dir%/filename.rules.conf
    Filetype Rules = %etc-dir%/filetype.rules.conf

These are not normal rulesets, so are in the Configuration directory not the Rules directory. They set the basic system-wide policy for acceptance and rejection, and the error notices that are issued when files are blocked.

(b) The allow and deny rules which can be rulesets, and which override the above configuration files if a match is found:

    Allow Filenames =
    Deny Filenames =

I would start by editing the filename.rules.conf and filetype.rules.conf files if you want to change the overall defaults and then set up the ruleset files:

    Allow Filenames = %rules-dir%/filename_allow.rules
    Deny Filenames = %rules-dir%/filename_deny.rules

So then instead of putting all the filenames in a line in MailScanner.conf, you can put them in the above two rulesets, and also customise them for individual users, eg:

filename_allow.rules:

    To:        *@*          \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$
    FromOrTo:  root@domain  \.exe$ \.com$

    # Default (whitelist nothing)
    FromOrTo:  default

and if the lines are too long I guess you could split them, although I haven't tested this, eg:

    To:        *@*          \.pdf$ \.zip$ \.jpg$ \.eps$
    To:        *@*          \.ico$ \.ai$ \.qxd$ \.tif$

and for filename_deny.rules:

    To:        user1@mango.zw  \.gif$ \.jpg$
    To:        user2@mango.zw  \.gif$ \.jpg$ \.pdf$ \.xls$ \.mid$ \.pps$ \.doc$

    # Default (block nothing)
    FromOrTo:  default

Finally, if you want full control, you can do it the old way:

    Filename Rules = %rules-dir%/filename.rules
    Filetype Rules = %rules-dir%/filetype.rules

and then in these files you can specify individual configuration files by user, eg:

filename.rules:

    # List of users allowed to send any filenames
    From: user1@mango.zw  %etc-dir%/filename.rules.allowall.conf

    # Users sending anything between each other
    From: user2@mango.zw and To: user3@mango.zw  %etc-dir%/filename.rules.allowall.conf
    From: user3@mango.zw and To: user2@mango.zw  %etc-dir%/filename.rules.allowall.conf

    # Customised settings
    To: user4@mango.zw  %etc-dir%/filename.rules.user4.conf

    # Default
    FromOrTo: default  %etc-dir%/filename.rules.conf

and similarly for filetype.rules.

All of these configuration files will have the same type of format as the original default %etc-dir%/filename.rules.conf and %etc-dir%/filetype.rules.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

> Julian Field Wrote:
> > Try removing the rules file and putting them straight on the
> > config line, so you will have allowfilenames = \.pdf$ \.zip$
> > \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$
> >
> > Colin Jack wrote:
> > > Hi Julian,
> > >
> > > Still not working ... people complaining it won't allow .ico files
> > > through.
> > >
> > > In MailScanner.conf I have:
> > >
> > > Allow Filenames = %rules-dir%/filenames.rules
> > >
> > > In the /rules directory I have a file called filenames.rules with this
> > > entry
> > >
> > > FromOrTo: default \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$
> > > \.tif$
> > >
> > > I have restarted MailScanner
> > >
> > > Any ideas
> > >
> > > Thanks
> > >
> > > Colin
> > >
> > >> -----Original Message-----
> > >> From: mailscanner-bounces@lists.mailscanner.info
> > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > >> Colin Jack
> > >> Sent: 23 August 2006 09:41
> > >> To: MailScanner discussion
> > >> Subject: RE: File Attachment Rules
> > >>
> > >> Sorry Julian - I meant
> > >>
> > >> FromOrTo: *@* \.zip$
> > >>
> > >> etc.
> > >>
> > >>> -----Original Message-----
> > >>> From: mailscanner-bounces@lists.mailscanner.info
> > >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > >>> Julian Field
> > >>> Sent: 23 August 2006 09:21
> > >>> To: MailScanner discussion
> > >>> Subject: Re: File Attachment Rules
> > >>>
> > >>> Colin Jack wrote:
> > >>>
> > >>>> I'm a newbie to MailScanner, so please be gentle ...
> > >>>>
> > >>>> I want to create a ruleset for Allow Filenames but am not sure of the
> > >>>> syntax
> > >>>>
> > >>>> If I edit MailScanner.conf then I use
> > >>>>
> > >>>> Allow Filenames = /.pdf$ /.zip$ etc.
> > >>>>
> > >>> They should be \ and not /
> > >>>
> > >>>> If however I change that to
> > >>>>
> > >>>> Allow Filenames = %ruledir%/filenames.rules
> > >>>>
> > >>> %rules-dir% not %ruledir%
> > >>>
> > >>>> then create a filenames.rules file do I just put
> > >>>>
> > >>>> /.pdf$
> > >>>> /.zip$
> > >>>> /.ico$
> > >>>>
> > >>>> in the rules file or do I have to put in other stuff?
> > >>>>
> > >>> In the filename.rules file you need to put rules that would look like
> > >>>
> > >>> From: user1@domain.com \.pdf$ \.zip$ \.ico$
> > >>> To: *@domain2.com \.pdf$
> > >>> FromOrTo: abuse@domain.com .
> > >>>
> > >>> This would
> > >>> 1) Allow *.pdf *.zip *.ico in mail from the address user1@domain.com
> > >>> 2) Allow *.pdf in mail to anyone at domain2.com
> > >>> 3) Allow everything ('.' matches any character and so will match every
> > >>> filename) in mail from or to abuse@domain.com.
> > >>>
> > >>>> Thanks
> > >>>>
> > >>>> Colin

From colin at mainline.co.uk Thu Aug 24 15:48:27 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 15:47:33 2006
Subject: File Attachment Rules
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Jim Holland
> Sent: 24 August 2006 15:38
> To: MailScanner discussion
> Subject: RE: File Attachment Rules
>
> On Thu, 24 Aug 2006, Colin Jack wrote:
>
> > Putting it in the MailScanner.conf direct seems to work ... except
> > that I now have a heckova long line.
> >
> > Would be tidier if I could get a ruleset working .. how does everybody
> > else do it?
> >
> > Thanks
> >
> > Colin
>
> Remember that there are now two separate mechanisms for
> managing file names and file types:
>
> (a) Default configuration files:
>
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
>
> These are not normal rulesets, so are in the Configuration
> directory not the Rules directory. They set the basic
> system-wide policy for acceptance and rejection, and the
> error notices that are issued when files are blocked.
>
> (b) The allow and deny rules which can be rulesets, and which
> override the above configuration files if a match is found:
>
> Allow Filenames =
> Deny Filenames =
>
> I would start by editing the filename.rules.conf and
> filetype.rules.conf files if you want to change the overall
> defaults and then set up the ruleset files:
>
> Allow Filenames = %rules-dir%/filename_allow.rules
> Deny Filenames = %rules-dir%/filename_deny.rules
>
> So then instead of putting all the filenames in a line in
> MailScanner.conf, you can put them in the above two rulesets,
> and also customise them for individual users, eg:
>
> filename_allow.rules:
>
> To: *@* \.pdf$ \.zip$ \.jpg$ \.eps$ \.ico$ \.ai$ \.qxd$ \.tif$
> FromOrTo: root@domain \.exe$ \.com$
>
> # Default (whitelist nothing)
> FromOrTo: default
>
> and if the lines are too long I guess you could split them,
> although I haven't tested this, eg:
>
> To: *@* \.pdf$ \.zip$ \.jpg$ \.eps$
> To: *@* \.ico$ \.ai$ \.qxd$ \.tif$
>
> and for filename_deny.rules:
>
> To: user1@mango.zw \.gif$ \.jpg$
> To: user2@mango.zw \.gif$ \.jpg$ \.pdf$ \.xls$ \.mid$ \.pps$ \.doc$
>
> # Default (block nothing)
> FromOrTo: default
>
> Finally, if you want full control, you can do it the old way:
>
> Filename Rules = %rules-dir%/filename.rules
> Filetype Rules = %rules-dir%/filetype.rules
>
> and then in these files you can specify individual
> configuration files by user, eg:
>
> filename.rules:
>
> # List of users allowed to send any filenames
> From: user1@mango.zw %etc-dir%/filename.rules.allowall.conf
>
> # Users sending anything between each other
> From: user2@mango.zw and To: user3@mango.zw %etc-dir%/filename.rules.allowall.conf
> From: user3@mango.zw and To: user2@mango.zw %etc-dir%/filename.rules.allowall.conf
>
> # Customised settings
> To: user4@mango.zw %etc-dir%/filename.rules.user4.conf
>
> # Default
> FromOrTo: default %etc-dir%/filename.rules.conf
>
> and similarly for filetype.rules.
>
> All of these configuration files will have the same type of
> format as the original default %etc-dir%/filename.rules.conf
> and %etc-dir%/filetype.rules.
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service

Great thanks Jim. That detailed explanation has helped me get my head around it. Much appreciated.

Regards

Colin

From colin at mainline.co.uk Thu Aug 24 16:17:21 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 16:16:20 2006
Subject: Aah attachments again
Message-ID:

We have got the various file types allowed but it seems to be a bit fussy about file size :(

Testing I have sent a 41k .zip successfully but a 1Mb .zip just doesn't arrive!

Anybody able to help? 1Mb isn't very big!

Thanks

Colin

From colin at mainline.co.uk Thu Aug 24 16:26:03 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 16:25:02 2006
Subject: Aah attachments again
Message-ID:

A bit more ... I successfully sent a 1.4Mb sql.dump .... but it won't work with 1Mb .zip?

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Colin Jack
> Sent: 24 August 2006 16:17
> To: MailScanner discussion
> Subject: Aah attachments again
>
> We have got the various file types allowed but it seems to be
> a bit fussy about file size :(
>
> Testing I have sent a 41k .zip successfully but a 1Mb .zip
> just doesn't arrive!
>
> Anybody able to help? 1Mb isn't very big!
>
> Thanks
>
> Colin
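
[Added example, not part of any list message and not MailScanner's own code: a small Python model of the Allow Filenames / Deny Filenames rulesets described in the "File Attachment Rules" thread above. It assumes rules are tried top to bottom with the first matching address winning, that Allow is consulted before Deny, and that filename patterns match case-insensitively; the sample rulesets, addresses and function names are constructed for illustration.]

```python
import fnmatch
import re

# Constructed sample rulesets in the "Direction: address pattern ..." layout
# quoted in the thread. The addresses are illustrative only.
ALLOW_RULES = r"""
From:      user1@domain.com   \.pdf$ \.zip$ \.ico$
To:        *@domain2.com      \.pdf$
FromOrTo:  abuse@domain.com   .
# Default (whitelist nothing)
FromOrTo:  default
"""

DENY_RULES = r"""
To:        user2@mango.zw     \.gif$ \.jpg$ \.pdf$
# Default (block nothing)
FromOrTo:  default
"""


def compile_patterns(words):
    """Compile filename regexes (case-insensitive is an assumption of this model)."""
    return [re.compile(word, re.IGNORECASE) for word in words]


def parse_ruleset(text):
    """Parse ruleset text into (direction, address_pattern, [regex, ...]) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        direction = fields[0].rstrip(":").lower()
        if direction not in ("from", "to", "fromorto") or len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        # Compile at load time so a broken pattern is reported when the
        # ruleset is read, not when the first message arrives.
        rules.append((direction, fields[1].lower(), compile_patterns(fields[2:])))
    return rules


def address_matches(pattern, address):
    """'default' matches anyone; otherwise '*' is a wildcard inside the address."""
    return pattern == "default" or fnmatch.fnmatchcase(address.lower(), pattern)


def lookup(rules, sender, recipient):
    """Patterns of the first rule matching this message (first-match is assumed)."""
    for direction, pattern, patterns in rules:
        addresses = {"from": [sender], "to": [recipient],
                     "fromorto": [sender, recipient]}[direction]
        if any(address_matches(pattern, a) for a in addresses):
            return patterns
    return []


def matches_any(patterns, filename):
    """True if any compiled pattern is found in the attachment filename."""
    return any(p.search(filename) for p in patterns)


def verdict(filename, sender, recipient, allow_rules, deny_rules):
    """Return 'allow', 'deny', or 'filename.rules.conf' when neither ruleset decides."""
    if matches_any(lookup(allow_rules, sender, recipient), filename):
        return "allow"
    if matches_any(lookup(deny_rules, sender, recipient), filename):
        return "deny"
    return "filename.rules.conf"


ALLOW = parse_ruleset(ALLOW_RULES)
DENY = parse_ruleset(DENY_RULES)

if __name__ == "__main__":
    cases = [
        ("desktop 32x32.ico", "user1@domain.com", "peter@example.org"),
        ("setup.exe", "user1@domain.com", "peter@example.org"),
        ("a.zip", "other@example.org", "bob@domain2.com"),
        ("photo.JPG", "other@example.org", "user2@mango.zw"),
        ("anything.exe", "abuse@domain.com", "user2@mango.zw"),
    ]
    for name, sender, rcpt in cases:
        print("%-20s %-20s -> %-20s %s"
              % (name, sender, rcpt, verdict(name, sender, rcpt, ALLOW, DENY)))
    # The "/" typo corrected in the thread: "/.pdf$" needs a literal slash
    # in the name, so it never whitelists an ordinary "report.pdf".
    print(matches_any(compile_patterns(["/.pdf$"]), "report.pdf"))
    # The "$" anchor keeps a double extension from riding on the allow rule.
    print(matches_any(compile_patterns([r"\.pdf$"]), "report.pdf.exe"))
```
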

From mailscanner at berger.nl Thu Aug 24 16:28:15 2006
From: mailscanner at berger.nl (mailscanner@berger.nl)
Date: Thu Aug 24 16:28:22 2006
Subject: gif attachments
In-Reply-To:
Message-ID: <1156433295.12582@bsd4.nedport.net>

Well,

With size I meant the Kb's. I have installed ImageInfo and set it up. But the spammer is using different sizes now in his email. So I have to use the OCR system, but my system is already quite heavily loaded. I will install sendmail 8.13 (still have 8.12) and try the "greet_pause" and see if that helps on the load and then install the OCR system.

Thanks,

Roger

Koopmann, Jan-Peter wrote ..
> On Wednesday, August 23, 2006 9:08 PM mailscanner@berger.nl wrote:
>
> > changing. The only thing what stays the same is the size of the
> > attachment. So, I am aware that this is not the right mailinglist,
> > but has somebody written a rule which checks the size of an
> > attachment?
>
> Have a look at
>
> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin?highlight=%28FuzzyOCR%29
>
> (especially the new 2.3)
>
> and
>
> http://www.rulesemporium.com/plugins.htm
>
> works like a charm here.
>
> Kind regards,
> JP

From drew at themarshalls.co.uk Thu Aug 24 16:31:33 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Thu Aug 24 16:31:53 2006
Subject: Aah attachments again
In-Reply-To:
References:
Message-ID: <15417.194.70.180.170.1156433493.squirrel@www.r-bit.net>

On Thu, August 24, 2006 16:17, Colin Jack wrote:
> We have got the various file types allowed but it seems to be a bit
> fussy about file size :(
>
> Testing I have sent a 41k .zip successfully but a 1Mb .zip just doesn't
> arrive!

Got any logs Colin?

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From colin at mainline.co.uk Thu Aug 24 16:42:48 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 16:42:30 2006
Subject: Aah attachments again
Message-ID:

Nothing in the maillog at all for the messages that 'disappear' ... are there other logs I could look in?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Drew Marshall
> Sent: 24 August 2006 16:32
> To: MailScanner discussion
> Subject: Re: Aah attachments again
>
> On Thu, August 24, 2006 16:17, Colin Jack wrote:
> > We have got the various file types allowed but it seems to be a bit
> > fussy about file size :(
> >
> > Testing I have sent a 41k .zip successfully but a 1Mb .zip just
> > doesn't arrive!
>
> Got any logs Colin?
>
> Drew
>
>
> --
> In line with our policy, this message has been scanned for
> viruses and dangerous content by MailScanner, and is believed
> to be clean.
> www.themarshalls.co.uk/policy
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From hmkash at arl.army.mil Thu Aug 24 16:42:27 2006
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD))
Date: Thu Aug 24 16:42:33 2006
Subject: Max SpamAssassin Size problems
Message-ID: <229A346E44379140A59A48951B56E0C00260CC1C@ARLABML01.DS.ARL.ARMY.MIL>

> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?

If I had to choose between these three, I would choose the second.
But I also like Glenn's suggestion of a new configuration option that switches between current behavior (first option) and the second option. Maybe something like adding a "+" sign after the Max Spamassassin Size number would mean "limit size to this value or to the end of the current MIME boundary".

If you do keep the entire image, does this really add to spamassassin's load? In other words, will spamassassin do any processing (i.e. regex searches) on the additional image data or is it smart enough to ignore the contents of a base64 encoded attachment (unless specifically analyzed by a plugin)?

Julian, does your implementation distinguish between different MIME types (i.e. image vs. non-image)? It would also be good to limit this behavior to only attachments with "Content-Type: image/*". At least until another plugin comes along that analyzes other attachment types.

Howard

From colin at mainline.co.uk Thu Aug 24 16:46:54 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 16:45:49 2006
Subject: Reloading confs
Message-ID:

I presume I need to restart MailScanner every time I modify the .conf files? At the moment I do this by restarting sendmail ... is there an easier way? :)

Colin

From mailscanner at mango.zw Thu Aug 24 17:05:08 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Thu Aug 24 17:04:09 2006
Subject: Reloading confs
In-Reply-To:
Message-ID:

On Thu, 24 Aug 2006, Colin Jack wrote:

> I presume I need to restart MailScanner every time I modify the .conf
> files? At the moment I do this by restarting sendmail ... is there an
> easier way? :)

	service MailScanner reload

then tail or view your maillog file to look for any errors.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From a.peacock at chime.ucl.ac.uk Thu Aug 24 17:06:23 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Aug 24 17:06:38 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <229A346E44379140A59A48951B56E0C00260CC1C@ARLABML01.DS.ARL.ARMY.MIL>
References: <229A346E44379140A59A48951B56E0C00260CC1C@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <44EDCE7F.9090501@chime.ucl.ac.uk>

Hi,

Kash, Howard (Civ, ARL/CISD) wrote:
>> do I chop half way through an image?
>> do I chop at the end of an image?
>> do I carry on for a max of 100 lines of Base64 data or until the end
> of
>> an image, which is earlier?
>
> If I had to choose between these three, I would choose the second. But
> I also like Glenn's suggestion of a new configuration option that
> switches between current behavior (first option) and the second option.
> Maybe something like adding a "+" sign after the Max Spamassassin Size
> number would mean "limit size to this value or to the end of the current
> MIME boundary".
>
> If you do keep the entire image, does this really add to spamassassin's
> load? In other words, will spamassassin do any processing (i.e. regex
> searches) on the additional image data or is it smart enough to ignore
> the contents of a base64 encoded attachment (unless specifically
> analyzed by a plugin)?

Rules with a type of 'full' work on the whole of the message without any splitting out of MIME contents.

From the docs:

"full SYMBOLIC_TEST_NAME /pattern/modifiers
    Define a full message pattern test. pattern is a Perl regular expression. Note: as per the header tests, # must be escaped (\#) or else it is considered the beginning of a comment.

    The full message is the pristine message headers plus the pristine message body, including all MIME data such as images, other attachments, MIME boundaries, etc."

The standard SA rules do use full, but only in some limited cases.
The SARE rules use full particularly where they are looking for MIME boundary or HTML patterns.

So the chances are that there will be some rules that are run against the whole of the data passed to SA. Which is why SA recommends that you limit the amount of data passed to it for scanning.

If the code was chopping at the end of an image (ie until it found a MIME boundary or a blank line. It would be very easy for someone to craft an email message that had a starting boundary claiming to be an image type, but then pumped 100s of Mb without an ending boundary. There _HAS_ to be a limit to this.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From drew at themarshalls.co.uk Thu Aug 24 17:10:05 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Thu Aug 24 17:10:21 2006
Subject: Aah attachments again
In-Reply-To:
References:
Message-ID: <20577.194.70.180.170.1156435805.squirrel@www.r-bit.net>

On Thu, August 24, 2006 16:42, Colin Jack wrote:
> Nothing in the maillog at all for the messages that 'disappear' ... are
> there other logs I could look in?

When you say 'nothing' you mean you don't get any action after MailScanner at all? Sounds fishy...

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From craigwhite at azapple.com Thu Aug 24 17:10:15 2006
From: craigwhite at azapple.com (Craig White)
Date: Thu Aug 24 17:10:29 2006
Subject: Reloading confs
In-Reply-To:
References:
Message-ID: <1156435815.14266.13.camel@lin-workstation.azapple.com>

On Thu, 2006-08-24 at 16:46 +0100, Colin Jack wrote:
> I presume I need to restart MailScanner every time I modify the .conf
> files?
> At the moment I do this by restarting sendmail ... is there an easier
> way? :)
----

You shouldn't ever start sendmail (or restart sendmail) - you should only restart MailScanner which in turn stops/starts sendmail for you.

on Red Hat systems...

service MailScanner reload

should do what you want.

Craig

From ssilva at sgvwater.com Thu Aug 24 17:10:00 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Aug 24 17:12:22 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 8/24/2006 1:53 AM:
>
>
> Anthony Peacock wrote:
>>> Hi,
>>>
>>> Julian Field wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>>
>>>>
>>>> Kash, Howard (Civ, ARL/CISD) wrote:
>>>>>> Instead of the closest following MIME boundary, how about the
>>>>>> closest following blank line (or line that only contains
>>>>>> whitespace). Would
>>>>> that
>>>>>> be okay?
>>>>> That sounds like an OK fix for the images. The plugins don't care
>>>>> about
>>>>> the closing MIME boundary, they just need the full base64 encoding
>>>>> present, which, as far as I know, shouldn't contain any blank lines.
>>>>> The only issue I can think of is if you hit the "Max SpamAssassin Size"
>>>>> limit in the middle of the MIME header.
>>>>> Then your next blank line
>>>>> would
>>>>> be between the header and the contents and you're left with a header
>>>>> but
>>>>> no contents. That would probably still trigger a corrupt image rule,
>>>>> but should be pretty rare.
>>>>>
>>>>> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default score of
>>>>> zero in at least the 3.1 releases.
>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>> first line that only contains white space.
>>>>
>>>> All done. Will be in the next beta.
>>>> *Please* test this functionality after I release this beta.
>>> I have been watching this discussion with a growing uneasiness. I
>>> could be wrong but doesn't this behaviour open up the system to
>>> problems with huge image files...
>>>
>>> I understand that lots of people are concerned about these gif only
>>> spams, and that a lot of effort is going into creating the SA plugins
>>> that OCR them, etc (I am on the sa-users list as well :-)), but I
>>> think this change creates a means to bypass the max size setting, and
>>> could lead to the very problems that that setting was meant to prevent.
>>>
>>> The Max Msg Size setting is there so that we can tune how our systems
>>> work, preventing them being brought to their knees by SA trying to scan
>>> huge emails. It feels like the new scheme is saying to the admin,
>>> well you can set a max msg size but we will ignore that if the msg has
>>> an image at that point.
>>>
>>> By changing the code as you describe there is now nothing to stop a
>>> malicious sender creating an email with a huge JPG file which then
>>> gets sent complete to SA, a few raw body rules later SA starts taking
>>> forever to scan emails. Receive many of these and the mail server
>>> begins to crawl.
>>>
>>> Wouldn't it be better to roll the message back to the starting MIME
>>> boundary?
>>> This way a broken gif image is not passed to SA so the
>>> plugins don't complain, but all messages are smaller than the max
>>> message size set by the admin.
>>>
>>> I may misunderstand how this works, so I am waiting to be corrected :-)
>>>
> Yes, you are absolutely correct. Non-spam may well include huge images.
> The problem with rewinding to the previous boundary is that you may end
> up not giving SpamAssassin _anything_ to work with.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?
>
> I have no intention of making the 100 configurable, it will be
> impossible for 99.9% of users to know what to set it to.
>
I think the third option is a good compromise. It gives a little bit of wiggle room for the smaller images, but stops the possible overflow.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Aug 24 17:18:25 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Aug 24 17:21:18 2006
Subject: gif attachments
In-Reply-To: <1156433295.12582@bsd4.nedport.net>
References: <1156433295.12582@bsd4.nedport.net>
Message-ID:

mailscanner@berger.nl spake the following on 8/24/2006 8:28 AM:
> Well,
> With size I meant the Kb's. I have installed ImageInfo and set it up. But the spammer is using different sizes now in his email. So I have to use the OCR system, but my system is already quietly heavy loaded. I will install sendmail 8.13 (still have 8.12) and try the "greet_pause" and see if that helps on the load and then install the OCR system.
>
> Thanks,
>
> Roger
>
>
> Koopmann, Jan-Peter wrote ..
>> On Wednesday, August 23, 2006 9:08 PM mailscanner@berger.nl wrote:
>>
>>> changing. The only thing what stays the same is the size of the
>>> attachment.
>>> So, I am aware that this is not the right mailinglist,
>>> but has somebody written a rule which checks the size of an
>>> attachment?
>>
>> Have a look at
>>
>> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin?highlight=%28FuzzyOCR%29
>>
>> (especially the new 2.3)
>>
>> and
>>
>> http://www.rulesemporium.com/plugins.htm
>>
>> works like a charm here.
>>
>> Kind regards,
>> JP
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
Are you using any sort of checksum like DCC or razor? They seem to catch on quite quickly.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From R.A.Gardener at shu.ac.uk Thu Aug 24 17:29:26 2006
From: R.A.Gardener at shu.ac.uk (Ray Gardener)
Date: Thu Aug 24 17:30:04 2006
Subject: Solaris 10 init.d startup failing
Message-ID:

Hi,

I had cause to reboot a Sunblade server running Exim and MailScanner version 4.53.8 and noticed an error. The mailscanner program is started by invoking MailScanner from the exim startup script in /etc/init.d. [I know this is a legacy method for Solaris 10 but do this to maintain consistency with other mailhubs based on Solaris 9]. On boot-up mailscanner instances were started and the startup log line was present in /var/log/maillog but the instances of mailscanner ate memory very quickly and didn't process mail. Pkilling the mailscanner instances and stopping and starting the init.d script resulted in a working system processing mail.

Has anyone else seen this on Solaris 10 and if so is there a workaround? Incidentally I later created a smf mailscanner service and tried to use that to start mailscanner but this also ate memory and didn't process mail.

Regards,
____________________________________________________________________________
Ray Gardener,
IT Services, LITS,
Sheffield Hallam University,
Howard Street,
Sheffield,
UK
S1 1WB
Telephone: +44 114 225 4926
Fax: +44 114 225 3840
Mobile: +44 07788190005
Email: R.A.Gardener@shu.ac.uk

From martinh at solid-state-logic.com Thu Aug 24 17:38:14 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Thu Aug 24 17:38:29 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References:
Message-ID: <44EDD5F6.7090409@solid-state-logic.com>

Ray Gardener wrote:
> Hi,
>
> I had cause to reboot a Sunblade server running Exim and MailScanner
> version 4.53.8 and noticed an error. The mailscanner program is started
> by invoking MailScanner from the exim startup script in /etc/init.d. [I
> know this is a legacy method for Solaris 10 but do this to maintain
> consistency with other mailhubs based on Solaris 9]. On boot-up
> mailscanner instances were started and the startup log line was present
> in /var/log/maillog but the instances of mailscanner ate memory very
> quickly and didn't process mail. Pkilling the mailscanner instances and
> stopping and starting the init.d script resulted in a working system
> processing mail.
>
> Has anyone else seen this on Solaris 10 and if so is there a workaround?
> Incidentally I later created a smf mailscanner service and tried to use
> that to start mailscanner but this also ate memory and didn't process mail.
>
> Regards,
> ____________________________________________________________________________
>
> Ray Gardener,
> IT Services, LITS,
> Sheffield Hallam University,
> Howard Street,
> Sheffield,
> UK
> S1 1WB
> Telephone: +44 114 225 4926
> Fax: +44 114 225 3840
> Mobile: +44 07788190005
> Email: R.A.Gardener@shu.ac.uk
>
Ray

only problem like this is when using MS in combination with MailWatch.

Problem can be that mysql isn't fully operational by the time MS starts up...so the first connection hangs.

I solved this by putting a wait 30 at the start() function to make sure mysql is up and accepting connections before we start MS.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From prandal at herefordshire.gov.uk Thu Aug 24 17:42:06 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Aug 24 17:42:31 2006
Subject: gif attachments
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580ED6B939@isabella.herefordshire.gov.uk>

FuzzyOCR can be configured to only run against emails which have an SA score (so far) less than a given number.

In FuzzyOcr.cf:

# This is used to disable the OCR engine if the message has already more points than this value
#focr_autodisable_score 50

I set it to our high-spam threshold so it only scans images in emails which would otherwise be delivered to our users.

I find that all my SA rules, ImageInfo, and Bayes get most of these spams anyhow.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of mailscanner@berger.nl
> Sent: 24 August 2006 16:28
> To: MailScanner discussion
> Subject: RE: gif attachments
>
> Well,
> With size I meant the Kb's. I have installed ImageInfo and
> set it up. But the spammer is using different sizes now in
> his email. So I have to use the OCR system, but my system is
> already quietly heavy loaded.
> I will install sendmail 8.13
> (still have 8.12) and try the "greet_pause" and see if that
> helps on the load and then install the OCR system.
>
> Thanks,
>
> Roger
>
>
> Koopmann, Jan-Peter wrote ..
> > On Wednesday, August 23, 2006 9:08 PM mailscanner@berger.nl wrote:
> >
> > > changing. The only thing what stays the same is the size of the
> > > attachment. So, I am aware that this is not the right mailinglist,
> > > but has somebody written a rule which checks the size of an
> > > attachment?
> >
> >
> > Have a look at
> >
>
> > http://wiki.apache.org/spamassassin/FuzzyOcrPlugin?highlight=%
> 28FuzzyOCR%29
> >
> > (especially the new 2.3)
> >
> > and
> >
> > http://www.rulesemporium.com/plugins.htm
> >
> > works like a charm here.
> >
> > Kind regards,
> > JP
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>

From jaearick at colby.edu Thu Aug 24 17:42:45 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 24 17:45:57 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To: <44EDD5F6.7090409@solid-state-logic.com>
References: <44EDD5F6.7090409@solid-state-logic.com>
Message-ID:

On Thu, 24 Aug 2006, Martin Hepworth wrote:

> Date: Thu, 24 Aug 2006 17:38:14 +0100
> From: Martin Hepworth
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Solaris 10 init.d startup failing
>
> Ray Gardener wrote:
>> Hi,
>>
>> I had cause to reboot a Sunblade server running Exim and MailScanner
>> version 4.53.8 and noticed an error. The mailscanner program is started by
>> invoking MailScanner from the exim startup script in /etc/init.d. [I know
>> this is a legacy method for Solaris 10 but do this to maintain consistency
>> with other mailhubs based on Solaris 9].
>> On boot-up mailscanner instances
>> were started and the startup log line was present in /var/log/maillog but
>> the instances of mailscanner ate memory very quickly and didn't process
>> mail. Pkilling the mailscanner instances and stopping and starting the
>> init.d script resulted in a working system processing mail.
>>
>> Has anyone else seen this on Solaris 10 and if so is there a workaround?
>> Incidentally I later created a smf mailscanner service and tried to use that
>> to start mailscanner but this also ate memory and didn't process mail.
>>
>> Regards,
>> ____________________________________________________________________________
>> Ray Gardener,
>> IT Services, LITS,
>> Sheffield Hallam University,
>> Howard Street,
>> Sheffield,
>> UK
>> S1 1WB
>> Telephone: +44 114 225 4926
>> Fax: +44 114 225 3840
>> Mobile: +44 07788190005
>> Email: R.A.Gardener@shu.ac.uk
>>
> Ray
>
> only problem like this is when using MS in combination with MailWatch.
>
> Problem can be that mysql isn't fully operational by the time MS starts
> up...so the first connection hangs.
>
> I solved this by putting a wait 30 at the start() function to make sure mysql
> is up and accepting connections before we start MS.

Martin,

Can you post a diff of your change to the list so I can try it here? I don't use MailWatch or sql, so maybe a smaller wait time would solve my issue. Thanks.

Jeff Earickson
Colby College

From jaearick at colby.edu Thu Aug 24 17:40:27 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Aug 24 17:46:01 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References:
Message-ID:

Hi,

Yes, I run MS 4.55.8 on Solaris 10 and I have been chasing this elusive bug since May (with no success). The gist of it is that your init.d script will work great in Solaris 9, but cause MS to loop up in Solaris 10. The init.d script will also work fine if MS is in debug mode. I use sendmail, BTW.

The work-around for me is to let MailScanner start via cron, eg:

0,5,10,15,20,25,30,35,40,45,50,55 * * * * [ -x /opt/MailScanner/bin/check_mailscanner ] && /opt/MailScanner/bin/check_mailscanner >/dev/null 2>&1

Cool your heels for up to five minutes, and then cron will get MS launched properly. The last suggestion on the list was maybe a PATH issue in the script, but I haven't had a chance to try this idea.

Jeff Earickson
Colby College

On Thu, 24 Aug 2006, Ray Gardener wrote:

> Date: Thu, 24 Aug 2006 17:29:26 +0100 (BST)
> From: Ray Gardener
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Solaris 10 init.d startup failing
>
> Hi,
>
> I had cause to reboot a Sunblade server running Exim and MailScanner version
> 4.53.8 and noticed an error. The mailscanner program is started by invoking
> MailScanner from the exim startup script in /etc/init.d. [I know this is a
> legacy method for Solaris 10 but do this to maintain consistency with other
> mailhubs based on Solaris 9]. On boot-up mailscanner instances were started
> and the startup log line was present in /var/log/maillog but the instances of
> mailscanner ate memory very quickly and didn't process mail. Pkilling the
> mailscanner instances and stopping and starting the init.d script resulted in
> a working system processing mail.
>
> Has anyone else seen this on Solaris 10 and if so is there a workaround?
> Incidentally I later created a smf mailscanner service and tried to use that
> to start mailscanner but this also ate memory and didn't process mail.
>
> Regards,
> ____________________________________________________________________________
> Ray Gardener,
> IT Services, LITS,
> Sheffield Hallam University,
> Howard Street,
> Sheffield,
> UK
> S1 1WB
> Telephone: +44 114 225 4926
> Fax: +44 114 225 3840
> Mobile: +44 07788190005
> Email: R.A.Gardener@shu.ac.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jase at sensis.com Thu Aug 24 17:46:10 2006
From: jase at sensis.com (Desai, Jason)
Date: Thu Aug 24 17:47:23 2006
Subject: Max SpamAssassin Size problems
Message-ID: <1951DC816E1A9F469307B05FA183F43852236E@corpatsmail1.corp.sensis.com>

>>> do I chop half way through an image?
>>> do I chop at the end of an image?
>>> do I carry on for a max of 100 lines of Base64 data or until the end

[snip]

> If the code was chopping at the end of an image (ie until it found a
> MIME boundary or a blank line. It would be very easy for someone to
> craft an email message that had a starting boundary claiming to be an
> image type, but then pumped 100s of Mb without an ending boundary.
> There _HAS_ to be a limit to this.

Agreed. I don't think the limit should be 100 lines though. A malicious email could be crafted which had a mime boundary claiming to be an image, a few normal lines, and then one very long line, MBs long. Instead, the limit should probably be a certain number of bytes. Perhaps something like 8kB?

Jase

From martinh at solid-state-logic.com Thu Aug 24 17:49:46 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Thu Aug 24 17:49:59 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com>
Message-ID: <44EDD8AA.90402@solid-state-logic.com>

Jeff A.
Earickson wrote:
> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>
>> Date: Thu, 24 Aug 2006 17:38:14 +0100
>> From: Martin Hepworth
>> Reply-To: MailScanner discussion
>> To: MailScanner discussion
>> Subject: Re: Solaris 10 init.d startup failing
>>
>> Ray Gardener wrote:
>>> Hi,
>>>
>>> I had cause to reboot a Sunblade server running Exim and MailScanner
>>> version 4.53.8 and noticed an error. The mailscanner program is
>>> started by invoking MailScanner from the exim startup script in
>>> /etc/init.d. [I know this is a legacy method for Solaris 10 but do
>>> this to maintain consistency with other mailhubs based on Solaris 9].
>>> On boot-up mailscanner instances were started and the startup log
>>> line was present in /var/log/maillog but the instances of mailscanner
>>> ate memory very quickly and didn't process mail. Pkilling the
>>> mailscanner instances and stopping and starting the init.d script
>>> resulted in a working system processing mail.
>>>
>>> Has anyone else seen this on Solaris 10 and if so is there a workaround?
>>> Incidentally I later created a smf mailscanner service and tried to
>>> use that to start mailscanner but this also ate memory and didn't
>>> process mail.
>>>
>>> Regards,
>>> ____________________________________________________________________________
>>> Ray Gardener,
>>> IT Services, LITS,
>>> Sheffield Hallam University,
>>> Howard Street,
>>> Sheffield,
>>> UK
>>> S1 1WB
>>> Telephone: +44 114 225 4926
>>> Fax: +44 114 225 3840
>>> Mobile: +44 07788190005
>>> Email: R.A.Gardener@shu.ac.uk
>>>
>> Ray
>>
>> only problem like this is when using MS in combination with MailWatch.
>>
>> Problem can be that mysql isn't fully operational by the time MS
>> starts up...so the first connection hangs.
>>
>> I solved this by putting a wait 30 at the start() function to make
>> sure mysql is up and accepting connections before we start MS.
>
> Martin,
>
> Can you post a diff of your change to the list so I can try it here?
> I don't use MailWatch or sql, so maybe a smaller wait time would solve
> my issue. Thanks.
>
> Jeff Earickson
> Colby College
>
Jeff

just added a sleep 30 at the top of the start) case statement in the rc.d script...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From lshaw at emitinc.com Thu Aug 24 18:23:06 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Thu Aug 24 18:23:17 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44ED68F5.2050906@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID:

On Thu, 24 Aug 2006, Julian Field wrote:
> Anthony Peacock wrote:
>> Julian Field wrote:

>>> Sounds survivable. After the limit I will keep going until I hit the
>>> first line that only contains white space.

>> I have been watching this discussion with a growing uneasiness. I
>> could be wrong but doesn't this behaviour open up the system to
>> problems with huge image files...

> Yes, you are absolutely correct. Non-spam may well include huge images.
> The problem with rewinding to the previous boundary is that you may end
> up not giving SpamAssassin _anything_ to work with.
>
> So it's up for a vote:
>
> do I chop half way through an image?
> do I chop at the end of an image?
> do I carry on for a max of 100 lines of Base64 data or until the end of
> an image, which is earlier?

I don't like the last option at all. It still easily allows a situation where a valid message with a valid image in it gets detected as a corrupt image and hits a rule that scores it as spam.

If we assume there are 80 columns of base64 data per line, then we get 60 bytes per line (since each base64 character carries 6 bits of data). That means 100 lines only holds 6K, maximum.

So this option only works if the chop-off point randomly happens to fall within the last 6K (or less) of the image. If the max message size causes the initial chop-off point to fall any earlier, it still creates an invalid image. If you have a 50K max message size and someone sends a 75K image (which is not out of the ordinary at all), this method will keep going up to 56K and then quit.

Basically, adding the 100 extra lines is really not much better than chopping right at the max message size barrier, unless you assume that most images aren't much larger than 6K, which I don't think is a valid assumption at all. So, this option adds extra complexity and doesn't really give much benefit.

  - Logan

From ka at pacific.net Thu Aug 24 18:41:04 2006
From: ka at pacific.net (Ken A)
Date: Thu Aug 24 18:40:00 2006
Subject: Max SpamAssassin Size problems
In-Reply-To:
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <44EDE4B0.20808@pacific.net>

Logan Shaw wrote:
> On Thu, 24 Aug 2006, Julian Field wrote:
>> Anthony Peacock wrote:
>>> Julian Field wrote:
>
>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>> first line that only contains white space.
>
>>> I have been watching this discussion with a growing uneasiness. I
>>> could be wrong but doesn't this behaviour open up the system to
>>> problems with huge image files...
> >> Yes, you are absolutely correct. Non-spam may well include huge images. >> The problem with rewinding to the previous boundary is that you may end >> up not giving SpamAssassin _anything_ to work with. >> >> So it's up for a vote: >> >> do I chop half way through an image? >> do I chop at the end of an image? >> do I carry on for a max of 100 lines of Base64 data or until the end of >> an image, which is earlier? > > I don't like the last option at all. It still easily allows > a situation where a valid message with a valid image in it > gets detected as a corrupt image and hits a rule that scores > it as spam. > > If we assume there are 80 columns of base64 data per line, then > we get 60 bytes per line (since each base64 character carries > 6 bits of data). That means 100 lines only holds 6K, maximum. > > So this option only works if the chop-off point randomly > happens to fall within the last 6K (or less) of the image. > If the max message size causes the initial chop-off point to > fall any earlier, it still creates an invalid image. If you > have a 50K max message size and someone sends a 75K image > (which is not out of the ordinary at all), this method will > keep going up to 56K and then quit. > > Basically, adding the 100 extra lines is really not much better > than chopping right at the max message size barrier, unless > you assume that most images aren't much larger than 6K, which > I don't think is a valid assumption at all. So, this option > adds extra complexity and doesn't really give much benefit. > > - Logan I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you are worried about false positives. Fuzzyocr will get better at sorting this out. And of course in the mean time, don't use outlook, since it will probably render corrupt images just fine. (it's a feature) Ken A Pacific.Net From jaearick at colby.edu Thu Aug 24 18:43:20 2006 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Thu Aug 24 18:47:07 2006 Subject: Solaris 10 init.d startup failing In-Reply-To: <44EDD8AA.90402@solid-state-logic.com> References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> Message-ID: On Thu, 24 Aug 2006, Martin Hepworth wrote: > Date: Thu, 24 Aug 2006 17:49:46 +0100 > From: Martin Hepworth > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Solaris 10 init.d startup failing > > Jeff A. Earickson wrote: >> On Thu, 24 Aug 2006, Martin Hepworth wrote: >> >>> Date: Thu, 24 Aug 2006 17:38:14 +0100 >>> From: Martin Hepworth >>> Reply-To: MailScanner discussion >>> To: MailScanner discussion >>> Subject: Re: Solaris 10 init.d startup failing >>> >>> Ray Gardener wrote: >>>> Hi, >>>> >>>> I had cause to reboot a Sunblade server running Exim and MailScanner >>>> version 4.53.8 and noticed a error. The mailscanner program is started by >>>> invoking MailScanner from the exim startup script in /etc/init.d. [I know >>>> this is a legacy method for Solaris 10 but do this to maintain >>>> consistency with other mailhubs based on Solaris 9]. On boot-up >>>> mainscannner instances were started and the startup log line was present >>>> in /var/log/maillog but the instances of mailscanner ate memory very >>>> quickly and didn't process mail. Pkilling the mailscanner instances and >>>> stopping and starting the init.d script resulted in a working system >>>> processing mail. >>>> >>>> Has anyone else seen this on Solaris 10 and if so is there a workaround? >>>> Incientally I later created a smf mailscanner service and tried to use >>>> that to start mailscanner but this also ate memory and didn't process >>>> mail. 
>>>> >>>> Regards, >>>> ____________________________________________________________________________ >>>> Ray Gardener, >>>> IT Services, LITS, >>>> Sheffield Hallam University, >>>> Howard Street, >>>> Sheffield, >>>> UK >>>> S1 1WB >>>> Telephone: +44 114 225 4926 >>>> Fax: +44 114 225 3840 >>>> Mobile: +44 07788190005 >>>> Email: R.A.Gardener@shu.ac.uk >>>> >>> Ray >>> >>> only problem like this is when using MS in combination with MailWatch. >>> >>> Problem can be that mysql isn't fully operational by the time MS starts >>> up...so the first connection hangs. >>> >>> I solved this by putting a wait 30 at the start() function to make sure >>> mysql is up and accepting connections before we start MS. >> >> Martin, >> >> Can you post a diff of your change to the list so I can try it here? >> I don't use MailWatch or sql, so maybe a smaller wait time would solve >> my issue. Thanks. >> >> Jeff Earickson >> Colby College >> > Jeff > > just added a sleep 30 at the top of the start) case statement in the rc.d > script... Nope, didn't work for me. I turned on the "-x" option in my init.d script, the check_mailscanner script, watched it as I ran things by hand. The loop-up is somewhere after the bin/MailScanner perl code is launched. FWIW, the "stop" option in my init.d script does not work either. The only way I can get things stopped is via "pkill -9 MailScanner". The mystery continues. Jeff Earickson Colby College From taz at taz-mania.com Thu Aug 24 18:52:52 2006 From: taz at taz-mania.com (Dennis Willson) Date: Thu Aug 24 18:52:55 2006 Subject: Greylisting (WAS: gif attachments) In-Reply-To: <2f95b0c7eecfe2631c1b697b187ab08a@ucsc.edu> Message-ID: Your simple HELO check probably takes less time and cycles to do than the DNS checks. I too make sure that the HELO doesn't use my mail servers own name or IP address, and yes I would catch most of those further on, but catching as many as possible as early and with less work as possible appears to me to be a good thing. 
On Wed, 23 Aug 2006 19:27:39 -0700 John Rudd wrote: > >On Aug 23, 2006, at 5:43 PM, Matt Kettler wrote: > >>Michele Neylon:: Blacknight.ie wrote: >>>John Rudd wrote: >>>>a) had no PTR record, >>> >>>Reasonable enough >>> >>>>b) PTR and A record didn't match, or >>> >>>So what about shared hosting?? >> >>Should work fine. He's not talking about comparing the PTR to the >>HELO. > >Yeah, while I do some HELO filtering, I don't require that the HELO >matches the PTR record. Even what little HELO filtering I do (don't >give me my own name in the helo string) is technically an RFC >violation, but I'm comfortable with being just that out of spec. > Anything more than that would be, IMO, inappropriate. > >Though, looking through my nightly reports, I see that my DNS rules >would catch 95% of those hosts anyway... so I may drop what little >HELO filtering I'm doing. > > >>What John really means is that: >> >>Given an IP address, perform a PTR lookup. Take the results of that >>PTR lookup >>and perform an A lookup on it. That should end up with the IP address >>you >>started with. >> >> >>So he's looking for ip != A_lookup( PTR_lookup(ip)) > >Mostly correct. The A_lookup can return multiple IP addresses, >however so it's more like: > >grep ip A_lookup(PTR_lookup(ip)) > > >Sort of. > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" 
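The check quoted in the message above (the connecting IP must appear among the A records of its own PTR name) together with the "don't give me my own name in the HELO" test, as an added Python example that is not code from any poster or from MailScanner. The resolver functions are injected so it runs offline; every name, address and function name below is an assumption made for the illustration.

```python
import ipaddress
import socket

# Constructed resolver data (RFC 5737 documentation ranges); nothing here
# comes from the thread. 203.0.113.5 is deliberately absent: it has no PTR.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["shared-host.example.net."],          # shared hosting
    "192.0.2.30": ["a.example.org.", "b.example.org."],  # several PTR names
    "198.51.100.7": ["dsl-7.pool.example.com."],         # A points elsewhere
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "shared-host.example.net": ["192.0.2.21", "192.0.2.20"],
    "a.example.org": ["192.0.2.99"],
    "b.example.org": ["192.0.2.30"],
    "dsl-7.pool.example.com": ["198.51.100.99"],
}
OUR_NAMES = {"mx1.example.edu"}                 # hypothetical local identity
OUR_IPS = {ipaddress.ip_address("192.0.2.1")}


def sample_ptr_lookup(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a_lookup(name):
    return SAMPLE_A.get(name, [])


def system_ptr_lookup(ip):
    """Live PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        host, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host, *aliases]


def system_a_lookup(name):
    """Live forward lookup via the system resolver (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip, ptr_lookup, a_lookup):
    """Return ('pass', name), ('no_ptr', None) or ('mismatch', [names])."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(client))]
    if not names:
        return ("no_ptr", None)
    for name in names:
        # A_lookup can return several addresses, so this is a membership
        # test ("grep ip A_lookup(PTR_lookup(ip))"), not an equality test.
        for addr in a_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return ("pass", name)
            except ValueError:
                continue  # malformed or scoped address in the answer
    return ("mismatch", names)


def helo_claims_to_be_us(helo, our_names, our_ips):
    """True when the HELO argument is our own host name or IP address."""
    arg = helo.strip().lower().rstrip(".")
    if arg.startswith("[") and arg.endswith("]"):   # address literal
        arg = arg[1:-1]
        if arg.startswith("ipv6:"):
            arg = arg[5:]
    try:
        return ipaddress.ip_address(arg) in our_ips
    except ValueError:
        return arg in our_names


def evaluate_client(ip, helo, our_names, our_ips, ptr_lookup, a_lookup):
    """Cheap HELO test first; DNS is only queried when the HELO is plausible."""
    if helo_claims_to_be_us(helo, our_names, our_ips):
        return ["helo_is_our_identity"]
    verdict, _detail = check_fcrdns(ip, ptr_lookup, a_lookup)
    return [] if verdict == "pass" else [verdict]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30",
               "198.51.100.7", "203.0.113.5"):
        print(ip, check_fcrdns(ip, sample_ptr_lookup, sample_a_lookup))
```

The shared-hosting case passes because the check compares the IP against the A records of the PTR name, not against the HELO string.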
From Denis.Beauchemin at USherbrooke.ca Thu Aug 24 18:55:38 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Aug 24 18:55:51 2006
Subject: Max SpamAssassin Size problems
In-Reply-To:
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk>
Message-ID: <44EDE81A.6010709@USherbrooke.ca>

Logan Shaw wrote:
> On Thu, 24 Aug 2006, Julian Field wrote:
>> Anthony Peacock wrote:
>>> Julian Field wrote:
>
>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>> first line that only contains white space.
>
>>> I have been watching this discussion with a growing uneasiness. I
>>> could be wrong but doesn't this behaviour open up the system to
>>> problems with huge image files...
>
>> Yes, you are absolutely correct. Non-spam may well include huge images.
>> The problem with rewinding to the previous boundary is that you may end
>> up not giving SpamAssassin _anything_ to work with.
>>
>> So it's up for a vote:
>>
>> do I chop half way through an image?
>> do I chop at the end of an image?
>> do I carry on for a max of 100 lines of Base64 data or until the end of
>> an image, which is earlier?
>
> I don't like the last option at all. It still easily allows
> a situation where a valid message with a valid image in it
> gets detected as a corrupt image and hits a rule that scores
> it as spam.
>
> If we assume there are 80 columns of base64 data per line, then
> we get 60 bytes per line (since each base64 character carries
> 6 bits of data). That means 100 lines only holds 6K, maximum.
>
> So this option only works if the chop-off point randomly
> happens to fall within the last 6K (or less) of the image.
> If the max message size causes the initial chop-off point to
> fall any earlier, it still creates an invalid image.
> If you have a 50K max message size and someone sends a 75K image
> (which is not out of the ordinary at all), this method will
> keep going up to 56K and then quit.
>
> Basically, adding the 100 extra lines is really not much better
> than chopping right at the max message size barrier, unless
> you assume that most images aren't much larger than 6K, which
> I don't think is a valid assumption at all. So, this option
> adds extra complexity and doesn't really give much benefit.
>
> - Logan

With all the measures I activated within sendmail (greylisting,
greet-pause and bad-rcpt-throttle) and all the rules I activated within
SA I really don't need to look at images within emails. That's why I
don't want the actual behaviour changed. I do believe we can detect
almost all image spams with other means currently available to all.

Denis

--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3226 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060824/8c8a748a/smime-0001.bin

From Kevin_Miller at ci.juneau.ak.us Thu Aug 24 19:04:17 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Aug 24 19:04:31 2006
Subject: Could Be OT: How many people only accept reverse DNS lookupmail?
In-Reply-To: <1155824628.18212.10.camel@mike-new2.tc3net.com>
Message-ID:

Michael Baird wrote:
> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter
> as well, on a lower pref MX (Spam Catcher). It goes further than just
> checking reverse DNS, it also checks whether the domain actually
> accepts mail, and if it accepts mail for the specified sender.

Just installed this on a test server and a third level mx gateway (that
gets maybe a half dozen non spam emails on a good day!)
Have one question though - how do these sorts of milters deal with mailing lists? An awful lot of them seem to send from no-reply addresses. Do list senders typically create a valid account and just quietly drop any mail back, or what? I can see the sender check dropping a lot of valid email from lists so am a bit leary about it. Am I losing sleep over nothing? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From daniel.maher at ubisoft.com Thu Aug 24 19:08:08 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 24 19:08:12 2006 Subject: [solved] SA bayes not working / autolearn inactive? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D152@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Martin > Sent: August 24, 2006 7:26 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: [solved] SA bayes not working / autolearn inactive? > > Daniel, > > Since i ran over this topic, i want to make sure i have the correct > permissions aswell. I have loads of .expire files that won't disappear. > Made some changes yesterday to disable the auto-expiring within SA. > > Can you tell me the correct permissions for the bayes directory? 0770? > > Sample output from my directory: > > # ls -al /var/spool/MailScanner/spamassassin/ > > total 776400 > drwxrwx--- 2 postfix postfix 12288 2006-08-24 13:15 . > drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 .. 
> -rwxrwx--- 1 postfix postfix 671744 2006-08-24 13:14 auto-whitelist
> -rwxrwx--- 1 postfix postfix 163840 2006-08-24 13:14 bayes_seen
> -rwxrwx--- 1 postfix postfix 2613248 2006-08-24 13:15 bayes_toks
> -rwxrwx--- 1 postfix postfix 2514944 2006-07-21 13:56
> bayes_toks.expire10000
> -rwxrwx--- 1 postfix postfix 2658304 2006-07-25 18:17
> bayes_toks.expire1004
> -rwxrwx--- 1 postfix postfix 2560000 2006-07-21 14:03
> bayes_toks.expire10186
> * snip *
>
> Thank you
>
> / Martin

Hi,

This is what I have:

-rw------- 1 postfix postfix 30 Aug 24 18:04 bayes.mutex
-rw------- 1 postfix postfix 137818112 Aug 24 18:04 bayes_seen
-rw-r----- 1 postfix postfix 12267520 Aug 24 18:02 bayes_toks

The critical thing isn't the file perms themselves, but the perms on the
directory that they're located in. I have that directory as 0770.

As for those expire files - I just have a cron job that rm's them twice
a day. :P

--
  _
 °v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From colin at mainline.co.uk Thu Aug 24 19:41:13 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Aug 24 19:40:44 2006
Subject: Aah attachments again
Message-ID:

Well if mail goes through then it appears in the maillog as you would
expect. The stuff that 'disappears' doesn't ... no bounce, nothing.

Not sure if there is any way of turning on detailed logging to see
what's happening

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Drew Marshall
> Sent: 24 August 2006 17:10
> To: MailScanner discussion
> Subject: RE: Aah attachments again
>
> On Thu, August 24, 2006 16:42, Colin Jack wrote:
> > Nothing in the maillog at all for the messages that 'disappear' ...
> > are there other logs I could look in?
>
> When you say 'nothing' you mean you don't get any action
> after MailScanner at all? Sounds fishy...
> > Drew > > > -- > In line with our policy, this message has been scanned for > viruses and dangerous content by MailScanner, and is believed > to be clean. > www.themarshalls.co.uk/policy > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From colin at mainline.co.uk Thu Aug 24 19:44:23 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Aug 24 19:43:48 2006 Subject: Reloading confs Message-ID: Did that before and ... [root@server1 ~]# service MailScanner reload MailScanner: unrecognized service [root@server1 ~]# This is a CentOS box which is based on RH Ent Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jim Holland > Sent: 24 August 2006 17:05 > To: MailScanner discussion > Subject: Re: Reloading confs > > On Thu, 24 Aug 2006, Colin Jack wrote: > > > I presume I need to restart MailScanner every time a modify > the .conf > > files? At the moment I do this by restarting sendmail ... > is there an > > easier way? :) > > service MailScanner reload > > then tail or view your maillog file to look for any errors. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From colin at mainline.co.uk Thu Aug 24 19:46:17 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Aug 24 19:45:45 2006 Subject: Reloading confs Message-ID: Nope .. 
tried this before and got [root@server1 ~]# service MailScanner reload MailScanner: unrecognized service [root@server1 ~]# This is a CentOS system which is basically RH Ent Regards Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Craig White > Sent: 24 August 2006 17:10 > To: MailScanner discussion > Subject: Re: Reloading confs > > On Thu, 2006-08-24 at 16:46 +0100, Colin Jack wrote: > > I presume I need to restart MailScanner every time a modify > the .conf > > files? > > At the moment I do this by restarting sendmail ... is there > an easier > > way? :) > ---- > You shouldn't ever start sendmail (or restart sendmail) - you > should only restart MailScanner which in turns stops/starts > sendmail for you. > > on Red Hat systems... > > service MailScanner reload > > should do what you want. > > Craig > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ljosnet at gmail.com Thu Aug 24 19:55:00 2006 From: ljosnet at gmail.com (emm1) Date: Thu Aug 24 19:55:04 2006 Subject: sending mail from command line in FreeBSD 6.1 Message-ID: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> Anyone know how i can send a mail to user from command line in FreeBSD with an attachment ? I tried sendmail -toi user@domain.com < test.txt but the test.txt doesn't come as an attachment, the contents of the file comes in the body of the mail. Thanks! From damon at marinocrane.com Thu Aug 24 20:01:05 2006 From: damon at marinocrane.com (Damon Lambooy) Date: Thu Aug 24 20:01:11 2006 Subject: Reloading confs In-Reply-To: References: Message-ID: <44EDF771.2060103@marinocrane.com> service MailScanner restart. That should work. 
Colin Jack wrote: > Did that before and ... > > [root@server1 ~]# service MailScanner reload > MailScanner: unrecognized service > [root@server1 ~]# > > This is a CentOS box which is based on RH Ent > > Colin > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Jim Holland >> Sent: 24 August 2006 17:05 >> To: MailScanner discussion >> Subject: Re: Reloading confs >> >> On Thu, 24 Aug 2006, Colin Jack wrote: >> >> >>> I presume I need to restart MailScanner every time a modify >>> >> the .conf >> >>> files? At the moment I do this by restarting sendmail ... >>> >> is there an >> >>> easier way? :) >>> >> service MailScanner reload >> >> then tail or view your maillog file to look for any errors. >> >> Regards >> >> Jim Holland >> System Administrator >> MANGO - Zimbabwe's non-profit e-mail service >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060824/7022d473/attachment.html From ssilva at sgvwater.com Thu Aug 24 20:18:00 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 24 20:20:08 2006 Subject: Reloading confs In-Reply-To: References: Message-ID: Colin Jack spake the following on 8/24/2006 11:46 AM: > Nope .. tried this before and got > > [root@server1 ~]# service MailScanner reload > MailScanner: unrecognized service > [root@server1 ~]# > > This is a CentOS system which is basically RH Ent > > Regards > > Colin You have something broken.. I have all my servers on Centos except for an old system on RedHat 9 that I haven't had time to fix. That works for me. 
Look in /etc/init.d and see if the MailScanner script is there. And make sure you didn't miss the upper case M and S, I do it occasionally when I miss the shift key. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From rob at robhq.com Thu Aug 24 20:22:54 2006 From: rob at robhq.com (rob) Date: Thu Aug 24 20:22:59 2006 Subject: sending mail from command line in FreeBSD 6.1 In-Reply-To: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> Message-ID: <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> Not sure if this will work in FreeBSD, but I use this with CentOS Usage: sendEmail [options] or command | sendEmail [options] Required: -f from email address -t [] to email address(es) (space separated list) Common: -u (this will soon be -s, and -s will become -h[ost]) -m if -m is absent the message is read from STDIN -s default is localhost:25 Optional: -a [] file attachment(s) -cc [] cc email address(es) -bcc [] bcc email address(es) Paranormal: -l log to the specified file -v verbosity - use multiple times for greater effect -q be quiet (no stdout output) http://caspian.dotconf.net/menu/Software/SendEmail/ -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1 Sent: Thursday, August 24, 2006 1:55 PM To: MailScanner discussion Subject: sending mail from command line in FreeBSD 6.1 Anyone know how i can send a mail to user from command line in FreeBSD with an attachment ? I tried sendmail -toi user@domain.com < test.txt but the test.txt doesn't come as an attachment, the contents of the file comes in the body of the mail. Thanks! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From colin at mainline.co.uk Thu Aug 24 20:24:39 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Aug 24 20:24:04 2006 Subject: Reloading confs Message-ID: Nope ... see below what I get: MailScanner: unrecognized service Colin ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Damon Lambooy Sent: 24 August 2006 20:01 To: MailScanner discussion Subject: Re: Reloading confs service MailScanner restart. That should work. Colin Jack wrote: Did that before and ... [root@server1 ~]# service MailScanner reload MailScanner: unrecognized service [root@server1 ~]# This is a CentOS box which is based on RH Ent Colin -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jim Holland Sent: 24 August 2006 17:05 To: MailScanner discussion Subject: Re: Reloading confs On Thu, 24 Aug 2006, Colin Jack wrote: I presume I need to restart MailScanner every time a modify the .conf files? At the moment I do this by restarting sendmail ... is there an easier way? :) service MailScanner reload then tail or view your maillog file to look for any errors. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From colin at mainline.co.uk Thu Aug 24 20:32:42 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Aug 24 20:32:07 2006 Subject: Reloading confs Message-ID: Nope ... been there, done that ;) Not in init.d ... but its running! Maybe I need to look a bit harder ... 
> -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Scott Silva > Sent: 24 August 2006 20:18 > To: mailscanner@lists.mailscanner.info > Subject: Re: Reloading confs > > Colin Jack spake the following on 8/24/2006 11:46 AM: > > Nope .. tried this before and got > > > > [root@server1 ~]# service MailScanner reload > > MailScanner: unrecognized service > > [root@server1 ~]# > > > > This is a CentOS system which is basically RH Ent > > > > Regards > > > > Colin > You have something broken.. I have all my servers on Centos > except for an old system on RedHat 9 that I haven't had time to fix. > That works for me. > Look in /etc/init.d and see if the MailScanner script is there. > And make sure you didn't miss the upper case M and S, I do it > occasionally when I miss the shift key. > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From taz at taz-mania.com Thu Aug 24 20:49:08 2006 From: taz at taz-mania.com (Dennis Willson) Date: Thu Aug 24 20:49:11 2006 Subject: Reloading confs In-Reply-To: Message-ID: Somethings broken then for sure. I have CentOS machines and they have the MailScanner script and work just fine. How does MailScanner start on boot if you don't have a script in /etc/init.d ? And how do you start/stop MailScanner itself? On Thu, 24 Aug 2006 20:24:39 +0100 "Colin Jack" wrote: >Nope ... 
see below what I get: > >MailScanner: unrecognized service > >Colin > >________________________________ > > From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >Damon >Lambooy > Sent: 24 August 2006 20:01 > To: MailScanner discussion > Subject: Re: Reloading confs > > > service MailScanner restart. > That should work. > > Colin Jack wrote: > > Did that before and ... > > [root@server1 ~]# service MailScanner reload > MailScanner: unrecognized service > [root@server1 ~]# > > This is a CentOS box which is based on RH Ent > > Colin > > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > > >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jim Holland > Sent: 24 August 2006 17:05 > To: MailScanner discussion > Subject: Re: Reloading confs > > On Thu, 24 Aug 2006, Colin Jack wrote: > > > > I presume I need to restart MailScanner >every time a modify > > > the .conf > > > files? At the moment I do this by >restarting sendmail ... > > > is there an > > > easier way? :) > > > service MailScanner reload > > then tail or view your maillog file to look for >any errors. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > >http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read >http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book >off the website! > > > > > > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! 
-------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From ssilva at sgvwater.com Thu Aug 24 20:53:52 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 24 20:56:43 2006 Subject: Reloading confs In-Reply-To: References: Message-ID: Colin Jack spake the following on 8/24/2006 12:32 PM: > Nope ... been there, done that ;) > > Not in init.d ... but its running! > > Maybe I need to look a bit harder ... Did this get installed from the RPM based install, or the tarball? The rpm install should have added an init script for you. You might be getting it running by the check-mailscanner script in cron. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From lshaw at emitinc.com Thu Aug 24 20:57:07 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Thu Aug 24 20:57:21 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44EDE4B0.20808@pacific.net> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> Message-ID: On Thu, 24 Aug 2006, Ken A wrote: > Logan Shaw wrote: >> On Thu, 24 Aug 2006, Julian Field wrote: >>> do I chop half way through an image? >>> do I chop at the end of an image? >>> do I carry on for a max of 100 lines of Base64 data or until the end of >>> an image, which is earlier? >> I don't like the last option at all. 
It still easily allows >> a situation where a valid message with a valid image in it >> gets detected as a corrupt image and hits a rule that scores >> it as spam. >> Basically, adding the 100 extra lines is really not much better >> than chopping right at the max message size barrier, unless >> you assume that most images aren't much larger than 6K, which >> I don't think is a valid assumption at all. So, this option >> adds extra complexity and doesn't really give much benefit. > I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you are > worried about false positives. Fuzzyocr will get better at sorting this out. Well, if you're going to disable FUZZY_OCR_CORRUPT_IMG, then there is no functional difference between #1 and #3 at all. In which case, I'd prefer #1 because it already exists, it is already known to work, and it's less complex. Contrariwise, if you're going to enable FUZZY_OCR_CORRUPT_IMG, then #3 has only a slight benefit over #1. Default "Max SpamAssassin Size" is 30000 bytes, and base64 data tends to have 70 to 80 characters per line. So being flexible about the cut-off by 100 lines means that rather than falling at 30000 exactly, the cut-off will fall in the range of about 30000-37000 or 30000-38000. Yes, it can and will happen that an attachment boundary falls there, but I'd be surprised if it happens anywhere close to 50% of the time on ham that contains images. In particular, take the case of a ham message that contains a single image. In that case, the image has to be sized between about 22500 and 28500 bytes (since base64 is 75% efficient at carrying data) for #3 to provide any benefit at all. But lots of ham that contains images contains stuff larger than that. To put it another way, I think #3 should be restated as "chop half way through an image most of the time, but occasionally luck out and find an image boundary in a narrow window and chop at the right place". 
- Logan

From gborders at jlewiscooper.com Thu Aug 24 21:11:46 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Thu Aug 24 21:10:17 2006
Subject: Reloading confs
In-Reply-To:
References:
Message-ID: <44EE0802.1010509@jlewiscooper.com>

Scott Silva wrote:
> Colin Jack spake the following on 8/24/2006 12:32 PM:
>
>> Nope ... been there, done that ;)
>>
>> Not in init.d ... but it's running!
>>
>> Maybe I need to look a bit harder ...
>>
> Did this get installed from the RPM based install, or the tarball?
> The rpm install should have added an init script for you. You might be getting
> it running by the check-mailscanner script in cron.
>

I concur with Scott. I've got a Redhat Ent.4 box, and the MailScanner script lives in /etc/init.d and does my basic boot start. I've since then cooked up a simple bash script that does a sendmail cf->mc compile, restarts my greylist-milter, and restarts MailScanner all in short order. Saves on the key strokes, and I don't forget any steps. ;)

You should plop in a copy of the MailScanner script into your /etc/init.d folder and try it. Nab an official copy off the tarball would be quick and easy.

Greg. Borders
Sys. Admin.
JLC Co.
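
The cut-off arithmetic from Logan Shaw's "Max SpamAssassin Size problems" post earlier in this thread, worked through as an added example; it is not part of any list message and is not MailScanner code. It compares option #1 with option #3 on constructed messages. The function names, the 76-character base64 line width, the chop at a line break and the sample image sizes are assumptions, while the 30000-byte limit and the 100-line allowance come from the thread.

```python
import base64

MAX_SA_SIZE = 30000   # default "Max SpamAssassin Size" quoted in the thread
EXTRA_LINES = 100     # allowance proposed as option #3 in the thread
LINE_WIDTH = 76       # assumed; the thread says 70 to 80 characters per line
BOUNDARY = "XYZ"      # constructed MIME boundary


def build_message(image_sizes, width=LINE_WIDTH):
    """Constructed sample: a short text part followed by base64 image parts."""
    lines = [
        "From: sender@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/plain",
        "",
        "See attached.",
    ]
    for size in image_sizes:
        payload = base64.b64encode(bytes(size)).decode("ascii")
        lines += [
            f"--{BOUNDARY}",
            "Content-Type: image/gif",
            "Content-Transfer-Encoding: base64",
            "",
        ]
        lines += [payload[i:i + width] for i in range(0, len(payload), width)]
    lines.append(f"--{BOUNDARY}--")
    return lines


def truncate(lines, max_size=MAX_SA_SIZE, extra_lines=0):
    """Return (bytes_kept, image_cut) for the text handed to the spam checker.

    extra_lines=0 models option #1 (chop at the limit, here at a line break);
    extra_lines=100 models option #3 (run on to the end of the image, but for
    at most that many more base64 lines).
    """
    kept = 0
    b64_part = False   # current part declared base64 in its headers
    in_body = False    # currently inside that part's base64 body
    grace = None       # lines still allowed once the limit has been crossed
    for line in lines:
        is_boundary = line.startswith("--" + BOUNDARY)
        if is_boundary:
            if grace is not None:
                return kept, False          # image ended inside the allowance
            b64_part = in_body = False
        size = len(line) + 1                # count the newline
        if grace is None and kept + size > max_size:
            if not in_body or extra_lines == 0:
                return kept, in_body        # hard chop; cut if mid-image
            grace = extra_lines
        if grace is not None:
            if grace == 0:
                return kept, True           # allowance used up mid-image
            grace -= 1
        kept += size
        if not is_boundary and not in_body:
            if line.lower() == "content-transfer-encoding: base64":
                b64_part = True
            elif line == "" and b64_part:
                in_body = True
    return kept, False


def rescue_window(start=15000, stop=40000, step=500):
    """Single-image sizes (raw bytes) cut by option #1 but kept whole by #3."""
    helped = []
    for size in range(start, stop + 1, step):
        msg = build_message([size])
        if truncate(msg)[1] and not truncate(msg, extra_lines=EXTRA_LINES)[1]:
            helped.append(size)
    return (helped[0], helped[-1]) if helped else None


if __name__ == "__main__":
    for size in (20000, 25000, 40000):
        msg = build_message([size])
        print(size, "option 1:", truncate(msg),
              "option 3:", truncate(msg, extra_lines=EXTRA_LINES))
    print("sizes where option 3 helps:", rescue_window())
```

For a single image, the sizes that option #3 rescues come out close to the range estimated in the post; anything larger is still handed to the spam checker as a truncated image.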
From rdr at xs4all.nl Thu Aug 24 21:14:15 2006
From: rdr at xs4all.nl (Remy de Ruysscher)
Date: Thu Aug 24 21:14:17 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <200608241922.k7OJMsYl027156@bkserver.blacknight.ie>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie>
Message-ID: <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl>

Hi,
Use cat file | mailx -s "Subject" recipient -c "another recipient"

Regards,
Remy

On Thu, August 24, 2006 21:22, rob wrote:
> Not sure if this will work in FreeBSD, but I use this with CentOS
>
> Usage: sendEmail [options] or command | sendEmail [options]
>
> Required:
> -f from email address
> -t [] to email address(es) (space separated list)
>
> Common:
> -u (this will soon be -s, and -s will become
> -h[ost])
> -m if -m is absent the message is read from STDIN
> -s default is localhost:25
>
> Optional:
> -a [] file attachment(s)
> -cc [] cc email address(es)
> -bcc [] bcc email address(es)
>
> Paranormal:
> -l log to the specified file
> -v verbosity - use multiple times for greater effect
> -q be quiet (no stdout output)
>
> http://caspian.dotconf.net/menu/Software/SendEmail/
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: Thursday, August 24, 2006 1:55 PM
> To: MailScanner discussion
> Subject: sending mail from command line in FreeBSD 6.1
>
> Anyone know how i can send a mail to user from command line in FreeBSD
> with an attachment ? I tried sendmail -toi user@domain.com < test.txt
> but the test.txt doesn't come as an attachment, the contents of the
> file comes in the body of the mail.
>
> Thanks!

From ljosnet at gmail.com Thu Aug 24 21:15:10 2006
From: ljosnet at gmail.com (emm1)
Date: Thu Aug 24 21:15:19 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <200608241922.k7OJMsYl027156@bkserver.blacknight.ie>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie>
Message-ID: <910ee2ac0608241315n42e6feb4g6a3769e737e27a50@mail.gmail.com>

Doesn't work. -a isn't a valid option. :)

On 8/24/06, rob wrote:
> Not sure if this will work in FreeBSD, but I use this with CentOS
>
> Usage: sendEmail [options] or command | sendEmail [options]
>
> Required:
> -f from email address
> -t [] to email address(es) (space separated list)
>
> Common:
> -u (this will soon be -s, and -s will become -h[ost])
> -m if -m is absent the message is read from STDIN
> -s default is localhost:25
>
> Optional:
> -a [] file attachment(s)
> -cc [] cc email address(es)
> -bcc [] bcc email address(es)
>
> Paranormal:
> -l log to the specified file
> -v verbosity - use multiple times for greater effect
> -q be quiet (no stdout output)
>
> http://caspian.dotconf.net/menu/Software/SendEmail/
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: Thursday, August 24, 2006 1:55 PM
> To: MailScanner discussion
> Subject: sending mail from command line in FreeBSD 6.1
>
> Anyone know how i can
> send a mail to user from command line in FreeBSD
> with an attachment ? I tried sendmail -toi user@domain.com < test.txt
> but the test.txt doesn't come as an attachment, the contents of the
> file comes in the body of the mail.
>
> Thanks!

From ljosnet at gmail.com Thu Aug 24 21:25:38 2006
From: ljosnet at gmail.com (emm1)
Date: Thu Aug 24 21:25:49 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl>
Message-ID: <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com>

The contents of the file is put in the body instead of being delivered as an attachment with that command.
:)

On 8/24/06, Remy de Ruysscher wrote:
>
> Hi,
> Use cat file | mailx -s "Subject" recipient -c "another recipient"
>
> Regards,
> Remy
>
> On Thu, August 24, 2006 21:22, rob wrote:
> > Not sure if this will work in FreeBSD, but I use this with CentOS
> >
> > Usage: sendEmail [options] or command | sendEmail [options]
> >
> > Required:
> > -f from email address
> > -t [] to email address(es) (space separated list)
> >
> > Common:
> > -u (this will soon be -s, and -s will become
> > -h[ost])
> > -m if -m is absent the message is read from STDIN
> > -s default is localhost:25
> >
> > Optional:
> > -a [] file attachment(s)
> > -cc [] cc email address(es)
> > -bcc [] bcc email address(es)
> >
> > Paranormal:
> > -l log to the specified file
> > -v verbosity - use multiple times for greater effect
> > -q be quiet (no stdout output)
> >
> > http://caspian.dotconf.net/menu/Software/SendEmail/
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> > Sent: Thursday, August 24, 2006 1:55 PM
> > To: MailScanner discussion
> > Subject: sending mail from command line in FreeBSD 6.1
> >
> > Anyone know how i can send a mail to user from command line in FreeBSD
> > with an attachment ? I tried sendmail -toi user@domain.com < test.txt
> > but the test.txt doesn't come as an attachment, the contents of the
> > file comes in the body of the mail.
> >
> > Thanks!

From ssilva at sgvwater.com Thu Aug 24 22:11:40 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Aug 24 22:13:44 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <910ee2ac0608241315n42e6feb4g6a3769e737e27a50@mail.gmail.com>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <910ee2ac0608241315n42e6feb4g6a3769e737e27a50@mail.gmail.com>
Message-ID:

emm1 spake the following on 8/24/2006 1:15 PM:
> Doesn't work. -a isn't a valid option. :)
>

Can you run mutt from the command line?

mutt [ -n ] [ -F muttrc ] [ -a file ] [ -c address ] [ -i filename ] [ -s subject ] address [ address ... ]

Otherwise, I found this script for OS-X that looks like it will work. Just check that the paths are OK.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail_files.tgz
Type: application/x-compressed
Size: 3772 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060824/8e59d4dd/mail_files.bin

From lars+lister.mailscanner at adventuras.no Thu Aug 24 22:10:17 2006
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Thu Aug 24 22:14:22 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl> <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com>
Message-ID: <44EE15B9.60204@adventuras.no>

emm1 wrote:
> The contents of the file is put in the body instead of being delivered
> as an attachment with that command. :)

AFAIK you need to install a mail program that can handle attachments. I have successfully used mail/nail for that purpose.
--
Regards from Lars

>
> On 8/24/06, Remy de Ruysscher wrote:
>>
>> Hi,
>> Use cat file | mailx -s "Subject" recipient -c "another recipient"
>>
>> Regards,
>> Remy
>>
>> On Thu, August 24, 2006 21:22, rob wrote:
>> > Not sure if this will work in FreeBSD, but I use this with CentOS
>> >
>> > Usage: sendEmail [options] or command | sendEmail [options]
>> >
>> > Required:
>> > -f from email address
>> > -t [] to email address(es) (space separated list)
>> >
>> > Common:
>> > -u (this will soon be -s, and -s will become
>> > -h[ost])
>> > -m if -m is absent the message is read from STDIN
>> > -s default is localhost:25
>> >
>> > Optional:
>> > -a [] file attachment(s)
>> > -cc [] cc email address(es)
>> > -bcc [] bcc email address(es)
>> >
>> > Paranormal:
>> > -l log to the specified file
>> > -v verbosity - use multiple times for greater
>> effect
>> > -q be quiet (no stdout output)
>> >
>> > http://caspian.dotconf.net/menu/Software/SendEmail/
>> >
>> > -----Original Message-----
>> > From: mailscanner-bounces@lists.mailscanner.info
>> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
>> > Sent: Thursday, August 24, 2006 1:55 PM
>> > To: MailScanner discussion
>> > Subject: sending mail from command line in FreeBSD 6.1
>> >
>> > Anyone know how i can send a mail to user from command line in FreeBSD
>> > with an attachment ? I tried sendmail -toi user@domain.com < test.txt
>> > but the test.txt doesn't come as an attachment, the contents of the
>> > file comes in the body of the mail.
>> >
>> > Thanks!

From christian at columbiafuels.com Thu Aug 24 22:22:26 2006
From: christian at columbiafuels.com (Christian Rasmussen)
Date: Thu Aug 24 22:22:30 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To:
Message-ID: <2023D81BC0235143A46589958FF543F502F5D90C@bigbird.columbiafuels.com>

Another great little tool is a perl script written by a guy named David Wood called mail.pl

http://examples.oreilly.com/progintemail/mail.pl

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, August 24, 2006 2:12 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: sending mail from command line in FreeBSD 6.1

emm1 spake the following on 8/24/2006 1:15 PM:
> Doesn't work. -a isn't a valid option. :)
>

Can you run mutt from the command line?

mutt [ -n ] [ -F muttrc ] [ -a file ] [ -c address ] [ -i filename ] [ -s subject ] address [ address ... ]

Otherwise, I found this script for OS-X that looks like it will work. Just check that the paths are OK.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From r.berber at computer.org Thu Aug 24 22:58:33 2006
From: r.berber at computer.org (René Berber)
Date: Thu Aug 24 22:59:16 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To: <44EE15B9.60204@adventuras.no>
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl> <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com> <44EE15B9.60204@adventuras.no>
Message-ID:

Lars Kristiansen wrote:
> emm1 wrote:
>> The contents of the file is put in the body instead of being delivered
>> as an attachment with that command. :)
>
> AFAIK you need to install a mail program that can handle attachments.
> I have successfully used mail/nail for that purpose.

I agree, you need something like email: http://email.cleancode.org/

Short description:

email-2.3.4-1
------------------------------------------
Command line sending of email with attachments, optional GnuPG

--
René Berber

From ljosnet at gmail.com Thu Aug 24 23:14:01 2006
From: ljosnet at gmail.com (emm1)
Date: Thu Aug 24 23:14:05 2006
Subject: sending mail from command line in FreeBSD 6.1
In-Reply-To:
References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl> <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com> <44EE15B9.60204@adventuras.no>
Message-ID: <910ee2ac0608241514m1c5e3a38ibba2799fe95f83a0@mail.gmail.com>

Thanks all. :)

On 8/24/06, René Berber wrote:
> Lars Kristiansen wrote:
>
> > emm1 wrote:
> >> The contents of the file is put in the body instead of being delivered
> >> as an attachment with that command. :)
> >
> > AFAIK you need to install a mail program that can handle attachments.
> > I have successfully used mail/nail for that purpose.
>
> I agree, you need something like email: http://email.cleancode.org/
>
> Short description:
>
> email-2.3.4-1
> ------------------------------------------
> Command line sending of email with attachments, optional GnuPG
> --
> René Berber

From pete at enitech.com.au Thu Aug 24 23:17:20 2006
From: pete at enitech.com.au (Peter Russell)
Date: Thu Aug 24 23:17:36 2006
Subject: Block Postive Phishing Frauds
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580ED6B838@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580ED6B838@isabella.herefordshire.gov.uk>
Message-ID: <44EE2570.2090907@enitech.com.au>

Thanks, great idea, but not sure why they aren't submitting these to the main project? It has that facility and they have freshclam - I am not sure why they are making a separate database. I worry using could cause me pain in the end.

I am taking Jules' advice (as usual) and will wait for the new release.

Thanks
Pete

Randal, Phil wrote:
> If you're using ClamAV, add Steve Basford's anti-phishing patterns:
>
> http://www.sanesecurity.com/clamav/
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Peter Russell
>> Sent: 24 August 2006 00:09
>> To: MailScanner discussion
>> Subject: Block Postive Phishing Frauds
>>
>> I am about to enable phishing fraud detection for the first
>> time - but i
>> would prefer to block the email rather than forward with a warning.
>>
>> How do i easily raise the score of email that get the
>> phishing warning?
>> Or is there a better way to block these emails?
>>
>> Thanks
>> Pete

From res at ausics.net Fri Aug 25 00:36:51 2006
From: res at ausics.net (Res)
Date: Fri Aug 25 00:37:02 2006
Subject: Reloading confs
In-Reply-To:
References:
Message-ID:

On Thu, 24 Aug 2006, Colin Jack wrote:

> Nope ... been there, done that ;)

Colin, you have a very broken setup... Did you by any chance re install sendmail rpm after mailscanner?

in the interim type " killall -HUP MailScanner " this will solve your immediate issue

>
> Not in init.d ... but it's running!

most likely because of a cron task ?

cd /etc/rc.d
grep -ri mailscanner *

where is it ? :)

>
>

--
Cheers
Res
Aussie Open Source Hosting
"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From lshaw at emitinc.com Fri Aug 25 00:48:01 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Aug 25 00:48:13 2006
Subject: Reloading confs
In-Reply-To: <1156435815.14266.13.camel@lin-workstation.azapple.com>
References: <1156435815.14266.13.camel@lin-workstation.azapple.com>
Message-ID:

On Thu, 24 Aug 2006, Craig White wrote:
> On Thu, 2006-08-24 at 16:46 +0100, Colin Jack wrote:
>> I presume I need to restart MailScanner every time I modify the .conf
>> files?
>> At the moment I do this by restarting sendmail ... is there an easier
>> way? :)
> You shouldn't ever start sendmail (or restart sendmail) - you should
> only restart MailScanner which in turns stops/starts sendmail for you.

I've never really understood this.
As far as I know, the dependency graph for proper operation looks like this:

  overall-mail-flow -> mailscanner
  overall-mail-flow -> sendmail

But as far as I know, the graph doesn't contain either of these two relationships:

  mailscanner -> sendmail
  sendmail -> mailscanner

Put another way, sendmail can happily run with MailScanner stopped. It will just queue up messages in the incoming queue, and will possibly chew on delivering any messages remaining in the outgoing queue. Things will never move from one queue to another, but that isn't sendmail's job.

Likewise, it also seems like MailScanner can happily run with sendmail stopped. Any messages that are in the incoming queue will get processed and moved to the outgoing queue. No new messages will be placed in the incoming queue and messages in the outgoing queue will get delivered anywhere, but that's not MailScanner's job.

As a result, I don't understand why the two services are tied together in one startup script. In fact, it seems definitely preferable to be able to restart mailscanner and leave sendmail running. In fact, this is exactly what I do. When I make a configuration change, I stop MailScanner ("bwahahaha...") but leave sendmail running. I can then make sure that if one of my users has his MUA connected to sendmail and is in the middle of sending a 5 MB attachment, that won't be disturbed. The users won't ever notice a broken connection or refused connection on port 587. Remote servers won't ever notice a refused connection on port 25 and as a result try and hit my secondary MX. It just makes more sense to me to leave sendmail up and let it queue messages if there is no reason to take that service down. It lessens the impact of making mailscanner changes.

So is there something I'm missing? Is there a reason why it is the way it is?
- Logan

From lshaw at emitinc.com Fri Aug 25 00:53:48 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Aug 25 00:54:00 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com>
Message-ID:

On Thu, 24 Aug 2006, Jeff A. Earickson wrote:
> Nope, didn't work for me. I turned on the "-x" option in my init.d
> script, the check_mailscanner script, watched it as I ran things by
> hand. The loop-up is somewhere after the bin/MailScanner perl code
> is launched.

In that case, it sounds like a configuration issue with MailScanner more than an init script issue. You could try passing the "--debug" and(?)/or "--lint" arguments to MailScanner when it starts up, I guess.

> FWIW, the "stop" option in my init.d script does not
> work either. The only way I can get things stopped is via
> "pkill -9 MailScanner". The mystery continues.

That's very odd. Are you sure it doesn't stop with just a "pkill MailScanner"?! It really only stops with a "-9"? If so, that would be fairly unusual for a Perl script.

- Logan

From ssilva at sgvwater.com Fri Aug 25 00:54:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 25 00:56:34 2006
Subject: Reloading confs
In-Reply-To:
References: <1156435815.14266.13.camel@lin-workstation.azapple.com>
Message-ID:

Logan Shaw spake the following on 8/24/2006 4:48 PM:
> On Thu, 24 Aug 2006, Craig White wrote:
>> On Thu, 2006-08-24 at 16:46 +0100, Colin Jack wrote:
>>> I presume I need to restart MailScanner every time I modify the .conf
>>> files?
>>> At the moment I do this by restarting sendmail ... is there an easier
>>> way? :)
>
>> You shouldn't ever start sendmail (or restart sendmail) - you should
>> only restart MailScanner which in turns stops/starts sendmail for you.
>
> I've never really understood this.
> As far as I know, the
> dependency graph for proper operation looks like this:
>
> overall-mail-flow -> mailscanner
> overall-mail-flow -> sendmail
>
> But as far as I know, the graph doesn't contain either of
> these two relationships:
>
> mailscanner -> sendmail
> sendmail -> mailscanner
>
> Put another way, sendmail can happily run with MailScanner
> stopped. It will just queue up messages in the incoming queue,
> and will possibly chew on delivering any messages remaining
> in the outgoing queue. Things will never move from one queue
> to another, but that isn't sendmail's job.
>
> Likewise, it also seems like MailScanner can happily run with
> sendmail stopped. Any messages that are in the incoming
> queue will get processed and moved to the outgoing queue.
> No new messages will be placed in the incoming queue and
> messages in the outgoing queue will get delivered anywhere,
> but that's not MailScanner's job.
>
> As a result, I don't understand why the two services are tied
> together in one startup script. In fact, it seems definitely
> preferable to be able to restart mailscanner and leave sendmail
> running. In fact, this is exactly what I do. When I make a
> configuration change, I stop MailScanner ("bwahahaha...") but
> leave sendmail running. I can then make sure that if one of my
> users has his MUA connected to sendmail and is in the middle of
> sending a 5 MB attachment, that won't be disturbed. The users
> won't ever notice a broken connection or refused connection on
> port 587. Remote servers won't ever notice a refused connection
> on port 25 and as a result try and hit my secondary MX. It just
> makes more sense to me to leave sendmail up and let it queue
> messages if there is no reason to take that service down.
> It lessens the impact of making mailscanner changes.
>
> So is there something I'm missing? Is there a reason why it
> is the way it is?
>
> - Logan

Mailscanner takes care of scanning the mail.
It starts sendmail differently than if you start sendmail on its own. If you start sendmail and then start MailScanner, you usually get errors about sendmail can't bind to port, already in use. If you start sendmail with service sendmail start, and leave mailscanner off, sendmail will happily forward every mail that comes in, whether it is clean, spam, or virus.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From craigwhite at azapple.com Fri Aug 25 01:52:01 2006
From: craigwhite at azapple.com (Craig White)
Date: Fri Aug 25 01:53:35 2006
Subject: Reloading confs
In-Reply-To:
References:
Message-ID: <1156467121.14266.27.camel@lin-workstation.azapple.com>

Is it possible that you didn't register it?

chkconfig MailScanner on

Craig

On Thu, 2006-08-24 at 19:44 +0100, Colin Jack wrote:
> Did that before and ...
>
> [root@server1 ~]# service MailScanner reload
> MailScanner: unrecognized service
> [root@server1 ~]#
>
> This is a CentOS box which is based on RH Ent
>
> Colin
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Jim Holland
> > Sent: 24 August 2006 17:05
> > To: MailScanner discussion
> > Subject: Re: Reloading confs
> >
> > On Thu, 24 Aug 2006, Colin Jack wrote:
> >
> > > I presume I need to restart MailScanner every time I modify
> > the .conf
> > > files? At the moment I do this by restarting sendmail ...
> > is there an
> > > easier way? :)
> >
> > service MailScanner reload
> >
> > then tail or view your maillog file to look for any errors.
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service

From randyf at sibernet.com Fri Aug 25 04:57:41 2006
From: randyf at sibernet.com (Randy Fishel)
Date: Fri Aug 25 04:59:32 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com>
Message-ID:

On Aug 24, 2006, at 10:43 AM, Jeff A. Earickson wrote:
> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>
>> Date: Thu, 24 Aug 2006 17:49:46 +0100
>> From: Martin Hepworth
>> Reply-To: MailScanner discussion
>> To: MailScanner discussion
>> Subject: Re: Solaris 10 init.d startup failing
>> Jeff A. Earickson wrote:
>>> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>>>> Date: Thu, 24 Aug 2006 17:38:14 +0100
>>>> From: Martin Hepworth
>>>> Reply-To: MailScanner discussion
>>>>
>>>> To: MailScanner discussion
>>>> Subject: Re: Solaris 10 init.d startup failing
>>>> Ray Gardener wrote:
>>>>> Hi,
>>>>> I had cause to reboot a Sunblade server running Exim and
>>>>> MailScanner version 4.53.8 and noticed an error. The mailscanner
>>>>> program is started by invoking MailScanner from the exim
>>>>> startup script in /etc/init.d. [I know this is a legacy method
>>>>> for Solaris 10 but do this to maintain consistency with other
>>>>> mailhubs based on Solaris 9]. On boot-up mailscanner instances
>>>>> were started and the startup log line was present in /var/log/
>>>>> maillog but the instances of mailscanner ate memory very
>>>>> quickly and didn't process mail. Pkilling the mailscanner
>>>>> instances and stopping and starting the init.d script resulted
>>>>> in a working system processing mail.
>>>>> Has anyone else seen this on Solaris 10 and if so is there a
>>>>> workaround?
>>>>> Incidentally I later created a smf mailscanner service and tried
>>>>> to use that to start mailscanner but this also ate memory and
>>>>> didn't process mail.
>>>>> Regards,
>>>>> __________________________________________________________________
>>>>> __________ Ray Gardener,
>>>>> IT Services, LITS,
>>>>> Sheffield Hallam University,
>>>>> Howard Street,
>>>>> Sheffield,
>>>>> UK
>>>>> S1 1WB
>>>>> Telephone: +44 114 225 4926
>>>>> Fax: +44 114 225 3840
>>>>> Mobile: +44 07788190005
>>>>> Email: R.A.Gardener@shu.ac.uk
>>>> Ray
>>>> only problem like this is when using MS in combination with
>>>> MailWatch.
>>>> Problem can be that mysql isn't fully operational by the time MS
>>>> starts up...so the first connection hangs.
>>>> I solved this by putting a wait 30 at the start() function to
>>>> make sure mysql is up and accepting connections before we start MS.
>>> Martin,
>>> Can you post a diff of your change to the list so I can try it here?
>>> I don't use MailWatch or sql, so maybe a smaller wait time would
>>> solve
>>> my issue. Thanks.
>>> Jeff Earickson
>>> Colby College
>> Jeff
>>
>> just added a sleep 30 at the top of the start) case statement in
>> the rc.d script...
>
> Nope, didn't work for me. I turned on the "-x" option in my init.d
> script, the check_mailscanner script, watched it as I ran things by
> hand. The loop-up is somewhere after the bin/MailScanner perl code
> is launched. FWIW, the "stop" option in my init.d script does not
> work either. The only way I can get things stopped is via
> "pkill -9 MailScanner". The mystery continues.
>
> Jeff Earickson
> Colby College
> --

I just created a manifest and have MailScanner run as a service and have had no problems starting _or_ stopping it. By setting all the correct dependencies, there should be no reason for waiting.
My manifest replaces the Solaris smtp service, and starts sendmail as well, but there is no reason that there couldn't be a manifest for MailScanner that depends on sendmail or any other MTA.

I could easily generate a MailScanner manifest and test it standalone if there is value.

rf

From micoots at yahoo.com Fri Aug 25 05:24:57 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Fri Aug 25 05:25:01 2006
Subject: Allowing BMP files through for a particular domain
Message-ID: <20060825042457.36008.qmail@web33301.mail.mud.yahoo.com>

Hi,

I have one domain which requires BMP files to be let through for their domain.

I added the following two lines to my "domainname.com.filetype.rules.conf" file:

allow \.bmp$ Yes BMP files BMP graphics files allowed
allow BMP Yes BMP files BMP graphics files allowed

but MailScanner keeps blocking the BMP's.

Is there something I'm missing?

Thanks.

Michael.

From james at grayonline.id.au Fri Aug 25 03:14:39 2006
From: james at grayonline.id.au (James Gray)
Date: Fri Aug 25 07:56:34 2006
Subject: HTML Scripts etc, now quarantined....help
Message-ID: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au>

Hi All,

This is simply a case of looking at a problem for too long - I can no longer see a clue for the clue bats! In preparation for a policy change (that takes effect this weekend) I've been abstracting a whole bunch of stuff out to rule files and such (see my previous message "Rule set - is this valid" earlier this week). Now I've noticed that all messages with HTML scripts, IFRAME tags or CODEBASE tags are being quarantined instead of disarmed and delivered. I've read the MailScanner.conf file so many times now, I've managed to totally confuse myself :-S It happens...usually on Fridays.
So my question to the group: what magic mix of Silent Viruses/Deliver/Quarantine options do I need to achieve the above (disarm+deliver HTML script/iframe/codebase tags and webbugs)?? I've disabled all the rule sets at this stage and using global options for all users/domains from the MailScanner.conf file and I still can't get it right!

This isn't a show stopper for the weekend's plans, but when the CTO didn't get his daily news digest in fancy HTML this morning, I heard all about it![1] I'd rather be able to calm him down by delivering his mail on Monday :)

Cheers,

James

[1] - Pulled it from quarantine and he was appeased, but still not "pleased".

From james at grayonline.id.au Fri Aug 25 08:18:01 2006
From: james at grayonline.id.au (James Gray)
Date: Fri Aug 25 08:18:33 2006
Subject: Allowing BMP files through for a particular domain
In-Reply-To: <20060825042457.36008.qmail@web33301.mail.mud.yahoo.com>
References: <20060825042457.36008.qmail@web33301.mail.mud.yahoo.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/08/2006, at 2:24 PM, Michael Mansour wrote:
> Hi,
>
> I have one domain which requires BMP files to be let
> through for their domain.
>
> I added the following two lines to my
> "domainname.com.filetype.rules.conf" file:
>
> allow \.bmp$ Yes BMP files BMP
> graphics files allowed
> allow BMP Yes BMP files BMP
> graphics files allowed
>
> but MailScanner keeps blocking the BMP's.
>
> Is there something I'm missing?

Hi Michael,

I assume you already have a rule set for the filetype actions in MailScanner.conf, let's call it "filetype.user.rules".
Filetype Rules = %rules-dir%/filetype.user.rules

In filetype.user.rules you'll need this (watch the wrap - each of these is on a single line):

From: *@domainname.com /path/to/domainname.com.filetype.rules.conf /path/to/default/filetype.rules.conf
FromOrTo: default /path/to/default/filetype.rules.conf

Keep in mind file names and file types behave in unison to block if either block and only allow if both allow. If the attachment is allowed by filetypes, but blocked under file names, the attachment will be blocked. It will only be allowed if there is no rule to handle it in either file names or file types, OR it is explicitly "allowed" in BOTH file names AND file types.

Filename | Filetype | Result
-------------------------------
allowed  | allowed  | allowed
allowed  | denied   | blocked
denied   | allowed  | blocked
denied   | denied   | blocked
N/A      | N/A      | allowed
denied   | N/A      | blocked
N/A      | denied   | blocked
allowed  | N/A      | allowed
N/A      | allowed  | allowed

N/A = no explicit rule to allow or deny in the rule file.

You may need to look at complementing your file type rules with a customised set of file NAME rules. Have a look at:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading&s=rules
(or http://tinyurl.com/hua4e if that wraps)

Cheers,

James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE7qQtwBHpdJO7b9ERAlvsAJ4zOUk2CiIQpwFHRljrnBB6NpUKewCfUvAl
7gSHOrMOLNhRowinsFwEEfk=
=JHp5
-----END PGP SIGNATURE-----

From a.peacock at chime.ucl.ac.uk Fri Aug 25 08:57:34 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Fri Aug 25 08:57:45 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44EDE4B0.20808@pacific.net>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net>
Message-ID: <44EEAD6E.80009@chime.ucl.ac.uk>

Ken A wrote:
>
>
> Logan Shaw wrote:
>> On Thu, 24 Aug 2006, Julian Field wrote:
>>> Anthony Peacock wrote:
>>>> Julian Field wrote:
>>
>>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>>> first line that only contains white space.
>>
>>>> I have been watching this discussion with a growing uneasiness. I
>>>> could be wrong but doesn't this behaviour open up the system to
>>>> problems with huge image files...
>>
>>> Yes, you are absolutely correct. Non-spam may well include huge images.
>>> The problem with rewinding to the previous boundary is that you may end
>>> up not giving SpamAssassin _anything_ to work with.
>>>
>>> So it's up for a vote:
>>>
>>> do I chop half way through an image?
>>> do I chop at the end of an image?
>>> do I carry on for a max of 100 lines of Base64 data or until the end of
>>> an image, which is earlier?
>>
>> I don't like the last option at all. It still easily allows
>> a situation where a valid message with a valid image in it
>> gets detected as a corrupt image and hits a rule that scores
>> it as spam.
>>
>> If we assume there are 80 columns of base64 data per line, then
>> we get 60 bytes per line (since each base64 character carries
>> 6 bits of data). That means 100 lines only holds 6K, maximum.
>>
>> So this option only works if the chop-off point randomly
>> happens to fall within the last 6K (or less) of the image.
>> If the max message size causes the initial chop-off point to
>> fall any earlier, it still creates an invalid image. If you
>> have a 50K max message size and someone sends a 75K image
>> (which is not out of the ordinary at all), this method will
>> keep going up to 56K and then quit.
>>
>> Basically, adding the 100 extra lines is really not much better
>> than chopping right at the max message size barrier, unless
>> you assume that most images aren't much larger than 6K, which
>> I don't think is a valid assumption at all. So, this option
>> adds extra complexity and doesn't really give much benefit.
>>
>> - Logan
>
> I'm all for #3 and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you
> are worried about false positives. Fuzzyocr will get better at sorting
> this out. And of course in the mean time, don't use outlook, since it
> will probably render corrupt images just fine. (it's a feature)

This could be controversial here...

I have another suggestion, why don't we agree to leave the MailScanner code alone. Those people who are experiencing problems with broken images can raise the value of "Max SpamAssassin Size" in *THEIR* configurations, the rest of us can carry on as normal.

There is already a way for people to adjust how much information SA gets from MailScanner, people who need more information can use that on their systems.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple.
But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From martinh at solid-state-logic.com Fri Aug 25 09:06:07 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Fri Aug 25 09:06:18 2006 Subject: Solaris 10 init.d startup failing In-Reply-To: References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> Message-ID: <44EEAF6F.3040701@solid-state-logic.com> Randy Fishel wrote: > > On Aug 24, 2006, at 10:43 AM, Jeff A. Earickson wrote: > >> On Thu, 24 Aug 2006, Martin Hepworth wrote: >> >>> Date: Thu, 24 Aug 2006 17:49:46 +0100 >>> From: Martin Hepworth >>> Reply-To: MailScanner discussion >>> To: MailScanner discussion >>> Subject: Re: Solaris 10 init.d startup failing >>> Jeff A. Earickson wrote: >>>> On Thu, 24 Aug 2006, Martin Hepworth wrote: >>>>> Date: Thu, 24 Aug 2006 17:38:14 +0100 >>>>> From: Martin Hepworth >>>>> Reply-To: MailScanner discussion >>>>> To: MailScanner discussion >>>>> Subject: Re: Solaris 10 init.d startup failing >>>>> Ray Gardener wrote: >>>>>> Hi, >>>>>> I had cause to reboot a Sunblade server running Exim and >>>>>> MailScanner version 4.53.8 and noticed a error. The mailscanner >>>>>> program is started by invoking MailScanner from the exim startup >>>>>> script in /etc/init.d. [I know this is a legacy method for Solaris >>>>>> 10 but do this to maintain consistency with other mailhubs based >>>>>> on Solaris 9]. On boot-up mainscannner instances were started and >>>>>> the startup log line was present in /var/log/maillog but the >>>>>> instances of mailscanner ate memory very quickly and didn't >>>>>> process mail. Pkilling the mailscanner instances and stopping and >>>>>> starting the init.d script resulted in a working system processing >>>>>> mail. >>>>>> Has anyone else seen this on Solaris 10 and if so is there a >>>>>> workaround? 
>>>>>> Incientally I later created a smf mailscanner service and tried to >>>>>> use that to start mailscanner but this also ate memory and didn't >>>>>> process mail. >>>>>> Regards, >>>>>> ____________________________________________________________________________ >>>>>> Ray Gardener, >>>>>> IT Services, LITS, >>>>>> Sheffield Hallam University, >>>>>> Howard Street, >>>>>> Sheffield, >>>>>> UK >>>>>> S1 1WB >>>>>> Telephone: +44 114 225 4926 >>>>>> Fax: +44 114 225 3840 >>>>>> Mobile: +44 07788190005 >>>>>> Email: R.A.Gardener@shu.ac.uk >>>>> Ray >>>>> only problem like this is when using MS in combination with MailWatch. >>>>> Problem can be that mysql isn't fully operational by the time MS >>>>> starts up...so the first connection hangs. >>>>> I solved this by putting a wait 30 at the start() function to make >>>>> sure mysql is up and accepting connections before we start MS. >>>> Martin, >>>> Can you post a diff of your change to the list so I can try it here? >>>> I don't use MailWatch or sql, so maybe a smaller wait time would solve >>>> my issue. Thanks. >>>> Jeff Earickson >>>> Colby College >>> Jeff >>> >>> just added a sleep 30 at the top of the start) case statement in the >>> rc.d script... >> >> Nope, didn't work for me. I turned on the "-x" option in my init.d >> script, the check_mailscanner script, watched it as I ran things by >> hand. The loop-up is somewhere after the bin/MailScanner perl code >> is launched. FWIW, the "stop" option in my init.d script does not >> work either. The only way I can get things stopped is via >> "pkill -9 MailScanner". The mystery continues. >> >> Jeff Earickson >> Colby College >> -- > > I just created a manifest and have MailScanner run as a service and > have had no problems starting _or_ stopping it. By setting all the > correct dependancies, there should be no reason for waiting. 
> My manifest replaces the Solaris smtp service, and starts sendmail as well,
> but there is no reason that there couldn't be a manifest for MailScanner
> that depends on sendmail or any other MTA. I could easily generate a
> MailScanner manifest and test it standalone if there is value.
>
> rf
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

Randy

How about posting that to the list, or (even better) drop in to the wiki.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From R.A.Gardener at shu.ac.uk Fri Aug 25 09:42:55 2006
From: R.A.Gardener at shu.ac.uk (Ray Gardener)
Date: Fri Aug 25 09:44:05 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To: <44EEAF6F.3040701@solid-state-logic.com>
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEAF6F.3040701@solid-state-logic.com>
Message-ID:

Many thanks for the number of useful replies; I would be interested in using a different manifest to the one that I knocked together quicker and tried with no positive results.

One thing I haven't tried and should is to trace the errant mailscanner processes using something like truss which I will try and do and report back the findings.
____________________________________________________________________________ Ray Gardener, IT Services, LITS, Sheffield Hallam University, Howard Street, Sheffield, UK S1 1WB Telephone: +44 114 225 4926 Fax: +44 114 225 3840 Mobile: +44 07788190005 Email: R.A.Gardener@shu.ac.uk On Fri, 25 Aug 2006, Martin Hepworth wrote: > Randy Fishel wrote: >> >> On Aug 24, 2006, at 10:43 AM, Jeff A. Earickson wrote: >> >>> On Thu, 24 Aug 2006, Martin Hepworth wrote: >>> >>>> Date: Thu, 24 Aug 2006 17:49:46 +0100 >>>> From: Martin Hepworth >>>> Reply-To: MailScanner discussion >>>> To: MailScanner discussion >>>> Subject: Re: Solaris 10 init.d startup failing >>>> Jeff A. Earickson wrote: >>>>> On Thu, 24 Aug 2006, Martin Hepworth wrote: >>>>>> Date: Thu, 24 Aug 2006 17:38:14 +0100 >>>>>> From: Martin Hepworth >>>>>> Reply-To: MailScanner discussion >>>>>> To: MailScanner discussion >>>>>> Subject: Re: Solaris 10 init.d startup failing >>>>>> Ray Gardener wrote: >>>>>>> Hi, >>>>>>> I had cause to reboot a Sunblade server running Exim and MailScanner >>>>>>> version 4.53.8 and noticed a error. The mailscanner program is started >>>>>>> by invoking MailScanner from the exim startup script in /etc/init.d. >>>>>>> [I know this is a legacy method for Solaris 10 but do this to maintain >>>>>>> consistency with other mailhubs based on Solaris 9]. On boot-up >>>>>>> mainscannner instances were started and the startup log line was >>>>>>> present in /var/log/maillog but the instances of mailscanner ate >>>>>>> memory very quickly and didn't process mail. Pkilling the mailscanner >>>>>>> instances and stopping and starting the init.d script resulted in a >>>>>>> working system processing mail. >>>>>>> Has anyone else seen this on Solaris 10 and if so is there a >>>>>>> workaround? >>>>>>> Incientally I later created a smf mailscanner service and tried to use >>>>>>> that to start mailscanner but this also ate memory and didn't process >>>>>>> mail. 
>>>>>>> Regards, >>>>>>> ____________________________________________________________________________ >>>>>>> Ray Gardener, >>>>>>> IT Services, LITS, >>>>>>> Sheffield Hallam University, >>>>>>> Howard Street, >>>>>>> Sheffield, >>>>>>> UK >>>>>>> S1 1WB >>>>>>> Telephone: +44 114 225 4926 >>>>>>> Fax: +44 114 225 3840 >>>>>>> Mobile: +44 07788190005 >>>>>>> Email: R.A.Gardener@shu.ac.uk >>>>>> Ray >>>>>> only problem like this is when using MS in combination with MailWatch. >>>>>> Problem can be that mysql isn't fully operational by the time MS starts >>>>>> up...so the first connection hangs. >>>>>> I solved this by putting a wait 30 at the start() function to make sure >>>>>> mysql is up and accepting connections before we start MS. >>>>> Martin, >>>>> Can you post a diff of your change to the list so I can try it here? >>>>> I don't use MailWatch or sql, so maybe a smaller wait time would solve >>>>> my issue. Thanks. >>>>> Jeff Earickson >>>>> Colby College >>>> Jeff >>>> >>>> just added a sleep 30 at the top of the start) case statement in the rc.d >>>> script... >>> >>> Nope, didn't work for me. I turned on the "-x" option in my init.d >>> script, the check_mailscanner script, watched it as I ran things by >>> hand. The loop-up is somewhere after the bin/MailScanner perl code >>> is launched. FWIW, the "stop" option in my init.d script does not >>> work either. The only way I can get things stopped is via >>> "pkill -9 MailScanner". The mystery continues. >>> >>> Jeff Earickson >>> Colby College >>> -- >> >> I just created a manifest and have MailScanner run as a service and have >> had no problems starting _or_ stopping it. By setting all the correct >> dependancies, there should be no reason for waiting. My manifest replaces >> the Solaris smtp service, and starts sendmail as well, but there is no >> reason that there couldn't be a manifest for MailScanner that depends on >> sendmail or any other MTA. 
>> I could easily generate a MailScanner manifest
>> and test it standalone if there is value.
>>
>> rf
> Randy
>
> How about posting that to the list, or (even better) drop in to the wiki.
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Aug 25 09:54:54 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Aug 25 09:55:09 2006
Subject: SA Timeouts
Message-ID: <16e381b5f5201067f490110107db6f25@localhost>

Hi All,

I just saw the following error in my logfile :-

SpamAssassin timed out and was killed, failure 1 of 10

but the email still passed through as being un-checked. Is it possible to configure MailScanner so that it will re-check the email if the test timed out?

TIA

--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solid-state-logic.com Fri Aug 25 10:05:16 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Fri Aug 25 10:05:33 2006
Subject: SA Timeouts
In-Reply-To: <16e381b5f5201067f490110107db6f25@localhost>
References: <16e381b5f5201067f490110107db6f25@localhost>
Message-ID: <44EEBD4C.6050709@solid-state-logic.com>

--[ UxBoD ]-- wrote:
> Hi All,
>
> I just saw the following error in my logfile :-
>
> SpamAssassin timed out and was killed, failure 1 of 10
>
> but the email still passed through as being un-checked. Is it possible to configure MailScanner so that it will re-check the email if the test timed out?
>
> TIA
>
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>
>

You need to figure out why SA timed out.....

DNS/RBL issues or bayes cleanup issues are the usual suspects.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Aug 25 10:48:04 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Aug 25 10:48:17 2006
Subject: SA Timeouts
In-Reply-To: <44EEBD4C.6050709@solid-state-logic.com>
References: <44EEBD4C.6050709@solid-state-logic.com>
Message-ID:

Thanks Martin. Yeah it must be the bayes rebuild, have told it to wait now.

On Fri, 25 Aug 2006 10:05:16 +0100, Martin Hepworth wrote:
> --[ UxBoD ]-- wrote:
>> Hi All,
>>
>> I just saw the following error in my logfile :-
>>
>> SpamAssassin timed out and was killed, failure 1 of 10
>>
>> but the email still passed through as being un-checked. Is it possible to configure MailScanner so that it will re-check the email if the test timed out?
>>
>> TIA
>>
>> --[ UxBoD ]--
>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>>
>>
>
> You need to figure out why SA timed out.....
>
> DNS/RBL issues or bayes cleanup issues are the usual suspects.
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

From sergiogc at treelogic.com Fri Aug 25 11:20:05 2006
From: sergiogc at treelogic.com (Sergio García Caso)
Date: Fri Aug 25 11:15:55 2006
Subject: MailScanner hangs once a day
Message-ID: <44EECED5.1070603@treelogic.com>

Hello,

I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3 and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.

The problem is that MailScanner hangs once a day (always at 09.30-10.00) so I have to restart it (/etc/init.d/mailscanner restart).

I get the following info in the log ('mail.info'):

...
Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2: from=, size=2840, nrcpt=1 (queue active)
Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4: from=, size=10478, nrcpt=1 (queue active)
Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4 messages
Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing completed at 3609875 bytes per second
Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at 932113606 bytes per second
Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538 bytes per second (168675 / 109)
Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages) processed in 109.62 seconds
Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying of old age
...

Can anybody help me?

Thanks.

From mailscanner at ecs.soton.ac.uk Fri Aug 25 11:31:25 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 25 11:31:42 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <44ED9E04.5040801@USherbrooke.ca>
References: <44ED9E04.5040801@USherbrooke.ca>
Message-ID: <44EED17D.6050305@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That is what I would expect to happen. RPM won't overwrite a file owned by another package unless forced to (which I don't like doing).

Denis Beauchemin wrote:
> Jim Holland wrote:
>> On Wed, 23 Aug 2006, Julian Field wrote:
>>
>>
>>> Jim Holland wrote:
>>>
>>>> Hi Julian
>>>>
>>>> I installed the above beta version this evening on Red Hat 7.1
>>>> earlier this evening, just after installing sendmail 8.13.8. See
>>>> details of configuration below (you may notice that it is using
>>>> Sys::Syslog version 0.01 - the current version does not compile on
>>>> RH 7.1).
>>>>
>>>> The installation went fine, but I experienced the following error
>>>> when trying to start MailScanner:
>>>>
>>>> Can't locate Sys/Hostname/Long.pm in @INC . . .
>>>> >>>> That was solved by installing Sys::Hostname::Long using cpan and it >>>> worked fine after that. >>>> >>> I'll take a look. What happened when the install.sh tried to install it? >>> >> >> Nothing. There were no errors in the installation log, which I have >> copied to you separately. However I see that with the list of modules >> to be installed in the install.sh script there is nothing reported in >> the log for modules after Getopt::Long, ie for: >> >> Time::HiRes Time-HiRes 1.86 1 noarch >> Filesys::Df Filesys-Df 0.90 1 noarch >> Net::IP Net-IP 1.24 1 noarch >> Sys::Hostname::Long Sys-Hostname-Long 1.4 1 noarch >> Sys::Syslog Sys-Syslog 0.17 1 noarch >> >> The next entry in the install log is for the tnef decoder. >> >> In my case I have the following versions of the above modules now >> installed: >> >> Time::HiRes 1.86 (I don't know when this was installed) >> Filesys::Df 0.92 (which I had to install manually when >> upgrading to 4.54.6) >> Net::IP missing >> Sys::Hostname::Long 1.4 (after installing it manually) >> Sys::Syslog 0.01 (the install script has never attempted to >> upgrade this module) >> >> It does look as if there could be a problem with the install script >> because I remember when installing 4.50.10-1 at the beginning of the year >> I had to install a whole bunch of Perl modules (eg DBI, SQL-Lite) >> manually at that time too. >> >> >>>> You have very kindly included a new facility for providing separate >>>> reports for messages and attachments which have been blocked or >>>> quarantined due to user specified size restrictions. 
>>>> I have done
>>>> some testing on both oversize messages and attachments, and am
>>>> pleased to report that it works exactly as intended for attachments,
>>>> giving a report such as:
>>>>
>>>> MailScanner: Attachment is too large: 154303 bytes
>>>>
>>>> However in the case of oversize messages, the report is just:
>>>>
>>>> MailScanner: Message is too large
>>>>
>>>> with no indication of the size of the message that has been
>>>> quarantined. Would it be possible to include the size in that case
>>>> as well? That would be very helpful for people who don't want to
>>>> unquarantine a message that is far too large for them to handle.
>>>>
>>> I'll take a look and see. I can only think that there was some good
>>> reason why I couldn't do it.
>>>
> Julian,
>
> I installed 4.56.1-1 yesterday and I also noticed problems with the
> installation of Perl modules:
> Preparing... ########################################### [100%]
> file /usr/lib/perl5/5.8.5/File/Temp.pm from install of perl-File-Temp-0.16-1 conflicts with file from package perl-5.8.5-36.RHEL4
> file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.16-1 conflicts with file from package perl-5.8.5-36.RHEL4
> Preparing... ########################################### [100%]
> file /usr/lib/perl5/5.8.5/i386-linux-thread-multi/Sys/Syslog.pm from install of perl-Sys-Syslog-0.17-1 conflicts with file from package perl-5.8.5-36.RHEL4
> file /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/Sys/Syslog/Syslog.so from install of perl-Sys-Syslog-0.17-1 conflicts with file from package perl-5.8.5-36.RHEL4
>
> In the following output you can see that File::Temp is still at version
> 0.14 and Sys::Syslog at version 0.08:
> /usr/sbin/MailScanner -v
> Running on
> Linux ... 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux
> This is Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
> This is Perl version 5.008005 (5.8.5)
>
> This is MailScanner version 4.56.1
> Module versions are:
> 1.00 AnyDBM_File
> 1.14 Archive::Zip
> 1.03 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.05 Fcntl
> 2.73 File::Basename
> 2.08 File::Copy
> 2.01 FileHandle
> 1.06 File::Path
> 0.14 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.21 IO
> 1.10 IO::File
> 1.123 IO::Pipe
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.11 Net::CIDR
> 1.08 POSIX
> 1.77 Socket
> 1.4 Sys::Hostname::Long
> 0.08 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.809 DB_File
> 1.12 DBD::SQLite
> 1.50 DBI
> 1.08 Digest
> 1.01 Digest::HMAC
> 2.33 Digest::MD5
> 2.10 Digest::SHA1
> 0.44 Inline
> 0.17 Mail::ClamAV
> 3.001000 Mail::SpamAssassin
> 1.998 Mail::SPF::Query
> 0.18 Net::CIDR::Lite
> 1.24 Net::IP
> 0.55 Net::DNS
> 0.31 Net::LDAP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.42 Test::Harness
> 0.47 Test::Simple
> 1.95 Text::Balanced
> 1.35 URI
>
> Denis
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Charset: ISO-8859-1

wj8DBQFE7tF+EfZZRxQVtlQRAs2bAJ96JxzK73md8k6pSGb/kVGBPE9kcgCg+01I
guePT1ABhgiEPqueIqKyYRQ=
=EZ1T
-----END PGP SIGNATURE-----
For all your IT requirements visit www.transtec.co.uk From simon at ateb.co.uk Fri Aug 25 11:18:53 2006 From: simon at ateb.co.uk (Simon Annetts) Date: Fri Aug 25 11:35:47 2006 Subject: List of variables for substitution in reports? Message-ID: <017001c6c832$35144a40$1404040a@purple> Sorry if this question has been asked before. Where can I find a list of all the variables that can be substituted into reports and in the config file for things such as subject lines etc? I can see some in the reports like $report :-) but to have a definitive list would be very helpful. Thanks in advance Simon From glenn.steen at gmail.com Fri Aug 25 11:42:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 25 11:42:27 2006 Subject: HTML Scripts etc, now quarantined....help In-Reply-To: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au> References: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au> Message-ID: <223f97700608250342s5b76fbbdj6d91b51873dd9804@mail.gmail.com> On 25/08/06, James Gray wrote: > Hi All, > > This is simply a case of looking at a problem for too long - I can no > longer see a clue for the clue bats! In preparation for a policy > change (that takes effect this weekend) I've been abstracting a whole > bunch of stuff out to rule files and such (see my previous message > "Rule set - is this valid" earlier this week). Now I've noticed that > all messages with HTML scripts, IFRAME tags or CODEBASE tags are > being quarantined instead of disarmed and delivered. > > I've read the MailScanner.conf file so many times now, I've managed > to totally confuse myself :-S It happens...usually on Fridays. Oh yes, a very common phenomenon... Been ther, done that etc:-). > So my question to the group: what magic mix of Silent Viruses/Deliver/ > Quarantine options do I need to achieve the above (disarm+deliver > HTML script/iframe/codebase tags and webugs)?? 
I've disabled all the > rule sets at this stage and using global options for all users/ > domains from the MailScanner.conf file and I still can't get it right! > > This isn't show stopper for the weekend's plans, but when the CTO > didn't get his daily news digest in fancy HTML this morning, I heard > all about it![1] I'd rather be able to calm him down by delivering > his mail on Monday :) > > Cheers, > > James > > [1] - Pulled it from quarantine and he was appeased, but still not > "pleased". > Sounds like CTO == PHB then:-). Have you looked at the Allow {Form | IFrame | Object Codebase} Tag settings? You can read up on that (and a host of other nice settings;) at http://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Form%20Tags Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Aug 25 11:53:29 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 25 11:53:32 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44EEAD6E.80009@chime.ucl.ac.uk> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> Message-ID: <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> On 25/08/06, Anthony Peacock wrote: > Ken A wrote: > > > > > > Logan Shaw wrote: > >> On Thu, 24 Aug 2006, Julian Field wrote: > >>> Anthony Peacock wrote: > >>>> Julian Field wrote: > >> > >>>>> Sounds survivable. After the limit I will keep going until I hit the > >>>>> first line that only contains white space. > >> > >>>> I have been watching this discussion with a growing uneasiness. I > >>>> could be wrong but doesn't this behaviour open up the system to > >>>> problems with huge image files... > >> > >>> Yes, you are absolutely correct. Non-spam may well include huge images. 
> >>> The problem with rewinding to the previous boundary is that you may end
> >>> up not giving SpamAssassin _anything_ to work with.
> >>>
> >>> So it's up for a vote:
> >>>
> >>> do I chop half way through an image?
> >>> do I chop at the end of an image?
> >>> do I carry on for a max of 100 lines of Base64 data or until the end of
> >>> an image, which is earlier?
> >>
> >> I don't like the last option at all. It still easily allows
> >> a situation where a valid message with a valid image in it
> >> gets detected as a corrupt image and hits a rule that scores
> >> it as spam.
> >>
> >> If we assume there are 80 columns of base64 data per line, then
> >> we get 60 bytes per line (since each base64 character carries
> >> 6 bits of data). That means 100 lines only holds 6K, maximum.
> >>
> >> So this option only works if the chop-off point randomly
> >> happens to fall within the last 6K (or less) of the image.
> >> If the max message size causes the initial chop-off point to
> >> fall any earlier, it still creates an invalid image. If you
> >> have a 50K max message size and someone sends a 75K image
> >> (which is not out of the ordinary at all), this method will
> >> keep going up to 56K and then quit.
> >>
> >> Basically, adding the 100 extra lines is really not much better
> >> than chopping right at the max message size barrier, unless
> >> you assume that most images aren't much larger than 6K, which
> >> I don't think is a valid assumption at all. So, this option
> >> adds extra complexity and doesn't really give much benefit.
> >>
> >> - Logan
> >
> > I'm all for #3 and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you
> > are worried about false positives. Fuzzyocr will get better at sorting
> > this out. And of course in the mean time, don't use outlook, since it
> > will probably render corrupt images just fine. (it's a feature)
>
> This could be controversial here...
>
>
> I have another suggestion, why don't we agree to leave the MailScanner
> code alone. Those people who are experiencing problems with broken
> images can raise the value of "Max SpamAssassin Size" in *THEIR*
> configurations, the rest of us can carry on as normal.
>
> There is already a way for people to adjust how much information SA gets
> from MailScanner, people who need more information can use that on
> their systems.
>
>
>
>

No need for dramatic escapes:-)
You and Logan have made some good arguments for the status quo...
After all, one needs to assess which is the lesser evil and go with
that. On the first readthrough I was simply not looking at this from
the correct perspective:-). MailScanner shouldn't need to solve this
"problem", at least not in such a way that it invites a possible DoS
(which is far more dire than a simple SA rule "misfire", of course).
That just tells us that both option 1 and 3 are viable though, so any
argument for option 3 would need to show that it would actually be
worthwhile to complicate the code further... And I can say I didn't do
my maths (shame on me), but Logan shows that the usefulness of option 3
is rather less than we could assume at the outset. Oh well. Change my
vote there to number 1.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Aug 25 12:03:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Aug 25 12:03:35 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44EECED5.1070603@treelogic.com>
References: <44EECED5.1070603@treelogic.com>
Message-ID: <223f97700608250403n6fc4066fx10a554fdd7140a37@mail.gmail.com>

On 25/08/06, Sergio García Caso wrote:
> Hello,
>
> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3
> and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
> The problem is that MailScanner hangs once a day (always at 09.30-10.00)
> so I have to restart it (/etc/init.d/mailscanner restart).
> I get the following info in the log ('mail.info'):
>
> ...
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2:
> from=, size=2840, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4:
> from=, size=10478, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4
> messages
> Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing completed
> at 3609875 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at
> 932113606 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538
> bytes per second (168675 / 109)
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages)
> processed in 109.62 seconds
> Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying of
> old age
> ...
>
> Can anybody help me?
> Thanks.
>

ISTR that this has had to do with non-queue files ending up in the
hold queue, thoroughly confusing matters, being the "root of this
evil":). So look at that. Might be from razor or tnef or somesuch
(might need to set razor up a bit etc).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jaearick at colby.edu Fri Aug 25 12:12:28 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 25 12:15:33 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com>
Message-ID:

On Thu, 24 Aug 2006, Randy Fishel wrote:
> Date: Thu, 24 Aug 2006 20:57:41 -0700
> From: Randy Fishel
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Solaris 10 init.d startup failing
>
>
> On Aug 24, 2006, at 10:43 AM, Jeff A.
Earickson wrote:
>
>> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>>
>>> Date: Thu, 24 Aug 2006 17:49:46 +0100
>>> From: Martin Hepworth
>>> Reply-To: MailScanner discussion
>>> To: MailScanner discussion
>>> Subject: Re: Solaris 10 init.d startup failing
>>> Jeff A. Earickson wrote:
>>>> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>>>>> Date: Thu, 24 Aug 2006 17:38:14 +0100
>>>>> From: Martin Hepworth
>>>>> Reply-To: MailScanner discussion
>>>>> To: MailScanner discussion
>>>>> Subject: Re: Solaris 10 init.d startup failing
>>>>> Ray Gardener wrote:
>>>>>> Hi,
>>>>>> I had cause to reboot a Sunblade server running Exim and MailScanner
>>>>>> version 4.53.8 and noticed an error. The mailscanner program is started
>>>>>> by invoking MailScanner from the exim startup script in /etc/init.d. [I
>>>>>> know this is a legacy method for Solaris 10 but do this to maintain
>>>>>> consistency with other mailhubs based on Solaris 9]. On boot-up
>>>>>> mailscanner instances were started and the startup log line was
>>>>>> present in /var/log/maillog but the instances of mailscanner ate memory
>>>>>> very quickly and didn't process mail. Pkilling the mailscanner
>>>>>> instances and stopping and starting the init.d script resulted in a
>>>>>> working system processing mail.
>>>>>> Has anyone else seen this on Solaris 10 and if so is there a
>>>>>> workaround?
>>>>>> Incidentally I later created a smf mailscanner service and tried to use
>>>>>> that to start mailscanner but this also ate memory and didn't process
>>>>>> mail.
>>>>>> Regards,
>>>>>> ____________________________________________________________________________
>>>>>> Ray Gardener,
>>>>>> IT Services, LITS,
>>>>>> Sheffield Hallam University,
>>>>>> Howard Street,
>>>>>> Sheffield,
>>>>>> UK
>>>>>> S1 1WB
>>>>>> Telephone: +44 114 225 4926
>>>>>> Fax: +44 114 225 3840
>>>>>> Mobile: +44 07788190005
>>>>>> Email: R.A.Gardener@shu.ac.uk
>>>>> Ray
>>>>> only problem like this is when using MS in combination with MailWatch.
>>>>> Problem can be that mysql isn't fully operational by the time MS starts
>>>>> up...so the first connection hangs.
>>>>> I solved this by putting a wait 30 at the start() function to make sure
>>>>> mysql is up and accepting connections before we start MS.
>>>> Martin,
>>>> Can you post a diff of your change to the list so I can try it here?
>>>> I don't use MailWatch or sql, so maybe a smaller wait time would solve
>>>> my issue. Thanks.
>>>> Jeff Earickson
>>>> Colby College
>>> Jeff
>>>
>>> just added a sleep 30 at the top of the start) case statement in the rc.d
>>> script...
>>
>> Nope, didn't work for me. I turned on the "-x" option in my init.d
>> script, the check_mailscanner script, watched it as I ran things by
>> hand. The loop-up is somewhere after the bin/MailScanner perl code
>> is launched. FWIW, the "stop" option in my init.d script does not
>> work either. The only way I can get things stopped is via
>> "pkill -9 MailScanner". The mystery continues.
>>
>> Jeff Earickson
>> Colby College
>> --
>
> I just created a manifest and have MailScanner run as a service and have had
> no problems starting _or_ stopping it. By setting all the correct
> dependencies, there should be no reason for waiting. My manifest replaces
> the Solaris smtp service, and starts sendmail as well, but there is no reason
> that there couldn't be a manifest for MailScanner that depends on sendmail or
> any other MTA. I could easily generate a MailScanner manifest and test it
> standalone if there is value.

If you can easily create a svcadm standalone setup for MailScanner, you
would be a hero to us few Solaris 10 users. I have traditionally
separated sendmail and MailScanner because I want to stop/start them
separately. It never really dawned on me that svc scripts for
MailScanner would solve the problem...

Jeff Earickson
Colby College

From jaearick at colby.edu Fri Aug 25 12:22:44 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 25 12:25:46 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44EECED5.1070603@treelogic.com>
References: <44EECED5.1070603@treelogic.com>
Message-ID:

I would suggest looking at the cron logs (/var/cron/log or similar)
to see if some cron job launches at that time and gets underfoot.
I happen to run /opt/MailScanner/bin/update_phishing_sites every day
at 9:22, which jogged my memory on this.

Jeff Earickson
Colby College

On Fri, 25 Aug 2006, Sergio García Caso wrote:
> Date: Fri, 25 Aug 2006 12:20:05 +0200
> From: Sergio García Caso
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner hangs once a day
>
> Hello,
>
> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3 and
> ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
> The problem is that MailScanner hangs once a day (always at 09.30-10.00) so I
> have to restart it (/etc/init.d/mailscanner restart).
> I get the following info in the log ('mail.info'):
>
> ...
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2:
> from=, size=2840, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4:
> from=, size=10478, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4 messages
> Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing completed at
> 3609875 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at
> 932113606 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538 bytes
> per second (168675 / 109)
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages) processed in
> 109.62 seconds
> Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying of old
> age
> ...
>
> Can anybody help me?
> Thanks.
>
>
> **
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From uxbod at splatnix.net Fri Aug 25 12:49:00 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Aug 25 12:49:11 2006
Subject: MailScanner hangs once a day
In-Reply-To:
References:
Message-ID: <659b318cdf7f7e414b68cbbaa941193d@localhost>

Do you have a line like this in your cronjob ? :-

3,23,43 * * * * /opt/MailScanner/bin/check_mailscanner

as this will check the processes and restart if not running.

On Fri, 25 Aug 2006 07:22:44 -0400 (EDT), "Jeff A. Earickson" wrote:
> I would suggest looking at the cron logs (/var/cron/log or similar)
> to see if some cron job launches at that time and gets underfoot.
> I happen to run /opt/MailScanner/bin/update_phishing_sites every day
> at 9:22, which jogged my memory on this.
>
> Jeff Earickson
> Colby College
>
> On Fri, 25 Aug 2006, Sergio García Caso wrote:
>
>> Date: Fri, 25 Aug 2006 12:20:05 +0200
>> From: Sergio García Caso
>> Reply-To: MailScanner discussion
>> To: mailscanner@lists.mailscanner.info
>> Subject: MailScanner hangs once a day
>>
>> Hello,
>>
>> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3
> and
>> ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
>> The problem is that MailScanner hangs once a day (always at 09.30-10.00)
> so I
>> have to restart it (/etc/init.d/mailscanner restart).
>> I get the following info in the log ('mail.info'):
>>
>> ...
>> Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2:
>> from=, size=2840, nrcpt=1 (queue active)
>> Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4:
>> from=, size=10478, nrcpt=1 (queue active)
>> Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4
> messages
>> Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing completed
> at
>> 3609875 bytes per second
>> Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at
>> 932113606 bytes per second
>> Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538
> bytes
>> per second (168675 / 109)
>> Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages)
> processed in
>> 109.62 seconds
>> Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying of
> old
>> age
>> ...
>>
>> Can anybody help me?
>> Thanks.
>>
>>
>> **
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rob at techniumcast.com Fri Aug 25 12:50:49 2006
From: rob at techniumcast.com (Rob Shepherd)
Date: Fri Aug 25 12:51:00 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com>
Message-ID: <44EEE419.9010604@techniumcast.com>

Jeff A. Earickson wrote:
> If you can easily create a svcadm standalone setup for MailScanner, you
> would be a hero to us few Solaris 10 users.

This is mine... works great.

Of course...

Run In Foreground = no

NOTE: remove the check_mailscanner cron entry. SMF will ensure it's up
and running (if it can be).... The ps grepping in check_mailscanner
didn't work for me (the pargs are too long and get chopped by ps) and
spawned multiple top-level MS processes.

Note to users:

1. check the dependencies. I use postfix.
2. note the fmri. site/mailscanner
3. no smf 'method' is required as calling check_mailscanner directly
   and the :kill utility seem to work fine.

I place my own smf bits and bobs in /usr/local/svc/[method,manifest]

Cheers

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
rob recieves mail at techniumcast.com | 01248 675024 | 07776 210516
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner.xml
Type: text/xml
Size: 1487 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060825/db6ca598/mailscanner.xml

From mailscanner at mango.zw Fri Aug 25 13:03:15 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Fri Aug 25 13:02:18 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <44EED17D.6050305@ecs.soton.ac.uk>
Message-ID:

On Fri, 25 Aug 2006, Julian Field wrote:
> That is what I would expect to happen. RPM won't overwrite a file owned
> by another package unless forced to (which I don't like doing).

I understand that. My original question was why once the install.sh
script experienced a problem with one module it would then fail to
attempt installing the remaining modules.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

> Denis Beauchemin wrote:
> > Jim Holland wrote:
> >> On Wed, 23 Aug 2006, Julian Field wrote:
> >>
> >>
> >>> Jim Holland wrote:
> >>>
> >>>> Hi Julian
> >>>>
> >>>> I installed the above beta version this evening on Red Hat 7.1
> >>>> earlier this evening, just after installing sendmail 8.13.8. See
> >>>> details of configuration below (you may notice that it is using
> >>>> Sys::Syslog version 0.01 - the current version does not compile on
> >>>> RH 7.1).
> >>>>
> >>>> The installation went fine, but I experienced the following error
> >>>> when trying to start MailScanner:
> >>>>
> >>>> Can't locate Sys/Hostname/Long.pm in @INC . . .
> >>>>
> >>>> That was solved by installing Sys::Hostname::Long using cpan and it
> >>>> worked fine after that.
> >>>>
> >>> I'll take a look. What happened when the install.sh tried to install it?
> >>>
> >>
> >> Nothing. There were no errors in the installation log, which I have
> >> copied to you separately.
However I see that with the list of modules
> >> to be installed in the install.sh script there is nothing reported in
> >> the log for modules after Getopt::Long, ie for:
> >>
> >> Time::HiRes Time-HiRes 1.86 1 noarch
> >> Filesys::Df Filesys-Df 0.90 1 noarch
> >> Net::IP Net-IP 1.24 1 noarch
> >> Sys::Hostname::Long Sys-Hostname-Long 1.4 1 noarch
> >> Sys::Syslog Sys-Syslog 0.17 1 noarch
> >>
> >> The next entry in the install log is for the tnef decoder.
> >>
> >> In my case I have the following versions of the above modules now
> >> installed:
> >>
> >> Time::HiRes 1.86 (I don't know when this was installed)
> >> Filesys::Df 0.92 (which I had to install manually when
> >> upgrading to 4.54.6)
> >> Net::IP missing
> >> Sys::Hostname::Long 1.4 (after installing it manually)
> >> Sys::Syslog 0.01 (the install script has never attempted to
> >> upgrade this module)
> >>
> >> It does look as if there could be a problem with the install script
> >> because I remember when installing 4.50.10-1 at the beginning of the year
> >> I had to install a whole bunch of Perl modules (eg DBI, SQL-Lite)
> >> manually at that time too.
> >>
> >>
> >>>> You have very kindly included a new facility for providing separate
> >>>> reports for messages and attachments which have been blocked or
> >>>> quarantined due to user specified size restrictions. I have done
> >>>> some testing on both oversize messages and attachments, and am
> >>>> pleased to report that it works exactly as intended for attachments,
> >>>> giving a report such as:
> >>>>
> >>>> MailScanner: Attachment is too large: 154303 bytes
> >>>>
> >>>> However in the case of oversize messages, the report is just:
> >>>>
> >>>> MailScanner: Message is too large
> >>>>
> >>>> with no indication of the size of the message that has been
> >>>> quarantined. Would it be possible to include the size in that case
> >>>> as well?
That would be very helpful for people who don't want to
> >>>> unquarantine a message that is far too large for them to handle.
> >>>>
> >>> I'll take a look and see. I can only think that there was some good
> >>> reason why I couldn't do it.
> >>>
> > Julian,
> >
> > I installed 4.56.1-1 yesterday and I also noticed problems with the
> > installation of Perl modules:
> > Preparing... ###########################################
> > [100%]
> > file /usr/lib/perl5/5.8.5/File/Temp.pm from install of
> > perl-File-Temp-0.16-1 conflicts with file from
> > package perl-5.8.5-36.RHEL4
> > file /usr/share/man/man3/File::Temp.3pm.gz from install of
> > perl-File-Temp-0.16-1 conflicts with file f
> > rom package perl-5.8.5-36.RHEL4
> > Preparing... ###########################################
> > [100%]
> > file /usr/lib/perl5/5.8.5/i386-linux-thread-multi/Sys/Syslog.pm
> > from install of perl-Sys-Syslog-0.17-1
> > conflicts with file from package perl-5.8.5-36.RHEL4
> > file
> > /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/Sys/Syslog/Syslog.so
> > from install of perl-Sys-S
> > yslog-0.17-1 conflicts with file from package perl-5.8.5-36.RHEL4
> >
> > In the following output you can see that File::Temp is still at version
> > 0.14 and Sys::Syslog at version 0.08:
> > /usr/sbin/MailScanner -v
> > Running on
> > Linux ...
2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686
> > i386 GNU/Linux
> > This is Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
> > This is Perl version 5.008005 (5.8.5)
> >
> > This is MailScanner version 4.56.1
> > Module versions are:
> > 1.00 AnyDBM_File
> > 1.14 Archive::Zip
> > 1.03 Carp
> > 1.119 Convert::BinHex
> > 1.00 DirHandle
> > 1.05 Fcntl
> > 2.73 File::Basename
> > 2.08 File::Copy
> > 2.01 FileHandle
> > 1.06 File::Path
> > 0.14 File::Temp
> > 0.90 Filesys::Df
> > 1.35 HTML::Entities
> > 3.54 HTML::Parser
> > 2.37 HTML::TokeParser
> > 1.21 IO
> > 1.10 IO::File
> > 1.123 IO::Pipe
> > 1.71 Mail::Header
> > 3.05 MIME::Base64
> > 5.420 MIME::Decoder
> > 5.420 MIME::Decoder::UU
> > 5.420 MIME::Head
> > 5.420 MIME::Parser
> > 3.03 MIME::QuotedPrint
> > 5.420 MIME::Tools
> > 0.11 Net::CIDR
> > 1.08 POSIX
> > 1.77 Socket
> > 1.4 Sys::Hostname::Long
> > 0.08 Sys::Syslog
> > 1.86 Time::HiRes
> > 1.02 Time::localtime
> >
> > Optional module versions are:
> > 0.17 Convert::TNEF
> > 1.809 DB_File
> > 1.12 DBD::SQLite
> > 1.50 DBI
> > 1.08 Digest
> > 1.01 Digest::HMAC
> > 2.33 Digest::MD5
> > 2.10 Digest::SHA1
> > 0.44 Inline
> > 0.17 Mail::ClamAV
> > 3.001000 Mail::SpamAssassin
> > 1.998 Mail::SPF::Query
> > 0.18 Net::CIDR::Lite
> > 1.24 Net::IP
> > 0.55 Net::DNS
> > 0.31 Net::LDAP
> > 1.94 Parse::RecDescent
> > missing SAVI
> > 2.42 Test::Harness
> > 0.47 Test::Simple
> > 1.95 Text::Balanced
> > 1.35 URI
> >
> > Denis
> >
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1112)
> Charset: ISO-8859-1
>
> wj8DBQFE7tF+EfZZRxQVtlQRAs2bAJ96JxzK73md8k6pSGb/kVGBPE9kcgCg+01I
> guePT1ABhgiEPqueIqKyYRQ=
> =EZ1T
> -----END PGP SIGNATURE-----
>

From Denis.Beauchemin at USherbrooke.ca Fri Aug 25 13:23:27 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Aug 25 13:23:37 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To:
References:
Message-ID: <44EEEBBF.20905@USherbrooke.ca>

Jim Holland wrote:
> On Fri, 25 Aug 2006, Julian Field wrote:
>
>
>> That is what I would expect to happen. RPM won't overwrite a file owned
>> by another package unless forced to (which I don't like doing).
>>
>
> I understand that. My original question was why once the install.sh
> script experienced a problem with one module it would then fail to attempt
> installing the remaining modules.
>
>

Not on my RHEL 4 system. It tried to install them all.

The clash with system installed files is not new but I thought you got
around it by installing your modules in a different directory. Am I
mistaken?

Denis

--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3226 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060825/6e80b255/smime.bin

From Denis.Beauchemin at USherbrooke.ca Fri Aug 25 13:32:02 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Aug 25 13:32:13 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44EECED5.1070603@treelogic.com>
References: <44EECED5.1070603@treelogic.com>
Message-ID: <44EEEDC2.5080900@USherbrooke.ca>

Sergio García Caso wrote:
> Hello,
>
> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin
> 3.1.3 and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
> The problem is that MailScanner hangs once a day (always at
> 09.30-10.00) so I have to restart it (/etc/init.d/mailscanner restart).
> I get the following info in the log ('mail.info'):
>
> ...
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2:
> from=, size=2840, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4:
> from=, size=10478, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4
> messages
> Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing
> completed at 3609875 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at
> 932113606 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538
> bytes per second (168675 / 109)
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages)
> processed in 109.62 seconds
> Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying
> of old age
> .

Sergio,

This last message is all normal. Because MS doesn't want any potential
memory leak to harm your system it restarts itself every 4 hours. See
the "Restart Every" config value in MailScanner.conf.

Denis

--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3226 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060825/13d9afef/smime.bin

From gborders at jlewiscooper.com Fri Aug 25 15:17:34 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Fri Aug 25 15:16:09 2006
Subject: Reloading confs
In-Reply-To:
References: <1156435815.14266.13.camel@lin-workstation.azapple.com>
Message-ID: <44EF067E.8010803@jlewiscooper.com>

Logan Shaw wrote:
>> You shouldn't ever start sendmail (or restart sendmail) - you should
>> only restart MailScanner which in turn stops/starts sendmail for you.
>
> I've never really understood this.
>
> So is there something I'm missing? Is there a reason why it
> is the way it is?
>
> - Logan

This is one of the single most common things I've seen when dealing
with folks that are new to MailScanner.
I too had to struggle with the logic of it at first. The thing of it
is, it's a real change from the way you would expect it to work.
Typically you would think, "I have my MTA and it does all the mail
work, sending / receiving etc. as a service, running happily in the
background."
"Then I have my virus scanner, it does the same, scans all activity
for files getting saved."
So here's MailScanner, it should follow the same logic, and just run
and flag all the e-mails that come and go as a service like the others.

That's the fatal flaw in the thinking. MailScanner isn't just another
service. It's a way of life for e-mail. By adding MailScanner to your
systems, you are taking the services you know and trust, and turning
them over to a caretaker to do it for you, and it does it better. A
lot better.

Since MailScanner is now "in control", you turn off the standalone
services. Sendmail/Postfix/Exim/Etc. daemons are stopped. Virus
checkers are stopped.
All is quiet on the server, and then you fire up the MailScanner
service. It is now the conductor of your e-mail orchestra, and calls
upon the other programs as needed, to get the job done.

This is my take on the flow of programs within a properly set up
MailScanner system:
MailScanner fires up instances of the MTA, waiting for messages to
arrive. AKA "Children"
MailScanner fires up instances of the MTA, waiting for messages to be
sent.
MailScanner fires off a slew of tasks once messages arrive.
A batch of them are ready, MailScanner runs them thru spamassassin.
Now any that didn't get flagged, are scanned for viruses with the
ClamAV for example, (or more if you want).
Then they are delivered/stored/etc. all based upon the settings in the
.conf file with another MTA child.

Whether users send messages out, or receive them, they go thru the
same steps, and they are delivered by MailScanner via the tools that
are wired into it.

Julian has cooked up the very clever system that calls upon many
external pieces to perform at the times needed, and has created the
best most flexible open e-mail filtering system on the market. We can
use many MTA's, many virus scanners, many spam scanners, and still
have room for custom functions to do even more if we want.

Take a look at the administrators guide, the first figure "MailScanner
Process Flow". That will make it crystal clear on the total path, and
number of tests MailScanner actually performs.

It's a wonderful concept, once you can wrap your brain around the idea
that MailScanner is more than just an add on service. Bolt on Steve's
Mailwatch and you have more than most e-mail admins can dream about. ^__^

Greg. Borders
Sys. Admin.
JLC Co.

--
This transmission may contain information that is privileged, confidential
and/or exempt from disclosure under applicable law.
If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format. Thank you.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lday at txk.k12.ar.us Fri Aug 25 17:02:13 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Fri Aug 25 17:02:19 2006
Subject: Reloading confs
In-Reply-To: <44EF067E.8010803@jlewiscooper.com>
References: <1156435815.14266.13.camel@lin-workstation.azapple.com> <44EF067E.8010803@jlewiscooper.com>
Message-ID: <44EF1F05.80607@txk.k12.ar.us>

I like having the startup/shutdown scripts separated. If I want to make
a change to MailScanner, I can shut it down while Sendmail continues to
run. I find myself continually jacking with MailScanner and seldom do I
mess with Sendmail. Yes, MailScanner is a necessary part of the e-mail
process, but I see no reason to tie it into the running of Sendmail or
any other MTA.

I have my Sendmail checking against local RBL's and that stops about
90% of the junk. I can afford to let Sendmail accept messages while I
have MailScanner shut down. If you're letting MailScanner do the RBL
lookups, perhaps you can't.

Lynn

Greg Borders wrote:
>
>
> Logan Shaw wrote:
>>> You shouldn't ever start sendmail (or restart sendmail) - you should
>>> only restart MailScanner which in turn stops/starts sendmail for you.
>>
>> I've never really understood this.
>>
>> So is there something I'm missing? Is there a reason why it
>> is the way it is?
>>
>> - Logan
> This is one of the single most common things I've seen when dealing
> with folks that are new to MailScanner.
> I too had to struggle with the logic of it at first.
The thing of it
> is, it's a real change from the way you would expect it to work.
> Typically you would think, "I have my MTA and it does all the mail
> work, sending / receiving etc. as a service, running happily in the
> background."
> "Then I have my virus scanner, it does the same, scans all activity
> for files getting saved."
> So here's MailScanner, it should follow the same logic, and just run
> and flag all the e-mails that come and go as a service like the others.
>
> That's the fatal flaw in the thinking. MailScanner isn't just another
> service. It's a way of life for e-mail. By adding MailScanner to your
> systems, you are taking the services you know and trust, and turning
> them over to a caretaker to do it for you, and it does it better. A
> lot better.
>
> Since MailScanner is now "in control", you turn off the standalone
> services. Sendmail/Postfix/Exim/Etc. daemons are stopped. Virus
> checkers are stopped.
> All is quiet on the server, and then you fire up the MailScanner
> service. It is now the conductor of your e-mail orchestra, and calls
> upon the other programs as needed, to get the job done.
>
> This is my take on the flow of programs within a properly set up
> MailScanner system:
> MailScanner fires up instances of the MTA, waiting for messages to
> arrive. AKA "Children"
> MailScanner fires up instances of the MTA, waiting for messages to be
> sent.
> MailScanner fires off a slew of tasks once messages arrive.
> A batch of them are ready, MailScanner runs them thru spamassassin.
> Now any that didn't get flagged, are scanned for viruses with the
> ClamAV for example, (or more if you want).
> Then they are delivered/stored/etc. all based upon the settings in the
> .conf file with another MTA child.
>
> Whether users send messages out, or receive them, they go thru the
> same steps, and they are delivered by MailScanner via the tools that
> are wired into it.
> > Julian has cooked up the very clever system that calls upon many > external pieces to perform at the times needed, and has created the > best most flexable open e-mail filtering system on the market. We can > use many MTA's, many virus scanners, many spam scanners, and still > have room for custom functions to do even more if we want. > > Take a look at the administrators guide, the first figure "MailScanner > Process Flow". That will make it crystal clear on the total path, and > number of tests MailScanner actually performs. > > It's a wonderful concept, once you can wrap your brain around the idea > that MailScanner is more than just an add on service. Bolt on Steve's > Mailwatch and you have more than most e-mail admins can dream about. ^__^ > > Greg. Borders > Sys. Admin. > JLC Co. > > > > > -- > This transmission may contain information that is privileged, > confidential > and/or exempt from disclosure under applicable law. If you are not the > intended recipient, you are hereby notified that any disclosure, copying, > distribution, or use of the information contained herein (including any > reliance thereon) is STRICTLY PROHIBITED. If you received this > transmission > in error, please immediately contact the sender and destroy the > material in > its entirety, whether in electronic or hard copy format. Thank you. > From gborders at jlewiscooper.com Fri Aug 25 17:50:08 2006 From: gborders at jlewiscooper.com (Greg Borders) Date: Fri Aug 25 17:48:44 2006 Subject: Reloading confs In-Reply-To: <44EF1F05.80607@txk.k12.ar.us> References: <1156435815.14266.13.camel@lin-workstation.azapple.com> <44EF067E.8010803@jlewiscooper.com> <44EF1F05.80607@txk.k12.ar.us> Message-ID: <44EF2A40.3010200@jlewiscooper.com> James L. Day wrote: > Greg Borders wrote: > >> Logan Shaw wrote: >> >>>> You shouldn't ever start sendmail (or restart sendmail) - you should >>>> only restart MailScanner which in turns stops/starts sendmail for you. 
>>>> >>> >>> I've never really understood this. >>> >>> So is there something I'm missing? Is there a reason why it >>> is the way it is? >>> >>> - Logan >>> >> This is one of the single most common things I've seen when dealing >> with folks that are new to MailScanner. >> I too had to struggle with the logic of it at first. The thing of it >> is, it's a real change from the way you would expect it to work. >> Typically you would think, "I have my MTA and it does all the mail >> work, sending / recieving etc. as a service, running happily in the >> background." >> "Then I have my virus scanner, it does the same, scans all activity >> for files getting saved." >> So here's MailScanner, it should follow the same logic, and just run >> and flag all the e-mails that come and go as a service like the others. >> >> That's the fatal flaw in the thinking. MailScanner isn't just another >> service. It's a way of life for e-mail. By adding MailScanner to your >> systems, you are taking the services you know and trust, and turning >> them over to a caretaker to do it for you, and it does it better. A >> lot better. >> >> Since MailScanner is now "in control", you turn off the standalone >> services. Sendmail/Postfix/Exim/Etc. daemons are stopped. Virus >> checkers are stopped. >> All is quiet on the server, and then you fire up the MailScanner >> service. It is now the conductor of your e-mail orchestra, and calls >> upon the other programs as needed, to get the job done. >> >> This is my take on the flow of programs within a properly setup >> MailScanner system: >> MailScanner fires up instances of the MTA, waiting for messages to >> arrive. AKA "Children" >> MailScanner fires up instances of the MTA, waiting for messages to be >> sent. >> MailScanner fires off a slew of tasks once messages arrive. >> A batch of them are ready, MailScanner runs them thru spamassassin. 
>> Now any that didn't get flagged, are scanned for viruses with the >> ClamAV for example, (or more if you want). >> Then they are delivered/stored/etc. all based upon the settings in the >> .conf file with another MTA child. >> >> Whether users send messages out, or receive them, they go thru the >> same steps, and the are delivered by MailScanner via the tools that >> are wired into it. >> >> Julian has cooked up the very clever system that calls upon many >> external pieces to perform at the times needed, and has created the >> best most flexable open e-mail filtering system on the market. We can >> use many MTA's, many virus scanners, many spam scanners, and still >> have room for custom functions to do even more if we want. >> >> Take a look at the administrators guide, the first figure "MailScanner >> Process Flow". That will make it crystal clear on the total path, and >> number of tests MailScanner actually performs. >> >> It's a wonderful concept, once you can wrap your brain around the idea >> that MailScanner is more than just an add on service. Bolt on Steve's >> Mailwatch and you have more than most e-mail admins can dream about. ^__^ >> >> Greg. Borders >> Sys. Admin. >> JLC Co. > I like having the startup/shutdown scripts separated. If I want to make > a change to MailScanner, I can shut it down while Sendmail continues to > run. I find myself continually jacking with MailScanner and seldom do I > mess with Sendmail. Yes, MailScanner is a necessary part of the e-mail > process, but I see no reason to tie it into the running of Sendmail or > any other MTA. > > I have my Sendmail checking against local RBL's and that stops about 90% > of the junk. I can afford to let Sendmail accept messages while I have > MailScanner shut down. If you're letting MailScanner do the RBL > lookups, perhaps you can't. 
>
> Lynn

What might be better in your case then, would be to use the additional service directives in the init.d script:

Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms}

You can issue commands that will start/stop any portion of the mail stream you like. By design MailScanner is meant to replace the entire mail process. No need to separate anything unless you really want to. But again, you aren't tying MailScanner into the MTA, you are replacing the control of the MTA with MailScanner. MailScanner creates the MTA children with specific commands that limit their scope, and kills them off itself and spawns new ones as needed to balance the load of messages that are flowing. By having the MTA functioning outside of the MS process, you are bypassing a core component of its design. But it's an open e-mail universe, and you can process data any way you see fit. :)

Greg. Borders
Sys. Admin.
JLC Co.
From rpotter at rpcs.net Fri Aug 25 18:32:33 2006 From: rpotter at rpcs.net (Richard Potter) Date: Fri Aug 25 18:32:39 2006 Subject: sending mail from command line in FreeBSD 6.1 In-Reply-To: <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com> References: <910ee2ac0608241155h2214bfa6n6dcea6c9fa503570@mail.gmail.com> <200608241922.k7OJMsYl027156@bkserver.blacknight.ie> <23750.62.140.137.125.1156450455.squirrel@webmail.xs4all.nl> <910ee2ac0608241325m35828543u834db8872e12edb3@mail.gmail.com> Message-ID: <20060825173233.GA16693@rpcs.net> Try this: uuencode /path/to/attachment attachment.name | mail -s "Subject" address So.. uuencode /tmp/testfile.xls testfile.xls | mail -s "Test" you@where Works for me on AIX and linux. Richard On Thu, Aug 24, 2006 at 08:25:38PM +0000, emm1 wrote: > The contents of the file is put in the body instead of being delivered > as an attachment with that command. :) > > On 8/24/06, Remy de Ruysscher wrote: > > > >Hi, > >Use cat file | mailx -s "Subject" receipient -c "another receipient" > > > >Regards, > >Remy > > > >On Thu, August 24, 2006 21:22, rob wrote: > >> Not sure if this will work in FreeBSD, but I use this with CentOS > >> > >> Usage: sendEmail [options] or command | sendEmail [options] > >> > >> Required: > >> -f from email address > >> -t [] to email address(es) (space separated list) > >> > >> Common: > >> -u (this will soon be -s, and -s will become > >> -h[ost]) > >> -m if -m is absent the message is read from STDIN > >> -s default is localhost:25 > >> > >> Optional: > >> -a [] file attachment(s) > >> -cc [] cc email address(es) > >> -bcc [] bcc email address(es) > >> > >> Paranormal: > >> -l log to the specified file > >> -v verbosity - use multiple times for greater > >effect > >> -q be quiet (no stdout output) > >> > >> http://caspian.dotconf.net/menu/Software/SendEmail/ > >> > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > >> 
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1 > >> Sent: Thursday, August 24, 2006 1:55 PM > >> To: MailScanner discussion > >> Subject: sending mail from command line in FreeBSD 6.1 > >> > >> Anyone know how i can send a mail to user from command line in FreeBSD > >> with an attachment ? I tried sendmail -toi user@domain.com < test.txt > >> but the test.txt doesn't come as an attachment, the contents of the > >> file comes in the body of the mail. > >> > >> Thanks! > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > > >-- > >MailScanner mailing list > >mailscanner@lists.mailscanner.info > >http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > >Before posting, read http://wiki.mailscanner.info/posting > > > >Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Cheers! 
-- Richard Potter From ssilva at sgvwater.com Fri Aug 25 19:40:08 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 25 19:42:21 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/25/2006 3:53 AM: > On 25/08/06, Anthony Peacock wrote: >> Ken A wrote: >> > >> > >> > Logan Shaw wrote: >> >> On Thu, 24 Aug 2006, Julian Field wrote: >> >>> Anthony Peacock wrote: >> >>>> Julian Field wrote: >> >> >> >>>>> Sounds survivable. After the limit I will keep going until I hit >> the >> >>>>> first line that only contains white space. >> >> >> >>>> I have been watching this discussion with a growing uneasiness. I >> >>>> could be wrong but doesn't this behaviour open up the system to >> >>>> problems with huge image files... >> >> >> >>> Yes, you are absolutely correct. Non-spam may well include huge >> images. >> >>> The problem with rewinding to the previous boundary is that you >> may end >> >>> up not giving SpamAssassin _anything_ to work with. >> >>> >> >>> So it's up for a vote: >> >>> >> >>> do I chop half way through an image? >> >>> do I chop at the end of an image? >> >>> do I carry on for a max of 100 lines of Base64 data or until the >> end of >> >>> an image, which is earlier? >> >> >> >> I don't like the last option at all. It still easily allows >> >> a situation where a valid message with a valid image in it >> >> gets detected as a corrupt image and hits a rule that scores >> >> it as spam. 
>> >> >> >> If we assume there are 80 columns of base64 data per line, then >> >> we get 60 bytes per line (since each base64 character carries >> >> 6 bits of data). That means 100 lines only holds 6K, maximum. >> >> >> >> So this option only works if the chop-off point randomly >> >> happens to fall within the last 6K (or less) of the image. >> >> If the max message size causes the initial chop-off point to >> >> fall any earlier, it still creates an invalid image. If you >> >> have a 50K max message size and someone sends a 75K image >> >> (which is not out of the ordinary at all), this method will >> >> keep going up to 56K and then quit. >> >> >> >> Basically, adding the 100 extra lines is really not much better >> >> than chopping right at the max message size barrier, unless >> >> you assume that most images aren't much larger than 6K, which >> >> I don't think is a valid assumption at all. So, this option >> >> adds extra complexity and doesn't really give much benefit. >> >> >> >> - Logan >> > >> > I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you >> > are worried about false positives. Fuzzyocr will get better at sorting >> > this out. And of course in the mean time, don't use outlook, since it >> > will probably render corrupt images just fine. (it's a feature) >> >> This could be controversial here... >> >> >> I have another suggestion, why don't we agree to leave the MailScanner >> code alone. Those people who are experiencing problems with broken >> images can raise the value of "Max SpamAssassin Size" in *THEIR* >> configurations, the rest of us can carry on as normal. >> >> There is already a way for people to adjust how much information SA gets >> from MailScanner, people who need more information can used that on >> their systems. >> >> >> >> > No need for dramatic escapes:-) > You and Logan have made some good arguments for the status quo... > After all, one needs to assess which is the lesser evil and go with > that. 
> On the first readthrough I was simply not looking at this from the
> correct perspective:-). MailScanner shouldn't need solve this
> "problem", at least not in such a way that it invites a possible DoS
> (which is far more dire than a simple SA rule "misfire", of course).
> That just tells us that both option 1 and 3 are viable though, so any
> argument for option 3 would need show that it would actually be
> worthwhile to complicate the code further... And I can say I didn't do
> my maths (shame on me), but Logan shows that the usefulness of option
> 3 is rather less than we could assume at the outset. Oh well. Change
> my vote there to number 1.
>
I still vote for execute the spammers!

How much perl code will that take?
Or do you just have to beat them with whatever is handy?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From paul at tenfjord.net Fri Aug 25 19:44:22 2006
From: paul at tenfjord.net (Paul Tenfjord)
Date: Fri Aug 25 19:47:43 2006
Subject: MailScanner + kaspersky-4.5/5.5 problem
Message-ID: <200608252044.22465.paul@tenfjord.net>

Evening all.

I've been trying to get MailScanner to use Kaspersky virus scanner without success. I downloaded a trial version (kav5.5trial) and installed the deb file. The deb file installed Kaspersky to /opt/kav/5.5/kav4mailservers/.

The wrapper script runs successfully, yet the log file never shows kaspersky scan the email, I can however see Clamav and Mailscanner entries in the detailed report.

I have edited the installation directory in virus.scanners.conf to point to /opt/kav/5.5/kav4mailservers .

thin# /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers
[25/08/06 20:38:25 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.5.10/RELEASE build #115, compiled Mar 29 2006, 14:17:08
.....
[25/08/06 20:38:25 I] License file 001BEE74.key, serial 0038-000413-001BEE74, "Kaspersky Anti-Virus BO for SendMail / Qmail / Postfix International Edition. 50-MailAddress 1 month Trial Download Pack", expires 24-09-2006 in 28 days
[25/08/06 20:38:27 I] There are 205521 records loaded, the latest update 25-08-2006
[25/08/06 20:38:27 I] The scan path: /opt/MailScanner-4.55.10/etc
......
[25/08/06 20:38:29 I] Scan summary: Files=432 Folders=20 Archives=181 Packed=0 Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 Corrupted=0 Protected=0 Error=0 ScanTime=00:00:02 ScanSpeed=1642.812 Kb/s

thin# grep -ri kasper mail.log
Aug 25 19:42:01 mx11 update.virus.scanners: Found kaspersky-4.5 installed
Aug 25 19:42:01 mx11 update.virus.scanners: Running autoupdate for kaspersky-4.5
Aug 25 19:42:10 mx11 kaspersky-autoupdate[5949]: Kaspersky-5.0 updated

MailScanner.conf :
Virus Scanners = clamav kaspersky-4.5

virus.scanners.conf :
kaspersky-4.5 /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers

MailScanner --lint :
MailScanner.conf says "Virus Scanners = clamav kaspersky-4.5"
Found these virus scanners installed: clamav, kaspersky-4.5

Vitals :
MailScanner 4.55.10
Kaspersky 5.5trial installed in default location.

Any suggestions or hints would be highly appreciated.

Best Regards
Paul.

From ssilva at sgvwater.com Fri Aug 25 19:43:37 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 25 19:50:12 2006
Subject: Reloading confs
In-Reply-To: <1156467121.14266.27.camel@lin-workstation.azapple.com>
References: <1156467121.14266.27.camel@lin-workstation.azapple.com>
Message-ID:

Craig White spake the following on 8/24/2006 5:52 PM:
> Is it possible that you didn't register it?
>
> chkconfig MailScanner on
>
You don't have to register a script to run it manually, only if you want it to start when the system runs through init.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
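The three truncation options put to the vote in the "Max SpamAssassin Size problems" thread, with Logan Shaw's arithmetic carried through, as an added example (not MailScanner's code and not written by any poster). The 80-column line width and the 100-line cap are the thread's figures; the sample message, the boundary string "XX", cutting on whole lines and all function names are assumptions constructed for illustration.

```python
import base64

LINE_COLS = 80      # thread's assumption: 80 base64 characters per line
EXTRA_LINES = 100   # option 3: at most 100 further lines of base64


def extra_payload_bytes(cols=LINE_COLS, lines=EXTRA_LINES):
    """Each base64 character carries 6 bits, so 80 columns hold 60 bytes."""
    return lines * (cols * 6 // 8)


def build_message(image_size):
    """Constructed multipart message with one base64 'image' attachment."""
    payload = bytes(i % 251 for i in range(image_size))
    b64 = base64.b64encode(payload).decode("ascii")
    header = [
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XX"',
        "",
        "--XX",
        "Content-Type: text/plain",
        "",
        "See attached picture.",
        "",
        "--XX",
        "Content-Type: image/gif",
        "Content-Transfer-Encoding: base64",
        "",
    ]
    body = [b64[i:i + LINE_COLS] for i in range(0, len(b64), LINE_COLS)]
    return header + body + ["", "--XX--"], payload


def truncate(lines, limit, extra_lines):
    """Keep whole lines up to `limit` bytes, then apply one voted option.

    extra_lines=0    -> option 1: stop at the limit (image cut part way)
    extra_lines=None -> option 2: run on to the first whitespace-only line
    extra_lines=N    -> option 3: run on for at most N lines or to that line
    """
    kept, size = [], 0
    for idx, line in enumerate(lines):
        if size + len(line) + 1 > limit:
            break
        kept.append(line)
        size += len(line) + 1
    else:
        return kept  # the whole message fits under the limit
    extra = 0
    for line in lines[idx:]:
        if extra_lines is not None and extra >= extra_lines:
            break
        if not line.strip():
            break
        kept.append(line)
        extra += 1
    return kept


def image_bytes_seen(kept):
    """Decode whatever part of the base64 image survived truncation."""
    try:
        start = kept.index("Content-Transfer-Encoding: base64") + 2
    except ValueError:
        return b""
    data = []
    for line in kept[start:]:
        if not line.strip() or line.startswith("--"):
            break
        data.append(line)
    joined = "".join(data)
    joined = joined[: len(joined) - len(joined) % 4]  # drop a ragged tail
    return base64.b64decode(joined)


def compare(image_size, limit):
    """Bytes handed to the scanner and image completeness for each option."""
    lines, payload = build_message(image_size)
    result = {}
    for name, extra in (("option1", 0), ("option2", None),
                        ("option3", EXTRA_LINES)):
        kept = truncate(lines, limit, extra)
        result[name] = {
            "bytes_to_sa": sum(len(l) + 1 for l in kept),
            "image_complete": image_bytes_seen(kept) == payload,
        }
    return result


if __name__ == "__main__":
    print("option 3 adds at most", extra_payload_bytes(), "payload bytes")
    for size in (75_000, 40_000):       # image sizes in bytes, 50,000 limit
        print(size, compare(size, 50_000))
```

With the 75,000-byte image, option 3 still hands over a broken image while option 2 passes roughly twice the configured limit, which is the unbounded-size concern raised in the thread.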
From glenn.steen at gmail.com Fri Aug 25 20:04:57 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 25 20:05:00 2006 Subject: Max SpamAssassin Size problems In-Reply-To: References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> Message-ID: <223f97700608251204q21fe03eai7b3ca15c0ba5b9a6@mail.gmail.com> On 25/08/06, Scott Silva wrote: (snip) > I still vote for execute the spammers! > > How much perl code will that take? > Or do you just have to beat them with whatever is handy? > Oh, any suitable LART will do.... Small sledgehammer is my personal favourite:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From sandrews at andrewscompanies.com Fri Aug 25 20:19:21 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Fri Aug 25 20:19:25 2006 Subject: Max SpamAssassin Size problems Message-ID: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> What's wrong with a pointy stick? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Friday, August 25, 2006 3:05 PM To: MailScanner discussion Subject: Re: Max SpamAssassin Size problems On 25/08/06, Scott Silva wrote: (snip) > I still vote for execute the spammers! > > How much perl code will that take? > Or do you just have to beat them with whatever is handy? > Oh, any suitable LART will do.... 
Small sledgehammer is my personal favourite:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at ecs.soton.ac.uk Fri Aug 25 20:43:46 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 25 20:44:00 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: <44EEEBBF.20905@USherbrooke.ca> References: <44EEEBBF.20905@USherbrooke.ca> Message-ID: <44EF52F2.8070506@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denis Beauchemin wrote: > Jim Holland a ?crit : >> On Fri, 25 Aug 2006, Julian Field wrote: >> >> >>> That is what I would expect to happen. RPM won't overwrite a file >>> owned by another package unless forced to (which I don't like doing). >>> >> >> I understand that. My original question was why once the install.sh >> script experienced a problem with one module it would then fail to >> attempt >> installing the remaining modules. >> >> > > Not on my RHEL 4 system. It tried to install them all. Thankyou for that. I'm not going nuts after all. On everyone else's systems it tries to install them all, it doesn't give up after one failure. It carries on and tries to install the next one. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE71LzEfZZRxQVtlQRAq0QAJsGbaUCQYuDdWFkDyHjk2b1a29cmQCg4AAG TPp5IKpPlKh+2hBrtTMTUHo= =RwBv -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Fri Aug 25 20:53:56 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 25 20:53:59 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> Message-ID: <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> On 25/08/06, sandrews@andrewscompanies.com wrote: > What's wrong with a pointy stick? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn > Steen > Sent: Friday, August 25, 2006 3:05 PM > To: MailScanner discussion > Subject: Re: Max SpamAssassin Size problems > > On 25/08/06, Scott Silva wrote: > (snip) > > I still vote for execute the spammers! > > > > How much perl code will that take? > > Or do you just have to beat them with whatever is handy? > > > Oh, any suitable LART will do.... Small sledgehammer is my personal > favourite:-) > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
That's reserved for top-posters
Semi-seriously though... Whichever LART makes you happy, that would be perfectly fine:-D. One can easily imagine recreating some "Transylvanian Count Vlad moments" with such an implement....:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Aug 25 20:56:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Aug 25 20:56:48 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <44EF52F2.8070506@ecs.soton.ac.uk>
References: <44EEEBBF.20905@USherbrooke.ca> <44EF52F2.8070506@ecs.soton.ac.uk>
Message-ID: <223f97700608251256y26088cbcr26db57de177c7258@mail.gmail.com>

On 25/08/06, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Denis Beauchemin wrote:
> > Jim Holland wrote:
> >> On Fri, 25 Aug 2006, Julian Field wrote:
> >>
> >>
> >>> That is what I would expect to happen. RPM won't overwrite a file
> >>> owned by another package unless forced to (which I don't like doing).
> >>>
> >>
> >> I understand that. My original question was why once the install.sh
> >> script experienced a problem with one module it would then fail to
> >> attempt
> >> installing the remaining modules.
> >>
> >>
> >
> > Not on my RHEL 4 system. It tried to install them all.
>
> Thank you for that. I'm not going nuts after all. On everyone else's
> systems it tries to install them all, it doesn't give up after one
> failure. It carries on and tries to install the next one.
>
I wonder if this has something to do with the fact that Jim is doing his install on RH 7.1 ... Somewhat out of date, one might say (even with legacy updates:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailscanner at mango.zw Fri Aug 25 22:45:47 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Fri Aug 25 22:44:47 2006
Subject: Feedback on MailScanner 4.56.1-1 beta
In-Reply-To: <223f97700608251256y26088cbcr26db57de177c7258@mail.gmail.com>
Message-ID:

On Fri, 25 Aug 2006, Glenn Steen wrote:

> On 25/08/06, Julian Field wrote:
> >
> > Denis Beauchemin wrote:
> > > Jim Holland wrote:
> > >> On Fri, 25 Aug 2006, Julian Field wrote:
> > >>
> > >>
> > >>> That is what I would expect to happen. RPM won't overwrite a file
> > >>> owned by another package unless forced to (which I don't like doing).
> > >>>
> > >>
> > >> I understand that. My original question was why once the install.sh
> > >> script experienced a problem with one module it would then fail to
> > >> attempt
> > >> installing the remaining modules.
> > >>
> > >>
> > >
> > > Not on my RHEL 4 system. It tried to install them all.
> >
> > Thank you for that. I'm not going nuts after all. On everyone else's
> > systems it tries to install them all, it doesn't give up after one
> > failure. It carries on and tries to install the next one.
> >
> I wonder if this has something to do with the fact that Jim is doing
> his install on RH 7.1 ... Somewhat out of date, one might say (even
> with legacy updates:-)

It is also driving me nuts too - not so much by the problem, which I can cope with, but trying to understand what is going on! I am totally baffled. Even if it is an ancient OS, a bash script shouldn't bomb out if a command returns a non-zero return code or even fails altogether. I have cut out the loop itself and run it without the rpm command, and then it works fine, going through each package and making appropriate comments. I will let people know if I ever manage to get to the bottom of it.
For now it is a bit like a crossword puzzle that you can't finish but keep going back to. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From ssilva at sgvwater.com Fri Aug 25 23:39:57 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 25 23:42:11 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/25/2006 12:53 PM: > On 25/08/06, sandrews@andrewscompanies.com > wrote: >> What's wrong with a pointy stick? >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn >> Steen >> Sent: Friday, August 25, 2006 3:05 PM >> To: MailScanner discussion >> Subject: Re: Max SpamAssassin Size problems >> >> On 25/08/06, Scott Silva wrote: >> (snip) >> > I still vote for execute the spammers! >> > >> > How much perl code will that take? >> > Or do you just have to beat them with whatever is handy? >> > >> Oh, any suitable LART will do.... Small sledgehammer is my personal >> favourite:-) >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > That's reserved for top-posters > Semi-seriosly though... Whichever LART makes you happy, that would be > perfectly fine:-D. 
One can easily imagine recreating some > "Transylvanian Count Vlad moments" with such an implemeny....:-) > But the jabbing motion of the pointy stick might give the jabber a splinter! I want all the pain to be inflicted on the nasty, dirty, (insert favorite expletive here!) spammer!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ka at pacific.net Fri Aug 25 23:50:07 2006 From: ka at pacific.net (Ken A) Date: Fri Aug 25 23:49:00 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <223f97700608250353l76dff66bla8f0811ed0641d36@mail.gmail.com> Message-ID: <44EF7E9F.3070903@pacific.net> Glenn Steen wrote: > On 25/08/06, Anthony Peacock wrote: >> Ken A wrote: >> > >> > >> > Logan Shaw wrote: >> >> On Thu, 24 Aug 2006, Julian Field wrote: >> >>> Anthony Peacock wrote: >> >>>> Julian Field wrote: >> >> >> >>>>> Sounds survivable. After the limit I will keep going until I hit >> the >> >>>>> first line that only contains white space. >> >> >> >>>> I have been watching this discussion with a growing uneasiness. I >> >>>> could be wrong but doesn't this behaviour open up the system to >> >>>> problems with huge image files... >> >> >> >>> Yes, you are absolutely correct. Non-spam may well include huge >> images. >> >>> The problem with rewinding to the previous boundary is that you >> may end >> >>> up not giving SpamAssassin _anything_ to work with. >> >>> >> >>> So it's up for a vote: >> >>> >> >>> do I chop half way through an image? >> >>> do I chop at the end of an image? >> >>> do I carry on for a max of 100 lines of Base64 data or until the >> end of >> >>> an image, which is earlier? 
>> >> >> >> I don't like the last option at all. It still easily allows >> >> a situation where a valid message with a valid image in it >> >> gets detected as a corrupt image and hits a rule that scores >> >> it as spam. >> >> >> >> If we assume there are 80 columns of base64 data per line, then >> >> we get 60 bytes per line (since each base64 character carries >> >> 6 bits of data). That means 100 lines only holds 6K, maximum. >> >> >> >> So this option only works if the chop-off point randomly >> >> happens to fall within the last 6K (or less) of the image. >> >> If the max message size causes the initial chop-off point to >> >> fall any earlier, it still creates an invalid image. If you >> >> have a 50K max message size and someone sends a 75K image >> >> (which is not out of the ordinary at all), this method will >> >> keep going up to 56K and then quit. >> >> >> >> Basically, adding the 100 extra lines is really not much better >> >> than chopping right at the max message size barrier, unless >> >> you assume that most images aren't much larger than 6K, which >> >> I don't think is a valid assumption at all. So, this option >> >> adds extra complexity and doesn't really give much benefit. >> >> >> >> - Logan >> > >> > I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you >> > are worried about false positives. Fuzzyocr will get better at sorting >> > this out. And of course in the mean time, don't use outlook, since it >> > will probably render corrupt images just fine. (it's a feature) >> >> This could be controversial here... >> >> >> I have another suggestion, why don't we agree to leave the MailScanner >> code alone. Those people who are experiencing problems with broken >> images can raise the value of "Max SpamAssassin Size" in *THEIR* >> configurations, the rest of us can carry on as normal. 
>>
>> There is already a way for people to adjust how much information SA gets
>> from MailScanner, people who need more information can use that on
>> their systems.
>>

Spammers do like to use broken gif images, and MailScanner should not default to looking like a spammer to an SA plugin. Maybe set "Max SpamAssassin Size" to a larger value and roll back to the previous mime boundary if MailScanner would otherwise be truncating an image? Or, would it be possible to skip the mime part if it was over a certain size, and continue with the rest of the message as if that part didn't exist?

Ken A.
Pacific.Net

>>
>>
> No need for dramatic escapes:-)
> You and Logan have made some good arguments for the status quo...
> After all, one needs to assess which is the lesser evil and go with
> that.
> On the first readthrough I was simply not looking at this from the
> correct perspective:-). MailScanner shouldn't need solve this
> "problem", at least not in such a way that it invites a possible DoS
> (which is far more dire than a simple SA rule "misfire", of course).
> That just tells us that both option 1 and 3 are viable though, so any
> argument for option 3 would need show that it would actually be
> worthwhile to complicate the code further... And I can say I didn't do
> my maths (shame on me), but Logan shows that the usefulness of option
> 3 is rather less than we could assume at the outset. Oh well. Change
> my vote there to number 1.
>

From mailscanner at ecs.soton.ac.uk Sat Aug 26 12:32:02 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 12:32:17 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <1951DC816E1A9F469307B05FA183F43852236E@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F43852236E@corpatsmail1.corp.sensis.com>
Message-ID: <44F03132.2070705@ecs.soton.ac.uk>

Desai, Jason wrote:
>>>> do I chop half way through an image?
>>>> do I chop at the end of an image?
>>>> do I carry on for a max of 100 lines of Base64 data or until the end
>
> [snip]
>
>> If the code was chopping at the end of an image (ie until it found a
>> MIME boundary or a blank line. It would be very easy for someone to
>> craft an email message that had a starting boundary claiming to be an
>> image type, but then pumped 100s of Mb without an ending boundary.
>> There _HAS_ to be a limit to this.
>
> Agreed. I don't think the limit should be 100 lines though. A
> malicious email could be crafted which had a mime boundary claiming to
> be an image, a few normal lines, and then one very long line, MBs long.
> Instead, the limit should probably be a certain number of bytes.
> Perhaps something like 8kB?

Very good thought. I'll measure the length of the next line and only add it if that doesn't take me over the 8kb limit.

We're slowly getting there...

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 12:39:23 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 12:39:36 2006
Subject: Could Be OT: How many people only accept reverse DNS lookupmail?
In-Reply-To:
References:
Message-ID: <44F032EB.70202@ecs.soton.ac.uk>

Kevin Miller wrote:
> Michael Baird wrote:
>
>> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter
>> as well, on a lower pref MX (Spam Catcher). It goes further than just
>> checking reverse DNS, it also checks whether the domain actually
>> accepts mail, and if it accepts mail for the specified sender.
>
> Just installed this on a test server and a third level mx gateway (that
> gets maybe a half dozen non spam emails on a good day!)
>
> Have one question though - how do these sorts of milters deal with
> mailing lists? An awful lot of them seem to send from no-reply
> addresses. Do list senders typically create a valid account and just
> quietly drop any mail back, or what? I can see the sender check
> dropping a lot of valid email from lists so am a bit leery about it. Am
> I losing sleep over nothing?

On a slightly related question, I built this on a client's machine the other day, but could not remotely see how to configure it. The docs are next to useless from what I could find. Hints?

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
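
The rule the "Max SpamAssassin Size problems" thread converges on above (cut at the size limit, carry on to the first whitespace-only line, but measure each next line and stop once 8 kB of extra data would be exceeded) is sketched below next to the 100-line variant it replaced. This is an added example, not MailScanner's code: the function names, the `MAX_SIZE` value and the sample messages are constructed for the demonstration, and the stream is assumed to be seekable.

```python
import base64
import io

MAX_SIZE = 50_000        # stand-in for "Max SpamAssassin Size"; value assumed for the demo
BYTE_BUDGET = 8 * 1024   # the 8 kB continuation limit proposed in the thread

# Constructed sample headers: a text part followed by a part labelled image/gif.
HEADERS = (b"Subject: constructed sample\n"
           b'Content-Type: multipart/mixed; boundary="b"\n\n'
           b"--b\nContent-Type: text/plain\n\nhello\n\n"
           b"--b\nContent-Type: image/gif\n"
           b"Content-Transfer-Encoding: base64\n\n")


def take_whole_lines(stream, limit, stop_at_blank=False):
    """Copy whole lines from a seekable binary stream while they fit in `limit` bytes.

    Each read is capped at one byte more than the room left, so an over-long
    line is detected without being loaded. Returns (data, cut); cut is True
    when a line was refused because it would not fit.
    """
    out = bytearray()
    while True:
        pos = stream.tell()
        room = limit - len(out)
        line = stream.readline(room + 1)       # bounded read: "measure the next line"
        if not line:
            return out, False                  # end of message
        if len(line) > room:
            stream.seek(pos)                   # un-read the line that does not fit
            return out, True
        if stop_at_blank and not line.strip():
            return out, False                  # whitespace-only line ends the base64 block
        out += line


def truncate_byte_budget(stream, max_size=MAX_SIZE, budget=BYTE_BUDGET):
    """Cut at max_size, then finish the current block only if it fits in `budget` bytes."""
    head, cut = take_whole_lines(stream, max_size)
    if cut:
        tail, _ = take_whole_lines(stream, budget, stop_at_blank=True)
        head += tail
    return bytes(head)


def truncate_line_count(stream, max_size=MAX_SIZE, max_lines=100):
    """The earlier proposal: up to 100 more lines, with no cap on line length."""
    head, cut = take_whole_lines(stream, max_size)
    if cut:
        for _ in range(max_lines):
            line = stream.readline()           # unbounded: one line can be megabytes
            if not line.strip():               # blank line or end of message
                break
            head += line
    return bytes(head)


def sample_image(size):
    """Constructed stand-in for image data (not a real GIF)."""
    return bytes(i % 251 for i in range(size))


def sample_message(image, long_line=0):
    """Constructed message; long_line > 0 appends one huge line and no closing boundary."""
    body = base64.encodebytes(image)
    if long_line:
        return HEADERS + body + b"A" * long_line + b"\n"
    return HEADERS + body + b"\n--b--\n"


def has_whole_image(data, image):
    """True when the complete base64 encoding of `image` survived truncation."""
    return base64.encodebytes(image) in data


if __name__ == "__main__":
    small, large = sample_image(40_000), sample_image(75_000)
    cases = {
        "image ends inside the budget": (sample_message(small), small),
        "image far larger than the budget": (sample_message(large), large),
        "2 MB line, no closing boundary": (sample_message(small, 2_000_000), small),
    }
    for name, (msg, img) in cases.items():
        kept = truncate_byte_budget(io.BytesIO(msg))
        by_lines = truncate_line_count(io.BytesIO(msg))
        print(f"{name}: byte budget keeps {len(kept)} bytes "
              f"(image whole: {has_whole_image(kept, img)}), "
              f"100-line rule keeps {len(by_lines)} bytes")
```
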
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 12:55:43 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 12:56:02 2006
Subject: Reloading confs
In-Reply-To:
References:
Message-ID: <44F036BF.8030209@ecs.soton.ac.uk>

Scott Silva wrote:
> Colin Jack spake the following on 8/24/2006 12:32 PM:
>> Nope ... been there, done that ;)
>>
>> Not in init.d ... but it's running!
>>
>> Maybe I need to look a bit harder ...
> Did this get installed from the RPM based install, or the tarball?
> The rpm install should have added an init script for you. You might be getting
> it running by the check-mailscanner script in cron.

If you installed from the right .rpm.tar.gz then that stuff should all be there. Otherwise, look in /etc/init.d/MailScanner to see if that exists. If that doesn't exist, then I advise you reinstall MailScanner. If it is there, then

    chkconfig --add MailScanner
    chkconfig MailScanner on
    chkconfig sendmail off
    service sendmail stop
    service MailScanner start

should clear it all up.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 13:59:36 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 13:59:52 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44EEAD6E.80009@chime.ucl.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk>
Message-ID: <44F045B8.4060605@ecs.soton.ac.uk>

Anthony Peacock wrote:
> Ken A wrote:
>>
>>
>> Logan Shaw wrote:
>>> On Thu, 24 Aug 2006, Julian Field wrote:
>>>> Anthony Peacock wrote:
>>>>> Julian Field wrote:
>>>
>>>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>>>> first line that only contains white space.
>>>
>>>>> I have been watching this discussion with a growing uneasiness. I
>>>>> could be wrong but doesn't this behaviour open up the system to
>>>>> problems with huge image files...
>>>
>>>> Yes, you are absolutely correct. Non-spam may well include huge images.
>>>> The problem with rewinding to the previous boundary is that you may end
>>>> up not giving SpamAssassin _anything_ to work with.
>>>>
>>>> So it's up for a vote:
>>>>
>>>> do I chop half way through an image?
>>>> do I chop at the end of an image?
>>>> do I carry on for a max of 100 lines of Base64 data or until the end of
>>>> an image, which is earlier?
>>>
>>> I don't like the last option at all. It still easily allows
>>> a situation where a valid message with a valid image in it
>>> gets detected as a corrupt image and hits a rule that scores
>>> it as spam.
>>>
>>> If we assume there are 80 columns of base64 data per line, then
>>> we get 60 bytes per line (since each base64 character carries
>>> 6 bits of data). That means 100 lines only holds 6K, maximum.
>>>
>>> So this option only works if the chop-off point randomly
>>> happens to fall within the last 6K (or less) of the image.
>>> If the max message size causes the initial chop-off point to
>>> fall any earlier, it still creates an invalid image. If you
>>> have a 50K max message size and someone sends a 75K image
>>> (which is not out of the ordinary at all), this method will
>>> keep going up to 56K and then quit.
>>>
>>> Basically, adding the 100 extra lines is really not much better
>>> than chopping right at the max message size barrier, unless
>>> you assume that most images aren't much larger than 6K, which
>>> I don't think is a valid assumption at all. So, this option
>>> adds extra complexity and doesn't really give much benefit.
>>>
>>> - Logan
>>
>> I'm all for #3 and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you
>> are worried about false positives. Fuzzyocr will get better at sorting
>> this out. And of course in the mean time, don't use outlook, since it
>> will probably render corrupt images just fine. (it's a feature)
>
> This could be controversial here...
>
>
> I have another suggestion, why don't we agree to leave the MailScanner
> code alone. Those people who are experiencing problems with broken
> images can raise the value of "Max SpamAssassin Size" in *THEIR*
> configurations, the rest of us can carry on as normal.
>
> There is already a way for people to adjust how much information SA gets
> from MailScanner, people who need more information can use that on
> their systems.
>
>
> Quack, quack, scamper, scamper....

In my book, that is a remarkably good idea. It would be much simpler for me to implement than any of the other, increasingly complicated versions.

What objections do people have to simply letting you set this yourself?
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 14:01:13 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 14:01:25 2006
Subject: List of variables for substitution in reports?
In-Reply-To: <017001c6c832$35144a40$1404040a@purple>
References: <017001c6c832$35144a40$1404040a@purple>
Message-ID: <44F04619.5050504@ecs.soton.ac.uk>

My sample report files each use all the available variables in each one. If you need something else somewhere, let me know and I will see about adding it for you. Sorry it's no more consistent than that.

Simon Annetts wrote:
> Sorry if this question has been asked before.
>
> Where can I find a list of all the variables that can be substituted into reports and in the config file for things such as subject
> lines etc? I can see some in the reports like $report :-) but to have a definitive list would be very helpful.
>
> Thanks in advance
> Simon
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 14:04:04 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 14:04:20 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44EECED5.1070603@treelogic.com>
References: <44EECED5.1070603@treelogic.com>
Message-ID: <44F046C4.2090907@ecs.soton.ac.uk>

What is your Restart Every set to? Does it manage the regular restart at other times of day? I wonder if it is to do with the regular Bayes Rebuild? Tell it not to wait while doing the bayes rebuild and see if that changes the behaviour.

Sergio García Caso wrote:
> Hello,
>
> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3
> and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
> The problem is that MailScanner hangs once a day (always at 09.30-10.00)
> so I have to restart it (/etc/init.d/mailscanner restart).
> I get the following info in the log ('mail.info'):
>
> ...
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: 31C882B46B2: from=, size=2840, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost postfix/qmgr[15569]: EDDB92B46B4: from=, size=10478, nrcpt=1 (queue active)
> Aug 24 09:34:48 localhost MailScanner[3295]: Uninfected: Delivered 4 messages
> Aug 24 09:34:48 localhost MailScanner[3295]: Virus Processing completed at 3609875 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Disinfection completed at 932113606 bytes per second
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch completed at 1538 bytes per second (168675 / 109)
> Aug 24 09:34:48 localhost MailScanner[3295]: Batch (30 messages) processed in 109.62 seconds
> Aug 24 09:34:48 localhost MailScanner[3295]: MailScanner child dying of old age
> ...
>
> Can anybody help me?
> Thanks.
>
>
> **
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 14:13:57 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 14:14:14 2006
Subject: Reloading confs
In-Reply-To: <44EF1F05.80607@txk.k12.ar.us>
References: <1156435815.14266.13.camel@lin-workstation.azapple.com> <44EF067E.8010803@jlewiscooper.com> <44EF1F05.80607@txk.k12.ar.us>
Message-ID: <44F04915.7050604@ecs.soton.ac.uk>

James L.
Day wrote:
> I like having the startup/shutdown scripts separated. If I want to make
> a change to MailScanner, I can shut it down while Sendmail continues to
> run. I find myself continually jacking with MailScanner and seldom do I
> mess with Sendmail. Yes, MailScanner is a necessary part of the e-mail
> process, but I see no reason to tie it into the running of Sendmail or
> any other MTA.
>
> I have my Sendmail checking against local RBL's and that stops about 90%
> of the junk. I can afford to let Sendmail accept messages while I have
> MailScanner shut down. If you're letting MailScanner do the RBL
> lookups, perhaps you can't.

There are lots of possible options when running the "service MailScanner" command. Do a "service MailScanner help" and you will see them all. You can start and stop just about every bit independently.

>
> Lynn
>
> Greg Borders wrote:
>>
>> Logan Shaw wrote:
>>>> You shouldn't ever start sendmail (or restart sendmail) - you should
>>>> only restart MailScanner which in turns stops/starts sendmail for you.
>>>
>>> I've never really understood this.
>>>
>>> So is there something I'm missing? Is there a reason why it
>>> is the way it is?
>>>
>>> - Logan
>> This is one of the single most common things I've seen when dealing
>> with folks that are new to MailScanner.
>> I too had to struggle with the logic of it at first. The thing of it
>> is, it's a real change from the way you would expect it to work.
>> Typically you would think, "I have my MTA and it does all the mail
>> work, sending / receiving etc. as a service, running happily in the
>> background."
>> "Then I have my virus scanner, it does the same, scans all activity
>> for files getting saved."
>> So here's MailScanner, it should follow the same logic, and just run
>> and flag all the e-mails that come and go as a service like the others.
>>
>> That's the fatal flaw in the thinking. MailScanner isn't just another
>> service. It's a way of life for e-mail.
By adding MailScanner to your
>> systems, you are taking the services you know and trust, and turning
>> them over to a caretaker to do it for you, and it does it better. A
>> lot better.
>>
>> Since MailScanner is now "in control", you turn off the standalone
>> services. Sendmail/Postfix/Exim/Etc. daemons are stopped. Virus
>> checkers are stopped.
>> All is quiet on the server, and then you fire up the MailScanner
>> service. It is now the conductor of your e-mail orchestra, and calls
>> upon the other programs as needed, to get the job done.
>>
>> This is my take on the flow of programs within a properly setup
>> MailScanner system:
>> MailScanner fires up instances of the MTA, waiting for messages to
>> arrive. AKA "Children"
>> MailScanner fires up instances of the MTA, waiting for messages to be
>> sent.
>> MailScanner fires off a slew of tasks once messages arrive.
>> A batch of them are ready, MailScanner runs them thru spamassassin.
>> Now any that didn't get flagged, are scanned for viruses with the
>> ClamAV for example, (or more if you want).
>> Then they are delivered/stored/etc. all based upon the settings in the
>> .conf file with another MTA child.
>>
>> Whether users send messages out, or receive them, they go thru the
>> same steps, and they are delivered by MailScanner via the tools that
>> are wired into it.
>>
>> Julian has cooked up the very clever system that calls upon many
>> external pieces to perform at the times needed, and has created the
>> best most flexible open e-mail filtering system on the market. We can
>> use many MTA's, many virus scanners, many spam scanners, and still
>> have room for custom functions to do even more if we want.
>>
>> Take a look at the administrators guide, the first figure "MailScanner
>> Process Flow". That will make it crystal clear on the total path, and
>> number of tests MailScanner actually performs.
>>
>> It's a wonderful concept, once you can wrap your brain around the idea
>> that MailScanner is more than just an add on service. Bolt on Steve's
>> Mailwatch and you have more than most e-mail admins can dream about. ^__^
>>
>> Greg. Borders
>> Sys. Admin.
>> JLC Co.
>>
>>
>>
>> --
>> This transmission may contain information that is privileged,
>> confidential
>> and/or exempt from disclosure under applicable law. If you are not the
>> intended recipient, you are hereby notified that any disclosure, copying,
>> distribution, or use of the information contained herein (including any
>> reliance thereon) is STRICTLY PROHIBITED. If you received this
>> transmission
>> in error, please immediately contact the sender and destroy the
>> material in
>> its entirety, whether in electronic or hard copy format. Thank you.
>>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From jaearick at colby.edu Sat Aug 26 14:12:54 2006
From: jaearick at colby.edu (Jeff A.
Earickson)
Date: Sat Aug 26 14:15:35 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44F045B8.4060605@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk>
Message-ID:

On Sat, 26 Aug 2006, Julian Field wrote:
> Date: Sat, 26 Aug 2006 13:59:36 +0100
> From: Julian Field
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Max SpamAssassin Size problems
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Anthony Peacock wrote:
>> Ken A wrote:
>>>
>>>
>>> Logan Shaw wrote:
>>>> On Thu, 24 Aug 2006, Julian Field wrote:
>>>>> Anthony Peacock wrote:
>>>>>> Julian Field wrote:
>>>>
>>>>>>> Sounds survivable. After the limit I will keep going until I hit the
>>>>>>> first line that only contains white space.
>>>>
>>>>>> I have been watching this discussion with a growing uneasiness. I
>>>>>> could be wrong but doesn't this behaviour open up the system to
>>>>>> problems with huge image files...
>>>>
>>>>> Yes, you are absolutely correct. Non-spam may well include huge images.
>>>>> The problem with rewinding to the previous boundary is that you may end
>>>>> up not giving SpamAssassin _anything_ to work with.
>>>>>
>>>>> So it's up for a vote:
>>>>>
>>>>> do I chop half way through an image?
>>>>> do I chop at the end of an image?
>>>>> do I carry on for a max of 100 lines of Base64 data or until the end of
>>>>> an image, which is earlier?
>>>>
>>>> I don't like the last option at all. It still easily allows
>>>> a situation where a valid message with a valid image in it
>>>> gets detected as a corrupt image and hits a rule that scores
>>>> it as spam.
>>>>
>>>> If we assume there are 80 columns of base64 data per line, then
>>>> we get 60 bytes per line (since each base64 character carries
>>>> 6 bits of data). That means 100 lines only holds 6K, maximum.
>>>>
>>>> So this option only works if the chop-off point randomly
>>>> happens to fall within the last 6K (or less) of the image.
>>>> If the max message size causes the initial chop-off point to
>>>> fall any earlier, it still creates an invalid image. If you
>>>> have a 50K max message size and someone sends a 75K image
>>>> (which is not out of the ordinary at all), this method will
>>>> keep going up to 56K and then quit.
>>>>
>>>> Basically, adding the 100 extra lines is really not much better
>>>> than chopping right at the max message size barrier, unless
>>>> you assume that most images aren't much larger than 6K, which
>>>> I don't think is a valid assumption at all. So, this option
>>>> adds extra complexity and doesn't really give much benefit.
>>>>
>>>> - Logan
>>>
>>> I'm all for #3 and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you
>>> are worried about false positives. Fuzzyocr will get better at sorting
>>> this out. And of course in the mean time, don't use outlook, since it
>>> will probably render corrupt images just fine. (it's a feature)
>>
>> This could be controversial here...
>>
>>
>> I have another suggestion, why don't we agree to leave the MailScanner
>> code alone. Those people who are experiencing problems with broken
>> images can raise the value of "Max SpamAssassin Size" in *THEIR*
>> configurations, the rest of us can carry on as normal.
>>
>> There is already a way for people to adjust how much information SA gets
>> from MailScanner, people who need more information can use that on
>> their systems.
>>
>>
>>
>
> Quack, quack, scamper, scamper....
>
> In my book, that is a remarkably good idea. It would be much simpler for
> me to implement than any of the other, increasingly complicated versions.
>
> What objections do people have to simply letting you set this yourself?

I've been semi-following this thread and have been wondering what the fuss was about. I raised my Max SpamAssassin Size to 40k several months back after having problems with some image-based spam getting past SA. The bigger number shooed the issue away and didn't kill my mail server performance. Nuff said, don't complicate your life, leave it alone.

Jeff Earickson
Colby College

From mailscanner at ecs.soton.ac.uk Sat Aug 26 14:20:15 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 14:20:30 2006
Subject: MailScanner + kaspersky-4.5/5.5 problem
In-Reply-To: <200608252044.22465.paul@tenfjord.net>
References: <200608252044.22465.paul@tenfjord.net>
Message-ID: <44F04A8F.5080305@ecs.soton.ac.uk>

I wonder if it's a problem with the trial version? I only ever test against the full purchased package.

Paul Tenfjord wrote:
> Evening all.
>
> I've been trying to get MailScanner use Kaspersky virus scanner without
> success.
> I downloaded a trial version (kav5.5trial) and installed the deb file. The deb
> file installed Kaspersky to /opt/kav/5.5/kav4mailservers/.
> The wrapper script runs successfully, yet the log file never shows kaspersky
> scan the email, I can however see Clamav and Mailscanner entries in the
> detailed report.
> I have edited the installation directory in virus.scanners.conf to point
> to /opt/kav/5.5/kav4mailservers .
>
>
> thin# /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers
> [25/08/06 20:38:25 I] Kaspersky Anti-Virus On-Demand Scanner for Linux.
> Version 5.5.10/RELEASE build #115, compiled Mar 29 2006, 14:17:08
> .....
> [25/08/06 20:38:25 I] License file 001BEE74.key, serial 0038-000413-001BEE74,
> "Kaspersky Anti-Virus BO for SendMail / Qmail / Postfix International
> Edition.
50-MailAddress 1 month Trial Download Pack", expires 24-09-2006 in 28 days
> [25/08/06 20:38:27 I] There are 205521 records loaded, the latest update 25-08-2006
> [25/08/06 20:38:27 I] The scan path: /opt/MailScanner-4.55.10/etc
> ......
> [25/08/06 20:38:29 I] Scan summary: Files=432 Folders=20 Archives=181 Packed=0
> Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 Corrupted=0
> Protected=0 Error=0 ScanTime=00:00:02 ScanSpeed=1642.812 Kb/s
>
>
> thin# grep -ri kasper mail.log
> Aug 25 19:42:01 mx11 update.virus.scanners: Found kaspersky-4.5 installed
> Aug 25 19:42:01 mx11 update.virus.scanners: Running autoupdate for kaspersky-4.5
> Aug 25 19:42:10 mx11 kaspersky-autoupdate[5949]: Kaspersky-5.0 updated
>
> MailScanner.conf :
> Virus Scanners = clamav kaspersky-4.5
>
> virus.scanners.conf :
> kaspersky-4.5 /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers
>
> MailScanner --lint :
> MailScanner.conf says "Virus Scanners = clamav kaspersky-4.5"
> Found these virus scanners installed: clamav, kaspersky-4.5
>
> Vitals :
> MailScanner 4.55.10
> Kaspersky 5.5trial installed in default location.
>
>
> Any suggestions or hints would be highly appreciated.
>
>
>
> Best Regards Paul.
>
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 26 14:21:44 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 26 14:21:58 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com>
References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com>
Message-ID: <44F04AE8.5020504@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 25/08/06, sandrews@andrewscompanies.com
> wrote:
>> What's wrong with a pointy stick?
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn
>> Steen
>> Sent: Friday, August 25, 2006 3:05 PM
>> To: MailScanner discussion
>> Subject: Re: Max SpamAssassin Size problems
>>
>> On 25/08/06, Scott Silva wrote:
>> (snip)
>> > I still vote for execute the spammers!
>> >
>> > How much perl code will that take?
>> > Or do you just have to beat them with whatever is handy?
>> >
>> Oh, any suitable LART will do.... Small sledgehammer is my personal
>> favourite:-)
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
> That's reserved for top-posters
> Semi-seriously though... Whichever LART makes you happy, that would be
> perfectly fine:-D. One can easily imagine recreating some
> "Transylvanian Count Vlad moments" with such an implement....:-)

Don't be rude about Transylvania, they use MailScanner! (no joke, take a look at the www.mailscanner.info/users.html page).

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From res at ausics.net Sat Aug 26 14:34:25 2006
From: res at ausics.net (Res)
Date: Sat Aug 26 14:34:35 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44F04AE8.5020504@ecs.soton.ac.uk>
References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> <44F04AE8.5020504@ecs.soton.ac.uk>
Message-ID:

> Don't be rude about Transylvania, they use MailScanner! (no joke, take a
> look at the www.mailscanner.info/users.html page).

You need to move that to wiki so the many many more that do run it can add themselves if they so desire.

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From paul at tenfjord.net Sat Aug 26 14:50:14 2006
From: paul at tenfjord.net (Paul Tenfjord)
Date: Sat Aug 26 14:53:40 2006
Subject: MailScanner + kaspersky-4.5/5.5 problem
In-Reply-To: <44F04A8F.5080305@ecs.soton.ac.uk>
References: <200608252044.22465.paul@tenfjord.net> <44F04A8F.5080305@ecs.soton.ac.uk>
Message-ID: <200608261550.14945.paul@tenfjord.net>

Thank you for the reply. I have found another person experiencing the same problem with a full license.
I have contacted him and he had found no solution. You can find his post here, though it's exactly the same problem. http://comments.gmane.org/gmane.mail.virus.mailscanner/42375 I will keep trying and post the solution here if I find it. Thank you. Regards Paul On Saturday 26 August 2006 15:20, Julian Field wrote: > I wonder if it's a problem with the trial version? I only ever test > against the full purchased package. > > Paul Tenfjord wrote: > > Evening all. > > > > I've been trying to get MailScanner use Kaspersky virus scanner without > > success. > > I downloaded a trial version (kav5.5trial) and installed the deb file. > > The deb file installed Kaspersky to /opt/kav/5.5/kav4mailservers/. > > The wrapper script runs successfully, yet the log file never shows > > kaspersky scan the email, I can however see Clamav and Mailscanner > > entries in the detailed report. > > I have edited the installation directory in virus.scanners.conf to point > > to /opt/kav/5.5/kav4mailservers . > > > > > > thin# /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers > > [25/08/06 20:38:25 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. > > Version 5.5.10/RELEASE build #115, compiled Mar 29 2006, 14:17:08 > > ..... > > [25/08/06 20:38:25 I] License file 001BEE74.key, serial > > 0038-000413-001BEE74, "Kaspersky Anti-Virus BO for SendMail / Qmail / > > Postfix International Edition. 50-MailAddress 1 month Trial Download > > Pack", expires 24-09-2006 in 28 days > > [25/08/06 20:38:27 I] There are 205521 records loaded, the latest update > > 25-08-2006 > > [25/08/06 20:38:27 I] The scan path: /opt/MailScanner-4.55.10/etc > > ...... 
> > [25/08/06 20:38:29 I] Scan summary: Files=432 Folders=20 Archives=181 > > Packed=0 Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 > > Corrupted=0 Protected=0 Error=0 ScanTime=00:00:02 ScanSpeed=1642.812 Kb/s > > > > > > thin# grep -ri kasper mail.log > > Aug 25 19:42:01 mx11 update.virus.scanners: Found kaspersky-4.5 installed > > Aug 25 19:42:01 mx11 update.virus.scanners: Running autoupdate for > > kaspersky-4.5 > > Aug 25 19:42:10 mx11 kaspersky-autoupdate[5949]: Kaspersky-5.0 updated > > > > MailScanner.conf : > > Virus Scanners = clamav kaspersky-4.5 > > > > virus.scanners.conf : > > kaspersky-4.5 /opt/MailScanner/lib/kaspersky-wrapper > > /opt/kav/5.5/kav4mailservers > > > > MailScanner --lint : > > MailScanner.conf says "Virus Scanners = clamav kaspersky-4.5" > > Found these virus scanners installed: clamav, kaspersky-4.5 > > > > Vitals : > > MailScanner 4.55.10 > > Kaspersky 5.5trial installed in default location. > > > > > > Any suggestions or hints would be highly appreciated. > > > > > > > > Best Regards Paul. > > -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean.
> For all your IT requirements visit www.transtec.co.uk From jchezny at northcarolina.edu Sat Aug 26 15:22:07 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Sat Aug 26 15:22:10 2006 Subject: Config error....spamwhitelist Message-ID: <1156602127.44f0590fb3989@webmail.northcarolina.edu> All, I am using spam.whitelist.rules in my configuration (Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules); and have noticed this error message in the logs: * Config Error: Cannot match against destination IP address when resolving configuration option "spamwhitelist" * Otherwise, my installation works like a charm. MailScanner has served us faithfully for more than three years now. Thanks Julian for such a great product-I bought the book and a golf shirt! My configuration: Running on Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux - This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) - This is Perl version 5.008005 (5.8.5) - This is MailScanner version 4.51.6 - This is Postfix version 2.2.10 - This is a Dell PE 2850, 2x2.8Ghz, 1GB RAM Any ideas? Thanks in advance for any assistance you provide. Kind regards, J. Chezny ---------------------------------------------------------------- This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu From mailscanner at ecs.soton.ac.uk Sat Aug 26 15:48:14 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 26 15:48:40 2006 Subject: MailScanner + kaspersky-4.5/5.5 problem In-Reply-To: <200608261550.14945.paul@tenfjord.net> References: <200608252044.22465.paul@tenfjord.net> <44F04A8F.5080305@ecs.soton.ac.uk> <200608261550.14945.paul@tenfjord.net> Message-ID: <44F05F2E.90307@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you can send me (offlist) a complete copy of the latest version of Kaspersky, I will look into it for you.
You can take my word that I will only use it for development purposes and will certainly not let anyone else anywhere near it. (I've got a reputation to protect here! :-) Paul Tenfjord wrote: > Thank you for the reply. > > I have found another person experiencing the same problem with a full license. > I have contacted him and he had found no solution. > You can find his post here, though it's exactly the same problem. > http://comments.gmane.org/gmane.mail.virus.mailscanner/42375 > I will keep trying and post the solution here if I find it. > > Thank you. > > Regards Paul > > On Saturday 26 August 2006 15:20, Julian Field wrote: >> I wonder if it's a problem with the trial version? I only ever test >> against the full purchased package. >> >> Paul Tenfjord wrote: >>> Evening all. >>> >>> I've been trying to get MailScanner use Kaspersky virus scanner without >>> success. >>> I downloaded a trial version (kav5.5trial) and installed the deb file. >>> The deb file installed Kaspersky to /opt/kav/5.5/kav4mailservers/. >>> The wrapper script runs successfully, yet the log file never shows >>> kaspersky scan the email, I can however see Clamav and Mailscanner >>> entries in the detailed report. >>> I have edited the installation directory in virus.scanners.conf to point >>> to /opt/kav/5.5/kav4mailservers . >>> >>> >>> thin# /opt/MailScanner/lib/kaspersky-wrapper /opt/kav/5.5/kav4mailservers >>> [25/08/06 20:38:25 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. >>> Version 5.5.10/RELEASE build #115, compiled Mar 29 2006, 14:17:08 >>> ..... >>> [25/08/06 20:38:25 I] License file 001BEE74.key, serial >>> 0038-000413-001BEE74, "Kaspersky Anti-Virus BO for SendMail / Qmail / >>> Postfix International Edition. 50-MailAddress 1 month Trial Download >>> Pack", expires 24-09-2006 in 28 days >>> [25/08/06 20:38:27 I] There are 205521 records loaded, the latest update >>> 25-08-2006 >>> [25/08/06 20:38:27 I] The scan path: /opt/MailScanner-4.55.10/etc >>> ...... 
>>> [25/08/06 20:38:29 I] Scan summary: Files=432 Folders=20 Archives=181 >>> Packed=0 Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 >>> Corrupted=0 Protected=0 Error=0 ScanTime=00:00:02 ScanSpeed=1642.812 Kb/s >>> >>> >>> thin# grep -ri kasper mail.log >>> Aug 25 19:42:01 mx11 update.virus.scanners: Found kaspersky-4.5 installed >>> Aug 25 19:42:01 mx11 update.virus.scanners: Running autoupdate for >>> kaspersky-4.5 >>> Aug 25 19:42:10 mx11 kaspersky-autoupdate[5949]: Kaspersky-5.0 updated >>> >>> MailScanner.conf : >>> Virus Scanners = clamav kaspersky-4.5 >>> >>> virus.scanners.conf : >>> kaspersky-4.5 /opt/MailScanner/lib/kaspersky-wrapper >>> /opt/kav/5.5/kav4mailservers >>> >>> MailScanner --lint : >>> MailScanner.conf says "Virus Scanners = clamav kaspersky-4.5" >>> Found these virus scanners installed: clamav, kaspersky-4.5 >>> >>> Vitals : >>> MailScanner 4.55.10 >>> Kaspersky 5.5trial installed in default location. >>> >>> >>> Any suggestions or hints would be highly appreciated. >>> >>> >>> >>> Best Regards Paul. >> -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: UTF-8 wj8DBQFE8F83EfZZRxQVtlQRAoc7AKD+2rEp0mbltLtHyuFLG859Sn78cACgw4me /o0S0m3fYDXhPVGh3TMzB1w= =sAeE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 26 15:50:42 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 26 15:50:58 2006 Subject: Config error....spamwhitelist In-Reply-To: <1156602127.44f0590fb3989@webmail.northcarolina.edu> References: <1156602127.44f0590fb3989@webmail.northcarolina.edu> Message-ID: <44F05FC2.3000604@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You have a rule in there that says either To: 10.2.3.4 yes or FromOrTo: 10.2.3.4 yes haven't you? You cannot match a destination IP address in a rule. There is no way of knowing exactly what IP address the message will be delivered to until you are actually in the process of sending the bytes of data to it, due to the fault-tolerant way in which internet email delivery works. You can do a "From" match against an IP address, but certainly not a To or a FromOrTo. jchezny@northcarolina.edu wrote: > All, > I am using spam.whitelist.rules in my configuration (Is Definitely Not Spam = > %rules-dir%/spam.whitelist.rules); and have notice this error message in the > logs: > * Config Error: Cannot match against destination IP address when resolving > configuration option "spamwhitelist" * > > Otherwise, my installation works like a charm. MailScanner has served us > faithfully for more than three years now. Thanks Julian for such a great > product-I bought the book and a golf shirt! 
> > My configuration: > Running on Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 > i386 GNU/Linux > - This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) > - This is Perl version 5.008005 (5.8.5) > - This is MailScanner version 4.51.6 > - This is Postfix version 2.2.10 > - This is a Dell PE 2850, 2x2.8Ghz, 1GB RAM > > Any ideas? Thanks in advance for any assistance you provide. > > Kind regards, > > J. Chezny > > > > ---------------------------------------------------------------- > This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE8F/DEfZZRxQVtlQRAqM7AJ0bGwanTsOIt6imFFC+BakKay0BlgCgjQP2 YH0DJrRV2gRe+nqCBrlD/ZI= =K+wz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From hmkash at arl.army.mil Sat Aug 26 16:19:56 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Sat Aug 26 16:25:40 2006 Subject: Max SpamAssassin Size problems References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> Message-ID: <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> > What objections to people have to simply letting you set this yourself? 
With no changes to the code we have to disable Max SpamAssassin Size in order to guarantee that no attachments are truncated in the middle and thus cause false positives. At the same time we lose all protection against DoS and resource over utilization. With code added that will only continue until the end of the current attachment, at least there is some protection. Granted, there may be one huge attachment, but at least it's something. Howard From mailscanner at ecs.soton.ac.uk Sat Aug 26 16:34:33 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 26 16:34:52 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <44F06A09.9070201@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kash, Howard (Civ, ARL/CISD) wrote: >> What objections do people have to simply letting you set this yourself? > > With no changes to the code we have to disable Max SpamAssassin Size in order to guarantee that no attachments are truncated in the middle and thus cause false positives. At the same time we lose all protection against DoS and resource over utilization. With code added that will only continue until the end of the current attachment, at least there is some protection. Granted, there may be one huge attachment, but at least it's something. Why not just set the Max SpamAssassin Size to 50k or the partial-image-detection rules to 0? - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: UTF-8 wj8DBQFE8GoLEfZZRxQVtlQRAgaSAKCg9lzXAwCbR/d3j2A6b8Py53bJyQCfVw0b PYr8Mk3F9qutMZIBsqkqLxc= =DjBq -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Sat Aug 26 17:36:00 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Aug 26 17:36:04 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: References: <223f97700608251256y26088cbcr26db57de177c7258@mail.gmail.com> Message-ID: <223f97700608260936n4457955ay5908b9e043f2cc3e@mail.gmail.com> On 25/08/06, Jim Holland wrote: > On Fri, 25 Aug 2006, Glenn Steen wrote: > > > On 25/08/06, Julian Field wrote: > > > > > > Denis Beauchemin wrote: > > > > Jim Holland a ?crit : > > > >> On Fri, 25 Aug 2006, Julian Field wrote: > > > >> > > > >> > > > >>> That is what I would expect to happen. RPM won't overwrite a file > > > >>> owned by another package unless forced to (which I don't like doing). > > > >>> > > > >> > > > >> I understand that. My original question was why once the install.sh > > > >> script experienced a problem with one module it would then fail to > > > >> attempt > > > >> installing the remaining modules. > > > >> > > > >> > > > > > > > > Not on my RHEL 4 system. It tried to install them all. > > > > > > Thankyou for that. I'm not going nuts after all. On everyone else's > > > systems it tries to install them all, it doesn't give up after one > > > failure. It carries on and tries to install the next one. > > > > > I wonder if this has something to do with the fact that Jim is doing > > his install on RH 7.1 ... 
Somewhat out of date, one might say (even > > with legacy updates:-) > > It is also driving me nuts too - not so much by the problem, which I can > cope with, but trying to understand what is going on! I am totally > baffled. Even if it is an ancient OS, a bash script shouldn't bomb out if > a command returns a non-zero return code or even fails altogether. I have > cut out the loop itself and run it without the rpm command, and then it > works fine, going through each package and making appropriate comments. > > I will let people know if I ever manage to get to the bottom of it. For > now it is a bit like a crossword puzzle that you can't finish but keep > going back to. > > Regards > Is it perhaps your rpm database that is somewhat corrupt? You could try an rpm rebuild....:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Sat Aug 26 18:12:45 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Aug 26 18:11:43 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: <44F032EB.70202@ecs.soton.ac.uk> Message-ID: On Sat, 26 Aug 2006, Julian Field wrote: > Kevin Miller wrote: > > Michael Baird wrote: > > > >> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > >> as well, on a lower pref MX (Spam Catcher). It goes further than just > >> checking reverse DNS, it also checks whether the domain actually > >> accepts mail, and if it accepts mail for the specified sender. > > > > Just installed this on a test server and a third level mx gateway (that > > gets maybe a half dozen non spam emails on a good day!) > > > > Have one question though - how do these sorts of milters deal with > > mailing lists? An awful lot of them seem to send from no-reply > > addresses. Do list senders typically create a valid account and just > > quietly drop any mail back, or what?
I can see the sender check > > dropping a lot of valid email from lists so am a bit leery about it. Am > > I losing sleep over nothing? > > On a slightly related question, I built this on a client's machine the > other day, but could not remotely see how to configure it. The docs are > next to useless from what I could find. > > Hints? See my rough notes below for a Debian installation, written in hindsight after much trial and error. I use it just for filtering my personal mail after it has been through the main MANGO system. So far it has stopped a few spammers that got through MailScanner (which is not currently using SpamAssassin etc yet due to lack of processing power), but the traffic is not large enough to draw many conclusions there. I have also installed it on a very old Red Hat 6.1 nameserver for which the incoming mail should only have been correspondence about domain registrations, but in the end the ratio of spam to genuine but very important mail was well over 100:1. This utility alone immediately blocked 80% of the spam, with no false positives at all. (Initially it would not compile - as it was never intended for such an old OS as 6.1 - but the very helpful developer (Eugene Kurmanin) very kindly held my hand on line and with a combination of hacking of the source code and finding some old bind include files we got it working). I haven't tested the Recipient e-Mail Address Verification yet. The code is still at an early stage of development, but I am very impressed. The nameserver where I installed it was simply forwarding mail to a handful of accounts at other ISPs, so relied on their own spam and virus filtering. However one of them started to institute sender verification itself (very simple if you are using Exim, but not if you are using sendmail and can't afford a commercial milter). The result was huge numbers of undeliverable and unbounceable spam messages in the mail queue. That has now stopped almost completely.
I would not recommend it for a production mail server at the moment, simply because it has no facility for whitelisting. However the developer says that whitelisting with a cache will be incorporated in the next version to be issued in a week or so. As the previous correspondent indicated, it will be important to be able to whitelist mailing lists etc. Clearly the more obvious junk that can be stopped by the MTA the better, leaving MailScanner etc with more processing power to fine filter the remainder. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service First updated to latest sendmail Installed package libmilter-dev, which also installed libmilter0 Downloaded smf-sav-1.2.0 from: http://prdownloads.sourceforge.net/smfs/smf-sav-1.2.0.tar.gz?use_mirror=kent Unpacked smf-sav-1.2.0.tar.gz in /usr/src/smf-sav-1.2.0 Made following changes to Makefile: < DATADIR = /var/run/smfs < CONFDIR = /etc/smfs --- > DATADIR = /var/smfs > CONFDIR = /usr/local/etc/smfs Ran make, then make install Created directory /usr/local/etc/smfs Created the following link: ln -s /usr/local/etc/smfs/smf-sav.conf /etc/smfs/smf-sav.conf (The above two steps seem to be required if you don't use the default location /usr/local/etc/smfs - I have reported this as a possible bug) Edited /etc/smfs/smf-sav.conf: < # /etc/smfs/smf-sav.conf --- > # /usr/local/etc/smfs/smf-sav.conf < Connect ^127\. --- > Connect (^127\.|^192\.168\.|^10\.) 
< PublicName test.mango.zw # should be corrected carefully --- > PublicName yourhost.yourdomain.tld # should be corrected carefully < SafeCallBack root@test.mango.zw # should be corrected carefully --- > SafeCallBack postmaster@yourdomain.tld # should be corrected carefully < Socket unix:/var/run/smfs/smf-sav.sock --- > Socket unix:/var/smfs/smf-sav.sock Add this line to /etc/syslog.conf file: local2.info -/var/log/sav.log If you want to exclude the successfully verified e-mail addresses from logging, set the syslog priority to notice instead the info. Run /etc/init.d/sysklogd restart Edit sendmail.mc file by adding: define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl Regenerate sendmail.cf Create startup script (there are some examples in the source init directory, but I based mine on a standard Debian script): Create /etc/init.d/smfsav based on /etc/init.d/ssh Runlevels 0, 1, 6: ln -s /etc/init.d/smfsav K20smfsav Runlevels 2-5: ln -s /etc/init.d/smfsav S20smfsav It must start before sendmail, stop after it. Then start up smf-sav and restart sendmail. Check the log file /var/log/sav.log Test by sending mail from an invalid address at a third party server. From jaearick at colby.edu Sat Aug 26 22:32:23 2006 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Sat Aug 26 22:36:15 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F04AE8.5020504@ecs.soton.ac.uk> References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> <44F04AE8.5020504@ecs.soton.ac.uk> Message-ID: On Sat, 26 Aug 2006, Julian Field wrote: > Date: Sat, 26 Aug 2006 14:21:44 +0100 > From: Julian Field > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Max SpamAssassin Size problems > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > >> That's reserved for top-posters >> Semi-seriously though... Whichever LART makes you happy, that would be >> perfectly fine:-D. One can easily imagine recreating some >> "Transylvanian Count Vlad moments" with such an implement....:-) > > Don't be rude about Transylvania, they use MailScanner! (no joke, take a > look at the www.mailscanner.info/users.html page). Yah, our work-study student is from Romania. She is super smart and very pretty too. We wish we had more like her on the payroll. Jeff Earickson Colby College From mikea at mikea.ath.cx Sun Aug 27 03:09:54 2006 From: mikea at mikea.ath.cx (mikea) Date: Sun Aug 27 03:10:00 2006 Subject: Feedback on MailScanner 4.56.1-1 beta In-Reply-To: ; from mailscanner@mango.zw on Fri, Aug 25, 2006 at 11:45:47PM +0200 References: <223f97700608251256y26088cbcr26db57de177c7258@mail.gmail.com> Message-ID: <20060826210954.A23479@mikea.ath.cx> On Fri, Aug 25, 2006 at 11:45:47PM +0200, Jim Holland wrote: > On Fri, 25 Aug 2006, Glenn Steen wrote: > > > On 25/08/06, Julian Field wrote: > > > > > > Denis Beauchemin wrote: > > > > Jim Holland wrote: > > > >> On Fri, 25 Aug 2006, Julian Field wrote: > > > >> > > > >> > > > >>> That is what I would expect to happen. RPM won't overwrite a file > > > >>> owned by another package unless forced to (which I don't like doing). > > > >>> > > > >> > > > >> I understand that.
My original question was why once the install.sh > > > >> script experienced a problem with one module it would then fail to > > > >> attempt > > > >> installing the remaining modules. > > > >> > > > >> > > > > > > > > Not on my RHEL 4 system. It tried to install them all. > > > > > > Thank you for that. I'm not going nuts after all. On everyone else's > > > systems it tries to install them all, it doesn't give up after one > > > failure. It carries on and tries to install the next one. > > > > > I wonder if this has something to do with the fact that Jim is doing > > his install on RH 7.1 ... Somewhat out of date, one might say (even > > with legacy updates:-) > > It is also driving me nuts too - not so much by the problem, which I can > cope with, but trying to understand what is going on! I am totally > baffled. Even if it is an ancient OS, a bash script shouldn't bomb out if > a command returns a non-zero return code or even fails altogether. I have > cut out the loop itself and run it without the rpm command, and then it > works fine, going through each package and making appropriate comments. This came up on another list I'm subscribed to, and yes, indeed, some shells _do_ abort a script on a non-zero RC or if a command in the script failed. This caused a lot of heartache and head-examination. There is no good, universal solution, but it probably would be fairly easy to cobble up a short, guaranteed-to-fail script for folks to try as part of their next MS installation. It would be nice if it kicked out a warning on failure, or if it were written to be silent when it failed and to write a big, gaudy rooster-crowing success message. > I will let people know if I ever manage to get to the bottom of it. For > now it is a bit like a crossword puzzle that you can't finish but keep > going back to. What about changing the #! line at the head of each script to a shell that you know tests good on your system _and_ supports Jules' scripting needs?
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From jchezny at northcarolina.edu Sun Aug 27 04:13:51 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Sun Aug 27 04:13:58 2006 Subject: Config error....spamwhitelist In-Reply-To: <44F05FC2.3000604@ecs.soton.ac.uk> References: <1156602127.44f0590fb3989@webmail.northcarolina.edu> <44F05FC2.3000604@ecs.soton.ac.uk> Message-ID: <1156648431.44f10defe6501@webmail.northcarolina.edu> Quoting Julian Field : Correct. Actually there were two rules w/ IP addresses. Removed the two rules and the error messages went away. Thank you, -jc > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You have a rule in there that says either > To: 10.2.3.4 yes > or > FromOrTo: 10.2.3.4 yes > haven't you? > > You cannot match a destination IP address in a rule. There is no way of > knowing exactly what IP address the message will be delivered to until > you are actually in the process of sending the bytes of data to it, due > to the fault-tolerant way in which internet email delivery works. > > You can do a "From" match against an IP address, but certainly not a To > or a FromOrTo. > > jchezny@northcarolina.edu wrote: > > All, > > I am using spam.whitelist.rules in my configuration (Is Definitely Not Spam > = > > %rules-dir%/spam.whitelist.rules); and have notice this error message in > the > > logs: > > * Config Error: Cannot match against destination IP address when > resolving > > configuration option "spamwhitelist" * > > > > Otherwise, my installation works like a charm. MailScanner has served us > > faithfully for more than three years now. Thanks Julian for such a great > > product-I bought the book and a golf shirt! 
> > > > My configuration: > > Running on Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 > i686 > > i386 GNU/Linux > > - This is Red Hat Enterprise Linux ES release 4 (Nahant Update 4) > > - This is Perl version 5.008005 (5.8.5) > > - This is MailScanner version 4.51.6 > > - This is Postfix version 2.2.10 > > - This is a Dell PE 2850, 2x2.8Ghz, 1GB RAM > > > > Any ideas? Thanks in advance for any assistance you provide. > > > > Kind regards, > > > > J. Chezny > > > > > > > > ---------------------------------------------------------------- > > This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Charset: ISO-8859-1 > > wj8DBQFE8F/DEfZZRxQVtlQRAqM7AJ0bGwanTsOIt6imFFC+BakKay0BlgCgjQP2 > YH0DJrRV2gRe+nqCBrlD/ZI= > =K+wz > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> ---------------------------------------------------------------- This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu From matt at coders.co.uk Sun Aug 27 10:24:27 2006 From: matt at coders.co.uk (Matt Hampton) Date: Sun Aug 27 10:24:01 2006 Subject: Problems with sendmail 8.13.7 and the startup script Message-ID: <44F164CB.3020202@coders.co.uk> Morning all I was getting a large number of orphaned df files with the stock CentOS 4.3 (8.13.1 patched with bug fixes up to 8.13.6). According to the release notes for 8.13.7 this was fixed (and it is!) but there is now another issue. There is a known issue with 8.13.7 (fixed in 8.13.8) where the PID file is deleted. Therefore Jules' init script is unable to stop the process. Upgrading to 8.13.8 fixes both issues... matt From glenn.steen at gmail.com Sun Aug 27 11:46:47 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Aug 27 11:46:49 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F04AE8.5020504@ecs.soton.ac.uk> References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> <44F04AE8.5020504@ecs.soton.ac.uk> Message-ID: <223f97700608270346g54c58452v1c8a434a237da4fa@mail.gmail.com> On 26/08/06, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: (snip) > > That's reserved for top-posters > > Semi-seriously though... Whichever LART makes you happy, that would be > > perfectly fine:-D. One can easily imagine recreating some > > "Transylvanian Count Vlad moments" with such an implement....:-) > > Don't be rude about Transylvania, they use MailScanner! (no joke, take a > look at the www.mailscanner.info/users.html page). No rudeness to Transylvanians in general intended. The Count referred to is, of course, the historic character that lies at the foundation of the Dracula myth...
Splendid chap who liked to stick a pointy stick up peoples backside, to create a truly horrid death... Now, if one looks at historic rulers/despots/tyrants in general they tend to have endearing traits like these, all and sundry... So perhaps the count has a somewhat smeared reputation:-). In this context, the suggestion would be to emulate count Vald, in handling spammers in such a manner (this i indeed a joke... No sane person should try this at home:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Aug 27 14:02:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Aug 27 14:02:28 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <223f97700608270346g54c58452v1c8a434a237da4fa@mail.gmail.com> References: <1964AAFBC212F742958F9275BF63DBB04291F4@winchester.andrewscompanies.com> <223f97700608251253m44804a69pf88c5dca408fb3c6@mail.gmail.com> <44F04AE8.5020504@ecs.soton.ac.uk> <223f97700608270346g54c58452v1c8a434a237da4fa@mail.gmail.com> Message-ID: <223f97700608270602w4bdc2bbi87fac69e6a84a5cd@mail.gmail.com> On 27/08/06, Glenn Steen wrote: > On 26/08/06, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > Glenn Steen wrote: > (snip) > > > That's reserved for top-posters > > > Semi-seriosly though... Whichever LART makes you happy, that would be > > > perfectly fine:-D. One can easily imagine recreating some > > > "Transylvanian Count Vlad moments" with such an implemeny....:-) > > > > Don't be rude about Transylvania, they use MailScanner! (no joke, take a > > look at the www.mailscanner.info/users.html page). > > No rudeness to transylvanians in general intended. The Count refered > to is, of course the historic character that lies at the foundation fo > the Dracula myth... Splendid chap who liked to stick a pointy stick up > peoples backside, to create a truly horrid death... 
Now, if one looks > at historic rulers/despots/tyrants in general they tend to have > endearing traits like these, all and sundry... So perhaps the count > has a somewhat smeared reputation:-). > In this context, the suggestion would be to emulate count Vald, in > handling spammers in such a manner (this i indeed a joke... No sane > person should try this at home:-). > BTW, the "count" was really a prince, IIRC:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lists at norcomcable.ca Sun Aug 27 16:53:03 2006 From: lists at norcomcable.ca (Dan) Date: Sun Aug 27 16:53:16 2006 Subject: MailScanner + kaspersky-4.5/5.5 problem In-Reply-To: <200608252044.22465.paul@tenfjord.net> Message-ID: <4d6d001c6c9f0$e42df930$d100a8c0@norcom209> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Paul Tenfjord > Sent: August 25, 2006 1:44 PM > To: MailScanner discussion > Subject: MailScanner + kaspersky-4.5/5.5 problem > > Evening all. > > I've been trying to get MailScanner use Kaspersky virus > scanner without success. > I downloaded a trial version (kav5.5trial) and installed the > deb file. The deb file installed Kaspersky to > /opt/kav/5.5/kav4mailservers/. > The wrapper script runs successfully, yet the log file never > shows kaspersky scan the email, I can however see Clamav and > Mailscanner entries in the detailed report. > I have edited the installation directory in > virus.scanners.conf to point to /opt/kav/5.5/kav4mailservers . > > > thin# /opt/MailScanner/lib/kaspersky-wrapper > /opt/kav/5.5/kav4mailservers > [25/08/06 20:38:25 I] Kaspersky Anti-Virus On-Demand Scanner > for Linux. > Version 5.5.10/RELEASE build #115, compiled Mar 29 2006, > 14:17:08 ..... 
> [25/08/06 20:38:25 I] License file 001BEE74.key, serial > 0038-000413-001BEE74, "Kaspersky Anti-Virus BO for SendMail / > Qmail / Postfix International Edition. 50-MailAddress 1 month > Trial Download Pack", expires 24-09-2006 in > 28 days > [25/08/06 20:38:27 I] There are 205521 records loaded, the > latest update > 25-08-2006 > [25/08/06 20:38:27 I] The scan path: > /opt/MailScanner-4.55.10/etc ...... > [25/08/06 20:38:29 I] Scan summary: Files=432 Folders=20 > Archives=181 Packed=0 Infected=0 Warnings=0 Suspicios=0 > Cured=0 CureFailed=0 Corrupted=0 Protected=0 Error=0 > ScanTime=00:00:02 ScanSpeed=1642.812 Kb/s > > > thin# grep -ri kasper mail.log > Aug 25 19:42:01 mx11 update.virus.scanners: Found > kaspersky-4.5 installed Aug 25 19:42:01 mx11 > update.virus.scanners: Running autoupdate for > kaspersky-4.5 > Aug 25 19:42:10 mx11 kaspersky-autoupdate[5949]: Kaspersky-5.0 updated > > MailScanner.conf : > Virus Scanners = clamav kaspersky-4.5 > > virus.scanners.conf : > kaspersky-4.5 /opt/MailScanner/lib/kaspersky-wrapper > /opt/kav/5.5/kav4mailservers > > MailScanner -lint : > MailScanner.conf says "Virus Scanners = clamav kaspersky-4.5" > Found these virus scanners installed: clamav, kaspersky-4.5 > > Vitals : > MailScanner 4.55.10 > Kaspersky 5.5trial installed in default location. > > > Any suggestions or hints would be highly appreciated. > > > > Best Regards Paul. > > > > > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > I got kaspersky-5.5 to work for me, but I had to add some lines to a few files to make it happen. This works for me. 

/etc/MailScanner/virus.scanners.conf

# Kaspersky 5.5
kaspersky-5.5   /usr/lib/MailScanner/kaspersky-wrapper  /opt/kav/5.5

/usr/lib/MailScanner/kaspery-wrapper

# For KAV 5.5
Scanner=kav4unix/bin/kavscanner
if [ -x ${PackageDir}/$Scanner ]; then
  Report=/tmp/kavoutput.tmp.$$
  ScanOptions="-xp -i0" # Don't report progress, don't attempt to clean
  if [ "x$1" = "x-IsItInstalled" ]; then
    exit 0
  fi
  Args=`echo "$@" | sed -e 's/ -I/ -i/g; s/^-I/-i/g; s/-- / /g;'`
  rm -f $Report
  ${PackageDir}/$Scanner $ScanOptions -q -o$Report "$@"
  cat $Report
  rm -f $Report
  exit
fi

/usr/lib/MailScanner/kaspery-wrapper

# Code for Kaspersky 5.5
if (-x "$PackageDir/kav4unix/bin/keepup2date") {
  &Lock();
  system("$PackageDir/kav4unix/bin/keepup2date");
  &Unlock();
  Sys::Syslog::syslog('info', "Kaspersky-5.5 updated");
  Sys::Syslog::closelog();
  exit 0;
}

/usr/lib/MailScanner/MailScanner/SweepViruses.pm

Following lines were added above the similar place where kaspersky4.5 code is.

--> Around line 170

  "kaspersky-5.5" => {
    Name => 'Kaspersky',
    Lock => 'KasperskyBusy.lock',
    CommonOptions => '',
    DisinfectOptions => '-i2',
    ScanOptions => '-i0',
    InitParser => \&InitKaspersky_5_5Parser,
    ProcessOutput => \&ProcessKaspersky_5_5Output,
    SupportScanning => $S_SUPPORTED,
    SupportDisinfect => $S_SUPPORTED,
  },

--> Around line 1190

# Initialise any state variables the Kaspersky 5.5 output parser uses
my ($kaspersky_5_5Version);
sub InitKaspersky_5_5Parser {
  $kaspersky_5_5Version = 0;
}

--> Around line 1730

# Kaspersky 5.5 onwards is different to its predecessors.
sub ProcessKaspersky_5_5Output {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  my($logout, $report, $infected, $id, $part, @rest);

  chomp $line;
  if (!$kaspersky_5_5Version) {
    # Version is on a line before any files are scanned
    $kaspersky_5_5Version = $1 if $line =~ /version\D+([\d.]+)/i;
    return 0;
  }
  return 0 unless $line =~ /\sINFECTED\s/i;
  $line =~ s/^\[[^\]]+\] //;
  $logout = "$line";
  $logout =~ s/%/%%/g;
  $logout =~ s/\s{20,}/ /g;
  # MailScanner::Log::InfoLog($logout);
  $report = $line; # Save a copy
  $line =~ s/^$BaseDir\///; # Remove basedir/ off the front
  # Now have id/part followed possibly by /rest
  $line =~ /^(.+)\sINFECTED\s[^\s]+$/;
  $infected = $1;
  my ( $foo, $virusname ) = split(/INFECTED\s+/, $line);
  ($id, $part, @rest) = split(/\//, $infected);
  MailScanner::Log::InfoLog("Kaspersky5.5::INFECTED:: $virusname: $infected");
  $report = $Name . ': ' if $Name;
  $infections->{"$id"}{"$part"} .= "$report$part is infected: $virusname\n";
  $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
  system("/usr/local/bin/virus.pl", $virusname);
  return 1;
}

YMMV but this did work for me.

regards,
-dan

From alex at nkpanama.com Sun Aug 27 17:04:13 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sun Aug 27 17:04:13 2006
Subject: Control number of archives
In-Reply-To: <44ED6DF4.4040602@net-com.de>
References: <44ED5F09.6070103@net-com.de> <44ED649D.5050607@solid-state-logic.com> <44ED693E.9040406@ecs.soton.ac.uk> <44ED6DF4.4040602@net-com.de>
Message-ID: <44F1C27D.8020202@nkpanama.com>

Matthias Kellermann wrote:
> Just edited the cronjob to delete the archives also.
> But would be nice if there will be an option in the MailScanner config
> too :)
>
> Best regards,
> Matthias
>
That could be done by having the script look at mailscanner.conf for a variable value.

From chris at tac.esi.net Sun Aug 27 21:46:51 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Sun Aug 27 21:47:09 2006
Subject: Looking for recommendation on how to proceed.
Message-ID: <44F1CC7B.B662.0038.0@tac.esi.net> I am trying to find the easiest way to compare two text files containing domain names and tell me which domain names in the second file do not exist in the first. It seems like it should be a simple process but having no useful scripting knowledge, I am hoping someone can point me to something that already exists. Thanks Chris From hmkash at arl.army.mil Sun Aug 27 21:47:46 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Sun Aug 27 21:47:57 2006 Subject: Max SpamAssassin Size problems References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> Message-ID: <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> > Why not just set the Max SpamAssassin Size to 50k You'll still truncate images. I currently have it at 150k and it still truncates images (either large ones or messages with lots of attached images). > or the partial-image-detection rules to 0? This is an option, but you give up some SPAM detection capability. The plugin doesn't specifically test for partial images, but corrupt images in general, which truncated images are a subset of. Some image spammers have intentionally corrupted the image in such a way that many email clients will still render them readable, but image analysis utilities balk on them. So messages with corrupt images are given a higher score. And this isn't just about images, supposedly someone is working on a plugin to analyze Word documents for spam content. It may have the same problem with truncated Word attachments. Howard -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/ms-tnef
Size: 5310 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060827/f14b0393/attachment.bin

From glenn.steen at gmail.com Sun Aug 27 22:25:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Aug 27 22:25:56 2006
Subject: Looking for recommendation on how to proceed.
In-Reply-To: <44F1CC7B.B662.0038.0@tac.esi.net>
References: <44F1CC7B.B662.0038.0@tac.esi.net>
Message-ID: <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com>

On 27/08/06, Chris Hammond wrote:
> I am trying to find the easiest way to compare two text files containing domain names and tell me which domain names in the second file do not exist in the first. It seems like it should be a simple process but having no useful scripting knowledge, I am hoping someone can point me to something that already exists.
>
> Thanks
> Chris
>
Provided you have them 1 domain/line in the two files, it is very very simple:
total differences (you cat in file1 twice, so that it'll only be the ones from file2 that pass out from "uniq"):

  cat file1 file1 file2 | sort | uniq -u

If you don't like that method, well... diff is our friend then:-):

  diff file1 file2 | egrep "^>"

... should do too:-).
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.list at pixelhammer.com Sun Aug 27 23:15:16 2006 From: dave.list at pixelhammer.com (DAve) Date: Sun Aug 27 23:15:31 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F045B8.4060605@ecs.soton.ac.uk> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> Message-ID: <44F21974.7060604@pixelhammer.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Anthony Peacock wrote: >> Ken A wrote: >>> >>> Logan Shaw wrote: >>>> On Thu, 24 Aug 2006, Julian Field wrote: >>>>> Anthony Peacock wrote: >>>>>> Julian Field wrote: >>>>>>> Sounds survivable. After the limit I will keep going until I hit the >>>>>>> first line that only contains white space. >>>>>> I have been watching this discussion with a growing uneasiness. I >>>>>> could be wrong but doesn't this behaviour open up the system to >>>>>> problems with huge image files... >>>>> Yes, you are absolutely correct. Non-spam may well include huge images. >>>>> The problem with rewinding to the previous boundary is that you may end >>>>> up not giving SpamAssassin _anything_ to work with. >>>>> >>>>> So it's up for a vote: >>>>> >>>>> do I chop half way through an image? >>>>> do I chop at the end of an image? >>>>> do I carry on for a max of 100 lines of Base64 data or until the end of >>>>> an image, which is earlier? >>>> I don't like the last option at all. It still easily allows >>>> a situation where a valid message with a valid image in it >>>> gets detected as a corrupt image and hits a rule that scores >>>> it as spam. 
>>>> >>>> If we assume there are 80 columns of base64 data per line, then >>>> we get 60 bytes per line (since each base64 character carries >>>> 6 bits of data). That means 100 lines only holds 6K, maximum. >>>> >>>> So this option only works if the chop-off point randomly >>>> happens to fall within the last 6K (or less) of the image. >>>> If the max message size causes the initial chop-off point to >>>> fall any earlier, it still creates an invalid image. If you >>>> have a 50K max message size and someone sends a 75K image >>>> (which is not out of the ordinary at all), this method will >>>> keep going up to 56K and then quit. >>>> >>>> Basically, adding the 100 extra lines is really not much better >>>> than chopping right at the max message size barrier, unless >>>> you assume that most images aren't much larger than 6K, which >>>> I don't think is a valid assumption at all. So, this option >>>> adds extra complexity and doesn't really give much benefit. >>>> >>>> - Logan >>> I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you >>> are worried about false positives. Fuzzyocr will get better at sorting >>> this out. And of course in the mean time, don't use outlook, since it >>> will probably render corrupt images just fine. (it's a feature) >> This could be controversial here... >> >> >> I have another suggestion, why don't we agree to leave the MailScanner >> code alone. Those people who are experiencing problems with broken >> images can raise the value of "Max SpamAssassin Size" in *THEIR* >> configurations, the rest of us can carry on as normal. >> >> There is already a way for people to adjust how much information SA gets >> from MailScanner, people who need more information can used that on >> their systems. >> >> >> > > Quack, quack, scamper, scamper.... > > In my book, that is a remarkably good idea. It would be much simpler for > me to implement than any of the other, increasingly complicated versions. 
> > What objections to people have to simply letting you set this yourself? > > I've resisted this thread on another list. It seems to me that there is nothing wrong with MailScanner. I believe the only way the users of these plugins will be happy (considering the possible up and coming Word plugin) will be if MailScanner could selectively send either a partial message or a whole message to SpamAssassin. Determined by.... dunno. I for one want no part of a plugin that requires I send every single message in it's entirety to SA every time. I'd be DOS'ed within a month. I also think this issue is not a MS issue as spamc/spamd have message size limitations by default. In fact if the message exceeds the size limit I don't believe it is even sent to spamd by spamc is it? (Can't remember). In any event I vote no to sending every message and it's attachment to SA. Please let me decide how much of a message is sent to SA. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From res at ausics.net Sun Aug 27 23:46:46 2006 From: res at ausics.net (Res) Date: Sun Aug 27 23:46:59 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F21974.7060604@pixelhammer.com> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> Message-ID: On Sun, 27 Aug 2006, DAve wrote: > I for one want no part of a plugin that requires I send every single message > in it's entirety to SA every time. I'd be DOS'ed within a month. 
I also think

Agreed

>
--
Res

From james at grayonline.id.au Sun Aug 27 23:58:28 2006
From: james at grayonline.id.au (James Gray)
Date: Sun Aug 27 23:58:59 2006
Subject: HTML Scripts etc, now quarantined....help
In-Reply-To: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au>
References: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au>
Message-ID:

On 25/08/2006, at 12:14 PM, James Gray wrote:
> Hi All,
>
> This is simply a case of looking at a problem for too long - I can
> no longer see a clue for the clue bats! In preparation for a
> policy change (that takes effect this weekend) I've been
> abstracting a whole bunch of stuff out to rule files and such (see
> my previous message "Rule set - is this valid" earlier this week).
> Now I've noticed that all messages with HTML scripts, IFRAME tags
> or CODEBASE tags are being quarantined instead of disarmed and
> delivered.

The "Allow (IFrame|Script|Form|Webbugs)..." settings were set to "%etc-dir%/rules/foo.rules" instead of "%rules-dir%/foo.rules". So the question is, despite:

  etc-dir = /etc/MailScanner
  rules-dir = /etc/MailScanner/rules

Why did setting a few rule sets to %etc-dir%/rules/.... cause the rule sets to not be loaded, then default to "no"??

MailScanner 4.50.15 (Perl 5.8.6 running on FreeBSD 4.6). Why fBSD 4.6?!?! Simple:

  # uptime
  6:56PM up 657 days, 19:57, 7 users, load averages: 0.08, 0.08, 0.05

;)

Thought that I'd make a mention of this, just in case someone else strikes it there will be a mention of it in the archives.

Cheers,
James

From res at ausics.net Mon Aug 28 00:46:20 2006
From: res at ausics.net (Res)
Date: Mon Aug 28 00:46:33 2006
Subject: HTML Scripts etc, now quarantined....help
In-Reply-To:
References: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au>
Message-ID:

On Mon, 28 Aug 2006, James Gray wrote:
> MailScanner 4.50.15 (Perl 5.8.6 running on FreeBSD 4.6). Why fBSD 4.6?!?!
> Simple:
> # uptime
> 6:56PM up 657 days, 19:57, 7 users, load averages: 0.08, 0.08, 0.05
> Thought that I'd make a mention of this, just in case someone else strikes it
> there will be a mention of it in the archives.

Doubt anyone cares... I have a RH9 box amongst my collection, why so old, 'cause it's been up since RH9 was released years ago as well :) as do a couple others I know on here running slack 7 and an ancient netbsd box (now that's scary) :P

However the issue with basically the same paths to your rulesets is interesting

--
Res

From james at grayonline.id.au Mon Aug 28 00:58:59 2006
From: james at grayonline.id.au (James Gray)
Date: Mon Aug 28 00:59:31 2006
Subject: HTML Scripts etc, now quarantined....help
In-Reply-To:
References: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au>
Message-ID: <46860835-DBD9-43E4-A53E-6B6FDE39CB5E@grayonline.id.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/08/2006, at 9:46 AM, Res wrote:
> On Mon, 28 Aug 2006, James Gray wrote:
>
>> MailScanner 4.50.15 (Perl 5.8.6 running on FreeBSD 4.6). Why fBSD
>> 4.6?!?! Simple:
>> # uptime
>> 6:56PM up 657 days, 19:57, 7 users, load averages: 0.08, 0.08, 0.05
>
>> Thought that I'd make a mention of this, just in case someone else
>> strikes it there will be a mention of it in the archives.
>
>
> Doubt anyone cares... I have a RH9 box amongst my collection, why
> so old, 'cause it's been up since RH9 was released years ago as
> well :) as do a couple
> others I know on here running slack 7 and an ancient netbsd box
> (now that's scary) :P

If it ain't broke... ;) After re-reading my last message, I was trying to say that I was making mention of the path/rule-set weirdness, not the uptime. Gah. It's Monday and I STILL haven't had my morning coffee.

> However the issue with basically the same paths to your rulesets is
> interesting

Indeed. I hope Julian sees this solution and can shed some light.

Cheers,
James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE8jHGwBHpdJO7b9ERAqKKAJ9TfCKyHIzPiRtwBFJf63ZEc+zgjwCfUVJq
C9Tj0xnBRLjJ49MW28Mng44=
=X5eJ
-----END PGP SIGNATURE-----

From chris at tac.esi.net Mon Aug 28 01:02:09 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Mon Aug 28 01:02:28 2006
Subject: Looking for recommendation on how to proceed.
In-Reply-To: <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com>
References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com>
Message-ID: <44F1FA41.B662.0038.0@tac.esi.net>

Oh my god! I knew it would be simple! I was trying to figure out how to do it with "sort | uniq" but it never crossed my mind to cat the first file to itself so that only the uniq files from the second file would be found. Thanks for the reply, that is just what I needed and it is greatly appreciated.

Thanks
Chris

>>> "Glenn Steen" 08/27/06 5:25 PM >>>
On 27/08/06, Chris Hammond wrote:
> I am trying to find the easiest way to compare two text files containing domain names and tell me which domain names in the second file do not exist in the first. It seems like it should be a simple process but having no useful scripting knowledge, I am hoping someone can point me to something that already exists.
>
> Thanks
> Chris
>
Provided you have them 1 domain/line in the two files, it is very very simple:
total differences (you cat in file1 twice, so that it'll only be the ones from file2 that pass out from "uniq":

  cat file1 file1 file2 | sort | uniq -u

If you don't like that method, well... diff is our friend then:-):

  diff file1 file2 | egrep "^>"

... should do too:-).
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at mango.zw Mon Aug 28 08:48:25 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Aug 28 08:47:08 2006 Subject: HTML Scripts etc, now quarantined....help In-Reply-To: Message-ID: On Mon, 28 Aug 2006, James Gray wrote: > MailScanner 4.50.15 (Perl 5.8.6 running on FreeBSD 4.6). Why fBSD > 4.6?!?! Simple: > # uptime > 6:56PM up 657 days, 19:57, 7 users, load averages: 0.08, 0.08, 0.05 > e-mail service From sergiogc at treelogic.com Mon Aug 28 11:34:33 2006 From: sergiogc at treelogic.com (=?ISO-8859-1?Q?Sergio_Garc=EDa_Caso?=) Date: Mon Aug 28 11:30:32 2006 Subject: MailScanner hangs once a day Message-ID: <44F2C6B9.1060605@treelogic.com> Thank you for the answers. - I don't have problems with non-queue files ending up in the hold queue - I have made a script which restart MailScanner when it is not running and it runs OK. - These are the values of some parameters of MailScanner.conf: * Restart Every = 14400 (it runs OK) * Rebuild Bayes Every = 0 * Wait During Bayes Rebuild = no >Hello, > > I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssasin 3.1.3 > and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10. > The problem is that MailScanner hangs once a day (always at 09.30-10.00) > so I have to restart it (/etc/init.d/mailscanner restart). 
> **

From Denis.Beauchemin at USherbrooke.ca Mon Aug 28 13:32:20 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Aug 28 13:32:37 2006
Subject: Max SpamAssassin Size problems
In-Reply-To:
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com>
Message-ID: <44F2E254.7090706@USherbrooke.ca>

Res wrote:
> On Sun, 27 Aug 2006, DAve wrote:
>
>> I for one want no part of a plugin that requires I send every single
>> message in its entirety to SA every time. I'd be DOS'ed within a month.
>
> Agreed
>
>
>>
>
Same here!

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3226 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060828/c956733e/smime.bin

From mailscanner at mango.zw Mon Aug 28 13:39:03 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Mon Aug 28 13:37:46 2006
Subject: Could Be OT: How many people only accept reverse DNS lookupmail?
In-Reply-To:
Message-ID:

Just a comment on:

> I would not recommend it for a production mail server at the moment,
> simply because it has no facility for whitelisting. However the developer

There is a one line entry in the config file that can be used to whitelist by IP address only, but it isn't very friendly, eg:

  Connect (^127\.|^192\.168\.)

This will be upgraded in the next version.
Regards Jim Holland On Sat, 26 Aug 2006, Jim Holland wrote: > Date: Sat, 26 Aug 2006 19:12:45 +0200 (CAT) > From: Jim Holland > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Could Be OT: How many people only accept reverse DNS > lookupmail? > > On Sat, 26 Aug 2006, Julian Field wrote: > > > Kevin Miller wrote: > > > Michael Baird wrote: > > > > > >> I've been testing http://smfs.sourceforge.net/smf-sav.html this milter > > >> as well, on a lower pref MX (Spam Catcher). It goes further then just > > >> checking reverse DNS, it also checks whether the domain actually > > >> accepts mail, and if it accepts mail for the specified sender. > > > > > > Just installed this on a test server and a third level mx gateway (that > > > gets maybe a half dozen non spam emails on a good day!) > > > > > > Have one question though - how do these sorts of milters deal with > > > mailing lists? An awful lot of them seem to send from no-reply > > > addresses. Do list senders typically create a valid account and just > > > quietly drop any mail back, or what? I can see the sender check > > > dropping a lot of valid email from lists so am a bit leary about it. Am > > > I losing sleep over nothing? > > > > On a slightly related question, I built this on a client's machine the > > other day, but could not remotely see how to configure it. The docs are > > next to useless from what I could find. > > > > Hints? > > See my rough notes below for a Debian installation, written in hindsight > after much trial and error. I use it just for filtering my personal mail > after it has been through the main MANGO system. So far it has stopped a > few spammers that got through MailScanner (which is not currently using > SpamAssassin etc yet due to lack of processing power), but the traffic is > not large enough to draw many conclusions there. 
> > I have also installed it on a very old Red Hat 6.1 nameserver for which > the incoming mail should only have been correspondence about domain > registrations, but in the end the ratio of spam to genuine but very > important mail was well over 100:1. This utility alone immediately > blocked 80% of the spam, with no false positives at all. (Initially it > would not compile - as it was never intended for such an old OS as 6.1 - > but the very helpful developer (Eugene Kurmanin ) very > kindly held my hand on line and with a combination of hacking of the > source code and finding some old bind include files we got it working). > > I haven't tested the Recipient e-Mail Address Verification yet. > > The code is still at an early stage of development, but I am very > impressed. The nameserver where I installed it was simply forwarding mail > to a handful of accounts at other ISPs, so relied on their own spam and > virus filtering. However one of them started to institute sender > verification itself (very simple if you are using Exim, but not if you are > using sendmail and can't afford a commercial milter). The result was huge > numbers of undeliverable and unbounceable spam messages in the mail queue. > That has now stopped almost completely. > > I would not recommend it for a production mail server at the moment, > simply because it has no facility for whitelisting. However the developer > says that whitelisting with a cache will be incorporated in the next > version to be issued in a week or so. As the previous correspondent > indicated, it will be important to be able to whitelist mailing lists etc. > > Clearly the more obvious junk that can be stopped by the MTA the better, > leaving MailScanner etc with more processing power to fine filter the > remainder. 
> > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > > First updated to latest sendmail > > Installed package libmilter-dev, which also installed libmilter0 > > > Downloaded smf-sav-1.2.0 from: > > http://prdownloads.sourceforge.net/smfs/smf-sav-1.2.0.tar.gz?use_mirror=kent > > Unpacked smf-sav-1.2.0.tar.gz in /usr/src/smf-sav-1.2.0 > > Made following changes to Makefile: > > < DATADIR = /var/run/smfs > < CONFDIR = /etc/smfs > --- > > DATADIR = /var/smfs > > CONFDIR = /usr/local/etc/smfs > > Ran make, then make install > > Created directory /usr/local/etc/smfs > > Created the following link: > > ln -s /usr/local/etc/smfs/smf-sav.conf /etc/smfs/smf-sav.conf > > (The above two steps seem to be required if you don't use the default > location /usr/local/etc/smfs - I have reported this as a possible bug) > > > Edited /etc/smfs/smf-sav.conf: > > < # /etc/smfs/smf-sav.conf > --- > > # /usr/local/etc/smfs/smf-sav.conf > > < Connect ^127\. > --- > > Connect (^127\.|^192\.168\.|^10\.) > > < PublicName test.mango.zw # should be corrected carefully > --- > > PublicName yourhost.yourdomain.tld # should be corrected carefully > > < SafeCallBack root@test.mango.zw # should be corrected carefully > --- > > SafeCallBack postmaster@yourdomain.tld # should be corrected carefully > > < Socket unix:/var/run/smfs/smf-sav.sock > --- > > Socket unix:/var/smfs/smf-sav.sock > > > Add this line to /etc/syslog.conf file: > > local2.info -/var/log/sav.log > > If you want to exclude the successfully verified e-mail addresses from > logging, set the syslog priority to notice instead the info. 
> > Run /etc/init.d/sysklogd restart > > > Edit sendmail.mc file by adding: > > define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl > INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl > > Regenerate sendmail.cf > > > Create startup script (there are some examples in the source init > directory, but I based mine on a standard Debian script): > > Create /etc/init.d/smfsav based on /etc/init.d/ssh > Runlevels 0, 1, 6: ln -s /etc/init.d/smfsav K20smfsav > Runlevels 2-5: ln -s /etc/init.d/smfsav S20smfsav > > It must start before sendmail, stop after it. > > > Then start up smf-sav and restart sendmail. > > > Check the log file /var/log/sav.log > > > Test by sending mail from an invalid address at a third party server. > > > > Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From jethro.binks at strath.ac.uk Mon Aug 28 13:58:50 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Aug 28 13:58:54 2006 Subject: Looking for recommendation on how to proceed. In-Reply-To: <44F1FA41.B662.0038.0@tac.esi.net> References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> Message-ID: <20060828135616.J59233@defjam.cc.strath.ac.uk> On Sun, 27 Aug 2006, Chris Hammond wrote: > Oh my god! I knew it would be simple! I was trying to figure out how > to do it with "sort | uniq" but it never crossed my mind to cat the > first file to itself so that only the uniq files from the second file > would be found. Even simpler is to use the tool designed for the job, "comm". DESCRIPTION The comm utility reads file1 and file2, which should be sorted lexically, and produces three text columns as output: lines only in file1; lines only in file2; and lines in both files. 
> >>> "Glenn Steen" 08/27/06 5:25 PM >>> > On 27/08/06, Chris Hammond wrote: > > I am trying to find the easiest way to compare two text files > > containing domain names and tell me which domain names in the second > > file do not exist in the first. It seems like it should be a simple > > process but having no useful scripting knowledge, I am hoping someone > > can point me to something that already exists. > > > > Thanks > > Chris > > > Provided you have them 1 domain/line in the two files, it is very very simple: > total differences (you cat in file1 twice, so that it'll only be the > ones from file2 that pass out from "uniq": > cat file1 file1 file2 | sort | uniq - u > If you don't like that method, well... diff is our friend then:- ): > diff file1 file2 | egrep "^>" > ... should do too:- ). > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From gborders at jlewiscooper.com Mon Aug 28 14:41:29 2006 From: gborders at jlewiscooper.com (Greg Borders) Date: Mon Aug 28 14:39:57 2006 Subject: List of variables for substitution in reports? In-Reply-To: <44F04619.5050504@ecs.soton.ac.uk> References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> Message-ID: <44F2F289.8060609@jlewiscooper.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > My sample report files each use all the available variables in each one. > If you need something else somewhere, let me know and I will see about > adding it for you. > > Sorry it's no more consistent than that. > > Simon Annetts wrote: > >> Sorry if this question has been asked before. >> >> Where can I find a list of all the variables that can be substituted into reports and in the config file for things such as subject >> lines etc? 
I can see some in the reports like $report :-) but to have a definitive list would be very helpful. >> >> Thanks in advance >> Simon >> This might be a prime opportunity for some intrepid MS user to filter through the reports and create a definitive list of report variables, and toss them in the wiki. ;) I'll see what I can do! I wanted this for myself a few months back. Greg Borders JLC Co. -- This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chris at tac.esi.net Mon Aug 28 14:49:02 2006 From: chris at tac.esi.net (Chris Hammond) Date: Mon Aug 28 14:49:13 2006 Subject: Looking for recommendation on how to proceed. In-Reply-To: <20060828135616.J59233@defjam.cc.strath.ac.uk> References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> Message-ID: <44F2BC75.B662.0038.0@tac.esi.net> Hmm. I'm surprised I didn't find that utility in my travels. Thanks for pointing this one out. Thanks Chris >>> Jethro R Binks 08/28/06 8:58 AM >>> On Sun, 27 Aug 2006, Chris Hammond wrote: > Oh my god! I knew it would be simple! I was trying to figure out how > to do it with "sort | uniq" but it never crossed my mind to cat the > first file to itself so that only the uniq files from the second file > would be found. Even simpler is to use the tool designed for the job, "comm". 
DESCRIPTION The comm utility reads file1 and file2, which should be sorted lexically, and produces three text columns as output: lines only in file1; lines only in file2; and lines in both files. > >>> "Glenn Steen" 08/27/06 5:25 PM >>> > On 27/08/06, Chris Hammond wrote: > > I am trying to find the easiest way to compare two text files > > containing domain names and tell me which domain names in the second > > file do not exist in the first. It seems like it should be a simple > > process but having no useful scripting knowledge, I am hoping someone > > can point me to something that already exists. > > > > Thanks > > Chris > > > Provided you have them 1 domain/line in the two files, it is very very simple: > total differences (you cat in file1 twice, so that it'll only be the > ones from file2 that pass out from "uniq": > cat file1 file1 file2 | sort | uniq - u > If you don't like that method, well... diff is our friend then:- ): > diff file1 file2 | egrep "^>" > ... should do too:- ). > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From marlo at raidbr.com.br Mon Aug 28 16:41:37 2006 From: marlo at raidbr.com.br (marlo - raidbr) Date: Mon Aug 28 16:39:17 2006 Subject: NOT BLOCK ATTACHMENT OF THE INTERNAL NET Message-ID: <1156779698.4555.54.camel@localhost.localdomain> Help, mailscanner not block attachment of the internal net, which the configuration ? 
Thanks Marlo From Kevin_Miller at ci.juneau.ak.us Mon Aug 28 16:42:55 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Aug 28 16:43:00 2006 Subject: Could Be OT: How many people only accept reverse DNS lookupmail? In-Reply-To: Message-ID: Jim Holland wrote: > On Sat, 26 Aug 2006, Julian Field wrote: >> On a slightly related question, I built this on a client's machine >> the other day, but could not remotely see how to configure it. The >> docs are next to useless from what I could find. >> >> Hints? > > See my rough notes below for a Debian installation, written in > hindsight Very similar to what I did. I felt like I was sorta flying blind, but it seems to be working. I'm not sure, but I got the impression looking at the logs the other day that the access file was parsed before the milter. I'm not sure if it actually overrides it or just gets checked first but it may be a poor man's whitelist if it does override. My primary motivation is to do the recipient address checks, since we're using Exchange, and that works pretty well. Only thing is, I changed syslog to notice but it still seems to log validated recipient addresses. Haven't notified the author yet. Anybody else tried that? local2.notice -/var/log/sav.log Looking forward to the updated version. W/o getting too off topic, I'd be interested in peoples thoughts on how it compares to milter-ahead and milter-sender. Is the difference worth the $100 (give or take)? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ka at pacific.net Mon Aug 28 17:15:20 2006 From: ka at pacific.net (Ken A) Date: Mon Aug 28 17:14:09 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <44F31698.6@pacific.net> Kash, Howard (Civ, ARL/CISD) wrote: >> Why not just set the Max SpamAssassin Size to 50k > > You'll still truncate images. I currently have it at 150k and it > still truncates images (either large ones or messages with lots of > attached images). > >> or the partial-image-detection rules to 0? > > This is an option, but you give up some SPAM detection capability. > The plugin doesn't specifically test for partial images, but corrupt > images in general, which truncated images are a subset of. Some > image spammers have intentionally corrupted the image in such a way > that many email clients will still render them readable, but image > analysis utilities balk on them. So messages with corrupt images are > given a higher score. > > And this isn't just about images, supposedly someone is working on a > plugin to analyze Word documents for spam content. It may have the > same problem with truncated Word attachments. > Exactly. So where's the best place to fix this? 
The most important argument in the "Don't change MailScanner" camp is that you'd be opening a door to DoSing a system, and defeating the purpose of "Max SpamAssassin Size" if you try to pass only complete messages, images or word docs to SA. This is absolutely correct, and must be avoided. I agree, but I think this is an issue that needs to be wrestled with more so that SA plugins developers are aware of how MailScanner works and things get worked out the best way possible. We aren't there yet. What if you could also pass a flag to SA that said, 'hey, SA, this might be a partial image!'. Then SA could pass that to the plugins that might FP on partial images? Parts of a system need to be aware of how other parts work. ..resisting the urge to quote rodney king. ;-P Ken A. Pacific.Net > Howard > From mailscanner at ecs.soton.ac.uk Mon Aug 28 17:23:48 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 28 17:24:05 2006 Subject: Max SpamAssassin Size problems -- round 2 In-Reply-To: <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <44F31894.7030305@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kash, Howard (Civ, ARL/CISD) wrote: >> Why not just set the Max SpamAssassin Size to 50k > > You'll still truncate images. I currently have it at 150k and it still truncates images (either large ones or messages with lots of attached images). > >> or the partial-image-detection rules to 0? > > This is an option, but you give up some SPAM detection capability. 
The plugin doesn't specifically test for partial images, but corrupt images in general, which truncated images are a subset of. Some image spammers have intentionally corrupted the image in such a way that many email clients will still render them readable, but image analysis utilities balk on them. So messages with corrupt images are given a higher score.
>
> And this isn't just about images, supposedly someone is working on a plugin to analyze Word documents for spam content. It may have the same problem with truncated Word attachments.

All fair points. Which brings us back to the beginning.
The option which got the biggest number of votes was along the lines of
this:

for ($lines=$size=0; $lines<100 && $size<20_000; $lines++)
{
  $line = getnextline();
  $size += length($line);
  last if $size>20_000;        # never copy a line that would pass the 20k budget
  push @SAinput, $line;
  last if $line =~ /^\s*$/;    # stop at the first blank or whitespace-only line
}

It should keep copying lines until we hit a line that is only whitespace
(or blank) or until we have copied 20k of extra data, whichever comes
first. And it won't be confused by nearly 20k of extra data followed by
1 huge line lasting for mbytes.

Is that a reasonable compromise?

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: UTF-8 wj8DBQFE8xiVEfZZRxQVtlQRAkSBAJ4xQhTD87JW07O0i1UitiFhVtM7dgCgg+AJ T8S80gm7VYiKMuOOz1pUENs= =NDf+ -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Mon Aug 28 17:26:11 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 28 17:26:30 2006 Subject: Max SpamAssassin Size problems In-Reply-To: References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> Message-ID: <44F31923.2010608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote: > On Sun, 27 Aug 2006, DAve wrote: > >> I for one want no part of a plugin that requires I send every single >> message in it's entirety to SA every time. I'd be DOS'ed within a >> month. I also think > > Agreed I thoroughly agree that we shouldn't send the whole message. If you want to do that, just set Max SpamAssassin Size = 500m :-) I'm trying to come up with a compromise that keeps most of you happy most of the time. See my recent "--- round 2" posting. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE8xkkEfZZRxQVtlQRAtOQAJ9utImlStbahvqpXKUEIFUcQOpkvACgpi6u vvmpD3qJaFKmkntp2ZWrndk= =cWFL -----END PGP SIGNATURE----- From ssilva at sgvwater.com Mon Aug 28 17:39:49 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 28 17:42:00 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F045B8.4060605@ecs.soton.ac.uk> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 8/26/2006 5:59 AM: > > > Anthony Peacock wrote: >>> Ken A wrote: >>>> >>>> Logan Shaw wrote: >>>>> On Thu, 24 Aug 2006, Julian Field wrote: >>>>>> Anthony Peacock wrote: >>>>>>> Julian Field wrote: >>>>>>>> Sounds survivable. After the limit I will keep going until I hit the >>>>>>>> first line that only contains white space. >>>>>>> I have been watching this discussion with a growing uneasiness. I >>>>>>> could be wrong but doesn't this behaviour open up the system to >>>>>>> problems with huge image files... >>>>>> Yes, you are absolutely correct. Non-spam may well include huge images. >>>>>> The problem with rewinding to the previous boundary is that you may end >>>>>> up not giving SpamAssassin _anything_ to work with. >>>>>> >>>>>> So it's up for a vote: >>>>>> >>>>>> do I chop half way through an image? >>>>>> do I chop at the end of an image? >>>>>> do I carry on for a max of 100 lines of Base64 data or until the end of >>>>>> an image, which is earlier? >>>>> I don't like the last option at all. 
It still easily allows >>>>> a situation where a valid message with a valid image in it >>>>> gets detected as a corrupt image and hits a rule that scores >>>>> it as spam. >>>>> >>>>> If we assume there are 80 columns of base64 data per line, then >>>>> we get 60 bytes per line (since each base64 character carries >>>>> 6 bits of data). That means 100 lines only holds 6K, maximum. >>>>> >>>>> So this option only works if the chop-off point randomly >>>>> happens to fall within the last 6K (or less) of the image. >>>>> If the max message size causes the initial chop-off point to >>>>> fall any earlier, it still creates an invalid image. If you >>>>> have a 50K max message size and someone sends a 75K image >>>>> (which is not out of the ordinary at all), this method will >>>>> keep going up to 56K and then quit. >>>>> >>>>> Basically, adding the 100 extra lines is really not much better >>>>> than chopping right at the max message size barrier, unless >>>>> you assume that most images aren't much larger than 6K, which >>>>> I don't think is a valid assumption at all. So, this option >>>>> adds extra complexity and doesn't really give much benefit. >>>>> >>>>> - Logan >>>> I'm all for #3 and and just set "score FUZZY_OCR_CORRUPT_IMG 0" if you >>>> are worried about false positives. Fuzzyocr will get better at sorting >>>> this out. And of course in the mean time, don't use outlook, since it >>>> will probably render corrupt images just fine. (it's a feature) >>> This could be controversial here... >>> >>> >>> I have another suggestion, why don't we agree to leave the MailScanner >>> code alone. Those people who are experiencing problems with broken >>> images can raise the value of "Max SpamAssassin Size" in *THEIR* >>> configurations, the rest of us can carry on as normal. >>> >>> There is already a way for people to adjust how much information SA gets >>> from MailScanner, people who need more information can used that on >>> their systems. 
>>> >>> >>> > > Quack, quack, scamper, scamper.... > > In my book, that is a remarkably good idea. It would be much simpler for > me to implement than any of the other, increasingly complicated versions. > > What objections to people have to simply letting you set this yourself? > > Anything that makes your life easier, Julian, Is OK with me. I wonder just how many sites, as a percentage of the total installed, would need this code anyway? If you were trying to please 10 or 20 percent, then I could see it. But if it is only for a handful of sites, then you are complicating your code for a small return. I think that the image based plugin writers should take the possibility of truncated images into account when they write "their" code, and you shouldn't have to fix MailScanner to make their code work right. The only other option I could see would be if MailScanner added a header or some other sort of mark to the "trimmed" mail sent to spamassassin and the plugins would look for this header and know if a message was complete or not. But then the spammers would add this to their messages. Now if someone would spend as much time and money prosecuting spammers as they do looking for 13 year olds downloading music, maybe we could get ahead of the game. I really hate spammers! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
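The bounded overrun debated in this thread (keep copying past "Max SpamAssassin Size" until a blank line, for at most 100 lines or 20k of extra data), as an added Perl example that is not MailScanner's own code. The helper names, the whole-line cap and the sample messages are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Overrun budget quoted in the thread: at most 100 lines or 20,000 bytes
# past the configured cap, whichever is reached first.
use constant MAX_EXTRA_LINES => 100;
use constant MAX_EXTRA_BYTES => 20_000;

# truncate_for_sa(\@lines, $max_size): hypothetical helper, not a MailScanner API.
# Assumption: the cap itself is applied on whole lines.
sub truncate_for_sa {
    my ($lines, $max_size) = @_;

    my $original = 0;
    $original += length($_) for @$lines;

    # Phase 1: copy whole lines while they still fit under the cap.
    my (@out, $i);
    my $passed = 0;
    for ($i = 0; $i < @$lines; $i++) {
        last if $passed + length($lines->[$i]) > $max_size;
        push @out, $lines->[$i];
        $passed += length($lines->[$i]);
    }

    # Phase 2: bounded overrun. The size check comes before the copy, so a
    # single multi-megabyte line can never be appended.
    my ($extra_lines, $extra_bytes, $hit_blank) = (0, 0, 0);
    while ($i < @$lines && $extra_lines < MAX_EXTRA_LINES) {
        my $len = length($lines->[$i]);
        last if $extra_bytes + $len > MAX_EXTRA_BYTES;
        push @out, $lines->[$i++];
        $extra_bytes += $len;
        $extra_lines++;
        if ($out[-1] =~ /^\s*$/) { $hit_blank = 1; last; }
    }

    my $reason = $i >= @$lines ? 'complete message'
               : $hit_blank    ? 'blank line reached'
               :                 'overrun budget spent';

    # Reporting both sizes lets a consumer tell a truncated attachment from
    # one that arrived corrupt.
    return {
        lines         => \@out,
        original_size => $original,
        passed_size   => $passed + $extra_bytes,
        extra_lines   => $extra_lines,
        reason        => $reason,
    };
}

# Constructed sample: a text part followed by one base64 "image" part of
# $b64_lines lines, each $line_len characters long.
sub sample_message {
    my ($b64_lines, $line_len) = @_;
    return (
        "From: sender\@example.com\n",
        "Subject: constructed sample\n",
        "Content-Type: multipart/mixed; boundary=\"b\"\n",
        "\n",
        "--b\n", "Content-Type: text/plain\n", "\n", "hello\n", "\n",
        "--b\n", "Content-Type: image/gif\n",
        "Content-Transfer-Encoding: base64\n", "\n",
        (("A" x $line_len) . "\n") x $b64_lines,
        "\n",
        "--b--\n",
    );
}

# Three cases: an attachment that ends inside the budget, one that does not,
# and one enormous line directly after the cap.
for my $case ([50, 76], [400, 76], [1, 5_000_000]) {
    my @msg = sample_message(@$case);
    my $r   = truncate_for_sa(\@msg, 300);
    printf "%d line(s) x %d chars: passed %d of %d bytes, %d extra lines, stop: %s\n",
        @$case, @{$r}{qw(passed_size original_size extra_lines reason)};
}
```

In the 400-line case the attachment is still cut mid-stream, so a corrupt-image rule would see a partial image; the overrun only helps when the attachment ends within the budget.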
From mailscanner at ecs.soton.ac.uk Mon Aug 28 17:55:41 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 28 17:55:57 2006 Subject: HTML Scripts etc, now quarantined....help In-Reply-To: <46860835-DBD9-43E4-A53E-6B6FDE39CB5E@grayonline.id.au> References: <7621F546-5AE5-44AD-9749-AEF972080B3E@grayonline.id.au> <46860835-DBD9-43E4-A53E-6B6FDE39CB5E@grayonline.id.au> Message-ID: <44F3200D.9060700@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 James Gray wrote: > * PGP Signed by an unverified key: 08/28/06 at 00:59:02 > > > On 28/08/2006, at 9:46 AM, Res wrote: > >> On Mon, 28 Aug 2006, James Gray wrote: >> >>> MailScanner 4.50.15 (Perl 5.8.6 running on FreeBSD 4.6). Why fBSD >>> 4.6?!?! Simple: >>> # uptime >>> 6:56PM up 657 days, 19:57, 7 users, load averages: 0.08, 0.08, 0.05 >> >>> Thought that I'd make a mention of this, just in case someone else >>> strikes it there will be a mention of it in the archives. >> >> >> Doubt anyone cares... I have a RH9 box amongst my colelction, why so >> old, cause its been up since RH9 was released years ago as well :) as >> do a couple >> ohters I know on here running slack 7 and an ancient netbsd box (now >> thats scarey) :P > > If it aint broke... ;) After re-reading my last message, I was trying > to say that I was making mention of the path/rule-set weirdness, not the > uptime. Gah. It's Monday and I STILL haven't had my morning coffee. > >> However the issue with bascially the same paths to your rulesets is >> interesting > > Indeed. I hope Julian see this solution and can shed some light. Interesting one. I will have to take a look... Remind me about it (off-list) if you don't get a reply in the next few days. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE8yANEfZZRxQVtlQRAtjEAJ9QOecyIlcmxu5VzMHFryhTAZO7aQCeKT3c 3Z952LAgz1XI188HqGa9C/c= =EOAb -----END PGP SIGNATURE----- From dave.list at pixelhammer.com Mon Aug 28 18:09:26 2006 From: dave.list at pixelhammer.com (DAve) Date: Mon Aug 28 18:09:42 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <44F31698.6@pacific.net> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> <44F31698.6@pacific.net> Message-ID: <44F32346.2090909@pixelhammer.com> Ken A wrote: > > > Kash, Howard (Civ, ARL/CISD) wrote: >>> Why not just set the Max SpamAssassin Size to 50k >> >> You'll still truncate images. I currently have it at 150k and it >> still truncates images (either large ones or messages with lots of >> attached images). >> >>> or the partial-image-detection rules to 0? >> >> This is an option, but you give up some SPAM detection capability. >> The plugin doesn't specifically test for partial images, but corrupt >> images in general, which truncated images are a subset of. Some >> image spammers have intentionally corrupted the image in such a way >> that many email clients will still render them readable, but image >> analysis utilities balk on them. So messages with corrupt images are >> given a higher score. 
>> >> And this isn't just about images, supposedly someone is working on a >> plugin to analyze Word documents for spam content. It may have the >> same problem with truncated Word attachments. >> > > Exactly. So where's the best place to fix this? The most important > argument in the "Don't change MailScanner" camp is that you'd be opening > a door to DoSing a system, and defeating the purpose of "Max > SpamAssassin Size" if you try to pass only complete messages, images or > word docs to SA. This is absolutely correct, and must be avoided. > > I agree, but I think this is an issue that needs to be wrestled with > more so that SA plugins developers are aware of how MailScanner works > and things get worked out the best way possible. We aren't there yet. > > What if you could also pass a flag to SA that said, 'hey, SA, this might > be a partial image!'. Then SA could pass that to the plugins that might > FP on partial images? Parts of a system need to be aware of how other > parts work. ..resisting the urge to quote rodney king. ;-P I still do not believe this is a problem that MailScanner needs to fix. The plugin is 'assuming' it will always be handed a complete message from all past and future programs using SA, and that the message will never be truncated/mangled/poorly constructed for any reason. Whether that reason is a software failure, hardware failure, or system configuration. If the plugin needs to know what condition the message is in when it is received, I would suggest the SA API change to pass the original message size and the passed data size to SA. Then the plugin could make an intelligent decision about the data it is inspecting. In reality, the whole issue could be solved in the plugin README, "In order to properly check all messages for potential image spams, you must configure your to pass the entire message into SpamAssassin. See the website of your for information on how to do that." 
DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From ms-list at alexb.ch Mon Aug 28 18:10:16 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Aug 28 18:10:27 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44F31923.2010608@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> <44F31923.2010608@ecs.soton.ac.uk>
Message-ID: <44F32378.7090901@alexb.ch>

On 8/28/2006 6:26 PM, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Res wrote:
>> On Sun, 27 Aug 2006, DAve wrote:
>>
>>> I for one want no part of a plugin that requires I send every single
>>> message in its entirety to SA every time. I'd be DOS'ed within a
>>> month. I also think
>> Agreed
>
> I thoroughly agree that we shouldn't send the whole message. If you want
> to do that, just set Max SpamAssassin Size = 500m :-)
>
> I'm trying to come up with a compromise that keeps most of you happy
> most of the time. See my recent "--- round 2" posting.

Julian,

Probably late & lame with this observation:

Why not adopt the same logic as from the spamc -s switch

-s *max_size*
    Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 250 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The size is specified in bytes, as a positive integer greater than 0. For example, -s 250000.

This means the full message size and will not distort the SA scanning if only part of the msg is scanned (and possibly misclassified)

Alex

From dave.list at pixelhammer.com Mon Aug 28 18:21:50 2006
From: dave.list at pixelhammer.com (DAve)
Date: Mon Aug 28 18:22:06 2006
Subject: Max SpamAssassin Size problems -- round 2
In-Reply-To: <44F31894.7030305@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> <44F31894.7030305@ecs.soton.ac.uk>
Message-ID: <44F3262E.20201@pixelhammer.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Kash, Howard (Civ, ARL/CISD) wrote:
>>> Why not just set the Max SpamAssassin Size to 50k
>>
>> You'll still truncate images. I currently have it at 150k and it still truncates images (either large ones or messages with lots of attached images).
>>
>>> or the partial-image-detection rules to 0?
>>
>> This is an option, but you give up some SPAM detection capability. The plugin doesn't specifically test for partial images, but corrupt images in general, which truncated images are a subset of. Some image spammers have intentionally corrupted the image in such a way that many email clients will still render them readable, but image analysis utilities balk on them. So messages with corrupt images are given a higher score.
>>
>> And this isn't just about images, supposedly someone is working on a plugin to analyze Word documents for spam content. It may have the same problem with truncated Word attachments.
>
> All fair points. Which brings us back to the beginning.
> The option which got the biggest number of votes was along the lines of
> this:
>
> for ($lines=$size=0; $lines<100 && $size<20_000; $lines++)
> {
>   $line = getnextline();
>   $size += length($line);
>   last if $size>20_000;
>   push @SAinput, $line;
>   last if $line =~ /^\s*$/;
> }
>
> It should keep copying lines until we hit a line that is only whitespace
> (or blank) or until we have copied 20k of extra data, whichever comes
> first. And it won't be confused by nearly 20k of extra data followed by
> 1 huge line lasting for mbytes.
>
> Is that a reasonable compromise?

That is still work for you, and wouldn't a 20k chunk of a 20.1k image still cause the plugin to fail to properly inspect the image?

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From sergiogc at treelogic.com Mon Aug 28 18:35:33 2006
From: sergiogc at treelogic.com (Sergio García)
Date: Mon Aug 28 18:35:24 2006
Subject: MailScanner hangs once a day
In-Reply-To: <200608251957.k7PJvM2p024055@bkserver.blacknight.ie>
References: <200608251957.k7PJvM2p024055@bkserver.blacknight.ie>
Message-ID: <44F32965.80200@treelogic.com>

Another important thing that I have forgotten is that MailScanner didn't stop neither on Saturday nor on Sunday, but today (Monday) it has stopped and I have had to restart it.

> Hello,
>
> I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3
> and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.
> The problem is that MailScanner hangs once a day (always at 09.30-10.00)
> so I have to restart it (/etc/init.d/mailscanner restart).
> I get the following info in the log ('mail.info'):

From glenn.steen at gmail.com Mon Aug 28 18:46:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Aug 28 18:46:28 2006
Subject: Looking for recommendation on how to proceed.
In-Reply-To: <44F2BC75.B662.0038.0@tac.esi.net>
References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net>
Message-ID: <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com>

Sorry, but this one isn't really related to MailScanner. Just some simple scripting:-). Rather OT, so don't read unless you're interested.

On 28/08/06, Chris Hammond wrote:
> Hmm. I'm surprised I didn't find that utility in my travels. Thanks for pointing this one out.
>
> Thanks
> Chris

Yes, well... there is always one more way:-). Note that both methods have their "pitfalls":). The comm command needs input to be sorted beforehand (you'd be looking for something like "comm -1 -3 ..."), while my suggested little cat thing is sensitive to duplicates in the respective file. The latter can be "unified", so that it works (of course:-)... If one wants a "one-liner" it'd look something like:

(sort -u file1; sort -u file1; sort -u file2) | sort | uniq -u

... perhaps not the most intuitive thing:-).

This will demonstrate the differences: b1 and b2 are files with just some random letters (one char/line). b1s and b2s are the same files, only sorted.
Further comments below the examples:

[root@mail ~]# cat b1
a
b
a
b
c
d
w
[root@mail ~]# cat b2
a
b
d
a
b
f
q
c
d
o
o
w
[root@mail ~]# cat b1 b1 b2|sort|uniq -u
f
q
[root@mail ~]# (sort -u b1;sort -u b1;sort -u b2)|sort|uniq -u
f
o
q
[root@mail ~]# sort b1 >b1s
[root@mail ~]# sort b2 >b2s
[root@mail ~]# comm -1 -3 b1s b2s
d
f
o
o
q
[root@mail ~]# sort -u b1 >b1su
[root@mail ~]# sort -u b2 >b2su
[root@mail ~]# comm -1 -3 b1su b2su
f
o
q
[root@mail ~]#

As you can see, the "cat ..." misses the "o" line, since that gets gobbled by uniq -u. The "(sort ..." is correct, and only give the lines that only are in file b1. The "comm ..." includes any repeats and get a bit confused when the lists are only sorted. That could be handled by sort -u when creating b1s/b2s as shown last.

I think I prefer the "(sort..." solution:-):-)

(snip)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Aug 28 18:49:15 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Aug 28 18:49:17 2006
Subject: Looking for recommendation on how to proceed.
In-Reply-To: <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com>
References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net> <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com>
Message-ID: <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com>

On 28/08/06, Glenn Steen wrote:
(snip)
> lines that only are in file b1.

... in b2 (!) .... of course. I need dinner...
and sleep:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Aug 28 18:59:20 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Aug 28 18:59:22 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44F32965.80200@treelogic.com>
References: <200608251957.k7PJvM2p024055@bkserver.blacknight.ie> <44F32965.80200@treelogic.com>
Message-ID: <223f97700608281059k4823f054wf1134bcdcb48fabe@mail.gmail.com>

On 28/08/06, Sergio García wrote:
> Another important thing that I have forgotten is that MailScanner didn't
> stop
> neither on Saturday nor on Sunday, but today (Monday) it has stopped
> and I have had to restart it.
>

Hm, well then.... One would surmise that *something* is happening weekdays that isn't happening during the weekends. I trust you looked at all the possible cron jobs (crontabs hi and lo ... /etc/cron*/* and the "oldstyle" crontabs) without finding anything that stood out?

And no new connections to your MTA at the time of ... demise? (I'm thinking "huge mail" bringing things ... low...)
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Mon Aug 28 19:12:52 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 28 19:14:37 2006 Subject: Max SpamAssassin Size problems -- round 2 In-Reply-To: <44F3262E.20201@pixelhammer.com> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> <44F31894.7030305@ecs.soton.ac.uk> <44F3262E.20201@pixelhammer.com> Message-ID: DAve spake the following on 8/28/2006 10:21 AM: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Kash, Howard (Civ, ARL/CISD) wrote: >>>> Why not just set the Max SpamAssassin Size to 50k >>> >>> You'll still truncate images. I currently have it at 150k and it >>> still truncates images (either large ones or messages with lots of >>> attached images). >>> >>>> or the partial-image-detection rules to 0? >>> >>> This is an option, but you give up some SPAM detection capability. >>> The plugin doesn't specifically test for partial images, but corrupt >>> images in general, which truncated images are a subset of. Some >>> image spammers have intentionally corrupted the image in such a way >>> that many email clients will still render them readable, but image >>> analysis utilities balk on them. So messages with corrupt images are >>> given a higher score. >>> >>> And this isn't just about images, supposedly someone is working on a >>> plugin to analyze Word documents for spam content. It may have the >>> same problem with truncated Word attachments. >> >> All fair points. 
Which brings us back to the beginning. >> The option which got the biggest number of votes was along the lines >> of this: >> >> for ($lines=$size=0; $lines<100 && $size<20_000; $lines++) >> { >> $line = getnextline(); >> $size += length($line); >> last if $size>20_000; >> push @SAinput, $line; >> last if $line =~ /^\s*$/; >> } >> >> It should keep copying lines until we hit a line that is only >> whitespace (or blank) or until we have copied 20k of extra data, >> whichever comes first. And it won't be confused by nearly 20k of extra >> data followed by 1 huge line lasting for mbytes. >> >> Is that a reasonable compromise? > > That is still work for you, and wouldn't a 20k chunk of a 20.1k image > still cause the plugin to fail to properly inspect the image? > > DAve > But you also have to take into account the original 4K (or whatever MailScanner is set to) added to that extra 20K. No solution is going to be perfect, except fixing the image plugins, or sending the entire message to spamassassin if the admin so desires, and is willing to take the chance of being dossed. Julian, you are probably not going to be able to make everybody happy, so go with what is easiest for you to maintain, or has less chance of breaking something. Then you will have to decide how you will set the defaults for newbie installations. If you get too many complaints about the 20K limit, those few admins can go in the code and change it if they feel so inclined. Or it can be a variable and set it in MailScanner.conf, with a suitable default, and a warning about the implications of what could happen. You have to decide how much you wish to complicate the code. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
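
Added example, not part of the list archive and not MailScanner code: the window loop quoted in the message above, wrapped in a small Perl harness that reports which stop condition fired and whether a base64 attachment survived the cut. The function names, the 4,000-byte stand-in for "Max SpamAssassin Size" (the "4K" figure mentioned above) and the three sample messages are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Function names, the limits held in
# variables and the sample messages are constructed for illustration.
use strict;
use warnings;

my $INITIAL_LIMIT   = 4_000;    # stand-in for "Max SpamAssassin Size"
my $MAX_EXTRA_LINES = 100;      # window limits from the quoted loop
my $MAX_EXTRA_BYTES = 20_000;

# Keep the first $max_size bytes, then extend the cut with the window loop.
# Returns the text that would be handed to SpamAssassin and the reason the
# window stopped.
sub truncate_for_sa {
    my ($raw, $max_size) = @_;
    return ($raw, 'whole message fits') if length($raw) <= $max_size;

    my $kept = substr($raw, 0, $max_size);
    my $rest = substr($raw, $max_size);
    my ($lines, $size, $reason) = (0, 0, undef);

    while ($lines < $MAX_EXTRA_LINES && $size < $MAX_EXTRA_BYTES) {
        # Next line of the remainder, newline included; no match at the end.
        unless ($rest =~ /\G([^\n]*\n|[^\n]+)/gc) {
            $reason = 'end of message';
            last;
        }
        my $line = $1;
        $size += length($line);
        if ($size > $MAX_EXTRA_BYTES) {      # oversized line is not copied
            $reason = 'byte limit';
            last;
        }
        $kept .= $line;
        $lines++;
        if ($line =~ /^\s*$/) {              # blank line: a clean place to cut
            $reason = 'blank line';
            last;
        }
    }
    $reason //= $size >= $MAX_EXTRA_BYTES ? 'byte limit' : 'line limit';
    return ($kept, $reason);
}

# Constructed two-part MIME-style body: a short text part, then one base64
# "image" of $image_lines lines, each $line_len characters of filler "A".
sub sample_message {
    my ($image_lines, $line_len) = @_;
    return join '',
        "--b\n", "Content-Type: text/plain\n", "\n",
        (("Buy now. " x 8) . "\n") x 20, "\n",
        "--b\n", "Content-Type: image/gif\n",
        "Content-Transfer-Encoding: base64\n", "\n",
        (("A" x $line_len) . "\n") x $image_lines,
        "\n", "--b--\n";
}

# One result line: why the window stopped and whether the image survived.
sub report {
    my ($label, $image_lines, $line_len) = @_;
    my $raw = sample_message($image_lines, $line_len);
    my ($kept, $reason) = truncate_for_sa($raw, $INITIAL_LIMIT);
    my $want = $image_lines * $line_len;     # filler bytes in the image
    my $got  = ($kept =~ tr/A//);            # filler bytes that were kept
    return sprintf("%-16s stop=%-10s kept %6d of %7d bytes, image %s",
        $label, $reason, length($kept), length($raw),
        $got == $want ? 'complete' : "cut at $got of $want bytes");
}

print report('60-line image',  60,        76), "\n";
print report('400-line image', 400,       76), "\n";
print report('two 1 MB lines', 2,  1_000_000), "\n";
```

With 76-character base64 lines the 100-line cap ends the window after about 7.7 kB, so the 20k byte cap only comes into play for long lines; any attachment that outlasts the window is still handed over truncated.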
From lshaw at emitinc.com Mon Aug 28 19:15:05 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Mon Aug 28 19:15:18 2006 Subject: Max SpamAssassin Size problems -- round 2 In-Reply-To: <44F31894.7030305@ecs.soton.ac.uk> References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> <44F31894.7030305@ecs.soton.ac.uk> Message-ID: On Mon, 28 Aug 2006, Julian Field wrote: > All fair points. Which brings us back to the beginning. > The option which got the biggest number of votes was along the lines of > this: > > for ($lines=$size=0; $lines<100 && $size<20_000; $lines++) > { > $line = getnextline(); > $size += length($line); > last if $size>20_000; > push @SAinput, $line; > last if $line =~ /^\s*$/; > } > > It should keep copying lines until we hit a line that is only whitespace > (or blank) or until we have copied 20k of extra data, whichever comes > first. And it won't be confused by nearly 20k of extra data followed by > 1 huge line lasting for mbytes. > > Is that a reasonable compromise? I like the idea of trying to be a little intelligent and flexible about where you chop the message is a good one. That seems to me to have value. If you can chop at an attachment boundary, that's good, so chopping at the first boundary within a window (of bytes and/or lines) is a good thing. It will work some of the time. However, I still think there needs to be an answer to the question of what to do when the window method fails to solve the problem. I think that will happen frequently enough that it's important to be intentional about it. 
So, if the boundary does not lie in the window, what is the best thing to do? It seems to me you have three reasonable options: (1) chop somewhere inside the window anyway, (2) keep going to the end of the current attachment and chop after it's over, (3) roll back to the beginning of the current attachment, and chop before it begins.

Implications of each:

#1: False positives because of how FuzzyOcr behaves.
#2: Possible denial-of-service attack because you're allowing input to bypass limits on message size.
#3: False negatives because you're not scanning the whole message.

Personally, I think if you have to err, you should err on the side of false negatives rather than false positives. So that eliminates #1 in my mind. That leaves only #2 and #3.

Now, I think, if you want to scan the whole message, just turn off the "Max SpamAssassin Size" limit completely. That makes #2 fairly useless, or at least redundant.

To me, that means that if you care about what happens when the intelligent window things fail, you've got to go with #3, which is roll back to the beginning of the current attachment.

In Perl code, that shouldn't be too terribly hard: if you reach the end of the window loop and you haven't found a blank line within the window, then just keep popping lines off @SAinput until you get a blank line. Something like this:

    my $found_boundary = 0;
    for ($lines=$size=0; $lines<100 && $size<20_000; $lines++)
    {
        $line = getnextline();
        $size += length($line);
        last if $size>20_000;
        push @SAinput, $line;
        if ($line =~ /^\s*$/)
        {
            $found_boundary = 1;
            last;
        }
    }

    # roll back to previous blank line before the window
    if (not $found_boundary)
    {
        until ($SAinput[$#SAinput] =~ /^\s*$/)
        {
            pop @SAinput;
        }
    }

Of course, that's not guaranteed to be bug free. Actually, it definitely isn't bug free since even the original loop doesn't check if getnextline() is telling you that you've already read the last line in the input.
So maybe this:

    my $found_boundary = 0;
    for ($lines=$size=0; $lines<100 && $size<20_000; $lines++)
    {
        $line = getnextline();
        if (not defined $line)
        {
            $found_boundary = 1;
            last;
        }
        $size += length($line);
        last if $size>20_000;
        push @SAinput, $line;
        if ($line =~ /^\s*$/)
        {
            $found_boundary = 1;
            last;
        }
    }

    # roll back to previous blank line before the window
    if (not $found_boundary)
    {
        until ($SAinput[$#SAinput] =~ /^\s*$/)
        {
            pop @SAinput;
        }
    }

Well, that gets the general idea across at least.

  - Logan

From hmkash at arl.army.mil Mon Aug 28 19:20:03 2006
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD))
Date: Mon Aug 28 19:20:07 2006
Subject: Max SpamAssassin Size problems
Message-ID: <229A346E44379140A59A48951B56E0C00260CC4B@ARLABML01.DS.ARL.ARMY.MIL>

> I still do not believe this is a problem that MailScanner needs to fix.
> The plugin is 'assuming' it will always be handed a complete message
> from all past and future programs using SA, and that the message will
> never be truncated/mangled/poorly constructed for any reason. Whether
> that reason is a software failure, hardware failure, or system
> configuration.

And MailScanner is 'assuming' that it is OK to send partial messages to SA. Since there is no defined protocol here, neither one is necessarily wrong. But there are existing SA checks and plugins that assume entire messages are being passed. Maybe SA needs to implement DoS protection itself so that MailScanner (or any other program) can safely send entire messages without risk of resource exhaustion. SA sort-of does this already with the -s switch to spamc as pointed out by Alex. But it's an all or nothing limit, not truncate in the middle. Maybe MailScanner's "Max SpamAssassin Size" should be an all or nothing limit as suggested by Alex (messages < Max SpamAssassin Size get sent to SA in their entirety, messages > Max SpamAssassin Size don't get sent to SA at all). This would probably be a one-liner mod to MS.
Based on SPAM blocked by my server last Thursday, only slightly over 1.7% of them (565/33002) are over 30k. Using 60k as the limit, the percentage drops to 1.1% (350/33002). 90k = 0.3% (85/33002). And most of those larger ones are not your typical SPAM, but things like chain letters, jokes with videos, etc. which some may consider HAM anyway.

Howard

From bbourdage at techpro.com Mon Aug 28 19:23:25 2006
From: bbourdage at techpro.com (Barry Bourdage)
Date: Mon Aug 28 19:23:05 2006
Subject: ClamAVModule Perl Error
Message-ID: <1BCA1677F917B44CBF448F7B68A35B0E2EDC49@w2k3-tp.techpro.local>

Hello All,

I am getting the following error, I have installed/re-installed on 2 different machines. I am not using SQLite.

Barry

Aug 29 19:36:35 mx-test2 MailScanner[19836]: Virus and Content Scanning: Starting
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: -- DBI::END
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: -> disconnect_all for DBD::SQLite::dr (DBI::dr=HASH(0x904e098)~0x9b1ec20) thr#81f0008
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: <- disconnect_all= '' at DBI.pm line 692
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! -> DESTROY for DBD::SQLite::db (DBI::db=HASH(0x9b1f804)~INNER) thr#81f0008
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: DESTROY DBI::db=HASH(0x9b1f804) skipped due to InactiveDestroy
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! <- DESTROY= undef during global destruction
Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! -> DESTROY in DBD::_::common for DBD::SQLite::dr (DBI::dr=HASH(0x9b1e

From ssilva at sgvwater.com Mon Aug 28 19:25:09 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Aug 28 19:27:21 2006
Subject: Looking for recommendation on how to proceed.
In-Reply-To: <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com> References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net> <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com> <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/28/2006 10:49 AM: > On 28/08/06, Glenn Steen wrote: > (snip) >> lines that only are in file b1. > ... in b2 (!) .... of course. I need dinner... and sleep:-) > Sometimes I forget just how many time zones this list crosses? "I don't want the cheese anymore, I just want out of the trap." -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From listacct at tulsaconnect.com Mon Aug 28 19:57:05 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Mon Aug 28 19:57:49 2006 Subject: MailScanner ignoring child process limit Message-ID: <44F33C81.3070401@tulsaconnect.com> I've been trying to track down a resource issue and have come across something odd. 
I have MS set to use 10 child processes, yet: 57136 53400 1:30PM 0:12.96 MailScanner: waiting for messages 55584 51836 1:45PM 0:03.87 MailScanner: waiting for messages 58288 54720 1:10PM 0:32.86 MailScanner: waiting for messages 63732 58580 1:09PM 0:33.49 MailScanner: waiting for messages 61648 58044 1:10PM 0:32.24 MailScanner: waiting for messages 59916 56336 1:16PM 0:24.85 MailScanner: waiting for messages 58924 55220 1:15PM 0:26.39 MailScanner: waiting for messages 60616 56500 1:10PM 0:32.27 MailScanner: waiting for messages 59060 55464 1:46PM 0:03.95 MailScanner: waiting for messages 59492 55860 1:45PM 0:04.32 MailScanner: waiting for messages 57696 53600 1:16PM 0:24.12 MailScanner: waiting for messages 60104 56208 1:31PM 0:13.27 MailScanner: waiting for messages 57216 53372 1:31PM 0:12.85 MailScanner: waiting for messages 56520 52804 1:30PM 0:10.73 MailScanner: waiting for messages 59924 56052 1:31PM 0:10.08 MailScanner: waiting for messages 60564 56604 1:15PM 0:26.45 MailScanner: waiting for messages 61564 57912 1:08PM 0:37.61 MailScanner: waiting for messages 58476 54604 1:30PM 0:11.33 MailScanner: waiting for messages 62200 58612 1:09PM 0:42.43 MailScanner: waiting for messages 61136 57584 1:09PM 0:33.56 MailScanner: waiting for messages 61504 56932 1:09PM 0:34.54 MailScanner: waiting for messages 61744 57908 1:09PM 0:33.92 MailScanner: waiting for messages 58840 54772 1:15PM 0:25.17 MailScanner: waiting for messages 58796 54392 1:15PM 0:25.72 MailScanner: waiting for messages 61940 58372 1:15PM 0:24.55 MailScanner: waiting for messages 58144 54048 1:15PM 0:24.70 MailScanner: waiting for messages 60280 56492 1:16PM 0:25.47 MailScanner: waiting for messages 59576 55980 1:16PM 0:25.62 MailScanner: waiting for messages 56676 53004 1:30PM 0:10.71 MailScanner: waiting for messages 56716 52872 1:30PM 0:13.47 MailScanner: waiting for messages 55712 51940 1:45PM 0:03.38 MailScanner: waiting for messages 56284 52048 1:45PM 0:02.73 MailScanner: waiting for messages 
55752 51784 1:45PM 0:02.85 MailScanner: waiting for messages 55872 51876 1:46PM 0:03.08 MailScanner: waiting for messages 56256 52232 1:46PM 0:02.96 MailScanner: waiting for messages ... I regularly see 35+ child processes. I also see about 4 "masters": 1:08PM 0:00.03 MailScanner: master waiting for children, sleeping 1:15PM 0:00.03 MailScanner: master waiting for children, sleeping 1:30PM 0:00.02 MailScanner: master waiting for children, sleeping 1:45PM 0:00.02 MailScanner: master waiting for children, sleeping I understand that the children will spawn "temporary" processes to do virus scanning, etc which I did not include in the above lists. I'm running on FreeBSD 6.1-RELEASE, MailScanner-4.55.9 installed from ./install.sh, Perl 5.8.8, and all Perl packages installed from ports. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From listacct at tulsaconnect.com Mon Aug 28 20:35:56 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Mon Aug 28 20:36:44 2006 Subject: MailScanner ignoring child process limit In-Reply-To: <44F33C81.3070401@tulsaconnect.com> References: <44F33C81.3070401@tulsaconnect.com> Message-ID: <44F3459C.3050409@tulsaconnect.com> TCIS List Acct wrote: > I've been trying to track down a resource issue and have come across > something odd. I have MS set to use 10 child processes, yet: > Eek. 
It is getting worse with time: $ ps -aux | grep "MailScanner: waiting" | wc -l 67 $ ps -aux | grep "MailScanner: master" | wc -l 8 -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From ka at pacific.net Mon Aug 28 20:54:36 2006 From: ka at pacific.net (Ken A) Date: Mon Aug 28 20:53:28 2006 Subject: Max SpamAssassin Size problems In-Reply-To: <229A346E44379140A59A48951B56E0C00260CC4B@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C00260CC4B@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <44F349FC.6060009@pacific.net> Kash, Howard (Civ, ARL/CISD) wrote: > >> I still do not believe this is a problem that MailScanner needs to > fix. >> The plugin is 'assuming' it will always be handed a complete message >> from all past and future programs using SA, and that the message will >> never be truncated/mangled/poorly constructed for any reason. Whether >> that reason is a software failure, hardware failure, or system >> configuration. > > > And MailScanner is 'assuming' that it is OK to send partial messages to > SA. Since there is no defined protocol here, neither one is necessarily > wrong. But there are existing SA checks and plugins that assume entire > messages are being passed. Maybe SA needs to implement DoS protection > itself so that MailScanner (or any other program) can safely send entire > messages without risk of resource exhaustion. SA sort-of does this > already with the -s switch to spamc as pointed out by Alex. But it's an > all or nothing limit, not truncate in the middle. Maybe MailScanner's > "Max SpamAssassin Size" should be an all or nothing limit as suggested > by Alex (messages < Max SpamAssassin Size get sent to SA in their > entirety, messages > Max SpamAssassin Size don't get sent to SA at all). > This would probably be a one-liner mod to MS. That's what it was originally, iirc. 
Sending partial messages was thought to better though, since spam can usually be detected in the first x bytes, even if a message goes over the limit. This way the limit could be set somewhat lower than if you only passed whole messages. > > Based on SPAM blocked by my server last Thursday, only slightly over > 1.7% of them (565/33002) are over 30k. Using 60k as the limit, the > percentage drops to 1.1% (350/33002). 90k = 0.3% (85/33002). And most > of those larger ones are not your typical SPAM, but things like chain > letters, jokes with videos, etc. which some may consider HAM anyway. So, from a plugin's perspective, a broken image encountered in the first "Max SpamAssassin Size" is really broken, and an image found after that is probably accidentally (on purpose) broken by MailScanner or other SA user. Ken A. Pacific.Net > > Howard > From glenn.steen at gmail.com Mon Aug 28 21:05:34 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 28 21:05:39 2006 Subject: Looking for recommendation on how to proceed. In-Reply-To: References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net> <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com> <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com> Message-ID: <223f97700608281305p349cb2dp889a5957de2ab596@mail.gmail.com> On 28/08/06, Scott Silva wrote: > Glenn Steen spake the following on 8/28/2006 10:49 AM: > > On 28/08/06, Glenn Steen wrote: > > (snip) > >> lines that only are in file b1. > > ... in b2 (!) .... of course. I need dinner... and sleep:-) > > > Sometimes I forget just how many time zones this list crosses? I think the answer to that is buried in /usr/share/zoneinfo ...:-) > "I don't want the cheese anymore, I just want out of the trap." :-) Well, dinners done, onto sleep:-) > -- > > MailScanner is like deodorant... 
> You hope everybody uses it, and > you notice quickly if they don't!!!! > Still love this .sig! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lshaw at emitinc.com Mon Aug 28 21:26:28 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Mon Aug 28 21:26:47 2006 Subject: MailScanner ignoring child process limit In-Reply-To: <44F33C81.3070401@tulsaconnect.com> References: <44F33C81.3070401@tulsaconnect.com> Message-ID: On Mon, 28 Aug 2006, TCIS List Acct wrote: > ... I regularly see 35+ child processes.
I also see about 4 "masters": > > 1:08PM 0:00.03 MailScanner: master waiting for children, sleeping > 1:15PM 0:00.03 MailScanner: master waiting for children, sleeping > 1:30PM 0:00.02 MailScanner: master waiting for children, sleeping > 1:45PM 0:00.02 MailScanner: master waiting for children, sleeping I would venture a guess that something is wrong with the way (whatever)/bin/check_mailscanner is working. It's supposed to detect whether MailScanner is running, and if not, start it. It seems like something is probably wrong with the way that it checks and it's failing to see that one is already running. Oh yeah, almost forgot to mention, on the default setup, check_mailscanner is run from cron periodically. - Logan From brent.addis at pronet.co.nz Mon Aug 28 21:33:30 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Mon Aug 28 21:34:35 2006 Subject: MailScanner ignoring child process limit In-Reply-To: <44F3459C.3050409@tulsaconnect.com> References: <44F33C81.3070401@tulsaconnect.com> <44F3459C.3050409@tulsaconnect.com> Message-ID: <44F3531A.1040706@pronet.co.nz> Are you sure you don't have check_mailscanner running in crontab, along with an invalid pid file location? check_mailscanner comes along at a set interval and ensures mailscanner is running, I assume by checking pid files. If it can't find valid pid files, it starts it up again. TCIS List Acct wrote: > > > TCIS List Acct wrote: >> I've been trying to track down a resource issue and have come across >> something odd. I have MS set to use 10 child processes, yet: >> > > Eek. It is getting worse with time: > > $ ps -aux | grep "MailScanner: waiting" | wc -l > 67 > > $ ps -aux | grep "MailScanner: master" | wc -l > 8 > From chris at tac.esi.net Mon Aug 28 21:36:02 2006 From: chris at tac.esi.net (Chris Hammond) Date: Mon Aug 28 21:36:10 2006 Subject: Looking for recommendation on how to proceed. 
In-Reply-To: <223f97700608281305p349cb2dp889a5957de2ab596@mail.gmail.com> References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net> <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com> <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com> <223f97700608281305p349cb2dp889a5957de2ab596@mail.gmail.com> Message-ID: <44F31BD9.B662.0038.0@tac.esi.net> I agree!! Chris >>> "Glenn Steen" 08/28/06 4:05 PM >>> > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > Still love this .sig! From ssilva at sgvwater.com Mon Aug 28 22:37:47 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 28 22:39:29 2006 Subject: Looking for recommendation on how to proceed. In-Reply-To: <223f97700608281305p349cb2dp889a5957de2ab596@mail.gmail.com> References: <44F1CC7B.B662.0038.0@tac.esi.net> <223f97700608271425n28612376x349cb0cba849a66d@mail.gmail.com> <44F1FA41.B662.0038.0@tac.esi.net> <20060828135616.J59233@defjam.cc.strath.ac.uk> <44F2BC75.B662.0038.0@tac.esi.net> <223f97700608281046rcaec652xf9f58268aa6c2060@mail.gmail.com> <223f97700608281049v6e4b1f6bl93b4685ae0a68446@mail.gmail.com> <223f97700608281305p349cb2dp889a5957de2ab596@mail.gmail.com> Message-ID: Glenn Steen spake the following on 8/28/2006 1:05 PM: > On 28/08/06, Scott Silva wrote: >> Glenn Steen spake the following on 8/28/2006 10:49 AM: >> > On 28/08/06, Glenn Steen wrote: >> > (snip) >> >> lines that only are in file b1. >> > ... in b2 (!) .... of course. I need dinner... and sleep:-) >> > >> Sometimes I forget just how many time zones this list crosses? > > I think the answer to that is buried in /usr/share/zoneinfo ...:-) > >> "I don't want the cheese anymore, I just want out of the trap." 
> > :-) > Well, dinners done, onto sleep:-) With visions of spammers being LART'd in his dreams!!! >> -- >> >> MailScanner is like deodorant... >> You hope everybody uses it, and >> you notice quickly if they don't!!!! >> > Still love this .sig! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From james at grayonline.id.au Mon Aug 28 22:21:19 2006 From: james at grayonline.id.au (James Gray) Date: Tue Aug 29 00:28:29 2006 Subject: NOT BLOCK ATTACHMENT OF THE INTERNAL NET In-Reply-To: <1156779698.4555.54.camel@localhost.localdomain> References: <1156779698.4555.54.camel@localhost.localdomain> Message-ID: <60E0FD7A-A2D4-44B6-B3B2-A7B9D1A3FF18@grayonline.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 29/08/2006, at 1:41 AM, marlo - raidbr wrote: > Help, mailscanner not block attachment of the internal net, which the > configuration ? > > > Thanks > > Marlo Hi Marlo, Not knowing how your system is setup (gateway? internal mail host? something else?) I can only recommend you take a look at a rule set for outgoing mail or mail from your internal network (ie, match by IP range). I've found when exempting certain mail from the default file name and file type rules using an overloaded rule set works very well. There's plenty in the wiki about both these topics: http:// wiki.mailscanner.info/ Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFE815XwBHpdJO7b9ERAm6hAJ9Yle1Yr/D3LlEMR+5Fv2dweynfgACePpcm G1MPJS5jjeDfKLV0Zde8z90= =yoql -----END PGP SIGNATURE----- From listacct at tulsaconnect.com Tue Aug 29 00:46:11 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Tue Aug 29 00:46:14 2006 Subject: MailScanner ignoring child process limit [solved] In-Reply-To: References: <44F33C81.3070401@tulsaconnect.com> Message-ID: <44F38043.1090000@tulsaconnect.com> Logan Shaw wrote: > On Mon, 28 Aug 2006, TCIS List Acct wrote: >> ... I regularly see 35+ child processes. 
I also see about 4 "masters": >> >> 1:08PM 0:00.03 MailScanner: master waiting for children, sleeping >> 1:15PM 0:00.03 MailScanner: master waiting for children, sleeping >> 1:30PM 0:00.02 MailScanner: master waiting for children, sleeping >> 1:45PM 0:00.02 MailScanner: master waiting for children, sleeping > > I would venture a guess that something is wrong with the way > (whatever)/bin/check_mailscanner is working. It's supposed to > detect whether MailScanner is running, and if not, start it. > It seems like something is probably wrong with the way that > it checks and it's failing to see that one is already running. > > Oh yeah, almost forgot to mention, on the default setup, > check_mailscanner is run from cron periodically. > > - Logan Ding ding.. we have a winner. You were right on the money regarding the check_mailscanner thing. Basically, I did indeed have a crontab entry running the check_mailscanner script, however, it was one from a much older version of MailScanner (I had put it in /usr/local/etc/rc.d/ for FreeBSD). So, when I built this new box (FreeBSD 6.x, old boxes were 4.x, but I copied a lot of the config files over) the "old" check_mailscanner script was failing to run properly, and as a result it kept starting MailScanner over and over (every 15 mins via cron) until the box ran out of memory and crashed. This also explains the issue I reported a few months ago with my upgrade to the later versions of MailScanner, it corresponded to the change in the way MailScanner shows up in a process list. 
The old code:

elif $UNAME | $FGREP -q "BSD" ; then
  pid=`$PS -axww | $GREP '[ ]'$msbindir/$process | $AWK '{print $1}'`

The new code:

elif $UNAME | $FGREP "BSD" >/dev/null ; then
  pid=`$PS -axww | $EGREP '[ ]('$msbindir/$process')|'$process'[:]' | $AWK '{print $1}'`

So, it was my fault for not following the upgrade procedure properly, I should symlink to the check_mailscanner script (/opt/MailScanner/bin/check_mailscanner) in the future to make sure I'm running the latest and greatest. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From sergiogc at treelogic.com Tue Aug 29 08:45:33 2006 From: sergiogc at treelogic.com (Sergio García Caso) Date: Tue Aug 29 08:41:19 2006 Subject: MailScanner hangs once a day In-Reply-To: <200608281833.k7SIXRXp010990@bkserver.blacknight.ie> References: <200608281833.k7SIXRXp010990@bkserver.blacknight.ie> Message-ID: <44F3F09D.6050700@treelogic.com> Friday MailScanner stopped at 10 AM, yesterday it stopped at 12.00 AM and today at 8.30 AM (another days it stopped at different times but always at morning) so I think that the problem isn't a cron job. Perhaps the problem is the high load the server have weekdays? Sometimes when the message "MailScanner child dying of old age" appears in the syslog MailScanner don't restart and it hangs. >> > Another important thing that I have forgotten is that MailScanner didn't >> > stop >> > neither on Saturday nor on Sunday, but today (Monday) it has stopped >> > and I have had to restart it. >> > >> > Hm, well then.... One would surmise that *something* is happening > weekdays that isn't happening during the weekends. I trust you looked > at all the possible cron jobs (crontabs hi and lo ... /etc/cron*/* and > the "oldstyle" crontabs) without finding anything that stood out? > And no new connections to your MTA at the time of ... demise?
(I'm > thinking "huge mail" bringing things ... low...) From a.peacock at chime.ucl.ac.uk Tue Aug 29 09:19:43 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Aug 29 09:19:58 2006 Subject: Max SpamAssassin Size problems -- round 2 In-Reply-To: References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0C@ARLABML01.DS.ARL.ARMY.MIL> <44F06A09.9070201@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F0D@ARLABML01.DS.ARL.ARMY.MIL> <44F31894.7030305@ecs.soton.ac.uk> Message-ID: <44F3F89F.5060208@chime.ucl.ac.uk> Logan Shaw wrote: > On Mon, 28 Aug 2006, Julian Field wrote: >> All fair points. Which brings us back to the beginning. >> The option which got the biggest number of votes was along the lines of >> this:
>>
>> for ($lines=$size=0; $lines<100 && $size<20_000; $lines++)
>> {
>>   $line = getnextline();
>>   $size += length($line);
>>   last if $size>20_000;
>>   push @SAinput, $line;
>>   last if $line =~ /^\s*$/;
>> }
>>
>> It should keep copying lines until we hit a line that is only whitespace >> (or blank) or until we have copied 20k of extra data, whichever comes >> first. And it won't be confused by nearly 20k of extra data followed by >> 1 huge line lasting for mbytes. >> >> Is that a reasonable compromise? > > I like the idea of trying to be a little intelligent and > flexible about where you chop the message is a good one. > That seems to me to have value. If you can chop at an > attachment boundary, that's good, so chopping at the first > boundary within a window (of bytes and/or lines) is a good > thing. It will work some of the time. If we agree that MS should be as friendly to SA as possible, and Julian is happy to make some changes, then I think this is the best option.
I do not like the idea of just ignoring messages over the "Max SA Size" and not passing them to SA at all. That would lower the overall effectiveness of scanning. I think that having a flexible window around the "Max SA Size" to try to find the end of an image is a good idea. > However, I still think there needs to be an answer to the > question of what to do when the window method fails to solve > the problem. I think that will happen frequently enough that > it's important to be intentional about it. Agreed! > So, if the boundary does not lie in the window, what is the best > thing to do? It seems to me you have three reasonable options: > (1) chop somewhere inside the window anyway, > (2) keep going to the end of the current attachment and > chop after it's over, > (3) roll back to the beginning of the current attachment, > and chop before it begins. I would vote for No 3, as long as this did not make the code changes too complicated. I think that this has the advantage of passing something to SA to scan (headers, leading text, etc), without risking sending a broken image to SA. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." 
-- George Bernard Shaw From glenn.steen at gmail.com Tue Aug 29 10:01:31 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 29 10:01:40 2006 Subject: MailScanner hangs once a day In-Reply-To: <44F3F09D.6050700@treelogic.com> References: <200608281833.k7SIXRXp010990@bkserver.blacknight.ie> <44F3F09D.6050700@treelogic.com> Message-ID: <223f97700608290201i103873cdrf102542d3b1cf0a3@mail.gmail.com> On 29/08/06, Sergio García Caso wrote: > Friday MailScanner stopped at 10 AM, yesterday it stopped at 12.00 AM > and today at 8.30 AM (another days it stopped at different times but > always at morning) so I think that the problem isn't a cron job. Perhaps > the problem is the high load the server have weekdays? Could be. Do you have some stats? > Sometimes when the message "MailScanner child dying of old age" appears > in the syslog MailScanner don't restart and it hangs. > Does the process stick around, and in what state? Or does it indeed die? If the former, one could perhaps try attach to it and see what it's doing. Do you log everything to syslog (so that it's a one-stop-shopping place for log analysis)? Or does /var/log/mail.* contain anything useful not in the syslog?
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From holger at gebhardweb.de Tue Aug 29 11:17:28 2006 From: holger at gebhardweb.de (Holger Gebhard) Date: Tue Aug 29 11:29:08 2006 Subject: Postfix 2.3 and MailScanner - SOLVED References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2><44E8A8AD.40603@ecs.soton.ac.uk><002601c6c48b$ba7054e0$840804c3@PCHOME2> <031601c6c782$ce6a59b0$0164320a@conware.int> Message-ID: <02a201c6cb54$54d31990$0164320a@conware.int> My Problem with Postfix 2.3.x and MailScanner is solved... It seems that only messages with more than one recipient and messages actions delete and forward are affected. Here is a little example: An original message has 11 Recipients and is detected as Spam. The actions are delete and forward to another mailaddress. MailScanner marks the message as deleted and in the next step all the original recipients had to be removed from the envelope header. Here is the bug, MailScanner does not remove all old recipients! The code for the removal can be found in Postfix.pm -> sub DeleteRecipients:

next unless $message->{metadata}[$linenum] =~ /^[RO]/;

This regular expression removes only recipients that start with "R" or "O" in the header. Since Postfix 2.3.x there is a new recipient line that also must be removed. To remove the new line I changed the regular expression and made it a bit more robust...

next unless $message->{metadata}[$linenum] =~ /^[ARO].+@(?:\w|-|\.)+\.\w{2,}/;

Works fine for two days now with no more warnings in log :-) Holger ----- Original Message ----- From: "Holger Gebhard" To: "MailScanner discussion" Sent: Thursday, August 24, 2006 3:39 PM Subject: Re: Postfix 2.3 and MailScanner > Hi Julian, > hi Group, > > a upgrade to mailscanner version 4.55.10 does not help to solve the > problem > with postfix 2.3.2, it was a try... > > I attached some queuefiles which produce the "out-of-order" postfix > warning > message in log: > > Directory "incoming" contains messages from postfixqueue before scanning > by > mailscanner. > Directory "archiv" contains messages from mailscanner archiv function. > Directory "outgoing" contains messages from postfixqueue after scanning by > mailScanner. > > Queuefiles from incoming and archiv have the same content, no postfix > warning for this files. > Queuefiles form outgoing are modified by mailscanner, but only some > produce > the postfix warning. > > To see the warning just stop outgoing postfix (split queues) or postfix > (hold queue). Then copy a message from outgoing directory to postfix > incoming queue directory. Check systemrights for the copied file (for > debian > set to postfix.root). Next start Postfix and search your logs for the > warning. > > Hope anyone can help to solve the problem... > > > Thanks > > Holger > > > > > > > > ----- Original Message ----- > From: "Holger Gebhard" > To: "MailScanner discussion" > Sent: Sunday, August 20, 2006 9:06 PM > Subject: Re: Postfix 2.3 and MailScanner > > >>I am also running Postfix in Version 2.3.2... >> >> I forward a copy of all Spammails to a Mailbox (Spam Actions). >> Maybe the failure comes from here? >> >> It seems the failure produced by the DSN Recipient Line in the >> Envelope-Header. >> >> Only a idea... >> But what will happen if MailScanner delete all the DSN Header in the >> envelope.
>> When the Message is requeued, postfix might add new headers to the >> Queuefile? >> >> >> ----- Original Message ----- >> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: Sunday, August 20, 2006 8:23 PM >> Subject: Re: Postfix 2.3 and MailScanner >> >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Can you make sure you are using the latest Postfix? >> I am running 2.3.2 and I cannot re-create your symptoms. I have used all >> the 4 messages you sent me and they all worked fine, bar a warning about >> timestamps which I always get and is due to the way I am dropping things >> into its queue directories. >> >> I can't fix it until I can reproduce it, sorry. >> >> Holger Gebhard wrote: >>> Hi Julian, >>> >>> the failure happens only with some messages, not all. >>> The attached archive contains some example messages. >>> >>> Thanks for help :-) >>> >>> >>> Holger >>> >>> ----- Original Message ----- From: "Julian Field" >>> >>> To: "MailScanner discussion" >>> Sent: Sunday, August 20, 2006 5:02 PM >>> Subject: Re: Postfix 2.3 and MailScanner >>> >>> >>> >>> >>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 >>> * text/plain body >>> * Julian Field >>> * 0x1415B654(L) >>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 >>> >>> Does this happen with all messages, or only some? >>> Can you isolate a single message that causes this problem for me please? >>> I would suggest using "Archive Mail =" to archive all your mail and then >>> use the logs to identify a particular message that causes the problem to >>> be logged, and one that doesn't cause the problem. >>> >>> It is essential that you archive as "Raw Queue Files". >>> >>> If you can then send me one message file that causes the problem, and >>> one message that doesn't cause it, I can take a look and fix it. >>> >>> I haven't played with Postfix 2.3 much yet, so have little experience of >>> it. 
This is clearly another hurdle Wietse has created for my benefit :-) >>> >>> >>> Holger Gebhard wrote: >>>> Hi Julian, >>>> Hi Group, >>>> >>>> i run mailscanner with postfix (split queues) for many years with no >>>> problems. >>>> Currently running mailscanner version 4.52.2. >>>> >>>> The last week i upgraded postfix from 2.2 to 2.3. >>>> After the upgrade i can see some strange warnings from postfix in my >>>> mail-logs: "ignoring out-of-order DSN original recipient..." >>>> >>>> I searched some group and found this threat: >>>> >>>> http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 >>>> >>>> >>>> >>>> The strange is that only some messages are affected by this failure not >>>> all. >>>> >>>> I tried both postfix implementations (single postfix with hold queue >>>> and >>>> split queues with two postfix instances) with no success. The warning >>>> is >>>> still there with some messages. >>>> >>>> Fortunately the affected messages are still being delivered. >>>> But where come this failure from? >>>> >>>> >>>> Holger >>> >> >> - -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.5.0 (Build 1112) >> Charset: ISO-8859-1 >> >> wj8DBQFE6KiwEfZZRxQVtlQRAt2pAKDSUti8KDrj7mNGGA8MqhFEXIo9hACfV2Le >> ui8msutTnYukLNNMyKAvt3U= >> =fQhv >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. 
From sergiogc at treelogic.com Tue Aug 29 13:14:33 2006 From: sergiogc at treelogic.com (Sergio García Caso) Date: Tue Aug 29 13:10:13 2006 Subject: MailScanner hangs once a day Message-ID: <44F42FA9.8070103@treelogic.com> >Friday MailScanner stopped at 10 AM, yesterday it stopped at 12.00 AM > and today at 8.30 AM (another days it stopped at different times but > always at morning) so I think that the problem isn't a cron job. Perhaps > the problem is the high load the server have weekdays? >Could be. Do you have some stats? I don't have stats but I think that because the problems happen only in weekdays. Before, I had another Mail Gateway with MailScanner and Sendmail and I didn't have this problem. > > Sometimes when the message "MailScanner child dying of old age" appears > > in the syslog MailScanner don't restart and it hangs. > > > >Does the process stick around, and in what state? Or does it indeed >die? If the former, one could perhaps try attach to it and see what >it's doing.
I think the proccess MailScanner die after the message "MailScanner child dying of old age" because it doesn't appear in the log more until restart. >Do you log everything to syslog (so that it's a one-stop-shopping >place for log analysis)? Or does /var/log/mail.* contain anything >useful not in the syslog? I look the 'syslog' and the 'mail.info' and I don't find anything useful. In both I get only the message "MailScanner child dying of old age". From simon at ateb.co.uk Tue Aug 29 15:16:22 2006 From: simon at ateb.co.uk (Simon Annetts) Date: Tue Aug 29 15:15:15 2006 Subject: List of variables for substitution in reports? References: <017001c6c832$35144a40$1404040a@purple><44F04619.5050504@ecs.soton.ac.uk> <44F2F289.8060609@jlewiscooper.com> Message-ID: <01dc01c6cb75$cffc52f0$1404040a@purple> Thanks for that. I've grep'd through the reports and extracted the variables for the wiki. http://wiki.mailscanner.info/doku.php?id=documentation:reports Simon ----- Original Message ----- From: "Greg Borders" To: "MailScanner discussion" Sent: Monday, August 28, 2006 2:41 PM Subject: Re: List of variables for substitution in reports? Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > My sample report files each use all the available variables in each one. > If you need something else somewhere, let me know and I will see about > adding it for you. > > Sorry it's no more consistent than that. > > Simon Annetts wrote: > >> Sorry if this question has been asked before. >> >> Where can I find a list of all the variables that can be substituted into reports and in the config file for things such as >> subject >> lines etc? I can see some in the reports like $report :-) but to have a definitive list would be very helpful. >> >> Thanks in advance >> Simon >> This might be a prime opportunity for some intrepid MS user to filter through the reports and create a definitive list of report variables, and toss them in the wiki. ;) I'll see what I can do! 
I wanted this for myself a few months back. Greg Borders JLC Co. From P.G.M.Peters at utwente.nl Tue Aug 29 15:31:44 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 29 15:31:52 2006 Subject: List of variables for substitution in reports? In-Reply-To: <01dc01c6cb75$cffc52f0$1404040a@purple> References: <017001c6c832$35144a40$1404040a@purple><44F04619.5050504@ecs.soton.ac.uk> <44F2F289.8060609@jlewiscooper.com> <01dc01c6cb75$cffc52f0$1404040a@purple> Message-ID: <44F44FD0.7030109@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Simon Annetts wrote on 29-8-2006 16:16: > Thanks for that. I've grep'd through the reports and extracted the variables for the wiki. > > http://wiki.mailscanner.info/doku.php?id=documentation:reports I noticed two errors: Typo in "Address part of postamster email address from config". I believe the $id is not the Message id but the Queue ID.
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE9E/QelLo80lrIdIRArSSAJ4pFr44Ypc7Xc6qNchdg/2sD6GGlACgmyMT W1XZu5HhhHhxIHAFX1Pd0xA= =9hcw -----END PGP SIGNATURE----- From t.d.lee at durham.ac.uk Tue Aug 29 16:05:40 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Aug 29 16:06:36 2006 Subject: List of variables for substitution in reports? In-Reply-To: <44F04619.5050504@ecs.soton.ac.uk> References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> Message-ID: On Sat, 26 Aug 2006, Julian Field wrote: > My sample report files each use all the available variables in each one. > If you need something else somewhere, let me know and I will see about > adding it for you. > > Sorry it's no more consistent than that. I wonder also if there is a particular consistency issue with "hostname"? The report files refer to lower-case '$hostname'. But MailScanner.conf seems to contain a definition: Hostname = the %org-name% ($HOSTNAME) MailScanner whose RHS has this as upper-case. (I understand that the case of its LHS is irrelevant). The reports we (org-name: DurhamAcUk) have been getting over the years contain an empty string: the DurhamAcUk () MailScanner This email thread has prompted me to check deeper. I wonder whether that peculiar "()" might be because the upper-case (default, I think) "$HOSTNAME" in MS.conf is not recognised. Julian: Could you check and comment upon this, please? (MS versions various over the years, but include up to 4.55.10 .) -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From mailscanner.list.account at kerry.com Tue Aug 29 16:28:04 2006 From: mailscanner.list.account at kerry.com (Ron Hahn) Date: Tue Aug 29 16:28:27 2006 Subject: tnef RPM failed dependencies In-Reply-To: References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> Message-ID: <97073C5D-7685-4685-B161-DADC11AD980B@kerry.com> Colleagues, Bear with me if this is somewhere in the archives but I can't seem to find any reference to it. I'm trying to install (for the first time) mailscanner on a Cobalt RAQ 4 that has been converted to RAQ 550 OS. I have perl 5.8.3 successfully installed. When I run the ./install.sh script, it falls over on the tnef section: -------------start Installing tnef decoder error: failed dependencies: libc.so.6(GLIBC_2.3) is needed by tnef-1.4-1 Now to install MailScanner itself. NOTE: If you get lots of errors here, run the install.sh script NOTE: again with the command "./install.sh nodeps" error: failed dependencies: tnef >= 1.1.1 is needed by mailscanner-4.55.10-3 -------------end I searched for this shared library and found it in two places: [root MailScanner-4.55.10-3]# find / -name libc.so.6 -print /lib/libc.so.6 /usr/i386-glibc21-linux/lib/libc.so.6 As far as I can see both of these locations are in the library search path.. [root MailScanner-4.55.10-3]# cat /etc/ld.so.conf /usr/lib /usr/i486-linux-libc5/lib /usr/X11R6/lib /usr/sausalito/lib /usr/lib /home/chiliasp/lib /usr/i386-glibc21-linux/lib /lib So.... any suggestions as to why the installation of this RPM is falling over? I note that I have tnef-1.4.3 installed in /usr/local/ bin all ready. Thanks for the help, Ron From jaearick at colby.edu Tue Aug 29 16:59:43 2006 From: jaearick at colby.edu (Jeff A. 
Earickson) Date: Tue Aug 29 17:02:36 2006 Subject: Solaris 10 init.d startup failing In-Reply-To: <44EEE419.9010604@techniumcast.com> References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEE419.9010604@techniumcast.com> Message-ID: On Fri, 25 Aug 2006, Rob Shepherd wrote: > Date: Fri, 25 Aug 2006 12:50:49 +0100 > From: Rob Shepherd > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Solaris 10 init.d startup failing > > Jeff A. Earickson wrote: > >> If you can easily create a svcadm standalone setup for MailScanner, you >> would be a hero to us few Solaris 10 users. > > This is mine... works great. Still no joy on this issue. Your SMF manifest didn't work, nor did one I constructed based on the sendmail manifest. Still the same loop-up problem at startup, just like with an old /etc/init.d script. > > NOTE: remove the check_mailscanner cron entry. SMF will ensure it's up and > running (if it can be).... The ps grepping in check_mailscanner didn't work > for me (the pargs are too long and get chopped by ps) and spawned multiple > top-level MS processes. Did you make any changes to check_mailscanner? In my case if I do (as root): cd /opt/MailScanner/bin ./MailScanner /opt/MailScanner/etc/MailScanner.conf then mailscanner still loops up. check_mailscanner and SMF scripts are not in the picture. Only the cron method works for me. Aaaargh. Jeff Earickson Colby College From rob at techniumcast.com Tue Aug 29 17:17:15 2006 From: rob at techniumcast.com (Rob Shepherd) Date: Tue Aug 29 17:17:25 2006 Subject: Solaris 10 init.d startup failing In-Reply-To: References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEE419.9010604@techniumcast.com> Message-ID: <44F4688B.7080109@techniumcast.com> Jeff A. Earickson wrote: > Did you make any changes to check_mailscanner? No sorry. I compiled my own perl though... 
And then battled my way through the MailScanner distribution making #!/usr/local/perl/bin/perl instead of the *hardcoded* default of #!/usr/bin/perl ... ... but it works for me (except for one dependency didn't get picked up, Sys-Hostname-Long, the syslog pm doesn't work properly, and because I'm running in a zone I need to do some awful mounting hack to ensure use of the *hardcoded* /opt/MailScanner path) Cheers Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516 From ssilva at sgvwater.com Tue Aug 29 18:34:58 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 29 18:38:54 2006 Subject: tnef RPM failed dependencies In-Reply-To: <97073C5D-7685-4685-B161-DADC11AD980B@kerry.com> References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> <97073C5D-7685-4685-B161-DADC11AD980B@kerry.com> Message-ID: Ron Hahn spake the following on 8/29/2006 8:28 AM: > Colleagues, > > Bear with me if this is somewhere in the archives but I can't seem to > find any reference to it. > > I'm trying to install (for the first time) mailscanner on a Cobalt RAQ 4 > that has been converted to RAQ 550 OS. > > I have perl 5.8.3 successfully installed. > > When I run the ./install.sh script, it falls over on the tnef section: > > -------------start > Installing tnef decoder > > error: failed dependencies: > libc.so.6(GLIBC_2.3) is needed by tnef-1.4-1 > > Now to install MailScanner itself. > > NOTE: If you get lots of errors here, run the install.sh script > NOTE: again with the command "./install.sh nodeps" > > error: failed dependencies: > tnef >= 1.1.1 is needed by mailscanner-4.55.10-3 > -------------end > > I searched for this shared library and found it in two places: > > [root MailScanner-4.55.10-3]# find / -name libc.so.6 -print > /lib/libc.so.6 > /usr/i386-glibc21-linux/lib/libc.so.6 > > As far as I can see both of these locations are in the library search > path.. 
> > [root MailScanner-4.55.10-3]# cat /etc/ld.so.conf > /usr/lib > /usr/i486-linux-libc5/lib > /usr/X11R6/lib > /usr/sausalito/lib > /usr/lib > /home/chiliasp/lib > /usr/i386-glibc21-linux/lib > /lib > > So.... any suggestions as to why the installation of this RPM is falling > over? I note that I have tnef-1.4.3 installed in /usr/local/bin all ready. > > Thanks for the help, > If you really have a lot of trouble, you could try BlueQuartz on that server. A more modern linux (CentOS) with the cloned webconfig. It could be easier than trying to hack the Raq software. Just a thought..... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mikej at rogers.com Tue Aug 29 22:35:35 2006 From: mikej at rogers.com (Mike Jakubik) Date: Tue Aug 29 22:35:17 2006 Subject: Postfix 2.3 and MailScanner - SOLVED In-Reply-To: <02a201c6cb54$54d31990$0164320a@conware.int> References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2><44E8A8AD.40603@ecs.soton.ac.uk><002601c6c48b$ba7054e0$840804c3@PCHOME2> <031601c6c782$ce6a59b0$0164320a@conware.int> <02a201c6cb54$54d31990$0164320a@conware.int> Message-ID: <44F4B327.2040504@rogers.com> Holger Gebhard wrote: > My Problem with Postfix 2.3.x and MailScanner is solved... > ... > To remove the new line i changed the regular expression and made a bit > more robust... 
>
> next unless $message->{metadata}[$linenum] =~
> /^[ARO].+@(?:\w|-|\.)+\.\w{2,}/;
>
> Work fine for two days now with no more warnings in log :-)

Is this change backwards compatible with postfix 2.2? From brett at wrl.org Tue Aug 29 23:21:45 2006 From: brett at wrl.org (Brett Charbeneau) Date: Tue Aug 29 23:26:53 2006 Subject: mqueue.in just gets bigger - no delivery? Message-ID: Greetings, I'd be grateful for any help anyone can find the time to offer! Our Debian mail server is a P4 3200 Ghz with 2GB of RAM and Ultra-320 SCSI drives, we handle about 6K messages a day. The building we are in is under renovation and our roofers were wielding sledge hammers with abandon when it seemed our swap partition had a crash. (Lots of CRC errors from the /tmp directory on the console.) I've since e2fsck'd the entire disk and swapped out the motherboard with an identical model. The MTA is sendmail and while this was a successful install originally, I've made sure to go over the sendmail/MailScanner instructions found here: http://www.mailscanner.info/sendmail.html The problem we are experiencing is that the mqueue.in directory just keeps growing and no mail is being delivered. MailWatch shows we've got 630 inbound messages as I type - and the number keeps getting bigger. I've run MS and SpamAssassin in debug mode, but can't find anything revealing: http://pastebin.ca/153822 I also did a "spamassassin -D -p \ /etc/MailScanner/spam.assassin.prefs.conf -t --lint 2>&1" with this output: http://pastebin.ca/153814 Can anyone offer any guidance as to what's going wrong?
-- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@.please.do.not.spam.me.wrl.org ******************************************************************** From lshaw at emitinc.com Tue Aug 29 23:35:01 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Aug 29 23:35:15 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: Message-ID: On Tue, 29 Aug 2006, Brett Charbeneau wrote: > Greetings, > > I'd be grateful for any help anyone can find the time to offer! > Our Debian mail server is a P4 3200 Ghz with 2GB of RAM and Ultra-320 > SCSI drives, we handle about 6K messages a day. > The building we are in is under renovation and our roofers were > wielding sledge hammers with abandon when it seemed our swap partition had a > crash. (Lots of CRC errors from the /tmp directory on the console.) > I've since e2fsck'd the entire disk and swapped out the motherboard > with an identical model. Not that e2fsck fixes errors on swap partitions, but it's a good idea anyway, I guess. > The MTA is sendmail and while this was a successful install > originally, I've made sure to go over the sendmail/MailScanner instructions > found here: > > http://www.mailscanner.info/sendmail.html > > The problem we are experiencing is that the mqueue.in directory just > keeps growing and no mail is being delivered. MailWatch shows we've got 630 > inbound messages as I type - and the number keeps getting bigger. First question: when you start MailScanner, does it successfully start and stay running? Next question: does it spawn children? Look at the output of "ps -ef | grep MailScanner" to see if it does. Next question: does it appear to be processing messages? What is it logging to syslog? (Do a "grep MailScanner /var/log/maillog" or similar.) 
- Logan

From res at ausics.net Wed Aug 30 00:14:16 2006
From: res at ausics.net (Res)
Date: Wed Aug 30 00:14:33 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44F42FA9.8070103@treelogic.com>
References: <44F42FA9.8070103@treelogic.com>
Message-ID:

On Tue, 29 Aug 2006, Sergio García Caso wrote:

> I think the process MailScanner die after the message "MailScanner child
> dying of old age" because it doesn't appear in the log more until restart.

Do you cycle your syslog files more than once a week?
Is syslog still running when you discover MS hanging?
Are there any mail files in the /var/spool/MailScanner/PID dirs?
-check timestamps for the latest maillog entry against the files
I might have missed it but what virus scanner do you use?
Do you use spamassassin
Is the MTA still operating (is the in queue getting bigger and bigger)

--
Cheers
Res
Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Aug 30 00:19:03 2006
From: res at ausics.net (Res)
Date: Wed Aug 30 00:19:13 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID:

On Tue, 29 Aug 2006, Brett Charbeneau wrote:

> The problem we are experiencing is that the mqueue.in directory just

Can you MailScanner --lint

This more or less sounds like a permissioning error

when you ps ax | grep MailScanner do you see the parent and its typically 5 kids? Is there a after any or all of them?

--
Cheers
Res
Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From james at grayonline.id.au Wed Aug 30 06:45:01 2006
From: james at grayonline.id.au (James Gray)
Date: Wed Aug 30 06:45:47 2006
Subject: HTML Script problem returns....
Message-ID: <82733972-4EFB-41FC-8034-255DE2C7B8AA@grayonline.id.au>

Skipped content of type multipart/mixed

From anwarsanusi at gmail.com Wed Aug 30 07:43:05 2006
From: anwarsanusi at gmail.com (Anwar Sanusi)
Date: Wed Aug 30 07:43:19 2006
Subject: Lost Email
Message-ID: <44F53379.2070901@gmail.com>

Dear all,

I have a problem with our mail server (sendmail + MailScanner). I have lost my mail, I mean somebody sent to me and cc to others, but I did not receive email for me? This often happens to our other user. What I want to know is what is the real problem of our Mail server and how to solve it?

Thanks & Regards
Anwar

From michele at blacknight.ie Wed Aug 30 08:04:14 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Wed Aug 30 08:04:27 2006
Subject: Lost Email
In-Reply-To: <44F53379.2070901@gmail.com>
References: <44F53379.2070901@gmail.com>
Message-ID: <44F5386E.9000002@blacknight.ie>

Anwar Sanusi wrote:
> Dear all,
>
> I have a problem with our mail server (sendmail + MailScanner). I have
> lost my mail, I mean somebody sent to me and cc to others, but I did not
> receive email for me? This often happens to our other user. What I want
> to know is what is the real problem of our Mail server and how to solve it?
>
> Thanks & Regards
> Anwar
>

Check your logs. The mail had to go somewhere.. presuming that it was ever actually sent

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax.
+353 (0) 59 9164239 From drew at themarshalls.co.uk Wed Aug 30 08:51:32 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 30 08:53:07 2006 Subject: Lost Email In-Reply-To: <44F5386E.9000002@blacknight.ie> References: <44F53379.2070901@gmail.com> <44F5386E.9000002@blacknight.ie> Message-ID: <38837.194.70.180.170.1156924292.squirrel@www.r-bit.net> On Wed, August 30, 2006 08:04, Michele Neylon:: Blacknight.ie wrote: > Anwar Sanusi wrote: >> Dear all, >> >> I have a problem with our mail server(sendmail + Mailscanner). i have >> lost my mail i mean somebody sent to me and cc to others, but i did not >> receive email for me ? this often happen to our other user. what i want >> to know is what the really problem of our Mail server and how to solve ? >> >> Thanks & Regards >> Anwar >> > Check your logs. The mail had to go somewhere.. presuming that it was > ever actually sent Or indeed ever reached you... Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From anwarsanusi at gmail.com Wed Aug 30 09:17:59 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Wed Aug 30 09:18:06 2006 Subject: Lost Email In-Reply-To: <44F5386E.9000002@blacknight.ie> References: <44F53379.2070901@gmail.com> <44F5386E.9000002@blacknight.ie> Message-ID: <44F549B6.3010006@gmail.com> Michele Neylon:: Blacknight.ie wrote: >Anwar Sanusi wrote: > > >>Dear all, >> >>I have a problem with our mail server(sendmail + Mailscanner). i have >>lost my mail i mean somebody sent to me and cc to others, but i did not >>receive email for me ? this often happen to our other user. what i want >>to know is what the really problem of our Mail server and how to solve ? >> >>Thanks & Regards >>Anwar >> >> >> >Check your logs. The mail had to go somewhere.. presuming that it was >ever actually sent > > > i am confuse how to read and make sure that the mail had sent. 
i know that i hv not received the mail when the other user reply the mail. rgds,anwar From drew at themarshalls.co.uk Wed Aug 30 09:33:39 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 30 09:34:09 2006 Subject: Lost Email In-Reply-To: <44F549B6.3010006@gmail.com> References: <44F53379.2070901@gmail.com> <44F5386E.9000002@blacknight.ie> <44F549B6.3010006@gmail.com> Message-ID: <38941.194.70.180.170.1156926819.squirrel@www.r-bit.net> On Wed, August 30, 2006 09:17, Anwar Sanusi wrote: > i am confuse how to read and make sure that the mail had sent. i know > that i hv not received the mail when the other user reply the mail. > rgds,anwar Read your log file (Which is probably under /var/logs/maillog or similar) this will tell you much about what is going on. -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From simon at ateb.co.uk Wed Aug 30 10:10:30 2006 From: simon at ateb.co.uk (Simon Annetts) Date: Wed Aug 30 10:09:05 2006 Subject: List of variables for substitution in reports? References: <017001c6c832$35144a40$1404040a@purple><44F04619.5050504@ecs.soton.ac.uk> Message-ID: <020f01c6cc14$36222f20$1404040a@purple> I've noticed this too: $HOSTNAME (or any other environment variable for that matter) don't seem to be available in the config. Does anyone know if env variables can be put into reports? Simon ----------------------- Ateb Ltd Marteg House St. Harmon Rhayader Powys LD6 5LG 01597 870329 ----------------------- ----- Original Message ----- From: "David Lee" To: "MailScanner discussion" Sent: Tuesday, August 29, 2006 4:05 PM Subject: Re: List of variables for substitution in reports? On Sat, 26 Aug 2006, Julian Field wrote: > My sample report files each use all the available variables in each one. > If you need something else somewhere, let me know and I will see about > adding it for you. 
> > Sorry it's no more consistent than that. I wonder also if there is a particular consistency issue with "hostname"? The report files refer to lower-case '$hostname'. But MailScanner.conf seems to contain a definition: Hostname = the %org-name% ($HOSTNAME) MailScanner whose RHS has this as upper-case. (I understand that the case of its LHS is irrelevant). The reports we (org-name: DurhamAcUk) have been getting over the years contain an empty string: the DurhamAcUk () MailScanner This email thread has prompted me to check deeper. I wonder whether that peculiar "()" might be because the upper-case (default, I think) "$HOSTNAME" in MS.conf is not recognised. Julian: Could you check and comment upon this, please? (MS versions various over the years, but include up to 4.55.10 .) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From MailScanner at ecs.soton.ac.uk Wed Aug 30 10:52:19 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 10:52:58 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44F32378.7090901@alexb.ch>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> <44F31923.2010608@ecs.soton.ac.uk> <44F32378.7090901@alexb.ch>
Message-ID: <44F55FD3.90806@ecs.soton.ac.uk>

Alex Broens wrote:
> On 8/28/2006 6:26 PM, Julian Field wrote:
>> Res wrote:
>>> On Sun, 27 Aug 2006, DAve wrote:
>>>
>>>> I for one want no part of a plugin that requires I send every
>>>> single message in its entirety to SA every time. I'd be DOS'ed
>>>> within a month. I also think
>>> Agreed
>>
>> I thoroughly agree that we shouldn't send the whole message. If you
>> want to do that, just set Max SpamAssassin Size = 500m :-)
>>
>> I'm trying to come up with a compromise that keeps most of you happy
>> most of the time. See my recent "--- round 2" posting.
>
> Julian,
>
> Probably late & lame with this observation:
>
>
> Why not adopt the same logic as from the spamc -s switch
>
> -s *max_size*
>     Set the maximum message size which will be sent to spamd -- any
>     bigger than this threshold and the message will be returned
>     unprocessed (default: 250 KB). If spamc gets handed a message bigger
>     than this, it won't be passed to spamd.
>
>     The size is specified in bytes, as a positive integer greater than
>     0. For example, -s 250000.
>
> This means the full message size and will not distort the SA scanning
> if only part of the msg is scanned (and possibly misclassified)

I don't like that, as most spam can be identified by the first 20k, and your idea would let through large spam.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Aug 30 10:54:58 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 10:55:23 2006
Subject: MailScanner hangs once a day
In-Reply-To: <223f97700608281059k4823f054wf1134bcdcb48fabe@mail.gmail.com>
References: <200608251957.k7PJvM2p024055@bkserver.blacknight.ie> <44F32965.80200@treelogic.com> <223f97700608281059k4823f054wf1134bcdcb48fabe@mail.gmail.com>
Message-ID: <44F56072.1050102@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 28/08/06, Sergio García wrote:
>> Another important thing that I have forgotten is that MailScanner didn't
>> stop neither on Saturday nor on Sunday, but today (Monday) it has stopped
>> and I have had to restart it.
>>
> Hm, well then.... One would surmise that *something* is happening
> weekdays that isn't happening during the weekends. I trust you looked
> at all the possible cron jobs (crontabs hi and lo ... /etc/cron*/* and
> the "oldstyle" crontabs) without finding anything that stood out?
> And no new connections to your MTA at the time of ... demise? (I'm
> thinking "huge mail" bringing things ... low...)
>

The output of "MailScanner --changed" might be useful here too, just in case you have made a mistake in your MailScanner.conf.
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From daniel at danielf.ch Wed Aug 30 11:10:53 2006
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Wed Aug 30 11:14:53 2006
Subject: Deleted Virus Message Report
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2420EA@idefix.danielf.local>

Hi All

I'm very new to MailScanner. Can I make a rule for the "Deleted Virus Message Report" that sends different messages according to the domain of the Sender? What does such a rule look like? And how do I have to configure it in MailScanner.conf?

I have MailScanner 4.55.10, Perl 5.8.8 on FreeBSD 5.x

Thanks for your help.

Cheers
Daniel

From MailScanner at ecs.soton.ac.uk Wed Aug 30 11:25:04 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 11:25:33 2006
Subject: ClamAVModule Perl Error
In-Reply-To: <1BCA1677F917B44CBF448F7B68A35B0E2EDC49@w2k3-tp.techpro.local>
References: <1BCA1677F917B44CBF448F7B68A35B0E2EDC49@w2k3-tp.techpro.local>
Message-ID: <44F56780.6070305@ecs.soton.ac.uk>

Check your ClamAV config files, you might have told it to use a DB for the Bayes data or something like that. What might be good is to remove the ClamAV config files and then re-run my ClamAV+SA installation.

Barry Bourdage wrote:
> Hello All,
> I am getting the following error, I have installed/re-installed on 2
> different machines. I am not using SQLite.
> > Barry > > > > ug 29 19:36:35 mx-test2 MailScanner[19836]: Virus and Content Scanning: > Starting > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: -- > DBI::END > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: -> > disconnect_all for DBD::SQLite::dr (DBI::dr=HASH(0x904e098)~0x9b1ec20) > thr#81f0008 > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: <- > disconnect_all= '' at DBI.pm line 692 > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! -> > DESTROY for DBD::SQLite::db (DBI::db=HASH(0x9b1f804)~INNER) thr#81f0008 > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule:: > DESTROY DBI::db=HASH(0x9b1f804) skipped due to InactiveDestroy > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! <- > DESTROY= undef during global destruction > Aug 29 19:36:35 mx-test2 MailScanner[19836]: ClamAVModule::! -> > DESTROY in DBD::_::common for DBD::SQLite::dr (DBI::dr=HASH(0x9b1e > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Aug 30 11:28:51 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 30 11:29:18 2006 Subject: MailScanner ignoring child process limit In-Reply-To: <44F33C81.3070401@tulsaconnect.com> References: <44F33C81.3070401@tulsaconnect.com> Message-ID: <44F56863.5090208@ecs.soton.ac.uk> I suspect you have a cron job which is checking to see the MailScanner is still running. If this script does not successfully find the processes, it will start some more. It looks like the processes are being created regularly every 5 minutes. TCIS List Acct wrote: > I've been trying to track down a resource issue and have come across > something odd. 
I have MS set to use 10 child processes, yet:
>
> 57136 53400 1:30PM 0:12.96 MailScanner: waiting for messages
> 55584 51836 1:45PM 0:03.87 MailScanner: waiting for messages
> 58288 54720 1:10PM 0:32.86 MailScanner: waiting for messages
> 63732 58580 1:09PM 0:33.49 MailScanner: waiting for messages
> 61648 58044 1:10PM 0:32.24 MailScanner: waiting for messages
> 59916 56336 1:16PM 0:24.85 MailScanner: waiting for messages
> 58924 55220 1:15PM 0:26.39 MailScanner: waiting for messages
> 60616 56500 1:10PM 0:32.27 MailScanner: waiting for messages
> 59060 55464 1:46PM 0:03.95 MailScanner: waiting for messages
> 59492 55860 1:45PM 0:04.32 MailScanner: waiting for messages
> 57696 53600 1:16PM 0:24.12 MailScanner: waiting for messages
> 60104 56208 1:31PM 0:13.27 MailScanner: waiting for messages
> 57216 53372 1:31PM 0:12.85 MailScanner: waiting for messages
> 56520 52804 1:30PM 0:10.73 MailScanner: waiting for messages
> 59924 56052 1:31PM 0:10.08 MailScanner: waiting for messages
> 60564 56604 1:15PM 0:26.45 MailScanner: waiting for messages
> 61564 57912 1:08PM 0:37.61 MailScanner: waiting for messages
> 58476 54604 1:30PM 0:11.33 MailScanner: waiting for messages
> 62200 58612 1:09PM 0:42.43 MailScanner: waiting for messages
> 61136 57584 1:09PM 0:33.56 MailScanner: waiting for messages
> 61504 56932 1:09PM 0:34.54 MailScanner: waiting for messages
> 61744 57908 1:09PM 0:33.92 MailScanner: waiting for messages
> 58840 54772 1:15PM 0:25.17 MailScanner: waiting for messages
> 58796 54392 1:15PM 0:25.72 MailScanner: waiting for messages
> 61940 58372 1:15PM 0:24.55 MailScanner: waiting for messages
> 58144 54048 1:15PM 0:24.70 MailScanner: waiting for messages
> 60280 56492 1:16PM 0:25.47 MailScanner: waiting for messages
> 59576 55980 1:16PM 0:25.62 MailScanner: waiting for messages
> 56676 53004 1:30PM 0:10.71 MailScanner: waiting for messages
> 56716 52872 1:30PM 0:13.47 MailScanner: waiting for messages
> 55712 51940 1:45PM 0:03.38 MailScanner: waiting for messages
> 56284 52048 1:45PM 0:02.73 MailScanner: waiting for messages
> 55752 51784 1:45PM 0:02.85 MailScanner: waiting for messages
> 55872 51876 1:46PM 0:03.08 MailScanner: waiting for messages
> 56256 52232 1:46PM 0:02.96 MailScanner: waiting for messages
>
> ... I regularly see 35+ child processes. I also see about 4 "masters":
>
> 1:08PM 0:00.03 MailScanner: master waiting for children, sleeping
> 1:15PM 0:00.03 MailScanner: master waiting for children, sleeping
> 1:30PM 0:00.02 MailScanner: master waiting for children, sleeping
> 1:45PM 0:00.02 MailScanner: master waiting for children, sleeping
>
> I understand that the children will spawn "temporary" processes to do
> virus scanning, etc which I did not include in the above lists. I'm
> running on FreeBSD 6.1-RELEASE, MailScanner-4.55.9 installed from
> ./install.sh, Perl 5.8.8, and all Perl packages installed from ports.
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From holger at gebhardweb.de Wed Aug 30 12:03:45 2006
From: holger at gebhardweb.de (Holger Gebhard)
Date: Wed Aug 30 12:03:37 2006
Subject: Postfix 2.3 and MailScanner - SOLVED
References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2><44E8A8AD.40603@ecs.soton.ac.uk><002601c6c48b$ba7054e0$840804c3@PCHOME2> <031601c6c782$ce6a59b0$0164320a@conware.int><02a201c6cb54$54d31990$0164320a@conware.int> <44F4B327.2040504@rogers.com>
Message-ID: <035001c6cc23$f69bb8c0$0164320a@conware.int>

Yes, this change is backwards compatible...

Tested with some messages on Postfix Version 2.2.10. With Postfix 2.2.x the regex only matches "R" and "O" recipients. There are no "A" lines that could match...

----- Original Message -----
From: "Mike Jakubik"
To: "MailScanner discussion"
Sent: Tuesday, August 29, 2006 11:35 PM
Subject: Re: Postfix 2.3 and MailScanner - SOLVED

> Holger Gebhard wrote:
>> My Problem with Postfix 2.3.x and MailScanner is solved...
>>
>
> ...
>
>> To remove the new line i changed the regular expression and made a bit
>> more robust...
>>
>> next unless $message->{metadata}[$linenum] =~ /^[ARO].+@(?:\w|-|\.)+\.\w{2,}/;
>>
>> Work fine for two days now with no more warnings in log :-)
>
> Is this change backwards compatible with postfix 2.2?

From sergiogc at treelogic.com Wed Aug 30 12:06:56 2006
From: sergiogc at treelogic.com (Sergio García Caso)
Date: Wed Aug 30 12:03:47 2006
Subject: MailScanner hangs once a day
Message-ID: <44F57150.4030402@treelogic.com>

> >> The output of "MailScanner --changed" might be useful here too, just in
> >> case you have made a mistake in your MailScanner.conf.

I can't execute "MailScanner --changed" (It says: 'Unknown option: changed'). Today MailScanner hasn't stopped yet.

> >> Do you cycle your syslog files more than once a week?
> >> Is syslog still running when you discover MS hanging?
> >> Are there any mail files in the /var/spool/MailScanner/PID dirs?
> >> -check timestamps for the latest maillog entry against the files
> >> I might have missed it but what virus scanner do you use?
> >> Do you use spamassassin
> >> Is the MTA still operating (is the in queue getting bigger and bigger)

- I cycle my syslog every day.
- Syslog continues running after MailScanner hangs.
- In /var/spool/MailScanner/incoming/ there are several dirs with mail files. There is another file too called 'SpamAssassin.cache.db'.
- In /var/spool/MailScanner/spamassassin/ there are several files called 'bayes....' (for example: 'bayes_toks.expire10031', 'bayes_toks.expire20819')
- I use the virus scanner ClamAV 0.88.4
- I use SpamAssassin 3.1.3
- I use Postfix 2.3 and it continues running after MailScanner hangs

From MailScanner at ecs.soton.ac.uk Wed Aug 30 12:04:13 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 12:04:43 2006
Subject: Postfix 2.3 and MailScanner - SOLVED
In-Reply-To: <02a201c6cb54$54d31990$0164320a@conware.int>
References: <1155886006.12295.4.camel@jakes.synaq.com><44E57C03.9030804@ecs.soton.ac.uk><223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com><223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com><223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com><223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com><44E6F798.7030701@ecs.soton.ac.uk> <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com><006a01c6c3f4$bc1028d0$840804c3@PCHOME2> <44E879A3.8030905@ecs.soton.ac.uk><00cc01c6c476$aea287b0$840804c3@PCHOME2><44E8A8AD.40603@ecs.soton.ac.uk><002601c6c48b$ba7054e0$840804c3@PCHOME2> <031601c6c782$ce6a59b0$0164320a@conware.int> <02a201c6cb54$54d31990$0164320a@conware.int>
Message-ID: <44F570AD.6050003@ecs.soton.ac.uk>

Many thanks for that, it will be in the next release.

Holger Gebhard wrote:
> My Problem with Postfix 2.3.x and MailScanner is solved...
>
> It seems that only messages with more than one recipient and messages
> actions delete and forward are affected.
>
> Here is a little example:
>
> An original message has 11 Recipients and is detected as Spam. The
> actions are delete and forward to another mailaddress. MailScanner
> marks the message as deleted and in the next step all the original
> recipients had to be removed from the envelope header. Here is the
> bug, MailScanner does not remove all old recipients!
>
> The code for the removal can be found in Postfix.pm -> sub
> DeleteRecipients:
>
> next unless $message->{metadata}[$linenum] =~ /^[RO]/;
>
> This regular expression removes only recipients starting with "R" or "O"
> in the header.
> Since Postfix 2.3.x there is a new recipient line that also must be
> removed.
>
> To remove the new line i changed the regular expression and made a bit
> more robust...
>
> next unless $message->{metadata}[$linenum] =~ /^[ARO].+@(?:\w|-|\.)+\.\w{2,}/;
>
> Work fine for two days now with no more warnings in log :-)
>
>
> Holger
>
>
> ----- Original Message ----- From: "Holger Gebhard"
> To: "MailScanner discussion"
> Sent: Thursday, August 24, 2006 3:39 PM
> Subject: Re: Postfix 2.3 and MailScanner
>
>
>> Hi Julian,
>> hi Group,
>>
>> an upgrade to mailscanner version 4.55.10 does not help to solve the problem
>> with postfix 2.3.2, it was a try...
>>
>> I attached some queuefiles which produce the "out-of-order" postfix warning
>> message in log:
>>
>> Directory "incoming" contains messages from postfixqueue before scanning by
>> mailscanner.
>> Directory "archiv" contains messages from mailscanner archiv function.
>> Directory "outgoing" contains messages from postfixqueue after scanning by
>> mailScanner.
>>
>> Queuefiles from incoming and archiv have the same content, no postfix
>> warning for these files.
>> Queuefiles from outgoing are modified by mailscanner, but only some produce
>> the postfix warning.
>>
>> To see the warning just stop outgoing postfix (split queues) or postfix
>> (hold queue). Then copy a message from outgoing directory to postfix
>> incoming queue directory. Check systemrights for the copied file (for debian
>> set to postfix.root). Next start Postfix and search your logs for the
>> warning.
>>
>> Hope anyone can help to solve the problem...
>> >> >> Thanks >> >> Holger >> >> >> >> >> >> >> >> ----- Original Message ----- From: "Holger Gebhard" >> >> To: "MailScanner discussion" >> Sent: Sunday, August 20, 2006 9:06 PM >> Subject: Re: Postfix 2.3 and MailScanner >> >> >>> I am also running Postfix in Version 2.3.2... >>> >>> I forward a copy of all Spammails to a Mailbox (Spam Actions). >>> Maybe the failure comes from here? >>> >>> It seems the failure produced by the DSN Recipient Line in the >>> Envelope-Header. >>> >>> Only a idea... >>> But what will happen if MailScanner delete all the DSN Header in the >>> envelope. >>> When the Message is requeued, postfix might add new headers to the >>> Queuefile? >>> >>> >>> ----- Original Message ----- From: "Julian Field" >>> >>> To: "MailScanner discussion" >>> Sent: Sunday, August 20, 2006 8:23 PM >>> Subject: Re: Postfix 2.3 and MailScanner >>> >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Can you make sure you are using the latest Postfix? >>> I am running 2.3.2 and I cannot re-create your symptoms. I have used >>> all >>> the 4 messages you sent me and they all worked fine, bar a warning >>> about >>> timestamps which I always get and is due to the way I am dropping >>> things >>> into its queue directories. >>> >>> I can't fix it until I can reproduce it, sorry. >>> >>> Holger Gebhard wrote: >>>> Hi Julian, >>>> >>>> the failure happens only with some messages, not all. >>>> The attached archive contains some example messages. >>>> >>>> Thanks for help :-) >>>> >>>> >>>> Holger >>>> >>>> ----- Original Message ----- From: "Julian Field" >>>> >>>> To: "MailScanner discussion" >>>> Sent: Sunday, August 20, 2006 5:02 PM >>>> Subject: Re: Postfix 2.3 and MailScanner >>>> >>>> >>>> >>>> >>>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 >>>> * text/plain body >>>> * Julian Field >>>> * 0x1415B654(L) >>>> * PGP Signed by an unmatched address: 08/20/06 at 16:03:03 >>>> >>>> Does this happen with all messages, or only some? 
>>>> Can you isolate a single message that causes this problem for me >>>> please? >>>> I would suggest using "Archive Mail =" to archive all your mail and >>>> then >>>> use the logs to identify a particular message that causes the >>>> problem to >>>> be logged, and one that doesn't cause the problem. >>>> >>>> It is essential that you archive as "Raw Queue Files". >>>> >>>> If you can then send me one message file that causes the problem, and >>>> one message that doesn't cause it, I can take a look and fix it. >>>> >>>> I haven't played with Postfix 2.3 much yet, so have little >>>> experience of >>>> it. This is clearly another hurdle Wietse has created for my >>>> benefit :-) >>>> >>>> >>>> Holger Gebhard wrote: >>>>> Hi Julian, >>>>> Hi Group, >>>>> >>>>> i run mailscanner with postfix (split queues) for many years with no >>>>> problems. >>>>> Currently running mailscanner version 4.52.2. >>>>> >>>>> The last week i upgraded postfix from 2.2 to 2.3. >>>>> After the upgrade i can see some strange warnings from postfix in my >>>>> mail-logs: "ignoring out-of-order DSN original recipient..." >>>>> >>>>> I searched some group and found this threat: >>>>> >>>>> http://groups.google.de/group/list.postfix.users/browse_thread/thread/8185dfd727a9c61c/8257ccf669d80019?lnk=st&q=%22out-of-order+dsn+original+recipient%22&rnum=1&hl=de#8257ccf669d80019 >>>>> >>>>> >>>>> >>>>> >>>>> The strange is that only some messages are affected by this >>>>> failure not >>>>> all. >>>>> >>>>> I tried both postfix implementations (single postfix with hold queue >>>>> and >>>>> split queues with two postfix instances) with no success. The warning >>>>> is >>>>> still there with some messages. >>>>> >>>>> Fortunately the affected messages are still being delivered. >>>>> But where come this failure from? 
>>>>>
>>>>> Holger
>>>>
>>>
>>> - --
>>> Julian Field
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> MailScanner customisation, or any advanced system administration help?
>>> Contact me at Jules@MailScanner.biz
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: PGP Desktop 9.5.0 (Build 1112)
>>> Charset: ISO-8859-1
>>>
>>> wj8DBQFE6KiwEfZZRxQVtlQRAt2pAKDSUti8KDrj7mNGGA8MqhFEXIo9hACfV2Le
>>> ui8msutTnYukLNNMyKAvt3U=
>>> =fQhv
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>
>>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Aug 30 12:06:16 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 12:06:43 2006
Subject: List of variables for substitution in reports?
In-Reply-To:
References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk>
Message-ID: <44F57128.3030003@ecs.soton.ac.uk>

The "$UPPERCASE" is so that you can put in environment variables into
the reports.

With your $HOSTNAME problems I would suspect that your default shell
setup doesn't set the shell HOSTNAME environment variable.

David Lee wrote:
> On Sat, 26 Aug 2006, Julian Field wrote:
>
>> My sample report files each use all the available variables in each one.
>> If you need something else somewhere, let me know and I will see about
>> adding it for you.
>>
>> Sorry it's no more consistent than that.
>>
>
> I wonder also if there is a particular consistency issue with "hostname"?
>
> The report files refer to lower-case '$hostname'. But MailScanner.conf
> seems to contain a definition:
> Hostname = the %org-name% ($HOSTNAME) MailScanner
>
> whose RHS has this as upper-case. (I understand that the case of its LHS
> is irrelevant).
>
> The reports we (org-name: DurhamAcUk) have been getting over the years
> contain an empty string:
> the DurhamAcUk () MailScanner
>
> This email thread has prompted me to check deeper.
>
> I wonder whether that peculiar "()" might be because the upper-case
> (default, I think) "$HOSTNAME" in MS.conf is not recognised.
>
> Julian: Could you check and comment upon this, please?
>
> (MS versions various over the years, but include up to 4.55.10 .)
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Aug 30 12:07:09 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 12:07:36 2006
Subject: Postfix 2.3 and MailScanner - SOLVED
In-Reply-To: <44F4B327.2040504@rogers.com>
References: <1155886006.12295.4.camel@jakes.synaq.com>
 <44E57C03.9030804@ecs.soton.ac.uk>
 <223f97700608180153vc84f6a7ve26f246c57e794db@mail.gmail.com>
 <223f97700608180801p71b535f0t3ff80ed8546012a3@mail.gmail.com>
 <223f97700608180803rdaae616w182c2bc6752b06a3@mail.gmail.com>
 <223f97700608190307q400f981dy5d4905308b424ecc@mail.gmail.com>
 <44E6F798.7030701@ecs.soton.ac.uk>
 <223f97700608190458vdc5168fy465a6f3c08be7c5@mail.gmail.com>
 <006a01c6c3f4$bc1028d0$840804c3@PCHOME2>
 <44E879A3.8030905@ecs.soton.ac.uk>
 <00cc01c6c476$aea287b0$840804c3@PCHOME2>
 <44E8A8AD.40603@ecs.soton.ac.uk>
 <002601c6c48b$ba7054e0$840804c3@PCHOME2>
 <031601c6c782$ce6a59b0$0164320a@conware.int>
 <02a201c6cb54$54d31990$0164320a@conware.int>
 <44F4B327.2040504@rogers.com>
Message-ID: <44F5715D.4010308@ecs.soton.ac.uk>

Mike Jakubik wrote:
> Holger Gebhard wrote:
>> My Problem with Postfix 2.3.x and MailScanner is solved...
>>
>
> ...
>
>> To remove the new line i changed the regular expression and made a
>> bit more robust...
>>
>> next unless $message->{metadata}[$linenum] =~
>> /^[ARO].+@(?:\w|-|\.)+\.\w{2,})/;
>>
>> Work fine for two days now with no more warnings in log :-)
>
> Is this change backwards compatible with postfix 2.2?
>
It should be, yes.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martin.lyberg at gmail.com Wed Aug 30 12:12:16 2006
From: martin.lyberg at gmail.com (Martin)
Date: Wed Aug 30 12:13:07 2006
Subject: Trouble with Bayes
Message-ID:

Hi,

I'm running Mailscanner + spamassassin on Debian. I've noticed the
following error when running lint:

20549] dbg: bayes: no dbs present, cannot tie DB R/O:
/var/spool/MailScanner/spamassassin/bayes_toks

The bayes_toks IS there:

:/var/spool/MailScanner/spamassassin# ls -al
total 776456
drwxrwx--- 2 postfix postfix 12288 2006-08-30 13:03 .
drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
-rwxrwx--- 1 postfix postfix 671744 2006-08-30 13:03 auto-whitelist
-rwxrwx--- 1 postfix postfix 303104 2006-08-30 13:03 bayes_seen
-rwxrwxr-x 1 postfix postfix 2609152 2006-08-30 13:03 bayes_toks
-rwxrwx--- 1 postfix postfix 2514944 2006-07-21 13:56 bayes_toks.expire10000
-rwxrwx--- 1 postfix postfix 2658304 2006-07-25 18:17 bayes_toks.expire1004
* snip *

And the following setting in /etc/MailScanner/spam.assassin.prefs.conf:

bayes_path /var/spool/MailScanner/spamassassin/bayes

Any clue what's wrong here?

Thank you.

/ Martin

From glenn.steen at gmail.com Wed Aug 30 12:40:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 12:40:42 2006
Subject: Trouble with Bayes
In-Reply-To:
References:
Message-ID: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com>

On 30/08/06, Martin wrote:
> Hi,
>
> I'm running Mailscanner + spamassassin on Debian.
> I've noticed the following error when running lint:
>
> 20549] dbg: bayes: no dbs present, cannot tie DB R/O:
> /var/spool/MailScanner/spamassassin/bayes_toks
>
> The bayes_toks IS there:
>
> :/var/spool/MailScanner/spamassassin# ls -al
> total 776456
> drwxrwx--- 2 postfix postfix 12288 2006-08-30 13:03 .
> drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
> -rwxrwx--- 1 postfix postfix 671744 2006-08-30 13:03 auto-whitelist
> -rwxrwx--- 1 postfix postfix 303104 2006-08-30 13:03 bayes_seen
> -rwxrwxr-x 1 postfix postfix 2609152 2006-08-30 13:03 bayes_toks
> -rwxrwx--- 1 postfix postfix 2514944 2006-07-21 13:56 bayes_toks.expire10000
> -rwxrwx--- 1 postfix postfix 2658304 2006-07-25 18:17 bayes_toks.expire1004
> * snip *
>
> And the following setting in /etc/MailScanner/spam.assassin.prefs.conf:
>
> bayes_path /var/spool/MailScanner/spamassassin/bayes
>
> Any clue what's wrong here?
>
> Thank you.
>
> / Martin
>
Hi Martin,

Might be that you have some further issue "above" what can be seen in
that listing (postfix lacking read privs on a dir further up). Do
su - postfix -s /bin/sh
cd /var/spool/MailScanner/spamassassin
... does that work?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martin.lyberg at gmail.com Wed Aug 30 12:50:13 2006
From: martin.lyberg at gmail.com (Martin)
Date: Wed Aug 30 12:50:41 2006
Subject: Trouble with Bayes
In-Reply-To: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com>
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

> Might be that you have some further issue "above" what can be seen in
> that listing (postfix lacking read privs on a dir further up). Do
> su - postfix -s /bin/sh
> cd /var/spool/MailScanner/spamassassin
> ... does that work?

Glenn,

Both commands works with no error. Any other clue?

Thank you

/ Martin

From iarteaga at cwpanama.net Wed Aug 30 12:52:50 2006
From: iarteaga at cwpanama.net (Ivan Arteaga)
Date: Wed Aug 30 12:52:56 2006
Subject: mail with attachment issues from internet clients.
Message-ID:

Hello,

I have MS running on CentOS 4.x, it has two NICs installed (internal &
external). When I send emails with attachments from the internal users works
fine but not when I send it from the external users (mobile users via
internet). It doesn't matter the attachment size, it can be Ks or Megs it
takes a long until it timeouts. I have no firewalls between the server and
the internet.

Any advice??

Regards,

--Ivan.

"Lock both ways before crossing the net"

From Andreas.Doerfler at kempten.de Wed Aug 30 13:17:00 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Wed Aug 30 13:17:06 2006
Subject: problem with recive mail from gmx
Message-ID:

hi there,

since nearly 1 month i get the following errors from GMX senders:

g 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: collect: premature EOM: Connection reset by mail.gmx.de
Aug 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: collect: premature EOM: Connection reset by mail.gmx.de
Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: collect: premature EOM: Connection reset by mail.gmx.net
Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: SYSERR(root): collect: I/O error on connection from mail.gmx.net, from=

i get these errors not from all gmx senders, only from a few, but this few always the same, so they cant send
mails to us.

i got some funny contact with gmx first level support, told me thats
an dns (reverse dns check) error but fact is: its NOT a dns error.
first lvl support ....

at the moment i have no idea what i can do because:

- its only a gmx problem
- its only from a few gmx senders, not all
- when i try to send to gmx accounts everything fine
- gmx support cant/wont help me

any ideas ?
anyone the same problem ?

greetings
andy

ASCII ribbon campaign ( )
 - against HTML email  X
             & vCards / \

From ms-list at alexb.ch Wed Aug 30 13:27:02 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Aug 30 13:27:07 2006
Subject: Max SpamAssassin Size problems
In-Reply-To: <44F55FD3.90806@ecs.soton.ac.uk>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL>
 <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk>
 <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net>
 <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk>
 <44F21974.7060604@pixelhammer.com> <44F31923.2010608@ecs.soton.ac.uk>
 <44F32378.7090901@alexb.ch> <44F55FD3.90806@ecs.soton.ac.uk>
Message-ID: <44F58416.5070600@alexb.ch>

On 8/30/2006 11:52 AM, Julian Field wrote:
>
> Alex Broens wrote:
>> On 8/28/2006 6:26 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Res wrote:
>>>> On Sun, 27 Aug 2006, DAve wrote:
>>>>
>>>>> I for one want no part of a plugin that requires I send every
>>>>> single message in it's entirety to SA every time. I'd be DOS'ed
>>>>> within a month. I also think
>>>> Agreed
>>>
>>> I thoroughly agree that we shouldn't send the whole message. If you
>>> want to do that, just set Max SpamAssassin Size = 500m :-)
>>>
>>> I'm trying to come up with a compromise that keeps most of you happy
>>> most of the time. See my recent "--- round 2" posting.
>>
>> Julian,
>>
>> Probably late & lame with this observation:
>>
>> Why not adopt the same logic as from the spamc -s switch
>>
>> -s *max_size*
>> Set the maximum message size which will be sent to spamd -- any
>> bigger than this threshold and the message will be returned
>> unprocessed (default: 250 KB).
>> If spamc gets handed a message bigger
>> than this, it won't be passed to spamd.
>>
>> The size is specified in bytes, as a positive integer greater than
>> 0. For example, -s 250000.
>>
>> This means the full message size and will not distort the SA scanning
>> if only part of the msg is scanned (and possibly misclassified)
> I don't like that, as most spam can be identified by the first 20k, and
> your idea would let through large spam.

those were the days ....

many img spams have a img payload of 30k, 2k of gibberish + a URL. See
it every day... how do you know you'd be catching all of them?

Also, your method often causes FPs with SA obfuscation rules hitting the
first eg: 20kb of a 300kb PDF attachment (when the sender isn't a nice
MUA), or a some SA plugin doesn't work properly coz it gets truncated
data.

Standard SA would not touch such msg in the first place and avoided a
misfire.
Rule misfire also applies to other attachment types in not 100% pretty
MIME formats, and there's LOTS of those around.

If possible, a configurable option for whatever behaviour would be most
appreciated for those who want to taste MailScanner or vanilla SA behaviour.

As a MS noobie, I'm surprised this issue hasn't been raised before.

thanks

Alex

From ms-list at alexb.ch Wed Aug 30 13:29:41 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Aug 30 13:29:57 2006
Subject: problem with recive mail from gmx
In-Reply-To:
References:
Message-ID: <44F584B5.30205@alexb.ch>

On 8/30/2006 2:17 PM, Dörfler Andreas wrote:
> hi there,
>
> since nearly 1 month i get the following errors from GMX senders:
>
> g 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: collect: premature EOM: Connection reset by mail.gmx.net
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: SYSERR(root): collect: I/O error on connection from mail.gmx.net, from=
>
> i get these errors not from all gmx senders, only from a few, but this few always the same, so they cant send
> mails to us.
>
> i got some funny contact with gmx first level support, told me thats
> an dns (reverse dns check) error but fact is: its NOT a dns error.
> first lvl support ....
>
> at the moment i have no idea what i can do because:
>
> - its only a gmx problem
> - its only from a few gmx senders, not all
> - when i try to send to gmx accounts everything fine
> - gmx support cant/wont help me
>
> any ideas ?

some milter? greylisting thingy? spf mule?

Alex

From Andreas.Doerfler at kempten.de Wed Aug 30 14:17:39 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Wed Aug 30 14:17:47 2006
Subject: problem with recive mail from gmx
Message-ID:

nothing i know about,

forgot to say, day before ive done update from sa 3.0.4 to 3.1.4
but i havent found something about special rules in the release notes

>
> some milter? greylisting thingy? spf mule?

From glenn.steen at gmail.com Wed Aug 30 14:35:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 14:35:41 2006
Subject: Trouble with Bayes
In-Reply-To:
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com>
Message-ID: <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com>

On 30/08/06, Martin wrote:
> Glenn Steen wrote:
>
> > Might be that you have some further issue "above" what can be seen in
> > that listing (postfix lacking read privs on a dir further up). Do
> > su - postfix -s /bin/sh
> > cd /var/spool/MailScanner/spamassassin
> > ... does that work?
>
> Glenn,
>
> Both commands works with no error. Any other clue?
>
> Thank you
>
> / Martin
>
Right. And as the postfix user, doing a
spamassassin --lint -D 2>&1 | less -e
everything works as expected, right?

Is that lint snippet from MailWatch, perhaps? In that case, you need
do the same test for the apache user (whatever that is on your system.
It is "apache" on mine:).

The way to get everything to work with Postfix and MailWatch (if that
is the problem) is to make the necessary parts run as postfix:apache,
and adjust the group rights accordingly. On a system near me I've got:

drwxrwsrwx 2 postfix apache 4096 aug 30 15:28 ./
drwxr-xr-x 7 root root 4096 aug 30 04:12 ../
-rw-rw---- 1 postfix apache 76440 aug 30 15:27 bayes_journal
-rw-rw---- 1 postfix apache 1200 aug 30 15:27 bayes.mutex
-rw-rw---- 1 postfix apache 20971520 aug 30 15:27 bayes_seen
-rw-rw---- 1 postfix apache 5111808 aug 30 15:27 bayes_toks

... with

Run As User = postfix
Run As Group = postfix
Quarantine User = postfix
Quarantine Group = apache
Incoming Work Permissions = 0660
Quarantine Permissions = 0660

... in /etc/MailScanner.conf, and

bayes_path /etc/MailScanner/bayes/bayes
bayes_file_mode 0770

... in /etc/mail/spamassassin/mailscanner.cf (softlink to
spam.assassin.prefs.conf).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From daniel.maher at ubisoft.com Wed Aug 30 14:36:02 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Aug 30 14:36:05 2006
Subject: Trouble with Bayes
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D170@UBIMAIL1.ubisoft.org>

Hello,

I had a similar problem quite recently, actually. The issue was that the file permissions didn't match up with "bayes_file_mode" in spamassassin.prefs.conf .

For example, if you have:
bayes_file_mode 0600

Then your "bayes_toks" needs to be "-rw-------" as well. If you don't have "bayes_file_mode" specified, I would suggest specifying it. :)

--
 _
?v?    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Martin
> Sent: August 30, 2006 7:12 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Trouble with Bayes
>
> Hi,
>
> I'm running Mailscanner + spamassassin on Debian. I've noticed the
> following error when running lint:
>
> 20549] dbg: bayes: no dbs present, cannot tie DB R/O:
> /var/spool/MailScanner/spamassassin/bayes_toks
>
> The bayes_toks IS there:
>
> :/var/spool/MailScanner/spamassassin# ls -al
> total 776456
> drwxrwx--- 2 postfix postfix 12288 2006-08-30 13:03 .
> drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
> -rwxrwx--- 1 postfix postfix 671744 2006-08-30 13:03 auto-whitelist
> -rwxrwx--- 1 postfix postfix 303104 2006-08-30 13:03 bayes_seen
> -rwxrwxr-x 1 postfix postfix 2609152 2006-08-30 13:03 bayes_toks
> -rwxrwx--- 1 postfix postfix 2514944 2006-07-21 13:56
> bayes_toks.expire10000
> -rwxrwx--- 1 postfix postfix 2658304 2006-07-25 18:17
> bayes_toks.expire1004
> * snip *
>
> And the following setting in /etc/MailScanner/spam.assassin.prefs.conf:
>
> bayes_path /var/spool/MailScanner/spamassassin/bayes
>
> Any clue what's wrong here?
>
> Thank you.
>
> / Martin

From jayesha_shinde at yahoo.com Wed Aug 30 14:37:00 2006
From: jayesha_shinde at yahoo.com (jay shi)
Date: Wed Aug 30 14:37:03 2006
Subject: message at bottom of every mails
Message-ID: <20060830133701.80121.qmail@web54409.mail.yahoo.com>

Hi friends ,

I am using MailScanner 4.55.9 version + sendmail + f-prot + fetchmail on fedora core 2

The Mails which are Send & Receive are tag with the following paragraph in the bottom of every mail as ,

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

My some client don't want this message at bottom of every mails , So i change the following line from yes to no as follows :--

/etc/MailScanner/MailScanner.conf

#Include Scanner Name In Reports = yes
Include Scanner Name In Reports = no

Then restart the MailScanner , but even though i am getting above tag (paragraph) . Is this is right setting what i have done ,if not plz show me the way,

Also is it possible to write a ruleset for this ???

Thanks & Regards
Jayesh

From glenn.steen at gmail.com Wed Aug 30 14:51:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 14:52:02 2006
Subject: problem with recive mail from gmx
In-Reply-To:
References:
Message-ID: <223f97700608300651m31493e03ndee552ccfdf483ad@mail.gmail.com>

On 30/08/06, Dörfler Andreas wrote:
> hi there,
>
> since nearly 1 month i get the following errors from GMX senders:
>
> g 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: collect: premature EOM: Connection reset by mail.gmx.net
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: SYSERR(root): collect: I/O error on connection from mail.gmx.net, from=
>
> i get these errors not from all gmx senders, only from a few, but this few always the same, so they cant send
> mails to us.

Seems to me that it is they who "drop the ball too soon", so not much
you _can_ do, unless their postmaster wants to check it out. You've
mailed him/her, I presume?

> i got some funny contact with gmx first level support, told me thats
> an dns (reverse dns check) error but fact is: its NOT a dns error.
> first lvl support ....

First level support == First line of defence. I increasingly find that
these types of "support organizations" have little to do with actually
supporting anything, more to do with foisting the problem back into
your lap.
The times you find anyone at least barely literate in
network related issues... Ah well.

> at the moment i have no idea what i can do because:
>
> - its only a gmx problem
> - its only from a few gmx senders, not all
> - when i try to send to gmx accounts everything fine
> - gmx support cant/wont help me
>
> any ideas ?
> anyone the same problem ?

Not with them, and not anyone else... for the time being. "Educating"
the other parties postmaster is the only way I know, and that only
works some times (when they want to be ... "clued in":-).
Other than that, I say it's their problem:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Aug 30 14:55:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 14:55:46 2006
Subject: Trouble with Bayes
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D170@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D170@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700608300655l242f9f7fj2a2b94aa00fdbad1@mail.gmail.com>

On 30/08/06, Daniel Maher wrote:
> Hello,
>
> I had a similar problem quite recently, actually. The issue was that the file permissions didn't match up with "bayes_file_mode" in spamassassin.prefs.conf .
>
> For example, if you have:
> bayes_file_mode 0600
>
> Then your "bayes_toks" needs to be "-rw-------" as well. If you don't have "bayes_file_mode" specified, I would suggest specifying it. :)
>
According to Matt Kettler, one should always set that to accommodate
situations where it can create directories too. Hence my setting it to
0770:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Aug 30 14:59:47 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 14:59:51 2006
Subject: message at bottom of every mails
In-Reply-To: <20060830133701.80121.qmail@web54409.mail.yahoo.com>
References: <20060830133701.80121.qmail@web54409.mail.yahoo.com>
Message-ID: <223f97700608300659i479980adn58a4257e06b64f32@mail.gmail.com>

On 30/08/06, jay shi wrote:
> Hi friends ,
> I am using MailScanner 4.55.9 version + sendmail +
> f-prot + fetchmail on fedora core 2
> The Mails which are Send & Receive are tag with the
> following paragraph in the bottom of every mail as ,
>
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> My some client don't want this message at bottom of
> every mails , So i change the following line from yes to no as
> follows :--
> /etc/MailScanner/MailScanner.conf
>
> #Include Scanner Name In Reports = yes
> Include Scanner Name In Reports = no
> Then restart the MailScanner , but even though i am
> getting above tag (paragraph) . Is this is right setting what i have done
> ,if not plz show me the way,
> Also is it possible to write a ruleset for this ???
>
> Thanks & Regards
> Jayesh
>
Nope, that's wrong setting. It's the Sign Clean Messages setting you
should be fiddling with, perhaps making it be a ruleset.
Look at
http://www.mailscanner.info/MailScanner.conf.index.html#Sign%20Clean%20Messages

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Aug 30 15:05:03 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 15:05:33 2006
Subject: Deleted Virus Message Report
In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2420EA@idefix.danielf.local>
References: <96EF3FB3C374A64187CCB0D0DA716F2420EA@idefix.danielf.local>
Message-ID: <44F59B0F.3080107@ecs.soton.ac.uk>

Yes you can.

Deleted Virus Message report = %rules-dir%/deleted.v.message.rules

And then in that file

From: domain.com /etc/MailScanner/en/report/delete.virus.message.txt
FromOrTo: abuse@* /etc/MailScanner/en/report/other.report.txt
To: special@domain2.com /etc/MailScanner/en/report/another.report.txt
FromOrTo: default /etc/MailScanner/en/report/default.report.txt

Then restart MailScanner.

Daniel Fuhrer wrote:
>
> Hi All
>
> I'm very new to Mailscanner. Can I make a rule for the "Deleted Virus
> Message Report" that sends different messages according to the domain
> of the Sender? How has such a rule look like? And how do I have to
> configure it in MailScanner.conf?
>
> I have MailScanner 4.55.10, Perl 5.8.8 on FreeBSD 5.x
>
> Thanks for your help.
>
> Cheers Daniel
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From brett at wrl.org Wed Aug 30 15:04:29 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 15:07:04 2006
Subject: mqueue.in just gets bigger - no delivery?
Message-ID:

Thanks for your response, Logan! I appreciate it.

> First question: when you start MailScanner, does it successfully
> start and stay running?

Yes. It forks off and chews up CPU time quite happily.

> Next question: does it spawn children? Look at the output of
> "ps -ef | grep MailScanner" to see if it does.

Yepper:

franklin:/var/backups# ps -ef | grep MailScanner
root 29629 1 0 10:01 ? 00:00:00 MailScanner: starting children
root 29630 29629 26 10:01 ? 00:00:08 MailScanner: starting children
root 29656 29629 28 10:01 ? 00:00:06 MailScanner: starting children
root 29681 29629 22 10:01 ? 00:00:02 MailScanner: starting children

> Next question: does it appear to be processing messages? What is
> it logging to syslog? (Do a "grep MailScanner /var/log/maillog" or
> similar.)

It seems to. If I set "Scan Messages = no" in MailScanner.conf, mail
flows without inspection just fine. Here's some syslog with Scan Messages = yes

Aug 30 10:01:44 franklin MailScanner[29656]: MailScanner E-Mail Virus Scanner version 4.51.5 starting...
Aug 30 10:01:45 franklin MailScanner[29656]: Read 710 hostnames from the phishing whitelist
Aug 30 10:01:45 franklin MailScanner[29656]: Config: calling custom init function MailWatchLogging
Aug 30 10:01:45 franklin MailScanner[29656]: Started SQL Logging child
Aug 30 10:01:46 franklin MailScanner[29656]: Using SpamAssassin results cache
Aug 30 10:01:46 franklin MailScanner[29656]: Connected to SpamAssassin cache database
Aug 30 10:01:46 franklin MailScanner[29656]: Enabling SpamAssassin auto-whitelist functionality...
Aug 30 10:01:55 franklin MailScanner[29681]: MailScanner E-Mail Virus Scanner version 4.51.5 starting...
Aug 30 10:01:55 franklin MailScanner[29681]: Read 710 hostnames from the phishing whitelist
Aug 30 10:01:55 franklin MailScanner[29681]: Config: calling custom init function MailWatchLogging
Aug 30 10:01:56 franklin MailScanner[29681]: Started SQL Logging child
Aug 30 10:01:56 franklin MailScanner[29681]: Using SpamAssassin results cache
Aug 30 10:01:56 franklin MailScanner[29681]: Connected to SpamAssassin cache database
Aug 30 10:01:56 franklin MailScanner[29681]: Enabling SpamAssassin auto-whitelist functionality...
Aug

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From dave.list at pixelhammer.com Wed Aug 30 15:12:26 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Aug 30 15:12:51 2006
Subject: problem with recive mail from gmx
In-Reply-To:
References:
Message-ID: <44F59CCA.9030703@pixelhammer.com>

Dörfler Andreas wrote:
> hi there,
>
> since nearly 1 month i get the following errors from GMX senders:
>
> g 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:30:51 srv sendmail-in[21651]: k7U5UpY6021651: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: collect: premature EOM: Connection reset by mail.gmx.de
> Aug 30 07:47:38 srv sendmail-in[22449]: k7U5lbxl022449: SYSERR(root): collect: I/O error on connection from mail.gmx.de, from=
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: collect: premature EOM: Connection reset by mail.gmx.net
> Aug 30 07:58:04 srv sendmail-in[23060]: k7U5w3bk023060: SYSERR(root): collect: I/O error on connection from mail.gmx.net, from=
>
> i get these errors not from all gmx senders, only from a few, but
this few always the same, so they cant send
> mails to us.
>
> i got some funny contact with gmx first level support, told me thats
> an dns (reverse dns check) error but fact is: its NOT a dns error.
> first lvl support ....
>
> at the moment i have no idea what i can do because:
>
> - its only a gmx problem
> - its only from a few gmx senders, not all
> - when i try to send to gmx accounts everything fine
> - gmx support cant/wont help me
>
> any ideas ?
> anyone the same problem ?

I get those at least a few times a day. I ignore them, no complaints from clients so far ;^)

My Network admin suggested it was MTU size. I did find this explanation. No idea if it will cause your server to crash, stock prices to fall, or increase global warming. Investigate and make your own decision.

http://www.hitechsavvy.com/print.php?sid=210

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From MailScanner at ecs.soton.ac.uk Wed Aug 30 15:16:16 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 15:16:45 2006
Subject: mail with attachment issues from internet clients.
In-Reply-To:
References:
Message-ID: <44F59DB0.9020502@ecs.soton.ac.uk>

Have you got any rules involved? But it sounds a lot more like a sendmail problem than a MailScanner one. MailScanner is not involved with either the receipt or delivery of email messages.

Ivan Arteaga wrote:
> Hello,
>
> I have MS running on CentOS 4.x, it has two NICs installed (internal &
> external). When I send emails with attachments from the internal users works
> fine but not when I send it from the external users (mobile users via
> internet). It doesn't matter the attachment size, it can be Ks or Megs it
> takes a long until it timeouts. I have no firewalls between the server and
> the internet.
>
> Any advice??
>
> Regards,
>
>
> --Ivan.
>
>
>
> "Lock both ways before crossing the net"
>
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From brett at wrl.org Wed Aug 30 15:07:33 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 15:20:55 2006
Subject: mqueue.in just gets bigger - no delivery?
Message-ID:

Thanks for taking the time to help me out, Res!

> Can you MailScanner --lint

Sure can:

franklin:/var/backups# MailScanner --lint
Read 710 hostnames from the phishing whitelist
Config: calling custom init function MailWatchLogging
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = clamavmodule"
Found these virus scanners installed: clamavmodule

> This more or less sounds like a permissioning error
> when you ps ax | grep MailScanner do you see the parent and its typically
> 5 kids?

I've got "Max Children = 5":

29629 ? SNs 0:00 MailScanner: master waiting for children, sleeping
29630 ? SN 0:29 MailScanner: checking with SpamAssassin
29656 ? SN 0:29 MailScanner: virus scanning
29681 ? SN 0:27 MailScanner: checking with SpamAssassin
29694 ? SN 0:28 MailScanner: checking with SpamAssassin
29717 ? SN 0:28 MailScanner: virus scanning
29976 ? DN 0:00 MailScanner: checking with SpamAssassin
29993 ? RN 0:07 MailScanner: checking with SpamAssassin
30052 ? RN 0:03 MailScanner: checking with SpamAssassin
30060 ? DNs 0:00 MailScanner: virus scanning
30061 ? DNs 0:00 MailScanner: virus scanning

> Is there a after any or all of them?

Not at the time I ps'd...
--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From daniel at danielf.ch Wed Aug 30 15:17:08 2006
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Wed Aug 30 15:21:08 2006
Subject: AW: Deleted Virus Message Report
In-Reply-To: <44F59B0F.3080107@ecs.soton.ac.uk>
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F24464A@idefix.danielf.local>

-----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Wednesday, 30 August 2006 16:05
> To: MailScanner discussion
> Subject: Re: Deleted Virus Message Report
>
> Yes you can.
> Deleted Virus Message report = %rules-dir%/deleted.v.message.rules
>
> And then in that file
> From: domain.com /etc/MailScanner/en/report/delete.virus.message.txt
> FromOrTo: abuse@* /etc/MailScanner/en/report/other.report.txt
> To: special@domain2.com /etc/MailScanner/en/report/another.report.txt
> FromOrTo: default /etc/MailScanner/en/report/default.report.txt
>
> Then restart MailScanner.
>
> Daniel Fuhrer wrote:
>>
> > Hi All
> >
> > I'm very new to Mailscanner. Can I make a rule for the "Deleted Virus
> > Message Report" that sends different messages according to the domain
> > of the Sender? How has such a rule look like? And how do I have to
> > configure it in MailScanner.conf?
> >
> > I have MailScanner 4.55.10, Perl 5.8.8 on FreeBSD 5.x
> >
> > Thanks for your help.
> >
> > Cheers Daniel
> >
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

I think that works for all reports.

Thanks for your help

Cheers daniel

From brett at wrl.org Wed Aug 30 15:12:54 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 15:21:51 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID:

I should add that SpamAssassin *is* timing out quite often:

SpamAssassin timed out and was killed, failure 2 of 10

I've set

bayes_auto_learn 0
bayes_auto_expire 0

in /etc/MailScanner/spam.assassin.prefs.conf

I've posted output from

spamassassin -x -D -p /path/to/spam.assassin.prefs.conf --lint

here:

http://pastebin.ca/154652

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From P.G.M.Peters at utwente.nl Wed Aug 30 15:22:25 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 30 15:22:31 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID: <44F59F21.3010707@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brett Charbeneau wrote on 30-8-2006 16:04:
>> First question: when you start MailScanner, does it successfully
>> start and stay running?
>
> Yes. It forks off and chews up CPU time quite happily.

Do you see the forks?

>> Next question: does it spawn children? Look at the output of
>> "ps -ef | grep MailScanner" to see if it does.
>
> Yepper:
>
> franklin:/var/backups# ps -ef | grep MailScanner
> root 29629 1 0 10:01 ? 00:00:00 MailScanner: starting
> children
> root 29630 29629 26 10:01 ? 00:00:08 MailScanner: starting
> children
> root 29656 29629 28 10:01 ? 00:00:06 MailScanner: starting
> children
> root 29681 29629 22 10:01 ? 00:00:02 MailScanner: starting
> children

I get:

mail 5533 1 0 Aug29 00:00:00 MailScanner: starting child
mail 17016 5533 0 16:00 00:00:07 MailScanner: waiting for messages
mail 17039 5533 0 16:01 00:00:05 MailScanner: waiting for messages
mail 17069 5533 0 16:01 00:00:07 MailScanner: waiting for messages
mail 17094 5533 0 16:01 00:00:05 MailScanner: waiting for messages
mail 17107 5533 0 16:01 00:00:06 MailScanner: waiting for messages
mail 17133 5533 0 16:01 00:00:06 MailScanner: waiting for messages
mail 17150 5533 0 16:01 00:00:06 MailScanner: waiting for messages
mail 17176 5533 0 16:02 00:00:05 MailScanner: waiting for messages
mail 17184 5533 0 16:02 00:00:06 MailScanner: waiting for messages
mail 17211 5533 0 16:02 00:00:06 MailScanner: waiting for messages

(Not such a busy server)

>> Next question: does it appear to be processing messages? What is
>> it logging to syslog? (Do a "grep MailScanner /var/log/maillog" or
>> similar.)
>
> It seems to.
> If I set "Scan Messages = no" in MailScanner.conf, mail flows
> without inspection just fine.
> Here's some syslog with Scan Messages = yes
>
> Aug 30 10:01:44 franklin MailScanner[29656]: MailScanner E-Mail Virus
> Scanner version 4.51.5 starting...
> Aug 30 10:01:45 franklin MailScanner[29656]: Read 710 hostnames from the
> phishing whitelist
> Aug 30 10:01:45 franklin MailScanner[29656]: Config: calling custom init
> function MailWatchLogging
> Aug 30 10:01:45 franklin MailScanner[29656]: Started SQL Logging child
> Aug 30 10:01:46 franklin MailScanner[29656]: Using SpamAssassin results
> cache
> Aug 30 10:01:46 franklin MailScanner[29656]: Connected to SpamAssassin
> cache database
> Aug 30 10:01:46 franklin MailScanner[29656]: Enabling SpamAssassin
> auto-whitelist functionality...

You should find lines like this too:

Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Found 21 messages waiting
Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Scanning 1 messages, 21408 bytes

This proves MailScanner has found the correct queue (21 messages in some state) and starts to process 1 message that is already completely delivered and not being processed by any other MS process.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE9Z8helLo80lrIdIRAoyoAKCd0jcPHNfyjFjm6ElW7Wk1kPr+BACcDbTV
DpLT5fw5k0qbHspeMSdsijQ=
=OdpR
-----END PGP SIGNATURE-----

From dave.list at pixelhammer.com Wed Aug 30 15:29:03 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Aug 30 15:29:27 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID: <44F5A0AF.3070804@pixelhammer.com>

Brett Charbeneau wrote:
>
> Thanks for your response, Logan! I appreciate it.
>
>> First question: when you start MailScanner, does it successfully
>> start and stay running?
>
> Yes. It forks off and chews up CPU time quite happily.
>
>> Next question: does it spawn children?
Look at the output of
>> "ps -ef | grep MailScanner" to see if it does.
>
> Yepper:
>
> franklin:/var/backups# ps -ef | grep MailScanner
> root 29629 1 0 10:01 ? 00:00:00 MailScanner: starting
> children
> root 29630 29629 26 10:01 ? 00:00:08 MailScanner: starting
> children
> root 29656 29629 28 10:01 ? 00:00:06 MailScanner: starting
> children
> root 29681 29629 22 10:01 ? 00:00:02 MailScanner: starting
> children
>
>> Next question: does it appear to be processing messages? What is
>> it logging to syslog? (Do a "grep MailScanner /var/log/maillog" or
>> similar.)
>
> It seems to.
> If I set "Scan Messages = no" in MailScanner.conf, mail flows
> without inspection just fine.
> Here's some syslog with Scan Messages = yes
>
> Aug 30 10:01:44 franklin MailScanner[29656]: MailScanner E-Mail Virus
> Scanner version 4.51.5 starting...
> Aug 30 10:01:45 franklin MailScanner[29656]: Read 710 hostnames from the
> phishing whitelist
> Aug 30 10:01:45 franklin MailScanner[29656]: Config: calling custom init
> function MailWatchLogging
> Aug 30 10:01:45 franklin MailScanner[29656]: Started SQL Logging child
> Aug 30 10:01:46 franklin MailScanner[29656]: Using SpamAssassin results
> cache
> Aug 30 10:01:46 franklin MailScanner[29656]: Connected to SpamAssassin
> cache database
> Aug 30 10:01:46 franklin MailScanner[29656]: Enabling SpamAssassin
> auto-whitelist functionality...
> Aug 30 10:01:55 franklin MailScanner[29681]: MailScanner E-Mail Virus
> Scanner version 4.51.5 starting...
> Aug 30 10:01:55 franklin MailScanner[29681]: Read 710 hostnames from the
> phishing whitelist
> Aug 30 10:01:55 franklin MailScanner[29681]: Config: calling custom init
> function MailWatchLogging
> Aug 30 10:01:56 franklin MailScanner[29681]: Started SQL Logging child
> Aug 30 10:01:56 franklin MailScanner[29681]: Using SpamAssassin results
> cache
> Aug 30 10:01:56 franklin MailScanner[29681]: Connected to SpamAssassin
> cache database
> Aug 30 10:01:56 franklin MailScanner[29681]: Enabling SpamAssassin
> auto-whitelist functionality...
> Aug
>

Are you using MailWatch? If so you should also be seeing log lines like so,

Aug 30 10:24:59 avhost1 MailScanner[81205]: Logging message k7UEOgje096953 to SQL

Try setting "Always Looked Up Last = no" in MailScanner.conf and see if the problem persists. Not that I think MailWatch is the issue, but removing config changes is always a good place to start troubleshooting.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From bpumphrey at WoodMacLaw.com Wed Aug 30 15:36:51 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Wed Aug 30 15:36:57 2006
Subject: OT: Feeding Bayes with EML's
In-Reply-To: <44F59DB0.9020502@ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150195DB76@woodenex.woodmaclaw.local>

I have a bunch of EML files in windows but cannot figure out how to get them to the regular mail format to feed bayes. I know how to get the emails to bayes, no problem. Just need to get the EML's to show up as regular emails and not be an attachment.

Has anyone done this?

Thank you

From brett at wrl.org Wed Aug 30 15:51:05 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 15:53:33 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <44F59F21.3010707@utwente.nl>
References: <44F59F21.3010707@utwente.nl>
Message-ID:

Great to hear from you Peter - I'm grateful for the help!

On Wed, 30 Aug 2006, Peter Peters wrote:

PP> > Yes. It forks off and chews up CPU time quite happily.
PP>
PP> Do you see the forks?

Well, I always thought the children of a process were the results of forking - did I miss something? If so, I'd love to know how to ps them, or whatever.

PP> I get:
PP> mail 5533 1 0 Aug29 00:00:00 MailScanner: starting child
PP> mail 17016 5533 0 16:00 00:00:07 MailScanner: waiting for messages
PP> mail 17039 5533 0 16:01 00:00:05 MailScanner: waiting for messages
PP>
PP> (Not such a busy server)

I may not have let it run very long. Here is more typical output:

franklin:/var/backups# ps ax | grep MailScanner
1851 ? SNs 0:00 MailScanner: master waiting for children, sleeping
1852 ? SN 0:29 MailScanner: checking with SpamAssassin
1876 ? SN 0:27 MailScanner: virus scanning
1892 ? SN 0:27 MailScanner: waiting for messages
1909 ? RN 0:27 MailScanner: starting children
1928 ? RN 0:24 MailScanner: starting children
1982 ? DN 0:10 MailScanner: checking with SpamAssassin
2033 ? RNs 0:00 MailScanner: virus scanning

PP> You should find lines like this too:
PP> Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Found 21 messages
PP> waiting
PP> Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Scanning 1
PP> messages, 21408 bytes
PP>
PP> This proves MailScanner has found the correct queue (21 messages in some
PP> state) and starts to process 1 message that is already completely
PP> delivered and not being processed by any other MS process.
Right - I do get these:

Aug 30 10:48:47 franklin MailScanner[1876]: New Batch: Found 50 messages waiting
Aug 30 10:48:47 franklin MailScanner[1876]: New Batch: Scanning 1 messages, 1454 bytes
Aug 30 10:49:01 franklin MailScanner[1892]: New Batch: Found 51 messages waiting
Aug 30 10:49:01 franklin MailScanner[1892]: New Batch: Scanning 1 messages, 7267 bytes
Aug 30 10:49:51 franklin MailScanner[1892]: New Batch: Found 50 messages waiting
Aug 30 10:49:51 franklin MailScanner[1892]: New Batch: Scanning 1 messages, 88227 bytes
Aug 30 10:50:12 franklin MailScanner[1928]: New Batch: Found 51 messages waiting
Aug 30 10:50:12 franklin MailScanner[1928]: New Batch: Scanning 1 messages, 6066 bytes
Aug 30 10:50:25 franklin MailScanner[1909]: New Batch: Found 52 messages waiting

but as you can see it keeps finding more and more...

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From ms-list at alexb.ch Wed Aug 30 16:00:37 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Aug 30 16:00:43 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID: <44F5A815.4020801@alexb.ch>

On 8/30/2006 4:12 PM, Brett Charbeneau wrote:
> I should add that SpamAssassin *is* timing out quite often:
>
> SpamAssassin timed out and was killed, failure 2 of 10
>
> I've set
>
> bayes_auto_learn 0
> bayes_auto_expire 0
>
> in /etc/MailScanner/spam.assassin.prefs.conf
> I've posted output from
>
> spamassassin -x -D -p /path/to/spam.assassin.prefs.conf --lint
>
> here:
>
> http://pastebin.ca/154652

Before you start turning knobs on MS I suggest you go thru your rule collection:

The rule files below are include the numbered files you may be using so redundant.
Use either the numbered or the general

debug: config: read file /etc/spamassassin/70_sare_html.cf
debug: config: read file /etc/spamassassin/70_sare_genlsubj.cf
debug: config: read file /etc/spamassassin/70_sare_header.cf
debug: config: read file /etc/spamassassin/70_sare_html.cf
debug: config: read file /etc/spamassassin/70_sare_obfu.cf
____
debug: config: read file /etc/spamassassin/71_sare_bml_pre25x.cf
debug: config: read file /etc/spamassassin/99_sare_fraud_pre25x.cf

PRE 2.5 - obsolete and *may* cause issues with 3.x
___
debug: config: read file /etc/spamassassin/blacklist-uri.cf

totally Unnecessary when using URIDNSBL plugin
HUGE size, slow and requires LOTS of memory. dump that! :-)
___
debug: config: read file /etc/spamassassin/70_sare_adult.cf
Added to SA - obsolete.

h2h

Alex

From brett at wrl.org Wed Aug 30 15:59:19 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 16:04:29 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <44F5A0AF.3070804@pixelhammer.com>
References: <44F5A0AF.3070804@pixelhammer.com>
Message-ID:

Good question, Dave - thanks for your interest in our problem!

On Wed, 30 Aug 2006, DAve wrote:

D> Are you using MailWatch?
If so you should also be seeing log lines like so,
D>
D> Aug 30 10:24:59 avhost1 MailScanner[81205]: Logging message k7UEOgje096953 to
D> SQL

Yes, and I do:

Aug 30 10:51:07 franklin MailScanner[1928]: Logging message k7UEoRWo002197 to SQL
Aug 30 10:51:07 franklin MailScanner[1928]: Logging message k7UEoRpO002199 to SQL
Aug 30 10:51:08 franklin MailScanner[1856]: k7UEoRWo002197: Logged to MailWatch SQL
Aug 30 10:51:08 franklin MailScanner[1856]: k7UEoRpO002199: Logged to MailWatch SQL
Aug 30 10:51:20 franklin sm-mta[2267]: k7UEp9Ow002267: Subject:.RE:[HORIZON-L]SQL.to.Find.Patron
Aug 30 10:51:34 franklin MailScanner[1892]: Logging message k7UEnKlH002041 to SQL
Aug 30 10:51:34 franklin MailScanner[1856]: k7UEnKlH002041: Logged to MailWatch SQL

D> Try setting "Always Looked Up Last = no" in MailScanner.conf and see if the
D> problem persists. Not that I think MailWatch is the issue, but removing
D> config changes is always a good place to start troubleshooting.

Good plan. I had it as

Always Looked Up Last = &MailWatchLogging

and switched it to what you suggested. I'm afraid the Inbound queue continues to grow without delivery.

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From mikea at mikea.ath.cx Wed Aug 30 16:07:06 2006
From: mikea at mikea.ath.cx (mikea)
Date: Wed Aug 30 16:07:10 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: ; from brett@wrl.org on Wed, Aug 30, 2006 at 10:51:05AM -0400
References: <44F59F21.3010707@utwente.nl>
Message-ID: <20060830100706.A40179@mikea.ath.cx>

On Wed, Aug 30, 2006 at 10:51:05AM -0400, Brett Charbeneau wrote:
> Great to hear from you Peter - I'm grateful for the help!
>
> On Wed, 30 Aug 2006, Peter Peters wrote:
>
> PP> > Yes.
It forks off and chews up CPU time quite happily.
> PP>
> PP> Do you see the forks?
>
> Well, I always thought the children of a process were the results of
> forking - did I miss something? If so, I'd love to know how to ps them, or
> whatever.

On my FreeBSD systems[1], `ps awwwwwwwwwwwwwwwwwwuxj` captures a lot
of information, including the parent PID and GID. You can adjust the
number of "w" in the command to capture what you want, of course. You
may need to adjust the parms (slightly or massively) for Linux.

[1] Yes, I know, I'm not running Linux. It works for me.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From glenn.steen at gmail.com Wed Aug 30 16:10:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 16:10:42 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F59F21.3010707@utwente.nl>
Message-ID: <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com>

On 30/08/06, Brett Charbeneau wrote:
> Great to hear from you Peter - I'm grateful for the help!
>
> On Wed, 30 Aug 2006, Peter Peters wrote:
>
> PP> > Yes. It forks off and chews up CPU time quite happily.
> PP>
> PP> Do you see the forks?
>
> Well, I always thought the children of a process were the results of
> forking - did I miss something? If so, I'd love to know how to ps them, or
> whatever.
>
> PP> I get:
> PP> mail 5533 1 0 Aug29 00:00:00 MailScanner: starting child
> PP> mail 17016 5533 0 16:00 00:00:07 MailScanner: waiting for messages
> PP> mail 17039 5533 0 16:01 00:00:05 MailScanner: waiting for messages
> PP>
> PP> (Not such a busy server)
>
> I may not have let it run very long. Here is more typical output:
>
> franklin:/var/backups# ps ax | grep MailScanner
> 1851 ? SNs 0:00 MailScanner: master waiting for children, sleeping
> 1852 ? SN 0:29 MailScanner: checking with SpamAssassin
> 1876 ? SN 0:27 MailScanner: virus scanning
> 1892 ? SN 0:27 MailScanner: waiting for messages
> 1909 ?
RN 0:27 MailScanner: starting children
> 1928 ? RN 0:24 MailScanner: starting children
> 1982 ? DN 0:10 MailScanner: checking with SpamAssassin
> 2033 ? RNs 0:00 MailScanner: virus scanning
>
>
> PP> You should find lines like this too:
> PP> Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Found 21 messages
> PP> waiting
> PP> Aug 30 06:16:25 netlx094 MailScanner[3204]: New Batch: Scanning 1
> PP> messages, 21408 bytes
> PP>
> PP> This proves MailScanner has found the correct queue (21 messages in some
> PP> state) and starts to process 1 message that is already completely
> PP> delivered and not being processed by any other MS process.
>
> Right - I do get these:
>
> Aug 30 10:48:47 franklin MailScanner[1876]: New Batch: Found 50 messages waiting
> Aug 30 10:48:47 franklin MailScanner[1876]: New Batch: Scanning 1 messages, 1454
> bytes
> Aug 30 10:49:01 franklin MailScanner[1892]: New Batch: Found 51 messages waiting
> Aug 30 10:49:01 franklin MailScanner[1892]: New Batch: Scanning 1 messages, 7267
> bytes
> Aug 30 10:49:51 franklin MailScanner[1892]: New Batch: Found 50 messages waiting
> Aug 30 10:49:51 franklin MailScanner[1892]: New Batch: Scanning 1 messages,
> 88227 bytes
> Aug 30 10:50:12 franklin MailScanner[1928]: New Batch: Found 51 messages waiting
> Aug 30 10:50:12 franklin MailScanner[1928]: New Batch: Scanning 1 messages, 6066
> bytes
> Aug 30 10:50:25 franklin MailScanner[1909]: New Batch: Found 52 messages waiting
>
>
> but as you can see it keeps finding more and more...
>

How long were you out, and what is your average count of mails/day?
Apart from it being a tad slow, perhaps, it looks to be chugging along
nicely:-).
It just might be a bit of backlog emulating a veritable "thundering
herd" of messages:).
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Aug 30 16:24:06 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 16:24:09 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <20060830100706.A40179@mikea.ath.cx>
References: <44F59F21.3010707@utwente.nl> <20060830100706.A40179@mikea.ath.cx>
Message-ID: <223f97700608300824j7581ecbav66eef1ee291a3739@mail.gmail.com>

On 30/08/06, mikea wrote:
> On Wed, Aug 30, 2006 at 10:51:05AM -0400, Brett Charbeneau wrote:
> > Great to hear from you Peter - I'm grateful for the help!
> >
> > On Wed, 30 Aug 2006, Peter Peters wrote:
> >
> > PP> > Yes. It forks off and chews up CPU time quite happily.
> > PP>
> > PP> Do you see the forks?
> >
> > Well, I always thought the children of a process were the results of
> > forking - did I miss something? If so, I'd love to know how to ps them, or
> > whatever.
>
> On my FreeBSD systems[1], `ps awwwwwwwwwwwwwwwwwwuxj` captures a lot
> of information, including the parent PID and GID. You can adjust the
> number of "w" in the command to capture what you want, of course. You
> may need to adjust the parms (slightly or massively) for Linux.
>
> [1] Yes, I know, I'm not running Linux. It works for me.
>

From the ps manpage:
-------

-w Wide output. Use this option twice for unlimited width.

w Wide output. Use this option twice for unlimited width.

------

If FreeBSD uses procps (perhaps not likely?) it'd be the same:-).
Oh, about [1]... I'm glad you use it intentionally... would be dreadful if choice of OS was accidental:-):-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Aug 30 16:29:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 30 16:29:52 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <223f97700608300824j7581ecbav66eef1ee291a3739@mail.gmail.com>
References: <44F59F21.3010707@utwente.nl> <20060830100706.A40179@mikea.ath.cx> <223f97700608300824j7581ecbav66eef1ee291a3739@mail.gmail.com>
Message-ID: <223f97700608300829h5bb1696cv25185584998c0ed0@mail.gmail.com>

On 30/08/06, Glenn Steen wrote:
> On 30/08/06, mikea wrote:
> > On Wed, Aug 30, 2006 at 10:51:05AM -0400, Brett Charbeneau wrote:
> > > Great to hear from you Peter - I'm grateful for the help!
> > >
> > > On Wed, 30 Aug 2006, Peter Peters wrote:
> > >
> > > PP> > Yes. It forks off and chews up CPU time quite happily.
> > > PP>
> > > PP> Do you see the forks?
> > >
> > > Well, I always thought the children of a process were the results of
> > > forking - did I miss something? If so, I'd love to know how to ps them, or
> > > whatever.
> >
> > On my FreeBSD systems[1], `ps awwwwwwwwwwwwwwwwwwuxj` captures a lot
> > of information, including the parent PID and GID. You can adjust the
> > number of "w" in the command to capture what you want, of course. You
> > may need to adjust the parms (slightly or massively) for Linux.
> >
> > [1] Yes, I know, I'm not running Linux. It works for me.
> >
> From the ps manpage:
> -------
>
> -w Wide output. Use this option twice for unlimited width.
>
> w Wide output. Use this option twice for unlimited width.
>
> ------
>
> If FreeBSD uses procps (perhaps not likely?) it'd be the same:-).
> Oh, about [1]... I'm glad you use it intentionally... would be
> dreadful if choice of OS was accidental:-):-)

(Just showing that I'm still a postfix user by replying to myself:-)

The previous snippet was from a Mandriva linux system... This is from AIX:
-----
w Specifies a wide-column format for output (132 columns rather than 80). If repeated, (for example, ww), uses arbitrarily wide output. This information is used to decide how much of long commands to print.
-----
... So perhaps it'd be the same on fdsd too. Save a bit on the key repeat:-).
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From brett at wrl.org Wed Aug 30 16:50:11 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 16:51:20 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <44F5A815.4020801@alexb.ch>
References: <44F5A815.4020801@alexb.ch>
Message-ID:

I appreciate input, Alex!

On Wed, 30 Aug 2006, Alex Broens wrote:

AB> Before you start turning knobs on MS I suggest you go thru your rule
AB> collection:
AB>
AB>
AB> The rule files below are include the numbered files you may be using so
AB> redundant.

Good thought. As you can probably tell I'm using the Rules_du_Jour script and opted for most of the rules. Redundancy didn't cross my mind. Doh! I'll definitely trim my TRUSTED_RULESETS in /etc/rulesdujour/config...

AB> Use either the numbered or the general
AB>
AB> debug: config: read file /etc/spamassassin/70_sare_html.cf
AB> debug: config: read file /etc/spamassassin/70_sare_genlsubj.cf
AB> debug: config: read file /etc/spamassassin/70_sare_header.cf
AB> debug: config: read file /etc/spamassassin/70_sare_html.cf
AB> debug: config: read file /etc/spamassassin/70_sare_obfu.cf

Not sure I'm following you here. Do these five sare rulesets overlap?

AB> debug: config: read file /etc/spamassassin/71_sare_bml_pre25x.cf
AB> debug: config: read file /etc/spamassassin/99_sare_fraud_pre25x.cf
AB>
AB> PRE 2.5 - obsolete and *may* cause issues with 3.x

Duh. Thanks - deleted.

AB> debug: config: read file /etc/spamassassin/blacklist-uri.cf
AB>
AB> totally Unnecessary when using URIDNSBL plugin
AB> HUGE size, slow and requires LOTS of memory. dump that! :-)

Ah, that could be the reason for the timeouts! GOOD CALL.

AB> debug: config: read file /etc/spamassassin/70_sare_adult.cf
AB> Added to SA - obsolete.

Excellent, Alex. I've treated the RulesDuJour as a set-it-and-forget-it thing, which is obviously asking for trouble.
I'll try to find a way to keep on top of this...

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From lodder at delodder.be Wed Aug 30 16:52:29 2006
From: lodder at delodder.be (Philippe Delodder)
Date: Wed Aug 30 16:53:05 2006
Subject: Disable disarming sertant emails
Message-ID: <44F5B43D.5010000@delodder.be>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello,

i'm having a bit of a problem i'm trying to disable disarming emails from only a few email addresses. i have searched the web and i didn't find anything relevant.

pls help me solve this issue of mine

I have version 4.51.5 of mailscanner and i have version 2.2.10 of postfix my distro is debian etch

thx in advance.

- --
Philippe Delodder
lodder@delodder.be
http://www.delodder.be

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE9bQ93KvtrDGPcVURArDPAJ9GXFm4XM1eG5zHGLO4IrWlSge7LQCfe5u+
CACePa+DL0cYJHOiAeFGZBQ=
=FlIL
-----END PGP SIGNATURE-----

From brett at wrl.org Wed Aug 30 16:56:41 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 16:57:32 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com>
References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com>
Message-ID:

On Wed, 30 Aug 2006, Glenn Steen wrote:

GS> How long were you out, and what is your average count of mails/day?
GS> Apart from it being a tad slow, perhaps, it looks to be chugging along
GS> nicely:-).
GS> It just might be a bit of backlog emulating a veritable "thundering
GS> herd" of messages:).

I let it run yesterday for several hours and my Inbound queue just kept getting bigger.
I know what you mean on chugging along, though. I think the SpamAssassin timeouts were revealing and Alex Broens' post on the redundant rules may have solved the problem.

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From ssilva at sgvwater.com Wed Aug 30 17:18:36 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 17:20:18 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44F57150.4030402@treelogic.com>
References: <44F57150.4030402@treelogic.com>
Message-ID:

Sergio García Caso spake the following on 8/30/2006 4:06 AM:
>>
>>
>> The output of "MailScanner --changed" might be useful here too,
>> just in
>> case you have made a mistake in your MailScanner.conf.
>>
> I can't execute "MailScanner --changed" (It says: 'Unknown option:
> changed'). Today MailScanner hasn't stopped yet.
>
>>
>> Do you cycle your syslog files more than once a week?
>>
>> Is syslog still running when you discover MS hanging?
>>
>> Are there any mail files in the /var/spool/MailScanner/PID dirs?
>>
>> -check timestamps for the latest maillog entry against the files
>>
>> I might have missed it but what virus scanner do you use?
>>
>> Do you use spamassassin
>>
>> Is the MTA still operating (is the in queue getting bigger and bigger)
> - I cycle my syslog every day.
> - Syslog continues running after MailScanner hangs.
> - In /var/spool/MailScanner/incoming/ there are several dirs with mail
> files. There is another file too called 'SpamAssassin.cache.db'.
> - In /var/spool/MailScanner/spamassassin/ there are several files called
> 'bayes....' (for example: 'bayes_toks.expire10031',
> 'bayes_toks.expire20819')
> - I use the virus scanner ClamAV 0.88.4
> - I use SpamAssassin 3.1.3
> - I use Postfix 2.3 and it continues running after MailScanner hangs
>
>
>
I wonder if there is a bayes expire problem here.
Could you give your settings for the following;

# To avoid resource leaks, re-start periodically
Restart Every = 7200
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From brett at wrl.org Wed Aug 30 17:19:52 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 17:20:45 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F5A815.4020801@alexb.ch>
Message-ID:

Drat.
Alex Broens's suggestion on the redundant rulesets was right on the money, but my Inbound queue continues to grow.
I let MS run for a good 20 minutes and even mail sent to myself just got stuck in the queue and was not delivered.
Meanwhile the queue continued to grow:

Aug 30 11:51:26 franklin MailScanner[3228]: New Batch: Found 46 messages waiting
Aug 30 11:53:06 franklin MailScanner[3228]: New Batch: Found 47 messages waiting
Aug 30 11:55:39 franklin MailScanner[7997]: New Batch: Found 51 messages waiting
Aug 30 11:57:10 franklin MailScanner[8046]: New Batch: Found 53 messages waiting
Aug 30 11:57:31 franklin MailScanner[8031]: New Batch: Found 54 messages waiting
Aug 30 12:00:45 franklin MailScanner[8383]: New Batch: Found 61 messages waiting
Aug 30 12:01:51 franklin MailScanner[8449]: New Batch: Found 65 messages waiting
Aug 30 12:02:51 franklin MailScanner[8449]: New Batch: Found 63 messages waiting
Aug 30 12:05:46 franklin MailScanner[9034]: New Batch: Found 67 messages waiting
Aug 30 12:05:59 franklin MailScanner[9139]: New Batch: Found 68 messages waiting
Aug 30 12:10:20 franklin MailScanner[9175]: New Batch: Found 81 messages waiting
Aug 30 12:13:35 franklin MailScanner[10652]: New Batch: Found 106 messages waiting

When I tail mail.log it certainly *looks* like messages are getting scanned, just not delivered.
Any other kind souls have suggestions on where to look for my goof? I'm scratching my head here...

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From mailscanner at ecs.soton.ac.uk Wed Aug 30 17:26:12 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 30 17:26:17 2006
Subject: Disable disarming sertant emails
In-Reply-To: <44F5B43D.5010000@delodder.be>
References: <44F5B43D.5010000@delodder.be>
Message-ID: <44F5BC24.9030702@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Read about rulesets in the documentation. There are many explanations and examples out there.
These let you set the value of each configuration option differently for different addresses.

Philippe Delodder wrote:
> * PGP Signed by an unknown key
>
> Hello,
>
> I'm having a bit of a problem I'm trying to disable disarming emails
> from only a few email addresses. I have searched the web and I didn't
> find anything relevant. pls help me solve this issue of mine
>
> I have version 4.51.5 of mailscanner and I have version 2.2.10 of postfix
>
> my distro is debian etch
>
> thx in advance.
>
> --
> Philippe Delodder
> lodder@delodder.be
> http://www.delodder.be
> * Unknown Key
> * 0x318F7155(L)
>
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Charset: ISO-8859-1

wj8DBQFE9bwlEfZZRxQVtlQRAgIyAJwPVc6ZhvvswNZzik8lhty+OqPYpACfUO/W
6RpgrbX0eAj5C80ivmTATo4=
=WMrS
-----END PGP SIGNATURE-----

From carl.andrews at crackerbarrel.com Wed Aug 30 17:52:21 2006
From: carl.andrews at crackerbarrel.com (Carl Andrews)
Date: Wed Aug 30 17:53:22 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <200608301628.k7UGRrsB021480@smtpgw1.crackerbarrel.com>
References: <44F5A815.4020801@alexb.ch> <200608301628.k7UGRrsB021480@smtpgw1.crackerbarrel.com>
Message-ID: <1156956742.5187.13.camel@localhost>

I recently set up a MS computer on ubuntu on my home computer and had the same problem. I do not remember EXACTLY what the corrective procedure was, but I believe it was permissions.
This was my first attempt at postfix, so I too was wielding a sledge hammer :->

/var/spool
lrwxrwxrwx 1 root root 7 2005-12-28 18:56 mail -> ../mail
drwxr-x--- 5 postfix postfix 4096 2006-08-03 18:31 MailScanner
drwxr-xr-x 2 mail mail 4096 2006-08-08 00:59 mqueue
drwxr-xr-x 2 smmta smmsp 4096 2006-08-07 23:14 mqueue.in
drwxr-xr-x 19 root root 4096 2006-08-07 23:23 postfix

/var/run
drwxr-sr-x 5 root smmta 100 2006-08-29 23:20 sendmail

I also had to do this for the MS to run and not get errors in (mail.log)

mkdir -p /var/run/MailScanner
chown -R postfix: /var/run/MailScanner
mkdir -p /var/lock/subsys/MailScanner
chown -R postfix: /var/lock/subsys/MailScanner/

If I can provide any more information or you would like me to set you up an account on the computer so you can compare, please let me know.

Thanks,
Carl

On Wed, 2006-08-30 at 12:19 -0400, Brett Charbeneau wrote:
> Drat.
> Alex Broens's suggestion on the redundant rulesets was right on the
> money, but my Inbound queue continues to grow.
> I let MS run for a good 20 minutes and even mail sent to myself just got
> stuck in the queue and was not delivered. Meanwhile the queue continued to
> grow:
>
> Aug 30 11:51:26 franklin MailScanner[3228]: New Batch: Found 46 messages waiting
> Aug 30 11:53:06 franklin MailScanner[3228]: New Batch: Found 47 messages waiting
> Aug 30 11:55:39 franklin MailScanner[7997]: New Batch: Found 51 messages waiting
> Aug 30 11:57:10 franklin MailScanner[8046]: New Batch: Found 53 messages waiting
> Aug 30 11:57:31 franklin MailScanner[8031]: New Batch: Found 54 messages waiting
> Aug 30 12:00:45 franklin MailScanner[8383]: New Batch: Found 61 messages waiting
> Aug 30 12:01:51 franklin MailScanner[8449]: New Batch: Found 65 messages waiting
> Aug 30 12:02:51 franklin MailScanner[8449]: New Batch: Found 63 messages waiting
> Aug 30 12:05:46 franklin MailScanner[9034]: New Batch: Found 67 messages waiting
> Aug 30 12:05:59 franklin MailScanner[9139]: New Batch: Found 68 messages waiting
> Aug 30 12:10:20 franklin MailScanner[9175]: New Batch: Found 81 messages waiting
> Aug 30 12:13:35 franklin MailScanner[10652]: New Batch: Found 106 messages waiting
>
> When I tail mail.log it certainly *looks* like messages are getting
> scanned, just not delivered.
> Any other kind souls have suggestions on where to look for my goof? I'm
> scratching my head here...
>
> --
> ********************************************************************
> Brett Charbeneau
> Network Administrator
> Williamsburg Regional Library
> 7770 Croaker Road
> Williamsburg, VA 23188-7064
> (757)259-4044 www.wrl.org
> (757)259-4079 (fax) brett@wrl.org
> ********************************************************************
>

From lshaw at emitinc.com Wed Aug 30 17:57:02 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Aug 30 17:57:16 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F5A815.4020801@alexb.ch>
Message-ID:

On Wed, 30 Aug 2006, Brett Charbeneau wrote:
> Alex Broens's suggestion on the redundant rulesets was right on the
> money, but my Inbound queue continues to grow.
> I let MS run for a good 20 minutes and even mail sent to myself just got
> stuck in the queue and was not delivered. Meanwhile the queue continued to
> grow:
>
> Aug 30 11:51:26 franklin MailScanner[3228]: New Batch: Found 46 messages waiting
> Aug 30 11:53:06 franklin MailScanner[3228]: New Batch: Found 47 messages waiting
> Aug 30 11:55:39 franklin MailScanner[7997]: New Batch: Found 51 messages waiting
> Aug 30 11:57:10 franklin MailScanner[8046]: New Batch: Found 53 messages waiting
> Aug 30 11:57:31 franklin MailScanner[8031]: New Batch: Found 54 messages waiting
> Aug 30 12:00:45 franklin MailScanner[8383]: New Batch: Found 61 messages waiting
> Aug 30 12:01:51 franklin MailScanner[8449]: New Batch: Found 65 messages waiting
> Aug 30 12:02:51 franklin MailScanner[8449]: New Batch: Found 63 messages waiting
> Aug 30 12:05:46 franklin MailScanner[9034]: New Batch: Found 67 messages waiting
> Aug 30 12:05:59 franklin MailScanner[9139]: New Batch: Found 68 messages waiting
> Aug 30 12:10:20 franklin MailScanner[9175]: New Batch: Found 81 messages waiting
> Aug 30 12:13:35 franklin MailScanner[10652]: New Batch: Found 106 messages waiting

At this point, I think it would be worthwhile to know why the queue is growing, or at least what component of the system is causing it to grow.

If you are getting in 100 messages every 5 minutes and the system can only scan 95, then you've got mail flowing properly, but your queue size is going to grow because there is a backlog. That's one possible explanation.

However, there are other reasons your queue might be growing. You might be getting only a few messages, and maybe MailScanner is appearing to process them but isn't actually removing them from the queue. Or maybe you have a configuration problem and MailScanner is scanning them and putting them back into the same queue it took them out of. (Unlikely, but I think it's possible.)

So, to me the next step is to kill the incoming sendmail.
That will prevent *it* from putting more messages in the queue. Then, barring anything truly weird, there is no other software other than MailScanner that would know to put messages into that queue. So if the incoming sendmail is off and the number of messages in the queue grows, you know MailScanner is adding them. On the other hand, if incoming sendmail is killed and the number of messages in the queue then starts shrinking, you know it's a backlog thing.

There are probably other diagnostic steps to analyze the nature of messages in the queue and where the new ones are coming from, so the above is just a starting point.

- Logan

From ssilva at sgvwater.com Wed Aug 30 17:54:56 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 17:58:28 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F5A815.4020801@alexb.ch>
Message-ID:

Brett Charbeneau spake the following on 8/30/2006 8:50 AM:
> I appreciate input, Alex!
>
> On Wed, 30 Aug 2006, Alex Broens wrote:
>
> AB> Before you start turning knobs on MS I suggest you go thru your rule
> AB> collection:
> AB>
> AB>
> AB> The rule files below are include the numbered files you may be using so
> AB> redundant.
>
> Good thought. As you can probably tell I'm using the Rules_du_Jour
> script and opted for most of the rules.
> Redundancy didn't cross my mind. Doh!
> I'll definitely trim my TRUSTED_RULESETS in
> /etc/rulesdujour/config...
>
> AB> Use either the numbered or the general
> AB>
> AB> debug: config: read file /etc/spamassassin/70_sare_html.cf
> AB> debug: config: read file /etc/spamassassin/70_sare_genlsubj.cf
> AB> debug: config: read file /etc/spamassassin/70_sare_header.cf
> AB> debug: config: read file /etc/spamassassin/70_sare_html.cf
> AB> debug: config: read file /etc/spamassassin/70_sare_obfu.cf
>
> Not sure I'm following you here.
> Do these five sare rulesets overlap?
>
> AB> debug: config: read file /etc/spamassassin/71_sare_bml_pre25x.cf
> AB> debug: config: read file /etc/spamassassin/99_sare_fraud_pre25x.cf
> AB>
> AB> PRE 2.5 - obsolete and *may* cause issues with 3.x
>
> Duh. Thanks - deleted.
>
> AB> debug: config: read file /etc/spamassassin/blacklist-uri.cf
> AB>
> AB> totally Unnecessary when using URIDNSBL plugin
> AB> HUGE size, slow and requires LOTS of memory. dump that! :-)
>
> Ah, that could be the reason for the timeouts!
> GOOD CALL.
>
> AB> debug: config: read file /etc/spamassassin/70_sare_adult.cf
> AB> Added to SA - obsolete.
>
> Excellent, Alex.
> I've treated the RulesDuJour as a set-it-and-forget-it thing, which is
> obviously asking for trouble. I'll try to find a way to keep on top of this...
>
I would recommend the rulesdujour install from Fortress Systems (http://www.fsl.com/support.html). You can later add some rules as you see how your system holds up. They are a good compromise of effective rules and system load. And Steve seems to be a very helpful person.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From brett at wrl.org Wed Aug 30 18:58:23 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Aug 30 19:02:03 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F5A815.4020801@alexb.ch>
Message-ID:

On Wed, 30 Aug 2006, Logan Shaw wrote:

LS> So, to me the next step is to kill the incoming sendmail. That will prevent
LS> *it* from putting more messages in the queue. Then, barring anything truly
LS> weird, there is no other software other than MailScanner that would know to
LS> put messages into that queue. So if the incoming sendmail is off and the
LS> number of messages in the queue grows, you know MailScanner is adding them.
LS> On the other hand, if incoming sendmail is killed and the number of messages
LS> in the queue then starts shrinking, you know it's a backlog thing.

Good idea!
Okay, at 1:38 I killed Sendmail and MailScanner, then started MailScanner (via /etc/init.d/mailscanner) - MailWatch shows

Inbound 51
Outbound 2

and here's a count of the files in the queues:

ls -al /var/spool/mqueue | wc -l
58
ls -al /var/spool/mqueue.in | wc -l
54

I checked to make sure MailScanner had children running throughout this test.

At 1:43:

Inbound 51
Outbound 1

ls -al /var/spool/mqueue | wc -l
58
ls -al /var/spool/mqueue.in | wc -l
54

At 1:48:

Inbound 50
Outbound 1

ls -al /var/spool/mqueue | wc -l
58
ls -al /var/spool/mqueue.in | wc -l
54

At 1:58:

Inbound 50
Outbound 1

ls -al /var/spool/mqueue | wc -l
58
ls -al /var/spool/mqueue.in | wc -l
54

Hope this is revealing...

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From jwilliams at courtesymortgage.com Wed Aug 30 19:14:01 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Aug 30 19:11:09 2006
Subject: Another Bayes question/issue
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FCF39@cmexchange01.CourtesyMortgage.local>

I've been following the Bayes thread recently and I too have been having problems with bayes. I just haven't had time to work on it. :/

I'm running FreeBSD 6, with postfix + mailscanner.

I'm going to guess I have a permissions issue, but I get a few odd things when I run --lint even when specifying -p to my spam-assassin.prefs.conf

Here they are:

[97841] warn: config: SpamAssassin failed to parse line, "/var/spool/MailScanner/spamassassin/" is not valid for "bayes_path", skipping: bayes_path /var/spool/MailScanner/spamassassin/

Is there a valid "bayes_path"?

Which is followed by:

[97413] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
[97413] dbg: config: score set 1 chosen.
[97413] dbg: message: ---- MIME PARSER START ----
[97413] dbg: message: main message type: text/plain
[97413] dbg: message: parsing normal part
[97413] dbg: message: added part, type: text/plain
[97413] dbg: message: ---- MIME PARSER END ----
[97413] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks

The first line entry is probably causing the above issue.

In my spam.assassin.prefs.conf:

use_bayes 1
bayes_path /var/spool/MailScanner/spamassassin
bayes_file_mode 0770

Here are the contents of /var/spool/MailScanner/spamassassin

ls -la /var/spool/MailScanner/spamassassin/
total 11588
drwxr-xr-x 2 postfix postfix 512 Aug 30 10:47 .
drwxr-xr-x 5 root wheel 512 Dec 8 2005 ..
-rw----rw- 1 postfix postfix 1056 Aug 30 11:04 bayes.mutex
-rw-rw---- 1 postfix postfix 46800 Aug 30 11:07 bayes_journal
-rw-rw---- 1 postfix postfix 2617344 Aug 30 11:04 bayes_seen
-rw-rw---- 1 postfix postfix 2629632 Aug 30 11:04 bayes_toks
-rw-rw---- 1 postfix postfix 3010560 Jul 22 09:34 bayes_toks.expire34434
-rw-rw---- 1 postfix postfix 2908160 Jul 22 09:27 bayes_toks.expire4735
-rw-rw---- 1 postfix postfix 2994176 Jul 22 09:18 bayes_toks.expire71607

So I'm a little confused here.

I appreciate the help.

-Jason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at PDSCC.COM Wed Aug 30 19:17:10 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble)
Date: Wed Aug 30 19:17:23 2006
Subject: maq entry missing - large bayes database
Message-ID: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>

On one of my MS machines running 4.49.7, the /etc/MailScanner/bayes folder has grown to 1.7gb and filled the root filesystem, the maq entry

http://www.mailscanner.info/serve/cache/317.html

takes me to

Not Found
The requested URL /serve/cache/317.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.35 Server at www.mailscanner.info Port 80

Anyone got another link or can tell me what to do to fix the problem?

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From derek at adcatanzaro.com Wed Aug 30 19:22:27 2006
From: derek at adcatanzaro.com (Derek Catanzaro)
Date: Wed Aug 30 19:22:51 2006
Subject: strange maillog entries plus DoS messages in maillog
Message-ID: <44F5D763.2000407@adcatanzaro.com>

I have included portions of my log where it shows that it is extracting java classes. I have never seen this before in any of my logs and I'm trying to figure out why this is happening? I have also included the DoS message that is being logged. Has anyone ever seen this type of activity on their servers???

MailScanner version 4.49.7
Fedora Core 2
0.17 Mail::ClamAV

---- snip ----
Aug 30 12:45:05 mailserver MailScanner[6552]: Virus Scanning: Denial Of Service attack detected!
----- snip ------
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/UTF8Recognizer.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XCatalog$Parser$Resolver.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XCatalog$Parser.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XCatalog.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/xcatalog.dtd
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLCatalogHandler.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLDeclRecognizer.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityHandler$CharBuffer.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityHandler$CharDataHandler.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityHandler$DTDHandler.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityHandler$EntityReader.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityHandler.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityReader.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/readers/XMLEntityReaderFactory.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/Base64.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/CharDataChunk.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/ChunkyByteArray.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/ChunkyCharArray.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/Hash2intTable.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/HexBin.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/ImplementationMessages.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/ISO8601Format.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/NamespacesScope$NamespacesHandler.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/NamespacesScope.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/QName.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/BMPattern.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Match.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$CharOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$ChildOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$ConditionOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$ModifierOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$RangeOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$StringOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op$UnionOp.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Op.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/ParseException.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/ParserForXMLSchema.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/RangeToken.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/RegexParser$ReferencePosition.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/RegexParser.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/RegularExpression$Context.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/RegularExpression.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/REUtil.class
Aug 30 12:44:10 mailserver MailScanner[6552]: extracting: org/apache/xerces/utils/regex/Token$CharToken.class

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mkettler at evi-inc.com Wed Aug 30 19:39:17 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Aug 30 19:39:29 2006
Subject: Another Bayes question/issue
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FCF39@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FCF39@cmexchange01.CourtesyMortgage.local>
Message-ID: <44F5DB55.6020201@evi-inc.com>

Jason Williams wrote:
> I've been following the Bayes thread recently and I too have been having
> problems with bayes. I just haven't had time to work on it. :/
>
> I'm running FreeBSD 6, with postfix + mailscanner.
>
> I'm going to guess I have a permissions issue, but I get a few odd
> things when I run --lint even when specifying -p to my
> spam-assassin.prefs.conf
>
> Here they are:
>
> [97841] warn: config: SpamAssassin failed to parse line,
> "/var/spool/MailScanner/spamassassin/" is not valid for "bayes_path",
> skipping: bayes_path /var/spool/MailScanner/spamassassin/
>
> Is there a valid "bayes_path"?

Yes.. if you read the docs VERY closely, you'll learn that bayes_path cannot be just a directory.
It is a directory PLUS a partial filename.

try

bayes_path /var/spool/MailScanner/spamassassin/bayes

From jwilliams at courtesymortgage.com Wed Aug 30 19:51:23 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Aug 30 19:48:32 2006
Subject: Another Bayes question/issue
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FCF3C@cmexchange01.CourtesyMortgage.local>

>Yes.. if you read the docs VERY closely, you'll learn that bayes_path cannot be just a directory. It is a directory PLUS a partial filename.
>
>try
>
>bayes_path /var/spool/MailScanner/spamassassin/bayes

How about that! Just a simple addition to the end and it works...don't I feel grand.

Thanks for the help.

-Jason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Wed Aug 30 20:03:46 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 20:05:40 2006
Subject: maq entry missing - large bayes database
In-Reply-To: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>
Message-ID:

Harondel J. Sibble spake the following on 8/30/2006 11:17 AM:
> On one of my MS machines running 4.49.7, the /etc/MailScanner/bayes folder
> has grown to 1.7gb and filled the root filesystem, the maq entry
>
> http://www.mailscanner.info/serve/cache/317.html
>
> takes me to
>
> Not Found
> The requested URL /serve/cache/317.html was not found on this server.
>
> Additionally, a 404 Not Found error was encountered while trying to use an
> ErrorDocument to handle the request.
> Apache/1.3.35 Server at www.mailscanner.info Port 80
>
> Anyone got another link or can tell me what to do to fix the problem?
>
I found it in Google's cache.
Here it is cut and pasted;

Bayes database growing too much...

How do I control the bayes database from growing out of control right now?

Stop MS. Delete all files except bayes_journal, bayes_seen and bayes_toks.
Now run "sa-learn --force-expire".

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 30 20:08:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 20:10:53 2006
Subject: strange maillog entries plus DoS messages in maillog
In-Reply-To: <44F5D763.2000407@adcatanzaro.com>
References: <44F5D763.2000407@adcatanzaro.com>
Message-ID:

Derek Catanzaro spake the following on 8/30/2006 11:22 AM:
> I have included portions of my log where it shows that it is extracting
> java classes. I have never seen this before in any of my logs and I'm
> trying to figure out why this is happening? I have also included the
> DoS message that is being logged. Has anyone ever seen this type of
> activity on their servers???
>
> MailScanner version 4.49.7
> Fedora Core 2
> 0.17 Mail::ClamAV

It looks as if a java .jar file was mailed to your system, and the virus scanners are trying to extract it to check the contents. You could grep the logs for that process number [6552] and get the message id at the beginning. If the message is still on your system, or you have mailwatch, you could get more info as to sender and recipient.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From r.berber at computer.org Wed Aug 30 20:17:15 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Wed Aug 30 20:18:13 2006
Subject: strange maillog entries plus DoS messages in maillog
In-Reply-To: <44F5D763.2000407@adcatanzaro.com>
References: <44F5D763.2000407@adcatanzaro.com>
Message-ID:

Derek Catanzaro wrote:

> I have included portions of my log where it shows that it is extracting
> java classes. I have never seen this before in any of my logs and I'm
> trying to figure out why this is happening? I have also included the
> DoS message that is being logged. Has anyone ever seen this type of
> activity on their servers???

Yes, once, and it also was a jar file.

Jars sometimes have too many directory levels or files and that trips the clamav alarm.

It is a false positive, and we have some control with the clamav-module parameters (timeout, max levels, max files, max compression), also by not scanning big files.
--
René Berber

From mrm at medicine.wisc.edu Wed Aug 30 21:02:39 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Wed Aug 30 21:03:06 2006
Subject: Virus and spam spike?
Message-ID: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>

Just wondering if anyone else is noticing a HUGE jump in the amount of spam and viruses being received since last weekend??? MailScanner MRTG is showing about a 10 fold jump from the previous months since last Saturday....

Mike

From mailscanner at PDSCC.COM Wed Aug 30 21:07:04 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble)
Date: Wed Aug 30 21:07:13 2006
Subject: maq entry missing - large bayes database
In-Reply-To:
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>,
Message-ID: <200608302007.k7UK74V4015015@sinclaire.sibble.net>

On 30 Aug 2006 at 12:03, Scott Silva wrote:

> Bayes database growing too much...
>
> How do I control the bayes database from growing out of control right
> now?
>
> Stop MS. Delete all files except bayes_journal, bayes_seen and
> bayes_toks. Now run "sa-learn --force-expire".
>

Hmm, that didn't work, near the end I see

dbg: bayes: reduction goal of -112500 is under 1000 tokens, skipping expire
dbg: bayes : expire completed

this is running with

sa-learn -D --force-expire

I am assuming that's not what I should see.... Googling on that line takes me to a lot of code examples for SA.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From dave.list at pixelhammer.com Wed Aug 30 21:15:49 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Aug 30 21:16:12 2006
Subject: Virus and spam spike?
In-Reply-To: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
References: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <44F5F1F5.1070605@pixelhammer.com>

Michael Masse wrote:
> Just wondering if anyone else is noticing a HUGE jump in the amount of
> spam and virus' being received since last weekend??? MailScanner
> MRTG is showing about a 10 fold jump from the previous months since last
> Saturday....
>
> Mike

That was the last two weeks for us, it's pretty quiet now. Maybe they got
your IP block on the end of the rotation?

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From naolson at gmail.com Wed Aug 30 21:21:14 2006
From: naolson at gmail.com (Nathan Olson)
Date: Wed Aug 30 21:21:17 2006
Subject: Virus and spam spike?
In-Reply-To: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
References: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <8f54b4330608301321s66af98a2u748e1201c25c6a4f@mail.gmail.com>

Due to the start of the school year, possibly.

Nate

From dnsadmin at 1bigthink.com Wed Aug 30 21:41:42 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Wed Aug 30 21:42:03 2006
Subject: Virus and spam spike?
In-Reply-To: <8f54b4330608301321s66af98a2u748e1201c25c6a4f@mail.gmail.com>
References: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu> <8f54b4330608301321s66af98a2u748e1201c25c6a4f@mail.gmail.com>
Message-ID: <7.0.1.0.0.20060830164028.0a3fd290@1bigthink.com>

At 04:21 PM 8/30/2006, you wrote:
>Due to the start of the school year, possibly.
>
>Nate

Nope. New Microsoft security hole allowed huge allocation of your
neighbors' computers as zombies.

Cheers!

From matt at coders.co.uk Wed Aug 30 22:49:01 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Aug 30 22:49:11 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F5A815.4020801@alexb.ch>
Message-ID: <44F607CD.20307@coders.co.uk>

Brett Charbeneau wrote:
> On Wed, 30 Aug 2006, Logan Shaw wrote:
>
> LS> So, to me the next step is to kill the incoming sendmail. That will prevent
> LS> *it* from putting more messages in the queue. Then, barring anything truly
> LS> weird, there is no other software other than MailScanner that would know to
> LS> put messages into that queue. So if the incoming sendmail is off and the
> LS> number of messages in the queue grows, you know MailScanner is adding them.
> LS> On the other hand, if incoming sendmail is killed and the number of messages
> LS> in the queue then starts shrinking, you know it's a backlog thing.
>
> Good idea!
> Okay, at 1:38 I killed Sendmail and MailScanner, then started
> MailScanner (via /etc/init.d/mailscanner) - MailWatch shows
>

/etc/init.d/MailScanner stop
/usr/sbin/MailScanner --debug

what is the output?

From ssilva at sgvwater.com Wed Aug 30 23:07:21 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 23:09:50 2006
Subject: maq entry missing - large bayes database
In-Reply-To: <200608302007.k7UK74V4015015@sinclaire.sibble.net>
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>, <200608302007.k7UK74V4015015@sinclaire.sibble.net>
Message-ID:

Harondel J.
Sibble spake the following on 8/30/2006 1:07 PM:
>
> On 30 Aug 2006 at 12:03, Scott Silva wrote:
>> Bayes database growing too much...
>>
>> How do I control the bayes database from growing out of control right
>> now?
>>
>> Stop MS. Delete all files except bayes_journal, bayes_seen and
>> bayes_toks. Now run "sa-learn --force-expire".
>>
>
> Hmm, that didn't work, near the end I see
> dbg: bayes: reduction goal of -112500 is under 1000 tokens, skipping expire
> dbg: bayes : expire completed
>
> this is running with sa-learn -D --force-expire
>
> I am assuming that's not what I should see....
>
> Googling on that line takes me to a lot of code examples for SA.

You could always run the database in \var\spool\spamassassin. You should
have a lot more room in your var partition. And there was a thread early
in the month, or late last month that it might speed up some I/O times.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 30 23:24:30 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 23:27:00 2006
Subject: maq entry missing - large bayes database
In-Reply-To: <200608302007.k7UK74V4015015@sinclaire.sibble.net>
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>, <200608302007.k7UK74V4015015@sinclaire.sibble.net>
Message-ID:

Harondel J. Sibble spake the following on 8/30/2006 1:07 PM:
>
> On 30 Aug 2006 at 12:03, Scott Silva wrote:
>> Bayes database growing too much...
>>
>> How do I control the bayes database from growing out of control right
>> now?
>>
>> Stop MS. Delete all files except bayes_journal, bayes_seen and
>> bayes_toks. Now run "sa-learn --force-expire".
>>
>
> Hmm, that didn't work, near the end I see
> dbg: bayes: reduction goal of -112500 is under 1000 tokens, skipping expire
> dbg: bayes : expire completed
>
> this is running with sa-learn -D --force-expire
>
> I am assuming that's not what I should see....
>
> Googling on that line takes me to a lot of code examples for SA.

can you run ls -al /etc/MailScanner/bayes and post the output. You should
only have 3 or 4 files in that directory.

My bayes dir is much smaller;

# du -h /etc/MailScanner/bayes/
32M /etc/MailScanner/bayes/

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 30 23:26:49 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 30 23:30:10 2006
Subject: Virus and spam spike?
In-Reply-To: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
References: <44F5A88C.7FBE.00FC.3@medicine.wisc.edu>
Message-ID:

Michael Masse spake the following on 8/30/2006 1:02 PM:
> Just wondering if anyone else is noticing a HUGE jump in the amount of
> spam and virus' being received since last weekend??? MailScanner
> MRTG is showing about a 10 fold jump from the previous months since last
> Saturday....
>
> Mike

Not really, but I have the luxury of being able to dump anything on the
sbl-xbl list, so I probably never saw most of it.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From hmkash at arl.army.mil Wed Aug 30 23:33:24 2006
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD))
Date: Wed Aug 30 23:33:30 2006
Subject: Max SpamAssassin Size problems
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> <44F31923.2010608@ecs.soton.ac.uk> <44F32378.7090901@alexb.ch> <44F55FD3.90806@ecs.soton.ac.uk>
Message-ID: <229A346E44379140A59A48951B56E0C0012D8F21@ARLABML01.DS.ARL.ARMY.MIL>

> I don't like that, as most spam can be identified by the first 20k, and
> your idea would let through large spam.

How about this for a compromise - add a new MailScanner.conf option that
specifies the behavior if the message size exceeds Max Spamassassin Size.
Quick and easy options would be:

truncate - current/default behavior

drop - no content is sent to SA

continue - continue until next blank line (no limit)

continue N - continue until next blank line up to a maximum of N bytes - still risk truncating MIME content

The first two options should just be a few lines of code. Based on
previous emails, sounds like you've mostly coded variations of the last
two options. So just add a new MailScanner.conf option to choose which
method to use.

Future enhancements could include:

- make drop and continue options MIME-aware and only drop or continue if
  truncation occurs inside a MIME block. Use MIME boundaries instead of
  blank lines.

- backtrack option - if truncation point is within a MIME block, revert
  back to previous MIME boundary, otherwise truncate at Max SpamAssassin
  Size

Howard

From res at ausics.net Wed Aug 30 23:55:26 2006
From: res at ausics.net (Res)
Date: Wed Aug 30 23:55:42 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID:

Hi Brett,

On Wed, 30 Aug 2006, Brett Charbeneau wrote:

> Config: calling custom init function MailWatchLogging

Try disable this above option

> I've got "Max Children = 5":
>
> 29629 ? SNs 0:00 MailScanner: master waiting for children, sleeping
> 29630 ? SN 0:29 MailScanner: checking with SpamAssassin
> 29656 ? SN 0:29 MailScanner: virus scanning
> 29681 ? SN 0:27 MailScanner: checking with SpamAssassin
> 29694 ? SN 0:28 MailScanner: checking with SpamAssassin
> 29717 ? SN 0:28 MailScanner: virus scanning
> 29976 ? DN 0:00 MailScanner: checking with SpamAssassin
> 29993 ? RN 0:07 MailScanner: checking with SpamAssassin
> 30052 ? RN 0:03 MailScanner: checking with SpamAssassin
> 30060 ? DNs 0:00 MailScanner: virus scanning
> 30061 ? DNs 0:00 MailScanner: virus scanning

This seems wrong... if you only have max kids 5,

Did you do any upgrade in your fixing of the box?

In an earlier post you showed us with several.... MailScanner: starting children

you showed us:
> root 29629 1 0 10:01 ? 00:00:00 MailScanner: starting children
> root 29630 29629 26 10:01 ? 00:00:08 MailScanner: starting children
> root 29656 29629 28 10:01 ? 00:00:06 MailScanner: starting children
> root 29681 29629 22 10:01 ? 00:00:02 MailScanner: starting children

This looks wrong.... You should only see 1 of these once all kids have
started, in starting the kids you will see two of them, the 1 perm one and
the kid starting up, once the kid has started you should see:

MailScanner: waiting for messages

It looks like something is running more than one copy and it is not
starting properly.

You indicated tmp was corrupted, silly question but does /tmp still have
permissions of 1777 ?

I've done rip out replacements similar to this as I'm sure most others
have and never had any hiccups like this.

If you set the scan messages to off so MailScanner essentially is just a
relay only, does mail flow again?

Check Sendmail Dir perms:

drwxrwx--- 2 smmsp smmsp 4096 2006-08-31 08:45 clientmqueue/
drwxr-xr-x 2 root root 4096 2006-08-31 08:45 mqueue/
drwxr-x--- 2 root bin 4096 2006-08-31 08:45 mqueue.in/

I also strongly suggest that you should upgrade, 4.51 is rather old and
many of us may be trying to offer suggestions based on later releases.
(like my display info above, can't recall when that was changed)

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From r.berber at computer.org Thu Aug 31 03:20:26 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Thu Aug 31 03:20:54 2006
Subject: MS 4.54.6 failing to tag a phishing message
Message-ID:

Hi,

I'm using MS version 4.54.6 and trying to figure out why a phishing
message went in and MS didn't do anything.

The message spam score (using spamassassin version 3.1.4 + some
rules-du-jour) was very low, but as shown below inside the message was a
very obvious phishing URL.

Relevant parts of MailScanner.conf:

Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Modify Subject = yes
Phishing Subject Text = {Fraud?}

The file phishing.safe.sites.conf does not contain the bank name.

The country.domains.conf has a correct set of domain suffixes for this
country.

The relevant part of the message is:

https://boveda.banamex.com.mx/serban/

The links are as different as they can be, http vs https (not used by MS),
speakeasy.net vs banamex.com.mx, so what did fail in MS?

Any pointers on how to debug this or should I upgrade to the latest
version?

I had a look at lib/MailScanner/Message.pm and found where the URLs are
compared taking into account the levels used by the country, I'll try to
find out what went wrong.

Thanks.

--
René Berber

From Andreas.Doerfler at kempten.de Thu Aug 31 07:59:01 2006
From: Andreas.Doerfler at kempten.de (=?iso-8859-1?Q?D=F6rfler_Andreas?=)
Date: Thu Aug 31 07:59:23 2006
Subject: problem with recive mail from gmx
Message-ID:

> DAve
> I get those at least a few times a day. I ignore them, no complaints
> from clients so far ;^) My Network admin suggested it was MTU size. I
> did find this explanation. No idea if it will cause your server to
> crash, stock prices to fall, or increase global warming.
> Investigate and
> make you own decision.
>
> http://www.hitechsavvy.com/print.php?sid=210

well, ive tried it (no risk no fun ^^) but it only raised the problem
with other mailers

> -- Glenn
> Not with them, and not anyone else... for the time being. "Educating"
> the other parties postmaster is the only way I know, and that only
> works some times (when they want to be ... "clued in":-).
> Other than that, I say it's their problem:-).

jea, but my users make it to my problem :/
howto say em "forget that crap freemailer, take another one" ...

From sergiogc at treelogic.com Thu Aug 31 08:11:58 2006
From: sergiogc at treelogic.com (=?ISO-8859-1?Q?Sergio_Garc=EDa_Caso?=)
Date: Thu Aug 31 08:07:44 2006
Subject: MailScanner hangs once a day
Message-ID: <44F68BBE.1070900@treelogic.com>

- I cycle my syslog every day.
> - Syslog continues running after MailScanner hangs.
> - In /var/spool/MailScanner/incoming/ there are several dirs with mail
> files. There is another file too called 'SpamAssassin.cache.db'.
> - In /var/spool/MailScanner/spamassassin/ there are several files called
> 'bayes....' (for example: 'bayes_toks.expire10031',
> 'bayes_toks.expire20819')
> - I use the virus scanner ClamAV 0.88.4
> - I use SpamAssassin 3.1.3
> - I use Postfix 2.3 and it continues running after MailScanner hangs
>
>
>
>I wonder if there is a bayes expire problem here.
>Could you give your settings for the following;
># To avoid resource leaks, re-start periodically
>Restart Every = 7200
>Rebuild Bayes Every = 86400
>Wait During Bayes Rebuild = yes

I have the next values for these parameters:

* Restart Every = 14400 (it runs OK)
* Rebuild Bayes Every = 0
* Wait During Bayes Rebuild = no

I tried 'Wait During Bayes Rebuild = yes' but MailScanner hangs too.

From martinh at solidstatelogic.com Thu Aug 31 08:52:17 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Aug 31 08:52:34 2006
Subject: Spamassassin 3.1.5 out
Message-ID: <44F69531.6070109@solidstatelogic.com>

All

http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.5-available%21-tf2190657.html

Anyone tested with MS yes - doesn't look like too many issues for us,
but it looks like there's change to the sa-updates handling stuff that
should make local_rules handling better..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From dhawal at netmagicsolutions.com Thu Aug 31 08:52:32 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Aug 31 09:01:37 2006
Subject: Spamassassin 3.1.5 out
In-Reply-To: <44F69531.6070109@solidstatelogic.com>
References: <44F69531.6070109@solidstatelogic.com>
Message-ID: <20060831132232.6y13sg7qs8wckgsg@mail.netmagicsolutions.com>

Quoting Martin Hepworth :

> All
>
> http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.5-available%21-tf2190657.html
>
> Anyone tested with MS yes - doesn't look like too many issues for us,
> but it looks like there's change to the sa-updates handling stuff that
> should make local_rules handling better..

Working well for about 12 hours here.. make sure you run sa-update post
SA upgrade..

One more thing, all apache mirrors were not updated, mirror99.com worked
for me though.

- dhawal

From ms-list at alexb.ch Thu Aug 31 09:06:00 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Aug 31 09:06:11 2006
Subject: mcr -
In-Reply-To: <229A346E44379140A59A48951B56E0C0012D8F21@ARLABML01.DS.ARL.ARMY.MIL>
References: <229A346E44379140A59A48951B56E0C00260CC09@ARLABML01.DS.ARL.ARMY.MIL> <44ECB988.2040006@ecs.soton.ac.uk> <44ED5BEA.5080207@chime.ucl.ac.uk> <44ED68F5.2050906@ecs.soton.ac.uk> <44EDE4B0.20808@pacific.net> <44EEAD6E.80009@chime.ucl.ac.uk> <44F045B8.4060605@ecs.soton.ac.uk> <44F21974.7060604@pixelhammer.com> <44F31923.2010608@ecs.soton.ac.uk> <44F32378.7090901@alexb.ch> <44F55FD3.90806@ecs.soton.ac.uk> <229A346E44379140A59A48951B56E0C0012D8F21@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <44F69868.4050200@alexb.ch>

On 8/31/2006 12:33 AM, Kash, Howard (Civ, ARL/CISD) wrote:
>> I don't like that, as most spam can be identified by the first 20k, and
>> your idea would let through large spam.
>
> How about this for a compromise - add a new MailScanner.conf option that specifies the behavior if the message size exceeds Max Spamassassin Size.
> Quick and easy options would be:
>
> truncate - current/default behavior
>
> drop - no content is sent to SA
>
> continue - continue until next blank line (no limit)
>
> continue N - continue until next blank line up to a maximum of N bytes - still risk truncating MIME content
>
> The first two options should just be a few lines of code. Based on previous emails, sounds like you've mostly coded variations of the last two options. So just add a new MailScanner.conf option to choose which method to use.
>
>
> Future enhancements could include:
>
> - make drop and continue options MIME-aware and only drop or continue if truncation occurs inside a MIME block. Use MIME boundaries instead of blank lines.
>
> - backtrack option - if truncation point is within a MIME block, revert back to previous MIME boundary, otherwise truncate at Max SpamAssassin Size
>
>
> Howard

Isn't that making it overly complicated? and prone to (?:human|system)
error?

Wouldn't a total msg size be enough?

If a msg has a 23 MB .doc attached to it... I doubt it will be spam, so
why even waste SA time on it?

Why send a voicemail 1.5Mb .wav file thru SA?, even if its only 50 kb of
it, or when aunt Emily sends you the contents of the digital camera you
gave her for her birthday, why even worry about sending 50kb of an 80Mb
mail thru SA?

It would save LOTS of MS/SA processing power and all kinds possibly
inherent issues.

From martin.lyberg at gmail.com Thu Aug 31 09:10:00 2006
From: martin.lyberg at gmail.com (Martin)
Date: Thu Aug 31 09:10:36 2006
Subject: Trouble with Bayes
In-Reply-To: <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com>
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

> Right. And as the postfix user, doing a
> spamassassin --lint -D 2>&1 | less -e
> everything works as expected, right?
> Is that lint snippet from MailWatch, perhaps?
> In that case, you need
> do the same test for the apache user (whatever that is on your system.
> It is "apache" on mine:).

Yes, but i had to add -p /etc/MailScanner/spam.assassin.prefs.conf for it
to pick up the right conf-file.

You're right that the snippet in my post was made from Mailwatch webadmin.
If i do it from the commandline as the postfix-user i get this:

spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint -D 2>&1 | less -e:

[9298] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks
[9298] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
[9298] dbg: bayes: found bayes db version 3
[9298] dbg: bayes: DB journal sync: last sync: 0
[9298] dbg: bayes: not available for scanning, only 86 spam(s) in bayes DB < 200
[9298] dbg: bayes: untie-ing
[9298] dbg: bayes: untie-ing db_toks
[9298] dbg: bayes: untie-ing db_seen

So it seem to work as it should when doing it this way. Could it be that
Mailwatch is using some other user when linting from the web-admin?

> The way to get everything to work with Postfix and MailWatch (if that
> is the problem) is to make the necessary parts run as postfix:apache,
> and adjust the group rights accordingly.
> On a system near me I've got:
> drwxrwsrwx 2 postfix apache 4096 aug 30 15:28 ./
> drwxr-xr-x 7 root root 4096 aug 30 04:12 ../
> -rw-rw---- 1 postfix apache 76440 aug 30 15:27 bayes_journal
> -rw-rw---- 1 postfix apache 1200 aug 30 15:27 bayes.mutex
> -rw-rw---- 1 postfix apache 20971520 aug 30 15:27 bayes_seen
> -rw-rw---- 1 postfix apache 5111808 aug 30 15:27 bayes_toks
>
> ... with
> Run As User = postfix
> Run As Group = postfix
> Quarantine User = postfix
> Quarantine Group = apache
> Incoming Work Permissions = 0660
> Quarantine Permissions = 0660
> ... in /etc/MailScanner.conf, and
> bayes_path /etc/MailScanner/bayes/bayes
> bayes_file_mode 0770
> ... in /etc/mail/spamassassin/mailscanner.cf (softlink to
> spam.assassin.prefs.conf).

I have the following in my MailScanner.conf:

Quarantine User = postfix
Quarantine Group = www-data
Quarantine Permissions = 0660

Run As User = postfix
Run As Group = postfix
Incoming Work Permissions = 0600

I can't see any error here? Clues?

Thank you

/ Martin

From glenn.steen at gmail.com Thu Aug 31 09:32:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 31 09:32:16 2006
Subject: problem with recive mail from gmx
In-Reply-To:
References:
Message-ID: <223f97700608310132u61bf876en49ce6d33745cf859@mail.gmail.com>

On 31/08/06, Dörfler Andreas wrote:
> > DAve
> > I get those at least a few times a day. I ignore them, no complaints
> > from clients so far ;^) My Network admin suggested it was MTU size. I
> > did find this explanation. No idea if it will cause your server to
> > crash, stock prices to fall, or increase global warming.
> > Investigate and
> > make you own decision.
> >
> > http://www.hitechsavvy.com/print.php?sid=210
>
> well, ive tried it (no risk no fun ^^) but it only raised the problem
> with other mailers
>

Yes, kind of makes sense. If the icmp fragmentation get lost somewhere
(by someone "overzealously" denying _all_ icmp packets), and this is all
you see of it (this only one sender), it is very likely that the "denying"
is done close to them.... not you. In which case it is a problem you
simply cannot solve (without interaction with ... them). One could say
"they get what they deserve":-).

>
> > -- Glenn
> > Not with them, and not anyone else... for the time being. "Educating"
> > the other parties postmaster is the only way I know, and that only
> > works some times (when they want to be ... "clued in":-).
> > Other than that, I say it's their problem:-).
>
> jea, but my users make it to my problem :/
> howto say em "forget that crap freemailer, take another one" ...

Ah yes. In my semi-corporate .gov environment, these things can usually be
handled (if it is a "relevant contact", at least)... and the rest be
damned:-):-).
I appreciate that you might have a somewhat different situation, but it is
rather likely that there is nothing you _can_ do:-(. Then again, I might
be wrong:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 31 09:45:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 31 09:45:40 2006
Subject: Trouble with Bayes
In-Reply-To:
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com>
Message-ID: <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com>

On 31/08/06, Martin wrote:
> Glenn Steen wrote:
>
> > Right. And as the postfix user, doing a
> > spamassassin --lint -D 2>&1 | less -e
> > everything works as expected, right?
> > Is that lint snippet from MailWatch, perhaps? In that case, you need
> > do the same test for the apache user (whatever that is on your system.
> > It is "apache" on mine:).
>
> Yes, but i had to add -p /etc/MailScanner/spam.assassin.prefs.conf for
> it to pick up the right conf-file.
>
> You're right that the snippet in my post was made from Mailwatch
> webadmin. If i do it from the commandline as the postfix-user i get this:
>
> spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint -D 2>&1
> | less -e:
>
> [9298] dbg: bayes: tie-ing to DB file R/O
> /var/spool/MailScanner/spamassassin/bayes_toks
> [9298] dbg: bayes: tie-ing to DB file R/O
> /var/spool/MailScanner/spamassassin/bayes_seen
> [9298] dbg: bayes: found bayes db version 3
> [9298] dbg: bayes: DB journal sync: last sync: 0
> [9298] dbg: bayes: not available for scanning, only 86 spam(s) in bayes
> DB < 200
> [9298] dbg: bayes: untie-ing
> [9298] dbg: bayes: untie-ing db_toks
> [9298] dbg: bayes: untie-ing db_seen
>
> So it seem to work as it should when doing it this way. Could it be that
> Mailwatch is using some other user when linting from the web-admin?
>
> > The way to get everything to work with Postfix and MailWatch (if that
> > is the problem) is to make the necessary parts run as postfix:apache,
> > and adjust the group rights accordingly.
> > On a system near me I've got:
> > drwxrwsrwx 2 postfix apache 4096 aug 30 15:28 ./
> > drwxr-xr-x 7 root root 4096 aug 30 04:12 ../
> > -rw-rw---- 1 postfix apache 76440 aug 30 15:27 bayes_journal
> > -rw-rw---- 1 postfix apache 1200 aug 30 15:27 bayes.mutex
> > -rw-rw---- 1 postfix apache 20971520 aug 30 15:27 bayes_seen
> > -rw-rw---- 1 postfix apache 5111808 aug 30 15:27 bayes_toks
> >
> > ... with
> > Run As User = postfix
> > Run As Group = postfix
> > Quarantine User = postfix
> > Quarantine Group = apache
> > Incoming Work Permissions = 0660
> > Quarantine Permissions = 0660
> > ... in /etc/MailScanner.conf, and
> > bayes_path /etc/MailScanner/bayes/bayes
> > bayes_file_mode 0770
> > ... in /etc/mail/spamassassin/mailscanner.cf (softlink to
> > spam.assassin.prefs.conf).
>
> I have the following in my MailScanner.conf:
>
> Quarantine User = postfix
> Quarantine Group = www-data
> Quarantine Permissions = 0660
>
> Run As User = postfix
> Run As Group = postfix
> Incoming Work Permissions = 0600
>
> I can't see any error here? Clues?
>
> Thank you
>
> / Martin
>

I didn't give it as actual commands, my bad:-)... Do:

chown -R postfix:www-data /var/spool/MailScanner/spamassassin
chmod 0660 /var/spool/MailScanner/spamassassin/*

and set

bayes_file_mode 0770

in spam.assassin.prefs.conf ...

Now everything should look OK from MailWatch too, and you'll probably have
better luck training bayes from that interface too. You can check it
either from MailWatch or by

su - www-data -s /bin/sh
spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf

... of course:-).

That you need specify the spam.assassin.prefs.conf on the commandline
isn't good...
Either you have a somewhat dated install, or install.sh (or whatever
method you used to install) failed to create the symlink in
/etc/mail/spamassassin ... If the former, that is probably OK, but you
should consider upgrading, if the latter.... Well, you might need fix that
then (manually creating the link or rerunning your install method, or
somesuch).

HtH and Cheers (BTW, you wouldn't happen to be in Sweden, now would you?)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 31 09:54:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 31 09:54:44 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44F57150.4030402@treelogic.com>
References: <44F57150.4030402@treelogic.com>
Message-ID: <223f97700608310154y28da2a1ie1d5c8fcf6244345@mail.gmail.com>

On 30/08/06, Sergio García Caso wrote:
> >
> > >> The output of "MailScanner --changed" might be useful here too, just in
> > >> case you have made a mistake in your MailScanner.conf.
> >
> I can't execute "MailScanner --changed" (It says: 'Unknown option: changed'). Today MailScanner hasn't stopped yet.

That is as expected (unfortunately), since you run 4.54.6 (which doesn't
recognize that option... Jules introduced it in 4.55).

You might consider an upgrade, if nothing else just so that you get to go
through all options and settings once more:-). And use Jules nice clam+sa
package to update to 3.1.4 too... A golden opportunity to check your sa
rules over:-).

Something *is* fishy here, so going for the latest, which has the changed
option, wouldn't be a bad move.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martin.lyberg at gmail.com Thu Aug 31 10:17:15 2006
From: martin.lyberg at gmail.com (Martin)
Date: Thu Aug 31 10:17:43 2006
Subject: Trouble with Bayes
In-Reply-To: <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com>
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

> I didn't give it as actual commands, my bad:-)... Do:
> chown -R postfix:www-data /var/spool/MailScanner/spamassassin
> chmod 0660 /var/spool/MailScanner/spamassassin/*

This was the problem. Now it works as expected :)

> and set
> bayes_file_mode 0770
> in spam.assassin.prefs.conf ...

bayes_file_mode were already set to 0770.

> Now everything should look OK from MailWatch too, and you'll probably
> have better luck training bayes from that interface too. You can check
> it either from MailWatch or by
> su - www-data -s /bin/sh
> spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf
> ... of course:-).

Works like a charm! :)

> That you need specify the spam.assassin.prefs.conf on the commandline
> isn't good... Either you have a somewhat dated install, or install.sh
> (or whatever method you used to install) failed to create the symlink
> in /etc/mail/spamassassin ... If the former, that is probably OK, but
> you should consider upgrading, if the latter.... Well, you might need
> fix that then (manually creating the link or rerunning your install
> method, or somesuch).

Dunno why there's no symlink. The installation is made through APT and not
by source. Will leave this as it is for now.

>
> HtH and Cheers (BTW, you wouldn't happen to be in Sweden, now would you?)

Thanks for all your help, and yes i'm from Sweden too. Malmö
to be more specific :) / Martin From t.d.lee at durham.ac.uk Thu Aug 31 11:06:12 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Aug 31 11:06:47 2006 Subject: List of variables for substitution in reports? In-Reply-To: <44F57128.3030003@ecs.soton.ac.uk> References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> <44F57128.3030003@ecs.soton.ac.uk> Message-ID: On Wed, 30 Aug 2006, Julian Field wrote: > The "$UPPERCASE" is so that you can put in environment variables into > the reports. With your $HOSTNAME problems I would suspect that your > default shell setup doesn't set the shell HOSTNAME environment variable. I had the recollection that this ought to work. But it seems not to do so for us. (We have flavours of "Fedora Core" 3 upwards: I believe the installs are reasonably "as delivered", local tweaks mimimal; and MS versions 4.50 upwards: some tweaks, but no major surgery.) The machines stay up for ages. From time to time I completely restart MailScanner from a shell prompt. That shell has $HOSTNAME. And a subshell also has $HOSTNAME, so that env.var. would seem to be exported. Yet still the apparently blank (empty, unset, etc.) HOSTNAME in: the %org-name% ($HOSTNAME) MailScanner Any hints as to how I might debug this? (Useful places in the code I could bug with diagnostic "print" etc.?) Naturally, I would intend report my findings. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. 
:

From glenn.steen at gmail.com Thu Aug 31 11:23:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 31 11:23:49 2006
Subject: Trouble with Bayes
In-Reply-To:
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com>
Message-ID: <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com>

On 31/08/06, Martin wrote:
> Glenn Steen wrote:
(snip)
> > Now everything should look OK from MailWatch too, and you'll probably
> > have better luck training bayes from that interface too. You can check
> > it either from MailWatch or by
> > su - www-data -s /bin/sh
> > spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf
> > ... of course:-).
>
> Works like a charm! :)

Glad to hear it!

>
> > That you need specify the spam.assassin.prefs.conf on the commandline
> > isn't good... Either you have a somewhat dated install, or install.sh
> > (or whatever method you used to install) failed to create the symlink
> > in /etc/mail/spamassassin ... If the former, that is probably OK, but
> > you should consider upgrading, if the latter.... Well, you might need
> > fix that then (manually creating the link or rerunning your install
> > method, or somesuch).
>
> Dunno why there's no symlink. The installation is made through APT and
> not by source. Will leave this as it is for now.
>
Ah, that explains it. IIRC the Debian (and clones, like Ubuntu) "lag" quite a bit, version-wise. Jules has a debian package on his pages, but i think you need dpkg it... Or can one set that as a separate apt repository? Anyway, if that "missing link" is from the latest (or fairly recent) install, from Jules site, it'd seem that this is a problem with that package.

> >
> > HtH and Cheers (BTW, you wouldn't happen to be in Sweden, now would you?)
>
> Thanks for all your help, and yes i'm from Sweden too. Malmö
to be more > specific :) > Stockholm here. Nice to see some fellow countrymen around here:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From t.d.lee at durham.ac.uk Thu Aug 31 12:12:18 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Aug 31 12:12:48 2006 Subject: List of variables for substitution in reports? In-Reply-To: <44F04619.5050504@ecs.soton.ac.uk> References: <017001c6c832$35144a40$1404040a@purple> <44F04619.5050504@ecs.soton.ac.uk> Message-ID: On Sat, 26 Aug 2006, Julian Field wrote: > My sample report files each use all the available variables in each one. > If you need something else somewhere, let me know and I will see about > adding it for you. Julian: The end of a typical report (e.g. "recipient.spam.report.txt") has a 'signature' such as: ----------- snip --------------- MailScanner Email Virus Scanner %org-long-name% %web-site% For all your IT requirements visit: http://www.transtec.co.uk ----------- snip --------------- Our site likes to keep local changes to a minimum, so we try to take your reports as they are. But that final advertisement line isn't appropriate for our site. (And I would guess that we probably aren't alone in this.) Having to chop it out means a lot of potentially unnecessary maintenance effort as new versions of MS go in and their potentially changed reports have to be checked and reconciled. I can understand that you (as MS author) want to give recognition to one of your sponsors where reasonably possible. Fair enough; fine. So could I suggest that you introduce a new variable, such as %sponsor%, and use that in your reports. Your default value of %sponsor% could still be something about "transtec" (i.e. an untweaked install of MS would produce the same result as above). Supplementary: You might also introduce another variable, say %site-msg%, default value empty, which would allow a site to insert its own tag line (mission statement etc.) 
if it so chose. Hope that helps. (I'd be happy to try to beta-test this for you.) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From dave.list at pixelhammer.com Thu Aug 31 13:39:34 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 31 13:40:04 2006 Subject: problem with recive mail from gmx In-Reply-To: <223f97700608310132u61bf876en49ce6d33745cf859@mail.gmail.com> References: <223f97700608310132u61bf876en49ce6d33745cf859@mail.gmail.com> Message-ID: <44F6D886.1080605@pixelhammer.com> Glenn Steen wrote: > On 31/08/06, D?rfler Andreas wrote: >> > DAve >> > I get those at least a few times a day. I ignore them, no complaints >> > from clients so far ;^) My Network admin suggested it was MTU size. I >> > did find this explanation. No idea if it will cause your server to >> > crash, stock prices to fall, or increase global warming. >> > Investigate and >> > make you own decision. >> > >> > http://www.hitechsavvy.com/print.php?sid=210 >> >> well, ive tried it (no risk no fun ^^) but it only raised the problem >> with other mailers >> > Yes, kind of makes sense. If the icmp fragmentation get lost somewhere > (by someone "overzealosly" denying _all_ icmp packets), and this is > all you see of it (this only one sender), it is very likely that the > "denying" is done close to them.... not you. In which case it is a > problem you simply cannot solve (without interraction with ... them). > One could say "they get what they deserve":-). > >> >> > -- Glenn >> > Not with them, and not anyone else... for the time being. "Educating" >> > the other parties postmaster is the only way I know, and that only >> > works some times (when they want to be ... "clued in":-). >> > Other than that, I say it's their problem:-). 
>> >> jea, but my users make it to my problem :/ >> howto say em "forget that crap freemailer, take another one" ... > Ah yes. In my semi-corporate .gov environment, these things can > usually be handled (if it is a "relevant contact", at least)... and > the rest be damned:-):-). I appreciate that you might have a somewhat > different situation, but it is rather likely that there is nothing you > _can_ do:-(. > > Then again, I might be wrong:-) Just out of curiosity, do you run any Milters? I don't recall having this issue prior to running Milter-greylist and Milter-ahead. Possibly the problem is the Milter in front of sendmail? DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From brett at wrl.org Thu Aug 31 14:15:53 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 14:19:05 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: <44F607CD.20307@coders.co.uk> References: <44F5A815.4020801@alexb.ch> <44F607CD.20307@coders.co.uk> Message-ID: Thanks for the input, Matt! On Wed, 30 Aug 2006, Matt Hampton wrote: MH> /etc/init.d/MailScanner stop MH> MH> /usr/sbin/MailScanner --debug MH> MH> what is the output? Here ya go: franklin:~# /usr/sbin/MailScanner --debug In Debugging mode, not forking... Ignore errors about failing to find EOCD signature Stopping now as you are debugging me. 
-- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From P.G.M.Peters at utwente.nl Thu Aug 31 14:26:00 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Aug 31 14:26:31 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> Message-ID: <44F6E368.7010300@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brett Charbeneau wrote on 30-8-2006 17:56: > On Wed, 30 Aug 2006, Glenn Steen wrote: > > GS> How long were you out, and what is your average count of mails/day? > GS> Apart from it being a tad slow, perhaps, it looks to be chugging along > GS> nicely:-). > GS> It just might be a bit of backlog emulating a veritable "thindering > GS> herd" of messages:). > > I let it run yesterday for several hours and my Inbound queue just kept > getting bigger. I know what you mean on chugging along, though. > I'm think the SpamAssassin timeouts were revealing and Alex Broens' post > on the redundant rules may have solved the problem. Do a grep -i "New Batch" on your maillog. I will show sets of two lines. One line telling you how much messages MS thinks is in the queue and how much he is going to process. You can also use /usr/sbin/sendmail - -QQueuedirectory=/var/spool/mqueue.in a few times to see whether the files you find in your mqueue.in are actual complete df/qf pairs or reminants of dropped connections. 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE9uNoelLo80lrIdIRAuyFAJ9cxlkw4NncG6j2c6VHTLtkAYKxJwCfRTic rsYSTCmeiC/mHIyYlh7v1ik= =Z0tJ -----END PGP SIGNATURE----- From P.G.M.Peters at utwente.nl Thu Aug 31 14:29:00 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Aug 31 14:29:06 2006 Subject: Spamassassin 3.1.5 out In-Reply-To: <44F69531.6070109@solidstatelogic.com> References: <44F69531.6070109@solidstatelogic.com> Message-ID: <44F6E41C.2040102@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Hepworth wrote on 31-8-2006 9:52: > All > > http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.5-available%21-tf2190657.html > > > Anyone tested with MS yes - doesn't look like too many issues for us, > but it looks like there's change to the sa-updates handling stuff that > should make local_rules handling better.. It appears SA is starting to do things MS does too. Like disarming script tags. I have an upgrade planned for next week (don't know whether I will make it) and have a look at it. I also have a small problem that I want to wait with reporting until I am running the latest version of everything. 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE9uQcelLo80lrIdIRArAYAKCoGowqVgH27pkm6sg0vbcy23T2tgCfSWRQ 9cCmVF5gIxM0a8Xqs1gEz6k= =mah0 -----END PGP SIGNATURE----- From brett at wrl.org Thu Aug 31 14:32:03 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 14:33:01 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: Message-ID: On Thu, 31 Aug 2006, Res wrote: R> Hi Brett, R> R> On Wed, 30 Aug 2006, Brett Charbeneau wrote: R> R> > Config: calling custom init function MailWatchLogging R> R> Try disable this above option Hmm. This seems to be in MailScanner.conf as Always Looked Up Last = ? It was "&MailWatchLogging" but I've set it to "no" No change, I'm afraid. R> > I've got "Max Children = 5": R> > R> > 29629 ? SNs 0:00 MailScanner: master waiting for children, R> > sleeping R> > 29630 ? SN 0:29 MailScanner: checking with SpamAssassin R> > 29656 ? SN 0:29 MailScanner: virus scanning R> > 29681 ? SN 0:27 MailScanner: checking with SpamAssassin R> > 29694 ? SN 0:28 MailScanner: checking with SpamAssassin R> > 29717 ? SN 0:28 MailScanner: virus scanning R> > 29976 ? DN 0:00 MailScanner: checking with SpamAssassin R> > 29993 ? RN 0:07 MailScanner: checking with SpamAssassin R> > 30052 ? RN 0:03 MailScanner: checking with SpamAssassin R> > 30060 ? DNs 0:00 MailScanner: virus scanning R> > 30061 ? DNs 0:00 MailScanner: virus scanning R> R> R> This seems wrong... if you only have max kids 5, Did you do any upgrade R> in your fixing of the box? I *did* try to upgrade sendmail, but there's an upstream problem with the package, so I was able to downgrade back. 
I let apt-get (this is in Debian) deal with the binaries, but I did check the conf files and they all reverted. R> In an earlier post you showed us with several.... R> MailScanner: starting children R> you showed us: R> > root 29629 1 0 10:01 ? 00:00:00 MailScanner: starting children R> > root 29630 29629 26 10:01 ? 00:00:08 MailScanner: starting children R> > root 29656 29629 28 10:01 ? 00:00:06 MailScanner: starting children R> > root 29681 29629 22 10:01 ? 00:00:02 MailScanner: starting children R> R> This looks wrong.... R> R> You should only see 1 of these once all kids have started, in starting the R> kids you will see two of them, the 1 perm one and the kid starting up, once R> the kid has started you should see: R> MailScanner: waiting for messages R> R> It looks like something is running more than one copy and it is not starting R> properly. R> R> You indicated tmp was corrupted, silly question but does /tmp still have R> permisions of 1777 ? Yepper: drwxrwxrwt 7 root root 2048 Aug 31 09:20 tmp and I'm mounting this as a separate partition in fstab like so: /dev/sda3 /tmp ext3 defaults 0 2 R> Ive done rip out replacements similar to this as im sure most others have and R> never had any hiccups like this. I'm seriously considering going this route and effectively starting over with the MS install. R> If you set the scan messages to off so MailScanner essentially is just a R> relay only, does mail flow again? Yes - sure does. Just no scanning. R> Check Sendmail Dir perms: R> drwxrwx--- 2 smmsp smmsp 4096 2006-08-31 08:45 clientmqueue/ R> drwxr-xr-x 2 root root 4096 2006-08-31 08:45 mqueue/ R> drwxr-x--- 2 root bin 4096 2006-08-31 08:45 mqueue.in/ Okay, now this should be interesting. 
Here's what I got: drwxr-s--- 2 smmta smmsp 28672 Aug 31 09:22 mqueue drwxrws--- 2 smmsp smmsp 4096 Aug 31 09:16 mqueue-client drwxr-x--- 2 root bin 61440 Aug 31 09:22 mqueue.in Carl Andrews was kind enough to refer me to a page specific to (the previous version of) Debian http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_highlightWords=debian&file=226 which conflicts with http://www.mailscanner.info/sendmail.html Since the former is of my distro, I went ahead and changed it to what "Michiel" of the former site suggests: drwxr-s--- 2 smmta smmsp 28672 Aug 31 09:26 mqueue drwxrws--- 2 smmsp smmsp 4096 Aug 31 09:16 mqueue-client drwxr-s--- 2 smmta smmsp 61440 Aug 31 09:29 mqueue.in I'll run this for a while and report back to the list. R> I also strongly suggest that you should upgrade, 4.51 is rather old R> any many of us may be trying to offer suggestions based on later releases. R> (like my display info above, cant recall when that was changed) Debian *is* quite conservative on what it considers "stable". For the most part I agree with them, but I should probably consider installing MS from a tarball instead... -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From ugob at camo-route.com Thu Aug 31 14:42:47 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 14:43:35 2006 Subject: OT: Sendmail restriction Message-ID: Hi, I'm looking for a way, in sendmail, to set access rule, saying: Accept messages for domain.com only from this IP address. I did some research yesterday, but could only find a way to restrict by IP for all domains managed by sendmail. Any ideas? 
Regards, Ugo From brett at wrl.org Thu Aug 31 15:13:24 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 15:14:20 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: <44F6E368.7010300@utwente.nl> References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> Message-ID: Thanks for weighing in, Peter! On Thu, 31 Aug 2006, Peter Peters wrote: PP> > I let it run yesterday for several hours and my Inbound queue just kept PP> > getting bigger. I know what you mean on chugging along, though. PP> > I'm think the SpamAssassin timeouts were revealing and Alex Broens' post PP> > on the redundant rules may have solved the problem. PP> PP> Do a grep -i "New Batch" on your maillog. I will show sets of two lines. PP> One line telling you how much messages MS thinks is in the queue and how PP> much he is going to process. Here ya go: franklin:/var/spool# tailmail | grep -i "New Batch" Aug 31 09:37:29 franklin MailScanner[22258]: New Batch: Found 122 messages waiting Aug 31 09:37:29 franklin MailScanner[22258]: New Batch: Scanning 10 messages, 75798 bytes Aug 31 09:38:53 franklin MailScanner[22487]: New Batch: Found 125 messages waiting Aug 31 09:38:53 franklin MailScanner[22487]: New Batch: Scanning 3 messages, 27060 bytes Aug 31 09:39:22 franklin MailScanner[22493]: New Batch: Found 128 messages waiting Aug 31 09:39:22 franklin MailScanner[22493]: New Batch: Scanning 3 messages, 27490 bytes Aug 31 09:39:53 franklin MailScanner[22507]: New Batch: Found 129 messages waiting Aug 31 09:39:53 franklin MailScanner[22507]: New Batch: Scanning 1 messages, 3678 bytes Aug 31 09:40:33 franklin MailScanner[22507]: New Batch: Found 129 messages waiting Aug 31 09:40:33 franklin MailScanner[22507]: New Batch: Scanning 1 messages, 16175 bytes Aug 31 09:40:56 franklin MailScanner[22526]: New Batch: Found 128 messages waiting Aug 31 09:40:56 franklin MailScanner[22526]: New Batch: Scanning 1 
messages, 4351 bytes Aug 31 09:41:02 franklin MailScanner[22512]: New Batch: Found 128 messages waiting Aug 31 09:41:02 franklin MailScanner[22512]: New Batch: Scanning 1 messages, 16178 bytes PP> You can also use /usr/sbin/sendmail PP> - -QQueuedirectory=/var/spool/mqueue.in a few times to see whether the PP> files you find in your mqueue.in are actual complete df/qf pairs or PP> reminants of dropped connections. Now THAT'S a handy command. But I can't get it to complete on my machine. I reniced it to -15 and let it chew for almost 20 minutes - no output. -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From martin.lyberg at gmail.com Thu Aug 31 15:50:38 2006 From: martin.lyberg at gmail.com (Martin) Date: Thu Aug 31 15:51:28 2006 Subject: Trouble with Bayes In-Reply-To: <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com> <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> Message-ID: Glenn Steen wrote: > Ah, that explains it. IIRC the Debian (and clones, like Ubuntu) "lag" > quite a bit, version-wise. Jules has a debian package on his pages, > but i think you need dpkg it... Or can one set that as a separate apt > repository? > Anyway, if that "missing link" is from the latest (or fairly recent) > install, from Jules site, it'd seem that this is a problem with that > package. Yeah, i know that Debian by default don't update to the latest versions on Deb sarge stable. Though, i've used "testing" for some packages like mailscanner, spamassassin and clamav. 
Now i'm using volatile for SA etc. My current versions: SpamAssassin version 3.1.4 MailScanner version 4.51.5 (currently behind) have not yet decided to try to upgrade this. Don't know if it will break anything. I have a testmachine with similar setup. Will try this first. None of the packages are installed from Julians site though. > Stockholm here. Nice to see some fellow countrymen around here:-) Couldn't agree more :) / Martin From martin.lyberg at gmail.com Thu Aug 31 15:56:22 2006 From: martin.lyberg at gmail.com (Martin) Date: Thu Aug 31 15:56:36 2006 Subject: Debian package outdated? In-Reply-To: <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com> <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> Message-ID: Glenn Steen wrote: > quite a bit, version-wise. Jules has a debian package on his pages, > but i think you need dpkg it... Or can one set that as a separate apt > repository? Since we're talking about versions here, why is the Debian package only at 4.51.5-1 (link on mailscanner site is pointing to Debian unstable)? There are many versions released after this one. Anyone? From mailscanner at yeticomputers.com Thu Aug 31 16:16:11 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 31 16:16:24 2006 Subject: Debian package outdated? In-Reply-To: References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com> <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> Message-ID: <44F6FD3B.6050302@yeticomputers.com> I asked myself this about nearly every package I had installed during my year-long Debian phase. 
I understand that it's not necessary to have the newest, shiniest stuff if everything is working, but that didn't suit my personality, so I was not a good match with Debian. If you want up-to-date packages, Debian is not the best choice of distros. If you want secure and stable with a minimum of maintenance, Debian works very well. Martin wrote: > Glenn Steen wrote: > >> quite a bit, version-wise. Jules has a debian package on his pages, >> but i think you need dpkg it... Or can one set that as a separate apt >> repository? > > Since we're talking about versions here, why is the Debian package > only at 4.51.5-1 (link on mailscanner site is pointing to Debian > unstable)? There are many versions released after this one. > > Anyone? > From michele at blacknight.ie Thu Aug 31 16:20:40 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions) Date: Thu Aug 31 16:20:50 2006 Subject: Debian package outdated? In-Reply-To: Message-ID: <042901c6cd11$07edf050$88c5c657@arthur> Martin wrote: > Glenn Steen wrote: > >> quite a bit, version-wise. Jules has a debian package on his pages, >> but i think you need dpkg it... Or can one set that as a separate apt >> repository? > > Since we're talking about versions here, why is the Debian package > only at 4.51.5-1 (link on mailscanner site is pointing to Debian > unstable)? There are many versions released after this one. > > Anyone? Because it's in apt? Because Julian is overworked? Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From TGFurnish at herffjones.com Thu Aug 31 16:51:02 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Thu Aug 31 16:51:08 2006 Subject: Really simple question for someone -- default for Archive Mail? 
Message-ID: <57573D714A832C43B9D80EAFBDA48D030135727C@inex3.herffjones.hj-int> Ok, for a value whose default is to be blank (ie Archive Mail), how do you set the default in a ruleset? Do you need to? In other words, if I make Archive Mail be a ruleset, do I need a "FromOrTo: default" line, and if so, what should be the third field? -- Trever From doko at cs.tu-berlin.de Thu Aug 31 16:51:58 2006 From: doko at cs.tu-berlin.de (Matthias Klose) Date: Thu Aug 31 16:52:03 2006 Subject: Debian package outdated? In-Reply-To: References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com> <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> Message-ID: <17655.1438.883294.598086@gargle.gargle.HOWL> Martin writes: > Glenn Steen wrote: > > > quite a bit, version-wise. Jules has a debian package on his pages, > > but i think you need dpkg it... Or can one set that as a separate apt > > repository? > > Since we're talking about versions here, why is the Debian package only > at 4.51.5-1 (link on mailscanner site is pointing to Debian unstable)? > There are many versions released after this one. I have a recent package, but I don't know if it still makes sense to provide the package in Debian. The recent releases don't ship any documentation. Even the manual pages are dropped. Checked on the website, which documentation could be included: - the online documentation doesn't have any copyright statements. In this way it's not distributable by Debian. Please point me to the copyright(s), if I'm wrong. - the online html documentation currently isn't really nice to distribute, including all the advertising on every page. - The MailScanner-Manual-Version-1.0.5.pdf (which I currently cannot find on the website anymore) has a copyright, which doesn't allow distribution of MailScanner as free documentation. 
So we are down to a piece of software which Debian can only ship without documentation. I'm not sure if that makes sense. MailScanner itself may be still free software, but much of that status is lost without free documentation. Julien, please correct me if I'm wrong. Matthias From steve.swaney at fsl.com Thu Aug 31 17:22:13 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Aug 31 17:22:16 2006 Subject: Debian package outdated? In-Reply-To: <17655.1438.883294.598086@gargle.gargle.HOWL> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Matthias Klose > Sent: Thursday, August 31, 2006 11:52 AM > To: MailScanner discussion > Cc: Martin > Subject: Re: Debian package outdated? > > Martin writes: > > Glenn Steen wrote: > > > > > quite a bit, version-wise. Jules has a debian package on his pages, > > > but i think you need dpkg it... Or can one set that as a separate apt > > > repository? > > > > Since we're talking about versions here, why is the Debian package only > > at 4.51.5-1 (link on mailscanner site is pointing to Debian unstable)? > > There are many versions released after this one. > > I have a recent package, but I don't know if it still makes sense to > provide the package in Debian. The recent releases don't ship any > documentation. Even the manual pages are dropped. Checked on the > website, which documentation could be included: > > - the online documentation doesn't have any copyright statements. > In this way it's not distributable by Debian. Please point me > to the copyright(s), if I'm wrong. > > - the online html documentation currently isn't really nice to > distribute, including all the advertising on every page. > > - The MailScanner-Manual-Version-1.0.5.pdf (which I currently cannot > find on the website anymore) has a copyright, which doesn't allow > distribution of MailScanner as free documentation. 
> > So we are down to a piece of software which Debian can only ship > without documentation. I'm not sure if that makes sense. MailScanner > itself may be still free software, but much of that status is lost > without free documentation. Julien, please correct me if I'm wrong. > > Matthias I'm in the process of updating all of the basic Documentation. I can probably put together a copyright free version for distribution with Debian. It would be the basic Configuration and Installation instructions in text format. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From beatinger at edenhosting.net Thu Aug 31 17:31:45 2006 From: beatinger at edenhosting.net (Bjorgen T. Eatinger) Date: Thu Aug 31 17:31:52 2006 Subject: Batch Constantly Growing in Size Issue Message-ID: For unknown reason, my mail server started getting way behind in processing messages in the MailScanner batch, and the amount waiting just keeps growing and never decreases, but about 10 to 20 messages per day. Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Found 453 messages waiting Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Forwarding 1 unscanned messages, 36314 bytes Is anyone else experiencing this and/or know what this is all about and how to resolve it? I've searched the Internet for answers for more than 1 month with no success. I did try using the debug feature, and got zero results (no issues). I also tried searching the Archives and FAQs, also with no results. Please help! Thank you, Bjorgen Eatinger -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060831/1dbea9b0/attachment.html From lshaw at emitinc.com Thu Aug 31 18:01:16 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Thu Aug 31 18:01:30 2006 Subject: mqueue.in just gets bigger - no delivery? 
In-Reply-To: References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> Message-ID: On Thu, 31 Aug 2006, Brett Charbeneau wrote: > On Thu, 31 Aug 2006, Peter Peters wrote: > PP> You can also use /usr/sbin/sendmail > PP> - -QQueuedirectory=/var/spool/mqueue.in a few times to see whether the > PP> files you find in your mqueue.in are actual complete df/qf pairs or > PP> reminants of dropped connections. > > Now THAT'S a handy command. > But I can't get it to complete on my machine. I reniced it to -15 and > let it chew for almost 20 minutes - no output. That doesn't look like quite the right command to me. Should be this instead, I think: sendmail -bp -OQueueDirectory=/var/spool/mqueue.in - Logan From doko at cs.tu-berlin.de Thu Aug 31 18:04:09 2006 From: doko at cs.tu-berlin.de (Matthias Klose) Date: Thu Aug 31 18:04:15 2006 Subject: Debian package outdated? In-Reply-To: References: <17655.1438.883294.598086@gargle.gargle.HOWL> Message-ID: <17655.5769.82098.427576@gargle.gargle.HOWL> Stephen Swaney writes: > I'm in the process of updating all of the basic Documentation. I can > probably put together a copyright free version for distribution with Debian. a copyright free version doesn't help. The documentation should have a copyright and a license which allows distribution. > It would be the basic Configuration and Installation instructions in text > format. that would be nice. Matthias From matt at coders.co.uk Thu Aug 31 18:09:40 2006 From: matt at coders.co.uk (Matt Hampton) Date: Thu Aug 31 18:09:49 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> Message-ID: <44F717D4.5040305@coders.co.uk> Brett Charbeneau wrote: > Thanks for weighing in, Peter! 
> > On Thu, 31 Aug 2006, Peter Peters wrote: > > PP> > I let it run yesterday for several hours and my Inbound queue just kept > PP> > getting bigger. I know what you mean on chugging along, though. > PP> > I'm think the SpamAssassin timeouts were revealing and Alex Broens' post > PP> > on the redundant rules may have solved the problem. > PP> > PP> Do a grep -i "New Batch" on your maillog. I will show sets of two lines. > PP> One line telling you how much messages MS thinks is in the queue and how > PP> much he is going to process. > > Here ya go: > > franklin:/var/spool# tailmail | grep -i "New Batch" > Aug 31 09:37:29 franklin MailScanner[22258]: New Batch: Found 122 messages > waiting > Aug 31 09:37:29 franklin MailScanner[22258]: New Batch: Scanning 10 messages, > 75798 bytes > Aug 31 09:38:53 franklin MailScanner[22487]: New Batch: Found 125 messages > waiting > Aug 31 09:38:53 franklin MailScanner[22487]: New Batch: Scanning 3 messages, > 27060 bytes > Aug 31 09:39:22 franklin MailScanner[22493]: New Batch: Found 128 messages > waiting > Aug 31 09:39:22 franklin MailScanner[22493]: New Batch: Scanning 3 messages, > 27490 bytes > Aug 31 09:39:53 franklin MailScanner[22507]: New Batch: Found 129 messages > waiting > Aug 31 09:39:53 franklin MailScanner[22507]: New Batch: Scanning 1 messages, > 3678 bytes > Aug 31 09:40:33 franklin MailScanner[22507]: New Batch: Found 129 messages > waiting > Aug 31 09:40:33 franklin MailScanner[22507]: New Batch: Scanning 1 messages, > 16175 bytes > Aug 31 09:40:56 franklin MailScanner[22526]: New Batch: Found 128 messages > waiting > Aug 31 09:40:56 franklin MailScanner[22526]: New Batch: Scanning 1 messages, > 4351 bytes > Aug 31 09:41:02 franklin MailScanner[22512]: New Batch: Found 128 messages > waiting > Aug 31 09:41:02 franklin MailScanner[22512]: New Batch: Scanning 1 messages, > 16178 bytes > > PP> You can also use /usr/sbin/sendmail > PP> - -QQueuedirectory=/var/spool/mqueue.in a few times to see whether the > PP> 
files you find in your mqueue.in are actual complete df/qf pairs or > PP> remnants of dropped connections. > > Now THAT'S a handy command. > But I can't get it to complete on my machine. I reniced it to -15 and > let it chew for almost 20 minutes - no output. > > OK to confirm: You have checked the permission on /var/spool/MailScanner (and child directories) You have checked that the Lock Type is correct. Try removing the oldest messages from the queue and move them to another directory and see what happens. Could be a single message doing this..... matt From brett at wrl.org Thu Aug 31 18:47:00 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 18:51:40 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> Message-ID: On Thu, 31 Aug 2006, Logan Shaw wrote: LS> That doesn't look like quite the right command to me. Should be LS> this instead, I think: LS> LS> sendmail -bp -OQueueDirectory=/var/spool/mqueue.in Ah - NOW I get output. Man, *lots* of mismatched pairs. Like k7UBtv0q020039readqf: cannot open ./dfk7UBtv0q020039: No such file or directory -1 Wed Aug 30 07:56 8BITMIME I need to look into this sendmail parameter. Not used it before... -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From ugob at camo-route.com Thu Aug 31 18:55:12 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 18:56:07 2006 Subject: Batch Constantly Growing in Size Issue In-Reply-To: References: Message-ID: Bjorgen T. 
Eatinger wrote: > > For unknown reason, my mail server started getting way behind in > processing messages in the MailScanner batch, and the amount waiting > just keeps growing and never decreases, but about 10 to 20 messages per day. > Probably since the last upgrade? did you fix the lock type? If you did, then maybe you should clean up your mqueue.in. > Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Found 453 messages > waiting > Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Forwarding 1 > unscanned messages, 36314 bytes > > Is anyone else experiencing this and/or know what this is all about and > how to resolve it? > > I've searched the Internet for answers for more than 1 month with no > success. I did try using the debug feature, and got zero results (no > issues). > > I also tried searching the Archives and FAQs, also with no results. > > Please help! > > Thank you, Bjorgen Eatinger > From naolson at gmail.com Thu Aug 31 19:02:34 2006 From: naolson at gmail.com (Nathan Olson) Date: Thu Aug 31 19:02:37 2006 Subject: OT: Sendmail restriction In-Reply-To: References: Message-ID: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> The check_compat ruleset? Nate -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060831/d0663a31/attachment.html From ugob at camo-route.com Thu Aug 31 19:05:39 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 19:10:32 2006 Subject: OT: Sendmail restriction In-Reply-To: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> References: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> Message-ID: Nathan Olson wrote: > The check_compat ruleset? Where can I find documentation about this? Do you have an url or sample config? 
Regards, > > Nate > From ugob at camo-route.com Thu Aug 31 19:05:04 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 19:15:58 2006 Subject: Batch Constantly Growing in Size Issue In-Reply-To: References: Message-ID: Ugo Bellavance wrote: > Bjorgen T. Eatinger wrote: >> >> For unknown reason, my mail server started getting way behind in >> processing messages in the MailScanner batch, and the amount waiting >> just keeps growing and never decreases, but about 10 to 20 messages >> per day. >> > > Probably since the last upgrade? did you fix the lock type? If you > did, then maybe you should clean up your mqueue.in. I used find /var/spool/mqueue.in -type f -mtime +2 -print to display orphaned files and find /var/spool/mqueue.in -type f -mtime +2 -print | xargs rm -f to delete them. > >> Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Found 453 messages >> waiting >> Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Forwarding 1 >> unscanned messages, 36314 bytes >> >> Is anyone else experiencing this and/or know what this is all about >> and how to resolve it? >> >> I've searched the Internet for answers for more than 1 month with no >> success. I did try using the debug feature, and got zero results (no >> issues). >> >> I also tried searching the Archives and FAQs, also with no results. >> >> Please help! >> >> Thank you, Bjorgen Eatinger >> > From naolson at gmail.com Thu Aug 31 19:22:27 2006 From: naolson at gmail.com (Nathan Olson) Date: Thu Aug 31 19:22:29 2006 Subject: OT: Sendmail restriction In-Reply-To: References: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> Message-ID: <8f54b4330608311122h5708c8ewf647d91ce2aec7e1@mail.gmail.com> http://www.sendmail.org/m4/features.html Look for compat_check Nate -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060831/70a3d4a6/attachment.html From ttaylor20060622 at duh.net Thu Aug 31 19:44:05 2006 From: ttaylor20060622 at duh.net (Travis Taylor) Date: Thu Aug 31 19:44:35 2006 Subject: OT: Sendmail forwarding envelope trick? Message-ID: This is a bit off topic, but thought I'd throw it out here. Maybe someone got an idea why this happened or where I might post this to figure it out. One of our MailScanners received a message from a mail forwarding account on yahoo to one of our clients. After scanning it, it attempted to deliver it to the internal mail server. It was refused because of the domain "bumeran.com.br", which should have been refused on the MailScanner box originally. Upon checking the logs, the envelope address used was "rrhhbr6.bumeran.com", not "bumeran.com.br". I did a quick google, but did not find anything relevant. How is this possible? Anyone got any ideas? Below is some sanitized data to protect the innocent. Take note of the difference of the MAIL FROM in the message Received header and MAIL FROM envelope address in the log. I suspect the "rrhhbr6" of the envelope address has something to do with it. Also check out the smtp.bumeran.com session transcripts. MailScanner log: Aug 30 01:50:44 vps sendmail[3158]: NOQUEUE: connect from mta327.mail.mud.yahoo.com [209.191.88.80] Aug 30 01:51:20 vps sendmail[3158]: k7U6oiuD003158: <-- HELO mta327.mail.mud.yahoo.com Aug 30 01:51:21 vps sendmail[3158]: k7U6oiuD003158: <-- MAIL FROM: Aug 30 01:51:25 vps sendmail[3158]: k7U6oiuD003158: --- 250 2.1.0 ... Sender ok Aug 30 01:51:25 vps sendmail[3158]: k7U6oiuD003158: <-- RCPT TO: Aug 30 01:51:25 vps sendmail[3158]: k7U6oiuD003158: --- 250 2.1.5 ... 
Recipient ok Aug 30 01:51:26 vps sendmail[3158]: k7U6oiuD003158: <-- DATA Aug 30 01:51:26 vps sendmail[3158]: k7U6oiuD003158: from=, size=1548, class=0, nrcpts=1, msgid=<71302505789165.1F390036EF@1CBKS>, proto=SMTP, daemon=Daemon0, relay=mta327.mail.mud.yahoo.com [209.191.88.80] Aug 30 01:51:26 vps sendmail[3158]: k7U6oiuE003158: <-- QUIT Aug 30 01:51:26 vps sendmail[3158]: k7U6oiuE003158: --- 221 2.0.0 example.com closing connection Aug 30 01:51:52 vps MailScanner[31186]: Message k7U6oiuD003158 from 209.191.88.80 (ambling.alpert@rrhhbr6.bumeran.com) to example.net is spam, SpamAssassin (score=15.729 Bounce message to postmaster: Return-Path: Received: from localhost (localhost) by example.com (8.13.1/8.13.1) id k7U6q1RI003173; Wed, 30 Aug 2006 01:52:05 -0500 (envelope-from MAILER-DAEMON) Date: Wed, 30 Aug 2006 01:52:05 -0500 From: Mail Delivery Subsystem Message-Id: <200608300652.k7U6q1RI003173@example.com> To: postmaster-sending@example.com MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="k7U6q1RI003173.1156920725/example.com" Subject: Postmaster notify: see transcript for details Auto-Submitted: auto-generated (postmaster-notification) Parts/Attachments: 1 Shown 14 lines Text 2 Shown 343 bytes Message, "Delivery Status" 3 Shown 14 lines Text ---------------------------------------- The original message was received at Wed, 30 Aug 2006 01:52:01 -0500 from localhost with id k7U6q1RH003173 ----- The following addresses had permanent fatal errors ----- (reason: 550 5.1.1 ... User unknown) ----- Transcript of session follows ----- ... while talking to smtp.bumeran.com.: >>> DATA <<< 550 5.1.1 ... User unknown 550 5.1.1 ... 
User unknown <<< 503 5.0.0 Need RCPT (recipient) Bounce message to recipient: Return-Path: Received: from localhost (localhost) by example.com (8.13.1/8.13.1) id k7U6q1RJ003173; Wed, 30 Aug 2006 01:52:05 -0500 (envelope-from MAILER-DAEMON) Date: Wed, 30 Aug 2006 01:52:05 -0500 From: Mail Delivery Subsystem Message-Id: <200608300652.k7U6q1RJ003173@example.com> To: postmaster-error@example.com MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="k7U6q1RJ003173.1156920725/example.com" Subject: Postmaster notify: see transcript for details Auto-Submitted: auto-generated (postmaster-notification) Parts/Attachments: 1 Shown 13 lines Text 2 Shown 376 bytes Message, "Delivery Status" 3 Shown 32 lines Text ---------------------------------------- The original message was received at Wed, 30 Aug 2006 01:51:25 -0500 from mta327.mail.mud.yahoo.com [209.191.88.80] with id k7U6oiuD003158 ----- The following addresses had permanent fatal errors ----- (reason: 550 5.0.0 ... REFUSED - WE DO NOT ACCEPT MAIL FROM OUTSIDE US ----- Transcript of session follows ----- ... while talking to mx1.mx-router.example.com.: >>> MAIL From: SIZE=2128 <<< 550 5.0.0 ... 
REFUSED - WE DO NOT ACCEPT MAIL FROM OUTSIDE US 554 5.0.0 Service unavailable Return-Path: Received: from mta327.mail.mud.yahoo.com (mta327.mail.mud.yahoo.com [209.191.88.80]) by example.com (8.13.1/8.13.1) with SMTP id k7U6oiuD003158 for ; Wed, 30 Aug 2006 01:51:25 -0500 (envelope-from ambling.alpert@bumeran.com.br) X-Yahoo-Forwarded: from example@yahoo.com to pat@example.net X-Rocket-Spam: 202.72.209.202 X-YahooFilteredBulk: 202.72.209.202 X-Originating-IP: [202.72.209.202] Authentication-Results: mta327.mail.mud.yahoo.com from=rrhhbr6.bumeran.com; domainkeys=neutral (no sig) Received: from 202.72.209.202 (EHLO LILA.1peu.org) (202.72.209.202) by mta327.mail.mud.yahoo.com with SMTP; Tue, 29 Aug 2006 23:50:43 -0700 Message-ID: <71302505789165.1F390036EF@1CBKS> From: "ambling" To: Subject: Express cash credit Date: Wed, 30 Aug 2006 13:48:07 +0700 MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: H8aU1Q3avkrUQOhuPdvdeBQwqjtlbc8jgnLE Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit From mikea at mikea.ath.cx Thu Aug 31 20:05:04 2006 From: mikea at mikea.ath.cx (mikea) Date: Thu Aug 31 20:05:08 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: ; from lshaw@emitinc.com on Thu, Aug 31, 2006 at 12:01:16PM -0500 References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> Message-ID: <20060831140504.J45824@mikea.ath.cx> On Thu, Aug 31, 2006 at 12:01:16PM -0500, Logan Shaw wrote: > On Thu, 31 Aug 2006, Brett Charbeneau wrote: > > On Thu, 31 Aug 2006, Peter Peters wrote: > > > PP> You can also use /usr/sbin/sendmail > > PP> - -QQueuedirectory=/var/spool/mqueue.in a few times to see whether the > > PP> files you find in your mqueue.in are actual complete df/qf pairs or > > PP> remnants of dropped connections. > > > > Now THAT'S a handy command. 
> > But I can't get it to complete on my machine. I reniced it to -15 and > > let it chew for almost 20 minutes - no output. > > That doesn't look like quite the right command to me. Should be > this instead, I think: > > sendmail -bp -OQueueDirectory=/var/spool/mqueue.in Yes; I use sendmail -v -bp -OQueueDirectory=/var/spool/mqueue.in the -v flag provides a _little_ more information; without it, long addresses may wind up being truncated. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From brett at wrl.org Thu Aug 31 20:07:48 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 20:14:14 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: <44F717D4.5040305@coders.co.uk> References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <44F717D4.5040305@coders.co.uk> Message-ID: On Thu, 31 Aug 2006, Matt Hampton wrote: MH> OK to confirm: MH> MH> You have checked the permission on /var/spool/MailScanner (and child MH> directories) drwxr-x--- 5 mail mail 4096 Aug 31 12:10 MailScanner drwxr-x--- 2 mail mail 4096 Mar 5 20:29 archive drwxr-x--- 14 mail mail 4096 Aug 31 15:04 incoming drwxr-x--- 2 mail mail 4096 Mar 5 20:29 quarantine MH> You have checked that the Lock Type is correct. This is a sendmail machine, Lock Type = MH> Try removing the oldest messages from the queue and move them to another MH> directory and see what happens. Could be a single message doing this..... Good plan - and already tried that. Didn't make a difference I'm afraid. -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From beatinger at edenhosting.net Thu Aug 31 20:16:44 2006 From: beatinger at edenhosting.net (Bjorgen T. 
Eatinger) Date: Thu Aug 31 20:16:50 2006 Subject: Is This List Working? Message-ID: I sent an email hours ago, and it should send my posting to myself, and I never received it. Can someone out there please confirm that this list is working? Thank you so much! Bjorgen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060831/da3b3d18/attachment.html From Kevin_Miller at ci.juneau.ak.us Thu Aug 31 20:22:33 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 31 20:22:37 2006 Subject: Is This List Working? In-Reply-To: Message-ID: Yup - working fine. Reply sent to the list and the original poster.... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bjorgen T. Eatinger Sent: Thursday, August 31, 2006 11:17 AM To: mailscanner@lists.mailscanner.info Cc: Bjorgen T. Eatinger Subject: Is This List Working? I sent an email hours ago, and it should send my posting to myself, and I never received it. Can someone out there please confirm that this list is working? Thank you so much! Bjorgen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060831/600e4a29/attachment.html From mkettler at evi-inc.com Thu Aug 31 20:26:11 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 31 20:26:36 2006 Subject: Is This List Working? In-Reply-To: References: Message-ID: <44F737D3.20500@evi-inc.com> Bjorgen T. Eatinger wrote: > I sent an email hours ago, and it should send my posting to myself, and > I never received it. > > Can someone out there please confirm that this list is working? 
You sent it 3 hours ago, and it came through just fine. Date: Thu, 31 Aug 2006 09:31:45 -0700 From: "Bjorgen T. Eatinger" To: Cc: mailscanner@ecs.soton.ac.uk, mailscanner@lists.mailscanner.info Subject: Batch Constantly Growing in Size Issue However, based on that message, you might want to check and see if it is stuck in your mqueue.in. From ugob at camo-route.com Thu Aug 31 20:28:01 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 20:28:31 2006 Subject: Is This List Working? In-Reply-To: References: Message-ID: <44F73841.7010103@camo-route.com> Bjorgen T. Eatinger wrote: > I sent an email hours ago, and it should send my posting to myself, and > I never received it. > > Can someone out there please confirm that this list is working? > Yes, I wrote you back. > Probably since the last upgrade? Did you fix the lock type? If you did, then maybe you should clean up your mqueue.in. I used find /var/spool/mqueue.in -type f -mtime +2 -print to display orphaned files and find /var/spool/mqueue.in -type f -mtime +2 -print | xargs rm -f to delete them. > Thank you so much! > Bjorgen > From mikej at rogers.com Thu Aug 31 20:30:48 2006 From: mikej at rogers.com (Mike Jakubik) Date: Thu Aug 31 20:30:40 2006 Subject: Is This List Working? In-Reply-To: References: Message-ID: <44F738E8.90106@rogers.com> Bjorgen T. Eatinger wrote: > I sent an email hours ago, and it should send my posting to myself, > and I never received it. > > Can someone out there please confirm that this list is working? > Nope, it's busted. 
From ebhoeve-ms at ehoeve.com Thu Aug 31 20:38:57 2006 From: ebhoeve-ms at ehoeve.com (Eric) Date: Thu Aug 31 20:39:17 2006 Subject: Want more log detail from SpamAssassin via MailScanner In-Reply-To: <20060831140504.J45824@mikea.ath.cx> References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <20060831140504.J45824@mikea.ath.cx> Message-ID: <1157053134.6031.189.camel@ws28.ehoeve.com> I am trying to get MailScanner to increase verbosity on SpamAssassin Tests (similar to what spamassassin -D --lint outputs). I do see this when I set "Debug = yes", but I would like to be able to see this in the logfile and not have the MailScanner die after one batch of email. All I see with regards to SpamAssassin is: Aug 31 14:29:45 server MailScanner[4265]: Message 708F1694C.EEF4C from 19.345.789.012 (newsletter@domain.com) to mydomain.com is spam, SpamAssassin (not cached, score=10.689, required 8, autolearn=spam, DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, DK_POLICY_SIGNSOME 0.00, DNS_FROM_AHBL_RHSBL 0.31, NO_OBLIGATION 0.30, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_PASS -0.00, URIBL_JP_SURBL 3.36, URIBL_OB_SURBL 2.62) I am running this on SLES (SuSE) 10, SA 3.1.4, ClamAV 0.88.4 I have included below (what I believe to be the relevant part) of MailScanner.conf. 
/etc/MailScanner.conf Run As User = postfix Run As Group = postfix Queue Scan Interval = 30 Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = /var/spool/postfix/incoming Incoming Work Dir = /var/spool/MailScanner/incoming Quarantine Dir = /var/spool/MailScanner/quarantine PID file = /var/run/MailScanner.pid Restart Every = 14400 MTA = postfix Sendmail = /usr/sbin/sendmail Sendmail2 = /usr/sbin/sendmail Incoming Work User = Incoming Work Group = Incoming Work Permissions = 0600 Quarantine User = Quarantine Group = Quarantine Permissions = 0600 Max Unscanned Bytes Per Scan = 100000000 Max Unsafe Bytes Per Scan = 50000000 Max Unscanned Messages Per Scan = 30 Max Unsafe Messages Per Scan = 30 Max Normal Queue Size = 800 Scan Messages = yes MailScanner Version Number = 4.55.10 Debug = no Debug SpamAssassin = yes I can supply more info upon request. Any help would be greatly appreciated. Thanks in advance. -Eric From brett at wrl.org Thu Aug 31 20:51:16 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Aug 31 20:52:21 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: Message-ID: Check this out, I HOPE this will tell something to somebody. 
Again, this is on a Debian box using sendmail as the MTA: drwxr-x--- 5 mail mail 4096 Aug 31 12:10 MailScanner franklin:/var/spool# ls -al MailScanner/ drwxr-x--- 2 mail mail 4096 Mar 5 20:29 archive drwxr-x--- 6 mail mail 4096 Aug 31 15:45 incoming drwxr-x--- 2 mail mail 4096 Mar 5 20:29 quarantine MailScanner has been relaying messages happily with "Scan Message = no" If I set it to "Scan Message = yes" and "Lock type = ", I get these errors in mail.log: Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot open ./dfk7VJLJCD018230: No such file or directory Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot open ./dfk7VIliaT014900: No such file or directory Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot open ./dfk7VIvrZp015791: No such file or directory Even with "Lock type = flock" these still appear. Any ideas? -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From ugob at camo-route.com Thu Aug 31 20:53:13 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 20:54:12 2006 Subject: Batch Constantly Growing in Size Issue In-Reply-To: References: Message-ID: Ugo Bellavance wrote: > Ugo Bellavance wrote: >> Bjorgen T. Eatinger wrote: >>> >>> For unknown reason, my mail server started getting way behind in >>> processing messages in the MailScanner batch, and the amount waiting >>> just keeps growing and never decreases, but about 10 to 20 messages >>> per day. >>> >> >> Probably since the last upgrade? did you fix the lock type? By lock type, I mean look at your MailScanner.conf file for this section: # How to lock spool files. # Don't set this unless you *know* you need to. 
# For sendmail, it defaults to "posix". # For sendmail 8.12 and older, you will probably need to change it to flock, # particularly on Linux systems. # For Exim, it defaults to "posix". # No other type is implemented. Lock Type = posix Make sure it is ok for your mta. >> If you >> did, then maybe you should clean up your mqueue.in. > > I used > > find /var/spool/mqueue.in -type f -mtime +2 -print > > to display orphaned files and > > find /var/spool/mqueue.in -type f -mtime +2 -print | xargs rm -f > > to delete them. > >> >>> Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Found 453 messages >>> waiting >>> Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Forwarding 1 >>> unscanned messages, 36314 bytes >>> >>> Is anyone else experiencing this and/or know what this is all about >>> and how to resolve it? >>> >>> I've searched the Internet for answers for more than 1 month with no >>> success. I did try using the debug feature, and got zero results (no >>> issues). >>> >>> I also tried searching the Archives and FAQs, also with no results. >>> >>> Please help! >>> >>> Thank you, Bjorgen Eatinger >>> >> > From mailscanner at ecs.soton.ac.uk Thu Aug 31 21:01:39 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 31 21:01:48 2006 Subject: Batch Constantly Growing in Size Issue In-Reply-To: References: Message-ID: <44F74023.5010002@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you are getting the output below, then you are getting loads of broken connections, resulting in qf files without any df files or vice versa. This is definitely a sendmail problem, not a MailScanner problem. If you have loads of df files without qf's or qf's without df's then you can just delete them. You should investigate why you are getting lots of broken SMTP connections. MailScanner does not get involved with the SMTP traffic at all, not in any way, so for some reason you are getting broken SMTP connections. 
All the files involved are simple text files, so you may be able to see if they are all from the same place perhaps? The specification of the qf files is documented in the O'Reilly sendmail book, and has not changed for many years. I wish you luck investigating your sendmail problem. Bjorgen T. Eatinger wrote: > > For unknown reason, my mail server started getting way behind in > processing messages in the MailScanner batch, and the amount waiting > just keeps growing and never decreases, but about 10 to 20 messages per day. > > Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Found 453 messages > waiting > Aug 31 09:24:16 mail MailScanner[5531]: New Batch: Forwarding 1 > unscanned messages, 36314 bytes > > Is anyone else experiencing this and/or know what this is all about and > how to resolve it? > > I've searched the Internet for answers for more than 1 month with no > success. I did try using the debug feature, and got zero results (no > issues). > > I also tried searching the Archives and FAQs, also with no results. > > Please help! > > Thank you, Bjorgen Eatinger > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Charset: ISO-8859-1 wj8DBQFE90AkEfZZRxQVtlQRAhkYAJ9kEhiZvYnopHSVIx/duQT+WspdnACeLOSM MoZPHmCqCI2yj+qV49Zmy7Y= =OOMj -----END PGP SIGNATURE----- From dave.list at pixelhammer.com Thu Aug 31 21:25:38 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 31 21:26:06 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: Message-ID: <44F745C2.3010604@pixelhammer.com> Brett Charbeneau wrote: > Check this out, I HOPE this will tell something to somebody. 
Again, this > is on a Debian box using sendmail as the MTA: > > drwxr-x--- 5 mail mail 4096 Aug 31 12:10 MailScanner > > franklin:/var/spool# ls -al MailScanner/ > drwxr-x--- 2 mail mail 4096 Mar 5 20:29 archive > drwxr-x--- 6 mail mail 4096 Aug 31 15:45 incoming > drwxr-x--- 2 mail mail 4096 Mar 5 20:29 quarantine > > MailScanner has been relaying messages happily with "Scan Message = no" > If I set it to "Scan Message = yes" and "Lock type = ", I get these > errors > in mail.log: > > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VJLJCD018230: No such file or directory > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VIliaT014900: No such file or directory > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VIvrZp015791: No such file or directory > > Even with "Lock type = flock" these still appear. > Any ideas? avhost2# ls -la drwxr-xr-x 13 root wheel 512 Aug 28 12:33 . drwxr-xr-x 5 root wheel 512 Feb 9 2005 .. drwxr-xr-x 5 root wheel 512 Jul 17 12:48 MailScanner drwxrwx--- 2 smmsp smmsp 512 Aug 31 14:23 clientmqueue drwxr-xr-x 2 smmsp smmsp 512 Aug 29 17:54 milter-ahead drwxr-xr-x 2 smmsp wheel 512 Aug 31 16:18 milter-greylist drwxr-xr-x 2 root daemon 512 Aug 31 16:20 mqueue drwxr-xr-x 2 root wheel 1536 Aug 31 16:20 mqueue.in avhost2# ls -la MailScanner/ drwxr-xr-x 5 root wheel 512 Jul 17 12:48 . drwxr-xr-x 13 root wheel 512 Aug 28 12:33 .. drwxr-xr-x 23 root wheel 512 Aug 31 16:22 incoming drwxr-xr-x 9 root nobody 512 Aug 31 06:01 quarantine The only change I have made over a stock install is to change the group ownership on the quarantine for MailWatch. Seems odd that without scanning MS works, but with scanning it does not. Either way it is having to move files from incoming to outgoing queues. I would have reinstalled by now, you could be hours ahead at this point. 
DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Thu Aug 31 21:27:43 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 31 21:27:48 2006 Subject: mqueue.in just gets bigger - no delivery? In-Reply-To: References: Message-ID: <223f97700608311327l2433d6e1sd190ec93e9141414@mail.gmail.com> On 31/08/06, Brett Charbeneau wrote: > Check this out, I HOPE this will tell something to somebody. Again, this > is on a Debian box using sendmail as the MTA: > > drwxr-x--- 5 mail mail 4096 Aug 31 12:10 MailScanner > > franklin:/var/spool# ls -al MailScanner/ > drwxr-x--- 2 mail mail 4096 Mar 5 20:29 archive > drwxr-x--- 6 mail mail 4096 Aug 31 15:45 incoming > drwxr-x--- 2 mail mail 4096 Mar 5 20:29 quarantine > > MailScanner has been relaying messages happily with "Scan Message = no" > If I set it to "Scan Message = yes" and "Lock type = ", I get these > errors > in mail.log: > > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VJLJCD018230: No such file or directory > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VIliaT014900: No such file or directory > Aug 31 15:49:36 franklin sendmail[20839]: NOQUEUE: SYSERR(root): readqf: cannot > open ./dfk7VIvrZp015791: No such file or directory > > Even with "Lock type = flock" these still appear. > Any ideas? > ('Scuse a somewhat sendmail noob (at least these days:-)) Shouldn't that lock setting be posix for newer sendmails? Say for 8.13.x? Obviously "flock" and setting it blank are the same, and (presumably) wrong, in your case. 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Thu Aug 31 21:59:48 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 31 22:00:54 2006 Subject: Want more log detail from SpamAssassin via MailScanner In-Reply-To: <1157053134.6031.189.camel@ws28.ehoeve.com> References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <20060831140504.J45824@mikea.ath.cx> <1157053134.6031.189.camel@ws28.ehoeve.com> Message-ID: Eric wrote: > I am trying to get MailScanner to increase verbosity on SpamAssassin > Tests (similar to what spamassassin -D --lint outputs). I do see this > when I set "Debug = yes", but I would like to be able to see this in the > logfile and not have the MailScanner die after one batch of email. You should not hijack a thread. It is impolite and you reduce your chance of being seen by the right eyes. In your case, I think only the author, Julian, can help you out with this request. > > All I see with regards to SpamAssassin is: > > Aug 31 14:29:45 server MailScanner[4265]: Message 708F1694C.EEF4C from > 19.345.789.012 (newsletter@domain.com) to mydomain.com is spam, > SpamAssassin (not cached, score=10.689, required 8, autolearn=spam, > DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, DK_POLICY_SIGNSOME 0.00, > DNS_FROM_AHBL_RHSBL 0.31, NO_OBLIGATION 0.30, > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, > RAZOR2_CHECK 0.50, > SPF_PASS -0.00, URIBL_JP_SURBL 3.36, URIBL_OB_SURBL 2.62) > > I am running this on SLES (SuSE) 10, SA 3.1.4, ClamAV 0.88.4 > > I have included below (what I belive to be the relevant part) of > MailScanner.conf. 
> > /etc/MailScanner.conf > > Run As User = postfix > Run As Group = postfix > Queue Scan Interval = 30 > Incoming Queue Dir = /var/spool/postfix/hold > Outgoing Queue Dir = /var/spool/postfix/incoming > Incoming Work Dir = /var/spool/MailScanner/incoming > Quarantine Dir = /var/spool/MailScanner/quarantine > PID file = /var/run/MailScanner.pid > Restart Every = 14400 > MTA = postfix > Sendmail = /usr/sbin/sendmail > Sendmail2 = /usr/sbin/sendmail > Incoming Work User = > Incoming Work Group = > Incoming Work Permissions = 0600 > Quarantine User = > Quarantine Group = > Quarantine Permissions = 0600 > Max Unscanned Bytes Per Scan = 100000000 > Max Unsafe Bytes Per Scan = 50000000 > Max Unscanned Messages Per Scan = 30 > Max Unsafe Messages Per Scan = 30 > Max Normal Queue Size = 800 > Scan Messages = yes > > MailScanner Version Number = 4.55.10 > Debug = no > Debug SpamAssassin = yes > > > > I can supply more info upon request. > > Any help would be greatly appreciated. > > Thanks in advance. > > -Eric > From mkettler at evi-inc.com Thu Aug 31 22:27:20 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 31 22:27:31 2006 Subject: Want more log detail from SpamAssassin via MailScanner In-Reply-To: References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <20060831140504.J45824@mikea.ath.cx> <1157053134.6031.189.camel@ws28.ehoeve.com> Message-ID: <44F75438.6080208@evi-inc.com> Ugo Bellavance wrote: > Eric wrote: >> I am trying to get MailScanner to increase verbosity on SpamAssassin >> Tests (similar to what spamassassin -D --lint outputs). I do see this >> when I set "Debug = yes", but I would like to be able to see this in the >> logfile and not have the MailScanner die after one batch of email. > > You should not hijack a thread. It is impolite and you reduce your > chance of being seen by the right eyes. 
> In your case, I think only the
> author, Julian, can help you out with this request.
>

And to further clarify,

Changing the subject line doesn't make a message free of references to
the original you replied to. A decent threaded email client will not be
thrown off by editing the subject, and will properly display your
message buried under whatever message you replied to.

It's these headers that give you away:

In-Reply-To: <20060831140504.J45824@mikea.ath.cx>
References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <20060831140504.J45824@mikea.ath.cx>

From r.berber at computer.org Thu Aug 31 23:40:21 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Thu Aug 31 23:40:43 2006
Subject: MS 4.54.6 failing to tag a phishing message
In-Reply-To:
References:
Message-ID:

Hello again,

I see there are no takers for my question... no problem, I'll debug it
myself.

A quick question, where is the documentation for the options shown with
--help:

Usage: MailScanner [ -h|-v|--debug|--debug-sa|--lint ] | [--value= --from= --to=, --to=, ...] --ip=, --virus= ]

Some are obvious, others... the man page says nothing, I only found the
debug option looking at the ChangeLog.

My plan is to run MS with --debug and a slightly changed configuration
file pointing to a test queue directory, in that directory I'll put a
message with the contents of the one that went through.

--
René Berber

From brett at wrl.org Thu Aug 31 23:54:43 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Aug 31 23:54:26 2006
Subject: mqueue.in just gets bigger - no delivery?
Message-ID: <20060831185443.g95erom950gg44w0@shadow.wrl.org>

Quoting DAve :
>avhost2# ls -la
>drwxr-xr-x 13 root wheel 512 Aug 28 12:33 .
>drwxr-xr-x 5 root wheel 512 Feb 9 2005 ..
>drwxr-xr-x 5 root wheel 512 Jul 17 12:48 MailScanner
>drwxrwx--- 2 smmsp smmsp 512 Aug 31 14:23 clientmqueue
>drwxr-xr-x 2 smmsp smmsp 512 Aug 29 17:54 milter-ahead
>drwxr-xr-x 2 smmsp wheel 512 Aug 31 16:18 milter-greylist
>drwxr-xr-x 2 root daemon 512 Aug 31 16:20 mqueue
>drwxr-xr-x 2 root wheel 1536 Aug 31 16:20 mqueue.in
>
>avhost2# ls -la MailScanner/
>drwxr-xr-x 5 root wheel 512 Jul 17 12:48 .
>drwxr-xr-x 13 root wheel 512 Aug 28 12:33 ..
>drwxr-xr-x 23 root wheel 512 Aug 31 16:22 incoming
>drwxr-xr-x 9 root nobody 512 Aug 31 06:01 quarantine
>
>The only change I have made over a stock install is to change the group
>ownership on the quarantine for MailWatch.
>
>Seems odd that without scanning MS works, but with scanning it does not.
>Either way it is having to move files from incoming to outgoing
>queues.
>I would have reinstalled by now, you could be hours ahead at this point.

My fault didn't mention it, but: have reinstalled. Twice, actually. Even
restored the system partition from backups. And you're right, scanning
or no scanning MS *still* has to pick stuff up and lay it back down,
which makes this goofiness that much more of a mystery.

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************
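
Added example, not part of any message in this archive: the threading rule Matt Kettler describes in the "Want more log detail" exchange, where a reply stays attached to its parent through In-Reply-To and References even after the Subject is rewritten. The Message-IDs are the ones quoted in that exchange; the parent's subject, both bodies and the function names are constructed for the demonstration.

```python
import re
from email import message_from_string

# Constructed sample: Message-IDs are taken from the headers quoted in the
# thread; the parent's subject and both message bodies are made up.
RAW_MESSAGES = [
    """Message-ID: <20060831140504.J45824@mikea.ath.cx>
References: <44F59F21.3010707@utwente.nl> <44F6E368.7010300@utwente.nl>
Subject: Re: Example original topic

parent body
""",
    """Message-ID: <1157053134.6031.189.camel@ws28.ehoeve.com>
In-Reply-To: <20060831140504.J45824@mikea.ath.cx>
References: <44F59F21.3010707@utwente.nl>
 <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com>
 <44F6E368.7010300@utwente.nl> <20060831140504.J45824@mikea.ath.cx>
Subject: Want more log detail from SpamAssassin via MailScanner

reply sent with an edited subject line
""",
]

MSGID = re.compile(r"<[^<>\s]+>")
PREFIX = re.compile(r"^\s*((re|fwd?|aw|sv)\s*:\s*)+", re.I)

def base_subject(subject):
    """Subject with reply/forward prefixes stripped, whitespace folded, lower-cased."""
    return " ".join(PREFIX.sub("", subject or "").split()).lower()

def parent_id(msg):
    """Parent per RFC 5322: In-Reply-To if present, else last entry of References."""
    ids = MSGID.findall(msg.get("In-Reply-To", "")) or MSGID.findall(msg.get("References", ""))
    return ids[-1] if ids else None

def find_hijacks(raw_messages):
    """Return (message-id, parent-id) for replies whose subject was replaced."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    by_id = {m["Message-ID"].strip(): m for m in msgs}
    hits = []
    for m in msgs:
        pid = parent_id(m)
        parent = by_id.get(pid)
        if parent is not None and base_subject(m["Subject"]) != base_subject(parent["Subject"]):
            hits.append((m["Message-ID"].strip(), pid))
    return hits

if __name__ == "__main__":
    print(find_hijacks(RAW_MESSAGES))
```

The same header walk is what a threaded client or list archiver performs, which is why editing the Subject alone does not start a new thread.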